Re: A few conceptual question about dnssec.

2012-03-03 Thread Kevin Oberman
On Fri, Mar 2, 2012 at 11:17 PM, dE . de.tec...@gmail.com wrote:
 On 02/18/12 00:36, Gaurav kansal wrote:

 Firstly, where do we get the public key for the DS records?

 Can you clarify your question???

 Second, why do I get multiple DS records as response? –

 You will always get 2 DS records in response. One for SHA-1 and the second for
 SHA-256.

 I was reading the RFCs, but according to that, there's no provision of
 SHA-256. According to RFC 4034, 1 means MD5 and 2 means Diffie-Hellman
 (appendix A1)
And RFC 4034 is seven years old. No SHA256 back then.

See RFC6014 which allows IANA to assign new algorithm numbers as
needed without a new RFC. SHA256 is the current preferred algorithm,
while SHA-1 is still routinely used as some DNSSEC software may not
support SHA256 yet. Both MD5 and Diffie-Hellman are obsolete. I
suspect SHA-1 will be deprecated soon. I am unaware of any DNSSEC
software that does not support SHA256 at this time, but I suspect
someone, somewhere is running it.
-- 
R. Kevin Oberman, Network Engineer
E-mail: kob6...@gmail.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: A few conceptual question about dnssec.

2012-03-03 Thread Mark Andrews

In message can6yy1vu9ecabvindlmpufqfjj47jq_beejdwz8d-jsxvdo...@mail.gmail.com, Kevin Oberman writes:
 On Fri, Mar 2, 2012 at 11:17 PM, dE . de.tec...@gmail.com wrote:
  On 02/18/12 00:36, Gaurav kansal wrote:
 
  Firstly, where do we get the public key for the DS records?
 
  Can you clarify your question???
 
  Second, why do I get multiple DS records as response? –
 
  You will always get 2 DS records in response. One for SHA-1 and the second for
  SHA-256.
 
  I was reading the RFCs, but according to that, there's no provision of
  SHA-256. According to RFC 4034, 1 means MD5 and 2 means Diffie-Hellman
  (appendix A1)
 
 And RFC 4034 is seven years old. No SHA256 back then.
 
 See RFC6014 which allows IANA to assign new algorithm numbers as
 needed without a new RFC. SHA256 is the current preferred algorithm,
 while SHA-1 is still routinely used as some DNSSEC software may not
 support SHA256 yet. Both MD5 and Diffie-Hellman are obsolete. I
 suspect SHA-1 will be deprecated soon. I am unaware of any DNSSEC
 software that does not support SHA256 at this time, but I suspect
 someone, somewhere is running it.

Additionally it helps to read the correct table, A.2. DNSSEC Digest Types.
SHA1 and SHA256 refer to digest types.

RSAMD5 (not just MD5) and Diffie-Hellman are DNSSEC Algorithm Types.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: A few conceptual question about dnssec.

2012-03-02 Thread dE .

On 02/18/12 00:36, Gaurav kansal wrote:

Firstly, where do we get the public key for the DS records?

Can you clarify your question???

Second, why do I get multiple DS records as response? --

You will always get 2 DS records in response. One for SHA-1 and the
second for SHA-256.


I was reading the RFCs, but according to that, there's no provision of
SHA-256. According to RFC 4034, 1 means MD5 and 2 means Diffie-Hellman
(appendix A1)

Re: A few conceptual question about dnssec.

2012-03-02 Thread dE .

On 03/03/12 12:47, dE . wrote:

On 02/18/12 00:36, Gaurav kansal wrote:

Firstly, where do we get the public key for the DS records?

Can you clarify your question???

Second, why do I get multiple DS records as response? --

You will always get 2 DS records in response. One for SHA-1 and the
second for SHA-256.

I was reading the RFCs, but according to that, there's no provision of
SHA-256. According to RFC 4034, 1 means MD5 and 2 means Diffie-Hellman
(appendix A.1)


Oops... sorry about that, got it. It was A.2

Re: A few conceptual question about dnssec.

2012-02-20 Thread Tony Finch
dE . de.tec...@gmail.com wrote:

 Ok, so the DS record is not encrypted.

DNSSEC is about signatures: nothing is encrypted. DS records are signed:
a DS RRset has an RRSIG. For example,

; <<>> DiG 9.8.1-P1 <<>> +multi +dnssec DS isc.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53813
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;isc.org.   IN DS

;; ANSWER SECTION:
isc.org.86382 IN DS 12892 5 1 (
982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759 )
isc.org.86382 IN DS 12892 5 2 (
F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F
0EB5C777586DE18DA6B5 )
isc.org.86382 IN RRSIG DS 7 2 86400 20120309160141 (
20120217150141 55440 org.
SHpqmMeBQAyBB5LgBcrR5FcZiWiEudop/fl7X1xgz31X
G4vFFQzq57RIq0hUkWZ0dR5oBCpRC15osOXSZEwVuz3L
XXUd63GpI5aoGv/OtyPI/w4YTedgweoE9PWovcx6Ahr2
WonckP2YqTsHqzxwr+VSiiMFMe2VVquTo4/vEjE= )

;; Query time: 9 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Feb 20 12:33:26 2012
;; MSG SIZE  rcvd: 283

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Dover, Wight, Portland, Plymouth: Southwesterly 4 or 5, increasing 6 or 7
later. Slight becoming moderate. Mainly fair. Mainly good.


Re: A few conceptual question about dnssec.

2012-02-18 Thread dE .

On 02/18/12 00:36, Gaurav kansal wrote:

Firstly, where do we get the public key for the DS records?

Can you clarify your question???


The DS record is a signature, right? It has to be decrypted using a
public key and the decrypted hash has to be compared to the DNSKEY's hash.

So what I'm asking for here is, where do we get this public key from?


Second, why do I get multiple DS records as response? --

You will always get 2 DS records in response. One for SHA-1 and the
second for SHA-256.

dig +dnssec -t DS isc.org @b0.org.afilias-nst.org.

; <<>> DiG 9.8.1 <<>> +dnssec -t DS isc.org @b0.org.afilias-nst.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32385
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;isc.org.   IN  DS

;; ANSWER SECTION:
isc.org.86400   IN  DS  12892 5 2 
F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
isc.org.86400   IN  DS  12892 5 1 
982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
isc.org.86400   IN  RRSIG   DS 7 2 86400 
20120309160141 20120217150141 55440 org. 
SHpqmMeBQAyBB5LgBcrR5FcZiWiEudop/fl7X1xgz31XG4vFFQzq57RI 
q0hUkWZ0dR5oBCpRC15osOXSZEwVuz3LXXUd63GpI5aoGv/OtyPI/w4Y 
TedgweoE9PWovcx6Ahr2WonckP2YqTsHqzxwr+VSiiMFMe2VVquTo4/v EjE=


;; Query time: 339 msec
;; SERVER: 199.19.54.1#53(199.19.54.1)
;; WHEN: Fri Feb 17 23:36:01 2012
;; MSG SIZE  rcvd: 283




Why do I get multiple RRSIG records from some servers? --

You will get a single RRSIG per RRset.

dig +dnssec -t NS yahoo.com @g.gtld-servers.net.

; <<>> DiG 9.8.1 <<>> +dnssec -t NS yahoo.com @g.gtld-servers.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35065
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;yahoo.com. IN  NS

;; AUTHORITY SECTION:
yahoo.com.  172800  IN  NS  ns1.yahoo.com.
yahoo.com.  172800  IN  NS  ns5.yahoo.com.
yahoo.com.  172800  IN  NS  ns2.yahoo.com.
yahoo.com.  172800  IN  NS  ns3.yahoo.com.
yahoo.com.  172800  IN  NS  ns4.yahoo.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - 
CK3O3O11OF9QR6F29BIIMK6FFD57PGE2 NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 
20120222012103 20120215001103 54350 com. 
gf6tXFAK2gwY3wjtBOuPN8Hai0kNguudAzewQLf3ZGxhbXxKoB0/+JvC 
yAjgBhMF9E1GIVVLmgjrkJXpMxL1n2PjAjBx/R8kZ+W+flKehXDBPmX9 
TDnbrJ9EHytM6/JN4loGB1cAYeQXrN8TE3jNzWneiFYPFwgCIT21qo0l RE8=
GP1945PGQIOH4O61BM3RUL2EVN04SPIA.com. 86400 IN NSEC3 1 1 0 - 
GPLVOUV0V27L8DPOOBNLQU1VHFRMMPUT NS DS RRSIG
GP1945PGQIOH4O61BM3RUL2EVN04SPIA.com. 86400 IN RRSIG NSEC3 8 2 86400 
20120224144059 20120217133059 54350 com. 
NiD8Fe9hm7I2mgfjoXph2yiODqiuS9t/ZSM9pEuZ6gP9/xM6odKAwFC+ 
3egy+8F8yVjFth63MLIUOeCcwZBYKzymo4wJ2hddaddqBnNTYj0BAYXn 
YZdmf0OmCTvhDe5EXcIWH14DiCOjITeZR/CX3wfP8aUu9CGOYDAR8/1M /Ds=


;; ADDITIONAL SECTION:
ns1.yahoo.com.  172800  IN  A   68.180.131.16
ns5.yahoo.com.  172800  IN  A   119.160.247.124
ns2.yahoo.com.  172800  IN  A   68.142.255.16
ns3.yahoo.com.  172800  IN  A   121.101.152.99
ns4.yahoo.com.  172800  IN  A   68.142.196.63

;; Query time: 386 msec
;; SERVER: 192.42.93.30#53(192.42.93.30)
;; WHEN: Fri Feb 17 23:40:26 2012
;; MSG SIZE  rcvd: 693




Do we get a RRSIG for each RR retrieved? If so, why does --

Not for each RR, but for each RRset.

dig +dnssec -t NS com @a.root-servers.net.

; <<>> DiG 9.8.1 <<>> +dnssec -t NS com @a.root-servers.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44852
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 16
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;com.   IN  NS

;; AUTHORITY SECTION:
com.172800  IN  NS  a.gtld-servers.net.
com.172800  IN  NS  b.gtld-servers.net.
com.172800  IN  NS  c.gtld-servers.net.
com.172800  IN  NS  d.gtld-servers.net.
com.

Re: A few conceptual question about dnssec.

2012-02-18 Thread Axel Rau

On 18.02.2012 at 17:35, dE . wrote:

 The DS record is a signature right?
No, it's the hash of a DNSKEY (KSK) in the child zone. The DS is signed with an
RRSIG.

Axel
---
PGP-Key:29E99DD6  ☀ +49 151 2300 9283  ☀ computing @ chaos claudius


Re: A few conceptual question about dnssec.

2012-02-18 Thread dE .

On 02/18/12 02:41, Tony Finch wrote:

dE .de.tec...@gmail.com  wrote:


Firstly, where do we get the public key for the DS records?

A zone's DNSKEY RRset contains its public keys, and these are hashed to
make its DS records. For example,

$ dig +nottl +noall +answer DS isc.org | perl -pe 's/\s+(?!$)/ /g'
isc.org. IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
isc.org. IN DS 12892 5 2 
F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
$ dig DNSKEY isc.org | dnssec-dsfromkey -f /dev/stdin isc.org
isc.org. IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
isc.org. IN DS 12892 5 2 
F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5



Ok, so the DS record is not encrypted.

Now, I got a feeling that this fact will add some major security 
implications.



Why do I get multiple RRSIG records from some servers? -

When you ask a GTLD server for the yahoo.com delegation NS records, you
also get two NSEC3 records that bracket the yahoo.com delegation to prove
it is insecure (no DS record), and an RRSIG record for each NSEC3 record.


Do we get a RRSIG for each RR retrieved?

No, one per RRset, where an RRset is all the records with the same name,
class, and type.


Lastly, what's the format for the output dis DNSSEC records?

See RFC 4034.

Tony.


Thanks!
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
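Tony Finch's answer quoted above (a zone's DNSKEY RRset is hashed to make its DS records) and Mark Andrews' note earlier in the thread (the 1 and 2 in those DS records are DS digest types, while the 5 is a DNSKEY algorithm number) can both be checked in code. The following is an added example written for this archive; it is not code from the thread, from ISC or from BIND, and it does by hand what dnssec-dsfromkey does. The isc.org DS lines are the real ones from the dig output in the thread. The DNSKEY it hashes is constructed (a four-byte placeholder public key under a made-up owner name, example.test.), because the thread does not include the isc.org DNSKEY itself.

```python
"""DS records from a DNSKEY, the way a validator links a parent's DS RRset to a
child's DNSKEY RRset (RFC 4034 section 5; key tag from RFC 4034 Appendix B).

Added example for this thread, not code from the thread, ISC or BIND.  The
DEMO_* DNSKEY below is constructed: a 4-byte placeholder "public key", not a
real key."""
import base64
import hashlib

# DS digest types (RFC 4034 Appendix A.2; SHA-256 added by RFC 4509).  These are
# the "1" and "2" in the isc.org DS records; the "5" before them is the DNSKEY
# *algorithm* (RSASHA1), which comes from a different registry (Appendix A.1).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA in wire form: 2-byte flags, protocol, algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: sum the RDATA as big-endian 16-bit words, then fold the carry."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, flags: int, protocol: int, algorithm: int,
            pubkey_b64: str, digest_type: int) -> str:
    """Presentation-form DS for a DNSKEY: digest = H(owner wire name || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_ALGS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def parse_ds(line: str) -> dict:
    """Parse 'owner [ttl] [IN] DS tag alg dtype hex...' (dig may split the hex with spaces)."""
    f = line.split()
    i = f.index("DS")
    return {"owner": f[0], "key_tag": int(f[i + 1]), "algorithm": int(f[i + 2]),
            "digest_type": int(f[i + 3]), "digest": "".join(f[i + 4:]).upper()}


def ds_well_formed(ds: dict) -> bool:
    """Digest length must match the digest type: 20 bytes for SHA-1, 32 for SHA-256."""
    h = DIGEST_ALGS.get(ds["digest_type"])
    return h is not None and len(ds["digest"]) == 2 * h().digest_size


def dnskey_matches_ds(owner: str, flags: int, protocol: int, algorithm: int,
                      pubkey_b64: str, ds: dict) -> bool:
    """The validator's check: same key tag and algorithm, and the digest recomputes
    over the child's owner name plus this DNSKEY's RDATA."""
    if not ds_well_formed(ds) or algorithm != ds["algorithm"]:
        return False
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    if key_tag(rdata) != ds["key_tag"]:
        return False
    digest = DIGEST_ALGS[ds["digest_type"]](wire_name(owner) + rdata).hexdigest().upper()
    return digest == ds["digest"]


# Real DS records for isc.org as printed in the thread (one SHA-1, one SHA-256).
ISC_DS_SHA1 = "isc.org. IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759"
ISC_DS_SHA256 = ("isc.org. IN DS 12892 5 2 "
                 "F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5")

# Constructed DNSKEY for the demo: KSK flags (257), protocol 3, algorithm 8
# (RSASHA256), placeholder key bytes 00 01 02 03.  Its key tag works out to 1549.
DEMO_OWNER = "example.test."
DEMO_KEY = (257, 3, 8, "AAECAw==")

if __name__ == "__main__":
    for dtype in (1, 2):
        ds_text = make_ds(DEMO_OWNER, *DEMO_KEY, dtype)
        print(ds_text, "matches:", dnskey_matches_ds(DEMO_OWNER, *DEMO_KEY, parse_ds(ds_text)))
    for line in (ISC_DS_SHA1, ISC_DS_SHA256):
        print(parse_ds(line)["key_tag"], "well-formed:", ds_well_formed(parse_ds(line)))
```

A validator runs the last function in the other direction: it fetches the child's DNSKEY RRset, picks the key whose tag and algorithm match a DS from the parent, recomputes the digest over owner name plus RDATA, and only then trusts that key's signatures. When both a SHA-1 and a SHA-256 DS are present, RFC 4509 tells validators to use the SHA-256 one; the SHA-1 copy is there for older validators that cannot.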


Re: A few conceptual question about dnssec.

2012-02-18 Thread dE .

On 02/18/12 22:14, Axel Rau wrote:

On 18.02.2012 at 17:35, dE . wrote:

The DS record is a signature right?

No, it's the hash of a DNSKEY (KSK) in the child zone. The DS is signed with an
RRSIG.

Axel
---
PGP-Key:29E99DD6  ☀ +49 151 2300 9283  ☀ computing @ chaos claudius



Thanks for the clarification.

Re: A few conceptual question about dnssec.

2012-02-18 Thread Phil Mayers

On 02/18/2012 04:35 PM, dE . wrote:

  On 02/18/12 00:36, Gaurav kansal wrote:

Firstly, where do we get the public key for the DS records?

Can you clarify your question???

The DS record is a signature right?

Wrong.

You're asking a lot of basic questions here. Maybe you could go off and 
read the applicable RFCs - they're quite well written - rather than 
asking us to explain them for you?



Re: A few conceptual question about dnssec.

2012-02-18 Thread dE .

On 02/18/12 22:55, Jeremy C. Reed wrote:

I started writing a book introducing DNSSEC a few years ago. Would you
like to read a draft of it?


Book on DNSSEC? Ok. Thanks.


A few conceptual question about dnssec.

2012-02-17 Thread dE .

Firstly, where do we get the public key for the DS records?

Second, why do I get multiple DS records as response? --

dig +dnssec -t DS isc.org @b0.org.afilias-nst.org.

; <<>> DiG 9.8.1 <<>> +dnssec -t DS isc.org @b0.org.afilias-nst.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32385
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;isc.org.   IN  DS

;; ANSWER SECTION:
isc.org.86400   IN  DS  12892 5 2 
F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
isc.org.86400   IN  DS  12892 5 1 
982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
isc.org.86400   IN  RRSIG   DS 7 2 86400 
20120309160141 20120217150141 55440 org. 
SHpqmMeBQAyBB5LgBcrR5FcZiWiEudop/fl7X1xgz31XG4vFFQzq57RI 
q0hUkWZ0dR5oBCpRC15osOXSZEwVuz3LXXUd63GpI5aoGv/OtyPI/w4Y 
TedgweoE9PWovcx6Ahr2WonckP2YqTsHqzxwr+VSiiMFMe2VVquTo4/v EjE=


;; Query time: 339 msec
;; SERVER: 199.19.54.1#53(199.19.54.1)
;; WHEN: Fri Feb 17 23:36:01 2012
;; MSG SIZE  rcvd: 283


Why do I get multiple RRSIG records from some servers? -



dig +dnssec -t NS yahoo.com @g.gtld-servers.net.

; <<>> DiG 9.8.1 <<>> +dnssec -t NS yahoo.com @g.gtld-servers.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35065
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;yahoo.com. IN  NS

;; AUTHORITY SECTION:
yahoo.com.  172800  IN  NS  ns1.yahoo.com.
yahoo.com.  172800  IN  NS  ns5.yahoo.com.
yahoo.com.  172800  IN  NS  ns2.yahoo.com.
yahoo.com.  172800  IN  NS  ns3.yahoo.com.
yahoo.com.  172800  IN  NS  ns4.yahoo.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - 
CK3O3O11OF9QR6F29BIIMK6FFD57PGE2 NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 
20120222012103 20120215001103 54350 com. 
gf6tXFAK2gwY3wjtBOuPN8Hai0kNguudAzewQLf3ZGxhbXxKoB0/+JvC 
yAjgBhMF9E1GIVVLmgjrkJXpMxL1n2PjAjBx/R8kZ+W+flKehXDBPmX9 
TDnbrJ9EHytM6/JN4loGB1cAYeQXrN8TE3jNzWneiFYPFwgCIT21qo0l RE8=
GP1945PGQIOH4O61BM3RUL2EVN04SPIA.com. 86400 IN NSEC3 1 1 0 - 
GPLVOUV0V27L8DPOOBNLQU1VHFRMMPUT NS DS RRSIG
GP1945PGQIOH4O61BM3RUL2EVN04SPIA.com. 86400 IN RRSIG NSEC3 8 2 86400 
20120224144059 20120217133059 54350 com. 
NiD8Fe9hm7I2mgfjoXph2yiODqiuS9t/ZSM9pEuZ6gP9/xM6odKAwFC+ 
3egy+8F8yVjFth63MLIUOeCcwZBYKzymo4wJ2hddaddqBnNTYj0BAYXn 
YZdmf0OmCTvhDe5EXcIWH14DiCOjITeZR/CX3wfP8aUu9CGOYDAR8/1M /Ds=


;; ADDITIONAL SECTION:
ns1.yahoo.com.  172800  IN  A   68.180.131.16
ns5.yahoo.com.  172800  IN  A   119.160.247.124
ns2.yahoo.com.  172800  IN  A   68.142.255.16
ns3.yahoo.com.  172800  IN  A   121.101.152.99
ns4.yahoo.com.  172800  IN  A   68.142.196.63

;; Query time: 386 msec
;; SERVER: 192.42.93.30#53(192.42.93.30)
;; WHEN: Fri Feb 17 23:40:26 2012
;; MSG SIZE  rcvd: 693



Do we get a RRSIG for each RR retrieved? If so, why does -



dig +dnssec -t NS com @a.root-servers.net.

; <<>> DiG 9.8.1 <<>> +dnssec -t NS com @a.root-servers.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44852
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 16
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;com.   IN  NS

;; AUTHORITY SECTION:
com.172800  IN  NS  a.gtld-servers.net.
com.172800  IN  NS  b.gtld-servers.net.
com.172800  IN  NS  c.gtld-servers.net.
com.172800  IN  NS  d.gtld-servers.net.
com.172800  IN  NS  e.gtld-servers.net.
com.172800  IN  NS  f.gtld-servers.net.
com.172800  IN  NS  g.gtld-servers.net.
com.172800  IN  NS  h.gtld-servers.net.
com.172800  IN  NS  i.gtld-servers.net.
com.172800  IN  NS  j.gtld-servers.net.
com.172800  IN  NS  k.gtld-servers.net.
com.

RE: A few conceptual question about dnssec.

2012-02-17 Thread Gaurav kansal

Firstly, where do we get the public key for the DS records?

Can you clarify your question???



Second, why do I get multiple DS records as response? - 

You will always get 2 DS records in response. One for SHA-1 and the second for
SHA-256.


dig +dnssec -t DS isc.org @b0.org.afilias-nst.org.

; <<>> DiG 9.8.1 <<>> +dnssec -t DS isc.org @b0.org.afilias-nst.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32385
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;isc.org.   IN  DS

;; ANSWER SECTION:
isc.org.86400   IN  DS  12892 5 2
F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
isc.org.86400   IN  DS  12892 5 1
982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
isc.org.86400   IN  RRSIG   DS 7 2 86400 20120309160141
20120217150141 55440 org.
SHpqmMeBQAyBB5LgBcrR5FcZiWiEudop/fl7X1xgz31XG4vFFQzq57RI
q0hUkWZ0dR5oBCpRC15osOXSZEwVuz3LXXUd63GpI5aoGv/OtyPI/w4Y
TedgweoE9PWovcx6Ahr2WonckP2YqTsHqzxwr+VSiiMFMe2VVquTo4/v EjE=

;; Query time: 339 msec
;; SERVER: 199.19.54.1#53(199.19.54.1)
;; WHEN: Fri Feb 17 23:36:01 2012
;; MSG SIZE  rcvd: 283



Why do I get multiple RRSIG records from some servers? - 

You will get a single RRSIG per RRset.



dig +dnssec -t NS yahoo.com @g.gtld-servers.net.

; <<>> DiG 9.8.1 <<>> +dnssec -t NS yahoo.com @g.gtld-servers.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35065
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;yahoo.com. IN  NS

;; AUTHORITY SECTION:
yahoo.com.  172800  IN  NS  ns1.yahoo.com.
yahoo.com.  172800  IN  NS  ns5.yahoo.com.
yahoo.com.  172800  IN  NS  ns2.yahoo.com.
yahoo.com.  172800  IN  NS  ns3.yahoo.com.
yahoo.com.  172800  IN  NS  ns4.yahoo.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 -
CK3O3O11OF9QR6F29BIIMK6FFD57PGE2 NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400
20120222012103 20120215001103 54350 com.
gf6tXFAK2gwY3wjtBOuPN8Hai0kNguudAzewQLf3ZGxhbXxKoB0/+JvC
yAjgBhMF9E1GIVVLmgjrkJXpMxL1n2PjAjBx/R8kZ+W+flKehXDBPmX9
TDnbrJ9EHytM6/JN4loGB1cAYeQXrN8TE3jNzWneiFYPFwgCIT21qo0l RE8=
GP1945PGQIOH4O61BM3RUL2EVN04SPIA.com. 86400 IN NSEC3 1 1 0 -
GPLVOUV0V27L8DPOOBNLQU1VHFRMMPUT NS DS RRSIG
GP1945PGQIOH4O61BM3RUL2EVN04SPIA.com. 86400 IN RRSIG NSEC3 8 2 86400
20120224144059 20120217133059 54350 com.
NiD8Fe9hm7I2mgfjoXph2yiODqiuS9t/ZSM9pEuZ6gP9/xM6odKAwFC+
3egy+8F8yVjFth63MLIUOeCcwZBYKzymo4wJ2hddaddqBnNTYj0BAYXn
YZdmf0OmCTvhDe5EXcIWH14DiCOjITeZR/CX3wfP8aUu9CGOYDAR8/1M /Ds=

;; ADDITIONAL SECTION:
ns1.yahoo.com.  172800  IN  A   68.180.131.16
ns5.yahoo.com.  172800  IN  A   119.160.247.124
ns2.yahoo.com.  172800  IN  A   68.142.255.16
ns3.yahoo.com.  172800  IN  A   121.101.152.99
ns4.yahoo.com.  172800  IN  A   68.142.196.63

;; Query time: 386 msec
;; SERVER: 192.42.93.30#53(192.42.93.30)
;; WHEN: Fri Feb 17 23:40:26 2012
;; MSG SIZE  rcvd: 693



Do we get a RRSIG for each RR retrieved? If so, why does - 

Not for each RR, but for each RRset.



dig +dnssec -t NS com @a.root-servers.net.

; <<>> DiG 9.8.1 <<>> +dnssec -t NS com @a.root-servers.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44852
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 16
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;com.   IN  NS

;; AUTHORITY SECTION:
com.172800  IN  NS  a.gtld-servers.net.
com.172800  IN  NS  b.gtld-servers.net.
com.172800  IN  NS  c.gtld-servers.net.
com.172800  IN  NS  d.gtld-servers.net.
com.172800  IN  NS  e.gtld-servers.net.
com.172800  IN  NS  f.gtld-servers.net.
com.172800  IN  NS  g.gtld-servers.net.
com.172800  IN  NS  h.gtld-servers.net.
com.172800  IN  NS  i.gtld-servers.net.
com.172800  IN  NS  j.gtld-servers.net.
com.172800  IN  NS  k.gtld-servers.net.
com.172800  IN  NS  l.gtld-servers.net.
com.172800  IN  NS  m.gtld-servers.net.
com.

Re: A few conceptual question about dnssec.

2012-02-17 Thread Miek Gieben
[ Quoting gaurav.kan...@nic.in at 00:36 on Feb 18 in RE: A few 
conceptual... ]
 Firstly, where do we get the public key for the DS records?
 
 Can you clarify your question???
 
 
 
 Second, why do I get multiple DS records as response? –
 
 You will always get 2 DS records in response. One for SHA-1 and the second for
 SHA-256.

That completely depends on what is configured in the zone.

Perhaps this will help:
http://nlnetlabs.nl/publications/dnssec_howto/

grtz Miek



RE: A few conceptual question about dnssec.

2012-02-17 Thread Gaurav kansal

-Original Message-
From: bind-users-bounces+gaurav.kansal=nic...@lists.isc.org 
[mailto:bind-users-bounces+gaurav.kansal=nic...@lists.isc.org] On Behalf Of 
Miek Gieben
Sent: Saturday, February 18, 2012 12:42 AM
To: bind-users@lists.isc.org
Subject: Re: A few conceptual question about dnssec.

[ Quoting gaurav.kan...@nic.in at 00:36 on Feb 18 in RE: A few conceptual... ]

 Firstly, where do we get the public key for the DS records?

 Can you clarify your question???

 Second, why do I get multiple DS records as response? –

 You will always get 2 DS records in response. One for SHA-1 and
 the second for SHA-256.

That completely depends on what is configured in the zone.

But I think it is recommended that you should always put 2 DS records in your
zone file corresponding to each child zone.

One for SHA1 and the second for SHA256.

That's why we always get 2 DS records from the root server pointing to TLDs.

Perhaps this will help:
http://nlnetlabs.nl/publications/dnssec_howto/

grtz Miek


Re: A few conceptual question about dnssec.

2012-02-17 Thread Tony Finch
dE . de.tec...@gmail.com wrote:

 Firstly, where do we get the public key for the DS records?

A zone's DNSKEY RRset contains its public keys, and these are hashed to
make its DS records. For example,

$ dig +nottl +noall +answer DS isc.org | perl -pe 's/\s+(?!$)/ /g'
isc.org. IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
isc.org. IN DS 12892 5 2 
F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
$ dig DNSKEY isc.org | dnssec-dsfromkey -f /dev/stdin isc.org
isc.org. IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
isc.org. IN DS 12892 5 2 
F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5

 Why do I get multiple RRSIG records from some servers? -

When you ask a GTLD server for the yahoo.com delegation NS records, you
also get two NSEC3 records that bracket the yahoo.com delegation to prove
it is insecure (no DS record), and an RRSIG record for each NSEC3 record.

 Do we get a RRSIG for each RR retrieved?

No, one per RRset, where an RRset is all the records with the same name,
class, and type.

 Lastly, what's the format for the output dis DNSSEC records?

See RFC 4034.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Shannon, Rockall, Malin, Hebrides, Bailey: Southwest, veering northwest, 6 to
gale 8, occasionally severe gale 9, except in Shannon and Malin. Very rough or
high, occasionally very high in Rockall and Bailey, but rough at first in
Shannon. Rain then squally snow showers. Moderate, occasionally poor.
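Tony's point about the yahoo.com referral (two NSEC3 records that bracket the delegation to prove it has no DS, each with its own RRSIG) can be checked by recomputing the hashes. This is an added example for this archive, not code from the thread, from ISC or from BIND. The two NSEC3 records are the ones g.gtld-servers.net returned in the dig output earlier in the thread, rejoined onto one line each; their parameters (hash algorithm 1 = SHA-1, flags 1 = opt-out, 0 iterations, empty salt "-") are what com. used at the time. The record whose type bitmap carries SOA, DNSKEY and NSEC3PARAM is the com. apex, so its owner hash is H(com.), the closest encloser; the other record is the opt-out span that RFC 5155 requires to cover H(yahoo.com.).

```python
"""NSEC3 hashing and the two-record proof of an insecure (opt-out) delegation,
per RFC 5155 sections 5 and 7.2.4.

Added example for this thread, not code from the thread, ISC or BIND.  The two
NSEC3 records below are the ones from the yahoo.com referral in the thread."""
import base64
import hashlib

# base32hex (RFC 4648 section 7) preserves byte order under string comparison,
# which is what makes "owner < hash < next" a valid covering test.
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, iterations: int = 0, salt: bytes = b"") -> str:
    """IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt).
    Only hash algorithm 1 (SHA-1) is defined for NSEC3, so it is hard-wired here."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).decode("ascii").translate(_TO_B32HEX).rstrip("=")


def parse_nsec3(line: str) -> dict:
    """Parse a dig-printed NSEC3: 'H(owner).zone [ttl] [IN] NSEC3 alg flags iters salt next [types...]'."""
    f = line.split()
    i = f.index("NSEC3")
    return {
        "owner_hash": f[0].split(".")[0].upper(),
        "hash_alg": int(f[i + 1]),
        "opt_out": bool(int(f[i + 2]) & 1),
        "iterations": int(f[i + 3]),
        "salt": b"" if f[i + 4] == "-" else bytes.fromhex(f[i + 4]),
        "next_hash": f[i + 5].upper(),
        "types": f[i + 6:],
    }


def covers(owner_hash: str, next_hash: str, h: str) -> bool:
    """True if h falls strictly between owner and next in the hashed chain.
    The last NSEC3 in a zone points back to the first, so that span wraps around."""
    if owner_hash < next_hash:
        return owner_hash < h < next_hash
    return h > owner_hash or h < next_hash


def proves_insecure_delegation(zone: str, child: str, nsec3_lines) -> bool:
    """Closest-encloser proof for a delegation directly under `zone` that has no DS:
    one NSEC3 must *match* H(zone) and an opt-out NSEC3 must *cover* H(child).
    Opt-out is required: without it an unsigned delegation gets its own matching
    NSEC3 whose type bitmap simply lacks DS, which is a different proof."""
    recs = [parse_nsec3(l) for l in nsec3_lines]
    if not recs or any(r["hash_alg"] != 1 for r in recs):
        return False
    iters, salt = recs[0]["iterations"], recs[0]["salt"]   # shared by the whole zone
    h_zone, h_child = nsec3_hash(zone, iters, salt), nsec3_hash(child, iters, salt)
    matched = any(r["owner_hash"] == h_zone for r in recs)
    covered = any(r["opt_out"] and covers(r["owner_hash"], r["next_hash"], h_child)
                  for r in recs)
    return matched and covered


# The two NSEC3 records from the yahoo.com referral in the thread, one line each.
YAHOO_REFERRAL_NSEC3 = [
    "CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - "
    "CK3O3O11OF9QR6F29BIIMK6FFD57PGE2 NS SOA RRSIG DNSKEY NSEC3PARAM",
    "GP1945PGQIOH4O61BM3RUL2EVN04SPIA.com. 86400 IN NSEC3 1 1 0 - "
    "GPLVOUV0V27L8DPOOBNLQU1VHFRMMPUT NS DS RRSIG",
]

if __name__ == "__main__":
    print("H(com.)       =", nsec3_hash("com."))        # CK0POJMG874LJREF7EFN8430QVIT8BSM
    print("H(yahoo.com.) =", nsec3_hash("yahoo.com."))
    print("insecure delegation proven:",
          proves_insecure_delegation("com.", "yahoo.com.", YAHOO_REFERRAL_NSEC3))
```

Hashes are compared as base32hex strings because that encoding keeps the byte order of the underlying SHA-1 values; the wrap-around branch in covers() matters only for the last record in the chain. This proof is also why the referral carries two RRSIGs although the NS RRset itself is unsigned: each NSEC3 is its own RRset (different owner name) and so gets its own signature.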