DNS BIND之dnssec安全实例配置-根节点

上一节我们对 DNSSEC 有了初步的认识,下面通过一个实例来实际演练 DNSSEC 的配置。本文搭建的是一个与公网隔离的“私有根”实验环境,只覆盖根节点(.)的签名以及递归服务器上信任锚的配置;文中的密钥算法、密钥长度、访问控制等参数都是为了演示而简化的,不能直接照搬到生产环境。关于 BIND 的安装请参考:DNS BIND安装测试

环境如下

递归解析服务器:192.168.13.45

权威服务器根节点:192.168.13.103

权威服务dev节点:192.168.110.71

递归服务--->根节点(.)--->dev节点(dev.)

一、权威服务器配置

1.修改named.conf配置

/* Control-channel key used by rndc to manage this named instance.
 * hmac-md5 is the weakest algorithm accepted here; generate a fresh secret
 * with rndc-confgen (never reuse the one published in this example) and,
 * where your BIND version supports it, switch to hmac-sha256. rndc.conf on
 * the client side must carry the same algorithm and secret. */
key "rndc-key" {
        algorithm hmac-md5;
        secret "bRKv62iy/I7RoNNOl0dW2A==";
};

/* Control channel bound to loopback only and authenticated with the key
 * above, so rndc cannot be reached from other hosts. */
controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
};
/* Authoritative-only server for the lab root zone (192.168.13.103). */
options{
        listen-on port 53{
                192.168.13.103;
        };
        /* Replaces the real BIND version string in version.bind queries. */
        version "vdns3.0";
        directory "/var/named";
        pid-file "/var/run/named.pid";
        session-keyfile "/var/run/session.key";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        rrset-order { 
                order cyclic;
        }; 
        /* Authoritative server: recursion is off so it cannot be abused as
         * an open resolver. allow-query any is the normal setting for
         * publicly served authoritative data. */
        recursion no;
        allow-query{
                any;
        };
        /* Inert while recursion is off: there is no cache to query. */
        allow-query-cache{
                any;
        };
        /* Zone transfers are blocked. If secondaries are added, allow only
         * their addresses here (ideally TSIG-authenticated), never any. */
        allow-transfer{
                none;
        }; 
        /* dnssec-enable lets this server return the RRSIG/DNSKEY/NSEC data
         * of the signed zone to clients setting the DO bit. dnssec-validation
         * and dnssec-lookaside only matter on a recursive (validating)
         * server, so they do nothing here. NOTE(review): ISC has retired the
         * DLV registry and newer BIND releases no longer accept
         * dnssec-lookaside or dnssec-enable; check your version before
         * copying these lines. */
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};

/* Logging: rotated query and notify logs, plus a dedicated channel for the
 * dnssec category at debug level 3. That channel is where validation
 * problems (e.g. broken trust chains) are reported; debug 3 is verbose, so
 * lower it once the setup works. Query logs record client addresses,
 * which may be sensitive outside a lab. */
logging { 
        channel default_debug {
                file "/var/named/data/named.run";
                severity dynamic;
        };
        channel queries_info { 
                file "/var/named/log/query.log" versions 1 size 100m; 
                severity info; 
                print-category yes; 
                print-severity yes; 
                print-time yes; 
        }; 
 
        category queries { 
                queries_info; 
                default_debug; 
        }; 
 
        channel notify_info { 
                file "/var/named/log/notify.log" versions 8 size 128m; 
                severity info; 
                print-category yes; 
                print-severity yes; 
                print-time yes; 
        }; 
 
        category notify { 
                notify_info; 
                default_debug; 
        };
        channel dnssec_debug {
                file "/var/named/log/dnssec.log" versions 1 size 100m;
                print-time yes;
                print-category yes;
                print-severity yes;
                severity debug 3;
        }; 
        category dnssec { 
                dnssec_debug; 
        };
}; 

/* Default root-hints stanza. Step 2c of this page replaces it with a
 * "type master" zone serving root.zone.signed; named rejects a
 * configuration that defines "." twice, so remove this one then. */
zone "." in {
        type hint;
        file "root.zone";
};

相对默认配置,这里在 options 中增加了 dnssec-enable yes; 等 dnssec 选项(让服务器能够向设置了 DO 位的客户端返回签名数据),并用 recursion no; 关闭了递归服务——权威服务器不应同时提供递归,否则会成为可被利用的开放解析器。注意:dnssec-validation 和 dnssec-lookaside 只对递归(验证)服务器有意义,在权威服务器上不起作用;而且 ISC 的 DLV 服务已经停用,较新版本的 BIND 也已移除 dnssec-lookaside 和 dnssec-enable 这两个选项,使用新版本时不要再配置它们。

