can't query for RRSIG that references NSEC3

Jack Tavares j.tavares at F5.com
Wed Jun 24 12:40:46 UTC 2009


a correction:

my dig command is

dig @127.0.0.1 -t RRSIG  4PPH7Q8R02M0AD8MLJPS0UEH2AB9KFJL.test.net

and I still get NXDOMAIN
--
Jack Tavares
AIM: jacktavares
SKYPE: jackandkaddee
Reminder: I am at GMT+2, 10 hours AHEAD of Seattle.
My workweek is Sunday-Thursday.
Email sent to me Thursday afternoon (PST) may not be viewed until Sunday morning (GMT+2).


________________________________
From: bind-users-bounces at lists.isc.org [bind-users-bounces at lists.isc.org] On Behalf Of Jack Tavares [j.tavares at F5.com]
Sent: Wednesday, June 24, 2009 15:24
To: bind-users at lists.isc.org
Subject: can't query for RRSIG that references NSEC3

When I query my test zone I get RRSIG records that cover NSEC3
and all the NSEC3 records etc like so:

 dig axfr @127.0.0.1 test.net.
; <<>> DiG 9.6.1 <<>> axfr @127.0.0.1 test.net.
; (1 server found)
;; global options: +cmd
test.net.               500     IN      SOA     d62.test.net. hostmaster.d62.test.net. 2009033114 10800 3600 604800 86400
test.net.               500     IN      RRSIG   SOA 7 2 500 20090721094639 20090621084639 50417 test.net. rqx/Equtdg0y3DqMpiRRSpZpYySn8JgJgktpXvSTpQH6glNeTKK7kw6i 6OedcRnKYdxwzqhvu4urnWS3oO7Sc1fBGnVj9lVfNt5qOos2imWx7zut i7209qs1bDwZLv6Cn/0AdQXazuP94GfPeqQ5LZ06bqihJTaN04dbtV26 M2A=
test.net.               500     IN      NS      d62.test.net.
test.net.               500     IN      RRSIG   NS 7 2 500 20090721085219 20090621084639 50417 test.net. QVYC9R/1G+AsiOrXD1dOhGqY9PKoNtQ8s85lErpIH6Et8rxJQJLSFEMa pOYkywMXZnQJ4DZGUA3RNjXgGeZsIW9DPeJnY45L866+ddWEKII75Nat 3kvJoBLrz4WNsQb1/qHi/4ch04gIs7c5OLSYtxfzpa5BMBybZh+Zhddi 9g8=
test.net.               500     IN      DNSKEY  256 3 7 AwEAAdftV28eJd92UYVeU71g7ZuCEFW57nyfG05Vt4GOM9745koGevi5 F8BtVoeHywudGKE3vHjCubhSWFBPqZaKduQYTQTeZE4eQFSyExDgbVAA 3K7BD+O9Qa4MXMudiBpF9RBVI9XAcvcIGyHGqcqLku6JhAeZ9NNwXQpM jWLcyD59
test.net.               500     IN      DNSKEY  257 3 7 AwEAAbdMLjb/5Rs5wWF32mjB7LTSAo2EM5qHkUa3L74+5mSFBfLHLuQj /EMI23o2djg6IEi3D+vo2yJgypEVgeiXqHBnGqqkF6vX+3OM313zYago N3X2NJnC7XmBpTTA7zUNmXI4I/kG+hUV+WPBQl4OAdymMBTXctMSWRgY can8shw7356SEjmMN4fDsqrkdl4xUx7XWx9j/LjVhy7lCz8YsHtX3vp+ P5UsfiAjnt3RAT3w6ShgA9ZnXle9HswW10yHLR6AMvonItZvhoFM4ckU Tb0aRkQjeqhM+6CSdBkkloQ+tI3CF5mfoqNQRnSk0A25FA42r6uOrtSi NYlIEo4zpBE=
test.net.               500     IN      RRSIG   DNSKEY 7 2 500 20090721085219 20090621084639 21768 test.net. ZCQ21MP5Sn2ZULlUyLKLjkZPl4BtqQZj44x0HPXMPAX6UNgZzJ+oSqqo MXJ/kRfxXJLJJ86fBi1NrC4XntvOGrZ5BuVEXokGhRXmtPNvlWCQqPWO lXPLUt3vLcHT/IWMEpO4l0woV3/X3E+v2cmSZFBkBVZ7KRh4RfNTf2eq x/goe/ql4YEjfHcI4CvbA6cVT/4XLjLSIm1Z3N7ZNZuHrvljk+fqHiq7 C2Vv0/ZPiDAYxr94yN2W6v6iBMLxSqdaDzPTcvGtZiJavR/Tnt0xDcWR yYYnfNArPCxPavcVC3akPUoxBkqnZ8KbkWOMVwmIr7rrKyfsXujfPD5y iCoA8g==
test.net.               500     IN      RRSIG   DNSKEY 7 2 500 20090721085219 20090621084639 50417 test.net. QgOOg0QGR7sdEHGeQjE9o8/LPgYqYlse7EX8y+R5zKVWSbz35Epo1Km3 q3wJAzl7+lee7Xadsl4G9zW0JLctvJeknLIjDGQf1ND6P9hmTLwjCZfr C9PTNmadoTdsEiZCO0stckBnzU9f81Avamf3awAdwpSDG2FKeFNtEYwM WMg=
test.net.               0       IN      NSEC3PARAM 1 0 100 0123456789ABCDEF
