dig -- only RRSIG present.

Bill Owens owens at nysernet.org
Mon Feb 13 00:24:24 UTC 2012


On Sun, Feb 12, 2012 at 10:22:22AM -0800, Michael Sinatra wrote:
> On 02/12/12 09:40, dE . wrote:
> >I'm trying to see DNSSEC response of various sites; my DNS server is
> >8.8.8.8 (google's public DNS service)
 . . .
> >As we can see, the DNSKEY and DS RR is missing which's mandatory for
> >this to be of any use. So where is it?
> 
> Well, the DS RR resides in the parent, not in the zone you're querying.
> You need to ask for it explicitly.  Although DNSKEY records are in the
> actual zone you're querying, you still need to ask for them explicitly.
> They're there; you just need to ask for them.

As Tony Finch pointed out to me a few days ago, the Google public servers don't understand that fact about DS records, and don't know to ask for them in the parent. But here's something interesting - as of my testing just now, they *do* respond with DS records:

[littledebian:~/dns] owens% dig isc.org @8.8.8.8 ds +dnssec

; <<>> DiG 9.9.0rc2 <<>> isc.org @8.8.8.8 ds +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48488
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;isc.org.			IN	DS

;; ANSWER SECTION:
isc.org.		73847	IN	DS	12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
isc.org.		73847	IN	DS	12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
isc.org.		73847	IN	RRSIG	DS 7 2 86400 20120301160425 20120209150425 55440 org. AaHh8ATWNZqZAfqKxoFS2GyScv46ME2s2sS6lG/AzWzDn6r7R1aXRPIT 2zfDhLfP6yyQSREh8BSd4K98OKfWW2ZSDPxHx3soJotG+N9RFqs33HYR 2rfJNsKDelnLQZvql93HkhblDALFycKHxKZDocNF/DgANJZbhV0qh1c9 5Cs=

;; Query time: 63 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Feb 12 19:19:43 2012
;; MSG SIZE  rcvd: 283

They're not setting AD so they aren't validating, and in fact they'll return records with broken signatures, like so:

[littledebian:~/dns] owens% dig pastdate-a.test.dnssec-tools.org @8.8.8.8

; <<>> DiG 9.9.0rc2 <<>> pastdate-a.test.dnssec-tools.org @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30272
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;pastdate-a.test.dnssec-tools.org. IN	A

;; ANSWER SECTION:
pastdate-a.test.dnssec-tools.org. 86400	IN A	75.119.216.33

;; Query time: 154 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Feb 12 19:23:11 2012
;; MSG SIZE  rcvd: 77

Still, I think it's a good sign. . .

Bill.
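As an added example, not part of Bill's post or of BIND/dig: a small Python decoder that reads the header flags and the EDNS OPT record of a raw DNS reply and reports the distinction the post draws from dig's flags line (DO set but AD clear means the resolver relays DNSSEC records without validating them). The replies are constructed inline to mirror the two dig outputs above (ids, flags, names), simplified to carry no answer records; the third, validating reply is hypothetical.

```python
import struct
OPT, DS, A = 41, 43, 1                             # RR types used below
QR, RD, RA, AD = 0x8000, 0x0100, 0x0080, 0x0020    # header flag bits (RFC 1035, RFC 4035)

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels, no compression."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_response(ident, flags, qname, qtype, do):
    """Constructed sample reply: one question, no answers, one EDNS OPT RR in ADDITIONAL."""
    msg = struct.pack("!6H", ident, flags, 1, 0, 0, 1) + encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT pseudo-RR: root name, type 41, class = UDP payload size, the "TTL" field carries the DO bit
    return msg + b"\x00" + struct.pack("!HHIH", OPT, 512, 0x8000 if do else 0, 0)

def parse_header(msg):
    """Decode the 12-byte header into id, flag bits, rcode and section counts."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "qr": bool(flags & QR), "rd": bool(flags & RD), "ra": bool(flags & RA),
            "ad": bool(flags & AD), "rcode": flags & 0xF, "counts": (qd, an, ns, ar)}

def _skip_name(msg, off):
    """Advance past a wire-format name; a compression pointer is two bytes and ends the name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def edns_do_bit(msg):
    """Walk all sections to the OPT RR and return its DO flag; False if the reply has no OPT RR."""
    qd, an, ns, ar = parse_header(msg)["counts"]
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                 # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            return bool(ttl & 0x8000)
    return False

def resolver_status(msg):
    """Read the reply the way the post reads dig's flags line: AD means the resolver validated."""
    if parse_header(msg)["ad"]:
        return "validating: AD set"
    return "DNSSEC data relayed but not validated: DO set, AD clear" if edns_do_bit(msg) else "plain DNS: DO clear"

# Constructed samples modelled on the two replies in the post (flags "qr rd ra", NOERROR).
GOOGLE_DS_REPLY = build_response(48488, QR | RD | RA, "isc.org", DS, do=True)
GOOGLE_A_REPLY = build_response(30272, QR | RD | RA, "pastdate-a.test.dnssec-tools.org", A, do=False)
VALIDATING_REPLY = build_response(1, QR | RD | RA | AD, "isc.org", DS, do=True)   # hypothetical
```

Running the same functions over a real reply captured with dig's +dnssec option would show the AD bit clear for a non-validating forwarder even when RRSIG and DS records are present in the answer.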