2.dnssec配置实例
1)生成签名密钥对

# cd /var/named
首先为区(zone)生成密钥签名密钥 KSK。注意:下面示例使用的 RSASHA1 + 512 位只是为了演示方便——512 位 RSA 早已可以被分解,RSASHA1(算法号 5)也已不再推荐用于签名;生产环境至少应使用 RSASHA256(-a RSASHA256,KSK 2048 位)或 ECDSAP256SHA256(-a ECDSAP256SHA256)。如果改用其他算法,后文文件名中的 +005+ 以及信任锚里的算法号 5 也要随之变化:
 # ~/bind/sbin/dnssec-keygen -f KSK -a RSASHA1 -b 512 -n ZONE .  #注意结尾的点别遗漏
将生成 K.+005+62317.key(公钥,即一条 DNSKEY 记录)和 K.+005+62317.private(私钥)两个文件;文件名中的 005 是算法号(RSASHA1),62317 是 key tag。私钥文件必须妥善保管并限制读取权限,一旦泄露,任何人都可以伪造本区的签名。
然后生成区签名密钥 ZSK(算法和密钥长度的取舍同上):
# ~/bind/sbin/dnssec-keygen -a RSASHA1 -b 512 -n ZONE .
将生成文件K.+005+62541.key和K.+005+62541.private
2)签名
a. 签名之前,用 $INCLUDE 把前面生成的两个公钥文件(.key 文件,内容就是 DNSKEY 记录)引入区文件 root.zone 的末尾。只引入 .key 公钥文件,绝不要把 .private 私钥文件放进区文件:

; Lab root zone for "." served by 192.168.13.103. It is signed afterwards
; with "dnssec-signzone -o . root.zone", producing root.zone.signed.
$TTL 86400
; SOA: serial 12169, then refresh/retry/expire/negative-TTL, all 1 minute.
; A 1m expire is lab-only: a secondary that cannot reach the primary for
; one minute stops serving the zone. Bump the serial on every change.
@           IN   SOA    @       root (
                                                        12169
                                                        1m
                                                        1m
                                                        1m
                                                        1m )
; Apex NS record plus glue for the root name server itself.
.                       IN      NS      root.ns.
root.ns.        IN      A       192.168.13.103
; Delegation to dev. consists of NS and glue only. No DS record for dev. is
; present, so the signed root gives a validator no chain of trust into dev.;
; the DS derived from dev.'s KSK must be added here before signing for that.
dev.            IN      NS      ns.dev.
ns.dev.         IN      A       192.168.110.71
 
; Pull the public DNSKEY records of the ZSK and KSK into the zone prior to
; signing. Only the .key files belong here, never the .private files.
$INCLUDE "K.+005+62541.key"
$INCLUDE "K.+005+62317.key"

b.然后执行签名操作
# ~/bind/sbin/dnssec-signzone  -o  .  root.zone
上面的 -o 选项指定待签名区的名字,签名后生成 root.zone.signed。注意 dnssec-signzone 生成的签名默认只有 30 天有效期(后文 dig 输出里的 RRSIG 可以看到 20150417→20150517),签名过期后递归服务器验证会失败并返回 SERVFAIL,所以必须在过期之前递增 SOA serial、重新签名并 rndc reload;也可以用 -e 参数指定过期时间,或者改用 BIND 的 auto-dnssec maintain / inline-signing 让 named 自动维护签名。
c. 修改主配置文件 named.conf:把前面的 zone "." 由 type hint 改成 type master,并指向签名后的区文件(同一配置中不能同时保留 hint 和 master 两个 "." 区):
/* Serve the signed root zone. This stanza replaces the earlier hint stanza
 * for "." (named rejects a duplicate zone). The RRSIGs in root.zone.signed
 * expire (30 days by default), so the zone must be re-signed and reloaded
 * before then or resolvers start failing validation. */
zone "." IN {  
        type master;  

        file "root.zone.signed";  

/* Transfers blocked; open only to specific secondaries if any are added. */
allow-transfer {none;};

};

检查配置是否正确:

/home/slim/bind/sbin/named-checkconf -t /home/slim/chroot/ /etc/named.conf

3.启动服务

/home/slim/bind/sbin/named -u slim -t /home/slim/chroot/ -c /etc/named.conf

二、递归解析服务器配置

1.修改named.conf配置

/* Control-channel key used by rndc to manage this named instance.
 * hmac-md5 is the weakest algorithm accepted here; generate a fresh secret
 * with rndc-confgen (never reuse the one published in this example) and,
 * where your BIND version supports it, switch to hmac-sha256. rndc.conf on
 * the client side must carry the same algorithm and secret. */
key "rndc-key" {
        algorithm hmac-md5;
        secret "D6ShqDKzLPtbHxko0TqgrQ==";
};

