lost and found ( for me ? )

[ DNSSEC tools : Rollerd KSKのロールオーバー Double-signature ]


ubuntu-1 ( internal root )  , ubuntu-2 ( inernal jp ) , ubuntu-3 ( abc.co.jp )
  |
ubuntu-4 ( caching name server )

[ 手順 ]

 KSK Rollover Using the Double Signature Method

      The Double Signature Method has seven phases that are entered when it
      is time to perform KSK rollover:

          1. wait for old zone data to expire from caches
          2. generate a new (published) KSK
          3. wait for the old DNSKEY RRset to expire from caches
          4. roll the KSKs
          5. transfer new keyset to the parent
          6. wait for parent to publish the new DS record
          7. reload the zone

[ ログ ]

・テスト用のゾーン abc.co.jp を DNSSEC 対応にする
root@ubuntu-3:/var/cache/bind# cat abc.co.jp
$TTL 60
abc.co.jp.   60     IN SOA  root.abc.co.jp. admin.abc.co.jp. (
                                      2010110801   ; serial
                                      7200       ; refresh (2 hours)
                                      3600       ; retry (1 hour)
                                      604800     ; expire (1 week)
                                      60        ; minimum (10 minutes)
                                      )
                       60     NS      ns.abc.co.jp.

ns                      60     IN A    192.168.11.132
www                     60     IN A    192.0.2.2


zonesigner で署名。-ksklife で KSK の roll over 時間を指定。
テストなのでroll over の時間は600秒と短く設定した。
root@ubuntu-3:/var/cache/bind# zonesigner -genkeys -ksklife 600 -zone abc.co.jp abc.co.jp

       if zonesigner appears hung, strike keys until the program completes
       (see the "Entropy" section in the man page for details)

Generating key pair.............++++++ .......++++++
Generating key pair..........++++++ ......++++++
Generating key pair................................+++ ............................................................................+++
Verifying the zone using the following algorithms: RSASHA1.
Zone signing complete:
Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                   ZSKs: 1 active, 1 stand-by, 0 revoked

zone signed successfully

abc.co.jp:
       KSK (cur) 16627  -b 2048  11/08/10      (abc.co.jp-signset-3)
       ZSK (cur) 27501  -b 1024  11/08/10      (abc.co.jp-signset-1)
       ZSK (pub) 39507  -b 1024  11/08/10      (abc.co.jp-signset-2)

zone will expire in 4 weeks, 2 days, 0 seconds
DO NOT delete the keys until this time has passed.


named.confを修正
root@ubuntu-3:/var/cache/bind# egrep abc /etc/bind/named.conf.local
zone "abc.co.jp" in {
#       file "abc.co.jp";
       file "abc.co.jp.signed";

root@ubuntu-3:/var/cache/bind# /etc/init.d/bind9 restart

root@ubuntu-3:/var/cache/bind# dig @127.1 abc.co.jp rrsig | head -15
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.7.0-P1 <<>> @127.1 abc.co.jp rrsig
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51516
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;abc.co.jp.                     IN      RRSIG

;; ANSWER SECTION:
abc.co.jp.              60      IN      RRSIG   SOA 5 3 60 20101208014359 20101108014359 27501 abc.co.jp. FctPlLlU1pRPJm0pa4DQ1qio1PH6T8AuTkGREk4exTtPOuzsS7Asme/C Ev09TZBsvlbqD8hsyKYC407OigmruPu6w+LtCU6y4sz1zxxJSDo7w+Zu DsxoGSZG+ZiUifa2+a+zrKE7dkSE20EOA2oSKrb1YCOi64MtSea9YMhj t7o=
abc.co.jp.              60      IN      RRSIG   NS 5 3 60 20101208014359 20101108014359 27501 abc.co.jp. cf3d3MM8GbJYdZrjrHIrfwIDCP+RF1gi/cv/7fyu4QM1r0ERz+q4jYzB LbzzV/iNcIBxwzCCflvucLdLv62//frSiKBWRsrB2PYGyKCqVD5ivNZW Uvda+ZcJPSikbdueQVHk542IRE8bNNgb79tPdmwb7T9kMTu/6kJAh2P8 FBo=


