DNSでHTTPS ※ただしDNS over HTTPSではない

%/44VNNFS%BZՃචमਖ਼൛ ࢁޱਸಙ!**+ %/4Ͱ)5514 ˞ͨͩ͠%/4PWFS)5514Ͱ͸ͳ͍

wഎܠ w)5514Ϩίʔυͷ֓ཁ wར༻ྫ/(ྫ w΋ͬͱৄ͘͠

)55163- wXXXFYBNQMFDPNͱ͍͏ϗετʹ)5514ͱ͍͏εΩʔϜͰΞΫηεͯ͠Ͷ w63-ʹࣔ͞ΕΔϗετ໊࣮ࡍʹΞΫηε͞ΕΔϗετ໊ w͋͑ͯม͍͑ͨ৔߹͸ˠ$/".& https://www.example.com/

$/".& wXXXFYBNQMFDPNͱ͍͏ϗετͷਖ਼ن໊͸FYBNQMFDPNͩΑ w ผ໊ BMJBT Ͱ͸ͳ͘ɺਖ਼ن໊ DBOPOJDBMOBNF w$/".&ͷ੍ݶ w
ଞͷϨίʔυͱͷಉډෆՄ w κʔϯ௖఺ κʔϯ໊ࣗ਎ ʹ͸͔ͳΒͣ40"ͱ/4͕ଘࡏ͢Δˠκʔϯ௖఺Ͱͷ$/".&ෆՄ w ಛఆϓϩτίϧ͚ͩΛબ୒తʹ$/".&ͷର৅ʹͰ͖ͳ͍ www.example.com. IN CNAME example.com.

.9 wFYBNQMFDPNυϝΠϯͷGPP͞Μ wFYBNQMFDPNυϝΠϯѼͷϝʔϧΛFYBNQMFDPNͱ͍͏ϗετͰड͚ͱΔΘ ͚Ͱ͸ͳ͍ w NBJMͰड৴ɺͦͷαʔό͕ίέͯͨΒ͔ΘΓʹNBJM͕ w ϝʔϧҎ֎Ͱ͸ example.com. IN
MX 10 mail1.example.com . IN MX 20 mail2.example.com. [email protected]

437 wFYBNQMFDPNυϝΠϯͷGPPͱ͍͏αʔϏεʹ5$1ͰΞΫηε͢Δʹ͸ɺ GPPFYBNQMFDPNͱ͍͏ϗετͷϙʔτΛ࢖ͬͯͶ w ༏ઌ౓ઃఆʹՃ͑ͯॏΈ͚ͮෛՙ෼ࢄ΋Ͱ͖Δ ͜ͷྫͰ͸QSJPSJUZɺXFJHIU w$/".&ͷΑ͏ͳ੍ݶ͕ͳ͘ɺ.9ͷΑ͏ʹಛఆϓϩτίϧݶఆͰͳ͍ w ͕ɺ)551Ͱ͸࢖Θͳ͍
w )551͕·ͩυϥϑτͩͬͨ͜Ζʹ࠾༻͢ΔҊ͸͋ͬͨΑ͏͚ͩͲ _foo._tcp.example.com. IN SRV ( 1 10 1234 foo.example.com. )

)551όʔδϣϯ w)551ͷ֤όʔδϣϯʹޓ׵ੑ͸ͳ͍ͨ Ίɺόʔδϣϯબ୒ͷ࢓૊Έ͕ඞཁ w)551ͱ͸ɺ5-4ͷ૚ͰωΰγΤ ʔγϣϯ "-1/ w)551͸ɺ5-4ΑΓԼͷ૚͔Βҟͳͬ ͍ͯͯωΰγΤʔγϣϯ͠Α͏ʹ΋Ͱ͖ ͳ͍
w ڞ௨Ͱར༻͢Δ૚ͩͱ*1·ͰԼΓͳ͚Ε͹ ͳΒͳ͍͕ɺ*1ʹͦΜͳػೳ͸ͳ͍ )551 )551 )551 5-4 26*$ 5$1 6%1 *1WW "-1/

)551 w)551ɺͰ઀ଓ͢Δͱɺαʔό ͕ʮ͏ͪɺ࣮͸)551΋࢖͑ΔΜͰ ͢Θʯͱ௨஌͢Δ "MU4WD w)551Λ࢖͑ΔΑ͏ʹͳΔͷ͸ճ ໨ͷ઀ଓ͔Β w ԿΒ͔ͷํ๏Ͱࣄલʹ஌Δ͜ͱ͕Ͱ͖Ε
͹ɺॳճ઀ଓ͔Β)551Λ࢖͑Δ w ԿΒ͔ͷํ๏ͬͯɺԿ ΫϥΠΞϯτ αʔό 5$1IBOETIBLF 5-4IBOETIBLFXJUI"-1/ )551SFRVFTU )551SFTQPOTFXJUI"MU4WD )551SFRVFTU )551SFTQPOTF ࣮͸)551΋ ͍͚ΔΜͩΘ )551 ࢖͑Δ ͡Ό͋)551Ͱ )551 ࢖͑ΔΑ ͳΒ)551Ͱ

