11. [Slide diagram: resolvers are everywhere. At the top the root and TLD name servers; below them the ISP's and Google's resolvers; in the home the router / wifi modem resolver; on the end device the OS, browser, mail agents, firewall and virus scanner; and further resolvers in printers, webcams, game consoles, telephones, mobiles and media centres.]
15. [Slide diagram: a normal lookup of www.mybank.dom through the local resolver and the (authoritative) name servers]
    1. Client to local resolver: "Get me www.mybank.dom"
    2. Local resolver to root: "Where's www.mybank.dom?"
    3. Root: "Try the name server for .dom"
    4. Local resolver to .dom: "Where's www.mybank.dom?"
    5. .dom: "Try the name server for mybank.dom"
    6. Local resolver to mybank.dom: "Where's www.mybank.dom?"
    7. mybank.dom: "Here you can find www.mybank.dom: 192.0.32.10"
    8. Local resolver to client: "Here you can find www.mybank.dom: 192.0.32.10"
    9. Client connects to online banking at 192.0.32.10
17. [Slide diagram: the same lookup ("Get me www.mybank.dom", "Try the auth for mybank.dom", "Where's www.mybank.dom?"), but two replies reach the local resolver: the genuine "Here you can find www.mybank.dom: 192.0.32.10" from the (authoritative) name servers and a forged "Here you can find www.mybank.dom: 6.6.6.10", so the online banking client can be handed 6.6.6.10 instead.]
18. [Slide diagram: the local resolver is asked "Get me 1234.mybank.dom" and queries the (authoritative) name servers for mybank.dom. The genuine answer is "No such domain exists" (NXDOMAIN). A forged reply says "Here you can find 1234.mybank.dom: 6.6.6.10" and adds: "And by the way: ns.mybank.dom = 6.6.6.1, ns2.mybank.dom = 6.6.6.2, and the authoritative nameserver for the entire .dom domain is ns.mine.dom = 6.6.6.6".]
28. [Slide diagram: the DNSSEC chain of signing keys]
    Root zone signing keys: the root zone contains signed records (including .dom), among them the public key for .dom
    .dom zone signing keys: the .dom zone contains signed records for mybank.dom, among them the public key for mybank.dom
    mybank.dom signing keys: the mybank.dom zone contains the signed record for www.mybank.dom
29. [Slide diagram: the validation chain] The public root key validates the public key for .dom in the root zone; that key validates the public key for mybank.dom in the .dom zone; that key validates the signed record for www.mybank.dom in the mybank.dom zone.
30. dnssec-keygen -a alg -b bits -n type [options] name
    Output files: Kzonename+<alg>+<fing>.key and Kzonename+<alg>+<fing>.private
    Resulting DNSKEY record:
    example.dom. 3600 IN DNSKEY 256 3 5
        AQO6TtiOq7uZa8wHrQNUGT3ZXudaGjnbduUnyLw9WwiDEd8Vy1Ao4FVK
        7xqEAFo4F5gOkdGr6Y7Xz0F+Z5e1AaQlvhBhjujvIhPZ5EIuNGkGUbRT
        YLhVX5OJUHMYdrXpGPdyG+V1TBTmxJ/+OmUdkWiT2J6w5XUpSYRB+p0k
        YwGf7uxPO/cDNp67fILtx1+dduS30B7QygOK+f7PeAZDcdBo2qsy5rnB
        sPsLhbEpdpWFs2WPTVo0IGYAER3nG6WZptiq8OYAb1K22K8i+j8+hDwv
        NRDMjWeVMebBZXbNQGkwsGgJsIsaoGfVOT3WdeJxDu9GqODM//mwZxTv
        O7StbOht
33. Key-signing key (flags 257) and zone-signing key (flags 256):
    example.dom. 3600 IN DNSKEY 257 3 5
        AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N
        Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW
        6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U
        BYtEIQ==
    example.dom. 3600 IN DNSKEY 256 3 5
        AQOpbYrUNahQAV5/wTCJ9/wbSM/eV+N+jYZAMmIKn6QF3Z57B6upgcjV
        HEOyFkA3YcIt5Fz+WqodCrABn4qShd6qJYR8iP3S6fjN6PVpljMjrhsp
        /6yVc30C6c7P2b/mgWZi5iYC56lkegDs0VGfAW5HmosKjQVoYMjOtNo3
        F+MGQw==
34. dnssec-signzone [-o zonename] [-N INCREMENT] [-k KSKfile] zonefile [ZSKfile]
    Resulting RRSIG records in the signed zone:
    example.dom. 9504 IN RRSIG A 5 2 10200 20100412015003 20100315015003 18182 example.dom.
        H4Yy1ClPpBEj+Et3c7rkxZW3Q/w3O28sO3Mpt6c4HRpFdBwwMjzbYI0Q
        vWInuxSIWx3IJ455nX4k/N8NBRENzRK/+L74dM71OovOT50oLJ6ZOVvu
        /cjQtvQzHtJkoIvywsVpzDlgckvp8jVR6pDDM3TuXhehh6HHSR/E9NxT
        7oE=
    example.dom. 9346 IN RRSIG NS 5 2 10200 20100412015003 20100315015003 18182 example.dom.
        XIUX8rm6LZQq1+agULABIllTWic18Fa92MrHtn+vRce+mHN6svWALutF
        SvsqqCbCCBMlwZgShXKNZjuSu8+NKMnurafAtWU4IVWrt3UqSsWxKYPZ
        N3qtKrSuTTo/8vwUmmvyShlehSQ2xTA6Sk6dnn8iwUObO+8eoX190A23
        0Z8=
35. DS record for the parent zone, and the DNSKEY it is derived from:
    example.dom. 3600 DS 10177 5 1 (
        763F5C58926ECA5C4E1B6B2701CA75E9F509F321
    )
    example.dom. 3600 DNSKEY 257 3 5 (
        AwEAAbctL3nCKtl55NRZW6g4i3tajQi55OtP
        XZYIIPoo2h6ENB0eGA5xfeDDJZwDkZt6z5bp
        ur0P1zCMa17JPMMpylp1+4j8G3VyKuZkLBIV
        eQif7N7sbP14Qzuo/T90ErVG/YbUYTSZifu3
        xm4D/P2xSV+SFe3tNd0g9o94TSs5jWM5
    ) ; key id = 10177
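Added example (not from the slides): the computation behind the DS record on this slide. From a DNSKEY's flags, protocol, algorithm and base64 key it derives the RFC 4034 key tag (the "key id" above) and the SHA-1 DS digest over the owner name plus the DNSKEY RDATA. The toy key is constructed so the tag can be checked by hand; the second key is the slide's own KSK re-typed from the record above.

```python
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA = 2-byte flags | 1-byte protocol | 1-byte algorithm | raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (the 'key id' shown beside a DNSKEY); not for algorithm 1."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> str:
    """The SHA-1 (digest type 1) DS record the parent zone publishes for this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha1(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} 1 {digest}"


# Constructed toy key (4 arbitrary bytes, not a real key) whose tag can be checked by hand:
# RDATA = 01 01 | 03 | 05 | 01 02 03 04 -> 16-bit words 0x0101+0x0305+0x0102+0x0304 = 0x080C = 2060
TOY_KEY_B64 = base64.b64encode(b"\x01\x02\x03\x04").decode()

# The KSK shown on the slide (flags 257, protocol 3, algorithm 5), re-typed from the record above.
SLIDE_KSK_B64 = (
    "AwEAAbctL3nCKtl55NRZW6g4i3tajQi55OtP"
    "XZYIIPoo2h6ENB0eGA5xfeDDJZwDkZt6z5bp"
    "ur0P1zCMa17JPMMpylp1+4j8G3VyKuZkLBIV"
    "eQif7N7sbP14Qzuo/T90ErVG/YbUYTSZifu3"
    "xm4D/P2xSV+SFe3tNd0g9o94TSs5jWM5"
)

if __name__ == "__main__":
    print(ds_record("example.dom.", 257, 3, 5, TOY_KEY_B64))
    # Recomputed from the slide's DNSKEY; compare with the DS line and key id on the slide.
    print(ds_record("example.dom.", 257, 3, 5, SLIDE_KSK_B64))
```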
46. Validation failures as logged by unbound:
Feb 10 04:16:43 ns0 unbound: [5973:1] info: validation failure <USPTO.GOV. MX IN>: no signatures from 151.207.246.51 for key USPTO.GOV. while building chain of trust
Feb 10 04:53:00 ns0 unbound: [5973:0] info: validation failure <gk-w-mail.srvs.usps.gov. A IN>: no signatures over NSEC3s from 56.0.141.25 for DS gk-w-mail.srvs.usps.gov. while...
Feb 10 14:21:48 ns0 unbound: [5973:1] info: validation failure <www.hud.gov. A IN>: no DS...
Feb 10 13:47:35 ns0 unbound: [5973:0] info: validation failure <www.atol.bg. A IN>: No DNSK...
Feb 10 13:37:17 ns0 unbound: [5973:0] info: validation failure <ns.unicycle.cz. A IN>: no k...
Feb 15 19:10:25 ns0 unbound: [5973:1] info: validation failure <FM.UL.PT. MX IN>: no NSEC3 records from 2001:690:21c0:b::150 for DS FM.UL.PT. while building chain of trust