Eu tenho um servidor DNS para com zone. Eu configurei o DNSSEC com base neste tutorial
Resumidamente, criei o Zone Siging Key (ZSK) e o Key Signing Key (KSK). Eu assinei a zona usando o comando:
sudo dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o com -t forward.com
Esta parte do comando para slats aleatórios:
head -c 1000 /dev/random | sha1sum | cut -b 1-16
Eu tenho o seguinte forward.com.signed (NOTA: omiti toda a string da assinatura - apenas mostre a primeira linha por brevidade):
; File written on Thu May 24 02:13:50 2018
; dnssec_signzone version 9.10.3-P4-Ubuntu
com. 604800 IN SOA dns1.com. admin.com. (
33 ; serial
604820 ; refresh (1 week 20 seconds)
86600 ; retry (1 day 3 minutes 20 seconds)
2419600 ; expire (4 weeks 6 minutes 40 seconds)
604600 ; minimum (6 days 23 hours 56 minutes 40 seconds)
)
604800 RRSIG SOA 7 1 604800 (
20180623001350 20180524001350 12410 com.
Qfd9i1AndX/dmyQuksOo2CRXH5RyM7i52c3P )
604800 NS dns1.com.
604800 RRSIG NS 7 1 604800 (
20180623001350 20180524001350 12410 com.
Qj1DMmEhfkU5KI9MVrIlgKmQ5DxTjGuRNJ8i)
604800 DNSKEY 256 3 7 (
AwEAAfZWrsuiFoAAGcOTDWyVlDoZjQC8CZc6) ; ZSK; alg = NSEC3RSASHA1; key id = 12410
604800 DNSKEY 257 3 7 (
AwEAAbc92MYUBPIs1L6lNAbubqRmZCfgv1h7) ; KSK; alg = NSEC3RSASHA1; key id = 62649
604800 RRSIG DNSKEY 7 1 604800 (
20180623001350 20180524001350 12410 com.
MuNVIE6oWV03+dXnXu+VufPQqfIgQvNIBODh)
604800 RRSIG DNSKEY 7 1 604800 (
20180623001350 20180524001350 62649 com.
HxKx8nsyZ/qtrAvhsFJ9r7EBBwhSCGh0FJfM)
0 NSEC3PARAM 1 0 10 1C5A91FD094B6845
0 RRSIG NSEC3PARAM 7 1 0 (
20180623001350 20180524001350 12410 com.
qXpHn0q2GG/BK71mMYqCELsoHiFT6Oel82Jv)
dns1.com. 604800 IN A 192.168.56.3
604800 RRSIG A 7 2 604800 (
20180623001350 20180524001350 12410 com.
aHB7ZCD8dDV4jMHJsUg23jjcm48tTnUvS8hy )
a.com. 604800 IN A 192.168.56.7
604800 RRSIG A 7 2 604800 (
20180623001350 20180524001350 12410 com.
0V7mUWUOuru41Rkp+RFp6eV13AHOdPnEanrV)
604800 TXT "some-random-text"
604800 RRSIG TXT 7 2 604800 (
20180623001350 20180524001350 12410 com.
Uta2/oGszVJAhm/DlGd7vnD+irg/GzyXlKHp)
b.com. 604800 IN A 192.168.56.8
604800 RRSIG A 7 2 604800 (
20180623001350 20180524001350 12410 com.
2ui9x3SjrrEvFkcPbfcfC/NQW0MQOv2jy/Bd)
604800 TXT ""
604800 RRSIG TXT 7 2 604800 (
20180623001350 20180524001350 12410 com.
etX8lM00XXK9hUMM4FVsc51zuYOCz2+6qNLM)
8NRLOA7UP8TGKLFJ7A6KPTIS503NJ4NB.com. 604600 IN NSEC3 1 1 10 1C5A91FD094B6845 (
QNU3FGJ5VOCSBIP3N93ITKLM4OP6GMCO
A TXT RRSIG )
604600 RRSIG NSEC3 7 2 604600 (
20180623001350 20180524001350 12410 com.
