Firefox has a DNSSEC validation plugin, so I tried it out.
- Preparing unbound
This assumes the ITAR (IANA Interim Trust Anchor Repository) trust anchors are already set up.
root@arizona:/etc/unbound# unbound -v
[1275843653] unbound[1701:0] notice: Start of unbound 1.4.1.
root@arizona:/etc/unbound# egrep "trust-anchor-file" unbound.conf | grep -v "#"
trust-anchor-file: "/etc/unbound/anchors.mf"
- Check that DNSSEC queries can be resolved
If the ad bit is set in the flags, validation is working.
root@arizona:/etc/unbound# dig @127.1 www.isc.org +dnssec +multiline
; <<>> DiG 9.7.0-P1 <<>> @127.1 www.isc.org +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1402
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 9
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.isc.org. IN A
;; ANSWER SECTION:
www.isc.org. 240 IN A 149.20.64.42
www.isc.org. 240 IN RRSIG A 5 3 600 2010070523333
When you dig an FQDN that does not support DNSSEC, the ad bit is not set.
root@arizona:/etc/unbound# dig @127.1 www.google.com +dnssec +multiline
; <<>> DiG 9.7.0-P1 <<>> @127.1 www.google.com +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22658
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.google.com. IN A
You can also check with unbound-host -C <config file> <FQDN> -v.
root@arizona:/etc/unbound# unbound-host -C unbound.conf www.isc.org -v
[1275844036] libunbound[1821:0] notice: init module 0: validator
[1275844036] libunbound[1821:0] notice: init module 1: iterator
www.isc.org has address 149.20.64.42 (secure)
www.isc.org has IPv6 address 2001:4f8:0:2::d (secure)
www.isc.org has no mail handler record (secure)
root@arizona:/etc/unbound#
root@arizona:/etc/unbound# unbound-host -C unbound.conf www.google.com -v
[1275844044] libunbound[1860:0] notice: init module 0: validator
[1275844044] libunbound[1860:0] notice: init module 1: iterator
www.google.com is an alias for www.l.google.com. (insecure)
www.l.google.com has address 66.249.89.104 (insecure)
www.l.google.com has address 66.249.89.99 (insecure)
www.l.google.com has no IPv6 address (insecure)
www.l.google.com has no mail handler record (insecure)
- Add the DNSSEC validation add-on to Firefox 3.6.3
Download the add-on
https://addons.mozilla.org/en-US/firefox/addon/64247/
Usage
http://www.dnssec-validator.cz/
From Firefox -> Tools -> Add-ons, specify the IP address of a DNSSEC-capable caching server (unbound in this case).
Access www.isc.org, which resolves with DNSSEC.
An icon appears in the URL bar showing whether DNSSEC validation succeeded.
If it is red, the domain supports DNSSEC but the IP address has changed or the DNSSEC signature is broken.
root@arizona:~# unbound-host -C /etc/unbound/unbound.conf www.rhybar.cz -v
[1275845463] libunbound[4671:0] notice: init module 0: validator
[1275845463] libunbound[4671:0] notice: init module 1: iterator
www.rhybar.cz has address 217.31.205.50 (BOGUS (security failure))
validation failure : signature crypto failed from 194.0.13.1 for key rhybar.cz. while building chain of trust
www.rhybar.cz has IPv6 address 2001:1488:0:3::2 (BOGUS (security failure))
validation failure : signature crypto failed from 194.0.13.1 for key rhybar.cz. while building chain of trust
www.rhybar.cz has no mail handler record (BOGUS (security failure))
validation failure : signature crypto failed from 194.0.12.1 for key rhybar.cz. while building chain of trust
Capture of the Firefox -> caching server traffic
It queries with the DO bit enabled.
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 1
Queries
www.rhybar.cz: type A, class IN
Name: www.rhybar.cz
Type: A (Host address)
Class: IN (0x0001)
Additional records
Name:
Type: OPT (EDNS0 option)
UDP payload size: 4096
Higher bits in extended RCODE: 0x0
EDNS0 version: 0
Z: 0x8000
Bit 0 (DO bit): 1 (Accepts DNSSEC security RRs)
Bits 1-15: 0x0 (reserved)
Data length: 0
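As an added example (not code from the original post or from the add-on), here is a small Python script that builds the kind of query the capture above shows (RD flag, EDNS0 OPT RR with UDP payload size 4096 and DO=1 in the Z field) and classifies a reply from its header flags the way dig's ad bit and unbound-host's secure/insecure/BOGUS output do. The query name and the reply built by make_response are constructed sample data; a validating resolver answers SERVFAIL (rcode 2) for bogus data, which is how the BOGUS case shows up on the wire.

```python
import struct

def build_dnssec_query(qname, qid=0x1234, udp_payload=4096, do=True):
    """DNS A query with RD set and an EDNS0 OPT RR; DO is bit 0x8000 of the Z field."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1)   # flags=RD, QDCOUNT=1, ARCOUNT=1
    labels = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack(">HH", 1, 1)     # QTYPE=A, QCLASS=IN
    # OPT RR: NAME=root, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode|version|Z, RDLEN=0
    opt = b"\x00" + struct.pack(">HHBBHH", 41, udp_payload, 0, 0, 0x8000 if do else 0, 0)
    return header + question + opt

def _skip_name(msg, pos):
    """Offset just past a (possibly compressed) name that starts at pos."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return pos + 2
        pos += 1 + length
        if length == 0:
            return pos

def make_response(query, flags, rdata=b"\x95\x14\x40\x2a"):
    """Constructed reply: the query's question and OPT plus one A RR (149.20.64.42, name compressed)."""
    qend = _skip_name(query, 12) + 4
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 240, len(rdata)) + rdata
    header = query[:2] + struct.pack(">HHHHH", flags, 1, 1, 0, 1)   # QD=1, AN=1, NS=0, AR=1
    return header + query[12:qend] + answer + query[qend:]

def do_bit_set(msg):
    """True if the message carries an OPT RR whose DO bit is set."""
    qd, an, ns, ar = struct.unpack(">HHHH", msg[4:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4            # name + QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = _skip_name(msg, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        if rtype == 41 and ttl & 0x8000:          # OPT: low 16 bits of "TTL" are the Z field
            return True
        pos += 10 + rdlen
    return False

def header_flags(msg):
    """Decode the flags word into the bits dig prints plus a verdict like unbound-host's:
    SERVFAIL (rcode 2) from a validator means bogus, AD set means secure, else insecure."""
    flags = struct.unpack(">H", msg[2:4])[0]
    f = {"qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
         "ad": bool(flags & 0x0020), "cd": bool(flags & 0x0010), "rcode": flags & 0x000F}
    f["state"] = "bogus" if f["rcode"] == 2 else ("secure" if f["ad"] else "insecure")
    return f
```

Sending build_dnssec_query() over UDP to the unbound instance above and feeding the reply to header_flags() reproduces the ad/no-ad distinction between www.isc.org and www.google.com.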