Describe DNS/DNSSEC/query here.
1. DNSSEC ドメインの確認方法
2. 対応ゾーン
キャッシュは 8.8.8.8 を使っている。(途中のキャッシュがDNSSEC関連レコードを落としてくれるため)
$ dig +dnssec www.udp53.org a
; <<>> DiG 9.7.1-P2 <<>> +dnssec www.udp53.org a ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58011 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 512 ;; QUESTION SECTION: ;www.udp53.org. IN A ;; ANSWER SECTION: www.udp53.org. 3600 IN A 127.0.0.1 www.udp53.org. 3600 IN RRSIG A 5 3 3600 20110305182641 20110203180942 9234 udp53.org. QXCVwxiqjC+Sx1N6+8NA4pvRyT8jEIsjlRv/QHG6/wjODOwFf2G6cdxy oTVeyajWpUKqAfHXRs05leaBqkfteg== ;; Query time: 287 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Thu Feb 24 23:10:25 2011 ;; MSG SIZE rcvd: 163
iijでやってみた。
$ dig +dnssec www.iij.ad.jp a
; <<>> DiG 9.7.1-P2 <<>> +dnssec www.iij.ad.jp a ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20063 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 512 ;; QUESTION SECTION: ;www.iij.ad.jp. IN A ;; ANSWER SECTION: www.iij.ad.jp. 300 IN A 210.130.137.80 www.iij.ad.jp. 300 IN RRSIG A 8 4 300 20110325151004 20110223151004 43611 iij.ad.jp. Kvw0V3ZYVypkL4r/mWUFcSmXYcPz7rCAbCfUo/if37e6IfGZa3ujLDuk lRsDVvbnVtL6Kw6xs0GC1i0hPlGt0MgyRNF6LhRfIBYbLpsJXLVupeGz 4++nr7Pi7nLAweGdDa5k0R7g2mHeBtwee5qbe+kwM3dK+vtdMEo36iTz u1I= ;; Query time: 120 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Thu Feb 24 23:13:57 2011 ;; MSG SIZE rcvd: 227
$ dig +cd +multi iij.ad.jp dnskey
;; Truncated, retrying in TCP mode.
; <<>> DiG 9.7.1-P2 <<>> +cd +multi iij.ad.jp dnskey
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6861
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;iij.ad.jp. IN DNSKEY
;; ANSWER SECTION:
iij.ad.jp. 86400 IN DNSKEY 257 3 8 (
AwEAAcXnf05SMGoskgsnNQ1M5NCK9L5gMuakKqZN+hm/
1bkhCdQaX3voitJLGsF3Tou/O5i0WPVLagnwZfMS30Pt
3m4DaQGydPPRzr8U76udWpOCCvOSrNRiGI7zop790q35
9QayFlC3RnYSxXacbeyp8DMr6Aq6WTf5g2zjdgXFNaCo
10zsva/1rVMw8kLQRvFCI6sFTpPSMa8ne7SHetevFuXN
DMcwWK0yebp0SpfB45Q/xqyDPorokskfTM39JS054yXo
YqoN692pstYVI2d09sS8YQs3rB6bqG0UhzXKTlsl3jbL
s8xnr02ucsUf0y8IOZ3EiRprhz2Z9eKnjKwnBaM=
) ; key id = 38536
iij.ad.jp. 86400 IN DNSKEY 256 3 8 (
AwEAAeoyMdPoRCU4WDNAx1mRGwx31q50A35xm5QM6tKz
7TM1e9eDiPxq/N9MxJ1QjuaiPA2WsudQf7IywNWTOnaf
ZvKeiiCfUwD0wHWjxuev4t7NcdJyouetlgSzuSe/mRfr
HV/56k7noTJAXsfC/VtQj2Amkt58qF8Nl8WLKmBpWkkx
) ; key id = 43611
iij.ad.jp. 86400 IN DNSKEY 256 3 8 (
AwEAAaIfCqc+VpzsvPSE1Kr+lxFYKrMoOatUH9C7Pu0y
sphAEfLd9lzsvShHSo1Psjq+K1mJQeX+Fp0CPJ0MDwg4
azPItu6HZo9hAUcbKi2oIA0vBJEsOG/OZX/Z1rHWba5E
xPHCP9OeTlgWmVsu9i2Mb94hNalw5c5VvJQ1192x/0dX
) ; key id = 43830
