Dig 9.7 DNSSEC output
Hi, might be me, but I don't get it. # dig @ns.nic.se nic.se ns +dnssec ; DiG 9.7.0-P1 @ns.nic.se nic.se ns +dnssec ; (2 servers found) ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 15071 ;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 9 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;nic.se.IN NS ;; ANSWER SECTION: nic.se. 3600IN NS ns2.nic.se. nic.se. 3600IN NS ns3.nic.se. nic.se. 3600IN NS ns.nic.se. nic.se. 3600IN RRSIG NS 5 2 3600 20100517132001 20100507132001 20273 nic.se. Q9kNPVor5vCyji7XVDQMYAUcbhVTU43a/ftTBi04qXxe/AMkTO1m2C97 aRcSNG2dUWZsZ6TmaiqReMx1fARqjcP9fHHbdEtt3Oolvw9WH5KLd0Jg TnDql5bN1vUQpULOli86enlCBHCz5FWX5izQ7i+WmLKTI1zC+R9NYd3T G1g= ;; ADDITIONAL SECTION: ns.nic.se. 3600IN A 212.247.7.228 ns.nic.se. 3600IN 2a00:801:f0:53::53 ns2.nic.se. 3600IN A 194.17.45.54 ns3.nic.se. 60 IN A 212.247.3.83 ns.nic.se. 3600IN RRSIG A 5 3 3600 20100517132001 20100507132001 20273 nic.se. TLTnkqESLN7DdoC2urF14ox1JolvUSCySe4oqYfof4ER/ZNNl8DO1P46 mSKpNxf3kNUJWoMkjBjtUgZgiMcVSuD7V6qTHLA2A8tEhnM4pXCeo/yj kirCEzo3YQzcW56BZVXgVe41K3QT4GpIm0rmTyEy+8ZCe7oeMKFem5PL Ibw= ns.nic.se. 3600IN RRSIG 5 3 3600 20100517132001 20100507132001 20273 nic.se. HcUbk9y1aR9zeHOwNsqTtPL97P+ftyoQVAyTZbuPpr6GEzIsKL8MyQoP h4qyAkOHFWC2lgZ4xroHemR9OXa3JCLn1UtYE0UbgszUJWSJcQW+2ho3 GIsfEzVfJwMEomhvPuEyVfNxdaP87ITFTfNJcUvEApHCnYHO0RNgeEL0 l/Y= ns2.nic.se. 3600IN RRSIG A 5 3 3600 20100517132001 20100507132001 20273 nic.se. fGqc3OIwmaYPFJoRrULGaUIRxGV+i6FJkcSZ4HRJL0x+siwVcTrIb+5t ER9woGl9sabyXH9H4aHc90ARABer0RodbnQSZDT7SPamDb97UP1ESBs2 Av9N43nr54M/ctLk8EZc1q7GblBK7inf7iY/AQsHTsFv1BWJOAYw+n4N YaM= ns3.nic.se. 60 IN RRSIG A 5 3 60 20100517132001 20100507132001 20273 nic.se. vTil1+1r3dOyV3zHdd53p2O5qnBHfexdwJVjx2E+G5z5FTqa50YRQYfH JwVHHertJcMo2wek/y2g0GBQJdkFTKwpJZv3IWWp9TYqJ3lCIYzoWxWV pzc7i+m2Ha3HupVY0e/tOJPKsiJu+LnyH3LJ66WV/xCRDjhZ8N6RONl5 xQU= ;; Query time: 35 msec ;; SERVER: 212.247.7.228#53(212.247.7.228) ;; WHEN: Sun May 9 17:22:05 2010 ;; MSG SIZE rcvd: 994 The issue I have with this is, dig announces 9 additional section entries, while 3 A, 1 and 4 RRSIG, in my book sums up to 8. Without DNSSEC, it seems to be able to count correctly... # dig @ns.nic.se nic.se ns ; DiG 9.7.0-P1 @ns.nic.se nic.se ns ; (2 servers found) ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 4920 ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 4 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;nic.se.IN NS ;; ANSWER SECTION: nic.se. 3600IN NS ns2.nic.se. nic.se. 3600IN NS ns.nic.se. nic.se. 3600IN NS ns3.nic.se. ;; ADDITIONAL SECTION: ns.nic.se. 3600IN A 212.247.7.228 ns.nic.se. 3600IN 2a00:801:f0:53::53 ns2.nic.se. 3600IN A 194.17.45.54 ns3.nic.se. 60 IN A 212.247.3.83 ;; Query time: 34 msec ;; SERVER: 212.247.7.228#53(212.247.7.228) ;; WHEN: Sun May 9 17:23:51 2010 ;; MSG SIZE rcvd: 153 Am I missing something? Or is this already reported? If so, what would be the correct channel? R. --Pj. Peter Janssen Technical Manager Join us in June! EURid hosts ICANNs 38th meeting in Brussels. Find out more at brussels38.icann.org. EURid Woluwelaan 150 1831 Diegem - Belgium TEL.: +32 (0) 2 401 2750 peter.jans...@eurid.eu http://www.eurid.eu ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Dig 9.7 DNSSEC output
