Closed Noiri closed 3 years ago
[user@dns-cache-server ~]$ dig @192.168.2.131 pc1.ictsc.net
; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8 <<>> @192.168.2.131 pc1.ictsc.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27369
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 956
; COOKIE: 68c9887beb0eaae9afa0cc0e6042e9ea0f0be2fdbe8a6708 (good)
;; QUESTION SECTION:
;pc1.ictsc.net. IN A
;; Query time: 22 msec
;; SERVER: 192.168.2.131#53(192.168.2.131)
;; WHEN: Sat Mar 06 11:33:14 JST 2021
;; MSG SIZE rcvd: 70
[user@dns-cache-server ~]$ dig @192.168.2.131 pc1.ictsc.net +dnssec
; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8 <<>> @192.168.2.131 pc1.ictsc.net +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21869
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 956
; COOKIE: 6019c2c2eba83ecd65cab1166042e9fc4c8a8f76502ff2d5 (good)
;; QUESTION SECTION:
;pc1.ictsc.net. IN A
;; Query time: 2 msec
;; SERVER: 192.168.2.131#53(192.168.2.131)
;; WHEN: Sat Mar 06 11:33:32 JST 2021
;; MSG SIZE rcvd: 70
[user@dns-cache-server ~]$
Try asking the authoritative server directly
[user@dns-cache-server ~]$ dig @192.168.2.20 any pc1.ictsc.net +dnssec
; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8 <<>> @192.168.2.20 any pc1.ictsc.net +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56520
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 00c0a99bfe3827e3f29a70966042eb31a905fa065d9700ce (good)
;; QUESTION SECTION:
;pc1.ictsc.net. IN ANY
;; ANSWER SECTION:
pc1.ictsc.net. 86400 IN A 192.168.2.151
pc1.ictsc.net. 86400 IN RRSIG A 8 3 86400 20210210004000 20210111004000 63885 ictsc.net. LKUDgH/UnLNfChUjqN8wPHQVVk0oXnfpPcAGy3CmMDlAYP4mJw6i8IVQ AnqEaou/0furcRJN6e/GbzZ2hoi2ubTguV7YvjKQ7QnA/AjcTLItqZ0J oBzrUIl+uGKsUtCPevAON45yliZV95b+vwtVA5Adh7kxsb959/1xSBG3 Swo=
pc1.ictsc.net. 3600 IN NSEC pc2.ictsc.net. A RRSIG NSEC
pc1.ictsc.net. 3600 IN RRSIG NSEC 8 3 3600 20210210004000 20210111004000 63885 ictsc.net. Supt4zse23Fb4/iuCVl8DWtM3Ytc2+wfhmyckUoGv55XRpgRmIuI50Ur KuPMZwrkpBDTfcjFuYCQgXUYQbUFGJ0FE9IAFxqP4tsqiVZ6I9xB3rja LjLuVhJQxF37Ku1OO4fCF1ZMYB8qmeEGyjTu8swRIvjM+J6SubUB3DT9 400=
;; AUTHORITY SECTION:
ictsc.net. 86400 IN NS master-ns.ictsc.net.
ictsc.net. 86400 IN RRSIG NS 8 2 86400 20210210004000 20210111004000 63885 ictsc.net. Ylkqu21praVTVlbUCZPaYAPHQ72PCXrPJA0bbq8OXIg8/pKYqO+rtmqO ZQVWizDzpYdtFnY4LoE+S/vl5taF2RVkwmV3ZJ3xyEwWRzSXwGnbWwyu /MfWOK3LUQc7UtHBGTJoaqKsiga7mpkfN9QGxqrSAmJP767vs9rcmh58 aYg=
;; ADDITIONAL SECTION:
master-ns.ictsc.net. 86400 IN A 192.168.2.20
master-ns.ictsc.net. 86400 IN RRSIG A 8 3 86400 20210210004000 20210111004000 63885 ictsc.net. WrOunB2EHrzvt6yEpnwYcFiTKkWz+decS+VdDVzyoFTkdHBiquh+u5+6 mmxJd6vAhi851MZ5R4aAcDMCfHG9ya4PyWoyylMAWOlmWJ7kf9q07ZX7 95Md438M8cqbXSEvQYs9Y7G0wRe2WFaWVB6diI72Enu8YtdJzWz+R1te EnY=
;; Query time: 2 msec
;; SERVER: 192.168.2.20#53(192.168.2.20)
;; WHEN: Sat Mar 06 11:38:41 JST 2021
;; MSG SIZE rcvd: 837
https://www.nic.ad.jp/ja/dns/ksk-rollover/
"The actions required for this KSK rollover are to update the trust anchor on cache servers and similar systems that have DNSSEC validation enabled, and to cope with the increase in DNS response size that occurs while the KSK rollover is in progress. The points at which the packet size changes are as follows."
So it says. That gives:
1. Update the trust anchor on the cache server (192.168.2.131) that has DNSSEC validation enabled
2. Cope with the increase in DNS response size that occurs during the KSK rollover work (only if needed)
For BIND, the key is specified with the trusted-keys directive in named.conf.
For Unbound, the key is placed as /etc/unbound/root.key, or updated with the unbound-anchor command.
Just a guess, but it looks like the cause is that the cache side has nothing that corresponds to the new KSK
[user@dns_master_server ~]$ sudo ls -la /var/named/
total 68
drwxrwx--T. 6 root named 4096 Feb 28 17:05 .
drwxr-xr-x. 21 root root 4096 Jan 11 09:50 ..
-rw-r--r--. 1 root root 601 Jan 11 10:36 Kictsc.net.+008+63439.key
-rw-------. 1 root root 1776 Jan 11 10:36 Kictsc.net.+008+63439.private
-rw-r--r--. 1 root root 601 Jan 11 09:59 Kictsc.net.+008+63829.key
-rw-------. 1 root root 1776 Jan 11 09:59 Kictsc.net.+008+63829.private
-rw-r--r--. 1 root root 427 Jan 11 09:59 Kictsc.net.+008+63885.key
-rw-------. 1 root root 1012 Jan 11 09:59 Kictsc.net.+008+63885.private
drwxr-x---. 7 root named 61 Jan 11 09:50 chroot
drwxrwx---. 2 named named 66 Feb 28 14:22 data
-rw-r--r--. 1 root root 160 Jan 11 10:37 dsset-ictsc.net-63439.
-rw-r--r--. 1 root root 326 Jan 11 10:40 dsset-ictsc.net.
drwxrwx---. 2 named named 60 Mar 5 18:57 dynamic
-rw-r--r--. 1 root root 722 Jan 11 10:38 ictsc.net.zone
-rw-r--r--. 1 root root 6792 Jan 11 10:40 ictsc.net.zone.signed
-rw-r-----. 1 root named 2253 Aug 25 2020 named.ca
-rw-r-----. 1 root named 152 Aug 25 2020 named.empty
-rw-r-----. 1 root named 152 Aug 25 2020 named.localhost
-rw-r-----. 1 root named 168 Aug 25 2020 named.loopback
drwxrwx---. 2 named named 6 Aug 25 2020 slaves
The generated keys
[user@dns_master_server ~]$ sudo cat /var/named/Kictsc.net.+008+63439.key
; This is a key-signing key, keyid 63439, for ictsc.net.
; Created: 20210111013644 (Mon Jan 11 10:36:44 2021)
; Publish: 20210111013644 (Mon Jan 11 10:36:44 2021)
; Activate: 20210111013644 (Mon Jan 11 10:36:44 2021)
ictsc.net. IN DNSKEY 257 3 8 AwEAAePGnJDVqiEhjCRcnYYNP+Pf2DFnJwoj3sTlJwkh2aM1LZR4ajtR sxidDJi59Hf/lcwCBiEnW8eNvpuHz5NfrUTuc/hI/jKI38VkH4m+b68B feNyJtS9IUn8Naln/9r4hQBFCCEHJNmiMo5XnKdD3oEuDSgIsCeP8IOJ c1tlEcimyfBfijuQleTr7MyoxW3iK0Q7kUuy8kIGelWKMogbUwrFFeBV CNvIAiofQOy7UDkjuGe9UpEXozZ5LNQkrBONzkUvr8Dt3YlhhWWYAjbX W5WzrLiQS9PTr3HMRlOOvTk4XlxQu0LDyqalyuBQnvMMg0AleQ7Q5c+M LU3l96yAg50=
[user@dns_master_server ~]$ sudo cat /var/named/Kictsc.net.+008+63829.key
; This is a key-signing key, keyid 63829, for ictsc.net.
; Created: 20210111005950 (Mon Jan 11 09:59:50 2021)
; Publish: 20210111005950 (Mon Jan 11 09:59:50 2021)
; Activate: 20210111005950 (Mon Jan 11 09:59:50 2021)
ictsc.net. IN DNSKEY 257 3 8 AwEAAavtx9P+9GefmVjvmdcR9XccQKR8mrWvFlQQ+kLY2qh1qlyoZs5T YVcmiWVr/EjJsmLw4W0XIQjd1e0x8Si6OSL8dFtQbGq+1kbLBzbAdeuw S5zRubLhUWVTuwQseEo6hRfaRFTdqf/lViOddl+OnJwIf4RFvmIuI7ho VCVf8Tui4CbzxanyubTGqL0fPh6sWTqGS8QBmrmXo0HoIaodVSPT5vW2 1jrAVF7oUoQBf87s5xhewLaz6bAX41DYpUj5cKukOZ56TEantH70mQwq gurKLbqrGnfsOOSWtxZNkI557lHZAx/WGNV0YnKSJ5WT8seWVkL03J8c +a9YV7VK0m0=
[user@dns_master_server ~]$ sudo cat /var/named/Kictsc.net.+008+63885.key
; This is a zone-signing key, keyid 63885, for ictsc.net.
; Created: 20210111005935 (Mon Jan 11 09:59:35 2021)
; Publish: 20210111005935 (Mon Jan 11 09:59:35 2021)
; Activate: 20210111005935 (Mon Jan 11 09:59:35 2021)
ictsc.net. IN DNSKEY 256 3 8 AwEAAcDG8kmdIuHXkMGPJ02xI8H8cdSubmwbg0IMcdC7w3uFtXwy/spd jaq81Ww9kjQG/Nx2ft+fXTETH8D6Ihp8fRGfyi1lykjDZjuPppFZcd3v dV794+UoBEr4/FFFjtxyhdWE8YAhspxxsz4ECPDxmoQGdSTpl6hD8S9M +xYHres9
/var/named/Kictsc.net.+008+63439.key
This one is probably the newest
[user@dns_master_server ~]$ sudo cat /var/named/Kictsc.net.+008+63439.key
; This is a key-signing key, keyid 63439, for ictsc.net.
; Created: 20210111013644 (Mon Jan 11 10:36:44 2021)
; Publish: 20210111013644 (Mon Jan 11 10:36:44 2021)
; Activate: 20210111013644 (Mon Jan 11 10:36:44 2021)
ictsc.net. IN DNSKEY 257 3 8 AwEAAePGnJDVqiEhjCRcnYYNP+Pf2DFnJwoj3sTlJwkh2aM1LZR4ajtR sxidDJi59Hf/lcwCBiEnW8eNvpuHz5NfrUTuc/hI/jKI38VkH4m+b68B feNyJtS9IUn8Naln/9r4hQBFCCEHJNmiMo5XnKdD3oEuDSgIsCeP8IOJ c1tlEcimyfBfijuQleTr7MyoxW3iK0Q7kUuy8kIGelWKMogbUwrFFeBV CNvIAiofQOy7UDkjuGe9UpEXozZ5LNQkrBONzkUvr8Dt3YlhhWWYAjbX W5WzrLiQS9PTr3HMRlOOvTk4XlxQu0LDyqalyuBQnvMMg0AleQ7Q5c+M LU3l96yAg50=
[user@dns-cache-server ~]$ sudo cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
acl "locals" {
192.168.2.0/24;
127.0.0.1;
};
options {
listen-on port 53 { 127.0.0.1; 192.168.2.131; };
listen-on-v6 port 53 { none; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { locals; };
recursion yes;
allow-recursion { locals; };
allow-query-cache { locals; };
dnssec-enable yes;
dnssec-validation yes;
version none;
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "ictsc.net" {
type stub;
masters { 192.168.2.20; };
};
zone "googlec.om" {
type stub;
masters { 8.8.8.8 };
};
trusted-keys {
"ictsc.net." 257 3 8 "AwEAAb6i+WmnWT5NGT/5TvCliRH4YjpVf5j4OM86Qm6A2dDPPLhHem2n k3oXYURGfptVo+9E/S+ZFWZ/nfT5F6qRoNXu+U9adfbbRQV/gp1OiteU PJ1CB0NGbSaGHB4x7lmt1z4mf0AtMUVdc2LpK9qewXO5UO8J78YJ+0OS vM/8d+VNWUISenE7CDM1sk6QMfe+ldNMg5Zguz42RJpuLxUNgLo9lRjz hUWE9XDrWGTDtehqOvVOz4d1mQIbZVDSJ3Jdt/BSnJuSznFb1aiOTRYq dyqjjwcabZGeO+YGJqM6xzjYTSLa4rOzCZiG9bknbbSQomOqgRKvfJcr hVCQ+whzYe0=";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
The KSK is different!!!
Change the trusted key
[user@dns-cache-server ~]$ sudo cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
acl "locals" {
192.168.2.0/24;
127.0.0.1;
};
options {
listen-on port 53 { 127.0.0.1; 192.168.2.131; };
listen-on-v6 port 53 { none; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { locals; };
recursion yes;
allow-recursion { locals; };
allow-query-cache { locals; };
dnssec-enable yes;
dnssec-validation yes;
version none;
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "ictsc.net" {
type stub;
masters { 192.168.2.20; };
};
zone "googlec.om" {
type stub;
masters { 8.8.8.8 };
};
trusted-keys {
"ictsc.net." 257 3 8 "AwEAAePGnJDVqiEhjCRcnYYNP+Pf2DFnJwoj3sTlJwkh2aM1LZR4ajtR sxidDJi59Hf/lcwCBiEnW8eNvpuHz5NfrUTuc/hI/jKI38VkH4m+b68B feNyJtS9IUn8Naln/9r4hQBFCCEHJNmiMo5XnKdD3oEuDSgIsCeP8IOJ c1tlEcimyfBfijuQleTr7MyoxW3iK0Q7kUuy8kIGelWKMogbUwrFFeBV CNvIAiofQOy7UDkjuGe9UpEXozZ5LNQkrBONzkUvr8Dt3YlhhWWYAjbX W5WzrLiQS9PTr3HMRlOOvTk4XlxQu0LDyqalyuBQnvMMg0AleQ7Q5c+M LU3l96yAg50=";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Reload
rndc reconfig
[user@dns-cache-server ~]$ dig @192.168.2.20 pc1.ictsc.net +dnssec
; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8 <<>> @192.168.2.20 pc1.ictsc.net +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14133
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 229fa7a243e974ea47fb03c8604303f070b42cd1a78908dd (good)
;; QUESTION SECTION:
;pc1.ictsc.net. IN A
;; ANSWER SECTION:
pc1.ictsc.net. 86400 IN A 192.168.2.151
pc1.ictsc.net. 86400 IN RRSIG A 8 3 86400 20210210004000 20210111004000 63885 ictsc.net. LKUDgH/UnLNfChUjqN8wPHQVVk0oXnfpPcAGy3CmMDlAYP4mJw6i8IVQ AnqEaou/0furcRJN6e/GbzZ2hoi2ubTguV7YvjKQ7QnA/AjcTLItqZ0J oBzrUIl+uGKsUtCPevAON45yliZV95b+vwtVA5Adh7kxsb959/1xSBG3 Swo=
;; AUTHORITY SECTION:
ictsc.net. 86400 IN NS master-ns.ictsc.net.
ictsc.net. 86400 IN RRSIG NS 8 2 86400 20210210004000 20210111004000 63885 ictsc.net. Ylkqu21praVTVlbUCZPaYAPHQ72PCXrPJA0bbq8OXIg8/pKYqO+rtmqO ZQVWizDzpYdtFnY4LoE+S/vl5taF2RVkwmV3ZJ3xyEwWRzSXwGnbWwyu /MfWOK3LUQc7UtHBGTJoaqKsiga7mpkfN9QGxqrSAmJP767vs9rcmh58 aYg=
;; ADDITIONAL SECTION:
master-ns.ictsc.net. 86400 IN A 192.168.2.20
master-ns.ictsc.net. 86400 IN RRSIG A 8 3 86400 20210210004000 20210111004000 63885 ictsc.net. WrOunB2EHrzvt6yEpnwYcFiTKkWz+decS+VdDVzyoFTkdHBiquh+u5+6 mmxJd6vAhi851MZ5R4aAcDMCfHG9ya4PyWoyylMAWOlmWJ7kf9q07ZX7 95Md438M8cqbXSEvQYs9Y7G0wRe2WFaWVB6diI72Enu8YtdJzWz+R1te EnY=
;; Query time: 2 msec
;; SERVER: 192.168.2.20#53(192.168.2.20)
;; WHEN: Sat Mar 06 13:24:16 JST 2021
;; MSG SIZE rcvd: 633
[user@dns-cache-server ~]$
It isn't working
Is it being dropped at a router along the path...?
[user@dns-cache-server ~]$ dig @192.168.2.131 pc1.ictsc.net +dnssec
; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8 <<>> @192.168.2.131 pc1.ictsc.net +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45673
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 956
; COOKIE: 42d80cde997ebd7d10b10ad7604305bd38e6f2dbb3e34787 (good)
;; QUESTION SECTION:
;pc1.ictsc.net. IN A
;; Query time: 5 msec
;; SERVER: 192.168.2.131#53(192.168.2.131)
;; WHEN: Sat Mar 06 13:31:57 JST 2021
;; MSG SIZE rcvd: 70
It's not that TCP is dead
[user@dns-cache-server ~]$ nc -vz 192.168.2.20 53
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.2.20:53.
Ncat: 0 bytes sent, 0 bytes received in 0.01 seconds.
[user@dns-cache-server ~]$ nc -vz 192.168.2.20 53
Look at the logs
validating ictsc.net/DNSKEY: verify failed due to bad signature (keyid=63829): RRSIG has expired
validating ictsc.net/DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for 'ictsc.net'
no valid KEY resolving 'ictsc.net/DNSKEY/IN': 192.168.2.20#53
broken trust chain resolving 'pc1.ictsc.net/A/IN': 192.168.2.20#53
validating ictsc.net/DNSKEY: verify failed due to bad signature (keyid=63829): RRSIG has expired
validating ictsc.net/DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for 'ictsc.net'
no valid KEY resolving 'ictsc.net/DNSKEY/IN': 192.168.2.20#53
broken trust chain resolving 'pc1.ictsc.net/A/IN': 192.168.2.20#53
validating pc1.ictsc.net/A: bad cache hit (ictsc.net/DNSKEY)
broken trust chain resolving 'pc1.ictsc.net/A/IN': 192.168.2.20#53
The new key isn't being used...?
Zone data on the authoritative server
[user@dns_master_server ~]$ sudo cat /var/named/ictsc.net.zone.signed
; File written on Mon Jan 11 10:40:00 2021
; dnssec_signzone version 9.11.20-RedHat-9.11.20-5.el8
ictsc.net. 86400 IN SOA master-ns.ictsc.net. root.master-ns.ictsc.net. (
2020123101 ; serial
10800 ; refresh (3 hours)
3600 ; retry (1 hour)
604800 ; expire (1 week)
3600 ; minimum (1 hour)
)
86400 RRSIG SOA 8 2 86400 (
20210210004000 20210111004000 63885 ictsc.net.
HWgbXdzCzLT9nmOq2qYYtySTIqq/iDoWOHSc
PcdchtwGNopK+tH0AB0NR5LiWul4dN/mgsmn
FPIpfvwrXabQV+aVjwKfq+gcVSDE+aJiBgZM
ulAU/t6kOx6s4ZxZIscya4cWsrCJ/8n1enNO
A1VC7sOArYxrNx65n+MeeFZ1aww= )
86400 NS master-ns.ictsc.net.
86400 RRSIG NS 8 2 86400 (
20210210004000 20210111004000 63885 ictsc.net.
Ylkqu21praVTVlbUCZPaYAPHQ72PCXrPJA0b
bq8OXIg8/pKYqO+rtmqOZQVWizDzpYdtFnY4
LoE+S/vl5taF2RVkwmV3ZJ3xyEwWRzSXwGnb
Wwyu/MfWOK3LUQc7UtHBGTJoaqKsiga7mpkf
N9QGxqrSAmJP767vs9rcmh58aYg= )
3600 NSEC cache-ns.ictsc.net. NS SOA RRSIG NSEC DNSKEY
3600 RRSIG NSEC 8 2 3600 (
20210210004000 20210111004000 63885 ictsc.net.
VkTzSBsQBq8mAga8pc/4fR41B5TRRUkOtEqW
zvoAhbamh3lo2Cbrf55X0QfkJrbGWfhYfsoU
QF7WM7I7hwu2t/ZYDMxYp+zYEYrQCsaZnkCp
y17HhhZxtDPi61iBHIjWWsSK3iAkRvHNqikU
y60Uf/LAU9pU7lA72xNo7lnRS7c= )
86400 DNSKEY 256 3 8 (
AwEAAcDG8kmdIuHXkMGPJ02xI8H8cdSubmwb
g0IMcdC7w3uFtXwy/spdjaq81Ww9kjQG/Nx2
ft+fXTETH8D6Ihp8fRGfyi1lykjDZjuPppFZ
cd3vdV794+UoBEr4/FFFjtxyhdWE8YAhspxx
sz4ECPDxmoQGdSTpl6hD8S9M+xYHres9
) ; ZSK; alg = RSASHA256 ; key id = 63885
86400 DNSKEY 257 3 8 (
AwEAAePGnJDVqiEhjCRcnYYNP+Pf2DFnJwoj
3sTlJwkh2aM1LZR4ajtRsxidDJi59Hf/lcwC
BiEnW8eNvpuHz5NfrUTuc/hI/jKI38VkH4m+
b68BfeNyJtS9IUn8Naln/9r4hQBFCCEHJNmi
Mo5XnKdD3oEuDSgIsCeP8IOJc1tlEcimyfBf
ijuQleTr7MyoxW3iK0Q7kUuy8kIGelWKMogb
UwrFFeBVCNvIAiofQOy7UDkjuGe9UpEXozZ5
LNQkrBONzkUvr8Dt3YlhhWWYAjbXW5WzrLiQ
S9PTr3HMRlOOvTk4XlxQu0LDyqalyuBQnvMM
g0AleQ7Q5c+MLU3l96yAg50=
) ; KSK; alg = RSASHA256 ; key id = 63439
86400 DNSKEY 257 3 8 (
AwEAAavtx9P+9GefmVjvmdcR9XccQKR8mrWv
FlQQ+kLY2qh1qlyoZs5TYVcmiWVr/EjJsmLw
4W0XIQjd1e0x8Si6OSL8dFtQbGq+1kbLBzbA
deuwS5zRubLhUWVTuwQseEo6hRfaRFTdqf/l
ViOddl+OnJwIf4RFvmIuI7hoVCVf8Tui4Cbz
xanyubTGqL0fPh6sWTqGS8QBmrmXo0HoIaod
VSPT5vW21jrAVF7oUoQBf87s5xhewLaz6bAX
41DYpUj5cKukOZ56TEantH70mQwqgurKLbqr
GnfsOOSWtxZNkI557lHZAx/WGNV0YnKSJ5WT
8seWVkL03J8c+a9YV7VK0m0=
) ; KSK; alg = RSASHA256 ; key id = 63829
86400 RRSIG DNSKEY 8 2 86400 (
20210210004000 20210111004000 63829 ictsc.net.
EmXl7P4CRyuGL66EHmADc4ZUiO57/ZdGF/r4
n3fQ66FQz3638p0xDjpo5cVHlgZaXM5errTg
VJ1YMIB+3M9ycyj4jCkvVETGw+OKcLLQwRGm
xjmOioa5+yptlToG/aTd3p2Gq9DLqeQn3lD2
J5eEP8Wvdo8IZtv/WHDKgGKcaYnjJDkx2dw5
vDQodKvTWrBHp2XqLe755U1F3rXv4r6kGHZY
DH/Qt2vZoq0tOOXABPKwozRekuQ3GfIL3Y7V
1iSx77BBDOgkXLXEWQ5pEZrd7MiwR35FIxPY
RCBNVFPMEZqG7845KJQUez/AvI+0JuQ/5Uhe
ESnhKoAzkzrww1+WnQ== )
86400 RRSIG DNSKEY 8 2 86400 (
20210210004000 20210111004000 63439 ictsc.net.
eoRMp7ltocRwesVchdRuUhef+I/DpOc3dvZ9
UZ/WkH1+EA81fKJCq22DrqssGImSlTh6YaWL
+Q/5DyyAYp49ffL1osm1GmWAqBGD9WNio3JJ
YQ6L+NiQ42xVqrflO47TjQPvkUCrAeZ0UTIu
j4SNNI6wYe07FbYIZKkHZpFB8vdfJfrpL0Nx
zhL7l0gNvJnvzxENOygO5D25vivtJdSRrHsf
b4q1kSPceX/+a47q7hTu6FM9YbevzoICbFkz
WTndl4w0L9u7zIDp2wZoLP/qb/Wywyc/WxxQ
5LNW5alC9KfU49ndvugFBGnfFYM4+YJvCuxb
sVsArWgoRiAd41NHmw== )
cache-ns.ictsc.net. 86400 IN A 192.168.2.131
86400 RRSIG A 8 3 86400 (
20210210004000 20210111004000 63885 ictsc.net.
A1o762LBuVsKV7J8mceTCYu4xQs+mFjOkqxa
2MN1MloEsoQuCv/15CU0dxjxhHMs+aNE+TbD
IMbGPaQGYvyK0wmOtFbdhERKEiDe3j/VNzdQ
cBjHT1XI/3wwvgB5fu7Zcwp99rWOTmODjbv2
GkoMEPJ14Am/5mhYKE111N4Wrls= )
3600 NSEC master-ns.ictsc.net. A RRSIG NSEC
3600 RRSIG NSEC 8 3 3600 (
20210210004000 20210111004000 63885 ictsc.net.
Y7aKUHT5Gv/9yzNQvVPVcJH+lrqN84QC1AFb
lbbI8tRIFqWPHLa5BnYANpiKcq8CEtx0c3gz
ade1qujEl0bP25Hw2igbgerXHC2cCNw7M2l7
NLB9qY80cL+RLvRSMT0JEVJEIxxNZdMJHPdq
VPjfyzVcMWCFqH2YZRyDQYlfphI= )
master-ns.ictsc.net. 86400 IN A 192.168.2.20
86400 RRSIG A 8 3 86400 (
20210210004000 20210111004000 63885 ictsc.net.
WrOunB2EHrzvt6yEpnwYcFiTKkWz+decS+Vd
DVzyoFTkdHBiquh+u5+6mmxJd6vAhi851MZ5
R4aAcDMCfHG9ya4PyWoyylMAWOlmWJ7kf9q0
7ZX795Md438M8cqbXSEvQYs9Y7G0wRe2WFaW
VB6diI72Enu8YtdJzWz+R1teEnY= )
3600 NSEC pc1.ictsc.net. A RRSIG NSEC
3600 RRSIG NSEC 8 3 3600 (
20210210004000 20210111004000 63885 ictsc.net.
RiSZL5XXUifSD6WaSWn7vLjhrGqn/YtRKWyL
GmEZ3Qv+yvgkCDOxs+uIW8YgwwNmisHP0Wo8
xLAj/y5vrxpMaMkxv6EDX8N/8zonxLw+cox2
QG+E7F2UoQIK9CP+s+v5SY3UFrXl7oA55EHz
A8VaJWynFh9JOexVpdLkVQO02SM= )
pc1.ictsc.net. 86400 IN A 192.168.2.151
86400 RRSIG A 8 3 86400 (
20210210004000 20210111004000 63885 ictsc.net.
LKUDgH/UnLNfChUjqN8wPHQVVk0oXnfpPcAG
y3CmMDlAYP4mJw6i8IVQAnqEaou/0furcRJN
6e/GbzZ2hoi2ubTguV7YvjKQ7QnA/AjcTLIt
qZ0JoBzrUIl+uGKsUtCPevAON45yliZV95b+
vwtVA5Adh7kxsb959/1xSBG3Swo= )
3600 NSEC pc2.ictsc.net. A RRSIG NSEC
3600 RRSIG NSEC 8 3 3600 (
20210210004000 20210111004000 63885 ictsc.net.
Supt4zse23Fb4/iuCVl8DWtM3Ytc2+wfhmyc
kUoGv55XRpgRmIuI50UrKuPMZwrkpBDTfcjF
uYCQgXUYQbUFGJ0FE9IAFxqP4tsqiVZ6I9xB
3rjaLjLuVhJQxF37Ku1OO4fCF1ZMYB8qmeEG
yjTu8swRIvjM+J6SubUB3DT9400= )
pc2.ictsc.net. 86400 IN A 192.168.2.152
86400 RRSIG A 8 3 86400 (
20210210004000 20210111004000 63885 ictsc.net.
j8YWWCUpD8aC/n4msrNQ5uU9jy/+g75XMnMr
sazSkuyaDnFVZr+Lzs8X+8ZBNTAEyfZ2X8RI
UOZWRecZDb6AjTL2Iv4jVbtP749s+OQzgHXV
Ei0V9GuSFvpK7tx+Fx2MzvK0qxqmhIgg7qx9
a9rEEUrhvQUA+/rXoYrC7w4NAhk= )
3600 NSEC pc3.ictsc.net. A RRSIG NSEC
3600 RRSIG NSEC 8 3 3600 (
20210210004000 20210111004000 63885 ictsc.net.
jK0AsQOnXC5YXwOsnrXPOFFTKKD+jtK9brjG
gCFsVsheF1ihkkHhKZsudwiQx2prchf62AqX
tuGPnEzGd682WOlN559liDaADPqAmjlKYXHe
w46xbyvyo9VfOD6dtsJJoi8SNpCPoW0Y+Iv2
VSN6Qfv6p+uBJHdKuxKEogDvcvo= )
pc3.ictsc.net. 86400 IN A 192.168.2.153
86400 RRSIG A 8 3 86400 (
20210210004000 20210111004000 63885 ictsc.net.
dn0j+QSAWr2+WLNo5QV93EvL5tUVDHU3F+r3
M8qAAeT+yVJf9PaopRyq9dHTcATg17MUqf/c
BF72TApoh7pv+Pd0kAIv+iPFT75z0mKTKzV1
UFgYUsW1pVfUBjg7e/LDY1Gsj0oFe8sKyeWH
8ux4U+wiXHgECvKcQwqEdG2ejNM= )
3600 NSEC ictsc.net. A RRSIG NSEC
3600 RRSIG NSEC 8 3 3600 (
20210210004000 20210111004000 63885 ictsc.net.
eqZ1h4hJz4BO+PUroioM8pXayLqrycNfdTf9
keL1ciK7hKtBPu0cbnHbyuKwDyo0HDYTnFO3
klbKYuL//1L3GOmx3k8EUOP2poURzLAX/e12
0v6ABvwV7dUhrDwQku6cy2Ubd9C3KrPhWpHM
IJaHEsuyPXeV2ZX7y6YZUlxPGWg= )
Errors after reloading the config
validating ictsc.net/DNSKEY: verify failed due to bad signature (keyid=63829): RRSIG has expired
validating ictsc.net/DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for 'ictsc.net'
no valid KEY resolving 'ictsc.net/DNSKEY/IN': 192.168.2.20#53
broken trust chain resolving 'pc1.ictsc.net/A/IN': 192.168.2.20#53
zone "googlec.om" {
type stub;
masters { 8.8.8.8 };
};
The slightly odd part of the config. I added the comma and restarted, but that didn't help...
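The resolver log above reports both "RRSIG has expired" and "unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key". The script below is an added example, not code from the original issue or from the contest environment. It re-runs those two checks offline over the material captured on this page: the three DNSKEYs from the signed zone file, the trusted-keys entry before and after the edit, and the RRSIG validity windows, evaluated at the time of the failing query taken from the ";; WHEN:" line. The RRSIG presentation lines are rebuilt from the zone file with the signature field replaced by a placeholder, since the timing check does not read it; no cryptographic verification is performed.

```python
"""Offline re-check of the DNSSEC state captured in this issue (added example)."""
import base64
import struct
from datetime import datetime, timedelta, timezone

JST = timezone(timedelta(hours=9))

# Public keys copied from the key files / named.conf above; whitespace is stripped before use.
ZSK_63885 = ("AwEAAcDG8kmdIuHXkMGPJ02xI8H8cdSubmwbg0IMcdC7w3uFtXwy/spd"
             "jaq81Ww9kjQG/Nx2ft+fXTETH8D6Ihp8fRGfyi1lykjDZjuPppFZcd3v"
             "dV794+UoBEr4/FFFjtxyhdWE8YAhspxxsz4ECPDxmoQGdSTpl6hD8S9M"
             "+xYHres9")
KSK_63439 = ("AwEAAePGnJDVqiEhjCRcnYYNP+Pf2DFnJwoj3sTlJwkh2aM1LZR4ajtR"
             "sxidDJi59Hf/lcwCBiEnW8eNvpuHz5NfrUTuc/hI/jKI38VkH4m+b68B"
             "feNyJtS9IUn8Naln/9r4hQBFCCEHJNmiMo5XnKdD3oEuDSgIsCeP8IOJ"
             "c1tlEcimyfBfijuQleTr7MyoxW3iK0Q7kUuy8kIGelWKMogbUwrFFeBV"
             "CNvIAiofQOy7UDkjuGe9UpEXozZ5LNQkrBONzkUvr8Dt3YlhhWWYAjbX"
             "W5WzrLiQS9PTr3HMRlOOvTk4XlxQu0LDyqalyuBQnvMMg0AleQ7Q5c+M"
             "LU3l96yAg50=")
KSK_63829 = ("AwEAAavtx9P+9GefmVjvmdcR9XccQKR8mrWvFlQQ+kLY2qh1qlyoZs5T"
             "YVcmiWVr/EjJsmLw4W0XIQjd1e0x8Si6OSL8dFtQbGq+1kbLBzbAdeuw"
             "S5zRubLhUWVTuwQseEo6hRfaRFTdqf/lViOddl+OnJwIf4RFvmIuI7ho"
             "VCVf8Tui4CbzxanyubTGqL0fPh6sWTqGS8QBmrmXo0HoIaodVSPT5vW2"
             "1jrAVF7oUoQBf87s5xhewLaz6bAX41DYpUj5cKukOZ56TEantH70mQwq"
             "gurKLbqrGnfsOOSWtxZNkI557lHZAx/WGNV0YnKSJ5WT8seWVkL03J8c"
             "+a9YV7VK0m0=")
OLD_ANCHOR = ("AwEAAb6i+WmnWT5NGT/5TvCliRH4YjpVf5j4OM86Qm6A2dDPPLhHem2n"
              "k3oXYURGfptVo+9E/S+ZFWZ/nfT5F6qRoNXu+U9adfbbRQV/gp1OiteU"
              "PJ1CB0NGbSaGHB4x7lmt1z4mf0AtMUVdc2LpK9qewXO5UO8J78YJ+0OS"
              "vM/8d+VNWUISenE7CDM1sk6QMfe+ldNMg5Zguz42RJpuLxUNgLo9lRjz"
              "hUWE9XDrWGTDtehqOvVOz4d1mQIbZVDSJ3Jdt/BSnJuSznFb1aiOTRYq"
              "dyqjjwcabZGeO+YGJqM6xzjYTSLa4rOzCZiG9bknbbSQomOqgRKvfJcr"
              "hVCQ+whzYe0=")  # trusted-keys entry in the first named.conf
NEW_ANCHOR = KSK_63439      # trusted-keys entry after the edit

# DNSKEY RRset of ictsc.net as (flags, protocol, algorithm, public key).
ZONE_DNSKEYS = [(256, 3, 8, ZSK_63885), (257, 3, 8, KSK_63439), (257, 3, 8, KSK_63829)]

# RRSIG records in dig presentation format, rebuilt from the signed zone file.
# The signature field is replaced by a placeholder: the timing check never reads it.
RRSIGS = [
    "ictsc.net. 86400 IN RRSIG DNSKEY 8 2 86400 20210210004000 20210111004000 63829 ictsc.net. <sig>",
    "ictsc.net. 86400 IN RRSIG DNSKEY 8 2 86400 20210210004000 20210111004000 63439 ictsc.net. <sig>",
    "pc1.ictsc.net. 86400 IN RRSIG A 8 3 86400 20210210004000 20210111004000 63885 ictsc.net. <sig>",
]

# Time of the failing query, from the ";; WHEN:" line of the dig output.
QUERY_TIME = datetime(2021, 3, 6, 11, 33, 14, tzinfo=JST)
# A constructed instant inside the signatures' validity window, for comparison.
IN_WINDOW_TIME = datetime(2021, 1, 20, 0, 0, tzinfo=timezone.utc)


def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag of a DNSKEY (RFC 4034 Appendix B), computed over the full RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64.replace(" ", ""))
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_rrsig(line):
    """Split a one-line RRSIG (dig / zone presentation format) into the fields we need."""
    f = line.split()
    # owner ttl class RRSIG type alg labels origttl expiration inception keytag signer sig...

    def as_utc(stamp):
        return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

    return {"owner": f[0], "type_covered": f[4], "expiration": as_utc(f[8]),
            "inception": as_utc(f[9]), "key_tag": int(f[10]), "signer": f[11]}


def rrsig_status(rrsig, now):
    """Validity-window check only; signature verification is out of scope here."""
    if now < rrsig["inception"]:
        return "not yet valid"
    if now > rrsig["expiration"]:
        return "expired"
    return "valid"


def anchor_key_tag(anchor_b64, dnskeys):
    """Key tag of the zone DNSKEY whose key material equals the anchor, or None if none matches."""
    anchor = anchor_b64.replace(" ", "")
    for flags, proto, alg, key in dnskeys:
        if key.replace(" ", "") == anchor:
            return key_tag(flags, proto, alg, key)
    return None


def diagnose(dnskeys, anchor_b64, rrsig_lines, now):
    """Is there an RRSIG over the DNSKEY RRset, made by the anchored key, that is in window at `now`?"""
    anchor_tag = anchor_key_tag(anchor_b64, dnskeys)
    dnskey_sigs = [s for s in map(parse_rrsig, rrsig_lines) if s["type_covered"] == "DNSKEY"]
    usable = [s for s in dnskey_sigs if s["key_tag"] == anchor_tag and rrsig_status(s, now) == "valid"]
    return {"anchor_tag": anchor_tag,
            "dnskey_rrsigs": {s["key_tag"]: rrsig_status(s, now) for s in dnskey_sigs},
            "chain_ok": bool(usable)}


if __name__ == "__main__":
    print("zone DNSKEY tags:", [key_tag(*k) for k in ZONE_DNSKEYS])
    print("old anchor tag:", key_tag(257, 3, 8, OLD_ANCHOR))
    for label, anchor in (("old anchor", OLD_ANCHOR), ("new anchor", NEW_ANCHOR)):
        print(label, diagnose(ZONE_DNSKEYS, anchor, RRSIGS, QUERY_TIME))
```

Run as-is, it reports that the old trusted-keys entry matches none of the zone's DNSKEYs, that the new entry matches the KSK with key tag 63439, and that both RRSIGs over the DNSKEY RRset carry the expiration 20210210004000, which is before the query time of 2021-03-06. With the same inputs and a time inside the window (IN_WINDOW_TIME) the chain check passes, so the anchor fix was necessary but the expired signatures on the authoritative side keep the chain broken at the time of the capture.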
Overview: The cache server used internally at the company can no longer resolve names. When we asked the administrator, we were told that a KSK rollover had been performed on the authoritative server. Please troubleshoot so that the cache server performs DNSSEC validation and can resolve names.
Preconditions: $ dig @192.168.2.131 pc1.ictsc.net fails to resolve the name. There is only one cache server that uses the authoritative server.
Initial state: Running dig @192.168.2.131 pc1.ictsc.net +dnssec from the client does not resolve the name.
End state: Running dig @192.168.2.131 pc1.ictsc.net +dnssec from the client succeeds in DNSSEC validation and resolves the name.