lost and found ( for me ? )

DNS-based Blocking と DNSSEC

ふとこんな記事を発見したのでためしてみた。

DNSブロッキングとDNSSECを共存させるための手法について
http://jprs.jp/tech/notice/2010-07-28-dns-blocking-dnssec.html

DNSブロッキングに賛成 or not について興味はなく、単純に動作がどうなるんだろーという興味本位。
あーんど、一応ログ、キャプチャなどで確認しましたが、確認不足、知識不足で間違っている可能性があるので内容に責任もてませぬ。。なんか回避策があるかも。。

下記構成でためしてみた。
偽回答情報をキャッシュサーバ上に持つ方法も考えられるが、今回は forward で偽回答DNSに転送する構成でためした。

[ 構成 ]

               偽回答DNS ( bad.test.co.jp = 1.1.1.1 )
                    | ← 偽回答 はキャッシュサーバが偽回答DNSに forward 。
resolver --- cache --- internal root
                             internal  jp
     test.co.jp
    ( 良いサイト www.test.co.jp = 192.0.2.2 , 悪いサイト bad.test.co.jp = 192.0.2.4)

internal root : ubuntu-1 192.168.11.130 ( BIND 9.7.0-P1 )
internal jp : ubuntu-2 192.168.11.131 ( BIND 9.7.0-P1 )
test.co.jp : ubuntu-3 192.168.11.132 ( BIND 9.7.0-P1  )
cache : ubuntu-4 192.168.11.134 ( BIND 9.7.0-P1 or unbound 1.4.1 )
偽回答DNS : ubuntu-5  192.168.11.135 ( unbound 1.4.1 )
resolver : ubuntu-6 192.168.11.136

internal root , internal jp , test.co.jp は DNSSECに対応しており、信頼の連鎖( chain of trust ) も設定済み。
internal root の trusted keys のみで DNSSECの検証ができる。( キャッシュサーバには internal root の trusted key だけ登録 )

偽回答DNSの偽回答は unbound.conf の local-data で指定。

偽回答DNSサーバ。偽の回答のみ登録。
root@ubuntu-5:~# egrep "bad.test.co.jp" /etc/unbound/unbound.conf
        local-data: "bad.test.co.jp. 0 IN A 1.1.1.1"


[ 確認内容 ]

権威サーバがDNSSEC に対応した環境で、キャッシュが DNSSEC or not , リゾルバが DNSSEC or not で違いを比較。

・良いサイト www.test.co.jptest.co.jp のNS から回答を得られること

resolver --- cache --- internal root
 --- internal jp
 --- test.co.jp

・悪いサイト bad.test.co.jp のクエリは test.co.jp に名前解決せずに、偽回答DNSに転送し、違う回答( bad.test.co.jp = 1.1.1.1 ) を返す。

         1. bad.test.co.jp ?               2.  bad.test.co.jp ?
resolver ---------------------------> cache ---------------------> 偽回答DNS
           <-------------------------             <---------------------
              4. bad.test.co.jp = 1.1.1.1   3. bad.test.co.jp = 1.1.1.1

[ 結果]

リゾルバ ( non DNSSEC or DNSSEC ) かつキャッシュサーバDNSSEC かつ 権威サーバ DNSSEC でうまくいったのは、unbound with forward + domain-insecure オプションを使ったときだけだった。

失敗ケース:

・キャッシュ - 権威サーバ間がDNSSEC : BIND forward only , unbound with forwad + domain-insecure なし

ServFail

キャッシュサーバと権威サーバがDNSSEC対応環境下では、キャッシュサーバが foward により 偽回答を偽回答DNS(ubuntu-5)から得たあとに、本当のtest.co.jpのNS(ubuntu-3) にDNSSECの検証が走り、DNSSEC検証失敗するため。

・キャッシュ - 権威サーバ間がDNSSEC : BIND forward first

偽回答ではなく、本物のNSからの回答となる

偽回答DNSから偽の回答をえたあと、DNSSECの検証で本物のNSに確認しまい、偽回答が本物の回答に上書き(表現正しい??)されるため

・キャッシュ - 権威サーバ間がDNSSEC : unbound with forward + domain-insecure あり

unbound の場合、DNSSECの検証をさせないdomain-insecure オプションで偽回答の FQDN を指定することで、上記事象を回避でき、キャッシュサーバと権威サーバがDNSSEC対応でも、偽回答が得られることができた。
ただし、偽回答はnon DNSSEC の回答となる。

・キャッシュサーバが BIND 9.7.0-P1 with forward only

横に見てね。

例えば、リゾルバ non DNSSEC , キャッシュ non DNSSEC , 権威サーバ DNSSEC 対応だと、
www.test.co.jptest.co.jp の NS から回答を得られる。また bad.test.co.jp は偽回答DNSから回答を得られる。
リゾルバ
キャッシュ(BIND)
権威サーバ(BIND)
www.test.co.jp
(本物のNSから回答を得られる)
bad.test.co.jp
(偽回答DNSから回答を得られる)
non DNSSEC
non DNSSEC
DNSSEC
名前解決OK
名前解決OK
偽の回答
DNSSEC
non DNSSEC
DNSSEC
名前解決OK
名前解決OK
偽の回答
non DNSSEC
DNSSEC
DNSSEC
名前解決OK
DNSSECの検証OK
名前解決NG
( ServFail )
DNSSEC
DNSSEC
DNSSEC
名前解決OK
DNSSECの検証OK
名前解決NG
( ServFail )



・キャッシュサーバが BIND 9.7.0-P1 with forward first
リゾルバ
キャッシュ(BIND)
権威サーバ(BIND)
www.test.co.jp
(本物のNSから回答を得られる)
bad.test.co.jp
(偽回答DNSから回答を得られる)
non DNSSEC
non DNSSEC
DNSSEC
名前解決OK
名前解決OK
偽の回答
DNSSEC
non DNSSEC
DNSSEC
名前解決OK
名前解決OK
偽の回答
non DNSSEC
DNSSEC
DNSSEC
名前解決OK
DNSSECの検証OK
NG
名前解決できるが本物のNSからの回答で偽回答ではない
DNSSEC
DNSSEC
DNSSEC
名前解決OK
DNSSECの検証OK
NG
名前解決できるが本物のNSからの回答で偽回答ではない



・キャッシュサーバが unbound 1.4.1  with forward + domain-insecure: "bad.test.co.jp" オプションあり
リゾルバ
キャッシュ(BIND)
権威サーバ(unbound)
www.test.co.jp
(本物のNSから回答を得られる)
bad.test.co.jp
(偽回答DNSから回答を得られる)
non DNSSEC
non DNSSEC
DNSSEC
名前解決OK
名前解決OK
偽の回答
DNSSEC
non DNSSEC
DNSSEC
名前解決OK
名前解決OK
偽の回答
non DNSSEC
DNSSEC
DNSSEC
名前解決OK
DNSSECの検証OK
名前解決OK
偽の回答
偽回答はnon DNSSEC
DNSSEC
DNSSEC
DNSSEC
名前解決OK
DNSSECの検証OK
名前解決OK
偽の回答
偽回答はnon DNSSEC)


偽回答は DNSSEC環境下でも non DNSSEC となる。

・キャッシュサーバが unbound 1.4.1 with forward + domain-insecure: "bad.test.co.jp" オプションなし
リゾルバ
キャッシュ(BIND)
権威サーバ(unbound)
www.test.co.jp
(本物のNSから回答を得られる)
bad.test.co.jp
(偽回答DNSから回答を得られる)
non DNSSEC
non DNSSEC
DNSSEC
名前解決OK
名前解決OK
偽の回答
DNSSEC
non DNSSEC
DNSSEC
名前解決OK
名前解決OK
偽の回答
non DNS  SEC
DNSSEC
DNSSEC
名前解決OK
DNSSECの検証OK
名前解決NG
( ServFail )
DNSSEC
DNSSEC
DNSSEC
名前解決OK
DNSSECの検証OK
名前解決NG
( ServFail )



[ DNSSEC : フィルタリングなし環境 ( キャッシュサーバに forward 設定なし) ]

DNSSECの設定が正しいか確認するのが目的

# フィルタリングという言葉が適切かは ? なので、言葉の定義に関してはご容赦を。。

リゾルバ ubuntu-6 から名前解決

良いサイト www.test.co.jp
root@ubuntu-6:~# dig @192.168.11.133 www.test.co.jp

; <<>> DiG 9.7.0-P1 <<>> @192.168.11.133 www.test.co.jp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61584
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.test.co.jp.                        IN      A

;; ANSWER SECTION:
www.test.co.jp.         10      IN      A       192.0.2.2

;; AUTHORITY SECTION:
test.co.jp.             10      IN      NS      ns.test.co.jp.

;; ADDITIONAL SECTION:
ns.test.co.jp.          10      IN      A       192.168.11.132


悪いサイト bad.test.co.jp。
bad.test.co.jp 192.0.2.4 をフィルタリングで 1.1.1.1 にしたい。
root@ubuntu-6:~# dig @192.168.11.133 bad.test.co.jp

; <<>> DiG 9.7.0-P1 <<>> @192.168.11.133 bad.test.co.jp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7631
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;bad.test.co.jp.                        IN      A

;; ANSWER SECTION:
bad.test.co.jp.         10      IN      A       192.0.2.4

;; AUTHORITY SECTION:
test.co.jp.             10      IN      NS      ns.test.co.jp.

;; ADDITIONAL SECTION:
ns.test.co.jp.          10      IN      A       192.168.11.132


DNSSECで dig

www.test.co.jp 。ad bit が立っているので検証できている。
root@ubuntu-6:~# dig @192.168.11.133 www.test.co.jp +dnssec +multiline

; <<>> DiG 9.7.0-P1 <<>> @192.168.11.133 www.test.co.jp +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13974
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.test.co.jp.                IN A

;; ANSWER SECTION:
www.test.co.jp.         10 IN A 192.0.2.2
www.test.co.jp.         10 IN RRSIG A 5 4 10 20101119235024 (
                               20101020235024 31620 test.co.jp.
                               ziLymA/GG79bOyC94u2K3KH3C6aehUeb54OiBjpfybKr
                               e9dVPW1TJJvBLVkGPOeksP/iFHQtKkTRWwN/xxd8h7lh
                               TH0YA9VWwFMujHCwF4wMT5h8eu2mHN6NpDVnhv7vjf7Q
                               GlFIVILmIzrq/dHVNrNCN1Z+5E0l3rDcrHQzMgc= )

;; AUTHORITY SECTION:
test.co.jp.             10 IN NS ns.test.co.jp.
test.co.jp.             10 IN RRSIG NS 5 3 10 20101119235024 (
                               20101020235024 31620 test.co.jp.
                               PkwZ1AQwHSn63Qn3Pa4BlfSveEZugLxViZqZBQ1Q2xsT
                               +DMHSOA+0/dVlxQMTEkl/K2V0HDC8Whrr/8jch1+p669
                               V7xpqDB7fXkBXGJBNkgAXCnv0D/bWZryX+BfC1LVtc8n
                               vWK1+lPh+YvTBxJxHQG/4YsNPFBJ4xveD9hGF1I= )

;; ADDITIONAL SECTION:
ns.test.co.jp.          10 IN A 192.168.11.132
ns.test.co.jp.          10 IN RRSIG A 5 4 10 20101119235024 (
                               20101020235024 31620 test.co.jp.
                               QJxjq9q/4MTpRJJDIGzDM9okjwADHwa27oz5FxYa9XI0
                               LZKVa1e6zfOBbyAvYl5/PTIS0CgOSV7PjCkTbezZ7Iul
                               VrApCE2p0t9LGDbt8MkbvWM85FEktt/RQw1+sW2yAF5n
                               rMV4sV5R6F3GHMjVzcjHLe4NJBZINPbe0tAqoNg= )



リゾルバ unbound-6 から unbound-host コマンドで secure か一応確認。secure 。
root@ubuntu-6:~# cat /etc/resolv.conf
nameserver 192.168.11.133
#nameserver 127.0.0.1
root@ubuntu-6:~#

root@ubuntu-6:~# unbound-host -r -v -F dnskey_root.txt www.test.co.jp
www.test.co.jp has address 192.0.2.2 (secure)
www.test.co.jp has no IPv6 address (secure)
www.test.co.jp has no mail handler record (secure)


