{"id":554,"date":"2017-08-31T16:27:59","date_gmt":"2017-08-31T07:27:59","guid":{"rendered":"https:\/\/fsck.jp\/?p=554"},"modified":"2018-05-31T16:01:23","modified_gmt":"2018-05-31T07:01:23","slug":"dnssec-%e3%83%ab%e3%83%bc%e3%83%88%e3%82%be%e3%83%bc%e3%83%b3-ksk-%e3%83%ad%e3%83%bc%e3%83%ab%e3%82%aa%e3%83%bc%e3%83%90%e3%83%bc%e3%81%ab%e3%81%a4%e3%81%84%e3%81%a6","status":"publish","type":"post","link":"https:\/\/fsck.jp\/?p=554","title":{"rendered":"DNSSEC \u30eb\u30fc\u30c8\u30be\u30fc\u30f3 KSK \u30ed\u30fc\u30eb\u30aa\u30fc\u30d0\u30fc\u306b\u3064\u3044\u3066"},"content":{"rendered":"

DNSSEC\u306e\u30eb\u30fc\u30c8\u30be\u30fc\u30f3KSK\u30ed\u30fc\u30eb\u30aa\u30fc\u30d0\u30fc\u306b\u3064\u3044\u3066\u3001\u30ed\u30fc\u30eb\u30aa\u30fc\u30d0\u30fc\u524d\u5f8c\u3067DNS\u306e\u691c\u7d22\u306b\u652f\u969c\u304c\u51fa\u306a\u3044\u3088\u3046\u3001\u5404\u6240\u304b\u3089\u901a\u9054\u304c\u51fa\u3066\u3044\u308b\u3002<\/p>\n

\u30eb\u30fc\u30c8\u30be\u30fc\u30f3KSK\u30ed\u30fc\u30eb\u30aa\u30fc\u30d0\u30fc\u306b\u3088\u308b\u5f71\u97ff\u3068\u305d\u306e\u78ba\u8a8d\u65b9\u6cd5\u306b\u3064\u3044\u3066 (JPRS)<\/a>
\nKSK\u30ed\u30fc\u30eb\u30aa\u30fc\u30d0\u30fc\u306b\u3064\u3044\u3066 (JPNIC)<\/a><\/p>\n

\uff082017\/10\u6708\u4e88\u5b9a\u3060\u3063\u305f\u5207\u308a\u66ff\u3048\u304c\u5ef6\u671f\u3055\u308c\u3001\u73fe\u5728\u306f 2018\/10\/11 \u306b\u4e88\u5b9a\u3055\u308c\u3066\u3044\u307e\u3059\uff09<\/p>\n

1. \u7ba1\u7406\u4e0b\u306e DNS \u30ad\u30e3\u30c3\u30b7\u30e5\u306f DNSSEC \u691c\u8a3c\u3092\u3057\u3066\u3044\u308b\u304b<\/h3>\n

DNS \u30ad\u30e3\u30c3\u30b7\u30e5\u30b5\u30fc\u30d0\u30fc\u3092\u7ba1\u7406\u3057\u3066\u3044\u308b\u5834\u5408\u306f\u3001\u4e00\u5fdc\u6c17\u3092\u4ed8\u3051\u305f\u307b\u3046\u304c\u826f\u3044\u3002\u7ba1\u7406\u4e0b\u306e DNS \u30ad\u30e3\u30c3\u30b7\u30e5\u30b5\u30fc\u30d0\u30fc\u306b\u5bfe\u3057\u3066\u3001dig \u30b3\u30de\u30f3\u30c9\u3067DNSSEC \u5bfe\u5fdc\u6e08\u307f\u30c9\u30e1\u30a4\u30f3 (\u4f8b: jprs.jp) \u306e\u60c5\u5831\u3092\u691c\u7d22\u3057\u305f\u3068\u304d\u306b\u3001\u56de\u7b54\u306b ad \u30d5\u30e9\u30b0\u304c\u4ed8\u3044\u3066\u3044\u305f\u3089\u300c\u30ad\u30e3\u30c3\u30b7\u30e5\u30b5\u30fc\u30d0\u30fc\u3067DNSSEC\u7f72\u540d\u691c\u8a3c\u304c\u6709\u52b9\u306b\u306a\u3063\u3066\u3044\u308b\u300d\u72b6\u614b\u306a\u306e\u3067\u3001\u66f4\u65b0\u5f8c\u306e\u9375\u3092\u8a2d\u5b9a\u3057\u3066\u3084\u308b\u5fc5\u8981\u304c\u3042\u308b\u304b\u3082\u3057\u308c\u306a\u3044\u3002<\/p>\n

