16. How DNSSEC works
[Diagram: the DNS registration and resolution chain. Registration side: Registrant -> Registrars -> Registry (.TW database) -> .TW name servers, below the Root name servers. Resolution side: on the user's computer the browser or other application asks the stub resolver (part of the O/S), which asks a cache (recursive) name server, which walks Root -> .TW -> the registrant's name servers.]
21. Defined by RFC 4033 (with its companions RFC 4034 and RFC 4035)
DNSSEC requires EDNS0 (RFC 6891): signed responses do not fit the classic 512-byte UDP limit
EDNS0 allows UDP messages larger than 512 bytes, commonly up to 4,096 bytes
The client decides the size: it advertises the largest UDP payload it can accept in the OPT pseudo-RR
New EDNS0 flag DO ("DNSSEC OK", RFC 3225): the client asks for RRSIG, DNSKEY and NSEC records to be included
New header bits
Authenticated Data (AD) bit: set by a validating resolver when every RRset in the answer and authority sections verified
Checking Disabled (CD) bit: set by the client to tell the resolver not to validate on its behalf
30. Does the same FQDN/Type need only one RRSIG?
www.twnic.net.tw IN A 2.2.2.2
www.twnic.net.tw IN A 3.3.3.3
www.twnic.net.tw IN A 7.7.7.7
www.twnic.net.tw IN RRSIG A ……….
Records with the same FQDN and type form one RRset, and every response carries that RRset as a single unit: the server never hands one client only one or two of the three records. Three separate RRSIGs are therefore not needed; one RRSIG signs the whole RRset, and a validator that receives a partial RRset fails the check.
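The following is an added example, not code from the original slides or from TWNIC. It builds the exact byte string an RRSIG signature covers (RFC 4034 sections 3.1.8.1 and 6) for the www.twnic.net.tw A RRset above, so the point of the slide can be checked: the three A records in any order give the same signed data, while a subset gives different data. The algorithm number, key tag, signer name and validity window are made-up illustration values, and SHA-256 stands in for the private-key operation.

```python
"""
Added example (not from the original slides): build the data an RRSIG
signature covers, per RFC 4034 sections 3.1.8.1 and 6. Stdlib only.
The RRSIG field values used below are illustration values, not TWNIC's.
"""
import hashlib
import ipaddress
import struct

TYPE_A = 1
CLASS_IN = 1


def name_to_wire(name):
    """Canonical name form (RFC 4034 6.2): lowercase, uncompressed labels, root terminator."""
    out = b""
    for label in name.strip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long: " + label)
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def label_count(name):
    """RRSIG Labels field: labels in the owner name, not counting root or a leading '*'."""
    labels = [l for l in name.strip(".").split(".") if l]
    return len(labels) - (1 if labels and labels[0] == "*" else 0)


def canonical_rrset(owner, rtype, ttl, rdatas):
    """RFC 4034 6.3: each RR in canonical form, sorted by RDATA, duplicates dropped.
    The order the zone file or a reply lists the records in does not matter."""
    rrs = []
    for rdata in sorted(set(rdatas)):
        rrs.append(name_to_wire(owner)
                   + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata)
    return b"".join(rrs)


def rrsig_rdata_prefix(type_covered, algorithm, labels, orig_ttl,
                       expiration, inception, key_tag, signer):
    """RRSIG RDATA with the Signature field left off; this is prepended to the RRset."""
    return (struct.pack("!HBBIIIH", type_covered, algorithm, labels, orig_ttl,
                        expiration, inception, key_tag) + name_to_wire(signer))


def signed_data(owner, rtype, ttl, rdatas, algorithm, expiration, inception, key_tag, signer):
    """RFC 4034 3.1.8.1: signature = sign(RRSIG_RDATA | RR(1) | RR(2) | ...)."""
    prefix = rrsig_rdata_prefix(rtype, algorithm, label_count(owner), ttl,
                                expiration, inception, key_tag, signer)
    return prefix + canonical_rrset(owner, rtype, ttl, rdatas)


def a_rrset_digest(addresses, owner="www.twnic.net.tw", ttl=3600):
    """SHA-256 of the signed data for an A RRset, standing in for the private-key operation.
    Illustration values (assumed, not TWNIC's): algorithm 13 (ECDSAP256SHA256),
    key tag 12345, inception 2024-01-01 and expiration 2024-01-31 as UNIX times."""
    rdatas = [ipaddress.IPv4Address(a).packed for a in addresses]
    data = signed_data(owner, TYPE_A, ttl, rdatas, 13, 1706659200, 1704067200,
                       12345, "twnic.net.tw")
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    print(a_rrset_digest(["2.2.2.2", "3.3.3.3", "7.7.7.7"]))
    print(a_rrset_digest(["7.7.7.7", "2.2.2.2", "3.3.3.3"]))  # same: one RRset, one RRSIG
    print(a_rrset_digest(["2.2.2.2", "3.3.3.3"]))             # differs: a partial RRset fails
```

Because the canonical form sorts the records and carries the Original TTL from the RRSIG rather than the TTL in the reply, a resolver can verify the RRSIG no matter how the records were ordered or how far the TTL has counted down in a cache.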
81. Create /var/named/example.tw.db
$TTL 0                     ; default TTL inherited by every record below (0 = resolvers do not cache)
$ORIGIN example.tw.
@           IN SOA ns1 root (
                1          ; serial (d. adams)
                1H         ; refresh
                15M        ; retry
                1W         ; expiry
                1D )       ; minimum
example.tw. IN NS  ns1.example.tw.
ns1         IN A   1.1.1.1
www         IN A   2.2.2.2
mail        IN A   3.3.3.3
@           IN MX  10 mail
104. Application-side DNSSEC validation
If the application can perform DNSSEC validation itself, it can set the CD bit to 1 so that the cache server does not need to validate the data.
Caveat: with CD=1 the resolver returns the records even when validation would have failed (it would otherwise answer SERVFAIL), so the application must then carry out the full validation itself, up to the trust anchor.
Install the Firefox DNSSEC validator add-on:
https://addons.mozilla.org/en-US/firefox/addon/dnssec-validator/versions/1.1.4
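The following is an added example, not code from the original slides or from TWNIC, serving both slide 21 (EDNS0 OPT record, UDP payload size, DO flag, AD/CD header bits) and slide 104 (a query sent with CD=1 by an application that validates on its own). It builds such a query byte by byte, and parses the header bits and the OPT settings of a reply. Nothing is sent on the network: make_response() fabricates a reply, labelled as a constructed fixture, so the parser has input to work on; the transaction IDs and addresses are arbitrary.

```python
"""
Added example (not part of the original slides): minimal DNS wire-format
helpers for the EDNS0 OPT pseudo-RR (client UDP payload size, DO flag) and
the AD/CD header bits. Stdlib only; make_response() is a constructed fixture.
"""
import struct

TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
EDNS_DO = 0x8000   # DO is the top bit of the low 16 bits of the OPT RR's TTL field (RFC 3225)


def encode_name(name):
    """Uncompressed wire form of a domain name."""
    labels = [l.encode("ascii") for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(txid, qname, qtype=TYPE_A, udp_size=4096, do=True, cd=False):
    """Query with RD set, CD optionally set (slide 104), and an OPT RR advertising
    udp_size (the client picks it, slide 21) together with the DO flag."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT RR: owner = root, TYPE = 41, CLASS = UDP payload size,
    # TTL = extended rcode / version / DO / Z, no RDATA
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO if do else 0, 0)
    return header + question + opt


def skip_name(msg, off):
    """Offset just past a name, which may end in a 2-byte compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_message(msg):
    """Header flags, A answers and EDNS0 OPT settings of a query or reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": txid, "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD),
            "ra": bool(flags & FLAG_RA), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "rcode": flags & 0xF, "answers": [], "edns": None}
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                      # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_OPT:
            info["edns"] = {"udp_size": rclass, "do": bool(ttl & EDNS_DO),
                            "ext_rcode": ttl >> 24, "version": (ttl >> 16) & 0xFF}
        elif rtype == TYPE_A and rdlen == 4:
            info["answers"].append(".".join(str(b) for b in rdata))
    return info


def make_response(query, addresses, ad):
    """Constructed reply (test fixture, not real traffic): same ID and question,
    QR/RA set, RD and CD echoed from the query, AD set only if the resolver
    validated, A records whose owner is a pointer (0xC00C) to the question name,
    and an OPT RR echoing the query's DO flag."""
    qinfo = parse_message(query)
    txid, qflags = struct.unpack("!HH", query[:4])
    qend = skip_name(query, 12) + 4
    flags = FLAG_QR | FLAG_RA | (qflags & (FLAG_RD | FLAG_CD)) | (FLAG_AD if ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 1)
    answers = b"".join(
        b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
        + bytes(int(x) for x in ip.split("."))
        for ip in addresses)
    do = bool(qinfo["edns"] and qinfo["edns"]["do"])
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO if do else 0, 0)
    return header + query[12:qend] + answers + opt


if __name__ == "__main__":
    q = build_query(0x1234, "www.twnic.net.tw", do=True, cd=True)   # app validates itself
    print(parse_message(q))
    print(parse_message(make_response(q, ["2.2.2.2", "3.3.3.3"], ad=False)))
```

The two flags to watch in a reply are AD (a validating resolver vouches for the data) and CD (you asked it not to vouch); an application that sets CD must treat AD as meaningless and run its own validation on the RRSIGs it asked for with DO.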
105. DNSSEC, other topics
Key length
RFC 4641:
"we come to the following recommendations about KSK sizes: 1024 bits for low-value domains, 1300 bits for medium-value domains, and 2048 bits for high-value domains."
Caveat: RFC 4641 was obsoleted by RFC 6781 in 2012, and 1024-bit RSA is below today's minimums; 2048-bit RSA or ECDSA P-256 (algorithm 13, RFC 6605) is what is deployed now.
107. Key lifecycle
ICANN
  Zone file size: < 300 domain names
  TTL: 2 days
  ZSK: 90 days
  KSK: changed only when necessary
TWNIC
  Zone file size: > 100K domain names
  TTL: 1 day
  ZSK: 30 days
  KSK: 1 year
  TWNIC has 8 zones; one ZSK is rolled over every 3 or 4 days
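The following is an added example, not code from the original slides or from TWNIC's operations. It lays out a pre-publish ZSK rollover timeline following RFC 6781 section 4.1.1.1, fed with the TWNIC parameters above (TTL 1 day, ZSK lifetime 30 days, 8 zones), and shows why one rollover every 3.75 days falls out of those numbers. The propagation delay is an assumed value, the start date is arbitrary, and the single TTL is used for both the DNSKEY TTL and the maximum zone TTL, as on the slide.

```python
"""
Added example (not from the original slides): pre-publish ZSK rollover timing
per RFC 6781 section 4.1.1.1 with the slide's TWNIC parameters. The
propagation delay and start date are assumptions for illustration.
"""
from datetime import datetime, timedelta


def prepublish_zsk_rollover(start, ttl, lifetime, propagation=timedelta(hours=1)):
    """Events for rolling one ZSK with the pre-publish method.
    publish: add the new DNSKEY, keep signing with the old key.
    sign:    only after the DNSKEY TTL (plus propagation) has passed can every
             validator have the new key, so only then switch signing to it.
    remove:  only after the longest RRSIG TTL (plus propagation) has passed can
             every cached old-key RRSIG be gone, so only then drop the old DNSKEY.
    next:    the new key is itself rolled after its lifetime.
    `ttl` is used for both DNSKEY TTL and maximum zone TTL, as on the slide."""
    publish = start
    sign = publish + ttl + propagation
    remove = sign + ttl + propagation
    return {"publish": publish, "sign": sign, "remove": remove, "next": publish + lifetime}


def phase_at(now, events):
    """Which keys the zone must carry at `now`; removing the old key before
    `remove` is the classic self-inflicted validation outage."""
    if now < events["publish"]:
        return "old key only"
    if now < events["sign"]:
        return "both keys published, old key signing"
    if now < events["remove"]:
        return "both keys published, new key signing"
    return "new key only"


def staggered_schedule(zones, start, lifetime):
    """Spread the rollovers of several zones evenly over one key lifetime:
    8 zones over 30 days gives one rollover every 3.75 days, the slide's
    "every 3 or 4 days", so no two zones are mid-rollover at the same time."""
    step = lifetime / len(zones)
    return {zone: start + i * step for i, zone in enumerate(zones)}


if __name__ == "__main__":
    ttl, lifetime = timedelta(days=1), timedelta(days=30)   # TWNIC values from the slide
    events = prepublish_zsk_rollover(datetime(2024, 1, 1), ttl, lifetime)
    for name, when in events.items():
        print(f"{name:8} {when:%Y-%m-%d %H:%M}")
    schedule = staggered_schedule([f"zone{i}" for i in range(8)], datetime(2024, 1, 1), lifetime)
    for zone, when in schedule.items():
        print(zone, when)
```

With the ICANN numbers instead (TTL 2 days, ZSK 90 days) the same function stretches each rollover to roughly four days of double-key operation, which is why a longer TTL pushes operators toward longer key lifetimes.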
108. DNSSEC performance

                     DNSSEC with     With DNSSEC    Without DNSSEC
                     key rollover
Create zone files    40min 20sec     21min 42sec    2min
Zone file size       176M            97M            20M
Query time           -               6.02 ms        3.47 ms
Start named          39.1s           24.6s          6.3s