<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:red'><o:p> </o:p></span></p><p class=MsoNormal>Firstly, where do we get the public key for the DS records?<span style='color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:red'>Can you clarify your question???<o:p></o:p></span></p><p class=MsoNormal><br><br>Second, why do I get multiple DS records as response? <span style='color:#1F497D'>–</span> <o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:red'>You will always get a 2 DS Records in response. One for SHA-1 and second for SHA-256.<o:p></o:p></span></p><div class=MsoNormal align=center style='text-align:center'><hr size=2 width="100%" align=center></div><p class=MsoNormal>dig +dnssec -t DS isc.org @b0.org.afilias-nst.org.<br><br>; <<>> DiG 9.8.1 <<>> +dnssec -t DS isc.org @b0.org.afilias-nst.org.<br>;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32385<br>;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1<br>;; WARNING: recursion requested but not available<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags: do; udp: 4096<br>;; QUESTION SECTION:<br>;isc.org. IN DS<br><br>;; ANSWER SECTION:<br>isc.org. 86400 IN DS 12892 5 <span style='color:red'>2 </span>F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5<br>isc.org. 86400 IN DS 12892 5 <span style='color:red'>1 </span>982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759<br>isc.org. 86400 IN RRSIG DS 7 2 86400 20120309160141 20120217150141 55440 org. SHpqmMeBQAyBB5LgBcrR5FcZiWiEudop/fl7X1xgz31XG4vFFQzq57RI q0hUkWZ0dR5oBCpRC15osOXSZEwVuz3LXXUd63GpI5aoGv/OtyPI/w4Y TedgweoE9PWovcx6Ahr2WonckP2YqTsHqzxwr+VSiiMFMe2VVquTo4/v EjE=<br><br>;; Query time: 339 msec<br>;; SERVER: 199.19.54.1#53(199.19.54.1)<br>;; WHEN: Fri Feb 17 23:36:01 2012<br>;; MSG SIZE rcvd: 283<o:p></o:p></p><div class=MsoNormal align=center style='text-align:center'><hr size=2 width="100%" align=center></div><p class=MsoNormal style='margin-bottom:12.0pt'><br>Why do I get multiple RRSIG records from some servers? <span style='color:#1F497D'>–</span> <o:p></o:p></p><p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:red'>You will get single RRSIG per RR sets.<o:p></o:p></span></p><div class=MsoNormal align=center style='text-align:center'><hr size=2 width="100%" align=center></div><p class=MsoNormal style='margin-bottom:12.0pt'><br>dig +dnssec -t NS yahoo.com @g.gtld-servers.net.<br><br>; <<>> DiG 9.8.1 <<>> +dnssec -t NS yahoo.com @g.gtld-servers.net.<br>;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35065<br>;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 6<br>;; WARNING: recursion requested but not available<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags: do; udp: 512<br>;; QUESTION SECTION:<br>;yahoo.com. IN NS<br><br>;; AUTHORITY SECTION:<br>yahoo.com. 172800 IN NS ns1.yahoo.com.<br>yahoo.com. 172800 IN NS ns5.yahoo.com.<br>yahoo.com. 172800 IN NS ns2.yahoo.com.<br>yahoo.com. 172800 IN NS ns3.yahoo.com.<br>yahoo.com. 172800 IN NS ns4.yahoo.com.<br>CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK3O3O11OF9QR6F29BIIMK6FFD57PGE2 NS SOA RRSIG DNSKEY NSEC3PARAM<br>CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20120222012103 20120215001103 54350 com. gf6tXFAK2gwY3wjtBOuPN8Hai0kNguudAzewQLf3ZGxhbXxKoB0/+JvC yAjgBhMF9E1GIVVLmgjrkJXpMxL1n2PjAjBx/R8kZ+W+flKehXDBPmX9 TDnbrJ9EHytM6/JN4loGB1cAYeQXrN8TE3jNzWneiFYPFwgCIT21qo0l RE8=<br>GP1945PGQIOH4O61BM3RUL2EVN04SPIA.com. 86400 IN NSEC3 1 1 0 - GPLVOUV0V27L8DPOOBNLQU1VHFRMMPUT NS DS RRSIG<br>GP1945PGQIOH4O61BM3RUL2EVN04SPIA.com. 86400 IN RRSIG NSEC3 8 2 86400 20120224144059 20120217133059 54350 com. NiD8Fe9hm7I2mgfjoXph2yiODqiuS9t/ZSM9pEuZ6gP9/xM6odKAwFC+ 3egy+8F8yVjFth63MLIUOeCcwZBYKzymo4wJ2hddaddqBnNTYj0BAYXn YZdmf0OmCTvhDe5EXcIWH14DiCOjITeZR/CX3wfP8aUu9CGOYDAR8/1M /Ds=<br><br>;; ADDITIONAL SECTION:<br>ns1.yahoo.com. 172800 IN A 68.180.131.16<br>ns5.yahoo.com. 172800 IN A 119.160.247.124<br>ns2.yahoo.com. 172800 IN A 68.142.255.16<br>ns3.yahoo.com. 172800 IN A 121.101.152.99<br>ns4.yahoo.com. 172800 IN A 68.142.196.63<br><br>;; Query time: 386 msec<br>;; SERVER: 192.42.93.30#53(192.42.93.30)<br>;; WHEN: Fri Feb 17 23:40:26 2012<br>;; MSG SIZE rcvd: 693<o:p></o:p></p><div class=MsoNormal align=center style='text-align:center'><hr size=2 width="100%" align=center></div><p class=MsoNormal style='margin-bottom:12.0pt'><br>Do we get a RRSIG for each RR retrieved? If so, why does <span style='color:#1F497D'>–</span> <o:p></o:p></p><p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:red'>Not for each RR But for each RR sets.