dig -- only RRSIG present.

Phil Mayers p.mayers at imperial.ac.uk
Mon Feb 13 12:45:18 UTC 2012

On 13/02/12 12:28, dE . wrote:
> On 02/13/12 11:00, Spain, Dr. Jeffry A. wrote:
>>> Using this DNS server, I'm still not getting the DNSKEY for any
>>> DNSSEC capable domain; infact this server has issues -
>>> dig +dnssec -t A dnssec.net @bind.odvr.dns-oarc.net.
>>> I'd be really happy if I could get some domains which are signed.
>> Try this one: dig @bind.odvr.dns-oarc.net. isc.org +dnssec
>> You should get an AD flag returned and a variety of RRSIG records. Jeff.
> I hope I'm not missing any concepts here, but there should be a public
> key to verify the RRSIG, where's that? Shouldn't the server return
> additional DNSKEY records?


The RRSIG records are signatures of the name you did the query for, so 
are included in the same response.

The DNSKEY records are common to thousands of signatures, and it would 
therefore be a waste of bandwidth to include them in every response. 
They are separate records, which have to be fetched separately.

More information about the bind-users mailing list