Getting those DNSSEC keys, was Re: [dnssec-deployment] dot MUSEUM implemented DNSSEC

Shane Kerr shane at ca.afilias.info
Fri Sep 19 11:59:07 EDT 2008


On Fri, 2008-09-19 at 11:25 -0400, Dan Mahoney, System Admin wrote:
> >
> > Though I think someone should put up a trusted keys page that's easier
> > to configure in existing software. (eg bind/unbound include file, though
> > I'd prefer one TLD per file, so people can easily add/remove entries).

Cool.

> True, but in the absence of a signed root, that could lead to people
> blindly pasting the whole thing into their named.conf -- which while it
> might encourage more widespread adoption, opens us up to a trust attack --
> i.e. if all the keys are there, why would joe-sysadmin think signing the
> root is important?

Uh huh.

Have you set up a DNSSEC-verifying resolver? I just did this last week,
looking around for information on various signed sources. I decided to
use DLV to get as much DNSSEC-goodness as possible.

The quality varies *widely* (at least from a naive Google-based approach).
Here are the comments in my named.conf:

// DLV keys
// https://secure.isc.org/index.pl?/ops/dlv/
// https://secure.isc.org/ops/dlv/dlv.isc.org.named.conf
// announcements to <dlv-announce at isc.org>

// RIPE keys
// https://www.ripe.net/projects/disi//keys/
// https://www.ripe.net/projects/disi//keys/ripe-ncc-dnssec-keys-new.txt
// announcements to <dnssec-announce at lists.nic.se>

// SE keys
// https://www.iis.se/domains/sednssec/publickey
// announcements to <dnssec-announce at lists.nic.se>

// BR keys (BR is also in DLV)

// PR keys
// http://dnssec.nic.pr/
// http://dnssec.nic.pr/serverconf.php
// *** no announcement list ***

// CZ keys
// http://www.nic.cz/dnssec/
// *** no announcement list ***

// BG keys
// ???... some keys http://www.unbound.net/documentation/howto_anchor.html

Some sites have nice SSL-verified sites and PGP-signed announcements on
mailing lists, with published policies. Others... less so.

So if Paul's site has a simple list of URLs (and maybe notes) like I
used, it's good enough. Really. It would have saved me a couple hours at
least.

--
Shane
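The "one TLD per file" include layout discussed in the thread, as an added example (this is neither Shane's named.conf nor anything ISC or a registry publishes): a script that takes DNSKEY records in the zone-file syntax used by the key pages listed above, keeps only the KSKs (flags 257, protocol 3), and writes one BIND 9 `trusted-keys` include file per TLD with the key tag and DS digest in a comment, so an operator can check each anchor against an out-of-band source instead of pasting a whole list blindly. It assumes BIND 9's `trusted-keys` and `include` syntax; the sample keys are constructed filler, not real key material.

```python
"""Build one BIND 9 trusted-keys include file per TLD from published DNSKEY records.

Added example (not from the list post). Assumptions: a BIND 9 resolver whose
named.conf pulls in one include file per TLD, and key pages that publish
DNSKEY records in zone-file syntax. The sample keys below are constructed filler.
"""
import base64
import hashlib
import re
import struct
from collections import defaultdict
from pathlib import Path

# owner [ttl] [IN] DNSKEY flags protocol algorithm base64-key...
_DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+"
    r"(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+(?P<key>.+)$"
)


def _filler_key(label):
    """Constructed base64 filler standing in for real key material."""
    return base64.b64encode(f"constructed-{label}-not-a-real-key".encode() * 2).decode()


# Constructed sample input in the shape of a TLD's public-key page.
SAMPLE_KEYS = "\n".join([
    f"se.  IN DNSKEY 257 3 5 {_filler_key('se-ksk')}",
    f"se.  IN DNSKEY 256 3 5 {_filler_key('se-zsk')}  ; ZSK, must not become an anchor",
    f"cz.  IN DNSKEY 257 3 5 {_filler_key('cz-ksk')}",
    f"br.  IN DNSKEY 257 3 5 {_filler_key('br-ksk')}",
])


def parse_dnskeys(text):
    """Return (owner, flags, proto, alg, key_b64) tuples; reject malformed input
    here rather than letting named choke on it at reload time."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip zone-file comments
        if not line:
            continue
        m = _DNSKEY_RE.match(line)
        if not m:
            raise ValueError(f"not a DNSKEY record: {raw!r}")
        key = "".join(m["key"].split())  # base64 may be split across whitespace
        base64.b64decode(key, validate=True)  # raises ValueError on garbage
        records.append((m["owner"].lower(), int(m["flags"]),
                        int(m["proto"]), int(m["alg"]), key))
    return records


def is_trust_anchor_candidate(flags, proto):
    """A trust anchor must be a zone key (flag 256) with the SEP bit (flag 1) and
    protocol 3 (RFC 4034 s.2.1); ZSKs (256) and anything else are left out."""
    return proto == 3 and bool(flags & 256) and bool(flags & 1)


def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name, as the DS digest needs it."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _rdata(flags, proto, alg, key_b64):
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode(key_b64)


def key_tag(flags, proto, alg, key_b64):
    """RFC 4034 Appendix B key tag (for every algorithm except the obsolete 1)."""
    ac = 0
    for i, b in enumerate(_rdata(flags, proto, alg, key_b64)):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, flags, proto, alg, key_b64, digest_type=2):
    """RFC 4034 s.5.1.4 DS digest: hash(owner wire form || DNSKEY RDATA).
    This is the value to compare against an out-of-band source."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(name_to_wire(owner) + _rdata(flags, proto, alg, key_b64)).hexdigest().upper()


def render_bind_include(tld, anchors):
    """One trusted-keys clause holding only this TLD's KSKs."""
    lines = [f"// trust anchors for {tld}; check each DS digest out of band before use",
             "trusted-keys {"]
    for owner, flags, proto, alg, key in anchors:
        lines.append(f"    // key tag {key_tag(flags, proto, alg, key)}, "
                     f"DS SHA-256 {ds_digest(owner, flags, proto, alg, key)}")
        lines.append(f'    "{owner}" {flags} {proto} {alg} "{key}";')
    lines.append("};")
    return "\n".join(lines) + "\n"


def render_all(text):
    """Map each TLD to its include-file body; a TLD with only ZSKs gets no file."""
    by_tld = defaultdict(list)
    for rec in parse_dnskeys(text):
        owner, flags, proto, *_ = rec
        if is_trust_anchor_candidate(flags, proto):
            by_tld[owner.rstrip(".") or "root"].append(rec)
    return {tld: render_bind_include(tld, anchors) for tld, anchors in by_tld.items()}


def write_per_tld_files(text, outdir):
    """Write <outdir>/<tld>.conf per TLD and return the paths, sorted."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    written = []
    for tld, body in sorted(render_all(text).items()):
        path = outdir / f"{tld}.conf"
        path.write_text(body)
        written.append(path)
    return written


if __name__ == "__main__":
    import tempfile
    out = tempfile.mkdtemp(prefix="tld-anchors-")
    for path in write_per_tld_files(SAMPLE_KEYS, out):
        print(f'include "{path}";')  # these lines go into named.conf, one per TLD
```

Because each TLD lives in its own file, dropping a TLD (or rolling its key) is a one-file change, and the DS digest comment gives the operator something concrete to compare with the registry's PGP-signed announcement or DS page before the anchor is trusted.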
