勉強日記

チラ裏

【ハンズオン】親のDSリソースレコードと、子のDNSKEYリソースレコードのハッシュ値の照合

www.sbcr.jp


参考

stimming-today.hatenablog.jp

jp.権威サーバーにjprs.jp.のDSレコードを問い合わせる

dig @203.119.1.1 +multi +dnssec +norec jprs.jp. DS
; <<>> DiG 9.11.3-1ubuntu1.9-Ubuntu <<>> @203.119.1.1 +multi +dnssec +norec jprs.jp. DS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11532
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: ce54c736aadcd441ba2e95d25e91de0fd5948d42f7b35087 (good)
;; QUESTION SECTION:
;jprs.jp.       IN DS

;; ANSWER SECTION:
jprs.jp.        7200 IN DS 43519 8 2 (
                F1253DCC0CEE00CFB6518894AD23F135E1801D67D67D
                9CCDA81AADA9954109DC )
jprs.jp.        7200 IN RRSIG DS 8 2 7200 (
                20200504174502 20200404174502 26115 jp.
                WzHwmO60n2gF8bhV0zQadbYLNPs5GljIRtO3wFN4eDYc
                lH+gYD8lYk9lWtgyq09AZJ0m//zxlkOMmBlQBLVNHQ9d
                VjP1gL7Y7THD44IDcQcG0hLoAJEBNufjyM7QcIjSgmHg
                ib2oefDxzoVDNSNZLhPdV0JHccEBK2zCn2WPDH0= )

;; Query time: 4 msec
;; SERVER: 203.119.1.1#53(203.119.1.1)
;; WHEN: Sun Apr 12 00:11:12 JST 2020
;; MSG SIZE  rcvd: 274

jprs.jp.権威サーバーにKSK,ZSKを問い合わせる

dig @202.11.16.49 +dnssec +norec jprs.jp. DNSKEY
; <<>> DiG 9.11.3-1ubuntu1.9-Ubuntu <<>> @202.11.16.49 +dnssec +norec jprs.jp. DNSKEY
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59010
;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;jprs.jp.           IN  DNSKEY

;; ANSWER SECTION:
jprs.jp.        86400   IN  DNSKEY  257 3 8 AwEAAc1yS/obQs9Geh5qahR3k28PrqwCve3Z/osxEb5OXdzFgfqGpRYz rjqXMJdInPdBq3WeklIvOOajW+IS2zzqcwqAa7S7mEtH7ptUz24JQaAu ECZl1IkuIoiqmMAbhOPs7QC62llCGq1W3ElbfWioXUaWormXjWNDHNFk BEgFOj2SYdhvKPVJK85I275Rh1Q18Xyn7EjPtpfiHKNUrWC8rK4ccN4c kpP6zn/dxurN38l4s0dXqG3iUolvzAIFt6rIRdC/o2YHnstBXMgVzNr9 lMG1ZH4J1AV5RA/ri68sHFi7jgDa3E4hGkTvoKQquq8KLjsg/cYUVrMT BUMHeU6BEsM=
jprs.jp.        86400   IN  DNSKEY  257 3 8 AwEAAbEW7c61WQ+ZWrUivmXoOTqqN4i7yB1MhCtaG2YCTm5UdlBaOHtc JFNaubPYntvmz5Nd9S7NE05r2dUtA/pDR7GD35gku2y6tDas78VXivIG 6Mgj+M5G0J5xFl074PULJj1v4Omxrv7kojcsgrwjdZR46q7iVNPvCmeB lWO7FIAx2J+hGLk38XgCCKFzYtcYOgDxWexL3KvE1MMWz2D2Hs3GRWd0 fYdVv3iaoKyS2wtAtnt+zc/qKmB7hZ645O7JIRRCEhZrzLoOIQUaD+0o RdmCNtecRWcRB7pYYxF9kaRKknWX2dO78ndRUaGos725rOkISqtEP0O6 Cu96/ecggkU=
jprs.jp.        86400   IN  DNSKEY  256 3 8 AwEAAbqJTLf0DTwRTzXExy+DifhwVhtFWYEDorFPIcEE9J8CBierd4cv R5kT2qSHru3MViqZTz/40ApLwQArzKtOm4z1KsWLQsNFO63fJw1pOXS6 DtUTEaex2wH2IXeH9fZwVWQpgfbuzqBuGlefRSLEFU9D0+o+QgP5RQ38 /scK69PR
jprs.jp.        86400   IN  RRSIG   DNSKEY 8 2 86400 20200505023003 20200405023003 32452 jprs.jp. wZB3t7+E4JYVCzjXJpHV0t8PNXbXKU3TpU1Cdm+zsFWJsPeQwr2rRU7k a7dPf9a+pSq9+1EKZvfntpCN0DkGYJXLDSnzLiVDepJqm2FUEJks+bvk SOnVTib97lCjLJnxd6FE187767ehK5AO8sj6gnfy5R18cs4on4QOVPkG 1GwHQOw3GaIekOzXlxcWot59s1iU8g893YrjSQUJZYzfyYFgcA1wBnED 8iSGVVgQnsAfxHSTWO+skcZ1LPYiQFkNcHqFkIXrama+UJuJZqz/Iiw3 TShgKwjY48UiETCMp5r0r2+oiDkytSSyU9hnAOku+EQ/DQSYka/h8Fhz 8z4IhQ==
jprs.jp.        86400   IN  RRSIG   DNSKEY 8 2 86400 20200505023003 20200405023003 43519 jprs.jp. lP1MRMSmrZFavC4qjYZhNf9RSH9Qxd5knLfvyZus2Zf5xIdJit/V2bIn IxM3PYy+6Nf71/n9fdfWj9KP3Bm5PXNMVDH9SupA7OVW4Hf3WqqT9Qah rFgpanzv471wc1w3vpOTxh9Iu+HeZCzAAhPZNpq98UPXgW70PvClvThQ T9I2C+cWt1nHRhgkectIjpsIHPdycmP5bP4pX3eqOvnUWBlUrIkENJRG t265I1A+v5gnNc2nKF++s8FfwbBDQq7Li4t+26BQiKk77RBgMJASMQOl +6Bzm35f5SPQLxEK4vhYC6AprSg/Qjw676buLLo5LejKjN6B1Fv1F3+K hcFX2g==