0qFfv4wr6WYSb4JlrtOlmPWykmCUKNdADlH8)
QNU3FGJ5VOCSBIP3N93ITKLM4OP6GMCO.com. 604600 IN NSEC3 1 1 10 1C5A91FD094B6845 (
TVQJ9TFT4DPK7IGFE32TKLFG6EH2CUH5
A RRSIG )
604600 RRSIG NSEC3 7 2 604600 (
20180623001350 20180524001350 12410 com.
qZCi11tgJWJwjK2NI9KTVkcaJ0Eln0NVDsjM)
TVQJ9TFT4DPK7IGFE32TKLFG6EH2CUH5.com. 604600 IN NSEC3 1 1 10 1C5A91FD094B6845 (
0J67JF0QNUUEKT5VF6FQPCRR9T8I8RT7
NS SOA RRSIG DNSKEY NSEC3PARAM )
604600 RRSIG NSEC3 7 2 604600 (
20180623001350 20180524001350 12410 com.
gud9iAHIRi4vR6eCgwOe6Xz0fR5F1qksJz6x)
0J67JF0QNUUEKT5VF6FQPCRR9T8I8RT7.com. 604600 IN NSEC3 1 1 10 1C5A91FD094B6845 (
8NRLOA7UP8TGKLFJ7A6KPTIS503NJ4NB
A TXT RRSIG )
604600 RRSIG NSEC3 7 2 604600 (
20180623001350 20180524001350 12410 com.
8ZowNBjQXgaAx89kjTmgCu/9lYLk14L+xTWr)
Então eu testei pelo servidor DNS usando um cliente python que usa a biblioteca dnspython:
import dns.name
import dns.query
import dns.dnssec
import dns.message
import dns.resolver
import dns.rdatatype
resolver = dns.resolver.Resolver()
nameServer = resolver.nameservers = ['192.168.56.3'] # our local private DNS server
nsaddr = '192.168.56.3'
# get DNSKEY for zone
request = dns.message.make_query('com.',
dns.rdatatype.DNSKEY,
want_dnssec=True)
# send the query
response = dns.query.udp(request,nsaddr)
print(str(response))
Como você pode ver, não há resposta na saída:
id 13728
opcode QUERY
rcode NOERROR
flags QR AA TC RD RA
edns 0
eflags DO
payload 4096
;QUESTION
com. IN DNSKEY
;ANSWER
;AUTHORITY
;ADDITIONAL
Você pode, por favor, me ajudar a descobrir qual é o problema?
EDITAR: Eu usei escavação e recebi esta resposta se isso pode ajudá-lo a apontar para mim onde está o problema?
x@x:/etc/bind$ dig +multiline COM DNSKEY
; <<>> DiG 9.10.3-P4-Ubuntu <<>> +multiline COM DNSKEY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31782
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;COM. IN DNSKEY
;; ANSWER SECTION:
COM. 83148 IN DNSKEY 256 3 8 (
AQOz+iBqxZtCKBBqKsO/i9JVchZ2Z1pFCWnj+pFHJi3u
PWiYWsAMvtMpInRPfV1Ot9m+8nHPxSkvOL2+bttj4jEK
6uUfTarET4wAMSh2k9rX2h+9kVQDjcuRwfFXV5bAmFd3
j57hic7FEYVSxXtNUVU7BPaFRHuFr3OrQHQXaR4IeQ==
) ; ZSK; alg = RSASHA256; key id = 36707
COM. 83148 IN DNSKEY 257 3 8 (
AQPDzldNmMvZFX4NcNJ0uEnKDg7tmv/F3MyQR0lpBmVc
NcsIszxNFxsBfKNW9JYCYqpik8366LE7VbIcNRzfp2h9
OO8HRl+H+E08zauK8k7evWEmu/6od+2boggPoiEfGNyv
NPaSI7FOIroDsnw/taggzHRX1Z7SOiOiPWPNIwSUyWOZ
79VmcQ1GLkC6NlYvG3HwYmynQv6oFwGv/KELSw7ZSdrb
TQ0HXvZbqMUI7BaMskmvgm1G7oKZ1YiF7O9ioVNc0+7A
SbqmZN7Z98EGU/Qh2K/BgUe8Hs0XVcdPKrtyYnoQHd2y
nKPcMMlTEih2/2HDHjRPJ2aywIpKNnv4oPo/
) ; KSK; alg = RSASHA256; key id = 30909
;; Query time: 1219 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Thu May 24 10:16:44 BST 2018
;; MSG SIZE rcvd: 452