[分享]dnssec--DNS里公私匙-密码应用-看雪-安全社区|安全招聘|kanxue.com

[分享]dnssec--DNS里公私匙

发表于: 2011-12-14 16:25 8427

[分享]dnssec--DNS里公私匙

lilianjie

2011-12-14 16:25

8427

在线验：

http://dnssec-debugger.verisignlabs.com/

http://dnssec.resare.com/?name=iis.se&type=A

Analyzing DNSSEC problems for pediy.com
  DS=19036/SHA1 is now in the chain-of-trust
. Checking DS between Trust Anchor and .
  . 0 IN DS 19036 8 1 B256BD09DC8DD59F0E0F0D8541B8328DD986DF6E ; xosih-kezeb-nulum-tohin-zafab-zyfom-hubur-masam-tikam-kelek-vyxex
  . 0 IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 ; xidep-pybec-tyvak-zonag-kesud-vohip-cumul-fysuk-bivac-pubam-hugeb-buzud-symes-tylaf-dosog-vufor-huxax
  Query to e.root-servers.net for ./DNSKEY
  Received 736 bytes from 192.203.230.10
  ;; Answer received from 192.203.230.10 (736 bytes)
;; HEADER SECTION
;; id = 41276
;; qr = 1 opcode = QUERY aa = 1 tc = 0 rd = 0
;; ra = 0 ad = 0 cd = 0 rcode  = NOERROR
;; qdcount = 1  ancount = 3  nscount = 0  arcount = 1

;; QUESTION SECTION (1 record)
;; . IN DNSKEY

;; ANSWER SECTION (3 records)
. 172800 IN DNSKEY 256  3  8 (
AwEAAdNW7YIhcTdqXrzgZjJJ35VjAFT1Arvn
hAzXDm7AuGxSQqmGBRmjJvBv0xS4gahB9mj6
ekF0dVKoeZgLmNAjo8hj2JI7K281YTo2R5k3
mKSc4hOCP55hR22r5hIsPJoT19pv/VdZQfyT
zZ96frQ16qRa9+/GSjzjtFfQv16FwE7R
) ; Key ID = 55231
. 172800 IN DNSKEY 257  3  8 (
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxh
JhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd
0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJR
kxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/V
HL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68
LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtu
A6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoB
Qzgul0sGIcGOYl7OyQdXfZ57relSQageu+ip
AdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwh
YB4N7knNnulqQxA+Uk1ihz0=
) ; Key ID = 19036
. 172800 IN RRSIG DNSKEY  8  0  172800  20111225000000 (
20111210000000 19036  .
SVMoD1UJztM3xQogcXUqZCMkD2qHwzBTnJ0CE0cCOjAkt
NzrSuzdYF07gSawB//VwH+56j5Hr6JE7UB+wMRZNS3G7A
ZKhbT9PbzIFt9TG68/M16Rp5p93rW2QWatjWmdY7X1nI3
mRwnyWPiFURSxGPX2ge47jpVYpqxh0FClQu6VyB4jI1wj
2CpYkL1xSrVLfwgf8pPMJVJJ6c18JqE63ML5vZ3MHvib/
+Nsk50FP1EemWSH3hzlnr/mLU9o1U2mIoFqK1skGo6Zag
v5L3pBH0vWtxVjGEP3WcOgNdWxwA/zNlEG0J3DmgVbyIm
vYFV4B+liT4rLUtFPeVtl2VNyww== )

;; AUTHORITY SECTION (0 records)

;; ADDITIONAL SECTION (1 record)
; EDNS Version 0    UDP Packetsize: 4096
; EDNS-RCODE: 0 (ONLY_RDATA)
; EDNS-FLAGS: 0x8000

Found 2 DNSKEY records for .
  . 172800 IN DNSKEY 256 3 8 ( AwEAAdNW7YIhcTdqXrzgZjJJ35VjAFT1Arvn hAzXDm7AuGxSQqmGBRmjJvBv0xS4gahB9mj6 ekF0dVKoeZgLmNAjo8hj2JI7K281YTo2R5k3 mKSc4hOCP55hR22r5hIsPJoT19pv/VdZQfyT zZ96frQ16qRa9+/GSjzjtFfQv16FwE7R ) ; Key ID = 55231
  . 172800 IN DNSKEY 257 3 8 ( AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxh JhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd 0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJR kxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/V HL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68 LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtu A6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoB Qzgul0sGIcGOYl7OyQdXfZ57relSQageu+ip AdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwh YB4N7knNnulqQxA+Uk1ihz0= ) ; Key ID = 19036
  DNSKEY=19036/SEP is now in the chain-of-trust
DS=19036/SHA1 verifies DNSKEY=19036/SEP
  DS=19036/SHA256 verifies DNSKEY=19036/SEP
Found 1 RRSIGs over DNSKEY RRset
  . 172800 IN RRSIG DNSKEY 8 0 172800 20111225000000 ( 20111210000000 19036 . SVMoD1UJztM3xQogcXUqZCMkD2qHwzBTnJ0CE0cCOjAkt NzrSuzdYF07gSawB//VwH+56j5Hr6JE7UB+wMRZNS3G7A ZKhbT9PbzIFt9TG68/M16Rp5p93rW2QWatjWmdY7X1nI3 mRwnyWPiFURSxGPX2ge47jpVYpqxh0FClQu6VyB4jI1wj 2CpYkL1xSrVLfwgf8pPMJVJJ6c18JqE63ML5vZ3MHvib/ +Nsk50FP1EemWSH3hzlnr/mLU9o1U2mIoFqK1skGo6Zag v5L3pBH0vWtxVjGEP3WcOgNdWxwA/zNlEG0J3DmgVbyIm vYFV4B+liT4rLUtFPeVtl2VNyww== )
RRSIG=19036 and DNSKEY=19036/SEP verifies the DNSKEY RRset
  DNSKEY=55231 is now in the chain-of-trust
  Query to h.root-servers.net for pediy.com/A
  Received 736 bytes from 128.63.2.53
  ;; Answer received from 128.63.2.53 (736 bytes)
;; HEADER SECTION
;; id = 32585
;; qr = 1 opcode = QUERY aa = 0 tc = 0 rd = 0
;; ra = 0 ad = 0 cd = 0 rcode  = NOERROR
;; qdcount = 1  ancount = 0  nscount = 15  arcount = 16

;; QUESTION SECTION (1 record)
;; pediy.com. IN A

;; ANSWER SECTION (0 records)

;; AUTHORITY SECTION (15 records)
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 86400 IN DS 30909  8  2  e2d3c916f6deeac73294e8268fb5885044a833fc5459588f4a9184cfc41a5766 ; xumit-fedac-katut-vapis-lusun-gypad-kafyr-hudah-bycyp-musaz-sahyh-nekum-zudun-cicos-zacyc-puhyk-kaxyx
com. 86400 IN RRSIG DS  8  1  86400  20111221000000 (
20111213230000 55231  .
eUuxmTJ6F83TkcDM91L41ipRcCPGYBOKDZnWIqp5kBkIP
rh8vopCBqVxPdqkEfH/SBamoEb3/uM+w8Gi6bmKG0HwMA
TXYB/djhyYUF+LGbkk7HTsVJkcsEPN95uHqK+0XqH1Qb4
u4jXSEC79dYm0/mlnl9yFfXUuXxCkFbdOkUE= )

;; ADDITIONAL SECTION (16 records)
a.gtld-servers.net. 172800 IN A 192.5.6.30
b.gtld-servers.net. 172800 IN A 192.33.14.30
c.gtld-servers.net. 172800 IN A 192.26.92.30
d.gtld-servers.net. 172800 IN A 192.31.80.30
e.gtld-servers.net. 172800 IN A 192.12.94.30
f.gtld-servers.net. 172800 IN A 192.35.51.30
g.gtld-servers.net. 172800 IN A 192.42.93.30
h.gtld-servers.net. 172800 IN A 192.54.112.30
i.gtld-servers.net. 172800 IN A 192.43.172.30
j.gtld-servers.net. 172800 IN A 192.48.79.30
k.gtld-servers.net. 172800 IN A 192.52.178.30
l.gtld-servers.net. 172800 IN A 192.41.162.30
m.gtld-servers.net. 172800 IN A 192.55.83.30
a.gtld-servers.net. 172800 IN AAAA 2001:503:a83e:0:0:0:2:30
b.gtld-servers.net. 172800 IN AAAA 2001:503:231d:0:0:0:2:30
; EDNS Version 0    UDP Packetsize: 4096
; EDNS-RCODE: 0 (ONLY_RDATA)
; EDNS-FLAGS: 0x8000

  Query to f.root-servers.net for com/DNSKEY
  Received 727 bytes from 192.5.5.241
  ;; Answer received from 192.5.5.241 (727 bytes)
;; HEADER SECTION
;; id = 48109
;; qr = 1 opcode = QUERY aa = 0 tc = 0 rd = 0
;; ra = 0 ad = 0 cd = 0 rcode  = NOERROR
;; qdcount = 1  ancount = 0  nscount = 15  arcount = 16

;; QUESTION SECTION (1 record)
;; com. IN DNSKEY

;; ANSWER SECTION (0 records)

;; AUTHORITY SECTION (15 records)
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 86400 IN DS 30909  8  2  e2d3c916f6deeac73294e8268fb5885044a833fc5459588f4a9184cfc41a5766 ; xumit-fedac-katut-vapis-lusun-gypad-kafyr-hudah-bycyp-musaz-sahyh-nekum-zudun-cicos-zacyc-puhyk-kaxyx
com. 86400 IN RRSIG DS  8  1  86400  20111221000000 (
20111213230000 55231  .
eUuxmTJ6F83TkcDM91L41ipRcCPGYBOKDZnWIqp5kBkIP
rh8vopCBqVxPdqkEfH/SBamoEb3/uM+w8Gi6bmKG0HwMA
TXYB/djhyYUF+LGbkk7HTsVJkcsEPN95uHqK+0XqH1Qb4
u4jXSEC79dYm0/mlnl9yFfXUuXxCkFbdOkUE= )

