A few conceptual questions about DNSSEC.

Tony Finch dot at dotat.at
Fri Feb 17 21:11:14 UTC 2012


dE . <de.techno at gmail.com> wrote:

> Firstly, where do we get the public key for the DS records?

A zone's DNSKEY RRset contains its public keys, and these are hashed to
make its DS records. For example,

$ dig +nottl +noall +answer DS isc.org | perl -pe 's/\s+(?!$)/ /g'
isc.org. IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
isc.org. IN DS 12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
$ dig DNSKEY isc.org | dnssec-dsfromkey -f /dev/stdin isc.org
isc.org. IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
isc.org. IN DS 12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5

> Why do I get multiple RRSIG records from some servers? -

When you ask a GTLD server for the yahoo.com delegation NS records, you
also get two NSEC3 records that bracket the yahoo.com delegation to prove
it is insecure (no DS record), and an RRSIG record for each NSEC3 record.

> Do we get a RRSIG for each RR retrieved?

No, one per RRset, where an RRset is all the records with the same name,
class, and type.

> Lastly, what's the format for the output dis DNSSEC records?

See RFC 4034.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Shannon, Rockall, Malin, Hebrides, Bailey: Southwest, veering northwest, 6 to
gale 8, occasionally severe gale 9, except in Shannon and Malin. Very rough or
high, occasionally very high in Rockall and Bailey, but rough at first in
Shannon. Rain then squally snow showers. Moderate, occasionally poor.
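As an added illustration of the DNSKEY-to-DS relationship described in the reply above (example code written for this page, not BIND's dnssec-dsfromkey): it encodes the owner name in canonical wire form, computes the RFC 4034 Appendix B key tag, and hashes owner name plus DNSKEY RDATA into DS digests as RFC 4034 section 5.1.4 specifies. The DNSKEY line it uses is a constructed sample with a tiny fake public key, not a real zone's key; digest types 1 (SHA-1) and 2 (SHA-256) are the standard IANA numbers.

```python
import base64
import hashlib

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Encode an owner name in canonical (lowercase, uncompressed) wire format."""
    labels = name.lower().strip(".").split(".") if name.strip(".") else []
    out = b""
    for label in labels:
        if not 0 < len(label) < 64:
            raise ValueError("bad label length")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA wire format: 2-byte flags, protocol, algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (general case; the obsolete algorithm-1 variant is omitted)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """RFC 4034 section 5.1.4: digest = hash(canonical owner name | DNSKEY RDATA)."""
    return DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def dnskey_to_ds(presentation: str) -> list:
    """Turn one DNSKEY RR in presentation format into DS RRs, one per digest type."""
    fields = presentation.split()
    owner = fields[0]
    idx = fields.index("DNSKEY")  # tolerates an optional TTL before the class, as dig prints
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))  # key may be split across fields
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    tag = key_tag(rdata)
    return [f"{owner} IN DS {tag} {algorithm} {dt} {ds_digest(owner, rdata, dt)}"
            for dt in sorted(DIGEST_TYPES)]


# Constructed sample (not a real zone's key): KSK flags 257, protocol 3, algorithm 8.
SAMPLE_DNSKEY = "example.org. 3600 IN DNSKEY 257 3 8 AQIDBA=="

if __name__ == "__main__":
    for ds in dnskey_to_ds(SAMPLE_DNSKEY):
        print(ds)
```

Feeding it a real DNSKEY line from dig reproduces the key tag and digests that the zone's parent publishes in its DS RRset, which is exactly the check a validator performs at a delegation.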