dig -- only RRSIG present.

dE . de.techno at gmail.com
Sun Feb 12 17:40:53 UTC 2012


I'm trying to see the DNSSEC responses of various sites; my DNS server is 
8.8.8.8 (Google's public DNS service).

The response is as follows -

dig +dnssec -t SOA org

; <<>> DiG 9.8.1 <<>> +dnssec -t SOA org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20306
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;org.                           IN      SOA

;; ANSWER SECTION:
org.                    899     IN      SOA     a0.org.afilias-nst.info. 
noc.afilias-nst.info. 2009954959 1800 900 604800 86400
org.                    899     IN      RRSIG   SOA 7 1 900 
20120304071611 20120212061611 55440 org. 
M5Bi8pDPV3ux+FEK5GnJtxpL3X06reEIA+zkFk5YZK9U/LSAwAO+EdgG 
EQVOBpegjTTobmKJZLxl2e9E3t3zm0zaoYXXLGBfnSSNRiI4x4NtTqXE 
ElFtDCIyfqMwAMaiD9CAHwH/tiRfkV9VlWeAmCgIKZ6w7QVtXLPHwYA3 x2c=

;; Query time: 1371 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Feb 12 12:49:02 2012
;; MSG SIZE  rcvd: 258

As we can see, the DNSKEY and DS RRs are missing, which are mandatory for 
this to be of any use. So where are they?

If I explicitly specify the name server to be one of the root name servers -

dig +dnssec -t SOA org 198.41.0.4

; <<>> DiG 9.8.1 <<>> +dnssec -t SOA org 198.41.0.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62972
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;org.                           IN      SOA

;; ANSWER SECTION:
org.                    451     IN      SOA     a0.org.afilias-nst.info. 
noc.afilias-nst.info. 2009954959 1800 900 604800 86400
org.                    451     IN      RRSIG   SOA 7 1 900 
20120304071611 20120212061611 55440 org. 
M5Bi8pDPV3ux+FEK5GnJtxpL3X06reEIA+zkFk5YZK9U/LSAwAO+EdgG 
EQVOBpegjTTobmKJZLxl2e9E3t3zm0zaoYXXLGBfnSSNRiI4x4NtTqXE 
ElFtDCIyfqMwAMaiD9CAHwH/tiRfkV9VlWeAmCgIKZ6w7QVtXLPHwYA3 x2c=

;; Query time: 131 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Feb 12 12:56:30 2012
;; MSG SIZE  rcvd: 258

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26058
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;198.41.0.4.                    IN      SOA

;; AUTHORITY SECTION:
.                       0       IN      SOA     a.root-servers.net. 
nstld.verisign-grs.com. 2012021200 1800 900 604800 86400
.                       0       IN      RRSIG   SOA 8 0 86400 
20120219000000 20120211230000 51201 . 
Es1RsMErjNpgyBqjHbUIVQ77hrA6quuq45ZNhiL1CwXkLpd9wnPVSlcu 
xAcF675og+exWPBUMUBrXNTpYOI4a2Wrvkafd7629kT21alDyiUa28FC 
P/P/pWOFVa0ceDDQGnwKg7ec4r+UyhoTLGmvlVpDjqMhmR17a02SLz31 a/Q=
.                       86399   IN      NSEC    ac. NS SOA RRSIG NSEC DNSKEY
.                       86399   IN      RRSIG   NSEC 8 0 86400 
20120219000000 20120211230000 51201 . 
hFSp9EIMo7fEbc3gKaZD8gH5XzUUjNy9rRGf0cW3mtHy8FoqaLg1eIfg 
9CGjjWqx58t2R68O+/f7sQ6F4aysMA30aiYsOJXJRENEuzGKSGQiuRZE 
nP3K5AjqcKmxgkllKAQWMITFU2HDXzgHH3iWOhxh6zdCV8hZe4xPv60Z Zp4=

;; Query time: 195 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Feb 12 12:56:30 2012
;; MSG SIZE  rcvd: 454


I get 3 completely different RRSIGs, and the DNSKEY and DS are still 
missing.

The last thing I want to ask is about this string -

"M5Bi8pDPV3ux+FEK5GnJtxpL3X06reEIA+zkFk5YZK9U/LSAwAO+EdgG 
EQVOBpegjTTobmKJZLxl2e9E3t3zm0zaoYXXLGBfnSSNRiI4x4NtTqXE 
ElFtDCIyfqMwAMaiD9CAHwH/tiRfkV9VlWeAmCgIKZ6w7QVtXLPHwYA3 x2c="

which is a part of the RRSIG: is this a single key or multiple keys?
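An added worked example (editor's code, not part of the post above and not
BIND code): the base64 blob in an RRSIG is the signature over the covered
RRset, not a key, so it never carries DNSKEY or DS data. Those are separate
RRsets that have to be asked for by type ('dig +dnssec DNSKEY org' and
'dig +dnssec DS org'); the RRSIG's key tag (55440 for org, 51201 for the
root) says which DNSKEY the signature was made with. Two other things the
output itself shows: the flags line has no 'ad' bit, so 8.8.8.8 handed back
the records without validating them, and without an '@' in front of
198.41.0.4 dig treats it as a second query name, which is why the third
response is an NXDOMAIN for '198.41.0.4.' answered by 8.8.8.8 rather than
anything from a root server. The script below rejoins the mail-wrapped
records copied from the post, splits each RRSIG into its RFC 4034 fields,
decodes the signature, and reports its length (128 bytes for all of them,
i.e. a 1024-bit RSA signing key), whether it is inside its validity window
at the post's timestamp, and whether the labels field indicates a wildcard
expansion. The field regex, the unwrap heuristic and the POST_TIME constant
are this example's own assumptions.

```python
"""Inspect the RRSIG records from a dig +dnssec answer (added example, not from the post)."""
import base64
import re
from datetime import datetime, timezone

# DNSSEC algorithm numbers from the IANA registry (RFC 4034, RFC 5155, RFC 5702).
# For these RSA algorithms the signature is exactly one modulus long (RFC 3110).
RSA_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}

# Records copied from the three responses in the post, mail wrapping intact.
# The org RRSIG appears twice because the first two responses carried it unchanged.
DIG_OUTPUT = """
org.                    899     IN      SOA     a0.org.afilias-nst.info.
noc.afilias-nst.info. 2009954959 1800 900 604800 86400
org.                    899     IN      RRSIG   SOA 7 1 900
20120304071611 20120212061611 55440 org.
M5Bi8pDPV3ux+FEK5GnJtxpL3X06reEIA+zkFk5YZK9U/LSAwAO+EdgG
EQVOBpegjTTobmKJZLxl2e9E3t3zm0zaoYXXLGBfnSSNRiI4x4NtTqXE
ElFtDCIyfqMwAMaiD9CAHwH/tiRfkV9VlWeAmCgIKZ6w7QVtXLPHwYA3 x2c=
org.                    451     IN      RRSIG   SOA 7 1 900
20120304071611 20120212061611 55440 org.
M5Bi8pDPV3ux+FEK5GnJtxpL3X06reEIA+zkFk5YZK9U/LSAwAO+EdgG
EQVOBpegjTTobmKJZLxl2e9E3t3zm0zaoYXXLGBfnSSNRiI4x4NtTqXE
ElFtDCIyfqMwAMaiD9CAHwH/tiRfkV9VlWeAmCgIKZ6w7QVtXLPHwYA3 x2c=
.                       0       IN      RRSIG   SOA 8 0 86400
20120219000000 20120211230000 51201 .
Es1RsMErjNpgyBqjHbUIVQ77hrA6quuq45ZNhiL1CwXkLpd9wnPVSlcu
xAcF675og+exWPBUMUBrXNTpYOI4a2Wrvkafd7629kT21alDyiUa28FC
P/P/pWOFVa0ceDDQGnwKg7ec4r+UyhoTLGmvlVpDjqMhmR17a02SLz31 a/Q=
.                       86399   IN      NSEC    ac. NS SOA RRSIG NSEC DNSKEY
.                       86399   IN      RRSIG   NSEC 8 0 86400
20120219000000 20120211230000 51201 .
hFSp9EIMo7fEbc3gKaZD8gH5XzUUjNy9rRGf0cW3mtHy8FoqaLg1eIfg
9CGjjWqx58t2R68O+/f7sQ6F4aysMA30aiYsOJXJRENEuzGKSGQiuRZE
nP3K5AjqcKmxgkllKAQWMITFU2HDXzgHH3iWOhxh6zdCV8hZe4xPv60Z Zp4=
"""

# Assumed reference time for the validity check: the timestamp of the post.
POST_TIME = datetime(2012, 2, 12, 17, 40, 53, tzinfo=timezone.utc)

# A record starts with '<owner> <ttl> IN'; anything else is a wrapped continuation.
RECORD_START = re.compile(r"^\S+\s+\d+\s+IN\s+")
# RRSIG RDATA field order per RFC 4034 section 3.2.
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+"
    r"(?P<covered>\S+)\s+(?P<alg>\d+)\s+(?P<labels>\d+)\s+(?P<orig_ttl>\d+)\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+(?P<keytag>\d+)\s+"
    r"(?P<signer>\S+)\s+(?P<sig>.+)$"
)


def unwrap(text):
    """Rejoin records that a mail client wrapped onto several lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records


def parse_rrsig(record):
    """Split one RRSIG record into its fields and decode the signature bytes."""
    m = RRSIG_RE.match(record)
    if not m:
        raise ValueError("not an RRSIG record: %r" % record)
    alg = int(m.group("alg"))
    stamp = "%Y%m%d%H%M%S"
    return {
        "owner": m.group("owner"),
        "type_covered": m.group("covered"),
        "algorithm": alg,
        "algorithm_name": RSA_ALGORITHMS.get(alg, "non-RSA(%d)" % alg),
        "labels": int(m.group("labels")),
        "original_ttl": int(m.group("orig_ttl")),
        "expiration": datetime.strptime(m.group("expiration"), stamp).replace(tzinfo=timezone.utc),
        "inception": datetime.strptime(m.group("inception"), stamp).replace(tzinfo=timezone.utc),
        "key_tag": int(m.group("keytag")),
        "signer": m.group("signer"),
        # The base64 blob is the signature over the covered RRset, not key material.
        "signature": base64.b64decode("".join(m.group("sig").split()), validate=True),
    }


def rsa_modulus_bits(rrsig):
    """Signature length equals modulus length for RSA, so it reveals the key size."""
    if rrsig["algorithm"] not in RSA_ALGORITHMS:
        return None
    return len(rrsig["signature"]) * 8


def valid_at(rrsig, when):
    """The inception/expiration window check a validator applies before trusting a signature."""
    return rrsig["inception"] <= when <= rrsig["expiration"]


def is_wildcard_expansion(rrsig):
    """RFC 4035 5.3.4: fewer labels in the RRSIG than in the owner name means wildcard synthesis."""
    owner_labels = 0 if rrsig["owner"] == "." else rrsig["owner"].rstrip(".").count(".") + 1
    return rrsig["labels"] < owner_labels


def parse_all(text):
    """All RRSIG records in a dig answer, in order; other record types are skipped."""
    return [parse_rrsig(r) for r in unwrap(text) if RRSIG_RE.match(r)]


if __name__ == "__main__":
    for s in parse_all(DIG_OUTPUT):
        print("%s %s signed by %s key tag %d (%s): %d-byte signature, %s-bit RSA, "
              "valid at post time: %s, wildcard: %s" % (
                  s["owner"], s["type_covered"], s["signer"], s["key_tag"], s["algorithm_name"],
                  len(s["signature"]), rsa_modulus_bits(s), valid_at(s, POST_TIME),
                  is_wildcard_expansion(s)))
```

Running it prints one line per RRSIG; the two org records decode to the
identical 128-byte signature under key tag 55440, and the two root records
are different signatures (they cover different RRsets, SOA and NSEC) under
key tag 51201. To go from a key tag to the key itself, fetch the DNSKEY
RRset for the signer name and compute each key's tag as RFC 4034 appendix B
describes; the DS for org lives in the parent zone, so it comes back from a
query for 'DS org', not from the org SOA answer.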



More information about the bind-users mailing list