・rollrec ファイルを作成
root@ubuntu-3:/var/cache/bind# rollinit abc.co.jp -zonefile /var/cache/bind/abc.co.jp.signed -keyrec /var/cache/bind/abc.co.jp.krf -admin admin@abc.co.jp > abc.co.jp.rollrec

root@ubuntu-3:/var/cache/bind# cat abc.co.jp.rollrec
roll    "abc.co.jp"
       zonefile        "/var/cache/bind/abc.co.jp.signed"
       keyrec          "/var/cache/bind/abc.co.jp.krf"
       administrator   "admin@abc.co.jp"
       kskphase        "0"
       zskphase        "0"
       ksk_rolldate    " "
       ksk_rollsecs    "0"
       zsk_rolldate    " "
       zsk_rollsecs    "0"
       maxttl          "0"
       display         "1"
       phasestart      "new"
       # optional records for RFC5011 rolling:
       istrustanchor           "no"
       holddowntime            "60D"


・rollerd を起動

rndc のパスを dnssec-tools.conf に記述しておく。
root@ubuntu-3:~# egrep rndc /etc/dnssec-tools/dnssec-tools.conf
rndc            /usr/sbin/rndc


rollerd 起動
root@ubuntu-3:/var/cache/bind# rollerd -verbose -loglevel info -logfile /root/abc.co.jp_rollover -rrfile abc.co.jp.rollrec -sleep 60 -directory /var/cache/bind

root@ubuntu-3:/var/cache/bind# ps aux | grep roller | grep -v grep
root       909  0.0  5.3  14996  9988 ?        Ss   02:50   0:00 /usr/bin/perl /usr/bin/rollerd -verbose -loglevel info -logfile /root/abc.co.jp_rollover -rrfile abc.co.jp.rollrec -sleep 60 -directory /var/cache/bind

root@ubuntu-3:/var/cache/bind# rollctl -status
boot-time:          Mon Nov  8 02:50:31 2010
directory:          /var/cache/bind
rollrec file:       /var/cache/bind/abc.co.jp.rollrec
logfile:            /root/abc.co.jp_rollover
loglevel:           4
sleeptime:          60
root@ubuntu-3:/var/cache/bind#

root@ubuntu-3:/var/cache/bind# rollctl -zonestatus abc.co.jp
abc.co.jp       roll    ZSK 0: Not Rolling


KSKを rolling するかしばらくまつ。その間に上位 ( internal jp ) に abc.co.jp の DS レコードを登録

interna jp に abc.co.jp の DSレコードをコピー
root@ubuntu-3:/var/cache/bind# scp dsset-abc.co.jp. root@192.168.11.131:


internal jp ( ubuntu-2 ) で 、abc.co.jp の DS の登録。再署名。
root@ubuntu-2:/var/cache/bind# dig @127.1 abc.co.jp ds | grep -i ds
; <<>> DiG 9.7.0-P1 <<>> @127.1 abc.co.jp ds
;abc.co.jp.                     IN      DS
abc.co.jp.              3600    IN      DS      16627 5 1 8DA6CDF36AA2E1B025CFE38A8922C7034EB9FD41
abc.co.jp.              3600    IN      DS      16627 5 2 0EC1CEC7A6D657D46E392F1EA47B50D9DCD9549021082492B02638E3 63F66C8C


キャッシュサーバ ( ubuntu-4 ) で、validation ができるかチェック。
ad bit が立っているので検証成功
root@ubuntu-4:~# dig @127.1 abc.co.jp soa +dnssec +multiline

; <<>> DiG 9.7.0-P1 <<>> @127.1 abc.co.jp soa +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39461
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;abc.co.jp.             IN SOA

;; ANSWER SECTION:
abc.co.jp.              19 IN SOA root.abc.co.jp. admin.abc.co.jp. (
                               2010110803 ; serial
                               7200       ; refresh (2 hours)
                               3600       ; retry (1 hour)
                               604800     ; expire (1 week)
                               60         ; minimum (1 minute)
                               )
abc.co.jp.              19 IN RRSIG SOA 5 3 60 20101208020347 (
                               20101108020347 27501 abc.co.jp.
                               XXT4WnKDNd42vy5iX14LuxEMw2G+VF59Yk/IzOP7lFtT
                               QS14pthnz90MFd//KrZSrB0up8G8r4rj9OvTBdetySaI
                               bXgSR6TSyZ67KIK/eAfgWikyjeRARWb2bGIOouTqx7BV
                               GdHija9M+0LQatPPsWRDh5VuOTWNTP6TiElQ6Jo= )


unbound-host コマンドでも一応確認。secure
root@ubuntu-4:~# unbound-host -r -v -F dnskey_root.txt -t soa abc.co.jp
abc.co.jp has SOA record root.abc.co.jp. admin.abc.co.jp. 2010110803 7200 3600 604800 60 (secure)


