On Fri, 16 Jul 2010 12:25:44 +0200, Niobos <nio...@dest-unreach.be> wrote:
> Hi,
>
> It's probably just my lack of knowledge, but there seems to be a
> missing RRSIG in the root zone.
>
> I try to securely resolve example.net. I obviously get a delegation
> returned (dig output below), but I can't seem to validate that
> delegation. The delegation itself (and a direct request for net./NS)
> only yield an RRSIG over the NSEC RRset, not over the NS RRset and not
> over the glue A-records (which are in bailiwick, and I have "no other
> way" to resolve them)
>
> Can anyone clarify?
>
> thx,
> Niobos
>

You're asking the root servers for example.net. They only know .net
though and thus give you a list of nameservers responsible for .net.

But even if you'd asked a validating resolver instead of one of the root
servers, there wouldn't be a validatable answer as there's no delegation
signer for .net in the root yet.

Ciao
Torsten

> $ dig @l.root-servers.net. +dnssec example.net. A
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> @l.root-servers.net. +dnssec example.net. A
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1174
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 16
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;example.net.                   IN      A
>
> ;; AUTHORITY SECTION:
> net.                    172800  IN      NS      a.gtld-servers.net.
> net.                    172800  IN      NS      b.gtld-servers.net.
> net.                    172800  IN      NS      c.gtld-servers.net.
> net.                    172800  IN      NS      d.gtld-servers.net.
> net.                    172800  IN      NS      e.gtld-servers.net.
> net.                    172800  IN      NS      f.gtld-servers.net.
> net.                    172800  IN      NS      g.gtld-servers.net.
> net.                    172800  IN      NS      h.gtld-servers.net.
> net.                    172800  IN      NS      i.gtld-servers.net.
> net.                    172800  IN      NS      j.gtld-servers.net.
> net.                    172800  IN      NS      k.gtld-servers.net.
> net.                    172800  IN      NS      l.gtld-servers.net.
> net.                    172800  IN      NS      m.gtld-servers.net.
> net.                    86400   IN      NSEC    nf. NS RRSIG NSEC
> net.                    86400   IN      RRSIG   NSEC 8 1 86400 20100722000000 20100714230000 41248 .
>                                 XNB4appdNqmX630pa76WvD7nVhSqz908XQ2DXxLUB2q6VeMsVVPnYppg
>                                 5w7zStc5DSFboylq9XeJJXrYJcGmLo9llWj2WNkRa/X4TfGm0P4s1zC5
>                                 BDAzvbTYm2KbUv88b3TzZzIxmyyCMWbo8sY+ihJckmkpftg5LAVcU9B6
>                                 Ajs=
>
> ;; ADDITIONAL SECTION:
> a.gtld-servers.net.     172800  IN      A       192.5.6.30
> b.gtld-servers.net.     172800  IN      A       192.33.14.30
> c.gtld-servers.net.     172800  IN      A       192.26.92.30
> d.gtld-servers.net.     172800  IN      A       192.31.80.30
> e.gtld-servers.net.     172800  IN      A       192.12.94.30
> f.gtld-servers.net.     172800  IN      A       192.35.51.30
> g.gtld-servers.net.     172800  IN      A       192.42.93.30
> h.gtld-servers.net.     172800  IN      A       192.54.112.30
> i.gtld-servers.net.     172800  IN      A       192.43.172.30
> j.gtld-servers.net.     172800  IN      A       192.48.79.30
> k.gtld-servers.net.     172800  IN      A       192.52.178.30
> l.gtld-servers.net.     172800  IN      A       192.41.162.30
> m.gtld-servers.net.     172800  IN      A       192.55.83.30
> a.gtld-servers.net.     172800  IN      AAAA    2001:503:a83e::2:30
> b.gtld-servers.net.     172800  IN      AAAA    2001:503:231d::2:30
>
> ;; Query time: 69 msec
> ;; SERVER: 199.7.83.42#53(199.7.83.42)
> ;; WHEN: Fri Jul 16 12:21:13 2010
> ;; MSG SIZE rcvd: 711
>
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
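
The following is an added example, not part of either message or of BIND: a Python function that classifies a referral like the one quoted above by what the parent actually signs. A parent zone never signs the delegation NS RRset or glue; it signs either the DS RRset or the NSEC record showing that no DS exists. The sample records are constructed (signature and digest fields are placeholders), the function names are hypothetical, and the code only checks which signed records are present; it does not verify any signature.

```python
# Constructed sample: authority-section records in dig presentation format,
# shortened from the kind of referral quoted above (signature data elided).
UNSIGNED_CHILD = """\
net. 172800 IN NS a.gtld-servers.net.
net. 172800 IN NS b.gtld-servers.net.
net. 86400 IN NSEC nf. NS RRSIG NSEC
net. 86400 IN RRSIG NSEC 8 1 86400 20100722000000 20100714230000 41248 . <sig>
"""
# Constructed sample: the same referral once the parent publishes a DS record.
SIGNED_CHILD = """\
net. 172800 IN NS a.gtld-servers.net.
net. 86400 IN DS 12345 8 2 <digest>
net. 86400 IN RRSIG DS 8 1 86400 20100722000000 20100714230000 41248 . <sig>
"""


def parse(section):
    """Yield (owner, type, rdata_fields) for each 'owner ttl IN type ...' line."""
    for line in section.splitlines():
        f = line.split()
        if len(f) >= 5 and f[2] == "IN":
            yield f[0].lower(), f[3], f[4:]


def classify_referral(section, child):
    """Return 'secure', 'insecure' or 'indeterminate' for a referral to child.

    Hypothetical helper: it looks only at records owned by the child name and
    at which types the accompanying RRSIGs cover.
    """
    recs = [r for r in parse(section) if r[0] == child]
    types = {t for _, t, _ in recs}
    covered = {rd[0] for _, t, rd in recs if t == "RRSIG"}  # RRSIG "type covered"
    if "DS" in types and "DS" in covered:
        return "secure"  # chain of trust continues into the child zone
    for _, t, rd in recs:
        if t == "NSEC" and "NSEC" in covered:
            bitmap = set(rd[1:])  # rd[0] is the next owner name
            # A delegation-point NSEC has NS set and neither DS nor SOA.
            if "NS" in bitmap and not bitmap & {"DS", "SOA"}:
                return "insecure"  # signed proof that no DS exists
    return "indeterminate"  # neither a signed DS nor a signed denial of DS


if __name__ == "__main__":
    print(classify_referral(UNSIGNED_CHILD, "net."))  # insecure
    print(classify_referral(SIGNED_CHILD, "net."))    # secure
```
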