/* Control channel bound to loopback only and authenticated with the key
 * above, so rndc cannot be reached from other hosts. */
controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
};
/* Validating recursive resolver for the lab (192.168.13.45). */
options{
        listen-on port 53{
                192.168.13.45;
        };
        /* Replaces the real BIND version string in version.bind queries. */
        version "vdns3.0";
        directory "/var/named";
        pid-file "/var/run/named.pid";
        session-keyfile "/var/run/session.key";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        rrset-order { 
                order cyclic;
        }; 
        /* recursion yes together with allow-recursion / allow-query /
         * allow-query-cache set to any makes this an open resolver. That is
         * acceptable only on an isolated lab network; in production restrict
         * all three to the client networks (an ACL of internal prefixes) so
         * the server cannot be used for DNS reflection/amplification. */
        recursion yes;
        allow-recursion {
                any;
        };
        allow-query{
                any;
        };
        allow-query-cache{
                any;
        };
        allow-transfer{
                none;
        }; 

        /* dnssec-validation yes is what makes this server validate answers
         * against its trust anchors (the trusted-keys in the included
         * trust-anchors.conf) and set the AD flag on success.
         * dnssec-lookaside auto tells the validator to consult ISC's DLV
         * registry (dlv.isc.org). That registry has since been retired, and
         * in this lab dlv.isc.org is not even resolvable through the private
         * root, so the option is best removed. Newer BIND releases no longer
         * accept dnssec-lookaside or dnssec-enable at all. */
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};

/* Logging: rotated query and notify logs, plus a dedicated channel for the
 * dnssec category at debug level 3. Validation failures (e.g. a broken
 * trust chain for dev.) are reported there; debug 3 is verbose, so lower it
 * once the setup works. Query logs record client addresses, which may be
 * sensitive outside a lab. */
logging { 
        channel default_debug {
                file "/var/named/data/named.run";
                severity dynamic;
        };
        channel queries_info { 
                file "/var/named/log/query.log" versions 1 size 100m; 
                severity info; 
                print-category yes; 
                print-severity yes; 
                print-time yes; 
        }; 
 
        category queries { 
                queries_info; 
                default_debug; 
        }; 
 
        channel notify_info { 
                file "/var/named/log/notify.log" versions 8 size 128m; 
                severity info; 
                print-category yes; 
                print-severity yes; 
                print-time yes; 
        }; 
 
        category notify { 
                notify_info; 
                default_debug; 
        };
        channel dnssec_debug {
                file "/var/named/log/dnssec.log" versions 1 size 100m;
                print-time yes;
                print-category yes;
                print-severity yes;
                severity debug 3;
        }; 
        category dnssec { 
                dnssec_debug; 
        };
}; 

/* Root hints. The root.zone used here points "." at the lab root server
 * 192.168.13.103 instead of the real Internet root, so this resolver can
 * only resolve names under the lab root. Never deploy this hint file on a
 * resolver that serves real clients. */
zone "." in {
        type hint;
        file "root.zone";
};
与权威服务器的区别是:这里需要开启递归服务(recursion yes;),并由 dnssec-validation yes; 负责对应答进行验证。示例中的 allow-recursion { any; } 和 allow-query { any; } 会让它成为开放递归解析器,仅适用于隔离的实验网络,生产环境必须限制为内部客户端网段,以免被用于 DNS 反射放大攻击。最后在配置文件末尾引入信任锚文件:

include "/var/named/trust-anchors.conf";

2.创建“信任锚”文件
# cd /var/named

# vi trust-anchors.conf

/* Static DNSSEC trust anchors for the lab root. Each entry is
 * name flags protocol algorithm public-key, copied from the DNSKEY records
 * in the K.+005+*.key files generated on the authoritative server.
 * Only the KSK (flags 257, K.+005+62317.key) needs to be an anchor: the
 * ZSK (flags 256) is validated through the KSK-signed DNSKEY RRset and is
 * the key that gets rolled routinely, so a static ZSK anchor would have to
 * be edited on every roll. Anchors must be obtained out-of-band from the
 * zone operator, never fetched via DNS, and this file should be root-owned
 * and not writable by the named user. Production setups normally prefer
 * managed-keys (RFC 5011) so KSK rollovers are tracked automatically. */
trusted-keys {
        "." 256 3 5 "AwEAAdlhCey/l4T7PQRkBZ2uFixLCpwOdz9bgAMGbNTRApiey9On/qIu uBuEcCvArTYti944ErPPco+fcBawCmYordU=";
        "." 257 3 5 "AwEAAdQah+KmO0vMSYHtx/TxBzBjqif524nuFow5bp5Zc+pDO9tLrX3Y SrVpuddSx+utRZLVzcI3JeFQtjaBa8OfXH0=";
};