あ、roll over してる。。

phase 1 : wait for old zone data to expire from caches
root@ubuntu-3:~# egrep -i "phase 1" abc.co.jp_rollover
Nov  8 03:01:36 2010: abc.co.jp: KSK phase 1
Nov  8 03:02:41 2010: abc.co.jp: KSK phase 1 (Waiting for the old zone data to expire from caches); cache expires in 55 seconds


phase 2 : generate a new (published) KSK
Nov  8 03:03:46 2010: abc.co.jp: KSK phase 2
Nov  8 03:03:46 2010: abc.co.jp: executing "/usr/bin/zonesigner -newpubksk abc.co.jp abc.co.jp.signed"


      -newpubksk
          Generate new Published KSKs for the zone.  Any existing Published
          KSKs will be marked as obsolete.

phase 3 : wait for the old DNSKEY RRset to expire from caches
Nov  8 03:03:47 2010: abc.co.jp: KSK phase 3
Nov  8 03:03:47 2010: abc.co.jp: KSK phase 3 (Waiting for cache or holddown timer expiration); cache expires in 2 minutes, 0 seconds
Nov  8 03:04:52 2010: abc.co.jp: KSK phase 3 (Waiting for cache or holddown timer expiration); cache expires in 55 seconds
Nov  8 03:04:57 2010: : zone status:
Nov  8 03:04:57 2010: :        abc.co.jp       roll    KSK 3: Waiting for cache or holddown timer expiration


phase 4 : roll the KSKs
Nov  8 03:06:02 2010: abc.co.jp: KSK phase 4
Nov  8 03:06:02 2010: abc.co.jp: executing "/usr/bin/zonesigner -rollksk abc.co.jp abc.co.jp.signed"


      -rollksk
          Force a rollover of the KSK keys.  The Current KSK keys are marked
          as Obsolete and the Published KSK keys are marked as Current.  The
          zone is then signed with the new set of Current KSK keys.  If the
          zone's keyrec does not list a Current or Published KSK, an error
          message is printed and zonesigner stops execution.

          The zone's keyrec file is updated to show the new key state.

          The keyrecs of the KSK keys are adjusted as follows:

              The Current KSK keys are marked as Obsolete.
              The Published KSK keys are marked as Current.
              The obsolete KSK keys are moved to the archive directory.


phase 5 : transfer new keyset to the parent
Nov  8 03:06:02 2010: abc.co.jp: KSK phase 5
Nov  8 03:06:03 2010: abc.co.jp: KSK phase 5:  admin notified to transfer keyset


メールで通知されるんだけど、Mailサーバ立ててなかったので通知内容をチェックできなかった。。
通知先は、rollrec ファイル作成時のアドレス ( admin@abc.co.jp )
root@ubuntu-3:/var/cache/bind# rollinit abc.co.jp -zonefile /var/cache/bind/abc.co.jp.signed -keyrec /var/cache/bind/abc.co.jp.krf -admin admin@abc.co.jp > abc.co.jp.rollrec


phase 6 : wait for parent to publish the new DS record
Nov  8 03:06:03 2010: abc.co.jp: KSK phase 6
Nov  8 03:06:03 2010: abc.co.jp: KSK phase 6:  waiting for parental publication of DS record
Nov  8 03:07:08 2010: abc.co.jp: KSK phase 6:  waiting for parental publication of DS record
Nov  8 03:08:13 2010: abc.co.jp: KSK phase 6:  waiting for parental publication of DS record
Nov  8 03:09:18 2010: abc.co.jp: KSK phase 6:  waiting for parental publication of DS record
Nov  8 03:10:23 2010: abc.co.jp: KSK phase 6:  waiting for parental publication of DS record
Nov  8 03:11:28 2010: abc.co.jp: KSK phase 6:  waiting for parental publication of DS record


