dnssec-verify and dnssec-dnskey-kskonly
Tony Finch
dot at dotat.at
Wed Aug 15 10:41:32 UTC 2012
Playing around with dnssec-verify:
$ dig axfr dotat.at | dnssec-verify -o dotat.at /dev/stdin
Loading zone 'dotat.at' from file '/dev/stdin'
Verifying the zone using the following algorithms: RSASHA1.
Zone fully signed:
Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked
OK. But the manual says:
    -x
        Only verify that the DNSKEY RRset is signed with key-signing keys.
        Without this flag, it is assumed that the DNSKEY RRset will be
        signed by all active keys. When this flag is set, it will not be an
        error if the DNSKEY RRset is not signed by zone-signing keys. This
        corresponds to the -x option in dnssec-signzone.
And my zone has only one RRSIG on its DNSKEY RRset:
; <<>> DiG 9.9.2b1 <<>> +dnssec +multiline dnskey dotat.at
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4260
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dotat.at. IN DNSKEY
;; ANSWER SECTION:
dotat.at. 3600 IN DNSKEY 256 3 5 (
AwEAAczBisQAJbGom5SzZHxr7j/ddJBsoxuchn4Ki+Xl
NASArKXs46UbXWbXZitymfv4F6wkY8mEErgEs4qil5Im
p9zv7qmSpHJEFOSrgEP+XYyD6duCw57uvXYBv5mV2ulr
wrbEHfcZmu1gYb9UDhTi4j7dBExUkNW2qSV5H4/kzCT/
) ; ZSK; alg = RSASHA1; key id = 56700
dotat.at. 3600 IN DNSKEY 257 3 5 (
AwEAAZfTCuV4JYWU/COTmC6N37hek+RsIHLZ484GGO4O
hGNpBYIIlcT+wubBD4VPyjmALVny0lV3nUVle9PrPHJC
4q02uJnoRi+NPAJ9eAVlBGkvJ75l0TgaSgCV+xtR69VM
xomC1B00pBZHzfnY3Ig4OhrH6YoaezgQ4eyNkzg3fWVi
SQvjosTZmuwwhnNfWu9bKQiM/WSRHLFiNBjB/H/YtjM1
It0dQaLDRiZMX2/dFZw0YewdHei46NjCXarNe/CwiTw7
+g3zPyGmDPSVFNr+INvdMDqyVRroHkZ8Ky+kPL4lLz9E
oG1PcCzq7YjBr+JY6Hq7CjLbZZFw1wY0jKISoKk=
) ; KSK; alg = RSASHA1; key id = 5677
dotat.at. 3600 IN RRSIG DNSKEY 5 2 3600 (
20120831190247 20120801184840 5677 dotat.at.
EPDmmG99GNcPHRzMK7fbkWOpE7P+hbyNbCcpi9hYmwq9
GUNqmHI1VK3xNl4YiB6ARUtVuGqKi45SGltFlBKBh+KW
i6NA+U7IXniKXnztUJqo7QSAWVdcZrRVcEpNE7MdPUeT
lyijL9ytXfFV/q1398o00KErc7OGZ+rlRhQQZAX0SiU6
UV4C/ecA581j231rfSGb9ttGhqFK7lPNkv33B2jyc7uU
qxm7Ra5WSWnfudPeBlhg3YcqCwoefwA0a7QviqR3VKjM
Ak1pr4EH9KX5H2TFSP4EazJTqIuRvbGWH5TVuHMaH/cm
rI7gCUkIOxPKWYgIhwnjSMp5E/mjMfoOmA== )
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Aug 15 11:38:10 2012
;; MSG SIZE rcvd: 757
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Viking, North Utsire, South Utsire: Southeasterly 4 or 5, occasionally 6 later
except in North Utsire. Slight or moderate. Showers. Moderate or good.
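
The check the quoted -x text describes can be made independently of dnssec-verify. The following is an added example, not part of the original post or of BIND: it reads `dig +dnssec +multiline dnskey` output and reports which keys signed the DNSKEY RRset, relying on the "key id" comments dig prints. The zone name, key ids and key/signature data in the sample are constructed placeholders.

```python
import re

# Constructed sample in `dig +dnssec +multiline dnskey` layout.
# Key and signature data are placeholders, not real key material.
SAMPLE = """\
example.test. 3600 IN DNSKEY 256 3 5 (
                AwEAAcPLACEHOLDERZSK
                ) ; ZSK; alg = RSASHA1; key id = 11111
example.test. 3600 IN DNSKEY 257 3 5 (
                AwEAAcPLACEHOLDERKSK
                ) ; KSK; alg = RSASHA1; key id = 22222
example.test. 3600 IN RRSIG DNSKEY 5 2 3600 (
                20120831190247 20120801184840 22222 example.test.
                PLACEHOLDERSIGNATURE== )
"""

SEP = 0x0001  # Secure Entry Point flag bit: set on KSKs (257), clear on ZSKs (256)

# DNSKEY record: capture the flags field and the key id from dig's comment.
DNSKEY_RE = re.compile(
    r"\sIN\s+DNSKEY\s+(\d+)\s+\d+\s+\d+\s*\([^)]*\)\s*;.*?key id = (\d+)")
# RRSIG covering DNSKEY: expiration, inception, then the signer's key tag.
RRSIG_RE = re.compile(
    r"\sIN\s+RRSIG\s+DNSKEY\s+\d+\s+\d+\s+\d+\s*\(\s*\d{14}\s+\d{14}\s+(\d+)\s")


def dnskey_rrset_signers(text):
    """Classify the keys that signed the DNSKEY RRset in dig output."""
    keys = {int(tag): int(flags) for flags, tag in DNSKEY_RE.findall(text)}
    signers = {int(tag) for tag in RRSIG_RE.findall(text)}
    ksks = {tag for tag, flags in keys.items() if flags & SEP}
    zsks = set(keys) - ksks
    return {
        "signed_by_ksk": sorted(signers & ksks),
        "signed_by_zsk": sorted(signers & zsks),
        "unsigned_zsk": sorted(zsks - signers),
        "unknown_signers": sorted(signers - set(keys)),
    }


def ksk_only(text):
    """True when only key-signing keys signed the DNSKEY RRset."""
    result = dnskey_rrset_signers(text)
    return bool(result["signed_by_ksk"]) and not result["signed_by_zsk"]


if __name__ == "__main__":
    print(dnskey_rrset_signers(SAMPLE), "KSK-only:", ksk_only(SAMPLE))
```

A zone for which `ksk_only` returns True is the case the quoted manual text says should need -x.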