Created
March 6, 2011 18:56
I for one welcome our new DNSSEC overlords!
| $ dig +nocomments +nostats +nocmd +noquestion -t dnskey . > trusted-key.key | |
| $ dig +topdown +sigchase +multiline -ta moriz.org | |
| ns name: 198.41.0.4 | |
| ns name: 192.228.79.201 | |
| ns name: 192.33.4.12 | |
| ns name: 128.8.10.90 | |
| ns name: 192.203.230.10 | |
| ns name: 192.5.5.241 | |
| ns name: 192.112.36.4 | |
| ns name: 128.63.2.53 | |
| ns name: 192.36.148.17 | |
| ns name: 192.58.128.30 | |
| ns name: 193.0.14.129 | |
| ns name: 199.7.83.42 | |
| ns name: 202.12.27.33 | |
| Launch a query to find a RRset of type A for zone: moriz.org with nameservers: | |
| . 518302 IN NS a.root-servers.net. | |
| 518302 IN NS b.root-servers.net. | |
| 518302 IN NS c.root-servers.net. | |
| 518302 IN NS d.root-servers.net. | |
| 518302 IN NS e.root-servers.net. | |
| 518302 IN NS f.root-servers.net. | |
| 518302 IN NS g.root-servers.net. | |
| 518302 IN NS h.root-servers.net. | |
| 518302 IN NS i.root-servers.net. | |
| 518302 IN NS j.root-servers.net. | |
| 518302 IN NS k.root-servers.net. | |
| 518302 IN NS l.root-servers.net. | |
| 518302 IN NS m.root-servers.net. | |
| no response but there is a delegation in authority section:org. | |
| Launch a query to find a RRset of type DNSKEY for zone: . | |
| ;; DNSKEYset: | |
| . 172800 IN DNSKEY 256 3 8 ( | |
| AwEAAb5gVAzK59YHDxf/DnswfO1RmbRZ6W16JfhFecfI | |
| +EUHRXPWlXDi47t2FHaKyMMEROapL5SZ8HiCzl05lORZ | |
| GGdN37WY7fkv55rs+kwHdVRSrQdl81fUnEspt67IIgaj | |
| 3SrGyZqgzyixNk/8oT3yEfKDycTeJy4chKPt0JegWrjL | |
| ) ; key id = 21639 | |
| 172800 IN DNSKEY 257 3 8 ( | |
| AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ | |
| bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh | |
| /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA | |
| JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp | |
| oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3 | |
| LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO | |
| Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc | |
| LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= | |
| ) ; key id = 19036 | |
| ;; RRSIG of the DNSKEYset: | |
| . 172800 IN RRSIG DNSKEY 8 0 172800 20110316235959 ( | |
| 20110302000000 19036 . | |
| IGGhnsDYejuzNgbSKfuuGKEh3NV/BDazSDUxILsG256J | |