;; Query time: 5 msec
;; SERVER: 202.11.16.49#53(202.11.16.49)
;; WHEN: Sun Apr 12 00:12:11 JST 2020
;; MSG SIZE  rcvd: 1326

KSKを読み解く

  • KSK(のうち1つ)

pubkey

AwEAAbEW7c61WQ+ZWrUivmXoOTqqN4i7yB1MhCtaG2YCTm5UdlBaOHtcJFNaubPYntvmz5Nd9S7NE05r2dUtA/pDR7GD35gku2y6tDas78VXivIG6Mgj+M5G0J5xFl074PULJj1v4Omxrv7kojcsgrwjdZR46q7iVNPvCmeBlWO7FIAx2J+hGLk38XgCCKFzYtcYOgDxWexL3KvE1MMWz2D2Hs3GRWd0fYdVv3iaoKyS2wtAtnt+zc/qKmB7hZ645O7JIRRCEhZrzLoOIQUaD+0oRdmCNtecRWcRB7pYYxF9kaRKknWX2dO78ndRUaGos725rOkISqtEP0O6Cu96/ecggkU=
base64 -d pubkey > pubkey_decoded
00000000: 0301 0001 b116 edce b559 0f99 5ab5 22be  .........Y..Z.".
00000010: 65e8 393a aa37 88bb c81d 4c84 2b5a 1b66  e.9:.7....L.+Z.f
00000020: 024e 6e54 7650 5a38 7b5c 2453 5ab9 b3d8  .NnTvPZ8{\$SZ...
00000030: 9edb e6cf 935d f52e cd13 4e6b d9d5 2d03  .....]....Nk..-.
00000040: fa43 47b1 83df 9824 bb6c bab4 36ac efc5  .CG....$.l..6...
00000050: 578a f206 e8c8 23f8 ce46 d09e 7116 5d3b  W.....#..F..q.];
00000060: e0f5 0b26 3d6f e0e9 b1ae fee4 a237 2c82  ...&=o.......7,.
00000070: bc23 7594 78ea aee2 54d3 ef0a 6781 9563  .#u.x...T...g..c
00000080: bb14 8031 d89f a118 b937 f178 0208 a173  ...1.....7.x...s
00000090: 62d7 183a 00f1 59ec 4bdc abc4 d4c3 16cf  b..:..Y.K.......
000000a0: 60f6 1ecd c645 6774 7d87 55bf 789a a0ac  `....Egt}.U.x...
000000b0: 92db 0b40 b67b 7ecd cfea 2a60 7b85 9eb8  ...@.{~...*`{...
000000c0: e4ee c921 1442 1216 6bcc ba0e 2105 1a0f  ...!.B..k...!...
000000d0: ed28 45d9 8236 d79c 4567 1107 ba58 6311  .(E..6..Eg...Xc.
000000e0: 7d91 a44a 9275 97d9 d3bb f277 5151 a1a8  }..J.u.....wQQ..
000000f0: b3bd b9ac e908 4aab 443f 43ba 0aef 7afd  ......J.D?C...z.
00000100: e720 8245                                . .E
  • 0301 0001
    • 1バイト目03: public exponentの長さ (=3バイト)
    • 2-4バイト目01 0001: public exponent (65537)
  • 残り256バイト: modulus

SHA256を照合してみる

ダイジェスト = ダイジェストアルゴリズム(DNSKEY所有者名 | DNSKEY RDATA);

 "|"は連結(concatenation)を表す。

DNSKEY RDATA = フラグ | プロトコル | アルゴリズム | 公開鍵
  • DNSKEY所有者
    • jprs.jp. => \x04jprs\x02jp\x00 (4文字jprs 2文字jp 0文字終端)
  • フラグ
    • KSK => 257 => \x01\x01
    • ZSKなら256
  • プロトコル
    • DNSSEC => \x03
  • アルゴリズム
    • RSASHA256 => \x08
  • 署名検証鍵
    • さっきの260オクテット

組み立ててSHA-256に流し込む

Python 2.7.15+ (default, Nov 27 2018, 23:36:35) 
[GCC 7.3.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> f=open('tmp', 'w')
>>> f.write('\x04jprs\x02jp\x00' + '\x01\x01' + '\x03' + '\x08')
>>> f.close()
>>> exit()
cat tmp pubkey_decoded | sha256sum
f1253dcc0cee00cfb6518894ad23f135e1801d67d67d9ccda81aada9954109dc  -
  • DSリソースレコードと一致した!
jprs.jp.     7200 IN DS 43519 8 2 (
                F1253DCC0CEE00CFB6518894AD23F135E1801D67D67D
                9CCDA81AADA9954109DC )