On 02/13/12 10:13, Spain, Dr. Jeffry A. wrote:
But another question remains: where's the DNSKEY record, which is the missing
link as of the current time.
Querying --
dig +dnssec -t DNSKEY yahoo.com @198.41.0.4
Does not return anything.
I think that yahoo.com is probably not a DNSSEC-signed zone and so has no
DNSKEY records. Otherwise the query below would return DNSSEC-related records
and probably an AD flag. By the way, bind.odvr.dns-oarc.net is a
publicly-available DNSSEC-enabled recursive resolver that is good to use for
testing purposes. See https://www.dns-oarc.net/oarc/services/odvr. Jeff
PS C:\> dig '@bind.odvr.dns-oarc.net.' yahoo.com +dnssec
;<<>> DiG 9.9.0rc2<<>> @bind.odvr.dns-oarc.net. yahoo.com +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6844
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 5, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;yahoo.com. IN A
;; ANSWER SECTION:
yahoo.com. 3600 IN A 72.30.2.43
yahoo.com. 3600 IN A 98.137.149.56
yahoo.com. 3600 IN A 98.139.183.24
yahoo.com. 3600 IN A 209.191.122.70
;; AUTHORITY SECTION:
yahoo.com. 161515 IN NS ns1.yahoo.com.
yahoo.com. 161515 IN NS ns5.yahoo.com.
yahoo.com. 161515 IN NS ns4.yahoo.com.
yahoo.com. 161515 IN NS ns3.yahoo.com.
yahoo.com. 161515 IN NS ns2.yahoo.com.
;; Query time: 795 msec
;; SERVER: 2001:4f8:3:2bc:1:0:64:20#53(2001:4f8:3:2bc:1:0:64:20)
;; WHEN: Sun Feb 12 23:39:39 2012
;; MSG SIZE rcvd: 192
Using this DNS server, I'm still not getting the DNSKEY for any DNSSEC-capable
domain; in fact this server has issues -
dig +dnssec -t A dnssec.net @bind.odvr.dns-oarc.net.
; <<>> DiG 9.8.1 <<>> +dnssec -t A dnssec.net @bind.odvr.dns-oarc.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40020
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssec.net. IN A
;; ANSWER SECTION:
dnssec.net. 43179 IN A 80.69.95.164
dnssec.net. 43179 IN A 80.69.93.34
;; AUTHORITY SECTION:
dnssec.net. 172778 IN NS ns2.dnssec.net.
dnssec.net. 172778 IN NS ns0.dnssec.net.
dnssec.net. 172778 IN NS ns3.dnssec.net.
dnssec.net. 172778 IN NS ns1.dnssec.net.
;; Query time: 883 msec
;; SERVER: 149.20.64.20#53(149.20.64.20)
;; WHEN: Mon Feb 13 10:41:19 2012
;; MSG SIZE rcvd: 143
------------------------------------------------------------------------
dig +dnssec -t A dnssec.net @198.41.0.4
; <<>> DiG 9.8.1 <<>> +dnssec -t A dnssec.net @198.41.0.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18381
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 16
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;dnssec.net. IN A
;; AUTHORITY SECTION:
net. 172800 IN NS a.gtld-servers.net.
net. 172800 IN NS b.gtld-servers.net.
net. 172800 IN NS c.gtld-servers.net.
net. 172800 IN NS d.gtld-servers.net.
net. 172800 IN NS e.gtld-servers.net.
net. 172800 IN NS f.gtld-servers.net.
net. 172800 IN NS g.gtld-servers.net.
net. 172800 IN NS h.gtld-servers.net.
net. 172800 IN NS i.gtld-servers.net.
net. 172800 IN NS j.gtld-servers.net.
net. 172800 IN NS k.gtld-servers.net.
net. 172800 IN NS l.gtld-servers.net.
net. 172800 IN NS m.gtld-servers.net.
net. 86400 IN DS 35886 8 2
7862B27F5F516EBE19680444D4CE5E762981931842C465F00236401D 8BD973EE
net. 86400 IN RRSIG DS 8 1 86400
20120220000000 20120212230000 51201 .
FG9Eoc3k1PvDfDoiE5GkpV8ui1/54dsqWoXfQg1OBHwoV915ileT944r
4CrkEKWgrss6YcmVvumbXRiTRaa4v0HM52Pmi/9IlU8KF2pM0thqZqLe
liT/awh8uYyEZxludwvvN2AAZKK/uLwQdKwsIf0KCjZ7+RH3nUgG9osu /WU=
;; ADDITIONAL SECTION:
a.gtld-servers.net. 86400 IN AAAA 2001:503:a83e::2:30
a.gtld-servers.net. 86400 IN A 192.5.6.30
b.gtld-servers.net. 86400 IN AAAA 2001:503:231d::2:30
b.gtld-servers.net. 86400 IN A 192.33.14.30
c.gtld-servers.net. 86400 IN A 192.26.92.30
d.gtld-servers.net. 86400 IN A 192.31.80.30
e.gtld-servers.net. 86400 IN A 192.12.94.30
f.gtld-servers.net. 86400 IN A 192.35.51.30
g.gtld-servers.net. 86400 IN A 192.42.93.30
h.gtld-servers.net. 86400 IN A 192.54.112.30
i.gtld-servers.net. 86400 IN A 192.43.172.30
j.gtld-servers.net. 86400 IN A 192.48.79.30
k.gtld-servers.net. 86400 IN A 192.52.178.30
l.gtld-servers.net. 86400 IN A 192.41.162.30
m.gtld-servers.net. 86400 IN A 192.55.83.30
;; Query time: 193 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Mon Feb 13 10:41:12 2012
;; MSG SIZE rcvd: 731
------------------------------------------------------------------------
I think root nameservers should be used for this purpose; they're
definitely DNSSEC-capable and the source of all caches.
Also, is it possible that the RRSIG and DS that I'm getting are from the
root name servers instead of the servers of the TLD or the sub-domain?
I'd be really happy if I could get some domains which are signed.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
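As an added example (my own code, not from the thread or from ISC/BIND): a small Python script that reads `dig +dnssec` output offline and reports the things both replies above turn on: whether the AD flag is set, whether the response is a referral from a root or other authoritative server (which never sets AD, whatever the zone's signing status), and, for every RRSIG, which zone's key made it and over which RRset. The two embedded captures are trimmed copies of the responses posted above (NS and glue lines dropped), constructed so the script runs without network access; the file name `dnssec_dig.py` and the verdict labels are my own.

```python
"""Summarise what a `dig +dnssec` response says about DNSSEC, offline.

Added example for the thread above, not BIND/ISC code.  The samples are
trimmed copies of dig output posted in the thread, embedded so the script
needs no network; `python3 dnssec_dig.py < capture.txt` reads a live one.
"""
import re
import sys
from dataclasses import dataclass, field

HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: \w+, status: (\w+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);")
EDNS_RE = re.compile(r"^; EDNS: version: \d+, flags:\s*([a-z ]*);")
RR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z0-9]+)\s*(?P<rdata>.*)$")


@dataclass
class RR:
    name: str
    ttl: int
    rtype: str
    rdata: str


@dataclass
class DigResponse:
    status: str = ""
    flags: set = field(default_factory=set)       # header flags: qr aa rd ra ad cd
    edns_flags: set = field(default_factory=set)  # EDNS flags: do
    records: list = field(default_factory=list)


def parse_dig(text):
    """Parse dig presentation output; rdata dig wrapped onto later lines is re-joined."""
    resp = DigResponse()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):            # header, flags, EDNS, question, comments
            if m := HEADER_RE.match(line):
                resp.status = m.group(1)
            elif m := FLAGS_RE.match(line):
                resp.flags = set(m.group(1).split())
            elif m := EDNS_RE.match(line):
                resp.edns_flags = set(m.group(1).split())
            continue
        if m := RR_RE.match(line):
            resp.records.append(RR(m["name"], int(m["ttl"]), m["type"], m["rdata"].strip()))
        elif resp.records:                  # continuation of a wrapped DS digest or signature
            resp.records[-1].rdata += " " + line
    return resp


def rrsig_fields(rdata):
    """Split RRSIG rdata (RFC 4034 presentation format) into named fields."""
    f = rdata.split()
    return {"covers": f[0], "algorithm": int(f[1]), "labels": int(f[2]),
            "orig_ttl": int(f[3]), "expiration": f[4], "inception": f[5],
            "key_tag": int(f[6]), "signer": f[7], "signature": "".join(f[8:])}


def classify(resp):
    """One-word verdict on what a single response can and cannot tell you."""
    if "do" not in resp.edns_flags:
        return "no-do-bit"           # DNSSEC records were never requested
    if "ra" not in resp.flags:
        return "referral"            # authoritative/root answer: AD is never set here
    if "ad" in resp.flags:
        return "validated"           # a validating resolver checked the chain of trust
    if any(rr.rtype == "RRSIG" for rr in resp.records):
        return "signed-unvalidated"  # signatures returned, but this resolver did not validate
    return "no-dnssec-data"          # unsigned zone, or the resolver withholds DNSSEC RRs


def explain(resp):
    """Human-readable findings, including which zone's key made each RRSIG."""
    notes = [f"status {resp.status}, flags {' '.join(sorted(resp.flags))}: {classify(resp)}"]
    for rr in resp.records:
        if rr.rtype == "DS":
            notes.append(f"DS for {rr.name} (key tag {rr.rdata.split()[0]}) is published by the "
                         f"parent zone, so its RRSIG is made with the parent's key, not {rr.name}'s")
        elif rr.rtype == "RRSIG":
            s = rrsig_fields(rr.rdata)
            notes.append(f"RRSIG over {s['covers']} {rr.name}: signer zone {s['signer']!r}, key tag "
                         f"{s['key_tag']}, alg {s['algorithm']}, valid {s['inception']}..{s['expiration']}")
        elif rr.rtype == "DNSKEY":
            notes.append(f"DNSKEY for {rr.name}: the zone publishes its own keys here")
    return notes


# Constructed from the thread: yahoo.com asked of bind.odvr.dns-oarc.net (trimmed).
YAHOO_ODVR = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6844
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 5, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
;yahoo.com. IN A
yahoo.com. 3600 IN A 72.30.2.43
yahoo.com. 161515 IN NS ns1.yahoo.com.
"""

# Constructed from the thread: dnssec.net asked of root server 198.41.0.4 (trimmed).
ROOT_REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18381
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 16
; EDNS: version: 0, flags: do; udp: 512
;dnssec.net. IN A
net. 172800 IN NS a.gtld-servers.net.
net. 86400 IN DS 35886 8 2
7862B27F5F516EBE19680444D4CE5E762981931842C465F00236401D 8BD973EE
net. 86400 IN RRSIG DS 8 1 86400
20120220000000 20120212230000 51201 .
FG9Eoc3k1PvDfDoiE5GkpV8ui1/54dsqWoXfQg1OBHwoV915ileT944r
4CrkEKWgrss6YcmVvumbXRiTRaa4v0HM52Pmi/9IlU8KF2pM0thqZqLe
liT/awh8uYyEZxludwvvN2AAZKK/uLwQdKwsIf0KCjZ7+RH3nUgG9osu /WU=
"""

if __name__ == "__main__":
    live = sys.stdin.read() if not sys.stdin.isatty() else ""
    captures = {"stdin": live} if live.strip() else {
        "yahoo.com via ODVR": YAHOO_ODVR, "dnssec.net via root": ROOT_REFERRAL}
    for label, text in captures.items():
        print(f"== {label}")
        for note in explain(parse_dig(text)):
            print("  " + note)
```

On the root capture the script reports the `net.` DS (key tag 35886) and an RRSIG over DS whose signer field is `.` with key tag 51201: the signature was made by the root zone's key, which is what every DS in a referral looks like, since the DS is the parent's record. On the ODVR capture it reports `no-dnssec-data`: DO was set and RA is present, but no RRSIG came back and AD is absent. A validating resolver that returns AD, or a DNSKEY query answered with RRSIGs, is the test that distinguishes an unsigned zone from a resolver that is not returning DNSSEC records.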