MoinQ:


NS+DS (+RRSIG) http://dnsviz.net/d/dns.jp/dnssec/

$ dig +dnssec -t ns jp @a.root-servers.net

; <<>> DiG 9.9.5-3ubuntu0.7-Ubuntu <<>> +dnssec -t ns jp @a.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25221
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 10, ADDITIONAL: 14
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1472
;; QUESTION SECTION:
;jp.                            IN      NS

;; AUTHORITY SECTION:
jp.                     172800  IN      NS      a.dns.jp.
jp.                     172800  IN      NS      b.dns.jp.
jp.                     172800  IN      NS      c.dns.jp.
jp.                     172800  IN      NS      d.dns.jp.
jp.                     172800  IN      NS      e.dns.jp.
jp.                     172800  IN      NS      f.dns.jp.
jp.                     172800  IN      NS      g.dns.jp.
jp.                     86400   IN      DS      53899 8 1 00DED0BB8203CFB6ABB054318EC95C4F13F4B5B0
jp.                     86400   IN      DS      53899 8 2 C02BA0E5A47E49181EE132BB0612D950766AD9C62FD29BDEEAFBC463 B9D37FDE
jp.                     86400   IN      RRSIG   DS 8 1 86400 20160215170000 20160205160000 54549 . MayV9tL2ESLpZIvDJOf3laQm34vsNh9kAdv9lwZSKaYYh3LegZMnN7Qd TnxIYM17s3WgdzI1QpEg/1MIqcQqWsXDfNS0pNbkv1/48AQ6QnyTej+C SjLkuWdAXVvjHhzDZlwmWfhjU3+y/w28Ulq1GemoGFlZK8gd32+MkqUE fFc=

;; ADDITIONAL SECTION:
a.dns.jp.               172800  IN      A       203.119.1.1
b.dns.jp.               172800  IN      A       202.12.30.131
c.dns.jp.               172800  IN      A       156.154.100.5
d.dns.jp.               172800  IN      A       210.138.175.244
e.dns.jp.               172800  IN      A       192.50.43.53
f.dns.jp.               172800  IN      A       150.100.6.8
g.dns.jp.               172800  IN      A       203.119.40.1
a.dns.jp.               172800  IN      AAAA    2001:dc4::1
b.dns.jp.               172800  IN      AAAA    2001:dc2::1
c.dns.jp.               172800  IN      AAAA    2001:502:ad09::5
d.dns.jp.               172800  IN      AAAA    2001:240::53
e.dns.jp.               172800  IN      AAAA    2001:200:c000::35
f.dns.jp.               172800  IN      AAAA    2001:2f8:0:100::153

;; Query time: 55 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Sat Feb 06 12:50:00 JST 2016
;; MSG SIZE  rcvd: 670

$ dig +dnssec -t ns jp @a.dns.jp

; <<>> DiG 9.9.5-3ubuntu0.7-Ubuntu <<>> +dnssec -t ns jp @a.dns.jp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30182
;; flags: qr aa rd; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;jp.                            IN      NS

;; ANSWER SECTION:
jp.                     86400   IN      NS      d.dns.jp.
jp.                     86400   IN      NS      g.dns.jp.
jp.                     86400   IN      NS      b.dns.jp.
jp.                     86400   IN      NS      e.dns.jp.
jp.                     86400   IN      NS      c.dns.jp.
jp.                     86400   IN      NS      a.dns.jp.
jp.                     86400   IN      NS      f.dns.jp.
jp.                     86400   IN      RRSIG   NS 8 1 86400 20160229174503 20160130174503 55308 jp. bguHO6L9p95r4ntOLfDc2PAZ/H+HcqAjDZcFtpvwBx48VhHb5LuZXyuz HXddUFiHA+UDMdUEZZgoVzpDvgaZycngaBR699V6FlLJGsdZAb3Za4jG 0g1AqC+PLWSErf6rOngYbR0iQJiYTiDneLeru+jQvv5MP+oDAEpChWjX naM=

;; Query time: 7 msec
;; SERVER: 203.119.1.1#53(203.119.1.1)
;; WHEN: Sat Feb 06 12:50:19 JST 2016
;; MSG SIZE  rcvd: 309

Whether the A records are correct cannot be confirmed at this point.

So a step to check whether they can be trusted is needed.

$ dig +dnssec -t a a.dns.jp @a.dns.jp

; <<>> DiG 9.9.5-3ubuntu0.7-Ubuntu <<>> +dnssec -t a a.dns.jp @a.dns.jp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6148
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 10, ADDITIONAL: 12
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;a.dns.jp.                      IN      A

;; AUTHORITY SECTION:
dns.jp.                 86400   IN      NS      nsd.dns.jp.
dns.jp.                 86400   IN      NS      nsg.dns.jp.
dns.jp.                 86400   IN      NS      nse.dns.jp.
dns.jp.                 86400   IN      NS      nsb.dns.jp.
dns.jp.                 86400   IN      NS      nsa.dns.jp.
dns.jp.                 86400   IN      NS      nsf.dns.jp.
B2UT3K7LVEJOGMKEJ26D84H1BQDDB06K.jp. 900 IN NSEC3 1 1 8 2BF4F00612 B46QT3E5HR3ATCLG3VI3FKKJT5OK1KTI NS SOA RRSIG DNSKEY NSEC3PARAM
B2UT3K7LVEJOGMKEJ26D84H1BQDDB06K.jp. 900 IN RRSIG NSEC3 8 2 900 20160229174503 20160130174503 55308 jp. QFqiK+y72tj+8xlIt74Y1S/I/sETu+T0nvF1sW6EddGA8jCIXoFiqh45 66y50V4fJhUtY1E47WTkcP75KqGMxZsLxHX/kGm1MQyNim05cPl4EIpz KAqQFdbwI641PHzoXgYhwIrRDDHbU4DwDAeMGbgQL0R86OYpSn1woADO s1s=
9TGMUMND2PRVVD0RNJQ4UDFCG0EMBPEU.jp. 900 IN NSEC3 1 1 8 2BF4F00612 9UATCC9AOVD64VJS4ACD7UQIC3DP2N3D NS DS RRSIG
9TGMUMND2PRVVD0RNJQ4UDFCG0EMBPEU.jp. 900 IN RRSIG NSEC3 8 2 900 20160229174503 20160130174503 55308 jp. N7Ge/WpApyh95xC7TuzwJjzZHea8AaE7ts8BD6DmeWVqt0FL6Zs2ab2+ g3B89Cdf4j1MvmDVXm3UpODjzt8ZnVoR581LkA3DgUXRfoKp49PjIeli BMRKY4u5vtWG1g0Yt294qgydKy8+keo9eBjhrsAdzFgaWjJYzjTv0svk eHQ=

;; ADDITIONAL SECTION:
nsa.dns.jp.             86400   IN      A       203.119.1.4
nsa.dns.jp.             86400   IN      AAAA    2001:dc4::4
nsb.dns.jp.             86400   IN      A       202.12.30.134
nsb.dns.jp.             86400   IN      AAAA    2001:dc2::2
nsd.dns.jp.             86400   IN      A       210.138.175.245
nsd.dns.jp.             86400   IN      AAAA    2001:240::54
nse.dns.jp.             86400   IN      A       192.50.43.153
nse.dns.jp.             86400   IN      AAAA    2001:200:c000::99
nsf.dns.jp.             86400   IN      A       150.100.6.12
nsf.dns.jp.             86400   IN      AAAA    2001:2f8:0:100::163
nsg.dns.jp.             86400   IN      A       203.119.40.4

;; Query time: 7 msec
;; SERVER: 203.119.1.1#53(203.119.1.1)
;; WHEN: Sat Feb 06 12:58:10 JST 2016
;; MSG SIZE  rcvd: 874

But the reply that comes back says, in effect, "ask nsa.dns.jp about dns.jp." (lol)

$ dig +dnssec -t a a.dns.jp @nsa.dns.jp

; <<>> DiG 9.9.5-3ubuntu0.7-Ubuntu <<>> +dnssec -t a a.dns.jp @nsa.dns.jp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45918
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 12
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;a.dns.jp.                      IN      A

;; ANSWER SECTION:
a.dns.jp.               86400   IN      A       203.119.1.1

;; AUTHORITY SECTION:
dns.jp.                 86400   IN      NS      nsa.dns.jp.
dns.jp.                 86400   IN      NS      nsb.dns.jp.
dns.jp.                 86400   IN      NS      nsg.dns.jp.
dns.jp.                 86400   IN      NS      nsf.dns.jp.
dns.jp.                 86400   IN      NS      nsd.dns.jp.
dns.jp.                 86400   IN      NS      nse.dns.jp.

;; ADDITIONAL SECTION:
nsa.dns.jp.             86400   IN      A       203.119.1.4
nsa.dns.jp.             86400   IN      AAAA    2001:dc4::4
nsb.dns.jp.             86400   IN      A       202.12.30.134
nsb.dns.jp.             86400   IN      AAAA    2001:dc2::2
nsd.dns.jp.             86400   IN      A       210.138.175.245
nsd.dns.jp.             86400   IN      AAAA    2001:240::54
nse.dns.jp.             86400   IN      A       192.50.43.153
nse.dns.jp.             86400   IN      AAAA    2001:200:c000::99
nsf.dns.jp.             86400   IN      A       150.100.6.12
nsf.dns.jp.             86400   IN      AAAA    2001:2f8:0:100::163
nsg.dns.jp.             86400   IN      A       203.119.40.4

;; Query time: 8 msec
;; SERVER: 203.119.1.4#53(203.119.1.4)
;; WHEN: Sat Feb 06 13:00:28 JST 2016
;; MSG SIZE  rcvd: 397

Huh, so dns.jp isn't using DNSSEC?

-- ToshinoriMaeno 2016-02-06 04:02:10
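
The two NSEC3 records in the a.dns.jp referral from a.dns.jp above are the signed evidence for that last observation: one matches the jp apex, the other (Opt-Out flag set) covers the hash of dns.jp, so jp holds no DS for dns.jp and the delegation is insecure. The following Python check recomputes the RFC 5155 hashes from the values in that output; it is an added example, not part of the original page, and its function and constant names are chosen here for illustration.

```python
import base64
import hashlib

# Map the RFC 4648 base32 alphabet to base32hex, the encoding of NSEC3 owner labels.
_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                             b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name: str) -> bytes:
    """Canonical (lower-case) DNS wire format of a domain name."""
    labels = [lab for lab in name.lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 hash, algorithm 1 (SHA-1): one hash plus `iterations` re-hashes."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_B32HEX).decode("ascii")

def covers(owner: str, nxt: str, target: str) -> bool:
    """True if target sorts strictly between an NSEC3 owner hash and its next hash."""
    if owner < nxt:
        return owner < target < nxt
    return target > owner or target < nxt  # last record in the chain wraps around

# Values copied from the NSEC3 records in the a.dns.jp referral shown on this page.
SALT, ITERATIONS = "2BF4F00612", 8
APEX_OWNER = "B2UT3K7LVEJOGMKEJ26D84H1BQDDB06K"   # bitmap has SOA/DNSKEY: zone apex
COVER_OWNER = "9TGMUMND2PRVVD0RNJQ4UDFCG0EMBPEU"  # flags field 1 = Opt-Out set
COVER_NEXT = "9UATCC9AOVD64VJS4ACD7UQIC3DP2N3D"

def check_insecure_delegation() -> dict:
    """Closest-encloser proof that jp holds no DS for dns.jp (RFC 5155 referral case)."""
    child = nsec3_hash("dns.jp.", SALT, ITERATIONS)
    return {
        "apex_matches_jp": nsec3_hash("jp.", SALT, ITERATIONS) == APEX_OWNER,
        "dns_jp_covered": covers(COVER_OWNER, COVER_NEXT, child),
    }

if __name__ == "__main__":
    print(check_insecure_delegation())
```

A validating resolver additionally verifies the RRSIG over each NSEC3 record with the jp DNSKEY (key tag 55308 in the output) before accepting this proof; the check here covers only the hash arithmetic.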