BIND9私有DNS服务器中使用DNSSEC
BIND9私有DNS服务器中使用DNSSEC
BIND9私有DNS服务器中使用DNSSEC
1. 服务器基本配置
1) 主根服务器 192.168.56.101
2) 从根服务器 192.168.56.102
3) COM服务器 192.168.56.103
4) 解析服务器 192.168.56.104
2. 配置主根服务器
1) 生成签名密钥对
# cd /var/named
首先为你的区(zone)文件生成密钥签名密钥KSK:
# dnssec-keygen -f KSK -a RSASHA1 -b 512 -n ZONE .
将生成文件 K.+005+09603.key 和K.+005+09603.private
然后生成区签名密钥ZSK:
# dnssec-keygen -a RSASHA1 -b 512 -n ZONE .
将生成文件 K.+005+14932.key 和 K.+005+14932.private
2) 签名
a. 签名之前将前面生成的两个公钥添加到区域配置文件末尾
[plain]
$TTL 86400
@ IN SOA @ root (
12169
1m
1m
1m
1m )
. IN NS root.ns.
root.ns. IN A 192.168.56.101
com. IN NS ns.com.
ns.com. IN A 192.168.56.103
$INCLUDE "K.+005+14932.key"
$INCLUDE "K.+005+09603.key"
b. 然后执行签名操作。
# dnssec-signzone -o . db.root
上面的-o选项指定代签名区的名字. 将生成 db.root.signed.
c. 修改主配置文件
[plain]
key "rndc-key" {
algorithm hmac-md5;
secret "wk7NzsvLaCobiCFxHB2LXQ==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
options {
directory "/var/named/";
pid-file "/var/named/named.pid";
recursion no;
dnssec-enable yes;
};
zone "." IN {
type master;
file "db.root.signed";
allow-transfer {192.168.56.102;};
};
在 options 中添加 dnssec-enable yes; 以打开DNSSEC。
在 zone 中修改file 以指向签名后的文件db.root.signed
重启named服务器
3. 配置安全的解析服务器
1) 打开named.conf, 添加如下内容
# vi named.conf
[plain]
key "rndc-key" {
algorithm hmac-md5;
secret "kMOStrdGYC5WmE1obk7LJg==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
options {
directory "/var/named";
pid-file "/var/run/named/named.pid";
allow-query {any;};
recursion yes;
allow-recursion {any;};
dnssec-enable yes;
};
zone "." IN {
type hint;
file "db.root";
};
include "/var/named/sec-trust-anchors.conf";
其中:dnssec-enable yes; 打开DNSSEC
include "/var/named/sec-trust-anchors.conf"; 添加信任锚
2) 创建“信任锚”文件
# cd /var /named
# touch sec-trust-anchors.conf
# vi sec-trust-anchors.conf
[plain]
trusted-keys {
"." 256 3 5 "AwEAAcxHPOkZULjQeyxKoY7PPhnr4q3gvSqF5QLu8eh/J675JOBatuxY 3fpIF2ZlyVfjt4SSg8JN10+FUx2iRqjlxzU=";
"." 257 3 5 "AwEAAeqRlSY1wkO/m1RwLY0pA/Pa0r+ld4We21MXQwrnBM+zEWUQ9LVQ rYja1SEgnyTeJwysgh/qqr71s74fD11bOLU=";
};
其中的密钥部分是将 主服务器(192.168.56.101)上生成的 K.+005+09603.key 和
K.+005+14932.key 中密钥部分拷贝过来.
重启named 的服务。
3) 测试
# dig @192.168.56.104 +dnssec . NS
[plain]
root@simba-4:/var/named# dig @192.168.56.104 +dnssec . NS
; <<>> DiG 9.9.2-P1 <<>> @192.168.56.104 +dnssec . NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58557
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 86039 IN NS root.ns.
