ad flag for RRSIG queries

Kalman Feher kalman.feher at melbourneit.com.au
Wed Jul 14 11:50:15 UTC 2010


Using bind 9.7.1. w/ IANA test bed and not DLV:
dig +dnssec rrsig www.iis.se

; <<>> DiG 9.7.1 <<>> +dnssec rrsig www.iis.se
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49621
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;www.iis.se.                    IN      RRSIG

;; ANSWER SECTION:
www.iis.se.             60      IN      RRSIG   NSEC 5 3 14400
20100723102502 20100713102502 3932 iis.se.
n+0mfgfl9Ov76DZlF6BZoyGNJSc3GX/RFTaWOVStNIqPPGW13b/zuvBr
ml3g556jt6GibbVp5apJ3FuQeqI9v6U4SOA36AqjhE5zMhbx2w+gAyez
5DDPyr1NOCC6E0f0cPGYj48O/aNIEXJKjyTJ0vwuwwLYiDt7jI8CNxcD Zec=
www.iis.se.             60      IN      RRSIG   AAAA 5 3 3600 20100723102502
20100713102502 3932 iis.se.
EOM2vHFm1XrQYe3xyiT+CCLU49XljlFpZzFUKZZWZb2l6hRjh9OnrTYJ
bP817UA2OgKEs4Pdp6ZugQIiYhAViRd6EMlMPSyb+9YHCMioQ7JLrxfY
D9K4BJOAmtBFpzL4laG5SltCx9FEesIWAYOySApVmM+uTBoRDXBHK23Z 9aw=
www.iis.se.             60      IN      RRSIG   A 5 3 60 20100723102502
20100713102502 3932 iis.se.
MF5Qq5yBzQ+ZvDvcfGBoVn6ym3EzCOVVqQY2ghVxBoSCQ9Hrh1/0nOj9
39Mr5incAefjg0mXSSvDo9WqFUm1cqUcQ4UJuOoT7VzDiC2OilAxr2xe
fo6pivkNlHGIPzbXjSrq65292YIKgQnPXleTtH4HepUmn6bESQI/ioaB 9xk=
 
and the other domain

 dig +dnssec -t RRSIG www.forfunsec.org

; <<>> DiG 9.7.1 <<>> +dnssec -t RRSIG www.forfunsec.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8864
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;www.forfunsec.org.             IN      RRSIG

;; ANSWER SECTION:
www.forfunsec.org.      3291    IN      RRSIG   AAAA 7 3 36000
20100813101841 20100714101841 50402 forfunsec.org.
ixahCFi//d5CBf0ScxkwcYSCZv+RhfckdVscoVLxov6BGQ8F+skuy/AS
WB69Dt9Q5uKjFGPNLmAnBbLL+f5ShQ/0VXAoyHCKRtiBofNFDK19VfvI
y03pKjRYhAewZq5ztNzmMWH6pI014l4t6FX+Axj0dRWown6Ep0+MRYJF pGg=
www.forfunsec.org.      3291    IN      RRSIG   SSHFP 7 3 86400
20100813101841 20100714101841 50402 forfunsec.org.
diOATJqAlbwIljg6ZcFxpsMPObTo8wmXyMORzZxErWxnFbpcks+ePx1t
cmxKvmTKTGJ15yVab6aV+BLbxKwpIHeXLttBvWVH49twAeQrurnHmOfE
UPSUzxu7bpG2czbNXk2bKuG8MyRC6Oep50sY1/ZdzAv0PN6BUokEAyJG PvQ=
www.forfunsec.org.      3291    IN      RRSIG   A 7 3 3600 20100813101841
20100714101841 50402 forfunsec.org.
Gkk25aX2wRSwwEqAvazUqmdWXW9P7iW/j2LcRbuUnJnEleQYr2OWuLNf
60spJ2xFI7zD10DQcgXBnjU4lf4qozOd9w9iNzzAqFOyZ5EftSv0j2Go
BZZQWAztx/JLoFyLC8EkygySl4APxWTxbb5J4FWyMuSRlG392DBDL/GS 4FI=


So it looks ok from my box.

On 14/07/10 10:49 AM, "Marco Davids (SIDN)" <marco.davids at sidn.nl> wrote:

> On 07/14/10 00:43, Doug Barton wrote:
> 
>>>>> Can anyone explain to me why the 'ad'-flag is set for this query?
>>>>> 
>>>>> dig +dnssec -t RRSIG www.forfunsec.org
>>>> 
>>> I use BIND 9.7.0rc1, configured to work with the IANA testbed.
> 
>> I'd be interested to see what happens if you upgrade to the latest
>> versions in each branch (the 9.7.x server above
>> What you're seeing sounds like a bug, hopefully one that's been fixed
>> (as it seems to be in 9.7.1-P1).
> 
> I just upgraded one machine to 9.7.1-P1 (configured to use DLV).
> 
> Same result...
> 
> ; <<>> DiG 9.7.1-P1 <<>> +dnssec rrsig www.iis.se @localhost
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48545
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;www.iis.se.   IN RRSIG
> 
> ;; ANSWER SECTION:
> www.iis.se.  6 IN RRSIG A 5 3 60 20100723102502 20100713102502 3932
> iis.se. MF5Qq5yBzQ+ZvDvcfGBoVn6ym3EzCOVVqQY2ghVxBoSCQ9Hrh1/0nOj9
> 39Mr5incAefjg0mXSSvDo9WqFUm1cqUcQ4UJuOoT7VzDiC2OilAxr2xe
> fo6pivkNlHGIPzbXjSrq65292YIKgQnPXleTtH4HepUmn6bESQI/ioaB 9xk=
> 
> ;; AUTHORITY SECTION:
> iis.se.   3545 IN NS ns2.nic.se.
> iis.se.   3545 IN NS ns.nic.se.
> iis.se.   3545 IN NS ns3.nic.se.
> iis.se.   3545 IN RRSIG NS 5 2 3600 20100723102502 20100713102502 3932
> iis.se. JRJ11qCnEFgVFY0ZDfevfd7Colywb7tlgFXWXOjq0ikqCX8lvcIBKbik
> RQ+NqwBsHE4aa4E9QLVaruFTg+5tYIKWdonDjk8Kon+8f4oAf9cy9Yjs
> Ldg0N6wa2HsTlHAq+EdlvXKgZvs8qCkY87iwkVLqn0bp704yacQhVKIQ yXA=
> 
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Wed Jul 14 04:46:41 2010
> ;; MSG SIZE  rcvd: 428
> 
> 
> dig +short chaos txt version.bind @localhost
> "9.7.1-P1"
> 
> --
> Marco
> 
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Kal Feher 




More information about the bind-users mailing list