# dig -- only RRSIG present.

## dE_logics

I'm trying to see DNSSEC response of various sites; my DNS server is 8.8.8.8 (google's public DNS service)

Response is as such - 

```
dig +dnssec -t SOA org           

; <<>> DiG 9.8.1 <<>> +dnssec -t SOA org

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20306

;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags: do; udp: 512

;; QUESTION SECTION:

;org.                           IN      SOA

;; ANSWER SECTION:

org.                    899     IN      SOA     a0.org.afilias-nst.info. noc.afilias-nst.info. 2009954959 1800 900 604800 86400

org.                    899     IN      RRSIG   SOA 7 1 900 20120304071611 20120212061611 55440 org. M5Bi8pDPV3ux+FEK5GnJtxpL3X06reEIA+zkFk5YZK9U/LSAwAO+EdgG EQVOBpegjTTobmKJZLxl2e9E3t3zm0zaoYXXLGBfnSSNRiI4x4NtTqXE ElFtDCIyfqMwAMaiD9CAHwH/tiRfkV9VlWeAmCgIKZ6w7QVtXLPHwYA3 x2c=

;; Query time: 1371 msec

;; SERVER: 8.8.8.8#53(8.8.8.8)

;; WHEN: Sun Feb 12 12:49:02 2012

;; MSG SIZE  rcvd: 258
```

As we can see, the DNSKEY and DS RR is missing which's mandatory for this to be of any use. So where is it?

If I explicitly specify the name server to be one of the root nameservers - 

```
dig +dnssec -t SOA org 198.41.0.4

; <<>> DiG 9.8.1 <<>> +dnssec -t SOA org 198.41.0.4

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62972

;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags: do; udp: 512

;; QUESTION SECTION:

;org.                           IN      SOA

;; ANSWER SECTION:

org.                    451     IN      SOA     a0.org.afilias-nst.info. noc.afilias-nst.info. 2009954959 1800 900 604800 86400

org.                    451     IN      RRSIG   SOA 7 1 900 20120304071611 20120212061611 55440 org. M5Bi8pDPV3ux+FEK5GnJtxpL3X06reEIA+zkFk5YZK9U/LSAwAO+EdgG EQVOBpegjTTobmKJZLxl2e9E3t3zm0zaoYXXLGBfnSSNRiI4x4NtTqXE ElFtDCIyfqMwAMaiD9CAHwH/tiRfkV9VlWeAmCgIKZ6w7QVtXLPHwYA3 x2c=

;; Query time: 131 msec

;; SERVER: 8.8.8.8#53(8.8.8.8)

;; WHEN: Sun Feb 12 12:56:30 2012

;; MSG SIZE  rcvd: 258

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26058

;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags: do; udp: 512

;; QUESTION SECTION:

;198.41.0.4.                    IN      SOA

;; AUTHORITY SECTION:

.                       0       IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2012021200 1800 900 604800 86400

.                       0       IN      RRSIG   SOA 8 0 86400 20120219000000 20120211230000 51201 . Es1RsMErjNpgyBqjHbUIVQ77hrA6quuq45ZNhiL1CwXkLpd9wnPVSlcu xAcF675og+exWPBUMUBrXNTpYOI4a2Wrvkafd7629kT21alDyiUa28FC P/P/pWOFVa0ceDDQGnwKg7ec4r+UyhoTLGmvlVpDjqMhmR17a02SLz31 a/Q=

.                       86399   IN      NSEC    ac. NS SOA RRSIG NSEC DNSKEY

.                       86399   IN      RRSIG   NSEC 8 0 86400 20120219000000 20120211230000 51201 . hFSp9EIMo7fEbc3gKaZD8gH5XzUUjNy9rRGf0cW3mtHy8FoqaLg1eIfg 9CGjjWqx58t2R68O+/f7sQ6F4aysMA30aiYsOJXJRENEuzGKSGQiuRZE nP3K5AjqcKmxgkllKAQWMITFU2HDXzgHH3iWOhxh6zdCV8hZe4xPv60Z Zp4=

;; Query time: 195 msec

;; SERVER: 8.8.8.8#53(8.8.8.8)

;; WHEN: Sun Feb 12 12:56:30 2012

;; MSG SIZE  rcvd: 454

```

I get 3 completely different RRSIGs, and the DNSKEY and DS are still missing.

The last thing that I want to ask is that, this string - 

"M5Bi8pDPV3ux+FEK5GnJtxpL3X06reEIA+zkFk5YZK9U/LSAwAO+EdgG EQVOBpegjTTobmKJZLxl2e9E3t3zm0zaoYXXLGBfnSSNRiI4x4NtTqXE ElFtDCIyfqMwAMaiD9CAHwH/tiRfkV9VlWeAmCgIKZ6w7QVtXLPHwYA3 x2c="

Which's a part of the RRSIG, is this a single key or multiple keys?

----------