&ODSZQUFE$MJFOU)FMMP w4/*5-4ϋϯυγΣΠΫதɺΫϥΠΞϯτ͕ΞΫηε͍ͨ͠ϗετ໊Λαʔό ʹ఻͑Δ࢓૊Έ w ैདྷͷ5-4Ͱ͸4/*ͷ΍ΓͱΓ͸ฏจͳͷͰɺಛఆͷ4/*͚ͩΛબ୒తʹதؒऀ߈ܸͰ ͖ͯ͠·͏ w&ODSZQUFE$MJFOU)FMMP &$) w
IUUQTEBUBUSBDLFSJFUGPSHEPDESBGUJFUGUMTFTOJ w 4/*ͳͲ$MJFOU)FMMPͰૹΒΕΔ֤छ৘ใΛ҉߸Խ͢Δ5-4֦ு w ϋϯυγΣΠΫͷ࠷ॳ͔Β҉߸Խ͢ΔͷͰɺඞཁͳެ։伴͸઀ଓલʹೖख͓ͯ͘͠ඞ ཁ͕͋Δˠͦͷ伴͸Ͳ͜ʹஔ͘

എܠ·ͱΊ wϝʔϧ͸υϝΠϯ໊ͱҟͳΔϗετ໊Ͱड͚औΕΔ͕ɺ)551͸63-ʹࣔ͞Ε ͨϗετ໊͕ΞΫηεΛड͚ͳ͚Ε͹ͳΒͳ͍ w$/".&Λ࢖͑͹ҟͳΔϗετ໊Ͱॲཧ͢Δ͜ͱ΋Ͱ͖Δ͕ɺ͢΂ͯͷέʔε Ͱ࢖͑Δͱ͸͔͗Βͳ͍ w)5514Ͱ઀ଓ͢Δࡍʹࣄલʹ஌͓͍ͬͯͨํ͕༗རͳ৘ใ )551όʔδϣ ϯɺ&$)伴 ͸437ʹॻ͚ͳ͍ w͜͏͍͏໰୊ΛҰؾʹղܾ͍ͨ͠

47$#)5514Ϩίʔυ w͜͏͍ͬͨ໰୊Λղܾ͢ΔͨΊͷ৽͍͠ϦιʔεϨίʔυΛఆٛ w 3'$ w l47$#z TFSWJDFCJOEJOH ൚༻൛
w l)5514z)551ઐ༻൛ wࡶʹݴ͏ͱɺ$/".&ͱ.9Λ଍ͯ͠ͰׂΒͣʹ෱ਆ௮Λఴ͑ͨ΋ͷ w)5514ͱ͍͏ωʔϛϯά͸Ͳ͏ʹ͔ͳΒΜ͔ͬͨͷ͔ʜ w ॳظͷυϥϑτͰ͸l)551447$zͩͬͨ w l"ϨίʔυzΑΓ͸Ϛγ͚ͩͲͶ

ͭ·ΓɺͲ͏͍͏͜ͱ w8FCαʔόͷ%/4΁ͷొ࿥ํ๏͕มΘΔͬͯ͜ͱ w͜Ε·Ͱ w͜Ε͔Β https://example.com/ example.com. IN HTTPS 1 www.example.com.
; ΞΫηε͞ΕΔϗετ໊Λొ࿥ www.example.com. IN A 192.0.2.1 ; ͦͷϗετ໊ͷIPΞυϨεΛొ࿥ IN AAAA 2001:db8::1 example.com. IN A 192.0.2.1 ; ΞΫηε͞ΕΔIPΞυϨεΛొ࿥ IN AAAA 2001:db8::1 OFX

)5514Ϩίʔυͷར༻ঢ়گ w3'$ʹͳΔલͷ࣌఺Ͱ͢ͰʹશΫΤϦͷதͰ"ɺ""""ʹ͍࣍Ͱ൪໨ʹଟ͍ w **+ͷΩϟογϡαʔόͰ͸શମͷׂҎ্͕)551433 ࣌఺ w "LBNBJͷௐࠪ
w IUUQTJOEJDPEOTPBSDOFUFWFOUDPOUSJCVUJPOTBUUBDINFOUTEOT IUUQTSS fi OBMQEG " """" )5514

)5514Ϩίʔυͷ࣮૷ঢ়گ w8FCϒϥ΢β w $ISPNFରԠࡁΈ &EHFͳͲ೿ੜϒϥ΢β΋΄΅ରԠ w 4BGBSJରԠࡁΈ w 'JSFGPYରԠࡁΈ͕ͩσϑΥϧτͰ͸࢖Θͳ͍
ཁઃఆมߋ w%/4αʔό w ݖҖαʔόΦʔϓϯιʔεͷ΋ͷ͸΄΅ରԠࡁΈ ະରԠͰ΋ηΧϯμϦαʔόͱ͠ ͯͳΒ͹ར༻Մೳ w ΩϟογϡαʔόɺϑΥϫʔμಛผͳରԠ͸ෆཁ )5514ϨίʔυҎલͷݹ͍࣮૷Ͱ ΋ѻ͑Δ

ॻࣜ w4WD1SJPSJUZ༏ઌ౓ ඞਢ ͷ੔਺ w ΤΠϦΞεϞʔυ w Ҏ֎αʔϏεϞʔυ w5BSHFU/BNFॲཧͷҕ೚ઌ ඞਢ
w4WD1BSBNT4WD1BSBN,FZ4WD1BSBN7BMVFϖΞͷϦετ Φϓγϣϯ w ΤΠϦΞεϞʔυແࢹ͞ΕΔ w αʔϏεϞʔυߏ੒৘ใͷఆٛ example.com. IN HTTPS 10 www.example.com. alpn=h2 ಈ࡞ͷҟͳΔͭͷϞʔυ 4WD1SJPSJUZ 5BSHFU/BNF 4WD1BSBNT

ΤΠϦΞεϞʔυ w༏ઌ౓ͷ)5514Ϩίʔυ͸ΤΠϦΞεϞʔυ wγϯϓϧͳΤΠϦΞε ผ໊ Λ࣮ݱ͢ΔϞʔυ w ΫϥΠΞϯτ͸λʔήοτ໊ ͜ͷྫͰ͸XXXFYBNQMFOFU ͷ)5514ϨίʔυΛ࠶౓ ໰͍߹ΘͤΔ
w ଟஈΤΠϦΞε͕Մೳ w $/".&ˠΤΠϦΞεϞʔυɺΤΠϦΞεϞʔυˠ$/".&ͱ͍͏ଟஈߏ੒΋Մ wࡶʹݴ͏ͱɺ)551 4 ݶఆͰκʔϯ௖఺Ͱ΋࢖͑Δ$/".& example.com. IN HTTPS 0 www.example.net.

