dig -- only RRSIG present.
dE .
de.techno at gmail.com
Mon Feb 13 05:21:08 UTC 2012
On 02/13/12 10:13, Spain, Dr. Jeffry A. wrote:
>> But another question remains: where's the DNSKEY record, which is the missing link as of the current time?
>> Querying --
>> dig +dnssec -t DNSKEY yahoo.com @198.41.0.4
>> Does not return anything.
> I think that yahoo.com is probably not a DNSSEC-signed zone and so has no DNSKEY records. Otherwise the query below would return DNSSEC-related records and probably an AD flag. By the way, bind.odvr.dns-oarc.net is a publicly-available DNSSEC-enabled recursive resolver that is good to use for testing purposes. See https://www.dns-oarc.net/oarc/services/odvr. Jeff
>
> PS C:\> dig '@bind.odvr.dns-oarc.net.' yahoo.com +dnssec
>
> ;<<>> DiG 9.9.0rc2<<>> @bind.odvr.dns-oarc.net. yahoo.com +dnssec
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6844
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 5, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;yahoo.com. IN A
>
> ;; ANSWER SECTION:
> yahoo.com. 3600 IN A 72.30.2.43
> yahoo.com. 3600 IN A 98.137.149.56
> yahoo.com. 3600 IN A 98.139.183.24
> yahoo.com. 3600 IN A 209.191.122.70
>
> ;; AUTHORITY SECTION:
> yahoo.com. 161515 IN NS ns1.yahoo.com.
> yahoo.com. 161515 IN NS ns5.yahoo.com.
> yahoo.com. 161515 IN NS ns4.yahoo.com.
> yahoo.com. 161515 IN NS ns3.yahoo.com.
> yahoo.com. 161515 IN NS ns2.yahoo.com.
>
> ;; Query time: 795 msec
> ;; SERVER: 2001:4f8:3:2bc:1:0:64:20#53(2001:4f8:3:2bc:1:0:64:20)
> ;; WHEN: Sun Feb 12 23:39:39 2012
> ;; MSG SIZE rcvd: 192
>
Using this DNS server, I'm still not getting the DNSKEY for any DNSSEC-capable
domain; in fact this server has issues -
dig +dnssec -t A dnssec.net @bind.odvr.dns-oarc.net.
; <<>> DiG 9.8.1 <<>> +dnssec -t A dnssec.net @bind.odvr.dns-oarc.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40020
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssec.net. IN A
;; ANSWER SECTION:
dnssec.net. 43179 IN A 80.69.95.164
dnssec.net. 43179 IN A 80.69.93.34
;; AUTHORITY SECTION:
dnssec.net. 172778 IN NS ns2.dnssec.net.
dnssec.net. 172778 IN NS ns0.dnssec.net.
dnssec.net. 172778 IN NS ns3.dnssec.net.
dnssec.net. 172778 IN NS ns1.dnssec.net.
;; Query time: 883 msec
;; SERVER: 149.20.64.20#53(149.20.64.20)
;; WHEN: Mon Feb 13 10:41:19 2012
;; MSG SIZE rcvd: 143
------------------------------------------------------------------------
dig +dnssec -t A dnssec.net @198.41.0.4
; <<>> DiG 9.8.1 <<>> +dnssec -t A dnssec.net @198.41.0.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18381
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 16
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;dnssec.net. IN A
;; AUTHORITY SECTION:
net. 172800 IN NS a.gtld-servers.net.
net. 172800 IN NS b.gtld-servers.net.
net. 172800 IN NS c.gtld-servers.net.
net. 172800 IN NS d.gtld-servers.net.
net. 172800 IN NS e.gtld-servers.net.
net. 172800 IN NS f.gtld-servers.net.
net. 172800 IN NS g.gtld-servers.net.
net. 172800 IN NS h.gtld-servers.net.
net. 172800 IN NS i.gtld-servers.net.
net. 172800 IN NS j.gtld-servers.net.
net. 172800 IN NS k.gtld-servers.net.
net. 172800 IN NS l.gtld-servers.net.
net. 172800 IN NS m.gtld-servers.net.
net. 86400 IN DS 35886 8 2 7862B27F5F516EBE19680444D4CE5E762981931842C465F00236401D 8BD973EE
net. 86400 IN RRSIG DS 8 1 86400 20120220000000 20120212230000 51201 .
    FG9Eoc3k1PvDfDoiE5GkpV8ui1/54dsqWoXfQg1OBHwoV915ileT944r
    4CrkEKWgrss6YcmVvumbXRiTRaa4v0HM52Pmi/9IlU8KF2pM0thqZqLe
    liT/awh8uYyEZxludwvvN2AAZKK/uLwQdKwsIf0KCjZ7+RH3nUgG9osu /WU=
;; ADDITIONAL SECTION:
a.gtld-servers.net. 86400 IN AAAA 2001:503:a83e::2:30
a.gtld-servers.net. 86400 IN A 192.5.6.30
b.gtld-servers.net. 86400 IN AAAA 2001:503:231d::2:30
b.gtld-servers.net. 86400 IN A 192.33.14.30
c.gtld-servers.net. 86400 IN A 192.26.92.30
d.gtld-servers.net. 86400 IN A 192.31.80.30
e.gtld-servers.net. 86400 IN A 192.12.94.30
f.gtld-servers.net. 86400 IN A 192.35.51.30
g.gtld-servers.net. 86400 IN A 192.42.93.30
h.gtld-servers.net. 86400 IN A 192.54.112.30
i.gtld-servers.net. 86400 IN A 192.43.172.30
j.gtld-servers.net. 86400 IN A 192.48.79.30
k.gtld-servers.net. 86400 IN A 192.52.178.30
l.gtld-servers.net. 86400 IN A 192.41.162.30
m.gtld-servers.net. 86400 IN A 192.55.83.30
;; Query time: 193 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Mon Feb 13 10:41:12 2012
;; MSG SIZE rcvd: 731
------------------------------------------------------------------------
I think root nameservers should be used for this purpose, they're
definitely DNSSEC capable and the source of all caches.
Also, is it possible that the RRSIG and DS that I'm getting is from the
root name servers instead of the servers of the TLD or the sub-domain?
I'd be really happy if I could get some domains which are signed.
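Editor's note, with an added example that is not code from the thread or from BIND. The two transcripts above show different things. A root server is authoritative only for the root zone, so asking it for yahoo.com or dnssec.net (with or without DNSKEY as the type) gets a referral: no ANSWER section, no aa flag, an AUTHORITY section listing the TLD's servers and, because the delegation to net. is signed, the DS record for net. plus an RRSIG over that DS whose signer field is "." (the root zone's key). That DS and RRSIG are records of the root zone, not of net. or of the domain. A DNSKEY RRset lives at the zone's apex and is served by that zone's own authoritative servers, or by a recursive resolver that fetched it; a validating resolver marks an answer it has verified with the ad flag, which neither transcript shows. The script below parses dig +dnssec output of that shape and classifies it. Its inputs are constructed: two are trimmed from the transcripts in this thread (fewer records, digest and signature cut short), and the example.net one is made up, with placeholder address, key tag and signature.

```python
# Added example (not the poster's or BIND's code): parse dig +dnssec output and tell
# a referral from a validated answer and from an answer carrying no signatures.
import re

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")
SECTIONS = {";; QUESTION SECTION:": "question", ";; ANSWER SECTION:": "answer",
            ";; AUTHORITY SECTION:": "authority", ";; ADDITIONAL SECTION:": "additional"}

def parse_dig(text):
    """Parse dig's text output into a dict. A record that dig wrapped over several
    lines (long DS/RRSIG rdata) is glued back onto the record that started it."""
    resp = {"status": "", "flags": set(), "qname": "", "qtype": "",
            "answer": [], "authority": [], "additional": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";; ->>HEADER<<-"):
            resp["status"] = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            resp["flags"] = set(re.search(r"flags:\s*([^;]*);", line).group(1).split())
        elif line in SECTIONS:
            section = SECTIONS[line]
        elif section == "question" and line.startswith(";"):
            resp["qname"], _, resp["qtype"] = line[1:].split()
        elif line.startswith(";"):                 # any other ";;" header ends a section
            section = None if line.startswith(";;") else section
        elif section in ("answer", "authority", "additional") and line:
            rrs, m = resp[section], RR_RE.match(line)
            if m:
                rrs.append({"name": m[1], "type": m[3], "rdata": m[4]})
            elif rrs:
                rrs[-1]["rdata"] += " " + line     # continuation of a wrapped record
    return resp

def rrsig_signers(rrs, covers=None):
    """Signer-name field (8th rdata token) of each RRSIG, optionally only those
    covering one type: that is the zone whose key produced the signature."""
    return {rr["rdata"].split()[7] for rr in rrs
            if rr["type"] == "RRSIG" and covers in (None, rr["rdata"].split()[0])}

def is_referral(resp):
    """No answer, no aa flag, and the AUTHORITY NS set is owned by a proper ancestor
    of the query name: the server is pointing at the child zone's servers instead."""
    if resp["answer"] or "aa" in resp["flags"]:
        return False
    return any(rr["name"] != resp["qname"] and resp["qname"].endswith("." + rr["name"].lstrip("."))
               for rr in resp["authority"] if rr["type"] == "NS")

def classify(resp):
    if resp["status"] != "NOERROR":
        return resp["status"]
    if is_referral(resp):
        return "referral"
    if "ad" in resp["flags"]:
        return "validated"             # a validating resolver vouched for the answer
    if rrsig_signers(resp["answer"]):
        return "signed-not-validated"  # signatures came back, but nobody checked them
    return "no-signatures"             # unsigned zone, or the resolver returned none

def delegation(resp):
    """For a referral: (delegated zone, DS present?, signers of the DS RRSIG). The DS
    and its RRSIG are records of the parent zone, so the signer is the parent."""
    zone = next(rr["name"] for rr in resp["authority"] if rr["type"] == "NS")
    has_ds = any(rr["type"] == "DS" and rr["name"] == zone for rr in resp["authority"])
    return zone, has_ds, rrsig_signers(resp["authority"], covers="DS")

# Constructed inputs: the first two are trimmed from the thread's transcripts (fewer
# records, digest and signature cut short); example.net is made up, all placeholders.
ROOT_REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18381
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0
;; QUESTION SECTION:
;dnssec.net.  IN  A
;; AUTHORITY SECTION:
net.  172800  IN  NS  a.gtld-servers.net.
net.  86400  IN  DS  35886 8 2 7862B27F5F516EBE19680444D4CE5E762981931842C465F00236401D
  8BD973EE
net.  86400  IN  RRSIG  DS 8 1 86400 20120220000000 20120212230000 51201 .
  FG9Eoc3k1PvDfDoiE5GkpV8ui1/54dsqWoXfQg1OBHwoV915ileT944r
"""
ODVR_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40020
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;dnssec.net.  IN  A
;; ANSWER SECTION:
dnssec.net.  43179  IN  A  80.69.95.164
dnssec.net.  43179  IN  A  80.69.93.34
"""
VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;example.net.  IN  A
;; ANSWER SECTION:
example.net.  3600  IN  A  192.0.2.10
example.net.  3600  IN  RRSIG  A 8 2 3600 20120301000000 20120201000000 12345 example.net. cGxhY2Vob2xkZXI=
"""

if __name__ == "__main__":
    for text in (ROOT_REFERRAL, ODVR_ANSWER, VALIDATED):
        r = parse_dig(text)
        print(r["qname"], classify(r), delegation(r) if classify(r) == "referral" else "")
```

Run as-is, the three transcripts classify as referral, no-signatures and validated; for the root referral, delegation() returns ('net.', True, {'.'}), i.e. the DS and its signature belong to the root zone. The "signed-not-validated" case (RRSIGs in the answer but no ad flag) is what a non-validating resolver that still forwards DNSSEC records produces, and is worth distinguishing from an answer that carries no signatures at all.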