Behavior of delegation records for dnssec
marka at isc.org
Tue May 11 06:08:35 UTC 2010
In message <AANLkTil45QVWbpxOgLSsjXfEjKHMvyPSrQwfwJ_gJeam at mail.gmail.com>, rams
> I have delegation of NS records in my zone and I signed zone using RSASHA1
> algorithm. It is signed successfully. When I checked the zone I am not
> seeing RRSIG for delegated NS records.
There aren't supposed to be any. The child zone is authoritative
for the NS RRset and signs it. Similarly glue records are signed
by the zone that owns them not the parent zone.
> When I query for delegated NS record
> with dnssec, it is returning NS records, NSEC and RRSIG for NSEC and also
> glue records returned in additional section without any RRSIG. Dig results
> are given below.
The NSEC record proves that the delegation exists and that it is an
insecure delegation (no DS records).
> ; <<>> DiG 9.6.1-P3 <<>> @localhost srs.net.nu.moon. A +dnssec
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40245
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 6
> ;; WARNING: recursion requested but not available
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;srs.net.nu.moon. IN A
> ;; AUTHORITY SECTION:
> srs.net.nu.moon. 86400 IN NS ns1.dns.net.nu.moon.
> srs.net.nu.moon. 86400 IN NS ns2.dns.net.nu.moon.
> srs.net.nu.moon. 86400 IN NS ns3.dns.net.nu.moon.
> srs.net.nu.moon. 86400 IN NSEC net.nu.moon. NS RRSIG NSEC
> srs.net.nu.moon. 86400 IN RRSIG NSEC 5 4 86400
> 20100521075518 20100421075518 57966 net.nu.moon.
> ;; ADDITIONAL SECTION:
> ns1.dns.net.nu.moon. 86400 IN A 22.214.171.124
> ns1.dns.net.nu.moon. 86400 IN AAAA 2001:dce:2000:2::130
> ns2.dns.net.nu.moon. 86400 IN A 126.96.36.199
> Why am I not getting RRSIG for NS records and also RRSIG for additional
> section records. Is there any configuration required for glue records and
> delegated records. Please clarify me on this.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
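
Added example, not part of the original thread and not BIND code: a small Python check that reads a referral's authority section and applies the reasoning in the reply above (NS at the delegation is unsigned; an NSEC whose type bitmap has NS but neither DS nor SOA proves an insecure delegation). The function names and result strings are hypothetical, an NSEC-signed parent is assumed, and signatures are only checked for presence, not verified.

```python
# Constructed sample: the AUTHORITY section of the dig output quoted in this
# thread (the RRSIG signature data is absent there and is omitted here too).
SAMPLE = """\
srs.net.nu.moon. 86400 IN NS ns1.dns.net.nu.moon.
srs.net.nu.moon. 86400 IN NS ns2.dns.net.nu.moon.
srs.net.nu.moon. 86400 IN NS ns3.dns.net.nu.moon.
srs.net.nu.moon. 86400 IN NSEC net.nu.moon. NS RRSIG NSEC
srs.net.nu.moon. 86400 IN RRSIG NSEC 5 4 86400 20100521075518 20100421075518 57966 net.nu.moon.
"""

def parse(text):
    """Yield (owner, type, rdata_fields) for each presentation-format RR line."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and not line.startswith(";"):
            yield f[0].lower(), f[3].upper(), f[4:]

def classify_referral(text):
    """Classify the delegation described by a referral's authority section."""
    rrs = list(parse(text))
    cuts = {owner for owner, rtype, _ in rrs if rtype == "NS"}
    if len(cuts) != 1:
        return "not a single referral"
    cut = cuts.pop()
    at_cut = [(rtype, rdata) for owner, rtype, rdata in rrs if owner == cut]
    # First RDATA field of an RRSIG is the type it covers.
    covered = {rdata[0].upper() for rtype, rdata in at_cut if rtype == "RRSIG"}
    if "NS" in covered:
        return "not a referral: NS is signed, server is authoritative for it"
    if any(rtype == "DS" for rtype, _ in at_cut):
        return "secure delegation" if "DS" in covered else "bogus: unsigned DS"
    nsec = [rdata for rtype, rdata in at_cut if rtype == "NSEC"]
    if not nsec or "NSEC" not in covered:
        return "bogus: no signed proof that DS is absent"
    bitmap = {t.upper() for t in nsec[0][1:]}  # rdata[0] is the next owner name
    if "NS" in bitmap and "DS" not in bitmap and "SOA" not in bitmap:
        return "insecure delegation"
    return "bogus: NSEC bitmap does not prove absence of DS"

if __name__ == "__main__":
    print(classify_referral(SAMPLE))
```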