αʔϏεϞʔυ w༏ઌ౓Ҏ֎ͷ)5514Ϩίʔυ͸αʔϏεϞʔυ w࣮ࡍͷαʔϏεఏڙϗετΛఏࣔ͢ΔϞʔυ w ΫϥΠΞϯτ͸λʔήοτ໊ͷ"""""ϨίʔυΛ໰͍߹Θͤͯ઀ଓઌΛܾఆ͢Δ w ༏ઌ౓ͷ஋͕খ͍͞ॱʹɺ஋͕ಉ͡ͳΒϥϯμϜॱʹΞΫηε .9ͱಉ͡ w
ΞΫηεʹඞཁͳ෇Ճ৘ใΛॻ͚Δ wࡶʹݴ͏ͱɺ)551༻ͷ.9 www.example.net. IN HTTPS 10 www1.example.net. alpn=h3,h 2 IN HTTPS 20 www2.example.net. alpn=h2

αʔϏεύϥϝʔλ wαʔόͷ෇Ճత৘ใ w αʔϏεϞʔυͰͷΈ༗ޮ w ΤΠϦΞεϞʔυͰ͸ແࢹ͞ΕΔ ॻ͍ͯ΋Τϥʔʹ͸ͳΒͳ͍ w
4WD1BSBN,FZ4WD1BSBN7BMVFͷܗࣜͰྻڍ w lBMQOIBMQOIzͷΑ͏ʹಉҰΩʔΛෳ਺ॻ͘ͷ͸ෆՄ w lBMQOI IzͷΑ͏ʹ·ͱΊͳ͚Ε͹ͳΒͳ͍ wඇৗʹ֦ுੑ͕ߴ͘ɺࠓޙ΋৽͍͠ύϥϝʔλ͕૿͑ΔͱࢥΘΕΔ www.example.net. IN HTTPS 10 www1.example.net. alpn=h3,h2 ipv4hint=…

αʔϏεύϥϝʔλ wBMQO w αϙʔτ͍ͯ͠Δϓϩτίϧ w IUUQ͸σϑΥϧτͰ༗ޮͳͷͰهड़ෆཁ wOPEFGBVMUBMQO w σϑΥϧτ༗ޮͳϓϩτίϧ
IUUQ ʹରԠ͍ͯ͠ͳ͍͜ͱΛࣔ͢ wQPSU w ϙʔτ൪߸Λมߋ͢Δ

αʔϏεύϥϝʔλ wJQWIJOUɺJQWIJOU w αʔόͷ*1ΞυϨε w """""ͰಘΒΕͨ৘ใ͕͋Δ৔߹͸ͦͪΒ͕༏ઌ͞ΕΔ w """""ͷొ࿥ΛলུͰ͖ΔΘ͚Ͱ͸ͳ͍ͷͰ஫ҙ w
1PXFS%/4͸ɺJQWIJOUBVUPͱॻ͘ͱద੾ͳ*1ΞυϨεʹஔ͖ସ͑ΔΑ͏ಠ֦ࣗு ͯ͠ΔͬΆ͍ wFDI w &ODSZQUFE$MJFOU)FMMPͷ伴৘ใ ESBGUJFUGUMTFTOJ

αʔϏεύϥϝʔλ wهड़ॱ͕ݫີʹنఆ͞Ε͍ͯΔ w NBOEBUPSZɺBMQOɺOPEFGBVMUBMQOɺQPSUɺJQWIJOUɺFDIɺJQWIJOUͷॱ w ͕ɺ·ͱ΋ͳ࣮૷ͳΒద౰ʹॻ͍ͯ΋಺෦తʹਖ਼͍͠ॱ൪ʹฒ΂ସ͑ͯ͘ΕΔ ͱࢥ͏ w஋͸μϒϧΫΥʔτͰͬͯ͘͘΋͘͘Βͳͯ͘΋Α͍
w BMQOI IͱBMQOlI Iz͸ͲͪΒͰ΋ಉ͡ w ݫີʹ͸ه߸จࣈΛΤεέʔϓ͢ΔࡍͷόοΫεϥογϡ a ͷѻ͍͕ҟͳΔ wEJHͰ֬ೝͯ͠ΈͨΒొ࿥ͨ͠಺༰ͱҟͳΔɺͱ͋Θͯͳ͍Α͏ʹ w ॱ൪΍μϒϧΫΥʔτͷ༗ແ͚ͩͷҧ͍͚ͩͳΒؾʹ͠ͳͯ͘Α͍

