1. ccTLD/cz
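The cz, nic.cz, and dnssec.cz zones are co-hosted on the same servers. Both cz and nic.cz have DNSSEC configured.
- How does DNSSEC behave as a result of this co-hosting?
ns.nic.cz appears to have no records. -- ToshinoriMaeno 2015-04-05 00:16:12
/signed.dnstester.cz three generations co-hosted
nic.cz appears to be running Knot DNS. -- ToshinoriMaeno 2015-08-29 22:07:08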
2. Child domains
gov, tel, il, advnet, ...
$ dnsq ns gov.cz d.ns.nic.cz
2 gov.cz:
123 bytes, 1+0+2+3 records, response, noerror
query: 2 gov.cz
authority: gov.cz 3600 NS ns.gov.cz
authority: gov.cz 3600 NS ns2.tel.cz
additional: ns.gov.cz 3600 A 94.199.40.130
additional: ns2.tel.cz 3600 A 194.228.2.1
additional: ns2.tel.cz 3600 28 *\000\020(\001\000\001\001\000\000\000\000\000\000\000\00

$ dnsq ns tel.cz d.ns.nic.cz
2 tel.cz:
156 bytes, 1+0+2+4 records, response, noerror
query: 2 tel.cz
authority: tel.cz 3600 NS dns.iol.cz
authority: tel.cz 3600 NS ns2.tel.cz
additional: ns2.tel.cz 3600 A 194.228.2.1
additional: ns2.tel.cz 3600 28 *\000\020(\001\000\001\001\000\000\000\000\000\000\000\002
additional: dns.iol.cz 3600 A 194.228.2.61
additional: dns.iol.cz 3600 28 *\000\020(\001\000\001\002\000\000\000\000\000\000\000a
3. Ondřej Surý @oerdnj
https://twitter.com/oerdnj/status/638356099394064384
- We run multiple DNS servers (@KnotDNS, NSD and Bind 9) in anycast, so depends on what server and what location you ask...
https://twitter.com/oerdnj/status/638360569695870976
- Yes, others should also minimize the responses, they are not (and really MUST NOT) used by resolvers.
%dnsq ns cz a.root-servers.net
2 cz:
267 bytes, 1+0+4+8 records, response, noerror
query: 2 cz
authority: cz 172800 NS d.ns.nic.cz
authority: cz 172800 NS c.ns.nic.cz
authority: cz 172800 NS b.ns.nic.cz
authority: cz 172800 NS a.ns.nic.cz
additional: d.ns.nic.cz 172800 A 193.29.206.1
additional: d.ns.nic.cz 172800 28 \040\001\006x\000\001\000\000\000\000\000\000\000\000\000\001
additional: c.ns.nic.cz 172800 A 194.0.14.1
additional: c.ns.nic.cz 172800 28 \040\001\006x\000\021\000\000\000\000\000\000\000\000\000\001
additional: b.ns.nic.cz 172800 A 194.0.13.1
additional: b.ns.nic.cz 172800 28 \040\001\006x\000\020\000\000\000\000\000\000\000\000\000\001
additional: a.ns.nic.cz 172800 A 194.0.12.1
additional: a.ns.nic.cz 172800 28 \040\001\006x\000\017\000\000\000\000\000\000\000\000\000\001
-- ToshinoriMaeno 2015-08-29 22:08:48
$ dnsq ns cz 194.0.12.1
2 cz:
91 bytes, 1+4+0+0 records, response, authoritative, noerror
query: 2 cz
answer: cz 18000 NS c.ns.nic.cz
answer: cz 18000 NS b.ns.nic.cz
answer: cz 18000 NS d.ns.nic.cz
answer: cz 18000 NS a.ns.nic.cz
KnotDNS?
This one is BIND, perhaps.
%dnsq ns cz 193.29.206.1
2 cz:
223 bytes, 1+4+0+6 records, response, authoritative, noerror
query: 2 cz
answer: cz 18000 NS a.ns.nic.cz
answer: cz 18000 NS b.ns.nic.cz
answer: cz 18000 NS c.ns.nic.cz
answer: cz 18000 NS d.ns.nic.cz
additional: a.ns.nic.cz 18000 A 194.0.12.1
additional: a.ns.nic.cz 18000 28 \040\001\006x\000\017\000\000\000\000\000\000\000\000\000\001
additional: b.ns.nic.cz 18000 A 194.0.13.1
additional: b.ns.nic.cz 18000 28 \040\001\006x\000\020\000\000\000\000\000\000\000\000\000\001
additional: d.ns.nic.cz 18000 A 193.29.206.1
additional: d.ns.nic.cz 18000 28 \040\001\006x\000\001\000\000\000\000\000\000\000\000\000\001
%dnsq ns nic.cz 193.29.206.1
2 nic.cz:
207 bytes, 1+3+0+6 records, response, authoritative, noerror
query: 2 nic.cz
answer: nic.cz 1800 NS a.ns.nic.cz
answer: nic.cz 1800 NS b.ns.nic.cz
answer: nic.cz 1800 NS d.ns.nic.cz
additional: a.ns.nic.cz 1800 A 194.0.12.1
additional: a.ns.nic.cz 1800 28 \040\001\006x\000\017\000\000\000\000\000\000\000\000\000\001
additional: b.ns.nic.cz 1800 A 194.0.13.1
additional: b.ns.nic.cz 1800 28 \040\001\006x\000\020\000\000\000\000\000\000\000\000\000\001
additional: d.ns.nic.cz 1800 A 193.29.206.1
additional: d.ns.nic.cz 1800 28 \040\001\006x\000\001\000\000\000\000\000\000\000\000\000\001
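c.ns.nic.cz is not an authoritative server for the nic.ns.cz zone, but when queried it answers as if it were authoritative. (lol)
The fault here lies with whoever sends such a query. -- ToshinoriMaeno 2015-08-30 11:24:44
The way the additional records are attached when [abd].ns.nic.cz are queried for cz NS is interesting. -- ToshinoriMaeno 2015-08-30 11:27:39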
$ dnsq ns nic.cz 194.0.12.1
2 nic.cz:
207 bytes, 1+3+0+6 records, response, authoritative, noerror
query: 2 nic.cz
answer: nic.cz 1800 NS a.ns.nic.cz
answer: nic.cz 1800 NS b.ns.nic.cz
answer: nic.cz 1800 NS d.ns.nic.cz
additional: a.ns.nic.cz 1800 A 194.0.12.1
additional: a.ns.nic.cz 1800 28 \040\001\006x\000\017\000\000\000\000\000\000\000\000\000\001
additional: b.ns.nic.cz 1800 A 194.0.13.1
additional: b.ns.nic.cz 1800 28 \040\001\006x\000\020\000\000\000\000\000\000\000\000\000\001
additional: d.ns.nic.cz 1800 A 193.29.206.1
additional: d.ns.nic.cz 1800 28 \040\001\006x\000\001\000\000\000\000\000\000\000\000\000\001
Strictly speaking these are not glue, but presumably they were attached because the server is authoritative for them. (Knotdns)
4. empty non-terminal ns.nic.cz
%dig -t ns ns.nic.cz @193.29.206.1
; <<>> DiG 9.9.0 <<>> -t ns ns.nic.cz @193.29.206.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31880
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;ns.nic.cz. IN NS
;; AUTHORITY SECTION:
nic.cz. 1800 IN SOA a.ns.nic.cz. hostmaster.nic.cz. 1428004504 10800 3600 1209600 7200
;; Query time: 112 msec
;; SERVER: 193.29.206.1#53(193.29.206.1)
;; WHEN: Sat Apr 4 07:37:39 2015
;; MSG SIZE rcvd: 87
5. ns.nic.cz DNSSEC
%dig -t any ns.nic.cz +dnssec @a.ns.nic.cz
; <<>> DiG 9.9.0 <<>> -t any ns.nic.cz +dnssec @a.ns.nic.cz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36690
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;ns.nic.cz. IN ANY
;; AUTHORITY SECTION:
nic.cz. 1800 IN SOA a.ns.nic.cz. hostmaster.nic.cz. 1428177304 10800 3600 1209600 7200
nix-s.nic.cz. 7200 IN NSEC a.ns.nic.cz. A RRSIG NSEC
nic.cz. 1800 IN RRSIG SOA 5 2 1800 20150418063233 20150404185504 45627 nic.cz. coXAqdI/WS5xws9H25ZIYISMQJSRN8+dl0HlLLPUg5E6P/pLmpB29LkE SNXqRH3psrF0AmMoHlJKt/0I3iifZ4S0VXXz93c9L9yCse/V3hWVdbIK M8A0mdmOJZl1P+OMb7ds1pbivxc8Ows9bP9o6rNyPNcVIOjuXfTjjwNu Dcw=
nix-s.nic.cz. 7200 IN RRSIG NSEC 5 3 7200 20150417191512 20150404185504 45627 nic.cz. DQKzuSsArxtGHBuYfsr01FeK/2dWNLLVqoEqCoOIdKyjk3rw1GMw1pWz EA9kDB2R+SnFI82K3xdw1uZf9EdtSVAmJBE52kzHZOFehrGfLQWiMtv5 /fmzFhBQYAm82Ssd4KJhxH4oK9ga18EyEaFPjT+RbJMUTLaIrclCjBN3 cew=
;; Query time: 269 msec
;; SERVER: 194.0.12.1#53(194.0.12.1)
;; WHEN: Sun Apr 5 09:17:50 2015
;; MSG SIZE rcvd: 458
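
The NSEC record in the response above (nix-s.nic.cz -> a.ns.nic.cz) is what lets a validator conclude that ns.nic.cz is an empty non-terminal. The following is an added example, not part of the original page: it applies RFC 4034 canonical name ordering to that record, and the function names are hypothetical. It assumes plain ASCII labels with no escaped dots and ignores the wildcard proof that a full NXDOMAIN validation also needs.

```python
def canonical_key(name):
    """Sort key for RFC 4034 section 6.1 canonical ordering:
    labels compared right to left, lowercased, as byte strings."""
    labels = name.rstrip(".").lower().split(".")
    return [label.encode("ascii") for label in reversed(labels)]


def is_subdomain(name, ancestor):
    """True if name lies strictly below ancestor in the DNS tree."""
    n, a = canonical_key(name), canonical_key(ancestor)
    return len(n) > len(a) and n[:len(a)] == a


def nsec_covers(owner, next_name, qname):
    """True if qname sorts strictly between the NSEC owner and its next name."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if o < n:
        return o < q < n
    # The last NSEC in a zone wraps around to the apex.
    return q > o or q < n


def classify(owner, next_name, qname):
    """Interpret one NSEC record with respect to qname."""
    if canonical_key(owner) == canonical_key(qname):
        return "name exists (check the type bitmap)"
    if not nsec_covers(owner, next_name, qname):
        return "NSEC does not cover qname"
    # The next existing name is a descendant of qname, so qname is a
    # node in the tree that owns no records itself.
    if is_subdomain(next_name, qname):
        return "empty non-terminal (NOERROR/NODATA)"
    return "no such name in this interval"


if __name__ == "__main__":
    # Owner and next name taken from the dig output on this page.
    print(classify("nix-s.nic.cz.", "a.ns.nic.cz.", "ns.nic.cz."))
    # Constructed query name that falls in the same interval.
    print(classify("nix-s.nic.cz.", "a.ns.nic.cz.", "nj.nic.cz."))
```

This matches the NOERROR status with an empty answer section seen in sections 4 and 5: the name exists only as an ancestor of a.ns.nic.cz.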