DNSSEC対応ゾーン作成方法 for testing
# named -v
BIND 9.5.2
# cat /var/named/example.com.zone
$TTL 864000
@ IN SOA localhost. root.localhost. (
2009102901 ; serial
28800 ; refresh 8hr
14400 ; retry 4hr
604800 ; expire 1w
86400 ; default_ttl 24hr
)
IN NS ns1.example.com.
IN NS ns2.example.com.
ns1 IN A 192.168.100.2
ns2 IN A 192.168.100.3
www IN A 10.0.0.1
- example.com 用の公開鍵、秘密鍵のペアを作成する
ゾーンに対して署名をおこなうための鍵(ZONE Key)
# dnssec-keygen -a RSA -b 512 -n ZONE example.com.
The use of RSA (RSAMD5) is not recommended.
If you still wish to use RSA (RSAMD5) please specify "-a RSAMD5"
RSAは推奨されていないみたい。
# dnssec-keygen -a RSAMD5 -b 512 -n ZONE example.com.
Kexample.com.+001+40602
*.key 公開鍵
*.private 秘密鍵
# ls K*
Kexample.com.+001+40602.key Kexample.com.+001+40602.private
# cat Kexample.com.+001+40602.key
example.com. IN DNSKEY 256 3 1 AwEAAd7Onu+Su/6T+iK8gGBOCJn2zPTAu3I4tZmYJLqxbb7/vnlesuvS JqdJ/9uECOp5hscc0HoDSLjOqiz58VaemoE=
# cat Kexample.com.+001+40602.private
Private-key-format: v1.2
Algorithm: 1 (RSA)
Modulus: 3s6e75K7/pP6IryAYE4ImfbM9MC7cji1mZgkurFtvv++eV6y69Imp0n/24QI6nmGxxzQegNIuM6qLPnxVp6agQ==
PublicExponent: AQAB
PrivateExponent: ukN500aUKyuCPW/g0qHpxuzwQtys17xY9OKgMgMKgFS1WtWChvtlu/snGLoflXPBbSJtW/pTDwbjoGaZgvMZUQ==
Prime1: 9s6xHpaghO21zkjczSFyNkRz29F2VZh+qtGYFalCnIM=
Prime2: 5xsWG4RSVham7PFjZ78k//OMs/9n0RXDGSJUTHvwhas=
Exponent1: zm3cqSf1RJmKKeq5e31RCODCQwZ0Qm2U7Iz39o4mn78=
Exponent2: C1AAHQi1HxGsyhxmyUVKAl1hnc36vvlZu3k6tyO5+lE=
Coefficient: xIovLgpjHUWdjP+4bQX96MtOYBfr5+mbnKGmZmuhg/0=
-ゾーンへの署名
公開鍵の内容をKEYレコードとしてゾーンファイルに追加する。
# cat example.com.zone Kexample.com.+001+40602.key > aaa
# mv aaa example.com.zone
# cat example.com.zone
$TTL 864000
@ IN SOA localhost. root.localhost. (
2009102901 ; serial
28800 ; refresh 8hr
14400 ; retry 4hr
604800 ; expire 1w
86400 ; default_ttl 24hr
)
IN NS ns1.example.com.
IN NS ns2.example.com.
ns1 IN A 192.168.100.2
ns2 IN A 192.168.100.3
www IN A 10.0.0.1
example.com. IN DNSKEY 256 3 1 AwEAAd7Onu+Su/6T+iK8gGBOCJn2zPTAu3I4tZmYJLqxbb7/vnlesuvS JqdJ/9uECOp5hscc0HoDSLjOqiz58VaemoE=
ゾーンに署名を行う。
# dnssec-signzone -o example.com. example.com.zone
example.com.zone.signed
署名されたゾーンファイルが生成される。
# head -20 example.com.zone.signed
; dnssec_signzone version 9.5.2
example.com. 864000 IN SOA localhost. root.localhost. (
2009102901 ; serial
28800 ; refresh (8 hours)
14400 ; retry (4 hours)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
864000 RRSIG SOA 1 2 864000 20091128072549 (
20091029072549 40602 example.com.
