<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 02/13/12 10:13, Spain, Dr. Jeffry A. wrote:
<blockquote
cite="mid:7610864823C0D04D89342623A3ADC9DE2E30504A@hopple.countryday.net"
type="cite">
<blockquote type="cite">
<pre wrap="">But another question remains, where's the DNSKEY record which is the missing link as of the current time.
Querying --
dig +dnssec -t DNSKEY yahoo.com @198.41.0.4
Does not return anything.
</pre>
</blockquote>
<pre wrap="">
I think that yahoo.com is probably not a DNSSEC-signed zone and so has no DNSKEY records. Otherwise the query below would return DNSSEC-related records and probably an AD flag. By the way, bind.odvr.dns-oarc.net is a publicly-available DNSSEC-enabled recursive resolver that is good to use for testing purposes. See <a class="moz-txt-link-freetext" href="https://www.dns-oarc.net/oarc/services/odvr">https://www.dns-oarc.net/oarc/services/odvr</a>. Jeff
PS C:\> dig '@bind.odvr.dns-oarc.net.' yahoo.com +dnssec
; <<>> DiG 9.9.0rc2 <<>> @bind.odvr.dns-oarc.net. yahoo.com +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6844
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 5, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;yahoo.com. IN A
;; ANSWER SECTION:
yahoo.com. 3600 IN A 72.30.2.43
yahoo.com. 3600 IN A 98.137.149.56
yahoo.com. 3600 IN A 98.139.183.24
yahoo.com. 3600 IN A 209.191.122.70
;; AUTHORITY SECTION:
yahoo.com. 161515 IN NS ns1.yahoo.com.
yahoo.com. 161515 IN NS ns5.yahoo.com.
yahoo.com. 161515 IN NS ns4.yahoo.com.
yahoo.com. 161515 IN NS ns3.yahoo.com.
yahoo.com. 161515 IN NS ns2.yahoo.com.
;; Query time: 795 msec
;; SERVER: 2001:4f8:3:2bc:1:0:64:20#53(2001:4f8:3:2bc:1:0:64:20)
;; WHEN: Sun Feb 12 23:39:39 2012
;; MSG SIZE rcvd: 192
</pre>
</blockquote>
<br>
Using this DNS server, I'm still not getting the DNSKEY for any
DNSSEC capable domain; in fact this server has issues - <br>
<br>
dig +dnssec -t A dnssec.net @bind.odvr.dns-oarc.net.<br>
<br>
; <<>> DiG 9.8.1 <<>> +dnssec -t A
dnssec.net @bind.odvr.dns-oarc.net.<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
40020<br>
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags: do; udp: 4096<br>
;; QUESTION SECTION:<br>
;dnssec.net. IN A<br>
<br>
;; ANSWER SECTION:<br>
dnssec.net. 43179 IN A 80.69.95.164<br>
dnssec.net. 43179 IN A 80.69.93.34<br>
<br>
;; AUTHORITY SECTION:<br>
dnssec.net. 172778 IN NS ns2.dnssec.net.<br>
dnssec.net. 172778 IN NS ns0.dnssec.net.<br>
dnssec.net. 172778 IN NS ns3.dnssec.net.<br>
dnssec.net. 172778 IN NS ns1.dnssec.net.<br>
<br>
;; Query time: 883 msec<br>
;; SERVER: 149.20.64.20#53(149.20.64.20)<br>
;; WHEN: Mon Feb 13 10:41:19 2012<br>
;; MSG SIZE rcvd: 143<br>
<br>
<hr size="2" width="100%">dig +dnssec -t A dnssec.net
@198.41.0.4 <br>
<br>
; <<>> DiG 9.8.1 <<>> +dnssec -t A
dnssec.net @198.41.0.4<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
18381<br>
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 16<br>
;; WARNING: recursion requested but not available<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags: do; udp: 512<br>
;; QUESTION SECTION:<br>
;dnssec.net. IN A<br>
<br>
;; AUTHORITY SECTION:<br>
net. 172800 IN NS a.gtld-servers.net.<br>
net. 172800 IN NS b.gtld-servers.net.<br>
net. 172800 IN NS c.gtld-servers.net.<br>
net. 172800 IN NS d.gtld-servers.net.<br>
net. 172800 IN NS e.gtld-servers.net.<br>
net. 172800 IN NS f.gtld-servers.net.<br>
net. 172800 IN NS g.gtld-servers.net.<br>
net. 172800 IN NS h.gtld-servers.net.<br>
net. 172800 IN NS i.gtld-servers.net.<br>
net. 172800 IN NS j.gtld-servers.net.<br>
net. 172800 IN NS k.gtld-servers.net.<br>
net. 172800 IN NS l.gtld-servers.net.<br>
net. 172800 IN NS m.gtld-servers.net.<br>
net. 86400 IN DS 35886 8 2
7862B27F5F516EBE19680444D4CE5E762981931842C465F00236401D 8BD973EE<br>
net. 86400 IN RRSIG DS 8 1 86400
20120220000000 20120212230000 51201 .
FG9Eoc3k1PvDfDoiE5GkpV8ui1/54dsqWoXfQg1OBHwoV915ileT944r
4CrkEKWgrss6YcmVvumbXRiTRaa4v0HM52Pmi/9IlU8KF2pM0thqZqLe
liT/awh8uYyEZxludwvvN2AAZKK/uLwQdKwsIf0KCjZ7+RH3nUgG9osu /WU=<br>
<br>
;; ADDITIONAL SECTION:<br>
a.gtld-servers.net. 86400 IN AAAA 2001:503:a83e::2:30<br>
a.gtld-servers.net. 86400 IN A 192.5.6.30<br>
b.gtld-servers.net. 86400 IN AAAA 2001:503:231d::2:30<br>
b.gtld-servers.net. 86400 IN A 192.33.14.30<br>
c.gtld-servers.net. 86400 IN A 192.26.92.30<br>
d.gtld-servers.net. 86400 IN A 192.31.80.30<br>
e.gtld-servers.net. 86400 IN A 192.12.94.30<br>
f.gtld-servers.net. 86400 IN A 192.35.51.30<br>
g.gtld-servers.net. 86400 IN A 192.42.93.30<br>
h.gtld-servers.net. 86400 IN A 192.54.112.30<br>
i.gtld-servers.net. 86400 IN A 192.43.172.30<br>
j.gtld-servers.net. 86400 IN A 192.48.79.30<br>
k.gtld-servers.net. 86400 IN A 192.52.178.30<br>
l.gtld-servers.net. 86400 IN A 192.41.162.30<br>
m.gtld-servers.net. 86400 IN A 192.55.83.30<br>
<br>
;; Query time: 193 msec<br>
;; SERVER: 198.41.0.4#53(198.41.0.4)<br>
;; WHEN: Mon Feb 13 10:41:12 2012<br>
;; MSG SIZE rcvd: 731<br>
<br>
<hr size="2" width="100%"><br>
I think root nameservers should be used for this purpose; they're
definitely DNSSEC capable and the source of all caches.<br>
<br>
Also, is it possible that the RRSIG and DS that I'm getting is from
the root name servers instead of the servers of the TLD or the
sub-domain?<br>
<br>
I'd be really happy if I could get some domains which are signed.<br>
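<br>
The three dig outputs above each tell a different story, and the difference is in the header flags and in which section the DNSSEC records appear. The script below is an added example, not code from this thread or from the dig/BIND project: it parses dig's presentation format (header flags, the EDNS DO bit, and the ANSWER/AUTHORITY/ADDITIONAL sections) and reports whether a response is a validated answer (AD flag set), an unsigned answer, or a referral that only carries the parent zone's DS and RRSIG, which is what a root server returns. The samples are constructed: two are trimmed from the outputs quoted above, and the validated one is hypothetical, with the signer name dnssec.net., key tag 12345 and the omitted signature all made up for illustration.<br>
<br>
```python
"""Classify `dig +dnssec` output by the DNSSEC evidence it carries (added example)."""
import re
from dataclasses import dataclass, field

DNSSEC_TYPES = {"RRSIG", "DS", "DNSKEY", "NSEC", "NSEC3"}
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z0-9]+)\s+(.*)$")


@dataclass
class DigResponse:
    status: str = ""
    flags: set = field(default_factory=set)   # header flags: qr rd ra ad ...
    do_bit: bool = False                      # EDNS DO bit echoed in the reply
    sections: dict = field(default_factory=lambda: {
        "ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []})


def parse_dig(text):
    """Parse dig's presentation format (one RR per line) into a DigResponse."""
    resp, section = DigResponse(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";; ->>HEADER<<-"):
            resp.status = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            # ";; flags: qr rd ra; QUERY: 1, ..." -> {"qr", "rd", "ra"}
            resp.flags = set(line[len(";; flags:"):].split(";")[0].split())
        elif line.startswith("; EDNS:"):
            m = re.search(r"flags:\s*([^;]*);", line)
            resp.do_bit = bool(m) and "do" in m.group(1).split()
        elif line.endswith("SECTION:"):
            # ";; ANSWER SECTION:" -> "ANSWER"; QUESTION and OPT are not collected
            name = line.lstrip(";").split()[0]
            section = name if name in resp.sections else None
        elif line.startswith(";"):
            continue                          # comment or question line
        elif section is not None:
            m = RR_RE.match(line)
            if m:
                owner, ttl, rtype, rdata = m.groups()
                resp.sections[section].append((owner, int(ttl), rtype, rdata))
    return resp


def assess(resp):
    """Summarise what the response proves and what it does not."""
    rrs = [rr for rrs in resp.sections.values() for rr in rrs]
    rrsigs = [rr for rr in rrs if rr[2] == "RRSIG"]
    return {
        "status": resp.status,
        "validated": "ad" in resp.flags,      # resolver verified the chain itself
        "recursion_available": "ra" in resp.flags,
        "do_bit": resp.do_bit,
        "referral": not resp.sections["ANSWER"]
                    and any(rr[2] == "NS" for rr in resp.sections["AUTHORITY"]),
        "dnssec_types": sorted({rr[2] for rr in rrs if rr[2] in DNSSEC_TYPES}),
        # RRSIG rdata: type alg labels orig-ttl expiry inception keytag signer sig
        "signers": sorted({rr[3].split()[7] for rr in rrsigs}),
    }


def explain(verdict):
    """The conclusion a practitioner would draw from the summary."""
    if verdict["referral"]:
        who = ", ".join(verdict["signers"]) or "nobody"
        return (f"referral, not an answer: the DS/RRSIG in AUTHORITY are the parent "
                f"zone's delegation records (signer: {who}); a non-recursive server "
                "will not chase the chain for you")
    if verdict["validated"]:
        return "validated answer: AD set, the resolver verified RRSIGs up to its trust anchor"
    if verdict["dnssec_types"]:
        return "signed data returned but AD not set: validate locally or use a validating resolver"
    if verdict["do_bit"]:
        return "no RRSIG/DS/DNSKEY from a DNSSEC-aware server: the zone is most likely unsigned"
    return "server did not echo the DO bit: it is not DNSSEC-aware, try another resolver"


# Constructed samples, trimmed from the outputs quoted in the thread.
ROOT_REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18381
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 16
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;dnssec.net. IN A
;; AUTHORITY SECTION:
net. 172800 IN NS a.gtld-servers.net.
net. 86400 IN DS 35886 8 2 7862B27F5F516EBE19680444D4CE5E762981931842C465F00236401D8BD973EE
net. 86400 IN RRSIG DS 8 1 86400 20120220000000 20120212230000 51201 . (signature omitted)
;; ADDITIONAL SECTION:
a.gtld-servers.net. 86400 IN A 192.5.6.30
"""
UNSIGNED_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6844
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 5, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;yahoo.com. IN A
;; ANSWER SECTION:
yahoo.com. 3600 IN A 72.30.2.43
;; AUTHORITY SECTION:
yahoo.com. 161515 IN NS ns1.yahoo.com.
"""
# Hypothetical (not from the thread): a validated answer for a signed zone.
VALIDATED_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
dnssec.net. 43179 IN A 80.69.95.164
dnssec.net. 43179 IN RRSIG A 8 2 43200 20120301000000 20120201000000 12345 dnssec.net. (signature omitted)
"""

if __name__ == "__main__":
    for label, sample in [("root", ROOT_REFERRAL), ("odvr/yahoo", UNSIGNED_ANSWER),
                          ("hypothetical", VALIDATED_ANSWER)]:
        print(f"{label}: {explain(assess(parse_dig(sample)))}")
```
<br>
Run against the root-server output it reports a referral whose RRSIG signer is "." (the root zone key signing the DS for net.), which is why that DS and RRSIG come from the root and not from the .net or dnssec.net servers; run against the ODVR answer for yahoo.com it reports a DNSSEC-aware server that returned no signed data at all.<br>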
</body>
</html>