1. Root zone KSK/DNSKEY

What took place on 9/19 at 2300 JST (+900) was the addition of a flag 256 record (ZSK). -- ToshinoriMaeno 2017-09-19 23:38:35

f.root-servers.net behaves slightly differently from the other root servers. -- ToshinoriMaeno 2017-09-21 02:00:00


-- ToshinoriMaeno 2017-09-19 03:46:33

Reference: https://dnsops.jp/event/20130529/dnssec2013springforum-funato-2.pdf

Figure 1 in the JPRS document is odd. https://jprs.jp/tech/notice/2017-07-10-root-zone-ksk-rollover.pdf -- ToshinoriMaeno 2017-09-19 15:49:20

2. Just before the addition

$ dig +dnssec -t dnskey . @a.root-servers.net

; <<>> DiG 9.11.1-P3 <<>> +dnssec -t dnskey . @a.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56058
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1472
;; QUESTION SECTION:
;.                              IN      DNSKEY

;; ANSWER SECTION:
.                       172800  IN      DNSKEY  256 3 8 AwEAAYvxrQOOujKdZz+37P+oL4l7e35/0diH/mZITGjlp4f81ZGQK42H NxSfkiSahinPR3t0YQhjC393NX4TorSiTJy76TBWddNOkC/IaGqcb4er U+nQ75k2Lf0oIpA7qTCk3UkzYBqhKDHHAr2UditE7uFLDcoX4nBLCoaH 5FtfxhUqyTlRu0RBXAEuKO+rORTFP0XgA5vlzVmXtwCkb9G8GknHuO1j VAwu3syPRVHErIbaXs1+jahvWWL+Do4wd+lA+TL3+pUk+zKTD2ncq7Zb JBZddo9T7PZjvntWJUzIHIMWZRFAjpi+V7pgh0o1KYXZgDUbiA1s9oLA L1KLSdmoIYM=
.                       172800  IN      DNSKEY  257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
.                       172800  IN      DNSKEY  257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
.                       172800  IN      RRSIG   DNSKEY 8 0 172800 20170930000000 20170909000000 19036 . k68xiMgfi4yZCiX7GDRkpWXBEY5hHiUMUXnMaSgE3X1aYpU/AQKHW7yQ rOVXkSWwu5GSendgshSlqfwUxPK3xCg8YqnulyNG5beQBFnNwPet0v2N sporNEg+rcSnWU+kTOZOrj+ANySz94w0/8+JssLVhnbuEan27PYve14K E811HAPJfyrqrcT27fAA0PkfqiXvOpvC5zpG4Eei0D5TDNoaloghOabk MO2xYyh56fa1He9PpRBGpygYZ1Wg4Hmne3kCBRec70QoA1lkf2UYMVMe F8sijUIOUN7bfIEXWxECHceFztP2hbg33zmW0zmzydn2KRt37wTuJa/z 7hNfGA==

;; Query time: 117 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Tue Sep 19 12:45:16 JST 2017
;; MSG SIZE  rcvd: 1139

3. Addition

There are now two records with flag 256. The second DNSKEY RR is the one that was added.

$ dig +dnssec -t dnskey . @a.root-servers.net

; <<>> DiG 9.11.1-P3 <<>> +dnssec -t dnskey . @a.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58240
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1472
;; QUESTION SECTION:
;.                              IN      DNSKEY

;; ANSWER SECTION:
.                       172800  IN      DNSKEY  256 3 8 AwEAAYvxrQOOujKdZz+37P+oL4l7e35/0diH/mZITGjlp4f81ZGQK42H NxSfkiSahinPR3t0YQhjC393NX4TorSiTJy76TBWddNOkC/IaGqcb4er U+nQ75k2Lf0oIpA7qTCk3UkzYBqhKDHHAr2UditE7uFLDcoX4nBLCoaH 5FtfxhUqyTlRu0RBXAEuKO+rORTFP0XgA5vlzVmXtwCkb9G8GknHuO1j VAwu3syPRVHErIbaXs1+jahvWWL+Do4wd+lA+TL3+pUk+zKTD2ncq7Zb JBZddo9T7PZjvntWJUzIHIMWZRFAjpi+V7pgh0o1KYXZgDUbiA1s9oLA L1KLSdmoIYM=
.                       172800  IN      DNSKEY  256 3 8 AwEAAcRIZfxskdElMKgjwvWQO2bQe7EGAvX6zgIaqmbsaMqmMrIpd1+b P7nyULLuL8jWnKAqcaVfal2yJD50gg5zFl5yW/F9dKNXXEFI7VEcGrPy G6/OrA9RBU8pGWm0qxpsNm5UIgTU5IX7pb/0rBj67c/R7qln8sjH1yls r4f1Y3R6p/druiEalKasEjGKA9L2w9jzUQusWxM7fQx/T8c/3x3bsjve D1dleQ6MJaCx4bpPXYZpqXmSvGn+T2v5350cBVAFqVKhGbjxEyXAweem 8cTU4L1p+DV7Ua11a1tMf0Tlu8pkpLwh7NQIggIEhJwEhPeXE3E4C6Q2 /PFENcoFERc=
.                       172800  IN      DNSKEY  257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
.                       172800  IN      DNSKEY  257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
.                       172800  IN      RRSIG   DNSKEY 8 0 172800 20171010000000 20170919000000 19036 . G1B0YY5YGCRtT3HuZhR6/ivgiiZ5uBSkPri6Mrhz6lZtJeQMeIPiIlAO +Y8jEkurNYPL4Gk1kaprSKBbKnB3joIeGHGBBRiKYgS0cQk/NWuEX9Jf LtW0RwZhrXTN7JsH15/WEjFQkH0LnR+R3WUFH8uHR4kxLFKztKDSZoNf +PR7pa8PK98YcjSW7rZcTV70V3daSwQTeJIpXpUhVUGXXju9WN0cRVVY Ck7sRteUqKqJQxLBAlzYQX2CgPhZOTypqJxzj12e9Y/9WPGkBLqfxHms 0c/Om+NO5WhNNONLdoXX8Yw4okFCpodGUO/UMrgM4qm7SWxXkjZwedzD ZFJpYA==

;; Query time: 121 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Tue Sep 19 23:05:32 JST 2017
;; MSG SIZE  rcvd: 1414

Does this mean that the new KSK will be applied to the ZSK in October?

The old KSK will be invalidated in January 2018.

-- ToshinoriMaeno 2017-09-19 15:30:08
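The before/after comparison in sections 2 and 3 can be automated. The following is an added example, not part of the original page: it parses dig answer lines, computes each DNSKEY's key tag (RFC 4034 Appendix B), and reports which keys were added or removed and which key signed the RRset, independent of record order. The function names and the tiny key material in the sample are constructed for illustration.

```python
import base64

def key_tag(flags, protocol, algorithm, key_b64):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(key_b64)
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_dnskeys(dig_text):
    """Return ({key_tag: role}, {signer key tags}) from dig answer lines."""
    keys, signers = {}, set()
    for line in dig_text.splitlines():
        f = line.split()
        if line.startswith(";") or len(f) < 8 or f[2] != "IN":
            continue  # comments, blank lines, other records
        if f[3] == "DNSKEY":
            flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
            role = "KSK" if flags & 0x0001 else "ZSK"  # SEP bit: 257 vs 256
            # dig splits the base64 key into space-separated chunks; rejoin them
            keys[key_tag(flags, proto, alg, "".join(f[7:]))] = role
        elif f[3] == "RRSIG" and f[4] == "DNSKEY" and len(f) > 10:
            signers.add(int(f[10]))  # key tag field of the RRSIG
    return keys, signers

def diff_rrsets(before_text, after_text):
    """Compare two DNSKEY RRsets by key tag, ignoring record order."""
    before, _ = parse_dnskeys(before_text)
    after, signers = parse_dnskeys(after_text)
    return {
        "added": sorted((t, after[t]) for t in after.keys() - before.keys()),
        "removed": sorted((t, before[t]) for t in before.keys() - after.keys()),
        "signed_by": sorted((t, after.get(t, "absent")) for t in signers),
    }

# Constructed sample with tiny fake keys (not the root zone's real records).
BEFORE = """\
.  172800 IN DNSKEY 256 3 8 AQID BAUG
.  172800 IN DNSKEY 257 3 8 CgsM
.  172800 IN RRSIG DNSKEY 8 0 172800 20170930000000 20170909000000 6676 . c2ln
"""
# Same set plus one new flag-256 key, returned in a different order.
AFTER = """\
.  172800 IN DNSKEY 257 3 8 CgsM
.  172800 IN DNSKEY 256 3 8 BwgJ
.  172800 IN DNSKEY 256 3 8 AQID BAUG
.  172800 IN RRSIG DNSKEY 8 0 172800 20171010000000 20170919000000 6676 . c2ln
"""

if __name__ == "__main__":
    print(diff_rrsets(BEFORE, AFTER))
```

Saved dig output from two points in time, or from two different servers, can be passed to `diff_rrsets` in place of the constructed samples.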

4. f root

$ dig +dnssec -t dnskey . @f.root-servers.net

; <<>> DiG 9.11.1-P3 <<>> +dnssec -t dnskey . @f.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15920
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 3cec54dfbb58dd3fa4e755f259c30e71f29dcbc86568d353 (good)
;; QUESTION SECTION:
;.                              IN      DNSKEY

;; ANSWER SECTION:
.                       172800  IN      DNSKEY  257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
.                       172800  IN      DNSKEY  257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
.                       172800  IN      DNSKEY  256 3 8 AwEAAcRIZfxskdElMKgjwvWQO2bQe7EGAvX6zgIaqmbsaMqmMrIpd1+b P7nyULLuL8jWnKAqcaVfal2yJD50gg5zFl5yW/F9dKNXXEFI7VEcGrPy G6/OrA9RBU8pGWm0qxpsNm5UIgTU5IX7pb/0rBj67c/R7qln8sjH1yls r4f1Y3R6p/druiEalKasEjGKA9L2w9jzUQusWxM7fQx/T8c/3x3bsjve D1dleQ6MJaCx4bpPXYZpqXmSvGn+T2v5350cBVAFqVKhGbjxEyXAweem 8cTU4L1p+DV7Ua11a1tMf0Tlu8pkpLwh7NQIggIEhJwEhPeXE3E4C6Q2 /PFENcoFERc=
.                       172800  IN      DNSKEY  256 3 8 AwEAAYvxrQOOujKdZz+37P+oL4l7e35/0diH/mZITGjlp4f81ZGQK42H NxSfkiSahinPR3t0YQhjC393NX4TorSiTJy76TBWddNOkC/IaGqcb4er U+nQ75k2Lf0oIpA7qTCk3UkzYBqhKDHHAr2UditE7uFLDcoX4nBLCoaH 5FtfxhUqyTlRu0RBXAEuKO+rORTFP0XgA5vlzVmXtwCkb9G8GknHuO1j VAwu3syPRVHErIbaXs1+jahvWWL+Do4wd+lA+TL3+pUk+zKTD2ncq7Zb JBZddo9T7PZjvntWJUzIHIMWZRFAjpi+V7pgh0o1KYXZgDUbiA1s9oLA L1KLSdmoIYM=
.                       172800  IN      RRSIG   DNSKEY 8 0 172800 20171010000000 20170919000000 19036 . G1B0YY5YGCRtT3HuZhR6/ivgiiZ5uBSkPri6Mrhz6lZtJeQMeIPiIlAO +Y8jEkurNYPL4Gk1kaprSKBbKnB3joIeGHGBBRiKYgS0cQk/NWuEX9Jf LtW0RwZhrXTN7JsH15/WEjFQkH0LnR+R3WUFH8uHR4kxLFKztKDSZoNf +PR7pa8PK98YcjSW7rZcTV70V3daSwQTeJIpXpUhVUGXXju9WN0cRVVY Ck7sRteUqKqJQxLBAlzYQX2CgPhZOTypqJxzj12e9Y/9WPGkBLqfxHms 0c/Om+NO5WhNNONLdoXX8Yw4okFCpodGUO/UMrgM4qm7SWxXkjZwedzD ZFJpYA==

;; Query time: 61 msec
;; SERVER: 192.5.5.241#53(192.5.5.241)
;; WHEN: Thu Sep 21 09:57:21 JST 2017
;; MSG SIZE  rcvd: 1442

The reason it is longer is this:

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 093e16247e051d5d5e3ce08759c30f21d603d925aa64870a (good)
;; QUESTION SECTION:
;.