キャッシュサーバ ubuntu-4 の DNSSEC ログ。 making as secure
root@ubuntu-4:/etc/bind# echo > /var/cache/bind/dnssec.log
root@ubuntu-4:/etc/bind# egrep -i secure /var/cache/bind/dnssec.log
21-Oct-2010 01:21:57.769 debug 3: validating @0xb84e5010: . DNSKEY: signed by trusted key; marking as secure
21-Oct-2010 01:21:57.769 debug 3: validating @0xb8371a30: . NS: marking as secure, noqname proof not needed
21-Oct-2010 01:21:57.775 debug 3: validating @0xb84e5f70: jp DS: marking as secure, noqname proof not needed
21-Oct-2010 01:21:57.777 debug 3: validating @0xb84e54f8: jp DNSKEY: marking as secure (DS)
21-Oct-2010 01:21:57.778 debug 3: validating @0xb84e4a80: test.co.jp DS: marking as secure, noqname proof not needed
21-Oct-2010 01:21:57.779 debug 3: validating @0xb84e4008: test.co.jp DNSKEY: marking as secure (DS)
21-Oct-2010 01:21:57.780 debug 3: validating @0xb8371a30: www.test.co.jp A: marking as secure, noqname proof not needed


bad.test.co.jp 。ad bit が立っているので検証できている。
root@ubuntu-6:~# dig @192.168.11.133 bad.test.co.jp +dnssec +multiline

; <<>> DiG 9.7.0-P1 <<>> @192.168.11.133 bad.test.co.jp +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4540
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;bad.test.co.jp.                IN A

;; ANSWER SECTION:
bad.test.co.jp.         10 IN A 192.0.2.4
bad.test.co.jp.         10 IN RRSIG A 5 4 10 20101119235024 (
                               20101020235024 31620 test.co.jp.
                               GT0qQkfYPs5OR6VSN//LkqZM1qtZtzCHP/P4qZqjLybZ
                               GsXvNpCInQAtD3ndIwnJ/6lKxz2REqMD5huc714gxgfx
                               0UWQsnSrs/sSADa1FVhsVfgvosZNESmZTRkHSDajqh7v
                               tIVcpWEnwHXii6pZ4KRYSylvMVIEMBFP23IoBQ0= )

;; AUTHORITY SECTION:
test.co.jp.             10 IN NS ns.test.co.jp.
test.co.jp.             10 IN RRSIG NS 5 3 10 20101119235024 (
                               20101020235024 31620 test.co.jp.
                               PkwZ1AQwHSn63Qn3Pa4BlfSveEZugLxViZqZBQ1Q2xsT
                               +DMHSOA+0/dVlxQMTEkl/K2V0HDC8Whrr/8jch1+p669
                               V7xpqDB7fXkBXGJBNkgAXCnv0D/bWZryX+BfC1LVtc8n
                               vWK1+lPh+YvTBxJxHQG/4YsNPFBJ4xveD9hGF1I= )

;; ADDITIONAL SECTION:
ns.test.co.jp.          10 IN A 192.168.11.132
ns.test.co.jp.          10 IN RRSIG A 5 4 10 20101119235024 (
                               20101020235024 31620 test.co.jp.
                               QJxjq9q/4MTpRJJDIGzDM9okjwADHwa27oz5FxYa9XI0
                               LZKVa1e6zfOBbyAvYl5/PTIS0CgOSV7PjCkTbezZ7Iul
                               VrApCE2p0t9LGDbt8MkbvWM85FEktt/RQw1+sW2yAF5n
                               rMV4sV5R6F3GHMjVzcjHLe4NJBZINPbe0tAqoNg= )


リゾルバ unbound-6 から unbound-host コマンドで secure か一応確認。secure 。
root@ubuntu-6:~# unbound-host -r -v -F dnskey_root.txt bad.test.co.jp
bad.test.co.jp has address 192.0.2.4 (secure)
bad.test.co.jp has no IPv6 address (secure)
bad.test.co.jp has no mail handler record (secure)


キャッシュサーバ ubuntu-4 の DNSSEC ログ。 making as secure
oot@ubuntu-4:/etc/bind# egrep -i secure /var/cache/bind/dnssec.log
21-Oct-2010 01:25:22.693 debug 3: validating @0xb845b220: . DNSKEY: signed by trusted key; marking as secure
21-Oct-2010 01:25:22.693 debug 3: validating @0xb8458798: . NS: marking as secure, noqname proof not needed
21-Oct-2010 01:25:22.702 debug 3: validating @0xb845d718: jp DS: marking as secure, noqname proof not needed
21-Oct-2010 01:25:22.704 debug 3: validating @0xb845cca0: jp DNSKEY: marking as secure (DS)
21-Oct-2010 01:25:22.704 debug 3: validating @0xb845c228: test.co.jp DS: marking as secure, noqname proof not needed
21-Oct-2010 01:25:22.706 debug 3: validating @0xb83709d8: test.co.jp DNSKEY: marking as secure (DS)
21-Oct-2010 01:25:22.707 debug 3: validating @0xb8458798: bad.test.co.jp A: marking as secure, noqname proof not needed


[ non DNSSEC : フィルタリングあり環境 ( キャッシュサーバに forward 設定あり) ]

まずはDNSSECなしの環境。権威サーバはDNSSECに対応しているので、キャッシュサーバで DNSSEC を無効にする。

・キャッシュサーバが BINDのケース ( キャッシュサーバは non DNSSEC )

DNSSEC を無効
root@ubuntu-4:/etc/bind# cat named.conf.options
options {
       directory "/var/cache/bind";
       max-cache-size 3M;
       recursion yes;
#        dnssec-enable yes;
#        dnssec-validation yes;
       dnssec-enable no;
      dnssec-validation no;
};


forward で、bad.test.co.jp は 偽回答DNS ubuntu-5  192.168.11.135 へ。
test.co.jp を指定すると、*.test.co.jp すべて forward されてしまうので、偽の回答をしたい FQDN bad.test.co.jp を指定した。
root@ubuntu-4:/etc/bind# egrep -v ^// named.conf.local | egrep -v ^$
zone "bad.test.co.jp." {
       type forward;
       forward only;
       forwarders { 192.168.11.134; };
};


偽回答DNS ubuntu-5 192.168.11.134 は unbound.conf の local-data で下記を記載して、偽の回答をかえす。
root@ubuntu-5:~# egrep "bad.test.co.jp" /etc/unbound/unbound.conf
        local-data: "bad.test.co.jp. 0 IN A 1.1.1.1"


こんな感じ
root@ubuntu-5:~# dig @127.1 bad.test.co.jp

; <<>> DiG 9.7.0-P1 <<>> @127.1 bad.test.co.jp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39790
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;bad.test.co.jp.                        IN      A

;; ANSWER SECTION:
bad.test.co.jp.         0       IN      A       1.1.1.1 ← 偽回答


リゾルバ ubuntu-6 からチェック ( キャッシュサーバは non DNSSEC )

良いサイト www.test.co.jp 。OK
root@ubuntu-6:~# dig @192.168.11.133 www.test.co.jp

; <<>> DiG 9.7.0-P1 <<>> @192.168.11.133 www.test.co.jp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9040
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.test.co.jp.                        IN      A

;; ANSWER SECTION:
www.test.co.jp.         10      IN      A       192.0.2.2

;; AUTHORITY SECTION:
test.co.jp.             10      IN      NS      ns.test.co.jp.


悪いサイト bad.test.co.jp
偽回答 1.1.1.1 がかえってきたので OK。
でも Autohority Section にtest.co.jp から回答を得たわけではないのに、 test.co.jp の NS がでちゃうのは嫌だな。。
root@ubuntu-6:~# dig @192.168.11.133 bad.test.co.jp

; <<>> DiG 9.7.0-P1 <<>> @192.168.11.133 bad.test.co.jp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60042
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;bad.test.co.jp.                        IN      A

;; ANSWER SECTION:
bad.test.co.jp.         0       IN      A       1.1.1.1 ←偽の回答

;; AUTHORITY SECTION:
test.co.jp.             9       IN      NS      ns.test.co.jp. ← ns.test.co.jp から回答を得てない


これは最初の www.test.co.jptest.co.jp の NS をキャッシュしたから表示される。
キャッシュが空の状態で、 bad.test.co.jp に問い合わせると、test.co.jp の NS はキャッシュしないので、Auth Section は表示されない。

キャッシュクリア
root@ubuntu-4:/etc/bind# rndc flush


リゾルバから bad.test.co.jp へ dig
test.co.jp の NS に問い合わせていない(キャッシュしていないので) 、Auth Section は表示されない。
root@ubuntu-6:~# dig @192.168.11.133 bad.test.co.jp

; <<>> DiG 9.7.0-P1 <<>> @192.168.11.133 bad.test.co.jp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36629
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;bad.test.co.jp.                        IN      A

;; ANSWER SECTION:
bad.test.co.jp.         0       IN      A       1.1.1.1


キャッシュサーバでキャプチャしたデータ

192.168.11.135 : resolver
192.168.11.133 : cache
192.168.11.134 : 偽回答DNS
test.co.jp の NS 192.168.11.132 へ問い合わせていない
root@ubuntu-4:/etc/bind# tshark -i eth0 port 53
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
 0.000000 192.168.11.135 -> 192.168.11.133 DNS Standard query A bad.test.co.jp
 0.000961 192.168.11.133 -> 192.168.11.134 DNS Standard query A bad.test.co.jp
 0.002144 192.168.11.134 -> 192.168.11.133 DNS Standard query response A 1.1.1.1
 0.002696 192.168.11.133 -> 192.168.11.135 DNS Standard query response A 1.1.1.1
^C4 packets captured


上記の状態から www.test.co.jp へ dig
root@ubuntu-6:~# dig @192.168.11.133 www.test.co.jp

; <<>> DiG 9.7.0-P1 <<>> @192.168.11.133 www.test.co.jp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34453
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.test.co.jp.                        IN      A

;; ANSWER SECTION:
www.test.co.jp.         10      IN      A       192.0.2.2

;; AUTHORITY SECTION:
test.co.jp.             10      IN      NS      ns.test.co.jp.


キャッシュサーバ上のキャプチャデータ。
test.co.jp の NS 192.168.11.132 へ問い合わせが発生するので、test.co.jp の NS をキャッシュする。
root@ubuntu-4:/etc/bind# tshark -i eth0 port 53
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
 0.000000 192.168.11.135 -> 192.168.11.133 DNS Standard query A www.test.co.jp
 0.000966 192.168.11.133 -> 192.168.11.130 DNS Standard query A www.test.co.jp
 0.001236 192.168.11.133 -> 192.168.11.130 DNS Standard query NS
 0.006470 192.168.11.130 -> 192.168.11.133 DNS Standard query response
 0.006496 192.168.11.130 -> 192.168.11.133 DNS Standard query response NS x.root-servers.net RRSIG
 0.009139 192.168.11.133 -> 192.168.11.131 DNS Standard query A www.test.co.jp
 0.010453 192.168.11.131 -> 192.168.11.133 DNS Standard query response
 0.011098 192.168.11.133 -> 192.168.11.132 DNS Standard query A www.test.co.jp
 0.012541 192.168.11.132 -> 192.168.11.133 DNS Standard query response A 192.0.2.2 RRSIG
 0.012929 192.168.11.133 -> 192.168.11.135 DNS Standard query response A 192.0.2.2


このあと、bad.test.co.jp へ dig すると Auth Section に ns.test.co.jp が表示される。
と思ったら、x.dns.jp になった。
原因は ns.test.co.jp の TTL が 10秒で、jp ( x.dns.jp ) の TTL を 600秒にしているからだ。。
ns.test.co.jp のキャッシュが expire して、x.dns.jp のキャッシュが残っているから。
root@ubuntu-6:~# dig @192.168.11.133 bad.test.co.jp

; <<>> DiG 9.7.0-P1 <<>> @192.168.11.133 bad.test.co.jp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55373
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;bad.test.co.jp.                        IN      A

