[Pdns-users] pdns-recursor 4.0.0~alpha3-1 - no DNSSEC answer?

Bit World Computing - Michael Mertel michael.mertel at bwc.de
Fri May 20 06:10:23 UTC 2016


Hi Leen,

thanks for clearing this up. My approach was a bit too naive, but my recursor is now returning what's expected.

The +dnssec parameter is the essential trick, and depending on dnssec=off or =process in my recursor.conf the recursor is returning the correct information.

Thanks for your feedback.

—Michael


> On 19.05.2016 at 17:36, Leen Besselink <leen at consolejunkie.net> wrote:
> 
> On Thu, May 19, 2016 at 03:00:12PM +0200, Bit World Computing - Michael Mertel wrote:
>> Hi,
>> 
> 
> Hi,
> 
>> I'm currently trying to get a better understanding of DNSSEC. But even if I enable dnssec=process in my recursor.conf, I cannot get any DNSSEC-related answer from it. What am I doing wrong here? I'm somewhat lost.
>> 
>> —————————————————————————————————————
>> --- direct query ----
>> dig @ns1.denic.de ANY www.denic.de
>> ;; ANSWER SECTION:
>> www.denic.de.		3600	IN	A	81.91.170.12
>> www.denic.de.		3600	IN	RRSIG	A 8 3 3600 20160602090000 20160519090000 26155 denic.de. rPMh+rMzzR2S4ZfPNlRVhhMInQ2NRJnbrVdpcu1pSiao0sNQ0cT0VtbG lt5inSNmhglwvHKVug4zMHlS+LOtXeRDikzZSvL9k3oam/livEQ4MaKO ZOR9PkIC8bf0bUj1Asfn2ifE9t5GmMXq6mFbP5ey38Q8bQn+nSancGwG AIvwtwE0rFUh5dH9o767dE3U+wl0Phx7QgzzT68gix9YosPmSFRJnZGp ICqyiViPDzmiU1WUjmpe9Vx3xHEPVHuS
>> 
>> ;; AUTHORITY SECTION:
>> denic.de.		3600	IN	NS	ns2.denic.de.
>> denic.de.		3600	IN	NS	ns3.denic.de.
>> denic.de.		3600	IN	NS	ns1.denic.de.
>> 
>> ;; ADDITIONAL SECTION:
>> ns1.denic.de.		3600	IN	A	81.91.170.1
>> ns1.denic.de.		3600	IN	AAAA	2a02:568:121:6:2::2
>> ns2.denic.de.		3600	IN	A	78.104.145.26
>> ns3.denic.de.		3600	IN	A	81.91.173.19
> 
> 
> DENIC can return whatever they want with an ANY-query, but that doesn't mean it's DNSSEC.
> 
>> 
>> —————————————————————————————————————
>> — query through dnsdist —
>> dig @192.168.1.5 ANY www.denic.de
>> 
>> ;; ANSWER SECTION:
>> www.denic.de.		2083	IN	A	81.91.170.12
>> www.denic.de.		2083	IN	RRSIG	A 8 3 3600 20160601090000 20160518090000 26155 denic.de. CjMNUtYc5apXRuMLeqH+s8OoOrYyoV5r/CD0xmUNQIhT9DpS80QhB6b2 oMhjxPqAN4leJUbJvMv23mAOMmnqViITN5c6aLWywDBcaN4JKCwBQbD8 n8LxMSC2QxKM7Ypl8bQBBvPTrT9fHauXGlLcQNLWtYPQ8vD7+5XurFJm YCe6ZV3KTwkzHjDJSv4tSPFLfCHuFJSMtXqLewqwNPstqzvu4DXznj6Z RcYURFkGvSJsajzbVbVvDMrFO3tY6Faa
>> 
>> —————————————————————————————————————
>> — query through recursor (no forwarders, dnssec=process) —
>> dig -p 5153 @192.168.1.5 ANY www.denic.de
>> 
>> ;; ANSWER SECTION:
>> www.denic.de.		2724	IN	A	81.91.170.12
>> 
>> —————————————————————————————————————
>> 
>> Thanks in advance.
>> 
> 
> This would be the usual way to check DNSSEC. Without:
> 
> $ dig @d.ns.nic.cz labs.nic.cz A
> 
> ; <<>> DiG 9.8.1-P1 <<>> @d.ns.nic.cz labs.nic.cz A
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60824
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;labs.nic.cz.                   IN      A
> 
> ;; ANSWER SECTION:
> labs.nic.cz.            1800    IN      A       217.31.205.52
> 
> ;; AUTHORITY SECTION:
> nic.cz.                 1800    IN      NS      a.ns.nic.cz.
> nic.cz.                 1800    IN      NS      b.ns.nic.cz.
> nic.cz.                 1800    IN      NS      d.ns.nic.cz.
> 
> ;; ADDITIONAL SECTION:
> a.ns.nic.cz.            1800    IN      A       194.0.12.1
> a.ns.nic.cz.            1800    IN      AAAA    2001:678:f::1
> b.ns.nic.cz.            1800    IN      A       194.0.13.1
> b.ns.nic.cz.            1800    IN      AAAA    2001:678:10::1
> d.ns.nic.cz.            1800    IN      A       193.29.206.1
> d.ns.nic.cz.            1800    IN      AAAA    2001:678:1::1
> 
> With DNSSEC:
> 
> $ dig +dnssec @d.ns.nic.cz labs.nic.cz A
> 
> ; <<>> DiG 9.8.1-P1 <<>> +dnssec @d.ns.nic.cz labs.nic.cz A
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54051
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 10
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1232
> ;; QUESTION SECTION:
> ;labs.nic.cz.                   IN      A
> 
> ;; ANSWER SECTION:
> labs.nic.cz.            1800    IN      A       217.31.205.52
> labs.nic.cz.            1800    IN      RRSIG   A 5 3 1800 20160531125753 20160518035002 37152 nic.cz. 0xzEtxkFeiOrdU2dqdKWmltIQEHn28Rv3bZKepOFmr3EUDcQDiGtWoV4 CRUdrcKAoP9Gjq31qqHjYd7xvKJo54jb9IMI42X6PTHe+Mm/dgyYgoQw wdMjd+i/oEGF9MH/6BYbviaStGK5ocAsbB49pbvJW1Fh+e8rcTiHt9tt wlU=
> 
> ;; AUTHORITY SECTION:
> nic.cz.                 1800    IN      NS      a.ns.nic.cz.
> nic.cz.                 1800    IN      NS      b.ns.nic.cz.
> nic.cz.                 1800    IN      NS      d.ns.nic.cz.
> nic.cz.                 1800    IN      RRSIG   NS 5 2 1800 20160531192914 20160518035002 37152 nic.cz. eddprYYJBlc+xmv1WAuOLJ8zek0G4dtXlOSx3cNp4KFwscwsKBKD07k7 jScwCdvHZsnD2tOjDtJ0cPyMl/JffL9s4lXp5nqh7rtrTPPHMzqER3Zy MsY+/Nl0MJV3Z15wRzgSvnG/EjXxHLJ+vRIShWceXXhdFCt+5vR2wwng evk=
> 
> ;; ADDITIONAL SECTION:
> a.ns.nic.cz.            1800    IN      A       194.0.12.1
> a.ns.nic.cz.            1800    IN      AAAA    2001:678:f::1
> b.ns.nic.cz.            1800    IN      A       194.0.13.1
> b.ns.nic.cz.            1800    IN      AAAA    2001:678:10::1
> d.ns.nic.cz.            1800    IN      A       193.29.206.1
> d.ns.nic.cz.            1800    IN      AAAA    2001:678:1::1
> a.ns.nic.cz.            1800    IN      RRSIG   A 5 4 1800 20160531092635 20160518035002 37152 nic.cz. CXDP0ZWPcrd3k8Tdot6TIr2Q5VVpop73FG79j41D7q7dQV7y1Bm7OziO fXdjvVxVAT9nYaiSPRkQgmX6xBO9ktjlt6eetyba+OXuX1W0H+ki9k9I CVQo/VERsXEmoV+obOj1ffqRcTcjkrmQAoVoM5y93qNLBwt8SrCBjMLS swU=
> a.ns.nic.cz.            1800    IN      RRSIG   AAAA 5 4 1800 20160531144958 20160518035002 37152 nic.cz. 1RLUU4lIhPy5sbDJF0w4ydp56lhlBGLta7MlGi3FNZJ06jX1KFQ6WqaF NDrKiBqqTRs5lU2HL1tl0D4Y01QKMlpRBUI29k1fVniKWXhjLsxe7sv+ ikpWfP4fPume9+sMmbYi9lDnxF4LF7aV1g9QkLOS5OC4R9dySIHePLuN c/g=
> b.ns.nic.cz.            1800    IN      RRSIG   A 5 4 1800 20160531200746 20160518035002 37152 nic.cz. 4Gg3+dtnHlvGxgfEU0dtWZMXU7cKISFOfWwQWWdJzkjwTIT2NagmnmEr u8dfUkSPitwngS7JmXwSIkI4lLe51BCnfYIPBEm44yuV80if0/GUw3I9 4i4LiXwbv5SsqMzqMlMOIX7zyX1b4S/hgclLLMUVjNoTiDBkCgXR+kP1 eDg=
> 
>> —Michael
>> _______________________________________________
>> Pdns-users mailing list
>> Pdns-users at mailman.powerdns.com
>> https://mailman.powerdns.com/mailman/listinfo/pdns-users
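
What `+dnssec` changes on the wire, as an added example that is not part of the original thread: the query gains an EDNS0 OPT record with the DO (DNSSEC OK) bit set, which tells a server the client wants RRSIG records in answers to ordinary queries such as A. The function names, query id and UDP payload size are assumptions chosen for illustration.

```python
import struct

DO_BIT = 0x8000                      # "DNSSEC OK" flag in the OPT flags field
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, dnssec_ok, qid=0x1234, udp_size=1232):
    """Build an A query; dnssec_ok=True sets the DO bit as dig +dnssec does."""
    arcount = 1 if dnssec_ok else 0
    # Header: id, flags (RD=0x0100), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    if dnssec_ok:
        # OPT pseudo-RR: root name, TYPE=41, CLASS=UDP payload size,
        # TTL = ext-rcode(8) | version(8) | flags(16), RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, DO_BIT, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past an uncompressed name (as used in queries)."""
    while msg[off] != 0:
        off += 1 + msg[off]
    return off + 1

def has_do_bit(msg):
    """Parse a query and report whether it carries an OPT record with DO set."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            return bool(ttl & DO_BIT)
        off += 10 + rdlen
    return False

if __name__ == "__main__":
    for flag in (False, True):               # constructed queries, nothing is sent
        q = build_query("www.denic.de", dnssec_ok=flag)
        print(f"dnssec_ok={flag}: {len(q)} bytes, DO set: {has_do_bit(q)}")
```

The 11 extra bytes in the second query are the whole difference between the two `dig` invocations quoted above; the `flags: do` line in the OPT PSEUDOSECTION of the reply is the server echoing the same bit.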



