1. ccTLD/cz
| /Knot-resolver /NXDOMAIN /TTL /il /minimal-responses /signed.dnstester.cz |
cz, nic.cz, dnssec.cz ゾーンは同居。 cz, nic.cz ともにDNSSEC設定されている。
- 同居によりDNSSECがどういう振る舞いをするか。
ns.nic.cz にはレコードがないようだ。 -- ToshinoriMaeno 2015-04-05 00:16:12
/signed.dnstester.cz 三世代同居
nic.cz はKnot DNSらしい。-- ToshinoriMaeno 2015-08-29 22:07:08
2. 子ドメイン
gov, tel, il, advnet, ...
$ dnsq ns gov.cz d.ns.nic.cz 2 gov.cz: 123 bytes, 1+0+2+3 records, response, noerror query: 2 gov.cz authority: gov.cz 3600 NS ns.gov.cz authority: gov.cz 3600 NS ns2.tel.cz additional: ns.gov.cz 3600 A 94.199.40.130 additional: ns2.tel.cz 3600 A 194.228.2.1 additional: ns2.tel.cz 3600 28 *\000\020(\001\000\001\001\000\000\000\000\000\000\000\00
$ dnsq ns tel.cz d.ns.nic.cz 2 tel.cz: 156 bytes, 1+0+2+4 records, response, noerror query: 2 tel.cz authority: tel.cz 3600 NS dns.iol.cz authority: tel.cz 3600 NS ns2.tel.cz additional: ns2.tel.cz 3600 A 194.228.2.1 additional: ns2.tel.cz 3600 28 *\000\020(\001\000\001\001\000\000\000\000\000\000\000\002 additional: dns.iol.cz 3600 A 194.228.2.61 additional: dns.iol.cz 3600 28 *\000\020(\001\000\001\002\000\000\000\000\000\000\000a
3. Ondřej Surý @oerdnj さん
https://twitter.com/oerdnj/status/638356099394064384
- We run multiple DNS servers (@KnotDNS, NSD and Bind 9) in anycast, so depends on what server and what location you ask...
https://twitter.com/oerdnj/status/638360569695870976
- Yes, others should also minimize the responses, they are not (and really MUST NOT) used by resolvers.
%dnsq ns cz a.root-servers.net
2 cz: 267 bytes, 1+0+4+8 records, response, noerror query: 2 cz authority: cz 172800 NS d.ns.nic.cz authority: cz 172800 NS c.ns.nic.cz authority: cz 172800 NS b.ns.nic.cz authority: cz 172800 NS a.ns.nic.cz additional: d.ns.nic.cz 172800 A 193.29.206.1 additional: d.ns.nic.cz 172800 28 \040\001\006x\000\001\000\000\000\000\000\000\000\000\000\001 additional: c.ns.nic.cz 172800 A 194.0.14.1 additional: c.ns.nic.cz 172800 28 \040\001\006x\000\021\000\000\000\000\000\000\000\000\000\001 additional: b.ns.nic.cz 172800 A 194.0.13.1 additional: b.ns.nic.cz 172800 28 \040\001\006x\000\020\000\000\000\000\000\000\000\000\000\001 additional: a.ns.nic.cz 172800 A 194.0.12.1 additional: a.ns.nic.cz 172800 28 \040\001\006x\000\017\000\000\000\000\000\000\000\000\000\001
-- ToshinoriMaeno 2015-08-29 22:08:48
$ dnsq ns cz 194.0.12.1
2 cz: 91 bytes, 1+4+0+0 records, response, authoritative, noerror query: 2 cz answer: cz 18000 NS c.ns.nic.cz answer: cz 18000 NS b.ns.nic.cz answer: cz 18000 NS d.ns.nic.cz answer: cz 18000 NS a.ns.nic.cz
KnotDNS?