上位NS ( internal jp : ubuntu-2  ) に 新しい DS レコードを登録

internal jp に DS を登録して再署名
root@ubuntu-2: zonesigner -zone jp jp_zone_internal.db
root@ubuntu-2: rndc reload jp


before
root@ubuntu-2:/var/cache/bind# dig @127.1 abc.co.jp ds | grep -i ds
; <<>> DiG 9.7.0-P1 <<>> @127.1 abc.co.jp ds
;abc.co.jp.                     IN      DS
abc.co.jp.              3600    IN      DS      16627 5 1 8DA6CDF36AA2E1B025CFE38A8922C7034EB9FD41
abc.co.jp.              3600    IN      DS      16627 5 2 0EC1CEC7A6D657D46E392F1EA47B50D9DCD9549021082492B02638E3 63F66C8C


after
root@ubuntu-2:/var/cache/bind# dig @127.1 abc.co.jp ds | grep -i ds
; <<>> DiG 9.7.0-P1 <<>> @127.1 abc.co.jp ds
;abc.co.jp.                     IN      DS
abc.co.jp.              3600    IN      DS      30247 5 1 2EEF5DF6AA6235E1CE8692191A20B361C956A192
abc.co.jp.              3600    IN      DS      30247 5 2 ADD74370A3332CFF1F7CEFB839901140271C4CB4E58056C8D43F85F9 D13F2632


phase 7 : reload the zone

phase 6 が完了したので、phase 7 へ。
root@ubuntu-3:/var/cache/bind# rollctl -zonestatus
abc.co.jp       roll    KSK 6: Waiting for the parent to publish the new DS record


rollctrl で 上位NS へ DS の publish が完了したことを伝えたいんだが、、、どうすればいいんだろう。。

In step 6, after the
      parent has published a new DS record, the administrator uses
rollctl to
      inform
rollerd that the DS record has been published and rollover may
      continue.


これかな。

      -dspub zone
          Indicates that zone's parent has published a new DS record for
          zone.
root@ubuntu-3:/var/cache/bind# rollctl -zonestatus  ← 今 phase 6
abc.co.jp       roll    KSK 6: Waiting for the parent to publish the new DS record

root@ubuntu-3:/var/cache/bind# rollctl -dspub abc.co.jp  ← phase 6 から 7 へ
rollerd informed that parent has published DS record for zone abc.co.jp

root@ubuntu-3:/var/cache/bind# rollctl -zonestatus ← phase 7 になった
abc.co.jp       roll    KSK 7: Reloading the zone


rollerd のログ。phase 7 になった。
Nov  8 04:47:47 2010: :        abc.co.jp       roll    KSK 6: Waiting for the parent to publish the new DS record
Nov  8 04:47:54 2010: abc.co.jp: KSK phase 7
Nov  8 04:47:58 2010: : zone status:
Nov  8 04:47:58 2010: :        abc.co.jp       roll    KSK 7: Reloading the zone
Nov  8 04:48:17 2010: abc.co.jp: KSK phase 7:  unable to archive KSK keys, rc - 0
Nov  8 04:48:17 2010: abc.co.jp: KSK phase 0
Nov  8 04:48:17 2010: abc.co.jp:     KSK expiration in 10 minutes, 0 seconds


rollctl -dspub abc.co.jp を実行後、named が relaod された
Nov  8 04:48:17 ubuntu-3 named[1135]: reloading configuration succeeded
Nov  8 04:48:17 ubuntu-3 named[1135]: reloading zones succeeded


完了
root@ubuntu-3:/var/cache/bind# rollctl -zonestatus
abc.co.jp       roll    ZSK 0: Not Rolling

root@ubuntu-4:~# unbound-host -r -v -F dnskey_root.txt -t soa abc.co.jp
abc.co.jp has SOA record root.abc.co.jp. admin.abc.co.jp. 2010110804 7200 3600 604800 60 (secure)


rollerd を使用して、ZSK , KSK の roll over の確認ができた。
便利なツールだ。

上位 ( jp ) に登録した DS レコードの TTL が 3600秒で、abc.co.jp のTTLは60秒にしちゃったので、
pahse 7 で リロードしたあと、キャッシュサーバに過去のDSがキャッシュされたままで、
キャッシュが expire するまで、検証に失敗した。TTL を考慮せねば。。。

