

What does DNSSEC actually protect? Let us consider this using the records registered for iij.ad.jp as an example.

$ dig +dnssec ns iij.ad.jp @a.dns.jp

; <<>> DiG 9.7.3 <<>> +dnssec ns iij.ad.jp @a.dns.jp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47379
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 5
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;iij.ad.jp.                     IN      NS

;; AUTHORITY SECTION:
iij.ad.jp.              86400   IN      NS      dns1.iij.ad.jp.
iij.ad.jp.              86400   IN      NS      dns0.iij.ad.jp.
iij.ad.jp.              86400   IN      DS      38536 8 1 E4BD7DEDEE6E2320409E6E23D16A35F924DD505B
iij.ad.jp.              86400   IN      DS      38536 8 2 7F8502A41EA1C844FFBFC556BE24BC81DB6EDC255B929EB0B6B2B74C F55FEE72
iij.ad.jp.              86400   IN      RRSIG   DS 8 3 86400 20110704174503 20110604174503 3189 jp. kL4WAoVZYJ6OdOLm78ZlLWht2WJkADB6b+N/ybkqbL7dPS4MVWm5yOcQ UP2Hr6C4Vqh1h3zj5Ql1zv+dtofVatakH/KDtOv3FtTCohDgOFqE9fqS 0ntKvpjLF5RF8o7TNMEStlEhJcweVSSfvu7g33cSBenGW6xLcHIDHTiX DaU=

;; ADDITIONAL SECTION:
dns0.iij.ad.jp.         86400   IN      A       210.138.174.16
dns0.iij.ad.jp.         86400   IN      AAAA    2001:240:bb41:8002::1:16
dns1.iij.ad.jp.         86400   IN      A       210.138.175.5
dns1.iij.ad.jp.         86400   IN      AAAA    2001:240:bb4c:8000::1:5

;; Query time: 37 msec
;; SERVER: 203.119.1.1#53(203.119.1.1)
;; WHEN: Sat Jun 11 21:43:23 2011
;; MSG SIZE  rcvd: 410

Since DS records for iij.ad.jp are registered on the JP servers, we can confirm that iij.ad.jp operates DNSSEC.

1. Only the DS carries an RRSIG

The reply to the NS query comes back with DS records, and only the DS records have an RRSIG attached.

The reply to a query for the A record of www.iij.ad.jp looks the same. -- ToshinoriMaeno 2011-06-13 11:16:37

Assuming the information above has been cached, how one would get false information about www.iij.ad.jp into that cache is left as an exercise.

2. Querying an A record

$ dnsq a dns0.iij.ad.jp a.dns.jp

1 dns0.iij.ad.jp:
153 bytes, 1+0+2+4 records, response, noerror
query: 1 dns0.iij.ad.jp
authority: iij.ad.jp 86400 NS dns1.iij.ad.jp
authority: iij.ad.jp 86400 NS dns0.iij.ad.jp
additional: dns0.iij.ad.jp 86400 A 210.138.174.16
additional: dns0.iij.ad.jp 86400 28 \040\001\002@\273A\200\002\000\000\000\000\000\001\000\026
additional: dns1.iij.ad.jp 86400 A 210.138.175.5
additional: dns1.iij.ad.jp 86400 28 \040\001\002@\273L\200\000\000\000\000\000\000\001\000\005

There is no answer section; the A/AAAA records appear in the additional section. (This is BIND's behaviour.)

djbdns (tinydns) behaves differently. -- ToshinoriMaeno 2011-06-11 13:45:14

$ dig +dnssec a dns0.iij.ad.jp @210.138.174.16

; <<>> DiG 9.7.3 <<>> +dnssec a dns0.iij.ad.jp @210.138.174.16
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48541
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 7
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dns0.iij.ad.jp.                        IN      A

;; ANSWER SECTION:
dns0.iij.ad.jp.         86400   IN      A       210.138.174.16
dns0.iij.ad.jp.         86400   IN      RRSIG   A 8 4 86400 20110712151005 20110612151005 21105 iij.ad.jp. QJ2P4HAnje/Cgl46ofEiyr0ZdLGFeRH7TAb5TUtujZWtMbvESVFuBDJq qPcI9wko/zp2AIZG17+cErjbya8UsFohzc7GQNWpXjkosyCwGufRnEu2 /RaA15hbxmQY+M5e4vZ5ZhSfK1pnmyDOCxQirklR7FQExe+/OAxuLLXi K/0=

;; AUTHORITY SECTION:
iij.ad.jp.              604800  IN      NS      dns1.iij.ad.jp.
iij.ad.jp.              604800  IN      NS      dns0.iij.ad.jp.
iij.ad.jp.              604800  IN      RRSIG   NS 8 3 604800 20110712151005 20110612151005 21105 iij.ad.jp. Te6HTPTdff1y7xWMXV5Cf4lEoOqmMB5msofIT6/WZMq32gtm9Tyl+/+M o9OZrCCa28wY5QjaJ5gA3irT8YhC8+9k9O+dko1m6exwg/Xa0jY/r9To 5+FOEjzq6/CetH2rOC0g0Y9Eeem57LfwQIXfZtH7J8jnu9qlURS7E1PH hPk=

;; ADDITIONAL SECTION:
dns0.iij.ad.jp.         86400   IN      AAAA    2001:240:bb41:8002::1:16
dns1.iij.ad.jp.         86400   IN      A       210.138.175.5
dns1.iij.ad.jp.         86400   IN      AAAA    2001:240:bb4c:8000::1:5
dns0.iij.ad.jp.         86400   IN      RRSIG   AAAA 8 4 86400 20110712151005 20110612151005 21105 iij.ad.jp. BFEms4x2hIHO3Dk61xT4w3BxPM12uBqjgdHAtTgiM72RZYLnZ0mqEgjO HGbWfyKKSE2D0h74o2TPPRarB3y1e/rbJqSfbfUozIdb5e0t8qKmTtc0 d9iFsspjW+Rys5TQx3Iw+reuvKHdJbbCCXeNRmUKu97Ixig6nDO7JUni OZ4=
dns1.iij.ad.jp.         86400   IN      RRSIG   A 8 4 86400 20110712151005 20110612151005 21105 iij.ad.jp. NqcDzwI/OEzWfSbjEgdyG8OPiDdj5nxPMTJ1L8IJASfXpjjQbHaEyt/9 +jKq+vyJvUuspxvjv3kecQjT7598MaeKXdqTfaK3pHfnrqozafCaFIML w8hihkCXSVOMFLL3jT9HNLb1dY5/m0kNKkgjIgN6oJaQAOwt6PisBdn6 rQ4=
dns1.iij.ad.jp.         86400   IN      RRSIG   AAAA 8 4 86400 20110712151005 20110612151005 21105 iij.ad.jp. I+9SPQqRaum6dNFw0h0DpqfYxdWAwEiP0NB2IIHS7NGNN8UDm2riTRJU CseDp4K+gTnF1nL50TzSPBD8PK9fI9He4cqpkGrcEzeKuSolqPgp6oyV BJWkkKBEyVCqZbTrqpvqi7kfom4muUnvqme5yuhjXKUKkTAcRc5E8O+s aA0=

;; Query time: 39 msec
;; SERVER: 210.138.174.16#53(210.138.174.16)
;; WHEN: Mon Jun 13 14:11:43 2011
;; MSG SIZE  rcvd: 1009

Here the RRSIGs cover the A, AAAA and NS records themselves.
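The contrast between the two replies can be checked mechanically: an RRset is protected by DNSSEC only when an RRSIG with the same owner name and a matching "type covered" accompanies it, so in the referral from a.dns.jp only the DS RRset is signed while the NS records and the A/AAAA glue are not. The following Python, an added example that is not part of this wiki page, parses dig presentation output and sorts the RRsets into signed and unsigned; its inputs are constructed, abridged excerpts of the replies shown above.

```python
# Added example (not the wiki page's own code): which RRsets in a dig +dnssec
# reply are covered by an RRSIG?  Only owner name and type are inspected.
import re

# dig presentation format: owner  ttl  IN  type  rdata  (comment lines start with ';')
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s*(.*)$")

# Constructed excerpt of the referral from a.dns.jp above (rdata cut short).
REFERRAL = """\
;; AUTHORITY SECTION:
iij.ad.jp.              86400   IN      NS      dns0.iij.ad.jp.
iij.ad.jp.              86400   IN      DS      38536 8 2 7F85...
iij.ad.jp.              86400   IN      RRSIG   DS 8 3 86400 20110704174503 20110604174503 3189 jp. kL4W...
;; ADDITIONAL SECTION:
dns0.iij.ad.jp.         86400   IN      A       210.138.174.16
dns0.iij.ad.jp.         86400   IN      AAAA    2001:240:bb41:8002::1:16
"""
# Constructed excerpt of the authoritative answer from dns0.iij.ad.jp above.
AUTH_ANSWER = """\
;; ANSWER SECTION:
dns0.iij.ad.jp.         86400   IN      A       210.138.174.16
dns0.iij.ad.jp.         86400   IN      RRSIG   A 8 4 86400 20110712151005 20110612151005 21105 iij.ad.jp. QJ2P...
;; AUTHORITY SECTION:
iij.ad.jp.              604800  IN      NS      dns0.iij.ad.jp.
iij.ad.jp.              604800  IN      RRSIG   NS 8 3 604800 20110712151005 20110612151005 21105 iij.ad.jp. Te6H...
"""

def parse_rrsets(text):
    """Group the records of a dig reply into RRsets: (owner, type) -> [rdata]."""
    rrsets = {}
    for line in text.splitlines():
        m = RR_RE.match(line)
        if m and not line.startswith(";"):
            owner, _ttl, rrtype, rdata = m.groups()
            rrsets.setdefault((owner, rrtype), []).append(rdata)
    return rrsets

def classify(text):
    """Return (signed, unsigned): sorted 'owner type' lists of the non-RRSIG RRsets."""
    rrsets = parse_rrsets(text)
    # The first RRSIG rdata field is the type it covers (RFC 4034, section 3.1.1).
    covered = {(o, rd.split()[0]) for (o, t), rds in rrsets.items() if t == "RRSIG" for rd in rds}
    signed, unsigned = [], []
    for owner, rrtype in sorted(rrsets):
        if rrtype != "RRSIG":
            (signed if (owner, rrtype) in covered else unsigned).append(f"{owner} {rrtype}")
    return signed, unsigned

if __name__ == "__main__":
    print(classify(REFERRAL), classify(AUTH_ANSWER), sep="\n")
```

Run on the referral it reports the DS RRset as the only signed one, with the NS and glue A/AAAA RRsets unsigned; run on the authoritative answer every RRset is covered. A validating resolver therefore uses the glue only to reach the child servers and authenticates the final A answer through DS, DNSKEY and RRSIG, never through the unsigned referral data.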

3. www.iij.ad.jp

$ dig +dnssec a www.iij.ad.jp @210.138.174.16

; <<>> DiG 9.7.3 <<>> +dnssec a www.iij.ad.jp @210.138.174.16
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35571
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 9
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.iij.ad.jp.                 IN      A

;; ANSWER SECTION:
www.iij.ad.jp.          300     IN      A       210.130.137.80
www.iij.ad.jp.          300     IN      RRSIG   A 8 4 300 20110712151005 20110612151005 21105 iij.ad.jp. LzPKkFl2alkBILTeBWmPksjmYYJLmn2jkuDpKbIUCYFzx6RK/zCVbMSU fzFJnwedp9DkxNYLiewySu6OFMEPCHlsX9KHHiqhgaZIpCKDtKDCgXXS AJt6twRFiYkswy5of4jY8htBzzow17oCzPCHa9EnXHJRH/IReegcr166 eko=

;; AUTHORITY SECTION:
iij.ad.jp.              604800  IN      NS      dns1.iij.ad.jp.
iij.ad.jp.              604800  IN      NS      dns0.iij.ad.jp.
iij.ad.jp.              604800  IN      RRSIG   NS 8 3 604800 20110712151005 20110612151005 21105 iij.ad.jp. Te6HTPTdff1y7xWMXV5Cf4lEoOqmMB5msofIT6/WZMq32gtm9Tyl+/+M o9OZrCCa28wY5QjaJ5gA3irT8YhC8+9k9O+dko1m6exwg/Xa0jY/r9To 5+FOEjzq6/CetH2rOC0g0Y9Eeem57LfwQIXfZtH7J8jnu9qlURS7E1PH hPk=

;; ADDITIONAL SECTION:
dns0.iij.ad.jp.         86400   IN      A       210.138.174.16
dns0.iij.ad.jp.         86400   IN      AAAA    2001:240:bb41:8002::1:16
dns1.iij.ad.jp.         86400   IN      A       210.138.175.5
dns1.iij.ad.jp.         86400   IN      AAAA    2001:240:bb4c:8000::1:5
dns0.iij.ad.jp.         86400   IN      RRSIG   A 8 4 86400 20110712151005 20110612151005 21105 iij.ad.jp. QJ2P4HAnje/Cgl46ofEiyr0ZdLGFeRH7TAb5TUtujZWtMbvESVFuBDJq qPcI9wko/zp2AIZG17+cErjbya8UsFohzc7GQNWpXjkosyCwGufRnEu2 /RaA15hbxmQY+M5e4vZ5ZhSfK1pnmyDOCxQirklR7FQExe+/OAxuLLXi K/0=
dns0.iij.ad.jp.         86400   IN      RRSIG   AAAA 8 4 86400 20110712151005 20110612151005 21105 iij.ad.jp. BFEms4x2hIHO3Dk61xT4w3BxPM12uBqjgdHAtTgiM72RZYLnZ0mqEgjO HGbWfyKKSE2D0h74o2TPPRarB3y1e/rbJqSfbfUozIdb5e0t8qKmTtc0 d9iFsspjW+Rys5TQx3Iw+reuvKHdJbbCCXeNRmUKu97Ixig6nDO7JUni OZ4=
dns1.iij.ad.jp.         86400   IN      RRSIG   A 8 4 86400 20110712151005 20110612151005 21105 iij.ad.jp. NqcDzwI/OEzWfSbjEgdyG8OPiDdj5nxPMTJ1L8IJASfXpjjQbHaEyt/9 +jKq+vyJvUuspxvjv3kecQjT7598MaeKXdqTfaK3pHfnrqozafCaFIML w8hihkCXSVOMFLL3jT9HNLb1dY5/m0kNKkgjIgN6oJaQAOwt6PisBdn6 rQ4=
dns1.iij.ad.jp.         86400   IN      RRSIG   AAAA 8 4 86400 20110712151005 20110612151005 21105 iij.ad.jp. I+9SPQqRaum6dNFw0h0DpqfYxdWAwEiP0NB2IIHS7NGNN8UDm2riTRJU CseDp4K+gTnF1nL50TzSPBD8PK9fI9He4cqpkGrcEzeKuSolqPgp6oyV BJWkkKBEyVCqZbTrqpvqi7kfom4muUnvqme5yuhjXKUKkTAcRc5E8O+s aA0=

;; Query time: 39 msec
;; SERVER: 210.138.174.16#53(210.138.174.16)
;; WHEN: Mon Jun 13 14:13:39 2011
;; MSG SIZE  rcvd: 1198

MoinQ: watchNS/ad.jp/iij.ad.jp (last edited 2022-04-01 04:31:22 by ToshinoriMaeno)