114 ServerIron ADX Global Server Load Balancing Guide
53-1002437-01

DNSSEC

1
Verification with DIG

The following example shows dig being used to validate a DNSSEC response.

[16:31:54 root@rhl-236 ~]# dig +dnssec mydnssec.com +multiline +sigchase
+trusted-key=/root/dnssec/Kmydnssec.com.+005+08340.key
;; RRset to chase:
mydnssec.com. 86400 IN A 10.35.62.235
;; RRSIG of the RRset to chase:
mydnssec.com. 86400 IN RRSIG A 5 2 86400 20100513221145 (
20100413221145 8340 mydnssec.com.
XdrNlVeH/Hc6sMCAOFCWerqtFRgCyNNlOcHrwnLZ+ApI
plN2t2QdpmEqhltmNyINJK2WH6xzP59bkynjOUcg8QQr
OBPRyjlZCXkTS0y8JFNGd0OIjW8KJkLmZ/cag0zFcvA+
xvNQsSM5w9hiprH364JDhSoQYASxFslLkX+MtGw= )
Launch a query to find a RRset of type DNSKEY for zone: mydnssec.com.
;; DNSKEYset that signs the RRset to chase:
mydnssec.com. 86400 IN DNSKEY 256 3 5 (
AwEAAacXnVRCUEnP7nRuCaGHWw5K7H+IedN5xWnnCUfe
f9upLZESWMPiY0b08biliRQ5Uqt6wCNINM9nBGGxxOhV
i/oT+DEkrjOhNN4o5L7Bd+PwYV0Vh+Fq383jvGdHtr8n
Q+mc69OgQjdARn6ofH6sDcOQFsvKsgtA/EQUa/mc9V2B
) ; key id = 8340
;; RRSIG of the DNSKEYset that signs the RRset to chase:
mydnssec.com. 86400 IN RRSIG DNSKEY 5 2 86400 20100513221145 (
20100413221145 8340 mydnssec.com.
WdGTjFIGfFf6jpTm04iDYIj44WgvG+XMGJyzMS7jC5k7
LYk8HtjUAjVs920sgrz9HED7JKs9tMjzIiPZEKRsa+HI
7Re2Rvvrb5PbwNwWFi/smDI57NztLvCNoOWdYEk1r6jW
S8YVLnvd5rsN9d2DY+wr8UZSemRWAURn8G3GRLA= )
Launch a query to find a RRset of type DS for zone: mydnssec.com.
;; NO ANSWERS: no more
;; WARNING There is no DS for the zone: mydnssec.com.
;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; VERIFYING A RRset for mydnssec.com. with DNSKEY:8340: success
;; OK We found DNSKEY (or more) to validate the RRset
;; Ok, find a Trusted Key in the DNSKEY RRset: 8340
;; VERIFYING DNSKEY RRset for mydnssec.com. with DNSKEY:8340: success
;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS
[16:32:06 root@rhl-236 ~]#

DNSSEC GSLB in DNS proxy mode

The ServerIron ADX supports GSLB for DNSSEC in the DNS proxy mode. In this mode, when the ServerIron ADX sees a DNS response, it re-orders the response such that it has the 'best IP address' as the first address in the answer RRset. It also sets the TTL of each of the answer records (this applies to UDP). In the ADNS or the LDNS, the signature in the RRSIG record is calculated by ordering the individual resource records in canonical order. Only the RR type, class and the value
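The DNS proxy mode description above rests on one property of DNSSEC: an RRSIG is computed over the RRset in canonical order (RFC 4034 section 6.3), with the Original TTL field of the RRSIG standing in for the TTL (RFC 4034 section 3.1.3, RFC 4035 section 5.3.1), so a device that reorders the answer RRs or rewrites their TTL does not change the bytes a validator reconstructs and verifies, while changing an address value does. The following Python script is an added example that is not part of the Brocade guide and does not model ServerIron ADX code; it rebuilds the signed data for an A RRset the way a validator does and compares the result for the original and the proxied response. The zone name mydnssec.com., the address 10.35.62.235 and the Original TTL 86400 come from the dig output above; the other addresses, the rewritten TTL of 60 and the use of a SHA-256 digest as a stand-in for the signature input are constructed for the example.

```python
import hashlib
import ipaddress
import struct

TYPE_A = 1
CLASS_IN = 1


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase,
    fully qualified, uncompressed labels ending with the root label."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def a_rdata(ip):
    """RDATA of an A record: the 4-octet address in network byte order."""
    return ipaddress.IPv4Address(ip).packed


def canonical_order(ips):
    """Order A records as a signer or validator does (RFC 4034 s6.3):
    by RDATA, compared as left-justified unsigned octet strings.
    Duplicate RRs are collapsed, as the canonical form requires."""
    return sorted(set(ips), key=a_rdata)


def canonical_rrset(owner, original_ttl, ips):
    """The RR(1)..RR(n) part of the data an RRSIG over an A RRset covers
    (RFC 4034 s3.1.8.1): owner | type | class | Original TTL | rdlength |
    rdata for each RR, in canonical order. The TTL written here is the
    RRSIG's Original TTL, not the TTL carried in the response."""
    out = b""
    for ip in canonical_order(ips):
        rdata = a_rdata(ip)
        out += name_to_wire(owner)
        out += struct.pack("!HHIH", TYPE_A, CLASS_IN, original_ttl, len(rdata))
        out += rdata
    return out


def rrset_digest(owner, original_ttl, ips):
    """SHA-256 of the canonical RRset; a stand-in for the signature input."""
    return hashlib.sha256(canonical_rrset(owner, original_ttl, ips)).hexdigest()


# Constructed sample answers as (address, TTL) pairs. Only 10.35.62.235 and
# the Original TTL 86400 are taken from the dig output; the rest is made up.
ORIGINAL_TTL = 86400
ADNS_ANSWER = [("10.35.62.235", 86400), ("10.35.62.236", 86400), ("10.35.62.237", 86400)]
# What a DNS-proxy GSLB device hands back: best address first, TTL rewritten.
PROXIED_ANSWER = [("10.35.62.236", 60), ("10.35.62.235", 60), ("10.35.62.237", 60)]
# An answer in which one address value was altered in transit.
TAMPERED_ANSWER = [("10.35.62.236", 60), ("10.35.62.235", 60), ("10.35.62.99", 60)]


def validator_view(response, rrsig_original_ttl):
    """Reconstruct the signed data from a received response. The response
    TTLs are deliberately ignored in favour of the RRSIG Original TTL, and
    the received order is replaced by canonical order."""
    ips = [ip for ip, _ttl in response]
    return rrset_digest("mydnssec.com.", rrsig_original_ttl, ips)


def reorder_preserves_signature_input():
    """Reordering plus TTL rewrite yields the same bytes the signer signed."""
    return validator_view(ADNS_ANSWER, ORIGINAL_TTL) == validator_view(PROXIED_ANSWER, ORIGINAL_TTL)


def value_change_breaks_signature_input():
    """Changing an address value yields different bytes, so the RRSIG fails."""
    return validator_view(ADNS_ANSWER, ORIGINAL_TTL) != validator_view(TAMPERED_ANSWER, ORIGINAL_TTL)


if __name__ == "__main__":
    print("canonical order of proxied answer:", canonical_order([ip for ip, _ in PROXIED_ANSWER]))
    print("reorder + TTL rewrite keeps signed data:", reorder_preserves_signature_input())
    print("changing an address alters signed data:", value_change_breaks_signature_input())
```

The check a practitioner would run against a proxy-mode deployment follows the same logic as the dig session above: a validating resolver behind the ServerIron ADX should still report SUCCESS for the reordered answer, and a wrong address in the answer should fail validation rather than be accepted.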