Revision of dnssec from Tue, 11/02/2020 - 17:24


Last updated: 2020-02-11

DS (Delegation Signer) record

a hash of a DNSKEY record, published at the parent (registrar's) zone when DNSSEC is enabled

DNSKEY record

contains a public signing key

RRSIG (Resource Record Signature)

the DNSSEC signature attached to a record set

Trust


# Delegation Signer (DS) record, published at the registrar's (parent) DNS
# ? stands for the domain name to query

dig DS ? +short

...

--

# grab the public key (used to verify the DNS record signatures)
# all records in the zone are verified against the same public key

dig DNSKEY ? +short

Flags value 256 marks the Zone-Signing Key (ZSK), used to verify the RRSIG signatures on A, MX, CNAME, SRV, etc. records.
Flags value 257 marks the Key-Signing Key (KSK), used to verify the signatures on the DNSKEY, CDS, and CDNSKEY records.

--

# Validate DNSSEC using dig

dig +dnssec ? +short

RRSIG is the DNSSEC signature attached to the record; with +dnssec the answer includes an RRSIG line for each record set.

The ad flag means authenticated data (the resolver validated the answer), and the do flag must be set, indicating DNSSEC OK:

===========

DNSSEC helps prevent malicious actions like:
 - cache poisoning,
 - pharming,
 - man-in-the-middle attacks.

EDNS0

EDNS is a mechanism for adding extra information to a DNS message: the DNS header is fixed-size, so nothing can be added there. DNSSEC relies on EDNS0's OPT pseudosection to carry the do flag and the advertised UDP payload size.

Testing

DNSSEC OK

A validated answer carries both the DO flag and the AD flag.

DO => DNSSEC OK
AD => authenticated data

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> hkdnr.hk +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28732
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;hkdnr.hk.                      IN      A

;; ANSWER SECTION:
hkdnr.hk.               3599    IN      A       203.119.2.31
hkdnr.hk.               3599    IN      A       203.119.87.31
hkdnr.hk.               3599    IN      RRSIG   A 8 2 3600 ...

;; Query time: 8 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Feb 11 16:54:07 HKT 2020
;; MSG SIZE  rcvd: 237

Failing result

dig brokendnssec.net +dnssec

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> brokendnssec.net +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57717
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;brokendnssec.net.              IN      A

;; Query time: 431 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Feb 11 16:51:48 HKT 2020
;; MSG SIZE  rcvd: 45

The "+cd" option sets the Checking Disabled bit, so the resolver returns results without any DNSSEC validation in place. A zone that answers SERVFAIL with +dnssec but NOERROR with +cd is signed, but its signatures fail to validate.

dig brokendnssec.net +dnssec +cd

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> brokendnssec.net +dnssec +cd
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55721
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;brokendnssec.net.              IN      A

;; ANSWER SECTION:
brokendnssec.net.       299     IN      A       104.20.49.61
brokendnssec.net.       299     IN      A       104.20.48.61

;; Query time: 9 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Feb 11 16:53:14 HKT 2020
;; MSG SIZE  rcvd: 77
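An added example, not part of these notes: a small Python script that applies the same decision rule to captured dig output, classifying a zone as secure, insecure or bogus from the status line, the ad flag and the +cd re-query, and decoding the DNSKEY flags field (256/257). The embedded dig texts are abbreviated copies of the three outputs above.

```python
import re

# Abbreviated copies of the three dig outputs shown above (captured on the page, trimmed here).
SECURE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28732
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 512
hkdnr.hk.               3599    IN      A       203.119.2.31
hkdnr.hk.               3599    IN      RRSIG   A 8 2 3600 ..."""
BOGUS = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57717
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 512"""
BOGUS_CD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55721
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 512
brokendnssec.net.       299     IN      A       104.20.49.61"""

def parse_dig(text):
    """Return (status, header flags, EDNS flags) from dig's default output."""
    status = re.search(r"status: (\w+)", text).group(1)
    hdr = re.search(r"^;; flags: ([^;]*);", text, re.M).group(1).split()
    edns = re.search(r"^; EDNS: .*flags: ([^;]*);", text, re.M)
    return status, set(hdr), set(edns.group(1).split()) if edns else set()

def dnssec_status(validating_out, cd_out=None):
    """Apply the rule used above: NOERROR + ad = validated; NOERROR without ad =
    unsigned (insecure); SERVFAIL that becomes NOERROR with +cd = signed but bogus."""
    status, flags, edns = parse_dig(validating_out)
    if "do" not in edns:
        return "error"  # resolver never echoed the DO bit, so nothing was validated
    if status == "NOERROR":
        return "secure" if "ad" in flags else "insecure"
    if status == "SERVFAIL" and cd_out is not None:
        cd_status, cd_flags, _ = parse_dig(cd_out)
        if cd_status == "NOERROR" and "cd" in cd_flags:
            return "bogus"  # data exists, but its RRSIGs do not verify
    return "error"  # SERVFAIL for another reason, or no +cd re-query to compare

def dnskey_role(flags):
    """Decode the DNSKEY flags field: 0x100 is the Zone Key bit (256 = ZSK),
    and adding the SEP bit 0x001 gives 257 = KSK."""
    if not flags & 0x100:
        return "not-a-zone-key"
    return "KSK" if flags & 0x001 else "ZSK"

if __name__ == "__main__":
    print(dnssec_status(SECURE))           # secure
    print(dnssec_status(BOGUS, BOGUS_CD))  # bogus
    print(dnskey_role(257))                # KSK
```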

Tools

https://dnsviz.net/