A few weeks ago, the weather on Ibiza was 22C, partly cloudy; you may recall that I showed you how to do dynamic DNS updates. If I query the weather now, look what I get:

    dig +dnssec +multiline -p 5053 ibiza.temp.aa txt
    
    ;; ANSWER SECTION:
    ibiza.temp.aa. 120 IN TXT "Fair 24 C"
    ibiza.temp.aa. 120 IN RRSIG TXT 7 3 120 20101211152628 (
                     20101113152628 16487 temp.aa. 
                     Yp5G0fGUmUFfKkOtQyo5AsKP1pvRWuObO3EpyPxNH8Rc
                     aew93Ot3mWSTnDHuKs1ua6eCsRYQMXUdHkyetLKkIoGW
                     7UOBmngy/MQVq3Bx16B4pKesFPVan4DIWuiKt9sw32FA
                     ljbS+LH8eVyv+pZbmPcpwG6bwDcpD76OzIQlX/0= )
    

The weather has changed of course. :-) But the important bit here, is that the record is signed! The DNSSEC signed resource record set is compliments of Phreebird, a tool just released by Dan Kaminsky. It sits as a kind of proxy between a client and your non-DNSSEC-capable DNS server (e.g. PowerDNS) and signs RRsets on the fly before returning them to the client. What I did, without touching the temp.aa zone what so ever, is to add Phreebird (I changed its port numbers) and query that. To get started, build and install the prerequisites (from the deps/ directory). Then create a key (or have Phreebird create a key for you with -g):

    ldns-keygen -a RSASHA1 temp.aa
    Ktemp.aa.+005+14607
    

Launch Phreebird:

    bin/phreebird -k Ktemp.aa.+005+14607.private
    

Send it a query. Use any domain name served by your local DNS server. I repeat: any domain name. (See above.) You have a key generated by Phreebird in the file dns.key and need the DS record to publish at your parent? Here it is:

    dig  -p 5053 temp.aa ds
    ;; ANSWER SECTION:
    temp.aa. 3600  IN  DS  14607 5 1 9DE5D716CFDFC6FBF09AC3DEEABCCC1A710F8C9B
    

Time over DNS

    dig -p 5053 _dns._time txt
    ;; ANSWER SECTION:
    _dns._time.             1       IN      TXT     "v=dtm1 t=20101114144106"
    

This is wow! Phreebird supports

• automatic key generation (but I can provide my own key)
• zero configuration; apart from an initial key (that can be generated automatically)
• real-time signing with caching of signed answers

Read more on what goes on behind the scenes in Dan’s slides. The utility is not ready for production yet, but it may soon be. If and when it is ready, I expect this to revolutionize and greatly speed up DNSSEC deployment.