On Sun, May 9, 2010 at 11:24 AM, Peter Janssen peter.jans...@eurid.euwrote: ;; ADDITIONAL SECTION: ns.nic.se. 3600IN A 212.247.7.228 ns.nic.se. 3600IN 2a00:801:f0:53::53 ns2.nic.se. 3600IN A 194.17.45.54 ns3.nic.se. 60 IN A 212.247.3.83 ns.nic.se. 3600IN RRSIG A 5 3 3600 20100517132001 20100507132001 20273 nic.se. TLTnkqESLN7DdoC2urF14ox1JolvUSCySe4oqYfof4ER/ZNNl8DO1P46 mSKpNxf3kNUJWoMkjBjtUgZgiMcVSuD7V6qTHLA2A8tEhnM4pXCeo/yj kirCEzo3YQzcW56BZVXgVe41K3QT4GpIm0rmTyEy+8ZCe7oeMKFem5PL Ibw= ns.nic.se. 3600IN RRSIG 5 3 3600 20100517132001 20100507132001 20273 nic.se. HcUbk9y1aR9zeHOwNsqTtPL97P+ftyoQVAyTZbuPpr6GEzIsKL8MyQoP h4qyAkOHFWC2lgZ4xroHemR9OXa3JCLn1UtYE0UbgszUJWSJcQW+2ho3 GIsfEzVfJwMEomhvPuEyVfNxdaP87ITFTfNJcUvEApHCnYHO0RNgeEL0 l/Y= ns2.nic.se. 3600IN RRSIG A 5 3 3600 20100517132001 20100507132001 20273 nic.se. fGqc3OIwmaYPFJoRrULGaUIRxGV+i6FJkcSZ4HRJL0x+siwVcTrIb+5t ER9woGl9sabyXH9H4aHc90ARABer0RodbnQSZDT7SPamDb97UP1ESBs2 Av9N43nr54M/ctLk8EZc1q7GblBK7inf7iY/AQsHTsFv1BWJOAYw+n4N YaM= ns3.nic.se. 60 IN RRSIG A 5 3 60 20100517132001 20100507132001 20273 nic.se. vTil1+1r3dOyV3zHdd53p2O5qnBHfexdwJVjx2E+G5z5FTqa50YRQYfH JwVHHertJcMo2wek/y2g0GBQJdkFTKwpJZv3IWWp9TYqJ3lCIYzoWxWV pzc7i+m2Ha3HupVY0e/tOJPKsiJu+LnyH3LJ66WV/xCRDjhZ8N6RONl5 xQU= I count 8 RRs. 3 A, 1 , 4 RRSIG. Where are you seeing 9? -- aRDy Music/Rick Dicaire http://www.ardynet.com http://linux.ardynet.com ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: Dig 9.7 DNSSEC output
Hi Rick, as per the header of Dig output ;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 9 a part from that, I'm glad that my counting is still up to par :-) R. --Pj. Peter Janssen Technical Manager Join us in June! EURid hosts ICANNs 38th meeting in Brussels. Find out more at brussels38.icann.org. EURid Woluwelaan 150 1831 Diegem - Belgium TEL.: +32 (0) 2 401 2750 peter.jans...@eurid.eu http://www.eurid.eu From: R Dicaire [mailto:dicai...@gmail.com] Sent: Sunday, May 09, 2010 17:42 To: Peter Janssen Cc: bind-users@lists.isc.org Subject: Re: Dig 9.7 DNSSEC output On Sun, May 9, 2010 at 11:24 AM, Peter Janssen peter.jans...@eurid.eu wrote: ;; ADDITIONAL SECTION: ns.nic.se. 3600 IN A 212.247.7.228 ns.nic.se. 3600 IN 2a00:801:f0:53::53 ns2.nic.se. 3600 IN A 194.17.45.54 ns3.nic.se. 60 IN A 212.247.3.83 ns.nic.se. 3600 IN RRSIG A 5 3 3600 20100517132001 20100507132001 20273 nic.se. TLTnkqESLN7DdoC2urF14ox1JolvUSCySe4oqYfof4ER/ZNNl8DO1P46 mSKpNxf3kNUJWoMkjBjtUgZgiMcVSuD7V6qTHLA2A8tEhnM4pXCeo/yj kirCEzo3YQzcW56BZVXgVe41K3QT4GpIm0rmTyEy+8ZCe7oeMKFem5PL Ibw= ns.nic.se. 3600 IN RRSIG 5 3 3600 20100517132001 20100507132001 20273 nic.se. HcUbk9y1aR9zeHOwNsqTtPL97P+ftyoQVAyTZbuPpr6GEzIsKL8MyQoP h4qyAkOHFWC2lgZ4xroHemR9OXa3JCLn1UtYE0UbgszUJWSJcQW+2ho3 GIsfEzVfJwMEomhvPuEyVfNxdaP87ITFTfNJcUvEApHCnYHO0RNgeEL0 l/Y= ns2.nic.se. 3600 