lost and found ( for me ? )

DNSSEC : how to make chain of trust

With the internal DNS built and every zone made DNSSEC-capable, the last step is to create the chain of trust.

Below, the chain of trust is created in the environment left after steps 1 and 2.

Once there is a chain of trust, the caching server only needs the root DNS KSK registered in trusted-keys
to be able to validate DNSSEC for the subordinate domains.

1. Building the internal DNS ( internal root , jp , test.co.jp )

http://lost-and-found-narihiro.blogspot.com/2010/06/dns-how-to-deploy-internal-root-zone-jp.html

2. DNSSEC-enabling each zone of the internal DNS ( internal root , jp , test.co.jp )


To form the chain of trust, the child zone's DS record (a digest of its KSK) is registered in the parent DNS, so that the child's KSK public key can be verified through the parent.

Concretely, do the following:

Register internal jp's DS record in internal root
Register test.co.jp's DS in internal jp

The DS records were created when dnssec-signzone was run, so those are used.

- internal jp

[root@hat2-vm named]# cat dsset-jp.
jp. IN DS 12355 8 1 617CEF37F4B623A1A2879CEDDFA6FC82CD9B0329
jp. IN DS 12355 8 2 EAC2A034E8F6F6404561A7A4EBFAB2F3B3450425991D16A1DB9D18EF 3C529892


- internal test.co.jp

[root@hat3-vm named]# cat dsset-test.co.jp.
test.co.jp. IN DS 30865 8 1 2FDAB20398A72546C84A404FF8DA1801DD86A8A3
test.co.jp. IN DS 30865 8 2 CCE2D1914034CD64930A63B15341977BC0C05606595ACC9806E41AE7 A8320232
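
The DS lines in the dsset files are a digest over the child's KSK DNSKEY; the parent publishes them and a validator recomputes them when walking the chain. The following Python is an added example, not code from the original post or from BIND: it rebuilds DS lines from a DNSKEY and checks a dsset-style line against it. The key bytes (SAMPLE_KEY_B64) are constructed, since the real jp and test.co.jp keys are not shown on this page.

```python
import base64
import hashlib
import struct

# DS digest types used in the dsset files above: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed stand-in for a KSK public key; the real jp / test.co.jp keys are not on this page.
SAMPLE_KEY_B64 = "AQIDBA=="  # base64 of the bytes 01 02 03 04


def name_to_wire(name):
    """Owner name in DNS wire format, lowercased, as it is hashed into a DS (RFC 4034 5.1.4)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) key; 257 3 8 is an RSASHA256 KSK."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag (the 12355 / 30865 in the dsset files), RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, key_b64, digest_type):
    """The DS line the parent must publish: digest = hash(wire owner name || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), algorithm, digest_type, digest)

def ds_matches_dnskey(ds_line, owner, flags, protocol, algorithm, key_b64):
    """Check a dsset-style DS line against the child's DNSKEY, as a validator does on the chain."""
    fields = ds_line.split()
    if len(fields) < 7 or fields[2] != "DS" or int(fields[5]) not in DIGEST_ALGS:
        return False
    # dnssec-signzone wraps a long digest with a space (see the type-2 lines above): rejoin it.
    got = " ".join(fields[:6] + ["".join(fields[6:])])
    want = make_ds(owner, flags, protocol, algorithm, key_b64, int(fields[5]))
    return got.lower() == want.lower()

if __name__ == "__main__":
    for dtype in (1, 2):
        print(make_ds("jp.", 257, 3, 8, SAMPLE_KEY_B64, dtype))
```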

- Register internal jp's DS record in internal root. The zone file that receives the DS records is the already-signed *.signed file, so append them to it

[root@hat1-vm named]# cat root_zone_internal.db.signed dsset-jp. > root_zone_internal.db.new

Increment the serial

[root@hat1-vm named]# diff root_zone_internal.db.new root_zone_internal.db.signed
4c4
< 2010070201 ; serial
---
> 2010062304 ; serial
127,128d126
< jp. IN DS 12355 8 1 617CEF37F4B623A1A2879CEDDFA6FC82CD9B0329
< jp. IN DS 12355 8 2 EAC2A034E8F6F6404561A7A4EBFAB2F3B3450425991D16A1DB9D18EF 3C529892

Since the zone file has changed, sign it again.

[root@hat1-vm named]# dnssec-signzone -o . root_zone_internal.db.new
dnssec-signzone: warning: root_zone_internal.db.new:127: using RFC1035 TTL semantics
Verifying the zone using the following algorithms: RSASHA256.
Zone signing complete:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                      ZSKs: 1 active, 0 stand-by, 0 revoked
root_zone_internal.db.new.signed


Back up the previous zone file

[root@hat1-vm named]# mv root_zone_internal.db.signed root_zone_internal.db.signed.2010062304

Switch to the new zone file

[root@hat1-vm named]# mv root_zone_internal.db.new.signed root_zone_internal.db.signed

[root@hat1-vm named]# diff root_zone_internal.db.signed root_zone_internal.db.signed.2010062304 | grep DS
< 9xQAWnaFr/08W4ZcDSk6BrnThnqB6fI2BbRQ
> uVp0oow5zazUCvs7d3d0PkInLRGTDSXPvTwr
< 3600 DS 12355 8 1 (
< 3600 DS 12355 8 2 (
< 3600 RRSIG DS 8 1 3600 20100731143511 (
< 3600 NSEC x.root-servers.net. NS DS RRSIG NSEC
< lcX0SWxzmPRnb59vDSsrSV8zpW+VSaeD8Iyr

[root@hat1-vm named]# rndc reload
server reload successful

- Likewise, add test.co.jp's DS record to internal jp

[root@hat2-vm named]# cat jp_zone_internal.db.signed dsset-test.co.jp. > jp_zone_internal.db.new

[root@hat2-vm named]# dnssec-signzone -o jp jp_zone_internal.db.new
dnssec-signzone: warning: jp_zone_internal.db.new:127: using RFC1035 TTL semantics
Verifying the zone using the following algorithms: RSASHA256.
Zone signing complete:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                      ZSKs: 1 active, 0 stand-by, 0 revoked
jp_zone_internal.db.new.signed

[root@hat2-vm named]# mv jp_zone_internal.db.new.signed jp_zone_internal.db.signed

[root@hat2-vm named]# rndc reload
server reload successful

This completes the chain of trust, so with only the internal root's KSK registered on the caching server,
DNSSEC validation of www.test.co.jp becomes possible.

- Caching server

In case something does not work, enable DNSSEC logging.

logging {
        channel dnssec_log {
                file "/var/log/bind/dnssec.log" versions 3 size 5m;
                severity debug 3;
                print-severity yes;
                print-time yes;
        };
        category dnssec { dnssec_log; };
};

[root@hat4-vm ~]# mkdir /var/log/bind
[root@hat4-vm ~]# touch /var/log/bind/dnssec.log
[root@hat4-vm ~]# chmod g+w /var/log/bind
[root@hat4-vm ~]# chgrp named /var/log/bind/dnssec.log

Make trusted-keys contain only the root DNS's KSK.

options {
        directory "/var/named";
        pid-file "/var/run/named/named.pid";
        max-cache-size 5M;
        recursion yes;
        version "";
        dnssec-enable yes;
#       dnssec-enable no;
        dnssec-validation yes;
};

trusted-keys {

"." 257 3 8 "AwEAAbMQ3cEdLfYbAitpiWvfJkWKncHe2PyNwd77jHCwy0eSm7EBtqqo rZic53HgeolqwoAxut/m+BmGCTHU8pcbrphiGIxrSz1o4KjzCcchKmvz vClM78IrB9XZA8Z1twTMf/n2i1aMxSbIrmaP9Ik4eu7xr2RwNu2y6LaJ fFGSF/7Z";

};

[root@hat4-vm ~]# rndc reload
server reload successful
[root@hat4-vm ~]# rndc flush


The ad bit is set, so DNSSEC validation succeeded.
( the chain of trust runs internal root -> internal jp -> test.co.jp )

[root@hat4-vm ~]# dig @127.1 www.test.co.jp +dnssec +multiline

; <<>> DiG 9.7.1 <<>> @127.1 www.test.co.jp +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1003
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.test.co.jp. IN A

;; ANSWER SECTION:
www.test.co.jp. 86400 IN A 10.0.0.1
www.test.co.jp. 86400 IN RRSIG A 8 4 86400 20100729153623 (
20100629153623 8448 test.co.jp.
imNyayZKrqEdE4m+bnmE3lRNi0XAMfqEEJ+mnZyUhA3c
+4x6M/OAIVdJjDINT33G6N8rFaV37vsGWcSPePndd12e
ejn2ZIbhtgDAfQXIUFp4k+KEVsOf6ihlIb4L7yfmqT7T
NhBUxalEoiL1CWwnbXz7hK3DkVcuX7rOjOjpiSEQLTZ5
n5fZelzE36ThDWd8nkS0C0mxeLPmzQIDS6O4fMZKHIGN
yWS3JMgUF5NMr8N5seSrJkGLtpA1wUQLCvoV/JzMZrGi
BBPJ53LAZQHvy46R6DaUnLS+izfRgWs8TS7B0y2Lz8zj
fXVVeNwYeeg7NsRmXqtYU6v5+NLu141kFA== )

;; AUTHORITY SECTION:
test.co.jp. 86400 IN NS ns.test.co.jp.
test.co.jp. 86400 IN RRSIG NS 8 3 86400 20100729153623 (
20100629153623 8448 test.co.jp.
wAVapgwcoYN/BRZODCUC/JeFp/Nfg2r4cVP5vZGQZzal
QRmSomVO6IwvVLlZkajq2XLbS1v5LHIeu/wAWBaA0ms2
MQ4eXSUZNmVIMXj3pyYgVTA2WSENhzKZ2MsNoOJn3D2y
pXxrRLB8SF2zLKHI9N4yRNtT6MDUD8PNT46cf2mEQMfo
tZdmd5tS2A/J13+nB2gCFN8MBxPWvJLnKoDYZUfc3y3t
he4b3KpyJMswO4kvy4VqR9rHVYntIr4D5QFcIqxt+GtB
jgAgx/W3C8TE+2caakdiwhnwNuBKCSnAfH+njuc9+J0R
eHa+CJO+XIhVCHRF8QBNImxR7odcuRD7VA== )

;; ADDITIONAL SECTION:
ns.test.co.jp. 86400 IN A 192.168.1.52
ns.test.co.jp. 86400 IN RRSIG A 8 4 86400 20100729153623 (
20100629153623 8448 test.co.jp.
bZgXs0iHMhS8VCbKSYMtYSvbM1qWd2bym4HeMsM2Bihm
YaFkm9M1BmTypQEv9Jpb3MuZmW7iA6GWyX2u0xepbRI3
CKmZMlzGX6MhuK8a1GgprH+R2nlx0sLlkP6VT0dmOh1F
1ANu6M4RE1zo2lHR++X9vacpqZzpJPhAegNrAq09u35R
nUcUSLo7miQGuO11/CESK76w1GXLXEDjxzkaqEIxIwVC
wA9tE4mx7WG3U9zOqMlRgo9vJ5o06EcANhVDASGNCrw9
I6AUPr9AYFn/lH/swIE0eDZPqDkklxATNBCaGqOKL5j5
eXEY4sjFSzHn82A0j/2JQkK2EZ/sEqeCrw== )

;; Query time: 15 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jul  2 00:55:01 2010
;; MSG SIZE  rcvd: 986

[root@hat4-vm ~]#

DNSSEC log

[root@hat4-vm ~]# cat /var/log/bind/dnssec.log
02-Jul-2010 00:55:01.210 debug 3: validating @0x8831690: . NS: starting
02-Jul-2010 00:55:01.210 debug 3: validating @0x8831690: . NS: attempting positive response validation
02-Jul-2010 00:55:01.211 debug 3: validating @0x884a350: . DNSKEY: starting
02-Jul-2010 00:55:01.211 debug 3: validating @0x884a350: . DNSKEY: attempting positive response validation
02-Jul-2010 00:55:01.212 debug 3: validating @0x884a350: . DNSKEY: verify rdataset (keyid=24796): success
02-Jul-2010 00:55:01.212 debug 3: validating @0x884a350: . DNSKEY: signed by trusted key; marking as secure
02-Jul-2010 00:55:01.212 debug 3: validator @0x884a350: dns_validator_destroy
02-Jul-2010 00:55:01.212 debug 3: validating @0x8831690: . NS: in fetch_callback_validator
02-Jul-2010 00:55:01.212 debug 3: validating @0x8831690: . NS: keyset with trust 8
02-Jul-2010 00:55:01.212 debug 3: validating @0x8831690: . NS: resuming validate
02-Jul-2010 00:55:01.212 debug 3: validating @0x8831690: . NS: verify rdataset (keyid=18525): success
02-Jul-2010 00:55:01.212 debug 3: validating @0x8831690: . NS: marking as secure, noqname proof not needed
02-Jul-2010 00:55:01.212 debug 3: validator @0x8831690: dns_validator_destroy
02-Jul-2010 00:55:01.214 debug 3: validating @0x8831690: www.test.co.jp A: starting
02-Jul-2010 00:55:01.214 debug 3: validating @0x8831690: www.test.co.jp A: attempting positive response validation
02-Jul-2010 00:55:01.214 debug 3: validating @0x884a350: test.co.jp DNSKEY: starting
02-Jul-2010 00:55:01.215 debug 3: validating @0x884a350: test.co.jp DNSKEY: attempting positive response validation
02-Jul-2010 00:55:01.216 debug 3: validating @0x8837120: test.co.jp DS: starting
02-Jul-2010 00:55:01.216 debug 3: validating @0x8837120: test.co.jp DS: attempting positive response validation
02-Jul-2010 00:55:01.217 debug 3: validating @0x8837b88: jp DNSKEY: starting
02-Jul-2010 00:55:01.217 debug 3: validating @0x8837b88: jp DNSKEY: attempting positive response validation
02-Jul-2010 00:55:01.219 debug 3: validating @0x88385f0: jp DS: starting
02-Jul-2010 00:55:01.219 debug 3: validating @0x88385f0: jp DS: attempting positive response validation
02-Jul-2010 00:55:01.219 debug 3: validating @0x88385f0: jp DS: keyset with trust 8
02-Jul-2010 00:55:01.219 debug 3: validating @0x88385f0: jp DS: verify rdataset (keyid=18525): success
02-Jul-2010 00:55:01.219 debug 3: validating @0x88385f0: jp DS: marking as secure, noqname proof not needed
02-Jul-2010 00:55:01.219 debug 3: validator @0x88385f0: dns_validator_destroy
02-Jul-2010 00:55:01.219 debug 3: validating @0x8837b88: jp DNSKEY: in dsfetched
02-Jul-2010 00:55:01.219 debug 3: validating @0x8837b88: jp DNSKEY: dsset with trust 8
02-Jul-2010 00:55:01.220 debug 3: validating @0x8837b88: jp DNSKEY: verify rdataset (keyid=12355): success
02-Jul-2010 00:55:01.220 debug 3: validating @0x8837b88: jp DNSKEY: marking as secure (DS)
02-Jul-2010 00:55:01.220 debug 3: validator @0x8837b88: dns_validator_destroy
02-Jul-2010 00:55:01.220 debug 3: validating @0x8837120: test.co.jp DS: in fetch_callback_validator
02-Jul-2010 00:55:01.220 debug 3: validating @0x8837120: test.co.jp DS: keyset with trust 8
02-Jul-2010 00:55:01.220 debug 3: validating @0x8837120: test.co.jp DS: resuming validate
02-Jul-2010 00:55:01.220 debug 3: validating @0x8837120: test.co.jp DS: verify rdataset (keyid=20163): success
02-Jul-2010 00:55:01.220 debug 3: validating @0x8837120: test.co.jp DS: marking as secure, noqname proof not needed
02-Jul-2010 00:55:01.220 debug 3: validator @0x8837120: dns_validator_destroy
02-Jul-2010 00:55:01.220 debug 3: validating @0x884a350: test.co.jp DNSKEY: in dsfetched
02-Jul-2010 00:55:01.220 debug 3: validating @0x884a350: test.co.jp DNSKEY: dsset with trust 8
02-Jul-2010 00:55:01.220 debug 3: validating @0x884a350: test.co.jp DNSKEY: verify rdataset (keyid=30865): success
02-Jul-2010 00:55:01.220 debug 3: validating @0x884a350: test.co.jp DNSKEY: marking as secure (DS)
02-Jul-2010 00:55:01.220 debug 3: validator @0x884a350: dns_validator_destroy
02-Jul-2010 00:55:01.220 debug 3: validating @0x8831690: www.test.co.jp A: in fetch_callback_validator
02-Jul-2010 00:55:01.220 debug 3: validating @0x8831690: www.test.co.jp A: keyset with trust 8
02-Jul-2010 00:55:01.220 debug 3: validating @0x8831690: www.test.co.jp A: resuming validate
02-Jul-2010 00:55:01.221 debug 3: validating @0x8831690: www.test.co.jp A: verify rdataset (keyid=8448): success
02-Jul-2010 00:55:01.221 debug 3: validating @0x8831690: www.test.co.jp A: marking as secure, noqname proof not needed
02-Jul-2010 00:55:01.221 debug 3: validator @0x8831690: dns_validator_destroy
[root@hat4-vm ~]#

- Capture data

Caching server

[root@hat4-vm ~]# tshark -i eth0 port 53
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
  0.000000 192.168.1.80 -> 192.168.1.50 DNS Standard query A www.test.co.jp
  0.000029 192.168.1.80 -> 192.168.1.50 DNS Standard query NS
  0.002173 192.168.1.50 -> 192.168.1.80 DNS Standard query response
  0.002981 192.168.1.50 -> 192.168.1.80 DNS Standard query response NS x.root-servers.net RRSIG
  0.005201 192.168.1.80 -> 192.168.1.50 DNS Standard query DNSKEY
  0.006535 192.168.1.50 -> 192.168.1.80 DNS Standard query response DNSKEY DNSKEY RRSIG RRSIG
  0.007075 192.168.1.80 -> 192.168.1.51 DNS Standard query A www.test.co.jp
  0.010325 192.168.1.51 -> 192.168.1.80 DNS Standard query response
  0.017052 192.168.1.80 -> 192.168.1.52 DNS Standard query A www.test.co.jp
  0.018623 192.168.1.52 -> 192.168.1.80 DNS Standard query response A 10.0.0.1 RRSIG
  0.020636 192.168.1.80 -> 192.168.1.52 DNS Standard query DNSKEY test.co.jp
  0.022198 192.168.1.52 -> 192.168.1.80 DNS Standard query response DNSKEY DNSKEY RRSIG RRSIG
  0.026609 192.168.1.80 -> 192.168.1.51 DNS Standard query DS test.co.jp
  0.028054 192.168.1.51 -> 192.168.1.80 DNS Standard query response DS DS RRSIG
  0.028813 192.168.1.80 -> 192.168.1.51 DNS Standard query DNSKEY jp
  0.029957 192.168.1.51 -> 192.168.1.80 DNS Standard query response DNSKEY DNSKEY RRSIG RRSIG
  0.033359 192.168.1.80 -> 192.168.1.50 DNS Standard query DS jp
  0.035040 192.168.1.50 -> 192.168.1.80 DNS Standard query response DS DS RRSIG
18 packets captured
[root@hat4-vm ~]#

internal root

[root@hat1-vm ~]# tshark -i eth0 port 53
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
  0.000000 192.168.1.80 -> 192.168.1.50 DNS Standard query A www.test.co.jp
  0.000063 192.168.1.80 -> 192.168.1.50 DNS Standard query NS
  0.000846 192.168.1.50 -> 192.168.1.80 DNS Standard query response
  0.001540 192.168.1.50 -> 192.168.1.80 DNS Standard query response NS x.root-servers.net RRSIG
  0.005028 192.168.1.80 -> 192.168.1.50 DNS Standard query DNSKEY
  0.005151 192.168.1.50 -> 192.168.1.80 DNS Standard query response DNSKEY DNSKEY RRSIG RRSIG
  0.033376 192.168.1.80 -> 192.168.1.50 DNS Standard query DS jp
  0.033572 192.168.1.50 -> 192.168.1.80 DNS Standard query response DS DS RRSIG
8 packets captured
[root@hat1-vm ~]#

internal jp

[root@hat2-vm ~]# tshark -i eth0 port 53
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
  0.000000 192.168.1.80 -> 192.168.1.51 DNS Standard query A www.test.co.jp
  0.000307 192.168.1.51 -> 192.168.1.80 DNS Standard query response
  0.020025 192.168.1.80 -> 192.168.1.51 DNS Standard query DS test.co.jp
  0.020094 192.168.1.51 -> 192.168.1.80 DNS Standard query response DS DS RRSIG
  0.021702 192.168.1.80 -> 192.168.1.51 DNS Standard query DNSKEY jp
  0.021760 192.168.1.51 -> 192.168.1.80 DNS Standard query response DNSKEY DNSKEY RRSIG RRSIG
6 packets captured
[root@hat2-vm ~]#

test.co.jp

[root@hat3-vm named]# tshark -i eth0 port 53
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
  0.000000 192.168.1.80 -> 192.168.1.52 DNS Standard query A www.test.co.jp
  0.000298 192.168.1.52 -> 192.168.1.80 DNS Standard query response A 10.0.0.1 RRSIG
  0.003729 192.168.1.80 -> 192.168.1.52 DNS Standard query DNSKEY test.co.jp
  0.003908 192.168.1.52 -> 192.168.1.80 DNS Standard query response DNSKEY DNSKEY RRSIG RRSIG
4 packets captured
[root@hat3-vm named]#

get things done :)