;; ANSWER SECTION:
bad.test.co.jp.         0       IN      A       1.1.1.1 ←偽の回答

;; AUTHORITY SECTION:
jp.                     495     IN      NS      x.dns.jp. <- authority section が変


キャッシュサーバのキャプチャデータ。偽回答DNSにしか問い合わせていない。
root@ubuntu-4:/etc/bind# tshark -i eth0 port 53
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
 0.000000 192.168.11.135 -> 192.168.11.133 DNS Standard query A bad.test.co.jp
 0.000750 192.168.11.133 -> 192.168.11.134 DNS Standard query A bad.test.co.jp
 0.001884 192.168.11.134 -> 192.168.11.133 DNS Standard query response A 1.1.1.1
 0.002026 192.168.11.133 -> 192.168.11.135 DNS Standard query response A 1.1.1.1


うーん、キャッシュの状態によって、Auth Section の表示内容が異なったり、表示されないなど一貫性がないなー。
Auth Section を表示しないように設定にしてみよう。。
キャッシュサーバに minimal-responses yes; を追加
root@ubuntu-4:/etc/bind# cat named.conf.options
options {
       directory "/var/cache/bind";
       max-cache-size 3M;
       recursion yes;
#        dnssec-enable yes;
#        dnssec-validation yes;
       dnssec-enable no;
      dnssec-validation no;
       minimal-responses yes;
};

root@ubuntu-4:/etc/bind# rndc reload
server reload successful


これで Auth Section は表示されなくなる。

キャッシュをクリア
root@ubuntu-4:/etc/bind# rndc flush


リゾルバから www.test.co.jp -> bad.test.co.jp の順番で dig
Auth Section が表示されなくなった
root@ubuntu-6:~# dig @192.168.11.133 www.test.co.jp

; <<>> DiG 9.7.0-P1 <<>> @192.168.11.133 www.test.co.jp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29312
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.test.co.jp.                        IN      A

;; ANSWER SECTION:
www.test.co.jp.         10      IN      A       192.0.2.2

root@ubuntu-6:~# dig @192.168.11.133 bad.test.co.jp

; <<>> DiG 9.7.0-P1 <<>> @192.168.11.133 bad.test.co.jp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22366
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;bad.test.co.jp.                        IN      A

;; ANSWER SECTION:
bad.test.co.jp.         0       IN      A       1.1.1.1 ← 偽回答


リゾルバから DNSSECクエリを送信 ( キャッシュサーバは non DNSSEC )

キャッシュサーバが non DNSSEC なので、リゾルバが DNSSEC クエリを送信しても問題ない
root@ubuntu-6:~# dig @192.168.11.133 www.test.co.jp +dnssec +multiline

; <<>> DiG 9.7.0-P1 <<>> @192.168.11.133 www.test.co.jp +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62294
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.test.co.jp.                IN A

;; ANSWER SECTION:
www.test.co.jp.         10 IN A 192.0.2.2

root@ubuntu-6:~# dig @192.168.11.133 bad.test.co.jp +dnssec +multiline

; <<>> DiG 9.7.0-P1 <<>> @192.168.11.133 bad.test.co.jp +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22021
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bad.test.co.jp.                IN A

;; ANSWER SECTION:
bad.test.co.jp.         0 IN A  1.1.1.1


リゾルバで DNSSEC の検証をすると insecure となる。これはキャッシュサーバが non DNSSEC なので、想定された動作。
root@ubuntu-6:~# unbound-host -r -v -F dnskey_root.txt www.test.co.jp
www.test.co.jp has address 192.0.2.2 (BOGUS (security failure))
validation failure : no signatures from 192.168.11.133 for trust anchor . while building chain of trust
www.test.co.jp has no IPv6 address (BOGUS (security failure))
validation failure : no signatures from 192.168.11.133 for trust anchor . while building chain of trust
www.test.co.jp has no mail handler record (BOGUS (security failure))
validation failure : no signatures from 192.168.11.133 for trust anchor . while building chain of trust

root@ubuntu-6:~# unbound-host -r -v -F dnskey_root.txt bad.test.co.jp
bad.test.co.jp has address 1.1.1.1 (BOGUS (security failure))
validation failure : no signatures from 192.168.11.133 for trust anchor . while building chain of trust
bad.test.co.jp has no IPv6 address (BOGUS (security failure))
validation failure : no signatures from 192.168.11.133 for trust anchor . while building chain of trust
bad.test.co.jp has no mail handler record (BOGUS (security failure))
validation failure : no signatures from 192.168.11.133 for trust anchor . while building chain of trust


・キャッシュサーバが unbound のケース ( キャッシュサーバは non DNSSEC )

キャッシュサーバ unbound.conf の設定。forwad の設定を記述
trusted-keys は読み込まない
forward-zone:
       name: "bad.test.co.jp"
       forward-addr: 192.168.11.134 ← 偽回答DNSのIP

#trusted-keys-file: "/etc/unbound/dnskey_root.txt" <- trusted-keys

root@ubuntu-4:/etc/unbound# cat /etc/unbound/dnskey_root.txt
trusted-keys {
"."     257 3 5 "AwEAAeEk9j1Bp2rVnZRosH+0xtXy9d6QbBMXEbmkzsCutyXkdDRSaGaP GePkuQOkA+kgYPNuI2OnwD5vEIglUaDRlBerOOXXuL3KrGkNENTAbFiY X6Vl0ph23uwESZkpNC7YtU5J4oOVNX/j5Bnj3Y5wqLDLoWsQVk80jvLR 071gISC3fMhznGC3YcAEsZPj73BfDJyEEeMS8cdqZUAPTFdR4H2EfIwt I+IMRjbItwRaB1WQWV+wIMaOjdOxWU5cmm/XwPd0whZaqfHyXhVG/EHj c3xGtz/9+zhYFueTalS2a4bxw/7Ibz6erEn02iI1ub5nHe1TN/fB9sA2 CRTNzfBeUC8=";
};


リゾルバから non DNSSEC クエリ、DNSSEC クエリのどちらがきても問題なし

non DNSSEC クエリ
root@ubuntu-6:~# dig @192.168.11.133 www.test.co.jp

; <<>> DiG 9.7.0-P1 <<>> @192.168.11.133 www.test.co.jp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13679
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.test.co.jp.                        IN      A

;; ANSWER SECTION:
www.test.co.jp.         10      IN      A       192.0.2.2

;; AUTHORITY SECTION:
test.co.jp.             10      IN      NS      ns.test.co.jp.

;; ADDITIONAL SECTION:
ns.test.co.jp.          10      IN      A       192.168.11.132


unbound は forward で得た回答の場合Auth Section追加しないみたい。
何か設定があるのかも。
root@ubuntu-6:~# dig @192.168.11.133 bad.test.co.jp

; <<>> DiG 9.7.0-P1 <<>> @192.168.11.133 bad.test.co.jp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51048
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;bad.test.co.jp.                        IN      A

;; ANSWER SECTION:
bad.test.co.jp.         0       IN      A       1.1.1.1


DNSSECクエリ。キャッシュサーバ non DNSSEC なので回答は得られる。
ただ、権威サーバがDNSSECに対応しているとDNSSECがらみの回答も付与される。
検証はしない ( ad ビットはたたない )
root@ubuntu-6:~# dig @192.168.11.133 www.test.co.jp +dnssec +multiline

; <<>> DiG 9.7.0-P1 <<>> @192.168.11.133 www.test.co.jp +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4901
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.test.co.jp.                IN A

;; ANSWER SECTION:
www.test.co.jp.         10 IN A 192.0.2.2
www.test.co.jp.         10 IN RRSIG A 5 4 10 20101119235024 (
                               20101020235024 31620 test.co.jp.
                               ziLymA/GG79bOyC94u2K3KH3C6aehUeb54OiBjpfybKr
                               e9dVPW1TJJvBLVkGPOeksP/iFHQtKkTRWwN/xxd8h7lh
                               TH0YA9VWwFMujHCwF4wMT5h8eu2mHN6NpDVnhv7vjf7Q
                               GlFIVILmIzrq/dHVNrNCN1Z+5E0l3rDcrHQzMgc= )

;; AUTHORITY SECTION:
test.co.jp.             10 IN NS ns.test.co.jp.
test.co.jp.             10 IN RRSIG NS 5 3 10 20101119235024 (
                               20101020235024 31620 test.co.jp.
                               PkwZ1AQwHSn63Qn3Pa4BlfSveEZugLxViZqZBQ1Q2xsT
                               +DMHSOA+0/dVlxQMTEkl/K2V0HDC8Whrr/8jch1+p669
                               V7xpqDB7fXkBXGJBNkgAXCnv0D/bWZryX+BfC1LVtc8n
                               vWK1+lPh+YvTBxJxHQG/4YsNPFBJ4xveD9hGF1I= )

;; ADDITIONAL SECTION:
ns.test.co.jp.          10 IN A 192.168.11.132
ns.test.co.jp.          10 IN RRSIG A 5 4 10 20101119235024 (
                               20101020235024 31620 test.co.jp.
                               QJxjq9q/4MTpRJJDIGzDM9okjwADHwa27oz5FxYa9XI0
                               LZKVa1e6zfOBbyAvYl5/PTIS0CgOSV7PjCkTbezZ7Iul
                               VrApCE2p0t9LGDbt8MkbvWM85FEktt/RQw1+sW2yAF5n
                               rMV4sV5R6F3GHMjVzcjHLe4NJBZINPbe0tAqoNg= )

root@ubuntu-6:~# dig @192.168.11.133 bad.test.co.jp +dnssec +multiline

; <<>> DiG 9.7.0-P1 <<>> @192.168.11.133 bad.test.co.jp +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41244
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;bad.test.co.jp.                IN A

;; ANSWER SECTION:
bad.test.co.jp.         0 IN A  1.1.1.1


リゾルバがDNSSECの検証をすると ( キャッシュサーバは non DNSSEC )

リゾルバがもっている trusted key とキャッシュサーバ経由の権威サーバからの回答を検証する。
キャッシュサーバが non DNSSEC でも、キャッシュサーバから DNSSEC関係の回答が付与されていれば、検証できる。dig で、キャッシュサーバに検証を依頼したときは、キャッシュサーバは non DNSSEC なので検証できない。
root@ubuntu-6:~# unbound-host -r -v -F dnskey_root.txt www.test.co.jp
www.test.co.jp has address 192.0.2.2 (secure)
www.test.co.jp has no IPv6 address (secure)
www.test.co.jp has no mail handler record (secure)

root@ubuntu-6:~# unbound-host -r -v -F dnskey_root.txt bad.test.co.jp
bad.test.co.jp has address 1.1.1.1 (BOGUS (security failure))
validation failure : misc failure
bad.test.co.jp has no IPv6 address (BOGUS (security failure))
validation failure : misc failure
bad.test.co.jp has no mail handler record (BOGUS (security failure))
validation failure : misc failure


[ DNSSEC : フィルタリングあり環境 ( キャッシュサーバに forward 設定あり) ]

・キャッシュサーバが BINDのケース ( キャッシュサーバはDNSSEC有効 )

キャッシュサーバの設定

DNSSEC有効
root@ubuntu-4:~# cat /etc/bind/named.conf.options
options {
       directory "/var/cache/bind";
       max-cache-size 3M;
       recursion yes;
       dnssec-enable yes;
       dnssec-validation yes;
#        dnssec-enable no;
#       dnssec-validation no;
#       minimal-responses yes;
};

root@ubuntu-4:~# egrep -v ^// /etc/bind/named.conf.local | egrep -v ^$
zone "bad.test.co.jp." {
       type forward;
       forward only;
       forwarders { 192.168.11.134; };
};


リゾルバから non DNSSEC クエリを送信

www.test.co.jp ( non DNSSEC クエリ )
root@ubuntu-6:~# dig @192.168.11.133 www.test.co.jp

; <<>> DiG 9.7.0-P1 <<>> @192.168.11.133 www.test.co.jp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56633
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.test.co.jp.                        IN      A

;; ANSWER SECTION:
www.test.co.jp.         10      IN      A       192.0.2.2

;; AUTHORITY SECTION:
test.co.jp.             10      IN      NS      ns.test.co.jp.