nfMMQDVSNNkjlYy+zX9tC1FlhUrQG/u2JK1r
W8jaTrzE2qZ+4TWSbgtvbBflifUAxGoz/DB8
qj7g1BJLq0juJQ== )
864000 NS ns1.example.com.
864000 NS ns2.example.com.
864000 RRSIG NS 1 2 864000 20091128072549 (
20091029072549 40602 example.com.
gCUzVdSl2pw2EPwEGuz+KgkjJ3L2U6TW7MM1
lHBOKOW/YPExvFiC2PIrTeKADekvka8FHZNR
- named.conf の設定
trusted-keys ステートメントを追加
trusted-keys {
example.com. 256 3 1 "AwEAAd7Onu+Su/6T+iK8gGBOCJn2zPTAu3I4tZmYJLqxbb7/vnlesuvS JqdJ/9uECOp5hscc0HoDSLjOqiz58VaemoE=";
};
zone "example.com" {
type master;
# file "example.com.zone";
file "example.com.zone.signed";
};
[動作確認]
named を再起動
レスポンスサイズ大きくなるな~。
DNSSECあり: MSG SIZE rcvd: 556
DNSSECなし: MSG SIZE rcvd: 117
-DNSSECなし
# dig @127.1 www.example.com. +norec
; <<>> DiG 9.5.2 <<>> @127.1 www.example.com. +norec
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27153
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.example.com. IN A
;; ANSWER SECTION:
www.example.com. 864000 IN A 10.0.0.1
;; AUTHORITY SECTION:
example.com. 864000 IN NS ns1.example.com.
example.com. 864000 IN NS ns2.example.com.
;; ADDITIONAL SECTION:
ns1.example.com. 864000 IN A 192.168.100.2
ns2.example.com. 864000 IN A 192.168.100.3
;; MSG SIZE rcvd: 117
#
- DNSSEC あり ( DOビット オン )
# dig @127.1 +dnssec www.example.com +norec
; <<>> DiG 9.5.2 <<>> @127.1 +dnssec www.example.com +norec
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41894
;; flags: qr aa ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.example.com. IN A
;; ANSWER SECTION:
www.example.com. 864000 IN A 10.0.0.1
www.example.com. 864000 IN RRSIG A 1 3 864000 20091128072549 20091029072549 40602 example.com. Ab43G3mYzy4//dBVJ/kA71y8Jjc1F67EtqHPG9EV67D6+069I14W0OKQ fMF4fgPfmdJuvtODVYzq37hzemUerw==
;; AUTHORITY SECTION:
example.com. 864000 IN NS ns1.example.com.
example.com. 864000 IN NS ns2.example.com.
example.com. 864000 IN RRSIG NS 1 2 864000 20091128072549 20091029072549 40602 example.com. gCUzVdSl2pw2EPwEGuz+KgkjJ3L2U6TW7MM1lHBOKOW/YPExvFiC2PIr TeKADekvka8FHZNR+B7DQBDxhHgW3g==
;; ADDITIONAL SECTION:
ns1.example.com. 864000 IN A 192.168.100.2
ns2.example.com. 864000 IN A 192.168.100.3
ns1.example.com. 864000 IN RRSIG A 1 3 864000 20091128072549 20091029072549 40602 example.com. V1M2yTaSbRXODBqtecgS3DyOadHlx9elOvR1oJmE81Goew84RVHB3eSr PgSOOGCtFGDL6VOUHW9ZgcqVNY61rA==
ns2.example.com. 864000 IN RRSIG A 1 3 864000 20091128072549 20091029072549 40602 example.com. OHHnlwgoM7OG/HnLvjuTSlz0IEdeeAvc5NAJ6vT1hn1jrkh5vtKkC+FY EG2KILflP1ndQqXFQH1I/h1KaRPcRA==
;; MSG SIZE rcvd: 556
#
DNSSEC有効だと、NXDOMAINでもかなりのサイズになる。。
全部DNSSECになったら、帯域えらいふえるなー。
NXDOMAINアタックとかで、帯域つぶせる。。。??