test.net.               0       IN      RRSIG   NSEC3PARAM 7 2 0 20090721085219 20090621084639 50417 test.net. jukLTp523hzchhjHlldmnMqQK1tKTQPq/HcMrpP7YtA/DiYMDmar9hDQ q+eB+zP3CPvJKnuiKyjwY+nRGIoJPmzPGFzB7oT0qjF5KjtkFjTlxTY3 RVpSxOFNQ1DBjt8GB1uSGPKzLTDDmaB25i2bf/3AUhJH4jPLWzjNdLM7 oS8=
a.test.net.             500     IN      A       1.2.3.4
a.test.net.             500     IN      RRSIG   A 7 3 500 20090721085219 20090621084639 50417 test.net. raR/8vMh37yX6LOsE1TqzqPJe7XfD6XY9Rw7+CIJC4z1XWWDKRf3/NoF 3bXhxaBUr6XfSeWt2MjX6hS8BGlUfO2ClshKbuydO8wfXn0I7yHGI+o4 535Nt1fzIcfVlrNBVepMByoVsgHhGe0XGJwMB0uPC40l1zcnTWKO7MeJ Z3E=
b.test.net.             500     IN      A       1.2.3.4
b.test.net.             500     IN      RRSIG   A 7 3 500 20090721085219 20090621084639 50417 test.net. On3h0pjjndShviCCOZZmzjEGbkNHLPaQJQse7DKcp/jf6mywoHPefa/6 OW32wLn/1erXVMJPjaAbW1kc9PHIWj4AcY8k9e/U0EnbsndRXuL+N60c 2fJI+PxztgWrSykqVSuh5NGQIlCvlGfRbem/es0ECMDRRM3aMpZXMAkp F8M=
c.test.net.             500     IN      TXT     "blah"
c.test.net.             500     IN      RRSIG   TXT 7 3 500 20090721093908 20090621084639 50417 test.net. 0RZeSr+Bv0SqfJbMVzMHp54uf5KzJdfRAveAmrpBLp1JD2Po6qWNWmpO HXEuLBAIuzV7p0poAxHpMYrWfRyHKs1nFxsfBlaoA9/XxmBiRpFHagQO K7dEl+HQb/HkzmMk80HJstNoTrInHKQ6fIhBc5zaNqxwicsFPW3uzMn+ xu8=
d.test.net.             500     IN      A       1.2.3.4
d.test.net.             500     IN      RRSIG   A 7 3 500 20090721085219 20090621084639 50417 test.net. UOtChpH31l+q0m/Fgw8/Ks0N/K2B4ykXVgsXDzFQzR6Vc26K0QnA+zoC 5LKyNzTLk1DkjOOuH5lMYIHdClkIYopajtaXHhINeVj8xR2q9iv/J+gy zr01stNuk9sRy0ynBnKc7mjdA8hTTKTnf31RSgP3NedDfJZa2+ptbvgR 0/Y=
e.test.net.             500     IN      A       1.2.3.4
e.test.net.             500     IN      RRSIG   A 7 3 500 20090721093908 20090621084639 50417 test.net. ADxHuMrnaoLu9oMSgdksa4LRGzYK8N5gjt0D3sSs+RPKIDsXeVsntRrZ dAX6ja2a2Rbip3wRyP1VD5uzonMeWrOouHIsR5NgQxZPWqFM6ITX4hRE tVVGZPJMK4mfl7YRxObA/zkke5uXDLhMX8uNKjDVGq/1/09cjwZgQrpd BWU=
4PPH7Q8R02M0AD8MLJPS0UEH2AB9KFJL.test.net. 86400 IN NSEC3 1 0 100 0123456789ABCDEF 5PMCTBRN3GQV2KV3MVKV66C5BFCOSM7I
4PPH7Q8R02M0AD8MLJPS0UEH2AB9KFJL.test.net. 86400 IN RRSIG NSEC3 7 3 86400 20090721085219 20090621084639 50417 test.net. uWbSe5g12MF07HK1I1Tq/w7LRcCdE+KWJ8YtKHryG7hBlqBeU6lHHvf3 8ND1mKyhpPwgUarHiZeNAhcYDo2oY00dj1Ltpc9vb7QZl2rBh8PLo1eZ FlhYNWqu6aH4OWaS5bG471EjnhM+jDpDJh5eqMYMNIr3D6Evy6UgErbb jN4=
5PMCTBRN3GQV2KV3MVKV66C5BFCOSM7I.test.net. 86400 IN NSEC3 1 0 100 0123456789ABCDEF K011G4RQVBP3KSK3MAIFS4TN9BISTPN1 A RRSIG

etc etc


but when I try to query for the RRSIG record I get an NXDOMAIN


[root at d62:Active] tools # dig @127.0.0.1 4PPH7Q8R02M0AD8MLJPS0UEH2AB9KFJL.test.net.
; <<>> DiG 9.6.1 <<>> @127.0.0.1 4PPH7Q8R02M0AD8MLJPS0UEH2AB9KFJL.test.net.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2512
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;4PPH7Q8R02M0AD8MLJPS0UEH2AB9KFJL.test.net. IN A
;; AUTHORITY SECTION:
test.net.               500     IN      SOA     d62.test.net. hostmaster.d62.test.net. 2009033114 10800 3600 604800 86400
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jun 24 05:20:37 2009
;; MSG SIZE  rcvd: 110

What am I doing wrong?

thanks

--
Jack Tavares
