DNS BIND之dnssec安全实例配置-dev节点(dev.)
上一节我们演示了根节点的dnssec配置,下面我们配置dev节点的dnssec。
dev服务器:192.168.110.71
一、配置dev服务器
1.生成签名密钥对
# cd /var/named
首先为区(zone)文件生成密钥签名密钥KSK:
#~/bind/sbin/dnssec-keygen -f KSK -a RSASHA1 -b 512 -n ZONE dev.
将生成文件Kdev.+005+44248.key公钥和Kdev.+005+44248.private私钥
然后生成区签名密钥ZSK:
#~/bind/sbin/dnssec-keygen -a RSASHA1 -b 512 -n ZONE dev.
将生成文件Kdev.+005+41787.key公钥和Kdev.+005+44248.private私钥
2.签名zone
a.签名之前将前面生成的两个公钥添加到区域配置文件末尾
$TTL 86400
@ IN SOA @ root.dev (
2
1m
1m
1m
1m)
dev. IN NS ns.dev.
ns.dev. IN A 192.168.110.71
abc.dev. IN A 192.168.100.90
$INCLUDE "Kdev.+005+41787.key"
$INCLUDE "Kdev.+005+44248.key"b.执行签名操作
#~/bind/sbin/dnssec-signzone -o dev. dev.zone
生成dev.zone.signed签名zone
3.修改主配置文件name.conf
key "rndc-key" {
algorithm hmac-md5;
secret "etMaaS+O06WFFUHxKAaTXA==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
options{
listen-on port 53{
192.168.110.71;
};
version "vdns3.0";
directory "/var/named";
pid-file "/var/run/named.pid";
session-keyfile "/var/run/session.key";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
rrset-order {
order cyclic;
};
recursion no;
allow-query{
any;
};
allow-query-cache{
any;
};
allow-transfer{
none;
};
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
logging {
channel default_debug {
file "/var/named/data/named.run";
severity dynamic;
};
channel queries_info {
file "/var/named/log/query.log" versions 1 size 100m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category queries {
queries_info;
default_debug;
};
channel notify_info {
file "/var/named/log/notify.log" versions 8 size 128m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category notify {
notify_info;
default_debug;
};
channel dnssec_debug {
file "/var/named/log/dnssec.log" versions 1 size 100m;
print-time yes;
print-category yes;
print-severity yes;
severity debug 3;
};
category dnssec {
dnssec_debug;
};
};
zone "." in {
type hint;
file "root.zone";
};
zone "dev." IN {
type master;
file "dev.zone.signed";
}; 检查配置是否正确:
/home/slim/bind/sbin/named-checkconf -t /home/slim/chroot/ /etc/named.conf
4.启动服务
/home/slim/bind/sbin/named -u slim -t /home/slim/chroot/ -c /etc/named.conf
1.将生成的dsset-dev.发给根服务器,在192.168.110.71上执行
# cd /var/named
# scp dsset-dev. [email protected]:/home/slim/chroot/var/named/
2.在192.168.13.103上执行
# cd /var/named
# vi root.zone
3.在该文件末尾添加 $INCLUDE "dsset-dev."
$TTL 86400
@ IN SOA @ root (
12169
1m
1m
1m
1m )
. IN NS root.ns.
root.ns. IN A 192.168.13.103
dev. IN NS ns.dev.
ns.dev. IN A 192.168.110.71
$INCLUDE "K.+005+62541.key"
$INCLUDE "K.+005+62317.key"
$INCLUDE "dsset-dev."4.然后在根服务器上重新对区文件进行签名
# mv root.zone.signed root.zone.signed.bak
# /home/slim/bind/sbin/dnssec-signzone -o . root.zone
5.重启根服务
三、测试
在递归解析服务执行:
dig @192.168.13.45 +dnssec dev. NS
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.2 <<>> @192.168.13.45 +dnssec dev. NS ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49047 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;dev. IN NS ;; ANSWER SECTION: dev. 80410 IN NS ns.dev. dev. 86386 IN RRSIG NS 5 1 86400 20150517074758 20150417074758 41787 dev. x3QO8JsFscxB7t9SQjtjdZCXyjUkdWNbCfOSUxPyZZPb3jRt/DOYN0lR hKJqgl8VT2T2D1P3kmr8O7ptGlTKpg== ;; ADDITIONAL SECTION: ns.dev. 80410 IN A 192.168.110.71 ns.dev. 86386 IN RRSIG A 5 2 86400 20150517074758 20150417074758 41787 dev. a9f04XI5VUvgoDdJa5BoN3GEhA2Po+Iqo9GLgcw0S5Sts7Hw/dIm/EOF lj8oCXUniBgQdRzWw+0QzYvUavGYxg== ;; Query time: 0 msec ;; SERVER: 192.168.13.45#53(192.168.13.45) ;; WHEN: Fri Apr 17 02:05:49 2015 ;; MSG SIZE rcvd: 263
dig @192.168.13.45 +dnssec abc.dev. A
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.2 <<>> @192.168.13.45 +dnssec abc.dev. A ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20230 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;abc.dev. IN A ;; ANSWER SECTION: abc.dev. 86375 IN A 192.168.100.90 abc.dev. 86375 IN RRSIG A 5 2 86400 20150517074758 20150417074758 41787 dev. aSP+yVyu83pPlwZ8iSoyFydzSOugMLnNV5ZcbObJ+U6qWj8j9AF4Baxy zxqKiSkTDkx16yjgnzdGINwfgFt1EA== ;; AUTHORITY SECTION: dev. 80152 IN NS ns.dev. dev. 86128 IN RRSIG NS 5 1 86400 20150517074758 20150417074758 41787 dev. x3QO8JsFscxB7t9SQjtjdZCXyjUkdWNbCfOSUxPyZZPb3jRt/DOYN0lR hKJqgl8VT2T2D1P3kmr8O7ptGlTKpg== ;; ADDITIONAL SECTION: ns.dev. 80152 IN A 192.168.110.71 ns.dev. 86375 IN RRSIG A 5 2 86400 20150517074758 20150417074758 41787 dev. a9f04XI5VUvgoDdJa5BoN3GEhA2Po+Iqo9GLgcw0S5Sts7Hw/dIm/EOF lj8oCXUniBgQdRzWw+0QzYvUavGYxg== ;; Query time: 0 msec ;; SERVER: 192.168.13.45#53(192.168.13.45) ;; WHEN: Fri Apr 17 02:10:07 2015 ;; MSG SIZE rcvd: 382
注:配置具体域名的dnssec也是类型,生成zone签名,将dsset-*添加到上一节点zone中,并重新签名。