こっちはBINDか。
%dnsq ns cz 193.29.206.1
2 cz: 223 bytes, 1+4+0+6 records, response, authoritative, noerror query: 2 cz answer: cz 18000 NS a.ns.nic.cz answer: cz 18000 NS b.ns.nic.cz answer: cz 18000 NS c.ns.nic.cz answer: cz 18000 NS d.ns.nic.cz additional: a.ns.nic.cz 18000 A 194.0.12.1 additional: a.ns.nic.cz 18000 28 \040\001\006x\000\017\000\000\000\000\000\000\000\000\000\001 additional: b.ns.nic.cz 18000 A 194.0.13.1 additional: b.ns.nic.cz 18000 28 \040\001\006x\000\020\000\000\000\000\000\000\000\000\000\001 additional: d.ns.nic.cz 18000 A 193.29.206.1 additional: d.ns.nic.cz 18000 28 \040\001\006x\000\001\000\000\000\000\000\000\000\000\000\001
9:58f%dnsq ns nic.cz 193.29.206.1 ~
2 nic.cz: 207 bytes, 1+3+0+6 records, response, authoritative, noerror query: 2 nic.cz answer: nic.cz 1800 NS a.ns.nic.cz answer: nic.cz 1800 NS b.ns.nic.cz answer: nic.cz 1800 NS d.ns.nic.cz additional: a.ns.nic.cz 1800 A 194.0.12.1 additional: a.ns.nic.cz 1800 28 \040\001\006x\000\017\000\000\000\000\000\000\000\000\000\001 additional: b.ns.nic.cz 1800 A 194.0.13.1 additional: b.ns.nic.cz 1800 28 \040\001\006x\000\020\000\000\000\000\000\000\000\000\000\001 additional: d.ns.nic.cz 1800 A 193.29.206.1 additional: d.ns.nic.cz 1800 28 \040\001\006x\000\001\000\000\000\000\000\000\000\000\000\001
c.ns.nic.cz は nic.ns.cz ゾーンの権威サーバではないが、問い合せると権威サーバであるかのような返事をする。w
これは問い合せる方が悪い。 -- ToshinoriMaeno 2015-08-30 11:24:44
[abd].ns.nic.cz に cz ns を問い合せたときのadditionalのつきかたがおもしろい。-- ToshinoriMaeno 2015-08-30 11:27:39
$ dnsq ns nic.cz 194.0.12.1
2 nic.cz: 207 bytes, 1+3+0+6 records, response, authoritative, noerror query: 2 nic.cz answer: nic.cz 1800 NS a.ns.nic.cz answer: nic.cz 1800 NS b.ns.nic.cz answer: nic.cz 1800 NS d.ns.nic.cz additional: a.ns.nic.cz 1800 A 194.0.12.1 additional: a.ns.nic.cz 1800 28 \040\001\006x\000\017\000\000\000\000\000\000\000\000\000\001 additional: b.ns.nic.cz 1800 A 194.0.13.1 additional: b.ns.nic.cz 1800 28 \040\001\006x\000\020\000\000\000\000\000\000\000\000\000\001 additional: d.ns.nic.cz 1800 A 193.29.206.1 additional: d.ns.nic.cz 1800 28 \040\001\006x\000\001\000\000\000\000\000\000\000\000\000\001
厳密にはglueではないが、権限ありなので、つけたというところか。(Knotdns)
4. emty non-terminal ns.nic.cz
%dig -t ns ns.nic.cz @193.29.206.1 ~
; <<>> DiG 9.9.0 <<>> -t ns ns.nic.cz @193.29.206.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31880 ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ;; QUESTION SECTION: ;ns.nic.cz. IN NS ;; AUTHORITY SECTION: nic.cz. 1800 IN SOA a.ns.nic.cz. hostmaster.nic.cz. 1428004504 10800 3600 1209600 7200 ;; Query time: 112 msec ;; SERVER: 193.29.206.1#53(193.29.206.1) ;; WHEN: Sat Apr 4 07:37:39 2015 ;; MSG SIZE rcvd: 87
5. ns.nic.cz DNSSEC
%dig -t any ns.nic.cz +dnssec @a.ns.nic.cz ~
; <<>> DiG 9.9.0 <<>> -t any ns.nic.cz +dnssec @a.ns.nic.cz ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36690 ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 1232 ;; QUESTION SECTION: ;ns.nic.cz. IN ANY ;; AUTHORITY SECTION: nic.cz. 1800 IN SOA a.ns.nic.cz. hostmaster.nic.cz. 1428177304 10800 3600 1209600 7200 nix-s.nic.cz. 7200 IN NSEC a.ns.nic.cz. A RRSIG NSEC nic.cz. 1800 IN RRSIG SOA 5 2 1800 20150418063233 20150404185504 45627 nic.cz. coXAqdI/WS5xws9H25ZIYISMQJSRN8+dl0HlLLPUg5E6P/pLmpB29LkE SNXqRH3psrF0AmMoHlJKt/0I3iifZ4S0VXXz93c9L9yCse/V3hWVdbIK M8A0mdmOJZl1P+OMb7ds1pbivxc8Ows9bP9o6rNyPNcVIOjuXfTjjwNu Dcw= nix-s.nic.cz. 7200 IN RRSIG NSEC 5 3 7200 20150417191512 20150404185504 45627 nic.cz. DQKzuSsArxtGHBuYfsr01FeK/2dWNLLVqoEqCoOIdKyjk3rw1GMw1pWz EA9kDB2R+SnFI82K3xdw1uZf9EdtSVAmJBE52kzHZOFehrGfLQWiMtv5 /fmzFhBQYAm82Ssd4KJhxH4oK9ga18EyEaFPjT+RbJMUTLaIrclCjBN3 cew= ;; Query time: 269 msec ;; SERVER: 194.0.12.1#53(194.0.12.1) ;; WHEN: Sun Apr 5 09:17:50 2015 ;; MSG SIZE rcvd: 458