On 02/18/12 00:36, Gaurav kansal wrote:
Firstly, where do we get the public key for the DS records?
Can you clarify your question?
The DS record is a signature, right? It has to be decrypted using a
public key and the decrypted hash has to be compared to the DNSKEY's hash.
So what I'm asking for here is, where do we get this public key from?
Second, why do I get multiple DS records as response? --
You will always get 2 DS records in response: one for SHA-1 and a
second for SHA-256.
------------------------------------------------------------------------
dig +dnssec -t DS isc.org @b0.org.afilias-nst.org.
; <<>> DiG 9.8.1 <<>> +dnssec -t DS isc.org @b0.org.afilias-nst.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32385
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;isc.org. IN DS
;; ANSWER SECTION:
isc.org. 86400 IN DS 12892 5 2
F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
isc.org. 86400 IN DS 12892 5 1
982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
isc.org. 86400 IN RRSIG DS 7 2 86400
20120309160141 20120217150141 55440 org.
SHpqmMeBQAyBB5LgBcrR5FcZiWiEudop/fl7X1xgz31XG4vFFQzq57RI
q0hUkWZ0dR5oBCpRC15osOXSZEwVuz3LXXUd63GpI5aoGv/OtyPI/w4Y
TedgweoE9PWovcx6Ahr2WonckP2YqTsHqzxwr+VSiiMFMe2VVquTo4/v EjE=
;; Query time: 339 msec
;; SERVER: 199.19.54.1#53(199.19.54.1)
;; WHEN: Fri Feb 17 23:36:01 2012
;; MSG SIZE rcvd: 283
------------------------------------------------------------------------
Why do I get multiple RRSIG records from some servers? --
You will get a single RRSIG per RRset.
------------------------------------------------------------------------
dig +dnssec -t NS yahoo.com @g.gtld-servers.net.
; <<>> DiG 9.8.1 <<>> +dnssec -t NS yahoo.com @g.gtld-servers.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35065
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 6
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;yahoo.com. IN NS
;; AUTHORITY SECTION:
yahoo.com. 172800 IN NS ns1.yahoo.com.
yahoo.com. 172800 IN NS ns5.yahoo.com.
yahoo.com. 172800 IN NS ns2.yahoo.com.
yahoo.com. 172800 IN NS ns3.yahoo.com.
yahoo.com. 172800 IN NS ns4.yahoo.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 -
CK3O3O11OF9QR6F29BIIMK6FFD57PGE2 NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400
20120222012103 20120215001103 54350 com.
gf6tXFAK2gwY3wjtBOuPN8Hai0kNguudAzewQLf3ZGxhbXxKoB0/+JvC
yAjgBhMF9E1GIVVLmgjrkJXpMxL1n2PjAjBx/R8kZ+W+flKehXDBPmX9
TDnbrJ9EHytM6/JN4loGB1cAYeQXrN8TE3jNzWneiFYPFwgCIT21qo0l RE8=
GP1945PGQIOH4O61BM3RUL2EVN04SPIA.com. 86400 IN NSEC3 1 1 0 -
GPLVOUV0V27L8DPOOBNLQU1VHFRMMPUT NS DS RRSIG
GP1945PGQIOH4O61BM3RUL2EVN04SPIA.com. 86400 IN RRSIG NSEC3 8 2 86400
20120224144059 20120217133059 54350 com.
NiD8Fe9hm7I2mgfjoXph2yiODqiuS9t/ZSM9pEuZ6gP9/xM6odKAwFC+
3egy+8F8yVjFth63MLIUOeCcwZBYKzymo4wJ2hddaddqBnNTYj0BAYXn
YZdmf0OmCTvhDe5EXcIWH14DiCOjITeZR/CX3wfP8aUu9CGOYDAR8/1M /Ds=
;; ADDITIONAL SECTION:
ns1.yahoo.com. 172800 IN A 68.180.131.16
ns5.yahoo.com. 172800 IN A 119.160.247.124
ns2.yahoo.com. 172800 IN A 68.142.255.16
ns3.yahoo.com. 172800 IN A 121.101.152.99
ns4.yahoo.com. 172800 IN A 68.142.196.63
;; Query time: 386 msec
;; SERVER: 192.42.93.30#53(192.42.93.30)
;; WHEN: Fri Feb 17 23:40:26 2012
;; MSG SIZE rcvd: 693
------------------------------------------------------------------------
Do we get an RRSIG for each RR retrieved? If so, why does --
Not for each RR, but for each RRset.
------------------------------------------------------------------------
dig +dnssec -t NS com @a.root-servers.net.
; <<>> DiG 9.8.1 <<>> +dnssec -t NS com @a.root-servers.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44852
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 16
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;com. IN NS
;; AUTHORITY SECTION:
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 86400 IN DS 30909 8 2
E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com. 86400 IN RRSIG DS 8 1 86400
20120224000000 20120216230000 51201 .
IuENP04r85gzobEOPGEWr+cRxuPep8KWQgp0P9e3RxVlL5ZFaSzUHjVg
SQL7LMHn31FfiUDrGW9oTs3knqqGNbex+LDB9lIq17dEN3k1A+1emHcN
MF6kDBCoSPiU9yvaxZkII4Omj051XyHH+5st8cpZemLgR/n+2gtDpvPV PeY=
;; ADDITIONAL SECTION:
a.gtld-servers.net. 86400 IN AAAA 2001:503:a83e::2:30
a.gtld-servers.net. 86400 IN A 192.5.6.30
b.gtld-servers.net. 86400 IN AAAA 2001:503:231d::2:30
b.gtld-servers.net. 86400 IN A 192.33.14.30
c.gtld-servers.net. 86400 IN A 192.26.92.30
d.gtld-servers.net. 86400 IN A 192.31.80.30
e.gtld-servers.net. 86400 IN A 192.12.94.30
f.gtld-servers.net. 86400 IN A 192.35.51.30
g.gtld-servers.net. 86400 IN A 192.42.93.30
h.gtld-servers.net. 86400 IN A 192.54.112.30
i.gtld-servers.net. 86400 IN A 192.43.172.30
j.gtld-servers.net. 86400 IN A 192.48.79.30
k.gtld-servers.net. 86400 IN A 192.52.178.30
l.gtld-servers.net. 86400 IN A 192.41.162.30
m.gtld-servers.net. 86400 IN A 192.55.83.30
;; Query time: 192 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Fri Feb 17 23:43:09 2012
;; MSG SIZE rcvd: 727
------------------------------------------------------------------------
Does not return multiple RR?
Lastly, what's the format of the dig output for DNSSEC records?
com. 86400 IN DS 30909 8 2
E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
So what's '30909 8 2'?
30909 is the TTL value; 2 signifies SHA-256.
And in -
com. 86400 IN RRSIG DS 8 1 86400
20120224000000 20120216230000 51201 .
IuENP04r85gzobEOPGEWr+cRxuPep8KWQgp0P9e3RxVlL5ZFaSzUHjVg
SQL7LMHn31FfiUDrGW9oTs3knqqGNbex+LDB9lIq17dEN3k1A+1emHcN
MF6kDBCoSPiU9yvaxZkII4Omj051XyHH+5st8cpZemLgR/n+2gtDpvPV PeY=
What's 8 1 86400 20120224000000 20120216230000 51201?
1 -- SHA-1
86400 -- TTL value
20120224000000 -- Signature expiration time
20120224000000 -- Signature creation time
51201 -- Key ID
DNSSEC appears to be a rarely explored topic.
Thanks for the answer! That cleared a lot of things.
Another thing I forgot to ask is, in -
com. 86400 IN RRSIG DS 8 1 86400
20120224000000 20120216230000 51201 .
IuENP04r85gzobEOPGEWr+cRxuPep8KWQgp0P9e3RxVlL5ZFaSzUHjVg
SQL7LMHn31FfiUDrGW9oTs3knqqGNbex+LDB9lIq17dEN3k1A+1emHcN
MF6kDBCoSPiU9yvaxZkII4Omj051XyHH+5st8cpZemLgR/n+2gtDpvPV PeY=
What does the DS signify here? RRSIG for the returned DS RRset?
If this is so, why does -
------------------------------------------------------------------------
dig +dnssec -t NS com @a.root-servers.net.
; <<>> DiG 9.8.1 <<>> +dnssec -t NS com @a.root-servers.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44852
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 16
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;com. IN NS
;; AUTHORITY SECTION:
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 86400 IN DS 30909 8 2
E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com. 86400 IN RRSIG DS 8 1 86400
20120224000000 20120216230000 51201 .
IuENP04r85gzobEOPGEWr+cRxuPep8KWQgp0P9e3RxVlL5ZFaSzUHjVg
SQL7LMHn31FfiUDrGW9oTs3knqqGNbex+LDB9lIq17dEN3k1A+1emHcN
MF6kDBCoSPiU9yvaxZkII4Omj051XyHH+5st8cpZemLgR/n+2gtDpvPV PeY=
------------------------------------------------------------------------
Does not return RRSIG for the NS RRset?
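Added example, not from the thread: per RFC 4034 the four DS fields are the key tag, the DNSKEY algorithm, the digest type (1 = SHA-1, 2 = SHA-256) and a digest over the child zone's DNSKEY, so a resolver checks a DS by hashing the DNSKEY it fetched from the child and comparing, while the RRSIG over the DS RRset is made with the parent's key (signer `.` and key tag 51201 in the output above). The Python below uses a constructed DNSKEY (flags 257, algorithm 8, a dummy public key) to compute the key tag and both DS digests, validates a DS line in dig's presentation format, and names the RRSIG fields and checks the signature's validity window.

```python
import base64
import hashlib
import struct
from datetime import datetime, timezone

def name_to_wire(name):
    # Canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed labels, root terminator.
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    # RFC 4034 Appendix B: 16-bit checksum over the DNSKEY RDATA (all algorithms except 1).
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_set(owner, flags, protocol, algorithm, pubkey_b64):
    """DS RDATA the parent publishes for this DNSKEY, one per digest type (1=SHA-1, 2=SHA-256)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    data = name_to_wire(owner) + rdata  # digest input per RFC 4034 s5.1.4: owner name | DNSKEY RDATA
    tag = key_tag(rdata)
    return {1: (tag, algorithm, 1, hashlib.sha1(data).hexdigest().upper()),
            2: (tag, algorithm, 2, hashlib.sha256(data).hexdigest().upper())}

def ds_matches(ds_text, owner, flags, protocol, algorithm, pubkey_b64):
    """Validate a DS presentation string ('12892 5 2 F1E1...') against a child DNSKEY (constructed input)."""
    tag, alg, dtype, digest = ds_text.split(None, 3)
    digest = digest.replace(" ", "").upper()  # dig wraps long digests with a space
    calc = ds_set(owner, flags, protocol, algorithm, pubkey_b64).get(int(dtype))
    return calc is not None and calc == (int(tag), int(alg), int(dtype), digest)

RRSIG_FIELDS = ("type_covered", "algorithm", "labels", "original_ttl",
                "expiration", "inception", "key_tag", "signer")

def parse_rrsig(line):
    """Name the RRSIG RDATA fields of one dig line; the wrapped base64 signature is rejoined."""
    owner, ttl, _cls, _type, *rest = line.split()
    rec = dict(zip(RRSIG_FIELDS, rest[:8]))
    rec.update(owner=owner, ttl=int(ttl), signature="".join(rest[8:]))
    for f in ("algorithm", "labels", "original_ttl", "key_tag"):
        rec[f] = int(rec[f])
    return rec

def rrsig_valid_at(rec, when):
    """True if `when` (YYYYMMDDHHMMSS, UTC) lies inside the inception..expiration window."""
    fmt = "%Y%m%d%H%M%S"
    parse = lambda s: datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)
    return parse(rec["inception"]) <= parse(when) <= parse(rec["expiration"])
```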
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users