IN RRSIG A 5 3 3600 20100517132001 20100507132001 20273 nic.se. fGqc3OIwmaYPFJoRrULGaUIRxGV+i6FJkcSZ4HRJL0x+siwVcTrIb+5t ER9woGl9sabyXH9H4aHc90ARABer0RodbnQSZDT7SPamDb97UP1ESBs2 Av9N43nr54M/ctLk8EZc1q7GblBK7inf7iY/AQsHTsFv1BWJOAYw+n4N YaM= ns3.nic.se. 60 IN RRSIG A 5 3 60 20100517132001 20100507132001 20273 nic.se. vTil1+1r3dOyV3zHdd53p2O5qnBHfexdwJVjx2E+G5z5FTqa50YRQYfH JwVHHertJcMo2wek/y2g0GBQJdkFTKwpJZv3IWWp9TYqJ3lCIYzoWxWV pzc7i+m2Ha3HupVY0e/tOJPKsiJu+LnyH3LJ66WV/xCRDjhZ8N6RONl5 xQU= I count 8 RRs. 3 A, 1 , 4 RRSIG. Where are you seeing 9? -- aRDy Music/Rick Dicaire http://www.ardynet.com http://linux.ardynet.com ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Dig 9.7 DNSSEC output
On 09/05/10 17:24, Peter Janssen wrote: Hi, might be me, but I don't get it. ;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 9 ADDITIONAL: 9 But as you count to 8, where is number 9. I seem to be counting as Peter here. The issue I have with this is, dig announces 9 additional section entries, while 3 A, 1 and 4 RRSIG, in my book sums up to 8. Without DNSSEC, it seems to be able to count correctly... # dig @ns.nic.se nic.se ns ; DiG 9.7.0-P1 @ns.nic.se nic.se ns ; (2 servers found) ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 4920 ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 4 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;nic.se.IN NS ;; ANSWER SECTION: nic.se. 3600IN NS ns2.nic.se. nic.se. 3600IN NS ns.nic.se. nic.se. 3600IN NS ns3.nic.se. ;; ADDITIONAL SECTION: ns.nic.se. 3600IN A 212.247.7.228 ns.nic.se. 3600IN 2a00:801:f0:53::53 ns2.nic.se. 3600IN A 194.17.45.54 ns3.nic.se. 60 IN A 212.247.3.83 ;; Query time: 34 msec ;; SERVER: 212.247.7.228#53(212.247.7.228) ;; WHEN: Sun May 9 17:23:51 2010 ;; MSG SIZE rcvd: 153 Am I missing something? Or is this already reported? If so, what would be the correct channel? R. --Pj. Peter Janssen Technical Manager Join us in June! EURid hosts ICANN's 38th meeting in Brussels. Find out more at brussels38.icann.org. EURid Woluwelaan 150 1831 Diegem - Belgium TEL.: +32 (0) 2 401 2750 peter.jans...@eurid.eu http://www.eurid.eu ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Best regards Sten Carlsen No improvements come from shouting: MALE BOVINE MANURE!!! ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Dig 9.7 DNSSEC output
On Sun, May 9, 2010 at 11:48 AM, Peter Janssen peter.jans...@eurid.euwrote: as per the header of Dig output… ;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 9 Curious, I too get 9 but only 8 RRs are shown: ; DiG 9.7.0-P1 +dnssec @rdb.ardynet.com ardynet.com ns ; (2 servers found) ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 19752 ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 9 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;ardynet.com. IN NS ;; ANSWER SECTION: ardynet.com. 10800 IN NS rdb.ardynet.com. ardynet.com. 10800 IN NS dev.ardynet.com. ardynet.com. 10800 IN RRSIG NS 5 2 10800 2010051512 2010050912 60794 ardynet.com. uEABRGErPScK6zTn8V2aZwWXdC7sc1wh7eFsyGHkwcfGrugsLdFPVSfZ vetCUVXoOj1OnUNPeO5/cMB8Os0NGg== ;; ADDITIONAL SECTION: dev.ardynet.com. 10800 IN A 74.93.245.186 dev.ardynet.com. 10800 IN 2001:470:8:12:def::1000 rdb.ardynet.com. 10800 IN A 74.93.245.185 rdb.ardynet.com. 10800 IN 2001:470:e006::1000 dev.ardynet.com. 10800 IN RRSIG A 5 3 10800 2010051512 2010050912 60794 ardynet.com. OdH4FDSkj8daSKw0ooNX2ZJpjQVtTXI0ev5pblGM0+M/IYccu1fW9Tkk h9N0PPI7/4C2fpitdBbFGCq14hxocg== dev.ardynet.com. 10800 IN RRSIG 5 3 10800 2010051512 2010050912 60794 ardynet.com. ou2/+po9rUY1l8TYy4u23z0GWBuasEib5U1E1f//MJCQ1XRqOKX9h8y2 Gk6R3+lxXlDdoLtww8E2GpVpEK+U1A== rdb.ardynet.com. 10800 IN RRSIG A 5 3 10800 2010051512 2010050912 60794 ardynet.com. jUJ/1Miq+Y3RwFW8AyfCs6vJ+alynM/gzVIBFdn3SoIFzg3AiV4R8zHl sOX5xzP2eVEuQwtq6cDWhFqma3cr/A== rdb.ardynet.com. 10800 IN RRSIG 5 3 10800 2010051512 2010050912 60794 ardynet.com. M9NcSwlhg50H5zRXeB8iKZLFdm1dGmwEg/PIHYgTn9gyoXOcLUWRjK5Q RnPlqRyHoVdkkHyCFumEkMZVyneu1g== -- aRDy Music/Rick Dicaire http://www.ardynet.com http://linux.ardynet.com ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: Dig 9.7 DNSSEC output
Or this one : # dig @j.ns.se se. dnskey +dnssec ; DiG 9.7.0-P1 @j.ns.se se. dnskey +dnssec ; (2 servers found) ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 24743 ;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;se.IN DNSKEY ;; ANSWER SECTION: se. 3600IN DNSKEY 257 3 5 Asnip... EaRlZigUCp8= se. 3600IN DNSKEY 257 3 5 Asnip 7TKYyQgsTlc= se. 3600IN DNSKEY 256 3 5 Asnip 2oXgSod9 se. 3600IN RRSIG DNSKEY 5 1 3600 20100515203911 20100509131031 39547 se. gsnip uAYDHw== se. 3600IN RRSIG DNSKEY 5 1 3600 20100517001830 20100509131031 8779 se. vsnip NRwr1A== ;; Query time: 17 msec ;; SERVER: 199.254.63.1#53(199.254.63.1) ;; WHEN: Sun May 9 18:54:10 2010 ;; MSG SIZE rcvd: 1311 One (1) additional announced, while there is not even an additional section. Maybe this is related to the EDNS0 stuff? --Pj. Peter Janssen Technical Manager Join us in June! EURid hosts ICANNs 38th meeting in Brussels. Find out more at brussels38.icann.org. EURid Woluwelaan 150 1831 Diegem - Belgium TEL.: +32 (0) 2 401 2750 peter.jans...@eurid.eu http://www.eurid.eu From: bind-users-bounces+peter.janssen=eurid...@lists.isc.org [mailto:bind-users-bounces+peter.janssen=eurid...@lists.isc.org] On Behalf Of Sten Carlsen Sent: Sunday, May 09, 2010 17:48 To: bind-users@lists.isc.org Subject: Re: Dig 9.7 DNSSEC output On 09/05/10 17:24, Peter Janssen wrote: Hi, might be me, but I don't get it. ;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 9 ADDITIONAL: 9 But as you count to 8, where is number 9. I seem to be counting as Peter here. The issue I have with this is, dig announces 9 additional section entries, while 3 A, 1 and 4 RRSIG, in my book sums up to 8. Without DNSSEC, it seems to be able to count correctly... # dig @ns.nic.se nic.se ns ; DiG 9.7.0-P1 @ns.nic.se nic.se ns ; (2 servers found) ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 4920 ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 4 