. 86039 IN RRSIG NS 5 0 86400 20130920155850 20130821155850 9603 . RTflmGcEwLDyjENuEvDBVM1UiuL6lS/ae3K0iBTRoRzY50MhnmXCQYEQ TNSDflG9D0TskUJNd3UqLtvS6+b28Q==
;; Query time: 15 msec
;; SERVER: 192.168.56.104#53(192.168.56.104)
;; WHEN: Wed Aug 21 13:26:35 2013
;; MSG SIZE rcvd: 142
其中 flags 部分有 ad, 说明DNSSEC启用并通过验证。
但是此时 如果执行
# dig @192.168.56.104 +dnssec com. NS
或报“信任链受损”。
4. 配置从根服务器 在IP为192.168.56.102上
1) 打开named.conf, 添加如下内容
# vi named.conf
[plain]
key "rndc-key" {
algorithm hmac-md5;
secret "JaHjteR5sZxVrMWWcOne9g==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
options {
directory "/var/named";
pid-file "/var/run/named/named.pid";
transfer-format many-answers;
recursion no;
dnssec-enable yes;
};
zone "." IN {
type slave;
file "db.root";
masters { 192.168.56.101; };
};
其中: 只需要在options 中添加 dnssec-enable yes; 。
将/var/named/db.root 删除, 重启服务。
2) 测试
# dig @192.168.56.102 . NS
[plain]
root@simba-2:/usr/local/named/etc# dig @192.168.56.102 +dnssec . NS
; <<>> DiG 9.9.2-P1 <<>> @192.168.56.102 +dnssec . NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31463
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 86400 IN NS root.ns.
. 86400 IN RRSIG NS 5 0 86400 20130920155850 20130821155850 9603 . RTflmGcEwLDyjENuEvDBVM1UiuL6lS/ae3K0iBTRoRzY50MhnmXCQYEQ TNSDflG9D0TskUJNd3UqLtvS6+b28Q==
;; ADDITIONAL SECTION:
root.ns. 86400 IN A 192.168.56.101
root.ns. 86400 IN RRSIG A 5 2 86400 20130920155850 20130821155850 9603 . MGX976QJsdXqS/tEtYoG/CvI4v1QWkUk79XOOxyvvVqFaVz5XBuFOppz BT/5kIIGn9ebMpjIhFYhhBlYM24aqA==
;; Query time: 17 msec
;; SERVER: 192.168.56.102#53(192.168.56.102)
;; WHEN: Wed Aug 21 13:36:21 2013
;; MSG SIZE rcvd: 253
# dig @192.168.56.102 com. NS
[plain]
root@simba-2:/usr/local/named/etc# dig @192.168.56.102 +dnssec com. NS
; <<>> DiG 9.9.2-P1 <<>> @192.168.56.102 +dnssec com. NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23672
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;com. IN NS
;; AUTHORITY SECTION:
com. 86400 IN NS ns.com.
com. 86400 IN DS 57139 5 2 1D84EDAD0F96E34D869B24DBE0515C7179102EAD293C8FEAF7EE9B00 8388601C
com. 86400 IN DS 57139 5 1 C9D1B946BDC3CB7D1D97F3FC74483C13E3DD03A0
com. 86400 IN RRSIG DS 5 1 86400 20130920155850 20130821155850 9603 . y6tqd0RzoAd9Qk8iDcnOr71iordfd/J5Y/ZzMHxCjQel60pEqbxkMxLO c+nzhu810wv9AB6gCQ4JsOLJGu1uxw==
;; ADDITIONAL SECTION:
ns.com. 86400 IN A 192.168.56.103
;; Query time: 14 msec
;; SERVER: 192.168.56.102#53(192.168.56.102)
;; WHEN: Wed Aug 21 13:35:43 2013
;; MSG SIZE rcvd: 244
5. 配置COM服务器 在服务器192.168.56.103上
1) 生成签名密钥对
# cd /var/named
首先为你的区(zone)文件生成密钥签名密钥KSK:
# dnssec-keygen -f KSK -a RSASHA1 -b 512 -n ZONE com.
将生成文件 Kcom.+005+17631.key 和Kcom.+005+17631.private
然后生成区签名密钥ZSK:
# dnssec-keygen -a RSASHA1 -b 512 -n ZONE com.
将生成文件 Kcom.+005+57139.key 和 Kcom.+005+57139.private
2) 签名
d. 签名之前将前面生成的两个公钥添加到区域配置文件末尾
[plain]
$TTL 86400
@ IN SOA @ root (
2
1m
1m
1m
1m
)
com. IN NS ns.com.