8FCαʔόଆͷઃఆ wجຊతʹैདྷͱԿ΋มΘΒͳ͍ w໊લϕʔεͷԾ૝ϗετ΍αʔόূ໌ॻͷ4VCKFDU"MU/BNF͸ɺ63-ͷυϝΠ ϯ໊Ͱઃఆ͢Δ w )5514Ϩίʔυͷλʔήοτ໊Ͱ͸ͳ͍ w8FCαʔόଆͷઃఆ͕BMQO΍FDIͳͲαʔϏεύϥϝʔλͰࢦఆͨ͠஋ͱໃ६ ͠ͳ͍Α͏ʹ͢Δ

lz w%/4ͷੈքͰlz͸ҰൠʹϧʔτυϝΠϯΛ͋ΒΘ͕͢ɺ)5514Ϩίʔυͷλ ʔήοτ໊Ͱ͸ผͷҙຯʹͳΔ w ΤΠϦΞεϞʔυͰ͸ɺIUUQTFYBNQMFDPN͕ΞΫηεෆՄͰ͋Δ͜ͱΛࣔ͢ w ϝʔϧʹ͓͚ΔOVMM.9 3'$ ͱಉ͡ w
αʔϏεϞʔυͰ͸ɺλʔήοτ͕ࣗ෼ࣗ਎Ͱ͋Δ͜ͱΛࣔ͢ w ͜Εͷলུܗˠ example.com. IN HTTPS 1 example.com. example.com. IN HTTPS 0 . example.com. IN HTTPS 1 .

ฏจ)551Ͱͷ)5514Ϩίʔυ w)5514Ϩίʔυ͸IUUQͳ63-Ͱ΋ࢀর͞ΕΔ w ͦͷ݁Ռ༗ޮͳ)5514Ϩίʔυ͕ݟ͔ͭΕ͹ɺIUUQTʹϦμΠϨΫτ͢Δ w͢ͳΘͪɺ)454ͷ΋͏ͻͱͭͷ࣮ݱํ๏ w Ϩεϙϯεͷ4USJDU5SBOTQPSU4FDVSJUZϔομʹΑΔࢦࣔ w )5514ʹͳΔͷ͸ճ໨ͷΞΫηε͔Β w
ϒϥ΢β૊ΈࠐΈͷ)5514ڧ੍υϝΠϯͷϦετʹؚ·ΕΔαΠτ )454QSFMPBE w ࣗ෼ͷυϝΠϯΛϦετʹೖΕͯ΋Β͏Α͏ਃ੥͕ඞཁ w )5514ϨίʔυˡOFX w %/4ొ࿥͚ͩͰॳճΞΫηε͔Β)5514ʹ

ա౉ظͷར༻ wීٴ·Ͱͷա౉ظ͸ɺ)5514ϨίʔυରԠະରԠΫϥΠΞϯτ͕ࠞࡏ͢Δ wͲͪΒͰ΋ΞΫηεͰ͖ΔΑ͏ͳ഑ྀ͕ඞཁ wΤΠϦΞεϞʔυ͸࢖Θͳ͍ͷ͕ແ೉ w $/".&͕࢖͑Δ৔߹͸$/".&Ͱ w κʔϯ௖఺ͳͲ$/".&͕࢖͑ͳ͍৔߹͸ɺແཧͯ͠Ͱ΋"""""ϨίʔυͰॻ͘ w
͋Δ͍͸ɺ%/4ϗεςΟϯάࣄۀऀ͕ಠࣗʹఏڙ͢ΔΤΠϦΞεػೳͳͲΛར༻

ա౉ظͷར༻ wαʔϏεϞʔυͰͷλʔήοτ͸ࣗ෼ࣗ਎ lz Λࢦఆ͢Δͷ͕ແ೉ w lzҎ֎Λࢦఆ͢Δͱɺ)5514ϨίʔυରԠΫϥΠΞϯτͱະରԠΫϥΠΞϯτͰҟͳ ΔαʔόʹΞΫηεͯ͠͠·͏ࣄނ͕ى͖ΔՄೳੑ w )5514ϨίʔυͰ͸αʔϏεύϥϝʔλͷ௨஌ͷΈʹ༻్ΛߜΔ
example.com. IN HTTPS 10 . alpn=h3,h 2 IN A 192.0.2. 1 IN AAAA 2001:db8::1

ա౉ظͷར༻ wա౉ظ͍ͬͯͭ·Ͱ wʜʜʜ͋͞ w'JSFGPY͕σϑΥϧτͰ)5514ϨίʔυͷΫΤϦΛग़͢Α͏ʹͳ͔ͬͯΒ೥ ͙Β͍ͨͯ͹େৎ෉ͳΜ͡Όͳ͍͔ͳ͊ w
$ISPNFͱ4BGBSJ͸͢ͰʹσϑΥϧτ༗ޮ w ϒϥ΢βҎ֎ͷΞΫηε͕ଟ͍"1*αʔόͳͲ͸ผ్ݕ౼

ීٴޙͷར༻ w)5514ϨίʔυʹରԠ͍ͯ͠Δͱ͍ͬͯ΋ɺʮ͢΂ͯͷػೳʯʹରԠ͍ͯ͠Δ ͱ͸͔͗Βͳ͍ w σϑΥϧτແޮͷ'JSFGPYؚΊओཁͳϒϥ΢β͸)5514Ϩίʔυͷجຊతͳ෦෼ʹ͸ ରԠࡁΈ͕ͩɺࡉ͔͍෦෼ͷରԠঢ়گ͸ҟͳΔ w Ұ෦ͷαʔϏεύϥϝʔλʹରԠ͍ͯ͠ͳ͔ͬͨΓɺ࣮૷͞Ε͍ͯͯ΋σϑΥϧτͰ ͸ແޮͰઃఆมߋ͠ͳ͍ͱ࢖͑ͳ͔ͬͨΓ wαʔϏεύϥϝʔλ͸ࠓޙ΋௥Ճ͞Ε͍ͯ͘
w ৽͍͠ػೳʹΫϥΠΞϯτ͕ରԠ͍ͯ͠Δ͔Ͳ͏͔͸ͦͷ౎౓֬ೝ͕ඞཁ

యܕతͳར༻ྫ$%/ Ϣʔβଆ wΤΠϦΞεϞʔυͰ$%/αʔϏεΛొ࿥ w $%/ଆαʔόͷৄ͍͠ߏ੒Λ஌Δඞཁ͕ͳ͍ w κʔϯ௖఺Ͱ΋໊લͰࢦఆͰ͖Δ example.com. IN HTTPS
0 cdn.example.net.

