A few conceptual questions about DNSSEC.

dE . de.techno at gmail.com
Sat Feb 18 16:51:50 UTC 2012


On 02/18/12 02:41, Tony Finch wrote:
> dE .<de.techno at gmail.com>  wrote:
>
>> Firstly, where do we get the public key for the DS records?
> A zone's DNSKEY RRset contains its public keys, and these are hashed to
> make its DS records. For example,
>
> $ dig +nottl +noall +answer DS isc.org | perl -pe 's/\s+(?!$)/ /g'
> isc.org. IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
> isc.org. IN DS 12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
> $ dig DNSKEY isc.org | dnssec-dsfromkey -f /dev/stdin isc.org
> isc.org. IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
> isc.org. IN DS 12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
>

Ok, so the DS record is not encrypted.

Now, I got a feeling that this fact will add some major security 
implications.

>> Why do I get multiple RRSIG records from some servers? -
> When you ask a GTLD server for the yahoo.com delegation NS records, you
> also get two NSEC3 records that bracket the yahoo.com delegation to prove
> it is insecure (no DS record), and an RRSIG record for each NSEC3 record.
>
>> Do we get a RRSIG for each RR retrieved?
> No, one per RRset, where an RRset is all the records with the same name,
> class, and type.
>
>> Lastly, what's the format for the output dis DNSSEC records?
> See RFC 4034.
>
> Tony.

Thanks!
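Tony's pipeline above (dig DNSKEY piped into dnssec-dsfromkey) can be reproduced by hand. Per RFC 4034 section 5.1.4 a DS digest is a hash over the owner name in canonical wire format followed by the DNSKEY RDATA, and the key tag is the Appendix B checksum over that RDATA; RFC 4509 adds digest type 2 (SHA-256). The Python below is an added example, not part of this thread or of BIND. The DNSKEY line it parses is constructed (a two-byte fake public key), not isc.org's real key, so its digests will not match the ones quoted above.

```python
"""Derive DS records from a DNSKEY in dig presentation format.

RFC 4034 s.5.1.4: DS digest = hash(canonical owner name in wire form || DNSKEY RDATA)
RFC 4034 Appendix B: key tag = 16-bit checksum over the DNSKEY RDATA
Example code added to this post; not from the thread or from BIND.
"""
import base64
import hashlib

# Digest types registered for DS: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509)
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}
SEP_FLAG = 0x0001  # Secure Entry Point bit: set on keys meant to be referenced by DS (KSKs)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 s.6.2): lowercase labels, length-prefixed, root = 0x00."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B checksum. Algorithm 1 (RSA/MD5) used a different rule and is refused."""
    if rdata[3] == 1:
        raise ValueError("key tag for algorithm 1 (RSA/MD5) is computed differently")
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """Hex digest over wire-format owner name followed by the DNSKEY RDATA."""
    h = DIGEST_TYPES[digest_type]()
    h.update(name_to_wire(owner))
    h.update(rdata)
    return h.hexdigest().upper()


def parse_dnskey_line(line: str):
    """Parse 'owner [ttl] [class] DNSKEY flags proto alg base64...' as printed by dig."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    owner = fields[0]
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))  # base64 may be split by spaces
    return owner, flags, proto, alg, pubkey


def ds_records(line: str, digest_types=(1, 2), ksk_only=True):
    """Return DS presentation lines for one DNSKEY line. Like dnssec-dsfromkey's default,
    keys without the SEP flag (ZSKs) produce no DS unless ksk_only=False."""
    owner, flags, proto, alg, pubkey = parse_dnskey_line(line)
    if ksk_only and not flags & SEP_FLAG:
        return []
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    tag = key_tag(rdata)
    return ["%s IN DS %d %d %d %s" % (owner, tag, alg, dt, ds_digest(owner, rdata, dt))
            for dt in digest_types]


if __name__ == "__main__":
    # Constructed DNSKEY: flags 257 (zone key + SEP), protocol 3, algorithm 8,
    # and a fake two-byte public key (base64 "AQI=" -> 0x01 0x02). Not a real key.
    for rec in ds_records("example.com. 3600 IN DNSKEY 257 3 8 AQI="):
        print(rec)
```

Feeding the real `dig DNSKEY isc.org` output into `ds_records` line by line gives the same key tag and digests as dnssec-dsfromkey; the owner name is lowercased before hashing, so `ISC.ORG.` and `isc.org.` yield identical DS records, as the canonical-form rules require.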