| ih24nrl3Ks7H56ay4gt3VtjoFK9wKzwKVu2vDAJ+k/SY | |
| lAM1g9bQ06dmwqSgtZbLIJo5bkumohjdsZMQossGMzdV | |
| tg1iTZrqt+1evgWPQnsol3H25MOG6zm5xPLv21jk77Sh | |
| AVz4wFxKx9r5c14ufPsuYk4FCG5/CgeXzRKrpap1/6vC | |
| ttO9R+wJjA8Yqs62BJnTQWogGP78jn9ER8L6c0X13iQC | |
| 7dLJ788j6/TzLj7WXNlpFrlEcHJ/zEuc35F2mWjPMPuP | |
| 2b/lDHA2Q30jZe6kUjMlxlFlvlAG73Rb6w== ) | |
| ;; Ok, find a Trusted Key in the DNSKEY RRset: 21639 | |
| ;; Ok, find a Trusted Key in the DNSKEY RRset: 19036 | |
| ;; VERIFYING DNSKEY RRset for . with DNSKEY:19036: success | |
| ;; DSset: | |
| org. 86400 IN DS 21366 7 2 ( | |
| 96EEB2FFD9B00CD4694E78278B5EFDAB0A80446567B6 | |
| 9F634DA078F0D90F01BA ) | |
| 86400 IN DS 21366 7 1 ( | |
| E6C1716CFB6BDC84E84CE1AB5510DAC69173B5B2 ) | |
| ;; RRSIGset of DSset | |
| org. 86400 IN RRSIG DS 8 1 86400 20110313000000 ( | |
| 20110305230000 21639 . | |
| KT34D+pIxR0uz6/D8OWN+fh4tIbdknarx5iCoLE2+Fid | |
| YW5m3HDPoS2gi08kdjGq4SZT0cNm/uFQD69yy2kBRJP6 | |
| sA0sl7z9jgXQeJEmFVxXJt00lXSrISq7HDkZO04oFPNn | |
| 3H1YIzWu4+NmgJH3lu8CainfmwF1Dnh7RVVaT4w= ) | |
| ;; VERIFYING DS RRset for org. with DNSKEY:21639: success | |
| ns name: 199.19.57.1 | |
| ns name: 199.19.54.1 | |
| ns name: 199.249.112.1 | |
| ns name: 199.19.53.1 | |
| ns name: 199.19.56.1 | |
| ns name: 199.249.120.1 | |
| Launch a query to find a RRset of type A for zone: moriz.org with nameservers: | |
| org. 172800 IN NS d0.org.afilias-nst.org. | |
| 172800 IN NS b0.org.afilias-nst.org. | |
| 172800 IN NS a2.org.afilias-nst.info. | |
| 172800 IN NS c0.org.afilias-nst.info. | |
| 172800 IN NS a0.org.afilias-nst.info. | |
| 172800 IN NS b2.org.afilias-nst.org. | |
| no response but there is a delegation in authority section:moriz.org. | |
| Launch a query to find a RRset of type DNSKEY for zone: org. | |
| ;; Truncated, retrying in TCP mode. | |
| ;; DNSKEYset: | |
| org. 900 IN DNSKEY 256 3 7 ( | |
| AwEAAXUJw6fljkclERcqTpZH+p96dqnyGPB/OnIml0qV | |
| muKbNcSYKdTAIUd7MysKeInHKln+9RmpRdSmlXJCJ63T | |
| oera1gil++t2yjUC6ZaHgatiW2W655dVlhl+g/e20kyL | |
| L7PZHOuTjve2/4JtPP3o0eQayXXLLUSIYDqHLJE3bGH/ | |
| ) ; key id = 46002 | |
| 900 IN DNSKEY 256 3 7 ( | |
| AwEAAZMKvhAE5BARHVleVsDcGRBQBFYdfAbhixOI9a3t | |
| Z4av7wX0HB6/ZUWDp5m+WeUoR/lGNIyrp+oGMTzU4Zym | |
| sU4s1b5vZ+lUIpgF99Vji8ZcjxqcW97JFxrrWB4Bt88D | |
| c/4FxCl6KwmWCbyD8WnTh0MQajJ+mhDvw1Ib+YE3L8iD | |
