## page was renamed from watchNS/iij.ad.jp
## page was renamed from DNS/watch/iij.ad.jp

What exactly does DNSSEC protect? Let us work through it using the records registered for iij.ad.jp as an example.

$ dig +dnssec ns iij.ad.jp @a.dns.jp
{{{
; <<>> DiG 9.7.3 <<>> +dnssec ns iij.ad.jp @a.dns.jp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47379
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 5
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;iij.ad.jp.                     IN      NS

;; AUTHORITY SECTION:
iij.ad.jp.              86400   IN      NS      dns1.iij.ad.jp.
iij.ad.jp.              86400   IN      NS      dns0.iij.ad.jp.
iij.ad.jp.              86400   IN      DS      38536 8 1 E4BD7DEDEE6E2320409E6E23D16A35F924DD505B
iij.ad.jp.              86400   IN      DS      38536 8 2 7F8502A41EA1C844FFBFC556BE24BC81DB6EDC255B929EB0B6B2B74C F55FEE72
iij.ad.jp.              86400   IN      RRSIG   DS 8 3 86400 20110704174503 20110604174503 3189 jp. kL4WAoVZYJ6OdOLm78ZlLWht2WJkADB6b+N/ybkqbL7dPS4MVWm5yOcQ UP2Hr6C4Vqh1h3zj5Ql1zv+dtofVatakH/KDtOv3FtTCohDgOFqE9fqS 0ntKvpjLF5RF8o7TNMEStlEhJcweVSSfvu7g33cSBenGW6xLcHIDHTiX DaU=

;; ADDITIONAL SECTION:
dns0.iij.ad.jp.         86400   IN      A       210.138.174.16
dns0.iij.ad.jp.         86400   IN      AAAA    2001:240:bb41:8002::1:16
dns1.iij.ad.jp.         86400   IN      A       210.138.175.5
dns1.iij.ad.jp.         86400   IN      AAAA    2001:240:bb4c:8000::1:5

;; Query time: 37 msec
;; SERVER: 203.119.1.1#53(203.119.1.1)
;; WHEN: Sat Jun 11 21:43:23 2011
;; MSG SIZE  rcvd: 410
}}}

Because a DS record for iij.ad.jp is registered at the JP name servers, we can confirm that iij.ad.jp is running DNSSEC.

== Only the DS carries an RRSIG ==

In response to the NS query, a referral comes back that includes the DS records, and the DS RRset has an RRSIG. The NS records and the A/AAAA records in the additional section, however, have none. This NS+A data could therefore be forged (as pointed out by DJB). The reply to a query for the A record of www.iij.ad.jp sent to the same server looks the same.

-- ToshinoriMaeno

Assuming the information above has been cached, how one would get forged information for www.iij.ad.jp into that cache is left as an exercise. It may be possible to abuse the fact that delegation information carries no RRSIG. If that is possible, it would mean a flaw has been found in DNSSEC.

== Querying an A record ==

$ dnsq a dns0.iij.ad.jp a.dns.jp
{{{
1 dns0.iij.ad.jp:
153 bytes, 1+0+2+4 records, response, noerror
query: 1 dns0.iij.ad.jp
authority: iij.ad.jp 86400 NS dns1.iij.ad.jp
authority: iij.ad.jp 86400 NS dns0.iij.ad.jp
additional: dns0.iij.ad.jp 86400 A 210.138.174.16
additional: dns0.iij.ad.jp 86400 28 \040\001\002@\273A\200\002\000\000\000\000\000\001\000\026
additional: dns1.iij.ad.jp 86400 A 210.138.175.5
additional: dns1.iij.ad.jp 86400 28 \040\001\002@\273L\200\000\000\000\000\000\000\001\000\005
}}}

There is no answer section; the A/AAAA records appear only in the additional section. a.dns.jp is not authoritative for iij.ad.jp, so it answers with a referral and the addresses are returned as glue. (This is BIND's behaviour; djbdns/tinydns behaves differently.)

-- ToshinoriMaeno

Asking one of the iij.ad.jp servers itself gives an authoritative answer:

$ dig +dnssec a dns0.iij.ad.jp @210.138.174.16
{{{
; <<>> DiG 9.7.3 <<>> +dnssec a dns0.iij.ad.jp @210.138.174.16
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48541
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 7
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dns0.iij.ad.jp.                IN      A

;; ANSWER SECTION:
dns0.iij.ad.jp.         86400   IN      A       210.138.174.16
dns0.iij.ad.jp.         86400   IN      RRSIG   A 8 4 86400 20110712151005 20110612151005 21105 iij.ad.jp. QJ2P4HAnje/Cgl46ofEiyr0ZdLGFeRH7TAb5TUtujZWtMbvESVFuBDJq qPcI9wko/zp2AIZG17+cErjbya8UsFohzc7GQNWpXjkosyCwGufRnEu2 /RaA15hbxmQY+M5e4vZ5ZhSfK1pnmyDOCxQirklR7FQExe+/OAxuLLXi K/0=

;; AUTHORITY SECTION:
iij.ad.jp.              604800  IN      NS      dns1.iij.ad.jp.
iij.ad.jp.              604800  IN      NS      dns0.iij.ad.jp.
iij.ad.jp.              604800  IN      RRSIG   NS 8 3 604800 20110712151005 20110612151005 21105 iij.ad.jp. Te6HTPTdff1y7xWMXV5Cf4lEoOqmMB5msofIT6/WZMq32gtm9Tyl+/+M o9OZrCCa28wY5QjaJ5gA3irT8YhC8+9k9O+dko1m6exwg/Xa0jY/r9To 5+FOEjzq6/CetH2rOC0g0Y9Eeem57LfwQIXfZtH7J8jnu9qlURS7E1PH hPk=

;; ADDITIONAL SECTION:
dns0.iij.ad.jp.         86400   IN      AAAA    2001:240:bb41:8002::1:16
dns1.iij.ad.jp.         86400   IN      A       210.138.175.5
dns1.iij.ad.jp.         86400   IN      AAAA    2001:240:bb4c:8000::1:5
dns0.iij.ad.jp.         86400   IN      RRSIG   AAAA 8 4 86400 20110712151005 20110612151005 21105 iij.ad.jp. BFEms4x2hIHO3Dk61xT4w3BxPM12uBqjgdHAtTgiM72RZYLnZ0mqEgjO HGbWfyKKSE2D0h74o2TPPRarB3y1e/rbJqSfbfUozIdb5e0t8qKmTtc0 d9iFsspjW+Rys5TQx3Iw+reuvKHdJbbCCXeNRmUKu97Ixig6nDO7JUni OZ4=
dns1.iij.ad.jp.         86400   IN      RRSIG   A 8 4 86400 20110712151005 20110612151005 21105 iij.ad.jp. NqcDzwI/OEzWfSbjEgdyG8OPiDdj5nxPMTJ1L8IJASfXpjjQbHaEyt/9 +jKq+vyJvUuspxvjv3kecQjT7598MaeKXdqTfaK3pHfnrqozafCaFIML w8hihkCXSVOMFLL3jT9HNLb1dY5/m0kNKkgjIgN6oJaQAOwt6PisBdn6 rQ4=
dns1.iij.ad.jp.         86400   IN      RRSIG   AAAA 8 4 86400 20110712151005 20110612151005 21105 iij.ad.jp. I+9SPQqRaum6dNFw0h0DpqfYxdWAwEiP0NB2IIHS7NGNN8UDm2riTRJU CseDp4K+gTnF1nL50TzSPBD8PK9fI9He4cqpkGrcEzeKuSolqPgp6oyV BJWkkKBEyVCqZbTrqpvqi7kfom4muUnvqme5yuhjXKUKkTAcRc5E8O+s aA0=

;; Query time: 39 msec
;; SERVER: 210.138.174.16#53(210.138.174.16)
;; WHEN: Mon Jun 13 14:11:43 2011
;; MSG SIZE  rcvd: 1009
}}}

Here every RRset, the A, AAAA and NS records alike, is accompanied by an RRSIG signed under the iij.ad.jp key (key tag 21105). This is what the DS at the parent ultimately vouches for; the unsigned NS and glue in the JP referral are not.

== www.iij.ad.jp ==

$ dig +dnssec a www.iij.ad.jp @210.138.174.16
{{{
; <<>> DiG 9.7.3 <<>> +dnssec a www.iij.ad.jp @210.138.174.16
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35571
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 9
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.iij.ad.jp.                 IN      A

;; ANSWER SECTION:
www.iij.ad.jp.          300     IN      A       210.130.137.80
www.iij.ad.jp.          300     IN      RRSIG   A 8 4 300 20110712151005 20110612151005 21105 iij.ad.jp. LzPKkFl2alkBILTeBWmPksjmYYJLmn2jkuDpKbIUCYFzx6RK/zCVbMSU fzFJnwedp9DkxNYLiewySu6OFMEPCHlsX9KHHiqhgaZIpCKDtKDCgXXS AJt6twRFiYkswy5of4jY8htBzzow17oCzPCHa9EnXHJRH/IReegcr166 eko=

;; AUTHORITY SECTION:
iij.ad.jp.              604800  IN      NS      dns1.iij.ad.jp.
iij.ad.jp.              604800  IN      NS      dns0.iij.ad.jp.
iij.ad.jp.              604800  IN      RRSIG   NS 8 3 604800 20110712151005 20110612151005 21105 iij.ad.jp. Te6HTPTdff1y7xWMXV5Cf4lEoOqmMB5msofIT6/WZMq32gtm9Tyl+/+M o9OZrCCa28wY5QjaJ5gA3irT8YhC8+9k9O+dko1m6exwg/Xa0jY/r9To 5+FOEjzq6/CetH2rOC0g0Y9Eeem57LfwQIXfZtH7J8jnu9qlURS7E1PH hPk=

;; ADDITIONAL SECTION:
dns0.iij.ad.jp.         86400   IN      A       210.138.174.16
dns0.iij.ad.jp.         86400   IN      AAAA    2001:240:bb41:8002::1:16
dns1.iij.ad.jp.         86400   IN      A       210.138.175.5
dns1.iij.ad.jp.         86400   IN      AAAA    2001:240:bb4c:8000::1:5
dns0.iij.ad.jp.         86400   IN      RRSIG   A 8 4 86400 20110712151005 20110612151005 21105 iij.ad.jp. QJ2P4HAnje/Cgl46ofEiyr0ZdLGFeRH7TAb5TUtujZWtMbvESVFuBDJq qPcI9wko/zp2AIZG17+cErjbya8UsFohzc7GQNWpXjkosyCwGufRnEu2 /RaA15hbxmQY+M5e4vZ5ZhSfK1pnmyDOCxQirklR7FQExe+/OAxuLLXi K/0=
dns0.iij.ad.jp.         86400   IN      RRSIG   AAAA 8 4 86400 20110712151005 20110612151005 21105 iij.ad.jp. BFEms4x2hIHO3Dk61xT4w3BxPM12uBqjgdHAtTgiM72RZYLnZ0mqEgjO HGbWfyKKSE2D0h74o2TPPRarB3y1e/rbJqSfbfUozIdb5e0t8qKmTtc0 d9iFsspjW+Rys5TQx3Iw+reuvKHdJbbCCXeNRmUKu97Ixig6nDO7JUni OZ4=
dns1.iij.ad.jp.         86400   IN      RRSIG   A 8 4 86400 20110712151005 20110612151005 21105 iij.ad.jp. NqcDzwI/OEzWfSbjEgdyG8OPiDdj5nxPMTJ1L8IJASfXpjjQbHaEyt/9 +jKq+vyJvUuspxvjv3kecQjT7598MaeKXdqTfaK3pHfnrqozafCaFIML w8hihkCXSVOMFLL3jT9HNLb1dY5/m0kNKkgjIgN6oJaQAOwt6PisBdn6 rQ4=
dns1.iij.ad.jp.         86400   IN      RRSIG   AAAA 8 4 86400 20110712151005 20110612151005 21105 iij.ad.jp. I+9SPQqRaum6dNFw0h0DpqfYxdWAwEiP0NB2IIHS7NGNN8UDm2riTRJU CseDp4K+gTnF1nL50TzSPBD8PK9fI9He4cqpkGrcEzeKuSolqPgp6oyV BJWkkKBEyVCqZbTrqpvqi7kfom4muUnvqme5yuhjXKUKkTAcRc5E8O+s aA0=

;; Query time: 39 msec
;; SERVER: 210.138.174.16#53(210.138.174.16)
;; WHEN: Mon Jun 13 14:13:39 2011
;; MSG SIZE  rcvd: 1198
}}}

The picture is the same for www.iij.ad.jp: the A answer is signed, and so are the zone's NS RRset and the name servers' A/AAAA records in the additional section. Only the referral handed out by the parent (NS plus glue) is unsigned.
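The contrast between the JP referral (only the DS signed) and the authoritative answers (every RRset signed) is what a validating resolver acts on: DNSSEC deliberately leaves the delegation NS RRset and glue at the parent unsigned (RFC 4035 section 2.2), uses them only to locate the child's servers, and accepts a final answer only if its RRSIG verifies under a DNSKEY that chains to the signed DS. A forged referral can send the resolver to the wrong server, or poison a cache that does not validate, but it cannot produce an answer that validates. The following script is an added example, not code from the original page: it parses dig output such as the responses above, reports which RRsets carry an RRSIG and which do not, and applies two of a validator's non-cryptographic checks (signature validity window, RRSIG label count). The two response texts are constructed from the records shown on the page; the base64 signatures in the second sample are truncated because the script does not verify signature bytes (that would need the zone's DNSKEY, which the page does not show).

```python
"""Which RRsets in a DNS response are actually covered by an RRSIG?

Added example (not code from the original page). Parses dig's presentation
format, pairs every RRset with the RRSIG covering it, and applies the
validity-window and label-count checks of RFC 4035 5.3.1.
"""
import re
from datetime import datetime

# Constructed input: the referral a.dns.jp returned for "NS iij.ad.jp" on the
# page. Only the DS RRset carries an RRSIG; the NS RRset and glue do not.
REFERRAL = """
;; AUTHORITY SECTION:
iij.ad.jp.  86400 IN NS dns1.iij.ad.jp.
iij.ad.jp.  86400 IN NS dns0.iij.ad.jp.
iij.ad.jp.  86400 IN DS 38536 8 1 E4BD7DEDEE6E2320409E6E23D16A35F924DD505B
iij.ad.jp.  86400 IN DS 38536 8 2 7F8502A41EA1C844FFBFC556BE24BC81DB6EDC255B929EB0B6B2B74C
        F55FEE72
iij.ad.jp.  86400 IN RRSIG DS 8 3 86400 20110704174503 20110604174503 3189 jp. kL4WAoVZYJ6OdOLm78ZlLWht2WJkADB6b+N/ybkqbL7dPS4MVWm5yOcQ
        UP2Hr6C4Vqh1h3zj5Ql1zv+dtofVatakH/KDtOv3FtTCohDgOFqE9fqS
        0ntKvpjLF5RF8o7TNMEStlEhJcweVSSfvu7g33cSBenGW6xLcHIDHTiX
        DaU=
;; ADDITIONAL SECTION:
dns0.iij.ad.jp. 86400 IN A 210.138.174.16
dns0.iij.ad.jp. 86400 IN AAAA 2001:240:bb41:8002::1:16
dns1.iij.ad.jp. 86400 IN A 210.138.175.5
dns1.iij.ad.jp. 86400 IN AAAA 2001:240:bb4c:8000::1:5
"""

# Constructed input: the authoritative answer dns0.iij.ad.jp gave for its own
# A record on the page. Signature base64 truncated; its bytes are not parsed.
AUTH_ANSWER = """
;; ANSWER SECTION:
dns0.iij.ad.jp. 86400 IN A 210.138.174.16
dns0.iij.ad.jp. 86400 IN RRSIG A 8 4 86400 20110712151005 20110612151005 21105 iij.ad.jp. QJ2P...
;; AUTHORITY SECTION:
iij.ad.jp.  604800 IN NS dns1.iij.ad.jp.
iij.ad.jp.  604800 IN NS dns0.iij.ad.jp.
iij.ad.jp.  604800 IN RRSIG NS 8 3 604800 20110712151005 20110612151005 21105 iij.ad.jp. Te6H...
"""


def parse_dig(text):
    """Return [(section, owner, ttl, rtype, rdata_tokens)] from dig output.
    Indented continuation lines (dig wraps long RDATA) extend the previous record."""
    records, section = [], None
    for line in text.splitlines():
        m = re.match(r';; (\w+) SECTION:', line)
        if m:
            section = m.group(1)
        elif not line.strip() or line.startswith(';'):
            continue                      # blank line or dig comment
        elif line[0].isspace():
            records[-1][4].extend(line.split())
        else:
            owner, ttl, _cls, rtype, *rdata = line.split()
            records.append((section, owner, int(ttl), rtype, rdata))
    return records


def coverage(records):
    """Map each non-RRSIG RRset (owner, type) to the RRSIG RDATA covering it, or None."""
    rrsets, sigs = {}, {}
    for _section, owner, _ttl, rtype, rdata in records:
        if rtype == 'RRSIG':
            sigs[(owner, rdata[0])] = rdata   # rdata[0] is the covered type
        else:
            rrsets[(owner, rtype)] = True
    return {key: sigs.get(key) for key in rrsets}


def unsigned_rrsets(records):
    """RRsets a validator cannot check at all: in a referral, the NS RRset and glue."""
    return sorted(k for k, sig in coverage(records).items() if sig is None)


def rrsig_valid_at(rdata, when):
    """RFC 4034 3.2 order: type alg labels origttl expiration inception keytag signer sig.
    `when` is a YYYYMMDDHHMMSS UTC string, the same format RRSIG uses."""
    ts = lambda s: datetime.strptime(s, '%Y%m%d%H%M%S')
    return ts(rdata[5]) <= ts(when) <= ts(rdata[4])


def is_wildcard_expansion(owner, rdata):
    """RFC 4035 5.3.1: an RRSIG labels field smaller than the owner's label
    count means the RRset was synthesized from a wildcard."""
    owner_labels = len([lab for lab in owner.rstrip('.').split('.') if lab])
    return int(rdata[2]) < owner_labels


def report(text, when):
    """One human-readable line per RRset in the response."""
    lines = []
    for (owner, rtype), sig in coverage(parse_dig(text)).items():
        if sig is None:
            lines.append(f'{owner} {rtype}: UNSIGNED (usable only as a hint)')
        else:
            ok = 'valid' if rrsig_valid_at(sig, when) else 'OUTSIDE VALIDITY WINDOW'
            lines.append(f'{owner} {rtype}: RRSIG by {sig[7]} key tag {sig[6]}, window {ok}')
    return lines


if __name__ == '__main__':
    # Constructed timestamp near the page's first query (2011-06-11, in UTC).
    for text in (REFERRAL, AUTH_ANSWER):
        print('\n'.join(report(text, '20110611124323')), end='\n\n')
```

Run against the referral, the report marks the NS RRset and all four glue records UNSIGNED and the DS as covered by the jp. key (tag 3189); run against the authoritative answer, nothing is unsigned. Swapping in a different `when` shows the other way a signed answer fails: once the inception/expiration window has passed, the RRSIG is rejected regardless of whether the bytes are genuine.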