lost and found ( for me ? )

DNSSEC tools : zonesigner

[ What is DNSSEC-tools ]

http://www.dnssec-tools.org/

A collection of tools that help with operating and analysing DNSSEC.
Many tools are provided: for authoritative servers, for caching servers, for log analysis, and so on.

[ Test setup ]

Prepare an internal root, an internal jp and an internal test.co.jp.
Sign each zone with dnssec-tools.
Then link the root, jp and test.co.jp zones into a chain of trust.

ubuntu-1 : internal root ( 192.168.11.130 , BIND 9.7.0-P1 )
ubuntu-2 : internal jp ( 192.168.11.131 , BIND 9.7.0-P1 )
ubuntu-3 : internal test.co.jp ( 192.168.11.132 , BIND 9.7.0-P1 )
ubuntu-4 : caching server ( 192.168.11.133 , BIND 9.7.0-P1 or unbound 1.4.1 )

[ Impressions of zonesigner from dnssec-tools ]

・Signing (and re-signing) takes a single command
・The serial is incremented automatically
・You keep using the original (non-DNSSEC) zone file, and that original file is kept up to date -> going back to non-DNSSEC is easy (probably)

[ Installation ]

・Install dnssec-tools
root@ubuntu-3:~# tail -1 /etc/lsb-release
DISTRIB_DESCRIPTION="Ubuntu 10.04.1 LTS"

root@ubuntu-3:~# apt-get install dnssec-tools


It ships a number of commands.
root@ubuntu-3:~# dpkg -L dnssec-tools | grep bin
/usr/bin
/usr/bin/donuts
/usr/bin/donutsd
/usr/bin/mapper
/usr/bin/dtdefs
/usr/bin/dtconfchk
/usr/bin/rollerd
/usr/bin/lsroll
snip


[ Signing the test.co.jp zone with dnssec-tools ]

・Sign with the zonesigner command

zonesigner generates the keys and signs the zone.

Prepare a test zone
root@ubuntu-3:~# named -v
BIND 9.7.0-P1

root@ubuntu-3:/var/cache/bind# cat test.co.jp.db
$TTL 3600
test.co.jp.   600     IN SOA  root.test.co.jp. admin.test.co.jp. (
                                      2010101501   ; serial
                                      7200       ; refresh (2 hours)
                                      3600       ; retry (1 hour)
                                      604800     ; expire (1 week)
                                      600        ; minimum (10 minutes)
                                      )
                       600     NS      ns.test.co.jp.

ns                      600     IN A    192.168.11.132
www                     600     IN A    192.0.2.2


On the first signing, pass -genkeys (this generates the KSK and ZSK).
zonesigner -genkeys -zone <zone name> <zone file name>
root@ubuntu-3:/var/cache/bind# zonesigner -genkeys -zone test.co.jp test.co.jp.db

       if zonesigner appears hung, strike keys until the program completes
       (see the "Entropy" section in the man page for details)

Generating key pair.....++++++ ......................++++++
Generating key pair.......................++++++ ...++++++
Generating key pair.............................+++ .................................+++
Verifying the zone using the following algorithms: RSASHA1.
Zone signing complete:
Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                   ZSKs: 1 active, 1 stand-by, 0 revoked

zone signed successfully

test.co.jp:
       KSK (cur) 32254  -b 2048  10/15/10      (test.co.jp-signset-3)
       ZSK (cur) 59217  -b 1024  10/15/10      (test.co.jp-signset-1)
       ZSK (pub) 36507  -b 1024  10/15/10      (test.co.jp-signset-2)

zone will expire in 4 weeks, 2 days, 0 seconds
DO NOT delete the keys until this time has passed.


The signed zone test.co.jp.db.signed was written to the directory the command was run in.
The signatures expire in 4 weeks and 2 days.
The zone must be re-signed before then, whether or not its contents changed.
root@ubuntu-3:/var/cache/bind# ls
Ktest.co.jp.+005+32254.key      Ktest.co.jp.+005+59217.key      test.co.jp.db
Ktest.co.jp.+005+32254.private  Ktest.co.jp.+005+59217.private  
Ktest.co.jp.+005+36507.key      dsset-test.co.jp.               test.co.jp.db.signed
Ktest.co.jp.+005+36507.private  internal_db.root                test.co.jp.krf


A DS record file, to be registered in the parent zone, is generated as well.
root@ubuntu-3:/var/cache/bind# cat dsset-test.co.jp.
test.co.jp.             IN DS 32254 5 1 A76914F5D6346B9815977115310ACD6EA62A3F36
test.co.jp.             IN DS 32254 5 2 72F7C5F96A0E53F90221B45B8E3AC5800828CBFD6E9540DF457EB729 ECFDCD6D


The serial is incremented too.
root@ubuntu-3:/var/cache/bind# head -15 test.co.jp.db.signed
; File written on Fri Oct 15 16:50:25 2010
; dnssec_signzone version 9.7.0-P1
test.co.jp.             600     IN SOA  root.test.co.jp. admin.test.co.jp. (
                                       2010101507 ; serial
                                       7200       ; refresh (2 hours)
                                       3600       ; retry (1 hour)
                                       604800     ; expire (1 week)
                                       600        ; minimum (10 minutes)
                                       )
                       600     RRSIG   SOA 5 3 600 20101114065025 (
                                       20101015065025 59217 test.co.jp.
                                       fSmJzu5dOA/eOdSwNoEJfGJ3KslTKV0Tw1uo
                                       lC+DWDCypwqIdM+87nL5jZw6zmZbrjn7O+Nl
                                       U2MVu6eRveTZ/MPqaHPY9TVog0N8BNexYKIx
                                       hvwOWYHZDCKbGMN2OTNAmqlB+JUKaJeiQc0g


The serial in the original zone file is incremented as well.
root@ubuntu-3:/var/cache/bind# egrep serial test.co.jp.db
                                      2010101507   ; serial


Edit named.conf
root@ubuntu-3:/var/cache/bind# egrep -v ^// /etc/bind/named.conf.local | egrep -v ^$
zone "test.co.jp" in {
       type master;
#       file "test.co.jp.db";
       file "test.co.jp.db.signed";
       };


Reload
root@ubuntu-3:~# rndc reload
server reload successful


Check with dig
root@ubuntu-3:~# dig @127.1 www.test.co.jp. +dnssec +norec

; <<>> DiG 9.7.0-P1 <<>> @127.1 www.test.co.jp. +dnssec +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6049
;; flags: qr aa ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.test.co.jp.                        IN      A

;; ANSWER SECTION:
www.test.co.jp.         600     IN      A       192.0.2.2
www.test.co.jp.         600     IN      RRSIG   A 5 4 600 20101114065025 20101015065025 59217 test.co.jp. HUPk/rAMusq2PPZ3qGC4oWsqqal5yHI56u/Pdk20chE0Q3Zy4Yi9pa4/ jU2RRIqYTOo0qgzgNk4w9uXeFXBABmt+BuNnpPu2KT3jDt269Lj5CX1h R9pBkiYuOz9hFB1KUihy46RYbQX0VCg0d+etrnxmfZS7DO/Qnif+HQBj o7c=

;; AUTHORITY SECTION:
test.co.jp.             600     IN      NS      ns.test.co.jp.
test.co.jp.             600     IN      RRSIG   NS 5 3 600 20101114065025 20101015065025 59217 test.co.jp. FdM+hvexVBGF+pXJUspetMewQgb+mBQE517DjXp/z0xH2PuA12dQiw3W 8QVdRSv/dMpKlHxTIFp1stlOQ9POdwRRwGG667RoPiye02H/U9LHVEot NCxx+sLBgXa+2gbwUlza0JBcW05Dty/oPsqjmH9nzkdiIQI/96xA8w8r tR8=

;; ADDITIONAL SECTION:
ns.test.co.jp.          600     IN      A       192.168.11.132
ns.test.co.jp.          600     IN      RRSIG   A 5 4 600 20101114065025 20101015065025 59217 test.co.jp. XhAASvWf3qbHdvhrtKPLPw1jdGUJGr8xqtOO0Ntf1UE+SKHnZi6z2D/x jJnJWkFNsdy6w92n0Bb6BsLVNM0pg0R/+1rf/rXNZbdrV5a2YwFekEvE P5Ac46v+ij0SVF+ddZfAhjjhviDwfBGvyZ/IKj1HEGjJ+78mnfFlqObR vgk=
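The RRSIG expiration field in the dig output above (20101114065025) is the same deadline zonesigner reported as "zone will expire in 4 weeks, 2 days"; once it passes, validating resolvers return SERVFAIL for the zone. As an added example, not code from this post or from dnssec-tools, the Python below parses RRSIG records from dig output (both the single-line form and the +multiline parenthesised form) and reports signatures that are expired, not yet valid, or due to expire within a warning window. The sample input is constructed from the page's records with the signature data abbreviated, since the check only reads the timestamps.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: two RRSIGs as dig prints them, one single-line (+dnssec)
# and one parenthesised (+multiline). Timestamps mirror the page's signatures;
# the base64 signature bodies are abbreviated because they are not verified here.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
www.test.co.jp.         600     IN      A       192.0.2.2
www.test.co.jp.         600     IN      RRSIG   A 5 4 600 20101114065025 20101015065025 59217 test.co.jp. HUPk/rAMusq2PPZ3qGC4oWsqqal5yHI56u/Pdk20chE0Q3Zy4Yi9pa4/ o7c=
test.co.jp.             600 IN RRSIG NS 5 3 600 20101114072324 (
                               20101015072324 59217 test.co.jp.
                               m/SQNsBAL52Khk10Zd6tn+BW0+fFE0SZcA78/BrYcbpD
                               xErNtUdPaXwU35ZHZNcF9lROVGlHvquJ55PUXsg= )
"""


def rrsig_timestamp(s: str) -> datetime:
    """RRSIG inception/expiration is YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def join_multiline(text: str) -> list:
    """Fold dig's '( ... )' multi-line records back onto single lines; drop comments."""
    records, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        pending.append(line)
        joined = " ".join(pending)
        if joined.count("(") > joined.count(")"):
            continue  # still inside an open parenthesis
        records.append(" ".join(joined.replace("(", " ").replace(")", " ").split()))
        pending = []
    return records


def parse_rrsig(record: str) -> dict:
    """Split one RRSIG presentation-format record into its fields."""
    f = record.split()
    i = f.index("RRSIG")
    return {
        "owner": f[0],
        "type_covered": f[i + 1],
        "algorithm": int(f[i + 2]),
        "labels": int(f[i + 3]),
        "original_ttl": int(f[i + 4]),
        "expiration": rrsig_timestamp(f[i + 5]),
        "inception": rrsig_timestamp(f[i + 6]),
        "key_tag": int(f[i + 7]),
        "signer": f[i + 8],
    }


def rrsig_state(sig: dict, now: datetime) -> str:
    """Validity of one signature at time 'now' (validators reject both bad states)."""
    if now < sig["inception"]:
        return "not yet valid"
    if now >= sig["expiration"]:
        return "expired"
    return "valid"


def signatures_needing_attention(text: str, now: datetime, warn_days: int = 7) -> list:
    """Return (owner, type, state, time_left) for every RRSIG in dig output that is
    expired, not yet valid, or expires within warn_days; an empty list means all good."""
    findings = []
    for record in join_multiline(text):
        if "RRSIG" not in record.split():
            continue
        sig = parse_rrsig(record)
        state = rrsig_state(sig, now)
        left = sig["expiration"] - now
        if state != "valid" or left <= timedelta(days=warn_days):
            findings.append((sig["owner"], sig["type_covered"], state, left))
    return findings


if __name__ == "__main__":
    for owner, rtype, state, left in signatures_needing_attention(
            SAMPLE_DIG_OUTPUT, rrsig_timestamp("20101020000000"), warn_days=30):
        print(f"{owner} RRSIG {rtype}: {state}, expires in {left}")
```

In practice feed it `dig @server zone soa +dnssec` output from cron and alert on a non-empty result; this is the check a re-signing schedule (or rollerd) is meant to keep quiet.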


[ Adding a resource record and re-signing the zone ]

You keep working in the original (non-DNSSEC) zone file.
(The non-DNSSEC zone file is therefore always current.)
Should you ever need to fall back to non-DNSSEC, that makes it easy.

Add www2. Do not bump the serial by hand.
root@ubuntu-3:/var/cache/bind# cat test.co.jp.db
$TTL 3600
test.co.jp.   600     IN SOA  root.test.co.jp. admin.test.co.jp. (
                                      2010101507   ; serial
                                      7200       ; refresh (2 hours)
                                      3600       ; retry (1 hour)
                                      604800     ; expire (1 week)
                                      600        ; minimum (10 minutes)
                                      )
                       600     NS      ns.test.co.jp.

ns                      600     IN A    192.168.11.132
www                     600     IN A    192.0.2.2
www2                    600     IN A    192.0.2.3


Re-sign. This time -genkeys is not given.
root@ubuntu-3:/var/cache/bind# zonesigner -zone test.co.jp test.co.jp.db

       if zonesigner appears hung, strike keys until the program completes
       (see the "Entropy" section in the man page for details)

Verifying the zone using the following algorithms: RSASHA1.
Zone signing complete:
Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                   ZSKs: 1 active, 1 stand-by, 0 revoked

zone signed successfully

test.co.jp:
       KSK (cur) 32254  -b 2048  10/15/10      (test.co.jp-signset-3)
       ZSK (cur) 59217  -b 1024  10/15/10      (test.co.jp-signset-1)
       ZSK (pub) 36507  -b 1024  10/15/10      (test.co.jp-signset-2)

zone will expire in 4 weeks, 2 days, 0 seconds
DO NOT delete the keys until this time has passed.


The serial was incremented automatically.
root@ubuntu-3:/var/cache/bind# egrep serial test.co.jp.db
                                      2010101508   ; serial

root@ubuntu-3:/var/cache/bind# egrep serial test.co.jp.db.signed
                                       2010101508 ; serial


Reload
root@ubuntu-3:/var/cache/bind# rndc reload test.co.jp
zone reload queued


Check with dig
root@ubuntu-3:/var/cache/bind# dig @127.1 www2.test.co.jp. +dnssec +norec

; <<>> DiG 9.7.0-P1 <<>> @127.1 www2.test.co.jp. +dnssec +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51232
;; flags: qr aa ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www2.test.co.jp.               IN      A

;; ANSWER SECTION:
www2.test.co.jp.        600     IN      A       192.0.2.3
www2.test.co.jp.        600     IN      RRSIG   A 5 4 600 20101114072324 20101015072324 59217 test.co.jp. AY23y0RubSQ05nX2Rz3nRKbt/uyQpV5CopskRadA1NTvFsZt5DVnhrU5 azuQxEx1LfwD1RqyoXBUFW+F3/r+GAhLnIv1mH6XVQYJBht1xJc8rPxy 66XOe/2RBBFUpKVyGSC8Er2u+8LesybIOVSimJsA5aCRZuYGU2RDlEAu 9/U=

;; AUTHORITY SECTION:
test.co.jp.             600     IN      NS      ns.test.co.jp.
test.co.jp.             600     IN      RRSIG   NS 5 3 600 20101114072324 20101015072324 59217 test.co.jp. m/SQNsBAL52Khk10Zd6tn+BW0+fFE0SZcA78/BrYcbpDXpw/Bx0STeC/ ACcSLpyYe0V2fvQYZzp6g4kzTfFBF1BBz5v5yasCKVSPkD1KhPKfKqS2 mKheDi+4bx8yHO0dsxs0xErNtUdPaXwU35ZHZNcF9lROVGlHvquJ55PU Xsg=

;; ADDITIONAL SECTION:
ns.test.co.jp.          600     IN      A       192.168.11.132
ns.test.co.jp.          600     IN      RRSIG   A 5 4 600 20101114072324 20101015072324 59217 test.co.jp. hDCoc3o69/BXgirny3hF/r+6/lkZ5VvyT7mBIAxCZjzS+EEgZfmnCX4P MLjveYJ9cg8EcNLRO1l2DzW8zqgIBU+tuig8hoZdMvfk0vcrRT4Lx7If o34SN6B9HS/1naiDFxOXpApUCYqin546ZCoqpb21Reza/Fdd50pOBTyq 7YQ=


[ Signing the internal jp zone ]
root@ubuntu-2:~# egrep -v ^// /etc/bind/named.conf.local | egrep -v ^$
zone "jp" in {
       type master;
       file "jp_zone_internal.db";
       };

root@ubuntu-2:~# cat /var/cache/bind/jp_zone_internal.db
$TTL 3600
jp. 600 IN SOA root.x.dns.jp. admin.x.dns.jp. (
                                      2010101501 ; serial
                                      7200       ; refresh (2 hours)
                                      3600       ; retry (1 hour)
                                      604800     ; expire (1 week)
                                      600        ; minimum (10 minutes)
                                      )

       600     IN      NS      x.dns.jp.
x.dns.jp.       600     IN      A       192.168.11.131

test.co.jp.     600     NS      ns.test.co.jp.
ns.test.co.jp.  600     IN      A       192.168.11.132


Sign
root@ubuntu-2:/var/cache/bind# zonesigner -genkeys -zone jp jp_zone_internal.db

       if zonesigner appears hung, strike keys until the program completes
       (see the "Entropy" section in the man page for details)

Generating key pair.....++++++ ..........................................++++++
Generating key pair..........................................................................++++++ ....++++++
Generating key pair........................................+++ ................................................+++
Verifying the zone using the following algorithms: RSASHA1.
Zone signing complete:
Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                   ZSKs: 1 active, 1 stand-by, 0 revoked

zone signed successfully

jp:
       KSK (cur) 12409  -b 2048  10/15/10      (jp-signset-3)
       ZSK (cur) 13146  -b 1024  10/15/10      (jp-signset-1)
       ZSK (pub) 42711  -b 1024  10/15/10      (jp-signset-2)

zone will expire in 4 weeks, 2 days, 0 seconds
DO NOT delete the keys until this time has passed.
root@ubuntu-2:/var/cache/bind#


Edit named.conf
root@ubuntu-2:/var/cache/bind# egrep -v ^// /etc/bind/named.conf.local | egrep -v ^$
zone "jp" in {
       type master;
#       file "jp_zone_internal.db";
       file "jp_zone_internal.db.signed";
       };


Reload
root@ubuntu-2:/var/cache/bind# rndc reload
server reload successful


Check with dig
root@ubuntu-2:/var/cache/bind# dig @127.1 jp. soa +dnssec +norec

; <<>> DiG 9.7.0-P1 <<>> @127.1 jp. soa +dnssec +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63925
;; flags: qr aa ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;jp.                            IN      SOA

;; ANSWER SECTION:
jp.                     600     IN      SOA     root.x.dns.jp. admin.x.dns.jp. 2010101502 7200 3600 604800 600
jp.                     600     IN      RRSIG   SOA 5 1 600 20101114082044 20101015082044 13146 jp. kc+wRFghghmMWCDy+bOOBs/CQX2lMvG35pz/5VhtZcYswjtjMLfT8M0c cEvOqofJTiegSmZ6/GMui1W0GxZqN1aX2XJkyCc4JhJ/BwHNkBEN52wN u53tXydaeSYsTx3mB2v4q6zmlbyTY7Txkqj9tlc/yLdBIVVyvMtu5hfa fHU=


[ Signing the internal root zone ]
root@ubuntu-1:~# egrep -v ^// /etc/bind/named.conf.local | egrep -v ^$
zone "." in {
       type master;
       file "root_zone_internal.db";
       };

root@ubuntu-1:/var/cache/bind# cat root_zone_internal.db
$TTL 3600
. 600 IN SOA root.x.root-servers.net. admin.x.root-servers.net. (
                                      2010101801 ; serial
                                      7200       ; refresh (2 hours)
                                      3600       ; retry (1 hour)
                                      604800     ; expire (1 week)
                                      600        ; minimum (10 minutes)
                                      )

                       600     IN      NS      x.root-servers.net.
x.root-servers.net.     600     IN      A       192.168.11.130

jp.                     600     IN      NS      x.dns.jp.
x.dns.jp.               600     IN      A       192.168.11.131

co.jp.                  600     IN      NS      x.dns.jp.


Sign
root@ubuntu-1:/var/cache/bind# zonesigner -genkeys -zone . root_zone_internal.db
       if zonesigner appears hung, strike keys until the program completes
       (see the "Entropy" section in the man page for details)

Generating key pair..................................................................................++++++ ...................++++++
Generating key pair..............++++++ .++++++
Generating key pair...........................+++ ..........+++
Verifying the zone using the following algorithms: RSASHA1.
Zone signing complete:
Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                   ZSKs: 1 active, 1 stand-by, 0 revoked

zone signed successfully

.:
       KSK (cur) 47929  -b 2048  10/18/10      (.-signset-3)
       ZSK (cur) 05196  -b 1024  10/18/10      (.-signset-1)
       ZSK (pub) 08931  -b 1024  10/18/10      (.-signset-2)

zone will expire in 4 weeks, 2 days, 0 seconds
DO NOT delete the keys until this time has passed.


Edit named.conf
root@ubuntu-1:~# egrep -v ^// /etc/bind/named.conf.local | egrep -v ^$
zone "." in {
       type master;
#       file "root_zone_internal.db";
       file "root_zone_internal.db.signed";
       };


Reload
root@ubuntu-1:~# rndc reload
server reload successful


Check
root@ubuntu-1:~# dig @127.1 . soa +dnssec +norec

; <<>> DiG 9.7.0-P1 <<>> @127.1 . soa +dnssec +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62264
;; flags: qr aa ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;.                              IN      SOA

;; ANSWER SECTION:
.                       600     IN      SOA     root.x.root-servers.net. admin.x.root-servers.net. 2010101801 7200 3600 604800 600
.                       600     IN      RRSIG   SOA 5 0 600 20101117000035 20101018000035 5196 . DxNrjbhn1PxG/n/MHPQXIool1lB9VWp6c5VGeFIz+p2ZAzysTvQaD0ts IUgRZuPNrMJKXXwanOqWG+PWQLaVS7XqTftyentX++JCEJ2wPXWBuoSS JfCuEwM7z17RHJ7AdHgrZ2dBwpU3i0+X+J8soGKjbjUj4SYuAbXM+gYw DbM=

;; AUTHORITY SECTION:
.                       600     IN      NS      x.root-servers.net.
.                       600     IN      RRSIG   NS 5 0 600 20101117000035 20101018000035 5196 . y8VQLAP58Hmw5wvQvSJQhN5AaVuqYRZiUkMoyKXL+srv/mWbTNbqlg4R jcxCFCbOKscvEoz2N0B7D4bojMbsZcbTw0gVwQusaO0GAqe6eBZrlJvE 7YCWbYbFGcx0Z/kSLz5jQCUv9iz5Fmo/9zmcw8zrg/Hn8ZcaZo2IP77v 4pA=


[ Building the chain of trust ]

To form a chain of trust, the child zone's DS record is registered in the parent zone, so that the child's KSK public key can be verified through the parent.

Concretely:

Register the DS record of internal jp in the internal root
Register the DS record of test.co.jp in internal jp

The DS records were already created when zonesigner ran, so those files are used.
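A DS record is a digest of the child's KSK DNSKEY, tagged with that key's key tag and algorithm (12409 5 1 and 12409 5 2 for jp above), so the parent entry can be checked against the child's published key instead of being copied on faith. As an added example, not code from this post or from dnssec-tools, the Python below computes the key tag and DS digest from a DNSKEY line as dig prints it and checks a parent DS line against it, joining the space-split digests that dig and the dsset- files emit; the sample DNSKEY is a constructed toy key, not one of the page's keys.

```python
import base64
import hashlib

# Constructed sample: a toy RSASHA1 KSK (flags 257, protocol 3, algorithm 5)
# whose "public key" is the six bytes 01 03 0a 0b 0c 0d (RFC 3110 layout:
# exponent length 1, exponent 3, then a 4-byte modulus). Far too small to be
# a real key, but enough to exercise the key-tag and DS arithmetic.
SAMPLE_OWNER = "test.co.jp."
SAMPLE_DNSKEY = "test.co.jp. 3600 IN DNSKEY 257 3 5 AQMKCwwN"


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root = 0x00."""
    name = name.lower().rstrip(".")
    wire = b""
    for label in (name.split(".") if name else []):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA as sent on the wire (RFC 4034 section 2.1)."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag of a DNSKEY RDATA (RFC 4034 appendix B; algorithm 1 uses a different rule)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey_line(line: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg key...' as printed by dig."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    return f[0], flags, proto, alg, "".join(f[i + 4:])  # dig splits the key with spaces


def parse_ds_line(line: str):
    """Parse 'owner [ttl] [IN] DS tag alg dtype digest...' (dsset-* file or dig form)."""
    f = line.split()
    i = f.index("DS")
    tag, alg, dtype = (int(x) for x in f[i + 1:i + 4])
    return f[0], tag, alg, dtype, "".join(f[i + 4:]).upper()  # digest may be space-split


def ds_from_dnskey(dnskey_line: str, digest_type: int) -> str:
    """DS RDATA 'tag alg dtype digest' for a DNSKEY line (RFC 4034 section 5.1.4):
    digest = hash(canonical owner name || DNSKEY RDATA)."""
    owner, flags, proto, alg, pubkey_b64 = parse_dnskey_line(dnskey_line)
    rdata = dnskey_rdata(flags, proto, alg, pubkey_b64)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {alg} {digest_type} {digest}"


def ds_matches_dnskey(ds_line: str, dnskey_line: str) -> bool:
    """True when the parent's DS line is the digest of this child DNSKEY line."""
    owner, tag, alg, dtype, digest = parse_ds_line(ds_line)
    if owner.lower().rstrip(".") != parse_dnskey_line(dnskey_line)[0].lower().rstrip("."):
        return False  # DS and DNSKEY must be for the same name
    if dtype not in (1, 2):
        return False  # digest type we cannot compute: treat as unverifiable
    return f"{tag} {alg} {dtype} {digest}" == ds_from_dnskey(dnskey_line, dtype)


if __name__ == "__main__":
    for dtype in (1, 2):
        print(f"{SAMPLE_OWNER} IN DS {ds_from_dnskey(SAMPLE_DNSKEY, dtype)}")
```

To check a live delegation, paste the KSK (flags 257) line from `dig @child zone dnskey` and the DS line from `dig @parent zone ds` into ds_matches_dnskey; a False result means the parent is publishing a stale or wrong DS and the child will fail validation.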

・Add jp's DS to the internal root and sign

The DS record for jp
root@ubuntu-1:/var/cache/bind# cat dsset-jp.
jp.                     IN DS 12409 5 1 4905452D184469497DEF7176729CD412AB749E94
jp.                     IN DS 12409 5 2 6FA3ECC24DC142B0F92E31ABDF9958A43FFEBFA3827AFF35BE44BDE1 10DE21F3


Append the DS record to the original zone file, not to the *.signed file.
root@ubuntu-1:/var/cache/bind# cat root_zone_internal.db dsset-jp. > aaa
root@ubuntu-1:/var/cache/bind# cp aaa root_zone_internal.db


Re-sign
root@ubuntu-1:/var/cache/bind# zonesigner -zone . root_zone_internal.db

root@ubuntu-1:/var/cache/bind# rndc reload
server reload successful

root@ubuntu-1:/var/cache/bind# dig @127.1 jp. ds +norec +dnssec

; <<>> DiG 9.7.0-P1 <<>> @127.1 jp. ds +norec +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48045
;; flags: qr aa ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;jp.                            IN      DS

;; ANSWER SECTION:
jp.                     3600    IN      DS      12409 5 1 4905452D184469497DEF7176729CD412AB749E94
jp.                     3600    IN      DS      12409 5 2 6FA3ECC24DC142B0F92E31ABDF9958A43FFEBFA3827AFF35BE44BDE1 10DE21F3
jp.                     3600    IN      RRSIG   DS 5 1 3600 20101117001652 20101018001652 5196 . HsXrYksYpS8JxeKjuuI/35s07YYgHurhjJXNUHv66fvsvrHXeR/VkrEQ clbIRZFc1P+ztMHZ2EtCCw3eUrcwO8qaQb0h5numgwFfdsYl8/lv/saB F8aUeedJpc0a/q4ChlnLI3QIhqwOWelYTtZhaQJo5P4SuWYR/V2wFScA BjI=


・Add test.co.jp's DS to the internal jp and sign

Register the DS record
root@ubuntu-2:/var/cache/bind# cat jp_zone_internal.db dsset-test.co.jp. > aaa
root@ubuntu-2:/var/cache/bind# cp aaa jp_zone_internal.db


Re-sign
root@ubuntu-2:/var/cache/bind# zonesigner -zone jp jp_zone_internal.db


Reload
root@ubuntu-2:/var/cache/bind# rndc reload
server reload successful


Check
root@ubuntu-2:/var/cache/bind# dig @127.1 test.co.jp ds +norec +dnssec

; <<>> DiG 9.7.0-P1 <<>> @127.1 test.co.jp ds +norec +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50255
;; flags: qr aa ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;test.co.jp.                    IN      DS

;; ANSWER SECTION:
test.co.jp.             3600    IN      DS      32254 5 2 72F7C5F96A0E53F90221B45B8E3AC5800828CBFD6E9540DF457EB729 ECFDCD6D
test.co.jp.             3600    IN      DS      32254 5 1 A76914F5D6346B9815977115310ACD6EA62A3F36
test.co.jp.             3600    IN      RRSIG   DS 5 3 3600 20101117005703 20101018005703 13146 jp. J3/1kt5keywLsywZ7n6moj5WzS8Aomp1KrImH1h1rsfnLK7LgpkouTbl iYzNfXPes3lfu8YnLO2hHZ8rSfFGGVbEW0hzNEwf/8ETe2kmCFhw4R5S e8yFrfhXiwW4RhoGYbxeR0fudQTFaGnfwuW5Z+dLXy2idpIjHQmOWS78 jY8=


Now confirm the chain of trust works.
Register the internal root's key on the caching server and check that the test.co.jp zone validates.

Register the internal root key on the caching server (this way of obtaining the key is insecure, but this is only a test...)

Register the KSK ( flags 257 )
root@ubuntu-4:~# dig @192.168.11.130 . dnskey
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.7.0-P1 <<>> @192.168.11.130 . dnskey
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12256
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;.                              IN      DNSKEY

;; ANSWER SECTION:
.                       3600    IN      DNSKEY  256 3 5 AwEAAbwB25ZcmErDEbP8oJi04ffll/LohkZgL0znxQne2O9cNLPl5lAY werbe9V4M2HgUiYZ8fsP4q+lLEx3o6A4jYmv4dOuDKhY6B0Tvc5ZMlC3 J1iAxltPnm1cHHUM6iCoykc9qioQ5OAQwY1scFeOFmB+sLqiNHDUa9nx NUKoFi6V
.                       3600    IN      DNSKEY  256 3 5 AwEAAcwX9j26EVRYoLZRU4FCNnaZ8d6fLuyFNkB4a7dnG18Vq+aIY+ye 0dJUCD2rok+gUL6HDnKiP39lIKpTOfCvaLljEyRUI57m4u4c80m8SBAB fdZT7sLv5wytdVJlOqrP/28Ta4yTyW/wrcYwhtpg27igiLfPeRaDuH0j ibrsUu+5
.                       3600    IN      DNSKEY  257 3 5 AwEAAbx8C4xvUn9WfR86+QbbfopFjVnqR7uNh0VeL4tFUy1G+Ch4iUdP ajOIgKFien6R01j66efkk2NbO0vgaTi/3Xcr9RYZ1ZVdYz+Q1BFJe4Oa 2VGutFO/gXAJ3KU7RSUovqLBVubnZiVfEUj+9gPEVNWGzTpYeCbL8Mmb oDaQRQZ2cADDEpWe3z8+9FQpJyugFesVVtHnupgo7jQGld+AO+3Xqgbb drN9U9Ui5QgfK5jXui4o+JRfG8VW++LYizP2bbxjjnkX+wG11XPf7nXp /kN3KJOkI4n/2gZvB11v2k7AdZqyLMOOXPrnZa8y+xEMQmO2vSvR9rAi a6NRsn/nUp8=

root@ubuntu-4:/etc/bind# cat named.conf.options
options {
       directory "/var/cache/bind";
       max-cache-size 3M;
       recursion yes;
       dnssec-enable yes;
       dnssec-validation yes;
};

logging {

channel dnssec_log {
       file "/var/cache/bind/dnssec.log" versions 3 size 5m;
       severity debug 3;
       print-severity yes;
       print-time yes;
       };

category dnssec { dnssec_log; };

};

trusted-keys {
"." 257 3 5 "AwEAAbx8C4xvUn9WfR86+QbbfopFjVnqR7uNh0VeL4tFUy1G+Ch4iUdP ajOIgKFien6R01j66efkk2NbO0vgaTi/3Xcr9RYZ1ZVdYz+Q1BFJe4Oa 2VGutFO/gXAJ3KU7RSUovqLBVubnZiVfEUj+9gPEVNWGzTpYeCbL8Mmb oDaQRQZ2cADDEpWe3z8+9FQpJyugFesVVtHnupgo7jQGld+AO+3Xqgbb drN9U9Ui5QgfK5jXui4o+JRfG8VW++LYizP2bbxjjnkX+wG11XPf7nXp /kN3KJOkI4n/2gZvB11v2k7AdZqyLMOOXPrnZa8y+xEMQmO2vSvR9rAi a6NRsn/nUp8=";
};

root@ubuntu-4:/etc/bind# rndc reload
server reload successful


Check with dig.
The ad bit is set, so validation succeeded.
root@ubuntu-4:/etc/bind# dig @127.1 www.test.co.jp +dnssec +multiline

; <<>> DiG 9.7.0-P1 <<>> @127.1 www.test.co.jp +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55306
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.test.co.jp.                IN A

;; ANSWER SECTION:
www.test.co.jp.         600 IN A 192.0.2.2
www.test.co.jp.         600 IN RRSIG A 5 4 600 20101114072324 (
                               20101015072324 59217 test.co.jp.
                               BT0eWZe4tc6czc9+260luyUTv7npuVTdDvSwtbdKcSG0
                               tsmZ4zb25nwUn4pbvSuEALxSurE3IYupk7j+MK7A2H7s
                               eypIV7RGjmKmE4keu2JneIwdpGAsOsXJ6QcDCObtJ9QZ
                               H1/CUAHwTss3did33lPdSid62vftaF/ISDeidXY= )

;; AUTHORITY SECTION:
test.co.jp.             600 IN NS ns.test.co.jp.
test.co.jp.             600 IN RRSIG NS 5 3 600 20101114072324 (
                               20101015072324 59217 test.co.jp.
                               m/SQNsBAL52Khk10Zd6tn+BW0+fFE0SZcA78/BrYcbpD
                               Xpw/Bx0STeC/ACcSLpyYe0V2fvQYZzp6g4kzTfFBF1BB
                               z5v5yasCKVSPkD1KhPKfKqS2mKheDi+4bx8yHO0dsxs0
                               xErNtUdPaXwU35ZHZNcF9lROVGlHvquJ55PUXsg= )

;; ADDITIONAL SECTION:
ns.test.co.jp.          600 IN A 192.168.11.132
ns.test.co.jp.          600 IN RRSIG A 5 4 600 20101114072324 (
                               20101015072324 59217 test.co.jp.
                               hDCoc3o69/BXgirny3hF/r+6/lkZ5VvyT7mBIAxCZjzS
                               +EEgZfmnCX4PMLjveYJ9cg8EcNLRO1l2DzW8zqgIBU+t
                               uig8hoZdMvfk0vcrRT4Lx7Ifo34SN6B9HS/1naiDFxOX
                               pApUCYqin546ZCoqpb21Reza/Fdd50pOBTyq7YQ= )


DNSSEC log ( "marking as secure" at each step of the chain )
root@ubuntu-4:/etc/bind# egrep -i secure /var/cache/bind/dnssec.log
18-Oct-2010 11:58:54.523 debug 3: validating @0xb914ff30: . DNSKEY: signed by trusted key; marking as secure
18-Oct-2010 11:58:54.524 debug 3: validating @0xb9151808: . NS: marking as secure, noqname proof not needed
18-Oct-2010 11:58:54.536 debug 3: validating @0xb8e85d28: jp DS: marking as secure, noqname proof not needed
18-Oct-2010 11:58:54.536 debug 3: validating @0xb8e852b0: jp DNSKEY: marking as secure (DS)
18-Oct-2010 11:58:54.537 debug 3: validating @0xb8ec4e18: test.co.jp DS: marking as secure, noqname proof not needed
18-Oct-2010 11:58:54.537 debug 3: validating @0xb9151808: test.co.jp DNSKEY: marking as secure (DS)
18-Oct-2010 11:58:54.537 debug 3: validating @0xb914ff30: www.test.co.jp A: marking as secure, noqname proof not needed


Repeat the check with unbound as the caching server.

Add the following to unbound.conf.
        root-hints: "/var/cache/bind/internal_db.root"
        trusted-keys-file: "/etc/unbound/dnskey_root.txt"

root@ubuntu-4:/etc/unbound# cat /var/cache/bind/internal_db.root
.                        3600000  IN  NS    X.ROOT-SERVERS.NET.
X.ROOT-SERVERS.NET.      3600000      A     192.168.11.130
root@ubuntu-4:/etc/unbound#

root@ubuntu-4:/etc/unbound# cat /etc/unbound/dnskey_root.txt
trusted-keys {
"." 257 3 5 "AwEAAbx8C4xvUn9WfR86+QbbfopFjVnqR7uNh0VeL4tFUy1G+Ch4iUdP ajOIgKFien6R01j66efkk2NbO0vgaTi/3Xcr9RYZ1ZVdYz+Q1BFJe4Oa 2VGutFO/gXAJ3KU7RSUovqLBVubnZiVfEUj+9gPEVNWGzTpYeCbL8Mmb oDaQRQZ2cADDEpWe3z8+9FQpJyugFesVVtHnupgo7jQGld+AO+3Xqgbb drN9U9Ui5QgfK5jXui4o+JRfG8VW++LYizP2bbxjjnkX+wG11XPf7nXp /kN3KJOkI4n/2gZvB11v2k7AdZqyLMOOXPrnZa8y+xEMQmO2vSvR9rAi a6NRsn/nUp8=";
};

root@ubuntu-4:~# /etc/init.d/unbound start

root@ubuntu-4:~# dig @127.1 www.test.co.jp +dnssec +multiline

; <<>> DiG 9.7.0-P1 <<>> @127.1 www.test.co.jp +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3224
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.test.co.jp.                IN A

;; ANSWER SECTION:
www.test.co.jp.         600 IN A 192.0.2.2
www.test.co.jp.         600 IN RRSIG A 5 4 600 20101114072324 (
                               20101015072324 59217 test.co.jp.
                               BT0eWZe4tc6czc9+260luyUTv7npuVTdDvSwtbdKcSG0
                               tsmZ4zb25nwUn4pbvSuEALxSurE3IYupk7j+MK7A2H7s
                               eypIV7RGjmKmE4keu2JneIwdpGAsOsXJ6QcDCObtJ9QZ
                               H1/CUAHwTss3did33lPdSid62vftaF/ISDeidXY= )

ubuntu-4:/etc/unbound# unbound-host -r -v -F dnskey_root.txt -t a www.test.co.jp.
www.test.co.jp. has address 192.0.2.2 (secure)


Packet capture ( internal root )
root@ubuntu-1:/etc/bind# tshark -i eth0 port 53
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
 0.000000 192.168.11.133 -> 192.168.11.130 DNS Standard query NS
 0.000183 192.168.11.130 -> 192.168.11.133 DNS Standard query response NS x.root-servers.net RRSIG
 0.002294 192.168.11.133 -> 192.168.11.130 DNS Standard query A www.test.co.jp
 0.002586 192.168.11.130 -> 192.168.11.133 DNS Standard query response
 0.013264 192.168.11.133 -> 192.168.11.130 DNS Standard query DNSKEY
 0.013570 192.168.11.130 -> 192.168.11.133 DNS Standard query response DNSKEY DNSKEY DNSKEY RRSIG RRSIG
^C6 packets captured


Packet capture ( internal jp )
root@ubuntu-2:~# tshark -i eth0 port 53
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
 0.000000 192.168.11.133 -> 192.168.11.131 DNS Standard query A www.test.co.jp
 0.000148 192.168.11.131 -> 192.168.11.133 DNS Standard query response
 0.011487 192.168.11.133 -> 192.168.11.131 DNS Standard query DNSKEY jp
 0.011647 192.168.11.131 -> 192.168.11.133 DNS Standard query response DNSKEY DNSKEY DNSKEY RRSIG RRSIG
 0.015671 192.168.11.133 -> 192.168.11.131 DNS Standard query DS co.jp
 0.015981 192.168.11.131 -> 192.168.11.133 DNS Standard query response
^C6 packets captured


Packet capture ( test.co.jp )
root@ubuntu-3:~# tshark -i eth0 port 53
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
 0.000000 192.168.11.133 -> 192.168.11.132 DNS Standard query A www.test.co.jp
 0.000156 192.168.11.132 -> 192.168.11.133 DNS Standard query response A 192.0.2.2 RRSIG
 0.016685 192.168.11.133 -> 192.168.11.132 DNS Standard query DNSKEY test.co.jp
 0.016935 192.168.11.132 -> 192.168.11.133 DNS Standard query response DNSKEY DNSKEY DNSKEY RRSIG RRSIG
^C4 packets captured
