A few conceptual questions about dnssec.

dE .

Feb 17, 2012, 1:15:57 PM
to bind-...@lists.isc.org
Firstly, where do we get the public key for the DS records?

Second, why do I get multiple DS records in the response? --

dig +dnssec -t DS isc.org @b0.org.afilias-nst.org.

; <<>> DiG 9.8.1 <<>> +dnssec -t DS isc.org @b0.org.afilias-nst.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32385
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;isc.org.                       IN      DS

;; ANSWER SECTION:
isc.org.                86400   IN      DS      12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
isc.org.                86400   IN      DS      12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
isc.org.                86400   IN      RRSIG   DS 7 2 86400 20120309160141 20120217150141 55440 org. SHpqmMeBQAyBB5LgBcrR5FcZiWiEudop/fl7X1xgz31XG4vFFQzq57RI q0hUkWZ0dR5oBCpRC15osOXSZEwVuz3LXXUd63GpI5aoGv/OtyPI/w4Y TedgweoE9PWovcx6Ahr2WonckP2YqTsHqzxwr+VSiiMFMe2VVquTo4/v EjE=

;; Query time: 339 msec
;; SERVER: 199.19.54.1#53(199.19.54.1)
;; WHEN: Fri Feb 17 23:36:01 2012
;; MSG SIZE  rcvd: 283


Why do I get multiple RRSIG records from some servers? -



dig +dnssec -t NS yahoo.com @g.gtld-servers.net.

; <<>> DiG 9.8.1 <<>> +dnssec -t NS yahoo.com @g.gtld-servers.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35065
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;yahoo.com.                     IN      NS

;; AUTHORITY SECTION:
yahoo.com.              172800  IN      NS      ns1.yahoo.com.
yahoo.com.              172800  IN      NS      ns5.yahoo.com.
yahoo.com.              172800  IN      NS      ns2.yahoo.com.
yahoo.com.              172800  IN      NS      ns3.yahoo.com.
yahoo.com.              172800  IN      NS      ns4.yahoo.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK3O3O11OF9QR6F29BIIMK6FFD57PGE2 NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20120222012103 20120215001103 54350 com. gf6tXFAK2gwY3wjtBOuPN8Hai0kNguudAzewQLf3ZGxhbXxKoB0/+JvC yAjgBhMF9E1GIVVLmgjrkJXpMxL1n2PjAjBx/R8kZ+W+flKehXDBPmX9 TDnbrJ9EHytM6/JN4loGB1cAYeQXrN8TE3jNzWneiFYPFwgCIT21qo0l RE8=
GP1945PGQIOH4O61BM3RUL2EVN04SPIA.com. 86400 IN NSEC3 1 1 0 - GPLVOUV0V27L8DPOOBNLQU1VHFRMMPUT NS DS RRSIG
GP1945PGQIOH4O61BM3RUL2EVN04SPIA.com. 86400 IN RRSIG NSEC3 8 2 86400 20120224144059 20120217133059 54350 com. NiD8Fe9hm7I2mgfjoXph2yiODqiuS9t/ZSM9pEuZ6gP9/xM6odKAwFC+ 3egy+8F8yVjFth63MLIUOeCcwZBYKzymo4wJ2hddaddqBnNTYj0BAYXn YZdmf0OmCTvhDe5EXcIWH14DiCOjITeZR/CX3wfP8aUu9CGOYDAR8/1M /Ds=

;; ADDITIONAL SECTION:
ns1.yahoo.com.          172800  IN      A       68.180.131.16
ns5.yahoo.com.          172800  IN      A       119.160.247.124
ns2.yahoo.com.          172800  IN      A       68.142.255.16
ns3.yahoo.com.          172800  IN      A       121.101.152.99
ns4.yahoo.com.          172800  IN      A       68.142.196.63

;; Query time: 386 msec
;; SERVER: 192.42.93.30#53(192.42.93.30)
;; WHEN: Fri Feb 17 23:40:26 2012
;; MSG SIZE  rcvd: 693



Do we get an RRSIG for each RR retrieved? If so, why does -



dig +dnssec -t NS com @a.root-servers.net.

; <<>> DiG 9.8.1 <<>> +dnssec -t NS com @a.root-servers.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44852
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 16
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;com.                           IN      NS

;; AUTHORITY SECTION:
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.                    86400   IN      RRSIG   DS 8 1 86400 20120224000000 20120216230000 51201 . IuENP04r85gzobEOPGEWr+cRxuPep8KWQgp0P9e3RxVlL5ZFaSzUHjVg SQL7LMHn31FfiUDrGW9oTs3knqqGNbex+LDB9lIq17dEN3k1A+1emHcN MF6kDBCoSPiU9yvaxZkII4Omj051XyHH+5st8cpZemLgR/n+2gtDpvPV PeY=

;; ADDITIONAL SECTION:
a.gtld-servers.net.     86400   IN      AAAA    2001:503:a83e::2:30
a.gtld-servers.net.     86400   IN      A       192.5.6.30
b.gtld-servers.net.     86400   IN      AAAA    2001:503:231d::2:30
b.gtld-servers.net.     86400   IN      A       192.33.14.30
c.gtld-servers.net.     86400   IN      A       192.26.92.30
d.gtld-servers.net.     86400   IN      A       192.31.80.30
e.gtld-servers.net.     86400   IN      A       192.12.94.30
f.gtld-servers.net.     86400   IN      A       192.35.51.30
g.gtld-servers.net.     86400   IN      A       192.42.93.30
h.gtld-servers.net.     86400   IN      A       192.54.112.30
i.gtld-servers.net.     86400   IN      A       192.43.172.30
j.gtld-servers.net.     86400   IN      A       192.48.79.30
k.gtld-servers.net.     86400   IN      A       192.52.178.30
l.gtld-servers.net.     86400   IN      A       192.41.162.30
m.gtld-servers.net.     86400   IN      A       192.55.83.30

;; Query time: 192 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Fri Feb 17 23:43:09 2012
;; MSG SIZE  rcvd: 727



not return multiple RRs?

Lastly, what's the format of the DNSSEC records in the dig output?

com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766

So what's '30909 8 2'?

And in -

com.                    86400   IN      RRSIG   DS 8 1 86400 20120224000000 20120216230000 51201 . IuENP04r85gzobEOPGEWr+cRxuPep8KWQgp0P9e3RxVlL5ZFaSzUHjVg SQL7LMHn31FfiUDrGW9oTs3knqqGNbex+LDB9lIq17dEN3k1A+1emHcN MF6kDBCoSPiU9yvaxZkII4Omj051XyHH+5st8cpZemLgR/n+2gtDpvPV PeY=

What's '8 1 86400 20120224000000 20120216230000 51201'?

DNSSEC appears to be a rarely explored topic.

Gaurav kansal

Feb 17, 2012, 2:06:00 PM
to dE ., bind-...@lists.isc.org

> Firstly, where do we get the public key for the DS records?

Can you clarify your question???

> Second, why do I get multiple DS records as response?

You will always get 2 DS records in response: one for SHA-1 and a second for SHA-256.

> dig +dnssec -t DS isc.org @b0.org.afilias-nst.org.
>
> ; <<>> DiG 9.8.1 <<>> +dnssec -t DS isc.org @b0.org.afilias-nst.org.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32385
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;isc.org.                       IN      DS
>
> ;; ANSWER SECTION:
> isc.org.                86400   IN      DS      12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
> isc.org.                86400   IN      DS      12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
> isc.org.                86400   IN      RRSIG   DS 7 2 86400 20120309160141 20120217150141 55440 org. SHpqmMeBQAyBB5LgBcrR5FcZiWiEudop/fl7X1xgz31XG4vFFQzq57RI q0hUkWZ0dR5oBCpRC15osOXSZEwVuz3LXXUd63GpI5aoGv/OtyPI/w4Y TedgweoE9PWovcx6Ahr2WonckP2YqTsHqzxwr+VSiiMFMe2VVquTo4/v EjE=
>
> ;; Query time: 339 msec
> ;; SERVER: 199.19.54.1#53(199.19.54.1)
> ;; WHEN: Fri Feb 17 23:36:01 2012
> ;; MSG SIZE  rcvd: 283

> Why do I get multiple RRSIG records from some servers?

You will get a single RRSIG per RRset.

> Do we get a RRSIG for each RR retrieved? If so, why does

Not for each RR, but for each RRset.

> com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
>
> Sow what's '30909 8 2'

30909 is TTL Value; 2 signifies SHA-256;

> And in -
>
> com.                    86400   IN      RRSIG   DS 8 1 86400 20120224000000 20120216230000 51201 . IuENP04r85gzobEOPGEWr+cRxuPep8KWQgp0P9e3RxVlL5ZFaSzUHjVg SQL7LMHn31FfiUDrGW9oTs3knqqGNbex+LDB9lIq17dEN3k1A+1emHcN MF6kDBCoSPiU9yvaxZkII4Omj051XyHH+5st8cpZemLgR/n+2gtDpvPV PeY=
>
> What's 8 1 86400 20120224000000 20120216230000 51201 ?

1 - SHA-1
86400 – TTL Value
20120224000000 – Signature Expire time
20120224000000 – Signature Creation Time
51201 – Key Id

Miek Gieben

Feb 17, 2012, 2:11:39 PM
to bind-...@lists.isc.org
[ Quoting <gaurav...@nic.in> at 00:36 on Feb 18 in "RE: A few conceptual..." ]
> Firstly, where do we get the public key for the DS records?
>
> Can you clarify your question???
>
>
>
> Second, why do I get multiple DS records as response? –
>
> You will always get a 2 DS Records in response. One for SHA-1 and second for
> SHA-256.

That completely depends on what is configured in the zone.

Perhaps this will help:
http://nlnetlabs.nl/publications/dnssec_howto/

grtz Miek

Gaurav kansal

Feb 17, 2012, 2:22:08 PM
to Miek Gieben, bind-...@lists.isc.org


-----Original Message-----
From: bind-users-bounces+gaurav.kansal=nic...@lists.isc.org [mailto:bind-users-bounces+gaurav.kansal=nic...@lists.isc.org] On Behalf Of Miek Gieben
Sent: Saturday, February 18, 2012 12:42 AM
To: bind-...@lists.isc.org
Subject: Re: A few conceptual question about dnssec.

[ Quoting <gaurav...@nic.in> at 00:36 on Feb 18 in "RE: A few conceptual..." ]
> Firstly, where do we get the public key for the DS records?
>
> Can you clarify your question???
>
> Second, why do I get multiple DS records as response? –
>
> You will always get a 2 DS Records in response. One for SHA-1 and
> second for SHA-256.

That completely depends on what is configured in the zone.

But I think it is recommended that you should always put 2 DS records in your zone file corresponding to each child zone,
one for SHA-1 and a second for SHA-256.

That's why we always get 2 DS records from the ROOT servers pointing to TLDs.

Tony Finch

Feb 17, 2012, 4:11:14 PM
to dE ., bind-...@lists.isc.org
dE . <de.t...@gmail.com> wrote:

> Firstly, where do we get the public key for the DS records?

A zone's DNSKEY RRset contains its public keys, and these are hashed to
make its DS records. For example,

$ dig +nottl +noall +answer DS isc.org | perl -pe 's/\s+(?!$)/ /g'
isc.org. IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
isc.org. IN DS 12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
$ dig DNSKEY isc.org | dnssec-dsfromkey -f /dev/stdin isc.org
isc.org. IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
isc.org. IN DS 12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5

> Why do I get multiple RRSIG records from some servers? -

When you ask a GTLD server for the yahoo.com delegation NS records, you
also get two NSEC3 records that bracket the yahoo.com delegation to prove
it is insecure (no DS record), and an RRSIG record for each NSEC3 record.

> Do we get a RRSIG for each RR retrieved?

No, one per RRset, where an RRset is all the records with the same name,
class, and type.

> Lastly, what's the format for the output dis DNSSEC records?

See RFC 4034.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Shannon, Rockall, Malin, Hebrides, Bailey: Southwest, veering northwest, 6 to
gale 8, occasionally severe gale 9, except in Shannon and Malin. Very rough or
high, occasionally very high in Rockall and Bailey, but rough at first in
Shannon. Rain then squally snow showers. Moderate, occasionally poor.
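The NSEC3 bracketing Tony describes can be replayed offline. The following is an added example (not code from the thread or from BIND) that hashes a name the way RFC 5155 does and checks the two NSEC3 records from the g.gtld-servers.net response quoted earlier: one must match the closest encloser (com.) and one opt-out record must cover the hash of yahoo.com. The NSEC3 parameters (hash algorithm 1 = SHA-1, flags 1 = opt-out, 0 iterations, empty salt "-") and owner hashes are taken from that response; the short hashes used to exercise the wrap-around case are constructed.

```python
"""NSEC3 hashing and the 'covering' test behind an insecure-delegation proof (RFC 5155)."""
import hashlib

B32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"   # RFC 4648 base32hex, the NSEC3 owner alphabet


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of a name: length-prefixed labels ending in 0x00."""
    labels = [l.encode("ascii") for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def base32hex(data: bytes) -> str:
    """Encode without padding; 20 SHA-1 bytes are exactly 32 base32hex characters."""
    assert (len(data) * 8) % 5 == 0, "only whole-character inputs are handled here"
    bits, nchars = int.from_bytes(data, "big"), len(data) * 8 // 5
    return "".join(B32HEX[(bits >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def nsec3_hash(name: str, salt_hex: str = "-", iterations: int = 0) -> str:
    """RFC 5155 s5: H(name || salt), re-hashed 'iterations' times; '-' means an empty salt."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def nsec3_covers(owner_hash: str, next_hash: str, h: str) -> bool:
    """True if h lies strictly between owner and next; the last record in the zone wraps around."""
    owner_hash, next_hash, h = owner_hash.upper(), next_hash.upper(), h.upper()
    if owner_hash < next_hash:
        return owner_hash < h < next_hash
    return h > owner_hash or h < next_hash      # interval crosses the end of the hash ring


def parse_nsec3(line: str) -> dict:
    """'<hash>.com. 86400 IN NSEC3 1 1 0 - <next> NS SOA ...' -> named fields."""
    f = line.split()
    i = f.index("NSEC3")
    return {"owner_hash": f[0].split(".")[0].upper(), "hash_alg": int(f[i + 1]),
            "flags": int(f[i + 2]), "iterations": int(f[i + 3]), "salt": f[i + 4],
            "next_hash": f[i + 5].upper(), "types": f[i + 6:]}


def prove_insecure_delegation(zone: str, child: str, nsec3_lines) -> list:
    """Validator's check for an opt-out insecure delegation (RFC 5155 s8.9).

    One NSEC3 must match the closest encloser (the zone apex here) and one NSEC3
    with the opt-out flag must cover the next closer name (the child).  Returns
    the failed steps; an empty list means the proof holds.
    """
    recs = [parse_nsec3(l) for l in nsec3_lines]
    problems = []
    params = {(r["hash_alg"], r["iterations"], r["salt"]) for r in recs}
    if len(params) != 1:
        problems.append("NSEC3 parameters differ between records")
    _, iters, salt = next(iter(params))
    h_zone, h_child = (nsec3_hash(n, salt, iters) for n in (zone, child))
    if not any(r["owner_hash"] == h_zone for r in recs):
        problems.append("no NSEC3 matching the closest encloser")
    if not any(r["flags"] & 1 and nsec3_covers(r["owner_hash"], r["next_hash"], h_child)
               for r in recs):
        problems.append("no opt-out NSEC3 covering the child")
    return problems


# The two NSEC3 records from the yahoo.com delegation response quoted in the thread.
YAHOO_NSEC3 = [
    "CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK3O3O11OF9QR6F29BIIMK6FFD57PGE2 NS SOA RRSIG DNSKEY NSEC3PARAM",
    "GP1945PGQIOH4O61BM3RUL2EVN04SPIA.com. 86400 IN NSEC3 1 1 0 - GPLVOUV0V27L8DPOOBNLQU1VHFRMMPUT NS DS RRSIG",
]

if __name__ == "__main__":
    print("H(com.)       =", nsec3_hash("com."))
    print("H(yahoo.com.) =", nsec3_hash("yahoo.com."))
    print("proof problems:", prove_insecure_delegation("com.", "yahoo.com.", YAHOO_NSEC3) or "none")
```

The first record is the apex NSEC3 (its type bitmap carries SOA and NSEC3PARAM), so its owner hash must equal H(com.); the second, with the opt-out flag set, is the one whose interval contains H(yahoo.com.). Each of those records comes with its own RRSIG, which is why the delegation response carries two signatures although the NS RRset itself is unsigned.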

dE .

Feb 18, 2012, 11:35:45 AM
to bind-...@lists.isc.org
On 02/18/12 00:36, Gaurav kansal wrote:
> > Firstly, where do we get the public key for the DS records?
>
> Can you clarify your question???

The DS record is a signature, right? It has to be decrypted using a public key and the decrypted hash has to be compared to the DNSKEY's hash.

So what I'm asking for here is, where do we get this public key from?

> > Second, why do I get multiple DS records as response?
>
> You will always get a 2 DS Records in response. One for SHA-1 and second for SHA-256.
>
> > Lastly, what's the format for the output dis DNSSEC records?
> >
> > com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
> >
> > Sow what's '30909 8 2'
>
> 30909 is TTL Value; 2 signifies SHA-256;
>
> > And in -
> >
> > com.                    86400   IN      RRSIG   DS 8 1 86400 20120224000000 20120216230000 51201 . IuENP04r85gzobEOPGEWr+cRxuPep8KWQgp0P9e3RxVlL5ZFaSzUHjVg SQL7LMHn31FfiUDrGW9oTs3knqqGNbex+LDB9lIq17dEN3k1A+1emHcN MF6kDBCoSPiU9yvaxZkII4Omj051XyHH+5st8cpZemLgR/n+2gtDpvPV PeY=
> >
> > What's 8 1 86400 20120224000000 20120216230000 51201 ?
>
> 1- SHA-1
> 86400 – TTL Value
> 20120224000000 – Signature Expire time
> 20120224000000 – Signature Creation Time
> 51201 – Key Id
>
> > DNSSEC appears to be a rarely explored topic.


Thanks for the answer! That cleared up a lot of things.

Another thing I forgot to ask: in -

com.                    86400   IN      RRSIG   DS 8 1 86400 20120224000000 20120216230000 51201 . IuENP04r85gzobEOPGEWr+cRxuPep8KWQgp0P9e3RxVlL5ZFaSzUHjVg SQL7LMHn31FfiUDrGW9oTs3knqqGNbex+LDB9lIq17dEN3k1A+1emHcN MF6kDBCoSPiU9yvaxZkII4Omj051XyHH+5st8cpZemLgR/n+2gtDpvPV PeY=

what does the DS signify here? The RRSIG for the returned DS RRset?

If this is so, why does -


not return an RRSIG for the NS RRset?

Axel Rau

Feb 18, 2012, 11:44:05 AM
to dE ., bind-...@lists.isc.org

Am 18.02.2012 um 17:35 schrieb dE .:

> The DS record is a signature right?
No, it's the hash of a DNSKEY (KSK) in the child zone. The DS is signed with an RRSIG.

Axel
---
PGP-Key:29E99DD6 ☀ +49 151 2300 9283 ☀ computing @ chaos claudius
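What Axel and Tony describe, as an added example (not code from the thread or from BIND): derive DS records from a DNSKEY the way dnssec-dsfromkey does, following RFC 4034 section 5.1.4 (digest over the owner name in wire format followed by the DNSKEY RDATA) and Appendix B (key tag), then check a parent's DS against the child's key the way a validator does at a delegation. The DNSKEY below is a constructed placeholder for a made-up example.org (its four key bytes are not a real RSA key), so the output will not match the isc.org 12892 records shown in the thread.

```python
"""DS from DNSKEY (RFC 4034 s5.1.4, App. B) and the delegation check a validator performs."""
import base64
import hashlib
import struct

# RFC 4034 Appendix A.2 digest types: the table SHA-1 and SHA-256 actually live in.
DIGEST_TYPES = {1: ("SHA-1", hashlib.sha1), 2: ("SHA-256", hashlib.sha256)}


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name: length-prefixed labels ending in 0x00."""
    labels = [l.encode("ascii") for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def parse_dnskey(line: str):
    """'owner [ttl] IN DNSKEY flags proto alg base64...' -> (owner, RDATA bytes)."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))   # dig may split the key with spaces
    return fields[0], struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit checksum over the DNSKEY RDATA (all algorithms except RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_records(dnskey_line: str, digest_types=(1, 2)):
    """DS presentation lines 'owner IN DS keytag alg dtype HEX', one per digest type."""
    owner, rdata = parse_dnskey(dnskey_line)
    alg, tag = rdata[3], key_tag(rdata)
    out = []
    for dt in digest_types:
        digest = DIGEST_TYPES[dt][1](name_to_wire(owner) + rdata).hexdigest().upper()
        out.append(f"{owner} IN DS {tag} {alg} {dt} {digest}")
    return out


def parse_ds(line: str):
    fields = line.split()
    i = fields.index("DS")
    tag, alg, dt = (int(x) for x in fields[i + 1:i + 4])
    return tag, alg, dt, "".join(fields[i + 4:]).upper()   # dig breaks long digests with a space


def ds_matches(ds_line: str, dnskey_line: str) -> bool:
    """Delegation check: does the parent's DS identify and hash to the child's DNSKEY?"""
    tag, alg, dt, digest = parse_ds(ds_line)
    owner, rdata = parse_dnskey(dnskey_line)
    if dt not in DIGEST_TYPES or alg != rdata[3] or tag != key_tag(rdata):
        return False
    return DIGEST_TYPES[dt][1](name_to_wire(owner) + rdata).hexdigest().upper() == digest


# Constructed KSK for a made-up zone: flags 257 (SEP bit set), protocol 3, algorithm 8.
# "AQIDBA==" decodes to bytes 01 02 03 04; a placeholder, not a usable RSA public key.
SAMPLE_DNSKEY = "example.org. 3600 IN DNSKEY 257 3 8 AQIDBA=="

if __name__ == "__main__":
    for ds in ds_records(SAMPLE_DNSKEY):   # same two lines dnssec-dsfromkey would print
        print(ds)
```

Nothing here is decrypted: the DS is a plain hash, and what protects it is the RRSIG over the DS RRset made with the parent zone's key. The key tag is only a hint for selecting which DNSKEY to try; the digest comparison is the actual check.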

dE .

Feb 18, 2012, 11:51:50 AM
to bind-...@lists.isc.org
On 02/18/12 02:41, Tony Finch wrote:
> dE .<de.t...@gmail.com> wrote:
>
>> Firstly, where do we get the public key for the DS records?
> A zone's DNSKEY RRset contains its public keys, and these are hashed to
> make its DS records. For example,
>
> $ dig +nottl +noall +answer DS isc.org | perl -pe 's/\s+(?!$)/ /g'
> isc.org. IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
> isc.org. IN DS 12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
> $ dig DNSKEY isc.org | dnssec-dsfromkey -f /dev/stdin isc.org
> isc.org. IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
> isc.org. IN DS 12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
>

Ok, so the DS record is not encrypted.

Now, I got a feeling that this fact will add some major security
implications.

>> Why do I get multiple RRSIG records from some servers? -
> When you ask a GTLD server for the yahoo.com delegation NS records, you
> also get two NSEC3 records that bracket the yahoo.com delegation to prove
> it is insecure (no DS record), and an RRSIG record for each NSEC3 record.
>
>> Do we get a RRSIG for each RR retrieved?
> No, one per RRset, where an RRset is all the records with the same name,
> class, and type.
>
>> Lastly, what's the format for the output dis DNSSEC records?
> See RFC 4034.
>
> Tony.

Thanks!

dE .

Feb 18, 2012, 11:52:34 AM
to bind-...@lists.isc.org
Thanks for the clarification.

Phil Mayers

Feb 18, 2012, 12:13:45 PM
to bind-...@lists.isc.org
On 02/18/2012 04:35 PM, dE . wrote:
> On 02/18/12 00:36, Gaurav kansal wrote:
>>
>> Firstly, where do we get the public key for the DS records?
>>
>> Can you clarify your question???
>>
>>
>
> The DS record is a signature right?

Wrong.

You're asking a lot of basic questions here. Maybe you could go off and
read the applicable RFCs - they're quite well written - rather than
asking us to explain them for you?

dE .

Feb 18, 2012, 3:25:01 PM
to bind-...@lists.isc.org
On 02/18/12 22:55, Jeremy C. Reed wrote:
> I started writing a book introducing DNSSEC a few years ago. Would you
> like to read a draft of it?

Book on DNSSEC? Ok. Thanks.

Tony Finch

Feb 20, 2012, 7:34:05 AM
to dE ., bind-...@lists.isc.org
dE . <de.t...@gmail.com> wrote:
>
> Ok, so the DS record is not encrypted.

DNSSEC is about signatures: nothing is encrypted. DS records are signed:
a DS RRset has an RRSIG. For example,

; <<>> DiG 9.8.1-P1 <<>> +multi +dnssec DS isc.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53813
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;isc.org. IN DS

;; ANSWER SECTION:
isc.org. 86382 IN DS 12892 5 1 (
982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759 )
isc.org. 86382 IN DS 12892 5 2 (
F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F
0EB5C777586DE18DA6B5 )
isc.org. 86382 IN RRSIG DS 7 2 86400 20120309160141 (
20120217150141 55440 org.
SHpqmMeBQAyBB5LgBcrR5FcZiWiEudop/fl7X1xgz31X
G4vFFQzq57RIq0hUkWZ0dR5oBCpRC15osOXSZEwVuz3L
XXUd63GpI5aoGv/OtyPI/w4YTedgweoE9PWovcx6Ahr2
WonckP2YqTsHqzxwr+VSiiMFMe2VVquTo4/vEjE= )

;; Query time: 9 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Feb 20 12:33:26 2012
;; MSG SIZE rcvd: 283

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Dover, Wight, Portland, Plymouth: Southwesterly 4 or 5, increasing 6 or 7
later. Slight becoming moderate. Mainly fair. Mainly good.

dE .

Mar 3, 2012, 2:17:37 AM
to bind-...@lists.isc.org
On 02/18/12 00:36, Gaurav kansal wrote:
> > Firstly, where do we get the public key for the DS records?
>
> Can you clarify your question???
>
> > Second, why do I get multiple DS records as response?
>
> You will always get a 2 DS Records in response. One for SHA-1 and second for SHA-256.

I was reading the RFCs, but according to that, there's no provision for SHA-256. According to RFC 4034, 1 means MD5 and 2 means Diffie-Hellman (appendix A.1).

dE .

Mar 3, 2012, 2:23:36 AM
to bind-...@lists.isc.org
> I was reading the RFCs, but according to that, there's no provision for SHA-256. According to RFC 4034, 1 means MD5 and 2 means Diffie-Hellman (appendix A.1)

Oops... sorry about that, got it. It was A.2

Kevin Oberman

Mar 3, 2012, 11:51:40 AM
to dE ., bind-...@lists.isc.org
On Fri, Mar 2, 2012 at 11:17 PM, dE . <de.t...@gmail.com> wrote:
> On 02/18/12 00:36, Gaurav kansal wrote:
>
>
>
>
>
> Firstly, where do we get the public key for the DS records?
>
> Can you clarify your question???
>
>
>
> Second, why do I get multiple DS records as response? –
>
> You will always get a 2 DS Records in response. One for SHA-1 and second for
> SHA-256.
>
>
> I was reading the RFCs, but according to that, there's no provision of
> SHA-256. According to RFC 4034, 1 means MD5 and 2 means Diffie-Hellman
> (appendix A1)

And RFC 4034 is seven years old. No SHA256 back then.

See RFC6014 which allows IANA to assign new algorithm numbers as
needed without a new RFC. SHA256 is the current preferred algorithm,
while SHA-1 is still routinely used as some DNSSEC software may not
support SHA256 yet. Both MD5 and Diffie-Hellman are obsolete. I
suspect SHA-1 will be deprecated soon. I am unaware of any DNSSEC
software that does not support SHA256 at this time, but I suspect
someone, somewhere is running it.
--
R. Kevin Oberman, Network Engineer
E-mail: kob...@gmail.com

Mark Andrews

Mar 3, 2012, 3:48:54 PM
to Kevin Oberman, bind-...@isc.org

In message <CAN6yY1vu9ecaBviNdLmPuFQf...@mail.gmail.com>
, Kevin Oberman writes:
> On Fri, Mar 2, 2012 at 11:17 PM, dE . <de.t...@gmail.com> wrote:
> > On 02/18/12 00:36, Gaurav kansal wrote:
> >
> >
> >
> >
> >
> > Firstly, where do we get the public key for the DS records?
> >
> > Can you clarify your question???
> >
> >
> >
> > Second, why do I get multiple DS records as response? –
> >
> > You will always get a 2 DS Records in response. One for SHA-1 and second for
> > SHA-256.
> >
> >
> > I was reading the RFCs, but according to that, there's no provision of
> > SHA-256. According to RFC 4034, 1 means MD5 and 2 means Diffie-Hellman
> > (appendix A1)
>
> And RFC 4034 is seven years old. No SHA256 back then.
>
> See RFC6014 which allows IANA to assign new algorithm numbers as
> needed without a new RFC. SHA256 is the current preferred algorithm,
> while SHA-1 is still routinely used as some DNSSEC software may not
> support SHA256 yet. Both MD5 and Diffie-Hellman are obsolete. I
> suspect SHA-1 will be deprecated soon. I am unaware of any DNSSEC
> software that does not support SHA256 at this time, but I suspect
> someone, somewhere is running it.

Additionally it helps to read the correct table, "A.2. DNSSEC Digest Types".
SHA1 and SHA256 refer to digest types.

RSAMD5 (not just MD5) and Diffie-Hellman are DNSSEC Algorithm Types.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
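To make the two registries Mark distinguishes concrete, here is an added example (not code from the thread or from BIND) that decodes the numeric fields of DS and RRSIG records exactly as dig prints them, naming each field per RFC 4034 sections 5.1 and 3.1, and runs the pre-cryptographic sanity checks a validator applies to an RRSIG. The record texts are the ones from the dig output quoted earlier in the thread (the root's DS for com., the org. signature over isc.org's DS); the "now" timestamps passed to rrsig_checks() are constructed so the validity check is reproducible offline.

```python
"""Decode DS and RRSIG presentation format (RFC 4034 ss.3.1, 5.1) and sanity-check an RRSIG."""
from datetime import datetime, timezone

# RFC 4034 Appendix A.1 registry (with later IANA assignments): the *algorithm* field
# shared by DNSKEY, RRSIG and DS.  This is the table that has RSAMD5 and DH in it.
ALGORITHMS = {1: "RSAMD5", 2: "DH", 3: "DSA", 5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1",
              8: "RSASHA256", 10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384"}
# RFC 4034 Appendix A.2 registry (SHA-256 added by RFC 4509, SHA-384 by RFC 6605):
# the DS *digest type* field, a separate registry whose numbers overlap with the one above.
DIGEST_TYPES = {1: "SHA-1", 2: "SHA-256", 4: "SHA-384"}


def _owner_and_rdata(line: str, rtype: str):
    """Split a presentation-format line at the type mnemonic; dig's column spacing is irrelevant."""
    fields = line.split()
    i = fields.index(rtype)
    return fields[0], fields[i + 1:]


def decode_ds(line: str) -> dict:
    """'com. 86400 IN DS 30909 8 2 E2D3...' -> key tag, algorithm, digest type, digest.

    30909 is the key tag of the child's DNSKEY (RFC 4034 App. B), not a TTL; the TTL is
    the 86400 in front of 'IN'.  8 is the DNSKEY algorithm, 2 the digest type.
    """
    owner, f = _owner_and_rdata(line, "DS")
    tag, alg, dt = int(f[0]), int(f[1]), int(f[2])
    return {"owner": owner, "key_tag": tag,
            "algorithm": ALGORITHMS.get(alg, f"alg{alg}"),
            "digest_type": DIGEST_TYPES.get(dt, f"dtype{dt}"),
            "digest": "".join(f[3:]).upper()}   # dig breaks long digests with a space


def _sigtime(s: str) -> datetime:
    """RRSIG times are YYYYMMDDHHmmSS in UTC: absolute instants, not TTLs."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def decode_rrsig(line: str) -> dict:
    """'com. 86400 IN RRSIG DS 8 1 86400 20120224000000 20120216230000 51201 . <b64>'."""
    owner, f = _owner_and_rdata(line, "RRSIG")
    alg = int(f[1])
    return {"owner": owner,
            "type_covered": f[0],          # the RRset type this signature is over
            "algorithm": ALGORITHMS.get(alg, f"alg{alg}"),
            "labels": int(f[2]),           # label count of the signed owner name (wildcard hint)
            "original_ttl": int(f[3]),     # TTL the RRset had when it was signed
            "expiration": _sigtime(f[4]),
            "inception": _sigtime(f[5]),
            "key_tag": int(f[6]),          # key tag of the DNSKEY that produced the signature
            "signer": f[7],                # zone whose DNSKEY signed it (the parent, for a DS)
            "signature": "".join(f[8:])}


def rrsig_checks(sig: dict, now: str, expected_type: str = None) -> list:
    """Pre-crypto checks a validator applies to an RRSIG (RFC 4035 s5.3.1).

    'now' uses the record's own YYYYMMDDHHmmSS form.  Returns the failed checks; an
    empty list means the signature is worth spending a public-key verification on.
    """
    problems = []
    if expected_type and sig["type_covered"] != expected_type:
        problems.append(f"covers {sig['type_covered']}, not {expected_type}")
    if not sig["inception"] <= _sigtime(now) <= sig["expiration"]:
        problems.append("outside validity window")
    owner = sig["owner"].rstrip(".")
    owner_labels = 0 if owner == "" else len(owner.split("."))
    if sig["labels"] > owner_labels:
        problems.append("labels field exceeds owner name label count")
    signer = sig["signer"].rstrip(".")
    if signer and not (owner == signer or owner.endswith("." + signer)):
        problems.append("signer is not the owner or an ancestor of it")
    return problems


# Records as they appear in the thread's dig output (root -> com delegation, org -> isc.org).
COM_DS = ("com. 86400 IN DS 30909 8 2 "
          "E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766")
COM_DS_RRSIG = ("com. 86400 IN RRSIG DS 8 1 86400 20120224000000 20120216230000 51201 . "
                "IuENP04r85gzobEOPGEWr+cRxuPep8KWQgp0P9e3RxVlL5ZFaSzUHjVg "
                "SQL7LMHn31FfiUDrGW9oTs3knqqGNbex+LDB9lIq17dEN3k1A+1emHcN "
                "MF6kDBCoSPiU9yvaxZkII4Omj051XyHH+5st8cpZemLgR/n+2gtDpvPV PeY=")
ISC_DS_SHA1 = "isc.org. 86400 IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759"
ISC_DS_RRSIG = ("isc.org. 86400 IN RRSIG DS 7 2 86400 20120309160141 20120217150141 55440 org. "
                "SHpqmMeBQAyBB5LgBcrR5FcZiWiEudop/fl7X1xgz31XG4vFFQzq57RI "
                "q0hUkWZ0dR5oBCpRC15osOXSZEwVuz3LXXUd63GpI5aoGv/OtyPI/w4Y "
                "TedgweoE9PWovcx6Ahr2WonckP2YqTsHqzxwr+VSiiMFMe2VVquTo4/v EjE=")

if __name__ == "__main__":
    for ds in (COM_DS, ISC_DS_SHA1):
        print(decode_ds(ds))
    for line in (COM_DS_RRSIG, ISC_DS_RRSIG):
        s = decode_rrsig(line)
        print(s["owner"], "RRSIG over", s["type_covered"], "signed by", s["signer"],
              "key", s["key_tag"], "->", rrsig_checks(s, "20120217180000", "DS") or "ok")
```

Two things the output makes visible: the DS signature for com. is made by the root (signer ".", key tag 51201), not by com. itself, which is why the root answer carries an RRSIG for the DS RRset but none for the unsigned NS RRset; and the same number means different things in the two registries (algorithm 1 is RSAMD5 in A.1, digest type 1 is SHA-1 in A.2), which is exactly the confusion the last few messages untangle.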