dnssec question

Edward Lewis edlewis at arin.net
Mon Aug 16 19:03:18 UTC 2004


I have a (930rc2 on MacOS X.latest) server loaded with signed zones 
but am not getting signatures with dig.

To see that the server has loaded a signed zone, here's the start of 
a zone transfer:

$ dig @127.0.0.1 136.136.192.in-addr.arpa axfr +dnssec +multiline | head -25

; <<>> DiG 9.3.0rc2 <<>> @127.0.0.1 136.136.192.in-addr.arpa axfr +dnssec +multiline
;; global options:  printcmd
136.136.192.in-addr.arpa. 10800 IN SOA ns1.arin.net. bind.arin.net. (
                                 2004051001 ; serial
                                 10800      ; refresh (3 hours)
                                 3600       ; retry (1 hour)
                                 604800     ; expire (1 week)
                                 3600       ; minimum (1 hour)
                                 )
136.136.192.in-addr.arpa. 10800 IN RRSIG SOA 1 5 10800 20040915144638 (
                                 20040816144638 40035 136.136.192.in-addr.arpa.
                                 bYg/yO1jp2cVYx64dF92VabeZ+6ETYpK5X2t91E+426h
                                 5Oc9XkIU1q+3+MSYXofmLhjY6S6wjaufiUMdlnbjTx94
                                 /VcxFnPlgwgPOXyTgTcHXnh/hATTOqIIPP5i+BJ0tTUU
                                 CRhrN1xWpOqIOQa8hDCD2ajqxz6Lyi3IdSutGIQ= )
136.136.192.in-addr.arpa. 10800 IN NS ns1.arin.net.
...


Here is the puzzling query:

$ dig @127.0.0.1 136.136.192.in-addr.arpa soa +dnssec +multiline +noadditional +noauthority

; <<>> DiG 9.3.0rc2 <<>> @127.0.0.1 136.136.192.in-addr.arpa soa +dnssec +multiline +noadditional +noauthority
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54423
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 8

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;136.136.192.in-addr.arpa. IN SOA

;; ANSWER SECTION:
136.136.192.in-addr.arpa. 10800 IN SOA ns1.arin.net. bind.arin.net. (
                                 2004051001 ; serial
                                 10800      ; refresh (3 hours)
                                 3600       ; retry (1 hour)
                                 604800     ; expire (1 week)
                                 3600       ; minimum (1 hour)
                                 )

;; Query time: 7 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug 16 14:58:46 2004
;; MSG SIZE  rcvd: 356

If I leave off "+noadditional +noauthority" I still don't get the 
RRSIG; I used the options just to cut down on fluff in this message.

Am I missing an option somewhere?

PS - this happens:

$ dig @127.0.0.1 136.136.192.in-addr.arpa RRSIG +multiline
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.3.0rc2 <<>> @127.0.0.1 136.136.192.in-addr.arpa RRSIG +multiline
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43271
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 5, ADDITIONAL: 7

;; QUESTION SECTION:
;136.136.192.in-addr.arpa. IN RRSIG

;; ANSWER SECTION:
136.136.192.in-addr.arpa. 10800 IN RRSIG SOA 1 5 10800 20040915144638 (
                                 20040816144638 40035 136.136.192.in-addr.arpa.
                                 bYg/yO1jp2cVYx64dF92VabeZ+6ETYpK5X2t91E+426h
                                 5Oc9XkIU1q+3+MSYXofmLhjY6S6wjaufiUMdlnbjTx94
                                 /VcxFnPlgwgPOXyTgTcHXnh/hATTOqIIPP5i+BJ0tTUU
                                 CRhrN1xWpOqIOQa8hDCD2ajqxz6Lyi3IdSutGIQ= )
136.136.192.in-addr.arpa. 10800 IN RRSIG NS 1 5 10800 20040915144638 (
...

so the RRSIG for the SOA is in there, somewhere.
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                            +1-703-227-9854
ARIN Research Engineer

"I can't go to Miami.  I'm expecting calls from telemarketers." -
Grandpa Simpson.
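As an added illustration (not part of the original post, and not BIND or dig code), here is a small Python checker for the behaviour the post is asking about: it parses a wire-format DNS response, confirms the EDNS0 OPT record carries the DO bit, and reports whether the answer section includes an RRSIG. The response it inspects is constructed inline from the SOA values in the post (the signature bytes are dummies), so the check runs offline; the parser itself handles any message's sections, not just this one.

```python
import struct

SOA, OPT, RRSIG = 6, 41, 46
DO_FLAG = 0x8000  # DNSSEC OK bit, carried in the OPT record's TTL field (RFC 3225)
ZONE = "136.136.192.in-addr.arpa."  # the zone queried in the post

def encode_name(name):
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def make_rr(name, rtype, rdata, ttl=10800):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def sample_response(signed, do=True, qid=0x1234):
    # Constructed authoritative SOA answer (values from the post); signed=True adds an RRSIG
    soa = encode_name("ns1.arin.net.") + encode_name("bind.arin.net.") + \
          struct.pack("!IIIII", 2004051001, 10800, 3600, 604800, 3600)
    answer = make_rr(ZONE, SOA, soa)
    if signed:  # RRSIG: covered type, alg, labels, orig TTL, expiration, inception, key tag
        sig = struct.pack("!HBBIIIH", SOA, 1, 5, 10800, 1095259598, 1092667598, 40035)
        answer += make_rr(ZONE, RRSIG, sig + encode_name(ZONE) + b"\x00" * 64)  # dummy sig
    # EDNS0 OPT: root name, type OPT, "class" = UDP size, "TTL" = ext-RCODE/version/flags
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, DO_FLAG if do else 0, 0)
    header = struct.pack("!HHHHHH", qid, 0x8400, 1, 2 if signed else 1, 0, 1)  # qr aa
    return header + encode_name(ZONE) + struct.pack("!HH", SOA, 1) + answer + opt

def skip_name(msg, off):
    while 0 < msg[off] < 0xC0:  # walk labels; 0 ends the name, >= 0xC0 is a pointer
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_response(msg):
    # Returns (DO bit seen in OPT, {section: [rtype, ...]}) for a wire-format message
    off, (qd, an, ns, ar) = 12, struct.unpack("!HHHHHH", msg[:12])[2:]
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    sections, do = {"answer": [], "authority": [], "additional": []}, False
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if rtype == OPT:
                do = bool(ttl & DO_FLAG)
            sections[sec].append(rtype)
    return do, sections

def answer_is_signed(msg):
    do, sections = parse_response(msg)
    return do and RRSIG in sections["answer"]  # DO negotiated and an RRSIG came back
```

Feeding it the bytes of a real response (for example captured from a `dig +dnssec` query) gives the same per-section type list dig prints, which makes it easy to see whether the RRSIG is absent or merely hidden by output options.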


More information about the bind-users mailing list