<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 02/18/12 00:36, Gaurav kansal wrote:
<blockquote cite="mid:000601cceda7$30360630$90a21290$@nic.in"
type="cite">
<div class="WordSection1">
<p class="MsoNormal">Firstly, where do we get the public key for
the DS records?</p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:red">Can
you clarify your question?</span></p>
<p class="MsoNormal"><br>
</p>
</div>
</blockquote>
<br>
The DS record is a signature, right? It has to be decrypted using a
public key, and the decrypted hash has to be compared to the DNSKEY's
hash.<br>
<br>
So what I'm asking for here is, where do we get this public key
from?<br>
<br>
<blockquote cite="mid:000601cceda7$30360630$90a21290$@nic.in"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><br>
Second, why do I get multiple DS records as a response? <span
style="color:#1F497D">–</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:red">You
will always get 2 DS records in the response: one for SHA-1
and a second for SHA-256.</span></p>
<div class="MsoNormal" style="text-align:center" align="center">
<hr align="center" size="2" width="100%"></div>
<p class="MsoNormal">dig +dnssec -t DS isc.org
@b0.org.afilias-nst.org.<br>
<br>
; <<>> DiG 9.8.1 <<>> +dnssec -t DS
isc.org @b0.org.afilias-nst.org.<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR,
id: 32385<br>
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0,
ADDITIONAL: 1<br>
;; WARNING: recursion requested but not available<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags: do; udp: 4096<br>
;; QUESTION SECTION:<br>
;isc.org. IN DS<br>
<br>
;; ANSWER SECTION:<br>
isc.org. 86400 IN DS 12892 5 <span
style="color:red">2 </span>F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D
E18DA6B5<br>
isc.org. 86400 IN DS 12892 5 <span
style="color:red">1 </span>982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759<br>
isc.org. 86400 IN RRSIG DS 7 2 86400
20120309160141 20120217150141 55440 org.
SHpqmMeBQAyBB5LgBcrR5FcZiWiEudop/fl7X1xgz31XG4vFFQzq57RI
q0hUkWZ0dR5oBCpRC15osOXSZEwVuz3LXXUd63GpI5aoGv/OtyPI/w4Y
TedgweoE9PWovcx6Ahr2WonckP2YqTsHqzxwr+VSiiMFMe2VVquTo4/v EjE=<br>
<br>
;; Query time: 339 msec<br>
;; SERVER: 199.19.54.1#53(199.19.54.1)<br>
;; WHEN: Fri Feb 17 23:36:01 2012<br>
;; MSG SIZE rcvd: 283<o:p></o:p></p>
<div class="MsoNormal" style="text-align:center" align="center">
<hr align="center" size="2" width="100%"></div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
Why do I get multiple RRSIG records from some servers? <span
style="color:#1F497D">–</span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:red">You
will get a single RRSIG per RRset.</span></p>
<div class="MsoNormal" style="text-align:center" align="center">
<hr align="center" size="2" width="100%"></div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
dig +dnssec -t NS yahoo.com @g.gtld-servers.net.<br>
<br>
; <<>> DiG 9.8.1 <<>> +dnssec -t NS
yahoo.com @g.gtld-servers.net.<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR,
id: 35065<br>
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 9,
ADDITIONAL: 6<br>
;; WARNING: recursion requested but not available<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags: do; udp: 512<br>
;; QUESTION SECTION:<br>
;yahoo.com. IN NS<br>
<br>
;; AUTHORITY SECTION:<br>
yahoo.com. 172800 IN NS ns1.yahoo.com.<br>
yahoo.com. 172800 IN NS ns5.yahoo.com.<br>
yahoo.com. 172800 IN NS ns2.yahoo.com.<br>
yahoo.com. 172800 IN NS ns3.yahoo.com.<br>
yahoo.com. 172800 IN NS ns4.yahoo.com.<br>
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 -
CK3O3O11OF9QR6F29BIIMK6FFD57PGE2 NS SOA RRSIG DNSKEY
NSEC3PARAM<br>
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2
86400 20120222012103 20120215001103 54350 com.
gf6tXFAK2gwY3wjtBOuPN8Hai0kNguudAzewQLf3ZGxhbXxKoB0/+JvC
yAjgBhMF9E1GIVVLmgjrkJXpMxL1n2PjAjBx/R8kZ+W+flKehXDBPmX9
TDnbrJ9EHytM6/JN4loGB1cAYeQXrN8TE3jNzWneiFYPFwgCIT21qo0l RE8=<br>
GP1945PGQIOH4O61BM3RUL2EVN04SPIA.com. 86400 IN NSEC3 1 1 0 -
GPLVOUV0V27L8DPOOBNLQU1VHFRMMPUT NS DS RRSIG<br>
GP1945PGQIOH4O61BM3RUL2EVN04SPIA.com. 86400 IN RRSIG NSEC3 8 2
86400 20120224144059 20120217133059 54350 com.
NiD8Fe9hm7I2mgfjoXph2yiODqiuS9t/ZSM9pEuZ6gP9/xM6odKAwFC+
3egy+8F8yVjFth63MLIUOeCcwZBYKzymo4wJ2hddaddqBnNTYj0BAYXn
YZdmf0OmCTvhDe5EXcIWH14DiCOjITeZR/CX3wfP8aUu9CGOYDAR8/1M /Ds=<br>
<br>
;; ADDITIONAL SECTION:<br>
ns1.yahoo.com. 172800 IN A 68.180.131.16<br>
ns5.yahoo.com. 172800 IN A
119.160.247.124<br>
ns2.yahoo.com. 172800 IN A 68.142.255.16<br>
ns3.yahoo.com. 172800 IN A 121.101.152.99<br>
ns4.yahoo.com. 172800 IN A 68.142.196.63<br>
<br>
;; Query time: 386 msec<br>
;; SERVER: 192.42.93.30#53(192.42.93.30)<br>
;; WHEN: Fri Feb 17 23:40:26 2012<br>
;; MSG SIZE rcvd: 693<o:p></o:p></p>
<div class="MsoNormal" style="text-align:center" align="center">
<hr align="center" size="2" width="100%"></div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
Do we get an RRSIG for each RR retrieved? If so, why does <span
style="color:#1F497D">–</span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:red">Not
for each RR, but for each RRset.</span></p>
<div class="MsoNormal" style="text-align:center" align="center">
<hr align="center" size="2" width="100%"></div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
dig +dnssec -t NS com @a.root-servers.net.<br>
<br>
; <<>> DiG 9.8.1 <<>> +dnssec -t NS
com @a.root-servers.net.<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR,
id: 44852<br>
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 15,
ADDITIONAL: 16<br>
;; WARNING: recursion requested but not available<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags: do; udp: 512<br>
;; QUESTION SECTION:<br>
;com. IN NS<br>
<br>
;; AUTHORITY SECTION:<br>
com. 172800 IN NS
a.gtld-servers.net.<br>
com. 172800 IN NS
b.gtld-servers.net.<br>
com. 172800 IN NS
c.gtld-servers.net.<br>
com. 172800 IN NS
d.gtld-servers.net.<br>
com. 172800 IN NS
e.gtld-servers.net.<br>
com. 172800 IN NS
f.gtld-servers.net.<br>
com. 172800 IN NS
g.gtld-servers.net.<br>
com. 172800 IN NS
h.gtld-servers.net.<br>
com. 172800 IN NS
i.gtld-servers.net.<br>
com. 172800 IN NS
j.gtld-servers.net.<br>
com. 172800 IN NS
k.gtld-servers.net.<br>
com. 172800 IN NS
l.gtld-servers.net.<br>
com. 172800 IN NS
m.gtld-servers.net.<br>
com. 86400 IN DS 30909 8 2
E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF
C41A5766<br>
com. 86400 IN RRSIG DS 8 1 86400
20120224000000 20120216230000 51201 .
IuENP04r85gzobEOPGEWr+cRxuPep8KWQgp0P9e3RxVlL5ZFaSzUHjVg
SQL7LMHn31FfiUDrGW9oTs3knqqGNbex+LDB9lIq17dEN3k1A+1emHcN
MF6kDBCoSPiU9yvaxZkII4Omj051XyHH+5st8cpZemLgR/n+2gtDpvPV PeY=<br>
<br>
;; ADDITIONAL SECTION:<br>
a.gtld-servers.net. 86400 IN AAAA
2001:503:a83e::2:30<br>
a.gtld-servers.net. 86400 IN A 192.5.6.30<br>
b.gtld-servers.net. 86400 IN AAAA
2001:503:231d::2:30<br>
b.gtld-servers.net. 86400 IN A 192.33.14.30<br>
c.gtld-servers.net. 86400 IN A 192.26.92.30<br>
d.gtld-servers.net. 86400 IN A 192.31.80.30<br>
e.gtld-servers.net. 86400 IN A 192.12.94.30<br>
f.gtld-servers.net. 86400 IN A 192.35.51.30<br>
g.gtld-servers.net. 86400 IN A 192.42.93.30<br>
h.gtld-servers.net. 86400 IN A 192.54.112.30<br>
i.gtld-servers.net. 86400 IN A 192.43.172.30<br>
j.gtld-servers.net. 86400 IN A 192.48.79.30<br>
k.gtld-servers.net. 86400 IN A 192.52.178.30<br>
l.gtld-servers.net. 86400 IN A 192.41.162.30<br>
m.gtld-servers.net. 86400 IN A 192.55.83.30<br>
<br>
;; Query time: 192 msec<br>
;; SERVER: 198.41.0.4#53(198.41.0.4)<br>
;; WHEN: Fri Feb 17 23:43:09 2012<br>
;; MSG SIZE rcvd: 727<o:p></o:p></p>
<div class="MsoNormal" style="text-align:center" align="center">
<hr align="center" size="2" width="100%"></div>
<p class="MsoNormal"><br>
Does not return multiple RRs?<br>
<br>
Lastly, what's the format of the output DNSSEC records?<br>
<br>
com. 86400 IN DS 30909 8 2
E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF
C41A5766<br>
<br>
So what's '30909 8 2'?</p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:red">30909
is the TTL value; 2 signifies SHA-256.</span></p>
<p class="MsoNormal"><br>
<br>
And in - <br>
<br>
com. 86400 IN RRSIG DS 8 1 86400
20120224000000 20120216230000 51201 .
IuENP04r85gzobEOPGEWr+cRxuPep8KWQgp0P9e3RxVlL5ZFaSzUHjVg
SQL7LMHn31FfiUDrGW9oTs3knqqGNbex+LDB9lIq17dEN3k1A+1emHcN
MF6kDBCoSPiU9yvaxZkII4Omj051XyHH+5st8cpZemLgR/n+2gtDpvPV PeY=<br>
<br>
What's '8 1 86400 20120224000000 20120216230000 51201'?<span style="color:red"><br>
1 - SHA-1</span></p>
<p class="MsoNormal"><span style="color:red">86400 – TTL Value<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:red">20120224000000 –
Signature Expire time<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:red">20120224000000 –
Signature Creation Time<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:red">51201 – Key Id<o:p></o:p></span></p>
<p class="MsoNormal"><br>
DNSSEC appears to be a rarely explored topic.<o:p></o:p></p>
</div>
</blockquote>
<br>
Thanks for the answer! That cleared a lot of things.<br>
<br>
Another thing I forgot to ask is, in - <br>
<br>
com. 86400 IN RRSIG DS 8 1 86400
20120224000000 20120216230000 51201 .
IuENP04r85gzobEOPGEWr+cRxuPep8KWQgp0P9e3RxVlL5ZFaSzUHjVg
SQL7LMHn31FfiUDrGW9oTs3knqqGNbex+LDB9lIq17dEN3k1A+1emHcN
MF6kDBCoSPiU9yvaxZkII4Omj051XyHH+5st8cpZemLgR/n+2gtDpvPV PeY=<br>
<br>
What does the DS signify here? RRSIG for the returned DS RRset?<br>
<br>
If this is so, why does - <br>
<br>
<hr size="2" width="100%">dig +dnssec -t NS com @a.root-servers.net.<br>
<br>
; <<>> DiG 9.8.1 <<>> +dnssec -t NS com
@a.root-servers.net.<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
44852<br>
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 16<br>
;; WARNING: recursion requested but not available<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags: do; udp: 512<br>
;; QUESTION SECTION:<br>
;com. IN NS<br>
<br>
;; AUTHORITY SECTION:<br>
com. 172800 IN NS a.gtld-servers.net.<br>
com. 172800 IN NS b.gtld-servers.net.<br>
com. 172800 IN NS c.gtld-servers.net.<br>
com. 172800 IN NS d.gtld-servers.net.<br>
com. 172800 IN NS e.gtld-servers.net.<br>
com. 172800 IN NS f.gtld-servers.net.<br>
com. 172800 IN NS g.gtld-servers.net.<br>
com. 172800 IN NS h.gtld-servers.net.<br>
com. 172800 IN NS i.gtld-servers.net.<br>
com. 172800 IN NS j.gtld-servers.net.<br>
com. 172800 IN NS k.gtld-servers.net.<br>
com. 172800 IN NS l.gtld-servers.net.<br>
com. 172800 IN NS m.gtld-servers.net.<br>
com. 86400 IN DS 30909 8 2
E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766<br>
com. 86400 IN RRSIG DS 8 1 86400
20120224000000 20120216230000 51201 .
IuENP04r85gzobEOPGEWr+cRxuPep8KWQgp0P9e3RxVlL5ZFaSzUHjVg
SQL7LMHn31FfiUDrGW9oTs3knqqGNbex+LDB9lIq17dEN3k1A+1emHcN
MF6kDBCoSPiU9yvaxZkII4Omj051XyHH+5st8cpZemLgR/n+2gtDpvPV PeY=<br>
<br>
<hr size="2" width="100%"><br>
Does not return RRSIG for the NS RRset?<br>
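<br>
The following Python is an added worked example for the field layouts discussed in this thread; it is not part of either correspondent's message and does not use the real isc.org or .com keys quoted above. It lays out the DS and RRSIG presentation-format fields as RFC 4034 defines them (DS: key tag, algorithm, digest type, digest; RRSIG: type covered, algorithm, labels, original TTL, expiration, inception, key tag, signer name, signature), and shows the check a validating resolver performs on a DS: the DS digest is a hash over the canonical owner name followed by the child's DNSKEY RDATA, so the DS is matched by recomputing that hash against the DNSKEY fetched from the child zone, and the parent publishes one DS per digest type (1 = SHA-1, 2 = SHA-256). The DNSKEY below is a constructed toy key with a made-up 8-byte public key, and <code>example.</code> is a placeholder owner name; its key tag (41451) can be worked by hand with the Appendix B arithmetic in <code>key_tag()</code>.<br>

```python
"""DNSSEC DS / RRSIG presentation fields and the DS-from-DNSKEY check.

Added example, not from the original thread.  The DNSKEY is a constructed
toy key; every value here is either parsed from the thread's records or
derived from that toy key.  Layouts follow RFC 4034 and RFC 4509."""
import base64
import hashlib
import hmac

# DS digest type numbers: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DS_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}


def wire_name(owner: str) -> bytes:
    """Canonical (lower-case) DNS wire form of an owner name."""
    out = b""
    for label in owner.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_ds(line: str) -> dict:
    """Parse 'owner TTL IN DS keytag alg digesttype digest...' as dig prints
    it; the digest may be split across several whitespace-separated tokens."""
    f = line.split()
    return {
        "owner": f[0], "ttl": int(f[1]),
        "key_tag": int(f[4]),       # key tag of the child DNSKEY this DS commits to
        "algorithm": int(f[5]),     # DNSKEY algorithm number (8 = RSA/SHA-256)
        "digest_type": int(f[6]),   # 1 = SHA-1, 2 = SHA-256
        "digest": "".join(f[7:]).lower(),
    }


def parse_rrsig(line: str) -> dict:
    """Parse an RRSIG in presentation format (RFC 4034 section 3.2)."""
    f = line.split()
    return {
        "owner": f[0], "ttl": int(f[1]),
        "type_covered": f[4],       # the RRset type this signature covers
        "algorithm": int(f[5]),
        "labels": int(f[6]),        # number of labels in the owner name
        "original_ttl": int(f[7]),
        "expiration": f[8],         # YYYYMMDDHHmmSS in UTC
        "inception": f[9],
        "key_tag": int(f[10]),      # key tag of the signing DNSKEY
        "signer": f[11],            # zone whose DNSKEY produced the signature
        "signature": "".join(f[12:]),
    }


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def compute_ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), hex."""
    return DS_DIGEST[digest_type](wire_name(owner) + rdata).hexdigest()


def ds_matches_dnskey(ds: dict, owner: str, rdata: bytes) -> bool:
    """True if the parent's DS record commits to this child DNSKEY."""
    if ds["key_tag"] != key_tag(rdata) or ds["algorithm"] != rdata[3]:
        return False
    expected = compute_ds_digest(owner, rdata, ds["digest_type"])
    return hmac.compare_digest(expected, ds["digest"])


# Constructed toy DNSKEY: flags 257 (KSK), protocol 3, algorithm 8, and a
# made-up 8-byte "public key" (base64 AwEAAavN7xI=) used only for arithmetic.
TOY_OWNER = "example."   # placeholder zone name
TOY_PUBKEY = base64.b64decode("AwEAAavN7xI=")
TOY_RDATA = dnskey_rdata(257, 3, 8, TOY_PUBKEY)


def toy_ds_line(digest_type: int) -> str:
    """The DS presentation line a parent would publish for TOY_RDATA."""
    return "%s 86400 IN DS %d 8 %d %s" % (
        TOY_OWNER, key_tag(TOY_RDATA), digest_type,
        compute_ds_digest(TOY_OWNER, TOY_RDATA, digest_type).upper())


if __name__ == "__main__":
    for dt in (1, 2):   # one DS per digest type, as in the isc.org answer
        line = toy_ds_line(dt)
        print(line, "->", ds_matches_dnskey(parse_ds(line), TOY_OWNER, TOY_RDATA))
```

Feeding the thread's own <code>com. 86400 IN DS 30909 8 2 ...</code> line to <code>parse_ds()</code> yields key tag 30909, algorithm 8 and digest type 2, and the <code>RRSIG DS 8 1 86400 ... 51201 .</code> line parsed with <code>parse_rrsig()</code> shows that the "DS" token is the type covered (this RRSIG signs the DS RRset), 1 is the label count of <code>com.</code>, 86400 the original TTL, the two timestamps expiration and inception, 51201 the key tag of the signing key, and <code>.</code> the signer (the root zone).<br>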
</body>
</html>