Short discussion + introduction to DNSSEC
user
nameserver(s)
resolver
1.1.1.1
8.8.8.8
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 300 IN A 216.58.200.238
It has the answer:
It asks someone else:
;; QUESTION SECTION:
;google.com. IN A
;; AUTHORITY SECTION:
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
;; ADDITIONAL SECTION:
l.gtld-servers.net. 172800 IN A 192.41.162.30
b.gtld-servers.net. 172800 IN A 192.33.14.30
c.gtld-servers.net. 172800 IN A 192.26.92.30
(labels on the output above)
type
resource record (RR)
// response from root zone ==============================================================================================================
;; QUESTION SECTION:
;community.cloudflare.com. IN A
;; AUTHORITY SECTION:
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 86400 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com. 86400 IN RRSIG DS 8 1 86400 20210427170000 20210414160000 14631 . jwahsbkHuNHBLp9YgL9d4EVhLmtgBaTHHyKZAla3//yfTJZSdjzasjlr jQztqmJE/eESu812+7DG7S1LFfs8TMoyENlaxUoBuqB5PVAec2B2aiW2 udE8MSPUJ55VaOEAPIg8WWj5U81b8L28xWrnpCKTuP+nyKrOihGHHc5j FIByd9537+uUzwsCjKgQCEjllYb5n/jLvbHypqywkDwvboL5jV/Amo8h kmGBcm3BwKVoa44l56mHdwU29g2mUwErbzE5ac6SHcsWchQy2JSzSu7F cFXUDXRBJd1PPTiiKZZHJR/XhOMIy19Y5zsUsTcqpgKrIvTQBvbf1+Mt ZLq8Gw==
;; ADDITIONAL SECTION:
a.gtld-servers.net. 172800 IN A 192.5.6.30
b.gtld-servers.net. 172800 IN A 192.33.14.30
c.gtld-servers.net. 172800 IN A 192.26.92.30
d.gtld-servers.net. 172800 IN A 192.31.80.30
e.gtld-servers.net. 172800 IN A 192.12.94.30
f.gtld-servers.net. 172800 IN A 192.35.51.30
g.gtld-servers.net. 172800 IN A 192.42.93.30
h.gtld-servers.net. 172800 IN A 192.54.112.30
i.gtld-servers.net. 172800 IN A 192.43.172.30
j.gtld-servers.net. 172800 IN A 192.48.79.30
k.gtld-servers.net. 172800 IN A 192.52.178.30
l.gtld-servers.net. 172800 IN A 192.41.162.30
m.gtld-servers.net. 172800 IN A 192.55.83.30
// ==============================================================================================================
// response from .com zone ==============================================================================================================
;; QUESTION SECTION:
;community.cloudflare.com. IN A
;; AUTHORITY SECTION:
cloudflare.com. 172800 IN NS ns3.cloudflare.com.
cloudflare.com. 172800 IN NS ns5.cloudflare.com.
cloudflare.com. 172800 IN NS ns4.cloudflare.com.
cloudflare.com. 172800 IN NS ns6.cloudflare.com.
cloudflare.com. 172800 IN NS ns7.cloudflare.com.
cloudflare.com. 86400 IN DS 2371 13 2 32996839A6D808AFE3EB4A795A0E6A7A39A76FC52FF228B22B76F6D6 3826F2B9
cloudflare.com. 86400 IN RRSIG DS 8 2 86400 20210421041721 20210414030721 58540 com. AbNlrffLewRXntWb0GEkNsUSRWisQV8lVagZuD+RUpcsTjFPd/fkQInM XKfp6nSMB632tfceGPE3C1mr4jxR4lyV93O+MexAe1bEmSS5s1ZhX3Sb JWXkh/cZlS6yCDGBmlJHbgfwmVQ0vIvitfOw4VlxcAV+FYsRdF3C/ClT Dr8KQ1QY0kKHdp8TeLbVSkSmdm2wYBhi3kIcoomdsFkZHQ==
;; ADDITIONAL SECTION:
ns3.cloudflare.com. 172800 IN A 162.159.0.33
ns3.cloudflare.com. 172800 IN A 162.159.7.226
ns5.cloudflare.com. 172800 IN A 162.159.2.9
ns5.cloudflare.com. 172800 IN A 162.159.9.55
ns4.cloudflare.com. 172800 IN A 162.159.1.33
ns4.cloudflare.com. 172800 IN A 162.159.8.55
ns6.cloudflare.com. 172800 IN A 162.159.3.11
ns6.cloudflare.com. 172800 IN A 162.159.5.6
ns7.cloudflare.com. 172800 IN A 162.159.4.8
ns7.cloudflare.com. 172800 IN A 162.159.6.6
// ==============================================================================================================
// response from cloudflare.com zone ==============================================================================================================
;; QUESTION SECTION:
;community.cloudflare.com. IN A
;; ANSWER SECTION:
community.cloudflare.com. 300 IN A 104.16.133.229
community.cloudflare.com. 300 IN A 104.16.132.229
community.cloudflare.com. 300 IN RRSIG A 13 3 300 20210416013846 20210413233846 34505 cloudflare.com. JMiz99Buhxb6QbD51D/ysTzsG2Rz5ifr3lRo48PkOqLjt1Az37whx8AO NmA4kZAED5hJh3dZfZbNcoTtIdMnwg==
// ==============================================================================================================
Plaintext transport & no signatures
1987
RFC 1034
RFC 1035
Privacy
Implicit security problems
Anyone on the path can see which domains were asked about
Without signatures there is no way to be sure who a message really came from
Check it with the public key → it verifies and the content is intact → so it was produced with the matching private key
This guarantees 1. the message was not lost or tampered with 2. the message was sent by whoever holds the private key
That may not be the person we think it is
The public key may have been wrong from the start
Someone has to vouch for the public key
Someone else has to sign this public key
That someone may not be trustworthy either
So someone else has to sign that person's public key
This never ends
Pick one signer we trust unconditionally: every public key it signs, we trust
Every public key signed by a key it signed, we also trust
Every public key signed by a key signed by a key it signed, we also trust
...
This is the chain of trust
port number?
Used to be one fixed source port for many queries
Now randomised per request
request ID number?
Used to be a simple increment
Now must be random too
resolver
nameserver
DNS spoofing
A series of RFCs, published from around 2000 on
An extension of DNS
Solves the trust problem between resolver and nameserver
(although most websites still do not use it)
Besides returning the records, the nameserver
also returns signatures over those records
and the signing key is vouched for by the parent zone
RRSIG is itself a record (RR)
DNSSEC adds several new RR types
To verify this RRSIG
another request is needed to fetch the key
There are two keys
and they come with an RRSIG too
// response from cloudflare.com zone ==============================================================================================================
;; QUESTION SECTION:
;cloudflare.com. IN DNSKEY
;; ANSWER SECTION:
cloudflare.com. 3600 IN DNSKEY 257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ KkxLbxILfDLUT0rAK9iUzy1L53eKGQ== (key id: 2371)
cloudflare.com. 3600 IN DNSKEY 256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8 KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA== (key id: 34505)
cloudflare.com. 3600 IN RRSIG DNSKEY 13 2 3600 20210514040914 20210315040914 2371 cloudflare.com. jj+c/7Y67inA4heXnNUKBNOGI+B8Foy3wtcsgK0wXgX0ZlRhsyvc6Eys oJowpHvrz2/PCXDZD/z0yZ6eXEFADg==
// ==============================================================================================================
Signature over the two A records above
Signature over the two DNSKEY records above
Flags 257 = key-signing key (KSK)
Flags 256 = zone-signing key (ZSK)
The key-signing key is used to verify the RRSIG over the DNSKEY records
The zone-signing key is used to verify the other RRSIGs
So now there are two RRSIG records
the A records have an RRSIG
the DNSKEY records also have an RRSIG
and two DNSKEY records
So
the DS record handed out by the parent zone
is the hash of the child zone's key-signing key
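Added example (not from the original slides): checking that the DS record the .com zone handed out really is the hash of cloudflare.com's key-signing key, using the DS and DNSKEY records copied from the dig output above. It assumes only the standard encodings (DS digest type 2 = SHA-256 over the canonical owner name followed by the DNSKEY RDATA, key tag per RFC 4034 appendix B).

```python
import base64
import hashlib
import struct

# Records copied from the dig output above (cloudflare.com, April 2021):
# the DS handed out by the .com zone, and the two DNSKEYs served by cloudflare.com.
DS_RDATA = "2371 13 2 32996839A6D808AFE3EB4A795A0E6A7A39A76FC52FF228B22B76F6D6 3826F2B9"
KSK_RDATA = ("257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ "
             "KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==")
ZSK_RDATA = ("256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8 "
             "KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==")
OWNER = "cloudflare.com."

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label 0."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").lower().split("."))
    return out + b"\x00"

def dnskey_to_wire(rdata: str) -> bytes:
    """DNSKEY RDATA on the wire: flags (2 bytes), protocol (1), algorithm (1), raw public key."""
    flags, proto, alg, *key_b64 = rdata.split()
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode("".join(key_b64))

def key_tag(wire: bytes) -> int:
    """RFC 4034 appendix B key tag: the number dig prints as 'key id' and the DS record carries."""
    acc = 0
    for i, b in enumerate(wire):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, dnskey_rdata: str, digest_type: int) -> str:
    """DS digest = hash(owner name wire || DNSKEY RDATA wire); type 1 SHA-1, 2 SHA-256, 4 SHA-384."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return algo(name_to_wire(owner) + dnskey_to_wire(dnskey_rdata)).hexdigest().upper()

def ds_matches_dnskey(owner: str, ds_rdata: str, dnskey_rdata: str) -> bool:
    """What a validating resolver checks before trusting a child zone's KSK: tag, algorithm, digest."""
    tag, alg, dtype, *digest = ds_rdata.split()
    wire = dnskey_to_wire(dnskey_rdata)
    return (int(tag) == key_tag(wire)
            and int(alg) == wire[3]
            and "".join(digest).upper() == ds_digest(owner, dnskey_rdata, int(dtype)))

if __name__ == "__main__":
    print("KSK key tag:", key_tag(dnskey_to_wire(KSK_RDATA)))      # dig showed key id 2371
    print("ZSK key tag:", key_tag(dnskey_to_wire(ZSK_RDATA)))      # dig showed key id 34505
    print("DS matches KSK:", ds_matches_dnskey(OWNER, DS_RDATA, KSK_RDATA))
    print("DS matches ZSK:", ds_matches_dnskey(OWNER, DS_RDATA, ZSK_RDATA))  # False: DS covers the KSK only
```

A resolver that gets a DS from the parent but a DNSKEY whose tag, algorithm or digest does not match treats the child zone as bogus, which is the whole point of the "vouched for by the parent zone" step.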
The resolver must be preconfigured with the DS record of the root key-signing key (the trust anchor)
→ it can trust the root zone's key-signing key
→ it can trust the root zone's DNSKEY records (zone-signing key)
→ it can trust the root zone's DS records (and NS records)
→ it can trust .com's key-signing key
→ it can trust .com's DNSKEY records (zone-signing key)
→ it can trust .com's DS records (and NS records)
→ it can trust cloudflare.com's key-signing key
→ it can trust cloudflare.com's DNSKEY records (zone-signing key)
→ it can trust cloudflare.com's A records
NSEC or NSEC3 records (signed proof that a name or type does not exist)
// response from cloudflare.com zone
;; QUESTION SECTION:
;ttjsioj90jkljfsgr.cloudflare.com. IN A
;; AUTHORITY SECTION:
cloudflare.com. 300 IN SOA ns3.cloudflare.com. dns.cloudflare.com. 2037003995 10000 2400 604800 300
ttjsioj90jkljfsgr.cloudflare.com. 300 IN NSEC \000.ttjsioj90jkljfsgr.cloudflare.com. RRSIG NSEC
cloudflare.com. 300 IN RRSIG SOA 13 2 300 20210416052852 20210414032852 34505 cloudflare.com. Em2EYGHAQI69NYZYQtO2A/Th6C8FTLEKu6VfWrvXNNHufkazWfjZw7JO 9ALBZAK3Y7+sFNXoL4xhh7hVB40KaA==
ttjsioj90jkljfsgr.cloudflare.com. 300 IN RRSIG NSEC 13 3 300 20210416052852 20210414032852 34505 cloudflare.com. xXA4glHt7T38O5JNT12oe9EHy3BhHuxLabzHqSSNpD4XMY9iU0fr4iLs k/kkfl4+idUGqXTu1T7ShLsY1mUS+A==
// response from .com zone (google.com delegation; the NSEC3 records prove there is no DS for google.com)
;; QUESTION SECTION:
;google.com. IN A
;; AUTHORITY SECTION:
google.com. 172800 IN NS ns2.google.com.
google.com. 172800 IN NS ns1.google.com.
google.com. 172800 IN NS ns3.google.com.
google.com. 172800 IN NS ns4.google.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20210422042410 20210415031410 58540 com. fePohSpUOL9K9eCljlIgjwl8TiSbS1ahDo0B1FI9aIIZA3u1AuzKQgzK yRxC56l4SXq5oLvuUe8Xti4/G8ARewoTTNtgNN0KWIj7PKCNdLDSQYtu nF3HoZZLtoKomKgq6YXbdwt9+6Qern+as2SAI2pWvPPjsGVx0400tCNY C1YgPGOuMomEm/Fg/aWwW6uv/a+k7SJPSKIvJ0CLHiCmuw==
S84BDVKNH5AGDSI7F5J0O3NPRHU0G7JQ.com. 86400 IN NSEC3 1 1 0 - S84BUO64GQCVN69RJFUO6LVC7FSLUNJ5 NS DS RRSIG
S84BDVKNH5AGDSI7F5J0O3NPRHU0G7JQ.com. 86400 IN RRSIG NSEC3 8 2 86400 20210419042155 20210412031155 58540 com. q4Vpx7gnbxsb3HXnw9FCe203ZHl6pBDgAgVDQK3lA9eFh1XCGUbjcpwQ gjZbb7OfuSBa2Bee9J/YRMpUw11D5uXSllNfoSjdWCZvQPSKtGLVEH72 32VA1nikaRTIZEe4FDIKWjMrJJpKSYDZIUtMmg66KnQ+RN8TPTvlhUt4 NkGiIWeqwHP5eY4HhuCDaLezn4T640BB16usghh5AO+G5g==
The root zone supports it
Almost all top-level domains support it too
The vast majority of websites have not enabled it
Things not directly related to looking up an IP can be published this way too
e.g. TLS certificates
DANE (DNS-Based Authentication of Named Entities)
RFC 6698, RFC 7671
("in theory" this mechanism could take over the role of CAs)
Messages unencrypted & the last mile
"last mile"
Carry DNS messages inside a TLS/HTTPS tunnel
DNS over TLS (DoT) (2016/05 RFC 7858, 2018/03 RFC 8310)
DNS over HTTPS (DoH) (2018/10 RFC 8484)
The original DNS protocol neither encrypts messages nor signs them
DNSSEC later added signatures from the nameserver
This mechanism is good
but it mainly protects the resolver from being fooled
it does not cover the stretch between the user and the resolver
and hardly any websites have enabled it so far
There were other earlier attempts to add security to DNS, which may have gone nowhere?
To solve the last mile, DNS over TLS/HTTPS is probably still what is needed