DNSSEC DSSET & KEYSET

Mark Andrews marka at isc.org
Thu Jan 28 21:12:23 UTC 2010


In message <888060.89769.qm at web110304.mail.gq1.yahoo.com>, "prock111 at yahoo.com"
 writes:
> In a DNSSEC compliant world (I know we're not there yet) we need to give a
> copy of our DSSET and KEYSET to our parent domain.  Please confirm that is an
> accurate statement.

More correctly the parent needs to publish the DS RRset that matches
your SEP keys.  Some parents prefer to be given the public key,
others are happy with just the DS records.

> So my question is, is there a way through DIG (or some other utility) to
> confirm that the parent domain has the DSSET and KEYSET records required to
> support the child domain?

To a first approximation you can use key ids to check this.  The
key ID field in the DS record is the first field (12892 in this
case).  You can then ask dig to display the key ids of the DNSKEY
records with +multi.

If you need to go further there are tools which can take a DNSKEY
record and produce DS records and you can compare the hash fields.
I've never needed to do this later step when debugging a validation
failure.

In addition to the key ids matching one of the keys identified by
the DS RRset MUST also sign the DNSKEY RRset for it to be a secure
linkage.  This can also be done to a first approximation by looking
at the key id field in the RRSIG record.

When debugging an actual failure adding +cd will allow you to see
what named is getting even though it is not being returned to normal
queries.

Mark

; <<>> DiG 9.3.6-P1 <<>> ds isc.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44326
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;isc.org.			IN	DS

;; ANSWER SECTION:
isc.org.		900	IN	DS	12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
isc.org.		900	IN	DS	12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759

;; Query time: 430 msec
;; SERVER: 192.168.191.233#53(192.168.191.233)
;; WHEN: Fri Jan 29 07:50:55 2010
;; MSG SIZE  rcvd: 109


; <<>> DiG 9.3.6-P1 <<>> dnskey isc.org +multi +dnssec
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30104
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;isc.org.		IN DNSKEY

;; ANSWER SECTION:
isc.org.		31 IN DNSKEY 257 3 5 (
				BEAAAAOfDU7lEMzlyr3z7cRBzlD4HVyg3CwQX4FycN7u
				HAbRdGmwlorB3dnQO/TjnyC5f8ik0wgKJ6092WTnNNxG
				IqbtFLC6xn0P1ES1LlCe0HmVSokKl7JS/753B4m7moOc
				Oo/50sGM+vlZXO4pxmrW1EduobMgl/M1wpLvdBs+FFtY
				idmeM8ECaSy/CHehlnY+BzoPH5/W+5CSRg4B7uK6GquI
				syW34MbQIzRrRrp/VMiIVm1WSCwhE22+OMkaW+iX7h/S
				gjzwh6T2+iUccDtyoBop6A5OVYj6DHip1WmwepiPjmTW
				6dTmRo64QS/5S+0xZlvOU8NPgMSuW5pcgImp1/w/
				) ; key id = 47407
isc.org.		31 IN DNSKEY 257 3 5 (
				BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hW
				LDMvoOMRXjGrhhCeFvAZih7yJHf8ZGfW6hd38hXG/xyl
				YCO6Krpbdojwx8YMXLA5/kA+u50WIL8ZR1R6KTbsYVMf
				/Qx5RiNbPClw+vT+U8eXEJmO20jIS1ULgqy347cBB1zM
				nnz/4LJpA0da9CbKj3A254T515sNIMcwsB8/2+2E63/z
				ZrQzBkj0BrN/9Bexjpiks3jRhZatEsXn3dTy47R09Uix
				5WcJt+xzqZ7+ysyLKOOedS39Z7SDmsn2eA0FKtQpwA6L
				XeG2w+jxmw3oA8lVUgEf/rzeC/bByBNsO70aEFTd
				) ; key id = 12892
isc.org.		31 IN DNSKEY 256 3 5 (
				BEAAAAO4r5Xw/jbd+p7UiuzpoXQRjUzDaBIP0GaF2h8N
				rzydq8Faopgc29K9elYlNjC39T0qlaV2J2iqZS9g90AA
				TKsXKPy7E9NSe/+Bsr0Uipehvt4K6jqaqSSLubuSisIM
				R/q5x+wP6QUUKT0kjnycfDjjeORdiINckWHsbM87rtNw
				8Q==
				) ; key id = 8496
isc.org.		31 IN RRSIG DNSKEY 5 2 7200 20100224205023 (
				20100125205023 8496 isc.org.
				bXGIYbjQbuLU4yzve/NxzhOKz8JLnCiuBnAKkqj0NEX3
				c2IHY3pANw0itH3LuhQp0mrYx8/39vF/XYYT10V3NK2T
				TiGUgZa0nOjRhPZNvs2+G5kcfHUvQvwbmldTvtjEADrx
				q55tI5Qax8kf61CFWBjTdXpWVTM+asY0TD6GXSw= )
isc.org.		31 IN RRSIG DNSKEY 5 2 7200 20100224205023 (
				20100125205023 12892 isc.org.
				U67k/VAaIBdAOEQhEVtbEY8lhqHfnDHbir/PntlqYRvg
				4LjlILpNbHRcyWzHKsBb0bnHp+qMYkiBYczNvZ4zD4nh
				FR7ZVh6z046IcAzI8G1KD6n96GraXBXFJN2z+kE+B/gY
				xMy3xWfrIoxj/L8hEy3mqjpPXfcdtzrD3/bjf/og3Mrn
				WZJuawTcn3/ptMyQYbD5J7yr8xvpq7EjjclOR1u4WCXr
				pjEbRN/OmlPSSmM9RI/1w8/ONmCDJSIBaRgc8cMvHvgJ
				utPGMmW1ci/LTHVA7dBXb9K/fvOMyuJJMmN4p6Q6KQbY
				cNwwktZlkIBO8KdojAsI+Z904XvThCYgbA== )
isc.org.		31 IN RRSIG DNSKEY 5 2 7200 20100224205023 (
				20100125205023 47407 isc.org.
				RNdtNlmH1MJasaAM2pM1/jo+fr0/UBauutDoR0TlZR1+
				5SeuE5LLs1rqGc3Q8poVgCEFVX6MtFDf78wrSn/aQ+YD
				ubvg/O8H8a98MyJaInHJZza265LnjsfVYJprExnnJFug
				olzIuAQ+F5obSWXKx/WdyXXzzwcD2qWXOovRo4FN6xyE
				KqdcaPECZfTJo8T+EqU5KpnHDvCyKf6F2v07GGyXe69t
				tRzgCsEIsYGoagLANNSGnb53DqHYQWVJaOEGoEQRa0Ox
				QrB8oGyvfCEE3AtFhR/UY9mq+rXDVRUkp9DeqqNRX1uf
				OCeIHgkjynUUq8iEsjwhzn+bRbtUR8aNgA== )

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jan 29 08:08:37 2010
;; MSG SIZE  rcvd: 1496

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
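The two checks Mark describes above (compare the DS key tag with the DNSKEY key ids, then go further and recompute the DS digest from the DNSKEY and confirm that the matching key also signed the DNSKEY RRset) carried out in code. This is an added example and not part of the original post or of BIND; it re-implements the key tag algorithm of RFC 4034 Appendix B and the DS digest construction of RFC 4034 section 5.1.4 with only the Python standard library, and feeds them the DS records and the "key id = 12892" DNSKEY copied from the dig output above (with the whitespace dig inserts into long hex and base64 fields removed). Function names are my own, and the RRSIG step is, as in the message, a key tag comparison rather than signature verification.

```python
import base64
import hashlib

# Constructed sample input, copied from the dig output quoted in the message:
# the two DS records .org publishes for isc.org and the SEP DNSKEY that dig
# labelled "key id = 12892".  The spaces dig prints inside long hex and
# base64 fields have been removed.
OWNER = "isc.org."
PARENT_DS = [  # (key tag, algorithm, digest type, digest as hex)
    (12892, 5, 2, "F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586DE18DA6B5"),
    (12892, 5, 1, "982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759"),
]
KSK_12892 = (
    "BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hW"
    "LDMvoOMRXjGrhhCeFvAZih7yJHf8ZGfW6hd38hXG/xyl"
    "YCO6Krpbdojwx8YMXLA5/kA+u50WIL8ZR1R6KTbsYVMf"
    "/Qx5RiNbPClw+vT+U8eXEJmO20jIS1ULgqy347cBB1zM"
    "nnz/4LJpA0da9CbKj3A254T515sNIMcwsB8/2+2E63/z"
    "ZrQzBkj0BrN/9Bexjpiks3jRhZatEsXn3dTy47R09Uix"
    "5WcJt+xzqZ7+ysyLKOOedS39Z7SDmsn2eA0FKtQpwA6L"
    "XeG2w+jxmw3oA8lVUgEf/rzeC/bByBNsO70aEFTd"
)
CHILD_DNSKEYS = [(257, 3, 5, KSK_12892)]  # (flags, protocol, algorithm, base64 key)
# Key tags carried by the three "RRSIG DNSKEY" records in the same output.
DNSKEY_RRSIG_TAGS = [8496, 12892, 47407]

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 and 2


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, then the raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: the 'key id' dig prints with +multi.
    (Algorithm 1 keys use a different rule and are not handled here.)"""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """RFC 4034 s5.1.4: digest over the canonical owner name followed by the DNSKEY RDATA."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def check_delegation(owner, parent_ds, child_dnskeys, rrsig_tags):
    """Apply the RFC 4035 s5.2 test by hand: some DS must match a zone key by
    algorithm, key tag and digest, and that key must have signed the DNSKEY
    RRset (approximated here by the key tag in an RRSIG DNSKEY record).
    Returns (secure, report_lines)."""
    keys = [(f, a, dnskey_rdata(f, p, a, b)) for f, p, a, b in child_dnskeys]
    secure, report = False, []
    for tag, alg, dtype, digest in parent_ds:
        label = f"DS {tag}/{alg}/{dtype}"
        candidates = [rd for f, a, rd in keys
                      if a == alg and f & 0x0100 and key_tag(rd) == tag]
        if not candidates:
            report.append(f"{label}: no zone key with this tag and algorithm")
            continue
        if dtype not in DIGESTS:
            report.append(f"{label}: unknown digest type, skipped")
            continue
        # A key tag is a 16-bit checksum, so collisions happen; the digest decides.
        hits = [rd for rd in candidates if ds_digest(owner, rd, dtype) == digest.upper()]
        if not hits:
            report.append(f"{label}: key tag matches but digest does not (collision or stale DS)")
            continue
        signed = tag in rrsig_tags
        report.append(f"{label}: matches DNSKEY; DNSKEY RRset signed by it: {signed}")
        secure = secure or signed
    return secure, report


if __name__ == "__main__":
    for flags, proto, alg, b64 in CHILD_DNSKEYS:
        print(f"DNSKEY flags={flags} alg={alg}: computed key tag",
              key_tag(dnskey_rdata(flags, proto, alg, b64)))
    ok, lines = check_delegation(OWNER, PARENT_DS, CHILD_DNSKEYS, DNSKEY_RRSIG_TAGS)
    print("\n".join(lines))
    print("secure delegation:", ok)
```

Run it as a script and it recomputes the key tag of the quoted DNSKEY, compares each DS against it, and reports whether the DNSKEY RRset carries an RRSIG from that key. Two things the report cannot tell you are still worth keeping in mind when debugging: the RRSIG comparison is by key tag only, so an RRSIG from a key with a colliding tag would pass here while a validator would reject it, and a DS that is correct but whose key has since been rolled will show "key tag matches but digest does not", which is the same symptom as a parent publishing a stale DS.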
