On Sun, Feb 12, 2012 at 10:22:22AM -0800, Michael Sinatra wrote:
> On 02/12/12 09:40, dE . wrote:
> > I'm trying to see the DNSSEC response of various sites; my DNS server is
> > 8.8.8.8 (Google's public DNS service) . . .
> > As we can see, the DNSKEY and DS RRs are missing, which are mandatory for
> > this to be of any use. So where are they?
>
> Well, the DS RR resides in the parent, not in the zone you're querying.
> You need to ask for it explicitly. Although DNSKEY records are in the
> actual zone you're querying, you still need to ask for them explicitly.
> They're there; you just need to ask for them.
As Tony Finch pointed out to me a few days ago, the Google public servers
don't understand that fact about DS records, and don't know to ask for them
in the parent. But here's something interesting - as of my testing just now,
they *do* respond with DS records:

[littledebian:~/dns] owens% dig isc.org @8.8.8.8 ds +dnssec

; <<>> DiG 9.9.0rc2 <<>> isc.org @8.8.8.8 ds +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48488
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;isc.org.                       IN      DS

;; ANSWER SECTION:
isc.org.                73847   IN      DS      12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
isc.org.                73847   IN      DS      12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
isc.org.                73847   IN      RRSIG   DS 7 2 86400 20120301160425 20120209150425 55440 org. AaHh8ATWNZqZAfqKxoFS2GyScv46ME2s2sS6lG/AzWzDn6r7R1aXRPIT 2zfDhLfP6yyQSREh8BSd4K98OKfWW2ZSDPxHx3soJotG+N9RFqs33HYR 2rfJNsKDelnLQZvql93HkhblDALFycKHxKZDocNF/DgANJZbhV0qh1c9 5Cs=

;; Query time: 63 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Feb 12 19:19:43 2012
;; MSG SIZE  rcvd: 283

They're not setting AD so they aren't validating, and in fact they'll return
records with broken signatures, like so:

[littledebian:~/dns] owens% dig pastdate-a.test.dnssec-tools.org @8.8.8.8

; <<>> DiG 9.9.0rc2 <<>> pastdate-a.test.dnssec-tools.org @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30272
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;pastdate-a.test.dnssec-tools.org. IN   A

;; ANSWER SECTION:
pastdate-a.test.dnssec-tools.org. 86400 IN A    75.119.216.33

;; Query time: 154 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Feb 12 19:23:11 2012
;; MSG SIZE  rcvd: 77

Still, I think it's a good sign. . .

Bill.
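The two checks Bill is doing by eye above (is the AD flag set, and is the RRSIG's validity window sane?) can be done mechanically on dig output. This is an added example, not code from the thread; the input is a constructed, trimmed copy of the isc.org DS answer quoted above, and it only checks the signature's time window, not the cryptographic signature itself:

```python
import re
from datetime import datetime, timezone

# Constructed input: the flags line and answer section of the dig output
# above, with the signature data truncated (it is not needed here).
DIG_DS_OUTPUT = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 512
isc.org. 73847 IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
isc.org. 73847 IN RRSIG DS 7 2 86400 20120301160425 20120209150425 55440 org. AaHh8ATW...
"""

# RRSIG RDATA order: type covered, algorithm, labels, original TTL,
# expiration, inception, key tag, signer name, signature.
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expire>\d{14})\s+(?P<incept>\d{14})\s+\d+\s+(?P<signer>\S+)")

def header_flags(dig_output):
    """Return the set of header flags (qr, rd, ra, ad, ...) from a dig answer."""
    for line in dig_output.splitlines():
        m = re.match(r";; flags:\s*([^;]*);", line)
        if m:
            return set(m.group(1).split())
    return set()

def resolver_validated(dig_output):
    """True only if the resolver set AD, i.e. it validated the answer itself.
    Without AD, any RRSIG in the answer is just data the resolver passed through."""
    return "ad" in header_flags(dig_output)

def dnssec_time(yyyymmddhhmmss):
    """Parse an RRSIG expiration/inception field (UTC) into a datetime."""
    return datetime.strptime(yyyymmddhhmmss, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def rrsig_status(dig_output, now=None):
    """Classify each RRSIG in the answer as 'valid', 'expired' or 'not-yet-valid'
    at time `now` (default: current UTC time). Returns (owner, covered, status)."""
    now = now or datetime.now(timezone.utc)
    results = []
    for line in dig_output.splitlines():
        m = RRSIG_RE.match(line.strip())
        if not m:
            continue
        incept, expire = dnssec_time(m["incept"]), dnssec_time(m["expire"])
        status = "not-yet-valid" if now < incept else "expired" if now > expire else "valid"
        results.append((m["owner"], m["covered"], status))
    return results

if __name__ == "__main__":
    print("AD set:", resolver_validated(DIG_DS_OUTPUT))
    print(rrsig_status(DIG_DS_OUTPUT, dnssec_time("20120212191943")))
```

Run against the pastdate-a.test.dnssec-tools.org answer above it reports nothing, because that query was made without +dnssec and so no RRSIG came back at all; a non-validating resolver hides the problem either way.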