;; ADDITIONAL SECTION:
ns.test.co.jp.          10      IN      A       192.168.11.132


キャッシュサーバが DNSSEC に対応しているので、リゾルバ - キャッシュサーバ間が non DNSSEC でも、キャッシュサーバ - 権威サーバ間は DNSSEC クエリとなる。

キャッシュサーバと権威サーバがDNSSECに対応していると、リゾルバのクエリが DNSSEC or non DNSSEC にかかわらず、DNSSECの検証を行う。
root@ubuntu-4:~# egrep -i secure /var/cache/bind/dnssec.log
21-Oct-2010 03:53:41.049 debug 3: validating @0xb7df3800: . DNSKEY: signed by trusted key; marking as secure
21-Oct-2010 03:53:41.050 debug 3: validating @0xb7ad9f28: . NS: marking as secure, noqname proof not needed
21-Oct-2010 03:53:41.059 debug 3: validating @0xb7dfc0a8: jp DS: marking as secure, noqname proof not needed
21-Oct-2010 03:53:41.060 debug 3: validating @0xb7dfb630: jp DNSKEY: marking as secure (DS)
21-Oct-2010 03:53:41.061 debug 3: validating @0xb7dfabb8: test.co.jp DS: marking as secure, noqname proof not needed
21-Oct-2010 03:53:41.063 debug 3: validating @0xb7d15dc0: test.co.jp DNSKEY: marking as secure (DS)
21-Oct-2010 03:53:41.063 debug 3: validating @0xb7ad9f28: www.test.co.jp A: marking as secure, noqname proof not needed


www.test.co.jp ( non DNSSEC ) クエリの名前解決をしたときのキャッシュサーバ上でキャプチャしたデータ

11.135 : resolver
11.133 : cache
11.130 : internal root
11.131 : internal jp
11.132 : test.co.jp の NS
root@ubuntu-4:~# tshark -i eth0 port 53
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
 0.000000 192.168.11.135 -> 192.168.11.133 DNS Standard query A www.test.co.jp
 0.001004 192.168.11.133 -> 192.168.11.130 DNS Standard query A www.test.co.jp
 0.001363 192.168.11.133 -> 192.168.11.130 DNS Standard query NS
 0.002593 192.168.11.130 -> 192.168.11.133 DNS Standard query response
 0.002666 192.168.11.130 -> 192.168.11.133 DNS Standard query response NS x.root-servers.net RRSIG
 0.003448 192.168.11.133 -> 192.168.11.131 DNS Standard query A www.test.co.jp
 0.004378 192.168.11.133 -> 192.168.11.130 DNS Standard query DNSKEY
 0.005666 192.168.11.130 -> 192.168.11.133 DNS Standard query response DNSKEY DNSKEY DNSKEY RRSIG RRSIG
 0.008717 192.168.11.131 -> 192.168.11.133 DNS Standard query response
 0.009486 192.168.11.133 -> 192.168.11.132 DNS Standard query A www.test.co.jp
 0.010977 192.168.11.132 -> 192.168.11.133 DNS Standard query response A 192.0.2.2 RRSIG
 0.011931 192.168.11.133 -> 192.168.11.132 DNS Standard query DNSKEY test.co.jp
 0.013229 192.168.11.132 -> 192.168.11.133 DNS Standard query response DNSKEY DNSKEY DNSKEY RRSIG RRSIG
 0.014165 192.168.11.133 -> 192.168.11.131 DNS Standard query DS test.co.jp
 0.015410 192.168.11.131 -> 192.168.11.133 DNS Standard query response DS DS RRSIG
 0.016242 192.168.11.133 -> 192.168.11.131 DNS Standard query DNSKEY jp
 0.017564 192.168.11.131 -> 192.168.11.133 DNS Standard query response DNSKEY DNSKEY DNSKEY RRSIG RRSIG
 0.018419 192.168.11.133 -> 192.168.11.130 DNS Standard query DS jp
 0.019707 192.168.11.130 -> 192.168.11.133 DNS Standard query response DS DS RRSIG
 0.026319 192.168.11.133 -> 192.168.11.135 DNS Standard query response A 192.0.2.2


bad.test.co.jp ( non DNSSEC クエリ )
ServFail になる。
root@ubuntu-6:~# dig @192.168.11.133 bad.test.co.jp

; <<>> DiG 9.7.0-P1 <<>> @192.168.11.133 bad.test.co.jp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48002
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;bad.test.co.jp.                        IN      A


原因は、キャッシュサーバが DNSSECの検証に失敗したから。
root@ubuntu-4:~# cat /var/cache/bind/dnssec.log

21-Oct-2010 03:56:16.176 debug 3: validating @0xb7d16df0: bad.test.co.jp A: starting
21-Oct-2010 03:56:16.176 debug 3: validating @0xb7d16df0: bad.test.co.jp A: attempting insecurity proof
21-Oct-2010 03:56:16.176 debug 3: validating @0xb7d16df0: bad.test.co.jp A: checking existence of DS at 'jp'
21-Oct-2010 03:56:16.178 debug 3: validating @0xb7c402d0: jp DS: starting
21-Oct-2010 03:56:16.178 debug 3: validating @0xb7c402d0: jp DS: attempting positive response validation
21-Oct-2010 03:56:16.179 debug 3: validating @0xb7c40d48: . NS: starting
21-Oct-2010 03:56:16.179 debug 3: validating @0xb7c40d48: . NS: attempting positive response validation
21-Oct-2010 03:56:16.180 debug 3: validating @0xb7dec7c8: . DNSKEY: starting
21-Oct-2010 03:56:16.180 debug 3: validating @0xb7dec7c8: . DNSKEY: attempting positive response validation
21-Oct-2010 03:56:16.181 debug 3: validating @0xb7dec7c8: . DNSKEY: verify rdataset (keyid=54916): success
21-Oct-2010 03:56:16.181 debug 3: validating @0xb7dec7c8: . DNSKEY: signed by trusted key; marking as secure
21-Oct-2010 03:56:16.181 debug 3: validator @0xb7dec7c8: dns_validator_destroy
21-Oct-2010 03:56:16.181 debug 3: validating @0xb7c40d48: . NS: in fetch_callback_validator
21-Oct-2010 03:56:16.181 debug 3: validating @0xb7c40d48: . NS: keyset with trust 8
21-Oct-2010 03:56:16.181 debug 3: validating @0xb7c40d48: . NS: resuming validate
21-Oct-2010 03:56:16.182 debug 3: validating @0xb7c40d48: . NS: verify rdataset (keyid=13896): success
21-Oct-2010 03:56:16.182 debug 3: validating @0xb7c40d48: . NS: marking as secure, noqname proof not needed
21-Oct-2010 03:56:16.182 debug 3: validator @0xb7c40d48: dns_validator_destroy
21-Oct-2010 03:56:16.182 debug 3: validating @0xb7c402d0: jp DS: in fetch_callback_validator
21-Oct-2010 03:56:16.182 debug 3: validating @0xb7c402d0: jp DS: keyset with trust 8
21-Oct-2010 03:56:16.182 debug 3: validating @0xb7c402d0: jp DS: resuming validate
21-Oct-2010 03:56:16.183 debug 3: validating @0xb7c402d0: jp DS: verify rdataset (keyid=13896): success
21-Oct-2010 03:56:16.183 debug 3: validating @0xb7c402d0: jp DS: marking as secure, noqname proof not needed
21-Oct-2010 03:56:16.183 debug 3: validator @0xb7c402d0: dns_validator_destroy
21-Oct-2010 03:56:16.183 debug 3: validating @0xb7d16df0: bad.test.co.jp A: in dsfetched2: success
21-Oct-2010 03:56:16.183 debug 3: validating @0xb7d16df0: bad.test.co.jp A: resuming proveunsecure
21-Oct-2010 03:56:16.183 debug 3: validating @0xb7d16df0: bad.test.co.jp A: checking existence of DS at 'co.jp'
21-Oct-2010 03:56:16.187 debug 3: validating @0xb7def7e0: co.jp DS: starting
21-Oct-2010 03:56:16.187 debug 3: validating @0xb7def7e0: co.jp DS: attempting negative response validation
21-Oct-2010 03:56:16.187 debug 3:   validating @0xb7df0258: jp SOA: starting
21-Oct-2010 03:56:16.187 debug 3:   validating @0xb7df0258: jp SOA: attempting positive response validation
21-Oct-2010 03:56:16.189 debug 3: validating @0xb7df0cd0: jp DNSKEY: starting
21-Oct-2010 03:56:16.189 debug 3: validating @0xb7df0cd0: jp DNSKEY: attempting positive response validation
21-Oct-2010 03:56:16.190 debug 3: validating @0xb7df0cd0: jp DNSKEY: verify rdataset (keyid=29452): success
21-Oct-2010 03:56:16.190 debug 3: validating @0xb7df0cd0: jp DNSKEY: marking as secure (DS)
21-Oct-2010 03:56:16.190 debug 3: validator @0xb7df0cd0: dns_validator_destroy
21-Oct-2010 03:56:16.191 debug 3:   validating @0xb7df0258: jp SOA: in fetch_callback_validator
21-Oct-2010 03:56:16.191 debug 3:   validating @0xb7df0258: jp SOA: keyset with trust 8
21-Oct-2010 03:56:16.191 debug 3:   validating @0xb7df0258: jp SOA: resuming validate
21-Oct-2010 03:56:16.191 debug 3:   validating @0xb7df0258: jp SOA: verify rdataset (keyid=32667): success
21-Oct-2010 03:56:16.191 debug 3:   validating @0xb7df0258: jp SOA: marking as secure, noqname proof not needed
21-Oct-2010 03:56:16.191 debug 3:   validator @0xb7df0258: dns_validator_destroy
21-Oct-2010 03:56:16.191 debug 3: validating @0xb7def7e0: co.jp DS: in authvalidated
21-Oct-2010 03:56:16.191 debug 3: validating @0xb7def7e0: co.jp DS: resuming nsecvalidate
21-Oct-2010 03:56:16.191 debug 3:   validating @0xb7c402d0: jp NSEC: starting
21-Oct-2010 03:56:16.191 debug 3:   validating @0xb7c402d0: jp NSEC: attempting positive response validation
21-Oct-2010 03:56:16.191 debug 3:   validating @0xb7c402d0: jp NSEC: keyset with trust 8
21-Oct-2010 03:56:16.192 debug 3:   validating @0xb7c402d0: jp NSEC: verify rdataset (keyid=32667): success
21-Oct-2010 03:56:16.192 debug 3:   validating @0xb7c402d0: jp NSEC: marking as secure, noqname proof not needed
21-Oct-2010 03:56:16.192 debug 3:   validator @0xb7c402d0: dns_validator_destroy
21-Oct-2010 03:56:16.192 debug 3: validating @0xb7def7e0: co.jp DS: in authvalidated
21-Oct-2010 03:56:16.192 debug 3: validating @0xb7def7e0: co.jp DS: looking for relevant nsec
21-Oct-2010 03:56:16.192 debug 3: validating @0xb7def7e0: co.jp DS: nsec proves name exist (empty)
21-Oct-2010 03:56:16.192 debug 3: validating @0xb7def7e0: co.jp DS: resuming nsecvalidate
21-Oct-2010 03:56:16.192 debug 3: validating @0xb7def7e0: co.jp DS: nonexistence proof(s) found
21-Oct-2010 03:56:16.192 debug 3: validator @0xb7def7e0: dns_validator_destroy
21-Oct-2010 03:56:16.192 debug 3: validating @0xb7d16df0: bad.test.co.jp A: in dsfetched2: ncache nxrrset
21-Oct-2010 03:56:16.192 debug 3: validating @0xb7d16df0: bad.test.co.jp A: resuming proveunsecure
21-Oct-2010 03:56:16.192 debug 3: validating @0xb7d16df0: bad.test.co.jp A: checking existence of DS at 'test.co.jp'
21-Oct-2010 03:56:16.194 debug 3: validating @0xb7def7e0: test.co.jp DS: starting
21-Oct-2010 03:56:16.194 debug 3: validating @0xb7def7e0: test.co.jp DS: attempting positive response validation
21-Oct-2010 03:56:16.194 debug 3: validating @0xb7def7e0: test.co.jp DS: keyset with trust 8
21-Oct-2010 03:56:16.195 debug 3: validating @0xb7def7e0: test.co.jp DS: verify rdataset (keyid=32667): success
21-Oct-2010 03:56:16.195 debug 3: validating @0xb7def7e0: test.co.jp DS: marking as secure, noqname proof not needed
21-Oct-2010 03:56:16.195 debug 3: validator @0xb7def7e0: dns_validator_destroy
21-Oct-2010 03:56:16.195 debug 3: validating @0xb7d16df0: bad.test.co.jp A: in dsfetched2: success
21-Oct-2010 03:56:16.195 debug 3: validating @0xb7d16df0: bad.test.co.jp A: resuming proveunsecure
21-Oct-2010 03:56:16.195 debug 3: validating @0xb7d16df0: bad.test.co.jp A: checking existence of DS at 'bad.test.co.jp'
21-Oct-2010 03:56:16.199 debug 3: validating @0xb7df17f0: bad.test.co.jp DS: starting
21-Oct-2010 03:56:16.199 debug 3: validating @0xb7df17f0: bad.test.co.jp DS: attempting negative response validation
21-Oct-2010 03:56:16.199 debug 3:   validating @0xb7df2268: test.co.jp SOA: starting
21-Oct-2010 03:56:16.199 debug 3:   validating @0xb7df2268: test.co.jp SOA: attempting positive response validation
21-Oct-2010 03:56:16.201 debug 3: validating @0xb7df2ce0: test.co.jp DNSKEY: starting
21-Oct-2010 03:56:16.201 debug 3: validating @0xb7df2ce0: test.co.jp DNSKEY: attempting positive response validation
21-Oct-2010 03:56:16.202 debug 3: validating @0xb7df2ce0: test.co.jp DNSKEY: verify rdataset (keyid=40096): success
21-Oct-2010 03:56:16.203 debug 3: validating @0xb7df2ce0: test.co.jp DNSKEY: marking as secure (DS)
21-Oct-2010 03:56:16.203 debug 3: validator @0xb7df2ce0: dns_validator_destroy
21-Oct-2010 03:56:16.203 debug 3:   validating @0xb7df2268: test.co.jp SOA: in fetch_callback_validator
21-Oct-2010 03:56:16.203 debug 3:   validating @0xb7df2268: test.co.jp SOA: keyset with trust 8
21-Oct-2010 03:56:16.203 debug 3:   validating @0xb7df2268: test.co.jp SOA: resuming validate
21-Oct-2010 03:56:16.203 debug 3:   validating @0xb7df2268: test.co.jp SOA: verify rdataset (keyid=31620): success
21-Oct-2010 03:56:16.203 debug 3:   validating @0xb7df2268: test.co.jp SOA: marking as secure, noqname proof not needed
21-Oct-2010 03:56:16.203 debug 3:   validator @0xb7df2268: dns_validator_destroy
21-Oct-2010 03:56:16.203 debug 3: validating @0xb7df17f0: bad.test.co.jp DS: in authvalidated
21-Oct-2010 03:56:16.203 debug 3: validating @0xb7df17f0: bad.test.co.jp DS: resuming nsecvalidate
21-Oct-2010 03:56:16.203 debug 3:   validating @0xb7c402d0: bad.test.co.jp NSEC: starting
21-Oct-2010 03:56:16.204 debug 3:   validating @0xb7c402d0: bad.test.co.jp NSEC: attempting positive response validation
21-Oct-2010 03:56:16.204 debug 3:   validating @0xb7c402d0: bad.test.co.jp NSEC: keyset with trust 8
21-Oct-2010 03:56:16.204 debug 3:   validating @0xb7c402d0: bad.test.co.jp NSEC: verify rdataset (keyid=31620): success
21-Oct-2010 03:56:16.204 debug 3:   validating @0xb7c402d0: bad.test.co.jp NSEC: marking as secure, noqname proof not needed
21-Oct-2010 03:56:16.204 debug 3:   validator @0xb7c402d0: dns_validator_destroy
21-Oct-2010 03:56:16.204 debug 3: validating @0xb7df17f0: bad.test.co.jp DS: in authvalidated
21-Oct-2010 03:56:16.204 debug 3: validating @0xb7df17f0: bad.test.co.jp DS: looking for relevant nsec
21-Oct-2010 03:56:16.204 debug 3: validating @0xb7df17f0: bad.test.co.jp DS: nsec proves name exists (owner) data=0
21-Oct-2010 03:56:16.204 debug 3: validating @0xb7df17f0: bad.test.co.jp DS: resuming nsecvalidate
21-Oct-2010 03:56:16.204 debug 3: validating @0xb7df17f0: bad.test.co.jp DS: nonexistence proof(s) found
21-Oct-2010 03:56:16.204 debug 3: validator @0xb7df17f0: dns_validator_destroy
21-Oct-2010 03:56:16.204 debug 3: validating @0xb7d16df0: bad.test.co.jp A: in dsfetched2: ncache nxrrset
21-Oct-2010 03:56:16.204 debug 3: validating @0xb7d16df0: bad.test.co.jp A: resuming proveunsecure
21-Oct-2010 03:56:16.204 debug 3: validating @0xb7d16df0: bad.test.co.jp A: insecurity proof failed
21-Oct-2010 03:56:16.205 debug 3: validator @0xb7d16df0: dns_validator_destroy


