labunix's blog

labunix's Lab Unix

Setting up chroot-bind on Debian Stretch.

■Setting up chroot-bind on Debian Stretch.
 Almost the same as the procedure below:

 Installing bind9 on Debian Wheezy and configuring chroot-bind.
 http://labunix.hateblo.jp/entry/20130518/1368806582

■First, set up a plain chroot-bind

$ sudo apt-get install -y bind9
$ sudo systemctl stop bind9
$ sudo systemctl status bind9
● bind9.service - BIND Domain Name Server
   Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: en
   Active: inactive (dead)
     Docs: man:named(8)

■Create the chroot directory tree, preserving permissions

$ sudo mkdir -p /var/chroot/bind/{dev,etc,var/cache/bind,var/run/named,usr/lib,var/log}

■Create the required device nodes

$ sudo find /dev -type c -perm -o=rw -exec env LANG=C ls -l {} \; | \
    awk '($5 == "1," && $6>2 && $6<10) {print $NF}'
/dev/urandom
/dev/random
/dev/full
/dev/zero
/dev/null

$ sudo find /dev -type c -perm -o=rw -exec env LANG=C ls -l {} \; | \
    awk '($5 == "1," && $6>2 && $6<10) \
      {sub(/,/, "", $5); print "mknod -m 666","/var/chroot/bind"$NF,"c",$5,$6";"}' | sudo sh
$ ls -l /var/chroot/bind/dev
合計 0
crw-rw-rw- 1 root root 1, 7  7月 27 20:33 full
crw-rw-rw- 1 root root 1, 3  7月 27 20:33 null
crw-rw-rw- 1 root root 1, 8  7月 27 20:33 random
crw-rw-rw- 1 root root 1, 9  7月 27 20:33 urandom
crw-rw-rw- 1 root root 1, 5  7月 27 20:33 zero

■Copy the required files

$ sudo find /usr/lib -type d -name "openssl-*" -exec cp -Rav {} /var/chroot/bind/usr/lib/ \; >/dev/null
$ sudo cp -av /etc/localtime /var/chroot/bind/etc/ >/dev/null
$ sudo cp -Rav /var/cache/bind/. /var/chroot/bind/var/cache/bind/ >/dev/null

■Move "/etc/bind" and re-link it.
 ※bind9 must be stopped beforehand.

$ sudo mv /etc/bind /var/chroot/bind/etc/ && sudo ln -s /var/chroot/bind/etc/bind/ /etc/bind

$ sudo sed s%"PIDFILE=.*"%"PIDFILE=/var/chroot/bind/var/run/named/named.pid"% /etc/init.d/bind9 | grep ^PID
PIDFILE=/var/chroot/bind/var/run/named/named.pid
$ sudo touch /var/chroot/bind/var/run/named/named.pid

■Change the daemon's start-up options so it runs in the chroot

$ sudo grep "^[A-Z]" /etc/default/bind9
RESOLVCONF=no
OPTIONS="-u bind"

$ sudo sed -i s%"OPTIONS=.*"%"OPTIONS=\"-u bind -t /var/chroot/bind/\""% /etc/default/bind9

■Unify ownership for the chroot

$ ls -l /etc/bind | awk '{print $3,$4}' | sort -u
 
bind bind
root bind
root root

$ sudo chown -R root:bind /var/chroot/bind/
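
Two things decide whether a tree like this actually works as a chroot: the device nodes must carry the same major/minor numbers as the host's, and the directories named has to write to while running as the bind user (its working directory var/cache/bind, var/run/named for the pid file, var/log for bind.log) must be writable by that user after the recursive chown. The "the working directory is not writable" and "managed-keys.bind.jnl: create: permission denied" lines in the status output further down are what it looks like when the second condition is not met. The shell functions below are an added example, not the author's code: they compare each node in the chroot against /dev by major/minor and decide from ownership and mode bits alone whether a directory is writable by a given user and group. Assumptions: GNU coreutils stat(1) on Linux, the chroot path and device list from this post, and that ACLs and supplementary groups play no part.

```shell
#!/bin/sh
# Added example (not code from the post): sanity checks for a named chroot
# tree laid out like the one built above.  Assumes GNU coreutils stat(1).

# compare_dev_nodes CHROOT NAME...
# 0 when every CHROOT/dev/NAME is a character device with the same
# major:minor as the host's /dev/NAME, 1 (with one message per problem) otherwise.
compare_dev_nodes() {
    chroot_dir=$1; shift
    rc=0
    for name in "$@"; do
        host="/dev/$name"
        inner="$chroot_dir/dev/$name"
        if [ ! -c "$inner" ]; then
            echo "MISSING $inner (expected a character device)"
            rc=1
            continue
        fi
        # %t / %T are the major and minor device numbers (hex)
        want=$(stat -c '%t:%T' "$host")
        have=$(stat -c '%t:%T' "$inner")
        if [ "$want" != "$have" ]; then
            echo "MISMATCH $inner is $have, host $host is $want"
            rc=1
        fi
    done
    return $rc
}

# dir_writable_by USER GROUP DIR
# 0 when DIR's owner/group/other mode bits let USER (or a member of GROUP)
# write to it, 1 otherwise.  Decided from ownership and mode alone, so the
# answer is the same whether or not this check itself runs as root; ACLs
# and supplementary groups are deliberately ignored.
dir_writable_by() {
    user=$1; group=$2; dir=$3
    [ -d "$dir" ] || { echo "MISSING $dir"; return 1; }
    set -- $(stat -c '%U %G %a' "$dir")
    owner=$1; grp=$2
    # drop leading zeros so shell arithmetic does not read the mode as octal
    mode=$(printf '%s' "$3" | sed 's/^0*\([0-9]\)/\1/')
    u=$(( (mode / 100) % 10 )); g=$(( (mode / 10) % 10 )); o=$(( mode % 10 ))
    if [ "$owner" = "$user" ] && [ $(( u & 2 )) -ne 0 ]; then return 0; fi
    if [ "$grp" = "$group" ] && [ $(( g & 2 )) -ne 0 ]; then return 0; fi
    if [ $(( o & 2 )) -ne 0 ]; then return 0; fi
    echo "NOT WRITABLE by $user:$group: $dir ($owner:$grp mode $mode)"
    return 1
}

# check_bind_chroot CHROOT: the layout used in the post, i.e. the nodes made
# with mknod and the directories named writes to when started with -u bind.
check_bind_chroot() {
    root=${1:-/var/chroot/bind}
    ok=0
    compare_dev_nodes "$root" null zero full random urandom || ok=1
    for d in var/cache/bind var/run/named var/log; do
        dir_writable_by bind bind "$root/$d" || ok=1
    done
    [ $ok -eq 0 ] && echo "chroot $root: OK"
    return $ok
}

# usage: sh check-chroot.sh /var/chroot/bind
if [ $# -gt 0 ]; then
    check_bind_chroot "$1"
fi
```

Run it after the chown step and again after dpkg-reconfigure; a non-zero exit with a NOT WRITABLE line for var/cache/bind is the condition behind the journal errors shown later in the post.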

■Start bind
 When running "dpkg-reconfigure", change nothing, even if the prompts differ.

$ sudo dpkg-reconfigure bind9
#

■Check the status

$ sudo systemctl status bind9
● bind9.service - BIND Domain Name Server
   Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2017-07-27 22:43:58 JST; 1min 19s ago
     Docs: man:named(8)
 Main PID: 12218 (named)
   CGroup: /system.slice/bind9.service
           └─12218 /usr/sbin/named -f -u bind -t /var/chroot/bind/

 7月 27 22:43:58 vm-stretch named[12218]: the working directory is not writable
 7月 27 22:43:58 vm-stretch named[12218]: managed-keys.bind.jnl: create: permission denied
 7月 27 22:43:58 vm-stretch named[12218]: managed-keys-zone: sync_keyzone:dns_journal_open -> unexpected error
 7月 27 22:43:58 vm-stretch named[12218]: managed-keys-zone: unable to synchronize managed keys: unexpected error
 7月 27 22:43:58 vm-stretch named[12218]: zone 0.in-addr.arpa/IN: loaded serial 1
 7月 27 22:43:58 vm-stretch named[12218]: zone 127.in-addr.arpa/IN: loaded serial 1
 7月 27 22:43:58 vm-stretch named[12218]: zone localhost/IN: loaded serial 2
 7月 27 22:43:58 vm-stretch named[12218]: zone 255.in-addr.arpa/IN: loaded serial 1
 7月 27 22:43:58 vm-stretch named[12218]: all zones loaded
 7月 27 22:43:58 vm-stretch named[12218]: running

$ dig @127.0.0.1 localhost | grep ^[A-z]
localhost.		604800	IN	A	127.0.0.1
localhost.		604800	IN	NS	localhost.
localhost.		604800	IN	AAAA	::1

■Configure bind's log output

$ echo '$AddUnixListenSocket /var/chroot/bind/dev/log' | sudo tee /etc/rsyslog.d/chroot-bind.conf
$AddUnixListenSocket /var/chroot/bind/dev/log

$ ls -l /etc/bind
lrwxrwxrwx 1 root root 26  7月 27 20:36 /etc/bind -> /var/chroot/bind/etc/bind/

$ head -12 /etc/bind/named.conf.options 
logging {
        channel "default-log" {
        file "/var/log/bind.log" versions 10 size 100k;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
        };

        category default { "default-log"; };
        category lame-servers { null; };
};

$ sudo touch /var/chroot/bind/var/log/bind.log; \
    sudo chown bind:bind /var/chroot/bind/var/log/bind.log

■Configure "forwarders" and restart the bind9 service

$ grep "forwarders .*[0-9]" /etc/bind/named.conf.options 
	forwarders { 172.31.31.251;};

$ sudo systemctl restart bind9

$ sudo systemctl status bind9
● bind9.service - BIND Domain Name Server
   Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2017-07-27 22:58:10 JST; 13s ago
     Docs: man:named(8)
  Process: 12711 ExecStop=/usr/sbin/rndc stop (code=exited, status=0/SUCCESS)
 Main PID: 12716 (named)
    Tasks: 5 (limit: 19660)
   CGroup: /system.slice/bind9.service
           └─12716 /usr/sbin/named -f -u bind -t /var/chroot/bind/

 7月 27 22:58:10 vm-stretch named[12716]: automatic empty zone: 8.E.F.IP6.ARPA
 7月 27 22:58:10 vm-stretch named[12716]: automatic empty zone: 9.E.F.IP6.ARPA
 7月 27 22:58:10 vm-stretch named[12716]: automatic empty zone: A.E.F.IP6.ARPA
 7月 27 22:58:10 vm-stretch named[12716]: automatic empty zone: B.E.F.IP6.ARPA
 7月 27 22:58:10 vm-stretch named[12716]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
 7月 27 22:58:10 vm-stretch named[12716]: automatic empty zone: EMPTY.AS112.ARPA
 7月 27 22:58:10 vm-stretch named[12716]: configuring command channel from '/etc/bind/rndc.key'
 7月 27 22:58:10 vm-stretch named[12716]: command channel listening on 127.0.0.1#953
 7月 27 22:58:10 vm-stretch named[12716]: configuring command channel from '/etc/bind/rndc.key'
 7月 27 22:58:10 vm-stretch named[12716]: command channel listening on ::1#953

$ sudo tail /var/chroot/bind/var/log/bind.log
27-Jul-2017 13:58:10.546 general: info: managed-keys-zone: loaded serial 0
27-Jul-2017 13:58:10.547 general: info: zone 0.in-addr.arpa/IN: loaded serial 1
27-Jul-2017 13:58:10.550 general: info: zone localhost/IN: loaded serial 2
27-Jul-2017 13:58:10.551 general: info: zone 127.in-addr.arpa/IN: loaded serial 1
27-Jul-2017 13:58:10.553 general: info: zone 255.in-addr.arpa/IN: loaded serial 1
27-Jul-2017 13:58:10.555 general: notice: all zones loaded
27-Jul-2017 13:58:10.555 general: notice: running
27-Jul-2017 13:58:10.566 general: warning: managed-keys-zone: Unable to fetch DNSKEY set '.': SERVFAIL

■Dealing with the "managed-keys-zone" warning
 Setting "dnssec-validation no" disables DNSSEC validation.

$ sudo sed -i -e 's/dnssec-validation auto/dnssec-validation no/' /etc/bind/named.conf.options 
$ sudo systemctl restart bind9;sudo tail /var/chroot/bind/var/log/bind.log
27-Jul-2017 14:04:00.711 general: notice: all zones loaded
27-Jul-2017 14:04:00.712 general: notice: running
27-Jul-2017 14:04:06.522 general: info: received control channel command 'stop'
27-Jul-2017 14:04:06.522 general: info: shutting down: flushing changes
27-Jul-2017 14:04:06.522 general: notice: stopping command channel on 127.0.0.1#953
27-Jul-2017 14:04:06.522 general: notice: stopping command channel on ::1#953
27-Jul-2017 14:04:06.524 network: info: no longer listening on ::#53
27-Jul-2017 14:04:06.524 network: info: no longer listening on 127.0.0.1#53
27-Jul-2017 14:04:06.524 network: info: no longer listening on 172.31.31.70#53
27-Jul-2017 14:04:06.538 general: notice: exiting

$ dig @127.0.0.1 localhost | grep ^[A-z]
localhost.		604800	IN	A	127.0.0.1
localhost.		604800	IN	NS	localhost.
localhost.		604800	IN	AAAA	::1

■Points to check: the "ad" flag, which indicates successful DNSSEC validation,
 and a status of "NOERROR" rather than "SERVFAIL", which would indicate
 a failure on the DNS server.

$ dig +dnssec jprs.jp @127.0.0.1

; <<>> DiG 9.10.3-P4-Debian <<>> +dnssec jprs.jp @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55420
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;jprs.jp.			IN	A

;; ANSWER SECTION:
jprs.jp.		300	IN	A	117.104.133.164
jprs.jp.		300	IN	RRSIG	A 8 2 300 20170824023003 20170725023003 7488 jprs.jp. y2e5ofUc7PncNTu7jR8oY9vOTUr8hitO8kESYxpGuxh2hcmY0yf/749Z 5En8u6gtS/pCM1zQAWzVHMm7ojI1phW4fRiJdM5q8DQIc1jmYr6r/5kR ye1mLVWDE48qr+lADfugTTU+Yi//V9Gas1CqwqUFKcFkkH1MTpr1/Ka1 53o=

;; Query time: 43 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jul 27 23:24:29 JST 2017
;; MSG SIZE  rcvd: 219

■Set up "managed-keys.bind" to enable DNSSEC validation.

$ cat /var/cache/bind/managed-keys.bind
$ORIGIN .
$TTL 0  ; 0 seconds
@                       IN SOA  . . (
                                66         ; serial
                                0          ; refresh (0 seconds)
                                0          ; retry (0 seconds)
                                0          ; expire (0 seconds)
                                0          ; minimum (0 seconds)
                                )
                        KEYDATA 20120816114054 20120502203603 19700101000000 257 3 8 (
                                AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
                                bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
                                /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
                                JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
                                oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
                                LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
                                Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
                                LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
                                ) ; key id = 19036
dlv.isc.org             KEYDATA 20120815124054 20120502203603 19700101000000 257 3 5 (
                                BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn
                                4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW
                                58dnJNPCxn8+jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6B
                                D4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5ymX4BI/o
                                Q+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte
                                /URkY62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw
                                /mRx/vwwMCTgNboMQKtUdvNXDrYJDSHZws3xiRXF1Rf+
                                al9UmZfSav/4NWLKjHzpT59k/VStTDN0YUuWrBNh
                                ) ; key id = 19297

$ sudo sed -i -e 's/dnssec-validation no/dnssec-validation auto/' /etc/bind/named.conf.options
$ sudo systemctl restart bind9;sudo tail /var/chroot/bind/var/log/bind.log
27-Jul-2017 14:24:15.026 general: notice: all zones loaded
27-Jul-2017 14:24:15.027 general: notice: running
27-Jul-2017 14:28:24.091 general: info: received control channel command 'stop'
27-Jul-2017 14:28:24.092 general: info: shutting down: flushing changes
27-Jul-2017 14:28:24.092 general: notice: stopping command channel on 127.0.0.1#953
27-Jul-2017 14:28:24.092 general: notice: stopping command channel on ::1#953
27-Jul-2017 14:28:24.093 network: info: no longer listening on ::#53
27-Jul-2017 14:28:24.093 network: info: no longer listening on 127.0.0.1#53
27-Jul-2017 14:28:24.093 network: info: no longer listening on 172.31.31.70#53
27-Jul-2017 14:28:24.108 general: notice: exiting

■The "ad" flag shows that DNSSEC validation succeeded,
 and an "AUTHORITY" section has been added to the answer.

$ dig +dnssec jprs.jp @127.0.0.1

; <<>> DiG 9.10.3-P4-Debian <<>> +dnssec jprs.jp @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23445
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;jprs.jp.			IN	A

;; ANSWER SECTION:
jprs.jp.		300	IN	A	117.104.133.164
jprs.jp.		300	IN	RRSIG	A 8 2 300 20170824023003 20170725023003 7488 jprs.jp. y2e5ofUc7PncNTu7jR8oY9vOTUr8hitO8kESYxpGuxh2hcmY0yf/749Z 5En8u6gtS/pCM1zQAWzVHMm7ojI1phW4fRiJdM5q8DQIc1jmYr6r/5kR ye1mLVWDE48qr+lADfugTTU+Yi//V9Gas1CqwqUFKcFkkH1MTpr1/Ka1 53o=

;; AUTHORITY SECTION:
jprs.jp.		3398	IN	NS	ns2.jprs.jp.
jprs.jp.		3398	IN	NS	ns4.jprs.jp.
jprs.jp.		3398	IN	NS	ns1.jprs.jp.
jprs.jp.		3398	IN	NS	ns3.jprs.jp.
jprs.jp.		3398	IN	RRSIG	NS 8 2 86400 20170824023003 20170725023003 7488 jprs.jp. MrhWAlBdnRU3Q4cTO3GmV/YMK2MWENUzLVJmJxfoaZ9MDJPhigo+li87 kOg2TP0sFrmUJwxIo9us69sFUg28Bewy5HPmR289Mga/UGAA51EavIIi a67nEgsC8oTehk2fVYJxuehfbIU4CVWkCuNSuj7Ei8QSaekAVMLMcqKk VcE=

;; Query time: 206 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jul 27 23:28:41 JST 2017
;; MSG SIZE  rcvd: 458
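
Reading the HEADER and flags lines by eye, as the two dig runs above do, is how you tell a validated answer (NOERROR with ad), an unvalidated one (NOERROR without ad, as when dnssec-validation is off or the zone is unsigned) and a failed one (SERVFAIL) apart. The shell function below, an added example rather than code from the post, makes that classification from dig output on stdin and also reports the AUTHORITY count and received message size, which is what the +bufsize runs later in the post compare. The three sample functions replay the header lines of the two dig runs on this page plus a constructed SERVFAIL header.

```shell
#!/bin/sh
# Added example (not the author's code): classify a dig answer from its
# header lines.  Reads dig output on stdin, prints one line:
#   <validated|unvalidated|servfail|other:STATUS> authority=N size=BYTES
dnssec_state() {
    awk '
        /^;; ->>HEADER<<-/ {
            for (i = 1; i <= NF; i++) if ($i == "status:") { st = $(i + 1); sub(/,$/, "", st) }
        }
        /^;; flags:/ {
            # flag words run from field 3 up to the one that ends in ";"
            for (i = 3; i <= NF; i++) {
                f = $i; last = (f ~ /;$/); sub(/;$/, "", f)
                if (f == "ad") ad = 1
                if (last) break
            }
            for (i = 1; i <= NF; i++) if ($i == "AUTHORITY:") { auth = $(i + 1); sub(/,$/, "", auth) }
        }
        /^;; MSG SIZE/ { size = $NF }
        END {
            if (st == "SERVFAIL")           state = "servfail"
            else if (st == "NOERROR" && ad) state = "validated"
            else if (st == "NOERROR")       state = "unvalidated"
            else                            state = "other:" st
            printf "%s authority=%s size=%s\n", state, (auth == "" ? "?" : auth), (size == "" ? "?" : size)
        }'
}

# Header lines copied from the first dig run on this page (validation off).
sample_unvalidated() {
    printf '%s\n' \
        ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55420' \
        ';; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1' \
        ';; MSG SIZE  rcvd: 219'
}

# Header lines copied from the second dig run on this page (validation on).
sample_validated() {
    printf '%s\n' \
        ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23445' \
        ';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 1' \
        ';; MSG SIZE  rcvd: 458'
}

# Constructed: what a validation failure looks like (no answer section).
sample_servfail() {
    printf '%s\n' \
        ';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1' \
        ';; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1' \
        ';; MSG SIZE  rcvd: 36'
}

# usage against the resolver built in this post:
#   dig +dnssec jprs.jp @127.0.0.1 | dnssec_state
```

A line reading "unvalidated" from a zone that is known to be signed (jprs.jp here) means the resolver is not validating at all, which is a different problem from the SERVFAIL that a broken trust anchor produces; a monitoring check should treat the two differently.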

■Watching the log for a while, a line like the following appears.

$ sudo tail -f /var/chroot/bind/var/log/bind.log
27-Jul-2017 14:28:24.321 general: warning: managed-keys-zone: Initializing automatic trust anchor management for zone '.'; DNSKEY ID 20326 is now trusted, waiving the normal 30-day waiting period.

$ dig . DNSKEY | grep -w DNSKEY | grep -w 257 > root-anchors.key

$ grep -A 9 "257 3 8" /var/cache/bind/managed-keys.bind | awk '!/KEYDATA|key id/{printf $NF}END{print ""}' | tee key.a
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=

$ awk '/AwEAAag/' root-anchors.key | sed -e 's/.*257 3 8 \|\t\| //g' | tee key.b
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=

$ diff -s key.{a,b}
ファイル key.a と key.b は同一です
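
The comparison above is done with a one-off grep/awk/sed pipeline keyed on the string 257 3 8 and a base64 prefix. The shell functions below are an added example, not the author's code, doing the same comparison in a reusable way: one parser for the managed-keys.bind layout (base64 wrapped over indented lines inside parentheses), one for zone-file style DNSKEY records as dig prints them (base64 in space-separated chunks), and a comparison that selects keys by flags/protocol/algorithm and fails when either side has no such key. The sample inputs are constructed, with placeholder key material rather than a real key; the paths in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example (not the author's code): compare the KSK material cached in
# managed-keys.bind with the DNSKEY RRset that "dig . DNSKEY" returns.

# keydata_from_managed_keys "FLAGS PROTO ALG" FILE
# Prints the base64 of every KEYDATA record with those flags/protocol/algorithm
# ("257 3 8" = KSK, DNSSEC, RSASHA256), one key per line, whitespace removed.
keydata_from_managed_keys() {
    awk -v want="$1" '
        index($0, "KEYDATA") && index($0, want " (") { inkey = 1; next }
        inkey && /^[[:space:]]*\)/                     { inkey = 0; print "" }
        inkey                                          { gsub(/[[:space:]]/, ""); printf "%s", $0 }
    ' "$2"
}

# keydata_from_dnskey_rr "FLAGS PROTO ALG" FILE
# Same for dig-style records:  <name> <ttl> IN DNSKEY <flags> <proto> <alg> <base64 chunks...>
keydata_from_dnskey_rr() {
    awk -v want="$1" '
        $4 == "DNSKEY" && ($5 " " $6 " " $7) == want {
            key = ""
            for (i = 8; i <= NF; i++) key = key $i
            print key
        }
    ' "$2"
}

# anchor_matches MANAGED_KEYS_FILE DNSKEY_FILE "FLAGS PROTO ALG"
# 0 when both sides hold the same non-empty set of keys, 1 otherwise.
anchor_matches() {
    cached=$(keydata_from_managed_keys "$3" "$1" | sort -u)
    live=$(keydata_from_dnskey_rr "$3" "$2" | sort -u)
    if [ -z "$cached" ] || [ -z "$live" ]; then
        echo "no '$3' key on one side (cached: ${cached:-none}; live: ${live:-none})"
        return 1
    fi
    if [ "$cached" = "$live" ]; then
        echo "'$3' key material matches"
        return 0
    fi
    echo "MISMATCH for '$3':"
    echo "  cached: $cached"
    echo "  live:   $live"
    return 1
}

# Constructed sample in the managed-keys.bind layout (placeholder key material).
write_sample_managed_keys() {
    cat > "$1" <<'EOF'
$ORIGIN .
$TTL 0  ; 0 seconds
@                       IN SOA  . . (
                                66         ; serial
                                0          ; refresh (0 seconds)
                                0          ; retry (0 seconds)
                                0          ; expire (0 seconds)
                                0          ; minimum (0 seconds)
                                )
                        KEYDATA 20120816114054 20120502203603 19700101000000 257 3 8 (
                                AwEAAcONSTRUCTEDsampleRootKSK/
                                part1AndPart2==
                                ) ; key id = 19036
dlv.isc.org             KEYDATA 20120815124054 20120502203603 19700101000000 257 3 5 (
                                BEAAAAcONSTRUCTEDsampleDLVkey==
                                ) ; key id = 19297
EOF
}

# Constructed sample of "dig . DNSKEY" answer lines (one ZSK, one KSK).
write_sample_dnskey_answer() {
    cat > "$1" <<'EOF'
.            172800  IN  DNSKEY  256 3 8 AwEAAcONSTRUCTEDsampleRootZSK==
.            172800  IN  DNSKEY  257 3 8 AwEAAcONSTRUCTEDsampleRootKSK/part1 AndPart2==
EOF
}

# usage against the real files (illustrative paths):
#   dig . DNSKEY | grep -w DNSKEY > /tmp/root-dnskey.txt
#   anchor_matches /var/cache/bind/managed-keys.bind /tmp/root-dnskey.txt "257 3 8"
```

Agreement only shows that the resolver's cache and the live root zone say the same thing; it does not establish trust, because the DNSKEY answer itself came over DNS. The trust decision rests on the out-of-band bind.keys file, which is exactly what the next step replaces with ISC's published copy.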

$ sudo mv /etc/bind/bind.{keys,keys.old} 
$ sudo wget -O "/etc/bind/bind.keys" https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11

$ sudo systemctl restart bind9;sudo tail /var/chroot/bind/var/log/bind.log
27-Jul-2017 15:44:53.971 general: notice: all zones loaded
27-Jul-2017 15:44:53.972 general: notice: running
27-Jul-2017 15:45:22.384 general: info: received control channel command 'stop'
27-Jul-2017 15:45:22.385 general: info: shutting down: flushing changes
27-Jul-2017 15:45:22.385 general: notice: stopping command channel on 127.0.0.1#953
27-Jul-2017 15:45:22.385 general: notice: stopping command channel on ::1#953
27-Jul-2017 15:45:22.385 network: info: no longer listening on ::#53
27-Jul-2017 15:45:22.385 network: info: no longer listening on 127.0.0.1#53
27-Jul-2017 15:45:22.385 network: info: no longer listening on 172.31.31.70#53
27-Jul-2017 15:45:22.398 general: notice: exiting


■I noticed that the response size differs depending on which DNS server is queried,
 and found the following in the log.

$ sudo tail -f /var/chroot/bind/var/log/bind.log
27-Jul-2017 15:52:52.938 edns-disabled: info: success resolving 'rst.x4090.rs.dns-oarc.net/TXT' (in '.'?) after reducing the advertised EDNS UDP packet size to 512 octets

$ dig +bufsize=4096 +dnssec jprs.jp @127.0.0.1 | awk '/^;/'
; <<>> DiG 9.10.3-P4-Debian <<>> +bufsize=4096 +dnssec jprs.jp @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55692
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;jprs.jp.			IN	A
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jul 28 01:01:48 JST 2017
;; MSG SIZE  rcvd: 458

$ dig +bufsize=512 +dnssec jprs.jp @127.0.0.1 | awk '/^;/'
; <<>> DiG 9.10.3-P4-Debian <<>> +bufsize=512 +dnssec jprs.jp @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32728
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;jprs.jp.			IN	A
;; ANSWER SECTION:
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jul 28 01:02:40 JST 2017
;; MSG SIZE  rcvd: 219

$ dig +bufsize=512 +dnssec +noedns jprs.jp @127.0.0.1 | awk '/^;/'
; <<>> DiG 9.10.3-P4-Debian <<>> +bufsize=512 +dnssec +noedns jprs.jp @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62169
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;jprs.jp.			IN	A
;; ANSWER SECTION:
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jul 28 01:03:18 JST 2017
;; MSG SIZE  rcvd: 219

■The chroot-bind log is not using the JST from localtime (its timestamps are 9 hours behind the journal's), so that is it for today.

$ diff -s /etc/localtime /var/chroot/bind/etc/localtime
ファイル /etc/localtime と /var/chroot/bind/etc/localtime は同一です

$ sudo apt-get install -y binutils
$ strings /etc/localtime /var/chroot/bind/etc/localtime
TZif2
TZif2
JST-9
TZif2
TZif2
JST-9