On 02/12/12 09:40, dE . wrote:
I'm trying to see the DNSSEC responses of various sites; my DNS server is
8.8.8.8 (Google's public DNS service)

Response is as such -

dig +dnssec -t SOA org

; <<>> DiG 9.8.1 <<>> +dnssec -t SOA org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20306
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;org. IN SOA

;; ANSWER SECTION:
org. 899 IN SOA a0.org.afilias-nst.info. noc.afilias-nst.info. 2009954959 1800 900 604800 86400
org. 899 IN RRSIG SOA 7 1 900 20120304071611 20120212061611 55440 org.
M5Bi8pDPV3ux+FEK5GnJtxpL3X06reEIA+zkFk5YZK9U/LSAwAO+EdgG
EQVOBpegjTTobmKJZLxl2e9E3t3zm0zaoYXXLGBfnSSNRiI4x4NtTqXE
ElFtDCIyfqMwAMaiD9CAHwH/tiRfkV9VlWeAmCgIKZ6w7QVtXLPHwYA3 x2c=

;; Query time: 1371 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Feb 12 12:49:02 2012
;; MSG SIZE rcvd: 258

As we can see, the DNSKEY and DS RRs are missing, which are mandatory for
this to be of any use. So where are they?

Well, the DS RR resides in the parent, not in the zone you're querying. You need to ask for it explicitly. Although DNSKEY records are in the actual zone you're querying, you still need to ask for them explicitly. They're there; you just need to ask for them.


If I explicitly specify the name server to be one of the root nameservers -

dig +dnssec -t SOA org 198.41.0.4

[snip]

Your dig foo is a bit off today. Remember, to explicitly specify a name server, you need to prepend the IP address with @. You meant to say:

dig +dnssec -t SOA org @198.41.0.4

What you ended up getting is the RRSIG for the root SOA and for the NSEC record for '198.41.0.4', since that doesn't exist in DNS.

michael
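Michael's point that the DS lives in the parent while the DNSKEY lives in the child zone is what ties the two together: the parent's DS is a digest over the child's owner name (in canonical wire form) plus the DNSKEY RDATA, keyed by the DNSKEY's key tag. The Python below is an added illustration, not code from this thread or from BIND; it builds a DS from DNSKEY fields and checks a DS against a DNSKEY. The key material is a constructed toy value, not .org's real key.

```python
import base64
import hashlib

# DS digest types: 1 = SHA-1, 2 = SHA-256 (RFC 4034, RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(name: str) -> bytes:
    """Canonical wire-format owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA as sent on the wire: flags(2) protocol(1) algorithm(1) public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """DS the parent would publish for this child DNSKEY: (key_tag, alg, digest_type, digest_hex)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    digest = DIGEST_ALGS[digest_type](wire_name(owner) + rdata).hexdigest()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_matches_dnskey(ds, owner, flags, protocol, algorithm, pubkey_b64) -> bool:
    """True if the DS (from the parent) commits to this DNSKEY (from the child zone)."""
    tag, alg, dtype, digest = ds
    return make_ds(owner, flags, protocol, algorithm, pubkey_b64, dtype) == (tag, alg, dtype, digest.lower())


# Constructed toy KSK for "org.": flags 257 (KSK), protocol 3, algorithm 8 (RSASHA256),
# 4-byte "public key" 01 02 03 04. Not the real .org key.
TOY_KEY_B64 = base64.b64encode(bytes([1, 2, 3, 4])).decode()

if __name__ == "__main__":
    tag, alg, dtype, digest = make_ds("org.", 257, 3, 8, TOY_KEY_B64)
    print(f"org. IN DS {tag} {alg} {dtype} {digest.upper()}")
```

With a real zone, take the DNSKEY fields from `dig +dnssec DNSKEY org` and compare against the DS the parent returns for `dig +dnssec DS org @198.41.0.4`; the key tag in the DS also tells you which RRSIG signer field to look for.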


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users