internal jp に登録した DS の TTL は 600 秒
root@ubuntu-2:/var/cache/bind# dig @127.1 abc.co.jp ds | grep -i ds
; <<>> DiG 9.7.0-P1 <<>> @127.1 abc.co.jp ds
;abc.co.jp.                     IN      DS
abc.co.jp.              3600    IN      DS      36592 5 1 2264E553D4AB390EA0807C846BADA1F46A8587A0
abc.co.jp.              3600    IN      DS      36592 5 2 6D6213F16B82FBF566F3A057A9E5371812B5CB3DA5D9242902FBB28E 97A145A8


abc.co.jp の各RR の TTL は 60秒。
root@ubuntu-3:/var/cache/bind# dig @127.1 abc.co.jp any +norec
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.7.0-P1 <<>> @127.1 abc.co.jp any +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38278
;; flags: qr aa ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;abc.co.jp.                     IN      ANY

;; ANSWER SECTION:
abc.co.jp.              60      IN      SOA     root.abc.co.jp. admin.abc.co.jp. 2010110806 7200 3600 604800 60
abc.co.jp.              60      IN      RRSIG   SOA 5 3 60 20101208040342 20101108040342 27501 abc.co.jp. k3Iy8kQbFg4ozSzzxqQZaVOIyqb9Egy742pZxCO6he5MwexRNQ+mlVuN EdW3yRZZVY0KnGUaFVC83mBDk8op1HKofNySF1Y+wn8ttGYPBfuEHlcP gJlCnki1GJaWk2yheVmLeTeFm871JwF/SgZs+5rmQyJbJ3LJ+iE3sCZG OKM=
abc.co.jp.              60      IN      NS      ns.abc.co.jp.
abc.co.jp.              60      IN      RRSIG   NS 5 3 60 20101208040342 20101108040342 27501 abc.co.jp. hJa5lyybDUeS2Vdmyh55w/cBrsX1RolkmV6Nr4h0Jknefb4DRgokB9MV 7KCx6OBIEGzTV+aHDbK/oyrTZtem71juW0kXaCGDaVXzjvJM4IF6k9kb 4zfwomxxT5Ejydzt5GtpVLbsu9fBQEBoVg1dAcHaUagJr1cqFoRNCmjG nOM=


phase 7 のあと、キャッシュサーバの過去のDSがexpire されるまで ( 新しいDSをキャッシュするまで ) 、ServFail となってしまった。

internal jp の DS の TTL を 600 秒
abc.co.jp の 全RRs の TTL を 60 秒 

としたので、過去のDSがexpire する前に、abc.co.jp の RRs が expire する。。

i.e. 過去のDS を使って、DNSSECの検証をしてしまうので、過去のDSが expire するまで検証失敗(ServFail)となる。

abc.co.jp ( ubuntu-3 )
root@ubuntu-3:/var/cache/bind# rollctl -dspub abc.co.jp
rollerd informed that parent has published DS record for zone abc.co.jp
root@ubuntu-3:/var/cache/bind# rollctl -zonestatus
abc.co.jp       roll    KSK 7: Reloading the zone


internal jp (ubuntu-2 ) の DS レコード
root@ubuntu-2:/var/cache/bind# dig @127.1 abc.co.jp ds +norec

; <<>> DiG 9.7.0-P1 <<>> @127.1 abc.co.jp ds +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29609
;; flags: qr aa ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;abc.co.jp.                     IN      DS

;; ANSWER SECTION:
abc.co.jp.              3600    IN      DS      49729 5 2 484895DA912FBD60CCE0ACD8DDD25888B38BFE584667E4B0EC1539C1 0A0E0EB8
abc.co.jp.              3600    IN      DS      49729 5 1 C223A47543911F7F91D4D5740916B3F01ACE5E40


