つれづれ日記
DNS category 10/10
An example of querying Google Public DNS for example.com over TLS with a tls-pin restriction. I had no idea the TLS server name was dns.google.

$ kdig -d @8.8.8.8 +tls-ca +tls-host=dns.google +tls-pin=c6Oq7DP+27znbdc+OOKxinT6k2k5nvvrkA1eaDfV8EI= soa example.com
;; DEBUG: Querying for owner(example.com.), class(1), type(6), server(8.8.8.8), port(853), protocol(TCP)
;; DEBUG: TLS, imported 151 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=California,L=Mountain View,O=Google LLC,CN=dns.google
;; DEBUG:      SHA-256 PIN: c6Oq7DP+27znbdc+OOKxinT6k2k5nvvrkA1eaDfV8EI=, MATCH
;; DEBUG:  #2, C=US,O=Google Trust Services,CN=Google Internet Authority G3
;; DEBUG:      SHA-256 PIN: f8NnEFZxQ4ExFOhSN7EiFWtiudZQVD2oY60uauV/n78=
;; DEBUG: TLS, The certificate is trusted. 
;; TLS session (TLS1.2)-(ECDHE-RSA-SECP256R1)-(CHACHA20-POLY1305)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 61088
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 512 B; ext-rcode: NOERROR

;; QUESTION SECTION:
;; example.com.                 IN      SOA

;; ANSWER SECTION:
example.com.            3599    IN      SOA     sns.dns.icann.org. noc.dns.icann.org. 2018112877 7200 3600 1209600 3600

;; Received 97 B
;; Time 2019-03-28 22:55:49 JST
;; From 8.8.8.8@853(TCP) in 177.9 ms