NXDOMAIN DNSSECあり: MSG SIZE rcvd: 493
NXDOMAIN DNSSECなし: MSG SIZE rcvd: 82
# dig +dnssec @127.1 nx.example.com. +norec
; <<>> DiG 9.5.2 <<>> +dnssec @127.1 nx.example.com. +norec
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36343
;; flags: qr aa ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;nx.example.com. IN A
;; AUTHORITY SECTION:
example.com. 86400 IN SOA localhost. root.localhost. 2009102901 28800 14400 604800 86400
example.com. 86400 IN RRSIG SOA 1 2 864000 20091128072549 20091029072549 40602 example.com. nfMMQDVSNNkjlYy+zX9tC1FlhUrQG/u2JK1rW8jaTrzE2qZ+4TWSbgtv bBflifUAxGoz/DB8qj7g1BJLq0juJQ==
example.com. 86400 IN NSEC ns1.example.com. NS SOA RRSIG NSEC DNSKEY
example.com. 86400 IN RRSIG NSEC 1 2 86400 20091128072549 20091029072549 40602 example.com. 070Ug+0iJeDN+CoSlz4/jnHDppEIYYquJxn1MLEsiZXO+0rDFDsrhynF 1+cc68ynhVefeZQPDAIG1l8dKouLXw==
ns2.example.com. 86400 IN NSEC www.example.com. A RRSIG NSEC
ns2.example.com. 86400 IN RRSIG NSEC 1 3 86400 20091128072549 20091029072549 40602 example.com. FiRA+jxD9gZj7bNhkNEg3+nMXWKr6bfB4cSt2y33T38KTt7kj+V31mO0 bRSGYVSAZpu66RgZesjIVFS0s0LPwA==
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; MSG SIZE rcvd: 493
# dig @127.1 nx.example.com. +norec
; <<>> DiG 9.5.2 <<>> @127.1 nx.example.com. +norec
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46370
;; flags: qr aa ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;nx.example.com. IN A
;; AUTHORITY SECTION:
example.com. 86400 IN SOA localhost. root.localhost. 2009102901 28800 14400 604800 86400
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; MSG SIZE rcvd: 82
# named -v
BIND 9.5.2
# cat /var/named/example.com.zone
$TTL 864000
@ IN SOA localhost. root.localhost. (
2009102901 ; serial
28800 ; refresh 8hr
14400 ; retry 4hr
604800 ; expire 1w
86400 ; default_ttl 24hr
)
IN NS ns1.example.com.
IN NS ns2.example.com.
ns1 IN A 192.168.100.2
ns2 IN A 192.168.100.3
www IN A 10.0.0.1
- example.com 用の公開鍵、秘密鍵のペアを作成する
ゾーンに対して署名をおこなうための鍵(ZONE Key)
# dnssec-keygen -a RSA -b 512 -n ZONE example.com.
The use of RSA (RSAMD5) is not recommended.
If you still wish to use RSA (RSAMD5) please specify "-a RSAMD5"
