DNSSEC
From Hack Sphere Labs Wiki
==What?==

It looks like a lot of this is trust between servers, yet many people are not signing their domains. I cannot sign mine yet because my hosting provider does not have a DNSSEC-enabled server set up and I do not want to host my own DNS server at the moment.

==Roots==
Common root TLDs are signed:

.com
.net
.biz
.us
.org
.eu
.co.uk, .me.uk, and .org.uk
.co, .com.co, .net.co, and .nom.co

==Domains==
 dig @dnsserver domain.tld +dnssec

If no DNSSEC records come back in the authoritative response, DNSSEC is not employed at the domain; if it is, you will see the signing records (RRSIG, NSEC and the keys) in the response.

For example:

google.com has no DNSSEC on the domain

<pre>
dig +dnssec google.com

; <<>> DiG 9.6.2-P2 <<>> +dnssec google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30351
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 4, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             225     IN      A       74.125.65.99
google.com.             225     IN      A       74.125.65.104
google.com.             225     IN      A       74.125.65.147
google.com.             225     IN      A       74.125.65.103
google.com.             225     IN      A       74.125.65.106
google.com.             225     IN      A       74.125.65.105

;; AUTHORITY SECTION:
google.com.             93256   IN      NS      ns3.google.com.
google.com.             93256   IN      NS      ns1.google.com.
google.com.             93256   IN      NS      ns4.google.com.
google.com.             93256   IN      NS      ns2.google.com.

;; ADDITIONAL SECTION:
ns2.google.com.         282102  IN      A       216.239.34.10
ns4.google.com.         277770  IN      A       216.239.38.10
ns3.google.com.         266056  IN      A       216.239.36.10
ns1.google.com.         266056  IN      A       216.239.32.10

;; Query time: 25 msec
;; SERVER: 66.0.32.14#53(66.0.32.14)
;; WHEN: Sat Dec 10 14:06:04 2011
;; MSG SIZE  rcvd: 271
</pre>
upenn.edu does

<pre>
dig +dnssec upenn.edu

; <<>> DiG 9.6.2-P2 <<>> +dnssec upenn.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29811
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;upenn.edu.                     IN      A

;; AUTHORITY SECTION:
upenn.edu.              1251    IN      SOA     assailants.net.isc.upenn.edu. hostmaster.upenn.edu. 1002092872 10800 3600 604800 3600
upenn.edu.              1251    IN      RRSIG   SOA 5 2 3600 20120109192746 20111210182746 50475 upenn.edu. 09b8/qJl2E4O5gc63BRRCFrDzPLvwaZv+zPYUdWoFTNdZ8BoRbAtto+x BGAQOgPlVhWC8vIozWmed3J4KG74BcY1B4WaD+laiNg3rzKm2yBVorwC JXHyWIksF3/6uLeHWKf7w0DocYAtL5B8KtUuCjdRKN71qua/HqgHvGni 2u0=
upenn.edu.              1251    IN      NSEC    _kerberos.upenn.edu. NS SOA MX RRSIG NSEC DNSKEY TYPE65534
upenn.edu.              1251    IN      RRSIG   NSEC 5 2 3600 20111225082135 20111125080254 50475 upenn.edu. LOlp2Zajrztv0rgpWPMdKsfZzdC74ovhHDiwRg1xm7P9yIXaoZCdw8s0 R/E5iEhQTXevOklrlJj4AOBqXlKW5/2coMto8eO/ryobX+qglRv8SHoB q9xHFDEVxgRZZyEnX8QTIr+SFtLKJy+D1HKR2hMBwkq4nUCl17diOXE2 vIo=

;; Query time: 24 msec
;; SERVER: 66.0.32.14#53(66.0.32.14)
;; WHEN: Sat Dec 10 14:05:24 2011
;; MSG SIZE  rcvd: 518
</pre>
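The two responses above can be read mechanically. The script below is an added example, not code from this wiki: it parses BIND dig +dnssec output and reports whether any RRSIG records came back (the zone is signed), which record types they cover, whether NSEC/NSEC3 denial records are present, and whether the resolver set the ad flag, which is the only thing in the reply that says the resolver itself validated the chain of trust (neither response above has it; both show flags qr rd ra). The sample inputs are trimmed copies of the google.com and upenn.edu responses on this page with the signature data shortened, and the regular expressions assume dig's standard output layout.

```python
"""Read `dig +dnssec` output and say whether the zone looks DNSSEC-signed.

Added example (not from the Hack Sphere Labs wiki). It works on the text dig
prints, so it runs offline on captured output; the samples below are trimmed
copies of the two responses on the page, with signature data shortened.
"""
import re
import sys

# Constructed sample: google.com answer, no RRSIG records anywhere.
GOOGLE_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30351
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 4, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             225     IN      A       74.125.65.99
google.com.             225     IN      A       74.125.65.104

;; AUTHORITY SECTION:
google.com.             93256   IN      NS      ns1.google.com.
"""

# Constructed sample: upenn.edu answer, RRSIG and NSEC in the authority section.
UPENN_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29811
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;upenn.edu.                     IN      A

;; AUTHORITY SECTION:
upenn.edu.  1251 IN SOA assailants.net.isc.upenn.edu. hostmaster.upenn.edu. 1002092872 10800 3600 604800 3600
upenn.edu.  1251 IN RRSIG SOA 5 2 3600 20120109192746 20111210182746 50475 upenn.edu. 09b8/qJl2E4O5gc63BRR...
upenn.edu.  1251 IN NSEC _kerberos.upenn.edu. NS SOA MX RRSIG NSEC DNSKEY TYPE65534
upenn.edu.  1251 IN RRSIG NSEC 5 2 3600 20111225082135 20111125080254 50475 upenn.edu. LOlp2Zajrztv0rgpWPMd...
"""

HEADER_FLAGS_RE = re.compile(r"^;; flags:\s*(?P<flags>[a-z ]*);")
EDNS_FLAGS_RE = re.compile(r"^; EDNS: version: \d+, flags:\s*(?P<flags>[a-z ]*);")
SECTION_RE = re.compile(r"^;; (?P<name>[A-Z]+) SECTION:$")
RR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z0-9]+)\s+(?P<rdata>.*)$")


def parse_dig(text):
    """Split dig output into (header flags, EDNS flags, records).

    Each record is (section, owner, rrtype, rdata). Comment lines (";" prefix)
    other than the two flag lines and the section markers are ignored.
    """
    header_flags, edns_flags, records, section = set(), set(), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_FLAGS_RE.match(line)
        if m:
            header_flags = set(m.group("flags").split())
            continue
        m = EDNS_FLAGS_RE.match(line)
        if m:
            edns_flags = set(m.group("flags").split())
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m and section:
            records.append((section, m.group("name"), m.group("type"), m.group("rdata")))
    return header_flags, edns_flags, records


def assess_dnssec(text):
    """Summarise what one dig +dnssec response says about the queried zone."""
    header_flags, edns_flags, records = parse_dig(text)
    rrsig_covers = sorted({rdata.split()[0] for _, _, t, rdata in records if t == "RRSIG"})
    denial = sorted({t for _, _, t, _ in records if t in ("NSEC", "NSEC3")})
    return {
        "do_bit": "do" in edns_flags,        # reply carried an OPT record with DO set
        "signed": bool(rrsig_covers),        # at least one RRSIG came back
        "rrsig_covers": rrsig_covers,        # record types those RRSIGs cover
        "authenticated_denial": denial,      # NSEC/NSEC3 present (signed negative answers)
        "validated": "ad" in header_flags,   # resolver itself validated the chain
    }


def verdict(report):
    """One-line reading of an assess_dnssec() report."""
    if not report["do_bit"]:
        return "inconclusive: no DO bit in the reply, so the resolver may have stripped signatures"
    if not report["signed"]:
        return "no RRSIG records: zone appears unsigned"
    if report["validated"]:
        return "signed and validated by the resolver (ad flag set)"
    return "signed (RRSIG present) but not validated by this resolver (no ad flag)"


if __name__ == "__main__":
    # Usage: dig +dnssec example.com | python3 dnssec_check.py
    data = sys.stdin.read() if not sys.stdin.isatty() else UPENN_RESPONSE
    report = assess_dnssec(data)
    print(report)
    print(verdict(report))
```

The three outcomes the script distinguishes are the ones worth keeping apart when reading dig by eye: RRSIG records in the reply only show that the zone is signed, the ad flag shows that a validating resolver checked the signatures up to the root, and a reply with no DO bit proves nothing either way, because a resolver that does not support EDNS0/DO never returns signatures even for signed zones.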

==Test DNSSEC==
*http://test.dnssec-or-not.org/

==Resources==
*http://www.icann.org/en/announcements/dnssec-qaa-09oct08-en.htm
Latest revision as of 12:12, 10 December 2011