;; Query time: 72 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Feb 24 23:17:00 2011
;; MSG SIZE rcvd: 599ZSK, KSK を入手できた。(JPサーバからDS RRを入手すれば、KSKが検証できる。)
こっちをやるのだった。
$ dig +dnssec iij.ad.jp ns @dns0.iij.ad.jp
; <<>> DiG 9.7.1-P2 <<>> +dnssec iij.ad.jp ns @dns0.iij.ad.jp ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30445 ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 9 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;iij.ad.jp. IN NS ;; ANSWER SECTION: iij.ad.jp. 604800 IN NS dns1.iij.ad.jp. iij.ad.jp. 604800 IN NS dns0.iij.ad.jp. iij.ad.jp. 604800 IN RRSIG NS 8 3 604800 20110326151005 20110224151005 43611 iij.ad.jp. pWCETvqqY+IACy4QedR7RsUWAgV73TUCavJub8l/0F2uFsqZBOFOmCf8 USvjzjT5XnGz7M+Fs1dkR67n1wSfmjrsjixuhDlvKYDmUvyyeffryT3W zfDSHxSMIZYpBJHMFCaXhetaMdtmTonyZFM/7eMng1L3e7o1M23kF7vk Ln8= ;; ADDITIONAL SECTION: dns0.iij.ad.jp. 86400 IN A 210.138.174.16 dns0.iij.ad.jp. 86400 IN AAAA 2001:240:bb41:8002::1:16 dns1.iij.ad.jp. 86400 IN A 210.138.175.5 dns1.iij.ad.jp. 86400 IN AAAA 2001:240:bb4c:8000::1:5 dns0.iij.ad.jp. 86400 IN RRSIG A 8 4 86400 20110326151005 20110224151005 43611 iij.ad.jp. JoCfiGpBiDC/LrNo4aIdXHjRN/dY1+kxgFEM4oXV3tWlAuHPRV/W7K5L 4AuqQwrG15hGs/QnJZ5I899DWhmWgc10ZS8/7b932YfkeeKELR+xOGtY PlcffrgBiLr9gE3LKCZyVWncXXsXDYQmbkaT3gHGHt3jplCZMNAUsmq6 Vlo= dns0.iij.ad.jp. 86400 IN RRSIG AAAA 8 4 86400 20110326151005 20110224151005 43611 iij.ad.jp. VN6uSlf23+ivlWfGsnmNi5rzcyZZO5B8LLNo5jZpRDaw5WmOTcDqZcZj hNRtCXxK/rB4P2T7L/GFxSYsNl6+KoU9zUQEGfxzwHZ4nnkxGXVgvVwe AaiHMRy9tZQxTpWKAID+09pTf1fwdToddD848M4TeNVpZFYDT9RVX6WN eco= dns1.iij.ad.jp. 86400 IN RRSIG A 8 4 86400 20110326151005 20110224151005 43611 iij.ad.jp. HqPolGbsloPJt8fDjDZ+rnM6GKOoNuXVzEcZtk71blP6l60kkqm9To/4 SyDcjQDZGXcJdjzdzlPECrYdGgZ5i1+hmK5aCE35vRcT3pgp3YCFjOYR Oo2VRmfrsjqYGdObE233d86J4lW9dwFQPpWrk2n/bQbYG1FDKFqKr9nP yjY= dns1.iij.ad.jp. 86400 IN RRSIG AAAA 8 4 86400 20110326151005 20110224151005 43611 iij.ad.jp. K2wEPcdILH1gOvejVtwd2g4QY4zpzomue1pibVGqdqITB8pkjepwU7Us QKpbz3M8b72nA3+3hhxgKIN09iFjw0gkwdy3jr7bF2FZXDbm6u4JHXJ9 ddz6L3djz/RDH7VXdp2Ra/B8h20R6+oizjQ/JeiXVKTYgiqlCLvbBE9x K98= ;; Query time: 39 msec ;; SERVER: 210.138.174.16#53(210.138.174.16) ;; WHEN: Fri Feb 25 15:49:17 2011 ;; MSG SIZE rcvd: 1009
$ dig +dnssec iij.ad.jp mx