యܕతͳར༻ྫ$%/ ࣄۀऀଆ wαʔϏεϞʔυͰαʔόͷৄࡉΛهड़ w αʔόͷߏ੒Λมߋ͢Δͱ͖Ͱ΋ɺϢʔβʹ%/4ొ࿥৘ใΛมߋͯ͠΋Β͏ඞཁ͕ͳ ͍ cdn.example.net. IN HTTPS 10
sv30.example.net. alpn=h3,h 2 IN HTTPS 10 sv31 example.net. alpn=h3,h 2 IN HTTPS 20 sv20.example.net. alpn=h 2 sv30.example.net. IN A 192.0.2. 1 sv31.example.net. IN A 192.0.2. 2 sv20.example.net. IN A 192.0.2.3

κʔϯ௖఺ͰͷΤΠϦΞε wಉ໊͡લͰଞͷϦιʔεϨίʔυ͕ଘࡏ͢Δ৔߹ɺ$/".&͸ొ࿥Ͱ͖ͳ͍ wκʔϯ௖఺ʹ͸͔ͳΒͣ40"ͱ/4Ϩίʔυ͕ଘࡏ͢Δˠ$/".&ෆՄ w)5514ϨίʔυͳΒ͹໰୊ͳ͘ొ࿥Մೳ w ͨͩ͠ɺ)5514ϨίʔυະରԠͷΫϥΠΞϯτ͕ΞΫηεͰ͖ͳ͍ͷͰɺͦΕΛߟྀ ͢Δ৔߹͕͋ΔͳΒ"""""Ϩίʔυ΋ซه͢Δඞཁ͕͋Δ example.jp. IN
SOA … IN NS … IN HTTPS 0 cdn.example.net.

ෛՙ෼ࢄͱϑΥʔϧόοΫ wαʔϏεϞʔυͰ͸.9ϨίʔυͷΑ͏ͳ༏ઌ౓ઃఆ͕Մೳ w ·ͣɺXXXͱXXXΛ౳֬཰ͰΞΫηε w ͲͪΒ΋ͩΊͳΒGBMMCBDLʹΞΫηε w GBMMCBDLͷ΄͏ʹʮো֐தͰ͢͝ΊΜͳ͍͞ʯͱ͍͏)5.-Λஔ͍͓ͯ͘ͱɺো֐؂ ࢹͱ࿈ܞͯ͠%/4Λॻ͖׵͑ͳͯ͘΋ɺϒϥ΢β͕উखʹ൑அͯ͠੾Γସ͑ͯ͘ΕΔ
example.jp. IN HTTPS 10 www1.example.jp. alpn=h3,h 2 example.jp. IN HTTPS 10 www2.example.jp. alpn=h3,h 2 example.jp. IN HTTPS 20 fallback.example.jp. alpn=h2

ॏΈ͚ͮෛՙ෼ࢄ w437Ϩίʔυͱҧͬͯ)5514ϨίʔυࣗମͰ͸XFJHIUΛઃఆͰ͖ͳ͍͚Ε Ͳɺͪΐͬͱ޻෉͢Ε͹ʜ w XXXɺXXXɺXXXʹ౳֬཰ͰΞΫηε w XXXͱXXX͸ಉ͡*1ΞυϨεˠͷׂ߹Ͱෛՙ෼ࢄ example.jp. IN
HTTPS 10 www1.example.jp. alpn=h3,h 2 example.jp. IN HTTPS 10 www2.example.jp. alpn=h3,h 2 example.jp. IN HTTPS 10 www3.example.jp. alpn=h3,h 2 www1.example.jp. IN A 192.0.2. 1 www2.example.jp. IN A 192.0.2. 1 www3.example.jp. IN A 192.0.2.2

ෳ਺ͷΤΠϦΞεϞʔυ ΂͔Βͣू wෳ਺ͷΤΠϦΞεϞʔυ͸ෆՄ wొ࿥ͯ͠΋Τϥʔʹ͸ͳΒͳ͍͕ɺͲͪΒʹΞΫηε͞ΕΔ͔ෆఆ w ϥϯμϜͰͲΕ͔ͻͱͭʮ͚ͩʯʹΞΫηε͢Δ 4)06-% w
αʔϏεϞʔυͰ͸ಉҰ༏ઌ౓ͳΒϥϯμϜॱ ΞΫηεࣦഊͨ͠ΒผαʔόΛࢼ͢ ͕ͩɺΤΠϦ ΞεϞʔυͰ͸ͻͱͭʹΞΫηεࣦͯ͠ഊͨ͠ΒଞΛࢼͣ͞ऴΘΓ w 4)06-%ͳͷͰαʔϏεϞʔυͱಉ͡Α͏ͳڍಈ͕׬શʹېࢭ͞Ε͍ͯΔΘ͚Ͱ͸ͳ͍͕ɺͦΕΛ ظ଴ͯ͠͸͍͚ͳ͍ example.jp. IN HTTPS 0 cdn-a.example.com . IN HTTPS 0 cnd-b.example.net.

