rhel 5.4基于TSIG Key多个view多个slave智能bind
2010-10-31 v0.01 北京公司
参考
Cjh: Linux应用使用TSIG和DNSSEC加固域名服务器
http://www.chinaz.com/Server/DNS/11051Y322007.html
netmanl :Bind9 View 底下的 master/slave 設定方案
http://bbs.chinaunix.net/viewthr ... &extra=page%3D2
ailms: BIND 9.3 下使用 TSIG key 简化 view 的设置
http://hi.baidu.com/lvmajia/blog/item/5cf9fbfce6ed54f8fd037f70.html
hahazhu: 架设Master/Slave智能DNS的流程
http://5ydycm.blog.51cto.com/115934/116635
系统环境:rhel 5.4
所需包:
bind-9.5.1-P2.tar.gz
openssl-0.9.8d.tar.gz
ripe-dbase-client-v3.tar.gz
view
1. view_telecom
2. view_cnc
3. view_any
master: ns1.jerome-1.com 192.168.166.202
slave : ns2.jerome-1.com 192.168.166.203
ns3.jerome-1.com 192.168.166.212
(一) 安装
1、安装openssl
cd /usr/local/src
tar -zxvf openssl-0.9.8d.tar.gz
cd openssl-0.9.8d
./config --prefix=/usr/local/openssl
make && make install
2、安装bind
cd /usr/local/src
tar -zxvf bind-9.5.1-P2.tar.gz
cd bind-9.5.1-P2
./configure --prefix=/usr/local/named/ \
--mandir=/usr/local/share/man/ \
--enable-threads \
--with-openssl=/usr/local/openssl/
make && make install
groupadd -g 25 named
useradd -u 25 -g 25 -d /usr/local/named -s /sbin/nologin named
mkdir /usr/local/named/namedb
开始配置bind
创建 rndc.conf文件,用bind自带程序生成
cd /usr/local/named/
/usr/local/named/sbin/rndc-confgen > etc/rndc.conf
把rndc.conf 中的key信息输出到 named.conf 中 并将相同内容复制到slave的named.conf
cd /usr/local/named/etc/
tail -n 10 rndc.conf | head -n9 | sed -e s/#\ //g > ../named.conf
若运行rndc-confgen没有反应是怎么回事呢
仔细研究了一下rndc-confgen的选项,发现可以用下面的命令直接生成rndc.conf文件,无需做上述更改。
rndc-confgen -s 127.0.0.1 -r /dev/urandom > rndc.conf
一开始不能执行rndc-confgen命令是由于该命令是需要调用/dev/random,
而由于rndc-confgen的默认加密位数应该是218bit,超出了random默认支持的数据量导致。
3、安装IP地址段查询工具Ripe-dbase-client-v3:
下载软件包:
wget http://ftp.apnic.net/apnic/dbase/tools/ripe-dbase-client-v3.tar.gz
cd /usr/local/src
tar zxvf ripe-dbase-client-v3.tar.gz
cd whois-3.1
./configure --prefix=/usr
make && make install
4、设置配置文件
mkdir /usr/local/named/data
mkdir /usr/local/named/master    (slave 上则执行 mkdir /usr/local/named/slave)
wget ftp://ftp.internic.org/domain/named.root -O /usr/local/named/named.ca
配置ACL文件
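# Build the CNC and TELECOM acl files from APNIC whois data (MAINT-CNCGROUP and
# MAINT-CHINANET). The whois answer is untrusted remote text that ends up inside
# a file named.conf include's, so only tokens shaped like an IPv4 prefix are
# written out, and an empty result leaves the existing acl file untouched
# instead of replacing it with an empty acl (which would make every client fall
# through to view_any).
# NOTE(review): the "descr: ... Reverse delegation for <prefix>" line format is
# inherited from the original pipeline - confirm it still matches whois output.
#
# Arguments: $1 acl name, $2 whois maintainer object, $3 output file
# Returns:   0 when the file was written, 1 when no prefix was found
build_acl() {
  local acl_name=$1 maint=$2 out=$3
  local prefixes
  prefixes=$(/usr/bin/whois3 -h whois.apnic.net -l -i mb "$maint" \
    | grep "descr" | grep "Reverse" \
    | awk -F "for" '{if ($2!="") print $2}' \
    | awk '{print $1}' \
    | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' \
    | sort -n)
  if [ -z "$prefixes" ]; then
    echo "ERROR: no prefixes found for $maint, leaving $out untouched" >&2
    return 1
  fi
  {
    printf 'acl "%s" {\n' "$acl_name"
    printf '%s\n' "$prefixes" | sed 's/$/;/'
    printf '};\n'
  } > "$out"
}
build_acl CNC MAINT-CNCGROUP /usr/local/named/cnc_acl.conf
build_acl TELECOM MAINT-CHINANET /usr/local/named/telecom_acl.conf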
将named.ca cnc_acl.conf telecom_acl.conf scp至slave的/usr/local/named/下
5增加域名定义文件
设置网通域名定义文件
vi /usr/local/named/master/jerome-1.com.cnc
========== jerome-1.com.cnc ==========
$TTL 3600
$ORIGIN jerome-1.com.
; Zone data served to CNC clients (view_cnc). The same zone name is served from
; three files, one per view, so each file carries its own serial.
@ IN SOA ns1.jerome-1.com. root.jerome-1.com. (
2010103103 ;Serial - bump on every edit, otherwise slaves will not pick up the change
3600 ;Refresh ( seconds )
900 ;Retry ( seconds )
68400 ;Expire ( seconds ) - 19 h: slaves stop answering if the master is unreachable
; that long. RFC 1912 suggests weeks; NOTE(review): confirm 68400 was not meant
; to be 604800 (one week).
15 ;Minimum TTL for Zone ( seconds ) - used as the negative-caching TTL (RFC 2308)
)
@ IN NS ns1.jerome-1.com.
@ IN NS ns2.jerome-1.com.
@ IN NS ns3.jerome-1.com.
ns1 IN A 192.168.166.202
ns2 IN A 192.168.166.203
ns3 IN A 192.168.166.212
www IN A 192.168.166.215 ; view-specific answer: the telecom and any files point www elsewhere
ftp IN A 192.168.166.202
cnc IN A 192.168.166.215
cnc1 IN A 192.168.166.215
cnc2 IN A 192.168.166.215
========== jerome-1.com.cnc ===========
设置电信域名定义文件
vim /usr/local/named/master/jerome-1.com.telecom
========== jerome-1.com.telecom ==========
$TTL 3600
$ORIGIN jerome-1.com.
; Zone data served to TELECOM clients (view_telecom). Same zone name as the cnc
; and any files, so keep the serial independent per file.
@ IN SOA ns1.jerome-1.com. root.jerome-1.com. (
2010103102 ;Serial - bump on every edit, otherwise slaves will not pick up the change
3600 ;Refresh ( seconds )
900 ;Retry ( seconds )
68400 ;Expire ( seconds ) - 19 h: slaves stop answering if the master is unreachable
; that long. RFC 1912 suggests weeks; NOTE(review): confirm 68400 was not meant
; to be 604800 (one week).
15 ;Minimum TTL for Zone ( seconds ) - used as the negative-caching TTL (RFC 2308)
)
@ IN NS ns1.jerome-1.com.
@ IN NS ns2.jerome-1.com.
@ IN NS ns3.jerome-1.com.
ns1 IN A 192.168.166.202
ns2 IN A 192.168.166.203
ns3 IN A 192.168.166.212
www IN A 192.168.166.202 ; view-specific answer: the cnc file points www at .215
telecom IN A 192.168.166.215
telecom1 IN A 192.168.166.215
telecom2 IN A 192.168.166.215
========== jerome-1.com.telecom ===========
设置其它区域域名定义文件:
vim /usr/local/named/master/jerome-1.com.any
========== jerome-1.com.any ===========
$TTL 3600
$ORIGIN jerome-1.com.
; Zone data served to every other client (view_any, the catch-all view).
@ IN SOA ns1.jerome-1.com. root.jerome-1.com. (
2010103102 ;Serial - bump on every edit, otherwise slaves will not pick up the change
3600 ;Refresh ( seconds )
900 ;Retry ( seconds )
68400 ;Expire ( seconds ) - 19 h: slaves stop answering if the master is unreachable
; that long. RFC 1912 suggests weeks; NOTE(review): confirm 68400 was not meant
; to be 604800 (one week).
15 ;Minimum TTL for Zone ( seconds ) - used as the negative-caching TTL (RFC 2308)
)
@ IN NS ns1.jerome-1.com.
@ IN NS ns2.jerome-1.com.
@ IN NS ns3.jerome-1.com.
ns1 IN A 192.168.166.202
ns2 IN A 192.168.166.203
ns3 IN A 192.168.166.212
www IN A 192.168.166.202 ; view-specific answer: the cnc file points www at .215
any IN A 192.168.166.215
any1 IN A 192.168.166.215
========== jerome-1.com.any ===========
6.Acl Options logging include
// Addresses allowed to pull zones by default (see allow-transfer below).
// NOTE(review): 127.0.0.1/8 has host bits set; 127.0.0.0/8 is the canonical
// form and avoids a prefix-length mismatch warning from named.
acl "trusted-lan" {
127.0.0.1/8;
192.168.166.0/24;
};
options {
directory "/usr/local/named";
dump-file "/usr/local/named/data/cache_dump.db";
statistics-file "/usr/local/named/data/named_stats.txt";
version ""; // hide the BIND version from version.bind CHAOS queries
datasize 40M;
// Global default; every view in this setup overrides it (master: key only,
// slave: none).
allow-transfer {
"trusted-lan";
};
// Recursion is left off here and set to "no" in each view, so the server is
// authoritative-only and cannot be used as an open resolver.
#recursion yes;
#allow-recursion {
# "trusted-lan";
#};
};
logging {
// Both channels write under /usr/local/named/var, which must exist and be
// writable by the user named runs as; rotation is 3 files of 5 MB each.
channel warning {
file "/usr/local/named/var/dns_warning" versions 3 size 5m ;
severity warning;
print-category yes;
print-severity yes;
print-time yes;
};
channel general_dns {
file "/usr/local/named/var/dns_log" versions 3 size 5m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category default {
warning;
};
// Logs every query together with the client address: useful for checking
// which view a client lands in, costly on a busy server.
category queries {
general_dns;
};
};
// "CNC" and "TELECOM" acls generated from APNIC whois data in step 4; they
// must be included before the views that reference them.
include "cnc_acl.conf";
include "telecom_acl.conf";
7. TSIG
使用TSIG技术,执行 dnssec-keygen 产生加密金钥,会生成两个文件:一个为 public key 文件,另一个为 private key 文件。
首先在master上生成三对key,用于cnc telecom any
# Generate one 128-bit HMAC-MD5 TSIG key per view on the master; the secret is
# later pasted into the key stanzas of named.conf on the master and the slaves.
# The K*.private files contain that secret: keep them root-only and remove them
# once the secret has been copied. If the command blocks waiting for entropy,
# dnssec-keygen accepts -r /dev/urandom just like rndc-confgen above.
# NOTE(review): the key files listed below (Kcnc-key.+157+...) appear to have
# been generated with "cnc-key" as the name; the name only affects the file
# name, the name in named.conf is what travels on the wire.
# NOTE(review): hmac-md5 is the page's choice; BIND 9.4+ also accepts the
# hmac-sha* algorithms (e.g. -a hmac-sha256 -b 256) with a matching
# "algorithm" line in named.conf.
cd /usr/local/named/sbin/
for key_name in cnc telecom any; do
  ./dnssec-keygen -a hmac-md5 -b 128 -n HOST "$key_name"
done
Kany-key.+157+18116.key
Kany-key.+157+18116.private
Kcnc-key.+157+64099.key
Kcnc-key.+157+64099.private
Ktelecom-key.+157+38745.key
Ktelecom-key.+157+38745.private
[root@localhost sbin]# cat Kcnc-key.+157+64099.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: IalNK2xSZGHeacUOQaPQIg==
Bits: AAA=
将上面 Key: 一行的值(即 secret)加入至 named.conf 文件中
格式:
// Key stanza format for named.conf. The key name ("cnckey") is what is sent on
// the wire, so it must match exactly on the master and every slave; the secret
// is the "Key:" value from the K*.private file (the value shown is the page's
// sample - generate your own).
key "cnckey" {
algorithm hmac-md5;
secret "IalNK2xSZGHeacUOQaPQIg==";
};
其他两个以相同方式加入named.conf
8. master服务器方面 :View的建立
// Master side. Views are tried in order and a request lands in the first view
// whose match-clients accepts it, so this view must come before view_any.
view "view_cnc" { // define a view named view_cnc
match-clients { key cnckey ; CNC; }; // requests signed with cnckey, or from the CNC acl (cnc_acl.conf)
recursion no; // no recursion for CNC clients: authoritative answers only
allow-transfer { key cnckey; }; // zone transfers only for requests signed with cnckey
server 192.168.166.203 { keys cnckey; }; // sign messages (NOTIFY) to this slave with cnckey
server 192.168.166.212 { keys cnckey; }; // one server statement per slave; on a slave, list the master's IP here instead
zone "jerome-1.com" IN {
type master;
file "/usr/local/named/master/jerome-1.com.cnc"; // CNC-specific zone data
};
zone "." {
type hint;
file "named.ca"; // root hints, relative to options.directory
};
};
其他两个建立view方法相同
9. slave服务器方面 :View的建立
// Slave side. Same view name and same key as on the master; the key is what
// selects the matching view on the master when this slave requests the zone.
view "view_cnc" { // define a view named view_cnc
match-clients { key cnckey ; CNC; }; // requests signed with cnckey, or from the CNC acl
recursion no; // no recursion for CNC clients
allow-transfer { none; }; // nobody may transfer the zone from the slave
server 192.168.166.202 { keys cnckey; }; // sign messages to the master (SOA/AXFR queries) with cnckey
其他的slave也在此处指定master
zone "jerome-1.com" IN {
type slave;
masters { 192.168.166.202; };
file "/usr/local/named/slave/jerome-1.com.cnc.slave"; // written by named: the slave/ directory must be writable by its user
};
zone "." {
type hint;
file "named.ca";
};
};
10启动bind
# -g keeps named in the foreground with all logging on stderr, so this is only
# suitable for a quick manual test; the init script in step 13 (no -g) is the
# way to run it as a daemon.
/usr/local/named/sbin/named -gc /usr/local/named/named.conf &
设为开机启动:
# NOTE(review): with -g the daemon stays attached to rc.local's stderr, and
# step 13 also enables named through chkconfig - having both would start it
# twice. Prefer the init script and drop this line.
echo "/usr/local/named/sbin/named -gc /usr/local/named/named.conf &" >> /etc/rc.local
重新加载view_cnc区域文件
rndc reload jerome-1.com. IN view_cnc
状态检查:
rndc status
11.nslookup
C:\>nslookup
默认服务器: UnKnown
Address: 192.168.166.202
> set type=soa
> jerome-1.com
服务器: UnKnown
Address: 192.168.166.202
jerome-1.com
primary name server = ns1.jerome-1.com
responsible mail addr = root.jerome-1.com
serial = 2010103102
refresh = 3600 (1 hour)
retry = 900 (15 mins)
expire = 68400 (19 hours)
default TTL = 15 (15 secs)
jerome-1.com nameserver = ns1.jerome-1.com
jerome-1.com nameserver = ns3.jerome-1.com
jerome-1.com nameserver = ns2.jerome-1.com
ns1.jerome-1.com internet address = 192.168.166.202
ns2.jerome-1.com internet address = 192.168.166.203
ns3.jerome-1.com internet address = 192.168.166.212
12.使用 TSIG key 来配置 view 有什么需要注意的呢?
a)key 在另一台 server 上不存在
b)同一个名称的 key 在两台 server 上的内容不一样(在 master 与 slave 间 TSIG Key 必须一致)
c)两台 server 的时间不同步,导致 TSIG key 验证通不过。所以最好两台 server 用 ntp 进行同步。这种情况比较隐蔽,需要特别注意。经过试验,两台 server 如果时间相差超过 5min 就会导致失败。
d)已定义的 view 中,带地址池的 view 放在前面;view_any 没有地址池,放在最后一个
30-Oct-2010 18:16:48.321 client 192.168.166.202#52553: view view_any: received notify for zone 'jerome-1.com': TSIG 'anykey'
30-Oct-2010 18:16:48.321 zone jerome-1.com/IN/view_any: notify from 192.168.166.202#52553: zone is up to date
30-Oct-2010 18:16:48.321 client 192.168.166.202#52553: view view_any: received notify for zone 'jerome-1.com': TSIG 'cnckey'
e)权限问题导致无法同步
此次测试时因为刚开始曾提示权限问题,试着按照以下的方式修改
view view_telecom: zone transfer 'jerome-1.com/AXFR/IN' denied
cd /usr/local/named/
chown -R named.named *
chown -R 777 master
chown -R 777 slave
但后来把权限还原回去一点也不影响同步..权限有些不大明白 此处如果有需要再进行调试吧
f)rndc key不同于TSIG key要各在master和slave分别手动生成,两者不一样
g)要使用 TSIG 的方法来建立 view ,要注意符合 ver >= 9.3 的前提条件,否则 match-clients 语句不起作用
h)关闭 selinux vim /etc/sysconfig/selinux
13. 建立启动脚本:
# chmod 755 /etc/init.d/named
# chown root:root /etc/init.d/named
# chkconfig --add named
# chkconfig named on
============================== named==============================
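#!/bin/bash
#
#Init file for named server daemon
#
#
# chkconfig: 545 35 75
# description: named server daemon
#
# NOTE(review): the chkconfig run-level field above reads "545"; "345" is the
# usual value for a network daemon - confirm before "chkconfig --add named".
#
# Usage: named {start|stop|status|restart}
# Exit status follows LSB init conventions where the original script had none:
# 1 not root, 2 bad argument, 5 named binary missing.

named_bin=/usr/local/named/sbin/named
rndc_bin=/usr/local/named/sbin/rndc
named_conf=/usr/local/named/named.conf

# Binding port 53 needs root. named keeps running as root afterwards because no
# -u is passed; the 'named' user created in step 2 is unused here.
# NOTE(review): consider "$named_bin -u named -c $named_conf" once the log
# directory and the slave zone directory are writable by that user.
if [ "$(id -u)" -ne 0 ]; then
  echo "ERROR:For bind to port 53,must run as root." >&2
  exit 1
fi

case "$1" in
  start)
    # The original silently did nothing when the binary was missing.
    if [ ! -x "$named_bin" ]; then
      echo "ERROR: $named_bin is missing or not executable" >&2
      exit 5
    fi
    "$named_bin" -c "$named_conf" && echo . && echo 'BIND9 server started.'
    ;;
  stop)
    # rndc authenticates with rndc-key from named.conf; the pid-file kill that
    # preceded it is kept for reference only.
    "$rndc_bin" stop
    #kill `cat /usr/local/named/var/run/named.pid` && echo . && echo 'BIND9 server stopped.'
    ;;
  status)
    "$rndc_bin" status
    ;;
  #reload)
  #rndc reload jerome-1.com. IN view_cnc
  #rndc reload jerome-1.com. IN view_telecom
  #rndc reload jerome-1.com. IN view_any
  restart)
    echo .
    echo "Restart BIND9 server"
    "$0" stop
    sleep 6   # give named time to release port 53 before starting again
    "$0" start
    ;;
  *)
    echo "$0 start | status | stop | restart" >&2
    exit 2
    ;;
esac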
============================== named==============================
以下为master与slave的named.conf配置 在此作参考
master: named.conf
**************************************************************************
// Master named.conf (reference copy). The four key stanzas hold shared
// secrets: keep this file readable only by root and the named user, and
// generate your own secrets - the values below are the page's sample keys.
key "rndc-key" { // rndc control key, generated per host with rndc-confgen (step 2)
algorithm hmac-md5;
secret "3PfYa6OCskRHxFVHsU2sgQ==";
};
controls {
inet 127.0.0.1 port 953 // control channel bound to loopback only
allow { 127.0.0.1; } keys { "rndc-key"; };
};
// TSIG keys, one per view, generated with dnssec-keygen (step 7). Name and
// secret must be identical on the master and on every slave.
key "telecomkey" {
algorithm hmac-md5;
secret "CuKa23oWkXc5GudoAA6/3w==";
};
key "cnckey" {
algorithm hmac-md5;
secret "IalNK2xSZGHeacUOQaPQIg==";
};
key "anykey" {
algorithm hmac-md5;
secret "NBpu3k6S1CiO4bFrScTxYQ==";
};
// NOTE(review): 127.0.0.1/8 has host bits set; 127.0.0.0/8 is the canonical
// form and avoids a prefix-length mismatch warning from named.
acl "trusted-lan" {
127.0.0.1/8;
192.168.166.0/24;
};
options {
directory "/usr/local/named";
dump-file "/usr/local/named/data/cache_dump.db";
statistics-file "/usr/local/named/data/named_stats.txt";
version ""; // hide the BIND version from version.bind CHAOS queries
datasize 40M;
allow-transfer { // global default; each view below overrides it with a key-only list
"trusted-lan";
};
// Recursion stays off here and is set to "no" in every view: authoritative-only.
#recursion yes;
#allow-recursion {
# "trusted-lan";
#};
};
logging {
// Both channels write under /usr/local/named/var, which must exist and be
// writable by the user named runs as.
channel warning {
file "/usr/local/named/var/dns_warning" versions 3 size 5m;
severity warning;
print-category yes;
print-severity yes;
print-time yes;
};
channel general_dns {
file "/usr/local/named/var/dns_log" versions 3 size 5m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category default {
warning;
};
// Logs every query with the client address: handy for checking view
// selection, costly on a busy server.
category queries {
general_dns;
};
};
// "CNC" and "TELECOM" acls generated from APNIC whois data in step 4; they
// must be included before the views that reference them.
include "cnc_acl.conf";
include "telecom_acl.conf";
// Views are matched in order. Each view accepts requests signed with its key
// (that is how the slaves reach it) or from its address acl; view_any, which
// matches everything, must stay last.
view "view_telecom" {
match-clients { key telecomkey ; TELECOM; };
recursion no;
allow-transfer { key telecomkey; }; // zone transfers only for requests signed with telecomkey
server 192.168.166.203 { keys telecomkey; }; // sign NOTIFY to this slave with telecomkey
server 192.168.166.212 { keys telecomkey; };
zone "jerome-1.com" IN {
type master;
file "/usr/local/named/master/jerome-1.com.telecom";
};
zone "." {
type hint;
file "named.ca"; // root hints, relative to options.directory
};
};
view "view_cnc" {
match-clients { key cnckey ; CNC; };
recursion no;
allow-transfer { key cnckey; }; // zone transfers only for requests signed with cnckey
server 192.168.166.203 { keys cnckey; };
server 192.168.166.212 { keys cnckey; };
zone "jerome-1.com" IN {
type master;
file "/usr/local/named/master/jerome-1.com.cnc";
};
zone "." {
type hint;
file "named.ca";
};
};
view "view_any" {
match-clients { key anykey ; any; }; // catch-all: must be the last view
recursion no;
allow-transfer { key anykey; };
server 192.168.166.203 { keys anykey; };
server 192.168.166.212 { keys anykey; };
zone "jerome-1.com" IN {
type master;
file "/usr/local/named/master/jerome-1.com.any";
};
zone "." {
type hint;
file "named.ca";
};
};
**************************************************************************
Slave: named.conf
// Slave named.conf (reference copy). The rndc-key is this host's own
// (different from the master's, see note f); the three TSIG keys are the same
// as on the master. Keep the file readable only by root and the named user,
// and generate your own secrets - these are the page's sample values.
key "rndc-key" { // local rndc control key, generated on this host with rndc-confgen
algorithm hmac-md5;
secret "WEZHsZhyfc5NrhNC/G9zkg==";
};
controls {
inet 127.0.0.1 port 953 // control channel bound to loopback only
allow { 127.0.0.1; } keys { "rndc-key"; };
};
// TSIG keys copied from the master: name and secret must match byte for byte.
key "telecomkey" {
algorithm hmac-md5;
secret "CuKa23oWkXc5GudoAA6/3w==";
};
key "cnckey" {
algorithm hmac-md5;
secret "IalNK2xSZGHeacUOQaPQIg==";
};
key "anykey" {
algorithm hmac-md5;
secret "NBpu3k6S1CiO4bFrScTxYQ==";
};
// NOTE(review): 127.0.0.1/8 has host bits set; 127.0.0.0/8 is the canonical
// form and avoids a prefix-length mismatch warning from named.
acl "trusted-lan" {
127.0.0.1/8;
192.168.166.0/24;
};
options {
directory "/usr/local/named";
dump-file "/usr/local/named/data/cache_dump.db";
statistics-file "/usr/local/named/data/named_stats.txt";
version ""; // hide the BIND version from version.bind CHAOS queries
datasize 40M;
allow-transfer { // global default; every view below sets it to none
"trusted-lan";
};
// Recursion stays off here and is set to "no" in every view: authoritative-only.
#recursion yes;
#allow-recursion {
# "trusted-lan";
#};
};
logging {
// Both channels write under /usr/local/named/var, which must exist and be
// writable by the user named runs as.
channel warning {
file "/usr/local/named/var/dns_warning" versions 3 size 5m;
severity warning;
print-category yes;
print-severity yes;
print-time yes;
};
channel general_dns {
file "/usr/local/named/var/dns_log" versions 3 size 5m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category default {
warning;
};
// Logs every query with the client address; this is where a NOTIFY landing in
// the wrong view (see the log lines in note d) shows up.
category queries {
general_dns;
};
};
// Same acl files as on the master (copied in step 4); needed before the views.
include "cnc_acl.conf";
include "telecom_acl.conf";
// Same view order as on the master. The "server" statement signs the SOA and
// transfer requests sent to the master, and that signature is what selects the
// corresponding view on the master side.
view "view_telecom" {
match-clients { key telecomkey ; TELECOM; };
recursion no;
allow-transfer { none; }; // slaves never hand out the zone
server 192.168.166.202 { keys telecomkey; }; // sign requests to the master with telecomkey
zone "jerome-1.com" IN {
type slave;
masters { 192.168.166.202; };
file "/usr/local/named/slave/jerome-1.com.telecom.slave"; // written by named: slave/ must be writable by its user
};
zone "." {
type hint;
file "named.ca"; // root hints, relative to options.directory
};
};
view "view_cnc" {
match-clients { key cnckey ; CNC; };
recursion no;
allow-transfer { none; };
server 192.168.166.202 { keys cnckey; }; // sign requests to the master with cnckey
zone "jerome-1.com" IN {
type slave;
masters { 192.168.166.202; };
file "/usr/local/named/slave/jerome-1.com.cnc.slave";
};
zone "." {
type hint;
file "named.ca";
};
};
view "view_any" {
match-clients { key anykey ; any; }; // catch-all: must be the last view
recursion no;
allow-transfer { none; };
server 192.168.166.202 { keys anykey; }; // sign requests to the master with anykey
zone "jerome-1.com" IN {
type slave;
masters { 192.168.166.202; };
file "/usr/local/named/slave/jerome-1.com.any.slave";
};
zone "." {
type hint;
file "named.ca";
};
};