1. DNSSEC/unbound
Unbound DNS Tutorial https://calomel.org/unbound_dns.html
Check the DNSSEC implementation.
2. anchor
http://unbound.jp/unbound/howto_anchor/
3. turn off dnssec
https://www.unbound.net/documentation/howto_turnoff_dnssec.html
http://unbound.jp/unbound/howto_turnoff_dnssec/
2. Remove the trust anchor
- If you delete the trust anchor entries from the unbound.conf file, DNSSEC is no longer used for the domains whose entries were deleted.
3. Disable the validator module
- This also disables validation of other domains, including DLV. The unbound.conf entry looks like this:
server:
    module-config: "iterator"
4. Startup script
The startup script appears to run unbound-anchor, so it may be a good idea to neutralize that as well.
https://twitter.com/yuuturn5/status/893379572476944385
Unbound users ML https://unbound.nlnetlabs.nl/pipermail/unbound-users/2017-August/004869.html
Otherwise, unbound shouldn't be fetching the DNSKEY itself then, but downstream clients could still be asking for it.
5. bug
http://www.debian.org/security/2011/dsa-2243.ja.html
6. conf option
harden-dnssec-stripped: <yes or no>
Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes bogus. If turned off, and no DNSSEC data is received (or the DNSKEY data fails to validate), then the zone is made insecure, this behaves like there is no trust anchor. You could turn this off if you are sometimes behind an intrusive firewall (of some sort) that removes DNSSEC data from packets, or a zone changes from signed to unsigned to badly signed often. If turned off you run the risk of a downgrade attack that disables security for a zone. Default is on.
disable-dnssec-lame-check: <yes or no>
If true, disables the DNSSEC lameness check in the iterator. This check sees if RRSIGs are present in the answer, when dnssec is expected, and retries another authority if RRSIGs are unexpectedly missing. The validator will insist in RRSIGs for DNSSEC signed domains regardless of this setting, if a trust anchor is loaded.
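As an added example (not code from unbound or from any of the pages linked above), a small Python audit that reads an unbound.conf and reports the three settings covered in sections 3 and 6 that leave a resolver without DNSSEC validation: no trust anchor configured, a module-config without the validator module, and harden-dnssec-stripped set to no. The two sample configs are constructed for the example and the root.key path in them is a placeholder; the defaults assumed when an option is absent (module-config "validator iterator", harden-dnssec-stripped yes) are unbound's documented defaults.

```python
import re

# Constructed sample: validation turned off the way the notes describe
# (trust anchor line deleted, validator dropped from module-config).
SAMPLE_CONF_OFF = """\
server:
    interface: 127.0.0.1
    # auto-trust-anchor-file: "/var/lib/unbound/root.key"   (placeholder path)
    module-config: "iterator"
    harden-dnssec-stripped: no
"""

# Constructed sample: the same resolver with validation left on.
SAMPLE_CONF_ON = """\
server:
    interface: 127.0.0.1
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    module-config: "validator iterator"
"""

# Any of these options supplies a trust anchor to the validator.
ANCHOR_KEYS = ("auto-trust-anchor-file", "trust-anchor-file",
               "trust-anchor", "trusted-keys-file")


def parse_options(conf_text):
    """Return (key, value) pairs from an unbound.conf body, comments stripped."""
    opts = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"([a-z0-9-]+):\s*(.*)$", line)
        if m and m.group(2) != "":                     # skip clause headers like "server:"
            opts.append((m.group(1), m.group(2).strip().strip('"')))
    return opts


def audit_dnssec(conf_text):
    """List which of the three 'DNSSEC off' conditions the config exhibits."""
    opts = parse_options(conf_text)
    last = dict(opts)                                  # last occurrence wins, as in unbound
    findings = []
    if not any(k in ANCHOR_KEYS for k, _ in opts):
        findings.append("no trust anchor: nothing can be validated")
    modules = last.get("module-config", "validator iterator").split()
    if "validator" not in modules:
        findings.append("validator module not loaded: module-config=%s" % " ".join(modules))
    if last.get("harden-dnssec-stripped", "yes").lower() == "no":
        findings.append("harden-dnssec-stripped=no: stripped DNSSEC data downgrades the zone to insecure")
    return findings
```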