Firstly, where do we get the public key for the DS records?

- Can you clarify your question???

Second, why do I get multiple DS records as response?

- You will always get 2 DS records in response: one for SHA-1 and a second for SHA-256.

_____
dig +dnssec -t DS isc.org @b0.org.afilias-nst.org.

; <<>> DiG 9.8.1 <<>> +dnssec -t DS isc.org @b0.org.afilias-nst.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32385
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;isc.org. IN DS

;; ANSWER SECTION:
isc.org. 86400 IN DS 12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
isc.org. 86400 IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
isc.org. 86400 IN RRSIG DS 7 2 86400 20120309160141 20120217150141 55440 org. SHpqmMeBQAyBB5LgBcrR5FcZiWiEudop/fl7X1xgz31XG4vFFQzq57RI q0hUkWZ0dR5oBCpRC15osOXSZEwVuz3LXXUd63GpI5aoGv/OtyPI/w4Y TedgweoE9PWovcx6Ahr2WonckP2YqTsHqzxwr+VSiiMFMe2VVquTo4/v EjE=

;; Query time: 339 msec
;; SERVER: 199.19.54.1#53(199.19.54.1)
;; WHEN: Fri Feb 17 23:36:01 2012
;; MSG SIZE rcvd: 283
_____

Why do I get multiple RRSIG records from some servers?

- You will get a single RRSIG per RRset.

_____
dig +dnssec -t NS yahoo.com @g.gtld-servers.net.

; <<>> DiG 9.8.1 <<>> +dnssec -t NS yahoo.com @g.gtld-servers.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35065
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;yahoo.com. IN NS

;; AUTHORITY SECTION:
yahoo.com. 172800 IN NS ns1.yahoo.com.
yahoo.com. 172800 IN NS ns5.yahoo.com.
yahoo.com. 172800 IN NS ns2.yahoo.com.
yahoo.com. 172800 IN NS ns3.yahoo.com.
yahoo.com. 172800 IN NS ns4.yahoo.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK3O3O11OF9QR6F29BIIMK6FFD57PGE2 NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20120222012103 20120215001103 54350 com. gf6tXFAK2gwY3wjtBOuPN8Hai0kNguudAzewQLf3ZGxhbXxKoB0/+JvC yAjgBhMF9E1GIVVLmgjrkJXpMxL1n2PjAjBx/R8kZ+W+flKehXDBPmX9 TDnbrJ9EHytM6/JN4loGB1cAYeQXrN8TE3jNzWneiFYPFwgCIT21qo0l RE8=
GP1945PGQIOH4O61BM3RUL2EVN04SPIA.com. 86400 IN NSEC3 1 1 0 - GPLVOUV0V27L8DPOOBNLQU1VHFRMMPUT NS DS RRSIG
GP1945PGQIOH4O61BM3RUL2EVN04SPIA.com. 86400 IN RRSIG NSEC3 8 2 86400 20120224144059 20120217133059 54350 com. NiD8Fe9hm7I2mgfjoXph2yiODqiuS9t/ZSM9pEuZ6gP9/xM6odKAwFC+ 3egy+8F8yVjFth63MLIUOeCcwZBYKzymo4wJ2hddaddqBnNTYj0BAYXn YZdmf0OmCTvhDe5EXcIWH14DiCOjITeZR/CX3wfP8aUu9CGOYDAR8/1M /Ds=

;; ADDITIONAL SECTION:
ns1.yahoo.com. 172800 IN A 68.180.131.16
ns5.yahoo.com. 172800 IN A 119.160.247.124
ns2.yahoo.com. 172800 IN A 68.142.255.16
ns3.yahoo.com. 172800 IN A 121.101.152.99
ns4.yahoo.com. 172800 IN A 68.142.196.63

;; Query time: 386 msec
;; SERVER: 192.42.93.30#53(192.42.93.30)
;; WHEN: Fri Feb 17 23:40:26 2012
;; MSG SIZE rcvd: 693
_____

Do we get a RRSIG for each RR retrieved? If so, why does

- Not for each RR, but for each RRset.

_____
dig +dnssec -t NS com @a.root-servers.net.

; <<>> DiG 9.8.1 <<>> +dnssec -t NS com @a.root-servers.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44852
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 16
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;com. IN NS

;; AUTHORITY SECTION:
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 86400 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com. 86400 IN RRSIG DS 8 1 86400 20120224000000 20120216230000 51201 . IuENP04r85gzobEOPGEWr+cRxuPep8KWQgp0P9e3RxVlL5ZFaSzUHjVg SQL7LMHn31FfiUDrGW9oTs3knqqGNbex+LDB9lIq17dEN3k1A+1emHcN MF6kDBCoSPiU9yvaxZkII4Omj051XyHH+5st8cpZemLgR/n+2gtDpvPV PeY=

;; ADDITIONAL SECTION:
a.gtld-servers.net. 86400 IN AAAA 2001:503:a83e::2:30
a.gtld-servers.net. 86400 IN A 192.5.6.30
b.gtld-servers.net. 86400 IN AAAA 2001:503:231d::2:30
b.gtld-servers.net. 86400 IN A 192.33.14.30
c.gtld-servers.net. 86400 IN A 192.26.92.30
d.gtld-servers.net. 86400 IN A 192.31.80.30
e.gtld-servers.net. 86400 IN A 192.12.94.30
f.gtld-servers.net. 86400 IN A 192.35.51.30
g.gtld-servers.net. 86400 IN A 192.42.93.30
h.gtld-servers.net. 86400 IN A 192.54.112.30
i.gtld-servers.net. 86400 IN A 192.43.172.30
j.gtld-servers.net. 86400 IN A 192.48.79.30
k.gtld-servers.net. 86400 IN A 192.52.178.30
l.gtld-servers.net. 86400 IN A 192.41.162.30
m.gtld-servers.net. 86400 IN A 192.55.83.30

;; Query time: 192 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Fri Feb 17 23:43:09 2012
;; MSG SIZE rcvd: 727
_____

Does not return multiple RR?

Lastly, what's the format for the output of dig DNSSEC records?

com. 86400 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766

So what's '30909 8 2'?

- 30909 is TTL Value; 2 signifies SHA-256.

And in:

com. 86400 IN RRSIG DS 8 1 86400 20120224000000 20120216230000 51201 . IuENP04r85gzobEOPGEWr+cRxuPep8KWQgp0P9e3RxVlL5ZFaSzUHjVg SQL7LMHn31FfiUDrGW9oTs3knqqGNbex+LDB9lIq17dEN3k1A+1emHcN MF6kDBCoSPiU9yvaxZkII4Omj051XyHH+5st8cpZemLgR/n+2gtDpvPV PeY=

What's 8 1 86400 20120224000000 20120216230000 51201 ?

- 1 - SHA-1
  86400 - TTL Value
  20120224000000 - Signature Expire time
  20120224000000 - Signature Creation Time
  51201 - Key Id

DNSSEC appears to be a rarely explored topic.
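As an added worked example (not part of the message above): a small Python parser that names each DS and RRSIG RDATA field in the order RFC 4034 defines them (DS: key tag, algorithm, digest type, digest; RRSIG: type covered, algorithm, labels, original TTL, expiration, inception, key tag, signer, signature) and runs the non-cryptographic checks a validator applies, over records constructed from the dig output quoted above. The `check_rr` helper and its `now` argument (a dig-style UTC timestamp) are this example's own.

```python
from datetime import datetime, timezone

# Sample input constructed from the dig output quoted in the message above.
SAMPLE = """\
isc.org. 86400 IN DS 12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
isc.org. 86400 IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
com. 86400 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com. 86400 IN RRSIG DS 8 1 86400 20120224000000 20120216230000 51201 . IuENP04r85gzobEOPGEWr+cRxuPep8KWQgp0P9e3RxVlL5ZFaSzUHjVg SQL7LMHn31FfiUDrGW9oTs3knqqGNbex+LDB9lIq17dEN3k1A+1emHcN MF6kDBCoSPiU9yvaxZkII4Omj051XyHH+5st8cpZemLgR/n+2gtDpvPV PeY=
"""
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256"}  # DNSKEY algorithm numbers
DIGEST_TYPES = {1: "SHA-1", 2: "SHA-256"}  # DS digest type numbers
DIGEST_HEX_LEN = {"SHA-1": 40, "SHA-256": 64}

def parse_timestamp(s):
    """RRSIG expiration/inception are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rr(line):
    """Map one DS or RRSIG line to named fields (key tag and TTL are distinct fields)."""
    owner, ttl, _cls, rtype, *rdata = line.split()
    rec = {"type": rtype, "owner": owner, "ttl": int(ttl)}
    if rtype == "DS":
        key_tag, alg, dtype, *digest = rdata
        rec.update(key_tag=int(key_tag), algorithm=ALGORITHMS.get(int(alg), int(alg)),
                   digest_type=DIGEST_TYPES.get(int(dtype), int(dtype)),
                   digest="".join(digest).lower())  # dig wraps long digests with spaces
    elif rtype == "RRSIG":
        covered, alg, labels, orig_ttl, exp, inc, key_tag, signer, *sig = rdata
        rec.update(type_covered=covered, algorithm=ALGORITHMS.get(int(alg), int(alg)),
                   labels=int(labels), original_ttl=int(orig_ttl), expiration=exp,
                   inception=inc, key_tag=int(key_tag), signer=signer, signature="".join(sig))
    else:
        raise ValueError("not a DS or RRSIG record: " + line)
    return rec

def check_rr(rec, now):
    """Checks a validator applies before any crypto; now is a dig-style UTC timestamp."""
    problems = []
    if rec["type"] == "DS" and len(rec["digest"]) != DIGEST_HEX_LEN.get(rec["digest_type"]):
        problems.append("digest length does not match digest type")
    if rec["type"] == "RRSIG":
        t = parse_timestamp(now)
        if t > parse_timestamp(rec["expiration"]):
            problems.append("signature expired")
        if t < parse_timestamp(rec["inception"]):
            problems.append("signature not yet valid")
        # Labels must not exceed the owner's label count; fewer means a wildcard match.
        if rec["labels"] > len([l for l in rec["owner"].split(".") if l]):
            problems.append("labels field exceeds owner name label count")
    return problems
```

Run `[parse_rr(l) for l in SAMPLE.splitlines()]` to see the two isc.org DS records share key tag 12892 and differ only in digest type, and that the com RRSIG's `1` is the label count of `com.`, not a hash type.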
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users