In message <888060.89769...@web110304.mail.gq1.yahoo.com>, "prock...@yahoo.com" writes:

> In a DNSSEC compliant world (I know we're not there yet) we need to give a copy of our DSSET and KEYSET to our parent domain. Please confirm that is an accurate statement.

More correctly the parent needs to publish the DS RRset that matches your SEP keys. Some parents prefer to be given the public key, others are happy with just the DS records.

> So my question is, is there a way through DIG (or some other utility) to confirm that the parent domain has the DSSET and KEYSET records required to support the child domain?

To a first approximation you can use key ids to check this. The key ID field in the DS record is the first field (12892 in this case). You can then ask dig to display the key ids of the DNSKEY records with +multi. If you need to go further there are tools which can take a DNSKEY record and produce DS records and you can compare the hash fields. I've never needed to do this later step when debugging a validation failure.

In addition to the key ids matching, one of the keys identified by the DS RRset MUST also sign the DNSKEY RRset for it to be a secure linkage. This can also be done to a first approximation by looking at the key id field in the RRSIG record.

When debugging an actual failure adding +cd will allow you to see what named is getting even though it is not being returned to normal queries.

Mark

; <<>> DiG 9.3.6-P1 <<>> ds isc.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44326
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;isc.org.                       IN      DS

;; ANSWER SECTION:
isc.org.                900     IN      DS      12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
isc.org.                900     IN      DS      12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759

;; Query time: 430 msec
;; SERVER: 192.168.191.233#53(192.168.191.233)
;; WHEN: Fri Jan 29 07:50:55 2010
;; MSG SIZE  rcvd: 109

; <<>> DiG 9.3.6-P1 <<>> dnskey isc.org +multi +dnssec
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30104
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;isc.org.               IN DNSKEY

;; ANSWER SECTION:
isc.org.                31 IN DNSKEY 257 3 5 (
                                BEAAAAOfDU7lEMzlyr3z7cRBzlD4HVyg3CwQX4FycN7u
                                HAbRdGmwlorB3dnQO/TjnyC5f8ik0wgKJ6092WTnNNxG
                                IqbtFLC6xn0P1ES1LlCe0HmVSokKl7JS/753B4m7moOc
                                Oo/50sGM+vlZXO4pxmrW1EduobMgl/M1wpLvdBs+FFtY
                                idmeM8ECaSy/CHehlnY+BzoPH5/W+5CSRg4B7uK6GquI
                                syW34MbQIzRrRrp/VMiIVm1WSCwhE22+OMkaW+iX7h/S
                                gjzwh6T2+iUccDtyoBop6A5OVYj6DHip1WmwepiPjmTW
                                6dTmRo64QS/5S+0xZlvOU8NPgMSuW5pcgImp1/w/
                                ) ; key id = 47407
isc.org.                31 IN DNSKEY 257 3 5 (
                                BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hW
                                LDMvoOMRXjGrhhCeFvAZih7yJHf8ZGfW6hd38hXG/xyl
                                YCO6Krpbdojwx8YMXLA5/kA+u50WIL8ZR1R6KTbsYVMf
                                /Qx5RiNbPClw+vT+U8eXEJmO20jIS1ULgqy347cBB1zM
                                nnz/4LJpA0da9CbKj3A254T515sNIMcwsB8/2+2E63/z
                                ZrQzBkj0BrN/9Bexjpiks3jRhZatEsXn3dTy47R09Uix
                                5WcJt+xzqZ7+ysyLKOOedS39Z7SDmsn2eA0FKtQpwA6L
                                XeG2w+jxmw3oA8lVUgEf/rzeC/bByBNsO70aEFTd
                                ) ; key id = 12892
isc.org.                31 IN DNSKEY 256 3 5 (
                                BEAAAAO4r5Xw/jbd+p7UiuzpoXQRjUzDaBIP0GaF2h8N
                                rzydq8Faopgc29K9elYlNjC39T0qlaV2J2iqZS9g90AA
                                TKsXKPy7E9NSe/+Bsr0Uipehvt4K6jqaqSSLubuSisIM
                                R/q5x+wP6QUUKT0kjnycfDjjeORdiINckWHsbM87rtNw
                                8Q==
                                ) ; key id = 8496
isc.org.                31 IN RRSIG DNSKEY 5 2 7200 20100224205023 (
                                20100125205023 8496 isc.org.
                                bXGIYbjQbuLU4yzve/NxzhOKz8JLnCiuBnAKkqj0NEX3
                                c2IHY3pANw0itH3LuhQp0mrYx8/39vF/XYYT10V3NK2T
                                TiGUgZa0nOjRhPZNvs2+G5kcfHUvQvwbmldTvtjEADrx
                                q55tI5Qax8kf61CFWBjTdXpWVTM+asY0TD6GXSw= )
isc.org.                31 IN RRSIG DNSKEY 5 2 7200 20100224205023 (
                                20100125205023 12892 isc.org.
                                U67k/VAaIBdAOEQhEVtbEY8lhqHfnDHbir/PntlqYRvg
                                4LjlILpNbHRcyWzHKsBb0bnHp+qMYkiBYczNvZ4zD4nh
                                FR7ZVh6z046IcAzI8G1KD6n96GraXBXFJN2z+kE+B/gY
                                xMy3xWfrIoxj/L8hEy3mqjpPXfcdtzrD3/bjf/og3Mrn
                                WZJuawTcn3/ptMyQYbD5J7yr8xvpq7EjjclOR1u4WCXr
                                pjEbRN/OmlPSSmM9RI/1w8/ONmCDJSIBaRgc8cMvHvgJ
                                utPGMmW1ci/LTHVA7dBXb9K/fvOMyuJJMmN4p6Q6KQbY
                                cNwwktZlkIBO8KdojAsI+Z904XvThCYgbA== )
isc.org.                31 IN RRSIG DNSKEY 5 2 7200 20100224205023 (
                                20100125205023 47407 isc.org.
                                RNdtNlmH1MJasaAM2pM1/jo+fr0/UBauutDoR0TlZR1+
                                5SeuE5LLs1rqGc3Q8poVgCEFVX6MtFDf78wrSn/aQ+YD
                                ubvg/O8H8a98MyJaInHJZza265LnjsfVYJprExnnJFug
                                olzIuAQ+F5obSWXKx/WdyXXzzwcD2qWXOovRo4FN6xyE
                                KqdcaPECZfTJo8T+EqU5KpnHDvCyKf6F2v07GGyXe69t
                                tRzgCsEIsYGoagLANNSGnb53DqHYQWVJaOEGoEQRa0Ox
                                QrB8oGyvfCEE3AtFhR/UY9mq+rXDVRUkp9DeqqNRX1uf
                                OCeIHgkjynUUq8iEsjwhzn+bRbtUR8aNgA== )

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jan 29 08:08:37 2010
;; MSG SIZE  rcvd: 1496

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
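The "go further" step from the reply above, as an added example that is not part of Mark's post or of BIND: rebuild the DNSKEY RDATA, compute the RFC 4034 key tag (the "key id" dig prints) and the SHA-1/SHA-256 DS digests, and compare them with the parent's DS RRset. The sample input is the isc.org KSK 12892 and the two DS records quoted in the post; the function and variable names are my own.

```python
# Added example: does the parent's DS RRset really cover the child's DNSKEY?
# Step 1 compares key tags, step 2 recomputes the DS digest from the key itself.
import base64
import hashlib
import struct

def wire_name(name):
    # Canonical owner name (RFC 4034 6.2): lower-case, uncompressed wire format.
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    # DNSKEY RDATA exactly as on the wire: Flags | Protocol | Algorithm | Public Key.
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    # Key tag per RFC 4034 Appendix B; this is what "dig +multi" shows as "key id".
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest type -> hash function

def ds_digest(owner, rdata, digest_type):
    # DS digest (RFC 4034 5.1.4) = hash(canonical owner name | DNSKEY RDATA), hex.
    return DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()

def matching_ds(owner, dnskeys, ds_records):
    # dnskeys: [(flags, proto, alg, key_b64)], ds_records: [(tag, alg, type, hex)].
    # Returns the DS records that some DNSKEY reproduces exactly, not just by tag.
    matched = []
    for flags, proto, alg, key_b64 in dnskeys:
        rdata = dnskey_rdata(flags, proto, alg, key_b64)
        tag = key_tag(rdata)
        for ds_tag, ds_alg, dtype, digest in ds_records:
            if (ds_tag, ds_alg) != (tag, alg):
                continue  # key tag or algorithm differs: cannot be this key
            if ds_digest(owner, rdata, dtype) == digest.replace(" ", "").upper():
                matched.append((ds_tag, ds_alg, dtype, digest))
    return matched

# Sample input taken from the dig output in the post: isc.org KSK and DS RRset.
ISC_KSK = (257, 3, 5, "BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hWLDMvoOMRXjGrhhCeFvAZih7yJHf8ZGfW6hd38hXG/xyl"
    "YCO6Krpbdojwx8YMXLA5/kA+u50WIL8ZR1R6KTbsYVMf/Qx5RiNbPClw+vT+U8eXEJmO20jIS1ULgqy347cBB1zM"
    "nnz/4LJpA0da9CbKj3A254T515sNIMcwsB8/2+2E63/zZrQzBkj0BrN/9Bexjpiks3jRhZatEsXn3dTy47R09Uix"
    "5WcJt+xzqZ7+ysyLKOOedS39Z7SDmsn2eA0FKtQpwA6LXeG2w+jxmw3oA8lVUgEf/rzeC/bByBNsO70aEFTd")
ISC_DS = [(12892, 5, 2, "F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586DE18DA6B5"),
          (12892, 5, 1, "982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759")]

if __name__ == "__main__":
    print("key tag:", key_tag(dnskey_rdata(*ISC_KSK)))            # prints 12892
    print("DS matched:", matching_ds("isc.org.", [ISC_KSK], ISC_DS))  # both DS records
```

A DS whose tag matches but whose digest does not is treated as not covering the key, which is the case the tag-only check in the reply cannot tell apart.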