<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Firstly, where do we get the public key for the DS records?<br>
<br>
Second, why do I get multiple DS records as response? -- <br>
<hr size="2" width="100%">dig +dnssec -t DS isc.org
@b0.org.afilias-nst.org.<br>
<br>
; <<>> DiG 9.8.1 <<>> +dnssec -t DS isc.org
@b0.org.afilias-nst.org.<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
32385<br>
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1<br>
;; WARNING: recursion requested but not available<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags: do; udp: 4096<br>
;; QUESTION SECTION:<br>
;isc.org. IN DS<br>
<br>
;; ANSWER SECTION:<br>
isc.org. 86400 IN DS 12892 5 2
F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5<br>
isc.org. 86400 IN DS 12892 5 1
982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759<br>
isc.org. 86400 IN RRSIG DS 7 2 86400
20120309160141 20120217150141 55440 org.
SHpqmMeBQAyBB5LgBcrR5FcZiWiEudop/fl7X1xgz31XG4vFFQzq57RI
q0hUkWZ0dR5oBCpRC15osOXSZEwVuz3LXXUd63GpI5aoGv/OtyPI/w4Y
TedgweoE9PWovcx6Ahr2WonckP2YqTsHqzxwr+VSiiMFMe2VVquTo4/v EjE=<br>
<br>
;; Query time: 339 msec<br>
;; SERVER: 199.19.54.1#53(199.19.54.1)<br>
;; WHEN: Fri Feb 17 23:36:01 2012<br>
;; MSG SIZE rcvd: 283<br>
<hr size="2" width="100%"><br>
Why do I get multiple RRSIG records from some servers? - <br>
<br>
<hr size="2" width="100%"><br>
dig +dnssec -t NS yahoo.com @g.gtld-servers.net.<br>
<br>
; <<>> DiG 9.8.1 <<>> +dnssec -t NS
yahoo.com @g.gtld-servers.net.<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
35065<br>
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 6<br>
;; WARNING: recursion requested but not available<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags: do; udp: 512<br>
;; QUESTION SECTION:<br>
;yahoo.com. IN NS<br>
<br>
;; AUTHORITY SECTION:<br>
yahoo.com. 172800 IN NS ns1.yahoo.com.<br>
yahoo.com. 172800 IN NS ns5.yahoo.com.<br>
yahoo.com. 172800 IN NS ns2.yahoo.com.<br>
yahoo.com. 172800 IN NS ns3.yahoo.com.<br>
yahoo.com. 172800 IN NS ns4.yahoo.com.<br>
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 -
CK3O3O11OF9QR6F29BIIMK6FFD57PGE2 NS SOA RRSIG DNSKEY NSEC3PARAM<br>
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400
20120222012103 20120215001103 54350 com.
gf6tXFAK2gwY3wjtBOuPN8Hai0kNguudAzewQLf3ZGxhbXxKoB0/+JvC
yAjgBhMF9E1GIVVLmgjrkJXpMxL1n2PjAjBx/R8kZ+W+flKehXDBPmX9
TDnbrJ9EHytM6/JN4loGB1cAYeQXrN8TE3jNzWneiFYPFwgCIT21qo0l RE8=<br>
GP1945PGQIOH4O61BM3RUL2EVN04SPIA.com. 86400 IN NSEC3 1 1 0 -
GPLVOUV0V27L8DPOOBNLQU1VHFRMMPUT NS DS RRSIG<br>
GP1945PGQIOH4O61BM3RUL2EVN04SPIA.com. 86400 IN RRSIG NSEC3 8 2 86400
20120224144059 20120217133059 54350 com.
