【ハンズオン】親のDSリソースレコードと、子のDNSKEYリソースレコードのハッシュ値の照合
参考
jp.権威サーバーにjprs.jp.のDSレコードを問い合わせる
dig @203.119.1.1 +multi +dnssec +norec jprs.jp. DS
; <<>> DiG 9.11.3-1ubuntu1.9-Ubuntu <<>> @203.119.1.1 +multi +dnssec +norec jprs.jp. DS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11532
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: ce54c736aadcd441ba2e95d25e91de0fd5948d42f7b35087 (good)
;; QUESTION SECTION:
;jprs.jp. IN DS
;; ANSWER SECTION:
jprs.jp. 7200 IN DS 43519 8 2 (
F1253DCC0CEE00CFB6518894AD23F135E1801D67D67D
9CCDA81AADA9954109DC )
jprs.jp. 7200 IN RRSIG DS 8 2 7200 (
20200504174502 20200404174502 26115 jp.
WzHwmO60n2gF8bhV0zQadbYLNPs5GljIRtO3wFN4eDYc
lH+gYD8lYk9lWtgyq09AZJ0m//zxlkOMmBlQBLVNHQ9d
VjP1gL7Y7THD44IDcQcG0hLoAJEBNufjyM7QcIjSgmHg
ib2oefDxzoVDNSNZLhPdV0JHccEBK2zCn2WPDH0= )
;; Query time: 4 msec
;; SERVER: 203.119.1.1#53(203.119.1.1)
;; WHEN: Sun Apr 12 00:11:12 JST 2020
;; MSG SIZE rcvd: 274
jprs.jp.権威サーバーにKSK,ZSKを問い合わせる
dig @202.11.16.49 +dnssec +norec jprs.jp. DNSKEY
; <<>> DiG 9.11.3-1ubuntu1.9-Ubuntu <<>> @202.11.16.49 +dnssec +norec jprs.jp. DNSKEY ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59010 ;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;jprs.jp. IN DNSKEY ;; ANSWER SECTION: jprs.jp. 86400 IN DNSKEY 257 3 8 AwEAAc1yS/obQs9Geh5qahR3k28PrqwCve3Z/osxEb5OXdzFgfqGpRYz rjqXMJdInPdBq3WeklIvOOajW+IS2zzqcwqAa7S7mEtH7ptUz24JQaAu ECZl1IkuIoiqmMAbhOPs7QC62llCGq1W3ElbfWioXUaWormXjWNDHNFk BEgFOj2SYdhvKPVJK85I275Rh1Q18Xyn7EjPtpfiHKNUrWC8rK4ccN4c kpP6zn/dxurN38l4s0dXqG3iUolvzAIFt6rIRdC/o2YHnstBXMgVzNr9 lMG1ZH4J1AV5RA/ri68sHFi7jgDa3E4hGkTvoKQquq8KLjsg/cYUVrMT BUMHeU6BEsM= jprs.jp. 86400 IN DNSKEY 257 3 8 AwEAAbEW7c61WQ+ZWrUivmXoOTqqN4i7yB1MhCtaG2YCTm5UdlBaOHtc JFNaubPYntvmz5Nd9S7NE05r2dUtA/pDR7GD35gku2y6tDas78VXivIG 6Mgj+M5G0J5xFl074PULJj1v4Omxrv7kojcsgrwjdZR46q7iVNPvCmeB lWO7FIAx2J+hGLk38XgCCKFzYtcYOgDxWexL3KvE1MMWz2D2Hs3GRWd0 fYdVv3iaoKyS2wtAtnt+zc/qKmB7hZ645O7JIRRCEhZrzLoOIQUaD+0o RdmCNtecRWcRB7pYYxF9kaRKknWX2dO78ndRUaGos725rOkISqtEP0O6 Cu96/ecggkU= jprs.jp. 86400 IN DNSKEY 256 3 8 AwEAAbqJTLf0DTwRTzXExy+DifhwVhtFWYEDorFPIcEE9J8CBierd4cv R5kT2qSHru3MViqZTz/40ApLwQArzKtOm4z1KsWLQsNFO63fJw1pOXS6 DtUTEaex2wH2IXeH9fZwVWQpgfbuzqBuGlefRSLEFU9D0+o+QgP5RQ38 /scK69PR jprs.jp. 86400 IN RRSIG DNSKEY 8 2 86400 20200505023003 20200405023003 32452 jprs.jp. wZB3t7+E4JYVCzjXJpHV0t8PNXbXKU3TpU1Cdm+zsFWJsPeQwr2rRU7k a7dPf9a+pSq9+1EKZvfntpCN0DkGYJXLDSnzLiVDepJqm2FUEJks+bvk SOnVTib97lCjLJnxd6FE187767ehK5AO8sj6gnfy5R18cs4on4QOVPkG 1GwHQOw3GaIekOzXlxcWot59s1iU8g893YrjSQUJZYzfyYFgcA1wBnED 8iSGVVgQnsAfxHSTWO+skcZ1LPYiQFkNcHqFkIXrama+UJuJZqz/Iiw3 TShgKwjY48UiETCMp5r0r2+oiDkytSSyU9hnAOku+EQ/DQSYka/h8Fhz 8z4IhQ== jprs.jp. 86400 IN RRSIG DNSKEY 8 2 86400 20200505023003 20200405023003 43519 jprs.jp. lP1MRMSmrZFavC4qjYZhNf9RSH9Qxd5knLfvyZus2Zf5xIdJit/V2bIn IxM3PYy+6Nf71/n9fdfWj9KP3Bm5PXNMVDH9SupA7OVW4Hf3WqqT9Qah rFgpanzv471wc1w3vpOTxh9Iu+HeZCzAAhPZNpq98UPXgW70PvClvThQ T9I2C+cWt1nHRhgkectIjpsIHPdycmP5bP4pX3eqOvnUWBlUrIkENJRG t265I1A+v5gnNc2nKF++s8FfwbBDQq7Li4t+26BQiKk77RBgMJASMQOl +6Bzm35f5SPQLxEK4vhYC6AprSg/Qjw676buLLo5LejKjN6B1Fv1F3+K hcFX2g== ;; Query time: 5 msec ;; SERVER: 202.11.16.49#53(202.11.16.49) ;; WHEN: Sun Apr 12 00:12:11 JST 2020 ;; MSG SIZE rcvd: 1326