RSAは推奨されていないみたい。
# dnssec-keygen -a RSAMD5 -b 512 -n ZONE example.com.
Kexample.com.+001+40602
*.key 公開鍵
*.private 秘密鍵
# ls K*
Kexample.com.+001+40602.key Kexample.com.+001+40602.private
# cat Kexample.com.+001+40602.key
example.com. IN DNSKEY 256 3 1 AwEAAd7Onu+Su/6T+iK8gGBOCJn2zPTAu3I4tZmYJLqxbb7/vnlesuvS JqdJ/9uECOp5hscc0HoDSLjOqiz58VaemoE=
# cat Kexample.com.+001+40602.private
Private-key-format: v1.2
Algorithm: 1 (RSA)
Modulus: 3s6e75K7/pP6IryAYE4ImfbM9MC7cji1mZgkurFtvv++eV6y69Imp0n/24QI6nmGxxzQegNIuM6qLPnxVp6agQ==
PublicExponent: AQAB
PrivateExponent: ukN500aUKyuCPW/g0qHpxuzwQtys17xY9OKgMgMKgFS1WtWChvtlu/snGLoflXPBbSJtW/pTDwbjoGaZgvMZUQ==
Prime1: 9s6xHpaghO21zkjczSFyNkRz29F2VZh+qtGYFalCnIM=
Prime2: 5xsWG4RSVham7PFjZ78k//OMs/9n0RXDGSJUTHvwhas=
Exponent1: zm3cqSf1RJmKKeq5e31RCODCQwZ0Qm2U7Iz39o4mn78=
Exponent2: C1AAHQi1HxGsyhxmyUVKAl1hnc36vvlZu3k6tyO5+lE=
Coefficient: xIovLgpjHUWdjP+4bQX96MtOYBfr5+mbnKGmZmuhg/0=
-ゾーンへの署名
公開鍵の内容をKEYレコードとしてゾーンファイルに追加する。
# cat example.com.zone Kexample.com.+001+40602.key > aaa
# mv aaa example.com.zone
# cat example.com.zone
$TTL 864000
@ IN SOA localhost. root.localhost. (
2009102901 ; serial
28800 ; refresh 8hr
14400 ; retry 4hr
604800 ; expire 1w
86400 ; default_ttl 24hr
)
IN NS ns1.example.com.
IN NS ns2.example.com.
ns1 IN A 192.168.100.2
ns2 IN A 192.168.100.3
www IN A 10.0.0.1
example.com. IN DNSKEY 256 3 1 AwEAAd7Onu+Su/6T+iK8gGBOCJn2zPTAu3I4tZmYJLqxbb7/vnlesuvS JqdJ/9uECOp5hscc0HoDSLjOqiz58VaemoE=
ゾーンに署名を行う。
# dnssec-signzone -o example.com. example.com.zone
example.com.zone.signed
署名されたゾーンファイルが生成される。
# head -20 example.com.zone.signed
; dnssec_signzone version 9.5.2
example.com. 864000 IN SOA localhost. root.localhost. (
2009102901 ; serial
28800 ; refresh (8 hours)
14400 ; retry (4 hours)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
864000 RRSIG SOA 1 2 864000 20091128072549 (
20091029072549 40602 example.com.
nfMMQDVSNNkjlYy+zX9tC1FlhUrQG/u2JK1r
W8jaTrzE2qZ+4TWSbgtvbBflifUAxGoz/DB8
qj7g1BJLq0juJQ== )
864000 NS ns1.example.com.
864000 NS ns2.example.com.
864000 RRSIG NS 1 2 864000 20091128072549 (
20091029072549 40602 example.com.
gCUzVdSl2pw2EPwEGuz+KgkjJ3L2U6TW7MM1
lHBOKOW/YPExvFiC2PIrTeKADekvka8FHZNR
- named.conf の設定
trusted-keys ステートメントを追加
trusted-keys {
example.com. 256 3 1 "AwEAAd7Onu+Su/6T+iK8gGBOCJn2zPTAu3I4tZmYJLqxbb7/vnlesuvS JqdJ/9uECOp5hscc0HoDSLjOqiz58VaemoE=";
};
zone "example.com" {
type master;
# file "example.com.zone";
file "example.com.zone.signed";
};
[動作確認]
named を再起動
レスポンスサイズ大きくなるな~。
DNSSECあり: MSG SIZE rcvd: 556
DNSSECなし: MSG SIZE rcvd: 117
-DNSSECなし
# dig @127.1 www.example.com. +norec
; <<>> DiG 9.5.2 <<>> @127.1 www.example.com. +norec
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27153
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.example.com. IN A
;; ANSWER SECTION:
www.example.com. 864000 IN A 10.0.0.1
;; AUTHORITY SECTION:
example.com. 864000 IN NS ns1.example.com.
example.com. 864000 IN NS ns2.example.com.
