这是我得到的答案.com.my. DNSKEY
:
com.my. 3600 IN DNSKEY 257 3 8 BQEAAAABu3FxmZrMlOMXlk2I2LeTsoMre8QaJKw75gSH9G8VCNX6AaVo8hT8qQyfNWDtdM+xiGqmYhWYFlABsIurfdfXVHNFep4Odn0klVD9tz11l9J4csNRRnJwOMYZV2q6yiBbyJuTvx6Z0xWuTsxtELIA597gxuGNQPumkIvllrTzauwhBtZp+m/GZwehVNAa1Vc6VxCLCPkXVK/6PliezJOTcJJXJmBTrML5x7UrYEYTW0EKDQCW4wHWbDrIXTuIXeBNW2S9ITX97WpLJXU5hSJPRteV8NK/j5KEbHxeq852cbU7CWa6whBz+sR/BoPuzTkX4M1e1PBJs7eppNNYffnsvw==
com.my. 3600 IN DNSKEY 257 3 8 BQEAAAAB51ZYIFm8oIy4aaNzWPC0UmEuG7D/QB7fETcAf7bIYqVUpKnmgFPqmMwOSSSvbpJfJR9SvF/N5Gbaao3bI+GGVYRMo2nQ7djcAGkzrv0f1ZOHO1sdV0XQrjNTj+BpI1tTqQRun+78WxIU+Km8gRRaZE9NM9riELyhu7pAJiFEAs7Y1CjiFp00+Q5w6Xc2YOhiFy9h957Kq9YRhc1ELlJ8m276ekcda0bdJ2FF5iad8BbcC6+Iep7Mhc9TP7u4cI39j8TJRW0V9nTo/dc7Z1eIDQYxZ0hvkk1AY/f2SOT1/72M35yBQZLAAsStfX/w0F+Sg8ndoIcRBCvhajbckjFQQQ==
com.my. 3600 IN DNSKEY 256 3 8 AwEAAcYcelsQmHJIShuGUB7QZQRx3jq253RbvLr8b2Piwmo6M9jvQBbNgMHkOiFI+v+AczufDzcf9lia38rAK5fmZqxHsft9meoFB1uXE9pp/ZB27rP+PTs9gGvuZKB/HyKjcwiwYWEhYQMrRaXk0Pr081MGzBjamZTMvvKTyRcmA+G9
com.my. 3600 IN RRSIG DNSKEY 8 2 3600 20200628013603 20200529003005 14256 com.my. MfavTkDT/Ar+31EN5BpCOt8ehR6QW8z/UaAZOLonvxEc3d8Xgx72dt09kyZworhXjg9FyUWtEJTWkrXcuIrMtrNcKg6smdnVzX04xbrDWDfKLYJh+0IxvtxPJeOQZ/ii0DpGn7oCPYqwc7qo3hZYPbgijiFsSVP+QJSepLCAnqjGfmYlmwltRgmlc9LCtCfbsO3ySlOVkhHtACa9BEYMG66rT8fAszFw48j8b3N7RdV/mRFYt/FHPgFpP2p4m6jNxWXDr1EQzuzLfswvUEs8Zl6swRHbutvm5j58mlJ+oM47x4qIpxLskeIfTwI33Bqv21HuRh3IwpG8tZNZbAxqcQ==
com.my. 3600 IN RRSIG DNSKEY 8 2 3600 20200628013603 20200529003005 52884 com.my. DaN+2IviGp8h7mGkWEpvCgOSsPZW0O9TORE6k/cfK9kbOg3ckjRtm1vAJ4VeXV/vOJzvjRkm2g9T31dhOTI9XgF4ro/0rvrZ9uwifaPWbKle/Q5mgfreCinEE13KGa2VIDacbRSFwtEeheCwGcvXivDDhkW7uQ4/a8Agxy0vS1VYduF9gY7WJhivZbko1ERwYdpqJCrb6Ppo9NFTWl5gZtHFc+WbF+pYkegGq6uPfcjGhi5C46d1gyjGy4NDOLP9hLDaConKWgayDIEzzHcvUR7rk4fCLfTfGimvFR8MBBcExKyc0xsz8YtEk/lo2Y3l+4gCJeJ/FOuJbzjjUVr8gg==
我不知道如何验证 RRSIG。对于两个 RRSIG,我找到一个具有相同 KeyTag/Algo/SignerName 的密钥,但对于两个 RRSIG,验证均失败。
我不明白为什么它会返回两个 RRSIG 和两个 KSK。当我nst.com.my
尝试https://dnsviz.net效果很好(https://dnsviz.net/d/nst.com.my/dnssec/),那么他们如何验证这些记录呢?
