■ Check whether EDNS0 is supported, using the dig command.
The main point is whether name-resolution results larger than 512 octets (bytes), up to 4096 bytes, can be received.
This checks "Attachment 2", "Handling the increased data volume during the key rollover period", of the following advisory from the Ministry of Internal Affairs and Communications (MIC):
The need to update cache DNS server settings in response to a worldwide DNS operational change
http://www.soumu.go.jp/menu_news/s-news/02kiban04_04000212.html
■ Simple flag test. Check, including whether the network path allows it, that:
an "ANSWER: n" count comes back,
the reply carries no "aa" flag (it was answered by a cache, not an authoritative server),
"EDNS: version: 0" is present, meaning the cache server supports EDNS0,
"udp: 4096" is present, meaning a message size of 4096 octets can be received.
Note that "+bufsize=4096" sets the size advertised by the client, and "udp: 4096" in the OPT pseudosection is the size the cache server advertises back; neither proves that a reply of that size actually gets through. The "DNS reply size limit is at least N" answer that rs.dns-oarc.net returns reports what really arrived.
$ dig +bufsize=4096 rs.dns-oarc.net txt | awk '/flags/'
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 1, ADDITIONAL: 2
; EDNS: version: 0, flags:; udp: 4096
■ Packet capture preparation
■ Test
$ dig +bufsize=4096 +short rs.dns-oarc.net txt
rst.x4050.rs.dns-oarc.net.
rst.x4060.x4050.rs.dns-oarc.net.
rst.x4066.x4060.x4050.rs.dns-oarc.net.
"2400:2000:bb1b:13::f4 sent EDNS buffer size 4096"
"Tested at 2017-07-25 16:11:27 UTC"
"2400:2000:bb1b:13::f4 DNS reply size limit is at least 4066"
■ Packet capture result (protocol dissection of the query sent by dig)
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
  0000 00.. = Differentiated Services Codepoint: Default (0)
  .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 72
Identification: 0x2b66 (11110)
Flags: 0x00
  0... .... = Reserved bit: Not set
  .0.. .... = Don't fragment: Not set
  ..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (17)
Header checksum: 0xb7c9 [validation disabled]
[Header checksum status: Unverified]
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 55059, Dst Port: 53
  Source Port: 55059
  Destination Port: 53
  Length: 52
  Checksum: 0x97bb [unverified]
  [Checksum Status: Unverified]
  [Stream index: 0]
Domain Name System (query)
  Transaction ID: 0x3f9e
  Flags: 0x0120 Standard query
    0... .... .... .... = Response: Message is a query
    .000 0... .... .... = Opcode: Standard query (0)
    .... ..0. .... .... = Truncated: Message is not truncated
    .... ...1 .... .... = Recursion desired: Do query recursively
    .... .... .0.. .... = Z: reserved (0)
    .... .... ..1. .... = AD bit: Set
    .... .... ...0 .... = Non-authenticated data: Unacceptable
  Questions: 1
  Answer RRs: 0
  Authority RRs: 0
  Additional RRs: 1
  Queries
    rs.dns-oarc.net: type TXT, class IN
      Name: rs.dns-oarc.net
      [Name Length: 15]
      [Label Count: 3]
      Type: TXT (Text strings) (16)
      Class: IN (0x0001)
  Additional records
    <Root>: type OPT
      Name: <Root>
      Type: OPT (41)
      UDP payload size: 4096
      Higher bits in extended RCODE: 0x00
      EDNS0 version: 0
      Z: 0x0000
        0... .... .... .... = DO bit: Cannot handle DNSSEC security RRs
        .000 0000 0000 0000 = Reserved: 0x0000
      Data length: 0
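The following is an added example and not code from the original page. It builds, in Python, the same EDNS0 query that the dissection above shows (transaction ID 0x3f9e, flags 0x0120, TXT rs.dns-oarc.net, an OPT pseudo-RR advertising a 4096-byte UDP payload; 44 bytes of DNS payload, matching the UDP length of 52), then parses a reply and applies the four criteria from the flag test earlier (an ANSWER present, no aa, EDNS version 0, udp size at least 4096). The reply it checks is constructed inline by build_sample_response() and is not a real capture; all function names here are this example's own.

```python
import struct

# Added example, not from the original page: build the EDNS0 query seen in the
# capture and check a reply against the page's criteria. The reply is constructed.

TYPE_TXT, TYPE_OPT, CLASS_IN = 16, 41, 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_edns0_query(qname: str, qtype: int = TYPE_TXT, txid: int = 0x3F9E,
                      udp_size: int = 4096, ad: bool = True) -> bytes:
    """Standard query with RD (and AD, as dig sets it) plus an OPT pseudo-RR."""
    flags = 0x0100 | (0x0020 if ad else 0)              # RD, optionally AD
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    # RFC 6891 OPT: NAME = root, TYPE = 41, CLASS = requestor's UDP payload size,
    # TTL = extended RCODE | version | DO bit + Z (all zero here), RDLENGTH = 0.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)
    return header + question + opt


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name at msg[off]."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:                            # compression pointer ends the name
            return off + 2
        off += 1 + n


def parse_response(msg: bytes) -> dict:
    """Extract header flags, the ANSWER count and the EDNS0 fields of a reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "answer": an, "edns_version": None, "udp_size": None}
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                   # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:                           # CLASS carries the UDP size
            info["edns_version"] = (ttl >> 16) & 0xFF
            info["udp_size"] = rclass
    return info


def edns0_check(info: dict, want_size: int = 4096) -> list:
    """Apply the page's criteria; an empty list means the cache server passed."""
    problems = []
    if info["answer"] < 1:
        problems.append("no ANSWER records")
    if info["aa"]:
        problems.append("aa set: this is an authoritative server, not a cache")
    if info["tc"]:
        problems.append("tc set: reply was truncated")
    if info["edns_version"] is None:
        problems.append("no OPT record: EDNS0 not supported or stripped on the path")
    elif info["edns_version"] != 0:
        problems.append(f"unexpected EDNS version {info['edns_version']}")
    elif info["udp_size"] < want_size:
        problems.append(f"udp size {info['udp_size']} < {want_size}")
    return problems


def build_sample_response(aa: bool = False, with_opt: bool = True,
                          udp_size: int = 4096) -> bytes:
    """Constructed reply (not a capture): qr rd ra, one TXT answer, optional OPT."""
    flags = 0x8180 | (0x0400 if aa else 0)
    header = struct.pack("!HHHHHH", 0x3F9E, flags, 1, 1, 0, 1 if with_opt else 0)
    question = encode_name("rs.dns-oarc.net") + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    txt = b"constructed sample answer"
    rdata = bytes([len(txt)]) + txt
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 60, len(rdata)) + rdata
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0) if with_opt else b""
    return header + question + answer + opt


if __name__ == "__main__":
    print(build_edns0_query("rs.dns-oarc.net").hex())
    print(edns0_check(parse_response(build_sample_response())) or "EDNS0 check passed")
```

To run the same check against a real cache server, send the bytes from build_edns0_query() over UDP to port 53 with a socket and hand the reply to parse_response(); the constructed reply only exists so the logic can be exercised offline.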
■ Extra
Using the output below as a starting point, running "traceroute" or "traceroute -p 53" toward the servers listed may give some idea of the upstream DNS servers.
Keep in mind that +trace makes dig itself iterate from the root, so the servers shown are the delegation chain for the name, not the forwarders the cache server uses. Also, because +noall comes after +ans it switches the answer section off again, which is why only the ";; Received" lines are printed.
$ dig +bufsize=4096 +trace +ans +noall rs.dns-oarc.net txt
;; Received 733 bytes from 192.168.1.254#53(192.168.1.254) in 13 ms
;; Received 1172 bytes from 202.12.27.33#53(m.root-servers.net) in 10 ms
;; Received 456 bytes from 192.26.92.30#53(c.gtld-servers.net) in 11 ms
;; Received 317 bytes from 77.72.225.243#53(ns3.dns-oarc.net) in 305 ms
;; Received 1013 bytes from 64.191.0.133#53(ns00.rs.dns-oarc.net) in 235 ms
$ dig +bufsize=4096 +trace +all rs.dns-oarc.net txt | awk '/^;;/'
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23392
;; flags: qr ra; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 14
;; OPT PSEUDOSECTION:
;; QUESTION SECTION:
;; ANSWER SECTION:
;; ADDITIONAL SECTION:
;; Query time: 21 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed Jul 26 02:09:15 JST 2017
;; MSG SIZE rcvd: 733
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55780
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 27
;; OPT PSEUDOSECTION:
;; QUESTION SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 189 msec
;; SERVER: 198.97.190.53#53(198.97.190.53)
;; WHEN: Wed Jul 26 02:09:15 JST 2017
;; MSG SIZE rcvd: 1172
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35300
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 7
;; OPT PSEUDOSECTION:
;; QUESTION SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 145 msec
;; SERVER: 192.35.51.30#53(192.35.51.30)
;; WHEN: Wed Jul 26 02:09:16 JST 2017
;; MSG SIZE rcvd: 456
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55158
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
;; QUESTION SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 197 msec
;; SERVER: 192.211.126.36#53(192.211.126.36)
;; WHEN: Wed Jul 26 02:09:17 JST 2017
;; MSG SIZE rcvd: 317
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60781
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 27, ADDITIONAL: 28
;; OPT PSEUDOSECTION:
;; QUESTION SECTION:
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 430 msec
;; SERVER: 64.191.0.133#53(64.191.0.133)
;; WHEN: Wed Jul 26 02:09:17 JST 2017
;; MSG SIZE rcvd: 1013