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;nic.se.IN NS ;; ANSWER SECTION: nic.se. 3600IN NS ns2.nic.se. nic.se. 3600IN NS ns.nic.se. nic.se. 3600IN NS ns3.nic.se. ;; ADDITIONAL SECTION: ns.nic.se. 3600IN A 212.247.7.228 ns.nic.se. 3600IN 2a00:801:f0:53::53 ns2.nic.se. 3600IN A 194.17.45.54 ns3.nic.se. 60 IN A 212.247.3.83 ;; Query time: 34 msec ;; SERVER: 212.247.7.228#53(212.247.7.228) ;; WHEN: Sun May 9 17:23:51 2010 ;; MSG SIZE rcvd: 153 Am I missing something? Or is this already reported? If so, what would be the correct channel? R. --Pj. Peter Janssen Technical Manager Join us in June! EURid hosts ICANNs 38th meeting in Brussels. Find out more at brussels38.icann.org. EURid Woluwelaan 150 1831 Diegem - Belgium TEL.: +32 (0) 2 401 2750 peter.jans...@eurid.eu http://www.eurid.eu ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Best regards Sten Carlsen No improvements come from shouting: MALE BOVINE MANURE!!! ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Dig 9.7 DNSSEC output
On Sun, May 09, 2010 at 05:48:34PM +0200, Peter Janssen wrote: Hi Rick, as per the header of Dig output? ;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 9 a part from that, I'm glad that my counting is still up to par :-) R. --Pj. Peter Janssen Technical Manager The EDNS0 record is a pseudo RR that appears in the additional section. dig reports that separately rather than in the additional section, but the count of records in the header is correct. -- Shumon Huque University of Pennsylvania. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: Dig 9.7 DNSSEC output
On May 9 2010, Peter Janssen wrote: Maybe this is related to the EDNS0 stuff? Precisely so. dig does not display the OPT RR in the reply (or that in the question if you use +qr, for that matter), but it's there in the additional section as you can see from the count. You don't have to use +dnssec to get this apparent-mismatch effect: +buf=... or +edns=... are enough. -- Chris Thompson Email: c...@cam.ac.uk ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Fwd: Re: Dig 9.7 DNSSEC output
On 05/09/2010 05:24 PM, Peter Janssen wrote: ;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 9 The issue I have with this is, dig announces 9 additional section entries, while 3 A, 1 and 4 RRSIG, in my book sums up to 8. The additional section also contains the EDNS0 OPT record. Hauke. signature.asc Description: OpenPGP digital signature ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Dig 9.7 DNSSEC output
In message 023b01caef8b$c0e22860$42a679...@janssen@eurid.eu, Peter Janssen writes: Hi, might be me, but I don't get it. The issue I have with this is, dig announces 9 additional section entries, while 3 A, 1 and 4 RRSIG, in my book sums up to 8. The 9th record is the OPT record and it is displayed like this: ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 And no it would not be useful to display it with the other additional section records. You need to be able to pull apart the TTL. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users