Unbound/NSD latest information (OSC 2014 Tokyo/Spring)

Open Source Conference 2014 Tokyo/Spring: Unbound/NSD latest information. Takashi Takizawa, Japan Unbound Users Group, http://unbound.jp/. 2014-02-28, OSC 2014 Tokyo/Spring.

Upload: takashi-takizawa

Post on 24-May-2015


DESCRIPTION

Open Source Conference 2014 Tokyo/Spring: Unbound/NSD latest information

TRANSCRIPT

Slide 1: Unbound/NSD latest information. Japan Unbound Users Group, http://unbound.jp/. OSC 2014 Tokyo/Spring, 2014-02-28.

Slide 2: Speaker: @ttkzw. DNS: 1997, 2006; BIND4, BIND8, djbdns, BIND9, NSD, Unbound. Unbound; Unbound/NSD; DNS; DNS RFC.

Slide 3: BIND, DNS; Unbound; NSD; SSL; NSD 4.

Slide 5: Unbound; NLnet Labs.

Slide 6: http://unbound.jp/ ; Unbound, ldns, NSD.

Slide 8: BIND, DNS; BIND, DNS; BIND; BIND.

Slides 9-10: BIND 9; OSS DNS.
  Authoritative DNS: NSD, PowerDNS Authoritative Server, Knot DNS, YADIFA, BIND 10.
  Recursive DNS: Unbound, PowerDNS Recursor, BIND 10.

Slide 12: Unbound; BIND, DNS; DNS; DNSSEC.

Slide 13: Unbound: NLnet Labs, Verisign Labs, Nominet, Kirei, EP.net; Java; NLnet Labs, C; BSD; UNIX OS (Linux, *BSD, Mac OS X, Solaris); Windows.

Slide 14: NLnet Labs: DNS, DNSSEC; Unbound, drill, ldns, NSD, OpenDNSSEC.

Slide 15: http://unbound.jp/ ; Unbound.

Slide 17: Build dependencies.
  ldns (NLnet Labs DNS library).
  OpenSSL (GOST, ECDSA; ldns/unbound configure --disable-gost, --disable-ecdsa).
  libexpat (XML parser).
  libevent (more than 1024 sockets: outgoing-range, num-queries-per-thread).

Slide 18: Linux packages (Unbound / ldns; parenthesized versions come from the source named in the last column).
  Debian GNU/Linux wheezy      1.4.17 (1.4.21)   1.6.13 (1.6.16)   wheezy-backports
  Debian GNU/Linux jessie      1.4.21            1.6.17
  Ubuntu 12.04 LTS (precise)   1.4.16 (1.4.18)   1.6.11            precise-backports
  Ubuntu 14.04 LTS (trusty)    1.4.21            1.6.16
  Fedora 20                    1.4.21            1.6.16
  RHEL 5/CentOS 5              (1.4.20)          (1.6.16)          Fedora EPEL 5
  RHEL 6/CentOS 6              (1.4.21)          (1.6.16)          Fedora EPEL 6
  openSUSE 13.1                1.4.21            1.6.16            server:dns project
  Gentoo Linux                 1.4.21            1.6.16

Slide 19: *BSD / Mac OS X packages (Unbound / ldns).
  FreeBSD                      1.4.21   1.6.17   Ports
  NetBSD                       1.4.21   1.6.16   Packages Collection
  OpenBSD                      1.4.21   1.6.17   Ports
  Mac OS X (MacPorts)          1.4.21   1.6.16   MacPorts
  Mac OS X (Homebrew)          1.4.21   1.6.17   Homebrew

Slide 20: Windows.

Slide 21: Unbound release history.
  0.0 (2007-02) 7 6
  1.0.0 (2008-05)
  1.1.0 (2008-11): DLV
  1.2.0 (2009-01): unbound-control
  1.3.0 (2009-06): Windows, Python

Slide 22:
  1.4.0 (2009-11): RSASHA256, RSASHA512
  1.4.7 (2010-11): unbound-anchor, GOST
  1.4.11 (2011-06): log-queries

Slide 23:
  1.4.13 (2011-09): tcp-upstream
  1.4.14 (2011-12): ssl-upstream (DNS over SSL)
  1.4.17 (2012-05): rrset-roundrobin, minimal-responses, forward-first, stub-first, ECDSA

Slide 24:
  1.4.19 (2012-12): RSAMD5, include
  1.4.21 (2013-09): max-udp-size, unbound-control

Slide 25: 1.

Slide 26: Unbound 1.4.14, 2. CVEs for "Unbound": CVE-2012-1192, CVE-2011-4869, CVE-2011-4528, CVE-2011-1922, CVE-2010-0969, CVE-2009-4008, CVE-2009-3602.

Slide 27: 1. Unbound 1.4.20 (2013-03-21); Unbound 1.4.21 (2013-09-10).

Slide 28: max-udp-size: UDP, 4096; ISP DNS; UDP DNS; Unbound 1.4.21.

Slide 29: unbound-control: insecure_add, insecure_remove; Unbound 1.4.21.

Slide 31: NSD: Name Server Daemon; DNS.

Slide 32: NSD: NLnet Labs, RIPE NCC; RIR; BSD; UNIX OS (FreeBSD, Linux, Solaris, etc.).

Slide 33: NSD "REQUIREMENTS": DNS RFC.

Slide 34: NSD "REQUIREMENTS": BIND 8/9; DDoS; 2.

Slide 35: NSD "REQUIREMENTS": UNIX OS (FreeBSD, Linux, Solaris); 1, 2.

Slide 36: "REQUIREMENTS": UNIX.

Slide 37: Linux packages (NSD; parenthesized versions come from the source named in the last column).
  Debian GNU/Linux wheezy      3.2.12
  Debian GNU/Linux jessie      4.0.1
  Ubuntu 12.04 LTS (precise)   3.2.9
  Ubuntu 14.04 LTS (trusty)    4.0.1
  Fedora 20                    3.2.15
  RHEL 5/CentOS 5              (3.2.15)   Fedora EPEL 5
  RHEL 6/CentOS 6              (3.2.15)   Fedora EPEL 6
  openSUSE 13.1                4.0.0      server:dns
  Gentoo Linux                 4.0.0

Slide 38: *BSD / Mac OS X packages (NSD).
  FreeBSD                      4.0.1   Ports
  NetBSD                       4.0.1   Packages Collection
  OpenBSD                      3.2.6   Ports
  Mac OS X (MacPorts)          3.2.8   MacPorts
  Mac OS X (Homebrew)          4.0.1   Homebrew

Slide 39: NSD: NLnet Labs, http://www.nlnetlabs.nl/projects/nsd/ ; NSD 3.2.17 (2014-01-27); NSD 4.0.1 (2014-01-27).

Slide 40: NSD: BIND; 2003-02; RIPE NCC, k.root-servers.net; BIND, NSD; H, K, L; NSD.
  $ dig +norec @h.root-servers.net. version.server. CH TXT
  ;; ANSWER SECTION:
  version.server.         0       CH      TXT     "NSD 4.0.0"

Slide 41: NSD: IXFR; Dynamic Update.

Slide 42: RFCs ("REQUIREMENTS").
  NSD 1: RFC 1183 (Multiple RRs), RFC 1706 (NSAP), RFC 1876 (LOC RR), RFC 1886 (AAAA RR), RFC 2230 (KX RR), RFC 2536 (CERT RR), RFC 2671 (EDNS0), RFC 2782 (SRV), RFC 2915 (NAPTR RR), RFC 2915 (SRV RR).
  NSD 2: RFC 4033, 4034, 4035 (DNSSEC), RFC 2673 (Binary labels), RFC 2874 (A6).
  NSD 3: RFC 1995 (IXFR), RFC 1996 (NOTIFY), RFC 2845 (TSIG), RFC 2672 (DNAME), RFC 4509 (SHA-256 DS), RFC 4635 (HMAC SHA TSIG), RFC 5001 (NSID), RFC 5155 (NSEC3), RFC 5702 (SHA-2), RFC 5936 (AXFR), RFC 6605 (ECDSA), RFC 6698 (DANE), RFC 6742 (ILNP), RFC 6844 (CAA), RFC 7043 (EUI48+64).
  RFC 2136 (Dynamic update).

Slide 43: NSD: SERVFAIL; referral; NOTIFY; SOA MNAME, NS.

Slide 44: NSD; NSD.

Slide 45: NSD configuration: /etc/nsd/nsd.conf.

Slide 46: Primary (sends NOTIFY, provides zone transfer to 192.0.2.2 with TSIG).
  server:
    ip-address: 192.0.2.1
  key:
    name: tsig.example.jp
    algorithm: hmac-sha1
    secret: "lCzS3R+oAZJp607jZ36eKw=="
  zone:
    name: example.jp.
    zonefile: example.jp.zone
    notify: 192.0.2.2 NOKEY
    provide-xfr: 192.0.2.2 tsig.example.jp

Slide 47: Secondary (accepts NOTIFY from 192.0.2.1, requests AXFR from 192.0.2.1 with TSIG; NSD: AXFR, IXFR).
  server:
    ip-address: 192.0.2.2
  key:
    name: tsig.example.jp
    algorithm: hmac-sha1
    secret: "lCzS3R+oAZJp607jZ36eKw=="
  zone:
    name: example.jp.
    zonefile: example.jp.zone
    allow-notify: 192.0.2.1 NOKEY
    request-xfr: AXFR 192.0.2.1 tsig.example.jp

Slide 48: 1.

Slide 49: NSD security. NSD 3.2.13; 2006-05 NSD 3.0.0; 2014-02; 2012-07 CVE-2012-2979; 2012-07 CVE-2012-2978; 2009-05 CVE-2009-1755.

Slides 50-51: 1.
  NSD3: NSD 3.2.15 (2013-02-04), NSD 3.2.16 (2013-07-22), NSD 3.2.17 (2014-01-27).
  NSD4: NSD 4.0.0 (2013-10-29), NSD 4.0.1 (2014-01-27).

Slide 52: NSD4: 2013-10-29, NSD 4.0.0; nsd-control.

Slide 53: NSD3.

Slide 54: Programs.
  NSD4: nsd, nsd-checkconf (nsd.conf), nsd-control, nsd-control-setup (nsd-control), nsd-mem.
  NSD3: nsdc, zonec, nsd-notify, nsd-patch, nsd-xfer.
  Unbound: unbound, unbound-checkconf, unbound-control, unbound-control-setup, unbound-host, unbound-anchor.

Slide 55: NSD4 processes.
  $ ps axf
    PID TTY      STAT   TIME COMMAND
  21953 ?        Ss     0:00 nsd -c /etc/nsd/nsd.conf
  21954 ?        S      0:00  \_ nsd -c /etc/nsd/nsd.conf
  21955 ?        S      0:00  \_ nsd -c /etc/nsd/nsd.conf
  21956 ?        S      0:00  \_ nsd -c /etc/nsd/nsd.conf
  (nsd-control) -> nsd (xfrd): DB; nsd (main): UDB; xfrd.state, zone.list, refresh/expire; nsd (child), nsd (child); nsd.db.

Slide 56: nsd (xfrd), nsd (main); DB, UDB; nsd (child), nsd (child); nsd; nsd.db.

Slide 57: nsd-control: like unbound-control; NSD, TCP 8952, TLS; nsd-control-setup.

Slide 58: nsd-control commands: start (nsd), stop (nsd), reconfig (TSIG, pattern), repattern (reconfig), log_reopen, status, stats, stats_noreset, serverpid (PID), verbosity.

Slide 59: nsd-control commands: reload [zone], addzone, delzone, write [zone], notify [zone] (NOTIFY), transfer [zone], force_transfer [zone] (AXFR), zonestatus [zone].

Slide 60: Pattern (%s is replaced by the zone name).
  pattern:
    name: "masterzone"
    zonefile: "zones/%s.zone"
    notify: 192.0.2.1 NOKEY
    provide-xfr: 192.0.2.1 tsig.masterzone
  $ nsd-control addzone example.jp masterzone
  $ nsd-control delzone example.jp

Slide 61: libevent; Response Rate Limiting (RRL); NSD3 3.2.15.

Slide 62: NSD4: nsd-control; RRL.

Slide 63: References.
  NSD: http://www.nlnetlabs.nl/projects/nsd/
  Japan Unbound Users Group, NSD page: http://unbound.jp/nsd/
  NSD3 an Authoritative Nameserver: Technical: http://www.nlnetlabs.nl/downloads/presentations/NSD_DenicTechnical.pdf
  Response Differences between NSD and other DNS Servers: http://www.nlnetlabs.nl/downloads/nsd/differences.pdf
  NSD Evolution of a name server: http://www.nlnetlabs.nl/downloads/presentations/NSD_Update_OARC_2011SF.pdf
  nlnetlabs.nl :: Blog :: NSD4 Features: http://www.nlnetlabs.nl/blog/2012/09/14/nsd4-features/
  nlnetlabs.nl :: Blog :: NSD Response Rate Limiting: http://www.nlnetlabs.nl/blog/2012/10/11/nsd-ratelimit/

Slide 65: Unbound on a PC: 53 UDP; NAPT; prefetch; NAPT; SSL.

Slide 66: Unbound over SSL (IaaS, TCP 443). Server side (Unbound listens on TCP 443):
  server:
    interface: 0.0.0.0@443
    ssl-service-key: "/etc/unbound/unbound_server.key"
    ssl-service-pem: "/etc/unbound/unbound_server.pem"
    ssl-port: 443
Client side:
  server:
    ssl-upstream: yes
  forward-zone:
    name: "."
    forward-addr: 192.0.2.1@443

Slide 67: NSD 4.

Slide 68:
  $ sudo vim /etc/nsd/nsd.conf
  server:
    ip-address: 192.0.2.1
  remote-control:
    control-enable: yes

Slide 69: nsd.
  $ sudo nsd-control start
  $ ps axf | grep [n]sd
  23398 ?        Ss     0:00 nsd -c /etc/nsd/nsd.conf
  23399 ?        S      0:00  \_ nsd -c /etc/nsd/nsd.conf
  23400 ?        S      0:00  \_ nsd -c /etc/nsd/nsd.conf
  $ sudo nsd-control status
  version: 4.0.1
  verbosity: 0
  ratelimit: 200
  $ dig +norec @192.0.2.1 version.server. CH TXT
  ;; ANSWER SECTION:
  version.server.         0       CH      TXT     "NSD 4.0.1"

Slide 70:
  $ sudo mkdir /etc/nsd/primary
  $ sudo vim /etc/nsd/primary/example.jp.zone
  $ sudo vim /etc/nsd/nsd.conf
  key:
    name: tsig.example.jp
    algorithm: hmac-sha1
    secret: "lCzS3R+oAZJp607jZ36eKw=="
  zone:
    name: example.jp.
    zonefile: primary/example.jp.zone
    notify: 192.0.2.2 NOKEY
    provide-xfr: 192.0.2.2 tsig.example.jp
  $ sudo nsd-control reconfig

Slide 71:
  $ sudo mkdir /etc/nsd/secondary
  $ sudo chown nsd:nsd /etc/nsd/secondary
  $ sudo vim /etc/nsd/nsd.conf
  key:
    name: tsig.example.jp
    algorithm: hmac-sha1
    secret: "lCzS3R+oAZJp607jZ36eKw=="
  zone:
    name: example.jp.
    zonefile: secondary/example.jp.zone
    allow-notify: 192.0.2.1 NOKEY
    request-xfr: AXFR 192.0.2.1 tsig.example.jp
  $ sudo nsd-control reconfig

Slide 72:
  $ sudo nsd-control zonestatus
  zone:   example.jp.
          state: ok
          served-serial: "20130211 since 2013-02-11T14:33:07"
          commit-serial: "20130211 since 2013-02-11T14:33:07"
  $ ls -l /etc/nsd/secondary/
  total 0
  $ sudo nsd-control write
  ok
  $ ls -l /etc/nsd/secondary/
  total 4
  -rw-r--r-- 1 nsd nsd 366 Feb 11 14:36 example.jp.zone

Slide 73:
  $ sudo mkdir /etc/nsd/primary
  $ sudo vim /etc/nsd/nsd.conf
  key:
    name: "master.key"
    algorithm: hmac-sha1
    secret: "lCzS3R+oAZJp607jZ36eKw=="
  pattern:
    name: "master"
    zonefile: "primary/%s.zone"
    notify: 192.0.2.2 NOKEY
    provide-xfr: 192.0.2.2 master.key
  $ sudo nsd-control reconfig

Slide 74:
  $ sudo vim /etc/nsd/primary/example.jp.zone
  $ sudo nsd-control addzone example.jp master
  $ sudo nsd-control zonestatus
  zone:   example.jp
          pattern: master
          state: master

Slide 75:
  $ sudo mkdir /etc/nsd/secondary/
  $ sudo chown nsd:nsd /etc/nsd/secondary
  $ sudo vim /etc/nsd/nsd.conf
  key:
    name: "master.key"
    algorithm: hmac-sha1
    secret: "lCzS3R+oAZJp607jZ36eKw=="
  pattern:
    name: "slave"
    zonefile: "secondary/%s.zone"
    allow-notify: 192.0.2.1 NOKEY
    request-xfr: AXFR 192.0.2.1 master.key
  $ sudo nsd-control reconfig

Slide 76:
  $ sudo nsd-control addzone example.jp slave
  $ sudo nsd-control zonestatus
  zone:   example.jp
          pattern: slave
          state: refreshing
          served-serial: "20130211 since 2013-02-11T14:33:07"
          commit-serial: "20130211 since 2013-02-11T14:33:07"

Slide 77:
  $ sudo nsd-control reload
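The nsd.conf fragments on the slides (primary, secondary and pattern configurations) all hinge on the second field of provide-xfr, request-xfr, allow-notify and notify: a TSIG key name, NOKEY or BLOCKED. A defender auditing such a file wants to know which zones hand out transfers without TSIG, and which entries name a key that no key: clause defines (NSD refuses such a config, but the mistake is easy to make when keys are moved between files). The script below is an added example, written for this page and not taken from the slides or from NSD; it parses the clause/attribute subset the slides use and reports those conditions. The SAMPLE_NSD_CONF text is constructed: it combines the slides' primary configuration with a second zone that is deliberately weak.

```python
"""Audit zone-transfer and NOTIFY access control in an nsd.conf.

Added example for this page (not part of the slides or of NSD itself).
Parses the nsd.conf subset the slides use: top-level clauses
(server:, key:, zone:, pattern:, remote-control:), each followed by
"attribute: value" lines.
"""
import re

CLAUSES = ("server", "key", "zone", "pattern", "remote-control")
ACL_ATTRS = ("provide-xfr", "request-xfr", "allow-notify", "notify")

# Constructed sample: the slides' primary plus a deliberately weak second zone.
SAMPLE_NSD_CONF = """\
server:
  ip-address: 192.0.2.1
key:
  name: tsig.example.jp
  algorithm: hmac-sha1
  secret: "lCzS3R+oAZJp607jZ36eKw=="
zone:
  name: example.jp.
  zonefile: example.jp.zone
  notify: 192.0.2.2 NOKEY
  provide-xfr: 192.0.2.2 tsig.example.jp
zone:
  name: example.org.
  zonefile: example.org.zone
  provide-xfr: 0.0.0.0/0 NOKEY
  provide-xfr: 198.51.100.7 tsig.missing
"""


def parse_nsd_conf(text):
    """Return [(clause_name, [(attr, value), ...]), ...] in file order."""
    clauses = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^([\w-]+):\s*(.*)$", line)
        if not m:
            continue
        attr, value = m.group(1), m.group(2).strip()
        if attr in CLAUSES and value == "":
            clauses.append((attr, []))        # a bare "zone:" etc. opens a clause
        elif clauses:
            clauses[-1][1].append((attr, value))
    return clauses


def audit_xfr_acl(text):
    """Return findings as (severity, zone, attribute, message) tuples."""
    clauses = parse_nsd_conf(text)
    # key name -> algorithm, for every key: clause in the file
    keys = {}
    for name, attrs in clauses:
        if name == "key":
            d = dict(attrs)
            keys[d.get("name", "").strip('"')] = d.get("algorithm", "").strip('"')

    findings = []
    for name, attrs in clauses:
        if name not in ("zone", "pattern"):
            continue
        zone = dict(attrs).get("name", "?").strip('"')
        for attr, value in attrs:
            if attr not in ACL_ATTRS:
                continue
            parts = value.split()
            # request-xfr may carry a leading AXFR/UDP keyword before the address
            if attr == "request-xfr" and parts and parts[0] in ("AXFR", "UDP"):
                parts = parts[1:]
            if len(parts) < 2:
                findings.append(("warn", zone, attr, "malformed entry: %r" % value))
                continue
            addr, keyname = parts[0], parts[1].strip('"')
            if keyname == "BLOCKED":
                continue
            if keyname == "NOKEY":
                if attr in ("provide-xfr", "request-xfr"):
                    findings.append(("high", zone, attr,
                                     "zone transfer with %s is not TSIG-protected" % addr))
                else:
                    findings.append(("info", zone, attr,
                                     "NOTIFY with %s is not TSIG-protected" % addr))
                if attr == "provide-xfr" and addr.endswith("/0"):
                    findings.append(("high", zone, attr, "zone transfer offered to any address"))
                continue
            if keyname not in keys:
                findings.append(("high", zone, attr, "references undefined key %s" % keyname))
            elif keys[keyname] == "hmac-md5":
                findings.append(("warn", zone, attr, "key %s uses hmac-md5" % keyname))
    return findings


if __name__ == "__main__":
    for sev, zone, attr, msg in audit_xfr_acl(SAMPLE_NSD_CONF):
        print("[%s] %s %s: %s" % (sev, zone, attr, msg))
```

On the sample, the slides' own zone produces only an informational finding (unauthenticated NOTIFY, which the slides also leave as NOKEY), while the constructed second zone yields three high findings: an unauthenticated transfer, a transfer offered to any address, and an entry naming a key that is never defined.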