ΤΠϦΞεϞʔυͱαʔϏεϞʔυͷࠞࡏ ΂͔Βͣू wΤΠϦΞεϞʔυͱαʔϏεϞʔυͷࠞࡏ͸ෆՄ w΋ࠞ͠ࡏ͍ͯͨ͠৔߹ɺαʔϏεϞʔυ͸ແࢹ͞ΕΔ w શମ͕ແޮʹͳΔͷͰ͸ͳ͘ɺΤΠϦΞεϞʔυͱͯ͠༗ޮͱ͍͏͜ͱ example.jp. IN
HTTPS 0 cdn-a.example.com . IN HTTPS 1 cnd-b.example.net.

௒ଟஈΤΠϦΞε ΂͔Βͣू w࢓্༷͸ଟஈΤΠϦΞε͕ೝΊΒΕ͍ͯΔ w͕ɺஈ਺ʹ͸্ݶΛઃ͚ͳ͚Ε͹ͳΒͳ͍ͱ΋نఆ͞Ε͍ͯΔ w Կஈ·ͰՄೳ͔͸࣮૷ґଘ ࣮૷ଆͰܾΊΔ΂͠ͱ࢓༷ʹ໌ه͞Ε͍ͯΔ w
ஈΛ௒͑Δଟஈ$/".&Λ໊લղܾͰ͖ͳ͍Ωϟογϡ%/4αʔό͕ଘࡏ͢Δ͜ͱ͔ Βɺଟஈ)5514Ϩίʔυ΋$/".&ͱ͋Θͤͯஈఔ౓·Ͱʹ͢Δͷ͕ແ೉͔ w্ݶʹͻ͔͔ͬͬͨ৔߹͸)5514Ϩίʔυ͕ଘࡏ͠ͳ͔ͬͨ΋ͷͱͯ͠ѻ͏ w ͭ·Γɺ"""""Ϩίʔυͷ໊લղܾʹϑΥʔϧόοΫ͢Δ w΋ͪΖΜɺ॥؀ΤΠϦΞε΋ෆՄ

ඇඪ४ϙʔτͷར༻ ΂͔Βͣू wϑΝΠΞ΢Υʔϧ΍)551ϓϩΫγͰ͸Ҏ֎ͷ)5514઀ଓ͕ېࢭ͞Ε͍ͯ Δέʔε͕΄ͱΜͲ w ͱ͘ʹɺ೚ҙϙʔτʹ)5514ΞΫηεͰ͖ΔϓϩΫγ͸੬ऑੑ w IUUQTXXXLCDFSUPSHWVMTJE w)5514Ϩίʔυͷ࢓্༷͸ϙʔτ൪߸ΛมߋՄೳ͕ͩɺ࣮ࡍʹ΍ͬͯ͠·͏ͱ
ΞΫηεͰ͖ͳ͍Ϣʔβ͕ଓग़͢ΔͷͰ࢖͏΂͖Ͱ͸ͳ͍ w ͜͏͍͏໰୊͕ى͖ͳ͍͜ͱ͕ࣄલʹΘ͔͍ͬͯΔ૊৫಺ωοτϫʔΫͰͷར༻ͷΈ ʹཹΊΔ΂͠ example.jp. IN HTTPS 1 . port=8443

"""""Ϩίʔυͷলུ ΂͔Βͣू w*1ΞυϨε͸JQWIJOUɺJQWIJOUͰ༩͑Δ͜ͱ͕Ͱ͖Δ w͕ɺ͋͘·ͰώϯτͰ͋Γɺ"""""Λొ࿥͠ͳ͍͍ͯ͘Θ͚Ͱ͸ͳ͍ w JQWIJOUɺJQWIJOUʹΑΔ৘ใΛʮར༻ͯ͠΋Α͍ .": ʯͰ͋Γɺແࢹ͢Δ࣮૷͸ ౰વ૝ఆ͠ͳ͚Ε͹ͳΒͳ͍
w ޙड़ͷBEEJUJPOBMTFDUJPOΛར༻͢Δํ๏͕ਪ঑͞Ε͍ͯͯɺJQWIJOU͸ͦΕʹରԠ͠ ࣮ͨ૷͕ීٴ͢Δ·Ͱͷͭͳ͗ͱ͍͏Ґஔ͚ͮ w"""""ϨίʔυͰಘΒΕΔ*1ΞυϨεͱJQWIJOUJQWIJOUʹΑΔ*1ΞυϨε ͕ҟͳΔ৔߹͸"""""ϨίʔυͷํΛਖ਼ͱΈͳ͢

47$#Ϩίʔυ w)5514Ϩίʔυ͸)551ͱͦͷ೿ੜϓϩτίϧ )5514ɺ8FC4PDLFU ༻ w47$#Ϩίʔυ͸ϓϩτίϧΛݶఆ͠ͳ͍ w TDIFNFOBNFQPSUͱ͍͏63-ʹ@QPSU@TDIFNFOBNFͷ47$#Ϩίʔυ͕ରԠ w ͭ·ΓɺҎԼͷͭ͸ҙຯతʹ͸ಉ͡ w
ͨͩ͠ɺIUUQTͳ63-Ͱ͸͔ͳΒͣ)5514ϨίʔυΛ࢖͏͜ͱʹͳ͍ͬͯͯɺ47$#͸ແޮ wIUUQTҎ֎ʹ࢖ΘΕΔ͜ͱɺROBNF͕ҟͳΔ͜ͱҎ֎͸)5514Ϩίʔυͱ ΄΅ಉ͡ example.com. IN HTTPS … _443._https.example.com. IN SVCB …