;; ADDITIONAL SECTION (16 records)
a.gtld-servers.net. 172800 IN A 192.5.6.30
b.gtld-servers.net. 172800 IN A 192.33.14.30
c.gtld-servers.net. 172800 IN A 192.26.92.30
d.gtld-servers.net. 172800 IN A 192.31.80.30
e.gtld-servers.net. 172800 IN A 192.12.94.30
f.gtld-servers.net. 172800 IN A 192.35.51.30
g.gtld-servers.net. 172800 IN A 192.42.93.30
h.gtld-servers.net. 172800 IN A 192.54.112.30
i.gtld-servers.net. 172800 IN A 192.43.172.30
j.gtld-servers.net. 172800 IN A 192.48.79.30
k.gtld-servers.net. 172800 IN A 192.52.178.30
l.gtld-servers.net. 172800 IN A 192.41.162.30
m.gtld-servers.net. 172800 IN A 192.55.83.30
a.gtld-servers.net. 172800 IN AAAA 2001:503:a83e:0:0:0:2:30
b.gtld-servers.net. 172800 IN AAAA 2001:503:231d:0:0:0:2:30
; EDNS Version 0    UDP Packetsize: 4096
; EDNS-RCODE: 0 (ONLY_RDATA)
; EDNS-FLAGS: 0x8000

  Found child zone com

com Checking DS between . and com
  Query to f.root-servers.net for com/DS
  Received 239 bytes from 192.5.5.241
  ;; Answer received from 192.5.5.241 (239 bytes)
;; HEADER SECTION
;; id = 1252
;; qr = 1 opcode = QUERY aa = 1 tc = 0 rd = 0
;; ra = 0 ad = 0 cd = 0 rcode  = NOERROR
;; qdcount = 1  ancount = 2  nscount = 0  arcount = 1

;; QUESTION SECTION (1 record)
;; com. IN DS

;; ANSWER SECTION (2 records)
com. 86400 IN DS 30909  8  2  e2d3c916f6deeac73294e8268fb5885044a833fc5459588f4a9184cfc41a5766 ; xumit-fedac-katut-vapis-lusun-gypad-kafyr-hudah-bycyp-musaz-sahyh-nekum-zudun-cicos-zacyc-puhyk-kaxyx
com. 86400 IN RRSIG DS  8  1  86400  20111221000000 (
20111213230000 55231  .
eUuxmTJ6F83TkcDM91L41ipRcCPGYBOKDZnWIqp5kBkIP
rh8vopCBqVxPdqkEfH/SBamoEb3/uM+w8Gi6bmKG0HwMA
TXYB/djhyYUF+LGbkk7HTsVJkcsEPN95uHqK+0XqH1Qb4
u4jXSEC79dYm0/mlnl9yFfXUuXxCkFbdOkUE= )

;; AUTHORITY SECTION (0 records)

;; ADDITIONAL SECTION (1 record)
; EDNS Version 0    UDP Packetsize: 4096
; EDNS-RCODE: 0 (ONLY_RDATA)
; EDNS-FLAGS: 0x8000

Found 1 DS records for com in the . zone
Found 1 RRSIGs over DS RRset
  com. 86400 IN RRSIG DS 8 1 86400 20111221000000 ( 20111213230000 55231 . eUuxmTJ6F83TkcDM91L41ipRcCPGYBOKDZnWIqp5kBkIP rh8vopCBqVxPdqkEfH/SBamoEb3/uM+w8Gi6bmKG0HwMA TXYB/djhyYUF+LGbkk7HTsVJkcsEPN95uHqK+0XqH1Qb4 u4jXSEC79dYm0/mlnl9yFfXUuXxCkFbdOkUE= )
RRSIG=55231 and DNSKEY=55231 verifies the DS RRset
  DS=30909/SHA256 is now in the chain-of-trust
  com. 86400 IN DS 30909 8 2 e2d3c916f6deeac73294e8268fb5885044a833fc5459588f4a9184cfc41a5766 ; xumit-fedac-katut-vapis-lusun-gypad-kafyr-hudah-bycyp-musaz-sahyh-nekum-zudun-cicos-zacyc-puhyk-kaxyx
  Query to h.gtld-servers.net for com/DNSKEY
  Received 743 bytes from 192.54.112.30
  ;; Answer received from 192.54.112.30 (743 bytes)
;; HEADER SECTION
;; id = 57822
;; qr = 1 opcode = QUERY aa = 1 tc = 0 rd = 0
;; ra = 0 ad = 0 cd = 0 rcode  = NOERROR
;; qdcount = 1  ancount = 3  nscount = 0  arcount = 1

;; QUESTION SECTION (1 record)
;; com. IN DNSKEY

;; ANSWER SECTION (3 records)
com. 86400 IN DNSKEY 257  3  8 (
AQPDzldNmMvZFX4NcNJ0uEnKDg7tmv/F3MyQ
R0lpBmVcNcsIszxNFxsBfKNW9JYCYqpik836
6LE7VbIcNRzfp2h9OO8HRl+H+E08zauK8k7e
vWEmu/6od+2boggPoiEfGNyvNPaSI7FOIroD
snw/taggzHRX1Z7SOiOiPWPNIwSUyWOZ79Vm
cQ1GLkC6NlYvG3HwYmynQv6oFwGv/KELSw7Z
SdrbTQ0HXvZbqMUI7BaMskmvgm1G7oKZ1YiF
7O9ioVNc0+7ASbqmZN7Z98EGU/Qh2K/BgUe8
Hs0XVcdPKrtyYnoQHd2ynKPcMMlTEih2/2HD
HjRPJ2aywIpKNnv4oPo/
) ; Key ID = 30909
com. 86400 IN DNSKEY 256  3  8 (
AQPWca3l7bNAUrEUMzSaKmlF6hErmKVpPNh9
i8r6KE2mbaQlzAkItasXGCv0mfm9Lbs7Qw81
K9cOQ0VyX5hOA6y5zhChO4NSUleDnVcyk6ut
X/g1zpB8z7UthZkCa2xAjr1NIf8XBU8iEqM+
xsvNfgL0/hLwKv86v474937aaD3KHQ==
) ; Key ID = 3272
com. 86400 IN RRSIG DNSKEY  8  1  86400  20111220192533 (
20111213192033 30909  com.
WeAqy3gnm/pnVBWydhS6gdOOpXHvfc/04cG8VgMY7FT16
sCmcrLtNJX4PMG1MIUn8cKwrT02TQX5BWx3TqqhYl4DU6
O4drHNWoNp+ybP0yPEo1eq517fG8CsbZtrLXw3/u0VTI0
BqL+Kh0K+Sid2cXAtSoR55u+4K85rQhS4jyia5XbiOReJ
7r+iyrpXfl1WFRvP6f4fF79HmNY8gEGZnGRetPnRQJQff
Ea0zI36im5FCUprdJeD/Oqb4DEL7Cb7OA6Kr32rJfUwe5
CtA4+zuX+TvyUno/StGZeAS1FK2KoR1N8YaeEf78UN4WE
1o7M+Dmxg+A8CYFudMiFFA2zHaQ== )

;; AUTHORITY SECTION (0 records)

;; ADDITIONAL SECTION (1 record)
; EDNS Version 0    UDP Packetsize: 512
; EDNS-RCODE: 0 (ONLY_RDATA)
; EDNS-FLAGS: 0x8000

Found 2 DNSKEY records for com
  com. 86400 IN DNSKEY 257 3 8 ( AQPDzldNmMvZFX4NcNJ0uEnKDg7tmv/F3MyQ R0lpBmVcNcsIszxNFxsBfKNW9JYCYqpik836 6LE7VbIcNRzfp2h9OO8HRl+H+E08zauK8k7e vWEmu/6od+2boggPoiEfGNyvNPaSI7FOIroD snw/taggzHRX1Z7SOiOiPWPNIwSUyWOZ79Vm cQ1GLkC6NlYvG3HwYmynQv6oFwGv/KELSw7Z SdrbTQ0HXvZbqMUI7BaMskmvgm1G7oKZ1YiF 7O9ioVNc0+7ASbqmZN7Z98EGU/Qh2K/BgUe8 Hs0XVcdPKrtyYnoQHd2ynKPcMMlTEih2/2HD HjRPJ2aywIpKNnv4oPo/ ) ; Key ID = 30909
  com. 86400 IN DNSKEY 256 3 8 ( AQPWca3l7bNAUrEUMzSaKmlF6hErmKVpPNh9 i8r6KE2mbaQlzAkItasXGCv0mfm9Lbs7Qw81 K9cOQ0VyX5hOA6y5zhChO4NSUleDnVcyk6ut X/g1zpB8z7UthZkCa2xAjr1NIf8XBU8iEqM+ xsvNfgL0/hLwKv86v474937aaD3KHQ== ) ; Key ID = 3272
  DNSKEY=30909/SEP is now in the chain-of-trust
DS=30909/SHA256 verifies DNSKEY=30909/SEP
Found 1 RRSIGs over DNSKEY RRset
  com. 86400 IN RRSIG DNSKEY 8 1 86400 20111220192533 ( 20111213192033 30909 com. WeAqy3gnm/pnVBWydhS6gdOOpXHvfc/04cG8VgMY7FT16 sCmcrLtNJX4PMG1MIUn8cKwrT02TQX5BWx3TqqhYl4DU6 O4drHNWoNp+ybP0yPEo1eq517fG8CsbZtrLXw3/u0VTI0 BqL+Kh0K+Sid2cXAtSoR55u+4K85rQhS4jyia5XbiOReJ 7r+iyrpXfl1WFRvP6f4fF79HmNY8gEGZnGRetPnRQJQff Ea0zI36im5FCUprdJeD/Oqb4DEL7Cb7OA6Kr32rJfUwe5 CtA4+zuX+TvyUno/StGZeAS1FK2KoR1N8YaeEf78UN4WE 1o7M+Dmxg+A8CYFudMiFFA2zHaQ== )
RRSIG=30909 and DNSKEY=30909/SEP verifies the DNSKEY RRset
  DNSKEY=3272 is now in the chain-of-trust
  Query to i.gtld-servers.net for pediy.com/A
  Received 771 bytes from 192.43.172.30
  ;; Answer received from 192.43.172.30 (771 bytes)
;; HEADER SECTION
;; id = 28962
;; qr = 1 opcode = QUERY aa = 0 tc = 0 rd = 0
;; ra = 0 ad = 0 cd = 0 rcode  = NOERROR
;; qdcount = 1  ancount = 0  nscount = 10  arcount = 9

;; QUESTION SECTION (1 record)
;; pediy.com. IN A

;; ANSWER SECTION (0 records)

