Re: A few conceptual question about dnssec.
On Fri, Mar 2, 2012 at 11:17 PM, dE . <de.tec...@gmail.com> wrote:
> On 02/18/12 00:36, Gaurav kansal wrote:
>>> Firstly, where do we get the public key for the DS records?
>> Can you clarify your question???
>>
>>> Second, why do I get multiple DS records as response?
>> – You will always get a 2 DS Records in response. One for SHA-1 and second for SHA-256.
>
> I was reading the RFCs, but according to that, there's no provision of SHA-256.
> According to RFC 4034, 1 means MD5 and 2 means Diffie-Hellman (appendix A1)

And RFC4024 is seven years old. No SHA256 back then. See RFC6014 which allows IANA to assign new algorithm numbers as needed without a new RFC.

SHA256 is the current preferred algorithm, while SHA-1 is still routinely used as some DNSSEC software may not support SHA256 yet. Both MD5 and Diffie-Hellman are obsolete. I suspect SHA-1 will be deprecated soon. I am unaware of any DNSSEC software that does not support SHA256 at this time, but I suspect someone, somewhere is running it.
--
R. Kevin Oberman, Network Engineer
E-mail: kob6...@gmail.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: A few conceptual question about dnssec.
In message <can6yy1vu9ecabvindlmpufqfjj47jq_beejdwz8d-jsxvdo...@mail.gmail.com>, Kevin Oberman writes:
> On Fri, Mar 2, 2012 at 11:17 PM, dE . <de.tec...@gmail.com> wrote:
>> On 02/18/12 00:36, Gaurav kansal wrote:
>>>> Firstly, where do we get the public key for the DS records?
>>> Can you clarify your question???
>>>
>>>> Second, why do I get multiple DS records as response?
>>> – You will always get a 2 DS Records in response. One for SHA-1 and second for SHA-256.
>>
>> I was reading the RFCs, but according to that, there's no provision of SHA-256.
>> According to RFC 4034, 1 means MD5 and 2 means Diffie-Hellman (appendix A1)
>
> And RFC4024 is seven years old. No SHA256 back then. See RFC6014 which allows IANA to assign new algorithm numbers as needed without a new RFC.
>
> SHA256 is the current preferred algorithm, while SHA-1 is still routinely used as some DNSSEC software may not support SHA256 yet. Both MD5 and Diffie-Hellman are obsolete. I suspect SHA-1 will be deprecated soon. I am unaware of any DNSSEC software that does not support SHA256 at this time, but I suspect someone, somewhere is running it.

Additionally it helps to read the correct table, A.2. DNSSEC Digest Types. SHA1 and SHA256 refer to digest types. RSAMD5 (not just MD5) and Diffie-Hellman are DNSSEC Algorithm Types.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: A few conceptual question about dnssec.
On 02/18/12 00:36, Gaurav kansal wrote:
>> Firstly, where do we get the public key for the DS records?
> Can you clarify your question???
>
>> Second, why do I get multiple DS records as response?
> -- You will always get a 2 DS Records in response. One for SHA-1 and second for SHA-256.

I was reading the RFCs, but according to that, there's no provision of SHA-256. According to RFC 4034, 1 means MD5 and 2 means Diffie-Hellman (appendix A1)
Re: A few conceptual question about dnssec.
On 03/03/12 12:47, dE . wrote:
> On 02/18/12 00:36, Gaurav kansal wrote:
>>> Firstly, where do we get the public key for the DS records?
>> Can you clarify your question???
>>
>>> Second, why do I get multiple DS records as response?
>> -- You will always get a 2 DS Records in response. One for SHA-1 and second for SHA-256.
>
> I was reading the RFCs, but according to that, there's no provision of SHA-256. According to RFC 4034, 1 means MD5 and 2 means Diffie-Hellman (appendix A.1)

Oops... sorry about that, got it. It was A.2
Re: A few conceptual question about dnssec.
dE . <de.tec...@gmail.com> wrote:
> Ok, so the DS record is not encrypted.

DNSSEC is about signatures: nothing is encrypted. DS records are signed: a DS RRset has an RRSIG. For example,

; <<>> DiG 9.8.1-P1 <<>> +multi +dnssec DS isc.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53813
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;isc.org.               IN DS

;; ANSWER SECTION:
isc.org.                86382 IN DS 12892 5 1 (
                                982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759 )
isc.org.                86382 IN DS 12892 5 2 (
                                F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F
                                0EB5C777586DE18DA6B5 )
isc.org.                86382 IN RRSIG DS 7 2 86400 20120309160141 (
                                20120217150141 55440 org.
                                SHpqmMeBQAyBB5LgBcrR5FcZiWiEudop/fl7X1xgz31X
                                G4vFFQzq57RIq0hUkWZ0dR5oBCpRC15osOXSZEwVuz3L
                                XXUd63GpI5aoGv/OtyPI/w4YTedgweoE9PWovcx6Ahr2
                                WonckP2YqTsHqzxwr+VSiiMFMe2VVquTo4/vEjE= )

;; Query time: 9 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Feb 20 12:33:26 2012
;; MSG SIZE  rcvd: 283

Tony.
--
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/
Dover, Wight, Portland, Plymouth: Southwesterly 4 or 5, increasing 6 or 7 later. Slight becoming moderate. Mainly fair. Mainly good.
Re: A few conceptual question about dnssec.
On 02/18/12 00:36, Gaurav kansal wrote:
>> Firstly, where do we get the public key for the DS records?
> Can you clarify your question???

The DS record is a signature right? It has to be decrypted using a public key and the decrypted hash has to be compared to the DNSKEY's hash. So what I'm asking for here is, where do we get this public key from?

>> Second, why do I get multiple DS records as response?
> -- You will always get a 2 DS Records in response. One for SHA-1 and second for SHA-256.
>
> dig +dnssec -t DS isc.org @b0.org.afilias-nst.org.
>
> ; <<>> DiG 9.8.1 <<>> +dnssec -t DS isc.org @b0.org.afilias-nst.org.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32385
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;isc.org.                      IN      DS
>
> ;; ANSWER SECTION:
> isc.org.                86400   IN      DS      12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
> isc.org.                86400   IN      DS      12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
> isc.org.                86400   IN      RRSIG   DS 7 2 86400 20120309160141 20120217150141 55440 org. SHpqmMeBQAyBB5LgBcrR5FcZiWiEudop/fl7X1xgz31XG4vFFQzq57RI q0hUkWZ0dR5oBCpRC15osOXSZEwVuz3LXXUd63GpI5aoGv/OtyPI/w4Y TedgweoE9PWovcx6Ahr2WonckP2YqTsHqzxwr+VSiiMFMe2VVquTo4/v EjE=
>
> ;; Query time: 339 msec
> ;; SERVER: 199.19.54.1#53(199.19.54.1)
> ;; WHEN: Fri Feb 17 23:36:01 2012
> ;; MSG SIZE  rcvd: 283
>
>> Why do I get multiple RRSIG records from some servers?
> -- You will get single RRSIG per RR sets.
>
> dig +dnssec -t NS yahoo.com @g.gtld-servers.net.
>
> ; <<>> DiG 9.8.1 <<>> +dnssec -t NS yahoo.com @g.gtld-servers.net.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35065
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 6
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 512
> ;; QUESTION SECTION:
> ;yahoo.com.                    IN      NS
>
> ;; AUTHORITY SECTION:
> yahoo.com.              172800  IN      NS      ns1.yahoo.com.
> yahoo.com.              172800  IN      NS      ns5.yahoo.com.
> yahoo.com.              172800  IN      NS      ns2.yahoo.com.
> yahoo.com.              172800  IN      NS      ns3.yahoo.com.
> yahoo.com.              172800  IN      NS      ns4.yahoo.com.
> CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK3O3O11OF9QR6F29BIIMK6FFD57PGE2 NS SOA RRSIG DNSKEY NSEC3PARAM
> CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20120222012103 20120215001103 54350 com. gf6tXFAK2gwY3wjtBOuPN8Hai0kNguudAzewQLf3ZGxhbXxKoB0/+JvC yAjgBhMF9E1GIVVLmgjrkJXpMxL1n2PjAjBx/R8kZ+W+flKehXDBPmX9 TDnbrJ9EHytM6/JN4loGB1cAYeQXrN8TE3jNzWneiFYPFwgCIT21qo0l RE8=
> GP1945PGQIOH4O61BM3RUL2EVN04SPIA.com. 86400 IN NSEC3 1 1 0 - GPLVOUV0V27L8DPOOBNLQU1VHFRMMPUT NS DS RRSIG
> GP1945PGQIOH4O61BM3RUL2EVN04SPIA.com. 86400 IN RRSIG NSEC3 8 2 86400 20120224144059 20120217133059 54350 com. NiD8Fe9hm7I2mgfjoXph2yiODqiuS9t/ZSM9pEuZ6gP9/xM6odKAwFC+ 3egy+8F8yVjFth63MLIUOeCcwZBYKzymo4wJ2hddaddqBnNTYj0BAYXn YZdmf0OmCTvhDe5EXcIWH14DiCOjITeZR/CX3wfP8aUu9CGOYDAR8/1M /Ds=
>
> ;; ADDITIONAL SECTION:
> ns1.yahoo.com.          172800  IN      A       68.180.131.16
> ns5.yahoo.com.          172800  IN      A       119.160.247.124
> ns2.yahoo.com.          172800  IN      A       68.142.255.16
> ns3.yahoo.com.          172800  IN      A       121.101.152.99
> ns4.yahoo.com.          172800  IN      A       68.142.196.63
>
> ;; Query time: 386 msec
> ;; SERVER: 192.42.93.30#53(192.42.93.30)
> ;; WHEN: Fri Feb 17 23:40:26 2012
> ;; MSG SIZE  rcvd: 693
>
>> Do we get a RRSIG for each RR retrieved? If so, why does
> -- Not for each RR But for each RR sets.
>
> dig +dnssec -t NS com @a.root-servers.net.
>
> ; <<>> DiG 9.8.1 <<>> +dnssec -t NS com @a.root-servers.net.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44852
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 16
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 512
> ;; QUESTION SECTION:
> ;com.                          IN      NS
>
> ;; AUTHORITY SECTION:
> com.                    172800  IN      NS      a.gtld-servers.net.
> com.                    172800  IN      NS      b.gtld-servers.net.
> com.                    172800  IN      NS      c.gtld-servers.net.
> com.                    172800  IN      NS      d.gtld-servers.net.
> com.
Re: A few conceptual question about dnssec.
On 18.02.2012 at 17:35, dE . wrote:
> The DS record is a signature right?
No its the hash of a DNSKEY (KSK) in the child zone. The DS is signed with a RRSIG.

Axel
---
PGP-Key:29E99DD6 ☀ +49 151 2300 9283 ☀ computing @ chaos claudius
Re: A few conceptual question about dnssec.
On 02/18/12 02:41, Tony Finch wrote:
> dE . <de.tec...@gmail.com> wrote:
>> Firstly, where do we get the public key for the DS records?
>
> A zone's DNSKEY RRset contains its public keys, and these are hashed to make its DS records. For example,
>
> $ dig +nottl +noall +answer DS isc.org | perl -pe 's/\s+(?!$)/ /g'
> isc.org. IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
> isc.org. IN DS 12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
>
> $ dig DNSKEY isc.org | dnssec-dsfromkey -f /dev/stdin isc.org
> isc.org. IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
> isc.org. IN DS 12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5

Ok, so the DS record is not encrypted. Now, I got a feeling that this fact will add some major security implications.

>> Why do I get multiple RRSIG records from some servers?
>
> When you ask a GTLD server for the yahoo.com delegation NS records, you also get two NSEC3 records that bracket the yahoo.com delegation to prove it is insecure (no DS record), and an RRSIG record for each NSEC3 record.
>
>> Do we get a RRSIG for each RR retrieved?
>
> No, one per RRset, where an RRset is all the records with the same name, class, and type.
>
>> Lastly, what's the format for the output dis DNSSEC records?
>
> See RFC 4034.
>
> Tony.

Thanks!
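Tony's two answers quoted above (one RRSIG per RRset, and two NSEC3 records that bracket the yahoo.com delegation to prove it has no DS) in working code, as an added example that is not part of the thread and not BIND's code. It takes the records from the `dig +dnssec -t NS yahoo.com @g.gtld-servers.net.` referral quoted earlier in the thread, groups them into RRsets, maps each RRset to the RRSIG that covers it, checks the signature validity window, and recomputes the NSEC3 hashes to check the opt-out proof. It assumes the referral's NSEC3 parameters (hash algorithm 1 = SHA-1, Opt-Out flag set, 0 iterations, empty salt) and does not verify the RSA signatures themselves, because the com. DNSKEY with key tag 54350 is not on the page.

```python
"""RRsets, RRSIG coverage and the NSEC3 opt-out proof in a referral (RFC 4034 s.3, RFC 5155 s.5, s.8.9).

Added example, not code from the thread or from BIND. REFERRAL is copied from the dig output
quoted in the thread; signatures are grouped and window-checked, not cryptographically verified.
"""
import base64
import hashlib
from collections import defaultdict
from datetime import datetime

REFERRAL = """\
yahoo.com. 172800 IN NS ns1.yahoo.com.
yahoo.com. 172800 IN NS ns5.yahoo.com.
yahoo.com. 172800 IN NS ns2.yahoo.com.
yahoo.com. 172800 IN NS ns3.yahoo.com.
yahoo.com. 172800 IN NS ns4.yahoo.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK3O3O11OF9QR6F29BIIMK6FFD57PGE2 NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20120222012103 20120215001103 54350 com. gf6tXFAK2gwY3wjtBOuPN8Hai0kNguudAzewQLf3ZGxhbXxKoB0/+JvCyAjgBhMF9E1GIVVLmgjrkJXpMxL1n2PjAjBx/R8kZ+W+flKehXDBPmX9TDnbrJ9EHytM6/JN4loGB1cAYeQXrN8TE3jNzWneiFYPFwgCIT21qo0lRE8=
GP1945PGQIOH4O61BM3RUL2EVN04SPIA.com. 86400 IN NSEC3 1 1 0 - GPLVOUV0V27L8DPOOBNLQU1VHFRMMPUT NS DS RRSIG
GP1945PGQIOH4O61BM3RUL2EVN04SPIA.com. 86400 IN RRSIG NSEC3 8 2 86400 20120224144059 20120217133059 54350 com. NiD8Fe9hm7I2mgfjoXph2yiODqiuS9t/ZSM9pEuZ6gP9/xM6odKAwFC+3egy+8F8yVjFth63MLIUOeCcwZBYKzymo4wJ2hddaddqBnNTYj0BAYXnYZdmf0OmCTvhDe5EXcIWH14DiCOjITeZR/CX3wfP8aUu9CGOYDAR8/1M/Ds=
ns1.yahoo.com. 172800 IN A 68.180.131.16
ns5.yahoo.com. 172800 IN A 119.160.247.124
ns2.yahoo.com. 172800 IN A 68.142.255.16
ns3.yahoo.com. 172800 IN A 121.101.152.99
ns4.yahoo.com. 172800 IN A 68.142.196.63
"""


def parse(text):
    """Presentation format, one record per line: owner ttl class type rdata... (owner lowercased)."""
    recs = []
    for line in text.splitlines():
        owner, ttl, cls, rtype, *rdata = line.split()
        recs.append((owner.lower(), int(ttl), cls, rtype, rdata))
    return recs


def rrsets(records):
    """An RRset is every record with the same owner, class and type; RRSIGs cover RRsets, not single RRs."""
    sets = defaultdict(list)
    for owner, _, cls, rtype, rdata in records:
        sets[(owner, cls, rtype)].append(rdata)
    return dict(sets)


def parse_rrsig(rdata):
    covered, alg, labels, orig_ttl, expiration, inception, tag, signer, *sig = rdata
    return {"covered": covered, "algorithm": int(alg), "labels": int(labels), "orig_ttl": int(orig_ttl),
            "expiration": expiration, "inception": inception, "key_tag": int(tag),
            "signer": signer.lower(), "signature": base64.b64decode("".join(sig))}


def signatures_for(sets):
    """Map each non-RRSIG RRset to the RRSIGs covering it: same owner, Type Covered equal to its type.
    Delegation NS and glue come back unsigned: the child, not com., is authoritative for them."""
    return {(o, c, t): [s for s in map(parse_rrsig, sets.get((o, c, "RRSIG"), [])) if s["covered"] == t]
            for (o, c, t) in sets if t != "RRSIG"}


def rrsig_valid_at(sig, when: str) -> bool:
    """Window check; `when` is YYYYMMDDHHMMSS UTC, the same form as the RRSIG fields (RFC 4034 s.3.2)."""
    t = lambda s: datetime.strptime(s, "%Y%m%d%H%M%S")
    return t(sig["inception"]) <= t(when) <= t(sig["expiration"])


def name_to_wire(name: str) -> bytes:
    labels = name.rstrip(".").lower().split(".") if name.rstrip(".") else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def base32hex(data: bytes) -> str:
    """RFC 4648 s.7 Extended Hex alphabet without padding, as NSEC3 owner names use it (order-preserving)."""
    return base64.b32encode(data).decode().rstrip("=").translate(
        str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV"))


def nsec3_hash(name: str, iterations: int = 0, salt: bytes = b"") -> str:
    """RFC 5155 s.5: SHA-1(wire name || salt), rehashed `iterations` more times with the salt appended."""
    h = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base32hex(h)


def nsec3_covers(owner_hash: str, next_hash: str, target: str) -> bool:
    """target lies strictly between owner and next; the last NSEC3 in the chain wraps around to the first."""
    if owner_hash < next_hash:
        return owner_hash < target < next_hash
    return target > owner_hash or target < next_hash


def proves_insecure_delegation(records, child: str, parent: str) -> bool:
    """RFC 5155 s.8.9: a referral without DS is legitimately insecure only if one NSEC3 *matches* the
    closest encloser (the parent) and an NSEC3 with the Opt-Out flag *covers* the child's hash."""
    matched = covered = False
    for owner, _, _, rtype, rdata in records:
        if rtype != "NSEC3" or int(rdata[0]) != 1:  # only hash algorithm 1 (SHA-1) is defined
            continue
        flags, iters = int(rdata[1]), int(rdata[2])
        salt = b"" if rdata[3] == "-" else bytes.fromhex(rdata[3])
        owner_hash, next_hash = owner.split(".")[0].upper(), rdata[4].upper()
        matched |= owner_hash == nsec3_hash(parent, iters, salt)
        covered |= bool(flags & 1) and nsec3_covers(owner_hash, next_hash, nsec3_hash(child, iters, salt))
    return matched and covered
```

`signatures_for` returns an empty list for the yahoo.com NS RRset and for each glue A record, and exactly one RRSIG for each NSEC3 owner, which is the "one per RRset" rule in practice. The first NSEC3 owner hashes to `nsec3_hash("com.")`, so it matches the closest encloser; the second carries the Opt-Out flag and covers `nsec3_hash("yahoo.com.")`, which is the proof that the missing DS is not a stripped one.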
Re: A few conceptual question about dnssec.
On 02/18/12 22:14, Axel Rau wrote:
> On 18.02.2012 at 17:35, dE . wrote:
>> The DS record is a signature right?
> No its the hash of a DNSKEY (KSK) in the child zone. The DS is signed with a RRSIG.
>
> Axel
> ---
> PGP-Key:29E99DD6 ☀ +49 151 2300 9283 ☀ computing @ chaos claudius

Thanks for the clarification.
Re: A few conceptual question about dnssec.
On 02/18/2012 04:35 PM, dE . wrote:
> On 02/18/12 00:36, Gaurav kansal wrote:
>>> Firstly, where do we get the public key for the DS records?
>> Can you clarify your question???
>
> The DS record is a signature right?

Wrong.

You're asking a lot of basic questions here. Maybe you could go off and read the applicable RFCs - they're quite well written - rather than asking us to explain them for you?
Re: A few conceptual question about dnssec.
On 02/18/12 22:55, Jeremy C. Reed wrote:
> I started writing a book introducing DNSSEC a few years ago. Would you like to read a draft of it?

Book on DNSSEC? Ok. Thanks.
RE: A few conceptual question about dnssec.
> Firstly, where do we get the public key for the DS records?

Can you clarify your question???

> Second, why do I get multiple DS records as response?

- You will always get a 2 DS Records in response. One for SHA-1 and second for SHA-256.

dig +dnssec -t DS isc.org @b0.org.afilias-nst.org.

; <<>> DiG 9.8.1 <<>> +dnssec -t DS isc.org @b0.org.afilias-nst.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32385
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;isc.org.                       IN      DS

;; ANSWER SECTION:
isc.org.                86400   IN      DS      12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
isc.org.                86400   IN      DS      12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
isc.org.                86400   IN      RRSIG   DS 7 2 86400 20120309160141 20120217150141 55440 org. SHpqmMeBQAyBB5LgBcrR5FcZiWiEudop/fl7X1xgz31XG4vFFQzq57RI q0hUkWZ0dR5oBCpRC15osOXSZEwVuz3LXXUd63GpI5aoGv/OtyPI/w4Y TedgweoE9PWovcx6Ahr2WonckP2YqTsHqzxwr+VSiiMFMe2VVquTo4/v EjE=

;; Query time: 339 msec
;; SERVER: 199.19.54.1#53(199.19.54.1)
;; WHEN: Fri Feb 17 23:36:01 2012
;; MSG SIZE  rcvd: 283

> Why do I get multiple RRSIG records from some servers?

- You will get single RRSIG per RR sets.

dig +dnssec -t NS yahoo.com @g.gtld-servers.net.

; <<>> DiG 9.8.1 <<>> +dnssec -t NS yahoo.com @g.gtld-servers.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35065
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;yahoo.com.                     IN      NS

;; AUTHORITY SECTION:
yahoo.com.              172800  IN      NS      ns1.yahoo.com.
yahoo.com.              172800  IN      NS      ns5.yahoo.com.
yahoo.com.              172800  IN      NS      ns2.yahoo.com.
yahoo.com.              172800  IN      NS      ns3.yahoo.com.
yahoo.com.              172800  IN      NS      ns4.yahoo.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK3O3O11OF9QR6F29BIIMK6FFD57PGE2 NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20120222012103 20120215001103 54350 com. gf6tXFAK2gwY3wjtBOuPN8Hai0kNguudAzewQLf3ZGxhbXxKoB0/+JvC yAjgBhMF9E1GIVVLmgjrkJXpMxL1n2PjAjBx/R8kZ+W+flKehXDBPmX9 TDnbrJ9EHytM6/JN4loGB1cAYeQXrN8TE3jNzWneiFYPFwgCIT21qo0l RE8=
GP1945PGQIOH4O61BM3RUL2EVN04SPIA.com. 86400 IN NSEC3 1 1 0 - GPLVOUV0V27L8DPOOBNLQU1VHFRMMPUT NS DS RRSIG
GP1945PGQIOH4O61BM3RUL2EVN04SPIA.com. 86400 IN RRSIG NSEC3 8 2 86400 20120224144059 20120217133059 54350 com. NiD8Fe9hm7I2mgfjoXph2yiODqiuS9t/ZSM9pEuZ6gP9/xM6odKAwFC+ 3egy+8F8yVjFth63MLIUOeCcwZBYKzymo4wJ2hddaddqBnNTYj0BAYXn YZdmf0OmCTvhDe5EXcIWH14DiCOjITeZR/CX3wfP8aUu9CGOYDAR8/1M /Ds=

;; ADDITIONAL SECTION:
ns1.yahoo.com.          172800  IN      A       68.180.131.16
ns5.yahoo.com.          172800  IN      A       119.160.247.124
ns2.yahoo.com.          172800  IN      A       68.142.255.16
ns3.yahoo.com.          172800  IN      A       121.101.152.99
ns4.yahoo.com.          172800  IN      A       68.142.196.63

;; Query time: 386 msec
;; SERVER: 192.42.93.30#53(192.42.93.30)
;; WHEN: Fri Feb 17 23:40:26 2012
;; MSG SIZE  rcvd: 693

> Do we get a RRSIG for each RR retrieved? If so, why does

- Not for each RR But for each RR sets.

dig +dnssec -t NS com @a.root-servers.net.

; <<>> DiG 9.8.1 <<>> +dnssec -t NS com @a.root-servers.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44852
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 16
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;com.                           IN      NS

;; AUTHORITY SECTION:
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.
Re: A few conceptual question about dnssec.
[ Quoting gaurav.kan...@nic.in at 00:36 on Feb 18 in "RE: A few conceptual..." ]
>> Firstly, where do we get the public key for the DS records?
> Can you clarify your question???
>
>> Second, why do I get multiple DS records as response?
> – You will always get a 2 DS Records in response. One for SHA-1 and second for SHA-256.

That completely depends on what is configured in the zone.

Perhaps this will help: http://nlnetlabs.nl/publications/dnssec_howto/

grtz Miek
RE: A few conceptual question about dnssec.
-----Original Message-----
From: bind-users-bounces+gaurav.kansal=nic...@lists.isc.org [mailto:bind-users-bounces+gaurav.kansal=nic...@lists.isc.org] On Behalf Of Miek Gieben
Sent: Saturday, February 18, 2012 12:42 AM
To: bind-users@lists.isc.org
Subject: Re: A few conceptual question about dnssec.

> [ Quoting gaurav.kan...@nic.in at 00:36 on Feb 18 in "RE: A few conceptual..." ]
>>> Firstly, where do we get the public key for the DS records?
>> Can you clarify your question???
>>
>>> Second, why do I get multiple DS records as response?
>> – You will always get a 2 DS Records in response. One for SHA-1 and second for SHA-256.
>
> That completely depends on what is configured in the zone.

But I think it is recommended that you should always put 2 DS Records in your zone file corresponding to each child zone. One for SHA1 and second for SHA256. That’s why we always get 2 DS Records from ROOT Server pointing to TLDs.

> Perhaps this will help: http://nlnetlabs.nl/publications/dnssec_howto/
>
> grtz Miek
Re: A few conceptual question about dnssec.
dE . <de.tec...@gmail.com> wrote:
> Firstly, where do we get the public key for the DS records?

A zone's DNSKEY RRset contains its public keys, and these are hashed to make its DS records. For example,

$ dig +nottl +noall +answer DS isc.org | perl -pe 's/\s+(?!$)/ /g'
isc.org. IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
isc.org. IN DS 12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5

$ dig DNSKEY isc.org | dnssec-dsfromkey -f /dev/stdin isc.org
isc.org. IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
isc.org. IN DS 12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5

> Why do I get multiple RRSIG records from some servers?

When you ask a GTLD server for the yahoo.com delegation NS records, you also get two NSEC3 records that bracket the yahoo.com delegation to prove it is insecure (no DS record), and an RRSIG record for each NSEC3 record.

> Do we get a RRSIG for each RR retrieved?

No, one per RRset, where an RRset is all the records with the same name, class, and type.

> Lastly, what's the format for the output dis DNSSEC records?

See RFC 4034.

Tony.
--
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/
Shannon, Rockall, Malin, Hebrides, Bailey: Southwest, veering northwest, 6 to gale 8, occasionally severe gale 9, except in Shannon and Malin. Very rough or high, occasionally very high in Rockall and Bailey, but rough at first in Shannon. Rain then squally snow showers. Moderate, occasionally poor.
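An added example (not code from the thread, and not BIND's `dnssec-dsfromkey`) that reproduces by hand what Tony's `dig DNSKEY isc.org | dnssec-dsfromkey -f /dev/stdin isc.org` pipeline does, and makes Mark Andrews' point about the two tables concrete: the DS digest is HASH(owner name in canonical wire form || DNSKEY RDATA), the digest type from Appendix A.2 selects the hash, and the algorithm number from Appendix A.1 is copied through from the DNSKEY unchanged. The DNSKEY records in it are constructed with tiny fake public keys under a made-up name, so the DS lines it produces are illustrative and are not isc.org's; `ds_matches` is the check a validator performs at a delegation, and it is also why the DS is not "encrypted": anyone can recompute it, and only the parent's RRSIG over the DS RRset makes it trustworthy.

```python
"""DS generation and DS/DNSKEY matching per RFC 4034 s.5.1.4 and Appendix B.

Added example, not code from the bind-users thread or from BIND. The sample DNSKEYs are
constructed (fake 4-byte public keys under example.test), not real zone material.
"""
import base64
import hashlib
import struct

# RFC 4034 Appendix A.2 "DNSSEC Digest Types" (4 = SHA-384 was added by RFC 6605). These number the
# hash used in a DS record; GOST (3) is not handled here.
DIGEST_TYPES = {1: ("SHA-1", hashlib.sha1), 2: ("SHA-256", hashlib.sha256), 4: ("SHA-384", hashlib.sha384)}

# RFC 4034 Appendix A.1 "DNSSEC Algorithm Types" plus later IANA assignments (RFC 6014 lets IANA add
# entries without a new RFC). 1 is RSAMD5 and 2 is Diffie-Hellman: signing algorithms, not digests.
ALGORITHMS = {1: "RSAMD5", 2: "DH", 3: "DSA", 5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1",
              8: "RSASHA256", 10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384"}

# Constructed sample zone: one KSK (flags 257) and one ZSK (flags 256), algorithm 8 (RSASHA256).
SAMPLE_DNSKEYS = [
    "example.test. 3600 IN DNSKEY 257 3 8 AQIDBA==",   # KSK; key material is just 01 02 03 04
    "example.test. 3600 IN DNSKEY 256 3 8 BQYHCA==",   # ZSK; key material is just 05 06 07 08
]


def name_to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 s.6.2): lowercase, length-prefixed labels, zero byte for the root."""
    labels = name.rstrip(".").lower().split(".") if name.rstrip(".") else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(line: str):
    """'owner [ttl] [class] DNSKEY flags protocol algorithm base64...' -> (owner, flags, proto, alg, rdata).
    The base64 may be split over several tokens, as dig prints it."""
    tokens = line.split()
    i = tokens.index("DNSKEY")
    flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
    pubkey = base64.b64decode("".join(tokens[i + 4:]))
    return tokens[0], flags, proto, alg, struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B.1 key tag (every algorithm except RSAMD5): a 16-bit checksum of the RDATA."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(flags: int) -> bool:
    """Zone Key bit (0x100) and SEP bit (0x001) both set: the keys dnssec-dsfromkey converts by default."""
    return flags & 0x101 == 0x101


def ds_from_dnskey(line: str, digest_type: int) -> str:
    """DS = key tag, algorithm (copied from the DNSKEY), digest type, HASH(wire owner || DNSKEY RDATA)."""
    owner, flags, proto, alg, rdata = parse_dnskey(line)
    if proto != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034 s.2.1.2)")
    if alg == 1:
        raise ValueError("RSAMD5 key tags use a different rule (Appendix B.1) and the algorithm is obsolete")
    _, hasher = DIGEST_TYPES[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner.rstrip('.')}. IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


def ds_records(dnskey_lines, digest_types=(1, 2), ksk_only=True):
    """One DS per (key, digest type). Two digest types per key gives the pair the isc.org answer shows;
    whether a parent publishes one or both is the child's choice, not a protocol rule."""
    out = []
    for line in dnskey_lines:
        _, flags, _, _, _ = parse_dnskey(line)
        if ksk_only and not is_ksk(flags):
            continue
        out.extend(ds_from_dnskey(line, dt) for dt in digest_types)
    return out


def ds_matches(ds_line: str, dnskey_line: str) -> bool:
    """Validator-side check at a delegation: recompute the DS from the child's DNSKEY and compare key tag,
    algorithm, digest type and digest (hex may be split over tokens, as dig prints it)."""
    tokens = ds_line.split()
    i = tokens.index("DS")
    tag, alg, dtype = (int(t) for t in tokens[i + 1:i + 4])
    digest = "".join(tokens[i + 4:]).upper()
    if dtype not in DIGEST_TYPES:
        return False  # unknown digest type: unusable for validation, never a match (RFC 4509 s.3)
    expected = ds_from_dnskey(dnskey_line, dtype).split()
    return [int(expected[3]), int(expected[4]), int(expected[5]), expected[6]] == [tag, alg, dtype, digest]


if __name__ == "__main__":
    for ds in ds_records(SAMPLE_DNSKEYS):
        print(ds)
```

Run as a script it prints two DS lines for the constructed KSK (digest types 1 and 2, key tag 2063, algorithm 8) and nothing for the ZSK, which is the same selection Tony's pipeline made for isc.org's key 12892; pass `ksk_only=False` to include ZSKs, as `dnssec-dsfromkey -A` does.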