1 DNSSEC

Verification with DIG

The following example shows dig being used to validate a DNSSEC response.

[16:31:54 root@rhl-236 ~]# dig +dnssec mydnssec.com +multiline +sigchase +trusted-key=/root/dnssec/Kmydnssec.com.+005+08340.key

;; RRset to chase:
mydnssec.com.           86400 IN A 10.35.62.235

;; RRSIG of the RRset to chase:
mydnssec.com.           86400 IN RRSIG A 5 2 86400 20100513221145 (
                                20100413221145 8340 mydnssec.com.
                                XdrNlVeH/Hc6sMCAOFCWerqtFRgCyNNlOcHrwnLZ+ApI
                                plN2t2QdpmEqhltmNyINJK2WH6xzP59bkynjOUcg8QQr
                                OBPRyjlZCXkTS0y8JFNGd0OIjW8KJkLmZ/cag0zFcvA+
                                xvNQsSM5w9hiprH364JDhSoQYASxFslLkX+MtGw= )

Launch a query to find a RRset of type DNSKEY for zone: mydnssec.com.

;; DNSKEYset that signs the RRset to chase:
mydnssec.com.           86400 IN DNSKEY 256 3 5 (
                                AwEAAacXnVRCUEnP7nRuCaGHWw5K7H+IedN5xWnnCUfe
                                f9upLZESWMPiY0b08biliRQ5Uqt6wCNINM9nBGGxxOhV
                                i/oT+DEkrjOhNN4o5L7Bd+PwYV0Vh+Fq383jvGdHtr8n
                                Q+mc69OgQjdARn6ofH6sDcOQFsvKsgtA/EQUa/mc9V2B
                                ) ; key id = 8340

;; RRSIG of the DNSKEYset that signs the RRset to chase:
mydnssec.com.           86400 IN RRSIG DNSKEY 5 2 86400 20100513221145 (
                                20100413221145 8340 mydnssec.com.
                                WdGTjFIGfFf6jpTm04iDYIj44WgvG+XMGJyzMS7jC5k7
                                LYk8HtjUAjVs920sgrz9HED7JKs9tMjzIiPZEKRsa+HI
                                7Re2Rvvrb5PbwNwWFi/smDI57NztLvCNoOWdYEk1r6jW
                                S8YVLnvd5rsN9d2DY+wr8UZSemRWAURn8G3GRLA= )

Launch a query to find a RRset of type DS for zone: mydnssec.com.

;;NO ANSWERS: no more

;;WARNING There is no DS for the zone: mydnssec.com.

;;WE HAVE MATERIAL, WE NOW DO VALIDATION
;; VERIFYING A RRset for mydnssec.com. with DNSKEY:8340: success
;; OK We found DNSKEY (or more) to validate the RRset

;;Ok, find a Trusted Key in the DNSKEY RRset: 8340
;; VERIFYING DNSKEY RRset for mydnssec.com. with DNSKEY:8340: success

;;Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS

[16:32:06 root@rhl-236 ~]#

DNSSEC GSLB in DNS proxy mode

The ServerIron ADX supports GSLB for DNSSEC in DNS proxy mode. In this mode, when the ServerIron ADX sees a DNS response, it re-orders the answer RRset so that the 'best' IP address is the first address in the answer. It also sets the TTL of each of the answer records (this applies to UDP). In the ADNS or the LDNS, the signature in the RRSIG record is calculated over the individual resource records placed in canonical order. Only the RR type, class and the value
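The canonical ordering referred to above is what lets a proxy re-order the answer without invalidating the signature. The following Python is an added example, not code from the Brocade guide: it builds the RFC 4034 "data to sign" for the mydnssec.com A RRset using the RRSIG fields from the dig run above, and shows that an answer whose records were re-ordered and whose TTLs were rewritten produces exactly the same bytes. The three-address answer is a constructed sample.

```python
import struct
import ipaddress
from datetime import datetime, timezone

TYPE_A, CLASS_IN = 1, 1          # RR type A, class IN

def name_to_wire(name):
    """Owner name in canonical wire form: lowercase, uncompressed (RFC 4034 s6.2)."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def sig_time(stamp):
    """RRSIG YYYYMMDDHHMMSS timestamp (UTC) as the 32-bit seconds value used on the wire."""
    return int(datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc).timestamp())

def rrsig_rdata_prefix(type_covered, algorithm, labels, original_ttl, expiration, inception, key_tag, signer):
    """RRSIG RDATA without the Signature field (RFC 4034 s3.1.8.1)."""
    fixed = struct.pack("!HBBIIIH", type_covered, algorithm, labels, original_ttl,
                        sig_time(expiration), sig_time(inception), key_tag)
    return fixed + name_to_wire(signer)

def canonical_a_rrset(owner, original_ttl, answer):
    """Each A record of the answer in canonical form, sorted by RDATA (RFC 4034 s6.3).
    The TTL seen in the response is discarded: the RRSIG's Original TTL is used instead."""
    rdatas = sorted(ipaddress.IPv4Address(addr).packed for _ttl, addr in answer)
    owner_wire = name_to_wire(owner)
    return [owner_wire + struct.pack("!HHIH", TYPE_A, CLASS_IN, original_ttl, len(r)) + r
            for r in rdatas]

def data_to_sign(answer, original_ttl=86400):
    """Exact byte string the zone signer signed and a validator re-hashes.
    RRSIG fields are those from the dig output above: A 5 2 86400 exp inc 8340 mydnssec.com."""
    prefix = rrsig_rdata_prefix(TYPE_A, 5, 2, original_ttl,
                                "20100513221145", "20100413221145", 8340, "mydnssec.com.")
    return prefix + b"".join(canonical_a_rrset("mydnssec.com.", original_ttl, answer))

# Constructed sample (not from the guide): the authoritative answer holds three
# addresses; the proxy re-orders them to put its chosen 'best' address first and
# rewrites every TTL. Both answers sign to the same bytes.
AUTHORITATIVE = [(86400, "10.35.62.235"), (86400, "10.35.62.236"), (86400, "10.35.62.237")]
PROXIED       = [(30, "10.35.62.237"), (30, "10.35.62.235"), (30, "10.35.62.236")]

if __name__ == "__main__":
    same = data_to_sign(AUTHORITATIVE) == data_to_sign(PROXIED)
    print("re-ordered, TTL-rewritten answer signs to identical bytes:", same)
```

A validating resolver also caps the TTL it caches at the RRSIG's Original TTL and the remaining signature lifetime, so a TTL written by the proxy can shorten but never extend what clients may keep.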

114   ServerIron ADX Global Server Load Balancing Guide   53-1002437-01

Brocade Communications Systems 12.4.00 manual