Verification with dig, Dnssec gslb in dns proxy mode – Brocade Communications Systems ServerIron ADX 12.4.00 User Manual

Page 126


ServerIron ADX Global Server Load Balancing Guide, 53-1002437-01, page 114 (chapter 1, DNSSEC)

Verification with DIG

The following example shows dig being used to validate a DNSSEC response. The +sigchase option follows the signature chain from the A RRset to the zone's DNSKEY RRset; because mydnssec.com has no DS record at its parent, the chain ends at the key supplied with +trusted-key, whose key id (8340) matches the key tag in both RRSIG records.

[16:31:54 root@rhl-236 ~]# dig +dnssec mydnssec.com +multiline +sigchase +trusted-key=/root/dnssec/Kmydnssec.com.+005+08340.key
;; RRset to chase:
mydnssec.com.           86400 IN A 10.35.62.235

;; RRSIG of the RRset to chase:
mydnssec.com.           86400 IN RRSIG A 5 2 86400 20100513221145 (
                                20100413221145 8340 mydnssec.com.
                                XdrNlVeH/Hc6sMCAOFCWerqtFRgCyNNlOcHrwnLZ+ApI
                                plN2t2QdpmEqhltmNyINJK2WH6xzP59bkynjOUcg8QQr
                                OBPRyjlZCXkTS0y8JFNGd0OIjW8KJkLmZ/cag0zFcvA+
                                xvNQsSM5w9hiprH364JDhSoQYASxFslLkX+MtGw= )

Launch a query to find a RRset of type DNSKEY for zone: mydnssec.com.
;; DNSKEYset that signs the RRset to chase:
mydnssec.com.           86400 IN DNSKEY 256 3 5 (
                                AwEAAacXnVRCUEnP7nRuCaGHWw5K7H+IedN5xWnnCUfe
                                f9upLZESWMPiY0b08biliRQ5Uqt6wCNINM9nBGGxxOhV
                                i/oT+DEkrjOhNN4o5L7Bd+PwYV0Vh+Fq383jvGdHtr8n
                                Q+mc69OgQjdARn6ofH6sDcOQFsvKsgtA/EQUa/mc9V2B
                                ) ; key id = 8340

;; RRSIG of the DNSKEYset that signs the RRset to chase:
mydnssec.com.           86400 IN RRSIG DNSKEY 5 2 86400 20100513221145 (
                                20100413221145 8340 mydnssec.com.
                                WdGTjFIGfFf6jpTm04iDYIj44WgvG+XMGJyzMS7jC5k7
                                LYk8HtjUAjVs920sgrz9HED7JKs9tMjzIiPZEKRsa+HI
                                7Re2Rvvrb5PbwNwWFi/smDI57NztLvCNoOWdYEk1r6jW
                                S8YVLnvd5rsN9d2DY+wr8UZSemRWAURn8G3GRLA= )

Launch a query to find a RRset of type DS for zone: mydnssec.com.
;; NO ANSWERS: no more
;; WARNING There is no DS for the zone: mydnssec.com.

;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; VERIFYING A RRset for mydnssec.com. with DNSKEY:8340: success
;; OK We found DNSKEY (or more) to validate the RRset
;; Ok, find a Trusted Key in the DNSKEY RRset: 8340
;; VERIFYING DNSKEY RRset for mydnssec.com. with DNSKEY:8340: success
;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS
[16:32:06 root@rhl-236 ~]#

DNSSEC GSLB in DNS proxy mode

The ServerIron ADX supports GSLB for DNSSEC in the DNS proxy mode. In this mode, when the ServerIron ADX sees a DNS response, it re-orders the response so that the 'best IP address' is the first address in the answer RRset. It also sets the TTL of each of the answer records (this applies to UDP). In the ADNS or the LDNS, the signature in the RRSIG record is calculated by ordering the individual resource records in canonical order. Only the RR type, class and the value
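The passage on DNS proxy mode turns on the fact that an RRSIG is computed over the RRset in canonical order, with the TTL taken from the RRSIG's Original TTL field, so a proxy that moves the best address to the front of the answer and rewrites the TTL does not invalidate the signature. The following added example (written for this section; it is not ServerIron ADX code) builds the exact byte string an RRSIG over an A RRset covers, per RFC 4034 section 3.1.8.1, and shows that re-ordering or re-TTLing the records leaves it unchanged while changing an address does not. The RRSIG fields (type A, algorithm 5, 2 labels, original TTL 86400, the two timestamps, key tag 8340, signer mydnssec.com.) and the address 10.35.62.235 are taken from the dig output above; the additional addresses, the 30-second proxy TTL, and all function names are constructed for the illustration. The final RSA check against the DNSKEY is not performed here; only the signed-data construction is shown.

```python
"""Added example (not ServerIron ADX code): build the bytes an RRSIG over an
A RRset actually signs (RFC 4034 section 3.1.8.1) and show that a proxy
re-ordering the answer records, or rewriting their TTL, leaves those bytes
unchanged, while altering an address does not.

RRSIG fields and the address 10.35.62.235 come from the dig output in this
section; the other addresses and the proxy TTL are constructed.
"""
import calendar
import hashlib
import ipaddress
import struct
import time

TYPE_A, CLASS_IN, ALG_RSASHA1 = 1, 1, 5


def name_to_wire(name):
    """Owner/signer name in canonical wire form: lowercase, uncompressed (RFC 4034 s6.2)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def a_rdata(addr):
    """RDATA of an A record: the four address octets."""
    return ipaddress.IPv4Address(addr).packed


def canonical_order(rdatas):
    """RFC 4034 s6.3: RRs sorted by RDATA as unsigned octet strings, duplicates dropped."""
    return sorted(set(rdatas))


def dnssec_time(stamp):
    """YYYYMMDDHHMMSS (UTC) as printed by dig -> seconds since the epoch."""
    return calendar.timegm(time.strptime(stamp, "%Y%m%d%H%M%S"))


def rrsig_rdata_without_signature(type_covered, alg, labels, orig_ttl,
                                  expiration, inception, key_tag, signer):
    """The RRSIG RDATA with the Signature field removed; it prefixes the signed data."""
    return struct.pack("!HBBIIIH", type_covered, alg, labels, orig_ttl,
                       expiration, inception, key_tag) + name_to_wire(signer)


def signed_data(owner, rr_type, rr_class, records, rrsig_prefix, orig_ttl):
    """RRSIG_RDATA | RR(1) | RR(2) | ... in canonical order (RFC 4034 s3.1.8.1).

    records is a list of (ttl_as_received, rdata).  The received TTL is
    deliberately ignored: the validator sets every RR's TTL to the RRSIG's
    Original TTL before hashing (RFC 4035 s5.3.1), so a proxy that rewrites
    the TTL does not change what is verified.
    """
    data = rrsig_prefix
    for rdata in canonical_order(rdata for _, rdata in records):
        data += (name_to_wire(owner)
                 + struct.pack("!HHIH", rr_type, rr_class, orig_ttl, len(rdata))
                 + rdata)
    return data


# RRSIG fields as shown in the dig output above.
ORIG_TTL = 86400
RRSIG_PREFIX = rrsig_rdata_without_signature(
    TYPE_A, ALG_RSASHA1, 2, ORIG_TTL,
    dnssec_time("20100513221145"), dnssec_time("20100413221145"),
    8340, "mydnssec.com.")


def a_rrset_digest(records):
    """SHA-1 (the hash RSASHA1 signs) of the signed data for an A RRset of mydnssec.com."""
    data = signed_data("mydnssec.com.", TYPE_A, CLASS_IN, records, RRSIG_PREFIX, ORIG_TTL)
    return hashlib.sha1(data).hexdigest()


# Constructed three-address RRset: what the authoritative server sent ...
AUTHORITATIVE = [(86400, a_rdata("10.35.62.235")),
                 (86400, a_rdata("10.35.62.10")),
                 (86400, a_rdata("10.35.62.100"))]
# ... the same RRset after a proxy moved its preferred address first and
# set a short TTL, as the section describes for DNS proxy mode ...
PROXY_REWRITTEN = [(30, a_rdata("10.35.62.100")),
                   (30, a_rdata("10.35.62.235")),
                   (30, a_rdata("10.35.62.10"))]
# ... and an RRset whose content, not just its order, was changed.
TAMPERED = [(86400, a_rdata("10.35.62.235")),
            (86400, a_rdata("10.35.62.10")),
            (86400, a_rdata("10.35.62.101"))]


def reorder_preserves_signed_data():
    return a_rrset_digest(AUTHORITATIVE) == a_rrset_digest(PROXY_REWRITTEN)


def content_change_alters_signed_data():
    return a_rrset_digest(AUTHORITATIVE) != a_rrset_digest(TAMPERED)


if __name__ == "__main__":
    print("re-order + TTL rewrite keeps signed data:", reorder_preserves_signed_data())
    print("address change alters signed data:", content_change_alters_signed_data())
```

Run as a script it prints True for both checks. The design point is that the validator never hashes the response as received: owner names are lowercased, RRs are sorted by RDATA, and the TTL is replaced by the RRSIG's Original TTL, which is exactly why a proxy may change answer order and TTL but nothing else.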