ad\u30d5\u30e9\u30b0\u304c\u4ed8\u3044\u3066\u3044\u308b\u4f8b:<\/p>\n

\r\n$ dig jprs.jp. @mydns.example.com\r\n\r\n; <<>> DiG 9.10.3-P4-Ubuntu <<>> jprs.jp.\r\n;; global options: +cmd\r\n;; Got answer:\r\n;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26772\r\n;; flags: qr rd ra ad<\/span>; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9\r\n...<\/pre>\n
(\u53c2\u8003: DNSSEC\u30c1\u30e5\u30fc\u30c8\u30ea\u30a2\u30eb\uff5e\u5b9f\u8df5\u7de8\uff5e<\/a>)<\/p>\n
2. RHEL 7 \/ CentOS 7 + BIND \u306e\u5834\u5408<\/h3>\n
named.conf\u306b\u30c7\u30d5\u30a9\u30eb\u30c8\u3067\u4ee5\u4e0b\u306e\u8a2d\u5b9a\u304c\u5165\u3063\u3066\u3044\u3066\u3001DNSSEC\u7f72\u540d\u691c\u8a3c\u304c\u6709\u52b9\u306b\u306a\u3063\u3066\u3044\u308b\u3002<\/p>\n
\r\noptions {\r\n...\r\n        dnssec-enable yes;\r\n        dnssec-validation yes;\r\n\r\n        \/* Path to ISC DLV key *\/\r\n        bindkeys-file \"\/etc\/named.iscdlv.key\";\r\n\r\n        managed-keys-directory \"\/var\/named\/dynamic\";\r\n...\r\n};\r\n...\r\ninclude \"\/etc\/named.root.key\";<\/pre>\n
\u5bfe\u51e6\u6cd51. \u30d1\u30c3\u30b1\u30fc\u30b8\u30a2\u30c3\u30d7\u30c7\u30fc\u30c8<\/h3>\n
\/etc\/named.iscdlv.key \u3068 \/etc\/named.root.key \u306b\u3001\u30eb\u30fc\u30c8\u30be\u30fc\u30f3\u306e\u9375\u304c\u5165\u3063\u3066\u3044\u308b\u3002\u30d1\u30c3\u30b1\u30fc\u30b8\u30d0\u30fc\u30b8\u30e7\u30f3\u304cbind-9.9.4-38.4\u4ee5\u964d\u3067\u3042\u308c\u3070\u3001\u4e0a\u8a182\u30d5\u30a1\u30a4\u30eb\u306b\u65b0\u3057\u3044\u9375\u304c\u8ffd\u52a0\u3055\u308c\u308b\u306e\u3067\u3001bind\u306e\u30d1\u30c3\u30b1\u30fc\u30b8\u3092\u30a2\u30c3\u30d7\u30c7\u30fc\u30c8\u3057\u3066\u3057\u307e\u3046\u306e\u304c\u4e00\u756a\u624b\u3063\u53d6\u308a\u65e9\u304f\u5b89\u5fc3\u3067\u304d\u308b\u65b9\u6cd5\u3067\u306f\u3042\u308b\u3002<\/p>\n
\u5bfe\u51e6\u6cd52. \u81ea\u52d5\u66f4\u65b0\u306b\u4efb\u305b\u308b<\/h3>\n
9.9.4-38.3\u4ee5\u524d\u306e\u30d1\u30c3\u30b1\u30fc\u30b8\u3092\u4f7f\u3063\u3066\u3044\u308b\u5834\u5408\u3067\u3082\u3001RFC5011 \u306e\u81ea\u52d5\u66f4\u65b0\u306b\u5bfe\u5fdc\u3057\u3066\u3044\u308b\u3002named \u3092\u8d77\u52d5\u3059\u308b\u3068\u66f4\u65b0\u5f8c\u306e\u9375\u306f \/var\/named\/dynamic\/managed-keys.bind{,.jnl} \u3068\u3057\u3066\u81ea\u52d5\u4fdd\u5b58\u3055\u308c\u308b\u3002\u3053\u306e\u305f\u3081\u3001\u7279\u306b\u4f55\u304b\u3092\u3059\u308b\u5fc5\u8981\u306f\u306a\u3044\u3002<\/p>\n
# \u3068\u306f\u3044\u3048\u3001CVE-2017-3142\u3001CVE-2017-3143<\/a>\u3078\u306e\u5bfe\u51e6\u304c9.9.4-38.5\u4ee5\u964d\u3067\u884c\u308f\u308c\u3066\u3044\u308b\u306e\u3067\u3001\u30d1\u30c3\u30b1\u30fc\u30b8\u3092\u66f4\u65b0\u3057\u305f\u65b9\u304c\u826f\u3044\u3002<\/p>\n
3. RHEL 7 \/ CentOS 7 + Unbound \u306e\u5834\u5408<\/h3>\n
\u30c7\u30d5\u30a9\u30eb\u30c8\u306e \/var\/lib\/unbound\/root.key \u306b\u306f\u53e4\u3044\u9375\u3057\u304b\u5165\u3063\u3066\u3044\u306a\u3044\u304c\u3001\/etc\/unbound\/unbound.conf \u306b\u4ee5\u4e0b\u306e\u8a18\u8ff0\u304c\u3042\u308a\u3001\u81ea\u52d5\u66f4\u65b0\u304c\u6709\u52b9\u306b\u306a\u3063\u3066\u3044\u308b\u3002<\/p>\n
\r\nserver:\r\n...\r\n        auto-trust-anchor-file: \"\/var\/lib\/unbound\/root.key\"\r\n...<\/pre>\n