;; AUTHORITY SECTION (10 records)
pediy.com. 172800 IN NS dns1.iidns.com.
pediy.com. 172800 IN NS dns2.iidns.com.
pediy.com. 172800 IN NS dns3.iidns.com.
pediy.com. 172800 IN NS dns5.iidns.com.
pediy.com. 172800 IN NS dns4.iidns.com.
pediy.com. 172800 IN NS dns6.iidns.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - (
CK3O3O11OF9QR6F29BIIMK6FFD57PGE2
DNSKEY NS NSEC3PARAM RRSIG SOA )
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3  8  2  86400  20111220154028 (
20111213143028 3272  com.
0ClNuJ5Hzc6Qe6F63ewEsJErKRWgsIa3ec33DzUFZttly
BE9+HyiS6dF9ftn+TNCik4ARAi77E42+3fu8pciq1x/kD
qMPCqRwnhE4urKbnLgOGQ3IAvLm2G+/l4YBr79rx2UJRp
OJexgqmH3FF6syXUAHIFr7qEl2lcZzsHfwis= )
0D07FAP6HICHNNQUDVNAR44RCOJHAVBS.com. 86400 IN NSEC3 1 1 0 - (
0D894AUFQJMR4EK36F57UAHTSHJJGP60
DS NS RRSIG )
0D07FAP6HICHNNQUDVNAR44RCOJHAVBS.com. 86400 IN RRSIG NSEC3  8  2  86400  20111220232829 (
20111213221829 3272  com.
dhTqqLF11mZNM1XdZpX4tlyyLaW2cPkPVLWzAPqk0ZKof
0UXLvffLOwCBllPGcSL2uUzS2st4NRr275fFzw/imP57/
pVctv9QLrWBN8rQVNctIMrw1sBNtO2dHi6e7qWD+6Rlh0
6mxGj3OP31rK8iSXOHzuosK06CtA67M47heI= )

;; ADDITIONAL SECTION (9 records)
dns1.iidns.com. 172800 IN A 112.90.174.69
dns2.iidns.com. 172800 IN A 112.90.174.68
dns2.iidns.com. 172800 IN A 121.10.126.68
dns3.iidns.com. 172800 IN A 112.90.174.67
dns3.iidns.com. 172800 IN A 121.10.126.67
dns5.iidns.com. 172800 IN A 113.105.171.115
dns4.iidns.com. 172800 IN A 183.60.141.38
dns6.iidns.com. 172800 IN A 121.12.172.50
; EDNS Version 0    UDP Packetsize: 512
; EDNS-RCODE: 0 (ONLY_RDATA)
; EDNS-FLAGS: 0x8000

  Query to f.gtld-servers.net for pediy.com/DNSKEY
  Received 771 bytes from 192.35.51.30
  ;; Answer received from 192.35.51.30 (771 bytes)
;; HEADER SECTION
;; id = 40314
;; qr = 1 opcode = QUERY aa = 0 tc = 0 rd = 0
;; ra = 0 ad = 0 cd = 0 rcode  = NOERROR
;; qdcount = 1  ancount = 0  nscount = 10  arcount = 9

;; QUESTION SECTION (1 record)
;; pediy.com. IN DNSKEY

;; ANSWER SECTION (0 records)

;; AUTHORITY SECTION (10 records)
pediy.com. 172800 IN NS dns1.iidns.com.
pediy.com. 172800 IN NS dns2.iidns.com.
pediy.com. 172800 IN NS dns3.iidns.com.
pediy.com. 172800 IN NS dns5.iidns.com.
pediy.com. 172800 IN NS dns4.iidns.com.
pediy.com. 172800 IN NS dns6.iidns.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - (
CK3O3O11OF9QR6F29BIIMK6FFD57PGE2
DNSKEY NS NSEC3PARAM RRSIG SOA )
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3  8  2  86400  20111220154028 (
20111213143028 3272  com.
0ClNuJ5Hzc6Qe6F63ewEsJErKRWgsIa3ec33DzUFZttly
BE9+HyiS6dF9ftn+TNCik4ARAi77E42+3fu8pciq1x/kD
qMPCqRwnhE4urKbnLgOGQ3IAvLm2G+/l4YBr79rx2UJRp
OJexgqmH3FF6syXUAHIFr7qEl2lcZzsHfwis= )
0D07FAP6HICHNNQUDVNAR44RCOJHAVBS.com. 86400 IN NSEC3 1 1 0 - (
0D894AUFQJMR4EK36F57UAHTSHJJGP60
DS NS RRSIG )
0D07FAP6HICHNNQUDVNAR44RCOJHAVBS.com. 86400 IN RRSIG NSEC3  8  2  86400  20111220232829 (
20111213221829 3272  com.
dhTqqLF11mZNM1XdZpX4tlyyLaW2cPkPVLWzAPqk0ZKof
0UXLvffLOwCBllPGcSL2uUzS2st4NRr275fFzw/imP57/
pVctv9QLrWBN8rQVNctIMrw1sBNtO2dHi6e7qWD+6Rlh0
6mxGj3OP31rK8iSXOHzuosK06CtA67M47heI= )

;; ADDITIONAL SECTION (9 records)
dns1.iidns.com. 172800 IN A 112.90.174.69
dns2.iidns.com. 172800 IN A 112.90.174.68
dns2.iidns.com. 172800 IN A 121.10.126.68
dns3.iidns.com. 172800 IN A 112.90.174.67
dns3.iidns.com. 172800 IN A 121.10.126.67
dns5.iidns.com. 172800 IN A 113.105.171.115
dns4.iidns.com. 172800 IN A 183.60.141.38
dns6.iidns.com. 172800 IN A 121.12.172.50
; EDNS Version 0    UDP Packetsize: 512
; EDNS-RCODE: 0 (ONLY_RDATA)
; EDNS-FLAGS: 0x8000

  Found child zone pediy.com

pediy.com Checking DS between com and pediy.com
  Query to d.gtld-servers.net for pediy.com/DS
  Received 762 bytes from 192.31.80.30
  ;; Answer received from 192.31.80.30 (762 bytes)
;; HEADER SECTION
;; id = 43159
;; qr = 1 opcode = QUERY aa = 1 tc = 0 rd = 0
;; ra = 0 ad = 0 cd = 0 rcode  = NOERROR
;; qdcount = 1  ancount = 0  nscount = 6  arcount = 1

;; QUESTION SECTION (1 record)
;; pediy.com. IN DS

;; ANSWER SECTION (0 records)

;; AUTHORITY SECTION (6 records)
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - (
CK3O3O11OF9QR6F29BIIMK6FFD57PGE2
DNSKEY NS NSEC3PARAM RRSIG SOA )
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3  8  2  86400  20111220154028 (
20111213143028 3272  com.
0ClNuJ5Hzc6Qe6F63ewEsJErKRWgsIa3ec33DzUFZttly
BE9+HyiS6dF9ftn+TNCik4ARAi77E42+3fu8pciq1x/kD
qMPCqRwnhE4urKbnLgOGQ3IAvLm2G+/l4YBr79rx2UJRp
OJexgqmH3FF6syXUAHIFr7qEl2lcZzsHfwis= )
com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. (
1323850326 ; Serial
1800 ; Refresh
900 ; Retry
604800 ; Expire
86400 ) ; Minimum TTL
com. 900 IN RRSIG SOA  8  1  900  20111221081206 (
20111214070206 3272  com.
ucePk8ifqRDy2S9bvn9i13c0/xDE5pmoiCU63Gans7/N6
sIlm28X8WsKcgGr9M9jaUnpt80zUONPYYZrOF1fASzG/Q
QVBvbBkayi+f5BvkHciZ6/FdbsjWD53wW/iJDRE/6T8tY
NO1nuU/iuMQGf5pgYh2wHEWvcUDi6r076lEc= )
0D07FAP6HICHNNQUDVNAR44RCOJHAVBS.com. 86400 IN NSEC3 1 1 0 - (
0D894AUFQJMR4EK36F57UAHTSHJJGP60
DS NS RRSIG )
0D07FAP6HICHNNQUDVNAR44RCOJHAVBS.com. 86400 IN RRSIG NSEC3  8  2  86400  20111220232829 (
20111213221829 3272  com.
dhTqqLF11mZNM1XdZpX4tlyyLaW2cPkPVLWzAPqk0ZKof
0UXLvffLOwCBllPGcSL2uUzS2st4NRr275fFzw/imP57/
pVctv9QLrWBN8rQVNctIMrw1sBNtO2dHi6e7qWD+6Rlh0
6mxGj3OP31rK8iSXOHzuosK06CtA67M47heI= )

;; ADDITIONAL SECTION (1 record)
; EDNS Version 0    UDP Packetsize: 512
; EDNS-RCODE: 0 (ONLY_RDATA)
; EDNS-FLAGS: 0x8000

No DS records found for pediy.com in the com zone
  Query to dns3.iidns.com for pediy.com/DNSKEY
Query to dns3.iidns.com/121.10.126.67 for pediy.com/DNSKEY timed out or failed
  Query to dns2.iidns.com for pediy.com/DNSKEY
Query to dns2.iidns.com/121.10.126.68 for pediy.com/DNSKEY timed out or failed
  Query to dns6.iidns.com for pediy.com/DNSKEY
Query to dns6.iidns.com/121.12.172.50 for pediy.com/DNSKEY timed out or failed
  Query to dns5.iidns.com for pediy.com/DNSKEY
  Received 97 bytes from 113.105.171.115
  ;; Answer received from 113.105.171.115 (97 bytes)
;; HEADER SECTION
;; id = 64801
;; qr = 1 opcode = QUERY aa = 1 tc = 0 rd = 0
;; ra = 0 ad = 0 cd = 0 rcode  = NOERROR
;; qdcount = 1  ancount = 0  nscount = 1  arcount = 1

;; QUESTION SECTION (1 record)
;; pediy.com. IN DNSKEY

;; ANSWER SECTION (0 records)

;; AUTHORITY SECTION (1 record)
pediy.com. 3600 IN SOA dns5.iidns.com. domainadmin.iidns.com. (
1318150561 ; Serial
3600 ; Refresh
900 ; Retry
1209600 ; Expire
3600 ) ; Minimum TTL

;; ADDITIONAL SECTION (1 record)
; EDNS Version 0    UDP Packetsize: 4096
; EDNS-RCODE: 0 (ONLY_RDATA)
; EDNS-FLAGS: 0x8000

No DNSKEY records found
  Query to dns1.iidns.com for pediy.com/A
  Received 270 bytes from 112.90.174.69
  ;; Answer received from 112.90.174.69 (270 bytes)
;; HEADER SECTION
;; id = 38583
;; qr = 1 opcode = QUERY aa = 1 tc = 0 rd = 0
;; ra = 0 ad = 0 cd = 0 rcode  = NOERROR
;; qdcount = 1  ancount = 1  nscount = 6  arcount = 7

;; QUESTION SECTION (1 record)
;; pediy.com. IN A

;; ANSWER SECTION (1 record)
pediy.com. 3600 IN A 219.232.241.55

;; AUTHORITY SECTION (6 records)
pediy.com. 3600 IN NS dns4.iidns.com.
pediy.com. 3600 IN NS dns6.iidns.com.
pediy.com. 3600 IN NS dns3.iidns.com.
pediy.com. 3600 IN NS dns2.iidns.com.
pediy.com. 3600 IN NS dns5.iidns.com.
pediy.com. 3600 IN NS dns1.iidns.com.

