Enabling DNSSEC

Let's try making barasu.org DNSSEC-enabled.

First, generate the public/private key pair. It takes a while, so just sit back and wait. Well, dnssec-keygen apparently uses /dev/random for its randomness, so it is only natural that it takes time.

# /usr/sbin/dnssec-keygen -a RSAMD5 -b 512 -n ZONE barasu.org.
Kbarasu.org.+001+46385

Add the public key to the zone file as a KEY record. In my case, I appended Kbarasu.org.*.key to /var/named/chroot/var/named/master/barasu.org.

Sign the zone.

# /usr/sbin/dnssec-signzone -o barasu.org. barasu.org barasu.org.signed

Edit named.conf: add trusted-keys.

trusted-keys {
    barasu.org. 256 3 1 "AwEAAflwBup8+(omitted)";
};

Add dnssec-enable inside the options block.

dnssec-enable yes;

Change the zone's file to the signed file (barasu.org.signed).

zone "barasu.org" {
    allow-query { any; };
    type master;
    file "master/barasu.org.signed";
};

Restart DNS.

/etc/rc.d/init.d/named restart
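The same keygen / sign / deploy procedure as above, written as an added example that is not part of the original post, with the parameters a defender would pick today: ECDSAP256SHA256 instead of RSAMD5/512, a separate KSK and ZSK, smart signing so the key files do not have to be pasted into the zone, and a verification pass before named is reloaded. It assumes BIND 9.9 or later (for dnssec-signzone -S and dnssec-verify); the directory layout mirrors the post's chroot paths, and the key directory, the sample signed-zone fragment and its base64 material are assumptions or placeholders, not real data.

```shell
#!/bin/sh
# Added example, not the post's own commands: keygen/sign/verify/deploy with
# modern parameters. Paths are assumptions modelled on the post's chroot layout.
set -eu

ZONE=barasu.org
NAMED_DIR=/var/named/chroot/var/named      # assumed, as in the post
ZONEFILE=$NAMED_DIR/master/$ZONE
KEYDIR=$NAMED_DIR/keys                     # assumed location for K*.key / K*.private
ALG=ECDSAP256SHA256                        # RFC 8624: MUST for signing new zones

# Step 1: one KSK (flag 257) and one ZSK (flag 256). ECDSA P-256 key
# generation is quick, so the long wait the post describes for RSA goes away.
make_keys() {
    mkdir -p "$KEYDIR"
    dnssec-keygen -a "$ALG" -n ZONE -f KSK -K "$KEYDIR" "$ZONE"
    dnssec-keygen -a "$ALG" -n ZONE       -K "$KEYDIR" "$ZONE"
}

# Steps 2-3: smart signing (-S) publishes every matching DNSKEY it finds in
# -K, so nothing is pasted into the zone file by hand; -N increment bumps the
# SOA serial so secondaries pick up the signed zone.
sign_zone() {
    dnssec-signzone -S -K "$KEYDIR" -o "$ZONE" -N increment \
        -f "$ZONEFILE.signed" "$ZONEFILE"
}

# Check the signed file before pointing named at it.
verify_zone() {
    dnssec-verify -o "$ZONE" "$ZONEFILE.signed"
    named-checkzone "$ZONE" "$ZONEFILE.signed" >/dev/null
    check_signed_zone <"$ZONEFILE.signed"
}

# Pure-shell sanity check on a signed zone read from stdin: both key roles
# published and at least one RRSIG. Prints "ksk=N zsk=N rrsig=N" and exits
# non-zero if anything is missing.
check_signed_zone() {
    awk '
        $4 == "DNSKEY" && $5 == 257 { ksk++ }
        $4 == "DNSKEY" && $5 == 256 { zsk++ }
        $4 == "RRSIG"               { sig++ }
        END {
            printf "ksk=%d zsk=%d rrsig=%d\n", ksk, zsk, sig
            exit (ksk > 0 && zsk > 0 && sig > 0) ? 0 : 1
        }'
}

# Steps 4-5: named.conf already points at the .signed file as in the post.
# The DS record printed last is what goes to the registrar; the trusted-keys
# entry in the post only makes the server trust itself.
deploy() {
    named-checkconf
    rndc reload "$ZONE"
    dnssec-dsfromkey -f "$ZONEFILE.signed" "$ZONE"
}

# Constructed fragment of a signed zone, used only to demonstrate
# check_signed_zone; key, signature and key tag are placeholders.
SAMPLE_SIGNED='barasu.org. 86400 IN DNSKEY 257 3 13 PLACEHOLDER-KSK-KEY==
barasu.org. 86400 IN DNSKEY 256 3 13 PLACEHOLDER-ZSK-KEY==
barasu.org. 86400 IN RRSIG DNSKEY 13 2 86400 20101031155906 20101001155906 12345 barasu.org. PLACEHOLDER-SIG==
barasu.org. 86400 IN NSEC ec2a.barasu.org. NS SOA RRSIG NSEC DNSKEY'

# On the real zone: make_keys && sign_zone && verify_zone && deploy
printf '%s\n' "$SAMPLE_SIGNED" | check_signed_zone
```

The reason for running dnssec-verify and check_signed_zone before rndc reload is that a zone signed with only one key role, or with expired signatures, still loads without complaint; validating resolvers are the ones that fail, and they fail for the whole zone.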

Test: DNSSEC OFF

dig @vps.barasu.org www.barasu.org +norec

; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.6.amzn1 <<>> @vps.barasu.org www.barasu.org +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42412
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 3

;; QUESTION SECTION:
;www.barasu.org.                IN      A

;; ANSWER SECTION:
www.barasu.org.         10800   IN      CNAME   ec2a.barasu.org.
ec2a.barasu.org.        86400   IN      A       175.41.130.150

;; AUTHORITY SECTION:
barasu.org.             86400   IN      NS      umintyu.barasu.org.
barasu.org.             86400   IN      NS      vps.barasu.org.
barasu.org.             86400   IN      NS      ec2a.barasu.org.
barasu.org.             86400   IN      NS      olug.barasu.org.

;; ADDITIONAL SECTION:
vps.barasu.org.         86400   IN      A       59.106.183.188
olug.barasu.org.        86400   IN      A       210.145.57.98
umintyu.barasu.org.     86400   IN      A       218.45.175.203

;; Query time: 77 msec
;; SERVER: 59.106.183.188#53(59.106.183.188)
;; WHEN: Sat Oct 2 02:35:52 2010
;; MSG SIZE  rcvd: 188

DNSSEC ON

dig @vps.barasu.org +dnssec www.barasu.org +norec

; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.6.amzn1 <<>> @vps.barasu.org +dnssec www.barasu.org +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60195
;; flags: qr aa; QUERY: 1, ANSWER: 4, AUTHORITY: 5, ADDITIONAL: 7

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.barasu.org.                IN      A

;; ANSWER SECTION:
www.barasu.org.         10800   IN      CNAME   ec2a.barasu.org.
www.barasu.org.         10800   IN      RRSIG   CNAME 1 3 10800 20101031155906 20101001155906 46385 barasu.org. LGagg1aoEJfm187HjZcRUpXCju8oaiiCY8w+hpCzBPigArgoJQ7Bv6rG Ci0fWu7rpdeDSXAo603mRfVN+DS5rw==
ec2a.barasu.org.        86400   IN      A       175.41.130.150
ec2a.barasu.org.        86400   IN      RRSIG   A 1 3 86400 20101031155906 20101001155906 46385 barasu.org. VzzTMZ3f/rFGVYDJykB52IA1pp1sXizdlCNHZxh7RWnMGN79V794SQ1B 1ASK7oTpk+W/xi7Haxk7SVhXqZByUQ==

;; AUTHORITY SECTION:
barasu.org.             86400   IN      NS      vps.barasu.org.
barasu.org.             86400   IN      NS      ec2a.barasu.org.
barasu.org.             86400   IN      NS      olug.barasu.org.
barasu.org.             86400   IN      NS      umintyu.barasu.org.
barasu.org.             86400   IN      RRSIG   NS 1 2 86400 20101031155906 20101001155906 46385 barasu.org. Y+xJkdqUt39NIChWHzI3fzTMAEb3FCDEEygRcfFBxPPxon5C+4qXGHa5 RdHVHwbr9lliwdxr2CBWQz7Y3djf+w==

;; ADDITIONAL SECTION:
vps.barasu.org.         86400   IN      A       59.106.183.188
olug.barasu.org.        86400   IN      A       210.145.57.98
umintyu.barasu.org.     86400   IN      A       218.45.175.203
vps.barasu.org.         86400   IN      RRSIG   A 1 3 86400 20101031155906 20101001155906 46385 barasu.org. VpD15nCRnCKoL7GNjhRGpoIZzCqQhKNNtHQMeZDltiRehm/uhCFzj1ap jWPvhYC8QruLLMZalyOo67myC+DwRA==
olug.barasu.org.        86400   IN      RRSIG   A 1 3 86400 20101031155906 20101001155906 46385 barasu.org. xuBegL0UoOQ/4E76eJNRAzMucwwryAUt1i1A7/5lRCg4I34DmlmKjZne B7forEKZflQvUSMwz3hbgA313s2U/w==
umintyu.barasu.org.     86400   IN      RRSIG   A 1 3 86400 20101031155906 20101001155906 46385 barasu.org. sKAEv4bm9uojHlKjpvO4U44pypaRAwigwSnVJhmfxHHAcsV/9ww2gzIC uhu5SrvXIAinpTTYdO39PkztjDJTIA==

;; Query time: 76 msec
;; SERVER: 59.106.183.188#53(59.106.183.188)
;; WHEN: Sat Oct 2 02:33:59 2010
;; MSG SIZE  rcvd: 835

The MSG SIZE is completely different. Without DNSSEC: MSG SIZE rcvd: 188. With DNSSEC: MSG SIZE rcvd: 835. So roughly 4 times larger.

The site I used as a reference: LOST AND FOUND ( FOR ME ? )

It's already up to something like a 5th edition!!!!

Without doing anything at all on the secondary, the DNSSEC data seems to be served from there too.

dig @www.barasu.org +dnssec www.barasu.org +norec

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @www.barasu.org +dnssec www.barasu.org +norec
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33048
;; flags: qr aa; QUERY: 1, ANSWER: 4, AUTHORITY: 5, ADDITIONAL: 7

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.barasu.org.                IN      A

;; ANSWER SECTION:
www.barasu.org.         10800   IN      CNAME   ec2a.barasu.org.
www.barasu.org.         10800   IN      RRSIG   CNAME 1 3 10800 20101031213133 20101001213133 46385 barasu.org. MP5td5Qs4OJ/+P5/MezTQjCftAeXHB+HN7PfuhyGlJgFmbRukDnF8dLe Te4wct2uPHPuVzw7ZZ8nBqOIFR4rhA==
ec2a.barasu.org.        86400   IN      A       175.41.130.150
ec2a.barasu.org.        86400   IN      RRSIG   A 1 3 86400 20101031213133 20101001213133 46385 barasu.org. lODGRmUo0xe0FgkkSv7vm8tkFj8xuQGIY2JWWvOOpHwWJ81NlntntgcE QXvGuU3oxhMu36Gk0y/+R3SjILlGgQ==

;; AUTHORITY SECTION:
barasu.org.             86400   IN      NS      ec2a.barasu.org.
barasu.org.             86400   IN      NS      umintyu.barasu.org.
barasu.org.             86400   IN      NS      vps.barasu.org.
barasu.org.             86400   IN      NS      olug.barasu.org.
barasu.org.             86400   IN      RRSIG   NS 1 2 86400 20101031213133 20101001213133 46385 barasu.org. 2m3QdP2H27CW/R6bNqRbuTf4/AnCcPxlfWT6PbLznQAk0l13XBSHgQnc bmjczsFA/FYRcqehhuhS8LZRuBmEAQ==

;; ADDITIONAL SECTION:
vps.barasu.org.         86400   IN      A       59.106.183.188
olug.barasu.org.        86400   IN      A       210.145.57.98
umintyu.barasu.org.     86400   IN      A       218.45.175.203
vps.barasu.org.         86400   IN      RRSIG   A 1 3 86400 20101031213133 20101001213133 46385 barasu.org. 3kqxtODOqrO5RPLiYJXPgZq+kSRzw1+de9CqpCF33GwLWwinVP5MzOKT NbIJY7mGTg5NjEht0B/BdrPEt8geTg==
olug.barasu.org.        86400   IN      RRSIG   A 1 3 86400 20101031213133 20101001213133 46385 barasu.org. vmNOJ4LcPCAJ7kFtV1w3f1tKOdCsqcEi5tCxA+52Hx2C8FgEIW52W0XG W6504ACOIrXhMibkomQYrXjdA1s2Uw==
umintyu.barasu.org.     86400   IN      RRSIG   A 1 3 86400 20101031213133 20101001213133 46385 barasu.org. jWP7KqDIiu9PSqBwlsAjP2Lx6cYg6EGgtrVGhYJhru765O/o8+kKd6QC eFXiDIsI9sz29JlsKlUsfRPURqrvtw==

;; Query time: 82 msec
;; SERVER: 175.41.130.150#53(175.41.130.150)
;; WHEN: Sat Oct 2 07:35:40 2010
;; MSG SIZE  rcvd: 835

What I'm wondering about: when creating the key with dnssec-keygen, is RSAMD5 OK? Would DSA or HMAC-SHA256 be better? Is a key size of 512 OK?

Those are the points that bother me.
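For the dig tests above and for the closing question about the algorithm, here is an added example that is not part of the original post: a small POSIX sh + awk checker that reads a dig reply from stdin, reports whether the EDNS DO bit came back, how many RRSIGs the reply carries, which algorithm numbers and key tags signed it, the earliest signature expiry, the message size, and which answer RRsets have no covering RRSIG. The algorithm table is the signing column of RFC 8624. The two embedded samples are the post's own replies trimmed to the lines the functions read (signatures shortened with "..."); function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise a dig +dnssec reply
# and grade the signing algorithm it shows against RFC 8624. POSIX sh + awk;
# every checker reads dig output on stdin.

# EDNS DO bit present in the reply? (exit status only)
has_do_flag() {
    grep -q '^; EDNS:.*flags:.* do'
}

# Number of RRSIG records anywhere in the reply.
rrsig_count() {
    awk '$4 == "RRSIG" { n++ } END { print n + 0 }'
}

# Distinct algorithm numbers used by the RRSIGs (field after the covered type).
rrsig_algs() {
    awk '$4 == "RRSIG" { seen[$6] = 1 } END { for (a in seen) print a }' |
        sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Key tags that produced the signatures (the post's key is Kbarasu.org.+001+46385).
rrsig_keytags() {
    awk '$4 == "RRSIG" { seen[$11] = 1 } END { for (k in seen) print k }' |
        sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Earliest signature expiration (YYYYMMDDHHMMSS); re-sign before this passes.
earliest_expiry() {
    awk '$4 == "RRSIG" && (min == "" || $9 < min) { min = $9 } END { print min }'
}

# Answer-section RRsets (owner + type) with no covering RRSIG.
unsigned_answer_rrsets() {
    awk '
        /^;; ANSWER SECTION:/ { sec = 1; next }
        /^;;/                 { sec = 0; next }
        sec && $4 == "RRSIG"  { have[$1 " " $5] = 1; next }
        sec && NF >= 4        { want[$1 " " $4] = 1 }
        END { for (k in want) if (!(k in have)) print k }' | sort
}

# Reply size in bytes, the number the post compares (188 vs 835).
msg_size() {
    sed -n 's/.*MSG SIZE *rcvd: *\([0-9]*\).*/\1/p'
}

# RFC 8624 status of a DNSSEC algorithm number for signing new zones.
alg_status() {
    case "$1" in
        1)  echo "RSAMD5: MUST NOT" ;;
        3)  echo "DSA: MUST NOT" ;;
        5)  echo "RSASHA1: NOT RECOMMENDED" ;;
        6)  echo "DSA-NSEC3-SHA1: MUST NOT" ;;
        7)  echo "RSASHA1-NSEC3-SHA1: NOT RECOMMENDED" ;;
        8)  echo "RSASHA256: MUST" ;;
        10) echo "RSASHA512: NOT RECOMMENDED" ;;
        12) echo "ECC-GOST: MUST NOT" ;;
        13) echo "ECDSAP256SHA256: MUST" ;;
        14) echo "ECDSAP384SHA384: MAY" ;;
        15) echo "ED25519: RECOMMENDED" ;;
        16) echo "ED448: MAY" ;;
        *)  echo "algorithm $1: not in this table" ;;
    esac
}

# Human-readable summary of one reply on stdin.
dnssec_report() {
    reply=$(cat)
    if printf '%s\n' "$reply" | has_do_flag; then dobit=yes; else dobit=no; fi
    printf 'DO bit: %s  RRSIGs: %s  size: %s bytes\n' "$dobit" \
        "$(printf '%s\n' "$reply" | rrsig_count)" "$(printf '%s\n' "$reply" | msg_size)"
    for a in $(printf '%s\n' "$reply" | rrsig_algs); do
        printf 'algorithm %s -> %s\n' "$a" "$(alg_status "$a")"
    done
    printf 'key tags: %s  first expiry: %s\n' "$(printf '%s\n' "$reply" | rrsig_keytags)" \
        "$(printf '%s\n' "$reply" | earliest_expiry)"
    printf '%s\n' "$reply" | unsigned_answer_rrsets | sed 's/^/unsigned answer RRset: /'
}

# Samples: the post's two replies, trimmed; signatures shortened with "...".
SAMPLE_OFF=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42412
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 3
;; QUESTION SECTION:
;www.barasu.org. IN A
;; ANSWER SECTION:
www.barasu.org. 10800 IN CNAME ec2a.barasu.org.
ec2a.barasu.org. 86400 IN A 175.41.130.150
;; AUTHORITY SECTION:
barasu.org. 86400 IN NS vps.barasu.org.
;; MSG SIZE  rcvd: 188
EOF
)
SAMPLE_ON=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60195
;; flags: qr aa; QUERY: 1, ANSWER: 4, AUTHORITY: 5, ADDITIONAL: 7
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.barasu.org. IN A
;; ANSWER SECTION:
www.barasu.org. 10800 IN CNAME ec2a.barasu.org.
www.barasu.org. 10800 IN RRSIG CNAME 1 3 10800 20101031155906 20101001155906 46385 barasu.org. LGagg1ao...
ec2a.barasu.org. 86400 IN A 175.41.130.150
ec2a.barasu.org. 86400 IN RRSIG A 1 3 86400 20101031155906 20101001155906 46385 barasu.org. VzzTMZ3f...
;; AUTHORITY SECTION:
barasu.org. 86400 IN NS vps.barasu.org.
barasu.org. 86400 IN RRSIG NS 1 2 86400 20101031155906 20101001155906 46385 barasu.org. Y+xJkdqU...
;; MSG SIZE  rcvd: 835
EOF
)

# Live use: dig @vps.barasu.org +dnssec www.barasu.org +norec | dnssec_report
printf '%s\n' "$SAMPLE_ON" | dnssec_report
```

Run against the post's DNSSEC ON reply, the report shows the DO bit, three RRSIGs, algorithm 1 (RSAMD5, which RFC 8624 lists as MUST NOT for signing), key tag 46385 and an expiry of 20101031155906; the same reply from the secondary gives the same picture, which is what the "nothing to do on the secondary" observation amounts to: RRSIGs are ordinary records that are transferred with the zone. Of the three options the post weighs, HMAC-SHA256 is a TSIG algorithm for authenticating transfers and updates, not a zone-signing algorithm, so it does not appear in the table at all.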