Entired NS crashed

Torinthiel torinthiel at data.pl
Sun Jan 2 12:07:28 UTC 2011


Michelle Konzack pisze:
> As far as I can see, 'dig +dnssec www.tamay-dogan.net' give a nice output
> but how can I know, the expiration date?
>
> Is this the timestamp here:
>
> tamay-dogan.net.        3600    IN      RRSIG   SOA 5 2 3600 20110131191903
>   
Nope

> ----[ command 'dig +dnssec tamay-dogan.net' ]-----------------------
> tamay-dogan.net.        3600    IN      SOA     dns1.tamay-dogan.net. hostmaster.tamay-dogan.net. 1292829280 10800 3600 604800 86400
> tamay-dogan.net.        3600    IN      RRSIG   SOA 5 2 3600 20110131191903 20110101191903 12795 tamay-dogan.net. lti7l2JlLeIATApQfWp3BdPTH4MiP75crl4921bC1qdOXfWJH4La+L58 t0hVMmzNaNbLDH36cQwrYdQvaBJHPkQEwi2Mr8WP0jCSp+bpc2lEP6sz f+kRGWYITjuxAwFsSdhVR+EQd4pIupa16ylJ65OWcBGlIHbC5eA5KSN4 lTk=
>   
The RRSIG here has two numbers: 20110131191903 20110101191903. Look at it
carefully: 2011-01-31 19:19:03
Looks like a date? The first one is when this signature stops being
valid, the second when it starts, both in UTC time. So in this case your
signature on the SOA record is valid almost all of January.
There's nothing stopping you from having different validity periods on
different signatures, it's all per-signature.
> tamay-dogan.net.        86400   IN      NSEC    admin.tamay-dogan.net. NS SOA MX TXT RRSIG NSEC DNSKEY
> tamay-dogan.net.        86400   IN      RRSIG   NSEC 5 2 86400 20110131191903 20110101191903 12795 tamay-dogan.net. YS5Y44ywYrsjbSJmtFgF9hk8K80VWLuyLRuDxLeO84kXA/hN9i8mzzDy XYIoiUwWbyeKxEIhqAdA6gekLU2Z+ZuNsSGnPUcCdfZD+GiWEneeWGg/ LcIi9FWTf7J++yGnVMA5Ng6vZ3SgTtiC7r74ZZytm7FkijxCwd8tRyKy a9c=
> ------------------------------------------------------------------------
>
> which I could grep?  And what is NSEC entry?
> Why is the VHost <admin.tamay-dogan.net> there?
>   
And the NSEC is used in authenticated denial of existence. It tells that
there are NS, SOA etc. records with name tamay-dogan.net, and that the next
name with any content is admin.tamay-dogan.net.
So, if e.g. you've asked for abyss.tamay-dogan.net the NS could present
you with this RR and its signature and prove that abyss.tamay-dogan.net
(which falls between tamay-dogan.net and admin.tamay-dogan.net) does not
exist.
As a side effect, it's now possible to enumerate every record in your zone.
If you're concerned about this, consider switching to NSEC3, which makes
it much harder.

Regards,
Torinthiel
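As an added example (not part of the thread), the following Python parses the RRSIG and NSEC lines quoted above, reports each signature's validity window against a chosen time, and checks whether an NSEC record covers a queried name under DNSSEC canonical ordering. The sample input is the dig output from the thread with the base64 signature data shortened; the function names are my own.

```python
from datetime import datetime, timezone

# Constructed sample: the dig output quoted in the thread, with the
# base64 signature data shortened to "..." (only the fixed fields are parsed).
DIG_OUTPUT = """\
tamay-dogan.net.        3600    IN      RRSIG   SOA 5 2 3600 20110131191903 20110101191903 12795 tamay-dogan.net. lti7l2Jl...
tamay-dogan.net.        86400   IN      NSEC    admin.tamay-dogan.net. NS SOA MX TXT RRSIG NSEC DNSKEY
tamay-dogan.net.        86400   IN      RRSIG   NSEC 5 2 86400 20110131191903 20110101191903 12795 tamay-dogan.net. YS5Y44yw...
"""

def parse_rrsig_time(ts):
    """RRSIG expiration/inception are YYYYMMDDHHmmSS in UTC (RFC 4034 presentation format)."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def rrsig_windows(text):
    """Map each covered type to its (inception, expiration) window."""
    windows = {}
    for line in text.splitlines():
        f = line.split()
        # owner ttl class RRSIG type alg labels origttl expiration inception keytag signer sig
        if len(f) >= 10 and f[3] == "RRSIG":
            windows[f[4]] = (parse_rrsig_time(f[9]), parse_rrsig_time(f[8]))
    return windows

def rrsig_status(text, now):
    """Classify each signature at `now` as 'not yet valid', 'valid' or 'expired'."""
    status = {}
    for rtype, (inception, expiration) in rrsig_windows(text).items():
        if now < inception:
            status[rtype] = "not yet valid"
        elif now > expiration:
            status[rtype] = "expired"
        else:
            status[rtype] = "valid"
    return status

def seconds_until_expiry(text, now):
    """Seconds until the earliest expiration; negative means a signature has already expired."""
    return min(int((exp - now).total_seconds()) for _, exp in rrsig_windows(text).values())

def canonical_key(name):
    """Sort key for DNSSEC canonical name order (RFC 4034 s6.1): labels right to left, case-folded."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))

def nsec_covers(owner, next_name, qname):
    """True if the NSEC (owner -> next_name) proves qname does not exist, i.e. qname sorts strictly between them."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if n <= o:  # last NSEC in the zone wraps around to the apex
        return q > o or q < n
    return o < q < n
```

The windows are keyed by covered type, so feed it one owner name's records at a time; a monitoring check would call `seconds_until_expiry` with the current UTC time and alert well before it reaches zero.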



More information about the bind-users mailing list