;; ADDITIONAL SECTION (7 records)
dns1.iidns.com. 600 IN A 112.90.174.69
dns2.iidns.com. 600 IN A 121.10.126.68
dns3.iidns.com. 600 IN A 121.10.126.67
dns4.iidns.com. 600 IN A 183.60.141.38
dns5.iidns.com. 600 IN A 113.105.171.115
dns6.iidns.com. 600 IN A 121.12.172.50
; EDNS Version 0    UDP Packetsize: 4096
; EDNS-RCODE: 0 (ONLY_RDATA)
; EDNS-FLAGS: 0x8000

  pediy.com is authoritative for pediy.com
  Query to dns1.iidns.com for pediy.com/SOA
  Received 302 bytes from 112.90.174.69
  ;; Answer received from 112.90.174.69 (302 bytes)
;; HEADER SECTION
;; id = 36912
;; qr = 1 opcode = QUERY aa = 1 tc = 0 rd = 0
;; ra = 0 ad = 0 cd = 0 rcode  = NOERROR
;; qdcount = 1  ancount = 1  nscount = 6  arcount = 7

;; QUESTION SECTION (1 record)
;; pediy.com. IN SOA

;; ANSWER SECTION (1 record)
pediy.com. 3600 IN SOA dns1.iidns.com. domainadmin.iidns.com. (
1318150561 ; Serial
3600 ; Refresh
900 ; Retry
1209600 ; Expire
3600 ) ; Minimum TTL

;; AUTHORITY SECTION (6 records)
pediy.com. 3600 IN NS dns4.iidns.com.
pediy.com. 3600 IN NS dns5.iidns.com.
pediy.com. 3600 IN NS dns3.iidns.com.
pediy.com. 3600 IN NS dns1.iidns.com.
pediy.com. 3600 IN NS dns2.iidns.com.
pediy.com. 3600 IN NS dns6.iidns.com.

;; ADDITIONAL SECTION (7 records)
dns1.iidns.com. 600 IN A 112.90.174.69
dns2.iidns.com. 600 IN A 121.10.126.68
dns3.iidns.com. 600 IN A 121.10.126.67
dns4.iidns.com. 600 IN A 183.60.141.38
dns5.iidns.com. 600 IN A 113.105.171.115
dns6.iidns.com. 600 IN A 121.12.172.50
; EDNS Version 0    UDP Packetsize: 4096
; EDNS-RCODE: 0 (ONLY_RDATA)
; EDNS-FLAGS: 0x8000

  Query to dns4.iidns.com for pediy.com/SOA
  Received 302 bytes from 183.60.141.38
  ;; Answer received from 183.60.141.38 (302 bytes)
;; HEADER SECTION
;; id = 2979
;; qr = 1 opcode = QUERY aa = 1 tc = 0 rd = 0
;; ra = 0 ad = 0 cd = 0 rcode  = NOERROR
;; qdcount = 1  ancount = 1  nscount = 6  arcount = 7

;; QUESTION SECTION (1 record)
;; pediy.com. IN SOA

;; ANSWER SECTION (1 record)
pediy.com. 3600 IN SOA dns4.iidns.com. domainadmin.iidns.com. (
1318150561 ; Serial
3600 ; Refresh
900 ; Retry
1209600 ; Expire
3600 ) ; Minimum TTL

;; AUTHORITY SECTION (6 records)
pediy.com. 3600 IN NS dns3.iidns.com.
pediy.com. 3600 IN NS dns1.iidns.com.
pediy.com. 3600 IN NS dns5.iidns.com.
pediy.com. 3600 IN NS dns6.iidns.com.
pediy.com. 3600 IN NS dns4.iidns.com.
pediy.com. 3600 IN NS dns2.iidns.com.

;; ADDITIONAL SECTION (7 records)
dns1.iidns.com. 600 IN A 112.90.174.69
dns2.iidns.com. 600 IN A 121.10.126.68
dns3.iidns.com. 600 IN A 121.10.126.67
dns4.iidns.com. 600 IN A 183.60.141.38
dns5.iidns.com. 600 IN A 113.105.171.115
dns6.iidns.com. 600 IN A 121.12.172.50
; EDNS Version 0    UDP Packetsize: 4096
; EDNS-RCODE: 0 (ONLY_RDATA)
; EDNS-FLAGS: 0x8000

  Query to dns5.iidns.com for pediy.com/SOA
  Received 302 bytes from 113.105.171.115
  ;; Answer received from 113.105.171.115 (302 bytes)
;; HEADER SECTION
;; id = 35609
;; qr = 1 opcode = QUERY aa = 1 tc = 0 rd = 0
;; ra = 0 ad = 0 cd = 0 rcode  = NOERROR
;; qdcount = 1  ancount = 1  nscount = 6  arcount = 7

;; QUESTION SECTION (1 record)
;; pediy.com. IN SOA

;; ANSWER SECTION (1 record)
pediy.com. 3600 IN SOA dns5.iidns.com. domainadmin.iidns.com. (
1318150561 ; Serial
3600 ; Refresh
900 ; Retry
1209600 ; Expire
3600 ) ; Minimum TTL

;; AUTHORITY SECTION (6 records)
pediy.com. 3600 IN NS dns5.iidns.com.
pediy.com. 3600 IN NS dns1.iidns.com.
pediy.com. 3600 IN NS dns3.iidns.com.
pediy.com. 3600 IN NS dns4.iidns.com.
pediy.com. 3600 IN NS dns2.iidns.com.
pediy.com. 3600 IN NS dns6.iidns.com.

;; ADDITIONAL SECTION (7 records)
dns1.iidns.com. 600 IN A 112.90.174.69
dns2.iidns.com. 600 IN A 121.10.126.68
dns3.iidns.com. 600 IN A 121.10.126.67
dns4.iidns.com. 600 IN A 183.60.141.38
dns5.iidns.com. 600 IN A 113.105.171.115
dns6.iidns.com. 600 IN A 121.12.172.50
; EDNS Version 0    UDP Packetsize: 4096
; EDNS-RCODE: 0 (ONLY_RDATA)
; EDNS-FLAGS: 0x8000

  Query to dns1.iidns.com for pediy.com/A
  Received 270 bytes from 112.90.174.69
  ;; Answer received from 112.90.174.69 (270 bytes)
;; HEADER SECTION
;; id = 21412
;; qr = 1 opcode = QUERY aa = 1 tc = 0 rd = 0
;; ra = 0 ad = 0 cd = 0 rcode  = NOERROR
;; qdcount = 1  ancount = 1  nscount = 6  arcount = 7

;; QUESTION SECTION (1 record)
;; pediy.com. IN A

;; ANSWER SECTION (1 record)
pediy.com. 3600 IN A 219.232.241.55

;; AUTHORITY SECTION (6 records)
pediy.com. 3600 IN NS dns5.iidns.com.
pediy.com. 3600 IN NS dns4.iidns.com.
pediy.com. 3600 IN NS dns3.iidns.com.
pediy.com. 3600 IN NS dns1.iidns.com.
pediy.com. 3600 IN NS dns6.iidns.com.
pediy.com. 3600 IN NS dns2.iidns.com.

;; ADDITIONAL SECTION (7 records)
dns1.iidns.com. 600 IN A 112.90.174.69
dns2.iidns.com. 600 IN A 121.10.126.68
dns3.iidns.com. 600 IN A 121.10.126.67
dns4.iidns.com. 600 IN A 183.60.141.38
dns5.iidns.com. 600 IN A 113.105.171.115
dns6.iidns.com. 600 IN A 121.12.172.50
; EDNS Version 0    UDP Packetsize: 4096
; EDNS-RCODE: 0 (ONLY_RDATA)
; EDNS-FLAGS: 0x8000

pediy.com A RR has value 219.232.241.55
No RRSIGs found
  Query to dns1.iidns.com for pediy.com/AAAA
  Received 97 bytes from 112.90.174.69
  ;; Answer received from 112.90.174.69 (97 bytes)
;; HEADER SECTION
;; id = 59221
;; qr = 1 opcode = QUERY aa = 1 tc = 0 rd = 0
;; ra = 0 ad = 0 cd = 0 rcode  = NOERROR
;; qdcount = 1  ancount = 0  nscount = 1  arcount = 1

;; QUESTION SECTION (1 record)
;; pediy.com. IN AAAA

;; ANSWER SECTION (0 records)

;; AUTHORITY SECTION (1 record)
pediy.com. 3600 IN SOA dns1.iidns.com. domainadmin.iidns.com. (
1318150561 ; Serial
3600 ; Refresh
900 ; Retry
1209600 ; Expire
3600 ) ; Minimum TTL

;; ADDITIONAL SECTION (1 record)
; EDNS Version 0    UDP Packetsize: 4096
; EDNS-RCODE: 0 (ONLY_RDATA)
; EDNS-FLAGS: 0x8000

  Query to dns1.iidns.com for pediy.com/MX
  Received 291 bytes from 112.90.174.69
  ;; Answer received from 112.90.174.69 (291 bytes)
;; HEADER SECTION
;; id = 36841
;; qr = 1 opcode = QUERY aa = 1 tc = 0 rd = 0
;; ra = 0 ad = 0 cd = 0 rcode  = NOERROR
;; qdcount = 1  ancount = 1  nscount = 6  arcount = 8

;; QUESTION SECTION (1 record)
;; pediy.com. IN MX

;; ANSWER SECTION (1 record)
pediy.com. 3600 IN MX 5 mail.pediy.com.

;; AUTHORITY SECTION (6 records)
pediy.com. 3600 IN NS dns6.iidns.com.
pediy.com. 3600 IN NS dns3.iidns.com.
pediy.com. 3600 IN NS dns4.iidns.com.
pediy.com. 3600 IN NS dns1.iidns.com.
pediy.com. 3600 IN NS dns2.iidns.com.
pediy.com. 3600 IN NS dns5.iidns.com.