キャッシュサーバ ( ubuntu-4 ) でキャッシュしているDSレコード
root@ubuntu-4:~# rndc dumpdb


過去のDSをキャッシュしたまま。
; secure
abc.co.jp.              3052    DS      36592 5 1 (
                                       2264E553D4AB390EA0807C846BADA1F46A85
                                       87A0 )
                       3052    DS      36592 5 2 (
                                       6D6213F16B82FBF566F3A057A9E5371812B5
                                       CB3DA5D9242902FBB28E97A145A8 )


dig すると検証に失敗する。
root@ubuntu-4:~# dig @127.1 www.abc.co.jp +dnssec +multiline

; <<>> DiG 9.7.0-P1 <<>> @127.1 www.abc.co.jp +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19203
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.abc.co.jp.         IN A

root@ubuntu-4:~# egrep failure /var/cache/bind/dnssec.log
08-Nov-2010 05:29:03.081 debug 3: validating @0xb7dbbed8: www.abc.co.jp A: fetch_callback_validator: got failure


キャッシュをクリアすると、成功。
root@ubuntu-4:~# rndc flush

root@ubuntu-4:~# dig @127.1 www.abc.co.jp +dnssec +multiline

; <<>> DiG 9.7.0-P1 <<>> @127.1 www.abc.co.jp +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20971
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.abc.co.jp.         IN A

;; ANSWER SECTION:
www.abc.co.jp.          60 IN A 192.0.2.2
www.abc.co.jp.          60 IN RRSIG A 5 4 60 20101208042244 (
                               20101108042244 27501 abc.co.jp.
                               llelbBYFPrZ3yWXCV8KfmhXSeAc3pq2U1t1rAJDpTukp
                               DfVKhXg0y+CHQhHLS5GO88dOflye7gOIuka5loqTWQLh
                               3eTpmRykjXa4sh4I0USuu+niJLpUO1he2Eajldw2+XNi
                               wEI4yoYhdzskisHcLpJ2fsF0fPQkNF+eBmQnY0g= )

;; AUTHORITY SECTION:
abc.co.jp.              60 IN NS ns.abc.co.jp.
abc.co.jp.              60 IN RRSIG NS 5 3 60 20101208042244 (
                               20101108042244 27501 abc.co.jp.
                               Kj87qZFpnKY6f7rWE8k6datJqwTw7qxiuppRpP2XsP7h
                               STxCLHKP9RqXcXItIOgnlCsn1X1sk/T2Wccn+sb+yYTa
                               +7nuioAA69yIXhMrbCwXTQdIZC16kwpcK3FJXqldApLt
                               nVb1TmYDlrAsw/fhdybbRCVJXBIeEe2HjW80d1s= )

;; ADDITIONAL SECTION:
ns.abc.co.jp.           60 IN A 192.168.11.132
ns.abc.co.jp.           60 IN RRSIG A 5 4 60 20101208042244 (
                               20101108042244 27501 abc.co.jp.
                               lCltwxoA1wb6kFLGmUvy8aXtS/uhrfjQWJgGMMZ0fhLM
                               NFmPgJt9Bz5jDXxC3tg3z8MV8bJTIyGVncSGA8saxeSz
                               Qn36YJi0l356HQKeQ6cwcRvqgj0F/w9EnhISuJ05ZzZj
                               1e05fEU1TN1ze22Yav3MyWC60xGtLEF9B5dgaAo= )

root@ubuntu-4:~# egrep secure /var/cache/bind/dnssec.log
08-Nov-2010 05:30:53.594 debug 3: validating @0xb7e9dfb8: . DNSKEY: signed by trusted key; marking as secure
08-Nov-2010 05:30:53.595 debug 3: validating @0xb7e95458: . NS: marking as secure, noqname proof not needed
08-Nov-2010 05:30:53.606 debug 3: validating @0xb7ea1048: jp DS: marking as secure, noqname proof not needed
08-Nov-2010 05:30:53.607 debug 3: validating @0xb7e97950: jp DNSKEY: marking as secure (DS)
08-Nov-2010 05:30:53.608 debug 3: validating @0xb7e96ed8: abc.co.jp DS: marking as secure, noqname proof not needed
08-Nov-2010 05:30:53.609 debug 3: validating @0xb7ce53e0: abc.co.jp DNSKEY: marking as secure (DS)
08-Nov-2010 05:30:53.610 debug 3: validating @0xb7e95458: www.abc.co.jp A: marking as secure, noqname proof not needed


ちなみに。昔のDSも internal jp に残していてもダメ。
新しい abc.co.jp のRRs は新しいKSK で署名されているので、昔のDSを internal jp に残しておいてもダメ。

