In the previous section we got a basic understanding of DNSSEC; below we walk through a DNSSEC configuration with a concrete example. For installing BIND, see: DNS BIND installation and testing
The environment is as follows:
Recursive resolver: 192.168.13.45
Authoritative server, root node: 192.168.13.103
Authoritative server, dev node: 192.168.110.71
Recursive resolver ---> root node (.) ---> dev node (dev.)
I. Authoritative server configuration
1. Modify the named.conf configuration
key "rndc-key" {
    algorithm hmac-md5;
    secret "bRKv62iy/I7RoNNOl0dW2A==";
};
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
options {
    listen-on port 53 { 192.168.13.103; };
    version "vdns3.0";
    directory "/var/named";
    pid-file "/var/run/named.pid";
    session-keyfile "/var/run/session.key";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    rrset-order { order cyclic; };
    recursion no;
    allow-query { any; };
    allow-query-cache { any; };
    allow-transfer { none; };
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
};
logging {
    channel default_debug {
        file "/var/named/data/named.run";
        severity dynamic;
    };
    channel queries_info {
        file "/var/named/log/query.log" versions 1 size 100m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category queries { queries_info; default_debug; };
    channel notify_info {
        file "/var/named/log/notify.log" versions 8 size 128m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category notify { notify_info; default_debug; };
    channel dnssec_debug {
        file "/var/named/log/dnssec.log" versions 1 size 100m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity debug 3;
    };
    category dnssec { dnssec_debug; };
};
zone "." in {
    type hint;
    file "root.zone";
};
Add the options that enable DNSSEC and turn off recursion.
2. DNSSEC configuration example
1) Generate the signing key pairs
# cd /var/named
First generate the key signing key (KSK) for the zone file:
# ~/bind/sbin/dnssec-keygen -f KSK -a RSASHA1 -b 512 -n ZONE .   # do not leave out the trailing dot
This produces the files K.+005+62317.key and K.+005+62317.private
Then generate the zone signing key (ZSK):
# ~/bind/sbin/dnssec-keygen -a RSASHA1 -b 512 -n ZONE .
This produces the files K.+005+62541.key and K.+005+62541.private
2) Signing
a. Before signing, append the two public keys generated above to the end of the zone file (root.zone)
$TTL 86400
@        IN SOA @ root ( 12169 1m 1m 1m 1m )
.        IN NS  root.ns.
root.ns. IN A   192.168.13.103
dev.     IN NS  ns.dev.
ns.dev.  IN A   192.168.110.71
$INCLUDE "K.+005+62541.key"
$INCLUDE "K.+005+62317.key"
b. Then run the signing operation
    file "root.zone.signed";
    allow-transfer { none; };
};
Check that the configuration is correct:
/home/slim/bind/sbin/named-checkconf -t /home/slim/chroot/ /etc/named.conf
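The key generation, $INCLUDE and signing steps above, scripted end to end in Python as an added example (this is not code from the original post). The dnssec-keygen arguments are the ones shown in the post; the dnssec-signzone invocation is not shown on the page and is assumed here to be BIND's standard `dnssec-signzone -o <origin> -k <KSK> <zonefile> <ZSK>` form, which writes root.zone.signed (the file the zone statement should reference) and a dsset- file holding the DS records. The BIND tools are only executed when they are found on PATH; the argument construction and the $INCLUDE editing run without them. The RSASHA1/512-bit parameters are kept only to match the post: 512-bit RSA offers no real security and RFC 8624 lists RSASHA1 as not recommended for signing, so a current deployment would use ECDSAP256SHA256 (algorithm 13) or RSASHA256 with at least 2048 bits, and newer BIND releases may refuse to generate such short keys.

```python
"""Added example, not from the original post: script the KSK/ZSK generation,
the $INCLUDE edit and the signing of the lab's root zone with BIND's tools.
The dnssec-signzone form is assumed (the post does not show it)."""
import glob
import os
import shutil
import subprocess
import tempfile

ORIGIN = "."            # the zone being signed; the trailing dot is required
ZONE_FILE = "root.zone"

# Zone body from the post, before the $INCLUDE lines are appended.
ROOT_ZONE = """$TTL 86400
@        IN SOA @ root ( 12169 1m 1m 1m 1m )
.        IN NS  root.ns.
root.ns. IN A   192.168.13.103
dev.     IN NS  ns.dev.
ns.dev.  IN A   192.168.110.71
"""


def keygen_argv(origin, ksk, algorithm="RSASHA1", bits=512, keydir="."):
    """dnssec-keygen arguments as used in the post.  -f KSK sets the SEP bit
    (flags 257); without it a ZSK (flags 256) is produced.  RSASHA1/512 bits
    only mirrors the post: use ECDSAP256SHA256 or RSASHA256 >= 2048 for real zones."""
    argv = ["dnssec-keygen"]
    if ksk:
        argv += ["-f", "KSK"]
    argv += ["-K", keydir, "-a", algorithm, "-b", str(bits), "-n", "ZONE", origin]
    return argv


def signzone_argv(origin, zone_file, ksk_file, zsk_file, keydir="."):
    """Assumed dnssec-signzone invocation: -o origin, -k names the KSK, the ZSK
    is the positional key file.  Writes <zone_file>.signed and dsset-<origin>."""
    return ["dnssec-signzone", "-K", keydir, "-o", origin, "-k", ksk_file,
            zone_file, zsk_file]


def append_includes(zone_text, key_files):
    """Step 2a: append one $INCLUDE per public-key file; safe to run twice."""
    lines = zone_text.rstrip("\n").split("\n")
    present = set(line.strip() for line in lines)
    for key_file in sorted(key_files):
        include = '$INCLUDE "%s"' % os.path.basename(key_file)
        if include not in present:
            lines.append(include)
            present.add(include)
    return "\n".join(lines) + "\n"


def is_ksk(key_file):
    """True when the DNSKEY in a .key file has the SEP bit (flags 257)."""
    with open(key_file) as fh:
        for line in fh:
            fields = line.split()
            if "DNSKEY" in fields and not line.startswith(";"):
                return int(fields[fields.index("DNSKEY") + 1]) & 1 == 1
    raise ValueError("no DNSKEY record in %s" % key_file)


def sign_zone(workdir):
    """Run the whole sequence in workdir; returns the signed zone path, or None
    when BIND's dnssec tools are not installed."""
    if not (shutil.which("dnssec-keygen") and shutil.which("dnssec-signzone")):
        return None
    for ksk in (True, False):
        subprocess.run(keygen_argv(ORIGIN, ksk, keydir=workdir),
                       check=True, capture_output=True)
    key_files = glob.glob(os.path.join(workdir, "K.+*.key"))
    zone_path = os.path.join(workdir, ZONE_FILE)
    with open(zone_path, "w") as fh:
        fh.write(append_includes(ROOT_ZONE, key_files))
    ksk_file = next(k for k in key_files if is_ksk(k))
    zsk_file = next(k for k in key_files if not is_ksk(k))
    subprocess.run(signzone_argv(ORIGIN, ZONE_FILE, os.path.basename(ksk_file),
                                 os.path.basename(zsk_file), keydir=workdir),
                   check=True, capture_output=True, cwd=workdir)
    return zone_path + ".signed"


if __name__ == "__main__":
    signed = sign_zone(tempfile.mkdtemp())
    print(signed or "dnssec-keygen/dnssec-signzone not found; nothing signed")
```

After a successful run, point the zone statement's `file` at the .signed output (as in the fragment above) and re-run named-checkconf; re-signing is needed whenever the zone changes or before the RRSIG expiration (30 days after signing by default).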
3. Start the service
/home/slim/bind/sbin/named -u slim -t /home/slim/chroot/ -c /etc/named.conf
II. Recursive resolver configuration
1. Modify the named.conf configuration
key "rndc-key" {
    algorithm hmac-md5;
    secret "D6ShqDKzLPtbHxko0TqgrQ==";
};
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
options {
    listen-on port 53 { 192.168.13.45; };
    version "vdns3.0";
    directory "/var/named";
    pid-file "/var/run/named.pid";
    session-keyfile "/var/run/session.key";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    rrset-order { order cyclic; };
    recursion yes;
    allow-recursion { any; };
    allow-query { any; };
    allow-query-cache { any; };
    allow-transfer { none; };
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
};
logging {
    channel default_debug {
        file "/var/named/data/named.run";
        severity dynamic;
    };
    channel queries_info {
        file "/var/named/log/query.log" versions 1 size 100m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category queries { queries_info; default_debug; };
    channel notify_info {
        file "/var/named/log/notify.log" versions 8 size 128m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category notify { notify_info; default_debug; };
    channel dnssec_debug {
        file "/var/named/log/dnssec.log" versions 1 size 100m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity debug 3;
    };
    category dnssec { dnssec_debug; };
};
zone "." in {
    type hint;
    file "root.zone";
};
Recursion must be enabled (recursion yes;), and the trust anchor is added at the end:
include "/var/named/trust-anchors.conf";
2. Create the "trust anchor" file
# vi trust-anchors.conf
trusted-keys {
    "." 256 3 5 "AwEAAdlhCey/l4T7PQRkBZ2uFixLCpwOdz9bgAMGbNTRApiey9On/qIu uBuEcCvArTYti944ErPPco+fcBawCmYordU=";
    "." 257 3 5 "AwEAAdQah+KmO0vMSYHtx/TxBzBjqif524nuFow5bp5Zc+pDO9tLrX3Y SrVpuddSx+utRZLVzcI3JeFQtjaBa8OfXH0=";
};
The key material here is copied from the key fields of K.+005+62317.key and K.+005+62541.key generated on the authoritative server.
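An added example, not from the original post, that reads the trust-anchors.conf above and reports what each entry actually is: it decodes the DNSKEY public keys, tells KSK from ZSK by the SEP bit in the flags field (257 versus 256), extracts the RSA exponent and modulus size from the RFC 3110 encoding, computes the RFC 4034 Appendix B key tag (the number that should equal the 62317/62541 in the key file names if the keys were copied intact) and derives the DS record a parent zone would publish. It uses only the Python standard library; the key material is the post's own. One thing it makes visible: only the KSK (flags 257) needs to be configured as the trust anchor, and listing the ZSK as well means trust-anchors.conf must be edited on every ZSK rollover.

```python
"""Added example (not from the original post): inspect the DNSKEYs placed in
trust-anchors.conf, classify them, and derive the RFC 4034 key tag and a DS record."""
import base64
import hashlib
import re
import struct

# Copied from the post's trust-anchors.conf.
TRUST_ANCHORS = '''trusted-keys {
    "." 256 3 5 "AwEAAdlhCey/l4T7PQRkBZ2uFixLCpwOdz9bgAMGbNTRApiey9On/qIu uBuEcCvArTYti944ErPPco+fcBawCmYordU=";
    "." 257 3 5 "AwEAAdQah+KmO0vMSYHtx/TxBzBjqif524nuFow5bp5Zc+pDO9tLrX3Y SrVpuddSx+utRZLVzcI3JeFQtjaBa8OfXH0=";
};'''

ENTRY = re.compile(r'"([^"]+)"\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]+)"')


def parse_trusted_keys(text):
    """Yield (owner, flags, protocol, algorithm, pubkey_bytes) per entry."""
    for owner, flags, proto, alg, b64 in ENTRY.findall(text):
        pub = base64.b64decode("".join(b64.split()))  # whitespace inside the quotes is allowed
        yield owner, int(flags), int(proto), int(alg), pub


def dnskey_rdata(flags, proto, alg, pub):
    """DNSKEY RDATA in wire form: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, proto, alg) + pub


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (for every algorithm except 1/RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rsa_public_key(pub):
    """Split an RFC 3110 RSA public key into (exponent, modulus_bytes)."""
    if pub[0] != 0:
        elen, off = pub[0], 1
    else:
        elen, off = struct.unpack("!H", pub[1:3])[0], 3
    return int.from_bytes(pub[off:off + elen], "big"), pub[off + elen:]


def wire_name(name):
    """Owner name in DNS wire format; the root is a single zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner-name wire form plus DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()


def summarize(text=TRUST_ANCHORS):
    """One dict per key: role, tag, RSA size, and the DS line a parent would hold."""
    out = []
    for owner, flags, proto, alg, pub in parse_trusted_keys(text):
        rdata = dnskey_rdata(flags, proto, alg, pub)
        exp, mod = rsa_public_key(pub)
        tag = key_tag(rdata)
        out.append({
            "owner": owner,
            "role": "KSK" if flags & 1 else "ZSK",  # bit 15 = SEP, set on the KSK (257)
            "tag": tag,
            "exponent": exp,
            "bits": len(mod) * 8,
            "ds": "%s IN DS %d %d 2 %s" % (owner, tag, alg, ds_sha256(owner, rdata)),
        })
    return out


if __name__ == "__main__":
    for k in summarize():
        print(k["role"], "tag", k["tag"], "RSA", k["bits"], "bits, e =", k["exponent"])
        print("  ", k["ds"])
```

The DS line is what the root's parent would carry if this were a real delegation; for the lab there is no parent, which is exactly why the resolver needs the KSK as a configured trust anchor.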
3. Root zone (root.zone)
$TTL 86400
@        IN SOA @ root ( 12169 1m 1m 1m 1m )
.        IN NS  root.ns.
root.ns. IN A   192.168.13.103
The NS record points at the address of the root (".") server.
4. Start the service
/home/slim/bind/sbin/named -u slim -t /home/slim/chroot/ -c /etc/named.conf
Test from the recursive resolver.
dig @192.168.13.45 +dnssec . NS
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.2 <<>> @192.168.13.45 +dnssec . NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 362
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       85830   IN      NS      root.ns.
.                       85830   IN      RRSIG   NS 5 0 86400 20150517041910 20150417041910 62541 . udUss1t7llZeYZAbsi8/ITPwVFAy8cB3BpyAyiVLQjRRCtKOSNS7V1H/ jzMdzJ+d62EfdC+hABrX9200Dpnung==

;; Query time: 1 msec
;; SERVER: 192.168.13.45#53(192.168.13.45)
;; WHEN: Fri Apr 17 00:25:18 2015
;; MSG SIZE  rcvd: 142
The ad flag in the flags field shows that DNSSEC is enabled and the answer passed validation; add the +cdflag option to dig to debug DNSSEC.
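A small validation check over the dig output above, added here as an example and not part of the original post. It parses the header flags, the EDNS flags and the RRSIG line, and reports why an answer would not count as validated: no DO bit (DNSSEC records were not requested), CD set (what +cdflag does: the resolver answers without validating, so ad is never set), AD missing, or an RRSIG whose inception/expiration window does not contain the query time. The dig text embedded in the script is the post's own output, trimmed to the lines the check needs; the query times passed in are constructed.

```python
"""Added example, not part of the original post: sanity-check a `dig +dnssec`
answer the way a monitoring script would (AD set, DO requested, CD clear, and an
RRSIG over the answer whose validity window contains the query time)."""
import re
from datetime import datetime, timezone

# Lines copied from the post's dig output; only what the checks need is kept.
DIG_OUTPUT = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 362
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;.              IN      NS
;; ANSWER SECTION:
.       85830   IN      NS      root.ns.
.       85830   IN      RRSIG   NS 5 0 86400 20150517041910 20150417041910 62541 . udUss1t7llZeYZAbsi8/ITPwVFAy8cB3BpyAyiVLQjRRCtKOSNS7V1H/ jzMdzJ+d62EfdC+hABrX9200Dpnung==
"""


def header_flags(output):
    """Flags from the ';; flags:' line, e.g. {'qr', 'rd', 'ra', 'ad'}."""
    m = re.search(r"^;; flags: ([^;]*);", output, re.M)
    return set(m.group(1).split()) if m else set()


def edns_flags(output):
    """Flags from the EDNS pseudosection; 'do' means DNSSEC records were requested."""
    m = re.search(r"^; EDNS: version: \d+, flags:([^;]*);", output, re.M)
    return set(m.group(1).split()) if m else set()


def rrsigs(output):
    """Parse RRSIG presentation-format lines (RFC 4034 section 3.2) into dicts."""
    out = []
    for line in output.splitlines():
        f = line.split()
        if len(f) >= 12 and f[3] == "RRSIG":
            out.append({"owner": f[0], "covers": f[4], "alg": int(f[5]),
                        "labels": int(f[6]), "orig_ttl": int(f[7]),
                        "expiration": f[8], "inception": f[9],
                        "tag": int(f[10]), "signer": f[11]})
    return out


def _ts(s):
    # RRSIG times are UTC YYYYMMDDHHMMSS
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def rrsig_in_window(sig, when):
    """True when inception <= when <= expiration (all in YYYYMMDDHHMMSS UTC)."""
    return _ts(sig["inception"]) <= _ts(when) <= _ts(sig["expiration"])


def check_validated(output, qname, qtype, when):
    """Return (ok, reasons).  AD from a resolver is only meaningful when the path
    to that resolver is trusted; +cdflag sets CD, which makes the resolver hand
    back unvalidated data with AD clear."""
    reasons = []
    hf, ef = header_flags(output), edns_flags(output)
    if "do" not in ef:
        reasons.append("DO bit missing: DNSSEC records were not requested")
    if "cd" in hf:
        reasons.append("CD set: validation disabled by the client")
    if "ad" not in hf:
        reasons.append("AD missing: answer not validated by the resolver")
    sigs = [s for s in rrsigs(output) if s["owner"] == qname and s["covers"] == qtype]
    if not sigs:
        reasons.append("no RRSIG covering %s %s" % (qname, qtype))
    elif not any(rrsig_in_window(s, when) for s in sigs):
        reasons.append("RRSIG outside its validity window")
    return not reasons, reasons


if __name__ == "__main__":
    print(check_validated(DIG_OUTPUT, ".", "NS", "20150501000000"))
```

The RRSIG's key tag (62541) should match the ZSK from the authoritative server, which is the key that signs the zone data; the KSK (62317) only signs the DNSKEY RRset itself.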
Note: to configure a slave server, you only need to add the options that enable DNSSEC in the options block, delete the original root zone, and restart the service.