{"id":93,"date":"2011-02-13T17:10:06","date_gmt":"2011-02-13T08:10:06","guid":{"rendered":"http:\/\/www.furelo.jp\/wordpress\/?p=93"},"modified":"2011-03-05T16:14:17","modified_gmt":"2011-03-05T07:14:17","slug":"pdnssec%e3%82%92%e4%bd%bf%e3%81%a3%e3%81%a6dnssec%e3%81%ab%e5%af%be%e5%bf%9c","status":"publish","type":"post","link":"http:\/\/www.furelo.jp\/wordpress\/2011\/02\/13\/pdnssec%e3%82%92%e4%bd%bf%e3%81%a3%e3%81%a6dnssec%e3%81%ab%e5%af%be%e5%bf%9c\/","title":{"rendered":"Enabling DNSSEC with PowerDNS"},"content":{"rendered":"Enable DNSSEC using PowerDNS in a CentOS 5.5 environment.\r\nPlenty of guides for DNSSEC with BIND turn up in a search, but I could not find one for PowerDNS, so I am writing down the procedure here.\r\n\r\nThe dig command is used to check whether DNSSEC is working, but the dig in the stock package does not support the +sigchase option (DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3). For that reason, BIND is installed from source.\r\n[shell]\r\n# wget http:\/\/ftp.isc.org\/isc\/bind9\/9.7.2-P3\/bind-9.7.2-P3.tar.gz\r\n# tar zxvf bind-9.7.2-P3.tar.gz\r\n# cd bind-9.7.2-P3\r\n# .\/configure --disable-openssl-version-check STD_CDEFINES=\"-DDIG_SIGCHASE=1\"\r\n\t※ enables the sigchase option\r\n# make\r\n# make install\r\n\t※ the new version is installed as \/usr\/local\/bin\/dig.\r\n# hash -r\r\n[\/shell]\r\n\r\nTake a backup of the existing PowerDNS database (pdns) and restore it into a separate pdnssec database.\r\n[shell]\r\n# mysqldump -p DBNAME > pdnssec.sql\r\n    ※ DBNAME is the name of the existing pdns database\r\n# wget http:\/\/wiki.powerdns.com\/trac\/browser\/trunk\/pdns\/pdns\/dnssec.schema.mysql.sql\r\n# mysqladmin -p create pdnssec\r\n# mysql -p pdnssec < pdnssec.sql\r\n    ※ restore the dump into the new DB; do this before loading the DNSSEC schema, since the dump recreates the original tables\r\n# mysql -u root -p pdnssec < dnssec.schema.mysql.sql\r\n    ※ adds the DNSSEC schema\r\n[\/shell]\r\n\r\nPowerDNS has supported DNSSEC since 3.0, but that version is not in the repositories. Building from source requires a fairly recent Boost library, which is not in the repositories either. That is a hassle, so use the package with statically linked libraries that the PowerDNS project publishes.\r\n※ This is written on the assumption that PowerDNS with MySQL is already in production.\r\n[shell]\r\n# wget http:\/\/powerdnssec.org\/downloads\/packages\/pdns-static-3.0pre.20110207.1990-1.i386.rpm\r\n# rpm -ivh --force pdns-static-3.0pre.20110207.1990-1.i386.rpm\r\n    ※ it conflicts with the existing pdns package, so force the install.\r\n# rpm -qlp pdns-static-3.0pre.20110207.1990-1.i386.rpm\r\n\/etc\/init.d\/pdns\r\n\/etc\/powerdns\r\n\/etc\/powerdns\/pdns.conf\r\n\/usr\/bin\/pdns_control\r\n\/usr\/bin\/pdnssec\r\n\/usr\/bin\/zone2sql\r\n\/usr\/man\/man8\/pdns_control.8\r\n\/usr\/man\/man8\/pdns_server.8\r\n\/usr\/man\/man8\/zone2sql.8\r\n\/usr\/sbin\/pdns_server\r\n\r\n# cd \/etc\/powerdns\r\n# cp \/etc\/pdns\/pdns.conf \/etc\/powerdns\/pdns.conf\r\n    ※ overwrite with the existing configuration file\r\n# vi pdns.conf\r\nNext to the launch setting, add gmysql-dnssec and change the DB name.\r\n----- from here -----\r\ngmysql-dbname=pdnssec\r\ngmysql-dnssec\r\n----- to here -----\r\n\r\nIf necessary, grant MySQL access privileges to the user PowerDNS connects as (DBUSER below).\r\n# mysql -p\r\nGRANT SELECT,INSERT,UPDATE,DELETE ON pdnssec.* TO 'DBUSER'@'localhost';\r\nFLUSH PRIVILEGES;\r\nquit\r\n\r\nAlso, if you use PowerAdmin, change the DB name it connects to.\r\n\r\n# \/etc\/init.d\/pdns stop\r\n# \/etc\/init.d\/pdns start\r\n[\/shell]\r\n\r\nIt seems that once gmysql-dnssec is enabled, records can no longer be retrieved with dig and the like until the pdnssec secure-zone command below has been run.\r\n※ the pdnssec secure-zone command adds a KSK and two ZSKs to the domain\r\n\r\n[shell]\r\n# pdnssec secure-zone furelo.jp\r\n# dig +dnssec -t A furelo.jp @localhost\r\n    ※ confirm that an RRSIG record is returned in addition to the A record.\r\n# pdnssec export-zone-dnskey furelo.jp 1 | grep DNSKEY > trusted-keys\r\n    ※ export the KSK (Key Signing Key).