bad.test.co.jp ( non DNSSEC ) クエリの名前解決をしたときのキャッシュサーバ上でキャプチャしたデータ

11.135 : resolver
11.134 : 偽回答DNS
11.133 : cache
11.130 : internal root
11.131 : internal jp
11.132 : test.co.jp の NS

最初に偽回答DNS から bad.test.co.jp は 1.1.1.1 という回答をえる。

0.000863 192.168.11.133 -> 192.168.11.134 DNS Standard query A bad.test.co.jp
0.003087 192.168.11.134 -> 192.168.11.133 DNS Standard query response A 1.1.1.1

そのあとに、DNSSECの検証で、本当の test.co.jp の NS 192.168.11.132 に検証しにいくので検証失敗となる。
あるドメイン・FQDN に関して(今回だと bad.test.co.jp ) 、 DNSSEC の検証をしないオプションがないか探したけど、見つからず。。

 0.021402 192.168.11.133 -> 192.168.11.132 DNS Standard query DS bad.test.co.jp
 0.022447 192.168.11.132 -> 192.168.11.133 DNS Standard query response
 0.022876 192.168.11.133 -> 192.168.11.132 DNS Standard query DNSKEY test.co.jp
 0.023848 192.168.11.132 -> 192.168.11.133 DNS Standard query response DNSKEY DNSKEY DNSKEY RRSIG RRSIG
root@ubuntu-4:~# tshark -i eth0 port 53
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
 0.000000 192.168.11.135 -> 192.168.11.133 DNS Standard query A bad.test.co.jp
 0.000863 192.168.11.133 -> 192.168.11.134 DNS Standard query A bad.test.co.jp
 0.003087 192.168.11.134 -> 192.168.11.133 DNS Standard query response A 1.1.1.1
 0.004199 192.168.11.133 -> 192.168.11.130 DNS Standard query DS jp
 0.004558 192.168.11.133 -> 192.168.11.130 DNS Standard query NS
 0.005199 192.168.11.130 -> 192.168.11.133 DNS Standard query response DS DS RRSIG
 0.005264 192.168.11.130 -> 192.168.11.133 DNS Standard query response NS x.root-servers.net RRSIG
 0.006194 192.168.11.133 -> 192.168.11.130 DNS Standard query DNSKEY
 0.007366 192.168.11.130 -> 192.168.11.133 DNS Standard query response DNSKEY DNSKEY DNSKEY RRSIG RRSIG
 0.008542 192.168.11.133 -> 192.168.11.130 DNS Standard query DS co.jp
 0.009785 192.168.11.130 -> 192.168.11.133 DNS Standard query response
 0.012937 192.168.11.133 -> 192.168.11.131 DNS Standard query DS co.jp
 0.013964 192.168.11.131 -> 192.168.11.133 DNS Standard query response
 0.014867 192.168.11.133 -> 192.168.11.131 DNS Standard query DNSKEY jp
 0.016094 192.168.11.131 -> 192.168.11.133 DNS Standard query response DNSKEY DNSKEY DNSKEY RRSIG RRSIG
 0.018170 192.168.11.133 -> 192.168.11.131 DNS Standard query DS test.co.jp
 0.019111 192.168.11.131 -> 192.168.11.133 DNS Standard query response DS DS RRSIG
 0.020028 192.168.11.133 -> 192.168.11.131 DNS Standard query DS bad.test.co.jp
 0.021019 192.168.11.131 -> 192.168.11.133 DNS Standard query response
 0.021402 192.168.11.133 -> 192.168.11.132 DNS Standard query DS bad.test.co.jp
 0.022447 192.168.11.132 -> 192.168.11.133 DNS Standard query response
 0.022876 192.168.11.133 -> 192.168.11.132 DNS Standard query DNSKEY test.co.jp
 0.023848 192.168.11.132 -> 192.168.11.133 DNS Standard query response DNSKEY DNSKEY DNSKEY RRSIG RRSIG
 0.025958 192.168.11.133 -> 192.168.11.135 DNS Standard query response, Server failure


リゾルバから DNSSECクエリを送信。non DNSSEC と同じ結果となる。

www.test.co.jp : OK
bad.test.co.jp : ServFail

www.test.co.jp 。 ad ビットがたっているので検証OK
root@ubuntu-6:~# dig @192.168.11.133 www.test.co.jp +dnssec +multiline

; <<>> DiG 9.7.0-P1 <<>> @192.168.11.133 www.test.co.jp +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49763
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.test.co.jp.                IN A

;; ANSWER SECTION:
www.test.co.jp.         10 IN A 192.0.2.2
www.test.co.jp.         10 IN RRSIG A 5 4 10 20101119235024 (
                               20101020235024 31620 test.co.jp.
                               ziLymA/GG79bOyC94u2K3KH3C6aehUeb54OiBjpfybKr
                               e9dVPW1TJJvBLVkGPOeksP/iFHQtKkTRWwN/xxd8h7lh
                               TH0YA9VWwFMujHCwF4wMT5h8eu2mHN6NpDVnhv7vjf7Q
                               GlFIVILmIzrq/dHVNrNCN1Z+5E0l3rDcrHQzMgc= )

;; AUTHORITY SECTION:
test.co.jp.             10 IN NS ns.test.co.jp.
test.co.jp.             10 IN RRSIG NS 5 3 10 20101119235024 (
                               20101020235024 31620 test.co.jp.
                               PkwZ1AQwHSn63Qn3Pa4BlfSveEZugLxViZqZBQ1Q2xsT
                               +DMHSOA+0/dVlxQMTEkl/K2V0HDC8Whrr/8jch1+p669
                               V7xpqDB7fXkBXGJBNkgAXCnv0D/bWZryX+BfC1LVtc8n
                               vWK1+lPh+YvTBxJxHQG/4YsNPFBJ4xveD9hGF1I= )

;; ADDITIONAL SECTION:
ns.test.co.jp.          10 IN A 192.168.11.132
ns.test.co.jp.          10 IN RRSIG A 5 4 10 20101119235024 (
                               20101020235024 31620 test.co.jp.
                               QJxjq9q/4MTpRJJDIGzDM9okjwADHwa27oz5FxYa9XI0
                               LZKVa1e6zfOBbyAvYl5/PTIS0CgOSV7PjCkTbezZ7Iul
                               VrApCE2p0t9LGDbt8MkbvWM85FEktt/RQw1+sW2yAF5n
                               rMV4sV5R6F3GHMjVzcjHLe4NJBZINPbe0tAqoNg= )


bad.test.co.jp 。 ServFail 。
root@ubuntu-6:~# dig @192.168.11.133 bad.test.co.jp +dnssec +multiline

; <<>> DiG 9.7.0-P1 <<>> @192.168.11.133 bad.test.co.jp +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7943
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;bad.test.co.jp.                IN A


・キャッシュサーバが unbound のケース ( キャッシュサーバはDNSSEC有効 )

unbound だと DNSSECの検証をしないオプション domain-insecure があるので、froward するFQDN bad.test.co.jp を domain-insecure に登録

unbound.conf
trusted-keys-file: "/etc/unbound/dnskey_root.txt"

# Ignore chain of trust. Domain is treated as insecure.
        domain-insecure: "bad.test.co.jp"

forward-zone:
       name: "bad.test.co.jp"
       forward-addr: 192.168.11.134


リゾルバから non DNSSEC クエリを送信  ( キャッシュサーバは DNSSEC有効 )

www.test.co.jp ( non DNSSEC クエリ )
root@ubuntu-6:~# dig @192.168.11.133 www.test.co.jp

; <<>> DiG 9.7.0-P1 <<>> @192.168.11.133 www.test.co.jp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20102
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.test.co.jp.                        IN      A

;; ANSWER SECTION:
www.test.co.jp.         10      IN      A       192.0.2.2

;; AUTHORITY SECTION:
test.co.jp.             10      IN      NS      ns.test.co.jp.

