dig -- only RRSIG present.
dE .
de.techno at gmail.com
Sun Feb 12 17:40:53 UTC 2012
I'm trying to see the DNSSEC response of various sites; my DNS server is
8.8.8.8 (Google's public DNS service).
The response is as such -
dig +dnssec -t SOA org
; <<>> DiG 9.8.1 <<>> +dnssec -t SOA org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20306
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;org. IN SOA
;; ANSWER SECTION:
org. 899 IN SOA a0.org.afilias-nst.info.
noc.afilias-nst.info. 2009954959 1800 900 604800 86400
org. 899 IN RRSIG SOA 7 1 900
20120304071611 20120212061611 55440 org.
M5Bi8pDPV3ux+FEK5GnJtxpL3X06reEIA+zkFk5YZK9U/LSAwAO+EdgG
EQVOBpegjTTobmKJZLxl2e9E3t3zm0zaoYXXLGBfnSSNRiI4x4NtTqXE
ElFtDCIyfqMwAMaiD9CAHwH/tiRfkV9VlWeAmCgIKZ6w7QVtXLPHwYA3 x2c=
;; Query time: 1371 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Feb 12 12:49:02 2012
;; MSG SIZE rcvd: 258
As we can see, the DNSKEY and DS RRs are missing, which are mandatory for
this to be of any use. So where are they?
If I explicitly specify the name server to be one of the root nameservers -
dig +dnssec -t SOA org 198.41.0.4
; <<>> DiG 9.8.1 <<>> +dnssec -t SOA org 198.41.0.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62972
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;org. IN SOA
;; ANSWER SECTION:
org. 451 IN SOA a0.org.afilias-nst.info.
noc.afilias-nst.info. 2009954959 1800 900 604800 86400
org. 451 IN RRSIG SOA 7 1 900
20120304071611 20120212061611 55440 org.
M5Bi8pDPV3ux+FEK5GnJtxpL3X06reEIA+zkFk5YZK9U/LSAwAO+EdgG
EQVOBpegjTTobmKJZLxl2e9E3t3zm0zaoYXXLGBfnSSNRiI4x4NtTqXE
ElFtDCIyfqMwAMaiD9CAHwH/tiRfkV9VlWeAmCgIKZ6w7QVtXLPHwYA3 x2c=
;; Query time: 131 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Feb 12 12:56:30 2012
;; MSG SIZE rcvd: 258
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26058
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;198.41.0.4. IN SOA
;; AUTHORITY SECTION:
. 0 IN SOA a.root-servers.net.
nstld.verisign-grs.com. 2012021200 1800 900 604800 86400
. 0 IN RRSIG SOA 8 0 86400
20120219000000 20120211230000 51201 .
Es1RsMErjNpgyBqjHbUIVQ77hrA6quuq45ZNhiL1CwXkLpd9wnPVSlcu
xAcF675og+exWPBUMUBrXNTpYOI4a2Wrvkafd7629kT21alDyiUa28FC
P/P/pWOFVa0ceDDQGnwKg7ec4r+UyhoTLGmvlVpDjqMhmR17a02SLz31 a/Q=
. 86399 IN NSEC ac. NS SOA RRSIG NSEC DNSKEY
. 86399 IN RRSIG NSEC 8 0 86400
20120219000000 20120211230000 51201 .
hFSp9EIMo7fEbc3gKaZD8gH5XzUUjNy9rRGf0cW3mtHy8FoqaLg1eIfg
9CGjjWqx58t2R68O+/f7sQ6F4aysMA30aiYsOJXJRENEuzGKSGQiuRZE
nP3K5AjqcKmxgkllKAQWMITFU2HDXzgHH3iWOhxh6zdCV8hZe4xPv60Z Zp4=
;; Query time: 195 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Feb 12 12:56:30 2012
;; MSG SIZE rcvd: 454
I get 3 completely different RRSIGs, and the DNSKEY and DS are still
missing.
The last thing that I want to ask is about this string -
"M5Bi8pDPV3ux+FEK5GnJtxpL3X06reEIA+zkFk5YZK9U/LSAwAO+EdgG
EQVOBpegjTTobmKJZLxl2e9E3t3zm0zaoYXXLGBfnSSNRiI4x4NtTqXE
ElFtDCIyfqMwAMaiD9CAHwH/tiRfkV9VlWeAmCgIKZ6w7QVtXLPHwYA3 x2c="
which is a part of the RRSIG: is this a single key or multiple keys?
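The following is an added example, not part of the post or of BIND: it parses the RRSIG quoted above out of dig's wrapped presentation format (RFC 4034), splitting it into its fields so that the base64 tail is seen for what it is, a single signature made with the DNSKEY identified by key tag 55440 at the signer `org.`, whose 128-byte length also gives the size of the RSA key that produced it. The helper names (`parse_rrsigs`, `valid_at`, `RSA_ALGORITHMS`) and the sample text are this example's own.

```python
import base64
import re
from datetime import datetime, timezone

# RSA-based DNSSEC algorithm numbers (IANA registry); for these the signature is one modulus long.
RSA_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]+=*$")

def _ts(s):
    # RRSIG times are YYYYMMDDHHmmSS in UTC (RFC 4034, section 3.2).
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(text):
    """Return one dict per RRSIG in dig output; wrapped records are re-joined by tokenising."""
    tok, found = text.split(), []
    for i, t in enumerate(tok):
        if t != "RRSIG" or i < 3 or tok[i - 1] != "IN":
            continue
        f = tok[i + 1:i + 9]  # type covered, alg, labels, orig TTL, expiration, inception, key tag, signer
        chunks, j = [], i + 9
        # The base64 signature ends at the first non-base64 token (";;", an owner name with a
        # dot) or at the chunk carrying '=' padding, which is always the last one.
        while j < len(tok) and B64_TOKEN.match(tok[j]):
            chunks.append(tok[j]); j += 1
            if chunks[-1].endswith("="):
                break
        sig = base64.b64decode("".join(chunks))
        found.append({
            "owner": tok[i - 3], "type_covered": f[0], "algorithm": int(f[1]),
            "labels": int(f[2]), "original_ttl": int(f[3]),
            "expiration": _ts(f[4]), "inception": _ts(f[5]),
            "key_tag": int(f[6]), "signer": f[7], "signature": sig,
            # Signature length reveals the RSA key size; the key tag says which DNSKEY to fetch.
            "rsa_modulus_bits": len(sig) * 8 if int(f[1]) in RSA_ALGORITHMS else None,
        })
    return found

def valid_at(rrsig, when):
    """A validator rejects the signature outside its [inception, expiration] window."""
    return rrsig["inception"] <= when <= rrsig["expiration"]

# Constructed input: the org. RRSIG exactly as quoted in the post above.
SAMPLE = """
org. 899 IN RRSIG SOA 7 1 900
20120304071611 20120212061611 55440 org.
M5Bi8pDPV3ux+FEK5GnJtxpL3X06reEIA+zkFk5YZK9U/LSAwAO+EdgG
EQVOBpegjTTobmKJZLxl2e9E3t3zm0zaoYXXLGBfnSSNRiI4x4NtTqXE
ElFtDCIyfqMwAMaiD9CAHwH/tiRfkV9VlWeAmCgIKZ6w7QVtXLPHwYA3 x2c=
"""
```

Run `parse_rrsigs(SAMPLE)` and the single record it returns carries key tag 55440, a 128-byte signature (a 1024-bit RSA key) and a validity window of 2012-02-12 to 2012-03-04; the DNSKEY and DS records themselves are separate RR types and have to be queried for explicitly.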