DNS BIND DNSSEC configuration example: the dev node (dev.)

Source: Internet | Editor: 程序博客网 | Posted: 2024/04/25 09:40

In the previous section we walked through the DNSSEC configuration of the root node; this section configures DNSSEC for the dev node and hooks it into the root zone's chain of trust.

dev server: 192.168.110.71

I. Configure the dev server
1. Generate the signing key pairs

# cd /var/named
First generate the key-signing key (KSK) for the zone file:
# ~/bind/sbin/dnssec-keygen -f KSK -a RSASHA1 -b 512 -n ZONE dev.
This produces the public key Kdev.+005+44248.key and the private key Kdev.+005+44248.private.
Then generate the zone-signing key (ZSK):
# ~/bind/sbin/dnssec-keygen -a RSASHA1 -b 512 -n ZONE dev.
This produces the public key Kdev.+005+41787.key and the private key Kdev.+005+41787.private. Both files of a pair share one base name: 005 is the algorithm number (RSASHA1) and the last field is the key tag, so a KSK tag never appears in a ZSK file name.
RSASHA1 with 512-bit keys is acceptable only in an isolated lab like this one: 512-bit RSA is factorable and SHA-1 is deprecated for DNSSEC signing. For anything real, use RSASHA256 (algorithm 8) with 2048-bit keys or ECDSAP256SHA256 (algorithm 13), and keep the .private files readable only by the user that signs the zone.
2. Sign the zone
a. Before signing, $INCLUDE the two public keys at the end of the zone file so that both DNSKEY records are published in the zone:

$TTL 86400
@       IN      SOA     @       root.dev (
                        2
                        1m
                        1m
                        1m
                        1m )
dev.            IN      NS      ns.dev.
ns.dev.         IN      A       192.168.110.71
abc.dev.        IN      A       192.168.100.90
$INCLUDE "Kdev.+005+41787.key"
$INCLUDE "Kdev.+005+44248.key"

b. Run the signing:
# ~/bind/sbin/dnssec-signzone -o dev. dev.zone
This produces the signed zone dev.zone.signed. The KSK signs only the DNSKEY RRset; the ZSK signs the other RRsets, which is why the RRSIGs seen in section III carry the ZSK's key tag 41787. dnssec-signzone also writes dsset-dev., the DS records derived from the KSK; that file is what the parent zone needs in section II. By default the signatures are valid for 30 days from signing, so the zone must be re-signed before they expire or validating resolvers will stop answering for it.
3. Edit the main configuration file named.conf

key "rndc-key" {
        algorithm hmac-md5;
        secret "etMaaS+O06WFFUHxKAaTXA==";
};
controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
};
options {
        listen-on port 53 {
                192.168.110.71;
        };
        version "vdns3.0";
        directory "/var/named";
        pid-file "/var/run/named.pid";
        session-keyfile "/var/run/session.key";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        rrset-order {
                order cyclic;
        };
        recursion no;
        allow-query {
                any;
        };
        allow-query-cache {
                any;
        };
        allow-transfer {
                none;
        };
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};
logging {
        channel default_debug {
                file "/var/named/data/named.run";
                severity dynamic;
        };
        channel queries_info {
                file "/var/named/log/query.log" versions 1 size 100m;
                severity info;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        category queries {
                queries_info;
                default_debug;
        };
        channel notify_info {
                file "/var/named/log/notify.log" versions 8 size 128m;
                severity info;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        category notify {
                notify_info;
                default_debug;
        };
        channel dnssec_debug {
                file "/var/named/log/dnssec.log" versions 1 size 100m;
                print-time yes;
                print-category yes;
                print-severity yes;
                severity debug 3;
        };
        category dnssec {
                dnssec_debug;
        };
};
zone "." in {
        type hint;
        file "root.zone";
};
zone "dev." IN {
        type master;
        file "dev.zone.signed";
};

A few points about this configuration. With recursion no this is an authoritative-only server, so dnssec-validation yes and allow-query-cache have no effect here; validation is done by the recursive resolver queried in section III. dnssec-lookaside auto and the ISC DLV key refer to the DLV registry, which ISC shut down in 2017; drop both on any current BIND, where dnssec-enable is also deprecated. The rndc key uses hmac-md5; hmac-sha256 is the current choice, and the secret shown is a lab value that must not be reused. allow-transfer { none; } is correct for a single master: zone transfers should be opened only to known secondaries, and signing the zone does not make its contents secret.
Check that the configuration is valid (-t points named-checkconf at the chroot so that file paths resolve the way named will see them):
/home/slim/bind/sbin/named-checkconf -t /home/slim/chroot/ /etc/named.conf

4. Start the service (-u drops privileges to the slim user and -t runs named inside the chroot):
/home/slim/bind/sbin/named -u slim -t /home/slim/chroot/ -c /etc/named.conf
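Steps 1 to 4 above, written as one script. This is an added example, not the post's own commands: it assumes BIND's tools under ~/bind/sbin (overridable through BIND_SBIN), the zone directory /var/named (ZONE_DIR), and the chroot and user from the post. It captures the key file names from dnssec-keygen's output instead of retyping the key tags, uses RSASHA256 with 2048-bit keys in place of RSASHA1/512, and checks the signed zone with named-checkzone before starting named. The RUN_DEV_DNSSEC guard and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: the dev-side procedure
# (key generation, zone with $INCLUDEs, signing, config check, start) as one
# script. Assumptions: BIND tools under $BIND_SBIN (the post uses ~/bind/sbin),
# zone files in $ZONE_DIR (/var/named), the chroot and user from the post.
# Nothing runs until RUN_DEV_DNSSEC=1 is set, so the file can be sourced.

BIND_SBIN="${BIND_SBIN:-$HOME/bind/sbin}"
ZONE_DIR="${ZONE_DIR:-/var/named}"
ZONE="dev."
ZONE_FILE="dev.zone"

# Write the unsigned zone. Public key files are passed in by name so the
# $INCLUDE lines match what dnssec-keygen actually produced instead of
# hand-typed key tags.
write_zone() {
    out="$1"; shift
    {
        printf '$TTL 86400\n'
        printf '@\tIN\tSOA\t@\troot.dev. (\n'
        printf '\t\t2\t; serial\n\t\t1m\t; refresh\n\t\t1m\t; retry\n\t\t1m\t; expire\n\t\t1m )\t; minimum\n'
        printf 'dev.\t\tIN\tNS\tns.dev.\n'
        printf 'ns.dev.\t\tIN\tA\t192.168.110.71\n'
        printf 'abc.dev.\tIN\tA\t192.168.100.90\n'
        for k in "$@"; do
            printf '$INCLUDE "%s"\n' "$k"
        done
    } > "$out"
}

# Number of $INCLUDE lines in a zone file: must be 2 (KSK and ZSK) before signing.
include_count() {
    grep -c '^\$INCLUDE' "$1"
}

# Generate KSK and ZSK. dnssec-keygen prints each key's base name
# (e.g. Kdev.+008+12345) on stdout; capture it rather than retyping the tag.
# RSASHA1/512-bit as in the post is lab-only; RSASHA256 (algorithm 8) with
# 2048-bit keys is a sound choice for this BIND generation. On BIND 9.8-era
# builds add -r /dev/urandom if keygen blocks waiting for entropy.
gen_keys() {
    cd "$ZONE_DIR" || return 1
    ksk=$("$BIND_SBIN/dnssec-keygen" -f KSK -a RSASHA256 -b 2048 -n ZONE "$ZONE") || return 1
    zsk=$("$BIND_SBIN/dnssec-keygen" -a RSASHA256 -b 2048 -n ZONE "$ZONE") || return 1
    printf '%s %s\n' "$ksk" "$zsk"
}

# Sign the zone (-o sets the origin). Outputs: dev.zone.signed, which named.conf
# loads, and dsset-dev., the DS records the parent zone needs.
# -N increment bumps the SOA serial on every re-sign so the change is noticed.
sign_zone() {
    cd "$ZONE_DIR" || return 1
    "$BIND_SBIN/dnssec-signzone" -o "$ZONE" -N increment "$ZONE_FILE" || return 1
    "$BIND_SBIN/named-checkzone" "$ZONE" "$ZONE_FILE.signed"
}

main() {
    set -- $(gen_keys)
    [ $# -eq 2 ] || { echo "key generation failed" >&2; return 1; }
    write_zone "$ZONE_DIR/$ZONE_FILE" "$1.key" "$2.key"
    [ "$(include_count "$ZONE_DIR/$ZONE_FILE")" -eq 2 ] || { echo "zone must include both DNSKEYs" >&2; return 1; }
    sign_zone || return 1
    "$BIND_SBIN/named-checkconf" -t "$HOME/chroot" /etc/named.conf || return 1
    "$BIND_SBIN/named" -u slim -t "$HOME/chroot" -c /etc/named.conf
}

if [ "${RUN_DEV_DNSSEC:-0}" = 1 ]; then main; fi
```

Run it as RUN_DEV_DNSSEC=1 sh dev-dnssec.sh on the dev server; the unsigned zone is regenerated from the key names that dnssec-keygen printed, so the mismatch between the ZSK's public and private file names that crept into the text above cannot happen.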

II. Configure the root server
1. Send the generated dsset-dev. to the root server; on 192.168.110.71 run:
# cd /var/named
# scp dsset-dev. slim@192.168.13.103:/home/slim/chroot/var/named/
The DS records in this file are the link in the chain of trust: the root zone's signature over them is what lets a resolver trust dev.'s KSK, and whoever can replace them decides which key validates dev.. Move the file over an authenticated channel (scp here) and check on the root server that it names the expected key tag (44248, the KSK) before including it.
2. On 192.168.13.103 run:
# cd /var/named
# vi root.zone

3. Append $INCLUDE "dsset-dev." at the end of the file:

$TTL 86400
@           IN   SOA    @       root (
                        12169
                        1m
                        1m
                        1m
                        1m )
.                       IN      NS      root.ns.
root.ns.                IN      A       192.168.13.103
dev.                    IN      NS      ns.dev.
ns.dev.                 IN      A       192.168.110.71
$INCLUDE "K.+005+62541.key"
$INCLUDE "K.+005+62317.key"
$INCLUDE "dsset-dev."

4. Then re-sign the zone file on the root server:
# mv root.zone.signed root.zone.signed.bak
# /home/slim/bind/sbin/dnssec-signzone -o . root.zone
Bump the SOA serial (12169 above) before re-signing so that secondaries and NOTIFY pick up the new signatures; dnssec-signzone can also increment it for you. Note that the delegation's NS record and the ns.dev. glue are not signed by the root, only the DS RRset is; that is normal DNSSEC behaviour for a delegation, and the child's own RRSIGs cover dev.'s NS.
5. Restart the root service.
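The parent side of the procedure (steps 1 to 5 of this section) as a script. Added example, not the post's commands: it assumes BIND's tools under ~/bind/sbin (BIND_SBIN), the root zone files at the post's chroot path /home/slim/chroot/var/named (ZONE_DIR), and rndc usable with the controls stanza from the post's named.conf. It verifies that the received dsset file names the child's KSK tag (44248 in the post, overridable through CHILD_KSK_TAG), adds the $INCLUDE only once so a re-run after a KSK rollover does not duplicate it, and re-signs with the serial incremented. The RUN_ROOT_DNSSEC guard and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: the parent (root) side of
# the delegation. Assumptions: BIND tools under $BIND_SBIN, the root zone
# files in $ZONE_DIR (the post's chroot path), and rndc reachable with the
# controls/key stanza from the post's named.conf. Nothing runs until
# RUN_ROOT_DNSSEC=1 is set.

BIND_SBIN="${BIND_SBIN:-$HOME/bind/sbin}"
ZONE_DIR="${ZONE_DIR:-$HOME/chroot/var/named}"

# Key tags named in a dsset file (field 4 of each "IN DS" line, as written by
# dnssec-signzone). Compare them with the child's KSK tag before trusting the
# file: a DS for the wrong key, or an attacker's key, is exactly what breaks
# or hijacks the chain of trust.
ds_keytags() {
    awk '$3 == "DS" { print $4 }' "$1" | sort -u
}

# Append the $INCLUDE for a child's dsset file exactly once, so re-running
# the procedure (for instance after the child rolls its KSK) never duplicates it.
add_dsset_include() {
    # $1 = parent zone file, $2 = dsset file name such as dsset-dev.
    line="\$INCLUDE \"$2\""
    if grep -qxF "$line" "$1"; then return 0; fi
    printf '%s\n' "$line" >> "$1"
}

# Re-sign the parent. -N increment bumps the SOA serial; re-signing with an
# unchanged serial is a common reason a reload appears to change nothing.
resign_parent() {
    cd "$ZONE_DIR" || return 1
    if [ -f root.zone.signed ]; then mv root.zone.signed root.zone.signed.bak; fi
    "$BIND_SBIN/dnssec-signzone" -o . -N increment root.zone || return 1
    "$BIND_SBIN/named-checkzone" . root.zone.signed || return 1
    "$BIND_SBIN/rndc" reload
}

main() {
    cd "$ZONE_DIR" || return 1
    expected="${CHILD_KSK_TAG:-44248}"   # the dev. KSK tag from the post
    tags=$(ds_keytags dsset-dev.)
    [ "$tags" = "$expected" ] || { echo "dsset-dev. names key tag(s) '$tags', expected $expected" >&2; return 1; }
    add_dsset_include root.zone dsset-dev.
    resign_parent
}

if [ "${RUN_ROOT_DNSSEC:-0}" = 1 ]; then main; fi
```

Run it as RUN_ROOT_DNSSEC=1 sh root-dnssec.sh on the root server after the scp. The key-tag check is the cheap half of the verification; the thorough half is to regenerate the DS on the dev server from the KSK with dnssec-dsfromkey and compare it byte for byte with the dsset file that arrived.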
III. Testing
Query the recursive (validating) resolver, 192.168.13.45:
dig @192.168.13.45 +dnssec dev. NS

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.2 <<>> @192.168.13.45 +dnssec dev. NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49047
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dev.                           IN      NS

;; ANSWER SECTION:
dev.                    80410   IN      NS      ns.dev.
dev.                    86386   IN      RRSIG   NS 5 1 86400 20150517074758 20150417074758 41787 dev. x3QO8JsFscxB7t9SQjtjdZCXyjUkdWNbCfOSUxPyZZPb3jRt/DOYN0lR hKJqgl8VT2T2D1P3kmr8O7ptGlTKpg==

;; ADDITIONAL SECTION:
ns.dev.                 80410   IN      A       192.168.110.71
ns.dev.                 86386   IN      RRSIG   A 5 2 86400 20150517074758 20150417074758 41787 dev. a9f04XI5VUvgoDdJa5BoN3GEhA2Po+Iqo9GLgcw0S5Sts7Hw/dIm/EOF lj8oCXUniBgQdRzWw+0QzYvUavGYxg==

;; Query time: 0 msec
;; SERVER: 192.168.13.45#53(192.168.13.45)
;; WHEN: Fri Apr 17 02:05:49 2015
;; MSG SIZE  rcvd: 263

dig @192.168.13.45 +dnssec abc.dev. A

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.2 <<>> @192.168.13.45 +dnssec abc.dev. A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20230
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;abc.dev.                       IN      A

;; ANSWER SECTION:
abc.dev.                86375   IN      A       192.168.100.90
abc.dev.                86375   IN      RRSIG   A 5 2 86400 20150517074758 20150417074758 41787 dev. aSP+yVyu83pPlwZ8iSoyFydzSOugMLnNV5ZcbObJ+U6qWj8j9AF4Baxy zxqKiSkTDkx16yjgnzdGINwfgFt1EA==

;; AUTHORITY SECTION:
dev.                    80152   IN      NS      ns.dev.
dev.                    86128   IN      RRSIG   NS 5 1 86400 20150517074758 20150417074758 41787 dev. x3QO8JsFscxB7t9SQjtjdZCXyjUkdWNbCfOSUxPyZZPb3jRt/DOYN0lR hKJqgl8VT2T2D1P3kmr8O7ptGlTKpg==

;; ADDITIONAL SECTION:
ns.dev.                 80152   IN      A       192.168.110.71
ns.dev.                 86375   IN      RRSIG   A 5 2 86400 20150517074758 20150417074758 41787 dev. a9f04XI5VUvgoDdJa5BoN3GEhA2Po+Iqo9GLgcw0S5Sts7Hw/dIm/EOF lj8oCXUniBgQdRzWw+0QzYvUavGYxg==

;; Query time: 0 msec
;; SERVER: 192.168.13.45#53(192.168.13.45)
;; WHEN: Fri Apr 17 02:10:07 2015
;; MSG SIZE  rcvd: 382

What to look for in these answers. The ad (authenticated data) flag in "flags: qr rd ra ad" means the resolver validated the answer along the whole chain: from its trust anchor for the lab root, through the DS for dev. signed in the root zone, to dev.'s DNSKEY RRset and the RRSIGs shown here. Without ad the data was merely served, not validated. "flags: do" in the EDNS pseudosection confirms that dig asked for DNSSEC records. Each RRSIG reads, in order: type covered, algorithm 5 (RSASHA1), label count, original TTL 86400, expiry 20150517074758, inception 20150417074758, key tag 41787 (the ZSK generated in section I) and signer dev.. The 30-day window is dnssec-signzone's default; once the expiry passes, the resolver answers SERVFAIL for dev. names until the zone is re-signed, so signature expiry needs to be monitored rather than discovered.
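A check that turns the visual inspection of the dig output above into something scriptable. Added example, not from the post: the functions read saved dig +dnssec output (dig ... > out.txt) and verify the ad flag, that every answered RRset has an RRSIG, that each RRSIG's validity window contains a given time and that its signer is the expected zone. The embedded sample is the post's abc.dev. answer reduced to its flags line and answer/authority sections; timestamps are compared in the RRSIG's own YYYYMMDDHHMMSS form. The RUN_DIG_CHECK guard and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: checks on saved
# `dig +dnssec` output. Reads a file; assumes dig's usual text layout.

# 1. Was the answer authenticated? dig prints the header flags on one line,
#    e.g. ";; flags: qr rd ra ad;". Only "ad" proves the resolver validated.
has_ad_flag() {
    grep -q '^;; flags:.* ad[ ;]' "$1"
}

# 2. Types in the ANSWER section that have no RRSIG covering them.
#    Empty output means every answered RRset is signed.
unsigned_answer_types() {
    awk '
        /^;; ANSWER SECTION:/  { insec = 1; next }
        /^;; /                 { insec = 0; next }
        insec && $4 == "RRSIG" { signed[$5] = 1; next }
        insec && NF >= 4       { seen[$4] = 1 }
        END { for (t in seen) if (!(t in signed)) print t }
    ' "$1"
}

# 3./4. Every RRSIG must contain the time $2 (YYYYMMDDHHMMSS, the RRSIG's own
#    format; pass "$(date -u +%Y%m%d%H%M%S)" for now) between its inception
#    (field 10) and expiry (field 9), and be signed by zone $3 (field 12).
#    Prints each offending RRSIG and returns 1 if any fails.
check_rrsigs() {
    awk -v now="$2" -v signer="$3" '
        $4 == "RRSIG" {
            expiry = $9 + 0; inception = $10 + 0
            if (now + 0 < inception || now + 0 > expiry) { print "outside validity window: " $0; bad = 1 }
            if ($12 != signer) { print "unexpected signer " $12 ": " $0; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# All checks on one file; returns 0 only when everything passes.
check_dig_output() {
    status=0
    if ! has_ad_flag "$1"; then echo "ad flag missing: the resolver did not validate this answer"; status=1; fi
    unsigned=$(unsigned_answer_types "$1")
    if [ -n "$unsigned" ]; then echo "answer RRsets without RRSIG: $unsigned"; status=1; fi
    check_rrsigs "$1" "$2" "$3" || status=1
    return $status
}

# Constructed sample: the post's `dig @192.168.13.45 +dnssec abc.dev. A`
# output, trimmed to the lines the checks look at.
write_sample() {
    cat > "$1" <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20230
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; ANSWER SECTION:
abc.dev.                86375   IN      A       192.168.100.90
abc.dev.                86375   IN      RRSIG   A 5 2 86400 20150517074758 20150417074758 41787 dev. aSP+yVyu83pPlwZ8iSoyFydzSOugMLnNV5ZcbObJ+U6qWj8j9AF4Baxy zxqKiSkTDkx16yjgnzdGINwfgFt1EA==

;; AUTHORITY SECTION:
dev.                    80152   IN      NS      ns.dev.
dev.                    86128   IN      RRSIG   NS 5 1 86400 20150517074758 20150417074758 41787 dev. x3QO8JsFscxB7t9SQjtjdZCXyjUkdWNbCfOSUxPyZZPb3jRt/DOYN0lR hKJqgl8VT2T2D1P3kmr8O7ptGlTKpg==
EOF
}

# Demo on the sample: inside the window it passes; with today's date the
# expiry check fires, which is what a monitoring job should alert on.
# Live use: dig @192.168.13.45 +dnssec abc.dev. A > out.txt
#           check_dig_output out.txt "$(date -u +%Y%m%d%H%M%S)" dev.
if [ "${RUN_DIG_CHECK:-0}" = 1 ]; then
    f=$(mktemp); write_sample "$f"
    check_dig_output "$f" 20150501000000 dev. && echo "PASS (inside validity window)"
    check_dig_output "$f" "$(date -u +%Y%m%d%H%M%S)" dev. || echo "FAIL (expected: the 2015 signatures have expired)"
    rm -f "$f"
fi
```

The expiry test is the one worth scheduling: it catches the silent failure mode of a zone signed once and forgotten, which surfaces to users as SERVFAIL only after the 30-day window closes.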

Note: DNSSEC for an ordinary domain name is configured the same way: sign the zone, add its dsset-* file to the parent zone, and re-sign the parent.
