Cannot get a correct DNSSEC response

1

I have a DNS server for the com zone. I configured DNSSEC based on this tutorial.

Briefly, I created the Zone Signing Key (ZSK) and the Key Signing Key (KSK). I signed the zone using the command:

sudo dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o com -t forward.com

This part of the command is for random salts:

head -c 1000 /dev/random | sha1sum | cut -b 1-16

I get the following forward.com.signed (NOTE: I omitted the whole signature string and show only its first line for brevity):

; File written on Thu May 24 02:13:50 2018
; dnssec_signzone version 9.10.3-P4-Ubuntu
com.            604800  IN SOA  dns1.com. admin.com. (
                    33         ; serial
                    604820     ; refresh (1 week 20 seconds)
                    86600      ; retry (1 day 3 minutes 20 seconds)
                    2419600    ; expire (4 weeks 6 minutes 40 seconds)
                    604600     ; minimum (6 days 23 hours 56 minutes 40 seconds)
                    )
            604800  RRSIG   SOA 7 1 604800 (
                    20180623001350 20180524001350 12410 com.
                    Qfd9i1AndX/dmyQuksOo2CRXH5RyM7i52c3P )
            604800  NS  dns1.com.
            604800  RRSIG   NS 7 1 604800 (
                    20180623001350 20180524001350 12410 com.
                    Qj1DMmEhfkU5KI9MVrIlgKmQ5DxTjGuRNJ8i)
            604800  DNSKEY  256 3 7 (
                    AwEAAfZWrsuiFoAAGcOTDWyVlDoZjQC8CZc6) ; ZSK; alg = NSEC3RSASHA1; key id = 12410
            604800  DNSKEY  257 3 7 (
                    AwEAAbc92MYUBPIs1L6lNAbubqRmZCfgv1h7) ; KSK; alg = NSEC3RSASHA1; key id = 62649
            604800  RRSIG   DNSKEY 7 1 604800 (
                    20180623001350 20180524001350 12410 com.
                    MuNVIE6oWV03+dXnXu+VufPQqfIgQvNIBODh)
            604800  RRSIG   DNSKEY 7 1 604800 (
                    20180623001350 20180524001350 62649 com.
                    HxKx8nsyZ/qtrAvhsFJ9r7EBBwhSCGh0FJfM)
            0   NSEC3PARAM 1 0 10 1C5A91FD094B6845
            0   RRSIG   NSEC3PARAM 7 1 0 (
                    20180623001350 20180524001350 12410 com.
                    qXpHn0q2GG/BK71mMYqCELsoHiFT6Oel82Jv)
dns1.com.       604800  IN A    192.168.56.3
            604800  RRSIG   A 7 2 604800 (
                    20180623001350 20180524001350 12410 com.
                    aHB7ZCD8dDV4jMHJsUg23jjcm48tTnUvS8hy )
a.com.      604800  IN A    192.168.56.7
            604800  RRSIG   A 7 2 604800 (
                    20180623001350 20180524001350 12410 com.
                    0V7mUWUOuru41Rkp+RFp6eV13AHOdPnEanrV)
            604800  TXT "some-random-text"
            604800  RRSIG   TXT 7 2 604800 (
                    20180623001350 20180524001350 12410 com.
                    Uta2/oGszVJAhm/DlGd7vnD+irg/GzyXlKHp)
b.com.      604800  IN A    192.168.56.8
            604800  RRSIG   A 7 2 604800 (
                    20180623001350 20180524001350 12410 com.
                    2ui9x3SjrrEvFkcPbfcfC/NQW0MQOv2jy/Bd)
            604800  TXT ""
            604800  RRSIG   TXT 7 2 604800 (
                    20180623001350 20180524001350 12410 com.
                    etX8lM00XXK9hUMM4FVsc51zuYOCz2+6qNLM)
8NRLOA7UP8TGKLFJ7A6KPTIS503NJ4NB.com. 604600 IN NSEC3 1 1 10 1C5A91FD094B6845 (
                    QNU3FGJ5VOCSBIP3N93ITKLM4OP6GMCO
                    A TXT RRSIG )
            604600  RRSIG   NSEC3 7 2 604600 (
                    20180623001350 20180524001350 12410 com.
                    0qFfv4wr6WYSb4JlrtOlmPWykmCUKNdADlH8)
QNU3FGJ5VOCSBIP3N93ITKLM4OP6GMCO.com. 604600 IN NSEC3 1 1 10 1C5A91FD094B6845 (
                    TVQJ9TFT4DPK7IGFE32TKLFG6EH2CUH5
                    A RRSIG )
            604600  RRSIG   NSEC3 7 2 604600 (
                    20180623001350 20180524001350 12410 com.
                    qZCi11tgJWJwjK2NI9KTVkcaJ0Eln0NVDsjM)
TVQJ9TFT4DPK7IGFE32TKLFG6EH2CUH5.com. 604600 IN NSEC3 1 1 10 1C5A91FD094B6845 (
                    0J67JF0QNUUEKT5VF6FQPCRR9T8I8RT7
                    NS SOA RRSIG DNSKEY NSEC3PARAM )
            604600  RRSIG   NSEC3 7 2 604600 (
                    20180623001350 20180524001350 12410 com.
                    gud9iAHIRi4vR6eCgwOe6Xz0fR5F1qksJz6x)
0J67JF0QNUUEKT5VF6FQPCRR9T8I8RT7.com. 604600 IN NSEC3 1 1 10 1C5A91FD094B6845 (
                    8NRLOA7UP8TGKLFJ7A6KPTIS503NJ4NB
                    A TXT RRSIG )
            604600  RRSIG   NSEC3 7 2 604600 (
                    20180623001350 20180524001350 12410 com.
                    8ZowNBjQXgaAx89kjTmgCu/9lYLk14L+xTWr)

Then I tested the DNS server using a Python client that uses the dnspython library:

import dns.message
import dns.query
import dns.rdatatype

nsaddr = '192.168.56.3'  # our local private DNS server

# build a DNSKEY query for the zone; want_dnssec=True adds EDNS0 with the DO bit
request = dns.message.make_query('com.',
                                 dns.rdatatype.DNSKEY,
                                 want_dnssec=True)

# send the query over UDP directly to the authoritative server and print the reply
response = dns.query.udp(request, nsaddr)
print(str(response))

As you can see, there is no answer in the output:

id 13728
opcode QUERY
rcode NOERROR
flags QR AA TC RD RA
edns 0
eflags DO
payload 4096
;QUESTION
com. IN DNSKEY
;ANSWER
;AUTHORITY
;ADDITIONAL

Could you please help me figure out what the problem is?

EDIT: I used dig and got this response, in case it helps you point out to me where the problem is:

x@x:/etc/bind$ dig +multiline COM DNSKEY

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +multiline COM DNSKEY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31782
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;COM.           IN DNSKEY

;; ANSWER SECTION:
COM.            83148 IN DNSKEY 256 3 8 (
                AQOz+iBqxZtCKBBqKsO/i9JVchZ2Z1pFCWnj+pFHJi3u
                PWiYWsAMvtMpInRPfV1Ot9m+8nHPxSkvOL2+bttj4jEK
                6uUfTarET4wAMSh2k9rX2h+9kVQDjcuRwfFXV5bAmFd3
                j57hic7FEYVSxXtNUVU7BPaFRHuFr3OrQHQXaR4IeQ==
                ) ; ZSK; alg = RSASHA256; key id = 36707
COM.            83148 IN DNSKEY 257 3 8 (
                AQPDzldNmMvZFX4NcNJ0uEnKDg7tmv/F3MyQR0lpBmVc
                NcsIszxNFxsBfKNW9JYCYqpik8366LE7VbIcNRzfp2h9
                OO8HRl+H+E08zauK8k7evWEmu/6od+2boggPoiEfGNyv
                NPaSI7FOIroDsnw/taggzHRX1Z7SOiOiPWPNIwSUyWOZ
                79VmcQ1GLkC6NlYvG3HwYmynQv6oFwGv/KELSw7ZSdrb
                TQ0HXvZbqMUI7BaMskmvgm1G7oKZ1YiF7O9ioVNc0+7A
                SbqmZN7Z98EGU/Qh2K/BgUe8Hs0XVcdPKrtyYnoQHd2y
                nKPcMMlTEih2/2HDHjRPJ2aywIpKNnv4oPo/
                ) ; KSK; alg = RSASHA256; key id = 30909

;; Query time: 1219 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Thu May 24 10:16:44 BST 2018
;; MSG SIZE  rcvd: 452
by user9371654 24.05.2018 / 10:46
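Before testing a freshly signed zone, it helps to confirm mechanically what the signed file above claims: that every RRSIG's key tag corresponds to a DNSKEY present in the zone, and that the signature window (inception and expiration, written as YYYYMMDDHHMMSS in UTC) covers the moment of the test. The script below is an added example, not code from the question or from BIND; it uses only the standard library, and the SIGNED_ZONE string is a constructed excerpt of the forward.com.signed listing above, with signatures truncated as in the post. It goes slightly beyond the post by also reporting signatures that are not yet valid and signatures made with a key tag the zone does not publish.

```python
import re
from datetime import datetime, timezone

# Constructed excerpt of the dnssec-signzone output quoted in the question
# (signature strings truncated exactly as the post shows them).
SIGNED_ZONE = """\
; File written on Thu May 24 02:13:50 2018
com.            604800  IN SOA  dns1.com. admin.com. (
                    33         ; serial
                    604820     ; refresh
                    86600      ; retry
                    2419600    ; expire
                    604600     ; minimum
                    )
            604800  RRSIG   SOA 7 1 604800 (
                    20180623001350 20180524001350 12410 com.
                    Qfd9i1AndX/dmyQuksOo2CRXH5RyM7i52c3P )
            604800  DNSKEY  256 3 7 (
                    AwEAAfZWrsuiFoAAGcOTDWyVlDoZjQC8CZc6) ; ZSK; alg = NSEC3RSASHA1; key id = 12410
            604800  DNSKEY  257 3 7 (
                    AwEAAbc92MYUBPIs1L6lNAbubqRmZCfgv1h7) ; KSK; alg = NSEC3RSASHA1; key id = 62649
            604800  RRSIG   DNSKEY 7 1 604800 (
                    20180623001350 20180524001350 62649 com.
                    HxKx8nsyZ/qtrAvhsFJ9r7EBBwhSCGh0FJfM)
dns1.com.       604800  IN A    192.168.56.3
            604800  RRSIG   A 7 2 604800 (
                    20180623001350 20180524001350 12410 com.
                    aHB7ZCD8dDV4jMHJsUg23jjcm48tTnUvS8hy )
"""

# dnssec-signzone annotates each DNSKEY with "; ZSK|KSK; alg = ...; key id = N"
KEY_ID_RE = re.compile(r";\s*(?:ZSK|KSK);.*?key id = (\d+)")


def parse_time(stamp):
    """Parse an RRSIG YYYYMMDDHHMMSS timestamp (always UTC) into a datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def dnskey_ids(zone_text):
    """Key tags of all DNSKEY records, taken from the signer's comments."""
    return {int(m) for m in KEY_ID_RE.findall(zone_text)}


def logical_records(zone_text):
    """Strip ';' comments and join parenthesised multi-line records into token lists."""
    records, buf, depth = [], [], 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]
        for tok in line.replace("(", " ( ").replace(")", " ) ").split():
            if tok == "(":
                depth += 1
            elif tok == ")":
                depth -= 1
            else:
                buf.append(tok)
        if depth == 0 and buf:
            records.append(buf)
            buf = []
    return records


def parse_rrsigs(zone_text):
    """Extract the RRSIG fields: type covered, algorithm, labels, TTL, times, key tag, signer.
    The digit check keeps "RRSIG" inside an NSEC3 type bitmap from being mistaken for a record."""
    sigs = []
    for tokens in logical_records(zone_text):
        for i, tok in enumerate(tokens):
            if tok == "RRSIG" and len(tokens) > i + 8 and all(t.isdigit() for t in tokens[i + 2:i + 8]):
                sigs.append({
                    "type_covered": tokens[i + 1],
                    "algorithm": int(tokens[i + 2]),
                    "labels": int(tokens[i + 3]),
                    "original_ttl": int(tokens[i + 4]),
                    "expiration": parse_time(tokens[i + 5]),
                    "inception": parse_time(tokens[i + 6]),
                    "key_tag": int(tokens[i + 7]),
                    "signer": tokens[i + 8],
                })
                break
    return sigs


def check_signatures(zone_text, now):
    """Return (type_covered, key_tag, status) for each RRSIG, evaluated at time `now`."""
    known = dnskey_ids(zone_text)
    results = []
    for sig in parse_rrsigs(zone_text):
        if sig["key_tag"] not in known:
            status = "unknown-key"
        elif now < sig["inception"]:
            status = "not-yet-valid"
        elif now > sig["expiration"]:
            status = "expired"
        else:
            status = "valid"
        results.append((sig["type_covered"], sig["key_tag"], status))
    return results


if __name__ == "__main__":
    for row in check_signatures(SIGNED_ZONE, datetime.now(timezone.utc)):
        print(row)
```

Run against the real forward.com.signed, the same function tells you immediately when the 30-day window chosen by dnssec-signzone has lapsed and the zone needs re-signing, which a resolver would otherwise report only as SERVFAIL.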

0 answers
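The reply printed in the question carries the TC (truncated) flag with an empty answer section. Whatever the cause on the server side, a DNSSEC-aware client must treat a truncated UDP reply as incomplete and repeat the query over TCP instead of parsing it, since DNSKEY RRsets with their RRSIGs routinely exceed a UDP datagram. The following is an added example, not code from the question, from dnspython or from BIND: it builds a DNSKEY query with an EDNS0 OPT record and the DO bit using only the standard library, inspects the reply header for TC, and falls back to TCP. The server address 192.168.56.3 is the one from the question, the transaction id is arbitrary, and TRUNCATED_REPLY is a constructed 12-byte header matching the flags shown in the printed response.

```python
import socket
import struct

# record types and header bits (RFC 1035, RFC 6891)
DNSKEY = 48
OPT = 41
CLASS_IN = 1
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
EDNS_DO = 0x8000  # DNSSEC OK bit, high bit of the OPT "TTL" field


def encode_name(name):
    """Encode a dotted name into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234, udp_payload=4096):
    """Build a recursion-desired query with an EDNS0 OPT record that sets DO."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT pseudo-RR: root owner name, type OPT, "class" = advertised UDP payload size,
    # "TTL" = extended rcode / version / flags with DO set, zero-length rdata
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_payload, EDNS_DO, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte DNS header into a dict."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "flags": flags, "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def needs_tcp_retry(msg):
    """A reply with TC=1 is incomplete and must be re-asked over TCP (RFC 1035 s4.2.1, RFC 7766)."""
    return parse_header(msg)["tc"]


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_udp(server, msg, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (server, 53))
        return s.recv(65535)


def query_tcp(server, msg, timeout=3.0):
    """TCP transport: each message is prefixed with a two-byte big-endian length."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(msg)) + msg)
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        return recv_exact(s, length)


def dnssec_query(server, name, qtype=DNSKEY):
    """Ask over UDP first; if the reply is truncated, repeat over TCP to get the whole signed RRset."""
    msg = build_query(name, qtype)
    reply = query_udp(server, msg)
    if needs_tcp_retry(reply):
        reply = query_tcp(server, msg)
    return reply


# Constructed sample: header of the reply shown in the question
# (flags QR AA TC RD RA, rcode NOERROR, 1 question, 0 answers, 0 authority, 1 additional).
TRUNCATED_REPLY = struct.pack("!HHHHHH", 13728,
                              FLAG_QR | FLAG_AA | FLAG_TC | FLAG_RD | FLAG_RA, 1, 0, 0, 1)

if __name__ == "__main__":
    # server address taken from the question; requires the lab network to be reachable
    print(parse_header(dnssec_query("192.168.56.3", "com.")))
```

dnspython offers the same fallback in one call (`dns.query.udp_with_fallback`, or `dns.query.tcp` directly); the point of spelling it out is that an empty answer section next to a TC flag is not an answer at all, and a client that prints it as one will mislead the operator.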