; <<>> DiG 9.7.1-P2 <<>> +dnssec iij.ad.jp mx ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40771 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 512 ;; QUESTION SECTION: ;iij.ad.jp. IN MX ;; ANSWER SECTION: iij.ad.jp. 86400 IN MX 10 omgi.iij.ad.jp. iij.ad.jp. 86400 IN RRSIG MX 8 3 604800 20110326151005 20110224151005 43611 iij.ad.jp. EEu0oNm6rvVQZkCtb9cRkW2eaczkrEvyqp8Qi0uFot2BAxxPpd5kpLzb 0sgEJYjR7CWdtyMyAAUIrhfap1fTCWqhnNLXZxKqQxsrRzpBW60qiP0t kxraxoWOqUxnrYapfpCHjEDNxensUVbctxDZtdlPkjWMS4+zgmSlCIlw rjk= ;; Query time: 129 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Fri Feb 25 09:20:53 2011 ;; MSG SIZE rcvd: 228
$ dig +dnssec iij.ad.jp ns
; <<>> DiG 9.7.1-P2 <<>> +dnssec iij.ad.jp ns ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11791 ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 512 ;; QUESTION SECTION: ;iij.ad.jp. IN NS ;; ANSWER SECTION: iij.ad.jp. 66066 IN NS dns0.iij.ad.jp. iij.ad.jp. 66066 IN NS dns1.iij.ad.jp. iij.ad.jp. 66066 IN RRSIG NS 8 3 604800 20110326151005 20110224151005 43611 iij.ad.jp. pWCETvqqY+IACy4QedR7RsUWAgV73TUCavJub8l/0F2uFsqZBOFOmCf8 USvjzjT5XnGz7M+Fs1dkR67n1wSfmjrsjixuhDlvKYDmUvyyeffryT3W zfDSHxSMIZYpBJHMFCaXhetaMdtmTonyZFM/7eMng1L3e7o1M23kF7vk Ln8= ;; Query time: 70 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Fri Feb 25 09:21:59 2011 ;; MSG SIZE rcvd: 245
additional なし。
上位サーバがどういう振る舞いをするか。
$ dig +dnssec iij.ad.jp ns @a.dns.jp
; <<>> DiG 9.7.1-P2 <<>> +dnssec iij.ad.jp ns @a.dns.jp ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63473 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 5 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;iij.ad.jp. IN NS ;; AUTHORITY SECTION: iij.ad.jp. 86400 IN NS dns0.iij.ad.jp. iij.ad.jp. 86400 IN NS dns1.iij.ad.jp. iij.ad.jp. 86400 IN DS 38536 8 2 7F8502A41EA1C844FFBFC556BE24BC81DB6EDC255B929EB0B6B2B74C F55FEE72 iij.ad.jp. 86400 IN DS 38536 8 1 E4BD7DEDEE6E2320409E6E23D16A35F924DD505B iij.ad.jp. 86400 IN RRSIG DS 8 3 86400 20110321174504 20110219174504 33696 jp. BDMlewgBOu6HehIiui1iZaZLay9N7bbm7hfRW7qjcTFibySrIZGeAEEu vp3vPBd1eASIVBKCEMpm1Iytdq1x7VTRC+AFDOzWBIlQmBSa0MATBrDc TjK1/4L7StXrxDb4CezdTZGGnf8T8QoZEwkUfWOPzywiIpWMD/jMMm9n FcM= ;; ADDITIONAL SECTION: dns0.iij.ad.jp. 86400 IN A 210.138.174.16 dns0.iij.ad.jp. 86400 IN AAAA 2001:240:bb41:8002::1:16 dns1.iij.ad.jp. 86400 IN A 210.138.175.5 dns1.iij.ad.jp. 86400 IN AAAA 2001:240:bb4c:8000::1:5 ;; Query time: 34 msec ;; SERVER: 203.119.1.1#53(203.119.1.1) ;; WHEN: Fri Feb 25 09:24:04 2011 ;; MSG SIZE rcvd: 410
a.dns.jp が責任をもつのはDSレコードだけだと分かる。
- 「NS, A の確認は自分でやれ」ということですね。
| << < 2024 / 11 > >> | ||||||
|---|---|---|---|---|---|---|
| Mon | Tue | Wed | Thu | Fri | Sat | Sun |
| 1 | 2 | 3 | ||||
| 4 | 5 | 6 | 7 | 8 | 9 | 10 |
| 11 | 12 | 13 | 14 | 15 | 16 | 17 |
| 18 | 19 | 20 | 21 | 22 | 23 | 24 |
| 25 | 26 | 27 | 28 | 29 | 30 | |