MoinQ:

kresd/2018-12-29について、ここに記述してください。

start 直後に実行 mode('strict')

1. 始める

$ dig a.brau.jp @127.0.0.4

; <<>> DiG 9.12.3 <<>> a.brau.jp @127.0.0.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2657
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;a.brau.jp.                     IN      A

;; ANSWER SECTION:
a.brau.jp.              300     IN      A       127.0.0.1

;; Query time: 219 msec
;; SERVER: 127.0.0.4#53(127.0.0.4)
;; WHEN: 土 12月 29 08:28:34 JST 2018
;; MSG SIZE  rcvd: 54

[00000.00][plan] plan 'a.brau.jp.' type 'A' uid [02657.00]
[02657.00][iter]   'a.brau.jp.' type 'A' new uid was assigned .01, parent uid .00
[02657.01][cach]   => no NSEC* cached for zone: .
[02657.01][cach]   => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2
[02657.01][cach]   => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2
[02657.01][resl]   => going insecure because there's no covering TA
[02657.01][zcut]   found cut: . (rank 020 return codes: DS -2, DNSKEY -2)
[02657.01][resl]   => id: '30209' querying: '198.97.190.53#00053' score: 11 zone cut: '.' qname: 'jP.' qtype: 'NS' proto: 'udp'
[02657.01][resl]   => id: '30209' querying: '192.112.36.4#00053' score: 11 zone cut: '.' qname: 'jP.' qtype: 'NS' proto: 'udp'
[02657.01][iter]   <= loaded 8 glue addresses
[02657.01][iter]   <= referral response, follow
[02657.01][cach]   => stashed jp. NS, rank 002, 110 B total, incl. 0 RRSIGs
[02657.01][cach]   => stashed also 15 nonauth RRsets
[02657.01][resl]   <= server: '198.97.190.53' rtt: >= 43 ms
[02657.01][iter]   'a.brau.jp.' type 'A' new uid was assigned .02, parent uid .00
[02657.02][resl]   => id: '10111' querying: '65.22.40.25#00053' score: 10 zone cut: 'jp.' qname: 'BRaU.JP.' qtype: 'NS' proto: 'udp'
[02657.02][iter]   <= loaded 1 glue addresses
[02657.02][iter]   <= referral response, follow
[02657.02][cach]   => stashed brau.jp. NS, rank 002, 30 B total, incl. 0 RRSIGs
[02657.02][cach]   => stashed also 1 nonauth RRsets
[02657.02][resl]   <= server: '65.22.40.25' rtt: 165 ms
[02657.02][iter]   'a.brau.jp.' type 'A' new uid was assigned .03, parent uid .00
[02657.03][resl]   => id: '07349' querying: '14.192.44.29#00053' score: 10 zone cut: 'brau.jp.' qname: 'A.BRAU.JP.' qtype: 'A' proto: 'udp'
[02657.03][iter]   <= rcode: NOERROR
[02657.03][cach]   => stashed a.brau.jp. A, rank 020, 20 B total, incl. 0 RRSIGs
[02657.03][cach]   => not overwriting NS brau.jp.
[02657.03][resl]   <= server: '14.192.44.29' rtt: 11 ms
[02657.03][resl]   AD: request NOT classified as SECURE
[02657.03][resl]   finished: 0, queries: 1, mempool: 65600 B

2. 続く問合せ

$ dig b.brau.jp @127.0.0.4

; <<>> DiG 9.12.3 <<>> b.brau.jp @127.0.0.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26507
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;b.brau.jp.                     IN      A

;; ANSWER SECTION:
b.brau.jp.              300     IN      A       127.0.0.1

;; Query time: 11 msec
;; SERVER: 127.0.0.4#53(127.0.0.4)
;; WHEN: 土 12月 29 08:32:29 JST 2018
;; MSG SIZE  rcvd: 54

[00000.00][plan] plan 'b.brau.jp.' type 'A' uid [26507.00]
[26507.00][iter]   'b.brau.jp.' type 'A' new uid was assigned .01, parent uid .00
[26507.01][cach]   => no NSEC* cached for zone: brau.jp.
[26507.01][cach]   => skipping zone: brau.jp., NSEC, hash 0;new TTL -123456789, ret -2
[26507.01][cach]   => skipping zone: brau.jp., NSEC, hash 0;new TTL -123456789, ret -2
[26507.01][resl]   => going insecure because there's no covering TA
[26507.01][zcut]   found cut: brau.jp. (rank 002 return codes: DS -2, DNSKEY -2)
[26507.01][resl]   => id: '42894' querying: '14.192.44.29#00053' score: 10 zone cut: 'brau.jp.' qname: 'b.BrAU.JP.' qtype: 'A' proto: 'udp'
[26507.01][iter]   <= rcode: NOERROR
[26507.01][cach]   => stashed b.brau.jp. A, rank 020, 20 B total, incl. 0 RRSIGs
[26507.01][cach]   => not overwriting NS brau.jp.
[26507.01][resl]   <= server: '14.192.44.29' rtt: 11 ms
[26507.01][resl]   AD: request NOT classified as SECURE
[26507.01][resl]   finished: 0, queries: 1, mempool: 65600 B

毒は入らない。(Answerありの返答ではNSなどは捨てる)

3. しかし

だが、a.ns.brau.jp を問い合わせると、 ...

