Do the resolvers around me validate DNSSEC?
What prompted this
DNSSEC signature validation check https://t.co/leUckKrt5A
— 浸透いうな/伝播いうな/反映いうな (@tss_ontap_o) August 8, 2017
Please check whether the resolvers you can reach are validating or not. Thanks.
— DNSはインフラですか (@beyondDNS) August 8, 2017
What is dnssec-failed.org
dnssec-failed.org | DNSViz
The easiest way to see it is DNSViz, a site that visualizes the DNSSEC state of a domain.
The KSK's DNSKEY and the DS record registered in the parent zone (org) do not match, so the chain of trust is broken.
In other words, it is a domain name for which DNSSEC validation is supposed to fail.
Method
With dig:

```
$ dig +dnssec @[resolver IP] dnssec-failed.org
```

With drill:

```
$ drill -D @[resolver IP] dnssec-failed.org
```
What +dnssec does
From the dig man page:

```
+[no]dnssec
    Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query.
```
Example response from a resolver with DNSSEC validation enabled
How to enable DNSSEC – 日本Unboundユーザー会 (Japan Unbound Users Group)
An unbound configured as described there (listening on 127.0.0.1) answers with status SERVFAIL, so name resolution fails.
```
$ dig +dnssec @127.0.0.1 dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52581
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssec-failed.org.            IN      A

;; Query time: 1280 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; MSG SIZE  rcvd: 46
```
Incidentally, to tell whether a SERVFAIL is caused by DNSSEC validation or by something else, add the +cd option (Checking Disabled), which asks the resolver to skip validation.
If the name resolves with dig +cd, you know the SERVFAIL was a DNSSEC validation failure.
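The two queries above (one with +dnssec, one with +dnssec +cd) can be wrapped in a small script that prints the same two columns as the tables below, plus whether the resolver echoed the DO bit. This is an added example written for this page, not code from the original post or from dig; the function names and the output format are my own, and the live check at the end assumes dig is installed and the resolver is reachable.

```bash
#!/usr/bin/env bash
# Added example (not part of the original post): classify a resolver from the
# output of two dig queries for dnssec-failed.org. The first argument is the
# output of "dig +dnssec @resolver dnssec-failed.org", the second the output
# of the same query with +cd added. Function and field names are my own.

# RCODE from the dig header line, e.g. "status: SERVFAIL," -> SERVFAIL.
# Prints nothing if there is no header (timeout, unreachable resolver).
dig_status() {
  printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# present/none: did the response carry an RRSIG record?
dig_rrsig() {
  if printf '%s\n' "$1" | grep -Eq '[[:space:]]IN[[:space:]]+RRSIG[[:space:]]'; then
    echo present
  else
    echo none
  fi
}

# yes/no: did the resolver echo the DO bit in its OPT pseudosection ("flags: do")?
# A resolver that answers "flags:;" is not DNSSEC-aware, which is why no RRSIG comes back.
dig_do() {
  if printf '%s\n' "$1" | grep -Eq '^; EDNS: .*flags:[^;]* do[ ;]'; then
    echo yes
  else
    echo no
  fi
}

# Emit validation / RRSIG columns as in the post's tables, plus the DO bit, and use
# the +cd result to tell a validation failure apart from a resolver that is simply broken.
classify_dnssec() {
  local out_do=$1 out_cd=$2 st_do st_cd rrsig dobit
  st_do=$(dig_status "$out_do")
  st_cd=$(dig_status "$out_cd")
  rrsig=$(dig_rrsig "$out_do")
  dobit=$(dig_do "$out_do")
  case "$st_do" in
    SERVFAIL)
      if [ "$st_cd" = NOERROR ]; then
        # Fails only while checking is enabled: the resolver validates.
        echo "validation=enabled rrsig=- do=$dobit"
      else
        # Fails even with +cd: something other than validation is wrong.
        echo "validation=unknown rrsig=- do=$dobit (SERVFAIL even with +cd)"
      fi
      ;;
    NOERROR)
      # A bogus name resolved: no validation, whether or not RRSIGs were passed through.
      echo "validation=disabled rrsig=$rrsig do=$dobit"
      ;;
    *)
      echo "validation=unknown rrsig=$rrsig do=$dobit (status ${st_do:-missing})"
      ;;
  esac
}

# Live check: run both queries against one resolver (needs dig and network access).
check_resolver() {
  classify_dnssec "$(dig +dnssec @"$1" dnssec-failed.org)" \
                  "$(dig +dnssec +cd @"$1" dnssec-failed.org)"
}

# Usage: ./dnssec-check.sh 8.8.8.8
if [ "$#" -gt 0 ]; then
  check_resolver "$1"
fi
```

Run against the resolvers in this post, a validating resolver prints `validation=enabled rrsig=- do=yes`, a resolver that passes signatures through without checking them prints `validation=disabled rrsig=present do=yes`, and one that strips the DO bit prints `validation=disabled rrsig=none do=no`.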
Resolvers around me
Selection criterion: services I use or have used.
Hosting services

| Name | DNSSEC validation | RRSIG |
|---|---|---|
| IDCF cloud | disabled | none |
| ConoHa | disabled | present |
Public DNS

| Name | DNSSEC validation | RRSIG |
|---|---|---|
| Google Public DNS | enabled | - |
| OpenDNS | disabled | none |
| Verisign | enabled | - |

I plan to add more as I find them.
dig details
Note: IPs that are not public are masked.
ISP (IIJ)
```
$ dig +dnssec @***.***.***.*** dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11651
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
dnssec-failed.org.      7200    IN      A       69.252.80.75
dnssec-failed.org.      7200    IN      RRSIG   A 5 2 7200 20170820135541 20170809135041 3102 dnssec-failed.org. DR082+VURJkoeJATGvuqD4PgrrdmUj7AcKxlixQE4HO8ifvvBmgGK17y pK5PiieG9ahXh0IGF4FDlRJr381lU6uG57Al1Rklq072bOogaWxfgJST ktlyCNWVrh3jzUX7A0FpIvtKst0n3yuHYMw8N9ARHWCCYk+XRiRZrB0V 824=

;; Query time: 6 msec
;; MSG SIZE  rcvd: 239
```
ISP (nifty)
```
$ dig +dnssec @***.***.***.*** dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12174
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 21

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssec-failed.org.            IN      A

;; ANSWER SECTION:
dnssec-failed.org.      7200    IN      A       69.252.80.75
dnssec-failed.org.      7200    IN      RRSIG   A 5 2 7200 20170813135541 20170802135041 3102 dnssec-failed.org. exy8ihGkBxIqxk4SOotfqOQtvrRxFwDomnx0BR8Pm6L2eexeu/FC4Op7 PYhj6DrnNT3dmyZtTN1yig4HcjMp0FFT563nhE7aK5Tlerhd4VoYr/jx L5BVBU4aakl5HNuSqgZOE3ZyOAX7LGKTNEsDZ2eppHfsCODWkI87uv6o IHw=

;; AUTHORITY SECTION:
dnssec-failed.org.      86400   IN      NS      dns102.comcast.net.
dnssec-failed.org.      86400   IN      NS      dns101.comcast.net.
dnssec-failed.org.      86400   IN      NS      dns104.comcast.net.
dnssec-failed.org.      86400   IN      NS      dns105.comcast.net.
dnssec-failed.org.      86400   IN      NS      dns103.comcast.net.

;; ADDITIONAL SECTION:
dns101.comcast.net.     64      IN      A       69.252.250.103
dns102.comcast.net.     64      IN      A       68.87.85.132
dns103.comcast.net.     64      IN      A       68.87.76.228
dns104.comcast.net.     64      IN      A       68.87.68.244
dns105.comcast.net.     64      IN      A       68.87.72.244
dns101.comcast.net.     64      IN      AAAA    2001:558:fe23:8:69:252:250:103
dns102.comcast.net.     64      IN      AAAA    2001:558:1004:7:68:87:85:132
dns103.comcast.net.     64      IN      AAAA    2001:558:1014:c:68:87:76:228
dns104.comcast.net.     64      IN      AAAA    2001:558:100a:5:68:87:68:244
dns105.comcast.net.     64      IN      AAAA    2001:558:100e:5:68:87:72:244
dns101.comcast.net.     64      IN      RRSIG   A 5 3 7200 20170813135252 20170802134752 27912 comcast.net. pF+NsFYJKfqgRtD9FxrEHqFU0PkJh1KDYLJCtU1xGCaW9HuElgUn3rwo /xdqBYHBfMFFaVKUyvuLNypFFN1zKzn11DDTxOW/ZjnU2Z5PjSg397Bb cWc1turkAezzaOW0f6jKYU8hH73BV2JQW3p6uDzRBNBsJk6n6Tg6jBxB QMc=
dns101.comcast.net.     64      IN      RRSIG   AAAA 5 3 7200 20170813135252 20170802134752 27912 comcast.net. MBPu/sbUgTF1kQdwptQTryAHX3ZNNYi40QFYq0j1u+W8OG5nEnb5xtO8 gDfRL/mkly9oHw4mOP7rO2oKGa1x4iLTA6w36WOTQ/vxqvDrNXtdCTzA aRLebk0nJgvg0LgsBre1ESB+mr3sR8+mjka4cQzpiNv54P0XsRIDNyjI B7M=
dns102.comcast.net.     64      IN      RRSIG   A 5 3 7200 20170813135252 20170802134752 27912 comcast.net. HGhphozOfzoK7kGyGeG/hJMzowu7VQCLZeo1piA/SMDsklyEGtfo9/kN 58cZZ7q0zhROFR9PgaXRapH6EWACkZG03PTHeXHOvFltrBFdWjbM6BPl EWsxp1hNc+JfEj6k8m1CDUAGkovnwff4XW1QuTo1ST2MrB2oHJhNRBrc Vxw=
dns102.comcast.net.     64      IN      RRSIG   AAAA 5 3 7200 20170813135252 20170802134752 27912 comcast.net. M4BEM0ASRxcHMIt/cAUDVxw95SfABcIAp0xFEZ/j8d4lCtvAepK+N5gs 7ZoFdr4eVEYT3h/EXUhXbY/nt58PELkOW3TlopNc62pOZhaLCjG5NCgo GA4HhsUJV8Cl7ctPPxfHtUW+v2bXdqCh6l2wRFqpV6hmuoz3F9FT0alJ R8c=
dns103.comcast.net.     64      IN      RRSIG   A 5 3 7200 20170813135252 20170802134752 27912 comcast.net. wxTLUAyBuyBAH+H65gPznV74AtGsqRPtFh7wR7RZGrohzITOaO0SpNJ6 RAiKQzeYrgbURWNP3H6aaaFvKbg5ZslTms4jpblQIK5jy9b35DMA/8ck UFQgXzLoEjXo5kxlET+EgjR7yFt6o6vZ+/tIU+gZUezwFQRmCjOiRAYl kEk=
dns103.comcast.net.     64      IN      RRSIG   AAAA 5 3 7200 20170813135252 20170802134752 27912 comcast.net. tuY1W6YWN9tBPLG+ZZ8oUk3ATVtATKf21Wu4NNyG59DtNAGUgpF7GrHP //nJzQ0s5EmeL916q+4DcmLSPGetVzGa9rGzW+ANVcU9www1BlE9PZUH 3RrrazGpVHHxSMpBg0rAR+K4lPxjRvT4ddKfJZlqtfKY/CDLW74rQiFY Rqg=
dns104.comcast.net.     64      IN      RRSIG   A 5 3 7200 20170813135252 20170802134752 27912 comcast.net. cR8gpg/G1+AU5cMBkQEiUoXdqewM05FgC426vx1+P1aGU6SIVcCF1iPL VO9h2lz08+WmMdD8zILoK2Jck8Yo4AKzNzXifEw6BX7gXOeh0KYZjbWe Cn6d+9eTA6GGCnoT2FLxRj/SlUG1HuUzZYnGjpuNjwQaAfJRZvl/kdkm X1Q=
dns104.comcast.net.     64      IN      RRSIG   AAAA 5 3 7200 20170813135252 20170802134752 27912 comcast.net. uzaYuRcU/jKm+MRxiDBxGBUU0yGVE5VtD0kbe+AA+v8Y/zmSIZvBbGte 915Q2QEQzXbLyZU9b/FhQt8vMbTPYiu0+tLIONLbcds/+u+W+G0OaZGU 79b4oP8NjkAw6nlTjl/Uovw1GPB/1xb8pMAWpcpmg7L3ybym7nZKwPid yx0=
dns105.comcast.net.     64      IN      RRSIG   A 5 3 7200 20170813135252 20170802134752 27912 comcast.net. bM37FYZ6uWXnmvI+jSp0Ge3qKwr7aDfTcaLDIboKLQb2Pd3F0Ulg4ao6 wH8EUonzwpiLadR9WBiNH5AveHVINDRy5fw8GPku0ws8kTaW2rFcJ7W/ cvNxe/ApiTvULTmakqVWF0GkIeixy6rosjwjiim8JRQPaFEhu4vJMrca j78=
dns105.comcast.net.     64      IN      RRSIG   AAAA 5 3 7200 20170813135252 20170802134752 27912 comcast.net. odxaZLBIJjGzOcNqPyXO0tQ+fL/Rws1ctK+TQ6S7uvJbrQgwKVUt0xhg UBljV2E28Yb6qsDvx3eZmAYqnaOypEdvr89RJ77+rx38Hi2Gt+XHkgl7 7sb85AX9JB+W42r1/wbK7eAuoqbbgda7bbOPH1RBrs+jFJErUMqL/VEt kxM=

;; Query time: 133 msec
;; MSG SIZE  rcvd: 2285
```
Hosting provider (IDCF cloud)
```
$ dig +dnssec @***.***.***.*** dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20707
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1220
;; QUESTION SECTION:
;dnssec-failed.org.            IN      A

;; ANSWER SECTION:
dnssec-failed.org.      7200    IN      A       69.252.80.75

;; Query time: 129 msec
;; MSG SIZE  rcvd: 62
```

```
$ dig +dnssec @***.***.***.*** dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20678
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssec-failed.org.            IN      A

;; ANSWER SECTION:
dnssec-failed.org.      7200    IN      A       69.252.80.75
dnssec-failed.org.      7200    IN      RRSIG   A 5 2 7200 20170820135541 20170809135041 3102 dnssec-failed.org. DR082+VURJkoeJATGvuqD4PgrrdmUj7AcKxlixQE4HO8ifvvBmgGK17y pK5PiieG9ahXh0IGF4FDlRJr381lU6uG57Al1Rklq072bOogaWxfgJST ktlyCNWVrh3jzUX7A0FpIvtKst0n3yuHYMw8N9ARHWCCYk+XRiRZrB0V 824=

;; Query time: 142 msec
;; MSG SIZE  rcvd: 239
```
Public DNS (Google Public DNS)
```
$ dig +dnssec @8.8.8.8 dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1303
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;dnssec-failed.org.            IN      A

;; Query time: 436 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; MSG SIZE  rcvd: 46
```
Public DNS (OpenDNS)
```
$ dig +dnssec @208.67.222.222 dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64208
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dnssec-failed.org.            IN      A

;; ANSWER SECTION:
dnssec-failed.org.      7200    IN      A       69.252.80.75

;; Query time: 176 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; MSG SIZE  rcvd: 62
```
Public DNS (Verisign)
```
# dig +dnssec @64.6.64.6 dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48287
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;dnssec-failed.org.            IN      A

;; Query time: 429 msec
;; SERVER: 64.6.64.6#53(64.6.64.6)
;; MSG SIZE  rcvd: 46
```