過去のDS
root@ubuntu-2:/var/cache/bind# cat dsset-abc.co.jp.
abc.co.jp.              IN DS 49729 5 1 C223A47543911F7F91D4D5740916B3F01ACE5E40
abc.co.jp.              IN DS 49729 5 2 484895DA912FBD60CCE0ACD8DDD25888B38BFE584667E4B0EC1539C1 0A0E0EB8


新DS
root@ubuntu-2:/var/cache/bind# cat /root/dsset-abc.co.jp.
abc.co.jp.              IN DS 19426 5 1 E8C74C18A340A8445671861806F6DF590AC6C372
abc.co.jp.              IN DS 19426 5 2 75CCFB6523DD6D3522DBE6754915475E53B99E4823CF07E57A243B1F 86B4E8CE


過去のDS + 新DS の両方を登録。んで署名。
root@ubuntu-2:/var/cache/bind# cat jp_zone_internal.db
abc.co.jp.      600     NS      ns.abc.co.jp.
ns.abc.co.jp.   600     IN      A       192.168.11.132
abc.co.jp.              IN DS 49729 5 1 C223A47543911F7F91D4D5740916B3F01ACE5E40
abc.co.jp.              IN DS 49729 5 2 484895DA912FBD60CCE0ACD8DDD25888B38BFE584667E4B0EC1539C1 0A0E0EB8
abc.co.jp.              IN DS 19426 5 1 E8C74C18A340A8445671861806F6DF590AC6C372
abc.co.jp.              IN DS 19426 5 2 75CCFB6523DD6D3522DBE6754915475E53B99E4823CF07E57A243B1F 86B4E8CE

root@ubuntu-2:/var/cache/bind# zonesigner -zone jp jp_zone_internal.db

root@ubuntu-2:/var/cache/bind# rndc reload jp


過去DS : 49729
新DS : 19426
root@ubuntu-2:/var/cache/bind# dig @127.1 abc.co.jp ds +norec

; <<>> DiG 9.7.0-P1 <<>> @127.1 abc.co.jp ds +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36253
;; flags: qr aa ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;abc.co.jp.                     IN      DS

;; ANSWER SECTION:
abc.co.jp.              3600    IN      DS      19426 5 1 E8C74C18A340A8445671861806F6DF590AC6C372
abc.co.jp.              3600    IN      DS      19426 5 2 75CCFB6523DD6D3522DBE6754915475E53B99E4823CF07E57A243B1F 86B4E8CE
abc.co.jp.              3600    IN      DS      49729 5 1 C223A47543911F7F91D4D5740916B3F01ACE5E40
abc.co.jp.              3600    IN      DS      49729 5 2 484895DA912FBD60CCE0ACD8DDD25888B38BFE584667E4B0EC1539C1 0A0E0EB8


abc.co.jp ( ubuntu-3 ) 。phase 6 から phase 7 へ
root@ubuntu-3:/var/cache/bind# rollctl -zonestatus
abc.co.jp       roll    KSK 6: Waiting for the parent to publish the new DS record

root@ubuntu-3:/var/cache/bind# rollctl -dspub abc.co.jp
rollerd informed that parent has published DS record for zone abc.co.jp

root@ubuntu-3:/var/cache/bind# rollctl -zonestatus
abc.co.jp       roll    KSK 7: Reloading the zone


キャッシュサーバ ( ubuntu-4 )
root@ubuntu-4:~# rndc dumpdb


過去のDSをキャッシュしている
; secure
abc.co.jp.              2936    DS      49729 5 1 (
                                       C223A47543911F7F91D4D5740916B3F01ACE
                                       5E40 )
                       2936    DS      49729 5 2 (
                                       484895DA912FBD60CCE0ACD8DDD25888B38B
                                       FE584667E4B0EC1539C10A0E0EB8 )


NG
root@ubuntu-4:~# dig @127.1 abc.co.jp soa +dnssec +multiline

; <<>> DiG 9.7.0-P1 <<>> @127.1 abc.co.jp soa +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1484
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;abc.co.jp.             IN SOA


