dnssec question
Edward Lewis
edlewis at arin.net
Mon Aug 16 19:03:18 UTC 2004
I have a (930rc2 on MacOS X.latest) server loaded with signed zones
but am not getting signatures with dig.
To see that the server has loaded a signed zone, here's the start of
a zone transfer:
$ dig @127.0.0.1 136.136.192.in-addr.arpa axfr +dnssec +multiline | head -25
; <<>> DiG 9.3.0rc2 <<>> @127.0.0.1 136.136.192.in-addr.arpa axfr
+dnssec +multiline
;; global options: printcmd
136.136.192.in-addr.arpa. 10800 IN SOA ns1.arin.net. bind.arin.net. (
2004051001 ; serial
10800 ; refresh (3 hours)
3600 ; retry (1 hour)
604800 ; expire (1 week)
3600 ; minimum (1 hour)
)
136.136.192.in-addr.arpa. 10800 IN RRSIG SOA 1 5 10800 20040915144638 (
20040816144638 40035 136.136.192.in-addr.arpa.
bYg/yO1jp2cVYx64dF92VabeZ+6ETYpK5X2t91E+426h
5Oc9XkIU1q+3+MSYXofmLhjY6S6wjaufiUMdlnbjTx94
/VcxFnPlgwgPOXyTgTcHXnh/hATTOqIIPP5i+BJ0tTUU
CRhrN1xWpOqIOQa8hDCD2ajqxz6Lyi3IdSutGIQ= )
136.136.192.in-addr.arpa. 10800 IN NS ns1.arin.net.
...
Here is the puzzling query:
$ dig @127.0.0.1 136.136.192.in-addr.arpa soa +dnssec +multiline
+noadditional +noauthority
; <<>> DiG 9.3.0rc2 <<>> @127.0.0.1 136.136.192.in-addr.arpa soa
+dnssec +multiline +noadditional +noauthority
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54423
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 8
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;136.136.192.in-addr.arpa. IN SOA
;; ANSWER SECTION:
136.136.192.in-addr.arpa. 10800 IN SOA ns1.arin.net. bind.arin.net. (
2004051001 ; serial
10800 ; refresh (3 hours)
3600 ; retry (1 hour)
604800 ; expire (1 week)
3600 ; minimum (1 hour)
)
;; Query time: 7 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug 16 14:58:46 2004
;; MSG SIZE rcvd: 356
If I leave off "+noadditional +noauthority" I still don't get the
RRSIG; I used those options just to cut down on fluff in this message.
Am I missing an option somewhere?
PS - this happens:
$ dig @127.0.0.1 136.136.192.in-addr.arpa RRSIG +multiline
;; Truncated, retrying in TCP mode.
; <<>> DiG 9.3.0rc2 <<>> @127.0.0.1 136.136.192.in-addr.arpa RRSIG +multiline
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43271
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 5, ADDITIONAL: 7
;; QUESTION SECTION:
;136.136.192.in-addr.arpa. IN RRSIG
;; ANSWER SECTION:
136.136.192.in-addr.arpa. 10800 IN RRSIG SOA 1 5 10800 20040915144638 (
20040816144638 40035 136.136.192.in-addr.arpa.
bYg/yO1jp2cVYx64dF92VabeZ+6ETYpK5X2t91E+426h
5Oc9XkIU1q+3+MSYXofmLhjY6S6wjaufiUMdlnbjTx94
/VcxFnPlgwgPOXyTgTcHXnh/hATTOqIIPP5i+BJ0tTUU
CRhrN1xWpOqIOQa8hDCD2ajqxz6Lyi3IdSutGIQ= )
136.136.192.in-addr.arpa. 10800 IN RRSIG NS 1 5 10800 20040915144638 (
...
so the RRSIG for the SOA is in there, somewhere.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-703-227-9854
ARIN Research Engineer
"I can't go to Miami. I'm expecting calls from telemarketers." -
Grandpa Simpson.
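Added example, not part of the post and not BIND or dig code: a small parser for dig's text output that checks the thing the message is about, namely whether a response to a DO-flagged query actually carries an RRSIG covering the queried type in the ANSWER section. The three sample responses are constructed from the output quoted above (the SOA query with DO set and no RRSIG, the explicit RRSIG query that was truncated over UDP, and what the SOA response would look like if the server did serve DNSSEC data; the last one is hypothetical). A response whose OPT record echoes the DO bit but whose answer omits the RRSIG for a zone the server loaded signed means the server is not serving DNSSEC records at all; in BIND 9.3 that behaviour is governed by the `dnssec-enable` option in named.conf, whose default is `no`.

```python
"""Check a dig +dnssec response for the RRSIG covering the queried type.

Added example; parses dig's text output offline.  The sample responses
below are constructed from the output in the post (SAMPLE_SIGNED is what
a DNSSEC-serving answer would look like, not something the poster saw).
"""
import re

# First line of a record in dig +multiline output: owner TTL IN TYPE rdata...
# Continuation lines (serial, base64 signature data, ")") never have "IN"
# as their third token, so they are ignored by design.
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z0-9]+)\s+(.*)$")
EDNS_LINE = re.compile(r"^; EDNS: version: (\d+), flags:([^;]*);")
HDR_FLAGS = re.compile(r"^;; flags:([^;]*);")
SECTION = re.compile(r"^;; (QUESTION|ANSWER|AUTHORITY|ADDITIONAL) SECTION:")


def parse_dig(text):
    """Return header flags, EDNS version/flags, truncation and per-section RRs."""
    out = {"flags": set(), "edns": None, "edns_flags": set(), "truncated": False,
           "sections": {s: [] for s in ("QUESTION", "ANSWER", "AUTHORITY", "ADDITIONAL")}}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if "Truncated, retrying in TCP mode" in line:
            out["truncated"] = True        # UDP answer did not fit; dig re-asked over TCP
            continue
        m = HDR_FLAGS.match(line)
        if m:
            out["flags"] = set(m.group(1).split())
            continue
        m = EDNS_LINE.match(line)
        if m:                               # OPT pseudosection: "flags: do" is the DO bit
            out["edns"] = int(m.group(1))
            out["edns_flags"] = set(m.group(2).split())
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None or line.startswith(";"):
            continue                        # banner, question line, timing footer
        m = RR_LINE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            out["sections"][section].append((owner, int(ttl), rtype, rdata))
    return out


def covering_rrsigs(parsed, section="ANSWER"):
    """Set of type names covered by RRSIGs in a section (first rdata token)."""
    return {rdata.split()[0] for _, _, rtype, rdata in parsed["sections"][section]
            if rtype == "RRSIG"}


def diagnose(text, qtype):
    """Classify a response to 'dig <name> <qtype> +dnssec'."""
    p = parse_dig(text)
    if p["edns"] is None:
        return "no-edns"            # no OPT record: DO was never requested or echoed
    if "do" not in p["edns_flags"]:
        return "do-not-set"         # server answered with EDNS but without DO
    if qtype in covering_rrsigs(p):
        return "signed"             # the RRSIG covering the type rides along
    if any(rtype == qtype for _, _, rtype, _ in p["sections"]["ANSWER"]):
        return "do-set-no-rrsig"    # data present, signature absent: DNSSEC not served
    return "no-data"


# Constructed from the post's SOA query: DO echoed, answer carries no RRSIG.
SAMPLE_NO_RRSIG = """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 8
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;136.136.192.in-addr.arpa. IN SOA
;; ANSWER SECTION:
136.136.192.in-addr.arpa. 10800 IN SOA ns1.arin.net. bind.arin.net. (
2004051001 ; serial
10800 ; refresh (3 hours)
)
;; Query time: 7 msec
"""

# Hypothetical: the same answer from a server that does serve DNSSEC data.
SAMPLE_SIGNED = SAMPLE_NO_RRSIG.replace(";; Query time", """\
136.136.192.in-addr.arpa. 10800 IN RRSIG SOA 1 5 10800 20040915144638 (
20040816144638 40035 136.136.192.in-addr.arpa.
CRhrN1xWpOqIOQa8hDCD2ajqxz6Lyi3IdSutGIQ= )
;; Query time""")

# Constructed from the post's PS: explicit RRSIG query, no +dnssec, truncated over UDP.
SAMPLE_RRSIG_QUERY = """\
;; Truncated, retrying in TCP mode.
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 5, ADDITIONAL: 7
;; QUESTION SECTION:
;136.136.192.in-addr.arpa. IN RRSIG
;; ANSWER SECTION:
136.136.192.in-addr.arpa. 10800 IN RRSIG SOA 1 5 10800 20040915144638 (
20040816144638 40035 136.136.192.in-addr.arpa.
CRhrN1xWpOqIOQa8hDCD2ajqxz6Lyi3IdSutGIQ= )
"""

if __name__ == "__main__":
    for name, text in (("no-rrsig", SAMPLE_NO_RRSIG), ("signed", SAMPLE_SIGNED),
                       ("rrsig-query", SAMPLE_RRSIG_QUERY)):
        print(name, "->", diagnose(text, "SOA"))
```

The result `do-set-no-rrsig` is the case in the message: the server negotiates EDNS and echoes DO, the zone on disk is signed (the AXFR shows the RRSIGs), yet the answer is unsigned, so the problem is on the server side rather than a missing dig option.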