\r\n# dig +dnssec +sigchase +trusted-key=.\/trusted-keys -t A furelo.jp @127.0.0.1\r\n    ※ I do not fully understand it, but it printed success as below, so it appears to be OK.\r\n;; WE HAVE MATERIAL, WE NOW DO VALIDATION\r\n;; VERIFYING CNAME RRset for www.furelo.jp. with DNSKEY:64131: success\r\n;; OK We found DNSKEY (or more) to validate the RRset\r\n;; Ok, find a Trusted Key in the DNSKEY RRset: 38374\r\n;; VERIFYING DNSKEY RRset for furelo.jp. with DNSKEY:38374: success\r\n\r\n;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS\r\n[\/shell]\r\n\r\n\r\nFrom now on, whenever records are modified, the following two commands must be run or the changes will not take effect.\r\n[shell]\r\n# pdnssec check-zone furelo.jp\r\n# pdnssec rectify-zone furelo.jp\r\n[\/shell]\r\n\r\n\r\nBecause the registrar does not yet support DNSSEC, the key cannot yet be registered for the JP domain,\r\nso instead I try registering it with the <a href=\"https:\/\/dlv.isc.org\/\">ISC DLV Registry<\/a>.\r\n\r\nRegister the contents of the trusted-keys file created earlier as DNSKEY Records.\r\nOnce registered, the content to publish as a TXT record is displayed; add it to the DNS records.\r\n\r\n\r\n\r\nHelp for the pdnssec command:\r\n[shell]\r\n# pdnssec -h\r\nUsage:\r\npdnssec [options] [show-zone] [secure-zone] [rectify-zone] [add-zone-key] [deactivate-zone-key] [remove-zone-key] [activate-zone-key]\r\n         [import-zone-key] [export-zone-key] [set-nsec3] [set-presigned] [unset-nsec3] [unset-presigned] [export-zone-dnskey]\r\n\r\nactivate-zone-key ZONE KEY-ID   Activate the key with key id KEY-ID in ZONE\r\nadd-zone-key ZONE [zsk|ksk]     Add a ZSK or KSK to a zone\r\n  [bits] [rsasha1|rsasha256]    and specify algorithm & bits\r\ncheck-zone ZONE                 Check a zone for correctness\r\ndeactivate-zone-key             Dectivate the key with key id KEY-ID in ZONE\r\nexport-zone-dnskey ZONE KEY-ID  Export to stdout the public DNSKEY described\r\nexport-zone-key ZONE KEY-ID     Export to stdout the private key described\r\nimport-zone-key ZONE FILE       Import from a file a private key, ZSK or KSK\r\n                [ksk|zsk]       Defaults to KSK\r\nrectify-zone ZONE               Fix up DNSSEC fields (order, auth)\r\nremove-zone-key ZONE KEY-ID     Remove key with KEY-ID from ZONE\r\nsecure-zone                     Add KSK and two ZSKs\r\nset-nsec3 ZONE 'params' [narrow]     Enable NSEC3 with PARAMs. Optionally narrow\r\nset-presigned ZONE              Use presigned RRSIGs from storage\r\nshow-zone ZONE                  Show DNSSEC (public) key details about a zone\r\nunset-nsec3 ZONE                Switch back to NSEC\r\nunset-presigned ZONE            No longer use presigned RRSIGs\r\n[\/shell]\r\n","protected":false},"excerpt":{"rendered":"<p>Enable DNSSEC using PowerDNS in a CentOS 5.5 environment. Plenty of guides for DNSSEC with BIND turn up in a search, but I could not find one for PowerDNS, so I am writing down the procedure here. DN &hellip; <a href=\"http:\/\/www.furelo.jp\/wordpress\/2011\/02\/13\/pdnssec%e3%82%92%e4%bd%bf%e3%81%a3%e3%81%a6dnssec%e3%81%ab%e5%af%be%e5%bf%9c\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[24],"tags":[39,25],"_links":{"self":[{"href":"http:\/\/www.furelo.jp\/wordpress\/wp-json\/wp\/v2\/posts\/93"}],"collection":[{"href":"http:\/\/www.furelo.jp\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.furelo.jp\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.furelo.jp\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.furelo.jp\/wordpress\/wp-json\/wp\/v2\/comments?post=93"}],"version-history":[{"count":12,"href":"http:\/\/www.furelo.jp\/wordpress\/wp-json\/wp\/v2\/posts\/93\/revisions"}],"predecessor-version":[{"id":154,"href":"http:\/\/www.furelo.jp\/wordpress\/wp-json\/wp\/v2\/posts\/93\/revisions\/154"}],"wp:attachment":[{"href":"http:\/\/www.furelo.jp\/wordpress\/wp-json\/wp\/v2\/media?parent=93"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.furelo.jp\/wordpress\/wp-json\/wp\/v2\/categories?post=93"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.furelo.jp\/wordpress\/wp-json\/wp\/v2\/tags?post=93"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}