I'm trying to see the DNSSEC responses of various sites; my DNS server is 8.8.8.8 (Google's public DNS service).

The response is as follows -

dig +dnssec -t SOA org

; <<>> DiG 9.8.1 <<>> +dnssec -t SOA org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20306
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;org.                           IN      SOA

;; ANSWER SECTION:
org. 899 IN SOA a0.org.afilias-nst.info. noc.afilias-nst.info. 2009954959 1800 900 604800 86400
org. 899 IN RRSIG SOA 7 1 900 20120304071611 20120212061611 55440 org. M5Bi8pDPV3ux+FEK5GnJtxpL3X06reEIA+zkFk5YZK9U/LSAwAO+EdgG EQVOBpegjTTobmKJZLxl2e9E3t3zm0zaoYXXLGBfnSSNRiI4x4NtTqXE ElFtDCIyfqMwAMaiD9CAHwH/tiRfkV9VlWeAmCgIKZ6w7QVtXLPHwYA3 x2c=

;; Query time: 1371 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Feb 12 12:49:02 2012
;; MSG SIZE  rcvd: 258

As we can see, the DNSKEY and DS RRs are missing, which are mandatory for this to be of any use. So where are they?

If I explicitly specify the name server to be one of the root nameservers -

dig +dnssec -t SOA org 198.41.0.4

; <<>> DiG 9.8.1 <<>> +dnssec -t SOA org 198.41.0.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62972
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;org.                           IN      SOA

;; ANSWER SECTION:
org. 451 IN SOA a0.org.afilias-nst.info. noc.afilias-nst.info. 2009954959 1800 900 604800 86400
org. 451 IN RRSIG SOA 7 1 900 20120304071611 20120212061611 55440 org. M5Bi8pDPV3ux+FEK5GnJtxpL3X06reEIA+zkFk5YZK9U/LSAwAO+EdgG EQVOBpegjTTobmKJZLxl2e9E3t3zm0zaoYXXLGBfnSSNRiI4x4NtTqXE ElFtDCIyfqMwAMaiD9CAHwH/tiRfkV9VlWeAmCgIKZ6w7QVtXLPHwYA3 x2c=

;; Query time: 131 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Feb 12 12:56:30 2012
;; MSG SIZE  rcvd: 258

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26058
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;198.41.0.4.                    IN      SOA

;; AUTHORITY SECTION:
. 0 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2012021200 1800 900 604800 86400
. 0 IN RRSIG SOA 8 0 86400 20120219000000 20120211230000 51201 . Es1RsMErjNpgyBqjHbUIVQ77hrA6quuq45ZNhiL1CwXkLpd9wnPVSlcu xAcF675og+exWPBUMUBrXNTpYOI4a2Wrvkafd7629kT21alDyiUa28FC P/P/pWOFVa0ceDDQGnwKg7ec4r+UyhoTLGmvlVpDjqMhmR17a02SLz31 a/Q=
.                       86399   IN      NSEC    ac. NS SOA RRSIG NSEC DNSKEY
. 86399 IN RRSIG NSEC 8 0 86400 20120219000000 20120211230000 51201 . hFSp9EIMo7fEbc3gKaZD8gH5XzUUjNy9rRGf0cW3mtHy8FoqaLg1eIfg 9CGjjWqx58t2R68O+/f7sQ6F4aysMA30aiYsOJXJRENEuzGKSGQiuRZE nP3K5AjqcKmxgkllKAQWMITFU2HDXzgHH3iWOhxh6zdCV8hZe4xPv60Z Zp4=

;; Query time: 195 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Feb 12 12:56:30 2012
;; MSG SIZE  rcvd: 454


I get 3 completely different RRSIGs, and the DNSKEY and DS are still missing.

The last thing I want to ask is about this string -

"M5Bi8pDPV3ux+FEK5GnJtxpL3X06reEIA+zkFk5YZK9U/LSAwAO+EdgG EQVOBpegjTTobmKJZLxl2e9E3t3zm0zaoYXXLGBfnSSNRiI4x4NtTqXE ElFtDCIyfqMwAMaiD9CAHwH/tiRfkV9VlWeAmCgIKZ6w7QVtXLPHwYA3 x2c="

which is a part of the RRSIG: is this a single key or multiple keys?
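
Added example, not part of the original post and not code from BIND: it splits the RRSIG line from the dig answer above into its RFC 4034 fields, joins the space-separated base64 chunks into the single signature value they represent, and checks a timestamp against the inception/expiration window. The names `parse_rrsig` and `in_validity_window` are hypothetical helpers introduced for this illustration.

```python
import base64
from datetime import datetime, timezone

# Subset of the IANA DNSSEC algorithm numbers, enough for the records in the post.
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256"}

# RRSIG record copied from the dig answer in the post.
ORG_RRSIG = (
    "org. 899 IN RRSIG SOA 7 1 900 20120304071611 20120212061611 55440 org. "
    "M5Bi8pDPV3ux+FEK5GnJtxpL3X06reEIA+zkFk5YZK9U/LSAwAO+EdgG "
    "EQVOBpegjTTobmKJZLxl2e9E3t3zm0zaoYXXLGBfnSSNRiI4x4NtTqXE "
    "ElFtDCIyfqMwAMaiD9CAHwH/tiRfkV9VlWeAmCgIKZ6w7QVtXLPHwYA3 x2c="
)

def _ts(text):
    """RRSIG times are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    """Split a presentation-format RRSIG line into its RFC 4034 fields."""
    tok = line.split()
    if len(tok) < 13 or tok[2] != "IN" or tok[3] != "RRSIG":
        raise ValueError("not an RRSIG record in 'owner ttl IN RRSIG ...' form")
    # Everything after the signer name is ONE base64 value; dig only inserts
    # spaces for display, so the chunks are joined before decoding.
    signature = base64.b64decode("".join(tok[12:]), validate=True)
    return {
        "owner": tok[0], "ttl": int(tok[1]), "type_covered": tok[4],
        "algorithm": ALGORITHMS.get(int(tok[5]), "alg %s" % tok[5]),
        "labels": int(tok[6]), "original_ttl": int(tok[7]),
        "expiration": _ts(tok[8]), "inception": _ts(tok[9]),
        "key_tag": int(tok[10]), "signer": tok[11], "signature": signature,
    }

def in_validity_window(rrsig, when):
    """True if `when` (timezone-aware) falls inside inception..expiration."""
    return rrsig["inception"] <= when <= rrsig["expiration"]

if __name__ == "__main__":
    rr = parse_rrsig(ORG_RRSIG)
    print(rr["type_covered"], rr["algorithm"], "key tag", rr["key_tag"],
          "signer", rr["signer"])
    print("signature:", len(rr["signature"]) * 8, "bits")
    print("valid now:", in_validity_window(rr, datetime.now(timezone.utc)))
```

The key tag and signer name identify which DNSKEY record the signature would be checked against; that record is fetched with a separate DNSKEY query and is not carried inside the RRSIG.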