dig -- only RRSIG present.

Michael Sinatra michael at rancid.berkeley.edu
Sun Feb 12 18:22:22 UTC 2012


On 02/12/12 09:40, dE . wrote:
> I'm trying to see DNSSEC response of various sites; my DNS server is
> 8.8.8.8 (google's public DNS service)
>
> Response is as such -
>
> dig +dnssec -t SOA org
>
> ; <<>> DiG 9.8.1 <<>> +dnssec -t SOA org
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20306
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 512
> ;; QUESTION SECTION:
> ;org. IN SOA
>
> ;; ANSWER SECTION:
> org. 899 IN SOA a0.org.afilias-nst.info. noc.afilias-nst.info.
> 2009954959 1800 900 604800 86400
> org. 899 IN RRSIG SOA 7 1 900 20120304071611 20120212061611 55440 org.
> M5Bi8pDPV3ux+FEK5GnJtxpL3X06reEIA+zkFk5YZK9U/LSAwAO+EdgG
> EQVOBpegjTTobmKJZLxl2e9E3t3zm0zaoYXXLGBfnSSNRiI4x4NtTqXE
> ElFtDCIyfqMwAMaiD9CAHwH/tiRfkV9VlWeAmCgIKZ6w7QVtXLPHwYA3 x2c=
>
> ;; Query time: 1371 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Sun Feb 12 12:49:02 2012
> ;; MSG SIZE rcvd: 258
>
> As we can see, the DNSKEY and DS RRs are missing, which are mandatory for
> this to be of any use. So where are they?

Well, the DS RR resides in the parent, not in the zone you're querying.
You need to ask for it explicitly.  Although DNSKEY records are in the
actual zone you're querying, you still need to ask for them explicitly.
They're there; you just need to ask for them.


> If I explicitly specify the name server to be one of the root nameservers -
>
> dig +dnssec -t SOA org 198.41.0.4

[snip]

Your dig foo is a bit off today.  Remember, to explicitly specify a name 
server, you need to prepend the IP address with @.  You meant to say:

dig +dnssec -t SOA org @198.41.0.4

What you ended up getting is the RRSIG for the root SOA and for the NSEC 
record for '198.41.0.4', since that doesn't exist in DNS.

michael
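To make the two points above concrete (the DS lives in the parent, the DNSKEY must be asked for explicitly, and the server goes after `@`), here is an added Python example that is not part of the thread: it parses the quoted dig answer, checks the RRSIG validity window against the time of the query, notes whether the resolver set the AD flag, and lists the follow-up queries still needed before the answer can be validated. The sample text, the key tag and the 8.8.8.8 resolver come from the quoted message (signature base64 shortened); the function names are my own.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the flags line and ANSWER SECTION quoted in the thread
# (the RRSIG base64 is shortened; the real value is in the quoted message).
SAMPLE = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
org. 899 IN SOA a0.org.afilias-nst.info. noc.afilias-nst.info. 2009954959 1800 900 604800 86400
org. 899 IN RRSIG SOA 7 1 900 20120304071611 20120212061611 55440 org. M5Bi8pDPV3ux...x2c=
"""

def _ts(s):
    # RRSIG times are YYYYMMDDHHmmSS in UTC (RFC 4034, section 3.2)
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    """Split one RRSIG presentation-format line into its RDATA fields."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: " + line)
    return {"owner": f[0], "type_covered": f[4], "algorithm": int(f[5]),
            "labels": int(f[6]), "orig_ttl": int(f[7]), "expiration": _ts(f[8]),
            "inception": _ts(f[9]), "key_tag": int(f[10]), "signer": f[11]}

def analyse(dig_output, now, server="8.8.8.8"):
    """Report what the answer contains and which queries are still needed to validate it."""
    m = re.search(r"flags: ([^;]*);", dig_output)
    flags = set(m.group(1).split()) if m else set()
    records = [l for l in dig_output.splitlines() if l and not l.startswith(";")]
    present = sorted({l.split()[3] for l in records})
    sigs = [parse_rrsig(l) for l in records if l.split()[3] == "RRSIG"]
    needed = []
    for s in sigs:
        # The key that produced the signature lives in the signer's own zone...
        if "DNSKEY" not in present:
            needed.append(f"dig +dnssec -t DNSKEY {s['signer']} @{server}")
        # ...while the DS that anchors that key lives in the parent zone.
        if "DS" not in present:
            needed.append(f"dig +dnssec -t DS {s['signer']} @{server}")
    return {"rrtypes": present,
            "resolver_validated": "ad" in flags,  # AD bit: resolver asserts it validated
            "sig_current": all(s["inception"] <= now <= s["expiration"] for s in sigs),
            "key_tags": [s["key_tag"] for s in sigs],
            "follow_up_queries": needed}

def sample_report():
    """Analyse the quoted answer at the time shown on its WHEN: line."""
    return analyse(SAMPLE, datetime(2012, 2, 12, 12, 49, 2, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(sample_report())
```

An RRSIG in the answer only tells you the zone is signed; without the AD flag from a validating resolver, or your own DNSKEY and DS lookups, nothing has actually been verified.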
