Open Source Conference 2013 Tokyo/Spring
Unbound/NSD Latest News
滝澤 隆史, Japan Unbound Users Group, http://unbound.jp/
2013-02-23, OSC 2013 Tokyo/Spring

Unbound/NSD Latest News (OSC 2013 Tokyo/Spring)




2. About the speaker
   Twitter: @ttkzw
   Works at a 24x365 MSP, operating DNS
   1997-2006: BIND4, BIND8, djbdns, BIND9; now NSD, Unbound
   Japan Unbound Users Group; Unbound/NSD, DNS

3. Agenda
   DNS; Unbound; NSD (NSD3 and NSD4); installing NSD 4 beta4; NSD 4

4. Related material
   Unbound: http://unbound.jp/unbound/
   NSD: Internet Week 2012 DNS DAY

5. (section title not recovered)

6. Unbound
   Developed by NLnet Labs

7. Japan Unbound Users Group, http://unbound.jp/
   Covers Unbound, ldns and NSD

8. (section title not recovered)

9. BIND Zero Day Attack

10. BIND 9 DNS; BIND 10 1.0.0 released 2013-02-22
    Alternatives: NSD, Unbound, PowerDNS

11. (only "1, 2" recovered)

12. Unbound 1.0.0: released 2008-05-20, 5 years ago
    Unbound 0.0: released 2007-02-19, 6 years ago

13. CVEs for "Unbound"
    CVE-2012-1192, CVE-2011-4869, CVE-2011-4528, CVE-2011-1922, CVE-2010-0969, CVE-2009-4008, CVE-2009-3602

14. DNS round robin and Unbound (slide text not recovered)

15. DNS round robin: discussed with W.C.A. Wijngaards (NLnet Labs)

16. DNS round robin: 2012-04-07, proposal on unbound-users
    Unbound 1.4.17: rrset-roundrobin: yes

17. DNS round robin: the patch is one line in util/data/msgencode.c, packed_rrset_encode():
        j = (i + rr_oset) % data->count;
    j: index of the RR emitted; i: loop index; rr_oset: offset derived from the query ID; data->count: number of RRs in the RRset
    Each response starts the RRset at an offset chosen by its own query ID, so no state is shared between queries.
    W.C.A. Wijngaards: "Excellent! The patch is very small, and contains threadsafe code. The queryID is a very good way to make the rrset rotate, and removes my concern for speed."

18. DNS round robin: "Unbound - DNS", talk at DNS Summer Days 2012 (2012-08), http://dnsops.jp/event20120831.html

19. minimal-responses (AUTHORITY and ADDITIONAL sections), rrset-roundrobin (see "Unbound - DNS")
    Unbound 1.4.7; rrset-roundrobin: yes

20. DNSSEC: RSAMD5 (1.4.18, 1.4.19), ECDSA (1.4.17)
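The one-line patch on slide 17 is easier to reason about when run over a small RRset. The following is an added example, not Unbound's code and not the speaker's: it reproduces the index expression `j = (i + rr_oset) % data->count` in Python over a constructed three-record RRset, and counts which record comes first across a range of query IDs. The slide only says that `rr_oset` is derived from the query ID; taking the 16-bit ID modulo the record count is an assumption made here, as are the record values.

```python
"""Added example (not Unbound's code): how rrset-roundrobin orders an RRset per query."""

# Constructed RRset: three A records for one name, in the order they sit in the cache.
SAMPLE_RRSET = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]


def rotate_rrset(records, query_id):
    """Return the RRset in the order a response to this query ID carries it.

    Mirrors the one-line patch quoted on slide 17, j = (i + rr_oset) % data->count:
    i is the loop index over the RRset, data->count its size, and rr_oset the
    rotation offset. The slide says rr_oset comes from the query ID; taking the
    16-bit ID modulo the record count is an assumption made here. Nothing is
    shared between queries, so no lock is needed (the "threadsafe" remark).
    """
    count = len(records)
    if count == 0:
        return []
    rr_oset = (query_id & 0xFFFF) % count
    return [records[(i + rr_oset) % count] for i in range(count)]


def first_record_distribution(records, query_ids):
    """How often each record is listed first over a sample of query IDs.

    Clients that only use the first record get a spread of addresses only if
    query IDs are spread; with rrset-roundrobin off every answer starts at
    records[0].
    """
    hist = {r: 0 for r in records}
    for qid in query_ids:
        hist[rotate_rrset(records, qid)[0]] += 1
    return hist


if __name__ == "__main__":
    for qid in (0x0000, 0x0001, 0x0002, 0x1234):
        print("ID %#06x -> %s" % (qid, rotate_rrset(SAMPLE_RRSET, qid)))
    print(first_record_distribution(SAMPLE_RRSET, range(3000)))
```

Every rotation is a permutation of the same records, so the answer content is unchanged; only the order a given client sees depends on the ID its resolver chose, which is why a resolver that reuses IDs would also defeat the rotation.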
21. forward-first, stub-first: if the forward/stub server fails, fall back to normal recursion (Unbound 1.4.7)

22. tcp-upstream: DNS over TCP to the upstream server (Unbound 1.4.13)
    Upstream Unbound:
        server:
            interface: 0.0.0.0@80
    Downstream Unbound:
        server:
            tcp-upstream: yes
        forward-zone:
            name: "."
            forward-addr: 192.0.2.1@80

23. ssl-upstream, ssl-service-key, ssl-service-pem, ssl-port: DNS over SSL (Unbound 1.4.14)
    Upstream Unbound:
        server:
            interface: 0.0.0.0@443
            ssl-service-key: "/etc/unbound/unbound_server.key"
            ssl-service-pem: "/etc/unbound/unbound_server.pem"
            ssl-port: 443
    Downstream Unbound:
        server:
            ssl-upstream: yes
        forward-zone:
            name: "."
            forward-addr: 192.0.2.1@443

24. unbound-control
    Port 8953 registered with IANA (1.4.11)
    forward_add, forward_remove, stub_add, stub_remove (1.4.17)
    flush_bogus (1.4.18)
    -q (quiet) (1.4.19)

25. (section title not recovered)

26. NSD: Name Server Daemon, an authoritative DNS server

27. NSD is developed by NLnet Labs and RIPE NCC
    NLnet Labs: DNS/DNSSEC software: NSD, Unbound, drill, ldns, OpenDNSSEC
    RIPE NCC: RIR

28. NSD, NLnet Labs: http://www.nlnetlabs.nl/projects/nsd/
    NSD 3.2.15 (2013-02-04)
    NSD4 (trunk): http://www.nlnetlabs.nl/svn/nsd/trunk/

29. NSD history: 2003-02, RIPE NCC moved k.root-servers.net from BIND to NSD; root servers H, K and L run NSD
        $ dig @h.root-servers.net. version.server. CH TXT +norec
        ;; ANSWER SECTION:
        version.server.    0    CH    TXT    "NSD 3.2.14"

30. NSD3: 2006-05 to 2012-11-06 (dates as recovered)
    2012-07: CVE-2012-2979; 2012-07: CVE-2012-2978; 2009-05: CVE-2009-1755

31. Performance tests results on BIND9/NSD/UNBOUND, IEPG Meeting November 2010 @ IETF 79, http://iepg.org/2010-11-ietf79/ (Orange Labs, Daniel Migault)
    Alternative DNS Servers, Jan-Piet Mens, http://jpmens.net/2010/10/29/alternative-dns-servers-the-book-as-pdf/

32. NSD: IXFR, Dynamic Update
33. Supported standards (REQUIREMENTS)
    RFC 1995 (IXFR), RFC 1996 (NOTIFY), RFC 2845 (TSIG), RFC 2672 (DNAME), RFC 4509 (SHA-256 DS), RFC 4635 (HMAC SHA TSIG), RFC 5001 (NSID), RFC 5155 (NSEC3), RFC 5702 (SHA-2), RFC 5936 (AXFR), RFC 6605 (ECDSA), draft-ietf-dane-protocol (DANE), RFC 2136 (Dynamic update)

34. NSD response behaviour: SERVFAIL, referral, NOTIFY (SOA, NS) (slide text not recovered)

35. NSD (slide text not recovered)

36. NSD3 process model: nsd (parent) and nsd (child) processes; the nsd database nsd.db is built by nsdc rebuild (zonec)
    [slide reused from Internet Week 2012 DNS DAY, 2012-11-21]

37. NSD configuration: /etc/nsd/nsd.conf

38. Primary (192.0.2.1):
        server:
            ip-address: 192.0.2.1
        key:
            name: tsig.example.jp
            algorithm: hmac-sha1
            secret: "lCzS3R+oAZJp607jZ36eKw=="
        zone:
            name: example.jp.
            zonefile: example.jp.zone
            notify: 192.0.2.2 NOKEY                  # send NOTIFY to the secondary's IP
            provide-xfr: 192.0.2.2 tsig.example.jp   # allow AXFR from the secondary's IP, TSIG-signed

39. Secondary (192.0.2.2):
        server:
            ip-address: 192.0.2.2
        key:
            name: tsig.example.jp
            algorithm: hmac-sha1
            secret: "lCzS3R+oAZJp607jZ36eKw=="
        zone:
            name: example.jp.
            zonefile: example.jp.zone
            allow-notify: 192.0.2.1 NOKEY            # accept NOTIFY from the primary's IP
            allow-notify: 127.0.0.1 NOKEY            # for nsdc update
            request-xfr: AXFR 192.0.2.1 tsig.example.jp   # AXFR from the primary's IP, TSIG-signed

40. 2013-02: nsd 4.0.0 beta 4

41. NSD3 (slide text not recovered)

42. NSD4 (4.0.0 beta4) commands
    NSD 4: nsd, nsd-checkconf (checks nsd.conf), nsd-control, nsd-control-setup
    nsd-control replaces the NSD 3 tools nsdc, zonec, nsd-notify, nsd-patch, nsd-xfer
    Unbound counterparts: unbound, unbound-checkconf, unbound-control, unbound-control-setup, unbound-host, unbound-anchor

43. NSD4 processes
        $ ps axf
        PID   TTY   STAT  TIME  COMMAND
        21953 ?     Ss    0:00  nsd -c /etc/nsd/nsd.conf
        21954 ?     S     0:00   \_ nsd -c /etc/nsd/nsd.conf
        21955 ?     S     0:00   \_ nsd -c /etc/nsd/nsd.conf
        21956 ?     S     0:00   \_ nsd -c /etc/nsd/nsd.conf
    nsd (main) with the DB/UDB; nsd (xfrd) holding xfrd.zone.nsd.db (state list, refresh, expire); nsd (child) x2; nsd-control talks to the daemon
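The primary/secondary pair on slides 38 and 39 only works when the two nsd.conf files mirror each other: one TSIG key on both sides, notify on the primary matching allow-notify on the secondary, provide-xfr matching request-xfr. The following is an added example, not NSD's code and not the speaker's: a minimal parser for the section/key layout used on the slides plus a check that reports any mismatch between the two fragments. Assumptions: the parser covers only this layout (not the full nsd.conf grammar), the 16-byte lower bound on the decoded secret is a threshold chosen here, and the secret is the slides' sample value, reproduced only so the check can be run against the page's own configs.

```python
"""Added example (not NSD's code): consistency check for an NSD primary/secondary TSIG pair."""
import base64
import binascii

# The two nsd.conf fragments from slides 38 and 39 (192.0.2.1 primary, 192.0.2.2
# secondary). The secret is the slides' sample value, kept here only as test input.
PRIMARY_CONF = """\
server:
    ip-address: 192.0.2.1
key:
    name: tsig.example.jp
    algorithm: hmac-sha1
    secret: "lCzS3R+oAZJp607jZ36eKw=="
zone:
    name: example.jp.
    zonefile: example.jp.zone
    notify: 192.0.2.2 NOKEY
    provide-xfr: 192.0.2.2 tsig.example.jp
"""

SECONDARY_CONF = """\
server:
    ip-address: 192.0.2.2
key:
    name: tsig.example.jp
    algorithm: hmac-sha1
    secret: "lCzS3R+oAZJp607jZ36eKw=="
zone:
    name: example.jp.
    zonefile: example.jp.zone
    allow-notify: 192.0.2.1 NOKEY
    allow-notify: 127.0.0.1 NOKEY
    request-xfr: AXFR 192.0.2.1 tsig.example.jp
"""


def parse_nsd_conf(text):
    """Parse the 'section:' / '    key: value' layout into [(section, {key: [values]})].

    Repeated keys such as allow-notify keep every occurrence. Only this layout is
    handled, not the full nsd.conf grammar (an assumption of this example).
    """
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):
            sections.append((line[:-1].strip(), {}))
            continue
        key, sep, value = line.strip().partition(":")
        if not sep or not sections:
            raise ValueError("unexpected line: %r" % raw)
        value = " ".join(value.split()).strip('"')  # normalise spacing, unquote
        sections[-1][1].setdefault(key.strip(), []).append(value)
    return sections


def _find(sections, kind, name=None):
    """First section of the given kind (optionally with a matching name:), or {}."""
    for sect, body in sections:
        if sect == kind and (name is None or body.get("name") == [name]):
            return body
    return {}


def _hosts(entries):
    """'192.0.2.2 NOKEY' -> '192.0.2.2' for every entry."""
    return {e.split()[0] for e in entries}


def check_transfer_pair(primary_text, secondary_text, zone):
    """Return the mismatches between a primary and a secondary nsd.conf for one zone.

    An empty list means NOTIFY, AXFR and TSIG settings mirror each other.
    """
    findings = []
    p, s = parse_nsd_conf(primary_text), parse_nsd_conf(secondary_text)
    p_zone, s_zone = _find(p, "zone", zone), _find(s, "zone", zone)
    if not p_zone or not s_zone:
        return ["zone %s missing on one side" % zone]
    p_ip = _find(p, "server").get("ip-address", [""])[0]
    s_ip = _find(s, "server").get("ip-address", [""])[0]
    p_key, s_key = _find(p, "key"), _find(s, "key")
    # TSIG: identical name, algorithm and secret on both sides; secret must decode.
    for field in ("name", "algorithm", "secret"):
        if p_key.get(field) != s_key.get(field):
            findings.append("key %s differs between primary and secondary" % field)
    try:
        if len(base64.b64decode(p_key.get("secret", [""])[0], validate=True)) < 16:
            findings.append("TSIG secret shorter than 16 bytes")
    except binascii.Error:
        findings.append("TSIG secret is not valid base64")
    key_name = p_key.get("name", [""])[0]
    # Primary: NOTIFY goes to the secondary, AXFR is offered to it under the key.
    if s_ip not in _hosts(p_zone.get("notify", [])):
        findings.append("primary does not notify %s" % s_ip)
    if "%s %s" % (s_ip, key_name) not in p_zone.get("provide-xfr", []):
        findings.append("primary provide-xfr does not cover %s with key %s" % (s_ip, key_name))
    # Secondary: NOTIFY accepted from the primary, AXFR requested from it with the key.
    if p_ip not in _hosts(s_zone.get("allow-notify", [])):
        findings.append("secondary does not allow NOTIFY from %s" % p_ip)
    if "AXFR %s %s" % (p_ip, key_name) not in s_zone.get("request-xfr", []):
        findings.append("secondary request-xfr does not target %s with key %s" % (p_ip, key_name))
    return findings


if __name__ == "__main__":
    print(check_transfer_pair(PRIMARY_CONF, SECONDARY_CONF, "example.jp.") or "pair is consistent")
```

The same check applies to the pattern-based NSD 4 configs later in the deck once the pattern's zonefile and key lines are substituted for a zone; nsd-checkconf validates each file's syntax on its own but does not compare the two hosts.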
44. NSD4 processes: nsd (xfrd), nsd (main) with the DB/UDB (nsd.db), nsd (child) x2 (slide text not recovered)

45. nsd-control: same design as unbound-control; NSD listens on TCP port 8952; TLS; keys generated with nsd-control-setup

46. nsd-control commands: start (nsd), stop (nsd), reconfig, repattern (same as reconfig), log_reopen, status, stats, stats_noreset, verbosity

47. nsd-control commands: reload [zone], addzone, delzone, write [zone], notify [zone] (send NOTIFY), transfer [zone], force_transfer [zone] (AXFR), zonestatus [zone]

48. Changing the configuration: NSD 3: restart nsd; NSD 4: nsd-control reconfig, nsd keeps running

49. Reloading zones: NSD 3: nsdc rebuild, nsdc reload; NSD 4: nsd-control reload

50. Patterns (%s is replaced by the zone name):
        pattern:
            name: "masterzone"
            zonefile: "zones/%s.zone"
            notify: 192.0.2.1 NOKEY
            provide-xfr: 192.0.2.1 tsig.masterzone
    Add and remove zones at runtime:
        nsd-control addzone example.jp masterzone
        nsd-control delzone example.jp

51. libevent; http://www.nlnetlabs.nl/downloads/presentations/NSD_Update_OARC_2011SF.pdf
    Response Rate Limiting (RRL): NSD3 3.2.15

52. NSD4: nsd-control, RRL; NSD 4.0.0 beta4 (slide text not recovered)

53. References
    http://www.nlnetlabs.nl/projects/nsd/
    Japan Unbound Users Group: http://unbound.jp/nsd/
    NSD3 an Authoritative Nameserver: Technical, http://www.nlnetlabs.nl/downloads/presentations/NSD_DenicTechnical.pdf
    Response Differences between NSD and other DNS Servers, http://www.nlnetlabs.nl/downloads/nsd/differences.pdf
    NSD Evolution of a name server, http://www.nlnetlabs.nl/downloads/presentations/NSD_Update_OARC_2011SF.pdf
    nlnetlabs.nl :: Blog :: NSD4 Features, http://www.nlnetlabs.nl/blog/2012/09/14/nsd4-features/
    nlnetlabs.nl :: Blog :: NSD Response Rate Limiting, http://www.nlnetlabs.nl/blog/2012/10/11/nsd-ratelimit/

54. Installing NSD 4 on Ubuntu 12.04.1 LTS
55. Prerequisites: C compiler, openssl, libevent (or libev)
        $ wget http://nlnetlabs.nl/downloads/nsd/nsd-4.0.0b4.tar.gz
        $ sha256sum -b nsd-4.0.0b4.tar.gz
        ed29019d6e8aface4c32e22c9968aa9688acf98f8356112c4ee89a923022cc2b *nsd-4.0.0b4.tar.gz
    Compare with the SHA256 published in the release announcement: http://open.nlnetlabs.nl/pipermail/nsd-users/2013-February/001613.html

56. Build and install
        $ tar xvzf nsd-4.0.0b4.tar.gz
        $ cd nsd-4.0.0b4
        $ ./configure --prefix=/usr/local --enable-ratelimit --with-configdir=/etc/nsd --with-zonesdir=/etc/nsd --with-user=nsd --with-libevent --with-ssl
        $ make
        $ sudo make install
        $ sudo cp /etc/nsd/nsd.conf.sample /etc/nsd/nsd.conf

57. Create the nsd user and group
        $ sudo groupadd -r nsd
        $ sudo useradd -r -d /etc/nsd -M -g nsd nsd
        $ sudo chown nsd:nsd /usr/local/var/db/nsd
        $ sudo chown nsd:nsd /etc/nsd

58. nsd-control keys
        $ sudo /usr/local/sbin/nsd-control-setup
        $ sudo chgrp nsd /etc/nsd/nsd_server.{pem,key}
        $ sudo chgrp nsd /etc/nsd/nsd_control.{pem,key}
        $ ls -l /etc/nsd/*.{pem,key}
        -rw-r----- 1 root nsd 1277 Feb  9 20:04 nsd_control.key
        -rw-r----- 1 root nsd  790 Feb  9 20:04 nsd_control.pem
        -rw-r----- 1 root nsd 1281 Feb  9 20:04 nsd_server.key
        -rw-r----- 1 root nsd  782 Feb  9 20:04 nsd_server.pem

59. NSD 4 (section title not recovered)

60. Edit nsd.conf
        $ sudo vim /etc/nsd/nsd.conf
        server:
            ip-address: 192.0.2.1
        remote-control:
            control-enable: yes

61. Start nsd and check
        $ sudo nsd-control start
        $ ps axf | grep [n]sd
        23398 ?    Ss   0:00 nsd -c /etc/nsd/nsd.conf
        23399 ?    S    0:00  \_ nsd -c /etc/nsd/nsd.conf
        23400 ?    S    0:00  \_ nsd -c /etc/nsd/nsd.conf
        $ sudo nsd-control status
        version: 4.0.0b4
        verbosity: 0
        $ dig @192.0.2.1 version.server. CH TXT
        ;; ANSWER SECTION:
        version.server.    0    CH    TXT    "NSD 4.0.0b4"

62. Primary zone
        $ sudo mkdir /etc/nsd/primary
        $ sudo vim /etc/nsd/primary/example.jp.zone
        $ sudo vim /etc/nsd/nsd.conf
        key:
            name: tsig.example.jp
            algorithm: hmac-sha1
            secret: "lCzS3R+oAZJp607jZ36eKw=="
        zone:
            name: example.jp.
            zonefile: primary/example.jp.zone
            notify: 192.0.2.2 NOKEY
            provide-xfr: 192.0.2.2 tsig.example.jp
        $ sudo nsd-control reconfig

63. Secondary zone
        $ sudo mkdir /etc/nsd/secondary
        $ sudo chown nsd:nsd /etc/nsd/secondary
        $ sudo vim /etc/nsd/nsd.conf
        key:
            name: tsig.example.jp
            algorithm: hmac-sha1
            secret: "lCzS3R+oAZJp607jZ36eKw=="
        zone:
            name: example.jp.
            zonefile: secondary/example.jp.zone
            allow-notify: 192.0.2.1 NOKEY
            request-xfr: AXFR 192.0.2.1 tsig.example.jp
        $ sudo nsd-control reconfig

64. Check the transfer and write the zone file
        $ sudo nsd-control zonestatus
        zone:   example.jp.
            state: ok
            served-serial: "20130211 since 2013-02-11T14:33:07"
            commit-serial: "20130211 since 2013-02-11T14:33:07"
        $ ls -l /etc/nsd/secondary/
        total 0
        $ sudo nsd-control write
        ok
        $ ls -l /etc/nsd/secondary/
        total 4
        -rw-r--r-- 1 nsd nsd 366 Feb 11 14:36 example.jp.zone

65. Primary with a pattern
        $ sudo mkdir /etc/nsd/primary
        $ sudo vim /etc/nsd/nsd.conf
        key:
            name: "master.key"
            algorithm: hmac-sha1
            secret: "lCzS3R+oAZJp607jZ36eKw=="
        pattern:
            name: "master"
            zonefile: "primary/%s.zone"        # %s is replaced by the zone name
            notify: 192.0.2.2 NOKEY
            provide-xfr: 192.0.2.2 master.key
        $ sudo nsd-control reconfig

66. Add the zone with the master pattern
        $ sudo vim /etc/nsd/primary/example.jp.zone
        $ sudo nsd-control addzone example.jp master
        $ sudo nsd-control zonestatus
        zone:   example.jp
            pattern: master
            state: master

67. Secondary with a pattern
        $ sudo mkdir /etc/nsd/secondary/
        $ sudo chown nsd:nsd /etc/nsd/secondary
        $ sudo vim /etc/nsd/nsd.conf
        key:
            name: "master.key"
            algorithm: hmac-sha1
            secret: "lCzS3R+oAZJp607jZ36eKw=="
        pattern:
            name: "slave"
            zonefile: "secondary/%s.zone"      # %s is replaced by the zone name
            allow-notify: 192.0.2.1 NOKEY
            request-xfr: AXFR 192.0.2.1 master.key
        $ sudo nsd-control reconfig
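Two steps in the install walkthrough (slides 55 and 58) are the ones most often skipped: checking the downloaded tarball against the digest published on nsd-users, and making sure the nsd-control key files stay readable only by root and the nsd group. The following is an added example, not NSD's code and not the speaker's, that implements both checks over constructed files. Assumptions: the digest constant is slide 55's value with its line wrap removed, the mode policy (group read allowed, no group write, no world bits) is this example's reading of the `ls -l` output on slide 58, and the files it checks are stand-ins created in a temporary directory, not a real tarball or key.

```python
"""Added example (not NSD's code): the download and key-permission checks behind slides 55 and 58."""
import hashlib
import hmac
import os
import shutil
import stat
import tempfile

# Digest for nsd-4.0.0b4.tar.gz as printed on slide 55 (line wrap removed). The
# reference value should come from the nsd-users announcement, not from a file
# served next to the tarball, which a tampered mirror could rewrite as well.
NSD_400B4_SHA256 = "ed29019d6e8aface4c32e22c9968aa9688acf98f8356112c4ee89a923022cc2b"


def sha256_of_file(path, chunk=1 << 20):
    """Hex SHA-256 of a file, read in chunks so large tarballs are not slurped."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path, expected_hex):
    """True only if the file's digest equals the one published out of band.

    Whitespace inside expected_hex is ignored, so a digest copied from a wrapped
    mail or slide still compares; hmac.compare_digest keeps the comparison constant-time.
    """
    expected = "".join(expected_hex.split()).lower()
    return hmac.compare_digest(sha256_of_file(path), expected)


def control_key_mode_ok(path, group=None):
    """Check a key file the way slide 58's ls -l shows it: -rw-r----- root nsd.

    nsd (user nsd) needs group read; group write or any world bit is a finding.
    The group name is compared only when one is given (needs a real nsd group).
    """
    st = os.stat(path)
    if stat.S_IMODE(st.st_mode) & 0o027:
        return False
    if group is not None:
        import grp  # POSIX only
        if grp.getgrgid(st.st_gid).gr_name != group:
            return False
    return True


def demo():
    """Exercise both checks on constructed files in a scratch directory; returns the results."""
    workdir = tempfile.mkdtemp()
    try:
        tarball = os.path.join(workdir, "stand-in.tar.gz")
        with open(tarball, "wb") as f:
            f.write(b"abc")  # constructed content, not a real tarball
        digest = sha256_of_file(tarball)
        results = {
            "digest": digest,
            "matches_own_digest": verify_download(tarball, digest),
            "matches_wrapped_digest": verify_download(tarball, digest[:52] + "\n" + digest[52:]),
            "matches_published_digest": verify_download(tarball, NSD_400B4_SHA256),
        }
        key = os.path.join(workdir, "nsd_control.key")
        open(key, "w").close()
        os.chmod(key, 0o640)               # what the slide's chgrp leaves behind
        results["mode_0640_ok"] = control_key_mode_ok(key)
        os.chmod(key, 0o644)               # world-readable private key
        results["mode_0644_ok"] = control_key_mode_ok(key)
        return results
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-26s %s" % (name, value))
```

On a real host, `control_key_mode_ok("/etc/nsd/nsd_control.key", group="nsd")` after `nsd-control-setup` and the `chgrp` lines reproduces the state slide 58 shows; running it again later catches a key that was copied or re-generated with a looser umask.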
68. Add the zone with the slave pattern
        $ sudo nsd-control addzone example.jp slave
        $ sudo nsd-control zonestatus
        zone:   example.jp
            pattern: slave
            state: refreshing
            served-serial: "20130211 since 2013-02-11T14:33:07"
            commit-serial: "20130211 since 2013-02-11T14:33:07"

69. Reload
        $ sudo nsd-control reload

70. (end)