;; ADDITIONAL SECTION:
ns.test.co.jp.          10      IN      A       192.168.11.132


キャッシュサーバ上でキャプチャしたデータ
root@ubuntu-4:~# tshark -i eth0 port 53
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
 0.000000 192.168.11.135 -> 192.168.11.133 DNS Standard query A www.test.co.jp
 0.002948 192.168.11.133 -> 192.168.11.130 DNS Standard query NS
 0.004372 192.168.11.130 -> 192.168.11.133 DNS Standard query response NS x.root-servers.net RRSIG
 0.005921 192.168.11.133 -> 192.168.11.130 DNS Standard query A www.test.co.jp
 0.007198 192.168.11.130 -> 192.168.11.133 DNS Standard query response
 0.011060 192.168.11.133 -> 192.168.11.131 DNS Standard query A www.test.co.jp
 0.012332 192.168.11.131 -> 192.168.11.133 DNS Standard query response
 0.014961 192.168.11.133 -> 192.168.11.132 DNS Standard query A www.test.co.jp
 0.016282 192.168.11.132 -> 192.168.11.133 DNS Standard query response A 192.0.2.2 RRSIG
 0.017831 192.168.11.133 -> 192.168.11.130 DNS Standard query DNSKEY
 0.019134 192.168.11.130 -> 192.168.11.133 DNS Standard query response DNSKEY DNSKEY DNSKEY RRSIG RRSIG
 0.022651 192.168.11.133 -> 192.168.11.131 DNS Standard query DNSKEY jp
 0.023873 192.168.11.131 -> 192.168.11.133 DNS Standard query response DNSKEY DNSKEY DNSKEY RRSIG RRSIG
 0.026481 192.168.11.133 -> 192.168.11.131 DNS Standard query DS co.jp
 0.027699 192.168.11.131 -> 192.168.11.133 DNS Standard query response
 0.030148 192.168.11.133 -> 192.168.11.132 DNS Standard query DNSKEY test.co.jp
 0.031398 192.168.11.132 -> 192.168.11.133 DNS Standard query response DNSKEY DNSKEY DNSKEY RRSIG RRSIG
 0.034894 192.168.11.133 -> 192.168.11.135 DNS Standard query response A 192.0.2.2


キャッシュサーバ - 権威サーバ間は DNSSEC
unbound のログ。検証に成功。
[1287634928] unbound[998:0] debug: verify result: sec_status_secure
[1287634928] unbound[998:0] info: verify rrset
[1287634928] unbound[998:0] debug: verify sig 31620 5
[1287634928] unbound[998:0] debug: verify result: sec_status_secure
[1287634928] unbound[998:0] debug: Validating a positive response
[1287634928] unbound[998:0] debug: Successfully validated positive response
[1287634928] unbound[998:0] debug: verify sig 31620 5
[1287634928] unbound[998:0] debug: verify result: sec_status_secure
[1287634928] unbound[998:0] debug: Validating a positive response
[1287634928] unbound[998:0] debug: Successfully validated positive response
[1287634928] unbound[998:0] info: validate(positive): sec_status_secure
[1287634928] unbound[998:0] debug: val handle processing q with state VAL_FINISHED_STATE
[1287634928] unbound[998:0] info: validation success


bad.test.co.jp  ( non DNSSEC クエリ )
root@ubuntu-6:~# dig @192.168.11.133 bad.test.co.jp

; <<>> DiG 9.7.0-P1 <<>> @192.168.11.133 bad.test.co.jp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35607
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;bad.test.co.jp.                        IN      A

;; ANSWER SECTION:
bad.test.co.jp.         0       IN      A       1.1.1.1


キャッシュサーバ上のキャプチャデータ

forward-zone:
       name: "bad.test.co.jp"
       forward-addr: 192.168.11.134

により、偽回答DNS に forward。

domain-insecure: "bad.test.co.jp" により、bad.test.co.jp は検証しない
root@ubuntu-4:~# tshark -i eth0 port 53
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
 0.000000 192.168.11.135 -> 192.168.11.133 DNS Standard query A bad.test.co.jp
 0.004088 192.168.11.133 -> 192.168.11.134 DNS Standard query A bad.test.co.jp
 0.005271 192.168.11.134 -> 192.168.11.133 DNS Standard query response A 1.1.1.1
 0.006178 192.168.11.133 -> 192.168.11.135 DNS Standard query response A 1.1.1.1
^C4 packets captured


リゾルバから DNSSEC クエリを送信 ( キャッシュサーバは DNSSEC有効 )

www.test.co.jp ( DNSSEC クエリ)
検証OK 。 ad ビットがたっている。
root@ubuntu-6:~# dig @192.168.11.133 www.test.co.jp +dnssec +multiline

; <<>> DiG 9.7.0-P1 <<>> @192.168.11.133 www.test.co.jp +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35495
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.test.co.jp.                IN A

;; ANSWER SECTION:
www.test.co.jp.         10 IN A 192.0.2.2
www.test.co.jp.         10 IN RRSIG A 5 4 10 20101119235024 (
                               20101020235024 31620 test.co.jp.
                               ziLymA/GG79bOyC94u2K3KH3C6aehUeb54OiBjpfybKr
                               e9dVPW1TJJvBLVkGPOeksP/iFHQtKkTRWwN/xxd8h7lh
                               TH0YA9VWwFMujHCwF4wMT5h8eu2mHN6NpDVnhv7vjf7Q
                               GlFIVILmIzrq/dHVNrNCN1Z+5E0l3rDcrHQzMgc= )

;; AUTHORITY SECTION:
test.co.jp.             10 IN NS ns.test.co.jp.
test.co.jp.             10 IN RRSIG NS 5 3 10 20101119235024 (
                               20101020235024 31620 test.co.jp.
                               PkwZ1AQwHSn63Qn3Pa4BlfSveEZugLxViZqZBQ1Q2xsT
                               +DMHSOA+0/dVlxQMTEkl/K2V0HDC8Whrr/8jch1+p669
                               V7xpqDB7fXkBXGJBNkgAXCnv0D/bWZryX+BfC1LVtc8n
                               vWK1+lPh+YvTBxJxHQG/4YsNPFBJ4xveD9hGF1I= )

;; ADDITIONAL SECTION:
ns.test.co.jp.          10 IN A 192.168.11.132
ns.test.co.jp.          10 IN RRSIG A 5 4 10 20101119235024 (
                               20101020235024 31620 test.co.jp.
                               QJxjq9q/4MTpRJJDIGzDM9okjwADHwa27oz5FxYa9XI0
                               LZKVa1e6zfOBbyAvYl5/PTIS0CgOSV7PjCkTbezZ7Iul
                               VrApCE2p0t9LGDbt8MkbvWM85FEktt/RQw1+sW2yAF5n
                               rMV4sV5R6F3GHMjVzcjHLe4NJBZINPbe0tAqoNg= )

root@ubuntu-6:~# unbound-host -r -v -F dnskey_root.txt www.test.co.jp
www.test.co.jp has address 192.0.2.2 (secure)
www.test.co.jp has no IPv6 address (secure)
www.test.co.jp has no mail handler record (secure)


bad.test.co.jp ( DNSSEC クエリ )

回答は non DNSSEC となる。
偽回答は得られる。
root@ubuntu-6:~# dig @192.168.11.133 bad.test.co.jp +dnssec +multiline

; <<>> DiG 9.7.0-P1 <<>> @192.168.11.133 bad.test.co.jp +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41831
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;bad.test.co.jp.                IN A

;; ANSWER SECTION:
bad.test.co.jp.         0 IN A  1.1.1.1  ←偽回答


キャッシュサーバ上のキャプチャ
root@ubuntu-4:~# tshark -i eth0 port 53
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
 0.000000 192.168.11.135 -> 192.168.11.133 DNS Standard query A bad.test.co.jp
 0.005169 192.168.11.133 -> 192.168.11.134 DNS Standard query A bad.test.co.jp
 0.006362 192.168.11.134 -> 192.168.11.133 DNS Standard query response A 1.1.1.1
 0.007305 192.168.11.133 -> 192.168.11.135 DNS Standard query response A 1.1.1.1
^C4 packets captured


リゾルバが検証すると、キャッシュサーバのunbound.conf で bad.test.co.jp は検証しない設定をいれているので、bad.test.co.jp は DNSSECに対応していないことになる。
回答が変だよという意味ではなく、non DNSSEC ですよ、という意味。
root@ubuntu-6:~# unbound-host -r -v -F dnskey_root.txt bad.test.co.jp
bad.test.co.jp has address 1.1.1.1 (BOGUS (security failure))
validation failure : misc failure
bad.test.co.jp has no IPv6 address (BOGUS (security failure))
validation failure : misc failure
bad.test.co.jp has no mail handler record (BOGUS (security failure))
validation failure : misc failure