キャッシュをクリアすれば、新DSを読み込むのでOK
root@ubuntu-4:~# rndc flush


root@ubuntu-4:~# dig @127.1 abc.co.jp soa +dnssec +multiline

; <<>> DiG 9.7.0-P1 <<>> @127.1 abc.co.jp soa +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18606
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;abc.co.jp.             IN SOA

;; ANSWER SECTION:
abc.co.jp.              60 IN SOA root.abc.co.jp. admin.abc.co.jp. (
                               2010110810 ; serial
                               7200       ; refresh (2 hours)
                               3600       ; retry (1 hour)
                               604800     ; expire (1 week)
                               60         ; minimum (1 minute)
                               )
abc.co.jp.              60 IN RRSIG SOA 5 3 60 20101208044337 (
                               20101108044337 27501 abc.co.jp.
                               DvZcYBeP05/0ZfoBR5Ws66Oh9Eea+pN3itWX4DnZ4/Td
                               jHHPtsDRJCi5kLeyURUYSpX+2OFNk3/qqT6x3qMV+RnS
                               PfwdUsSmKpeSVgN6ct6oTIMDkiXnxspF16lZvu6TxIPO
                               l+bA4j4G0w+j4KSLEiaw8A8KSqI6x3S03FKq+8g= )

;; AUTHORITY SECTION:
abc.co.jp.              60 IN NS ns.abc.co.jp.
abc.co.jp.              60 IN RRSIG NS 5 3 60 20101208044337 (
                               20101108044337 27501 abc.co.jp.
                               fPpSE4QswocnALXIGQE6tqHb9VcbmEWPwkr98pOsXjc0
                               myPyEMOjoNl04Ushp46UJijpADR7Vz4A+vrAC4rXMdr+
                               N/HU+P6jQai2paRtNDBXTkFR0S3lAbOL7f13e+eoPKvV
                               AF83XXKdl4sHdoARW6yuBeF04CexlC4vuy88inw= )

;; ADDITIONAL SECTION:
ns.abc.co.jp.           60 IN A 192.168.11.132
ns.abc.co.jp.           60 IN RRSIG A 5 4 60 20101208044337 (
                               20101108044337 27501 abc.co.jp.
                               cefSIOzjmGpc1jMcl5dgTM/YiIfAOVAD31BVfyKvXi+A
                               w83FcPRILOJvV6+8ivWbEjqbnJioylAETgdp/cwIuZML
                               mfZjw2AzzeMxXKRJN5QeZtX1MG7U3p1aAvUf2NvFdhHd
                               DXXJnz+rliqDgIwmNJ5FnXD6yUma+ctjdEhlVms= )


キャッシュダンプ
; secure
abc.co.jp.              3533    DS      19426 5 1 (
                                       E8C74C18A340A8445671861806F6DF590AC6
                                       C372 )
                       3533    DS      19426 5 2 (
                                       75CCFB6523DD6D3522DBE6754915475E53B9
                                       9E4823CF07E57A243B1F86B4E8CE )
                       3533    DS      49729 5 1 (
                                       C223A47543911F7F91D4D5740916B3F01ACE
                                       5E40 )
                       3533    DS      49729 5 2 (
                                       484895DA912FBD60CCE0ACD8DDD25888B38B
                                       FE584667E4B0EC1539C10A0E0EB8 )


named ログ

root@ubuntu-4:~# egrep secure /var/cache/bind/dnssec.log
08-Nov-2010 05:55:54.565 debug 3: validating @0xb7e967d0: . DNSKEY: signed by trusted key; marking as secure
08-Nov-2010 05:55:54.565 debug 3: validating @0xb7e9df90: . NS: marking as secure, noqname proof not needed
08-Nov-2010 05:55:54.574 debug 3: validating @0xb7ea0f00: jp DS: marking as secure, noqname proof not needed
08-Nov-2010 05:55:54.576 debug 3: validating @0xb7ea0488: jp DNSKEY: marking as secure (DS)
08-Nov-2010 05:55:54.576 debug 3: validating @0xb7e9fa10: abc.co.jp DS: marking as secure, noqname proof not needed
08-Nov-2010 05:55:54.578 debug 3: validating @0xb7ce53e0: abc.co.jp DNSKEY: marking as secure (DS)
08-Nov-2010 05:55:54.579 debug 3: validating @0xb7e9df90: abc.co.jp SOA: marking as secure, noqname proof not needed

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.