Something Like a Blog by a Yutori-Generation Infra Engineer

A fledgling infrastructure engineer's blog

Do the resolvers around me perform DNSSEC validation?

Motivation


What is dnssec-failed.org?

dnssec-failed.org | DNSViz
The easiest way to see it is DNSViz, a site that visualises the DNSSEC state of a zone.
The KSK's DNSKEY and the DS record registered in the parent zone (org) do not match, so the chain of trust is broken.
In other words, it is a domain name for which DNSSEC validation is supposed to fail.

Method

With dig:

$ dig +dnssec @[resolver IP] dnssec-failed.org

With drill:

$ drill -D @[resolver IP] dnssec-failed.org

What is +dnssec?

From the dig man page:

+[no]dnssec

Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query.

Example response from a resolver with DNSSEC validation enabled

How to enable DNSSEC – Japan Unbound Users Group
An unbound configured as in the article above (listening on 127.0.0.1) returns status SERVFAIL, so name resolution fails.

$ dig +dnssec @127.0.0.1 dnssec-failed.org

; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52581
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssec-failed.org.             IN      A

;; Query time: 1280 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; MSG SIZE  rcvd: 46

Incidentally, to tell whether a SERVFAIL is caused by DNSSEC validation or by something else, add the +cd (Checking Disabled) option.
If the name resolves with dig +cd, you know that DNSSEC validation is what is failing.
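As an added example (not part of the original post), the following Python script encodes the decision rule above: it parses the text dig prints for dnssec-failed.org, reads the rcode, the echoed DO flag and whether an RRSIG came back, and maps them onto the validation/RRSIG columns of the tables further down; given the +cd output it also applies the tip above. The sample outputs are constructed, trimmed copies of the post's dig output, and the probe() helper that runs dig live is mine, not the post's.

```python
import re
import subprocess

# Constructed, trimmed copies of the three kinds of dig output in the post.
VALIDATING = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52581
; EDNS: version: 0, flags: do; udp: 4096
;dnssec-failed.org.             IN      A
"""
PASSTHROUGH = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12174
; EDNS: version: 0, flags: do; udp: 4096
dnssec-failed.org.      7200    IN      A       69.252.80.75
dnssec-failed.org.      7200    IN      RRSIG   A 5 2 7200 20170813135541 20170802135041 3102 dnssec-failed.org. <sig omitted>
"""
NO_DNSSEC = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20707
; EDNS: version: 0, flags:; udp: 1220
dnssec-failed.org.      7200    IN      A       69.252.80.75
"""

def parse_dig(text):
    """Return (rcode, do_bit_echoed, rrsig_present) from dig's text output."""
    m = re.search(r"status: (\w+)", text)
    rcode = m.group(1) if m else None
    edns = re.search(r"^; EDNS: .*?flags:([^;]*)", text, re.M)   # OPT pseudosection
    do_bit = bool(edns and "do" in edns.group(1).split())
    rrsig = bool(re.search(r"^\S+\s+\d+\s+IN\s+RRSIG\s", text, re.M))
    return rcode, do_bit, rrsig

def classify(dnssec_out, cd_out=None):
    """Map output for dnssec-failed.org onto the post's table columns.
    cd_out is the same query with +cd; if that is not NOERROR either, the
    SERVFAIL is not a validation failure (the post's +cd tip)."""
    rcode, _do_bit, rrsig = parse_dig(dnssec_out)
    if rcode == "SERVFAIL":
        if cd_out is not None and parse_dig(cd_out)[0] != "NOERROR":
            return "SERVFAIL with +cd too: not a DNSSEC failure"
        return "validation: enabled"
    if rcode == "NOERROR":
        return "validation: disabled, RRSIG: " + ("yes" if rrsig else "no")
    return f"unexpected rcode {rcode}"

def probe(resolver, qname="dnssec-failed.org"):
    """Run both digs against a live resolver and classify (needs network)."""
    def dig(*opts):
        cmd = ["dig", *opts, f"@{resolver}", qname]
        return subprocess.run(cmd, capture_output=True, text=True).stdout
    return classify(dig("+dnssec"), dig("+dnssec", "+cd"))

if __name__ == "__main__":
    for name, out in [("unbound", VALIDATING), ("nifty", PASSTHROUGH), ("IDCF", NO_DNSSEC)]:
        print(f"{name}: {classify(out)}")
```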

Resolvers around me

Resolver selection criterion: services I use or have used

ISP

Name    DNSSEC validation    RRSIG
IIJ     disabled             present
nifty   disabled             present

Hosting services

Name        DNSSEC validation    RRSIG
IDCF cloud  disabled             absent
ConoHa      disabled             present

Public DNS

Name               DNSSEC validation    RRSIG
Google Public DNS  enabled              -
OpenDNS            disabled             absent
Verisign           enabled              -

I plan to add more as I find them.

dig details

Note: IP addresses are masked except for those that are public.

ISP (IIJ)

$ dig +dnssec @***.***.***.*** dnssec-failed.org

; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11651
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
dnssec-failed.org.      7200    IN      A       69.252.80.75
dnssec-failed.org.      7200    IN      RRSIG   A 5 2 7200 20170820135541 20170809135041 3102 dnssec-failed.org. DR082+VURJkoeJATGvuqD4PgrrdmUj7AcKxlixQE4HO8ifvvBmgGK17y pK5PiieG9ahXh0IGF4FDlRJr381lU6uG57Al1Rklq072bOogaWxfgJST ktlyCNWVrh3jzUX7A0FpIvtKst0n3yuHYMw8N9ARHWCCYk+XRiRZrB0V 824=

;; Query time: 6 msec
;; MSG SIZE  rcvd: 239

ISP (nifty)

$ dig +dnssec @***.***.***.*** dnssec-failed.org

; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12174
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 21

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssec-failed.org.             IN      A

;; ANSWER SECTION:
dnssec-failed.org.      7200    IN      A       69.252.80.75
dnssec-failed.org.      7200    IN      RRSIG   A 5 2 7200 20170813135541 20170802135041 3102 dnssec-failed.org. exy8ihGkBxIqxk4SOotfqOQtvrRxFwDomnx0BR8Pm6L2eexeu/FC4Op7 PYhj6DrnNT3dmyZtTN1yig4HcjMp0FFT563nhE7aK5Tlerhd4VoYr/jx L5BVBU4aakl5HNuSqgZOE3ZyOAX7LGKTNEsDZ2eppHfsCODWkI87uv6o IHw=

;; AUTHORITY SECTION:
dnssec-failed.org.      86400   IN      NS      dns102.comcast.net.
dnssec-failed.org.      86400   IN      NS      dns101.comcast.net.
dnssec-failed.org.      86400   IN      NS      dns104.comcast.net.
dnssec-failed.org.      86400   IN      NS      dns105.comcast.net.
dnssec-failed.org.      86400   IN      NS      dns103.comcast.net.

;; ADDITIONAL SECTION:
dns101.comcast.net.     64      IN      A       69.252.250.103
dns102.comcast.net.     64      IN      A       68.87.85.132
dns103.comcast.net.     64      IN      A       68.87.76.228
dns104.comcast.net.     64      IN      A       68.87.68.244
dns105.comcast.net.     64      IN      A       68.87.72.244
dns101.comcast.net.     64      IN      AAAA    2001:558:fe23:8:69:252:250:103
dns102.comcast.net.     64      IN      AAAA    2001:558:1004:7:68:87:85:132
dns103.comcast.net.     64      IN      AAAA    2001:558:1014:c:68:87:76:228
dns104.comcast.net.     64      IN      AAAA    2001:558:100a:5:68:87:68:244
dns105.comcast.net.     64      IN      AAAA    2001:558:100e:5:68:87:72:244
dns101.comcast.net.     64      IN      RRSIG   A 5 3 7200 20170813135252 20170802134752 27912 comcast.net. pF+NsFYJKfqgRtD9FxrEHqFU0PkJh1KDYLJCtU1xGCaW9HuElgUn3rwo /xdqBYHBfMFFaVKUyvuLNypFFN1zKzn11DDTxOW/ZjnU2Z5PjSg397Bb cWc1turkAezzaOW0f6jKYU8hH73BV2JQW3p6uDzRBNBsJk6n6Tg6jBxB QMc=
dns101.comcast.net.     64      IN      RRSIG   AAAA 5 3 7200 20170813135252 20170802134752 27912 comcast.net. MBPu/sbUgTF1kQdwptQTryAHX3ZNNYi40QFYq0j1u+W8OG5nEnb5xtO8 gDfRL/mkly9oHw4mOP7rO2oKGa1x4iLTA6w36WOTQ/vxqvDrNXtdCTzA aRLebk0nJgvg0LgsBre1ESB+mr3sR8+mjka4cQzpiNv54P0XsRIDNyjI B7M=
dns102.comcast.net.     64      IN      RRSIG   A 5 3 7200 20170813135252 20170802134752 27912 comcast.net. HGhphozOfzoK7kGyGeG/hJMzowu7VQCLZeo1piA/SMDsklyEGtfo9/kN 58cZZ7q0zhROFR9PgaXRapH6EWACkZG03PTHeXHOvFltrBFdWjbM6BPl EWsxp1hNc+JfEj6k8m1CDUAGkovnwff4XW1QuTo1ST2MrB2oHJhNRBrc Vxw=
dns102.comcast.net.     64      IN      RRSIG   AAAA 5 3 7200 20170813135252 20170802134752 27912 comcast.net. M4BEM0ASRxcHMIt/cAUDVxw95SfABcIAp0xFEZ/j8d4lCtvAepK+N5gs 7ZoFdr4eVEYT3h/EXUhXbY/nt58PELkOW3TlopNc62pOZhaLCjG5NCgo GA4HhsUJV8Cl7ctPPxfHtUW+v2bXdqCh6l2wRFqpV6hmuoz3F9FT0alJ R8c=
dns103.comcast.net.     64      IN      RRSIG   A 5 3 7200 20170813135252 20170802134752 27912 comcast.net. wxTLUAyBuyBAH+H65gPznV74AtGsqRPtFh7wR7RZGrohzITOaO0SpNJ6 RAiKQzeYrgbURWNP3H6aaaFvKbg5ZslTms4jpblQIK5jy9b35DMA/8ck UFQgXzLoEjXo5kxlET+EgjR7yFt6o6vZ+/tIU+gZUezwFQRmCjOiRAYl kEk=
dns103.comcast.net.     64      IN      RRSIG   AAAA 5 3 7200 20170813135252 20170802134752 27912 comcast.net. tuY1W6YWN9tBPLG+ZZ8oUk3ATVtATKf21Wu4NNyG59DtNAGUgpF7GrHP //nJzQ0s5EmeL916q+4DcmLSPGetVzGa9rGzW+ANVcU9www1BlE9PZUH 3RrrazGpVHHxSMpBg0rAR+K4lPxjRvT4ddKfJZlqtfKY/CDLW74rQiFY Rqg=
dns104.comcast.net.     64      IN      RRSIG   A 5 3 7200 20170813135252 20170802134752 27912 comcast.net. cR8gpg/G1+AU5cMBkQEiUoXdqewM05FgC426vx1+P1aGU6SIVcCF1iPL VO9h2lz08+WmMdD8zILoK2Jck8Yo4AKzNzXifEw6BX7gXOeh0KYZjbWe Cn6d+9eTA6GGCnoT2FLxRj/SlUG1HuUzZYnGjpuNjwQaAfJRZvl/kdkm X1Q=
dns104.comcast.net.     64      IN      RRSIG   AAAA 5 3 7200 20170813135252 20170802134752 27912 comcast.net. uzaYuRcU/jKm+MRxiDBxGBUU0yGVE5VtD0kbe+AA+v8Y/zmSIZvBbGte 915Q2QEQzXbLyZU9b/FhQt8vMbTPYiu0+tLIONLbcds/+u+W+G0OaZGU 79b4oP8NjkAw6nlTjl/Uovw1GPB/1xb8pMAWpcpmg7L3ybym7nZKwPid yx0=
dns105.comcast.net.     64      IN      RRSIG   A 5 3 7200 20170813135252 20170802134752 27912 comcast.net. bM37FYZ6uWXnmvI+jSp0Ge3qKwr7aDfTcaLDIboKLQb2Pd3F0Ulg4ao6 wH8EUonzwpiLadR9WBiNH5AveHVINDRy5fw8GPku0ws8kTaW2rFcJ7W/ cvNxe/ApiTvULTmakqVWF0GkIeixy6rosjwjiim8JRQPaFEhu4vJMrca j78=
dns105.comcast.net.     64      IN      RRSIG   AAAA 5 3 7200 20170813135252 20170802134752 27912 comcast.net. odxaZLBIJjGzOcNqPyXO0tQ+fL/Rws1ctK+TQ6S7uvJbrQgwKVUt0xhg UBljV2E28Yb6qsDvx3eZmAYqnaOypEdvr89RJ77+rx38Hi2Gt+XHkgl7 7sb85AX9JB+W42r1/wbK7eAuoqbbgda7bbOPH1RBrs+jFJErUMqL/VEt kxM=

;; Query time: 133 msec
;; MSG SIZE  rcvd: 2285

Hosting provider (IDCF cloud)

$ dig +dnssec @***.***.***.*** dnssec-failed.org

; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20707
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1220
;; QUESTION SECTION:
;dnssec-failed.org.             IN      A

;; ANSWER SECTION:
dnssec-failed.org.      7200    IN      A       69.252.80.75

;; Query time: 129 msec
;; MSG SIZE  rcvd: 62

$ dig +dnssec @***.***.***.*** dnssec-failed.org

; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20678
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssec-failed.org.             IN      A

;; ANSWER SECTION:
dnssec-failed.org.      7200    IN      A       69.252.80.75
dnssec-failed.org.      7200    IN      RRSIG   A 5 2 7200 20170820135541 20170809135041 3102 dnssec-failed.org. DR082+VURJkoeJATGvuqD4PgrrdmUj7AcKxlixQE4HO8ifvvBmgGK17y pK5PiieG9ahXh0IGF4FDlRJr381lU6uG57Al1Rklq072bOogaWxfgJST ktlyCNWVrh3jzUX7A0FpIvtKst0n3yuHYMw8N9ARHWCCYk+XRiRZrB0V 824=

;; Query time: 142 msec
;; MSG SIZE  rcvd: 239

Public DNS (Google Public DNS)

$ dig +dnssec @8.8.8.8 dnssec-failed.org

; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1303
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;dnssec-failed.org.             IN      A

;; Query time: 436 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; MSG SIZE  rcvd: 46

Public DNS (OpenDNS)

$ dig +dnssec @208.67.222.222 dnssec-failed.org

; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64208
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dnssec-failed.org.             IN      A

;; ANSWER SECTION:
dnssec-failed.org.      7200    IN      A       69.252.80.75

;; Query time: 176 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; MSG SIZE  rcvd: 62

Public DNS (Verisign)

# dig +dnssec @64.6.64.6 dnssec-failed.org

; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48287
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;dnssec-failed.org.             IN      A

;; Query time: 429 msec
;; SERVER: 64.6.64.6#53(64.6.64.6)
;; MSG SIZE  rcvd: 46