Michelle Konzack wrote:
> As far as I can see, 'dig +dnssec www.tamay-dogan.net' gives a nice output
> but how can I know the expiration date?
>
> Is this the timestamp here:
>
> tamay-dogan.net. 3600 IN RRSIG SOA 5 2 3600 20110131191903

Nope

> ----[ command 'dig +dnssec tamay-dogan.net' ]-----------------------
> tamay-dogan.net. 3600 IN SOA dns1.tamay-dogan.net.
> hostmaster.tamay-dogan.net. 1292829280 10800 3600 604800 86400
> tamay-dogan.net. 3600 IN RRSIG SOA 5 2 3600 20110131191903
> 20110101191903 12795 tamay-dogan.net.
> lti7l2JlLeIATApQfWp3BdPTH4MiP75crl4921bC1qdOXfWJH4La+L58
> t0hVMmzNaNbLDH36cQwrYdQvaBJHPkQEwi2Mr8WP0jCSp+bpc2lEP6sz
> f+kRGWYITjuxAwFsSdhVR+EQd4pIupa16ylJ65OWcBGlIHbC5eA5KSN4 lTk=

The RRSIG here has two numbers: 20110131191903 20110101191903. Look at it carefully: 2011-01-31 19:19:03. Looks like a date? The first one is when this signature stops being valid, the second when it starts, both in UTC time. So in this case your signature on the SOA record is valid almost all of January. There's nothing stopping you from having different validity periods on different signatures, it's all per-signature.

> tamay-dogan.net. 86400 IN NSEC admin.tamay-dogan.net. NS SOA
> MX TXT RRSIG NSEC DNSKEY
> tamay-dogan.net. 86400 IN RRSIG NSEC 5 2 86400 20110131191903
> 20110101191903 12795 tamay-dogan.net.
> YS5Y44ywYrsjbSJmtFgF9hk8K80VWLuyLRuDxLeO84kXA/hN9i8mzzDy
> XYIoiUwWbyeKxEIhqAdA6gekLU2Z+ZuNsSGnPUcCdfZD+GiWEneeWGg/
> LcIi9FWTf7J++yGnVMA5Ng6vZ3SgTtiC7r74ZZytm7FkijxCwd8tRyKy a9c=
> ------------------------------------------------------------------------
>
> which I could grep? And what is the NSEC entry?
> Why is the VHost <admin.tamay-dogan.net> there?
>

And the NSEC is used in authenticated denial of existence. It tells you that there are NS, SOA etc. records with name tamay-dogan.net, and that the next name with any content is admin.tamay-dogan.net. So, if e.g. you've asked for abyss.tamay-dogan.net the NS could present you with this RR and its signature and prove that abyss.tamay-dogan.net (which falls between tamay-dogan.net and admin.tamay-dogan.net) does not exist. As a side effect, it's now possible to enumerate every record in your zone.

If you're concerned about this, consider switching to NSEC3, which makes it much harder.

Regards,
Torinthiel

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
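The two points in the reply above (reading the RRSIG expiration/inception pair out of wrapped dig output, and checking which names an NSEC record's gap covers) as an added example; this is not code from the thread, and the sample text is constructed from the quoted dig output with the signature data abbreviated. Names such as `rrsig_windows` and `nsec_proves_nonexistence` are my own:

```python
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the quoted 'dig +dnssec tamay-dogan.net' output.
# dig wraps each record across lines; the base64 signature data is abbreviated here.
DIG_OUTPUT = """\
tamay-dogan.net. 3600 IN SOA dns1.tamay-dogan.net. hostmaster.tamay-dogan.net. 1292829280 10800 3600 604800 86400
tamay-dogan.net. 3600 IN RRSIG SOA 5 2 3600 20110131191903
20110101191903 12795 tamay-dogan.net. lti7l2JlLeIATApQfWp3...
tamay-dogan.net. 86400 IN NSEC admin.tamay-dogan.net. NS SOA MX TXT RRSIG NSEC DNSKEY
tamay-dogan.net. 86400 IN RRSIG NSEC 5 2 86400 20110131191903
20110101191903 12795 tamay-dogan.net. YS5Y44ywYrsjbSJmtFgF...
"""

def parse_sigtime(s):
    """RRSIG times are YYYYMMDDHHMMSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def rrsig_windows(text):
    """Map type-covered -> (inception, expiration) for every RRSIG in dig output.
    Tokenising the whole text makes the parse independent of dig's line wrapping."""
    tok = text.split()
    out = {}
    for i, t in enumerate(tok):
        # 'IN RRSIG' marks a record; the RRSIG token inside an NSEC type bitmap is skipped
        if t == "RRSIG" and i > 0 and tok[i - 1] == "IN":
            covered, expiration, inception = tok[i + 1], tok[i + 5], tok[i + 6]
            out[covered] = (parse_sigtime(inception), parse_sigtime(expiration))
    return out

def signature_status(window, now, warn=timedelta(days=7)):
    """What a monitoring check would report for one signature at time 'now'."""
    inception, expiration = window
    if now < inception:
        return "not yet valid"
    if now >= expiration:
        return "EXPIRED"
    if expiration - now < warn:
        return "expiring soon"
    return "valid"

def canonical_key(name):
    """RFC 4034 section 6.1 ordering: labels compared right to left, case-insensitively,
    as octet strings; a name that is a prefix of another sorts first."""
    return [label.encode() for label in reversed(name.rstrip(".").lower().split("."))]

def nsec_proves_nonexistence(owner, next_name, qname):
    """True if an NSEC 'owner -> next_name' covers qname, i.e. proves it does not exist."""
    o, n, q = map(canonical_key, (owner, next_name, qname))
    if o < n:
        return o < q < n
    return q > o or q < n  # the zone's last NSEC wraps around to the apex
```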