<o:p></o:p></span></p><div class=MsoNormal align=center style='text-align:center'><hr size=2 width="100%" align=center></div><p class=MsoNormal style='margin-bottom:12.0pt'><br>dig +dnssec -t NS com @a.root-servers.net.<br><br>; <<>> DiG 9.8.1 <<>> +dnssec -t NS com @a.root-servers.net.<br>;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44852<br>;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 16<br>;; WARNING: recursion requested but not available<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags: do; udp: 512<br>;; QUESTION SECTION:<br>;com. IN NS<br><br>;; AUTHORITY SECTION:<br>com. 172800 IN NS a.gtld-servers.net.<br>com. 172800 IN NS b.gtld-servers.net.<br>com. 172800 IN NS c.gtld-servers.net.<br>com. 172800 IN NS d.gtld-servers.net.<br>com. 172800 IN NS e.gtld-servers.net.<br>com. 172800 IN NS f.gtld-servers.net.<br>com. 172800 IN NS g.gtld-servers.net.<br>com. 172800 IN NS h.gtld-servers.net.<br>com. 172800 IN NS i.gtld-servers.net.<br>com. 172800 IN NS j.gtld-servers.net.<br>com. 172800 IN NS k.gtld-servers.net.<br>com. 172800 IN NS l.gtld-servers.net.<br>com. 172800 IN NS m.gtld-servers.net.<br>com. 86400 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766<br>com. 86400 IN RRSIG DS 8 1 86400 20120224000000 20120216230000 51201 . IuENP04r85gzobEOPGEWr+cRxuPep8KWQgp0P9e3RxVlL5ZFaSzUHjVg SQL7LMHn31FfiUDrGW9oTs3knqqGNbex+LDB9lIq17dEN3k1A+1emHcN MF6kDBCoSPiU9yvaxZkII4Omj051XyHH+5st8cpZemLgR/n+2gtDpvPV PeY=<br><br>;; ADDITIONAL SECTION:<br>a.gtld-servers.net. 86400 IN AAAA 2001:503:a83e::2:30<br>a.gtld-servers.net. 86400 IN A 192.5.6.30<br>b.gtld-servers.net. 86400 IN AAAA 2001:503:231d::2:30<br>b.gtld-servers.net. 86400 IN A 192.33.14.30<br>c.gtld-servers.net. 86400 IN A 192.26.92.30<br>d.gtld-servers.net. 86400 IN A 192.31.80.30<br>e.gtld-servers.net. 86400 IN A 192.12.94.30<br>f.gtld-servers.net. 86400 IN A 192.35.51.30<br>g.gtld-servers.net. 86400 IN A 192.42.93.30<br>h.gtld-servers.net. 86400 IN A 192.54.112.30<br>i.gtld-servers.net. 86400 IN A 192.43.172.30<br>j.gtld-servers.net. 86400 IN A 192.48.79.30<br>k.gtld-servers.net. 86400 IN A 192.52.178.30<br>l.gtld-servers.net. 86400 IN A 192.41.162.30<br>m.gtld-servers.net. 86400 IN A 192.55.83.30<br><br>;; Query time: 192 msec<br>;; SERVER: 198.41.0.4#53(198.41.0.4)<br>;; WHEN: Fri Feb 17 23:43:09 2012<br>;; MSG SIZE rcvd: 727<o:p></o:p></p><div class=MsoNormal align=center style='text-align:center'><hr size=2 width="100%" align=center></div><p class=MsoNormal><br>Does not return multiple RR?<br><br>Lastly, what's the format for the output dis DNSSEC records?<br><br>com. 86400 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766<br><br>Sow what's '30909 8 2'<span style='color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:red'>30909 is TTL Value; 2 signifies SHA-256; <o:p></o:p></span></p><p class=MsoNormal><br><br>And in - <br><br>com. 86400 IN RRSIG DS 8 1 86400 20120224000000 20120216230000 51201 . IuENP04r85gzobEOPGEWr+cRxuPep8KWQgp0P9e3RxVlL5ZFaSzUHjVg SQL7LMHn31FfiUDrGW9oTs3knqqGNbex+LDB9lIq17dEN3k1A+1emHcN MF6kDBCoSPiU9yvaxZkII4Omj051XyHH+5st8cpZemLgR/n+2gtDpvPV PeY=<br><br>What's 8 1 86400 20120224000000 20120216230000 51201<br>?<span style='color:red'><br>1- SHA-1<o:p></o:p></span></p><p class=MsoNormal><span style='color:red'>86400 – TTL Value<o:p></o:p></span></p><p class=MsoNormal><span style='color:red'>20120224000000 – Signature Expire time<o:p></o:p></span></p><p class=MsoNormal><span style='color:red'>20120224000000 – Signature Creation Time<o:p></o:p></span></p><p class=MsoNormal><span style='color:red'>51201 – Key Id<o:p></o:p></span></p><p class=MsoNormal><br>DNSSEC appears to be a rarely explored topic.<o:p></o:p></p></div></body></html>