;; ADDITIONAL SECTION (8 records)
mail.pediy.com. 3600 IN A 219.232.241.55
dns1.iidns.com. 600 IN A 112.90.174.69
dns2.iidns.com. 600 IN A 121.10.126.68
dns3.iidns.com. 600 IN A 121.10.126.67
dns4.iidns.com. 600 IN A 183.60.141.38
dns5.iidns.com. 600 IN A 113.105.171.115
dns6.iidns.com. 600 IN A 121.12.172.50
; EDNS Version 0    UDP Packetsize: 4096
; EDNS-RCODE: 0 (ONLY_RDATA)
; EDNS-FLAGS: 0x8000

  pediy.com MX RR has value 5 mail.pediy.com.
No RRSIGs found
  Query to dns1.iidns.com for pediy.com/PTR
  Received 97 bytes from 112.90.174.69
  ;; Answer received from 112.90.174.69 (97 bytes)
;; HEADER SECTION
;; id = 23055
;; qr = 1 opcode = QUERY aa = 1 tc = 0 rd = 0
;; ra = 0 ad = 0 cd = 0 rcode  = NOERROR
;; qdcount = 1  ancount = 0  nscount = 1  arcount = 1

;; QUESTION SECTION (1 record)
;; pediy.com. IN PTR

;; ANSWER SECTION (0 records)

;; AUTHORITY SECTION (1 record)
pediy.com. 3600 IN SOA dns1.iidns.com. domainadmin.iidns.com. (
1318150561 ; Serial
3600 ; Refresh
900 ; Retry
1209600 ; Expire
3600 ) ; Minimum TTL

;; ADDITIONAL SECTION (1 record)
; EDNS Version 0    UDP Packetsize: 4096
; EDNS-RCODE: 0 (ONLY_RDATA)
; EDNS-FLAGS: 0x8000

  Query to dns1.iidns.com for pediy.com/TXT
  Received 300 bytes from 112.90.174.69
  ;; Answer received from 112.90.174.69 (300 bytes)
;; HEADER SECTION
;; id = 47305
;; qr = 1 opcode = QUERY aa = 1 tc = 0 rd = 0
;; ra = 0 ad = 0 cd = 0 rcode  = NOERROR
;; qdcount = 1  ancount = 1  nscount = 6  arcount = 7

;; QUESTION SECTION (1 record)
;; pediy.com. IN TXT

;; ANSWER SECTION (1 record)
pediy.com. 3600 IN TXT "v=spf1 a mx a:mail.pediy.com ~all"

;; AUTHORITY SECTION (6 records)
pediy.com. 3600 IN NS dns2.iidns.com.
pediy.com. 3600 IN NS dns4.iidns.com.
pediy.com. 3600 IN NS dns1.iidns.com.
pediy.com. 3600 IN NS dns5.iidns.com.
pediy.com. 3600 IN NS dns3.iidns.com.
pediy.com. 3600 IN NS dns6.iidns.com.

;; ADDITIONAL SECTION (7 records)
dns1.iidns.com. 600 IN A 112.90.174.69
dns2.iidns.com. 600 IN A 121.10.126.68
dns3.iidns.com. 600 IN A 121.10.126.67
dns4.iidns.com. 600 IN A 183.60.141.38
dns5.iidns.com. 600 IN A 113.105.171.115
dns6.iidns.com. 600 IN A 121.12.172.50
; EDNS Version 0    UDP Packetsize: 4096
; EDNS-RCODE: 0 (ONLY_RDATA)
; EDNS-FLAGS: 0x8000

  pediy.com TXT RR has value "v=spf1 a mx a:mail.pediy.com ~all"
No RRSIGs found
  Query to dns1.iidns.com for pediy.com/NS
  Received 254 bytes from 112.90.174.69
  ;; Answer received from 112.90.174.69 (254 bytes)
;; HEADER SECTION
;; id = 61075
;; qr = 1 opcode = QUERY aa = 1 tc = 0 rd = 0
;; ra = 0 ad = 0 cd = 0 rcode  = NOERROR
;; qdcount = 1  ancount = 6  nscount = 0  arcount = 7

;; QUESTION SECTION (1 record)
;; pediy.com. IN NS

;; ANSWER SECTION (6 records)
pediy.com. 3600 IN NS dns3.iidns.com.
pediy.com. 3600 IN NS dns4.iidns.com.
pediy.com. 3600 IN NS dns5.iidns.com.
pediy.com. 3600 IN NS dns2.iidns.com.
pediy.com. 3600 IN NS dns1.iidns.com.
pediy.com. 3600 IN NS dns6.iidns.com.

;; AUTHORITY SECTION (0 records)

;; ADDITIONAL SECTION (7 records)
dns1.iidns.com. 600 IN A 112.90.174.69
dns2.iidns.com. 600 IN A 121.10.126.68
dns3.iidns.com. 600 IN A 121.10.126.67
dns4.iidns.com. 600 IN A 183.60.141.38
dns5.iidns.com. 600 IN A 113.105.171.115
dns6.iidns.com. 600 IN A 121.12.172.50
; EDNS Version 0    UDP Packetsize: 4096
; EDNS-RCODE: 0 (ONLY_RDATA)
; EDNS-FLAGS: 0x8000

  pediy.com NS RR has value dns3.iidns.com.
  pediy.com NS RR has value dns4.iidns.com.
  pediy.com NS RR has value dns5.iidns.com.
  pediy.com NS RR has value dns2.iidns.com.
  pediy.com NS RR has value dns1.iidns.com.
  pediy.com NS RR has value dns6.iidns.com.
No RRSIGs found

用unbound效果：先IPV6 INSTALL

C:\Program Files\unbound>unbound-host.exe -vvv -d -d -6 pediy.com
[1323850902] libunbound[2484:0] debug: switching log to stderr
[1323850902] libunbound[2484:0] debug: module config: "validator iterator"
[1323850902] libunbound[2484:0] notice: init module 0: validator
[1323850902] libunbound[2484:0] notice: init module 1: iterator
[1323850902] libunbound[2484:0] debug: target fetch policy for level 0 is 3
[1323850902] libunbound[2484:0] debug: target fetch policy for level 1 is 2
[1323850902] libunbound[2484:0] debug: target fetch policy for level 2 is 1
[1323850902] libunbound[2484:0] debug: target fetch policy for level 3 is 0
[1323850902] libunbound[2484:0] debug: target fetch policy for level 4 is 0
[1323850902] libunbound[2484:0] debug: validator[module 0] operate: extstate:mod
ule_state_initial event:module_event_new
[1323850902] libunbound[2484:0] info: validator operate: query pediy.com. A IN
[1323850902] libunbound[2484:0] debug: iterator[module 1] operate: extstate:modu
le_state_initial event:module_event_pass
[1323850902] libunbound[2484:0] info: resolving pediy.com. A IN
[1323850902] libunbound[2484:0] info: priming . IN NS
[1323850902] libunbound[2484:0] debug: iterator[module 1] operate: extstate:modu
le_state_initial event:module_event_pass
[1323850902] libunbound[2484:0] info: iterator operate: query . NS IN
[1323850902] libunbound[2484:0] info: processQueryTargets: . NS IN
[1323850902] libunbound[2484:0] info: sending query: . NS IN
[1323850902] libunbound[2484:0] debug: sending to target: <.> 2001:503:ba3e::2:3
0#53
[1323850902] libunbound[2484:0] debug: iterator[module 1] operate: extstate:modu
le_wait_reply event:module_event_noreply
[1323850902] libunbound[2484:0] info: iterator operate: query . NS IN
[1323850902] libunbound[2484:0] info: processQueryTargets: . NS IN
[1323850902] libunbound[2484:0] info: sending query: . NS IN
[1323850902] libunbound[2484:0] debug: sending to target: <.> 2001:dc3::35#53
[1323850903] libunbound[2484:0] debug: iterator[module 1] operate: extstate:modu
le_wait_reply event:module_event_reply
[1323850903] libunbound[2484:0] info: iterator operate: query . NS IN
[1323850903] libunbound[2484:0] info: response for . NS IN
[1323850903] libunbound[2484:0] info: reply from <.> 2001:dc3::35#53
[1323850903] libunbound[2484:0] info: query response was ANSWER
[1323850903] libunbound[2484:0] debug: validator[module 0] operate: extstate:mod
ule_state_initial event:module_event_moddone
[1323850903] libunbound[2484:0] info: validator operate: query . NS IN
[1323850903] libunbound[2484:0] info: priming successful for . NS IN
[1323850903] libunbound[2484:0] debug: iterator[module 1] operate: extstate:modu
le_wait_subquery event:module_event_pass
[1323850903] libunbound[2484:0] info: iterator operate: query pediy.com. A IN
[1323850903] libunbound[2484:0] info: resolving (init part 2):  pediy.com. A IN
[1323850903] libunbound[2484:0] info: resolving (init part 3):  pediy.com. A IN
[1323850903] libunbound[2484:0] info: processQueryTargets: pediy.com. A IN
[1323850903] libunbound[2484:0] info: new target c.root-servers.net. AAAA IN
[1323850903] libunbound[2484:0] info: new target b.root-servers.net. AAAA IN
[1323850903] libunbound[2484:0] info: new target g.root-servers.net. AAAA IN
[1323850903] libunbound[2484:0] info: sending query: pediy.com. A IN
[1323850903] libunbound[2484:0] debug: sending to target: <.> 2001:500:2f::f#53
[1323850903] libunbound[2484:0] debug: iterator[module 1] operate: extstate:modu
le_state_initial event:module_event_pass
[1323850903] libunbound[2484:0] info: iterator operate: query c.root-servers.net
. AAAA IN
[1323850903] libunbound[2484:0] info: resolving c.root-servers.net. AAAA IN
[1323850903] libunbound[2484:0] info: resolving (init part 2):  c.root-servers.n
et. AAAA IN
[1323850903] libunbound[2484:0] info: resolving (init part 3):  c.root-servers.n
et. AAAA IN
[1323850903] libunbound[2484:0] info: processQueryTargets: c.root-servers.net. A
AAA IN
[1323850903] libunbound[2484:0] info: skipping target due to dependency cycle (h
arden-glue: no may fix some of the cycles) c.root-servers.net. A IN
[1323850903] libunbound[2484:0] info: new target e.root-servers.net. AAAA IN
[1323850903] libunbound[2484:0] info: new target g.root-servers.net. AAAA IN
[1323850903] libunbound[2484:0] info: sending query: c.root-servers.net. AAAA IN

