Investigate the procedure by which a DNSSEC cache verifies the integrity of DNS RRs. DNS/DNSSEC/query
We trust that the root trust anchor is configured correctly.
Obtain the NS records for the JP servers.
$ dig +dnssec jp ns @a.root-servers.net
; <<>> DiG 9.7.1-P2 <<>> +dnssec jp ns @a.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8225
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 10, ADDITIONAL: 14
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;jp. IN NS

;; AUTHORITY SECTION:
jp. 172800 IN NS a.dns.jp.
jp. 172800 IN NS b.dns.jp.
jp. 172800 IN NS c.dns.jp.
jp. 172800 IN NS d.dns.jp.
jp. 172800 IN NS e.dns.jp.
jp. 172800 IN NS f.dns.jp.
jp. 172800 IN NS g.dns.jp.
jp. 86400 IN DS 1369 8 1 59E20603E1BBA03E0A42FF5648A517FD238AE6D9
jp. 86400 IN DS 1369 8 2 1F3F4A66E954C27FB16DF88CA5EA0E88CA9384690BBCE3A6B7F54E9E 6BCA169B
jp. 86400 IN RRSIG DS 8 1 86400 20110306000000 20110226230000 21639 . GAxRRVx+lRNwER11fGIaVhiYbRjDPF/ERL4lJ4bwrmXTnUCxPSd4Tl5a VOuu7IvCiuu7eBzz8Go1JUWEuOBuMphaa3/A0hf9ODOdEAS8ho/ErXae MRNWwoLlzJz/nENlX/ouKTe5g/0+8e7HrKCUShcfNHiYr+P7XBN9Sc+e Npg=

;; ADDITIONAL SECTION:
a.dns.jp. 86400 IN AAAA 2001:dc4::1
a.dns.jp. 86400 IN A 203.119.1.1
b.dns.jp. 86400 IN AAAA 2001:dc2::1
b.dns.jp. 86400 IN A 202.12.30.131
c.dns.jp. 86400 IN AAAA 2001:502:ad09::5
c.dns.jp. 86400 IN A 156.154.100.5
d.dns.jp. 86400 IN AAAA 2001:240::53
d.dns.jp. 86400 IN A 210.138.175.244
e.dns.jp. 86400 IN AAAA 2001:200:c000::35
e.dns.jp. 86400 IN A 192.50.43.53
f.dns.jp. 86400 IN AAAA 2001:2f8:0:100::153
f.dns.jp. 86400 IN A 150.100.2.3
g.dns.jp. 86400 IN A 203.119.40.1

;; Query time: 99 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Mon Feb 28 13:55:45 2011
;; MSG SIZE rcvd: 670
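
The referral above carries two DS records for jp. (digest types 1 and 2), which a validator uses to authenticate the jp DNSKEY once the root's RRSIG over the DS RRset has been checked. The following is an added example, not part of the original page: it parses those DS lines and applies the RFC 4034 key tag and digest comparison to a DNSKEY. `SAMPLE_KEY` and all function names are constructed for illustration; the real jp DNSKEY is not on this page.

```python
import hashlib
import struct

# DS records for jp. copied from the AUTHORITY section above (presentation format).
DS_LINES = [
    "jp. 86400 IN DS 1369 8 1 59E20603E1BBA03E0A42FF5648A517FD238AE6D9",
    "jp. 86400 IN DS 1369 8 2 1F3F4A66E954C27FB16DF88CA5EA0E88CA9384690BBCE3A6B7F54E9E 6BCA169B",
]
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types (RFC 4034, RFC 4509)

def parse_ds(line):
    """Return (owner, key_tag, algorithm, digest_type, digest_bytes)."""
    f = line.split()
    if f[3] != "DS":
        raise ValueError("not a DS record")
    # dig splits a long digest into space-separated chunks: rejoin them
    return f[0], int(f[4]), int(f[5]), int(f[6]), bytes.fromhex("".join(f[7:]))

def wire_name(name):
    """Canonical (lower-case) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (algorithms other than 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def make_ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name in wire form | DNSKEY RDATA)."""
    return DIGESTS[digest_type](wire_name(owner) + rdata).digest()

def dnskey_matches_ds(owner, rdata, ds):
    """True only if owner, key tag, algorithm and digest all agree."""
    ds_owner, tag, alg, dtype, digest = ds
    if dtype not in DIGESTS:
        return False  # unknown digest type cannot be used to validate
    return (wire_name(owner) == wire_name(ds_owner)
            and key_tag(rdata) == tag
            and rdata[3] == alg
            and make_ds_digest(owner, rdata, dtype) == digest)

# Constructed KSK (flags 257, protocol 3, algorithm 8); NOT the real jp key.
SAMPLE_KEY = dnskey_rdata(257, 3, 8, bytes(range(1, 133)))
```
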