キャッシュサーバ上のキャプチャデータ

11.135 : resolver
11.134 : 偽回答DNS
11.133 : cache
11.130 : internal root
11.131 : internal jp
11.132 : test.co.jp の NS
root@ubuntu-4:~# tshark -i eth0 port 53 | egrep -v '(AAAA|MX)'
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
 0.000000 192.168.11.135 -> 192.168.11.133 DNS Standard query A bad.test.co.jp
 0.000697 192.168.11.133 -> 192.168.11.134 DNS Standard query A bad.test.co.jp
 0.001587 192.168.11.134 -> 192.168.11.133 DNS Standard query response A 1.1.1.1
 0.001829 192.168.11.133 -> 192.168.11.135 DNS Standard query response A 1.1.1.1
 0.002643 192.168.11.135 -> 192.168.11.133 DNS Standard query DNSKEY
 0.004742 192.168.11.133 -> 192.168.11.130 DNS Standard query NS
 0.005530 192.168.11.130 -> 192.168.11.133 DNS Standard query response NS x.root-servers.net RRSIG
 0.005922 192.168.11.133 -> 192.168.11.130 DNS Standard query DNSKEY
 0.006601 192.168.11.130 -> 192.168.11.133 DNS Standard query response DNSKEY DNSKEY DNSKEY RRSIG RRSIG
 0.006870 192.168.11.133 -> 192.168.11.135 DNS Standard query response DNSKEY DNSKEY DNSKEY RRSIG RRSIG
 0.007915 192.168.11.135 -> 192.168.11.133 DNS Standard query DS jp
 0.008136 192.168.11.133 -> 192.168.11.130 DNS Standard query DS jp
 0.008840 192.168.11.130 -> 192.168.11.133 DNS Standard query response DS DS RRSIG
 0.009654 192.168.11.133 -> 192.168.11.135 DNS Standard query response DS DS RRSIG
 0.011000 192.168.11.135 -> 192.168.11.133 DNS Standard query DNSKEY jp
 0.011244 192.168.11.133 -> 192.168.11.130 DNS Standard query DNSKEY jp
 0.011916 192.168.11.130 -> 192.168.11.133 DNS Standard query response
 0.012271 192.168.11.133 -> 192.168.11.131 DNS Standard query DNSKEY jp
 0.012925 192.168.11.131 -> 192.168.11.133 DNS Standard query response DNSKEY DNSKEY DNSKEY RRSIG RRSIG
 0.013192 192.168.11.133 -> 192.168.11.135 DNS Standard query response DNSKEY DNSKEY DNSKEY RRSIG RRSIG
 0.015413 192.168.11.135 -> 192.168.11.133 DNS Standard query DS co.jp
 0.016343 192.168.11.133 -> 192.168.11.131 DNS Standard query DS co.jp
 0.017256 192.168.11.131 -> 192.168.11.133 DNS Standard query response
 0.017545 192.168.11.133 -> 192.168.11.135 DNS Standard query response
 0.018343 192.168.11.135 -> 192.168.11.133 DNS Standard query DS test.co.jp
 0.018978 192.168.11.133 -> 192.168.11.131 DNS Standard query DS test.co.jp
 0.020181 192.168.11.131 -> 192.168.11.133 DNS Standard query response DS DS RRSIG
 0.020471 192.168.11.133 -> 192.168.11.135 DNS Standard query response DS DS RRSIG
 0.021538 192.168.11.135 -> 192.168.11.133 DNS Standard query DNSKEY test.co.jp
 0.021859 192.168.11.133 -> 192.168.11.131 DNS Standard query DNSKEY test.co.jp
 0.023007 192.168.11.131 -> 192.168.11.133 DNS Standard query response
 0.024232 192.168.11.133 -> 192.168.11.132 DNS Standard query DNSKEY test.co.jp
 0.025332 192.168.11.132 -> 192.168.11.133 DNS Standard query response DNSKEY DNSKEY DNSKEY RRSIG RRSIG
 0.026171 192.168.11.133 -> 192.168.11.135 DNS Standard query response DNSKEY DNSKEY DNSKEY RRSIG RRSIG
 0.027731 192.168.11.135 -> 192.168.11.133 DNS Standard query DS bad.test.co.jp
 0.028105 192.168.11.133 -> 192.168.11.132 DNS Standard query DS bad.test.co.jp
 0.028984 192.168.11.132 -> 192.168.11.133 DNS Standard query response
 0.029408 192.168.11.133 -> 192.168.11.135 DNS Standard query response
 0.030513 192.168.11.135 -> 192.168.11.133 DNS Standard query A bad.test.co.jp
 0.030800 192.168.11.133 -> 192.168.11.134 DNS Standard query A bad.test.co.jp
 0.031902 192.168.11.134 -> 192.168.11.133 DNS Standard query response A 1.1.1.1
 0.032206 192.168.11.133 -> 192.168.11.135 DNS Standard query response A 1.1.1.1
 0.033144 192.168.11.135 -> 192.168.11.133 DNS Standard query A bad.test.co.jp
 0.033683 192.168.11.133 -> 192.168.11.134 DNS Standard query A bad.test.co.jp
 0.034612 192.168.11.134 -> 192.168.11.133 DNS Standard query response A 1.1.1.1
 0.034938 192.168.11.133 -> 192.168.11.135 DNS Standard query response A 1.1.1.1
 0.035876 192.168.11.135 -> 192.168.11.133 DNS Standard query A bad.test.co.jp
 0.036365 192.168.11.133 -> 192.168.11.134 DNS Standard query A bad.test.co.jp
 0.037294 192.168.11.134 -> 192.168.11.133 DNS Standard query response A 1.1.1.1
 0.037627 192.168.11.133 -> 192.168.11.135 DNS Standard query response A 1.1.1.1
^C86 packets captured


ちなみに、domain-insecure: "bad.test.co.jp" をなくすと BIND 同様に ServFail となる。
root@ubuntu-4:~# egrep -i domain-insecure /etc/unbound/unbound.conf
       # domain-insecure: "bad.test.co.jp"

root@ubuntu-6:~# dig @192.168.11.133 bad.test.co.jp +dnssec +multiline

; <<>> DiG 9.7.0-P1 <<>> @192.168.11.133 bad.test.co.jp +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57430
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;bad.test.co.jp.                IN A


キャッシュサーバ上のキャプチャデータ
root@ubuntu-4:~# tshark -i eth0 port 53
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
 0.000000 192.168.11.135 -> 192.168.11.133 DNS Standard query A bad.test.co.jp
 0.000646 192.168.11.133 -> 192.168.11.134 DNS Standard query A bad.test.co.jp
 0.001828 192.168.11.134 -> 192.168.11.133 DNS Standard query response A 1.1.1.1
 0.002904 192.168.11.133 -> 192.168.11.130 DNS Standard query NS
 0.004355 192.168.11.130 -> 192.168.11.133 DNS Standard query response NS x.root-servers.net RRSIG
 0.005383 192.168.11.133 -> 192.168.11.130 DNS Standard query DNSKEY
 0.006674 192.168.11.130 -> 192.168.11.133 DNS Standard query response DNSKEY DNSKEY DNSKEY RRSIG RRSIG
 0.009271 192.168.11.133 -> 192.168.11.130 DNS Standard query DS jp
 0.010467 192.168.11.130 -> 192.168.11.133 DNS Standard query response DS DS RRSIG
 0.012212 192.168.11.133 -> 192.168.11.130 DNS Standard query DNSKEY jp
 0.013489 192.168.11.130 -> 192.168.11.133 DNS Standard query response
 0.014423 192.168.11.133 -> 192.168.11.131 DNS Standard query DNSKEY jp
 0.015730 192.168.11.131 -> 192.168.11.133 DNS Standard query response DNSKEY DNSKEY DNSKEY RRSIG RRSIG
 0.018318 192.168.11.133 -> 192.168.11.131 DNS Standard query DS co.jp
 0.019594 192.168.11.131 -> 192.168.11.133 DNS Standard query response
 0.021487 192.168.11.133 -> 192.168.11.131 DNS Standard query DS test.co.jp
 0.022677 192.168.11.131 -> 192.168.11.133 DNS Standard query response DS DS RRSIG
 0.024537 192.168.11.133 -> 192.168.11.131 DNS Standard query DNSKEY test.co.jp
 0.025914 192.168.11.131 -> 192.168.11.133 DNS Standard query response
 0.026903 192.168.11.133 -> 192.168.11.132 DNS Standard query DNSKEY test.co.jp
 0.028257 192.168.11.132 -> 192.168.11.133 DNS Standard query response DNSKEY DNSKEY DNSKEY RRSIG RRSIG
 0.030809 192.168.11.133 -> 192.168.11.132 DNS Standard query DS bad.test.co.jp
 0.032119 192.168.11.132 -> 192.168.11.133 DNS Standard query response
 0.033822 192.168.11.133 -> 192.168.11.134 DNS Standard query A bad.test.co.jp
 0.034953 192.168.11.134 -> 192.168.11.133 DNS Standard query response A 1.1.1.1
 0.036631 192.168.11.133 -> 192.168.11.134 DNS Standard query A bad.test.co.jp
 0.037758 192.168.11.134 -> 192.168.11.133 DNS Standard query response A 1.1.1.1
 0.039387 192.168.11.133 -> 192.168.11.134 DNS Standard query A bad.test.co.jp
 0.040468 192.168.11.134 -> 192.168.11.133 DNS Standard query response A 1.1.1.1
 0.042094 192.168.11.133 -> 192.168.11.134 DNS Standard query A bad.test.co.jp
 0.043204 192.168.11.134 -> 192.168.11.133 DNS Standard query response A 1.1.1.1
 0.044841 192.168.11.133 -> 192.168.11.134 DNS Standard query A bad.test.co.jp
 0.045981 192.168.11.134 -> 192.168.11.133 DNS Standard query response A 1.1.1.1
 0.047317 192.168.11.133 -> 192.168.11.135 DNS Standard query response, Server failure
^C34 packets captured


[ DNSSEC 環境 BIND で forward first だったら ? ]

名前解決はできるが、偽回答を得られず。

リゾルバ non DNSSEC
キャッシュ DNSSEC ( forward first )
権威サーバ DNSSEC

キャッシュサーバの設定
root@ubuntu-4:~# less /etc/bind/named.conf.options
options {
       directory "/var/cache/bind";
       max-cache-size 3M;
       recursion yes;
       dnssec-enable yes;
       dnssec-validation yes;
#        dnssec-enable no;
#       dnssec-validation no;
#       minimal-responses yes;
};

root@ubuntu-4:~# egrep -v // /etc/bind/named.conf.local | egrep -v ^$
zone "bad.test.co.jp." {
       type forward;
#       forward only;
       forward first;
       forwarders { 192.168.11.134; };
};


www.test.co.jp ( non DNSSEC クエリ )

リゾルバ上でdig
root@ubuntu-6:~# dig @192.168.11.133 www.test.co.jp

; <<>> DiG 9.7.0-P1 <<>> @192.168.11.133 www.test.co.jp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63902
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.test.co.jp.                        IN      A

;; ANSWER SECTION:
www.test.co.jp.         10      IN      A       192.0.2.2

;; AUTHORITY SECTION:
test.co.jp.             10      IN      NS      ns.test.co.jp.

;; ADDITIONAL SECTION:
ns.test.co.jp.          10      IN      A       192.168.11.132


キャプチャ on キャッシュサーバ
root@ubuntu-4:~# tshark -i eth0 port 53
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
 0.000000 192.168.11.135 -> 192.168.11.133 DNS Standard query A www.test.co.jp
 0.000839 192.168.11.133 -> 192.168.11.130 DNS Standard query A www.test.co.jp
 0.001102 192.168.11.133 -> 192.168.11.130 DNS Standard query NS
 0.002303 192.168.11.130 -> 192.168.11.133 DNS Standard query response
 0.002325 192.168.11.130 -> 192.168.11.133 DNS Standard query response NS x.root-servers.net RRSIG
 0.002907 192.168.11.133 -> 192.168.11.131 DNS Standard query A www.test.co.jp
 0.003674 192.168.11.133 -> 192.168.11.130 DNS Standard query DNSKEY
 0.004371 192.168.11.131 -> 192.168.11.133 DNS Standard query response
 0.004904 192.168.11.130 -> 192.168.11.133 DNS Standard query response DNSKEY DNSKEY DNSKEY RRSIG RRSIG
 0.005128 192.168.11.133 -> 192.168.11.132 DNS Standard query A www.test.co.jp
 0.006515 192.168.11.132 -> 192.168.11.133 DNS Standard query response A 192.0.2.2 RRSIG
 0.008414 192.168.11.133 -> 192.168.11.132 DNS Standard query DNSKEY test.co.jp
 0.009599 192.168.11.132 -> 192.168.11.133 DNS Standard query response DNSKEY DNSKEY DNSKEY RRSIG RRSIG
 0.010405 192.168.11.133 -> 192.168.11.131 DNS Standard query DS test.co.jp
 0.011643 192.168.11.131 -> 192.168.11.133 DNS Standard query response DS DS RRSIG
 0.012479 192.168.11.133 -> 192.168.11.131 DNS Standard query DNSKEY jp
 0.013714 192.168.11.131 -> 192.168.11.133 DNS Standard query response DNSKEY DNSKEY DNSKEY RRSIG RRSIG
 0.014516 192.168.11.133 -> 192.168.11.130 DNS Standard query DS jp
 0.015757 192.168.11.130 -> 192.168.11.133 DNS Standard query response DS DS RRSIG
 0.022187 192.168.11.133 -> 192.168.11.135 DNS Standard query response A 192.0.2.2


bad.test.co.jp ( non DNSSEC クエリ )

偽の回答にならない
root@ubuntu-6:~# dig bad.test.co.jp

; <<>> DiG 9.7.0-P1 <<>> bad.test.co.jp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38834
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;bad.test.co.jp.                        IN      A

;; ANSWER SECTION:
bad.test.co.jp.         10      IN      A       192.0.2.4  ← 偽回答じゃない

;; AUTHORITY SECTION:
test.co.jp.             10      IN      NS      ns.test.co.jp.

