dnssec

Last updated: 2020-02-11

Introduction

Chain of trust

  • The root of trust -> DS -> DNSKEYs -> RRSIGs

The root of trust (trusted DS records)

The trust anchors are published by IANA (https://www.iana.org/dnssec/files)

DS (Delegation Signer) record (held in the parent zone, submitted through the registrar)

a hash of a DNSKEY record, present when DNSSEC is enabled for the zone

used to verify the child zone's DNSKEY record

DNSKEY record

contains the zone's public signing key

used to verify the RRSIG signatures over the DNS records

RRSIG record (Resource Record Signature)

used to verify the RRset it covers
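As an added worked example (not part of the original notes), the DS-to-DNSKEY link above in Python: the parent's DS holds a key tag, the algorithm and a digest of (owner name wire form || DNSKEY RDATA), and a validator accepts the child's DNSKEY only if all three agree. The zone name and key bytes are constructed placeholders, not a real zone.

```python
import hashlib
import struct

# Constructed placeholders (not a real zone or key): flags 257 = KSK, protocol 3, algorithm 8, fake 64-byte key.
ZONE = "example.test."
DNSKEY_RDATA = struct.pack("!HBB", 257, 3, 8) + bytes(range(1, 65))

def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name, RFC 4034 s6.2."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def key_tag(rdata: bytes) -> int:
    """Key tag of a DNSKEY RDATA (RFC 4034 Appendix B), the number DS and RRSIG
    records use to select a key (the 57714 in the dig output below). Not a cryptographic check."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest = hash(owner name wire || DNSKEY RDATA), RFC 4034 s5.1.4.
    Digest type 1 = SHA-1, 2 = SHA-256."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(name_to_wire(owner) + rdata).digest()

def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """DS RDATA fields (key tag, algorithm, digest type, digest) that the
    parent zone publishes for this child DNSKEY."""
    return (key_tag(rdata), rdata[3], digest_type,
            ds_digest(owner, rdata, digest_type))

def ds_matches_dnskey(ds: tuple, owner: str, rdata: bytes) -> bool:
    """The validator's check: does the parent's DS commit to this DNSKEY?
    Tag, algorithm and digest must all agree."""
    tag, alg, dtype, digest = ds
    return (tag == key_tag(rdata) and alg == rdata[3]
            and digest == ds_digest(owner, rdata, dtype))

if __name__ == "__main__":
    ds = make_ds(ZONE, DNSKEY_RDATA)
    print("DS:", ds[0], ds[1], ds[2], ds[3].hex())
    print("matches:", ds_matches_dnskey(ds, ZONE, DNSKEY_RDATA))
    tampered = DNSKEY_RDATA[:-1] + bytes([DNSKEY_RDATA[-1] ^ 1])
    print("tampered matches:", ds_matches_dnskey(ds, ZONE, tampered))
```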

Purpose

DNSSEC prevents malicious actions such as:

 - cache poisoning
 - pharming
 - man-in-the-middle attacks

Using dig
Get DS

dig DS ?

--

grab the public key

# all records in the zone are signed with the same public key

dig DNSKEY ? +short

Flag value 256 marks the Zone-Signing Key (ZSK), the public key used to verify the RRSIG signatures over ordinary records such as A, MX, CNAME and SRV.

Flag value 257 marks the Key-Signing Key (KSK), used to verify the signatures over the DNSKEY, CDS and CDNSKEY records.

--

Validate dnssec

dig +dnssec ?

e.g.

dig +dnssec hkdnr.hk

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> +dnssec hkdnr.hk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64193
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;hkdnr.hk.                      IN      A

;; ANSWER SECTION:
hkdnr.hk.               3599    IN      A       203.119.87.31
hkdnr.hk.               3599    IN      A       203.119.2.31
hkdnr.hk.               3599    IN      RRSIG   A 8 2 3600 20200311190007 20200210180007 57714 hkdnr.hk. Gu3ByzA2hrZ4UpR/9+mBOopIT0lmq2GgR8oFokntlgVgFM2izwvp0tA2 +WRbsRgi21ueh0NBsGtDby0s+vAwx9G4+ZT/hPNcRTU4ZrvuZ4HIYB4c Z125yX+fzV4SRs1anIyDmfQcfq9ekNK9Y35zy4Z9hdTGunowYMqJ3VRR b9M=

;; Query time: 32 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Feb 11 18:18:47 HKT 2020
;; MSG SIZE  rcvd: 237

# A validated answer carries the "ad" flag in the header (and "do" in the EDNS OPT section)

(DO = DNSSEC OK; AD = Authenticated Data)

Failure cases

dig +dnssec hk.yahoo.com      # no "ad" flag: the answer is returned but was not validated

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> +dnssec hk.yahoo.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49453
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;hk.yahoo.com.                  IN      A

;; ANSWER SECTION:
hk.yahoo.com.           5       IN      CNAME   atsv2-fp-shed.wg1.b.yahoo.com.
atsv2-fp-shed.wg1.b.yahoo.com. 8 IN     A       106.10.250.11
atsv2-fp-shed.wg1.b.yahoo.com. 8 IN     A       106.10.250.10

;; Query time: 2 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Feb 11 18:21:41 HKT 2020
;; MSG SIZE  rcvd: 107

dig +dnssec brokendnssec.net      # validation fails: SERVFAIL and no answer section

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> brokendnssec.net +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57717
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;brokendnssec.net.              IN      A

;; Query time: 431 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Feb 11 16:51:48 HKT 2020
;; MSG SIZE  rcvd: 45

The +cd (Checking Disabled) option asks the resolver to return the answer without DNSSEC validation, which is why the same query now succeeds.

dig brokendnssec.net +dnssec +cd

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> brokendnssec.net +dnssec +cd
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55721
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;brokendnssec.net.              IN      A

;; ANSWER SECTION:
brokendnssec.net.       299     IN      A       104.20.49.61
brokendnssec.net.       299     IN      A       104.20.48.61

;; Query time: 9 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Feb 11 16:53:14 HKT 2020
;; MSG SIZE  rcvd: 77

EDNS0

EDNS (Extension Mechanisms for DNS, RFC 6891) adds an OPT pseudo-record so that extra information can be carried in a DNS message; the fixed-size header itself has no room for it. DNSSEC depends on it: the DO bit, shown as "flags: do" in the OPT pseudosection of the dig output above, is what requests signed data.

Root

dig +dnssec -t DS com.      # the DS for com. is published in the root zone

Tools
https://dnsviz.net/