lost and found ( for me ? )

Unbound : End-to-End DNSSEC w/ Firefox

Firefox has a DNSSEC validation plugin, so I tried it out.

- Preparing unbound

This assumes the ITAR trust anchors are already set up.

root@arizona:/etc/unbound# unbound -v
[1275843653] unbound[1701:0] notice: Start of unbound 1.4.1.

root@arizona:/etc/unbound# egrep "trust-anchor-file" unbound.conf | grep -v "#"
         trust-anchor-file: "/etc/unbound/anchors.mf"

- Check that DNSSEC queries can be resolved

If the ad bit is set in the flags, it is OK.

root@arizona:/etc/unbound# dig @127.1 www.isc.org +dnssec +multiline

; <<>> DiG 9.7.0-P1 <<>> @127.1 www.isc.org +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1402
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.isc.org.           IN A

;; ANSWER SECTION:
www.isc.org.            240 IN A 149.20.64.42
www.isc.org.            240 IN RRSIG A 5 3 600 2010070523333


If you dig an FQDN that does not support DNSSEC, the ad bit is not set.

root@arizona:/etc/unbound# dig @127.1 www.google.com +dnssec +multiline

; <<>> DiG 9.7.0-P1 <<>> @127.1 www.google.com +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22658
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.google.com.                IN A


You can also check with unbound-host -C <config file> FQDN -v.

root@arizona:/etc/unbound# unbound-host -C unbound.conf www.isc.org -v
[1275844036] libunbound[1821:0] notice: init module 0: validator
[1275844036] libunbound[1821:0] notice: init module 1: iterator
www.isc.org has address 149.20.64.42 (secure)
www.isc.org has IPv6 address 2001:4f8:0:2::d (secure)
www.isc.org has no mail handler record (secure)
root@arizona:/etc/unbound#

root@arizona:/etc/unbound# unbound-host -C unbound.conf www.google.com -v
[1275844044] libunbound[1860:0] notice: init module 0: validator
[1275844044] libunbound[1860:0] notice: init module 1: iterator
www.google.com is an alias for www.l.google.com. (insecure)
www.l.google.com has address 66.249.89.104 (insecure)
www.l.google.com has address 66.249.89.99 (insecure)
www.l.google.com has no IPv6 address (insecure)
www.l.google.com has no mail handler record (insecure)

- Add the DNSSEC validation add-on to Firefox 3.6.3

Downloading the add-on

https://addons.mozilla.org/en-US/firefox/addon/64247/

Usage

http://www.dnssec-validator.cz/

From Firefox -> Tools -> Add-ons, specify the IP address of a DNSSEC-capable caching server (unbound in this case).

Access www.isc.org, which can be resolved with DNSSEC.

An icon appears in the URL bar showing whether DNSSEC validation succeeded.

If it is red, the domain is DNSSEC-enabled but either the IP address has changed or the DNSSEC signature is broken.

root@arizona:~# unbound-host -C /etc/unbound/unbound.conf www.rhybar.cz -v
[1275845463] libunbound[4671:0] notice: init module 0: validator
[1275845463] libunbound[4671:0] notice: init module 1: iterator
www.rhybar.cz has address 217.31.205.50 (BOGUS (security failure))
validation failure : signature crypto failed from 194.0.13.1 for key rhybar.cz. while building chain of trust
www.rhybar.cz has IPv6 address 2001:1488:0:3::2 (BOGUS (security failure))
validation failure : signature crypto failed from 194.0.13.1 for key rhybar.cz. while building chain of trust
www.rhybar.cz has no mail handler record (BOGUS (security failure))
validation failure : signature crypto failed from 194.0.12.1 for key rhybar.cz. while building chain of trust

Capture between Firefox and the caching server

It queries with the DO bit enabled.

    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        www.rhybar.cz: type A, class IN
            Name: www.rhybar.cz
            Type: A (Host address)
            Class: IN (0x0001)
    Additional records
        : type OPT
            Name:
            Type: OPT (EDNS0 option)
            UDP payload size: 4096
            Higher bits in extended RCODE: 0x0
            EDNS0 version: 0
            Z: 0x8000
                Bit 0 (DO bit): 1 (Accepts DNSSEC security RRs)
                Bits 1-15: 0x0 (reserved)
            Data length: 0
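As an added example (not from the original post), the following Python builds the same kind of query the capture above shows, an A query with an EDNS0 OPT record and the DO bit set, and decodes the header flags that dig prints (qr rd ra ad) together with the DO bit from a reply; the reply it parses is a constructed stand-in shaped like the www.isc.org answer, not captured traffic.

```python
import struct

# Constructed example for this post: build the A query Firefox's validator sends to
# unbound (EDNS0 OPT with DO set) and decode the header flags plus DO from a reply.

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_dnssec_query(qname, qid=0x1402, udp_size=4096):
    # Header: id, flags (only RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size (4096),
    # TTL field = ext-RCODE(8) | EDNS version(8) | Z(16); DO is the top bit of Z
    msg += b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x8000, 0)
    return msg

def build_sample_response(qid=0x1402, ad=True):
    # Constructed reply shaped like the www.isc.org answer: qr rd ra (+ad), one A RR, OPT
    flags = 0x8180 | (0x0020 if ad else 0)
    msg = struct.pack("!HHHHHH", qid, flags, 1, 1, 0, 1)
    msg += encode_name("www.isc.org") + struct.pack("!HH", 1, 1)
    msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 240, 4) + bytes([149, 20, 64, 42])
    msg += b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000, 0)
    return msg

def skip_name(msg, pos):
    while True:
        n = msg[pos]
        if n == 0:
            return pos + 1
        if n & 0xC0 == 0xC0:  # a compression pointer is the last 2 bytes of a name
            return pos + 2
        pos += 1 + n

def parse_flags(msg):
    """Return (flags string as dig prints it, whether an OPT RR carries DO)."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    bits = ((0x8000, "qr"), (0x0100, "rd"), (0x0080, "ra"), (0x0020, "ad"))
    names = " ".join(n for bit, n in bits if flags & bit)
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4  # name, then QTYPE + QCLASS
    do = False
    for _ in range(an + ns + ar):
        pos = skip_name(msg, pos)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        do = do or (rtype == 41 and bool(ttl & 0x8000))
        pos += 10 + rdlen
    return names, do
```

The ad bit is only meaningful when the reply comes from a validator you trust over a path you trust, as with the local unbound on 127.1 here; a stub that trusts an arbitrary upstream's ad bit gains nothing.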
