- 自宅にキャッシュDNSサーバーを置き, dnssec validation 環境を試しています
- その中で見つけた IPv4アドレスが引けない & 原因がよくわからない ものです
- たまたまアクセスしたサイトです 😄
- たぶんわたし以外困っていません
- ghs.google.com (zone頂点にCNAME がない)
- www.ietf.org (zone頂点にCNAME がない)
- gec.xxx (TLD がDNSSEC 署名されていない)
- 検索対象が,DNSSEC 署名されているTLD 配下にある
- 検索対象のzone頂点にCNAME が設定されている
- キャッシュDNSサーバーで クエリ転送を設定している
上記をすべて満たすと, アドレスが引けない
- bind + unbound -> dnssec validation 環境下では両方 NG
- dnssec-validation をdisable する -> OK
- dig +cdflag -> OK
$ uname -a
Linux wheezy 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u1 x86_64 GNU/Linux
$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 7.6 (wheezy)
Release: 7.6
Codename: wheezy
$ dpkg -s bind9 | grep Version
Version: 1:9.8.4.dfsg.P1-6+nmu2+deb7u1
-
forward only: アドレス引けない
$ invoke-rc.d bind9 restart $ dig saigaijyouhou.com @localhost ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> saigaijyouhou.com @localhost ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4894 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;saigaijyouhou.com. IN A ;; Query time: 271 msec ;; SERVER: ::1#53(::1) ;; WHEN: Fri Jul 25 18:46:36 2014 ;; MSG SIZE rcvd: 35
-
このときの named.conf
forward only; forwarders { 8.8.8.8; };
ちなみに,
forward only;
を消せば アドレス引ける
-
-
forward first (forward なし): アドレス引ける
-
このときの named.conf
// forward only; // forwarders { // 8.8.8.8; // };
-
$ uname -a
Linux wheezy 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u1 x86_64 GNU/Linux
$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 7.6 (wheezy)
Release: 7.6
Codename: wheezy
$ dpkg -s unbound | grep Version
Version: 1.4.17-3+deb7u1
-
forward only: アドレス引けない
$ invoke-rc.d unbound restart $ dig saigaijyouhou.com @localhost ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> saigaijyouhou.com @localhost ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44401 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;saigaijyouhou.com. IN A ;; Query time: 93 msec ;; SERVER: ::1#53(::1) ;; WHEN: Fri Jul 25 20:17:21 2014 ;; MSG SIZE rcvd: 35
-
このときの unbound.conf
forward-zone: name: "." forward-addr: 8.8.8.8
ちなみに,
forward-first: yes
を足しても アドレス引けない (bind と動作がちがう)
-
-
forward first (forward なし): アドレス引ける
-
このときの unbound.conf
# forward-zone: # name: "." # forward-addr: 8.8.8.8
-
-
named.conf
// This is the primary configuration file for the BIND DNS server named. // // Please read /usr/share/doc/bind9/README.Debian.gz for information on the // structure of BIND configuration files in Debian, *BEFORE* you customize // this configuration file. // // If you are just adding zones, please do that in /etc/bind/named.conf.local include "/etc/bind/named.conf.options"; include "/etc/bind/named.conf.local"; include "/etc/bind/named.conf.default-zones";
-
named.conf.options
options { directory "/var/cache/bind"; // If there is a firewall between you and nameservers you want // to talk to, you may need to fix the firewall to allow multiple // ports to talk. See http://www.kb.cert.org/vuls/id/800113 // If your ISP provided one or more IP addresses for stable // nameservers, you probably want to use them as forwarders. // Uncomment the following block, and insert the addresses replacing // the all-0's placeholder. // forwarders { // 0.0.0.0; // }; //======================================================================== // If BIND logs error messages about the root key being expired, // you will need to update your keys. See https://www.isc.org/bind-keys //======================================================================== dnssec-validation auto; auth-nxdomain no; # conform to RFC1035 listen-on-v6 { any; }; };
-
named.conf.local
// // Do any local configuration here // // Consider adding the 1918 zones here, if they are not used in your // organization //include "/etc/bind/zones.rfc1918";
-
named.conf.default-zones
// prime the server with knowledge of the root servers zone "." { type hint; file "/etc/bind/db.root"; }; // be authoritative for the localhost forward and reverse zones, and for // broadcast zones as per RFC 1912 zone "localhost" { type master; file "/etc/bind/db.local"; }; zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; }; zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; }; zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; };
-
unbound.conf
# Unbound configuration file for Debian. # # See the unbound.conf(5) man page. # # See /usr/share/doc/unbound/examples/unbound.conf for a commented # reference config file. server: # The following line will configure unbound to perform cryptographic # DNSSEC validation using the root trust anchor. auto-trust-anchor-file: "/var/lib/unbound/root.key"