| ) ; key id = 34260 | |
| 900 IN DNSKEY 257 3 7 ( | |
| AwEAAYpYfj3aaRzzkxWQqMdl7YExY81NdYSv+qayuZDo | |
| dnZ9IMh0bwMcYaVUdzNAbVeJ8gd6jq1sR3VvP/SR36mm | |
| GssbV4Udl5ORDtqiZP2TDNDHxEnKKTX+jWfytZeT7d3A | |
| bSzBKC0v7uZrM6M2eoJnl6id66rEUmQC2p9DrrDg9F6t | |
| XC9CD/zC7/y+BNNpiOdnM5DXk7HhZm7ra9E7ltL13h2m | |
| x7kEgU8e6npJlCoXjraIBgUDthYs48W/sdTDLu7N59rj | |
| CG+bpil+c8oZ9f7NR3qmSTpTP1m86RqUQnVErifrH8Kj | |
| DqL+3wzUdF5ACkYwt1XhPVPU+wSIlzbaAQN49PU= | |
| ) ; key id = 21366 | |
| 900 IN DNSKEY 257 3 7 ( | |
| AwEAAZTjbIO5kIpxWUtyXc8avsKyHIIZ+LjC2Dv8naO+ | |
| Tz6X2fqzDC1bdq7HlZwtkaqTkMVVJ+8gE9FIreGJ4c8G | |
| 1GdbjQgbP1OyYIG7OHTc4hv5T2NlyWr6k6QFz98Q4zwF | |
| IGTFVvwBhmrMDYsOTtXakK6QwHovA1+83BsUACxlidpw | |
| B0hQacbD6x+I2RCDzYuTzj64Jv0/9XsX6AYV3ebcgn4h | |
| L1jIR2eJYyXlrAoWxdzxcW//5yeL5RVWuhRxejmnSVnC | |
| uxkfS4AQ485KH2tpdbWcCopLJZs6tw8q3jWcpTGzdh/v | |
| 3xdYfNpQNcPImFlxAun3BtORPA2r8ti6MNoJEHU= | |
| ) ; key id = 9795 | |
| ;; RRSIG of the DNSKEYset: | |
| org. 900 IN RRSIG DNSKEY 7 1 900 20110315155513 ( | |
| 20110301145513 21366 org. | |
| A+NaiHVLFy84FXqs3qRYL0V/wtkGKBAZOwGgHdkgV7gz | |
| 9D7bsQVVjwF06K4fW2ikrqqcFseGUb1BaT2tFrYC+7FM | |
| Hr7j8ZLC1SVUjwaI47T6PFrVua5dYBRyiyDiNh7iMIvq | |
| GmGHhEQiWel6SQIJOdUaAp40uMJLf90ia2RxOS/O+uKo | |
| QtDBcEK8czUQQyuw27ECrzSagy2FTUUgw4rd2L3kF6QA | |
| rmAy4KATJaQuflFjg3niiFew9n+e07VelRU5nUetaAzK | |
| FHen/PU0xTAxgtQT8B65j7cu18o9wprDXjcDIgDEa6Tu | |
| Zcz19pxEjm/XYU4xQAlEOGFD5EuB0ah2PQ== ) | |
| 900 IN RRSIG DNSKEY 7 1 900 20110315155513 ( | |
| 20110301145513 46002 org. | |
| LV1q+7i7G+ZTpkV5N+wITQ/qr3Jrqid1qn8ydvr+kWFQ | |
| VnUrA/6frNx9J1fzmI/EhvxTQ71hYBgD2CjVSwDV2w4L | |
| RsyK64p2RA3rqxIt1qR/hMZWo+XSw1bQ6/OFpKIOS07y | |
| 4SyHHw/8j86J2ZQCd8ul52KSRzm4+NQrMZxWprA= ) | |
| ;; OK a DS valids a DNSKEY in the RRset | |
| ;; Now verify that this DNSKEY validates the DNSKEY RRset | |
| ;; VERIFYING DNSKEY RRset for org. with DNSKEY:21366: success | |
| ;; DSset: | |
| moriz.org. 86400 IN DS 38420 8 1 ( | |
| 0F244C102CD9090CDF1BF927841A3C8D7831865C ) | |
| ;; RRSIGset of DSset | |
| moriz.org. 86400 IN RRSIG DS 7 2 86400 20110320184937 ( | |
| 20110306174937 46002 org. | |
| XShZffZNksio0RbThzZDERrm3Np9E+gGqdrwcTlVmSTy | |
| muNLQMuFYwiV5Sxe181v0xDOqQKcfgPD+XZunBrMVpUD | |
| ncajS2fcbm7l2d2Phx6Wayn5Y2hp99Zx577XYO9lArus | |
| L2biKAoBTyQT4G8DIfyMNDoFYLFGKonNk3S8kdI= ) | |