unbound \u306e\u30c7\u30fc\u30e2\u30f3\u3092\u8d77\u52d5\u3059\u308b\u3068\u3001\/var\/lib\/unbound\/root.key \u306b\u65b0\u3057\u3044\u9375\u304c\u8ffd\u52a0\u3055\u308c\u308b\u3002<\/p>\n
\u3053\u306e\u305f\u3081\u3001\u3053\u308c\u3089\u306e\u8a2d\u5b9a\u3092\u5909\u66f4\u3057\u3066\u3044\u306a\u3051\u308c\u3070\u3001\u7279\u306b\u5bfe\u51e6\u306e\u5fc5\u8981\u306f\u306a\u3044\u3002<\/p>\n
4. \u78ba\u8a8d\u3001\u305d\u306e\u4ed6<\/h3>\n
EDNS0\u3092\u7121\u52b9\u5316\u3057\u3066\u3044\u306a\u3044\u3053\u3068\u3001\u7d4c\u8def\u4e0a\u3067TCP53\u304c\u901a\u308b\u3053\u3068\u3001\u30d5\u30e9\u30b0\u30e1\u30f3\u30c8\u30d1\u30b1\u30c3\u30c8\u304c\u901a\u308b\u3053\u3068\u3082\u78ba\u8a8d\u3057\u3066\u304a\u304f\u3002<\/p>\n
\u5927\u304d\u306a\u30b5\u30a4\u30ba\u306e DNS \u5fdc\u7b54\u306b\u5bfe\u5fdc\u3067\u304d\u3066\u3044\u308b\u304b\u3069\u3046\u304b\u306f\u3001DNS-OARC<\/a>\u304c\u78ba\u8a8d\u7528\u306e\u30ec\u30b3\u30fc\u30c9\u3092\u7528\u610f\u3057\u3066\u304f\u308c\u3066\u3044\u308b\u306e\u3067\u3001\u4ee5\u4e0b\u306e dig \u30b3\u30de\u30f3\u30c9\u3067\u78ba\u8a8d\u3067\u304d\u308b\u3002<\/p>\n
\r\n$ dig +bufsize=4096 +short rs.dns-oarc.net txt<\/pre>\n
\u975e\u5bfe\u5fdc\u306e\u30ad\u30e3\u30c3\u30b7\u30e5\u30b5\u30fc\u30d0\u3060\u3068\u3001\u4ee5\u4e0b\u306e\u3088\u3046\u306a\u56de\u7b54\u304c\u8fd4\u3063\u3066\u304f\u308b\u3002<\/p>\n
\r\nrst.x476.rs.dns-oarc.net.\r\nrst.x485.x476.rs.dns-oarc.net.\r\nrst.x490.x485.x476.rs.dns-oarc.net.\r\n\"203.0.113.1 DNS reply size limit is at least 490\"\r\n\"203.0.113.1 lacks EDNS, defaults to 512\"\r\n\"Tested at 2017-08-31 01:19:47 UTC\"<\/pre>\n","protected":false},"excerpt":{"rendered":"
DNSSEC\u306e\u30eb\u30fc\u30c8\u30be\u30fc\u30f3KSK\u30ed\u30fc\u30eb\u30aa\u30fc\u30d0\u30fc\u306b\u3064\u3044\u3066\u3001\u30ed\u30fc\u30eb\u30aa\u30fc\u30d0\u30fc\u524d\u5f8c\u3067DNS\u306e\u691c\u7d22\u306b\u652f\u969c\u304c\u51fa\u306a\u3044\u3088\u3046\u3001\u5404\u6240\u304b\u3089\u901a\u9054\u304c\u51fa\u3066\u3044\u308b\u3002 \u30eb\u30fc\u30c8\u30be\u30fc\u30f3KSK\u30ed\u30fc\u30eb\u30aa\u30fc\u30d0\u30fc\u306b\u3088\u308b\u5f71\u97ff\u3068\u305d\u306e\u78ba\u8a8d\u65b9\u6cd5\u306b\u3064\u3044\u3066 (JPRS) KSK […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[20,13,15,12],"tags":[],"_links":{"self":[{"href":"https:\/\/fsck.jp\/index.php?rest_route=\/wp\/v2\/posts\/554"}],"collection":[{"href":"https:\/\/fsck.jp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fsck.jp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fsck.jp\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fsck.jp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=554"}],"version-history":[{"count":0,"href":"https:\/\/fsck.jp\/index.php?rest_route=\/wp\/v2\/posts\/554\/revisions"}],"wp:attachment":[{"href":"https:\/\/fsck.jp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=554"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fsck.jp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=554"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fsck.jp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=554"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}