A few conceptual question about dnssec.
Tony Finch
dot at dotat.at
Mon Feb 20 12:34:05 UTC 2012
dE . <de.techno at gmail.com> wrote:
>
> Ok, so the DS record is not encrypted.

DNSSEC is about signatures: nothing is encrypted. DS records are signed:
a DS RRset has an RRSIG. For example,

; <<>> DiG 9.8.1-P1 <<>> +multi +dnssec DS isc.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53813
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;isc.org. IN DS
;; ANSWER SECTION:
isc.org. 86382 IN DS 12892 5 1 (
982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759 )
isc.org. 86382 IN DS 12892 5 2 (
F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F
0EB5C777586DE18DA6B5 )
isc.org. 86382 IN RRSIG DS 7 2 86400 20120309160141 (
20120217150141 55440 org.
SHpqmMeBQAyBB5LgBcrR5FcZiWiEudop/fl7X1xgz31X
G4vFFQzq57RIq0hUkWZ0dR5oBCpRC15osOXSZEwVuz3L
XXUd63GpI5aoGv/OtyPI/w4YTedgweoE9PWovcx6Ahr2
WonckP2YqTsHqzxwr+VSiiMFMe2VVquTo4/vEjE= )
;; Query time: 9 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Feb 20 12:33:26 2012
;; MSG SIZE rcvd: 283
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Dover, Wight, Portland, Plymouth: Southwesterly 4 or 5, increasing 6 or 7
later. Slight becoming moderate. Mainly fair. Mainly good.
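
Added example (not part of the message above and not BIND code): a Python sketch that parses the answer section of the dig output and checks what can be checked without the org. DNSKEY: the DS digest lengths, that the RRSIG covering DS names a signer above the owner, and that the query time lies inside the signature validity window. The function names are hypothetical and the dig WHEN time is assumed to be UTC; the signature itself is not verified.

```python
from datetime import datetime, timezone
DIGEST_LEN = {1: 20, 2: 32}  # DS digest type -> digest bytes (SHA-1, SHA-256)
QUERY_TIME = datetime(2012, 2, 20, 12, 33, 26, tzinfo=timezone.utc)  # dig WHEN line, assumed UTC
# Answer section copied from the dig output in the message above.
ANSWER = """\
isc.org. 86382 IN DS 12892 5 1 (
    982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759 )
isc.org. 86382 IN DS 12892 5 2 (
    F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F
    0EB5C777586DE18DA6B5 )
isc.org. 86382 IN RRSIG DS 7 2 86400 20120309160141 (
    20120217150141 55440 org.
    SHpqmMeBQAyBB5LgBcrR5FcZiWiEudop/fl7X1xgz31X
    G4vFFQzq57RIq0hUkWZ0dR5oBCpRC15osOXSZEwVuz3L
    XXUd63GpI5aoGv/OtyPI/w4YTedgweoE9PWovcx6Ahr2
    WonckP2YqTsHqzxwr+VSiiMFMe2VVquTo4/vEjE= )
"""

def records(text):  # join ( ... ) continuation lines; one token list per record
    buf, depth = [], 0
    for line in text.splitlines():
        depth += line.count("(") - line.count(")")
        buf += line.replace("(", " ").replace(")", " ").split()
        if depth == 0 and buf:
            yield buf
            buf = []

def ts(s):  # RRSIG timestamps are YYYYMMDDHHmmSS, UTC
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_ds_rrset(text, now):
    """Return (ds_records, problems). Structural checks only, no signature crypto."""
    ds, problems, signed = [], [], False
    for owner, _ttl, _cls, rtype, *rd in records(text):
        if rtype == "DS":
            tag, alg, dtype = map(int, rd[:3])
            digest = bytes.fromhex("".join(rd[3:]))
            if len(digest) != DIGEST_LEN.get(dtype):
                problems.append(f"DS digest type {dtype}: {len(digest)} bytes")
            ds.append((tag, alg, dtype, digest.hex()))
        elif rtype == "RRSIG" and rd[0] == "DS":
            signed, signer = True, rd[7].lower()
            if not owner.lower().endswith("." + signer.lstrip(".")):  # DS is parent-side data
                problems.append(f"signer {signer} is not above {owner}")
            if not ts(rd[5]) <= now <= ts(rd[4]):  # inception <= now <= expiration
                problems.append("outside RRSIG validity window")
    if not signed:
        problems.append("DS RRset has no RRSIG")
    return ds, problems
```

Calling check_ds_rrset(ANSWER, QUERY_TIME) returns both DS records and an empty problem list; the DS digests and the RRSIG signature are stored and sent as plain data, which is the point made in the reply.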