;; ADDITIONAL SECTION:
ns.test.co.jp.          10      IN      A       192.168.11.132


最初に、11.134 (偽回答DNS)から回答を得るが、その後 DNSSECの検証で本物の test.co.jp の NS ( 11.132 ) に問い合わせが発生するため。
root@ubuntu-4:~# tshark -i eth0 port 53
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
 0.000000 192.168.11.135 -> 192.168.11.133 DNS Standard query A bad.test.co.jp
 0.005829 192.168.11.133 -> 192.168.11.130 DNS Standard query NS
 0.005902 192.168.11.133 -> 192.168.11.134 DNS Standard query A bad.test.co.jp 偽回答DNSへ
 0.007069 192.168.11.134 -> 192.168.11.133 DNS Standard query response A 1.1.1.1
 0.007233 192.168.11.130 -> 192.168.11.133 DNS Standard query response NS x.root-servers.net RRSIG
 0.008468 192.168.11.133 -> 192.168.11.130 DNS Standard query DNSKEY
 0.008928 192.168.11.133 -> 192.168.11.130 DNS Standard query DS jp
 0.009519 192.168.11.130 -> 192.168.11.133 DNS Standard query response DNSKEY DNSKEY DNSKEY RRSIG RRSIG
 0.010027 192.168.11.130 -> 192.168.11.133 DNS Standard query response DS DS RRSIG
 0.013429 192.168.11.133 -> 192.168.11.130 DNS Standard query DS co.jp
 0.014699 192.168.11.130 -> 192.168.11.133 DNS Standard query response
 0.017798 192.168.11.133 -> 192.168.11.131 DNS Standard query DS co.jp
 0.019186 192.168.11.131 -> 192.168.11.133 DNS Standard query response
 0.020071 192.168.11.133 -> 192.168.11.131 DNS Standard query DNSKEY jp
 0.021313 192.168.11.131 -> 192.168.11.133 DNS Standard query response DNSKEY DNSKEY DNSKEY RRSIG RRSIG
 0.025757 192.168.11.133 -> 192.168.11.131 DNS Standard query DS test.co.jp
 0.027047 192.168.11.131 -> 192.168.11.133 DNS Standard query response DS DS RRSIG
 0.028586 192.168.11.133 -> 192.168.11.131 DNS Standard query DS bad.test.co.jp
 0.029895 192.168.11.131 -> 192.168.11.133 DNS Standard query response
 0.033942 192.168.11.133 -> 192.168.11.132 DNS Standard query DS bad.test.co.jp
 0.035252 192.168.11.132 -> 192.168.11.133 DNS Standard query response
 0.036111 192.168.11.133 -> 192.168.11.132 DNS Standard query DNSKEY test.co.jp
 0.037365 192.168.11.132 -> 192.168.11.133 DNS Standard query response DNSKEY DNSKEY DNSKEY RRSIG RRSIG
 0.041866 192.168.11.133 -> 192.168.11.130 DNS Standard query A bad.test.co.jp
 0.043193 192.168.11.130 -> 192.168.11.133 DNS Standard query response
 0.043818 192.168.11.133 -> 192.168.11.132 DNS Standard query A bad.test.co.jp 本物のNSへ
 0.045070 192.168.11.132 -> 192.168.11.133 DNS Standard query response A 192.0.2.4 RRSIG
 0.047407 192.168.11.133 -> 192.168.11.135 DNS Standard query response A 192.0.2.4


DNSSECクエリも同様の結果となる。

www.test.co.jp ( DNSSECクエリ )
root@ubuntu-6:~# dig www.test.co.jp +dnssec +multiline

; <<>> DiG 9.7.0-P1 <<>> www.test.co.jp +dnssec +multiline
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49577
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.test.co.jp.                IN A

;; ANSWER SECTION:
www.test.co.jp.         10 IN A 192.0.2.2
www.test.co.jp.         10 IN RRSIG A 5 4 10 20101119235024 (
                               20101020235024 31620 test.co.jp.
                               ziLymA/GG79bOyC94u2K3KH3C6aehUeb54OiBjpfybKr
                               e9dVPW1TJJvBLVkGPOeksP/iFHQtKkTRWwN/xxd8h7lh
                               TH0YA9VWwFMujHCwF4wMT5h8eu2mHN6NpDVnhv7vjf7Q
                               GlFIVILmIzrq/dHVNrNCN1Z+5E0l3rDcrHQzMgc= )

;; AUTHORITY SECTION:
test.co.jp.             10 IN NS ns.test.co.jp.
test.co.jp.             10 IN RRSIG NS 5 3 10 20101119235024 (
                               20101020235024 31620 test.co.jp.
                               PkwZ1AQwHSn63Qn3Pa4BlfSveEZugLxViZqZBQ1Q2xsT
                               +DMHSOA+0/dVlxQMTEkl/K2V0HDC8Whrr/8jch1+p669
                               V7xpqDB7fXkBXGJBNkgAXCnv0D/bWZryX+BfC1LVtc8n
                               vWK1+lPh+YvTBxJxHQG/4YsNPFBJ4xveD9hGF1I= )

;; ADDITIONAL SECTION:
ns.test.co.jp.          10 IN A 192.168.11.132
ns.test.co.jp.          10 IN RRSIG A 5 4 10 20101119235024 (
                               20101020235024 31620 test.co.jp.
                               QJxjq9q/4MTpRJJDIGzDM9okjwADHwa27oz5FxYa9XI0
                               LZKVa1e6zfOBbyAvYl5/PTIS0CgOSV7PjCkTbezZ7Iul
                               VrApCE2p0t9LGDbt8MkbvWM85FEktt/RQw1+sW2yAF5n
                               rMV4sV5R6F3GHMjVzcjHLe4NJBZINPbe0tAqoNg= )


bad.test.co.jp
偽回答( bad.test.co.jp = 1.1.1.1 ) を得られない。
root@ubuntu-6:~# dig bad.test.co.jp +dnssec +multiline

; <<>> DiG 9.7.0-P1 <<>> bad.test.co.jp +dnssec +multiline
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18056
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;bad.test.co.jp.                IN A

;; ANSWER SECTION:
bad.test.co.jp.         10 IN A 192.0.2.4 ←偽の回答じゃない
bad.test.co.jp.         10 IN RRSIG A 5 4 10 20101119235024 (
                               20101020235024 31620 test.co.jp.
                               GT0qQkfYPs5OR6VSN//LkqZM1qtZtzCHP/P4qZqjLybZ
                               GsXvNpCInQAtD3ndIwnJ/6lKxz2REqMD5huc714gxgfx
                               0UWQsnSrs/sSADa1FVhsVfgvosZNESmZTRkHSDajqh7v
                               tIVcpWEnwHXii6pZ4KRYSylvMVIEMBFP23IoBQ0= )

;; AUTHORITY SECTION:
test.co.jp.             10 IN NS ns.test.co.jp.
test.co.jp.             10 IN RRSIG NS 5 3 10 20101119235024 (
                               20101020235024 31620 test.co.jp.
                               PkwZ1AQwHSn63Qn3Pa4BlfSveEZugLxViZqZBQ1Q2xsT
                               +DMHSOA+0/dVlxQMTEkl/K2V0HDC8Whrr/8jch1+p669
                               V7xpqDB7fXkBXGJBNkgAXCnv0D/bWZryX+BfC1LVtc8n
                               vWK1+lPh+YvTBxJxHQG/4YsNPFBJ4xveD9hGF1I= )

;; ADDITIONAL SECTION:
ns.test.co.jp.          10 IN A 192.168.11.132
ns.test.co.jp.          10 IN RRSIG A 5 4 10 20101119235024 (
                               20101020235024 31620 test.co.jp.
                               QJxjq9q/4MTpRJJDIGzDM9okjwADHwa27oz5FxYa9XI0
                               LZKVa1e6zfOBbyAvYl5/PTIS0CgOSV7PjCkTbezZ7Iul
                               VrApCE2p0t9LGDbt8MkbvWM85FEktt/RQw1+sW2yAF5n
                               rMV4sV5R6F3GHMjVzcjHLe4NJBZINPbe0tAqoNg= )


キャプチャ on キャッシュサーバ
root@ubuntu-4:~# tshark -i eth0 port 53
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
 0.000000 192.168.11.135 -> 192.168.11.133 DNS Standard query A bad.test.co.jp
 0.001383 192.168.11.133 -> 192.168.11.134 DNS Standard query A bad.test.co.jp
 0.007001 192.168.11.134 -> 192.168.11.133 DNS Standard query response A 1.1.1.1
 0.009254 192.168.11.133 -> 192.168.11.131 DNS Standard query DS co.jp
 0.011700 192.168.11.131 -> 192.168.11.133 DNS Standard query response
 0.014756 192.168.11.133 -> 192.168.11.131 DNS Standard query DS bad.test.co.jp
 0.016119 192.168.11.131 -> 192.168.11.133 DNS Standard query response
 0.016894 192.168.11.133 -> 192.168.11.132 DNS Standard query DS bad.test.co.jp
 0.018314 192.168.11.132 -> 192.168.11.133 DNS Standard query response
 0.019148 192.168.11.133 -> 192.168.11.132 DNS Standard query DNSKEY test.co.jp
 0.020479 192.168.11.132 -> 192.168.11.133 DNS Standard query response DNSKEY DNSKEY DNSKEY RRSIG RRSIG
 0.025053 192.168.11.133 -> 192.168.11.131 DNS Standard query A bad.test.co.jp
 0.026342 192.168.11.131 -> 192.168.11.133 DNS Standard query response
 0.027336 192.168.11.133 -> 192.168.11.132 DNS Standard query A bad.test.co.jp
 0.028669 192.168.11.132 -> 192.168.11.133 DNS Standard query response A 192.0.2.4 RRSIG
 0.031702 192.168.11.133 -> 192.168.11.135 DNS Standard query response A 192.0.2.4 RRSIG
^C16 packets captured


[ non DNSSEC 環境 BIND で forward first だったら ? ]

DNSSEC環境ではない場合、DNSSECの検証が走らないので、偽回答をえられる

キャッシュサーバの設定
root@ubuntu-4:~# less /etc/bind/named.conf.options
options {
       directory "/var/cache/bind";
       max-cache-size 3M;
       recursion yes;
#        dnssec-enable yes;
#        dnssec-validation yes;
       dnssec-enable no;
      dnssec-validation no;
#       minimal-responses yes;
};


bad.test.co.jp ( non DNSSECクエリ )
root@ubuntu-6:~# dig bad.test.co.jp

; <<>> DiG 9.7.0-P1 <<>> bad.test.co.jp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6073
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;bad.test.co.jp.                        IN      A

;; ANSWER SECTION:
bad.test.co.jp.         0       IN      A       1.1.1.1  ←偽の回答


キャプチャデータ on キャッシュサーバ
root@ubuntu-4:~# tshark -i eth0 port 53
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
 0.000000 192.168.11.135 -> 192.168.11.133 DNS Standard query A bad.test.co.jp
 0.001979 192.168.11.133 -> 192.168.11.134 DNS Standard query A bad.test.co.jp
 0.002118 192.168.11.133 -> 192.168.11.130 DNS Standard query NS
 0.002813 192.168.11.134 -> 192.168.11.133 DNS Standard query response A 1.1.1.1
 0.003053 192.168.11.133 -> 192.168.11.135 DNS Standard query response A 1.1.1.1
 0.003284 192.168.11.130 -> 192.168.11.133 DNS Standard query response NS x.root-servers.net RRSIG


bad.test.co.jp ( DNSSEC クエリ )
root@ubuntu-6:~# dig bad.test.co.jp +dnssec +multiline

; <<>> DiG 9.7.0-P1 <<>> bad.test.co.jp +dnssec +multiline
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17366
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bad.test.co.jp.                IN A

;; ANSWER SECTION:
bad.test.co.jp.         0 IN A  1.1.1.1 ←偽の回答


キャプチャデータ on キャッシュサーバ
root@ubuntu-4:~# tshark -i eth0 port 53
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
 0.000000 192.168.11.135 -> 192.168.11.133 DNS Standard query A bad.test.co.jp
 0.000874 192.168.11.133 -> 192.168.11.134 DNS Standard query A bad.test.co.jp
 0.001133 192.168.11.133 -> 192.168.11.130 DNS Standard query NS
 0.001955 192.168.11.134 -> 192.168.11.133 DNS Standard query response A 1.1.1.1
 0.002326 192.168.11.130 -> 192.168.11.133 DNS Standard query response NS x.root-servers.net RRSIG
 0.002362 192.168.11.133 -> 192.168.11.135 DNS Standard query response A 1.1.1.1
^C6 packets captured