DNSSEC

From Hack Sphere Labs Wiki
Revision as of 12:08, 10 December 2011 by Webdawg (talk | contribs)


Roots

Delegation of Signing (DS) records contain the digital signature information for your domain name's DNS. In the Domain Manager, you can manage DS records for the following domain name extensions:

   .com
   .net
   .biz
   .us
   .org
   .eu
   .co.uk, .me.uk, and .org.uk
   .co, .com.co, .net.co, and .nom.co


Domains

dig @dnsserver domain.tld +dnssec

If the response carries no DNSSEC records, DNSSEC is not employed on the domain. If it is, you will see the DNSSEC records (signatures and keys) in the output.

For example, google.com has no DNSSEC on the domain:

dig +dnssec google.com

; <<>> DiG 9.6.2-P2 <<>> +dnssec google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30351
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 4, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		225	IN	A	74.125.65.99
google.com.		225	IN	A	74.125.65.104
google.com.		225	IN	A	74.125.65.147
google.com.		225	IN	A	74.125.65.103
google.com.		225	IN	A	74.125.65.106
google.com.		225	IN	A	74.125.65.105

;; AUTHORITY SECTION:
google.com.		93256	IN	NS	ns3.google.com.
google.com.		93256	IN	NS	ns1.google.com.
google.com.		93256	IN	NS	ns4.google.com.
google.com.		93256	IN	NS	ns2.google.com.

;; ADDITIONAL SECTION:
ns2.google.com.		282102	IN	A	216.239.34.10
ns4.google.com.		277770	IN	A	216.239.38.10
ns3.google.com.		266056	IN	A	216.239.36.10
ns1.google.com.		266056	IN	A	216.239.32.10

;; Query time: 25 msec
;; SERVER: 66.0.32.14#53(66.0.32.14)
;; WHEN: Sat Dec 10 14:06:04 2011
;; MSG SIZE  rcvd: 271

upenn.edu does:

dig +dnssec upenn.edu

; <<>> DiG 9.6.2-P2 <<>> +dnssec upenn.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29811
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;upenn.edu.			IN	A

;; AUTHORITY SECTION:
upenn.edu.		1251	IN	SOA	assailants.net.isc.upenn.edu. hostmaster.upenn.edu. 1002092872 10800 3600 604800 3600
upenn.edu.		1251	IN	RRSIG	SOA 5 2 3600 20120109192746 20111210182746 50475 upenn.edu. 09b8/qJl2E4O5gc63BRRCFrDzPLvwaZv+zPYUdWoFTNdZ8BoRbAtto+x BGAQOgPlVhWC8vIozWmed3J4KG74BcY1B4WaD+laiNg3rzKm2yBVorwC JXHyWIksF3/6uLeHWKf7w0DocYAtL5B8KtUuCjdRKN71qua/HqgHvGni 2u0=
upenn.edu.		1251	IN	NSEC	_kerberos.upenn.edu. NS SOA MX RRSIG NSEC DNSKEY TYPE65534
upenn.edu.		1251	IN	RRSIG	NSEC 5 2 3600 20111225082135 20111125080254 50475 upenn.edu. LOlp2Zajrztv0rgpWPMdKsfZzdC74ovhHDiwRg1xm7P9yIXaoZCdw8s0 R/E5iEhQTXevOklrlJj4AOBqXlKW5/2coMto8eO/ryobX+qglRv8SHoB q9xHFDEVxgRZZyEnX8QTIr+SFtLKJy+D1HKR2hMBwkq4nUCl17diOXE2 vIo=

;; Query time: 24 msec
;; SERVER: 66.0.32.14#53(66.0.32.14)
;; WHEN: Sat Dec 10 14:05:24 2011
;; MSG SIZE  rcvd: 518
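
The check described above can be automated by reading the RRSIG lines out of dig +dnssec output. The following is an added example, not part of the original wiki page: the function name summarize, the trimmed sample lines (signature data replaced by a placeholder) and the query times are constructed for illustration. It also reports the AD flag, which is absent from both outputs above, because a response can carry signatures without the resolver having validated them.

```python
from datetime import datetime, timezone

# IANA DNSSEC algorithm numbers (subset)
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 13: "ECDSAP256SHA256"}

# Constructed samples: lines in the shape of the dig output on this page,
# with the base64 signature shortened to the placeholder "c2ln".
SIGNED = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
upenn.edu. 1251 IN SOA assailants.net.isc.upenn.edu. hostmaster.upenn.edu. 1002092872 10800 3600 604800 3600
upenn.edu. 1251 IN RRSIG SOA 5 2 3600 20120109192746 20111210182746 50475 upenn.edu. c2ln
upenn.edu. 1251 IN NSEC _kerberos.upenn.edu. NS SOA MX RRSIG NSEC DNSKEY TYPE65534
upenn.edu. 1251 IN RRSIG NSEC 5 2 3600 20111225082135 20111125080254 50475 upenn.edu. c2ln
"""
UNSIGNED = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 4, ADDITIONAL: 5
google.com. 225 IN A 74.125.65.99
google.com. 93256 IN NS ns3.google.com.
"""

def _ts(value):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def summarize(dig_output, now):
    """Report DNSSEC evidence in `dig +dnssec` output as of `now` (aware UTC datetime)."""
    flags, sigs = [], []
    for line in dig_output.splitlines():
        if line.startswith(";; flags:"):
            flags = line.split(":", 1)[1].split(";")[0].split()
        fields = line.split()
        if line.startswith(";") or len(fields) < 13 or fields[3] != "RRSIG":
            continue
        # RRSIG RDATA: covered alg labels orig-ttl expiration inception key-tag signer sig
        covered, alg, _, _, expires, inception, key_tag, signer = fields[4:12]
        sigs.append({
            "covers": covered,
            "algorithm": ALGORITHMS.get(int(alg), "alg-" + alg),
            "key_tag": int(key_tag),
            "signer": signer,
            "in_validity_window": _ts(inception) <= now <= _ts(expires),
        })
    # has_rrsig: the zone returned signatures; validated: AD flag set by the resolver
    return {"has_rrsig": bool(sigs), "validated": "ad" in flags, "signatures": sigs}

if __name__ == "__main__":
    when = datetime(2011, 12, 11, tzinfo=timezone.utc)  # constructed query time
    for sample in (SIGNED, UNSIGNED):
        print(summarize(sample, when))
```

In practice the input would be the captured output of the dig command shown above, and now would be the current UTC time.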