47$#Ϩίʔυͷར༻ྫ w%JTDPWFSZPG%FTJHOBUFE3FTPMWFST %%3 3'$ w %P)%P5Λ࢖͏ͨΊʹඞཁͳ৘ใΛऔಘ͢ΔͨΊͷखॱΛఆٛ w ҎԼͷ໊લͷ47$#ϨίʔυΛ໰͍߹Θͤͯ%P)%P5αʔόͷ৘ใΛಘΔ w
%PϑϧϦκϧόͷ*1ΞυϨε͚͕ͩΘ͔͍ͬͯΔ৔߹@EOTSFTPMWFSBSQB w %P)%P5αʔόͷ໊લ͸Θ͔͍ͬͯΔ৔߹@EOT\%P)%P5αʔό໊^ w ͜Μͳ47$#ϨίʔυΛొ࿥͢Δ w _dns.resolver.arpa. IN SVCB 1 . alpn=h2 ipv4hint=x.y.z.w dohpath=/dns-query{?dns } _dns.resolver.arpa. IN SVCB 1 . alpn=dot port=853 ipv4hint=x.y.z.w

ϙʔτࢦఆ͖ͭͷ63- w47$#ϨίʔυͷྲّྀͰ໊લΛهड़͢Δ wαʔϏεύϥϝʔλͰϙʔτ൪߸Λࢦఆ͢Ε͹ɺ63-͸ͳͷʹ࣮ࡍ͸ඪ ४ͷ൪ͰՔಈͤ͞Δɺͱ͍͏͜ͱ΋Մೳ w ϙʔτࢦఆͷͳ͍63-Ͱඇඪ४ϙʔτΛ࢖͏ͨΊQPSUΛࢦఆ͢Δͷ͸τϥϒϧͷݩ https://example.com:8443/ _8443._https.example.com. IN
HTTPS … _8443._https.example.com. IN HTTPS 1 example.com. port=443

Φʔόʔϔουେ͖͘ͳ͍ w͜Ε·Ͱ w """""ͷ໰͍߹Θ͚ͤͩ w͜Ε͔Β w )5514Ϩίʔυͷ໰͍߹Θͤ """""ͷ໰͍߹Θͤ w)5514Ϩίʔυͷ෼͚ͩ%/4ͷ໰͍߹Θ͕ͤ૿͑ΔˠϨΠςϯγ௿Լ

ϨΠςϯγ޲্ࡦ wΫϥΠΞϯτଆͰ΋໊લղܾ݁ՌΛΩϟογϡ͢Δ 4)06-% w)5514Ϩίʔυͱಉ࣌ʹͦΕͬΆ͍"""""΋౤ػ໰͍߹Θͤ 4)06-% w ʮͦΕͬΆ͍ʯ͕ਖ਼ղͳΒ໊લղܾʹ͔͔Δ࣌ؒΛ୹ॖͰ͖Δ w
ϋζϨͳΒ࣌ؒ୹ॖʹ͸ͳΒͳ͍͠ແବʹͳΔ͚Ͳ w)5514Ϩίʔυࣗମ͔ΒಘΒΕΔ*1ΞυϨεʹΑΓ"""""ͷ໰͍߹ΘͤΛ লུͯ͠΋Α͍ .": w ໰͍߹ΘͤΔଆ͕লུ͢Δͷ͸͍͍͚Ͳɺ͞ΕΔଆ͕ొ࿥Λলུ͢Δͷ͸ෆՄ example.com. IN HTTPS 1 . ipv4hint=192.0.2.1 ipv6hint=2001:db8::1

"%%*5*0/"-4&$5*0/ͷར༻ wैདྷ OPO)551433BXBSF w αʔό͸ฉ͔Εͨ͜ͱ͚ͩ౴͑Δ w ΫϥΠΞϯτ͸*1ΞυϨε͕ಘΒ ΕΔ·Ͱ໰͍߹ΘͤΛ܁Γฦ͢
wকདྷ )551433BXBSF w αʔό͸ฉ͔Ε͍ͯͳ͍৘ใΛ BEEJUJPOBMTFDUJPOʹࡌͤΔ w ΫϥΠΞϯτ͸͜ΕΛར༻ͯ͠໰ ͍߹ΘͤΛݮΒ͢͜ͱ͕Ͱ͖Δ ; QUESTION SECTIO N example.com. IN HTTP S ; ANSWER SECTIO N example.com. IN HTTPS 0 foo.example.com . ; ADDITIONAL SECTIO N foo.example.com. IN HTTPS 10 bar.example.com . foo.example.com. IN HTTPS 10 baz.example.com . bar.example.com. IN A 192.0.2. 1 bar.example.com. IN AAAA 2001:db8:: 1 baz.example.com. IN A 192.0.2. 2 baz.example.com. IN AAAA 2001:db8::2 )551433BXBSF OPO)551433BXBSF