KSKを読み解く
- KSK(のうち1つ)
pubkey
AwEAAbEW7c61WQ+ZWrUivmXoOTqqN4i7yB1MhCtaG2YCTm5UdlBaOHtcJFNaubPYntvmz5Nd9S7NE05r2dUtA/pDR7GD35gku2y6tDas78VXivIG6Mgj+M5G0J5xFl074PULJj1v4Omxrv7kojcsgrwjdZR46q7iVNPvCmeBlWO7FIAx2J+hGLk38XgCCKFzYtcYOgDxWexL3KvE1MMWz2D2Hs3GRWd0fYdVv3iaoKyS2wtAtnt+zc/qKmB7hZ645O7JIRRCEhZrzLoOIQUaD+0oRdmCNtecRWcRB7pYYxF9kaRKknWX2dO78ndRUaGos725rOkISqtEP0O6Cu96/ecggkU=
base64 -d pubkey > pubkey_decoded
00000000: 0301 0001 b116 edce b559 0f99 5ab5 22be .........Y..Z.".
00000010: 65e8 393a aa37 88bb c81d 4c84 2b5a 1b66 e.9:.7....L.+Z.f
00000020: 024e 6e54 7650 5a38 7b5c 2453 5ab9 b3d8 .NnTvPZ8{\$SZ...
00000030: 9edb e6cf 935d f52e cd13 4e6b d9d5 2d03 .....]....Nk..-.
00000040: fa43 47b1 83df 9824 bb6c bab4 36ac efc5 .CG....$.l..6...
00000050: 578a f206 e8c8 23f8 ce46 d09e 7116 5d3b W.....#..F..q.];
00000060: e0f5 0b26 3d6f e0e9 b1ae fee4 a237 2c82 ...&=o.......7,.
00000070: bc23 7594 78ea aee2 54d3 ef0a 6781 9563 .#u.x...T...g..c
00000080: bb14 8031 d89f a118 b937 f178 0208 a173 ...1.....7.x...s
00000090: 62d7 183a 00f1 59ec 4bdc abc4 d4c3 16cf b..:..Y.K.......
000000a0: 60f6 1ecd c645 6774 7d87 55bf 789a a0ac `....Egt}.U.x...
000000b0: 92db 0b40 b67b 7ecd cfea 2a60 7b85 9eb8 ...@.{~...*`{...
000000c0: e4ee c921 1442 1216 6bcc ba0e 2105 1a0f ...!.B..k...!...
000000d0: ed28 45d9 8236 d79c 4567 1107 ba58 6311 .(E..6..Eg...Xc.
000000e0: 7d91 a44a 9275 97d9 d3bb f277 5151 a1a8 }..J.u.....wQQ..
000000f0: b3bd b9ac e908 4aab 443f 43ba 0aef 7afd ......J.D?C...z.
00000100: e720 8245 . .E
0301 0001- 1バイト目
03: public exponentの長さ (=3バイト) - 2-4バイト目
01 0001: public exponent (65537)
- 1バイト目
- 残り256バイト: modulus
SHA256を照合してみる
ダイジェスト = ダイジェストアルゴリズム(DNSKEY所有者名 | DNSKEY RDATA); "|"は連結(concatenation)を表す。 DNSKEY RDATA = フラグ | プロトコル | アルゴリズム | 公開鍵
- DNSKEY所有者
jprs.jp.=>\x04jprs\x02jp\x00(4文字jprs 2文字jp 0文字終端)
- フラグ
- KSK => 257 =>
\x01\x01 - ZSKなら256
- KSK => 257 =>
- プロトコル
- DNSSEC =>
\x03
- DNSSEC =>
- アルゴリズム
- RSASHA256 =>
\x08
- RSASHA256 =>
- 署名検証鍵
- さっきの260オクテット
組み立ててSHA-256に流し込む
Python 2.7.15+ (default, Nov 27 2018, 23:36:35)
[GCC 7.3.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> f=open('tmp', 'w')
>>> f.write('\x04jprs\x02jp\x00' + '\x01\x01' + '\x03' + '\x08')
>>> f.close()
>>> exit()
cat tmp pubkey_decoded | sha256sum
f1253dcc0cee00cfb6518894ad23f135e1801d67d67d9ccda81aada9954109dc -
- DSリソースレコードと一致した!
jprs.jp. 7200 IN DS 43519 8 2 (
F1253DCC0CEE00CFB6518894AD23F135E1801D67D67D
9CCDA81AADA9954109DC )
