OPS535-lab-dnssec

3,192 bytes added, 13:04, 9 October 2019
Investigation 1: Performing queries using DNSSec: - Inserting investigation 1 body
==Investigation 1: Performing queries using DNSSec==
Perform the following steps on your VM2:
<ol>
<li>Ensure you have bind-utils installed.</li>
<li>Run the command dig senecacollege.ca (the sample session below directs the query to the 1.1.1.1 resolver):
*You should get output similar to the following:
<source>
>dig senecacollege.ca @1.1.1.1
 
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> senecacollege.ca @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12758
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;senecacollege.ca. IN A
 
;; ANSWER SECTION:
senecacollege.ca. 564 IN A 205.207.147.230
;; Query time: 34 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sun Nov 04 17:31:57 EST 2018
;; MSG SIZE rcvd: 61
</source>
* If you did not get the expected output, go back and ensure your machine has network connectivity (including an assigned default route).
</li>
<li>Once you have a response, can you be sure it is accurate?
*Re-run the previous dig command, but this time add +dnssec to request authentication of the results using DNSSec.
<source>
>dig senecacollege.ca @1.1.1.1 +dnssec
 
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> senecacollege.ca @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38472
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;senecacollege.ca. IN A
 
;; ANSWER SECTION:
senecacollege.ca. 564 IN A 205.207.147.230
;; Query time: 34 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sun Nov 04 17:36:57 EST 2018
;; MSG SIZE rcvd: 61
</source>
*Notice the addition of the '''do''' flag (DNSSec OK, that is, the server we queried is willing to perform authentication), but no other difference in the output. This information is '''not''' authenticated.
</li>
<li>Now we will run a query that does get authenticated:
* Run the following command (again you should get output similar to the following):
<source>
>dig isc.org @1.1.1.1 +dnssec
 
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> isc.org @1.1.1.1 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51709
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;isc.org. IN A
 
;; ANSWER SECTION:
isc.org. 60 IN A 149.20.64.69
isc.org. 60 IN RRSIG A 5 2 60 20181128233334
20181029233334 19923 isc.org.
evUIhl3hmTGFchNe8GH7NDgMQS56fdgFgQy/BBqbE+zu0TXEVPLLsGxz
pAEnYJq+0gTTa/nJjIMmxxsXj7HNZ+gpL8koGNRJeZDt/Q4jmfcRh+A7
HJOn1LVpjwdzw459XF38mQmwBK7oh6ZTBg0UKzaw4J6zr5vql9KWoyJV KCo=
 
;; Query time: 31 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sun Nov 04 17:42:44 EST 2018
;; MSG SIZE rcvd: 219
</source>
*Notice that in addition to the '''do''' flag, the answer to this query also has an '''ad''' flag (Authenticated Data), along with extra information in the answer itself (the RRSIG record). This result '''is''' authenticated.
*If you want to see this result without the DNSSec information, simply re-run the query without the +dnssec request.
</li>
</ol>
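The three indicators the steps above ask you to look for (the '''do''' flag in the OPT pseudosection, the '''ad''' flag in the header, and an RRSIG in the answer) can be picked out of dig's output mechanically. The following added example, written for this page and not part of the lab, does that over two sample responses trimmed from the sessions shown above; only the '''ad''' bit means the resolver validated the data, since '''do''' alone shows DNSSEC records were requested and an RRSIG alone is an unverified signature.

```python
import re

# Sample inputs, trimmed from the dig sessions in this investigation
# (header flags, EDNS line and ANSWER section only).
DO_ONLY = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 1452
;; ANSWER SECTION:
senecacollege.ca. 564 IN A 205.207.147.230
"""
VALIDATED = """\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 1452
;; ANSWER SECTION:
isc.org. 60 IN A 149.20.64.69
isc.org. 60 IN RRSIG A 5 2 60 20181128233334
20181029233334 19923 isc.org.
evUIhl3hmTGFchNe8GH7NDgMQS56fdgFgQy/BBqbE+zu0TXEVPLLsGxz KCo=
"""

def classify(dig_output):
    """Report which DNSSEC indicators appear in one dig response."""
    header_flags, edns_flags, answer_types = set(), set(), []
    in_answer = False
    for line in dig_output.splitlines():
        m = re.match(r";; flags: ([a-z ]*);", line)
        if m:                          # header flags, e.g. 'qr rd ra ad'
            header_flags = set(m.group(1).split())
            continue
        m = re.match(r"; EDNS: version: \d+, flags:\s*([a-z ]*);", line)
        if m:                          # EDNS flags; 'do' means DNSSEC OK
            edns_flags = set(m.group(1).split())
            continue
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;") or not line.strip():
            in_answer = False          # any other section header ends the answer
            continue
        fields = line.split()
        # A record line reads 'owner TTL IN TYPE rdata...'; the wrapped
        # RRSIG signature lines have no IN class field and are skipped.
        if in_answer and len(fields) >= 4 and fields[2] == "IN":
            answer_types.append(fields[3])
    return {
        "do": "do" in edns_flags,
        "ad": "ad" in header_flags,
        "rrsig": "RRSIG" in answer_types,
        "authenticated": "ad" in header_flags,  # only ad means validated
    }
```

The '''ad''' bit is set by the validating resolver you queried, so it is only as trustworthy as that resolver and the network path to it.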
==Investigation 2: Configuring DNSSec on a Recursive Server==