| ;; VERIFYING DS RRset for moriz.org. with DNSKEY:46002: success | |
| Launch a query to find a RRset of type A for zone: moriz.org with nameservers: | |
| moriz.org. 86400 IN NS dnssectest2.moriz.de. | |
| 86400 IN NS dnssectest.moriz.de. | |
| Launch a query to find a RRset of type DNSKEY for zone: moriz.org. | |
| ;; DNSKEYset: | |
| moriz.org. 2546 IN DNSKEY 256 3 8 ( | |
| AwEAAbQloFFwhj3QUOBFiisxfpSa36Ocpxf+BEZF7Dve | |
| ZAfQhmOFWvhR374Iylh+QywYMpdSVPtPgl4bvLtXI8gv | |
| A+ByPiPDzqvZ3tteC0QAu/LvtsJHhCVKVoYyx8KVTgfm | |
| WuuH5hK8DlnN4lwewI1EPiv7Y3tYE1uesWT192fSRZIT | |
| ) ; key id = 47835 | |
| 2546 IN DNSKEY 256 3 8 ( | |
| AwEAAeGni4LKzoVGIkBKlXmjFVRaCJSILPe79MNQ7rgM | |
| x4FKXcdIYOsFxs/E1l89VWz6Udcuewv840jwvtLTgwRf | |
| 2ZJ5Vr6B22qDDKOmLnejyRFkuDy7H4KXMqqrQZ7zXDV0 | |
| EZ4mYHW5Vw7zV0yRj0cXwLujR45TXSbdkI6n7kt7asyd | |
| ) ; key id = 62830 | |
| 2546 IN DNSKEY 257 3 8 ( | |
| AwEAAagupz+bjinvhpKjxUbFrO/xgy+tP4ME6OCwcA5V | |
| zoeUfoLza8YwShCp7mi8y8i6v2t3JdbFFHvtKqC3az0i | |
| YlC6EsP8xr7/x09i4pyxUt2D8nm/MPfv3Q5HZYtOS9rK | |
| ApXj3t3lkvrRx27mfZPG9D7kArT1oYuuQ6tOBobMdcgm | |
| XoZ2fnEsweqbebymT/yiCvOR3hIvDkcwm4DYcUg/CzVL | |
| nHExRWLAdiU1CLiwBRBEk215ukXhyKbWLVfRwVePCNUS | |
| HUrUBJW2VtO2FYNvLpu1CEX81w6dRacaaUpQNa3OUAQa | |
| L3LDk5756eVz0lruFkGb4iQuXaZ/g0xJSwR2Cs8= | |
| ) ; key id = 38420 | |
| ;; RRSIG of the DNSKEYset: | |
| moriz.org. 2546 IN RRSIG DNSKEY 8 2 2560 20110317000000 ( | |
| 20110303000000 38420 moriz.org. | |
| WnBtTklv80WnA/MMjpNRi/u9/ZiO1x1zEMdL5SCZzi6J | |
| IqD+d7+7391Y79yuN0X0YpeGGGqt6VTRUKZBGi/YzTYk | |
| w+nUpWRmOL2+GzucqGz6uHarOj/zSQgx/e72nvz9JZNx | |
| 9/ApH89NWagxqy8TmtLaAdwHNTjUmipbBdksa4chP0dx | |
| 66rB/9MkmQrvyBz5xtDHdbObLefNJbx3Nr78m8Y2iuXn | |
| wxc3YX/meqwL0C8yW7R8Ix9oNc7dsGyK2IKNzYVuWIRJ | |
| LW0ENOdeYVx3eXLY5CwhQOqVsDTXpyHnu/eElZyWpxkC | |
| wxkiGu0xQVceyG5bHM5tj6GZivJ0x+6H6A== ) | |
| ;; OK a DS valids a DNSKEY in the RRset | |
| ;; Now verify that this DNSKEY validates the DNSKEY RRset | |
| ;; VERIFYING DNSKEY RRset for moriz.org. with DNSKEY:38420: success | |
| ;; VERIFYING A RRset for moriz.org. with DNSKEY:62830: success | |
| ;; The Answer: | |
| moriz.org. 86061 IN A 188.40.182.50 | |
| ;; FINISH : we have validate the DNSSEC chain of trust: SUCCESS | |
| ;; cleanandgo |
https://skitch.com/rmoriz/rujce/dnssec-internetx