[Internet-e-architetture-di-rete] exercises on using resolvers and authoritative servers

Mauro Angiolillo m.angiolillo at comuneap.gov.it
Wed May 11 12:17:04 CEST 2016


Hello prof,
   I'm adding a few small pointers for further study, taking advantage of a few
tasty exercises; in particular:

> __________________________________________________________
> N. |			QUESTION                           |
> ---+-----------------------------------------------------+
> 14.| what is the IN RRSIG RR of the IN SOA RR of org.?   |
> ---+-----------------------------------------------------+

[morpheus at odino:~] dig org. IN SOA +short +dnssec
a0.org.afilias-nst.info. noc.afilias-nst.info. 2011986427 1800 900 604800 86400
SOA 7 1 900 20160601093016 20160511083016 52860 org. DnrgWDbnZoOK+8ofFS0G+ODJnWQg9TKHjNOysKhxD+TTEqQk4V+cGRb6
DKor4JMXkrzzgGCc9+1Vn3eYcoA/Z/LbsAAnnDU4KGUeZWS2q003gZh/ RFW9e/dORnvK2Dak7lnZtuEd6Tobp0ZXNmAT+PeyLf8QIyaiOVbrYLEk tUY=

[morpheus at odino:~] dig @8.8.8.8 org. IN SOA +short +dnssec
a0.org.afilias-nst.info. noc.afilias-nst.info. 2011986425 1800 900 604800 86400
SOA 7 1 900 20160601092815 20160511082815 52860 org. irEw11yXgJ6uwmk/RmjHxpGaD+c64JVdOSZUrkqiYWUtMNhOQvAHH7K2
qy77dBRoe+0mZ4INnDUindkJ/+aBlFsr4clVCO5/SRR1DKvamDqtF0Ox 3XjI1X+ED+mokHrCI9Jt+a/allqyoNomszSw5iI5YaUSWHIlci5NOBCk EAI=

[morpheus at odino:~] dig @$(dig org. IN SOA +short | awk '{ print $1 }') org. IN SOA +short +dnssec
a0.org.afilias-nst.info. noc.afilias-nst.info. 2011986428 1800 900 604800 86400
SOA 7 1 900 20160601093126 20160511083126 52860 org. bYcgUIRncUiLJSFx/ns/+WwfjJS5SZxqz3RZ93u1+B6+S5zqtrPL1+vE
VxKm9ztbCt1MbhVBbg7zN7a32JM90hnww0rvy9WzMxm5XlbStPIs2FO7 9LwCwy+9NvCd4E54SPXBffRMwOWf7CD2/lQ7ot0ZXXy2Q7rw74kf6i6j Aio=

I'll try using the drill tool (https://www.nlnetlabs.nl/projects/drill/ is a tool developed by NLnet Labs, which
also develops two nice pieces of software, nsd [authoritative server] and unbound [recursive server]) to run a few
queries in the DNSSEC context
(for anyone who doesn't have it: apt-get install ldnsutils)

# download locally the public signing keys of the DNS root zone
[morpheus at odino:~] drill . dnskey > my_dns_root.key

# recursively validate, using the primary keys, the A RR of the org. zone
[morpheus at odino:~] drill -k my_dns_root.key -TD org.
;; Number of trusted keys: 2
;; Domain: .
[T] . 172800 IN DNSKEY 256 3 8 ;{id = 60615 (zsk), size = 1024b}
. 172800 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b}
Checking if signing key is trusted:
New key: .	172800	IN	DNSKEY	256 3 8
AwEAAarQO0FTE/l6LEKFlZllJIwXuLGd3q5d8S8NH+ntOeIMN81A5wAI18g3u9w/esNkThwgXTEa2mX1iOPdTcl3yRleAExxF22lEU2E0GKY2XdYr/BxP5fojJAPRgtEGDl72NSwSnD2/a8uPNirAJZoab36Hlw41QxEl7bmCo0280mt
;{id = 60615 (zsk), size = 1024b}
	Trusted key: .	1672	IN	DNSKEY	257 3 8
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
;{id = 19036 (ksk), size = 2048b}
	Trusted key: .	1672	IN	DNSKEY	256 3 8
AwEAAarQO0FTE/l6LEKFlZllJIwXuLGd3q5d8S8NH+ntOeIMN81A5wAI18g3u9w/esNkThwgXTEa2mX1iOPdTcl3yRleAExxF22lEU2E0GKY2XdYr/BxP5fojJAPRgtEGDl72NSwSnD2/a8uPNirAJZoab36Hlw41QxEl7bmCo0280mt
;{id = 60615 (zsk), size = 1024b}
Key is now trusted!
	Trusted key: .	172800	IN	DNSKEY	256 3 8
AwEAAarQO0FTE/l6LEKFlZllJIwXuLGd3q5d8S8NH+ntOeIMN81A5wAI18g3u9w/esNkThwgXTEa2mX1iOPdTcl3yRleAExxF22lEU2E0GKY2XdYr/BxP5fojJAPRgtEGDl72NSwSnD2/a8uPNirAJZoab36Hlw41QxEl7bmCo0280mt
;{id = 60615 (zsk), size = 1024b}
Key is now trusted!
	Trusted key: .	172800	IN	DNSKEY	257 3 8
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
;{id = 19036 (ksk), size = 2048b}
[T] org. 86400 IN DS 9795 7 1 364dfab3daf254cab477b5675b10766ddaa24982
org. 86400 IN DS 9795 7 2 3922b31b6f3a4ea92b19eb7b52120f031fd8e05ff0b03bafcf9f891bfe7ff8e5
;; Domain: org.
[T] org. 900 IN DNSKEY 257 3 7 ;{id = 9795 (ksk), size = 2048b}
org. 900 IN DNSKEY 257 3 7 ;{id = 17883 (ksk), size = 2048b}
org. 900 IN DNSKEY 256 3 7 ;{id = 12510 (zsk), size = 1024b}
org. 900 IN DNSKEY 256 3 7 ;{id = 52860 (zsk), size = 1024b}
[T] Existence denied: org. A
;;[S] self sig OK; [B] bogus; [T] trusted

For fun, I'll try to validate the SOA RR of as59715.net

[morpheus at odino:~] drill -k my_dns_root.key -TD as59715.net. SOA
;; Number of trusted keys: 2
;; Domain: .
[T] . 172800 IN DNSKEY 256 3 8 ;{id = 60615 (zsk), size = 1024b}
. 172800 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b}
Checking if signing key is trusted:
New key: .	172800	IN	DNSKEY	256 3 8
AwEAAarQO0FTE/l6LEKFlZllJIwXuLGd3q5d8S8NH+ntOeIMN81A5wAI18g3u9w/esNkThwgXTEa2mX1iOPdTcl3yRleAExxF22lEU2E0GKY2XdYr/BxP5fojJAPRgtEGDl72NSwSnD2/a8uPNirAJZoab36Hlw41QxEl7bmCo0280mt
;{id = 60615 (zsk), size = 1024b}
	Trusted key: .	1672	IN	DNSKEY	257 3 8
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
;{id = 19036 (ksk), size = 2048b}
	Trusted key: .	1672	IN	DNSKEY	256 3 8
AwEAAarQO0FTE/l6LEKFlZllJIwXuLGd3q5d8S8NH+ntOeIMN81A5wAI18g3u9w/esNkThwgXTEa2mX1iOPdTcl3yRleAExxF22lEU2E0GKY2XdYr/BxP5fojJAPRgtEGDl72NSwSnD2/a8uPNirAJZoab36Hlw41QxEl7bmCo0280mt
;{id = 60615 (zsk), size = 1024b}
Key is now trusted!
	Trusted key: .	172800	IN	DNSKEY	256 3 8
AwEAAarQO0FTE/l6LEKFlZllJIwXuLGd3q5d8S8NH+ntOeIMN81A5wAI18g3u9w/esNkThwgXTEa2mX1iOPdTcl3yRleAExxF22lEU2E0GKY2XdYr/BxP5fojJAPRgtEGDl72NSwSnD2/a8uPNirAJZoab36Hlw41QxEl7bmCo0280mt
;{id = 60615 (zsk), size = 1024b}
Key is now trusted!
	Trusted key: .	172800	IN	DNSKEY	257 3 8
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
;{id = 19036 (ksk), size = 2048b}
[T] net. 86400 IN DS 35886 8 2 7862b27f5f516ebe19680444d4ce5e762981931842c465f00236401d8bd973ee
;; Domain: net.
[T] net. 86400 IN DNSKEY 257 3 8 ;{id = 35886 (ksk), size = 2048b}
net. 86400 IN DNSKEY 256 3 8 ;{id = 50762 (zsk), size = 1024b}
Checking if signing key is trusted:
New key: net.	86400	IN	DNSKEY	256 3 8
AQPNMFqRLYVsvz7L1y7athCoAHynoJiOVUijHAlQ2o70ZTUsQb0RJsAKQlFztuClkFMzweDRlochZ7y7JWCLqUzGAmtbT2T7duYQk+eGHqbz4FmuaZEMDuvQ1zkFQFYbO4vuWZ2IFESXjZkYhzmkkEQYpjPoF3yzUGnud6w5QksP0Q==
;{id = 50762 (zsk), size = 1024b}
	Trusted key: .	1672	IN	DNSKEY	257 3 8
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
;{id = 19036 (ksk), size = 2048b}
	Trusted key: .	1672	IN	DNSKEY	256 3 8
AwEAAarQO0FTE/l6LEKFlZllJIwXuLGd3q5d8S8NH+ntOeIMN81A5wAI18g3u9w/esNkThwgXTEa2mX1iOPdTcl3yRleAExxF22lEU2E0GKY2XdYr/BxP5fojJAPRgtEGDl72NSwSnD2/a8uPNirAJZoab36Hlw41QxEl7bmCo0280mt
;{id = 60615 (zsk), size = 1024b}
	Trusted key: .	172800	IN	DNSKEY	256 3 8
AwEAAarQO0FTE/l6LEKFlZllJIwXuLGd3q5d8S8NH+ntOeIMN81A5wAI18g3u9w/esNkThwgXTEa2mX1iOPdTcl3yRleAExxF22lEU2E0GKY2XdYr/BxP5fojJAPRgtEGDl72NSwSnD2/a8uPNirAJZoab36Hlw41QxEl7bmCo0280mt
;{id = 60615 (zsk), size = 1024b}
	Trusted key: .	172800	IN	DNSKEY	257 3 8
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
;{id = 19036 (ksk), size = 2048b}
	Trusted key: net.	86400	IN	DNSKEY	257 3 8
AQOYBnzqWXIEj6mlgXg4LWC0HP2n8eK8XqgHlmJ/69iuIHsa1TrHDG6TcOra/pyeGKwH0nKZhTmXSuUFGh9BCNiwVDuyyb6OBGy2Nte9Kr8NwWg4q+zhSoOf4D+gC9dEzg0yFdwT0DKEvmNPt0K4jbQDS4Yimb+uPKuF6yieWWrPYYCrv8C9KC8JMze2uT6NuWBfsl2fDUoV4l65qMww06D7n+p7RbdwWkAZ0fA63mXVXBZF6kpDtsYD7SUB9jhhfLQE/r85bvg3FaSs5Wi2BaqN06SzGWI1DHu7axthIOeHwg00zxlhTpoYCH0ldoQz+S65zWYi/fRJiyLSBb6JZOvn
;{id = 35886 (ksk), size = 2048b}
	Trusted key: net.	86400	IN	DNSKEY	256 3 8
AQPNMFqRLYVsvz7L1y7athCoAHynoJiOVUijHAlQ2o70ZTUsQb0RJsAKQlFztuClkFMzweDRlochZ7y7JWCLqUzGAmtbT2T7duYQk+eGHqbz4FmuaZEMDuvQ1zkFQFYbO4vuWZ2IFESXjZkYhzmkkEQYpjPoF3yzUGnud6w5QksP0Q==
;{id = 50762 (zsk), size = 1024b}
Key is now trusted!
[T] as59715.net. 86400 IN DS 4847 8 2 69a705e2835dcae42bdb4c82b2e7260abf918c164954eca329aebb9010110352
;; Domain: as59715.net.
[T] as59715.net. 3600 IN DNSKEY 257 3 8 ;{id = 4847 (ksk), size = 2048b}
as59715.net. 3600 IN DNSKEY 257 3 8 ;{id = 46709 (ksk), size = 2048b}
as59715.net. 3600 IN DNSKEY 256 3 8 ;{id = 51699 (zsk), size = 1024b}
as59715.net. 3600 IN DNSKEY 256 3 8 ;{id = 4399 (zsk), size = 1024b}
[T] as59715.net.	3600	IN	SOA	ns1.as59715.net. dnsmaster.as59715.net. 2016041847 86400 7200 604800 3600
;;[S] self sig OK; [B] bogus; [T] trusted


[morpheus at odino:~] drill -k my_dns_root.key -s -S as59715.net. SOA
;; Number of trusted keys: 2
;; Chasing: as59715.net. SOA


DNSSEC Trust tree:
as59715.net. (SOA)
|---as59715.net. (DNSKEY keytag: 4399 alg: 8 flags: 256)
    |---as59715.net. (DNSKEY keytag: 4847 alg: 8 flags: 257)
    |---as59715.net. (DNSKEY keytag: 46709 alg: 8 flags: 257)
    |---as59715.net. (DS keytag: 4847 digest type: 2)
        |---net. (DNSKEY keytag: 50762 alg: 8 flags: 256)
            |---net. (DNSKEY keytag: 35886 alg: 8 flags: 257)
            |---net. (DS keytag: 35886 digest type: 2)
                |---. (DNSKEY keytag: 60615 alg: 8 flags: 256)
                    |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
;; Chase successful

Mauro

-- 
Dott. Ing. Mauro Angiolillo
Linux Registered User #343216
GnuPG-Key fingerprint = 90A3 3F92 6008 7383 A569  E952 CF97 383B 63F6 F425

				      -*-
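
Added example, not part of the original message: a small Python parser for the RRSIG rdata that the three `dig ... +short +dnssec` answers above print, checking the validity window at the time of the message and matching the key tag against the org. DNSKEY ids that drill lists. The function names are hypothetical and the signature field is a constructed placeholder; the other field values are copied from the message.

```python
from datetime import datetime, timezone

# RRSIG rdata as printed by `dig org. IN SOA +short +dnssec` in the message;
# the signature is a constructed placeholder, not the real base64.
ANSWERS = {
    "default resolver": "SOA 7 1 900 20160601093016 20160511083016 52860 org. c2lnbmF0 dXJl",
    "8.8.8.8": "SOA 7 1 900 20160601092815 20160511082815 52860 org. c2lnbmF0 dXJl",
    "a0.org.afilias-nst.info.": "SOA 7 1 900 20160601093126 20160511083126 52860 org. c2lnbmF0 dXJl",
}
# org. DNSKEY ids and flags as listed by drill in the message (257 = KSK, 256 = ZSK).
ORG_KEYS = {9795: 257, 17883: 257, 12510: 256, 52860: 256}

def ts(s):
    """RRSIG timestamps in presentation format are YYYYMMDDHHmmSS, always UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(rdata):
    f = rdata.split()
    if len(f) < 9:
        raise ValueError("truncated RRSIG rdata")
    return {"type_covered": f[0], "algorithm": int(f[1]), "labels": int(f[2]),
            "original_ttl": int(f[3]), "expiration": ts(f[4]), "inception": ts(f[5]),
            "key_tag": int(f[6]), "signer": f[7].lower(),
            "signature": "".join(f[8:])}  # dig breaks the base64 with spaces

def in_zone(owner, signer):
    return signer == "." or owner == signer or owner.endswith("." + signer)

def check(sig, owner, now, keys):
    """Return the list of metadata problems; empty means worth verifying cryptographically."""
    owner, problems = owner.lower(), []
    if not sig["inception"] <= now <= sig["expiration"]:
        problems.append("outside validity window")
    if sig["labels"] > len([l for l in owner.split(".") if l]):
        problems.append("labels field exceeds owner name")
    if not in_zone(owner, sig["signer"]):
        problems.append("signer is not the owner's zone or an ancestor")
    if sig["key_tag"] not in keys:
        problems.append("no DNSKEY with this key tag")
    return problems

if __name__ == "__main__":
    now = datetime(2016, 5, 11, 10, 17, 4, tzinfo=timezone.utc)  # message date, in UTC
    for server, rdata in ANSWERS.items():
        sig = parse_rrsig(rdata)
        print(server, sig["inception"], sig["expiration"] - sig["inception"],
              "key", sig["key_tag"], ORG_KEYS.get(sig["key_tag"]), check(sig, "org.", now, ORG_KEYS))
```

All three answers name the same signer and key tag 52860 (one of the two org. ZSKs) but carry three different inception times, which fits the three different SOA serials the servers returned.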
