DNSSEC. Руководство регистратора доменов



DNSSEC

. . .

1

, IV 2016, UNLICENSE

DIPHOST

, IV 2016 , UNLICENSE

DNSSEC

DNSSEC

DIPHOST

, IV 2016 , UNLICENSE

DNSSEC

.

, .

.

DIPHOST

, IV 2016 , UNLICENSE

. , , , NS .

DNSSEC . , .

. , DNSSEC.

DIPHOST

, IV 2016 , UNLICENSE

DIPHOST

, IV 2016 , UNLICENSE

. . RRSIG . , , DNSKEY .

, , , .

DIPHOST

, IV 2016 , UNLICENSE

. .

. ( DNSKEY) KSK (Key-signing key).

KSK . KSK .

DIPHOST

, IV 2016 , UNLICENSE

DNSKEY   AAAA   NS   SOA

Key-signing key (KSK)

KSK KSK

DIPHOST

, IV 2016 , UNLICENSE

KSK ZSK (Zone-signing key).

ZSK KSK KSK.

ZSK.

ZSK . ZSK . ZSK .

DIPHOST

, IV 2016 , UNLICENSE

DNSKEY   AAAA   NS   SOA

Key-signing key (KSK)

KSK KSK ZSK

DNSKEY

Zone-signing key (ZSK)

ZSK

KSK

DIPHOST

, IV 2016 , UNLICENSE

KSK. KSK KSK.

KSK ZSK. ZSK KSK KSK. ZSK.

KSK .

DIPHOST

, IV 2016 , UNLICENSE

KSK ZSK . KSK . ZSK KSK.

. .

DIPHOST

, IV 2016 , UNLICENSE

,

DIPHOST

, IV 2016 , UNLICENSE

. , .

, .

KSK . .

DIPHOST

, IV 2016 , UNLICENSE

KSK , DS (Delegation Signer).

DS .

DS .

DIPHOST

, IV 2016 , UNLICENSE

DNSKEY (KSK)example DS.tld

example.tld

KSK

DS example.tld

DS KSK

DIPHOST

, IV 2016 , UNLICENSE

.

DS

, , , , .

DIPHOST

, IV 2016 , UNLICENSE

DNSKEY (KSK)example DS.tld

DNSKEY (KSK)sub.example DSexample.tld

DNSKEY (KSK)sub.example.tld

DIPHOST

, IV 2016 , UNLICENSE

KSK KSK . DNSKEY DS.

DNSKEY (KSK)example DS.tld

example.tld

DS example.tld

DS KSK

DIPHOST

, IV 2016 , UNLICENSE

DIPHOST

, IV 2016 , UNLICENSE

API

KSK (DNSKEY-) DS KSK.

DS (DS-) DS. , KSK DS.

DIPHOST

, IV 2016 , UNLICENSE

EPP. DNSSEC RFC 5910: https://tools.ietf.org/html/rfc5910

DNSKEY DS.

RFC 5910 .

EPP

DIPHOST

, IV 2016 , UNLICENSE

(.RU, ., .SU, ., .TATAR) DS DNSSEC EPP DNSKEY . http://tcinet.ru/documents/

Eesti Interneti SA (.EE) DNSKEY DNSSEC EPP. DS . https://www.internet.ee/dnssec-ru

DIPHOST

, IV 2016 , UNLICENSE

DNSKEY DS

DIPHOST

, IV 2016 , UNLICENSE

DNSKEY

example.com. IN DNSKEY 257 3 13 (6a81escFb5QysOzJop VCPslEyldHjxOLNIq3 ol0xZPeLn6HBLwdRIa xz1aYpefJHPaj+seBt i4j5gLWYetY3vA==)

. KSK 257 DNSSEC. 3 . 1 14 base64

DIPHOST

, IV 2016 , UNLICENSE

5   RSA/SHA-1
7   RSASHA1-NSEC3-SHA1

8   RSA/SHA-256
10  RSA/SHA-512
12  GOST R 34.10-2001

13  ECDSA Curve P-256 with SHA-256
14  ECDSA Curve P-384 with SHA-384

DNSKEY

DIPHOST

, IV 2016 , UNLICENSE

8 , 8 10 2048

8 (RSA/SHA-256), 10 (RSA/SHA-512), 12 (GOST R 34.10-2001), 13 (ECDSA Curve P-256 with SHA-256), 14 (ECDSA Curve P-384 with SHA-384)

8 10 256 (2048 ) 512 (4096 ) 12 13 64 14 96

DNSKEY

DIPHOST

, IV 2016 , UNLICENSE

DS

example.com. IN DS 20545 13 1 (40bd7cf025eeb433f9 e74127009bd0af8c16 f449)

DNSKEY . 1 14 . 1 4 DNSKEY

DS DNSKEY ,

DIPHOST

, IV 2016 , UNLICENSE

,

1   SHA-1

2   SHA-256
3   GOST R 34.11-94

4   SHA-384

DS

DIPHOST

, IV 2016 , UNLICENSE

2 , , 1

2

2 (SHA-256), 3 (GOST R 34.11-94), 4 (SHA-384)

2 64 , 3 64 , 4 96

DS

DIPHOST

, IV 2016 , UNLICENSE

DS

DS

DIPHOST

, IV 2016 , UNLICENSE

DNSKEY,

DNSKEY

, DNSKEY

DS

DIPHOST

, IV 2016 , UNLICENSE

DS RFC 4034, , . .

. RFC .

, DNS. , DNS .

DS

DIPHOST

, IV 2016 , UNLICENSE

DS. . .

PHP, Perl, Python 2 3, Go Java GitHub: https://github.com/diphost/ds-calc

DS

DIPHOST

, IV 2016 , UNLICENSE

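#!/usr/bin/env python3
# -*- coding: utf-8 -*-

import struct, hashlib, base64


def calc_ds_sha256(owner, algorithm, publickey, flags=257):
    """Compute the DS record (key tag, SHA-256 digest) for one DNSKEY.

    This is the calculation a registrar has to perform when the registry
    accepts DS records but the registrant supplied a DNSKEY
    (RFC 4034 section 5.1.4, RFC 4509).

    Args:
        owner: owner name of the DNSKEY (the zone apex), e.g. "example.com.".
            A missing trailing dot is tolerated and the name is lowercased,
            because the digest is computed over the *canonical* wire-format
            name (RFC 4034 section 6.2): lowercase labels plus the root
            label. IDN names must already be in A-label (punycode) form.
        algorithm: DNSKEY algorithm number (8 = RSA/SHA-256, 13 = ECDSA
            P-256/SHA-256, ...). Algorithm 1 (RSA/MD5) used a different
            key-tag formula (RFC 4034 Appendix B.1) and is not supported.
        publickey: the base64 public-key field of the DNSKEY record, str or
            bytes; whitespace between groups (as printed in zone files) is
            ignored.
        flags: DNSKEY flags field, 257 (KSK with SEP bit) by default, which
            is what a DS normally points to. The flags are part of the
            digested RDATA and of the key tag, so pass the real value for a
            ZSK (256) or a revoked key (385).

    Returns:
        A tuple ``(keytag, digest)``: ``keytag`` is an int in 0..65535 and
        ``digest`` the uppercase hex SHA-256 digest (64 characters), i.e.
        the fields of ``<owner> IN DS <keytag> <algorithm> 2 <digest>``.

    Raises:
        ValueError: if ``publickey`` is not valid base64 (``binascii.Error``,
            a ``ValueError`` subclass), or if the owner name has an empty
            label or a label longer than 63 octets. A DS computed from
            malformed input would break the delegation once published, so
            such input is rejected instead of being silently accepted.
        UnicodeEncodeError: if ``owner`` is not ASCII.
    """
    protocol = 3  # fixed by RFC 4034 section 2.1.2

    # Zone files split the key into whitespace-separated groups; strip that,
    # then decode strictly so junk characters are rejected instead of being
    # silently dropped (the default b64decode() behaviour).
    if isinstance(publickey, (bytes, bytearray)):
        publickey = bytes(publickey).decode('ascii')
    key_bytes = base64.b64decode(''.join(publickey.split()), validate=True)

    # DNSKEY RDATA in wire format: flags(2) | protocol(1) | algorithm(1) | key
    dnskey_rdata = struct.pack('!HBB', int(flags), protocol, int(algorithm)) + key_bytes

    # Key tag, RFC 4034 Appendix B: sum the RDATA as big-endian 16-bit words
    # (a trailing odd byte counts as the high byte), then fold in the carry.
    ac = 0
    for i, b in enumerate(dnskey_rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    keytag = ac & 0xFFFF

    # Canonical owner name in wire format: lowercase labels, each prefixed by
    # its length, terminated by the zero-length root label.
    name = owner.encode('ascii').lower().rstrip(b'.')
    wire = bytearray()
    if name:
        for label in name.split(b'.'):
            if not label or len(label) > 63:
                raise ValueError('invalid DNS label %r in owner name %r' % (label, owner))
            wire += struct.pack('B', len(label)) + label
    wire += b'\x00'

    # DS digest = SHA-256(owner name | DNSKEY RDATA), RFC 4509.
    digest = hashlib.sha256(bytes(wire) + dnskey_rdata).hexdigest().upper()
    return (keytag, digest)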

Python 3

DIPHOST

, IV 2016 , UNLICENSE

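use MIME::Base64;
use Digest::SHA;

# Compute the DS record (key tag, SHA-256 digest) for one DNSKEY, as a
# registrar must do when the registry accepts DS records but the registrant
# supplied a DNSKEY (RFC 4034 section 5.1.4, RFC 4509).
#
#   $domain     owner name of the DNSKEY (zone apex), e.g. "example.com.".
#               A missing trailing dot is tolerated and the name is
#               lowercased: the digest covers the canonical wire-format
#               name (RFC 4034 section 6.2), i.e. lowercase labels plus the
#               root label. IDN names must already be in A-label form.
#   $algorithm  DNSKEY algorithm number (8 = RSA/SHA-256, 13 = ECDSA P-256).
#               Algorithm 1 (RSA/MD5) used a different key-tag formula
#               (RFC 4034 Appendix B.1) and is not supported.
#   $publickey  base64 public-key field of the DNSKEY record; whitespace
#               between groups is stripped before decoding.
#   $flags      optional DNSKEY flags field, 257 (KSK) by default. It is part
#               of the digested RDATA and of the key tag, so pass the real
#               value for a ZSK (256) or a revoked key (385).
#
# Returns ($keytag, $digest): the 16-bit key tag and the uppercase hex
# SHA-256 digest, i.e. the fields of "<owner> IN DS <keytag> <algorithm> 2 <digest>".
# Dies on an empty label or a label longer than 63 octets: a DS computed
# from a malformed name would break the delegation once published.
sub calc_ds_sha256($$$;$) {
    my ($domain, $algorithm, $publickey, $flags) = @_;
    $flags = 257 unless defined $flags;
    my $protocol = 3;                                   # fixed by RFC 4034 section 2.1.2

    # DNSKEY RDATA in wire format: flags(2) | protocol(1) | algorithm(1) | key
    (my $b64 = $publickey) =~ s/\s+//g;
    my $dnskey_rdata = pack('nCC', $flags, $protocol, $algorithm);
    $dnskey_rdata .= decode_base64($b64);

    # Key tag, RFC 4034 Appendix B: sum the RDATA as big-endian 16-bit words
    # (a trailing odd byte counts as the high byte), then fold in the carry.
    my $ac = 0;
    for (my $i = 0; $i < length($dnskey_rdata); $i++) {
        my $b = ord(substr($dnskey_rdata, $i, 1));
        $ac += ($i & 1) ? $b : ($b << 8);
    }
    $ac += ($ac >> 16) & 0xffff;
    my $keytag = $ac & 0xffff;

    # Canonical owner name in wire format: lowercase labels, each prefixed by
    # its length, terminated by the zero-length root label.
    (my $name = lc $domain) =~ s/\.+\z//;
    my $domain_wire_format = '';
    if (length $name) {
        foreach my $label (split(/\./, $name, -1)) {
            die "invalid DNS label '$label' in owner name '$domain'\n"
                if length($label) == 0 || length($label) > 63;
            $domain_wire_format .= pack('C', length $label) . $label;
        }
    }
    $domain_wire_format .= "\0";

    # DS digest = SHA-256(owner name | DNSKEY RDATA), RFC 4509.
    my $digest = uc Digest::SHA::sha256_hex($domain_wire_format . $dnskey_rdata);
    return ($keytag, $digest);
}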

DS Perl

DIPHOST

, IV 2016 , UNLICENSE

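package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"strings"
)

// calc_ds_sha256 computes the DS record (key tag, SHA-256 digest) for one
// DNSKEY — what a registrar must do when the registry accepts DS records but
// the registrant supplied a DNSKEY (RFC 4034 section 5.1.4, RFC 4509).
//
// owner is the DNSKEY owner name (zone apex), e.g. "example.com.". A missing
// trailing dot is tolerated and the name is lowercased, because the digest
// covers the canonical wire-format name (RFC 4034 section 6.2): lowercase
// labels plus the root label. IDN names must already be in A-label form.
// algorithm is the DNSKEY algorithm number; publickey is the base64 key
// field of the DNSKEY record (whitespace between groups is ignored).
//
// The DNSKEY flags are fixed at 257 (KSK with SEP bit), the usual target of
// a DS. Flags are part of the digested RDATA and of the key tag, so this
// function is not correct for a ZSK (256) or a revoked key (385).
// Algorithm 1 (RSA/MD5) used a different key-tag formula (RFC 4034
// Appendix B.1) and is not supported.
//
// It returns the 16-bit key tag and the lowercase hex SHA-256 digest (64
// ASCII bytes), i.e. the fields of "<owner> IN DS <keytag> <algorithm> 2
// <digest>"; hex case is irrelevant in presentation format. If the key is
// not valid base64, or the name has an empty label or a label longer than
// 63 octets, it returns (0, nil): a DS computed from malformed input would
// break the delegation once published, so callers must check for a nil
// digest rather than publish whatever came out.
func calc_ds_sha256(owner string, algorithm uint8, publickey string) (uint16, []byte) {
	const flags uint16 = 257 // KSK: zone key + SEP bit
	const protocol uint8 = 3 // fixed by RFC 4034 section 2.1.2

	// Zone files split the key into whitespace-separated groups; strip that
	// before decoding, and refuse anything that is not base64.
	key, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(publickey), ""))
	if err != nil {
		return 0, nil
	}

	// DNSKEY RDATA in wire format: flags(2) | protocol(1) | algorithm(1) | key
	dnskeyRdata := []byte{byte(flags >> 8), byte(flags), protocol, algorithm}
	dnskeyRdata = append(dnskeyRdata, key...)

	// Key tag, RFC 4034 Appendix B: sum the RDATA as big-endian 16-bit words
	// (a trailing odd byte counts as the high byte), then fold in the carry.
	var ac uint32
	for i, b := range dnskeyRdata {
		if i&1 != 0 {
			ac += uint32(b)
		} else {
			ac += uint32(b) << 8
		}
	}
	ac += (ac >> 16) & 0xFFFF
	keytag := uint16(ac & 0xFFFF)

	// Canonical owner name in wire format: lowercase labels, each prefixed by
	// its length, terminated by the zero-length root label.
	name := strings.TrimRight(strings.ToLower(owner), ".")
	wire := make([]byte, 0, len(name)+2)
	if name != "" {
		for _, label := range strings.Split(name, ".") {
			if len(label) == 0 || len(label) > 63 {
				return 0, nil
			}
			wire = append(wire, byte(len(label)))
			wire = append(wire, label...)
		}
	}
	wire = append(wire, 0)

	// DS digest = SHA-256(owner name | DNSKEY RDATA), RFC 4509.
	sum := sha256.Sum256(append(wire, dnskeyRdata...))
	digest := make([]byte, hex.EncodedLen(len(sum)))
	hex.Encode(digest, sum[:])
	return keytag, digest
}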

DS Go

DIPHOST

, IV 2016 , UNLICENSE

DS DNSKEY

DIPHOST

, IV 2016 , UNLICENSE

https://www.dnssec-tools.org/

. ISC BIND. UNIX- dnssec-tools

KSK
$ dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com.
Generating key pair.
Kexample.com.+013+34607

DS 2
$ dnssec-dsfromkey -a SHA-256 Kexample.com.+013+34607
example.com. IN DS 34607 13 2 3F6ED17BBCAAD567619C0D43F05DD9BD0...

DNSSEC Tools

DIPHOST

, IV 2016 , UNLICENSE

https://www.nlnetlabs.nl/projects/ldns/

Ldns. RIPE. UNIX- ldns-utils

KSK
$ ldns-keygen -a ECDSAP256SHA256 -k -r /dev/urandom example.com
Kexample.com.+013+09534

DS 2
$ ldns-key2ds -n -2 Kexample.com.+013+09534.key
example.com.	3600	IN	DS	9534 13 2 1a7f795c11c3f0e3b74299e1e...

LDNS Utils

DIPHOST

, IV 2016 , UNLICENSE

. . .

DIPHOST

, IV 2016 , UNLICENSE

KSK . KSK .

KSK . , DNSSEC , . .

DIPHOST

, IV 2016 , UNLICENSE

DS KSK. DNS-.

DS , , . , DNSSEC , .

DS , . .

DIPHOST

, IV 2016 , UNLICENSE

. . , .

. DNSSEC .

DIPHOST

, IV 2016 , UNLICENSE

, ( 12 3 ) DNSSEC

. PHP Perl OpenSSL. .

PHP 5.6

Perl Digest::GOST::CryptoPro

Python https://pypi.python.org/pypi/pygost/

Go http://www.cypherpunks.ru/gogost/

Java http://www.bouncycastle.org/

DIPHOST

, IV 2016 , UNLICENSE

, . .

DNSSEC ECDSA ( 13). RSA. ECDSA RSA. ECDSA RSA . ECDSA DNS UDP .

SHA-256 ( 2).

DIPHOST

, IV 2016 , UNLICENSE

. , KSK.

KSK. , DNSKEY DS.

KSK KSK , DS.

API c DNSSEC DNSSEC

API

DIPHOST

, IV 2016 , UNLICENSE

API API DNSSEC , . API .

API ? .CA (CIRA): https://github.com/CIRALabs/DSAP/

DNSSEC API,

DNSSEC API

DIPHOST

, IV 2016 , UNLICENSE

DNSSEC. API DNSKEY, DS .

DIPHOST

, IV 2016 , UNLICENSE

. : http://dnsviz.net/

.

DNSSEC .

.

DIPHOST

, IV 2016 , UNLICENSE

DIPHOST

, IV 2016 , UNLICENSE

KSK .

. 1

DNSKEY (KSK)example DS.tld

example.tld

DS example.tld

DS KSK

DIPHOST

, IV 2016 , UNLICENSE

DNSKEY DS. DNSKEY .

EPP EPP. DNSSEC RFC 5910

. 2

DIPHOST

, IV 2016 , UNLICENSE

KSK . DS , .

API API DS / DNSKEY. .

. 3

DIPHOST

, IV 2016 , UNLICENSE

, , :

[email protected]

DIPHOST

, IV 2016 , UNLICENSE

, . . , , , .

PayPal https://www.paypal.me/schors

. http://yasobe.ru/na/schors

Bitcoin

17V94QS4vaBwec1Qwqp2ow5b3tbrRGGcne

DIPHOST

, IV 2016 , UNLICENSE

. . , . . . , . , DNSSEC, .

DIPHOST

, IV 2016 , UNLICENSE

PHP, Perl, Python 2 3, Go Java GitHub:

https://github.com/diphost/ds-calc

DIPHOST

, IV 2016 , UNLICENSE

DNSSEC. OpenDNSSEC: https://www.opendnssec.org/

dnssec-tools: https://www.dnssec-tools.org/

Ldns: https://www.nlnetlabs.nl/projects/ldns/

DNS DNSSEC: http://dnsviz.net/

CIRA DS: https://github.com/CIRALabs/DSAP/

DIPHOST

, IV 2016 , UNLICENSE

Go: http://www.cypherpunks.ru/gogost/

Python: https://pypi.python.org/pypi/pygost/

Java BouncyCastle: http://www.bouncycastle.org/

DNS Java: http://www.dnsjava.org/

DNS Perl: http://search.cpan.org/~nlnetlabs/Net-DNS/

DIPHOST

, IV 2016 , UNLICENSE

RFC 4033 DNSSEC
RFC 4034 DNSSEC
RFC 4035 DNS DNSSEC

RFC 3110 RSA/SHA-1 DNS
RFC 4509 SHA-256 DS
RFC 5702 SHA-2 DNSKEY RRSIG
RFC 5933 DNSSEC
RFC 6605 ECDSA SHA-384 DNSSEC

RFC 5910 EPP DNSSEC

RFC 6781 DNSSEC
RFC 7583 DNSSEC

RFC DNSSEC

DIPHOST

, IV 2016 , UNLICENSE

, .

, , , , , .

DIPHOST

, IV 2016 , UNLICENSE