In message <888060.89769...@web110304.mail.gq1.yahoo.com>, "prock...@yahoo.com"
 writes:
> In a DNSSEC compliant world (I know we're not there yet) we need to give a copy
> of our DSSET and KEYSET to our parent domain.  Please confirm that is an accurate
> statement.

More correctly the parent needs to publish the DS RRset that matches
your SEP keys.  Some parents prefer to be given the public key,
others are happy with just the DS records.
 
> So my question is, is there a way through DIG (or some other utility) to confirm
> that the parent domain has the DSSET and KEYSET records required to support the
> child domain?

To a first approximation you can use key ids to check this.   The
key ID field in the DS record is the first field (12892 in this
case).  You can then ask dig to display the key ids of the DNSKEY
records with +multi.

If you need to go further there are tools which can take a DNSKEY
record and produce DS records and you can compare the hash fields.
I've never needed to do this later step when debugging a validation
failure.

In addition to the key ids matching, one of the keys identified by
the DS RRset MUST also sign the DNSKEY RRset for it to be a secure
linkage.  This can also be done to a first approximation by looking
at the key id field in the RRSIG record.

When debugging an actual failure adding +cd will allow you to see
what named is getting even though it is not being returned to normal
queries.

Mark

; <<>> DiG 9.3.6-P1 <<>> ds isc.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44326
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;isc.org.                       IN      DS

;; ANSWER SECTION:
isc.org.                900     IN      DS      12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
isc.org.                900     IN      DS      12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759

;; Query time: 430 msec
;; SERVER: 192.168.191.233#53(192.168.191.233)
;; WHEN: Fri Jan 29 07:50:55 2010
;; MSG SIZE  rcvd: 109


; <<>> DiG 9.3.6-P1 <<>> dnskey isc.org +multi +dnssec
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30104
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;isc.org.               IN DNSKEY

;; ANSWER SECTION:
isc.org.                31 IN DNSKEY 257 3 5 (
                                BEAAAAOfDU7lEMzlyr3z7cRBzlD4HVyg3CwQX4FycN7u
                                HAbRdGmwlorB3dnQO/TjnyC5f8ik0wgKJ6092WTnNNxG
                                IqbtFLC6xn0P1ES1LlCe0HmVSokKl7JS/753B4m7moOc
                                Oo/50sGM+vlZXO4pxmrW1EduobMgl/M1wpLvdBs+FFtY
                                idmeM8ECaSy/CHehlnY+BzoPH5/W+5CSRg4B7uK6GquI
                                syW34MbQIzRrRrp/VMiIVm1WSCwhE22+OMkaW+iX7h/S
                                gjzwh6T2+iUccDtyoBop6A5OVYj6DHip1WmwepiPjmTW
                                6dTmRo64QS/5S+0xZlvOU8NPgMSuW5pcgImp1/w/
                                ) ; key id = 47407
isc.org.                31 IN DNSKEY 257 3 5 (
                                BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hW
                                LDMvoOMRXjGrhhCeFvAZih7yJHf8ZGfW6hd38hXG/xyl
                                YCO6Krpbdojwx8YMXLA5/kA+u50WIL8ZR1R6KTbsYVMf
                                /Qx5RiNbPClw+vT+U8eXEJmO20jIS1ULgqy347cBB1zM
                                nnz/4LJpA0da9CbKj3A254T515sNIMcwsB8/2+2E63/z
                                ZrQzBkj0BrN/9Bexjpiks3jRhZatEsXn3dTy47R09Uix
                                5WcJt+xzqZ7+ysyLKOOedS39Z7SDmsn2eA0FKtQpwA6L
                                XeG2w+jxmw3oA8lVUgEf/rzeC/bByBNsO70aEFTd
                                ) ; key id = 12892
isc.org.                31 IN DNSKEY 256 3 5 (
                                BEAAAAO4r5Xw/jbd+p7UiuzpoXQRjUzDaBIP0GaF2h8N
                                rzydq8Faopgc29K9elYlNjC39T0qlaV2J2iqZS9g90AA
                                TKsXKPy7E9NSe/+Bsr0Uipehvt4K6jqaqSSLubuSisIM
                                R/q5x+wP6QUUKT0kjnycfDjjeORdiINckWHsbM87rtNw
                                8Q==
                                ) ; key id = 8496
isc.org.                31 IN RRSIG DNSKEY 5 2 7200 20100224205023 (
                                20100125205023 8496 isc.org.
                                bXGIYbjQbuLU4yzve/NxzhOKz8JLnCiuBnAKkqj0NEX3
                                c2IHY3pANw0itH3LuhQp0mrYx8/39vF/XYYT10V3NK2T
                                TiGUgZa0nOjRhPZNvs2+G5kcfHUvQvwbmldTvtjEADrx
                                q55tI5Qax8kf61CFWBjTdXpWVTM+asY0TD6GXSw= )
isc.org.                31 IN RRSIG DNSKEY 5 2 7200 20100224205023 (
                                20100125205023 12892 isc.org.
                                U67k/VAaIBdAOEQhEVtbEY8lhqHfnDHbir/PntlqYRvg
                                4LjlILpNbHRcyWzHKsBb0bnHp+qMYkiBYczNvZ4zD4nh
                                FR7ZVh6z046IcAzI8G1KD6n96GraXBXFJN2z+kE+B/gY
                                xMy3xWfrIoxj/L8hEy3mqjpPXfcdtzrD3/bjf/og3Mrn
                                WZJuawTcn3/ptMyQYbD5J7yr8xvpq7EjjclOR1u4WCXr
                                pjEbRN/OmlPSSmM9RI/1w8/ONmCDJSIBaRgc8cMvHvgJ
                                utPGMmW1ci/LTHVA7dBXb9K/fvOMyuJJMmN4p6Q6KQbY
                                cNwwktZlkIBO8KdojAsI+Z904XvThCYgbA== )
isc.org.                31 IN RRSIG DNSKEY 5 2 7200 20100224205023 (
                                20100125205023 47407 isc.org.
                                RNdtNlmH1MJasaAM2pM1/jo+fr0/UBauutDoR0TlZR1+
                                5SeuE5LLs1rqGc3Q8poVgCEFVX6MtFDf78wrSn/aQ+YD
                                ubvg/O8H8a98MyJaInHJZza265LnjsfVYJprExnnJFug
                                olzIuAQ+F5obSWXKx/WdyXXzzwcD2qWXOovRo4FN6xyE
                                KqdcaPECZfTJo8T+EqU5KpnHDvCyKf6F2v07GGyXe69t
                                tRzgCsEIsYGoagLANNSGnb53DqHYQWVJaOEGoEQRa0Ox
                                QrB8oGyvfCEE3AtFhR/UY9mq+rXDVRUkp9DeqqNRX1uf
                                OCeIHgkjynUUq8iEsjwhzn+bRbtUR8aNgA== )

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jan 29 08:08:37 2010
;; MSG SIZE  rcvd: 1496

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
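The three checks Mark describes (DS key tag matches a DNSKEY key id, the DS hash matches a hash computed over that DNSKEY, and an RRSIG over the DNSKEY RRset was made by one of the DS-identified keys) can be scripted against the dig output above. The script below is an added example written for this page; it is not code from Mark Andrews, ISC, or BIND. It computes key tags per RFC 4034 Appendix B and DS digests per RFC 4034 section 5.1.4 (SHA-1), RFC 4509 (SHA-256) and RFC 6605 (SHA-384), and it feeds in the DS and DNSKEY answer sections copied from the two dig runs above, with the RRSIGs made by keys 8496 and 47407 left out to keep the listing short. Like Mark's "first approximation" it compares the RRSIG key tag field only and does not verify the signature cryptographically. It goes one step beyond the text by also listing SEP-flagged keys (flags 257) that the parent has not published a DS for, which is what key 47407 is in this output. The function names and the report layout are my own choices.

```python
import base64
import hashlib
import struct

# Constructed input: the DS answer section and the DNSKEY +multi answer section
# from the dig output above; the RRSIGs made by keys 8496 and 47407 are left out.
DS_ANSWER = """\
isc.org. 900 IN DS 12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
isc.org. 900 IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
"""
DNSKEY_ANSWER = """\
isc.org. 31 IN DNSKEY 257 3 5 (
  BEAAAAOfDU7lEMzlyr3z7cRBzlD4HVyg3CwQX4FycN7u HAbRdGmwlorB3dnQO/TjnyC5f8ik0wgKJ6092WTnNNxG
  IqbtFLC6xn0P1ES1LlCe0HmVSokKl7JS/753B4m7moOc Oo/50sGM+vlZXO4pxmrW1EduobMgl/M1wpLvdBs+FFtY
  idmeM8ECaSy/CHehlnY+BzoPH5/W+5CSRg4B7uK6GquI syW34MbQIzRrRrp/VMiIVm1WSCwhE22+OMkaW+iX7h/S
  gjzwh6T2+iUccDtyoBop6A5OVYj6DHip1WmwepiPjmTW 6dTmRo64QS/5S+0xZlvOU8NPgMSuW5pcgImp1/w/
  ) ; key id = 47407
isc.org. 31 IN DNSKEY 257 3 5 (
  BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hW LDMvoOMRXjGrhhCeFvAZih7yJHf8ZGfW6hd38hXG/xyl
  YCO6Krpbdojwx8YMXLA5/kA+u50WIL8ZR1R6KTbsYVMf /Qx5RiNbPClw+vT+U8eXEJmO20jIS1ULgqy347cBB1zM
  nnz/4LJpA0da9CbKj3A254T515sNIMcwsB8/2+2E63/z ZrQzBkj0BrN/9Bexjpiks3jRhZatEsXn3dTy47R09Uix
  5WcJt+xzqZ7+ysyLKOOedS39Z7SDmsn2eA0FKtQpwA6L XeG2w+jxmw3oA8lVUgEf/rzeC/bByBNsO70aEFTd
  ) ; key id = 12892
isc.org. 31 IN DNSKEY 256 3 5 (
  BEAAAAO4r5Xw/jbd+p7UiuzpoXQRjUzDaBIP0GaF2h8N rzydq8Faopgc29K9elYlNjC39T0qlaV2J2iqZS9g90AA
  TKsXKPy7E9NSe/+Bsr0Uipehvt4K6jqaqSSLubuSisIM R/q5x+wP6QUUKT0kjnycfDjjeORdiINckWHsbM87rtNw
  8Q==
  ) ; key id = 8496
isc.org. 31 IN RRSIG DNSKEY 5 2 7200 20100224205023 (
  20100125205023 12892 isc.org.
  U67k/VAaIBdAOEQhEVtbEY8lhqHfnDHbir/PntlqYRvg 4LjlILpNbHRcyWzHKsBb0bnHp+qMYkiBYczNvZ4zD4nh
  FR7ZVh6z046IcAzI8G1KD6n96GraXBXFJN2z+kE+B/gY xMy3xWfrIoxj/L8hEy3mqjpPXfcdtzrD3/bjf/og3Mrn
  WZJuawTcn3/ptMyQYbD5J7yr8xvpq7EjjclOR1u4WCXr pjEbRN/OmlPSSmM9RI/1w8/ONmCDJSIBaRgc8cMvHvgJ
  utPGMmW1ci/LTHVA7dBXb9K/fvOMyuJJMmN4p6Q6KQbY cNwwktZlkIBO8KdojAsI+Z904XvThCYgbA== )
"""
DIGEST = {1: "sha1", 2: "sha256", 4: "sha384"}  # DS digest types: RFC 4034, 4509, 6605

def parse_dig_records(text):
    """One token list per record: drop ';' comments (including ';;' header lines)
    and join the '( ... )' continuation lines that dig +multi produces."""
    records, buf = [], ""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        buf = f"{buf} {line}".strip()
        if buf.count("(") > buf.count(")"):
            continue                      # RDATA continues on the next line
        records.append(buf.replace("(", " ").replace(")", " ").split())
        buf = ""
    return records

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags|proto|alg|key)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """Hex digest over the canonical owner name (wire format, lowercased) + DNSKEY RDATA."""
    labels = owner.rstrip(".").lower().split(".")
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return hashlib.new(DIGEST[digest_type], wire + rdata).hexdigest().upper()

def check_chain(ds_text, dnskey_text):
    """Which DS records match a DNSKEY, which matched keys also sign the DNSKEY
    RRset (a usable secure entry point), and which SEP-flagged keys have no DS."""
    keys, ds_set, signers = [], [], set()
    for t in parse_dig_records(ds_text) + parse_dig_records(dnskey_text):
        if t[3] == "DNSKEY":
            flags, proto, alg = int(t[4]), int(t[5]), int(t[6])
            rdata = struct.pack(">HBB", flags, proto, alg) + base64.b64decode("".join(t[7:]))
            keys.append((t[0], key_tag(rdata), flags, alg, rdata))
        elif t[3] == "DS":
            ds_set.append((int(t[4]), int(t[5]), int(t[6]), "".join(t[7:]).upper()))
        elif t[3] == "RRSIG" and t[4] == "DNSKEY":
            signers.add(int(t[10]))       # key tag field of the RRSIG
    status, anchored = {}, set()
    for tag, alg, dtype, digest in ds_set:
        candidates = [k for k in keys if k[1] == tag and k[3] == alg]
        if dtype not in DIGEST:
            status[(tag, dtype)] = "unsupported digest type"
        elif not candidates:
            status[(tag, dtype)] = "no DNSKEY with this key tag and algorithm"
        elif any(ds_digest(k[0], k[4], dtype) == digest for k in candidates):
            status[(tag, dtype)] = "ok"
            anchored.add(tag)
        else:
            status[(tag, dtype)] = "digest mismatch"
    return {"ds": status,
            "secure_entry_points": sorted(anchored & signers),
            "ksk_without_ds": sorted(k[1] for k in keys if k[2] & 1 and k[1] not in anchored)}

if __name__ == "__main__":
    print(check_chain(DS_ANSWER, DNSKEY_ANSWER))
```

To use it on a live zone, paste the full output of `dig ds <zone>` and `dig dnskey <zone> +multi +dnssec` into the two strings; the `;;` header and `; <<>> DiG` lines are skipped as comments. A "digest mismatch" with a matching key tag is the case Mark says he has rarely needed to chase, but it is exactly what you get when the parent was handed a stale key or a DS generated from the wrong DNSKEY. An empty `secure_entry_points` with all DS records "ok" means the parent's DS points at a key that is published but not currently signing the DNSKEY RRset, which validators will treat as bogus.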