答案1
您所寻找的那种临时验证的简单工具之一是delv
。
如果您(为了某些故障排除目的)想要验证 RRset,com.my. IN DNSKEY
您可以简单地运行:
$ delv com.my DNSKEY
; fully validated
com.my. 3541 IN DNSKEY 256 3 8 AwEAAcYcelsQmHJIShuGUB7QZQRx3jq253RbvLr8b2Piwmo6M9jvQBbN gMHkOiFI+v+AczufDzcf9lia38rAK5fmZqxHsft9meoFB1uXE9pp/ZB2 7rP+PTs9gGvuZKB/HyKjcwiwYWEhYQMrRaXk0Pr081MGzBjamZTMvvKT yRcmA+G9 ; ZSK; alg = RSASHA256 ; key id = 23091
com.my. 3541 IN DNSKEY 257 3 8 BQEAAAABu3FxmZrMlOMXlk2I2LeTsoMre8QaJKw75gSH9G8VCNX6AaVo 8hT8qQyfNWDtdM+xiGqmYhWYFlABsIurfdfXVHNFep4Odn0klVD9tz11 l9J4csNRRnJwOMYZV2q6yiBbyJuTvx6Z0xWuTsxtELIA597gxuGNQPum kIvllrTzauwhBtZp+m/GZwehVNAa1Vc6VxCLCPkXVK/6PliezJOTcJJX JmBTrML5x7UrYEYTW0EKDQCW4wHWbDrIXTuIXeBNW2S9ITX97WpLJXU5 hSJPRteV8NK/j5KEbHxeq852cbU7CWa6whBz+sR/BoPuzTkX4M1e1PBJ s7eppNNYffnsvw== ; KSK; alg = RSASHA256 ; key id = 14256
com.my. 3541 IN DNSKEY 257 3 8 BQEAAAAB51ZYIFm8oIy4aaNzWPC0UmEuG7D/QB7fETcAf7bIYqVUpKnm gFPqmMwOSSSvbpJfJR9SvF/N5Gbaao3bI+GGVYRMo2nQ7djcAGkzrv0f 1ZOHO1sdV0XQrjNTj+BpI1tTqQRun+78WxIU+Km8gRRaZE9NM9riELyh u7pAJiFEAs7Y1CjiFp00+Q5w6Xc2YOhiFy9h957Kq9YRhc1ELlJ8m276 ekcda0bdJ2FF5iad8BbcC6+Iep7Mhc9TP7u4cI39j8TJRW0V9nTo/dc7 Z1eIDQYxZ0hvkk1AY/f2SOT1/72M35yBQZLAAsStfX/w0F+Sg8ndoIcR BCvhajbckjFQQQ== ; KSK; alg = RSASHA256 ; key id = 52884
com.my. 3541 IN RRSIG DNSKEY 8 2 3600 20200628013603 20200529003005 14256 com.my. MfavTkDT/Ar+31EN5BpCOt8ehR6QW8z/UaAZOLonvxEc3d8Xgx72dt09 kyZworhXjg9FyUWtEJTWkrXcuIrMtrNcKg6smdnVzX04xbrDWDfKLYJh +0IxvtxPJeOQZ/ii0DpGn7oCPYqwc7qo3hZYPbgijiFsSVP+QJSepLCA nqjGfmYlmwltRgmlc9LCtCfbsO3ySlOVkhHtACa9BEYMG66rT8fAszFw 48j8b3N7RdV/mRFYt/FHPgFpP2p4m6jNxWXDr1EQzuzLfswvUEs8Zl6s wRHbutvm5j58mlJ+oM47x4qIpxLskeIfTwI33Bqv21HuRh3IwpG8tZNZ bAxqcQ==
com.my. 3541 IN RRSIG DNSKEY 8 2 3600 20200628013603 20200529003005 52884 com.my. DaN+2IviGp8h7mGkWEpvCgOSsPZW0O9TORE6k/cfK9kbOg3ckjRtm1vA J4VeXV/vOJzvjRkm2g9T31dhOTI9XgF4ro/0rvrZ9uwifaPWbKle/Q5m gfreCinEE13KGa2VIDacbRSFwtEeheCwGcvXivDDhkW7uQ4/a8Agxy0v S1VYduF9gY7WJhivZbko1ERwYdpqJCrb6Ppo9NFTWl5gZtHFc+WbF+pY kegGq6uPfcjGhi5C46d1gyjGy4NDOLP9hLDaConKWgayDIEzzHcvUR7r k4fCLfTfGimvFR8MBBcExKyc0xsz8YtEk/lo2Y3l+4gCJeJ/FOuJbzjj UVr8gg==
$
并查找必要的记录,验证并输出验证结果。
但是,对于正常使用,您没有理由使用delv
或其他类似的工具,而只是利用解析器实现中内置的验证逻辑。
至于为什么com.my
(实际上也my
)有多个 KSK 密钥处于活动状态,实际上无法确定。但有人可能会推测他们正在进行 KSK 轮转。
如果您想知道他们这样做的原因,您必须将问题直接提交给com.my
操作员(或者从他们那里找到一些已发布的信息,如果有的话)。