Should (or can) master and slave DNS servers have different RRSIG entries?
I've just configured DNSSEC on my master DNS server and in testing with dig from each server to the other, I found that while each server had RRSIG entries they were different.
Is this expected behaviour? I see that each server has different times in the signature, so is that causing it? Is this even an issue?
master result:
example.com. 600 IN RRSIG NS 5 2 600 (
20181225201200 20181125193702 47985 example.com.
PNY/8BLZrBZ6Ax27MsblQg/QGPyIrS/uK/xAJY9DXw+s
nexXcvRXbEG+3E4yotVtay/ACN4+qMto4Ny87yyM7XFI
t0cBHnRx6n1DqU0jX0ARNWWDjaNRW/PlYrTKeqyXesVj
Cew44FJDXSd+65PxFlvQRDw6ZIdSbDYdXF1OYMw= )
slave result:
example.com. 600 IN RRSIG NS 5 2 600 (
20181225193928 20181125191401 47985 example.com.
b034jrblNOi/Rmm7o34pRMLwH2Qa4dPuJ7ssTGWam/7z
b8JTaCtgKwrglzBXzcGaUfcxfCTNeBV0o6HXDvQ7kmx4
pZVt8Igvsw/ansIJOsvG+k+nS+ZHTACsgFaOgOegTnNb
+SMspj5n54s/mdMhAMreMKYXBPyVEfN0PFVv574= )
domain-name-system debian bind
asked Nov 26 '18 at 4:02
John Moffitt
1 Answer
This is expected.
The RRSIG record's signature is computed over everything you see (except the signature itself of course), hence including the owner (that is the domain name on the left) as well as the record type (NS here), algorithm (5 which is "Elliptic Curve [ECC]"), number of labels (2 because example.com has 2 labels), original TTL (600), signature expiration (20181225193928) and signature inception (20181125191401), keytag (47985) and signer's name (example.com), plus the data in the record being signed (that is the whole content of the example.com. NS resource record set).
See RFC 4034 that defines the RRSIG record.
Section 3.1 shows:
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        Type Covered           |  Algorithm    |     Labels    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                         Original TTL                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                      Signature Expiration                     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                      Signature Inception                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |            Key Tag            |                               /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+         Signer's Name         /
   /                                                               /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   /                                                               /
   /                            Signature                          /
   /                                                               /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
and 3.1.8 says:
The Signature field contains the cryptographic signature that covers
the RRSIG RDATA (excluding the Signature field) and the RRset
specified by the RRSIG owner name, RRSIG class, and RRSIG Type
Covered field. The format of this field depends on the algorithm in
use, and these formats are described in separate companion documents.
answered 11 mins ago
Patrick Mevzek
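As an added example (not code from the question or the answer), the Python below takes the two RRSIG records quoted in the question, decodes their fields, and rebuilds the RRSIG RDATA prefix that the signature covers, in the RFC 4034 wire layout shown above but without the Signature field. It shows that the master and the slave signed exactly the same thing apart from the inception and expiration timestamps, with the same key tag and signer, so different signature bytes are the expected outcome, and it checks the validity window, which is what a validating resolver actually tests. The small type-code table is hand-written for this example; the decoded signatures are 128 bytes each, which matches the RSA/SHA-1 algorithm that RFC 4034 Appendix A.1 assigns to number 5.

```python
import base64
import struct
from datetime import datetime, timezone

# The two RRSIG records from the question, presentation format joined onto one line each.
MASTER = ("example.com. 600 IN RRSIG NS 5 2 600 20181225201200 20181125193702 47985 example.com. "
          "PNY/8BLZrBZ6Ax27MsblQg/QGPyIrS/uK/xAJY9DXw+snexXcvRXbEG+3E4yotVtay/ACN4+qMto4Ny87yyM7XFI"
          "t0cBHnRx6n1DqU0jX0ARNWWDjaNRW/PlYrTKeqyXesVjCew44FJDXSd+65PxFlvQRDw6ZIdSbDYdXF1OYMw=")
SLAVE = ("example.com. 600 IN RRSIG NS 5 2 600 20181225193928 20181125191401 47985 example.com. "
         "b034jrblNOi/Rmm7o34pRMLwH2Qa4dPuJ7ssTGWam/7zb8JTaCtgKwrglzBXzcGaUfcxfCTNeBV0o6HXDvQ7kmx4"
         "pZVt8Igvsw/ansIJOsvG+k+nS+ZHTACsgFaOgOegTnNb+SMspj5n54s/mdMhAMreMKYXBPyVEfN0PFVv574=")
# Hand-written subset of RR type codes; only NS is needed for the records above.
TYPE_CODES = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "AAAA": 28, "DNSKEY": 48}

def parse_rrsig(line):
    """Split one RRSIG record (RFC 4034 section 3.2 presentation format) into its fields."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {"owner": f[0], "type_covered": f[4], "algorithm": int(f[5]), "labels": int(f[6]),
            "original_ttl": int(f[7]), "expiration": f[8], "inception": f[9],
            "key_tag": int(f[10]), "signer": f[11], "signature": base64.b64decode("".join(f[12:]))}

def to_epoch(yyyymmddhhmmss):
    """RRSIG times are UTC; on the wire they are 32-bit seconds since the epoch (section 3.1.5)."""
    t = datetime.strptime(yyyymmddhhmmss, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(t.timestamp())

def wire_name(name):
    """Uncompressed, lowercased wire-format domain name (canonical form, section 6.2)."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def signed_rdata_prefix(r):
    """RRSIG RDATA with the Signature field left out: the part of the RRSIG itself that the
    signature covers (section 3.1.8). The covered RRset (the NS records, in canonical form)
    follows this prefix in the signed data; the question does not show it, so it is omitted."""
    return struct.pack("!HBBIIIH", TYPE_CODES[r["type_covered"]], r["algorithm"], r["labels"],
                       r["original_ttl"], to_epoch(r["expiration"]), to_epoch(r["inception"]),
                       r["key_tag"]) + wire_name(r["signer"])

def differing_fields(a, b):
    """Names of the RRSIG fields (signature excluded) whose values differ between two records."""
    return sorted(k for k in a if k != "signature" and a[k] != b[k])

def valid_at(r, epoch_seconds):
    """Whether a validator at the given time is inside the signature's inception..expiration window."""
    return to_epoch(r["inception"]) <= epoch_seconds <= to_epoch(r["expiration"])

if __name__ == "__main__":
    m, s = parse_rrsig(MASTER), parse_rrsig(SLAVE)
    print("fields that differ:", differing_fields(m, s))   # ['expiration', 'inception']
    print("same key (tag/signer):", (m["key_tag"], m["signer"]) == (s["key_tag"], s["signer"]))
    print("signed data differs:", signed_rdata_prefix(m) != signed_rdata_prefix(s))
```

Because both servers sign with the same key and their windows overlap, a resolver accepts either answer; what matters operationally is that the slave's copy is re-signed or re-transferred before its expiration passes.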