"%%*5*0/"-4&$5*0/ͷར༻ wΩϟογϡαʔό w 47$#)5514"""""ϨίʔυΛBEEJUJPOBMTFDUJPOʹؚΊΔ΂͠ wݖҖαʔό w l಺෦໊ͷz47$#)5514"""""ϨίʔυΛBEEJUJPOBMTFDUJPOʹؚΊΔ΂͠ w )551433BXBSFͳΩϟογϡαʔό͕ੈؒͷେ൒ʹͳΔΑ͏ͳ࣌୅͕དྷͨΒɺ΋͸
΍JQWIJOU΍JQWIJOU͸࢖͏΂͖Ͱ͸ͳ͍ 4)06-%/05 wैདྷͷαʔόͰ΋)5514ϨίʔυͷऔΓѻ͍͸Մೳ͕ͩɺBEEJUJPOBMTFDUJPO Λ௥ՃͰ͖ΔαʔόղऍͰ͖ΔΫϥΠΞϯτͰ͸΍ΓͱΓ͕ݮͬͯޮ཰͕Α͘ ͳΔ

47$#PQUJPOBMSFMJBOUDMJFOU w47$#PQUJPOBMDMJFOUαʔϏεϞʔυ͸ඞਢͰͳ͍ w 47$#Ϩίʔυ͕ଘࡏ͠ͳ͍৔߹ɺ·ͨ͸ɺΤΠϦΞεϞʔυͷλʔήοτ໊ʹࢦఆ ໊ͨ͠લʹαʔϏεϞʔυͷ47$#Ϩίʔυ͕ଘࡏ͠ͳ͍৔߹ɺ"""""Ϩίʔυʹ ϑΥʔϧόοΫ͢Δ w47$#SFMJBOUDMJFOUαʔϏεϞʔυඞਢ w αʔϏεϞʔυͷ47$#Ϩίʔυ͕ଘࡏ͠ͳ͚Ε͹ΞΫηεࣦഊ wͲͪΒͱ࣮ͯ͠૷͢Δ͔͸ɺ47$#ϨίʔυΛར༻͢Δϓϩτίϧ͕બ୒͢Δ
w طଘͷϓϩτίϧ͸47$#PQUJPOBMDMJFOUͱ࣮ͯ͠૷͞ΕΔ΂͖ 4)"-- w )5514͸ʮطଘͷϓϩτίϧʯͳͷͰPQUJPOBM ͕ɺαʔϏεϞʔυ΋͋ͬͨ΄͏͕͍͍ΑͶ

)5514ϨίʔυͷηΩϡϦςΟ w%/44&$΍҉߸Խ%/4ͷར༻͸.645Ͱ͸ͳ͍ w௨৴ܦ࿏্ͷதؒऀ͸)5514Ϩίʔυͷ໊લղܾΛࣦഊͤ͞ΔԠ౴Λվ᜵͢Δ ͜ͱͰμ΢ϯάϨʔυ߈ܸ͕Մೳ w &$)ެ։伴͕ಘΒΕͣฏจ4/*ʹ w )454͕ޮ͔ͳ͍ w ҙਤͱ͸ҟͳΔαʔό΁ͷΞΫηε༠ಋ
μ΢ϯάϨʔυͰ͸ͳ͍͚Ͳ w͜ͷΑ͏ͳ߈ܸͷஹީΛݕ஌ͨ͠৔߹ɺΫϥΠΞϯτ͸઀ଓࢼߦΛ΍ΊΔ΂͖ 4)06-% w """""΁ͷϑΥʔϧόοΫ΋͠ͳ͍

ϑΝΠΞ΢Υʔϧͱ)5514Ϩίʔυ wʮະ஌ͷ%/4ϨίʔυλΠϓ͸ո͍͠ʯͱ͍͏ཧ༝ͰύέοτΛυϩοϓ͢Δ ϑΝΠΞ΢Υʔϧ΍*14*%4Ͱɺ)5514ϨίʔυΛר͖ఴ͑ʹ͢Δ΋ͷ͕͋Δ w ΍ͬͯΔ͜ͱ͸தؒऀ߈ܸͱಉ͡ ͦ͏͍͏ҙਤ͸ͳͯ͘΋֎ܗతʹ͸ w)5514ͷ͔ΘΓʹ"""""ϨίʔυͰ໊લղܾ͕Ͱ͖ͨͱͯ͠΋ɺ w தؒऀ߈ܸͱͯ͠ೝࣝ͞ΕΔͱɺμ΢ϯάϨʔυΛආ͚ΔͨΊϑΥʔϧόοΫ͠ͳ͍
w தؒऀ߈ܸͱͯ͠ೝࣝ͞Εͳͯ͘΋ɺ6%1ͳ%/4Ͱ͸ύέοτΛυϩοϓ͢ΔͱλΠ ϜΞ΢τΛ଴ͭ͜ͱʹͳΔͷͰ໊લղܾʹ͕͔͔࣌ؒΔ w47$#)5514Ϩίʔυ͸υϩοϓͤͣʹ௨աͤ͞ΔΑ͏ϑΝΠΞ΢Υʔϧͷ ઃఆΛมߋ͍ͯͩ͘͠͞

·ͱΊ w47$#ͱ)5514ͱ͍͏ϦιʔεϨίʔυ͕Ͱ͖·ͨ͠ w 3'$ w )551Λࢧ͑Δٕज़ͷͻͱͭ w 8FCαʔόͷ%/4΁ͷొ࿥ํ๏͕มΘΔ w $/".&
.9 Ћͷػೳ wͱ͘ʹϑΝΠΞ΢ΥʔϧͰυϩοϓͯ͠ͳ͍͔͸ࠓ͙֬͢ೝΛ

DNSでHTTPS ※ただしDNS over HTTPSではない

DNSでHTTPS ※ただしDNS over HTTPSではない

More Decks by IIJ_PR

Other Decks in Technology

Featured

Transcript