On Fri, May 20, 2016 at 08:10:23AM +0200, Bit World Computing - Michael Mertel wrote:
> Hi Leen,
>
> thanks for clearing this up. My approach was a bit too naive, but my recursor
> is now returning what's expected.
>
> The +dnssec parameter is the essential trick, and depending on dnssec=off or
> =process in my recursor.conf the recursor is returning the correct
> information.
>
> Thanks for your feedback.
>

I forgot to mention: when you query a recursor, the recursor can also indicate
that the response is DNSSEC-validated; you need to look at the AD bit. See the
dig output here:

https://docs.menandmice.com/display/MM/How+to+test+DNSSEC+validation

You will need the AD bit if you have an application which depends on that, but
it can't really be trusted unless it's running on the same machine, aka
localhost.

But it is also an indicator from the recursor that it did the DNSSEC
validation, so it's useful if you want to know what the recursor is doing.

> —Michael
>
> > On 19.05.2016 at 17:36, Leen Besselink <[email protected]> wrote:
> >
> > On Thu, May 19, 2016 at 03:00:12PM +0200, Bit World Computing - Michael
> > Mertel wrote:
> >> Hi,
> >>
> >
> > Hi,
> >
> >> I'm currently trying to get a better understanding of DNSSEC. But even if
> >> I enable dnssec=process in my recursor.conf, I cannot get any DNSSEC
> >> related answer from it. What am I doing wrong here? I'm somewhat lost.
> >>
> >> —————————————————————————————————————
> >> --- direct query ----
> >> dig @ns1.denic.de ANY www.denic.de
> >> ;; ANSWER SECTION:
> >> www.denic.de. 3600 IN A 81.91.170.12
> >> www.denic.de. 3600 IN RRSIG A 8 3 3600
> >> 20160602090000 20160519090000 26155 denic.de.
> >> rPMh+rMzzR2S4ZfPNlRVhhMInQ2NRJnbrVdpcu1pSiao0sNQ0cT0VtbG
> >> lt5inSNmhglwvHKVug4zMHlS+LOtXeRDikzZSvL9k3oam/livEQ4MaKO
> >> ZOR9PkIC8bf0bUj1Asfn2ifE9t5GmMXq6mFbP5ey38Q8bQn+nSancGwG
> >> AIvwtwE0rFUh5dH9o767dE3U+wl0Phx7QgzzT68gix9YosPmSFRJnZGp
> >> ICqyiViPDzmiU1WUjmpe9Vx3xHEPVHuS
> >>
> >> ;; AUTHORITY SECTION:
> >> denic.de. 3600 IN NS ns2.denic.de.
> >> denic.de. 3600 IN NS ns3.denic.de.
> >> denic.de. 3600 IN NS ns1.denic.de.
> >>
> >> ;; ADDITIONAL SECTION:
> >> ns1.denic.de. 3600 IN A 81.91.170.1
> >> ns1.denic.de. 3600 IN AAAA 2a02:568:121:6:2::2
> >> ns2.denic.de. 3600 IN A 78.104.145.26
> >> ns3.denic.de. 3600 IN A 81.91.173.19
> >
> > DENIC can return whatever they want with an ANY-query, but that doesn't
> > mean it's DNSSEC.
> >
> >> —————————————————————————————————————
> >> — query through dnsdist —
> >> dig @192.168.1.5 ANY www.denic.de
> >>
> >> ;; ANSWER SECTION:
> >> www.denic.de. 2083 IN A 81.91.170.12
> >> www.denic.de. 2083 IN RRSIG A 8 3 3600
> >> 20160601090000 20160518090000 26155 denic.de.
> >> CjMNUtYc5apXRuMLeqH+s8OoOrYyoV5r/CD0xmUNQIhT9DpS80QhB6b2
> >> oMhjxPqAN4leJUbJvMv23mAOMmnqViITN5c6aLWywDBcaN4JKCwBQbD8
> >> n8LxMSC2QxKM7Ypl8bQBBvPTrT9fHauXGlLcQNLWtYPQ8vD7+5XurFJm
> >> YCe6ZV3KTwkzHjDJSv4tSPFLfCHuFJSMtXqLewqwNPstqzvu4DXznj6Z
> >> RcYURFkGvSJsajzbVbVvDMrFO3tY6Faa
> >>
> >> —————————————————————————————————————
> >> — query through recursor (no forwarders, dnssec=process) —
> >> dig -p 5153 @192.168.1.5 ANY www.denic.de
> >>
> >> ;; ANSWER SECTION:
> >> www.denic.de. 2724 IN A 81.91.170.12
> >>
> >> —————————————————————————————————————
> >>
> >> Thanks in advance.
> >>
> >
> > This would be the usual way to check DNSSEC. Without:
> >
> > $ dig @d.ns.nic.cz labs.nic.cz A
> >
> > ; <<>> DiG 9.8.1-P1 <<>> @d.ns.nic.cz labs.nic.cz A
> > ; (2 servers found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60824
> > ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6
> > ;; WARNING: recursion requested but not available
> >
> > ;; QUESTION SECTION:
> > ;labs.nic.cz. IN A
> >
> > ;; ANSWER SECTION:
> > labs.nic.cz. 1800 IN A 217.31.205.52
> >
> > ;; AUTHORITY SECTION:
> > nic.cz. 1800 IN NS a.ns.nic.cz.
> > nic.cz. 1800 IN NS b.ns.nic.cz.
> > nic.cz. 1800 IN NS d.ns.nic.cz.
> >
> > ;; ADDITIONAL SECTION:
> > a.ns.nic.cz. 1800 IN A 194.0.12.1
> > a.ns.nic.cz. 1800 IN AAAA 2001:678:f::1
> > b.ns.nic.cz. 1800 IN A 194.0.13.1
> > b.ns.nic.cz. 1800 IN AAAA 2001:678:10::1
> > d.ns.nic.cz. 1800 IN A 193.29.206.1
> > d.ns.nic.cz. 1800 IN AAAA 2001:678:1::1
> >
> > With DNSSEC:
> >
> > $ dig +dnssec @d.ns.nic.cz labs.nic.cz A
> >
> > ; <<>> DiG 9.8.1-P1 <<>> +dnssec @d.ns.nic.cz labs.nic.cz A
> > ; (2 servers found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54051
> > ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 10
> > ;; WARNING: recursion requested but not available
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags: do; udp: 1232
> > ;; QUESTION SECTION:
> > ;labs.nic.cz. IN A
> >
> > ;; ANSWER SECTION:
> > labs.nic.cz. 1800 IN A 217.31.205.52
> > labs.nic.cz. 1800 IN RRSIG A 5 3 1800 20160531125753
> > 20160518035002 37152 nic.cz.
> > 0xzEtxkFeiOrdU2dqdKWmltIQEHn28Rv3bZKepOFmr3EUDcQDiGtWoV4
> > CRUdrcKAoP9Gjq31qqHjYd7xvKJo54jb9IMI42X6PTHe+Mm/dgyYgoQw
> > wdMjd+i/oEGF9MH/6BYbviaStGK5ocAsbB49pbvJW1Fh+e8rcTiHt9tt wlU=
> >
> > ;; AUTHORITY SECTION:
> > nic.cz. 1800 IN NS a.ns.nic.cz.
> > nic.cz. 1800 IN NS b.ns.nic.cz.
> > nic.cz. 1800 IN NS d.ns.nic.cz.
> > nic.cz. 1800 IN RRSIG NS 5 2 1800 20160531192914
> > 20160518035002 37152 nic.cz.
> > eddprYYJBlc+xmv1WAuOLJ8zek0G4dtXlOSx3cNp4KFwscwsKBKD07k7
> > jScwCdvHZsnD2tOjDtJ0cPyMl/JffL9s4lXp5nqh7rtrTPPHMzqER3Zy
> > MsY+/Nl0MJV3Z15wRzgSvnG/EjXxHLJ+vRIShWceXXhdFCt+5vR2wwng evk=
> >
> > ;; ADDITIONAL SECTION:
> > a.ns.nic.cz. 1800 IN A 194.0.12.1
> > a.ns.nic.cz. 1800 IN AAAA 2001:678:f::1
> > b.ns.nic.cz. 1800 IN A 194.0.13.1
> > b.ns.nic.cz. 1800 IN AAAA 2001:678:10::1
> > d.ns.nic.cz. 1800 IN A 193.29.206.1
> > d.ns.nic.cz. 1800 IN AAAA 2001:678:1::1
> > a.ns.nic.cz. 1800 IN RRSIG A 5 4 1800 20160531092635
> > 20160518035002 37152 nic.cz.
> > CXDP0ZWPcrd3k8Tdot6TIr2Q5VVpop73FG79j41D7q7dQV7y1Bm7OziO
> > fXdjvVxVAT9nYaiSPRkQgmX6xBO9ktjlt6eetyba+OXuX1W0H+ki9k9I
> > CVQo/VERsXEmoV+obOj1ffqRcTcjkrmQAoVoM5y93qNLBwt8SrCBjMLS swU=
> > a.ns.nic.cz. 1800 IN RRSIG AAAA 5 4 1800
> > 20160531144958 20160518035002 37152 nic.cz.
> > 1RLUU4lIhPy5sbDJF0w4ydp56lhlBGLta7MlGi3FNZJ06jX1KFQ6WqaF
> > NDrKiBqqTRs5lU2HL1tl0D4Y01QKMlpRBUI29k1fVniKWXhjLsxe7sv+
> > ikpWfP4fPume9+sMmbYi9lDnxF4LF7aV1g9QkLOS5OC4R9dySIHePLuN c/g=
> > b.ns.nic.cz. 1800 IN RRSIG A 5 4 1800 20160531200746
> > 20160518035002 37152 nic.cz.
> > 4Gg3+dtnHlvGxgfEU0dtWZMXU7cKISFOfWwQWWdJzkjwTIT2NagmnmEr
> > u8dfUkSPitwngS7JmXwSIkI4lLe51BCnfYIPBEm44yuV80if0/GUw3I9
> > 4i4LiXwbv5SsqMzqMlMOIX7zyX1b4S/hgclLLMUVjNoTiDBkCgXR+kP1 eDg=
> >
> >> —Michael
>

_______________________________________________
Pdns-users mailing list
[email protected]
https://mailman.powerdns.com/mailman/listinfo/pdns-users
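The two signals the thread relies on, the DO bit that dig +dnssec sets in the query's OPT record (and that a server echoes back), and the AD bit a validating recursor sets in the header, can both be read straight off a wire-format response. This is an added example, not code from the thread or from PowerDNS, using only the standard library on a constructed response; the name, address and signature bytes are made up, and it counts RRSIGs without verifying them.

```python
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
AD_FLAG = 0x0020   # "Authentic Data" bit in the DNS header flags word
DO_FLAG = 0x8000   # "DNSSEC OK" bit, carried in the OPT record's TTL field

def _name(s):
    """Encode a dotted name in uncompressed wire format."""
    return b"".join(bytes([len(l)]) + l.encode() for l in s.strip(".").split(".")) + b"\x00"

def _skip_name(msg, off):
    """Return the offset just past a wire-format name (labels or a compression pointer)."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:        # two-byte compression pointer ends the name
            return off + 2
        off += n + 1

def summarize_dnssec(msg):
    """What a client can learn from a response: AD bit, DO bit, number of RRSIG records."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                     # question section: name + type + class
        off = _skip_name(msg, off) + 4
    rrsigs, do = 0, False
    for _ in range(an + ns + ar):           # answer, authority and additional sections
        off = _skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_RRSIG:
            rrsigs += 1
        elif rtype == TYPE_OPT:             # EDNS: the "TTL" field holds the DO bit
            do = bool(ttl & DO_FLAG)
    return {"ad": bool(flags & AD_FLAG), "do": do, "rrsigs": rrsigs}

def build_response(qname, do, ad, signed):
    """Constructed sample response (made-up name, address and signature) to exercise the parser."""
    flags = 0x8180 | (AD_FLAG if ad else 0)          # QR, RD, RA, optionally AD
    rrs = [_name(qname) + struct.pack("!HHIH", TYPE_A, 1, 3600, 4) + bytes([192, 0, 2, 1])]
    if signed:                                       # RRSIG over the A RRset, dummy signature bytes
        rdata = struct.pack("!HBBIIIH", TYPE_A, 8, 3, 3600, 0, 0, 12345) + _name("example.") + b"\x00" * 16
        rrs.append(_name(qname) + struct.pack("!HHIH", TYPE_RRSIG, 1, 3600, len(rdata)) + rdata)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, DO_FLAG if do else 0, 0)   # root name, udp 1232
    header = struct.pack("!6H", 0x1234, flags, 1, len(rrs), 0, 1)
    return header + _name(qname) + struct.pack("!HH", TYPE_A, 1) + b"".join(rrs) + opt

# A validating recursor answering a +dnssec query: DO echoed, RRSIG present, AD set.
print(summarize_dnssec(build_response("www.example.", do=True, ad=True, signed=True)))
```

Without the DO bit in the query a recursor strips the RRSIGs, and AD only means the recursor on the path validated; a client should treat it as trustworthy only when that recursor is local.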
