Difference between revisions of "DNSSEC"
From Hack Sphere Labs Wiki
Line 1: | Line 1: | ||
+ | ==Roots== | ||
+ | Delegation of Signing (DS) records contain the digital signature information for your domain name's DNS. In the Domain Manager, you can manage DS records for the following domain name extensions: | ||
+ | |||
+ | .com | ||
+ | .net | ||
+ | .biz | ||
+ | .us | ||
+ | .org | ||
+ | .eu | ||
+ | .co.uk, .me.uk, and .org.uk | ||
+ | .co, .com.co, .net.co, and .nom.co | ||
+ | |||
+ | |||
+ | |||
+ | ==Domains== | ||
dig @dnsserver domain.tld +dnssec | dig @dnsserver domain.tld +dnssec | ||
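Review bot: In the added Roots paragraph, "Delegation of Signing (DS)" should read "Delegation Signer (DS)". The description "contain the digital signature information" is also loose: a DS record holds a digest of the child zone's DNSKEY, not a signature. "In the Domain Manager" refers to a registrar control panel that the section never names, so state which registrar this list of extensions comes from.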
Revision as of 12:08, 10 December 2011
Roots
Delegation of Signing (DS) records contain the digital signature information for your domain name's DNS. In the Domain Manager, you can manage DS records for the following domain name extensions:
.com
.net
.biz
.us
.org
.eu
.co.uk, .me.uk, and .org.uk
.co, .com.co, .net.co, and .nom.co
Domains
dig @dnsserver domain.tld +dnssec
If the response contains no DNSSEC records, DNSSEC is not deployed on the domain. When it is deployed, you will see the keys.
For example:
google.com has no DNSSEC on the domain
dig +dnssec google.com

; <<>> DiG 9.6.2-P2 <<>> +dnssec google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30351
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 4, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;google.com. IN A

;; ANSWER SECTION:
google.com. 225 IN A 74.125.65.99
google.com. 225 IN A 74.125.65.104
google.com. 225 IN A 74.125.65.147
google.com. 225 IN A 74.125.65.103
google.com. 225 IN A 74.125.65.106
google.com. 225 IN A 74.125.65.105

;; AUTHORITY SECTION:
google.com. 93256 IN NS ns3.google.com.
google.com. 93256 IN NS ns1.google.com.
google.com. 93256 IN NS ns4.google.com.
google.com. 93256 IN NS ns2.google.com.

;; ADDITIONAL SECTION:
ns2.google.com. 282102 IN A 216.239.34.10
ns4.google.com. 277770 IN A 216.239.38.10
ns3.google.com. 266056 IN A 216.239.36.10
ns1.google.com. 266056 IN A 216.239.32.10

;; Query time: 25 msec
;; SERVER: 66.0.32.14#53(66.0.32.14)
;; WHEN: Sat Dec 10 14:06:04 2011
;; MSG SIZE rcvd: 271
upenn.edu does
dig +dnssec upenn.edu

; <<>> DiG 9.6.2-P2 <<>> +dnssec upenn.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29811
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;upenn.edu. IN A

;; AUTHORITY SECTION:
upenn.edu. 1251 IN SOA assailants.net.isc.upenn.edu. hostmaster.upenn.edu. 1002092872 10800 3600 604800 3600
upenn.edu. 1251 IN RRSIG SOA 5 2 3600 20120109192746 20111210182746 50475 upenn.edu. 09b8/qJl2E4O5gc63BRRCFrDzPLvwaZv+zPYUdWoFTNdZ8BoRbAtto+x BGAQOgPlVhWC8vIozWmed3J4KG74BcY1B4WaD+laiNg3rzKm2yBVorwC JXHyWIksF3/6uLeHWKf7w0DocYAtL5B8KtUuCjdRKN71qua/HqgHvGni 2u0=
upenn.edu. 1251 IN NSEC _kerberos.upenn.edu. NS SOA MX RRSIG NSEC DNSKEY TYPE65534
upenn.edu. 1251 IN RRSIG NSEC 5 2 3600 20111225082135 20111125080254 50475 upenn.edu. LOlp2Zajrztv0rgpWPMdKsfZzdC74ovhHDiwRg1xm7P9yIXaoZCdw8s0 R/E5iEhQTXevOklrlJj4AOBqXlKW5/2coMto8eO/ryobX+qglRv8SHoB q9xHFDEVxgRZZyEnX8QTIr+SFtLKJy+D1HKR2hMBwkq4nUCl17diOXE2 vIo=

;; Query time: 24 msec
;; SERVER: 66.0.32.14#53(66.0.32.14)
;; WHEN: Sat Dec 10 14:05:24 2011
;; MSG SIZE rcvd: 518
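Added example (not part of the original wiki page): a small Python parser that applies the check described above to dig +dnssec text output. It goes slightly beyond the page by also reading the EDNS DO bit, the AD header flag and the RRSIG validity window. The function names, verdict strings and evaluation time are assumptions made for this example, and the samples are trimmed from the output above with the signatures replaced by a placeholder.

```python
import re
from datetime import datetime, timezone

def _ts(s):  # RRSIG times are YYYYMMDDHHmmSS in UTC (RFC 4034, section 3.2)
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_dig(text):
    """Collect header flags, the EDNS DO bit and RRSIG records from dig text output."""
    info = {"flags": set(), "do": False, "sigs": []}
    for line in map(str.strip, text.splitlines()):
        if line.startswith(";; flags:"):
            info["flags"] = set(line[9:].split(";")[0].split())
        elif line.startswith("; EDNS:"):
            m = re.search(r"flags:([a-z ]*);", line)
            info["do"] = bool(m) and "do" in m.group(1).split()
        elif line and not line.startswith(";"):
            f = line.split()  # owner TTL class type rdata...
            if len(f) >= 12 and f[3] == "RRSIG":
                # rdata: covered alg labels origttl expiration inception keytag signer sig
                info["sigs"].append({"covers": f[4], "expires": _ts(f[8]),
                                     "inception": _ts(f[9]), "signer": f[11]})
    return info

def classify(text, now):
    """Return a short verdict for one dig +dnssec response, judged at time `now`."""
    info = parse_dig(text)
    if not info["do"]:
        return "no-do"                    # DNSSEC records were never requested
    if not info["sigs"]:
        return "unsigned"                 # or a resolver on the path strips RRSIGs
    if any(not (s["inception"] <= now <= s["expires"]) for s in info["sigs"]):
        return "signed-outside-validity"
    # Only the AD flag says the resolver validated the chain; RRSIGs alone do not.
    return "signed-validated" if "ad" in info["flags"] else "signed-not-validated"

# Samples trimmed from the dig output on this page; SIG= is a constructed placeholder.
HEAD = ";; flags: qr rd ra; QUERY: 1, ANSWER: %d, AUTHORITY: 4, ADDITIONAL: %d\n" \
       "; EDNS: version: 0, flags: do; udp: 4096\n"
UNSIGNED = HEAD % (6, 5) + "google.com. 225 IN A 74.125.65.99\n"
SIGNED = HEAD % (0, 1) + """\
upenn.edu. 1251 IN RRSIG SOA 5 2 3600 20120109192746 20111210182746 50475 upenn.edu. SIG=
upenn.edu. 1251 IN NSEC _kerberos.upenn.edu. NS SOA MX RRSIG NSEC DNSKEY TYPE65534
upenn.edu. 1251 IN RRSIG NSEC 5 2 3600 20111225082135 20111125080254 50475 upenn.edu. SIG=
"""
# Constructed evaluation time that falls inside both signature windows.
NOW = datetime(2011, 12, 10, 19, 5, 24, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, sample in (("google.com", UNSIGNED), ("upenn.edu", SIGNED)):
        print(name, classify(sample, NOW))
```

Both responses on this page carry flags "qr rd ra" without "ad", so the upenn.edu sample is reported as signed but not validated by the resolver that answered.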