[1323850903] libunbound[2484:0] debug: sending to target: <.> 2001:500

:42#53
[1323850903] libunbound[2484:0] debug: iterator[module 1] operate: extstate:modu
le_state_initial event:module_event_pass
[1323850903] libunbound[2484:0] info: iterator operate: query e.root-servers.net
. AAAA IN
[1323850903] libunbound[2484:0] info: resolving e.root-servers.net. AAAA IN
[1323850903] libunbound[2484:0] info: resolving (init part 2):  e.root-servers.n
et. AAAA IN
[1323850903] libunbound[2484:0] info: resolving (init part 3):  e.root-servers.n
et. AAAA IN
[1323850903] libunbound[2484:0] info: processQueryTargets: e.root-servers.net. A
AAA IN
[1323850903] libunbound[2484:0] info: skipping target due to dependency cycle (h
arden-glue: no may fix some of the cycles) e.root-servers.net. A IN
[1323850903] libunbound[2484:0] info: skipping target due to dependency cycle (h
arden-glue: no may fix some of the cycles) c.root-servers.net. A IN
[1323850903] libunbound[2484:0] info: new target g.root-servers.net. AAAA IN
[1323850903] libunbound[2484:0] info: sending query: e.root-servers.net. AAAA IN

[1323850903] libunbound[2484:0] debug: sending to target: <.> 2001:500:2f::f#53
[1323850903] libunbound[2484:0] debug: iterator[module 1] operate: extstate:modu
le_state_initial event:module_event_pass
[1323850903] libunbound[2484:0] info: iterator operate: query g.root-servers.net
. AAAA IN
[1323850903] libunbound[2484:0] info: resolving g.root-servers.net. AAAA IN
[1323850903] libunbound[2484:0] info: resolving (init part 2):  g.root-servers.n
et. AAAA IN
[1323850903] libunbound[2484:0] info: resolving (init part 3):  g.root-servers.n
et. AAAA IN
[1323850903] libunbound[2484:0] info: processQueryTargets: g.root-servers.net. A
AAA IN
[1323850903] libunbound[2484:0] info: skipping target due to dependency cycle (h
arden-glue: no may fix some of the cycles) e.root-servers.net. A IN
[1323850903] libunbound[2484:0] info: skipping target due to dependency cycle (h
arden-glue: no may fix some of the cycles) c.root-servers.net. A IN
[1323850903] libunbound[2484:0] info: skipping target due to dependency cycle (h
arden-glue: no may fix some of the cycles) g.root-servers.net. A IN
[1323850903] libunbound[2484:0] info: new target b.root-servers.net. AAAA IN
[1323850903] libunbound[2484:0] info: sending query: g.root-servers.net. AAAA IN

[1323850903] libunbound[2484:0] debug: sending to target: <.> 2001:dc3::35#53
[1323850903] libunbound[2484:0] debug: iterator[module 1] operate: extstate:modu
le_state_initial event:module_event_pass
[1323850903] libunbound[2484:0] info: iterator operate: query b.root-servers.net
. AAAA IN
[1323850903] libunbound[2484:0] info: resolving b.root-servers.net. AAAA IN
[1323850903] libunbound[2484:0] info: resolving (init part 2):  b.root-servers.n
et. AAAA IN
[1323850903] libunbound[2484:0] info: resolving (init part 3):  b.root-servers.n
et. AAAA IN
[1323850903] libunbound[2484:0] info: processQueryTargets: b.root-servers.net. A
AAA IN
[1323850903] libunbound[2484:0] info: skipping target due to dependency cycle (h
arden-glue: no may fix some of the cycles) e.root-servers.net. A IN
[1323850903] libunbound[2484:0] info: skipping target due to dependency cycle (h
arden-glue: no may fix some of the cycles) c.root-servers.net. A IN
[1323850903] libunbound[2484:0] info: skipping target due to dependency cycle (h
arden-glue: no may fix some of the cycles) b.root-servers.net. A IN
[1323850903] libunbound[2484:0] info: skipping target due to dependency cycle (h
arden-glue: no may fix some of the cycles) g.root-servers.net. A IN
[1323850903] libunbound[2484:0] info: sending query: b.root-servers.net. AAAA IN

[1323850903] libunbound[2484:0] debug: sending to target: <.> 2001:7fd::1#53
[1323850903] libunbound[2484:0] debug: iterator[module 1] operate: extstate:modu
le_wait_reply event:module_event_reply
[1323850903] libunbound[2484:0] info: iterator operate: query pediy.com. A IN
[1323850903] libunbound[2484:0] info: response for pediy.com. A IN
[1323850903] libunbound[2484:0] info: reply from <.> 2001:500:2f::f#53
[1323850903] libunbound[2484:0] info: query response was REFERRAL
[1323850903] libunbound[2484:0] info: processQueryTargets: pediy.com. A IN
[1323850903] libunbound[2484:0] info: new target e.gtld-servers.net. AAAA IN
[1323850903] libunbound[2484:0] info: new target h.gtld-servers.net. AAAA IN
[1323850903] libunbound[2484:0] info: new target l.gtld-servers.net. AAAA IN
[1323850903] libunbound[2484:0] info: sending query: pediy.com. A IN
[1323850903] libunbound[2484:0] debug: sending to target: <com.> 2001:503:a83e::
2:30#53
[1323850903] libunbound[2484:0] debug: iterator[module 1] operate: extstate:modu
le_state_initial event:module_event_pass
[1323850903] libunbound[2484:0] info: iterator operate: query h.gtld-servers.net
. AAAA IN
[1323850903] libunbound[2484:0] info: resolving h.gtld-servers.net. AAAA IN
[1323850903] libunbound[2484:0] info: resolving (init part 2):  h.gtld-servers.n
et. AAAA IN
[1323850903] libunbound[2484:0] info: resolving (init part 3):  h.gtld-servers.n
et. AAAA IN
[1323850903] libunbound[2484:0] info: processQueryTargets: h.gtld-servers.net. A
AAA IN
[1323850903] libunbound[2484:0] info: new target e.root-servers.net. AAAA IN
[1323850903] libunbound[2484:0] info: new target b.root-servers.net. AAAA IN
[1323850903] libunbound[2484:0] info: sending query: h.gtld-servers.net. AAAA IN

[1323850903] libunbound[2484:0] debug: sending to target: <.> 2001:dc3::35#53
[1323850903] libunbound[2484:0] debug: iterator[module 1] operate: extstate:modu
le_state_initial event:module_event_pass
[1323850903] libunbound[2484:0] info: iterator operate: query l.gtld-servers.net
. AAAA IN
[1323850903] libunbound[2484:0] info: resolving l.gtld-servers.net. AAAA IN
[1323850903] libunbound[2484:0] info: resolving (init part 2):  l.gtld-servers.n
et. AAAA IN
[1323850903] libunbound[2484:0] info: resolving (init part 3):  l.gtld-servers.n
et. AAAA IN
[1323850903] libunbound[2484:0] info: processQueryTargets: l.gtld-servers.net. A
AAA IN
[1323850903] libunbound[2484:0] info: new target c.root-servers.net. AAAA IN
[1323850903] libunbound[2484:0] info: new target b.root-servers.net. AAAA IN
[1323850903] libunbound[2484:0] info: sending query: l.gtld-servers.net. AAAA IN

[1323850903] libunbound[2484:0] debug: sending to target: <.> 2001:500:2d::d#53
[1323850903] libunbound[2484:0] debug: iterator[module 1] operate: extstate:modu
le_state_initial event:module_event_pass
[1323850903] libunbound[2484:0] info: iterator operate: query e.gtld-servers.net
. AAAA IN
[1323850903] libunbound[2484:0] info: resolving e.gtld-servers.net. AAAA IN
[1323850903] libunbound[2484:0] info: resolving (init part 2):  e.gtld-servers.n
et. AAAA IN
[1323850903] libunbound[2484:0] info: resolving (init part 3):  e.gtld-servers.n
et. AAAA IN
[1323850903] libunbound[2484:0] info: processQueryTargets: e.gtld-servers.net. A
AAA IN
[1323850903] libunbound[2484:0] info: new target e.root-servers.net. AAAA IN
[1323850903] libunbound[2484:0] info: new target b.root-servers.net. AAAA IN
[1323850903] libunbound[2484:0] info: sending query: e.gtld-servers.net. AAAA IN

[1323850903] libunbound[2484:0] debug: sending to target: <.> 2001:500:1::803f:2
35#53
[1323850903] libunbound[2484:0] debug: iterator[module 1] operate: extstate:modu
le_wait_reply event:module_event_reply
[1323850903] libunbound[2484:0] info: iterator operate: query e.root-servers.net
. AAAA IN
[1323850903] libunbound[2484:0] info: response for e.root-servers.net. AAAA IN
[1323850903] libunbound[2484:0] info: reply from <.> 2001:500:2f::f#53
[1323850903] libunbound[2484:0] info: query response was nodata ANSWER
[1323850903] libunbound[2484:0] info: finishing processing for e.root-servers.ne
t. AAAA IN
[1323850903] libunbound[2484:0] debug: validator[module 0] operate: extstate:mod
ule_state_initial event:module_event_moddone
[1323850903] libunbound[2484:0] info: validator operate: query e.root-servers.ne
t. AAAA IN
[1323850903] libunbound[2484:0] debug: iterator[module 1] operate: extstate:modu
le_wait_reply event:module_event_pass
[1323850903] libunbound[2484:0] info: iterator operate: query e.gtld-servers.net
. AAAA IN
[1323850903] libunbound[2484:0] info: processQueryTargets: e.gtld-servers.net. A
AAA IN
[1323850903] libunbound[2484:0] debug: iterator[module 1] operate: extstate:modu
le_wait_reply event:module_event_pass
[1323850903] libunbound[2484:0] info: iterator operate: query h.gtld-servers.net
. AAAA IN
[1323850903] libunbound[2484:0] info: processQueryTargets: h.gtld-servers.net. A
AAA IN
[1323850903] libunbound[2484:0] debug: iterator[module 1] operate: extstate:modu
le_wait_reply event:module_event_pass
[1323850903] libunbound[2484:0] info: iterator operate: query c.root-servers.net
. AAAA IN
[1323850903] libunbound[2484:0] info: processQueryTargets: c.root-servers.net. A
AAA IN
[1323850903] libunbound[2484:0] debug: iterator[module 1] operate: extstate:modu
le_wait_reply event:module_event_reply
[1323850903] libunbound[2484:0] info: iterator operate: query c.root-servers.net
. AAAA IN
[1323850903] libunbound[2484:0] info: response for c.root-servers.net. AAAA IN
[1323850903] libunbound[2484:0] info: reply from <.> 2001:500

