Woo hoo!

Jay

wintermute:~ jay$ dig +dnssec @a.root-servers.net . DNSKEY

; <<>> DiG 9.6.0-APPLE-P2 <<>> +dnssec @a.root-servers.net . DNSKEY
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20062
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;. IN DNSKEY

;; ANSWER SECTION:
. 86400 IN DNSKEY 256 3 8 AwEAAb1gcDhBlH/9MlgUxS0ik2dwY/JiBIpV+EhKZV7LccxNc6Qlj467 QjHQ3Fgm2i2LE9w6LqPFDSng5qVq1OYFyTBt3DQppqDnAPriTwW5qIQN DNFv34yo63sAdBeU4G9tv7dzT5sPyAgmVh5HDCe+6XM2+Iel1+kUKCel 8Icy19hR
. 86400 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
. 86400 IN RRSIG DNSKEY 8 0 86400 20100725235959 20100711000000 19036 . I4cENgcWP+mN7eoX8KqPhvOMcGB0MMOB6ooTbEKHPR9gk6sAcJvq04tC ncwBNiMY3JxzHajsLmMermTL0sVmXj8j6Ba3eTX+t4CsdnUBFfk8zDyb lIIlYwWKZ/x2aXmOjKIKMIC9w8Wnt8awoo45MWzlAT2wGU7gcCAKxJ+O FG/ev8eUXpNxpzRIQvuC7ZGOlELJrrTQCgubyMWOjGaY0MPzrei0Uwe9 2autHPcISBKghnp80zfLmkueSO8qmkbwHn6Jg5vFQ7mG/BKJ5mDXCX5k IjfBQPPe+I2FsGnl+2r9yAmT1n7xLzktKRwKpCwE265EUhDMq7e0P7gF khgEPA==

;; Query time: 210 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Fri Jul 16 10:15:32 2010
;; MSG SIZE rcvd: 736

-- 
Jay Daley
Chief Executive
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 931 6977
mobile: +64 21 678840
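Added example, not part of the original post: a reading of the answer section above that computes each DNSKEY's key tag (RFC 4034, Appendix B) and finds which key the RRSIG names as signer of the DNSKEY RRset. The function names and the check time are assumptions of this example; it matches key tag, algorithm and validity window only and does not verify the RSA signature.

```python
import base64
import struct
from datetime import datetime, timezone

# The three answer records from the dig output in the post, one per line.
DIG_ANSWER = """\
. 86400 IN DNSKEY 256 3 8 AwEAAb1gcDhBlH/9MlgUxS0ik2dwY/JiBIpV+EhKZV7LccxNc6Qlj467 QjHQ3Fgm2i2LE9w6LqPFDSng5qVq1OYFyTBt3DQppqDnAPriTwW5qIQN DNFv34yo63sAdBeU4G9tv7dzT5sPyAgmVh5HDCe+6XM2+Iel1+kUKCel 8Icy19hR
. 86400 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
. 86400 IN RRSIG DNSKEY 8 0 86400 20100725235959 20100711000000 19036 . I4cENgcWP+mN7eoX8KqPhvOMcGB0MMOB6ooTbEKHPR9gk6sAcJvq04tC ncwBNiMY3JxzHajsLmMermTL0sVmXj8j6Ba3eTX+t4CsdnUBFfk8zDyb lIIlYwWKZ/x2aXmOjKIKMIC9w8Wnt8awoo45MWzlAT2wGU7gcCAKxJ+O FG/ev8eUXpNxpzRIQvuC7ZGOlELJrrTQCgubyMWOjGaY0MPzrei0Uwe9 2autHPcISBKghnp80zfLmkueSO8qmkbwHn6Jg5vFQ7mG/BKJ5mDXCX5k IjfBQPPe+I2FsGnl+2r9yAmT1n7xLzktKRwKpCwE265EUhDMq7e0P7gF khgEPA==
"""

def key_tag(flags, protocol, algorithm, public_key):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def _timestamp(text):
    # RRSIG times in presentation format are YYYYMMDDHHmmSS in UTC.
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_answer(text):
    """Split dig answer lines into DNSKEY and RRSIG dictionaries."""
    keys, sigs = [], []
    for line in text.splitlines():
        f = line.split()
        if len(f) > 7 and f[3] == "DNSKEY":
            flags, protocol, algorithm = int(f[4]), int(f[5]), int(f[6])
            public_key = base64.b64decode("".join(f[7:]))
            keys.append({
                "flags": flags,
                "algorithm": algorithm,
                "sep": bool(flags & 0x0001),  # SEP bit set: key-signing key
                "tag": key_tag(flags, protocol, algorithm, public_key),
            })
        elif len(f) > 12 and f[3] == "RRSIG":
            sigs.append({
                "covered": f[4],
                "algorithm": int(f[5]),
                "expiration": _timestamp(f[8]),
                "inception": _timestamp(f[9]),
                "key_tag": int(f[10]),
                "signer": f[11],
            })
    return keys, sigs

def signing_key(keys, sig, when):
    """Return the DNSKEY the RRSIG points at, or None if the signature is
    outside its validity window at `when` or no key matches."""
    if not sig["inception"] <= when <= sig["expiration"]:
        return None
    for key in keys:
        if key["tag"] == sig["key_tag"] and key["algorithm"] == sig["algorithm"]:
            return key
    return None

# Assumption: the date of the query in the post, with the time of day taken as 00:00 UTC.
QUERY_TIME = datetime(2010, 7, 16, tzinfo=timezone.utc)

if __name__ == "__main__":
    keys, sigs = parse_answer(DIG_ANSWER)
    for key in keys:
        print(key["flags"], "KSK" if key["sep"] else "ZSK", "tag", key["tag"])
    print("signed by:", signing_key(keys, sigs[0], QUERY_TIME))
```
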
Step 1: Sign the root
Step 2: ???
Step 3: Security for all!

Now that we have a signed root, how progress on DNSSEC for .nz ?

Sam.

On 16/07/2010, at 10:16 AM, Jay Daley wrote:
Woo hoo!
Jay
wintermute:~ jay$ dig +dnssec @a.root-servers.net . DNSKEY
On 16/07/2010, at 10:50 AM, Sam Sargeant wrote:
Step 1: Sign the root Step 2: ???
2a: Change TLS to use the CERT resource record and make domain-validated certificates ubiquitous.
2b: Move access control into a CERT based automated challenge/response mechanism.
2g: Add pre-connection/post-connection policy pointers into DNS (ala what SPF could have been)
2d - 2o: secure all the other layers
Step 3: Security for all!
Nope but at least we won't look silly any more.
Now that we have a signed root, how progress on DNSSEC for .nz ?
We hope to publish a plan soon. Currently we have several major projects underway, the largest of which is EPP, and as a small registry we can't do everything at once.

kind regards
Jay
Sam.
On 16/07/10 Fri, Jul 16, 10:50, Sam Sargeant wrote:
Step 1: Sign the root Step 2: ??? Step 3: Security for all!
Now that we have a signed root, how progress on DNSSEC for .nz ?
Following up on this and Jay's comments about when we'll do this for .nz. I'd observe that the process involved in getting ready and implementing this is non trivial. The procedure we followed on Monday consisted of something like 165 individual steps which were meticulously documented and recorded. And that was after weeks of testing, rehearsal and revision. Wearing my DNS Board hat I'm keen to see .nz signed as soon as we can do so safely and securely. There's a challenge here for this community to start thinking about the process of getting the domains we're responsible for ready for signing as well. We'll also need to educate and assist customers.
On 16/07/2010, at 1:42 PM, Andy Linton wrote:
There's a challenge here for this community to start thinking about the process of getting the domains we're responsible for ready for signing as well. We'll also need to educate and assist customers.
This will redefine the meaning of "too hard" to something much harder.

regards
Peter Mott
Swizzle | Managed Private Clouds
Tel. +64 21 279 4995
-/-
On 16/07/10 Fri, Jul 16, 13:44, Peter Mott wrote:
On 16/07/2010, at 1:42 PM, Andy Linton wrote:
There's a challenge here for this community to start thinking about the process of getting the domains we're responsible for ready for signing as well. We'll also need to educate and assist customers.
This will redefine the meaning of "too hard" to something much harder.
Look on the bright side, all those tasks you've been putting in the "too hard basket" will suddenly spontaneously leap out of that one into the "so trivial I'm going to ignore them basket".
On 16/07/2010, at 1:42 PM, Andy Linton wrote:
Following up on this and Jay's comments about when we'll do this for .nz. I'd observe that the process involved in getting ready and implementing this is non trivial.
The logistics of deploying and operating DNSSEC are certainly non-trivial. I'd also observe this hasn't just arrived out of the blue; we've all known the root was due to be signed for some time and there is no reason why planning can't have happened before now. While I'm sure that some work has been happening, I had hoped that we'd have a timeframe for implementation when the root was signed.
There's a challenge here for this community to start thinking about the process of getting the domains we're responsible for ready for signing as well. We'll also need to educate and assist customers.
Couldn't agree more. Sam.
On 16/07/2010, at 2:22 PM, Sam Sargeant wrote:
On 16/07/2010, at 1:42 PM, Andy Linton wrote:
Following up on this and Jay's comments about when we'll do this for .nz. I'd observe that the process involved in getting ready and implementing this is non trivial.
The logistics of deploying and operating DNSSEC are certainly non-trivial. I'd also observe this hasn't just arrived out of the blue; we've all known the root was due to be signed for some time and there is no reason why planning can't have happened before now. While I'm sure that some work has been happening, I had hoped that we'd have a timeframe for implementation when the root was signed.
While you are correct in your observation, it would not be fair to draw an inference that registries have been sitting around waiting for this to happen, blithe to the consequences. The development of DNSSEC has not taken place in isolation from the registries, rather many of us have been major contributors to the work and it would not have happened without that community effort. This effort has gone/is going into the following main areas:

1. Developing the protocol. DNSSEC has been around 15 years in the making but it only really started to gain traction around 2004 when registries intervened heavily to explain how the protocol at that point was unusable and proposed changes that would enable it to be used (NSEC3 being the result). There are still important niche features being added to the protocol now as we learn from the operational practice (3 below).

2. Signing the root. While this is the responsibility of IANA the registries have played a significant part too. This has included considerable behind the scenes politics, lots of work in peer review of process and technology and then in the measurements and analysis of nameserver behaviour to understand how DNSSEC has/will change the DNS landscape.

3. Developing operational best practice and tools. We've known all along that it would have been a very poor look for us to have said "right, we've signed .nz now you can use it and BTW there are no tools and no documented practice to use" so we are putting effort into the development of tools and policies. We want DNSSEC to be a success and that means making life as easy as possible for sysadmins to implement. The epicentre for that work is http://www.opendnssec.org/

4. Developing local policy. As with all technology, the layer 9 considerations only truly come to the fore when people have used the technology for a while and got used to it. This is when we start to think really hard about such issues as what happens when a registrant moves between registrars where DNSSEC is now in play. This is not trivial and many of the TLDs that have implemented DNSSEC already have done so without these issues being fully resolved, fully expecting those to come out in the wash in the first year or so. We take a slightly different view and would like to have those issues thought through and new policy in place that protects the same principles as before and maintains the same balance between participants. If you want an indication of some (not all) of the questions that policy must address then see http://syd.icann.org/files/meetings/sydney2009/presentation-dnssec-workshop-...

So that in a nutshell is why we are where we are. DNSSEC as a change is the most important thing to happen to the global DNS industry because it is systemic and so the risks of failure are also systemic, which is as high as it gets. We are moving carefully and cooperatively to get this right.

kind regards
Jay
There's a challenge here for this community to start thinking about the process of getting the domains we're responsible for ready for signing as well. We'll also need to educate and assist customers.
Couldn't agree more.
Sam.
Jay covers off the approach that DNCL and NZRS are taking on this very clearly. I'd also add that DNCL expects a consultation paper around DNSSEC Implementation for .nz to go out for comment in August. We'll be putting a draft paper to the August DNCL board meeting and expect the consultation paper to be confirmed at that meeting.
On 16/07/2010, at 1:42 PM, Andy Linton wrote:
There's a challenge here for this community to start thinking about the process of getting the domains we're responsible for ready for signing as well. We'll also need to educate and assist customers.
What if the lack of effort is due to limitations on systems with no near future solutions ? (come on Bind10!) I'm keen to hear about people using mysql backed DNS systems and their solutions to getting DNSSEC going with their current setups. Thanks, Drew Broadley
afaik bind 9 supports dnssec right now
I use nsd and unbound and I know those work
On 27/07/2010, at 18:49, Drew Broadley
On 16/07/2010, at 1:42 PM, Andy Linton wrote:
There's a challenge here for this community to start thinking about the process of getting the domains we're responsible for ready for signing as well. We'll also need to educate and assist customers.
What if the lack of effort is due to limitations on systems with no near future solutions ? (come on Bind10!)
I'm keen to hear about people using mysql backed DNS systems and their solutions to getting DNSSEC going with their current setups.
Thanks, Drew Broadley
Andy Linton wrote: Andy,
afaik bind 9 supports dnssec right now
that's correct. Depending on the version, there are features added or bugs fixed regarding DNSSEC. If my memory serves me correctly, the first DNSSEC tools were added in 9.3. 9.4 supported zone signing reasonably well. For most recent history you can check https://www.isc.org/software/bind/new-features
I use nsd and unbound and I know those work
-- Sebastian Castro DNS Specialist .nz Registry Services (New Zealand Domain Name Registry Limited) desk: +64 4 495 2337 mobile: +64 21 400535
Hi Drew, On 26/07/10 23:49, Drew Broadley wrote:
What if the lack of effort is due to limitations on systems with no near future solutions ? (come on Bind10!)
BIND 9.7 has some useful additions to make zone signing easier/more automatic; see, eg, OSCON 2010 slides from an ISC speaker: http://www.oscon.com/oscon2010/public/schedule/detail/14112 (the first half of the slides is intro-to-DNSSEC, the second half is a simple recipe for signing your zone using BIND 9.7). The major limitation seems to be that in order for the turnkey setup to work the system with the original zone information also needs the private keys (both ZSK and KSK), which may or may not be the ideal security partitioning. (I suspect it's probably okay for many if you use a hidden master that's fairly well isolated.) As others have pointed out, with some extra effort (mainly in specifying a bunch of extra flags that are now defaults in BIND 9.7, plus some extra cron jobs) one could do the same thing well back into the BIND 9.x versions. Ewen
Ewen McNeill wrote:
Hi Drew,
On 26/07/10 23:49, Drew Broadley wrote:
What if the lack of effort is due to limitations on systems with no near future solutions ? (come on Bind10!)
BIND 9.7 has some useful additions to make zone signing easier/more automatic; see, eg, OSCON 2010 slides from an ISC speaker:
http://www.oscon.com/oscon2010/public/schedule/detail/14112
(the first half of the slides is intro-to-DNSSEC, the second half is a simple recipe for signing your zone using BIND 9.7).
The major limitation seems to be that in order for the turnkey setup to work the system with the original zone information also needs the private keys (both ZSK and KSK), which may or may not be the ideal security partitioning. (I suspect it's probably okay for many if you use a hidden master that's fairly well isolated.)
You can consider that as a major limitation of any signing system :) But in practice, you can use a hardware security module to protect the private part of the keys. What I personally think is a limitation is the lack of functionality around key management: if by policy you need to have frequent roll-overs, you need to use a different set of tools to do that.
As others have pointed out, with some extra effort (mainly in specifying a bunch of extra flags that are now defaults in BIND 9.7, plus some extra cron jobs) one could do the same thing well back into the BIND 9.x versions.
The version you pick depends on whether you are on the authoritative side or the validating side. For an authoritative nameserver serving a signed zone, BIND 9.6 is good enough. If you are a validating resolver who wants to implement trust anchor rollovers, you need to use BIND 9.7.

For the .nz zone we are planning to use OpenDNSSEC (www.opendnssec.org) as key management software and signing engine and BIND 9.6 for the authoritative nameservers.

cheers,
Ewen
-- Sebastian Castro DNS Specialist .nz Registry Services (New Zealand Domain Name Registry Limited) desk: +64 4 495 2337 mobile: +64 21 400535
Jay Daley wrote:
Woo hoo!
Jay
wintermute:~ jay$ dig +dnssec @a.root-servers.net . DNSKEY
And even better, there are 7 TLDs with DS records in the root zone (BG, BR, CAT, CZ, NA, TM, UK) and 24 signed TLDs (arpa, bg, biz, br, cat, ch, cz, eu, gov, kg, li, lk, museum, na, nu, org, pm, pr, pt, se, th, tm, uk, us).

And Andy Linton, a member of our community, was present at the KSK Ceremony in LA two days ago, as Crypto Officer!

cheers,
-- 
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
participants (8)
- Andy Linton
- Donald Neal
- Drew Broadley
- Ewen McNeill
- Jay Daley
- Peter Mott
- Sam Sargeant
- Sebastian Castro