Signed root - missing RRSIG for delegation?

[Niobos]

Hi,

It's probably just my lack of knowledge, but there seems to be a missing
RRSIG in the root zone.

I try to securely resolve example.net. I obviously get a delegation
returned (dig output below), but I can't seem to validate that
delegation. The delegation itself (and a direct request for net./NS)
only yield an RRSIG over the NSEC RRset, not over the NS RRset and not
over the glue A-records (which are in bailiwick, and I have "no other
way" to resolve them)

Can anyone clarify?

thx,
Niobos


$ dig @l.root-servers.net. +dnssec example.net. A

; <<>> DiG 9.6.0-APPLE-P2 <<>> @l.root-servers.net. +dnssec example.net. A
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1174
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 16
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.net.                   IN      A

;; AUTHORITY SECTION:
net.                    172800  IN      NS      a.gtld-servers.net.
net.                    172800  IN      NS      b.gtld-servers.net.
net.                    172800  IN      NS      c.gtld-servers.net.
net.                    172800  IN      NS      d.gtld-servers.net.
net.                    172800  IN      NS      e.gtld-servers.net.
net.                    172800  IN      NS      f.gtld-servers.net.
net.                    172800  IN      NS      g.gtld-servers.net.
net.                    172800  IN      NS      h.gtld-servers.net.
net.                    172800  IN      NS      i.gtld-servers.net.
net.                    172800  IN      NS      j.gtld-servers.net.
net.                    172800  IN      NS      k.gtld-servers.net.
net.                    172800  IN      NS      l.gtld-servers.net.
net.                    172800  IN      NS      m.gtld-servers.net.
net.                    86400   IN      NSEC    nf. NS RRSIG NSEC
net.                    86400   IN      RRSIG   NSEC 8 1 86400 20100722000000 
20100714230000 41248
. XNB4appdNqmX630pa76WvD7nVhSqz908XQ2DXxLUB2q6VeMsVVPnYppg
5w7zStc5DSFboylq9XeJJXrYJcGmLo9llWj2WNkRa/X4TfGm0P4s1zC5
BDAzvbTYm2KbUv88b3TzZzIxmyyCMWbo8sY+ihJckmkpftg5LAVcU9B6 Ajs=

;; ADDITIONAL SECTION:
a.gtld-servers.net.     172800  IN      A       192.5.6.30
b.gtld-servers.net.     172800  IN      A       192.33.14.30
c.gtld-servers.net.     172800  IN      A       192.26.92.30
d.gtld-servers.net.     172800  IN      A       192.31.80.30
e.gtld-servers.net.     172800  IN      A       192.12.94.30
f.gtld-servers.net.     172800  IN      A       192.35.51.30
g.gtld-servers.net.     172800  IN      A       192.42.93.30
h.gtld-servers.net.     172800  IN      A       192.54.112.30
i.gtld-servers.net.     172800  IN      A       192.43.172.30
j.gtld-servers.net.     172800  IN      A       192.48.79.30
k.gtld-servers.net.     172800  IN      A       192.52.178.30
l.gtld-servers.net.     172800  IN      A       192.41.162.30
m.gtld-servers.net.     172800  IN      A       192.55.83.30
a.gtld-servers.net.     172800  IN      AAAA    2001:503:a83e::2:30
b.gtld-servers.net.     172800  IN      AAAA    2001:503:231d::2:30

;; Query time: 69 msec
;; SERVER: 199.7.83.42#53(199.7.83.42)
;; WHEN: Fri Jul 16 12:21:13 2010
;; MSG SIZE  rcvd: 711



_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users