ubuntu-1 ( internal root ) , ubuntu-2 ( internal jp ) , ubuntu-3 ( abc.co.jp )
|
ubuntu-4 ( caching name server )
[ Procedure ]
KSK Rollover Using the Double Signature Method
The Double Signature Method has seven phases that are entered when it
is time to perform KSK rollover:
1. wait for old zone data to expire from caches
2. generate a new (published) KSK
3. wait for the old DNSKEY RRset to expire from caches
4. roll the KSKs
5. transfer new keyset to the parent
6. wait for parent to publish the new DS record
7. reload the zone
[ Log ]
・Enable DNSSEC for the test zone abc.co.jp
root@ubuntu-3:/var/cache/bind# cat abc.co.jp
$TTL 60
abc.co.jp.      60      IN      SOA     root.abc.co.jp. admin.abc.co.jp. (
                                2010110801      ; serial
                                7200            ; refresh (2 hours)
                                3600            ; retry (1 hour)
                                604800          ; expire (1 week)
                                60              ; minimum (10 minutes)
                                )
                60              NS      ns.abc.co.jp.
ns              60      IN      A       192.168.11.132
www             60      IN      A       192.0.2.2
Sign the zone with zonesigner. -ksklife sets the KSK rollover interval.
Since this is only a test, the rollover interval was set to a short 600 seconds.
root@ubuntu-3:/var/cache/bind# zonesigner -genkeys -ksklife 600 -zone abc.co.jp abc.co.jp

        if zonesigner appears hung, strike keys until the program completes
        (see the "Entropy" section in the man page for details)

Generating key pair.............++++++ .......++++++
Generating key pair..........++++++ ......++++++
Generating key pair................................+++ ............................................................................+++
Verifying the zone using the following algorithms: RSASHA1.
Zone signing complete:
Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                    ZSKs: 1 active, 1 stand-by, 0 revoked

zone signed successfully

abc.co.jp:
        KSK (cur) 16627  -b 2048  11/08/10      (abc.co.jp-signset-3)
        ZSK (cur) 27501  -b 1024  11/08/10      (abc.co.jp-signset-1)
        ZSK (pub) 39507  -b 1024  11/08/10      (abc.co.jp-signset-2)

zone will expire in 4 weeks, 2 days, 0 seconds
DO NOT delete the keys until this time has passed.
Edit named.conf
root@ubuntu-3:/var/cache/bind# egrep abc /etc/bind/named.conf.local
zone "abc.co.jp" in {
#       file "abc.co.jp";
        file "abc.co.jp.signed";

root@ubuntu-3:/var/cache/bind# /etc/init.d/bind9 restart

root@ubuntu-3:/var/cache/bind# dig @127.1 abc.co.jp rrsig | head -15
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.7.0-P1 <<>> @127.1 abc.co.jp rrsig
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51516
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;abc.co.jp.                     IN      RRSIG

;; ANSWER SECTION:
abc.co.jp.              60      IN      RRSIG   SOA 5 3 60 20101208014359 20101108014359 27501 abc.co.jp. FctPlLlU1pRPJm0pa4DQ1qio1PH6T8AuTkGREk4exTtPOuzsS7Asme/C Ev09TZBsvlbqD8hsyKYC407OigmruPu6w+LtCU6y4sz1zxxJSDo7w+Zu DsxoGSZG+ZiUifa2+a+zrKE7dkSE20EOA2oSKrb1YCOi64MtSea9YMhj t7o=
abc.co.jp.              60      IN      RRSIG   NS 5 3 60 20101208014359 20101108014359 27501 abc.co.jp. cf3d3MM8GbJYdZrjrHIrfwIDCP+RF1gi/cv/7fyu4QM1r0ERz+q4jYzB LbzzV/iNcIBxwzCCflvucLdLv62//frSiKBWRsrB2PYGyKCqVD5ivNZW Uvda+ZcJPSikbdueQVHk542IRE8bNNgb79tPdmwb7T9kMTu/6kJAh2P8 FBo=
・Create the rollrec file
root@ubuntu-3:/var/cache/bind# rollinit abc.co.jp -zonefile /var/cache/bind/abc.co.jp.signed -keyrec /var/cache/bind/abc.co.jp.krf -admin admin@abc.co.jp > abc.co.jp.rollrec

root@ubuntu-3:/var/cache/bind# cat abc.co.jp.rollrec
roll    "abc.co.jp"
        zonefile        "/var/cache/bind/abc.co.jp.signed"
        keyrec          "/var/cache/bind/abc.co.jp.krf"
        administrator   "admin@abc.co.jp"
        kskphase        "0"
        zskphase        "0"
        ksk_rolldate    " "
        ksk_rollsecs    "0"
        zsk_rolldate    " "
        zsk_rollsecs    "0"
        maxttl          "0"
        display         "1"
        phasestart      "new"

        # optional records for RFC5011 rolling:
        istrustanchor   "no"
        holddowntime    "60D"
・Start rollerd
Put the path to rndc in dnssec-tools.conf first.
root@ubuntu-3:~# egrep rndc /etc/dnssec-tools/dnssec-tools.conf
rndc            /usr/sbin/rndc

Start rollerd
root@ubuntu-3:/var/cache/bind# rollerd -verbose -loglevel info -logfile /root/abc.co.jp_rollover -rrfile abc.co.jp.rollrec -sleep 60 -directory /var/cache/bind

root@ubuntu-3:/var/cache/bind# ps aux | grep roller | grep -v grep
root       909  0.0  5.3  14996  9988 ?        Ss   02:50   0:00 /usr/bin/perl /usr/bin/rollerd -verbose -loglevel info -logfile /root/abc.co.jp_rollover -rrfile abc.co.jp.rollrec -sleep 60 -directory /var/cache/bind

root@ubuntu-3:/var/cache/bind# rollctl -status
boot-time:      Mon Nov 8 02:50:31 2010
directory:      /var/cache/bind
rollrec file:   /var/cache/bind/abc.co.jp.rollrec
logfile:        /root/abc.co.jp_rollover
loglevel:       4
sleeptime:      60
root@ubuntu-3:/var/cache/bind#
root@ubuntu-3:/var/cache/bind# rollctl -zonestatus
abc.co.jp       roll    ZSK  0: Not Rolling
Wait a while for the KSK to start rolling. In the meantime, register the DS record for abc.co.jp at the parent ( internal jp ).
Copy the DS record for abc.co.jp to internal jp
root@ubuntu-3:/var/cache/bind# scp dsset-abc.co.jp. root@192.168.11.131:

On internal jp ( ubuntu-2 ), register the DS for abc.co.jp and re-sign.
root@ubuntu-2:/var/cache/bind# dig @127.1 abc.co.jp ds | grep -i ds
; <<>> DiG 9.7.0-P1 <<>> @127.1 abc.co.jp ds
;abc.co.jp.                     IN      DS
abc.co.jp.              3600    IN      DS      16627 5 1 8DA6CDF36AA2E1B025CFE38A8922C7034EB9FD41
abc.co.jp.              3600    IN      DS      16627 5 2 0EC1CEC7A6D657D46E392F1EA47B50D9DCD9549021082492B02638E3 63F66C8C
On the caching server ( ubuntu-4 ), check that validation works.
The ad bit is set, so validation succeeded.
root@ubuntu-4:~# dig @127.1 abc.co.jp soa +dnssec +multiline

; <<>> DiG 9.7.0-P1 <<>> @127.1 abc.co.jp soa +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39461
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;abc.co.jp.             IN SOA

;; ANSWER SECTION:
abc.co.jp.              19 IN SOA root.abc.co.jp. admin.abc.co.jp. (
                                2010110803 ; serial
                                7200       ; refresh (2 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                60         ; minimum (1 minute)
                                )
abc.co.jp.              19 IN RRSIG SOA 5 3 60 20101208020347 (
                                20101108020347 27501 abc.co.jp.
                                XXT4WnKDNd42vy5iX14LuxEMw2G+VF59Yk/IzOP7lFtT
                                QS14pthnz90MFd//KrZSrB0up8G8r4rj9OvTBdetySaI
                                bXgSR6TSyZ67KIK/eAfgWikyjeRARWb2bGIOouTqx7BV
                                GdHija9M+0LQatPPsWRDh5VuOTWNTP6TiElQ6Jo= )

Also checked with the unbound-host command, just in case: secure
root@ubuntu-4:~# unbound-host -r -v -F dnskey_root.txt -t soa abc.co.jp
abc.co.jp has SOA record root.abc.co.jp. admin.abc.co.jp. 2010110803 7200 3600 604800 60 (secure)
Oh, it's rolling over..
phase 1 : wait for old zone data to expire from caches
root@ubuntu-3:~# egrep -i "phase 1" abc.co.jp_rollover
Nov 8 03:01:36 2010: abc.co.jp: KSK phase 1
Nov 8 03:02:41 2010: abc.co.jp: KSK phase 1 (Waiting for the old zone data to expire from caches); cache expires in 55 seconds
phase 2 : generate a new (published) KSK
Nov 8 03:03:46 2010: abc.co.jp: KSK phase 2
Nov 8 03:03:46 2010: abc.co.jp: executing "/usr/bin/zonesigner -newpubksk abc.co.jp abc.co.jp.signed"
-newpubksk
Generate new Published KSKs for the zone. Any existing Published
KSKs will be marked as obsolete.
phase 3 : wait for the old DNSKEY RRset to expire from caches
Nov 8 03:03:47 2010: abc.co.jp: KSK phase 3
Nov 8 03:03:47 2010: abc.co.jp: KSK phase 3 (Waiting for cache or holddown timer expiration); cache expires in 2 minutes, 0 seconds
Nov 8 03:04:52 2010: abc.co.jp: KSK phase 3 (Waiting for cache or holddown timer expiration); cache expires in 55 seconds
Nov 8 03:04:57 2010:
Nov 8 03:04:57 2010:
phase 4 : roll the KSKs
Nov 8 03:06:02 2010: abc.co.jp: KSK phase 4
Nov 8 03:06:02 2010: abc.co.jp: executing "/usr/bin/zonesigner -rollksk abc.co.jp abc.co.jp.signed"
-rollksk
Force a rollover of the KSK keys. The Current KSK keys are marked
as Obsolete and the Published KSK keys are marked as Current. The
zone is then signed with the new set of Current KSK keys. If the
zone's keyrec does not list a Current or Published KSK, an error
message is printed and zonesigner stops execution.
The zone's keyrec file is updated to show the new key state.
The keyrecs of the KSK keys are adjusted as follows:
The Current KSK keys are marked as Obsolete.
The Published KSK keys are marked as Current.
The obsolete KSK keys are moved to the archive directory.
phase 5 : transfer new keyset to the parent
Nov 8 03:06:02 2010: abc.co.jp: KSK phase 5
Nov 8 03:06:03 2010: abc.co.jp: KSK phase 5: admin notified to transfer keyset

The notification is sent by email, but I hadn't set up a mail server, so I couldn't check what it contained..
It goes to the address given when the rollrec file was created ( admin@abc.co.jp )
root@ubuntu-3:/var/cache/bind# rollinit abc.co.jp -zonefile /var/cache/bind/abc.co.jp.signed -keyrec /var/cache/bind/abc.co.jp.krf -admin admin@abc.co.jp > abc.co.jp.rollrec
phase 6 : wait for parent to publish the new DS record
Nov 8 03:06:03 2010: abc.co.jp: KSK phase 6
Nov 8 03:06:03 2010: abc.co.jp: KSK phase 6: waiting for parental publication of DS record
Nov 8 03:07:08 2010: abc.co.jp: KSK phase 6: waiting for parental publication of DS record
Nov 8 03:08:13 2010: abc.co.jp: KSK phase 6: waiting for parental publication of DS record
Nov 8 03:09:18 2010: abc.co.jp: KSK phase 6: waiting for parental publication of DS record
Nov 8 03:10:23 2010: abc.co.jp: KSK phase 6: waiting for parental publication of DS record
Nov 8 03:11:28 2010: abc.co.jp: KSK phase 6: waiting for parental publication of DS record

Register the new DS record at the parent NS ( internal jp : ubuntu-2 )
Register the DS on internal jp and re-sign
root@ubuntu-2: zonesigner -zone jp jp_zone_internal.db
root@ubuntu-2: rndc reload jp

before
root@ubuntu-2:/var/cache/bind# dig @127.1 abc.co.jp ds | grep -i ds
; <<>> DiG 9.7.0-P1 <<>> @127.1 abc.co.jp ds
;abc.co.jp.                     IN      DS
abc.co.jp.              3600    IN      DS      16627 5 1 8DA6CDF36AA2E1B025CFE38A8922C7034EB9FD41
abc.co.jp.              3600    IN      DS      16627 5 2 0EC1CEC7A6D657D46E392F1EA47B50D9DCD9549021082492B02638E3 63F66C8C

after
root@ubuntu-2:/var/cache/bind# dig @127.1 abc.co.jp ds | grep -i ds
; <<>> DiG 9.7.0-P1 <<>> @127.1 abc.co.jp ds
;abc.co.jp.                     IN      DS
abc.co.jp.              3600    IN      DS      30247 5 1 2EEF5DF6AA6235E1CE8692191A20B361C956A192
abc.co.jp.              3600    IN      DS      30247 5 2 ADD74370A3332CFF1F7CEFB839901140271C4CB4E58056C8D43F85F9 D13F2632
phase 7 : reload the zone
Phase 6 is done, so on to phase 7.
root@ubuntu-3:/var/cache/bind# rollctl -zonestatus
abc.co.jp       roll    KSK  6: Waiting for the parent to publish the new DS record

I want to use rollctl to tell rollerd that the DS has been published at the parent NS, but... how do I do that..
In step 6, after the
parent has published a new DS record, the administrator uses rollctl to
inform rollerd that the DS record has been published and rollover may
continue.
This one, probably.
-dspub zone
Indicates that zone's parent has published a new DS record for
zone.
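Before telling rollerd that the parent has published (rollctl -dspub), it is worth confirming that the DS the parent now serves really is the digest of the child's new KSK, rather than judging by the key tag alone as the post does. The script below is an added example, not part of the post or of dnssec-tools: it recomputes the DS from a DNSKEY record as RFC 4034 section 5.1.4 defines it (digest over the canonical owner name followed by the DNSKEY RDATA) and checks whether the parent's DS set contains it. The DNSKEY in it is a constructed dummy with a two-byte key, so its key tag (1288) can be checked by hand; the DS lines are copied from the post's parent output and must not match.

```python
"""Check that the DS the parent serves matches the child's KSK (RFC 4034 section 5.1.4).

Added example for this post; it is not part of dnssec-tools. Only the standard
library is used, so it runs offline: the DNSKEY below is constructed and the DS
lines are copied from the post, nothing is fetched from DNS.
"""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def owner_to_wire(owner):
    """Canonical wire-format owner name: lower-cased labels, length-prefixed, root terminator."""
    name = owner.lower().rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_dnskey(rr):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...' (parentheses tolerated).
    Returns (owner, flags, proto, alg, pubkey_bytes)."""
    tokens = rr.replace("(", " ").replace(")", " ").split()
    i = tokens.index("DNSKEY")
    flags, proto, alg = int(tokens[i + 1]), int(tokens[i + 2]), int(tokens[i + 3])
    pubkey = base64.b64decode("".join(tokens[i + 4:]))
    return tokens[0], flags, proto, alg, pubkey


def dnskey_rdata(flags, proto, alg, pubkey):
    """DNSKEY RDATA in wire format: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(rr, digest_type):
    """Return (key_tag, algorithm, digest_type, DIGEST_HEX): the DS the parent should publish.
    digest = hash(canonical owner name || DNSKEY RDATA)."""
    owner, flags, proto, alg, pubkey = parse_dnskey(rr)
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    digest = DIGEST_ALGS[digest_type](owner_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), alg, digest_type, digest


def parse_ds(rr):
    """Parse 'owner [ttl] [IN] DS tag alg dtype digest...'; dig may split the digest with spaces."""
    tokens = rr.replace("(", " ").replace(")", " ").split()
    i = tokens.index("DS")
    return int(tokens[i + 1]), int(tokens[i + 2]), int(tokens[i + 3]), "".join(tokens[i + 4:]).upper()


def parent_publishes_ksk(parent_ds_rrs, child_dnskey_rr):
    """True when at least one DS served by the parent is the digest of this KSK."""
    published = {parse_ds(rr) for rr in parent_ds_rrs}
    return any(ds_from_dnskey(child_dnskey_rr, dt) in published for dt in DIGEST_ALGS)


# Constructed sample KSK: flags 257 (SEP), protocol 3, algorithm 5 (RSASHA1, as in the post),
# with a two-byte dummy key so the key tag (1288) can be checked by hand. Not a real key.
SAMPLE_KSK = "abc.co.jp. 60 IN DNSKEY 257 3 5 AQI="

# DS set the post's parent served before the rollover (key tag 16627): it must NOT match.
OLD_PARENT_DS = [
    "abc.co.jp. 3600 IN DS 16627 5 1 8DA6CDF36AA2E1B025CFE38A8922C7034EB9FD41",
    "abc.co.jp. 3600 IN DS 16627 5 2 0EC1CEC7A6D657D46E392F1EA47B50D9DCD9549021082492B02638E3 63F66C8C",
]

if __name__ == "__main__":
    for dt in DIGEST_ALGS:
        print("expected DS:", "%d %d %d %s" % ds_from_dnskey(SAMPLE_KSK, dt))
    print("old parent DS set matches sample KSK:", parent_publishes_ksk(OLD_PARENT_DS, SAMPLE_KSK))
    # A parent that has published the SHA-256 DS of the sample key: safe to run rollctl -dspub.
    new_parent_ds = ["abc.co.jp. 3600 IN DS %d %d %d %s" % ds_from_dnskey(SAMPLE_KSK, 2)]
    print("new parent DS set matches sample KSK:", parent_publishes_ksk(new_parent_ds, SAMPLE_KSK))
```

In practice the DNSKEY line comes from `dig @ns.abc.co.jp abc.co.jp DNSKEY` on the child and the DS lines from `dig @<parent> abc.co.jp DS`; only when the function returns True for the KSK that zonesigner now reports as current should phase 6 be ended with rollctl -dspub.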
root@ubuntu-3:/var/cache/bind# rollctl -zonestatus               ← now in phase 6
abc.co.jp       roll    KSK  6: Waiting for the parent to publish the new DS record
root@ubuntu-3:/var/cache/bind# rollctl -dspub abc.co.jp          ← phase 6 to phase 7
rollerd informed that parent has published DS record for zone abc.co.jp
root@ubuntu-3:/var/cache/bind# rollctl -zonestatus               ← now in phase 7
abc.co.jp       roll    KSK  7: Reloading the zone

rollerd's log. Now in phase 7.
Nov 8 04:47:47 2010:
Nov 8 04:47:54 2010: abc.co.jp: KSK phase 7
Nov 8 04:47:58 2010:
Nov 8 04:47:58 2010:
Nov 8 04:48:17 2010: abc.co.jp: KSK phase 7: unable to archive KSK keys, rc - 0
Nov 8 04:48:17 2010: abc.co.jp: KSK phase 0
Nov 8 04:48:17 2010: abc.co.jp: KSK expiration in 10 minutes, 0 seconds

After running rollctl -dspub abc.co.jp, named was reloaded
Nov 8 04:48:17 ubuntu-3 named[1135]: reloading configuration succeeded
Nov 8 04:48:17 ubuntu-3 named[1135]: reloading zones succeeded
Done
root@ubuntu-3:/var/cache/bind# rollctl -zonestatus
abc.co.jp       roll    ZSK  0: Not Rolling

root@ubuntu-4:~# unbound-host -r -v -F dnskey_root.txt -t soa abc.co.jp
abc.co.jp has SOA record root.abc.co.jp. admin.abc.co.jp. 2010110804 7200 3600 604800 60 (secure)

Using rollerd, I was able to confirm both ZSK and KSK rollover.
A handy tool.
The TTL of the DS record registered at the parent ( jp ) was 3600 seconds, while I had set the TTL of abc.co.jp to 60 seconds,
so after the reload in phase 7 the old DS stayed cached in the caching server,
and validation failed until that cache expired. I need to take TTLs into account...
The TTL of the DS registered on internal jp is 600 seconds
root@ubuntu-2:/var/cache/bind# dig @127.1 abc.co.jp ds | grep -i ds
; <<>> DiG 9.7.0-P1 <<>> @127.1 abc.co.jp ds
;abc.co.jp.                     IN      DS
abc.co.jp.              3600    IN      DS      36592 5 1 2264E553D4AB390EA0807C846BADA1F46A8587A0
abc.co.jp.              3600    IN      DS      36592 5 2 6D6213F16B82FBF566F3A057A9E5371812B5CB3DA5D9242902FBB28E 97A145A8

The TTL of every RR in abc.co.jp is 60 seconds.
root@ubuntu-3:/var/cache/bind# dig @127.1 abc.co.jp any +norec
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.7.0-P1 <<>> @127.1 abc.co.jp any +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38278
;; flags: qr aa ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;abc.co.jp.                     IN      ANY

;; ANSWER SECTION:
abc.co.jp.              60      IN      SOA     root.abc.co.jp. admin.abc.co.jp. 2010110806 7200 3600 604800 60
abc.co.jp.              60      IN      RRSIG   SOA 5 3 60 20101208040342 20101108040342 27501 abc.co.jp. k3Iy8kQbFg4ozSzzxqQZaVOIyqb9Egy742pZxCO6he5MwexRNQ+mlVuN EdW3yRZZVY0KnGUaFVC83mBDk8op1HKofNySF1Y+wn8ttGYPBfuEHlcP gJlCnki1GJaWk2yheVmLeTeFm871JwF/SgZs+5rmQyJbJ3LJ+iE3sCZG OKM=
abc.co.jp.              60      IN      NS      ns.abc.co.jp.
abc.co.jp.              60      IN      RRSIG   NS 5 3 60 20101208040342 20101108040342 27501 abc.co.jp. hJa5lyybDUeS2Vdmyh55w/cBrsX1RolkmV6Nr4h0Jknefb4DRgokB9MV 7KCx6OBIEGzTV+aHDbK/oyrTZtem71juW0kXaCGDaVXzjvJM4IF6k9kb 4zfwomxxT5Ejydzt5GtpVLbsu9fBQEBoVg1dAcHaUagJr1cqFoRNCmjG nOM=
After phase 7, queries returned SERVFAIL until the old DS in the caching server expired ( until the new DS was cached ).
Since I set
  the TTL of the DS on internal jp to 600 seconds, and
  the TTL of all RRs in abc.co.jp to 60 seconds,
the abc.co.jp RRs expire before the old DS does..
i.e. DNSSEC validation is done with the old DS, so validation fails (ServFail) until the old DS expires.
abc.co.jp ( ubuntu-3 )
root@ubuntu-3:/var/cache/bind# rollctl -dspub abc.co.jp
rollerd informed that parent has published DS record for zone abc.co.jp
root@ubuntu-3:/var/cache/bind# rollctl -zonestatus
abc.co.jp       roll    KSK  7: Reloading the zone

DS record on internal jp ( ubuntu-2 )
root@ubuntu-2:/var/cache/bind# dig @127.1 abc.co.jp ds +norec

; <<>> DiG 9.7.0-P1 <<>> @127.1 abc.co.jp ds +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29609
;; flags: qr aa ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;abc.co.jp.                     IN      DS

;; ANSWER SECTION:
abc.co.jp.              3600    IN      DS      49729 5 2 484895DA912FBD60CCE0ACD8DDD25888B38BFE584667E4B0EC1539C1 0A0E0EB8
abc.co.jp.              3600    IN      DS      49729 5 1 C223A47543911F7F91D4D5740916B3F01ACE5E40

DS record cached on the caching server ( ubuntu-4 )
root@ubuntu-4:~# rndc dumpdb

The old DS is still cached.
; secure
abc.co.jp.              3052    DS      36592 5 1 (
                                2264E553D4AB390EA0807C846BADA1F46A85
                                87A0 )
                        3052    DS      36592 5 2 (
                                6D6213F16B82FBF566F3A057A9E5371812B5
                                CB3DA5D9242902FBB28E97A145A8 )

Running dig, validation fails.
root@ubuntu-4:~# dig @127.1 www.abc.co.jp +dnssec +multiline

; <<>> DiG 9.7.0-P1 <<>> @127.1 www.abc.co.jp +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19203
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.abc.co.jp.         IN A

root@ubuntu-4:~# egrep failure /var/cache/bind/dnssec.log
08-Nov-2010 05:29:03.081 debug 3: validating @0xb7dbbed8: www.abc.co.jp A: fetch_callback_validator: got failure

After clearing the cache, it succeeds.
root@ubuntu-4:~# rndc flush

root@ubuntu-4:~# dig @127.1 www.abc.co.jp +dnssec +multiline

; <<>> DiG 9.7.0-P1 <<>> @127.1 www.abc.co.jp +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20971
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.abc.co.jp.         IN A

;; ANSWER SECTION:
www.abc.co.jp.          60 IN A 192.0.2.2
www.abc.co.jp.          60 IN RRSIG A 5 4 60 20101208042244 (
                                20101108042244 27501 abc.co.jp.
                                llelbBYFPrZ3yWXCV8KfmhXSeAc3pq2U1t1rAJDpTukp
                                DfVKhXg0y+CHQhHLS5GO88dOflye7gOIuka5loqTWQLh
                                3eTpmRykjXa4sh4I0USuu+niJLpUO1he2Eajldw2+XNi
                                wEI4yoYhdzskisHcLpJ2fsF0fPQkNF+eBmQnY0g= )

;; AUTHORITY SECTION:
abc.co.jp.              60 IN NS ns.abc.co.jp.
abc.co.jp.              60 IN RRSIG NS 5 3 60 20101208042244 (
                                20101108042244 27501 abc.co.jp.
                                Kj87qZFpnKY6f7rWE8k6datJqwTw7qxiuppRpP2XsP7h
                                STxCLHKP9RqXcXItIOgnlCsn1X1sk/T2Wccn+sb+yYTa
                                +7nuioAA69yIXhMrbCwXTQdIZC16kwpcK3FJXqldApLt
                                nVb1TmYDlrAsw/fhdybbRCVJXBIeEe2HjW80d1s= )

;; ADDITIONAL SECTION:
ns.abc.co.jp.           60 IN A 192.168.11.132
ns.abc.co.jp.           60 IN RRSIG A 5 4 60 20101208042244 (
                                20101108042244 27501 abc.co.jp.
                                lCltwxoA1wb6kFLGmUvy8aXtS/uhrfjQWJgGMMZ0fhLM
                                NFmPgJt9Bz5jDXxC3tg3z8MV8bJTIyGVncSGA8saxeSz
                                Qn36YJi0l356HQKeQ6cwcRvqgj0F/w9EnhISuJ05ZzZj
                                1e05fEU1TN1ze22Yav3MyWC60xGtLEF9B5dgaAo= )

root@ubuntu-4:~# egrep secure /var/cache/bind/dnssec.log
08-Nov-2010 05:30:53.594 debug 3: validating @0xb7e9dfb8: . DNSKEY: signed by trusted key; marking as secure
08-Nov-2010 05:30:53.595 debug 3: validating @0xb7e95458: . NS: marking as secure, noqname proof not needed
08-Nov-2010 05:30:53.606 debug 3: validating @0xb7ea1048: jp DS: marking as secure, noqname proof not needed
08-Nov-2010 05:30:53.607 debug 3: validating @0xb7e97950: jp DNSKEY: marking as secure (DS)
08-Nov-2010 05:30:53.608 debug 3: validating @0xb7e96ed8: abc.co.jp DS: marking as secure, noqname proof not needed
08-Nov-2010 05:30:53.609 debug 3: validating @0xb7ce53e0: abc.co.jp DNSKEY: marking as secure (DS)
08-Nov-2010 05:30:53.610 debug 3: validating @0xb7e95458: www.abc.co.jp A: marking as secure, noqname proof not needed
By the way, leaving the old DS on internal jp as well doesn't help either.
The new abc.co.jp RRs are signed with the new KSK, so keeping the old DS on internal jp doesn't help.
Old DS
root@ubuntu-2:/var/cache/bind# cat dsset-abc.co.jp.
abc.co.jp.              IN DS 49729 5 1 C223A47543911F7F91D4D5740916B3F01ACE5E40
abc.co.jp.              IN DS 49729 5 2 484895DA912FBD60CCE0ACD8DDD25888B38BFE584667E4B0EC1539C1 0A0E0EB8

New DS
root@ubuntu-2:/var/cache/bind# cat /root/dsset-abc.co.jp.
abc.co.jp.              IN DS 19426 5 1 E8C74C18A340A8445671861806F6DF590AC6C372
abc.co.jp.              IN DS 19426 5 2 75CCFB6523DD6D3522DBE6754915475E53B99E4823CF07E57A243B1F 86B4E8CE

Register both the old DS + the new DS. Then sign.
root@ubuntu-2:/var/cache/bind# cat jp_zone_internal.db
abc.co.jp.      600     NS      ns.abc.co.jp.
ns.abc.co.jp.   600     IN      A       192.168.11.132
abc.co.jp.      IN DS 49729 5 1 C223A47543911F7F91D4D5740916B3F01ACE5E40
abc.co.jp.      IN DS 49729 5 2 484895DA912FBD60CCE0ACD8DDD25888B38BFE584667E4B0EC1539C1 0A0E0EB8
abc.co.jp.      IN DS 19426 5 1 E8C74C18A340A8445671861806F6DF590AC6C372
abc.co.jp.      IN DS 19426 5 2 75CCFB6523DD6D3522DBE6754915475E53B99E4823CF07E57A243B1F 86B4E8CE

root@ubuntu-2:/var/cache/bind# zonesigner -zone jp jp_zone_internal.db

root@ubuntu-2:/var/cache/bind# rndc reload jp

Old DS : 49729
New DS : 19426
root@ubuntu-2:/var/cache/bind# dig @127.1 abc.co.jp ds +norec

; <<>> DiG 9.7.0-P1 <<>> @127.1 abc.co.jp ds +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36253
;; flags: qr aa ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;abc.co.jp.                     IN      DS

;; ANSWER SECTION:
abc.co.jp.              3600    IN      DS      19426 5 1 E8C74C18A340A8445671861806F6DF590AC6C372
abc.co.jp.              3600    IN      DS      19426 5 2 75CCFB6523DD6D3522DBE6754915475E53B99E4823CF07E57A243B1F 86B4E8CE
abc.co.jp.              3600    IN      DS      49729 5 1 C223A47543911F7F91D4D5740916B3F01ACE5E40
abc.co.jp.              3600    IN      DS      49729 5 2 484895DA912FBD60CCE0ACD8DDD25888B38BFE584667E4B0EC1539C1 0A0E0EB8
abc.co.jp ( ubuntu-3 ). From phase 6 to phase 7
root@ubuntu-3:/var/cache/bind# rollctl -zonestatus
abc.co.jp       roll    KSK  6: Waiting for the parent to publish the new DS record
root@ubuntu-3:/var/cache/bind# rollctl -dspub abc.co.jp
rollerd informed that parent has published DS record for zone abc.co.jp
root@ubuntu-3:/var/cache/bind# rollctl -zonestatus
abc.co.jp       roll    KSK  7: Reloading the zone

Caching server ( ubuntu-4 )
root@ubuntu-4:~# rndc dumpdb

The old DS is cached
; secure
abc.co.jp.              2936    DS      49729 5 1 (
                                C223A47543911F7F91D4D5740916B3F01ACE
                                5E40 )
                        2936    DS      49729 5 2 (
                                484895DA912FBD60CCE0ACD8DDD25888B38B
                                FE584667E4B0EC1539C10A0E0EB8 )

NG
root@ubuntu-4:~# dig @127.1 abc.co.jp soa +dnssec +multiline

; <<>> DiG 9.7.0-P1 <<>> @127.1 abc.co.jp soa +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1484
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;abc.co.jp.             IN SOA

Clearing the cache loads the new DS, so it's OK
root@ubuntu-4:~# rndc flush

root@ubuntu-4:~# dig @127.1 abc.co.jp soa +dnssec +multiline

; <<>> DiG 9.7.0-P1 <<>> @127.1 abc.co.jp soa +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18606
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;abc.co.jp.             IN SOA

;; ANSWER SECTION:
abc.co.jp.              60 IN SOA root.abc.co.jp. admin.abc.co.jp. (
                                2010110810 ; serial
                                7200       ; refresh (2 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                60         ; minimum (1 minute)
                                )
abc.co.jp.              60 IN RRSIG SOA 5 3 60 20101208044337 (
                                20101108044337 27501 abc.co.jp.
                                DvZcYBeP05/0ZfoBR5Ws66Oh9Eea+pN3itWX4DnZ4/Td
                                jHHPtsDRJCi5kLeyURUYSpX+2OFNk3/qqT6x3qMV+RnS
                                PfwdUsSmKpeSVgN6ct6oTIMDkiXnxspF16lZvu6TxIPO
                                l+bA4j4G0w+j4KSLEiaw8A8KSqI6x3S03FKq+8g= )

;; AUTHORITY SECTION:
abc.co.jp.              60 IN NS ns.abc.co.jp.
abc.co.jp.              60 IN RRSIG NS 5 3 60 20101208044337 (
                                20101108044337 27501 abc.co.jp.
                                fPpSE4QswocnALXIGQE6tqHb9VcbmEWPwkr98pOsXjc0
                                myPyEMOjoNl04Ushp46UJijpADR7Vz4A+vrAC4rXMdr+
                                N/HU+P6jQai2paRtNDBXTkFR0S3lAbOL7f13e+eoPKvV
                                AF83XXKdl4sHdoARW6yuBeF04CexlC4vuy88inw= )

;; ADDITIONAL SECTION:
ns.abc.co.jp.           60 IN A 192.168.11.132
ns.abc.co.jp.           60 IN RRSIG A 5 4 60 20101208044337 (
                                20101108044337 27501 abc.co.jp.
                                cefSIOzjmGpc1jMcl5dgTM/YiIfAOVAD31BVfyKvXi+A
                                w83FcPRILOJvV6+8ivWbEjqbnJioylAETgdp/cwIuZML
                                mfZjw2AzzeMxXKRJN5QeZtX1MG7U3p1aAvUf2NvFdhHd
                                DXXJnz+rliqDgIwmNJ5FnXD6yUma+ctjdEhlVms= )

Cache dump
; secure
abc.co.jp.              3533    DS      19426 5 1 (
                                E8C74C18A340A8445671861806F6DF590AC6
                                C372 )
                        3533    DS      19426 5 2 (
                                75CCFB6523DD6D3522DBE6754915475E53B9
                                9E4823CF07E57A243B1F86B4E8CE )
                        3533    DS      49729 5 1 (
                                C223A47543911F7F91D4D5740916B3F01ACE
                                5E40 )
                        3533    DS      49729 5 2 (
                                484895DA912FBD60CCE0ACD8DDD25888B38B
                                FE584667E4B0EC1539C10A0E0EB8 )

named log
root@ubuntu-4:~# egrep secure /var/cache/bind/dnssec.log
08-Nov-2010 05:55:54.565 debug 3: validating @0xb7e967d0: . DNSKEY: signed by trusted key; marking as secure
08-Nov-2010 05:55:54.565 debug 3: validating @0xb7e9df90: . NS: marking as secure, noqname proof not needed
08-Nov-2010 05:55:54.574 debug 3: validating @0xb7ea0f00: jp DS: marking as secure, noqname proof not needed
08-Nov-2010 05:55:54.576 debug 3: validating @0xb7ea0488: jp DNSKEY: marking as secure (DS)
08-Nov-2010 05:55:54.576 debug 3: validating @0xb7e9fa10: abc.co.jp DS: marking as secure, noqname proof not needed
08-Nov-2010 05:55:54.578 debug 3: validating @0xb7ce53e0: abc.co.jp DNSKEY: marking as secure (DS)
08-Nov-2010 05:55:54.579 debug 3: validating @0xb7e9df90: abc.co.jp SOA: marking as secure, noqname proof not needed
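The two failure cases above (the old DS alone cached after the parent switched, and the old DS alone cached even though the parent now serves both DS sets) have the same mechanism: the resolver validates the child's DNSKEY RRset only through a DS it holds in cache, and after phase 4 that RRset is signed solely by the new KSK. The script below is an added example, not part of the post, dnssec-tools or BIND: it parses DS lines from rndc dumpdb or dig output into key tag and remaining TTL, predicts whether the resolver will SERVFAIL and for how long, and computes the minimum time the old KSK should stay published after the parent switches its DS (the parent's DS TTL plus any propagation delay, the rule RFC 6781 gives for double-signature KSK rollover). The sample lines are copied from the post's own cache dump and parent dig output; the assumption that only the new KSK signs the DNSKEY RRset is the behaviour zonesigner -rollksk describes above.

```python
"""Predict a validating resolver's SERVFAIL window after a KSK rollover from the
DS RRset it still holds in cache.

Added example for this post, not part of dnssec-tools or BIND. It works on
pasted cache-dump / dig text, so it runs offline; the sample lines below are
copied from the post.
"""


def _is_int(tok):
    return tok.isdigit()


def parse_cached_ds(text):
    """Map key_tag -> remaining TTL for every DS line in rndc dumpdb or dig output.
    Accepts 'owner TTL DS ...', 'owner TTL IN DS ...' and dumpdb continuation lines
    that begin with the TTL. Lines starting with ';' (comments, question section) are skipped."""
    cached = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith(";") or "DS" not in tokens:
            continue
        i = tokens.index("DS")
        ttl_tok = None
        if i >= 1 and _is_int(tokens[i - 1]):
            ttl_tok = tokens[i - 1]                      # 'TTL DS' (dumpdb)
        elif i >= 2 and tokens[i - 1] == "IN" and _is_int(tokens[i - 2]):
            ttl_tok = tokens[i - 2]                      # 'TTL IN DS' (dig)
        if ttl_tok is None or i + 1 >= len(tokens) or not _is_int(tokens[i + 1]):
            continue
        cached[int(tokens[i + 1])] = int(ttl_tok)
    return cached


def validation_outlook(child_ksk_tags, cached_ds):
    """Return (ok, seconds_until_recovery).
    The resolver can validate the child's DNSKEY RRset only through a cached DS whose
    key tag belongs to a KSK that currently signs that RRset. An empty cache is fine:
    the resolver will fetch the parent's current DS set on the next query."""
    if not cached_ds or any(tag in child_ksk_tags for tag in cached_ds):
        return True, 0
    # The DS RRset was cached as a whole, so it is replaced only when its TTL runs out.
    return False, max(cached_ds.values())


def min_hold_before_retiring_old_ksk(parent_ds_ttl, propagation_delay=0):
    """Seconds the old KSK (and its DNSKEY) must stay published after the parent
    switched to the new DS, so that every resolver still holding the old DS has
    expired it. propagation_delay covers the parent's own secondary/cache delays."""
    return parent_ds_ttl + propagation_delay


# Copied from the post's rndc dumpdb output: only the old DS (key tag 49729) is cached,
# while the zone is already signed with the new KSK 19426.
CACHE_DUMP_OLD_DS = """\
; secure
abc.co.jp.              2936    DS      49729 5 1 (
                                C223A47543911F7F91D4D5740916B3F01ACE
                                5E40 )
                        2936    DS      49729 5 2 (
                                484895DA912FBD60CCE0ACD8DDD25888B38B
                                FE584667E4B0EC1539C10A0E0EB8 )
"""

# Copied from the post's dig against the parent (ubuntu-2), which serves both DS sets.
PARENT_DIG_BOTH_DS = """\
;abc.co.jp.                     IN      DS
abc.co.jp.              3600    IN      DS      19426 5 1 E8C74C18A340A8445671861806F6DF590AC6C372
abc.co.jp.              3600    IN      DS      49729 5 1 C223A47543911F7F91D4D5740916B3F01ACE5E40
"""

if __name__ == "__main__":
    stale = parse_cached_ds(CACHE_DUMP_OLD_DS)
    print("cached DS:", stale, "->", validation_outlook({19426}, stale))       # (False, 2936)
    fresh = parse_cached_ds(PARENT_DIG_BOTH_DS)
    print("after flush:", fresh, "->", validation_outlook({19426}, fresh))     # (True, 0)
    # The post used a 600 s KSK life against a parent DS TTL of 3600 s.
    print("keep the old KSK at least", min_hold_before_retiring_old_ksk(3600), "s after the DS switch")
```

The second number is what the post observed by hand: with 2936 seconds left on the cached old DS set, every query under abc.co.jp fails until that TTL runs out (or the cache is flushed), regardless of what the parent serves in the meantime. Keeping the old KSK in the DNSKEY RRset for at least the parent's DS TTL after the switch is what avoids the window.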