kresd/2018-12-29
Run mode('strict') immediately after start.
- No poison gets in. (In a response that carries an Answer, NS records and the like are discarded.)
/mode_normal (planned)
1. Start
$ dig a.brau.jp @127.0.0.4
; <<>> DiG 9.12.3 <<>> a.brau.jp @127.0.0.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2657
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;a.brau.jp. IN A
;; ANSWER SECTION:
a.brau.jp. 300 IN A 127.0.0.1
;; Query time: 219 msec
;; SERVER: 127.0.0.4#53(127.0.0.4)
;; WHEN: 土 12月 29 08:28:34 JST 2018
;; MSG SIZE rcvd: 54
[00000.00][plan] plan 'a.brau.jp.' type 'A' uid [02657.00]
[02657.00][iter] 'a.brau.jp.' type 'A' new uid was assigned .01, parent uid .00
[02657.01][cach] => no NSEC* cached for zone: .
[02657.01][cach] => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2
[02657.01][cach] => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2
[02657.01][resl] => going insecure because there's no covering TA
[02657.01][zcut] found cut: . (rank 020 return codes: DS -2, DNSKEY -2)
[02657.01][resl] => id: '30209' querying: '198.97.190.53#00053' score: 11 zone cut: '.' qname: 'jP.' qtype: 'NS' proto: 'udp'
[02657.01][resl] => id: '30209' querying: '192.112.36.4#00053' score: 11 zone cut: '.' qname: 'jP.' qtype: 'NS' proto: 'udp'
[02657.01][iter] <= loaded 8 glue addresses
[02657.01][iter] <= referral response, follow
[02657.01][cach] => stashed jp. NS, rank 002, 110 B total, incl. 0 RRSIGs
[02657.01][cach] => stashed also 15 nonauth RRsets
[02657.01][resl] <= server: '198.97.190.53' rtt: >= 43 ms
[02657.01][iter] 'a.brau.jp.' type 'A' new uid was assigned .02, parent uid .00
[02657.02][resl] => id: '10111' querying: '65.22.40.25#00053' score: 10 zone cut: 'jp.' qname: 'BRaU.JP.' qtype: 'NS' proto: 'udp'
[02657.02][iter] <= loaded 1 glue addresses
[02657.02][iter] <= referral response, follow
[02657.02][cach] => stashed brau.jp. NS, rank 002, 30 B total, incl. 0 RRSIGs
[02657.02][cach] => stashed also 1 nonauth RRsets
[02657.02][resl] <= server: '65.22.40.25' rtt: 165 ms
[02657.02][iter] 'a.brau.jp.' type 'A' new uid was assigned .03, parent uid .00
[02657.03][resl] => id: '07349' querying: '14.192.44.29#00053' score: 10 zone cut: 'brau.jp.' qname: 'A.BRAU.JP.' qtype: 'A' proto: 'udp'
[02657.03][iter] <= rcode: NOERROR
[02657.03][cach] => stashed a.brau.jp. A, rank 020, 20 B total, incl. 0 RRSIGs
[02657.03][cach] => not overwriting NS brau.jp.
[02657.03][resl] <= server: '14.192.44.29' rtt: 11 ms
[02657.03][resl] AD: request NOT classified as SECURE
[02657.03][resl] finished: 0, queries: 1, mempool: 65600 B
2. A follow-up query
$ dig b.brau.jp @127.0.0.4
; <<>> DiG 9.12.3 <<>> b.brau.jp @127.0.0.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26507
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;b.brau.jp. IN A
;; ANSWER SECTION:
b.brau.jp. 300 IN A 127.0.0.1
;; Query time: 11 msec
;; SERVER: 127.0.0.4#53(127.0.0.4)
;; WHEN: 土 12月 29 08:32:29 JST 2018
;; MSG SIZE rcvd: 54
[00000.00][plan] plan 'b.brau.jp.' type 'A' uid [26507.00]
[26507.00][iter] 'b.brau.jp.' type 'A' new uid was assigned .01, parent uid .00
[26507.01][cach] => no NSEC* cached for zone: brau.jp.
[26507.01][cach] => skipping zone: brau.jp., NSEC, hash 0;new TTL -123456789, ret -2
[26507.01][cach] => skipping zone: brau.jp., NSEC, hash 0;new TTL -123456789, ret -2
[26507.01][resl] => going insecure because there's no covering TA
[26507.01][zcut] found cut: brau.jp. (rank 002 return codes: DS -2, DNSKEY -2)
[26507.01][resl] => id: '42894' querying: '14.192.44.29#00053' score: 10 zone cut: 'brau.jp.' qname: 'b.BrAU.JP.' qtype: 'A' proto: 'udp'
[26507.01][iter] <= rcode: NOERROR
[26507.01][cach] => stashed b.brau.jp. A, rank 020, 20 B total, incl. 0 RRSIGs
[26507.01][cach] => not overwriting NS brau.jp.
[26507.01][resl] <= server: '14.192.44.29' rtt: 11 ms
[26507.01][resl] AD: request NOT classified as SECURE
[26507.01][resl] finished: 0, queries: 1, mempool: 65600 B
No poison gets in. (In a response that carries an Answer, NS records and the like are discarded.)
3. However
But when a.ns.brau.jp is queried, ...
$ dig a.ns.brau.jp @127.0.0.4
; <<>> DiG 9.12.3 <<>> a.ns.brau.jp @127.0.0.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62350
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;a.ns.brau.jp. IN A
;; ANSWER SECTION:
a.ns.brau.jp. 360 IN A 192.168.10.10
;; Query time: 23 msec
;; SERVER: 127.0.0.4#53(127.0.0.4)
;; WHEN: 土 12月 29 08:34:19 JST 2018
;; MSG SIZE rcvd: 57
[00000.00][plan] plan 'a.ns.brau.jp.' type 'A' uid [62350.00]
[62350.00][iter] 'a.ns.brau.jp.' type 'A' new uid was assigned .01, parent uid .00
[62350.01][cach] => skipping exact RR: rank 001 (min. 020), new TTL 86054
[62350.01][cach] => no NSEC* cached for zone: brau.jp.
[62350.01][cach] => skipping zone: brau.jp., NSEC, hash 0;new TTL -123456789, ret -2
[62350.01][cach] => skipping zone: brau.jp., NSEC, hash 0;new TTL -123456789, ret -2
[62350.01][resl] => going insecure because there's no covering TA
[62350.01][zcut] found cut: brau.jp. (rank 002 return codes: DS -2, DNSKEY -2)
[62350.01][resl] => id: '09413' querying: '14.192.44.29#00053' score: 11 zone cut: 'brau.jp.' qname: 'Ns.bRAu.jp.' qtype: 'NS' proto: 'udp'
[62350.01][iter] <= loaded 1 glue addresses
[62350.01][iter] <= rcode: NOERROR
[62350.01][iter] <= retrying with non-minimized name
[62350.01][cach] => not overwriting A a.ns.brau.jp.
[62350.01][cach] => stashed packet: rank 020, TTL 2560, NS ns.brau.jp. (119 B)
[62350.01][resl] <= server: '14.192.44.29' rtt: 12 ms
[62350.01][iter] 'a.ns.brau.jp.' type 'A' new uid was assigned .02, parent uid .00
[62350.02][resl] => id: '21511' querying: '14.192.44.5#00053' score: 10 zone cut: 'brau.jp.' qname: 'A.Ns.brAu.jp.' qtype: 'A' proto: 'udp'
[62350.02][iter] <= rcode: NOERROR
[62350.02][cach] => stashed a.ns.brau.jp. A, rank 020, 20 B total, incl. 0 RRSIGs
[62350.02][cach] => not overwriting NS brau.jp.
[62350.02][resl] <= server: '14.192.44.5' rtt: 11 ms
[62350.02][resl] AD: request NOT classified as SECURE
[62350.02][resl] finished: 0, queries: 1, mempool: 65600 B
4. And then
$ dig c.brau.jp @127.0.0.4
; <<>> DiG 9.12.3 <<>> c.brau.jp @127.0.0.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 40847
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;c.brau.jp. IN A
;; Query time: 2298 msec
;; SERVER: 127.0.0.4#53(127.0.0.4)
;; WHEN: 土 12月 29 08:36:38 JST 2018
;; MSG SIZE rcvd: 38
[00000.00][plan] plan 'c.brau.jp.' type 'A' uid [40847.00]
[40847.00][iter] 'c.brau.jp.' type 'A' new uid was assigned .01, parent uid .00
[40847.01][cach] => no NSEC* cached for zone: brau.jp.
[40847.01][cach] => skipping zone: brau.jp., NSEC, hash 0;new TTL -123456789, ret -2
[40847.01][cach] => skipping zone: brau.jp., NSEC, hash 0;new TTL -123456789, ret -2
[40847.01][resl] => going insecure because there's no covering TA
[40847.01][zcut] found cut: brau.jp. (rank 002 return codes: DS -2, DNSKEY -2)
[40847.01][resl] => id: '58843' querying: '192.168.10.10#00053' score: 10 zone cut: 'brau.jp.' qname: 'C.bRau.jp.' qtype: 'A' proto: 'udp'
[40847.01][resl] => id: '58843' querying: '192.168.10.10#00053' score: 10 zone cut: 'brau.jp.' qname: 'C.bRau.jp.' qtype: 'A' proto: 'udp'
[40847.01][resl] => id: '58843' querying: '192.168.10.10#00053' score: 10 zone cut: 'brau.jp.' qname: 'C.bRau.jp.' qtype: 'A' proto: 'udp'
[40847.01][resl] => id: '58843' querying: '192.168.10.10#00053' score: 10 zone cut: 'brau.jp.' qname: 'C.bRau.jp.' qtype: 'A' proto: 'udp'
[40847.01][wrkr] => server: '192.168.10.10#00053' flagged as 'bad'
[40847.01][iter] 'c.brau.jp.' type 'A' new uid was assigned .02, parent uid .00
[40847.02][resl] => id: '18388' querying: '192.168.10.10#00053' score: 10 zone cut: 'brau.jp.' qname: 'c.brau.jp.' qtype: 'A' proto: 'tcp'
[40847.02][wrkr] => connecting to: '192.168.10.10#00053'
[wrkr]=> connect to '192.168.10.10#00053' failed (connection refused), flagged as 'bad'
[40847.02][iter] 'c.brau.jp.' type 'A' new uid was assigned .03, parent uid .00
[40847.03][resl] => no NS with an address
[40847.03][iter] 'c.brau.jp.' type 'A' new uid was assigned .04, parent uid .00
[40847.04][resl] => no NS with an address
[40847.04][resl] AD: request NOT classified as SECURE
[40847.04][resl] finished: 0, queries: 1, mempool: 65600 B
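
Added example, not part of the original notes: a Python check that reads kresd verbose log lines in the format shown above and reports when a zone cut is queried at an address that no earlier request used, marking addresses outside global unicast space. The names `upstream_shifts` and `SAMPLE_LOG` are this example's own; the sample lines are a selection copied from the four logs on this page.

```python
import ipaddress
import re

# Matches the "[resl] => ... querying" lines of the kresd verbose log.
QUERY_RE = re.compile(
    r"\[(\d+)\.\d+\]\[resl\]\s+=> id: '\d+' querying: '([^'#]+)#\d+'"
    r".*?zone cut: '([^']+)'"
)

# Selection of lines copied from the logs of steps 1 to 4 above.
SAMPLE_LOG = """\
[02657.01][resl] => id: '30209' querying: '198.97.190.53#00053' score: 11 zone cut: '.' qname: 'jP.' qtype: 'NS' proto: 'udp'
[02657.01][resl] => id: '30209' querying: '192.112.36.4#00053' score: 11 zone cut: '.' qname: 'jP.' qtype: 'NS' proto: 'udp'
[02657.03][resl] => id: '07349' querying: '14.192.44.29#00053' score: 10 zone cut: 'brau.jp.' qname: 'A.BRAU.JP.' qtype: 'A' proto: 'udp'
[26507.01][resl] => id: '42894' querying: '14.192.44.29#00053' score: 10 zone cut: 'brau.jp.' qname: 'b.BrAU.JP.' qtype: 'A' proto: 'udp'
[62350.01][resl] => id: '09413' querying: '14.192.44.29#00053' score: 11 zone cut: 'brau.jp.' qname: 'Ns.bRAu.jp.' qtype: 'NS' proto: 'udp'
[62350.02][resl] => id: '21511' querying: '14.192.44.5#00053' score: 10 zone cut: 'brau.jp.' qname: 'A.Ns.brAu.jp.' qtype: 'A' proto: 'udp'
[40847.01][resl] => id: '58843' querying: '192.168.10.10#00053' score: 10 zone cut: 'brau.jp.' qname: 'C.bRau.jp.' qtype: 'A' proto: 'udp'
[40847.02][resl] => id: '18388' querying: '192.168.10.10#00053' score: 10 zone cut: 'brau.jp.' qname: 'c.brau.jp.' qtype: 'A' proto: 'tcp'
"""

def upstream_shifts(log_text):
    """Report addresses queried for a zone cut that earlier requests never used.

    Returns a list of (request_uid, zone_cut, address, non_global) tuples.
    """
    seen = {}       # zone cut -> addresses queried so far
    first_uid = {}  # zone cut -> request that first resolved through it
    findings = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        uid, addr, cut = m.groups()
        if cut not in seen:
            seen[cut], first_uid[cut] = {addr}, uid
        elif addr not in seen[cut]:
            seen[cut].add(addr)  # retries of the same address report only once
            # Several servers tried inside the first request are normal NS selection.
            if uid != first_uid[cut]:
                non_global = not ipaddress.ip_address(addr).is_global
                findings.append((uid, cut, addr, non_global))
    return findings

if __name__ == "__main__":
    for uid, cut, addr, non_global in upstream_shifts(SAMPLE_LOG):
        note = "NON-GLOBAL ADDRESS" if non_global else "new address"
        print(f"request {uid}: zone cut {cut} now queried at {addr} ({note})")
```

On the sample it reports request 62350 (14.192.44.5) and request 40847 (192.168.10.10, non-global); the two root servers tried inside request 02657 are not reported.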