其中的密钥部分是从权威服务器生成的 K.+005+62317.key(KSK,标志位 257)和 K.+005+62541.key(ZSK,标志位 256)中拷贝过来的 DNSKEY 记录,格式为“标志位 协议号(3) 算法号(5) 公钥”。实际上只需要把 KSK 配置为信任锚:ZSK 由 KSK 签名的 DNSKEY 记录集来验证,而且会定期轮换,写成静态信任锚的话每次轮换都要手工改这个文件。信任锚必须通过可信的带外渠道从权威方获取,而不能通过 DNS 查询得到;生产环境建议改用 managed-keys(RFC 5011)自动跟踪 KSK 轮换。

3.根zone(root.zone)

; Root hints file for the lab resolver: the NS record and its glue A record
; tell named that "." is served by 192.168.13.103. This replaces the real
; root hints, so the resolver is cut off from the Internet root entirely.
$TTL 86400
; SOA: serial 12169, refresh/retry/expire/negative-TTL all 1 minute
; (lab values; copied from the authoritative zone file).
@           IN   SOA    @       root (
                                                        12169
                                                        1m
                                                        1m
                                                        1m
                                                        1m )
; Root NS plus the glue address of the lab root server.
.                       IN      NS      root.ns.
root.ns.        IN      A       192.168.13.103
这是递归服务器的根提示(hint)文件,把根(“.”)的 NS 指向实验环境中的根权威服务器 192.168.13.103,从而完全替代公网根;不要把它用在面向真实客户端的解析器上。

4.启动服务

/home/slim/bind/sbin/named -u slim -t /home/slim/chroot/ -c /etc/named.conf

三、测试

在递归解析服务器测试。

dig @192.168.13.45  +dnssec .  NS

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.2 <<>> @192.168.13.45 +dnssec . NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 362
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       85830   IN      NS      root.ns.
.                       85830   IN      RRSIG   NS 5 0 86400 20150517041910 20150417041910 62541 . udUss1t7llZeYZAbsi8/ITPwVFAy8cB3BpyAyiVLQjRRCtKOSNS7V1H/ jzMdzJ+d62EfdC+hABrX9200Dpnung==

;; Query time: 1 msec
;; SERVER: 192.168.13.45#53(192.168.13.45)
;; WHEN: Fri Apr 17 00:25:18 2015
;; MSG SIZE  rcvd: 142
其中 flags 部分出现 ad(Authenticated Data)标志,说明递归服务器已按信任锚对应答做了 DNSSEC 验证并通过。注意 ad 只表示递归服务器验证通过,dig 自身并不验证;客户端到递归服务器之间的链路仍可能被篡改,除非二者处在同一可信网络或有 TSIG 等保护。调试 DNSSEC 时可以给 dig 加上 +cdflag(Checking Disabled)参数,让递归服务器跳过验证直接返回数据,对比两次结果即可判断是数据本身缺失还是验证失败。
但是此时如果执行
dig @192.168.13.45  +dnssec dev. NS
会查询失败(SERVFAIL),dnssec.log 中可能看到“信任链受损”(broken trust chain)一类的错误。要让 dev. 通过验证,必须先用 dev. 区自己的 KSK 生成 DS 记录(dnssec-dsfromkey),把它加入根区 root.zone 并重新签名,形成从根 KSK 到 dev. 区密钥的信任链——本文的根区里只有 dev. 的 NS 和胶水记录,这一步尚未完成。另外 dnssec-lookaside auto 会让验证器去查询 DLV 注册表 dlv.isc.org,在这个与公网隔离的环境里该查询本身就无法完成,也可能是报错的原因之一,建议去掉该选项后再对照 dnssec.log 排查。

注意:如果要配置从(slave)服务器,只需要在 options 中添加开启 dnssec 的选项,并删除原有的根 zone(hint)配置,然后重启服务。同时示例中权威服务器的 allow-transfer { none; } 也要改为只允许从服务器的地址进行区传送,最好再用 TSIG 密钥对传送做认证,不要直接放开为 any。
