A few conceptual question about dnssec.
Gaurav kansal
gaurav.kansal at nic.in
Fri Feb 17 19:06:00 UTC 2012
Firstly, where do we get the public key for the DS records?
Can you clarify your question?
Second, why do I get multiple DS records as response? -
You will always get 2 DS records in the response: one for SHA-1 and a second for
SHA-256.
_____
dig +dnssec -t DS isc.org @b0.org.afilias-nst.org.
; <<>> DiG 9.8.1 <<>> +dnssec -t DS isc.org @b0.org.afilias-nst.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32385
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;isc.org. IN DS
;; ANSWER SECTION:
isc.org. 86400 IN DS 12892 5 2
F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
isc.org. 86400 IN DS 12892 5 1
982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
isc.org. 86400 IN RRSIG DS 7 2 86400 20120309160141
20120217150141 55440 org.
SHpqmMeBQAyBB5LgBcrR5FcZiWiEudop/fl7X1xgz31XG4vFFQzq57RI
q0hUkWZ0dR5oBCpRC15osOXSZEwVuz3LXXUd63GpI5aoGv/OtyPI/w4Y
TedgweoE9PWovcx6Ahr2WonckP2YqTsHqzxwr+VSiiMFMe2VVquTo4/v EjE=
;; Query time: 339 msec
;; SERVER: 199.19.54.1#53(199.19.54.1)
;; WHEN: Fri Feb 17 23:36:01 2012
;; MSG SIZE rcvd: 283
_____
Why do I get multiple RRSIG records from some servers? -
You will get a single RRSIG per RRset.
_____
dig +dnssec -t NS yahoo.com @g.gtld-servers.net.
; <<>> DiG 9.8.1 <<>> +dnssec -t NS yahoo.com @g.gtld-servers.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35065
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 6
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;yahoo.com. IN NS
;; AUTHORITY SECTION:
yahoo.com. 172800 IN NS ns1.yahoo.com.
yahoo.com. 172800 IN NS ns5.yahoo.com.
yahoo.com. 172800 IN NS ns2.yahoo.com.
yahoo.com. 172800 IN NS ns3.yahoo.com.
yahoo.com. 172800 IN NS ns4.yahoo.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 -
CK3O3O11OF9QR6F29BIIMK6FFD57PGE2 NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400
20120222012103 20120215001103 54350 com.
gf6tXFAK2gwY3wjtBOuPN8Hai0kNguudAzewQLf3ZGxhbXxKoB0/+JvC
yAjgBhMF9E1GIVVLmgjrkJXpMxL1n2PjAjBx/R8kZ+W+flKehXDBPmX9
TDnbrJ9EHytM6/JN4loGB1cAYeQXrN8TE3jNzWneiFYPFwgCIT21qo0l RE8=
GP1945PGQIOH4O61BM3RUL2EVN04SPIA.com. 86400 IN NSEC3 1 1 0 -
GPLVOUV0V27L8DPOOBNLQU1VHFRMMPUT NS DS RRSIG
GP1945PGQIOH4O61BM3RUL2EVN04SPIA.com. 86400 IN RRSIG NSEC3 8 2 86400
20120224144059 20120217133059 54350 com.
NiD8Fe9hm7I2mgfjoXph2yiODqiuS9t/ZSM9pEuZ6gP9/xM6odKAwFC+
3egy+8F8yVjFth63MLIUOeCcwZBYKzymo4wJ2hddaddqBnNTYj0BAYXn
YZdmf0OmCTvhDe5EXcIWH14DiCOjITeZR/CX3wfP8aUu9CGOYDAR8/1M /Ds=
;; ADDITIONAL SECTION:
ns1.yahoo.com. 172800 IN A 68.180.131.16
ns5.yahoo.com. 172800 IN A 119.160.247.124
ns2.yahoo.com. 172800 IN A 68.142.255.16
ns3.yahoo.com. 172800 IN A 121.101.152.99
ns4.yahoo.com. 172800 IN A 68.142.196.63
;; Query time: 386 msec
;; SERVER: 192.42.93.30#53(192.42.93.30)
;; WHEN: Fri Feb 17 23:40:26 2012
;; MSG SIZE rcvd: 693
_____
Do we get a RRSIG for each RR retrieved? If so, why does -
Not for each RR, but for each RRset.
_____
dig +dnssec -t NS com @a.root-servers.net.
; <<>> DiG 9.8.1 <<>> +dnssec -t NS com @a.root-servers.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44852
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 16
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;com. IN NS
;; AUTHORITY SECTION:
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 86400 IN DS 30909 8 2
E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com. 86400 IN RRSIG DS 8 1 86400 20120224000000
20120216230000 51201 .
IuENP04r85gzobEOPGEWr+cRxuPep8KWQgp0P9e3RxVlL5ZFaSzUHjVg
SQL7LMHn31FfiUDrGW9oTs3knqqGNbex+LDB9lIq17dEN3k1A+1emHcN
MF6kDBCoSPiU9yvaxZkII4Omj051XyHH+5st8cpZemLgR/n+2gtDpvPV PeY=
;; ADDITIONAL SECTION:
a.gtld-servers.net. 86400 IN AAAA 2001:503:a83e::2:30
a.gtld-servers.net. 86400 IN A 192.5.6.30
b.gtld-servers.net. 86400 IN AAAA 2001:503:231d::2:30
b.gtld-servers.net. 86400 IN A 192.33.14.30
c.gtld-servers.net. 86400 IN A 192.26.92.30
d.gtld-servers.net. 86400 IN A 192.31.80.30
e.gtld-servers.net. 86400 IN A 192.12.94.30
f.gtld-servers.net. 86400 IN A 192.35.51.30
g.gtld-servers.net. 86400 IN A 192.42.93.30
h.gtld-servers.net. 86400 IN A 192.54.112.30
i.gtld-servers.net. 86400 IN A 192.43.172.30
j.gtld-servers.net. 86400 IN A 192.48.79.30
k.gtld-servers.net. 86400 IN A 192.52.178.30
l.gtld-servers.net. 86400 IN A 192.41.162.30
m.gtld-servers.net. 86400 IN A 192.55.83.30
;; Query time: 192 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Fri Feb 17 23:43:09 2012
;; MSG SIZE rcvd: 727
_____
Does not return multiple RR?
Lastly, what's the format for the output dis DNSSEC records?
com. 86400 IN DS 30909 8 2
E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
So what's '30909 8 2'?
30909 is the TTL value; 2 signifies SHA-256.
And in -
com. 86400 IN RRSIG DS 8 1 86400 20120224000000
20120216230000 51201 .
IuENP04r85gzobEOPGEWr+cRxuPep8KWQgp0P9e3RxVlL5ZFaSzUHjVg
SQL7LMHn31FfiUDrGW9oTs3knqqGNbex+LDB9lIq17dEN3k1A+1emHcN
MF6kDBCoSPiU9yvaxZkII4Omj051XyHH+5st8cpZemLgR/n+2gtDpvPV PeY=
What's 8 1 86400 20120224000000 20120216230000 51201?
1- SHA-1
86400 - TTL Value
20120224000000 - Signature Expire time
20120224000000 - Signature Creation Time
51201 - Key Id
DNSSEC appears to be a rarely explored topic.
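As an added worked example (it is not part of the thread and not BIND code), here are the DS and RRSIG records quoted above, split into the RDATA fields that RFC 4034 defines for them. In a DS record the fields after owner, TTL and class are key tag, algorithm, digest type and the digest itself, so '30909 8 2' reads as key tag 30909, algorithm 8 and digest type 2 (SHA-256); in an RRSIG they are type covered, algorithm, labels, original TTL, expiration, inception, key tag, signer name and the signature. The parser re-joins dig's wrapped lines, checks that each DS digest has the length its digest type requires, confirms that the RRSIG labels field matches the owner name, and tests whether a chosen instant falls inside the signature's validity window. The record text is copied verbatim from the dig output above; the instants used for the window check in the usage are constructed and are not the time of the original query.

```python
"""DS and RRSIG records from dig's presentation format, with each RDATA field
named as RFC 4034 (DS: 5.1, RRSIG: 3.1) and RFC 4509 (digest type 2) define it."""
import base64
from dataclasses import dataclass
from datetime import datetime, timezone

# Copied from the dig answers quoted in this thread.  dig wraps long RDATA over several
# lines and breaks hex/base64 blobs with spaces, so continuation lines are re-joined first.
DIG_TEXT = """\
isc.org. 86400 IN DS 12892 5 2
F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
isc.org. 86400 IN DS 12892 5 1
982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
com. 86400 IN RRSIG DS 8 1 86400 20120224000000
20120216230000 51201 .
IuENP04r85gzobEOPGEWr+cRxuPep8KWQgp0P9e3RxVlL5ZFaSzUHjVg
SQL7LMHn31FfiUDrGW9oTs3knqqGNbex+LDB9lIq17dEN3k1A+1emHcN
MF6kDBCoSPiU9yvaxZkII4Omj051XyHH+5st8cpZemLgR/n+2gtDpvPV PeY=
"""
# Subset of the IANA DNSSEC algorithm and DS digest-type registries.
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 13: "ECDSAP256SHA256"}
DIGEST_TYPES = {1: ("SHA-1", 20), 2: ("SHA-256", 32), 4: ("SHA-384", 48)}

@dataclass
class DS:
    owner: str
    ttl: int
    key_tag: int        # which DNSKEY in the child zone this digest refers to
    algorithm: int
    digest_type: int
    digest: bytes

@dataclass
class RRSIG:
    owner: str
    ttl: int
    type_covered: str
    algorithm: int
    labels: int         # label count of the owner name, see owner_labels()
    original_ttl: int
    expiration: datetime
    inception: datetime
    key_tag: int        # which DNSKEY of the signer produced the signature
    signer: str
    signature: bytes

def _sigtime(s: str) -> datetime:
    """RRSIG times are YYYYMMDDHHMMSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def split_records(text: str) -> list:
    """Token list per record; a '<owner> <ttl> IN <type> ...' line starts one, other lines continue it."""
    records = []
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        if len(toks) > 3 and toks[1].isdigit() and toks[2] == "IN":
            records.append(toks)
        elif records:
            records[-1].extend(toks)
    return records

def parse_record(toks: list):
    owner, ttl, _, rtype, *rdata = toks
    if rtype == "DS":
        tag, alg, dtype, *hexparts = rdata
        digest = bytes.fromhex("".join(hexparts))
        name, want = DIGEST_TYPES.get(int(dtype), ("unknown", len(digest)))
        if len(digest) != want:   # a digest of the wrong length can never validate
            raise ValueError(f"{name} digest must be {want} bytes, got {len(digest)}")
        return DS(owner, int(ttl), int(tag), int(alg), int(dtype), digest)
    if rtype == "RRSIG":
        covered, alg, labels, ottl, exp, inc, tag, signer, *b64 = rdata
        return RRSIG(owner, int(ttl), covered, int(alg), int(labels), int(ottl),
                     _sigtime(exp), _sigtime(inc), int(tag), signer,
                     base64.b64decode("".join(b64)))
    raise ValueError(f"no parser for type {rtype}")

def parse(text: str) -> list:
    return [parse_record(toks) for toks in split_records(text)]

def owner_labels(name: str) -> int:
    """Labels as RFC 4034 section 3.1.3 counts them: the root and a leading '*'
    do not count, so 'com.' has 1 label and 'www.example.com.' has 3."""
    return len([l for l in name.rstrip(".").split(".") if l and l != "*"])

def signature_window_ok(sig: RRSIG, now: datetime) -> bool:
    """A validator accepts the RRSIG only while inception <= now <= expiration."""
    return sig.inception <= now <= sig.expiration

def describe(rec) -> str:
    """One line naming the algorithm and, for a DS, the digest type."""
    alg = ALGORITHMS.get(rec.algorithm, "?")
    extra = f", digest type {DIGEST_TYPES[rec.digest_type][0]}" if isinstance(rec, DS) else ""
    return f"{type(rec).__name__} key tag {rec.key_tag}, algorithm {rec.algorithm} ({alg}){extra}"

if __name__ == "__main__":
    for rec in parse(DIG_TEXT):
        print(describe(rec), "->", rec)
```

Running it prints one line per record with every field labelled. The two isc.org DS records carry the same key tag (12892) and differ only in digest type, which is why a delegation commonly shows two of them; the 128-byte signature on the com DS RRset is what a 1024-bit RSA key (algorithm 8, RSASHA256) produces.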