ns.com. IN A 192.168.56.103
my.com. IN A 192.168.56.201
$INCLUDE "Kcom.+005+17631.key"
$INCLUDE "Kcom.+005+57139.key"
e. 然后执行签名操作。
# dnssec-signzone -o com. db.com
上面的-o选项指定代签名区的名字. 将生成 db.root.signed.
f. 修改主配置文件
[plain]
key "rndc-key" {
algorithm hmac-md5;
secret "kMOStrdGYC5WmE1obk7LJg==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
options {
directory "/var/named";
pid-file "/var/run/named/named.pid";
allow-query {any;};
recursion no;
dnssec-enable yes;
};
zone "." IN {
type hint;
file "db.root";
};
zone "com." IN {
type master;
file "db.com.signed";
};
在 options 中添加 dnssec-enable yes; 以打开DNSSEC。
在 zone 中修改file 以指向签名后的文件db.com.signed
重启named服务器.
g. 将生成的dsset-com. 发给 主服务器。
① 在 192.168.56.103 上执行
# cd /var/named
# scp dsset-com. root@192.168.56.101:/var/named/
② 在 192.168.56.101 上执行
# cd /var/named
# vi db.root
③ 在该文件末尾添加 $INCLUDE "dsset-com." 。
[plain]
$TTL 86400
@ IN SOA @ root (
12169
1m
1m
1m
1m )
. IN NS root.ns.
root.ns. IN A 192.168.56.101
com. IN NS ns.com.
ns.com. IN A 192.168.56.103
$INCLUDE "K.+005+14932.key"
$INCLUDE "K.+005+09603.key"
$INCLUDE "dsset-com."
④ 然后在 主服务器上重新对区文件进行签名
# mv db.root.signed db.root.signed.bak
# dnssec-signzone -o . db.root
⑤ 重启服务.
6. 测试
# dig @192.168.56.104 +dnssec my.com. A
[plain]
root@simba-2:/usr/local/named/etc# dig @192.168.56.104 +dnssec my.com. A
; <<>> DiG 9.9.2-P1 <<>> @192.168.56.104 +dnssec my.com. A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6723
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;my.com. IN A
;; ANSWER SECTION:
my.com. 84500 IN A 192.168.56.201
my.com. 84500 IN RRSIG A 5 2 86400 20130920155342 20130821155342 17631 com. Aj0rkV1M2twT7+aFcFi1k3Fej+V6AepP+bhUJFvmOo3JZPckU8S3igDp 6lfVb0aMVESkYhuTPMPneR2i3cfxrA==
;; AUTHORITY SECTION:
com. 84500 IN NS ns.com.
com. 84500 IN RRSIG NS 5 1 86400 20130920155342 20130821155342 17631 com. IKhEH7M5RR++eBT8SCljw3OVm0ghbV4i5KWFJL7fslfDmibSncUo6Qn6 vuJ3B3hFxY3VCoyaoCSoZyVQf9oxFQ==
;; ADDITIONAL SECTION:
ns.com. 84500 IN A 192.168.56.103
ns.com. 84500 IN RRSIG A 5 2 86400 20130920155342 20130821155342 17631 com. oY/d3tIRWOypjxz0LWnEWK0wCfM/h5FlNTn9I5pqxJU9MiylfiwJ2Kpr JjzitCZqnkFn0gfZoOqfmK5i2pY/0A==
;; Query time: 23 msec
;; SERVER: 192.168.56.104#53(192.168.56.104)
;; WHEN: Wed Aug 21 13:52:14 2013
;; MSG SIZE rcvd: 381
评论暂时关闭