@codeout
Last active August 29, 2015 14:04

Problem: with DNSSEC validation enabled, some records' IPv4 addresses cannot be resolved

  • I run a caching DNS server at home and am experimenting with a DNSSEC validation setup
  • These are cases I found there where the IPv4 address cannot be resolved and I cannot tell why
    • A site I happened to visit 😄
    • Probably nobody besides me is affected

Records that fail to resolve

Records that resolve fine

Conditions

  • The name being looked up is under a DNSSEC-signed TLD
  • A CNAME is set at the apex of the zone being looked up
  • The caching DNS server is configured to forward queries

When all three of the above hold, the address cannot be resolved

What I tried

  • bind + unbound -> both fail (NG) with DNSSEC validation enabled
  • disable dnssec-validation -> OK
  • dig +cdflag -> OK
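To make the three experiments above and the apex-CNAME condition concrete at the wire level, here is an added Python example (not part of the original gist) that builds the query dig sends with and without the CD bit (what `dig +cdflag` changes), and parses a resolver reply to report the rcode, the AD flag, whether the queried name itself owns a CNAME, and any A records returned. Both replies are constructed inside the script (example.com, a TEST-NET address, a made-up CNAME target); nothing is sent over the network.

```python
"""Minimal DNS wire-format helpers (added example, constructed data only, no network)."""
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}
TYPE_A, TYPE_CNAME = 1, 5
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we left off
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def build_query(qname, qtype=TYPE_A, txid=0x1234, cd=False):
    """Build the query dig sends; cd=True sets the CD bit like `dig +cdflag`."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack(">HH", qtype, 1)


def cd_set(query):
    """True if the CD (checking disabled) bit is set in a query's header."""
    return bool(struct.unpack(">H", query[2:4])[0] & FLAG_CD)


def build_response(query, rcode, answers=(), ad=False):
    """Constructed resolver reply: echoes the question, appends (owner, type, rdata) answers."""
    txid = struct.unpack(">H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0) | rcode
    body = query[12:]  # the question section, copied back verbatim
    for owner, rtype, rdata in answers:
        body += encode_name(owner) + struct.pack(">HHIH", rtype, 1, 300, len(rdata)) + rdata
    return struct.pack(">HHHHHH", txid, flags, 1, len(answers), 0, 0) + body


def parse_response(msg):
    """Parse header and answer section; return (rcode name, AD flag, [(owner, type, value)])."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_CNAME:
            value, _ = decode_name(msg, off)
        elif rtype == TYPE_A:
            value = ".".join(str(b) for b in msg[off:off + 4])
        else:
            value = msg[off:off + rdlen].hex()
        records.append((owner, rtype, value))
        off += rdlen
    return RCODES.get(flags & 0xF, str(flags & 0xF)), bool(flags & FLAG_AD), records


def diagnose(qname, msg):
    """Classify a reply the way the notes above do: rcode, whether it was validated (AD),
    whether the queried name itself owns a CNAME (the apex-CNAME condition), and any A records."""
    rcode, ad, records = parse_response(msg)
    qname = qname.rstrip(".") + "."
    return {
        "rcode": rcode,
        "validated": ad,
        "apex_cname": any(o == qname and t == TYPE_CNAME for o, t, _ in records),
        "addresses": [v for _, t, v in records if t == TYPE_A],
    }


# Constructed sample exchanges (not real captures).
QUERY = build_query("example.com")
SERVFAIL_REPLY = build_response(QUERY, 2)          # what a failing validating forwarder returns
CD_QUERY = build_query("example.com", cd=True)     # dig +cdflag
CD_REPLY = build_response(CD_QUERY, 0, [
    ("example.com.", TYPE_CNAME, encode_name("www.example.com.")),  # constructed apex CNAME
    ("www.example.com.", TYPE_A, bytes([192, 0, 2, 10])),           # TEST-NET-1 address
])

if __name__ == "__main__":
    print("plain query:", diagnose("example.com", SERVFAIL_REPLY))
    print("+cdflag    :", diagnose("example.com", CD_REPLY))
```

A SERVFAIL with an empty answer section is exactly what the dig outputs below show. The CD-bit reply is what a validator returns when told to skip validation: the AD flag stays clear, so the resulting address is unauthenticated and the flag is only useful for diagnosing where validation breaks, not as a workaround to leave enabled.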

debian + bind 9.8.4 (deb pkg)

$ uname -a
Linux wheezy 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u1 x86_64 GNU/Linux

$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 7.6 (wheezy)
Release:        7.6
Codename:       wheezy

$ dpkg -s bind9 | grep Version
Version: 1:9.8.4.dfsg.P1-6+nmu2+deb7u1
  • forward only: address cannot be resolved

      $ invoke-rc.d bind9 restart
      $ dig saigaijyouhou.com @localhost
      
      ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> saigaijyouhou.com @localhost
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4894
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
      
      ;; QUESTION SECTION:
      ;saigaijyouhou.com.             IN      A
      
      ;; Query time: 271 msec
      ;; SERVER: ::1#53(::1)
      ;; WHEN: Fri Jul 25 18:46:36 2014
      ;; MSG SIZE  rcvd: 35
    
    • named.conf at that point

          forward only;
          forwarders {
              8.8.8.8;
          };
      

      Incidentally, removing the forward only; line makes the address resolvable

  • forward first (no forwarding configured): address resolves

    • named.conf at that point

          // forward only;
          // forwarders {
          //     8.8.8.8;
          // };
      

debian + unbound 1.4.17 (deb pkg)

$ uname -a
Linux wheezy 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u1 x86_64 GNU/Linux

$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 7.6 (wheezy)
Release:        7.6
Codename:       wheezy

$ dpkg -s unbound | grep Version
Version: 1.4.17-3+deb7u1
  • forward only: address cannot be resolved

      $ invoke-rc.d unbound restart
      $ dig saigaijyouhou.com @localhost
      
      ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> saigaijyouhou.com @localhost
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44401
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
      
      ;; QUESTION SECTION:
      ;saigaijyouhou.com.             IN      A
      
      ;; Query time: 93 msec
      ;; SERVER: ::1#53(::1)
      ;; WHEN: Fri Jul 25 20:17:21 2014
      ;; MSG SIZE  rcvd: 35
    
    • unbound.conf at that point

          forward-zone:
              name: "."
              forward-addr: 8.8.8.8
      

      Incidentally, adding forward-first: yes still does not make the address resolvable (this differs from bind's behaviour)

  • forward first (no forwarding configured): address resolves

    • unbound.conf at that point

          # forward-zone:
          #     name: "."
          #     forward-addr: 8.8.8.8
      

Reference: bind9 default configuration

  • named.conf

      // This is the primary configuration file for the BIND DNS server named.
      //
      // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
      // structure of BIND configuration files in Debian, *BEFORE* you customize
      // this configuration file.
      //
      // If you are just adding zones, please do that in /etc/bind/named.conf.local
      
      include "/etc/bind/named.conf.options";
      include "/etc/bind/named.conf.local";
      include "/etc/bind/named.conf.default-zones";
    
  • named.conf.options

      options {
              directory "/var/cache/bind";
      
              // If there is a firewall between you and nameservers you want
              // to talk to, you may need to fix the firewall to allow multiple
              // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
      
              // If your ISP provided one or more IP addresses for stable
              // nameservers, you probably want to use them as forwarders.
              // Uncomment the following block, and insert the addresses replacing
              // the all-0's placeholder.
      
              // forwarders {
              //      0.0.0.0;
              // };
      
              //========================================================================
              // If BIND logs error messages about the root key being expired,
              // you will need to update your keys.  See https://www.isc.org/bind-keys
              //========================================================================
              dnssec-validation auto;
      
              auth-nxdomain no;    # conform to RFC1035
              listen-on-v6 { any; };
      };
    
  • named.conf.local

      //
      // Do any local configuration here
      //
      
      // Consider adding the 1918 zones here, if they are not used in your
      // organization
      //include "/etc/bind/zones.rfc1918";
    
  • named.conf.default-zones

      // prime the server with knowledge of the root servers
      zone "." {
              type hint;
              file "/etc/bind/db.root";
      };
      
      // be authoritative for the localhost forward and reverse zones, and for
      // broadcast zones as per RFC 1912
      
      zone "localhost" {
              type master;
              file "/etc/bind/db.local";
      };
      
      zone "127.in-addr.arpa" {
              type master;
              file "/etc/bind/db.127";
      };
      
      zone "0.in-addr.arpa" {
              type master;
              file "/etc/bind/db.0";
      };
      
      zone "255.in-addr.arpa" {
              type master;
              file "/etc/bind/db.255";
      };
    

Reference: unbound default configuration

  • unbound.conf

      # Unbound configuration file for Debian.
      #
      # See the unbound.conf(5) man page.
      #
      # See /usr/share/doc/unbound/examples/unbound.conf for a commented
      # reference config file.
      
      server:
          # The following line will configure unbound to perform cryptographic
          # DNSSEC validation using the root trust anchor.
          auto-trust-anchor-file: "/var/lib/unbound/root.key"
    