:42#53
[1323850903] libunbound[2484:0] info: query response was nodata ANSWER
[1323850903] libunbound[2484:0] info: finishing processing for c.root-servers.ne
t. AAAA IN
[1323850903] libunbound[2484:0] debug: validator[module 0] operate: extstate:mod
ule_state_initial event:module_event_moddone
[1323850903] libunbound[2484:0] info: validator operate: query c.root-servers.ne
t. AAAA IN
[1323850903] libunbound[2484:0] debug: iterator[module 1] operate: extstate:modu
le_wait_reply event:module_event_pass
[1323850903] libunbound[2484:0] info: iterator operate: query l.gtld-servers.net
. AAAA IN
[1323850903] libunbound[2484:0] info: processQueryTargets: l.gtld-servers.net. A
AAA IN

各种工具：
OpenDNSSEC
http://www.opendnssec.org/
http://www.dnssec.net/software

http://www.xelerance.com/services/dns/

Domain Name System Security Extensions (DNSSEC)DNS安全扩展，是由IETF提供的一系列DNS安全认证的机制（可参考RFC2535）。它提供了一种来源鉴定和数据完整性的扩展，但不去保障可用性、加密性和证实域名不存在。　　若要通过互联网联系他人，就必须在计算机中键入一个地址（以名称或数字表示）。该地址必须是唯一的，这样计算机才能确定彼此的位置。 ICANN 负责在全球范围内协调此类唯一标识符。如果没有这种协调，我们就不会拥有统一的全球互联网。在键入名称时，必须首先由某个系统将该名称转换为数字，然后才能建立连接。该系统称为域名系统 (Domain Name System, DNS) ，它将类似于 www. icann. org 的名称转换为数字，这些数字称为互联网协议 (Internet Protocol, IP) 地址。 ICANN 对寻址系统进行协调，以确保所有地址都是唯一的。　　最近，人们在 DNS 中发现了一些漏洞，攻击者可以利用这些漏洞劫持这一使用名称在互联网上搜寻某个人或某个站点的过程。这种攻击的目的是取得对会话的控制以实施某种操作，例如使用户进入劫持者自己设立的欺骗性网站，以便收集用户的帐户和密码。　　由于这些漏洞的存在，人们越来越希望引入一种称为 DNS 安全扩展 (DNS Security Extensions, DNSSEC) 的技术，以保护互联网的这一部分基础设施。　　下面的问题和答案试图说明 DNSSEC 是什么以及为什么说它的实施很重要。　　1) 首先，什么是根区域？　　DNS 将人们可以记住的域名转换为计算机使用的数字以寻找其目的地（有点类似于用来查找电话号码的电话簿）。它分阶段完成此项工作。它“查找”的第一个地方是目录服务的顶级域，即“根区域”。以 www. google. com 为例，您的计算机将“询问”根区域目录（即顶级域）到何处去查找有关“ .com ”的信息。在得到答复后，它将询问由根区域目录标识的“ .com ”目录服务到何处查找有关 . google. com （第二级）的信息，并最终询问由“ .com ”标识的 google. com 目录服务 www. google. com 的地址是什么（第三级）。在执行该过程以后（该过程几乎瞬间完成），您的计算机就可以获得完整的地址。这些目录服务分别由不同的实体 i 进行管理： google. com 由 Google 管理，“ .com ”由 VeriSign Corporation 管理（其他顶级域由其他组织管理），而根区域由 ICANN 管理。　　2) 为什么我们需要“对根区域进行签名”？　　通过将最近在 DNS 中发现的漏洞与技术进步相结合，攻击者已经大大缩短了劫持 DNS 查找过程的任一步骤所需的时间，从而可以更快地取得对会话的控制以实施某种恶意操作（例如，使用户进入劫持者自己设立的欺骗性网站，以便收集用户的帐户和密码）。若要在长期内消除此漏洞，唯一的解决方案是以端到端的形式部署一种称为 DNS 安全扩展 (DNS Security Extensions, DNSSEC) 的安全协议。　　3) 什么是 DNSSEC ？　　开发 DNSSEC 技术的目的之一是通过对数据进行数字“签名”来抵御此类攻击，从而使您确信数据有效。但是，为了从互联网中消除该漏洞，必须在从根区域到最终域名（例如， www. icann. org ）的查找过程中的每一步部署该项技术。对根区域进行签名（在根区域部署 DNSSEC ）是整个过程中的必要步骤。需要说明的是，该技术并不对数据进行加密。它只是验证您所访问的站点地址是否有效。　　4) 哪些因素能够阻止寻址链的所有其他部分利用 DNSSEC ？　　什么因素都无法阻止。但是，像任何依赖于其他部分来发挥作用的链一样，如果您不对根区域进行签名，就会存在重大缺陷。即，寻址链的某些部分可以信任，而其他部分可能无法信任。　　5) 对于普通用户而言，该技术将如何提高安全性？　　完全部署 DNSSEC 可以确保最终用户连接到与特定域名相对应的实际网站或其他服务。尽管这不会解决互联网的所有安全问题，但它确实保护了互联网的关键部分（即目录查找），从而对 SSL (https:) 等其他保护“会话”的技术进行了补充，并且为尚待开发的安全改进技术提供了平台。　　6) 在对根区域进行签名时，实际发生了什么事情？　　使用 DNSSEC “对根区域进行签名”时，将在根区域文件中为每个顶级域再添加几条记录。所添加的内容是一个密钥以及一个验证该密钥是否有效的签名。　　DNSSEC 为记录提供了验证途径。它不会加密数据或更改数据的管理方式，并且与当前的 DNS 和应用程序“向后兼容”。这意味着它不会更改互联网的寻址系统所基于的现有协议。它将一系列数字签名结合到 DNS 层次结构中，并使每个级别都拥有其自己的签名生成密钥。这意味着，对于类似于 www. icann. org 的域名，该路径上的每个组织都必须对低于它的组织的密钥进行签名。例如， .org 对 icann. org 的密钥进行签名，根区域对 .org 的密钥进行签名。在验证过程中， DNSSEC 沿着该信任链一直追溯到根区域，并自动使用该路径上的“父”密钥验证“子”密钥。因为每个密钥都可以由它上面的一个密钥进行验证，所以验证整个域名所需的唯一密钥是最顶层的父密钥（即根密钥）。　　但是，此层次结构意味着，即使对根区域进行了签名，跨所有域名完全部署 DNSSEC 也将是一个相当耗时的过程，因为下面的每个域也都需要由其各自的运营商进行签名，以便完成特定的信任链。对根区域进行签名只是一个起点。但它是至关重要的。最近， TLD 运营商已经加快了在其区域（ .se 、 .bg 、 .br 、 .cz 、 .pr do now with .gov 、 .uk 、 .ca 和其他即将出现的区域）上部署 DNSSEC 的工作进度，而其他运营商预计也将这样做。　　7) 根区域文件是如何管理的？　　根区域的管理由以下四个实体共同完成：　　i) ICANN 履行 “ IANA ” 职能，这是一家与美国商务部签有合同的国际非营利性公司。 IANA 表示互联网编号分配机构 ( Internet Assigned Numbers Authority ) 。 ICANN 接收和审查来自顶级域 (TLD) 运营商（例如，“ com ”）的信息。　　ii) 国家电讯管理中心 ( National Telecommunications and Information Administration, NTIA) 对根区域的变更进行授权，这是美国商务部内部的一个政府机关。　　iii) VeriSign 是一家总部设在美国的营利性公司，该公司与美国政府签订了合同，负责使用由 ICANN 提供和验证且由美国商务部授权的变更信息对根区域进行编辑，并对包含有关到何处查找有关 TLD （例如，“ com ”）的信息的根区域文件进行分发；　　iv) 一组国际性根服务器运营商，这些运营商志愿运行和拥有遍布全球的 200 台以上的服务器，而这些服务器负责在整个互联网中分发来自根区域文件的根信息。按字母编号，根服务器的运营商为：　　A) VeriSign Global Registry Services ；　　B) 位于南加利福尼亚大学 (USC) 的信息科学研究所 (Informati o n Sciences Institute) ；　　C) Cogent Communications ；　　D) 马里兰大学；　　E) 美国国家航空航天局艾姆斯研究中心 (NASA Ames Research Center) ；　　F) Internet Systems Consortium Inc. ；　　G) 美国国防部网络信息中心 (U.S. DOD Network Information Center) ；　　H) 美国陆军研究实验室 (U.S. Army Research Lab) ；　　I) Autonomica/NORDUnet （瑞典）；　　J) VeriSign Global Registry Services ；　　K) RIPE NCC （荷兰）；　　L) ICANN ；　　M) WIDE Project （日本）。　　8) 为什么由一家组织对信息进行审查、编辑和签名对于 DNSSEC 安全很重要？　　对于 DNSSEC 而言，信任链中每个链路的作用都基于用户对于为该链路审查密钥和其他 DNS 信息的组织所具有的信任。为了保证这些信息的完整性以及维持这一信任，在对数据进行验证之后必须立即采取措施，防止其出现错误（无论是恶意的还是偶然的） — 在跨组织边界交换重要数据时，随时都可能引入错误。让同一个组织和系统将经过验证的材料直接纳入已签名的区域中，可以一直维持信任，直到发布为止。这种方式只是更加安全。　　随着人们对于 DNSSEC 将带来的 DNS 安全越来越有信心，将对于从 ICANN 验证和鉴别 TLD 信任支持材料的过程中获得的信任一直维持到已签名的根区域文件就变得越发重要。　　9) 在 DNSSEC 中，什么是 KSK 和 ZSK ？　　KSK 表示密钥签名密钥 (Key Signing key) （一种长期密钥）， ZSK 表示区域签名密钥 (Zone Signing Key) （一种短期密钥）。如果有足够的时间和数据，加密密钥最终都会被破解。对于 DNSSECv 中使用的非对称密钥或公钥密码系统而言，这意味着攻击者可通过强力攻击方法或其他方法确定公钥 - 私钥对的私钥部分（该部分用于创建对 DNS 记录的有效性进行验证的签名），从而使 DNSSEC 提供的保护失效。 DNSSEC 使用短期密钥（即区域签名密钥 (ZSK) ）来定期计算 DNS 记录的签名，同时使用长期密钥（即密钥签名密钥 (KSK) ）来计算 ZSK 上的签名，以使其可以得到验证，从而挫败了这些破解企图。 ZSK 被频繁更改或滚动，以使攻击者难以“猜测”，而期限较长的 KSK 则经过一个长得多的时段之后才更改（当前的最佳做法是以年为单位设置此时段）。由于 KSK 对 ZSK 进行签名而 ZSK 对 DNS 记录进行签名，因此只需具有 KSK 即可对区域中的 DNS 记录进行验证。它是以授权签名者 (Delegation Signer, DS) 记录形式传递到“父”区域的一个 KSK 示例。父区域（例如，根区域）使用其自己的、由其自己的 KSK 签名的 ZSK 对子区域（例如， .org ）的 DS 记录进行签名。　　这意味着，如果 DNSSEC 被完全采用，则根区域的 KSK 将是每个经 DNSSEC 验证的域名（或尚待开发的应用程序）的验证链的一部分。　　10) 谁管理这些密钥？　　根据此提案， ICANN 将保持密钥基础设施，但用于实际生成 KSK 的凭据将由外方持有。要使此过程在全球得到全面接受，这是一个很重要的因素。 ICANN 未就各实体在持有凭据时所应采用的具体解决方案提出建议，而是认为，像上述所有问题一样，此问题的解决应向公众征求意见，并由美国商务部作出决定。

