Enabling DNSSEC

Let's try making barasu.org DNSSEC-enabled.

First, create the public and private keys.
It takes a while, so just zone out and wait.
Well, dnssec-keygen apparently uses /dev/random for its random numbers, so it's only natural that it takes a while.

# /usr/sbin/dnssec-keygen -a RSAMD5 -b 512 -n ZONE barasu.org.
Kbarasu.org.+001+46385

Add the public key to the zone file as a DNSKEY record (the record dnssec-keygen wrote to the .key file).
In my case I added Kbarasu.org.*.key to /var/named/chroot/var/named/master/barasu.org.

Sign the zone. dnssec-signzone makes the signatures valid for 30 days by default (see the inception and expiration timestamps in the RRSIGs further down), so the zone has to be re-signed before that window runs out, and again after every change to the zone data.

# /usr/sbin/dnssec-signzone -o barasu.org. barasu.org
barasu.org.signed

Edit named.conf
Add trusted-keys

trusted-keys {
barasu.org. 256 3 1 "AwEAAflwBup8+(omitted)";
};

Note that trusted-keys only configures trust anchors for the validator, i.e. for a resolver that performs DNSSEC validation; on a server that is purely authoritative it has no effect on what is served.
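The three numbers in that entry are the DNSKEY flags, protocol and algorithm: 256 is a zone-signing key without the SEP bit (257 would mark a KSK), the protocol field is always 3, and algorithm 1 is RSA/MD5, which RFC 4034 already listed as NOT RECOMMENDED and RFC 6725 later prohibited outright; a 512-bit RSA modulus has been publicly factorable since 1999. The 46385 in the key file name Kbarasu.org.+001+46385 and in the RRSIGs is the key tag, computed from the DNSKEY RDATA (RFC 4034 Appendix B). The script below is an added example, not code from the original post: it decodes a trusted-keys or .key line and computes the tag. Because the page's public key is truncated, it uses a constructed RSAMD5 key whose modulus is chosen so the tag comes out as 46385, plus a constructed RSASHA256 KSK entry; neither is a real key.

```python
"""Decode a DNSKEY / trusted-keys entry and compute its RFC 4034 key tag.

Added example, not code from the original post.  The page only shows a
truncated public key, so SAMPLE_ZSK is a constructed RSAMD5 DNSKEY whose
modulus is chosen to give key tag 46385 (the tag in Kbarasu.org.+001+46385
and in the RRSIGs); SAMPLE_KSK is a constructed RSASHA256 entry.
"""
import base64

# Zone-signing algorithm numbers (IANA DNS Security Algorithm Numbers).
ALGORITHMS = {
    1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256", 10: "RSASHA512", 13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384", 15: "ED25519",
}
RSA_ALGORITHMS = {1, 5, 7, 8, 10}


def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    if algorithm == 1:
        # Appendix B.1: RSAMD5 uses the most significant 16 bits of the
        # least significant 24 bits of the modulus, not the checksum below.
        return int.from_bytes(pubkey[-3:-1], "big")
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8   # odd trailing octet is the high byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rsa_modulus_bits(pubkey):
    """Modulus length of an RFC 3110 RSA key: exponent length, exponent, modulus."""
    exp_len, offset = pubkey[0], 1
    if exp_len == 0:                       # long form: two-byte exponent length
        exp_len, offset = int.from_bytes(pubkey[1:3], "big"), 3
    modulus = pubkey[offset + exp_len:]
    return int.from_bytes(modulus, "big").bit_length()


def decode_dnskey(line):
    """Parse 'owner [IN DNSKEY] flags protocol algorithm base64' (trusted-keys or .key form)."""
    tokens = [t for t in line.replace(";", " ").replace('"', " ").split()
              if t not in ("IN", "DNSKEY")]
    owner, flags, protocol, algorithm = tokens[0], int(tokens[1]), int(tokens[2]), int(tokens[3])
    pubkey = base64.b64decode("".join(tokens[4:]))
    if protocol != 3:
        raise ValueError("DNSKEY protocol must be 3, got %d" % protocol)
    info = {
        "owner": owner,
        "flags": flags,
        "zone_key": bool(flags & 0x0100),   # bit 7: key is allowed to sign the zone
        "sep": bool(flags & 0x0001),        # bit 15: Secure Entry Point, i.e. a KSK
        "protocol": protocol,
        "algorithm": algorithm,
        "algorithm_name": ALGORITHMS.get(algorithm, "unknown(%d)" % algorithm),
        "key_tag": key_tag(flags, protocol, algorithm, pubkey),
    }
    if algorithm in RSA_ALGORITHMS:
        info["modulus_bits"] = rsa_modulus_bits(pubkey)
    return info


# Constructed 512-bit RSA public key: exponent 65537 and a modulus whose
# third- and second-last octets are 0xB5 0x31 == 46385.  Not a real key.
_MODULUS = b"\xc5" + b"\x00" * 60 + b"\xb5\x31\x01"
_PUBKEY = b"\x03\x01\x00\x01" + _MODULUS
SAMPLE_ZSK = 'barasu.org. 256 3 1 "%s";' % base64.b64encode(_PUBKEY).decode()
SAMPLE_KSK = "example. IN DNSKEY 257 3 8 AQIDBA=="   # constructed four-byte key blob

if __name__ == "__main__":
    for sample in (SAMPLE_ZSK, SAMPLE_KSK):
        info = decode_dnskey(sample)
        role = "KSK" if info["sep"] else "ZSK"
        print(info["owner"], role, info["algorithm_name"], "tag", info["key_tag"],
              "modulus bits", info.get("modulus_bits"))
```

Feed it the line from the real Kbarasu.org.+001+46385.key file and the tag it prints must equal the 46385 in the file name and in every RRSIG; a mismatch means the zone was signed with a different key than the one in trusted-keys.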

Add dnssec-enable inside options (this is what makes named include RRSIG and the other DNSSEC records in answers to queries that set the DO bit)

dnssec-enable yes;

Point the zone at the signed file (barasu.org.signed)

zone "barasu.org" {
allow-query { any; };
type master;
file "master/barasu.org.signed";
};

Restart named

/etc/rc.d/init.d/named restart

Test
DNSSEC OFF

dig @vps.barasu.org www.barasu.org +norec

; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.6.amzn1 <<>> @vps.barasu.org www.barasu.org +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42412
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 3

;; QUESTION SECTION:
;www.barasu.org. IN A

;; ANSWER SECTION:
www.barasu.org. 10800 IN CNAME ec2a.barasu.org.
ec2a.barasu.org. 86400 IN A 175.41.130.150

;; AUTHORITY SECTION:
barasu.org. 86400 IN NS umintyu.barasu.org.
barasu.org. 86400 IN NS vps.barasu.org.
barasu.org. 86400 IN NS ec2a.barasu.org.
barasu.org. 86400 IN NS olug.barasu.org.

;; ADDITIONAL SECTION:
vps.barasu.org. 86400 IN A 59.106.183.188
olug.barasu.org. 86400 IN A 210.145.57.98
umintyu.barasu.org. 86400 IN A 218.45.175.203

;; Query time: 77 msec
;; SERVER: 59.106.183.188#53(59.106.183.188)
;; WHEN: Sat Oct 2 02:35:52 2010
;; MSG SIZE rcvd: 188

DNSSEC ON

dig @vps.barasu.org +dnssec www.barasu.org +norec

; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.6.amzn1 <<>> @vps.barasu.org +dnssec www.barasu.org +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60195
;; flags: qr aa; QUERY: 1, ANSWER: 4, AUTHORITY: 5, ADDITIONAL: 7

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.barasu.org. IN A

;; ANSWER SECTION:
www.barasu.org. 10800 IN CNAME ec2a.barasu.org.
www.barasu.org. 10800 IN RRSIG CNAME 1 3 10800 20101031155906 20101001155906 46385 barasu.org. LGagg1aoEJfm187HjZcRUpXCju8oaiiCY8w+hpCzBPigArgoJQ7Bv6rG Ci0fWu7rpdeDSXAo603mRfVN+DS5rw==
ec2a.barasu.org. 86400 IN A 175.41.130.150
ec2a.barasu.org. 86400 IN RRSIG A 1 3 86400 20101031155906 20101001155906 46385 barasu.org. VzzTMZ3f/rFGVYDJykB52IA1pp1sXizdlCNHZxh7RWnMGN79V794SQ1B 1ASK7oTpk+W/xi7Haxk7SVhXqZByUQ==

;; AUTHORITY SECTION:
barasu.org. 86400 IN NS vps.barasu.org.
barasu.org. 86400 IN NS ec2a.barasu.org.
barasu.org. 86400 IN NS olug.barasu.org.
barasu.org. 86400 IN NS umintyu.barasu.org.
barasu.org. 86400 IN RRSIG NS 1 2 86400 20101031155906 20101001155906 46385 barasu.org. Y+xJkdqUt39NIChWHzI3fzTMAEb3FCDEEygRcfFBxPPxon5C+4qXGHa5 RdHVHwbr9lliwdxr2CBWQz7Y3djf+w==

;; ADDITIONAL SECTION:
vps.barasu.org. 86400 IN A 59.106.183.188
olug.barasu.org. 86400 IN A 210.145.57.98
umintyu.barasu.org. 86400 IN A 218.45.175.203
vps.barasu.org. 86400 IN RRSIG A 1 3 86400 20101031155906 20101001155906 46385 barasu.org. VpD15nCRnCKoL7GNjhRGpoIZzCqQhKNNtHQMeZDltiRehm/uhCFzj1ap jWPvhYC8QruLLMZalyOo67myC+DwRA==
olug.barasu.org. 86400 IN RRSIG A 1 3 86400 20101031155906 20101001155906 46385 barasu.org. xuBegL0UoOQ/4E76eJNRAzMucwwryAUt1i1A7/5lRCg4I34DmlmKjZne B7forEKZflQvUSMwz3hbgA313s2U/w==
umintyu.barasu.org. 86400 IN RRSIG A 1 3 86400 20101031155906 20101001155906 46385 barasu.org. sKAEv4bm9uojHlKjpvO4U44pypaRAwigwSnVJhmfxHHAcsV/9ww2gzIC uhu5SrvXIAinpTTYdO39PkztjDJTIA==

;; Query time: 76 msec
;; SERVER: 59.106.183.188#53(59.106.183.188)
;; WHEN: Sat Oct 2 02:33:59 2010
;; MSG SIZE rcvd: 835

The MSG SIZE is completely different, huh.
Without DNSSEC: MSG SIZE rcvd: 188
With DNSSEC: MSG SIZE rcvd: 835
So about 4 times as large.
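Each RRSIG above carries the algorithm (1), a label count, the original TTL, the expiration (20101031155906) and inception (20101001155906) in UTC, and the key tag 46385 of the signing key: exactly thirty days of validity, which is dnssec-signzone's default. Once 2010-10-31 15:59:06 UTC passes, validating resolvers will return SERVFAIL for barasu.org unless the zone has been re-signed. The 835-byte reply also exceeds the classic 512-byte DNS/UDP limit; it arrived in one piece only because dig advertised an EDNS0 buffer of 4096 (the "udp: 4096" in the OPT pseudosection), so clients or middleboxes without EDNS0 would see a truncated reply and have to retry over TCP. The script below is an added example, not the author's code: it parses the three RRSIG lines from the dig output above and audits them against a reference time. QUERY_TIME is an assumption standing in for when that dig was run, taken as 2010-10-02 00:00 UTC.

```python
"""Audit RRSIG records from a dig +dnssec answer.

Added example, not code from the original post.  SAMPLE_RRSIGS are the three
RRSIG lines from the dig output on this page; QUERY_TIME is an assumed
reference time for when that dig ran (RRSIG timestamps are UTC).
"""
from datetime import datetime, timezone


def parse_timestamp(stamp):
    """RRSIG inception/expiration: YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Parse one RRSIG line in the presentation format dig prints."""
    f = line.split()
    if len(f) < 13 or f[2] != "IN" or f[3] != "RRSIG":
        raise ValueError("not an RRSIG line: %r" % line)
    return {
        "owner": f[0], "ttl": int(f[1]), "type_covered": f[4],
        "algorithm": int(f[5]), "labels": int(f[6]), "original_ttl": int(f[7]),
        "expiration": parse_timestamp(f[8]), "inception": parse_timestamp(f[9]),
        "key_tag": int(f[10]), "signer": f[11], "signature": "".join(f[12:]),
    }


def label_count(name):
    """Number of labels in a domain name, ignoring the root (trailing dot)."""
    return len([label for label in name.rstrip(".").split(".") if label])


def audit_rrsig(sig, now, expected_key_tag=None, expected_algorithm=None):
    """Return a list of findings about one RRSIG at time `now`; [] means it looks fine."""
    findings = []
    if now < sig["inception"]:
        findings.append("not yet valid: inception %s" % sig["inception"].isoformat())
    if now > sig["expiration"]:
        findings.append("expired: expiration %s" % sig["expiration"].isoformat())
    owner_labels = label_count(sig["owner"])
    if sig["labels"] > owner_labels:
        findings.append("labels field %d exceeds the %d labels of %s"
                        % (sig["labels"], owner_labels, sig["owner"]))
    elif sig["labels"] < owner_labels:
        # Fewer labels than the owner means the RRset was synthesized from a wildcard.
        findings.append("wildcard expansion: labels %d < %d" % (sig["labels"], owner_labels))
    if not (sig["owner"] == sig["signer"] or sig["owner"].endswith("." + sig["signer"])):
        findings.append("signer %s is not an ancestor of %s" % (sig["signer"], sig["owner"]))
    if sig["ttl"] != sig["original_ttl"]:
        # An authoritative answer carries the original TTL; a lower value means a cached copy.
        findings.append("TTL %d differs from original TTL %d" % (sig["ttl"], sig["original_ttl"]))
    if expected_key_tag is not None and sig["key_tag"] != expected_key_tag:
        findings.append("key tag %d, expected %d" % (sig["key_tag"], expected_key_tag))
    if expected_algorithm is not None and sig["algorithm"] != expected_algorithm:
        findings.append("algorithm %d, expected %d" % (sig["algorithm"], expected_algorithm))
    return findings


def days_remaining(sig, now):
    """Whole days until the signature expires (negative once it has)."""
    return (sig["expiration"] - now).days


# The three RRSIGs from the dig +dnssec output above.
SAMPLE_RRSIGS = [
    "www.barasu.org. 10800 IN RRSIG CNAME 1 3 10800 20101031155906 20101001155906 46385 barasu.org. "
    "LGagg1aoEJfm187HjZcRUpXCju8oaiiCY8w+hpCzBPigArgoJQ7Bv6rG Ci0fWu7rpdeDSXAo603mRfVN+DS5rw==",
    "ec2a.barasu.org. 86400 IN RRSIG A 1 3 86400 20101031155906 20101001155906 46385 barasu.org. "
    "VzzTMZ3f/rFGVYDJykB52IA1pp1sXizdlCNHZxh7RWnMGN79V794SQ1B 1ASK7oTpk+W/xi7Haxk7SVhXqZByUQ==",
    "barasu.org. 86400 IN RRSIG NS 1 2 86400 20101031155906 20101001155906 46385 barasu.org. "
    "Y+xJkdqUt39NIChWHzI3fzTMAEb3FCDEEygRcfFBxPPxon5C+4qXGHa5 RdHVHwbr9lliwdxr2CBWQz7Y3djf+w==",
]
# Assumed reference time: the dig was run around 2010-10-02, taken here as 00:00 UTC.
QUERY_TIME = datetime(2010, 10, 2, tzinfo=timezone.utc)

if __name__ == "__main__":
    for line in SAMPLE_RRSIGS:
        sig = parse_rrsig(line)
        problems = audit_rrsig(sig, QUERY_TIME, expected_key_tag=46385, expected_algorithm=1)
        print("%-18s RRSIG %-5s %2d days left  %s" % (
            sig["owner"], sig["type_covered"], days_remaining(sig, QUERY_TIME),
            "; ".join(problems) or "OK"))
```

Run against fresh dig output with `now` set to the current time and a small days_remaining value is the cue to re-sign; the same audit run against answers from a caching resolver will report TTL differences, which is expected there.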

The site I used as a reference: LOST AND FOUND ( FOR ME ? )


It's already up to something like a 5th edition!!!!

I did nothing at all on the secondaries, and the DNSSEC data seems to be flowing to them anyway.

dig @www.barasu.org +dnssec www.barasu.org +norec

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @www.barasu.org +dnssec www.barasu.org +norec
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER

What I'm wondering about:
when creating the key with dnssec-keygen,
is RSAMD5 fine? Would DSA or HMAC-SHA256 be better?
Is a key size of 512 fine?

Those are the things I'm wondering about.