NiD8Fe9hm7I2mgfjoXph2yiODqiuS9t/ZSM9pEuZ6gP9/xM6odKAwFC+
3egy+8F8yVjFth63MLIUOeCcwZBYKzymo4wJ2hddaddqBnNTYj0BAYXn
YZdmf0OmCTvhDe5EXcIWH14DiCOjITeZR/CX3wfP8aUu9CGOYDAR8/1M /Ds=<br>
<br>
;; ADDITIONAL SECTION:<br>
ns1.yahoo.com. 172800 IN A 68.180.131.16<br>
ns5.yahoo.com. 172800 IN A 119.160.247.124<br>
ns2.yahoo.com. 172800 IN A 68.142.255.16<br>
ns3.yahoo.com. 172800 IN A 121.101.152.99<br>
ns4.yahoo.com. 172800 IN A 68.142.196.63<br>
<br>
;; Query time: 386 msec<br>
;; SERVER: 192.42.93.30#53(192.42.93.30)<br>
;; WHEN: Fri Feb 17 23:40:26 2012<br>
;; MSG SIZE rcvd: 693<br>
<br>
<hr size="2" width="100%"><br>
Do we get a RRSIG for each RR retrieved? If so, why does - <br>
<br>
<hr size="2" width="100%"><br>
dig +dnssec -t NS com @a.root-servers.net.<br>
<br>
; <<>> DiG 9.8.1 <<>> +dnssec -t NS com
@a.root-servers.net.<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
44852<br>
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 16<br>
;; WARNING: recursion requested but not available<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags: do; udp: 512<br>
;; QUESTION SECTION:<br>
;com. IN NS<br>
<br>
;; AUTHORITY SECTION:<br>
com. 172800 IN NS a.gtld-servers.net.<br>
com. 172800 IN NS b.gtld-servers.net.<br>
com. 172800 IN NS c.gtld-servers.net.<br>
com. 172800 IN NS d.gtld-servers.net.<br>
com. 172800 IN NS e.gtld-servers.net.<br>
com. 172800 IN NS f.gtld-servers.net.<br>
com. 172800 IN NS g.gtld-servers.net.<br>
com. 172800 IN NS h.gtld-servers.net.<br>
com. 172800 IN NS i.gtld-servers.net.<br>
com. 172800 IN NS j.gtld-servers.net.<br>
com. 172800 IN NS k.gtld-servers.net.<br>
com. 172800 IN NS l.gtld-servers.net.<br>
com. 172800 IN NS m.gtld-servers.net.<br>
com. 86400 IN DS 30909 8 2
E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766<br>
com. 86400 IN RRSIG DS 8 1 86400
20120224000000 20120216230000 51201 .
IuENP04r85gzobEOPGEWr+cRxuPep8KWQgp0P9e3RxVlL5ZFaSzUHjVg
SQL7LMHn31FfiUDrGW9oTs3knqqGNbex+LDB9lIq17dEN3k1A+1emHcN
MF6kDBCoSPiU9yvaxZkII4Omj051XyHH+5st8cpZemLgR/n+2gtDpvPV PeY=<br>
<br>
;; ADDITIONAL SECTION:<br>
a.gtld-servers.net. 86400 IN AAAA 2001:503:a83e::2:30<br>
a.gtld-servers.net. 86400 IN A 192.5.6.30<br>
b.gtld-servers.net. 86400 IN AAAA 2001:503:231d::2:30<br>
b.gtld-servers.net. 86400 IN A 192.33.14.30<br>
c.gtld-servers.net. 86400 IN A 192.26.92.30<br>
d.gtld-servers.net. 86400 IN A 192.31.80.30<br>
e.gtld-servers.net. 86400 IN A 192.12.94.30<br>
f.gtld-servers.net. 86400 IN A 192.35.51.30<br>
g.gtld-servers.net. 86400 IN A 192.42.93.30<br>
h.gtld-servers.net. 86400 IN A 192.54.112.30<br>
i.gtld-servers.net. 86400 IN A 192.43.172.30<br>
j.gtld-servers.net. 86400 IN A 192.48.79.30<br>
k.gtld-servers.net. 86400 IN A 192.52.178.30<br>
l.gtld-servers.net. 86400 IN A 192.41.162.30<br>
m.gtld-servers.net. 86400 IN A 192.55.83.30<br>
<br>
;; Query time: 192 msec<br>
;; SERVER: 198.41.0.4#53(198.41.0.4)<br>
;; WHEN: Fri Feb 17 23:43:09 2012<br>
;; MSG SIZE rcvd: 727<br>
<br>
<hr size="2" width="100%"><br>
Does not return multiple RR?<br>
<br>
Lastly, what's the format for the output dis DNSSEC records?<br>
<br>
com. 86400 IN DS 30909 8 2
E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766<br>
<br>
Sow what's '30909 8 2'<br>
<br>
And in - <br>
<br>
com. 86400 IN RRSIG DS 8 1 86400
20120224000000 20120216230000 51201 .
IuENP04r85gzobEOPGEWr+cRxuPep8KWQgp0P9e3RxVlL5ZFaSzUHjVg
SQL7LMHn31FfiUDrGW9oTs3knqqGNbex+LDB9lIq17dEN3k1A+1emHcN
MF6kDBCoSPiU9yvaxZkII4Omj051XyHH+5st8cpZemLgR/n+2gtDpvPV PeY=<br>
<br>
What's 8 1 86400 20120224000000 20120216230000 51201<br>
?<br>
<br>
DNSSEC appears to be a rarely explored topic.<br>
</body>
</html>