;; ADDITIONAL SECTION:
ns1.example.com. 864000 IN A 192.168.100.2
ns2.example.com. 864000 IN A 192.168.100.3
;; MSG SIZE rcvd: 117
#
- DNSSEC あり ( DOビット オン )
# dig @127.1 +dnssec www.example.com +norec
; <<>> DiG 9.5.2 <<>> @127.1 +dnssec www.example.com +norec
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41894
;; flags: qr aa ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.example.com. IN A
;; ANSWER SECTION:
www.example.com. 864000 IN A 10.0.0.1
www.example.com. 864000 IN RRSIG A 1 3 864000 20091128072549 20091029072549 40602 example.com. Ab43G3mYzy4//dBVJ/kA71y8Jjc1F67EtqHPG9EV67D6+069I14W0OKQ fMF4fgPfmdJuvtODVYzq37hzemUerw==
;; AUTHORITY SECTION:
example.com. 864000 IN NS ns1.example.com.
example.com. 864000 IN NS ns2.example.com.
example.com. 864000 IN RRSIG NS 1 2 864000 20091128072549 20091029072549 40602 example.com. gCUzVdSl2pw2EPwEGuz+KgkjJ3L2U6TW7MM1lHBOKOW/YPExvFiC2PIr TeKADekvka8FHZNR+B7DQBDxhHgW3g==
;; ADDITIONAL SECTION:
ns1.example.com. 864000 IN A 192.168.100.2
ns2.example.com. 864000 IN A 192.168.100.3
ns1.example.com. 864000 IN RRSIG A 1 3 864000 20091128072549 20091029072549 40602 example.com. V1M2yTaSbRXODBqtecgS3DyOadHlx9elOvR1oJmE81Goew84RVHB3eSr PgSOOGCtFGDL6VOUHW9ZgcqVNY61rA==
ns2.example.com. 864000 IN RRSIG A 1 3 864000 20091128072549 20091029072549 40602 example.com. OHHnlwgoM7OG/HnLvjuTSlz0IEdeeAvc5NAJ6vT1hn1jrkh5vtKkC+FY EG2KILflP1ndQqXFQH1I/h1KaRPcRA==
;; MSG SIZE rcvd: 556
#
DNSSEC有効だと、NXDOMAINでもかなりのサイズになる。。
全部DNSSECになったら、帯域えらいふえるなー。
NXDOMAINアタックとかで、帯域つぶせる。。。??
NXDOMAIN DNSSECあり: MSG SIZE rcvd: 493
NXDOMAIN DNSSECなし: MSG SIZE rcvd: 82
# dig +dnssec @127.1 nx.example.com. +norec
; <<>> DiG 9.5.2 <<>> +dnssec @127.1 nx.example.com. +norec
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36343
;; flags: qr aa ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;nx.example.com. IN A
;; AUTHORITY SECTION:
example.com. 86400 IN SOA localhost. root.localhost. 2009102901 28800 14400 604800 86400
example.com. 86400 IN RRSIG SOA 1 2 864000 20091128072549 20091029072549 40602 example.com. nfMMQDVSNNkjlYy+zX9tC1FlhUrQG/u2JK1rW8jaTrzE2qZ+4TWSbgtv bBflifUAxGoz/DB8qj7g1BJLq0juJQ==
example.com. 86400 IN NSEC ns1.example.com. NS SOA RRSIG NSEC DNSKEY
example.com. 86400 IN RRSIG NSEC 1 2 86400 20091128072549 20091029072549 40602 example.com. 070Ug+0iJeDN+CoSlz4/jnHDppEIYYquJxn1MLEsiZXO+0rDFDsrhynF 1+cc68ynhVefeZQPDAIG1l8dKouLXw==
ns2.example.com. 86400 IN NSEC www.example.com. A RRSIG NSEC
ns2.example.com. 86400 IN RRSIG NSEC 1 3 86400 20091128072549 20091029072549 40602 example.com. FiRA+jxD9gZj7bNhkNEg3+nMXWKr6bfB4cSt2y33T38KTt7kj+V31mO0 bRSGYVSAZpu66RgZesjIVFS0s0LPwA==
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; MSG SIZE rcvd: 493
# dig @127.1 nx.example.com. +norec
; <<>> DiG 9.5.2 <<>> @127.1 nx.example.com. +norec
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46370
;; flags: qr aa ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;nx.example.com. IN A
;; AUTHORITY SECTION:
example.com. 86400 IN SOA localhost. root.localhost. 2009102901 28800 14400 604800 86400
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; MSG SIZE rcvd: 82