DNSSEC support
Let me try making barasu.org DNSSEC-enabled.
First, generate the public and private keys.
It takes a while, so just wait it out.
Well, dnssec-keygen apparently uses /dev/random for its random numbers, so it is only natural that it takes time.
# /usr/sbin/dnssec-keygen -a RSAMD5 -b 512 -n ZONE barasu.org.
Kbarasu.org.+001+46385
Add the public key to the zone file as a KEY record
In my case, I appended Kbarasu.org.*.key to /var/named/chroot/var/named/master/barasu.org
Sign the zone
# /usr/sbin/dnssec-signzone -o barasu.org. barasu.org
barasu.org.signed
Edit named.conf
Add trusted-keys
trusted-keys {
barasu.org. 256 3 1 "AwEAAflwBup8+(omitted)";
};
Add dnssec-enable inside options
dnssec-enable yes;
Change the zone's file to the signed file (barasu.org.signed)
zone "barasu.org" {
allow-query { any; };
type master;
file "master/barasu.org.signed";
};
Restart DNS
/etc/rc.d/init.d/named restart
Test
DNSSEC OFF
dig @vps.barasu.org www.barasu.org +norec
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.6.amzn1 <<>> @vps.barasu.org www.barasu.org +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42412
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 3

;; QUESTION SECTION:
;www.barasu.org. IN A

;; ANSWER SECTION:
www.barasu.org. 10800 IN CNAME ec2a.barasu.org.
ec2a.barasu.org. 86400 IN A 175.41.130.150

;; AUTHORITY SECTION:
barasu.org. 86400 IN NS umintyu.barasu.org.
barasu.org. 86400 IN NS vps.barasu.org.
barasu.org. 86400 IN NS ec2a.barasu.org.
barasu.org. 86400 IN NS olug.barasu.org.

;; ADDITIONAL SECTION:
vps.barasu.org. 86400 IN A 59.106.183.188
olug.barasu.org. 86400 IN A 210.145.57.98
umintyu.barasu.org. 86400 IN A 218.45.175.203

;; Query time: 77 msec
;; SERVER: 59.106.183.188#53(59.106.183.188)
;; WHEN: Sat Oct 2 02:35:52 2010
;; MSG SIZE rcvd: 188
DNSSEC ON
dig @vps.barasu.org +dnssec www.barasu.org +norec
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.6.amzn1 <<>> @vps.barasu.org +dnssec www.barasu.org +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60195
;; flags: qr aa; QUERY: 1, ANSWER: 4, AUTHORITY: 5, ADDITIONAL: 7

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096

;; QUESTION SECTION:
;www.barasu.org. IN A

;; ANSWER SECTION:
www.barasu.org. 10800 IN CNAME ec2a.barasu.org.
www.barasu.org. 10800 IN RRSIG CNAME 1 3 10800 20101031155906 20101001155906 46385 barasu.org. LGagg1aoEJfm187HjZcRUpXCju8oaiiCY8w+hpCzBPigArgoJQ7Bv6rG Ci0fWu7rpdeDSXAo603mRfVN+DS5rw==
ec2a.barasu.org. 86400 IN A 175.41.130.150
ec2a.barasu.org. 86400 IN RRSIG A 1 3 86400 20101031155906 20101001155906 46385 barasu.org. VzzTMZ3f/rFGVYDJykB52IA1pp1sXizdlCNHZxh7RWnMGN79V794SQ1B 1ASK7oTpk+W/xi7Haxk7SVhXqZByUQ==

;; AUTHORITY SECTION:
barasu.org. 86400 IN NS vps.barasu.org.
barasu.org. 86400 IN NS ec2a.barasu.org.
barasu.org. 86400 IN NS olug.barasu.org.
barasu.org. 86400 IN NS umintyu.barasu.org.
barasu.org. 86400 IN RRSIG NS 1 2 86400 20101031155906 20101001155906 46385 barasu.org. Y+xJkdqUt39NIChWHzI3fzTMAEb3FCDEEygRcfFBxPPxon5C+4qXGHa5 RdHVHwbr9lliwdxr2CBWQz7Y3djf+w==

;; ADDITIONAL SECTION:
vps.barasu.org. 86400 IN A 59.106.183.188
olug.barasu.org. 86400 IN A 210.145.57.98
umintyu.barasu.org. 86400 IN A 218.45.175.203
vps.barasu.org. 86400 IN RRSIG A 1 3 86400 20101031155906 20101001155906 46385 barasu.org. VpD15nCRnCKoL7GNjhRGpoIZzCqQhKNNtHQMeZDltiRehm/uhCFzj1ap jWPvhYC8QruLLMZalyOo67myC+DwRA==
olug.barasu.org. 86400 IN RRSIG A 1 3 86400 20101031155906 20101001155906 46385 barasu.org. xuBegL0UoOQ/4E76eJNRAzMucwwryAUt1i1A7/5lRCg4I34DmlmKjZne B7forEKZflQvUSMwz3hbgA313s2U/w==
umintyu.barasu.org. 86400 IN RRSIG A 1 3 86400 20101031155906 20101001155906 46385 barasu.org. sKAEv4bm9uojHlKjpvO4U44pypaRAwigwSnVJhmfxHHAcsV/9ww2gzIC uhu5SrvXIAinpTTYdO39PkztjDJTIA==

;; Query time: 76 msec
;; SERVER: 59.106.183.188#53(59.106.183.188)
;; WHEN: Sat Oct 2 02:33:59 2010
;; MSG SIZE rcvd: 835
The MSG SIZE is completely different.
Without DNSSEC: MSG SIZE rcvd: 188
With DNSSEC: MSG SIZE rcvd: 835
So about 4 times as large.
The site I used as a reference: LOST AND FOUND ( FOR ME ? )
It is already at something like its 5th edition!!!!
As for the secondary, I did nothing at all, yet the DNSSEC data seems to be getting through.
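Beyond eyeballing the MSG SIZE, the +dnssec answer above can be checked mechanically. The script below is an added example and not part of the original post: it feeds a trimmed copy of the post's own +dnssec output (embedded as constructed input) through an awk audit that confirms the DO bit was set (the "flags: do; udp: 4096" EDNS line, which is also what lets the 835-byte answer exceed the classic 512-byte UDP limit), that every RRset in the answer carries an RRSIG, that each RRSIG's inception..expiration window contains the supplied time, and that every signature was made by the expected key tag (46385, the number in the key file name Kbarasu.org.+001+46385 and in every RRSIG above). The function name dnssec_audit is my own. Note the window: all the RRSIGs above run from 20101001155906 to 20101031155906, so the zone has to be re-signed with dnssec-signzone before the end of October or every signature expires at once.

```shell
#!/bin/sh
# Added example (not from the original post): audit a `dig +dnssec` answer
# for DNSSEC coverage and signature freshness, offline.

# Trimmed copy of the post's own output for
#   dig @vps.barasu.org +dnssec www.barasu.org +norec
# (EDNS line, ANSWER and AUTHORITY sections), embedded as constructed input.
SAMPLE_DIG='; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.barasu.org. IN A
;; ANSWER SECTION:
www.barasu.org. 10800 IN CNAME ec2a.barasu.org.
www.barasu.org. 10800 IN RRSIG CNAME 1 3 10800 20101031155906 20101001155906 46385 barasu.org. LGagg1aoEJfm187HjZcRUpXCju8oaiiCY8w+hpCzBPigArgoJQ7Bv6rG Ci0fWu7rpdeDSXAo603mRfVN+DS5rw==
ec2a.barasu.org. 86400 IN A 175.41.130.150
ec2a.barasu.org. 86400 IN RRSIG A 1 3 86400 20101031155906 20101001155906 46385 barasu.org. VzzTMZ3f/rFGVYDJykB52IA1pp1sXizdlCNHZxh7RWnMGN79V794SQ1B 1ASK7oTpk+W/xi7Haxk7SVhXqZByUQ==
;; AUTHORITY SECTION:
barasu.org. 86400 IN NS vps.barasu.org.
barasu.org. 86400 IN NS ec2a.barasu.org.
barasu.org. 86400 IN NS olug.barasu.org.
barasu.org. 86400 IN NS umintyu.barasu.org.
barasu.org. 86400 IN RRSIG NS 1 2 86400 20101031155906 20101001155906 46385 barasu.org. Y+xJkdqUt39NIChWHzI3fzTMAEb3FCDEEygRcfFBxPPxon5C+4qXGHa5 RdHVHwbr9lliwdxr2CBWQz7Y3djf+w==
;; MSG SIZE rcvd: 835'

# dnssec_audit NOW [EXPECTED_KEYTAG]: read dig output on stdin, print one line
# per finding plus a summary line, and return 1 if anything is wrong.
# NOW uses the RRSIG timestamp format (YYYYMMDDHHMMSS, UTC) so that the
# validity-window test is a plain numeric comparison.
dnssec_audit() {
  awk -v now="$1" -v want="${2:-}" '
    BEGIN { now += 0 }
    /^;; .*SECTION:$/ { sec = $2; next }             # ";; ANSWER SECTION:" -> ANSWER
    /^; EDNS:/        { if ($0 ~ /flags: do/) dobit = 1; next }
    /^;; MSG SIZE/    { size = $NF; next }
    /^;/ || NF < 5    { next }                       # comments, question, blank lines
    $4 != "RRSIG" {                                  # owner ttl class type rdata...
      k = sec " " $1 " " $4
      if (!(k in rrset)) { rrset[k] = 1; nrr++ }
      next
    }
    {                                                # RRSIG rdata: $5 type covered, $6 algorithm,
      signed[sec " " $1 " " $5] = 1; nsig++          # $9 expiration, $10 inception, $11 key tag
      if (now < $10 + 0 || now > $9 + 0) {
        bad++; print "RRSIG " $1 "/" $5 " outside validity window " $10 ".." $9
      }
      if (want != "" && $11 != want) {
        bad++; print "RRSIG " $1 "/" $5 " made by key tag " $11 ", expected " want
      }
      if ($6 == 1) weak++
      if (minexp == "" || $9 + 0 < minexp + 0) minexp = $9
    }
    END {
      if (!dobit) { bad++; print "DO bit not set: this was not a DNSSEC answer" }
      for (k in rrset) if (!(k in signed)) { bad++; print "unsigned RRset: " k }
      if (weak) print "warning: " weak " RRSIG(s) use algorithm 1 (RSAMD5), which RFC 8624 forbids"
      printf "rrsets=%d rrsigs=%d earliest_expiry=%s msg_size=%s problems=%d\n",
             nrr, nsig, minexp, size, bad
      exit (bad ? 1 : 0)
    }'
}

# Audit the embedded sample at the time of the post's query, expecting the
# key tag that appears in the key file name (Kbarasu.org.+001+46385).
printf '%s\n' "$SAMPLE_DIG" | dnssec_audit 20101002023359 46385
```

Against a live server, pipe the post's own query into it: dig @vps.barasu.org +dnssec www.barasu.org +norec | dnssec_audit "$(date -u +%Y%m%d%H%M%S)" 46385. A non-zero exit means re-sign or investigate. The audit parses presentation format only; it does not verify the signatures cryptographically, which is the job of a validating resolver.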
dig @www.barasu.org +dnssec www.barasu.org +norec
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @www.barasu.org +dnssec www.barasu.org +norec
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER
What I am wondering about:
when creating the key with dnssec-keygen,
is RSAMD5 OK? Would DSA or HMAC-SHA256 be better?
Is a key size of 512 OK?
Those are the things that concern me.
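Two of the steps above were done by hand: copying the key out of the .key file into the trusted-keys stanza, and choosing -a RSAMD5 -b 512 at keygen time, which the closing questions are about. The shell script below is an added example, not the post's own script: it parses the key file name that dnssec-keygen printed (Kbarasu.org.+001+46385: zone, algorithm number 1, key tag 46385), builds the trusted-keys stanza from the .key file so the key cannot be mistyped, and grades the algorithm/size pair against the RFC 8624 algorithm table and the usual 2048-bit RSA floor. The key file body is constructed, since the post omits the real key, and the function names are mine. Two facts that bear on the closing questions: algorithm 1 (RSAMD5) is listed as MUST NOT for both DNSSEC signing and validation in RFC 8624, and HMAC-SHA256 is a TSIG (symmetric transaction signature) algorithm, so a dnssec-keygen HMAC key protects zone transfers and dynamic updates but cannot sign a zone.

```shell
#!/bin/sh
# Added example (not from the original post): derive the named.conf
# trusted-keys stanza from the .key file that dnssec-keygen writes, and
# check the algorithm number and key length chosen at keygen time.

# Key file name from the post; the file body is CONSTRUCTED because the post
# elides the real key (BIND 9.7 writes a DNSKEY record; older releases wrote KEY).
SAMPLE_KEYNAME='Kbarasu.org.+001+46385.key'
SAMPLE_KEYFILE='; This is a zone-signing key, keyid 46385, for barasu.org.
barasu.org. IN DNSKEY 256 3 1 AwEAAflwBup8CONSTRUCTEDNOTAREALKEY=='

# keyname_parse NAME: "Kbarasu.org.+001+46385[.key]" -> "barasu.org. 1 46385"
# (zone, algorithm number, key tag), using only parameter expansion.
keyname_parse() {
  f=${1##*/}; f=${f%.key}; f=${f%.private}; f=${f#K}
  tag=${f##*+}; rest=${f%+*}; alg=${rest##*+}; zone=${rest%+*}
  alg=$(printf '%s' "$alg" | sed 's/^0*\([0-9]\)/\1/')   # 001 -> 1
  tag=$(printf '%s' "$tag" | sed 's/^0*\([0-9]\)/\1/')
  printf '%s %s %s\n' "$zone" "$alg" "$tag"
}

# keyfile_to_trusted_keys: read a .key file on stdin, print the stanza in the
# "name flags protocol algorithm key" form named.conf expects. Comment lines
# are skipped and an optional TTL column is tolerated.
keyfile_to_trusted_keys() {
  awk '
    /^;/ { next }
    {
      for (i = 1; i <= NF; i++) if ($i == "DNSKEY" || $i == "KEY") break
      if (i > NF) next
      key = ""
      for (j = i + 4; j <= NF; j++) key = key $j            # re-join a wrapped key
      printf "trusted-keys {\n\t%s %s %s %s \"%s\";\n};\n",
             $1, $(i + 1), $(i + 2), $(i + 3), key
    }'
}

# key_policy_check ALG BITS: return 0 if the choice is acceptable for a zone
# key today, 1 if the zone should be re-keyed. Algorithm status follows the
# RFC 8624 table; the 2048-bit floor for RSA is the usual operational minimum.
key_policy_check() {
  alg=$1; bits=$2; rc=0
  case $alg in
    1|3|6|12)      echo "algorithm $alg: MUST NOT be used for signing (RFC 8624)"; rc=1 ;;
    5|7|10)        echo "algorithm $alg: NOT RECOMMENDED for new signatures (RFC 8624)"; rc=1 ;;
    8|13|14|15|16) ;;
    *)             echo "algorithm $alg: not in this check's table, review manually"; rc=1 ;;
  esac
  case $alg in
    1|5|7|8|10) [ "$bits" -ge 2048 ] || { echo "RSA key of $bits bits is below the 2048-bit floor"; rc=1; } ;;
  esac
  return $rc
}

# Walk the post's own key through the three helpers; -b 512 is the size the
# post passed to dnssec-keygen.
set -- $(keyname_parse "$SAMPLE_KEYNAME")
echo "zone=$1 algorithm=$2 keytag=$3"
printf '%s\n' "$SAMPLE_KEYFILE" | keyfile_to_trusted_keys
key_policy_check "$2" 512 || echo "re-key and re-sign before relying on this zone's signatures"
```

For a key file on disk, run keyfile_to_trusted_keys < Kbarasu.org.+001+46385.key from whatever directory dnssec-keygen wrote it to, and paste the printed stanza into named.conf in place of the hand-copied one.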