lost and found ( for me ? )

DNSSEC trust-anchors ( www.ripe.net )

I tried out the www.ripe.net trust-anchors (DNSSEC), so here are my notes.

The URL below (NLnet Labs) has thorough documentation on how DNSSEC and DLV work,
how to implement them (cache, authoritative), and how to troubleshoot them.

DNSSEC How To
http://www.nlnetlabs.nl/publications/dnssec_howto/index.html

# named -v
BIND 9.5.2

Download ripe-ncc-dnssec-keys-new.txt (BIND format) from
https://www.ripe.net/projects/disi/keys/

# cat /etc/named.conf ripe-ncc-dnssec-keys-new.txt > aaa
# mv aaa /etc/named.conf

- named.conf

trusted-keys {

"0.4.1.0.0.2.ip6.arpa." 257 3 5
"AwEAAaZOYKV/YG3O59Xh957bNGLLDNn1OzWK
SFefZJFyWRlOHdcb5d0NTYvmau7Q7liPiVv7
l5cnKDuwbmRwpd7EU2gZA9vQekKdu7yPJngy

- Verification

When the data has been validated, the ad bit is set.

# dig @127.1 ripencc.org SOA +dnssec +multiline

; <<>> DiG 9.5.2 <<>> @127.1 ripencc.org SOA +dnssec +multiline
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46887
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ripencc.org. IN SOA

;; ANSWER SECTION:
ripencc.org. 3600 IN SOA ns-pri.ripe.net. ops.ripe.net. (
2009111300 ; serial
43200 ; refresh (12 hours)
7200 ; retry (2 hours)
1209600 ; expire (2 weeks)
7200 ; minimum (2 hours)
)
ripencc.org. 3600 IN RRSIG SOA 5 2 172800 20091213060004 (
20091113060004 62463 ripencc.org.
B2jj/XjbOJ428QJnC7jz6fZsC1x4nB+hCKNijVZ8489y
o3yzpb5u642kUGd3+UxZn1VNLO3d0xpe07uS8zBjgeEm
2osrMeEuzPr2vILqXbDCM1NAvH5Ru6FwVdVKXDatzVbs
GJabHNqQj1NAxbqZ9Qg+9vPWVQwhAY/G0B7CZSqRqhjb
bTn+olFoqOqBRiOYDZHw4YqF )

- Checking in the BIND log

Add to named.conf

logging {
channel dnssec_log { // a DNSSEC log channel
file "log/dnssec" size 20m;
print-time yes; // timestamp the entries
print-category yes; // add category name to entries
print-severity yes; // add severity level to entries
severity debug 3; // print debug message <= 3 t

};

category dnssec { dnssec_log; };

};

# rndc reload
server reload successful

# rndc flush
# dig @127.1 ripencc.org SOA +dnssec +multiline

The log shows verify rdataset (keyid=10201): success.
The key id is the trailing number of the key for the zone signed on the authoritative side (e.g. Kexample.jp.+001+12345).

# cat /var/named/data/log/dnssec
validating @0x937f448: ripencc.org SOA: starting
validating @0x937f448: ripencc.org SOA: attempting positive response validation
validating @0x92b2148: ripencc.org DNSKEY: starting
validating @0x92b2148: ripencc.org DNSKEY: attempting positive response validation
validating @0x92b2148: ripencc.org DNSKEY: verify rdataset (keyid=10201): success
validating @0x92b2148: ripencc.org DNSKEY: signed by trusted key; marking as secure
validator @0x92b2148: dns_validator_destroy
validating @0x937f448: ripencc.org SOA: in fetch_callback_validator
validating @0x937f448: ripencc.org SOA: keyset with trust 7
validating @0x937f448: ripencc.org SOA: resuming validate
validating @0x937f448: ripencc.org SOA: verify rdataset (keyid=62463): success
validating @0x937f448: ripencc.org SOA: marking as secure
validator @0x937f448: dns_validator_destroy


named.conf

"ripencc.org." 257 3 5
"AwEAAb56pKUvi3gk9SHVnhQ/HbjK7n1AHFny
UZcjX4+5OcoE9ir2keA6+gQHuumoUkXlK7f7
ReRLfwpjFm3X7tWw/QgZWR6+109leJt1Xbab
pdRkG9ukB7Ij4FzzXnNB8KodRV9sfRTasZL3
JC3tOesw2bv4ILKWSkcNYTg1yZJjckZoBxE/
VNYbvV0/yOCjYIcgmvgOYrMDkFXyiqsn8Uc1
NqdoW5LUYj4QpK8MM/2qi/cfE2j8iXakWI/k
e7MkKwi3C94KE1bA3VD3eNPc8OXHl+ZXJUui
VK3OAVspbxov9XQt/JnNdBoWgCK0QQobEwUG
5D16e3qovuBwmlcfbVI1j0s=";
// Key ID= 10201 (to be deprecated!)
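
The key ID in that comment, and the keyid= value in the log, is the DNSKEY key tag defined in RFC 4034 Appendix B. The following added example (not from the original post or from BIND) computes it for each trusted-keys entry so a configured anchor can be compared with the keyid in the log; the function names and the three-byte sample key are constructed for illustration.

```python
import base64
import re
import struct

# One trusted-keys entry: "name." flags protocol algorithm "base64 ...";
ENTRY_RE = re.compile(r'"([^"]+)"\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]+)"\s*;')

def key_tag(flags, protocol, algorithm, public_key):
    """Key tag over the DNSKEY RDATA, as in RFC 4034 Appendix B."""
    if algorithm == 1:
        raise ValueError("algorithm 1 (RSA/MD5) uses a different key tag rule")
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    acc = 0
    for i, byte in enumerate(rdata):
        # Even offsets are the high byte of each 16-bit word, odd the low byte.
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF  # fold the carry back in
    return acc & 0xFFFF

def anchor_key_tags(conf_text):
    """Return [(zone, key_tag)] for every entry inside trusted-keys { ... };"""
    block = re.search(r"trusted-keys\s*\{(.*?)\}\s*;", conf_text, re.S)
    if not block:
        return []
    result = []
    for name, flags, proto, alg, b64 in ENTRY_RE.findall(block.group(1)):
        key = base64.b64decode("".join(b64.split()))  # key may span lines
        result.append((name, key_tag(int(flags), int(proto), int(alg), key)))
    return result

# Constructed sample, not a real key: 3 bytes of key material over two lines.
SAMPLE_CONF = '''
trusted-keys {
"example.jp." 257 3 5
"AQ
ID";
};
'''

if __name__ == "__main__":
    for zone, tag in anchor_key_tags(SAMPLE_CONF):
        print(zone, "key id", tag)
```
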


Cache dump from named.

86394 NS sunic.sunet.se.
86394 NS ns-pri.ripe.net.
; secure
172795 RRSIG NS 5 2 172800 20091213060004 (
20091113060004 62463 ripencc.org.
D8hM/sgx2HtwuGQy+vyMAzDJdkbk9TblI3tp
GEje/vhTTrRfbn24jl5A7xNmWX2MpbJJAuwl
GTM9ku8YDmWyt216oGjJ1BCyATgi4kBBmRXL
gyJXkMKeTUZhhTCsDqrh71jUMgo422L1cCwt
0OvINJzRx/dDojYZZf3L5QEDZp6Q+r1J16sm
ABAAMyXQARO//qE6SEBz )
; secure
3595 DNSKEY 256 3 5 (
AwEAAbl07L8Fgdz/QT2TaC8g9w/yZjdYfcSw
KWdGLEGjkBk2vv6H818sBwUjgorxtCdUhLoB
QilO+/pMHGZU/dHSGOqZy/vF1YLcSioi6mLJ
l7L/9tFoRZogn9GZBNmwqSHgqx3cPSR2bfXT
3leoqGf101NUsHJDoUJIqGzx7dYFgZtCycZ6
NJVQpvVGuVi1HTlnJtRBSPNWVw== )

As a test, I changed the key shown above in named.conf.

Before

"ripencc.org." 257 3 5
"AwEAAb56pKUvi3gk9SHVnhQ/HbjK7n1AHFny

After (first 3 characters changed from AwE to BAD)

"ripencc.org." 257 3 5
"BADAAb56pKUvi3gk9SHVnhQ/HbjK7n1AHFny


The result was SERVFAIL.

# dig @127.1 ripencc.org SOA +dnssec +multiline

; <<>> DiG 9.5.2 <<>> @127.1 ripencc.org SOA +dnssec +multiline
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15070
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ripencc.org. IN SOA


The log also shows ripencc.org SOA: fetch_callback_validator: got failure.

# cat /var/named/data/log/dnssec
validating @0x9e46160: ripencc.org SOA: starting
validating @0x9e46160: ripencc.org SOA: attempting positive response validation
validating @0x9e46968: ripencc.org DNSKEY: starting
validating @0x9e46968: ripencc.org DNSKEY: attempting positive response validation
validating @0x9e46968: ripencc.org DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches one of specified trusted-keys for 'ripencc.org'
validator @0x9e46968: dns_validator_destroy
validating @0x9e46968: ripencc.org DNSKEY: starting
validating @0x9e46968: ripencc.org DNSKEY: attempting positive response validation
validating @0x9e46968: ripencc.org DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches one of specified trusted-keys for 'ripencc.org'
validator @0x9e46968: dns_validator_destroy
validating @0x9e46160: ripencc.org SOA: in fetch_callback_validator
validating @0x9e46160: ripencc.org SOA: fetch_callback_validator: got failure
validator @0x9e46160: dns_validator_destroy
validating @0x9e46160: ripencc.org SOA: starting
validating @0x9e46160: ripencc.org SOA: attempting positive response validation
validating @0x9e46968: ripencc.org DNSKEY: starting
validating @0x9e46968: ripencc.org DNSKEY: attempting positive response validation
validating @0x9e46968: ripencc.org DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches one of specified trusted-keys for 'ripencc.org'
validator @0x9e46968: dns_validator_destroy
validating @0x9e46968: ripencc.org DNSKEY: starting
validating @0x9e46968: ripencc.org DNSKEY: attempting positive response validation
validating @0x9e46968: ripencc.org DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches one of specified trusted-keys for 'ripencc.org'
validator @0x9e46968: dns_validator_destroy
validating @0x9e46160: ripencc.org SOA: in fetch_callback_validator
validating @0x9e46160: ripencc.org SOA: fetch_callback_validator: got failure
validator @0x9e46160: dns_validator_destroy
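
The two log excerpts above can be told apart mechanically. The following added example (not from the original post) summarizes category dnssec lines per RRset and lists zones whose DNSKEY RRset matched none of the configured trusted-keys; the function names are illustrative, and the matched message strings are the ones shown on this page for BIND 9.5.2, assumed here and possibly different in other versions.

```python
import re

# "validating @0x...: <name> <type>: <message>", with or without a log prefix.
LINE_RE = re.compile(r"validating @0x[0-9a-f]+: (\S+) (\S+): (.*)")
KEYID_RE = re.compile(r"verify rdataset \(keyid=(\d+)\): success")
ANCHOR_MISMATCH = "matches one of specified trusted-keys"

def summarize(log_text):
    """Map (name, rrtype) -> {'status', 'keyids'} for each validated RRset."""
    result = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # e.g. "validator @0x...: dns_validator_destroy"
        name, rrtype, msg = m.groups()
        entry = result.setdefault((name, rrtype),
                                  {"status": "pending", "keyids": []})
        keyid = KEYID_RE.search(msg)
        if keyid and int(keyid.group(1)) not in entry["keyids"]:
            entry["keyids"].append(int(keyid.group(1)))
        if "marking as secure" in msg:
            entry["status"] = "secure"
        elif ANCHOR_MISMATCH in msg:
            entry["status"] = "trust-anchor-mismatch"
        elif "got failure" in msg:
            entry["status"] = "failed"
    return result

def anchor_mismatch_zones(log_text):
    """Zones whose DNSKEY RRset matched none of the configured trusted-keys."""
    return sorted({name for (name, _), e in summarize(log_text).items()
                   if e["status"] == "trust-anchor-mismatch"})

# Lines copied from the two log excerpts on this page (success, then failure).
GOOD_LOG = """\
validating @0x92b2148: ripencc.org DNSKEY: verify rdataset (keyid=10201): success
validating @0x92b2148: ripencc.org DNSKEY: signed by trusted key; marking as secure
validating @0x937f448: ripencc.org SOA: verify rdataset (keyid=62463): success
validating @0x937f448: ripencc.org SOA: marking as secure
"""
BAD_LOG = """\
validating @0x9e46968: ripencc.org DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches one of specified trusted-keys for 'ripencc.org'
validating @0x9e46160: ripencc.org SOA: fetch_callback_validator: got failure
"""

if __name__ == "__main__":
    print(summarize(GOOD_LOG))
    print(anchor_mismatch_zones(BAD_LOG))
```
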
