Re: [Pdns-users] pdns-recursor 4.0.0~alpha3-1 - no DNSSEC answer?

2016-05-19 Thread Leen Besselink
On Thu, May 19, 2016 at 03:00:12PM +0200, Bit World Computing - Michael Mertel 
wrote:
> Hi,
> 

Hi,

> I’m currently trying to get a better understanding of DNSSEC. But even if I 
> enable dnssec=process in my recursor.conf, I cannot get any DNSSEC related 
> answer from it. What am I doing wrong here? I’m somewhat lost.
> 
> —
> --- direct query 
> dig @ns1.denic.de ANY www.denic.de
> ;; ANSWER SECTION:
> www.denic.de. 3600 IN A 81.91.170.12
> www.denic.de. 3600 IN RRSIG A 8 3 3600 2016060209 
> 2016051909 26155 denic.de. 
> rPMh+rMzzR2S4ZfPNlRVhhMInQ2NRJnbrVdpcu1pSiao0sNQ0cT0VtbG 
> lt5inSNmhglwvHKVug4zMHlS+LOtXeRDikzZSvL9k3oam/livEQ4MaKO 
> ZOR9PkIC8bf0bUj1Asfn2ifE9t5GmMXq6mFbP5ey38Q8bQn+nSancGwG 
> AIvwtwE0rFUh5dH9o767dE3U+wl0Phx7QgzzT68gix9YosPmSFRJnZGp 
> ICqyiViPDzmiU1WUjmpe9Vx3xHEPVHuS
> 
> ;; AUTHORITY SECTION:
> denic.de. 3600 IN NS ns2.denic.de.
> denic.de. 3600 IN NS ns3.denic.de.
> denic.de. 3600 IN NS ns1.denic.de.
> 
> ;; ADDITIONAL SECTION:
> ns1.denic.de. 3600 IN A 81.91.170.1
> ns1.denic.de. 3600 IN AAAA 2a02:568:121:6:2::2
> ns2.denic.de. 3600 IN A 78.104.145.26
> ns3.denic.de. 3600 IN A 81.91.173.19


DENIC can return whatever they want with an ANY-query, but that doesn't mean 
it's DNSSEC.

> 
> —
> — query through dnsdist —
> dig @192.168.1.5 ANY www.denic.de
> 
> ;; ANSWER SECTION:
> www.denic.de. 2083 IN A 81.91.170.12
> www.denic.de. 2083 IN RRSIG A 8 3 3600 2016060109 
> 2016051809 26155 denic.de. 
> CjMNUtYc5apXRuMLeqH+s8OoOrYyoV5r/CD0xmUNQIhT9DpS80QhB6b2 
> oMhjxPqAN4leJUbJvMv23mAOMmnqViITN5c6aLWywDBcaN4JKCwBQbD8 
> n8LxMSC2QxKM7Ypl8bQBBvPTrT9fHauXGlLcQNLWtYPQ8vD7+5XurFJm 
> YCe6ZV3KTwkzHjDJSv4tSPFLfCHuFJSMtXqLewqwNPstqzvu4DXznj6Z 
> RcYURFkGvSJsajzbVbVvDMrFO3tY6Faa
> 
> —
> — query through recursor (no forwarders, dnssec=process) —
> dig -p 5153 @192.168.1.5 ANY www.denic.de
> 
> ;; ANSWER SECTION:
> www.denic.de. 2724 IN A 81.91.170.12
> 
> —
> 
> Thanks in advance.
> 

This would be the usual way to check DNSSEC. Without:

$ dig @d.ns.nic.cz labs.nic.cz A

; <<>> DiG 9.8.1-P1 <<>> @d.ns.nic.cz labs.nic.cz A
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60824
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;labs.nic.cz.   IN  A

;; ANSWER SECTION:
labs.nic.cz. 1800 IN A 217.31.205.52

;; AUTHORITY SECTION:
nic.cz. 1800 IN NS a.ns.nic.cz.
nic.cz. 1800 IN NS b.ns.nic.cz.
nic.cz. 1800 IN NS d.ns.nic.cz.

;; ADDITIONAL SECTION:
a.ns.nic.cz. 1800 IN A 194.0.12.1
a.ns.nic.cz. 1800 IN AAAA 2001:678:f::1
b.ns.nic.cz. 1800 IN A 194.0.13.1
b.ns.nic.cz. 1800 IN AAAA 2001:678:10::1
d.ns.nic.cz. 1800 IN A 193.29.206.1
d.ns.nic.cz. 1800 IN AAAA 2001:678:1::1

With DNSSEC:

$ dig +dnssec @d.ns.nic.cz labs.nic.cz A

; <<>> DiG 9.8.1-P1 <<>> +dnssec @d.ns.nic.cz labs.nic.cz A
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54051
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 10
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;labs.nic.cz.   IN  A

;; ANSWER SECTION:
labs.nic.cz. 1800 IN A 217.31.205.52
labs.nic.cz. 1800 IN RRSIG A 5 3 1800 20160531125753 
20160518035002 37152 nic.cz. 
0xzEtxkFeiOrdU2dqdKWmltIQEHn28Rv3bZKepOFmr3EUDcQDiGtWoV4 
CRUdrcKAoP9Gjq31qqHjYd7xvKJo54jb9IMI42X6PTHe+Mm/dgyYgoQw 
wdMjd+i/oEGF9MH/6BYbviaStGK5ocAsbB49pbvJW1Fh+e8rcTiHt9tt wlU=

;; AUTHORITY SECTION:
nic.cz. 1800 IN NS a.ns.nic.cz.
nic.cz. 1800 IN NS b.ns.nic.cz.
nic.cz. 1800 IN NS d.ns.nic.cz.
nic.cz. 1800 IN RRSIG NS 5 2 1800 20160531192914 
20160518035002 37152 nic.cz. 
eddprYYJBlc+xmv1WAuOLJ8zek0G4dtXlOSx3cNp4KFwscwsKBKD07k7 
jScwCdvHZsnD2tOjDtJ0cPyMl/JffL9s4lXp5nqh7rtrTPPHMzqER3Zy 
MsY+/Nl0MJV3Z15wRzgSvnG/EjXxHLJ+vRIShWceXXhdFCt+5vR2wwng evk=

;; ADDITIONAL SECTION:
a.ns.nic.cz. 1800 IN A 194.0.12.1
a.ns.nic.cz. 1800 IN AAAA 2001:678:f::1
b.ns.nic.cz.1800
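
What `+dnssec` changes on the wire, as an added example that is not part of the original thread: the query gains an EDNS0 OPT record with the DO ("DNSSEC OK") flag, which is what dig reports as `flags: do` in the OPT pseudosection. The function names, the query ID and the sample name are choices made for this illustration.

```python
import struct

TYPE_OPT, TYPE_RRSIG = 41, 46
DO_BIT = 0x8000   # "DNSSEC OK" flag inside the OPT record's TTL field
AD_BIT = 0x0020   # "Authenticated Data" flag in the DNS header

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, dnssec_ok=False, udp_size=1232, qid=0x1234):
    """Wire-format query for `name`; dnssec_ok=True mirrors `dig +dnssec`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    if dnssec_ok:
        # OPT RR: root owner, TYPE 41, CLASS = UDP payload size,
        # TTL = ext-rcode(8) | version(8) | flags(16, DO is the top bit), RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, DO_BIT, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def summarize(msg):
    """Report the DNSSEC-relevant signals in a query or response."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4    # QTYPE + QCLASS
    info = {"ad": bool(flags & AD_BIT), "do": False, "udp": None, "rrsig": 0}
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            info["do"], info["udp"] = bool(ttl & DO_BIT), rclass
        elif rtype == TYPE_RRSIG:
            info["rrsig"] += 1
    return info

if __name__ == "__main__":
    for dnssec in (False, True):
        q = build_query("labs.nic.cz", dnssec_ok=dnssec)
        print(dnssec, len(q), summarize(q))
```

Running `summarize` over a captured response shows at a glance whether the server echoed DO, returned RRSIG records, or set AD.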

[Pdns-users] pdns-recursor 4.0.0~alpha3-1 - no DNSSEC answer?

2016-05-19 Thread Bit World Computing - Michael Mertel
Hi,

I’m currently trying to get a better understanding of DNSSEC. But even if I 
enable dnssec=process in my recursor.conf, I cannot get any DNSSEC related 
answer from it. What am I doing wrong here? I’m somewhat lost.

—
--- direct query 
dig @ns1.denic.de ANY www.denic.de
;; ANSWER SECTION:
www.denic.de. 3600 IN A 81.91.170.12
www.denic.de. 3600 IN RRSIG A 8 3 3600 2016060209 
2016051909 26155 denic.de. 
rPMh+rMzzR2S4ZfPNlRVhhMInQ2NRJnbrVdpcu1pSiao0sNQ0cT0VtbG 
lt5inSNmhglwvHKVug4zMHlS+LOtXeRDikzZSvL9k3oam/livEQ4MaKO 
ZOR9PkIC8bf0bUj1Asfn2ifE9t5GmMXq6mFbP5ey38Q8bQn+nSancGwG 
AIvwtwE0rFUh5dH9o767dE3U+wl0Phx7QgzzT68gix9YosPmSFRJnZGp 
ICqyiViPDzmiU1WUjmpe9Vx3xHEPVHuS

;; AUTHORITY SECTION:
denic.de. 3600 IN NS ns2.denic.de.
denic.de. 3600 IN NS ns3.denic.de.
denic.de. 3600 IN NS ns1.denic.de.

;; ADDITIONAL SECTION:
ns1.denic.de. 3600 IN A 81.91.170.1
ns1.denic.de. 3600 IN AAAA 2a02:568:121:6:2::2
ns2.denic.de. 3600 IN A 78.104.145.26
ns3.denic.de. 3600 IN A 81.91.173.19

—
— query through dnsdist —
dig @192.168.1.5 ANY www.denic.de

;; ANSWER SECTION:
www.denic.de. 2083 IN A 81.91.170.12
www.denic.de. 2083 IN RRSIG A 8 3 3600 2016060109 
2016051809 26155 denic.de. 
CjMNUtYc5apXRuMLeqH+s8OoOrYyoV5r/CD0xmUNQIhT9DpS80QhB6b2 
oMhjxPqAN4leJUbJvMv23mAOMmnqViITN5c6aLWywDBcaN4JKCwBQbD8 
n8LxMSC2QxKM7Ypl8bQBBvPTrT9fHauXGlLcQNLWtYPQ8vD7+5XurFJm 
YCe6ZV3KTwkzHjDJSv4tSPFLfCHuFJSMtXqLewqwNPstqzvu4DXznj6Z 
RcYURFkGvSJsajzbVbVvDMrFO3tY6Faa

—
— query through recursor (no forwarders, dnssec=process) —
dig -p 5153 @192.168.1.5 ANY www.denic.de

;; ANSWER SECTION:
www.denic.de. 2724 IN A 81.91.170.12

—

Thanks in advance.

—Michael