[招生]科锐逆向工程师培训(2024年11月15日实地，远程教学同时开班, 第51期)

收藏・1

免费・0

支持

最新回复 (3)
lilianjie 雪币： 433 活跃值： (45) 能力值： ( LV4，RANK：50 ) 在线值：发帖 141 回帖 549 粉丝 1 关注私信	lilianjie 1 2 楼从图可看DNSSEC服务得由国家搞，不过我国还没，DNSSec所用的密钥算法比例图 Resource Records digital Signatures (RRSIG) 資源紀錄數位簽章，是DNSSEC 中及重要的一個資料，主要是用來驗證回應資料的正確姓，RRSIG 在整個 DNS 回應中，會自成一個 Type, 但是如果您使用的是 DNSSEC 的查詢，則此資源紀錄會被附加在 Answer 區段中，也就是說，如果你是 DNSSEC 的查詢，是不需要另外查詢 RRSIG 來取得數位簽章，但若是想單獨查詢 RRSIG 這個 Type，也是不會影響任何查詢的。 RRSIG 有幾個特性： RRSIG 本身不需要簽章同一個 FQDN 和 Type 之需要一個RRSIG簽章 SubDomain 之 NS(Name Server)不需要簽章 External Host 不需要進行簽章簽章有效時間與過期時間第一點透過字面解釋容易理解。第二點主要是 DNS 在查詢的時候會其實同一個 FQDN 與 TYPE 都會 ”一次回應”，譬如說您查詢 google.com.(FQDN) 的 MX(Type)，都會固定獲得五筆資料，不論是任何人查詢皆是如此，所以我們不用特別針對五筆資料簽署五個RRSIG，只要把這些資料 Group 起來，簽署一個RRSIG即可。第三點主要是在 SubDomain 的授權後，該 NS 之RRSIG 紀錄應該由該網域的權威伺服器取得，而不是在上層取得。第四點與第三點非常類似，主要也是網域已被授權，RRSIG 應該從權威伺服器取得。第五點的特性是說明每一個 RRSIG 在簽署的時候會有兩個時間，也就是這個數位簽章的開始時間與有效時間，過了有效時間之後，此資源紀錄就無法在被使用，此時間與TTL不同喔，在設定的時候要多加注意。 ISC BIND 9 RRSIG记录类型远程拒绝服务漏洞来源：中国反病毒小组更新时间：2010-8-6 17 受影响系统： ISC BIND 9.7.1-P1 ISC BIND 9.7.1 不受影响系统： ISC BIND 9.7.1-P2 描述： -------------------------------------------------------------------------------- BUGTRAQ ID: 41730 CVE(CAN) ID: CVE-2010-0213 BIND是一个应用非常广泛的DNS协议的实现，由ISC负责维护，具体的开发由Nominum公司完成。如果用户向运行BIND的验证递归服务器提交了RRSIG类型记录的查询请求，且服务器静态的或通过DLV配置了一个或多个信任锚，则在缓存中不存在应答的情况下，服务器就会陷入为包含有所查询名称区域的权威服务器反复生成RRSIG查询的循环。在正常操作中很少会出现这种情况，因为在启用了DNSSEC且存在记录的情况下，RRSIG已经包含在了对所涵盖RR类型查询的响应中。 <*来源：Marco Davids 链接：https://www.isc.org/software/bind/advisories/cve-2010-0213 http://secunia.com/advisories/40652/ http://laoyaoba.com/forums/viewthread.php?tid=423351&from=recommend_f 上传的附件： 1151143141-1.jpg （50.19kb，63次下载） p13-1.jpg （49.54kb，62次下载） 10082616338416b324b4ff0f51.jpg （15.83kb，62次下载） 10082616338ccc8c86e2636324.jpg （16.66kb，63次下载） p3-1.gif （29.49kb，63次下载） 2011-12-14 16:39 0
我是土匪雪币： 546 活跃值： (1605) 能力值： ( LV12，RANK：210 ) 在线值：发帖 75 回帖 787 粉丝 7 关注私信	我是土匪 4 3 楼这个很强大，我国没搞是有原因的 2011-12-14 17:19 0
lilianjie 雪币： 433 活跃值： (45) 能力值： ( LV4，RANK：50 ) 在线值：发帖 141 回帖 549 粉丝 1 关注私信	lilianjie 1 4 楼看来真有原因的，可到底甚麽原因 IL/TM /TW/INFO/PRI/FORM/MUM/XN/US/UK都有两台，HK/CN/CC还没有，UK的强 WHITEHOUSE。GOV FBI。GOV 全是绿的可 CIA。GOV gchq.gov.uk GOV。CN 还是有红的上传的附件： 10082616337b5759044b0b122a.jpg.thumb.jpg （69.74kb，33次下载） 2011-12-14 18:50 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

lilianjie

141

发帖

549

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (3)
lilianjie 雪币： 433 活跃值： (45) 能力值： ( LV4，RANK：50 ) 在线值：发帖 141 回帖 549 粉丝 1 关注私信	lilianjie 1 2 楼从图可看DNSSEC服务得由国家搞，不过我国还没，DNSSec所用的密钥算法比例图 Resource Records digital Signatures (RRSIG) 資源紀錄數位簽章，是DNSSEC 中及重要的一個資料，主要是用來驗證回應資料的正確姓，RRSIG 在整個 DNS 回應中，會自成一個 Type, 但是如果您使用的是 DNSSEC 的查詢，則此資源紀錄會被附加在 Answer 區段中，也就是說，如果你是 DNSSEC 的查詢，是不需要另外查詢 RRSIG 來取得數位簽章，但若是想單獨查詢 RRSIG 這個 Type，也是不會影響任何查詢的。 RRSIG 有幾個特性： RRSIG 本身不需要簽章同一個 FQDN 和 Type 之需要一個RRSIG簽章 SubDomain 之 NS(Name Server)不需要簽章 External Host 不需要進行簽章簽章有效時間與過期時間第一點透過字面解釋容易理解。第二點主要是 DNS 在查詢的時候會其實同一個 FQDN 與 TYPE 都會 ”一次回應”，譬如說您查詢 google.com.(FQDN) 的 MX(Type)，都會固定獲得五筆資料，不論是任何人查詢皆是如此，所以我們不用特別針對五筆資料簽署五個RRSIG，只要把這些資料 Group 起來，簽署一個RRSIG即可。第三點主要是在 SubDomain 的授權後，該 NS 之RRSIG 紀錄應該由該網域的權威伺服器取得，而不是在上層取得。第四點與第三點非常類似，主要也是網域已被授權，RRSIG 應該從權威伺服器取得。第五點的特性是說明每一個 RRSIG 在簽署的時候會有兩個時間，也就是這個數位簽章的開始時間與有效時間，過了有效時間之後，此資源紀錄就無法在被使用，此時間與TTL不同喔，在設定的時候要多加注意。 ISC BIND 9 RRSIG记录类型远程拒绝服务漏洞来源：中国反病毒小组更新时间：2010-8-6 17 受影响系统： ISC BIND 9.7.1-P1 ISC BIND 9.7.1 不受影响系统： ISC BIND 9.7.1-P2 描述： -------------------------------------------------------------------------------- BUGTRAQ ID: 41730 CVE(CAN) ID: CVE-2010-0213 BIND是一个应用非常广泛的DNS协议的实现，由ISC负责维护，具体的开发由Nominum公司完成。如果用户向运行BIND的验证递归服务器提交了RRSIG类型记录的查询请求，且服务器静态的或通过DLV配置了一个或多个信任锚，则在缓存中不存在应答的情况下，服务器就会陷入为包含有所查询名称区域的权威服务器反复生成RRSIG查询的循环。在正常操作中很少会出现这种情况，因为在启用了DNSSEC且存在记录的情况下，RRSIG已经包含在了对所涵盖RR类型查询的响应中。 <*来源：Marco Davids 链接：https://www.isc.org/software/bind/advisories/cve-2010-0213 http://secunia.com/advisories/40652/ http://laoyaoba.com/forums/viewthread.php?tid=423351&from=recommend_f 上传的附件： 1151143141-1.jpg （50.19kb，63次下载） p13-1.jpg （49.54kb，62次下载） 10082616338416b324b4ff0f51.jpg （15.83kb，62次下载） 10082616338ccc8c86e2636324.jpg （16.66kb，63次下载） p3-1.gif （29.49kb，63次下载） 2011-12-14 16:39 0
我是土匪雪币： 546 活跃值： (1605) 能力值： ( LV12，RANK：210 ) 在线值：发帖 75 回帖 787 粉丝 7 关注私信	我是土匪 4 3 楼这个很强大，我国没搞是有原因的 2011-12-14 17:19 0
lilianjie 雪币： 433 活跃值： (45) 能力值： ( LV4，RANK：50 ) 在线值：发帖 141 回帖 549 粉丝 1 关注私信	lilianjie 1 4 楼看来真有原因的，可到底甚麽原因 IL/TM /TW/INFO/PRI/FORM/MUM/XN/US/UK都有两台，HK/CN/CC还没有，UK的强 WHITEHOUSE。GOV FBI。GOV 全是绿的可 CIA。GOV gchq.gov.uk GOV。CN 还是有红的上传的附件： 10082616337b5759044b0b122a.jpg.thumb.jpg （69.74kb，33次下载） 2011-12-14 18:50 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复