A few conceptual questions about DNSSEC.

dE . de.techno at gmail.com
Sat Feb 18 16:35:45 UTC 2012


On 02/18/12 00:36, Gaurav kansal wrote:
>
> Firstly, where do we get the public key for the DS records?
>
> Can you clarify your question???
>
>

The DS record is a signature, right? It has to be decrypted using a 
public key, and the decrypted hash has to be compared to the DNSKEY's hash.

So what I'm asking for here is, where do we get this public key from?

>
> Second, why do I get multiple DS records as response? --
>
> You will always get 2 DS records in response. One for SHA-1 and a 
> second for SHA-256.
>
> ------------------------------------------------------------------------
>
> dig +dnssec -t DS isc.org @b0.org.afilias-nst.org.
>
> ; <<>> DiG 9.8.1 <<>> +dnssec -t DS isc.org @b0.org.afilias-nst.org.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32385
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;isc.org.                       IN      DS
>
> ;; ANSWER SECTION:
> isc.org.                86400   IN      DS      12892 5 2 
> F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
> isc.org.                86400   IN      DS      12892 5 1 
> 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
> isc.org.                86400   IN      RRSIG   DS 7 2 86400 
> 20120309160141 20120217150141 55440 org. 
> SHpqmMeBQAyBB5LgBcrR5FcZiWiEudop/fl7X1xgz31XG4vFFQzq57RI 
> q0hUkWZ0dR5oBCpRC15osOXSZEwVuz3LXXUd63GpI5aoGv/OtyPI/w4Y 
> TedgweoE9PWovcx6Ahr2WonckP2YqTsHqzxwr+VSiiMFMe2VVquTo4/v EjE=
>
> ;; Query time: 339 msec
> ;; SERVER: 199.19.54.1#53(199.19.54.1)
> ;; WHEN: Fri Feb 17 23:36:01 2012
> ;; MSG SIZE  rcvd: 283
>
> ------------------------------------------------------------------------
>
>
> Why do I get multiple RRSIG records from some servers? --
>
> You will get a single RRSIG per RRset.
>
> ------------------------------------------------------------------------
>
>
> dig +dnssec -t NS yahoo.com @g.gtld-servers.net.
>
> ; <<>> DiG 9.8.1 <<>> +dnssec -t NS yahoo.com @g.gtld-servers.net.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35065
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 6
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 512
> ;; QUESTION SECTION:
> ;yahoo.com.                     IN      NS
>
> ;; AUTHORITY SECTION:
> yahoo.com.              172800  IN      NS      ns1.yahoo.com.
> yahoo.com.              172800  IN      NS      ns5.yahoo.com.
> yahoo.com.              172800  IN      NS      ns2.yahoo.com.
> yahoo.com.              172800  IN      NS      ns3.yahoo.com.
> yahoo.com.              172800  IN      NS      ns4.yahoo.com.
> CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - 
> CK3O3O11OF9QR6F29BIIMK6FFD57PGE2 NS SOA RRSIG DNSKEY NSEC3PARAM
> CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 
> 20120222012103 20120215001103 54350 com. 
> gf6tXFAK2gwY3wjtBOuPN8Hai0kNguudAzewQLf3ZGxhbXxKoB0/+JvC 
> yAjgBhMF9E1GIVVLmgjrkJXpMxL1n2PjAjBx/R8kZ+W+flKehXDBPmX9 
> TDnbrJ9EHytM6/JN4loGB1cAYeQXrN8TE3jNzWneiFYPFwgCIT21qo0l RE8=
> GP1945PGQIOH4O61BM3RUL2EVN04SPIA.com. 86400 IN NSEC3 1 1 0 - 
> GPLVOUV0V27L8DPOOBNLQU1VHFRMMPUT NS DS RRSIG
> GP1945PGQIOH4O61BM3RUL2EVN04SPIA.com. 86400 IN RRSIG NSEC3 8 2 86400 
> 20120224144059 20120217133059 54350 com. 
> NiD8Fe9hm7I2mgfjoXph2yiODqiuS9t/ZSM9pEuZ6gP9/xM6odKAwFC+ 
> 3egy+8F8yVjFth63MLIUOeCcwZBYKzymo4wJ2hddaddqBnNTYj0BAYXn 
> YZdmf0OmCTvhDe5EXcIWH14DiCOjITeZR/CX3wfP8aUu9CGOYDAR8/1M /Ds=
>
> ;; ADDITIONAL SECTION:
> ns1.yahoo.com.          172800  IN      A       68.180.131.16
> ns5.yahoo.com.          172800  IN      A       119.160.247.124
> ns2.yahoo.com.          172800  IN      A       68.142.255.16
> ns3.yahoo.com.          172800  IN      A       121.101.152.99
> ns4.yahoo.com.          172800  IN      A       68.142.196.63
>
> ;; Query time: 386 msec
> ;; SERVER: 192.42.93.30#53(192.42.93.30)
> ;; WHEN: Fri Feb 17 23:40:26 2012
> ;; MSG SIZE  rcvd: 693
>
> ------------------------------------------------------------------------
>
>
> Do we get a RRSIG for each RR retrieved? If so, why does --
>
> Not for each RR, but for each RRset.
>
> ------------------------------------------------------------------------
>
>
> dig +dnssec -t NS com @a.root-servers.net.
>
> ; <<>> DiG 9.8.1 <<>> +dnssec -t NS com @a.root-servers.net.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44852
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 16
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 512
> ;; QUESTION SECTION:
> ;com.                           IN      NS
>
> ;; AUTHORITY SECTION:
> com.                    172800  IN      NS      a.gtld-servers.net.
> com.                    172800  IN      NS      b.gtld-servers.net.
> com.                    172800  IN      NS      c.gtld-servers.net.
> com.                    172800  IN      NS      d.gtld-servers.net.
> com.                    172800  IN      NS      e.gtld-servers.net.
> com.                    172800  IN      NS      f.gtld-servers.net.
> com.                    172800  IN      NS      g.gtld-servers.net.
> com.                    172800  IN      NS      h.gtld-servers.net.
> com.                    172800  IN      NS      i.gtld-servers.net.
> com.                    172800  IN      NS      j.gtld-servers.net.
> com.                    172800  IN      NS      k.gtld-servers.net.
> com.                    172800  IN      NS      l.gtld-servers.net.
> com.                    172800  IN      NS      m.gtld-servers.net.
> com.                    86400   IN      DS      30909 8 2 
> E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
> com.                    86400   IN      RRSIG   DS 8 1 86400 
> 20120224000000 20120216230000 51201 . 
> IuENP04r85gzobEOPGEWr+cRxuPep8KWQgp0P9e3RxVlL5ZFaSzUHjVg 
> SQL7LMHn31FfiUDrGW9oTs3knqqGNbex+LDB9lIq17dEN3k1A+1emHcN 
> MF6kDBCoSPiU9yvaxZkII4Omj051XyHH+5st8cpZemLgR/n+2gtDpvPV PeY=
>
> ;; ADDITIONAL SECTION:
> a.gtld-servers.net.     86400   IN      AAAA    2001:503:a83e::2:30
> a.gtld-servers.net.     86400   IN      A       192.5.6.30
> b.gtld-servers.net.     86400   IN      AAAA    2001:503:231d::2:30
> b.gtld-servers.net.     86400   IN      A       192.33.14.30
> c.gtld-servers.net.     86400   IN      A       192.26.92.30
> d.gtld-servers.net.     86400   IN      A       192.31.80.30
> e.gtld-servers.net.     86400   IN      A       192.12.94.30
> f.gtld-servers.net.     86400   IN      A       192.35.51.30
> g.gtld-servers.net.     86400   IN      A       192.42.93.30
> h.gtld-servers.net.     86400   IN      A       192.54.112.30
> i.gtld-servers.net.     86400   IN      A       192.43.172.30
> j.gtld-servers.net.     86400   IN      A       192.48.79.30
> k.gtld-servers.net.     86400   IN      A       192.52.178.30
> l.gtld-servers.net.     86400   IN      A       192.41.162.30
> m.gtld-servers.net.     86400   IN      A       192.55.83.30
>
> ;; Query time: 192 msec
> ;; SERVER: 198.41.0.4#53(198.41.0.4)
> ;; WHEN: Fri Feb 17 23:43:09 2012
> ;; MSG SIZE  rcvd: 727
>
> ------------------------------------------------------------------------
>
>
> Does not return multiple RR?
>
> Lastly, what's the format of the output of DNSSEC records?
>
> com.                    86400   IN      DS      30909 8 2 
> E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
>
> So what's '30909 8 2'?
>
> 30909 is the TTL value; 2 signifies SHA-256.
>
>
>
> And in -
>
> com.                    86400   IN      RRSIG   DS 8 1 86400 
> 20120224000000 20120216230000 51201 . 
> IuENP04r85gzobEOPGEWr+cRxuPep8KWQgp0P9e3RxVlL5ZFaSzUHjVg 
> SQL7LMHn31FfiUDrGW9oTs3knqqGNbex+LDB9lIq17dEN3k1A+1emHcN 
> MF6kDBCoSPiU9yvaxZkII4Omj051XyHH+5st8cpZemLgR/n+2gtDpvPV PeY=
>
> What's 8 1 86400 20120224000000 20120216230000 51201?
>
> 1 - SHA-1
>
> 86400 -- TTL Value
>
> 20120224000000 -- Signature expiration time
>
> 20120224000000 -- Signature creation time
>
> 51201 -- Key ID
>
>
> DNSSEC appears to be a rarely explored topic.
>

Thanks for the answer! That cleared a lot of things.

Another thing I forgot to ask is, in -

com.                    86400   IN      RRSIG   DS 8 1 86400 
20120224000000 20120216230000 51201 . 
IuENP04r85gzobEOPGEWr+cRxuPep8KWQgp0P9e3RxVlL5ZFaSzUHjVg 
SQL7LMHn31FfiUDrGW9oTs3knqqGNbex+LDB9lIq17dEN3k1A+1emHcN 
MF6kDBCoSPiU9yvaxZkII4Omj051XyHH+5st8cpZemLgR/n+2gtDpvPV PeY=

What does the DS signify here? RRSIG for the returned DS RRset?

If this is so, why does -

------------------------------------------------------------------------
dig +dnssec -t NS com @a.root-servers.net.

; <<>> DiG 9.8.1 <<>> +dnssec -t NS com @a.root-servers.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44852
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 16
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;com.                           IN      NS

;; AUTHORITY SECTION:
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    86400   IN      DS      30909 8 2 
E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.                    86400   IN      RRSIG   DS 8 1 86400 
20120224000000 20120216230000 51201 . 
IuENP04r85gzobEOPGEWr+cRxuPep8KWQgp0P9e3RxVlL5ZFaSzUHjVg 
SQL7LMHn31FfiUDrGW9oTs3knqqGNbex+LDB9lIq17dEN3k1A+1emHcN 
MF6kDBCoSPiU9yvaxZkII4Omj051XyHH+5st8cpZemLgR/n+2gtDpvPV PeY=

------------------------------------------------------------------------

not return an RRSIG for the NS RRset?
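As an added example (not code from this thread), the two record formats under discussion parsed field by field per RFC 4034, together with the two computations a validator does when chaining a parent's DS to the child's DNSKEY: the key tag (Appendix B) and the DS digest over the owner name and DNSKEY RDATA (section 5.1.4). The DS and RRSIG strings are the ones from the dig output quoted above; the DNSKEY RDATA is a constructed toy value, since the thread does not show the com. DNSKEY.

```python
import base64
import hashlib
from datetime import datetime

ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256"}  # IANA DNSKEY algorithm names
DIGEST_TYPES = {1: "SHA-1", 2: "SHA-256"}                            # IANA DS digest type names

def parse_ds(rdata: str) -> dict:
    """DS RDATA (RFC 4034 s5.1): key tag of the child's DNSKEY, algorithm, digest type, hex digest."""
    tag, alg, dtype, *digest = rdata.split()  # dig may split the digest into several chunks
    return {"key_tag": int(tag), "algorithm": ALGORITHMS[int(alg)],
            "digest_type": DIGEST_TYPES[int(dtype)], "digest": "".join(digest)}

def parse_rrsig(rdata: str) -> dict:
    """RRSIG RDATA (RFC 4034 s3.2); times are UTC, the trailing chunks are the base64 signature."""
    f = rdata.split()
    return {"type_covered": f[0], "algorithm": ALGORITHMS[int(f[1])],
            "labels": int(f[2]), "original_ttl": int(f[3]),
            "expiration": datetime.strptime(f[4], "%Y%m%d%H%M%S"),
            "inception": datetime.strptime(f[5], "%Y%m%d%H%M%S"), "key_tag": int(f[6]),
            "signer": f[7], "signature": base64.b64decode("".join(f[8:]))}

def rrsig_in_validity_window(sig: dict, now: datetime) -> bool:
    """A validator rejects an RRSIG whose inception..expiration window does not cover 'now'."""
    return sig["inception"] <= now <= sig["expiration"]

def key_tag(dnskey_rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B): 16-bit word sum over the DNSKEY RDATA, carry folded in."""
    ac = sum(b if i & 1 else b << 8 for i, b in enumerate(dnskey_rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def ds_digest(owner: str, dnskey_rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(owner name in wire form || DNSKEY RDATA), RFC 4034 s5.1.4."""
    h = hashlib.sha256 if digest_type == 2 else hashlib.sha1
    return h(name_to_wire(owner) + dnskey_rdata).hexdigest().upper()

# Records copied from the dig output quoted in the thread.
COM_DS = parse_ds("30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766")
COM_DS_RRSIG = parse_rrsig(
    "DS 8 1 86400 20120224000000 20120216230000 51201 . "
    "IuENP04r85gzobEOPGEWr+cRxuPep8KWQgp0P9e3RxVlL5ZFaSzUHjVg"
    "SQL7LMHn31FfiUDrGW9oTs3knqqGNbex+LDB9lIq17dEN3k1A+1emHcN"
    "MF6kDBCoSPiU9yvaxZkII4Omj051XyHH+5st8cpZemLgR/n+2gtDpvPVPeY=")
TOY_DNSKEY = bytes([0x01, 0x01, 0x03, 0x08, 1, 2, 3, 4])  # constructed: flags 257 (KSK), proto 3, alg 8
```

The 128-byte signature length and the 64-hex-digit digest are what a 1024-bit RSA key and a SHA-256 DS produce; a mismatch in either would be the first sign of a truncated or corrupted record.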