$ dig a.ns.brau.jp @127.0.0.4

; <<>> DiG 9.12.3 <<>> a.ns.brau.jp @127.0.0.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62350
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;a.ns.brau.jp.                  IN      A

;; ANSWER SECTION:
a.ns.brau.jp.           360     IN      A       192.168.10.10

;; Query time: 23 msec
;; SERVER: 127.0.0.4#53(127.0.0.4)
;; WHEN: 土 12月 29 08:34:19 JST 2018
;; MSG SIZE  rcvd: 57

[00000.00][plan] plan 'a.ns.brau.jp.' type 'A' uid [62350.00]
[62350.00][iter]   'a.ns.brau.jp.' type 'A' new uid was assigned .01, parent uid .00
[62350.01][cach]   => skipping exact RR: rank 001 (min. 020), new TTL 86054
[62350.01][cach]   => no NSEC* cached for zone: brau.jp.
[62350.01][cach]   => skipping zone: brau.jp., NSEC, hash 0;new TTL -123456789, ret -2
[62350.01][cach]   => skipping zone: brau.jp., NSEC, hash 0;new TTL -123456789, ret -2
[62350.01][resl]   => going insecure because there's no covering TA
[62350.01][zcut]   found cut: brau.jp. (rank 002 return codes: DS -2, DNSKEY -2)
[62350.01][resl]   => id: '09413' querying: '14.192.44.29#00053' score: 11 zone cut: 'brau.jp.' qname: 'Ns.bRAu.jp.' qtype: 'NS' proto: 'udp'
[62350.01][iter]   <= loaded 1 glue addresses
[62350.01][iter]   <= rcode: NOERROR
[62350.01][iter]   <= retrying with non-minimized name
[62350.01][cach]   => not overwriting A a.ns.brau.jp.
[62350.01][cach]   => stashed packet: rank 020, TTL 2560, NS ns.brau.jp. (119 B)
[62350.01][resl]   <= server: '14.192.44.29' rtt: 12 ms
[62350.01][iter]   'a.ns.brau.jp.' type 'A' new uid was assigned .02, parent uid .00
[62350.02][resl]   => id: '21511' querying: '14.192.44.5#00053' score: 10 zone cut: 'brau.jp.' qname: 'A.Ns.brAu.jp.' qtype: 'A' proto: 'udp'
[62350.02][iter]   <= rcode: NOERROR
[62350.02][cach]   => stashed a.ns.brau.jp. A, rank 020, 20 B total, incl. 0 RRSIGs
[62350.02][cach]   => not overwriting NS brau.jp.
[62350.02][resl]   <= server: '14.192.44.5' rtt: 11 ms
[62350.02][resl]   AD: request NOT classified as SECURE
[62350.02][resl]   finished: 0, queries: 1, mempool: 65600 B

4. そして

$ dig c.brau.jp @127.0.0.4

; <<>> DiG 9.12.3 <<>> c.brau.jp @127.0.0.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 40847
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;c.brau.jp.                     IN      A

;; Query time: 2298 msec
;; SERVER: 127.0.0.4#53(127.0.0.4)
;; WHEN: 土 12月 29 08:36:38 JST 2018
;; MSG SIZE  rcvd: 38

[00000.00][plan] plan 'c.brau.jp.' type 'A' uid [40847.00]
[40847.00][iter]   'c.brau.jp.' type 'A' new uid was assigned .01, parent uid .00
[40847.01][cach]   => no NSEC* cached for zone: brau.jp.
[40847.01][cach]   => skipping zone: brau.jp., NSEC, hash 0;new TTL -123456789, ret -2
[40847.01][cach]   => skipping zone: brau.jp., NSEC, hash 0;new TTL -123456789, ret -2
[40847.01][resl]   => going insecure because there's no covering TA
[40847.01][zcut]   found cut: brau.jp. (rank 002 return codes: DS -2, DNSKEY -2)
[40847.01][resl]   => id: '58843' querying: '192.168.10.10#00053' score: 10 zone cut: 'brau.jp.' qname: 'C.bRau.jp.' qtype: 'A' proto: 'udp'
[40847.01][resl]   => id: '58843' querying: '192.168.10.10#00053' score: 10 zone cut: 'brau.jp.' qname: 'C.bRau.jp.' qtype: 'A' proto: 'udp'
[40847.01][resl]   => id: '58843' querying: '192.168.10.10#00053' score: 10 zone cut: 'brau.jp.' qname: 'C.bRau.jp.' qtype: 'A' proto: 'udp'
[40847.01][resl]   => id: '58843' querying: '192.168.10.10#00053' score: 10 zone cut: 'brau.jp.' qname: 'C.bRau.jp.' qtype: 'A' proto: 'udp'
[40847.01][wrkr]   => server: '192.168.10.10#00053' flagged as 'bad'
[40847.01][iter]   'c.brau.jp.' type 'A' new uid was assigned .02, parent uid .00
[40847.02][resl]   => id: '18388' querying: '192.168.10.10#00053' score: 10 zone cut: 'brau.jp.' qname: 'c.brau.jp.' qtype: 'A' proto: 'tcp'
[40847.02][wrkr]   => connecting to: '192.168.10.10#00053'
[wrkr]=> connect to '192.168.10.10#00053' failed (connection refused), flagged as 'bad'
[40847.02][iter]   'c.brau.jp.' type 'A' new uid was assigned .03, parent uid .00
[40847.03][resl]   => no NS with an address
[40847.03][iter]   'c.brau.jp.' type 'A' new uid was assigned .04, parent uid .00
[40847.04][resl]   => no NS with an address
[40847.04][resl]   AD: request NOT classified as SECURE
[40847.04][resl]   finished: 0, queries: 1, mempool: 65600 B