Using DNSSEC on a private BIND9 DNS server

2013.8.22

Author: db.

Please cite the source when reposting: http://blog.csdn.net/juneman/article/details/10186167



1. Basic server setup

 

1) Primary root server        192.168.56.101

2) Secondary root server      192.168.56.102

3) COM server                 192.168.56.103

4) Resolving server           192.168.56.104

 

For the basic setup see "BIND9 private DNS server: building a small lab environment": http://blog.csdn.net/juneman/article/details/10171815

 

2. Configuring the primary root server

1) Generate the signing key pairs

    

    # cd /var/named

    

First generate the key-signing key (KSK) for your zone file:

dnssec-keygen -f KSK -a RSASHA1 -b 512 -n ZONE .

 

This produces the files K.+005+09603.key and K.+005+09603.private.

Then generate the zone-signing key (ZSK):

dnssec-keygen -a RSASHA1 -b 512 -n ZONE .

This produces the files K.+005+14932.key and K.+005+14932.private.

 

2) Signing

 

a. Before signing, append the two public keys generated above to the end of the zone file:

 

$TTL 86400
@ IN SOA @ root (
        12169
        1m
        1m
        1m
        1m )
 
. IN NS root.ns.
root.ns. IN A 192.168.56.101
com. IN NS ns.com.
ns.com. IN A 192.168.56.103
 
$INCLUDE "K.+005+14932.key"
$INCLUDE "K.+005+09603.key"


b. Then run the signing operation:

dnssec-signzone -o . db.root

The -o option gives the origin (name) of the zone being signed, here the root "."; the output file is db.root.signed.

    

c. Edit the main configuration file

  

     
 key "rndc-key" {
        algorithm hmac-md5;
        secret "wk7NzsvLaCobiCFxHB2LXQ==";
 };
 
 controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
 };
 
options {
        directory "/var/named/";
        pid-file "/var/named/named.pid";
        recursion no;
        dnssec-enable yes;
};
 
zone "." IN {
        type master;
        file "db.root.signed";
        allow-transfer {192.168.56.102;};
};
 
 

Add dnssec-enable yes; under options to turn on DNSSEC.

Change file in the zone statement to point to the signed file db.root.signed.

Restart the named server.

 

3. Configuring a validating (secure) resolver

1) Open named.conf and add the following:

# vi named.conf

 key "rndc-key" {
        algorithm hmac-md5;
        secret "kMOStrdGYC5WmE1obk7LJg==";
 };
 
 controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
 };
 
options {
        directory "/var/named";
        pid-file "/var/run/named/named.pid";
        allow-query {any;};
        recursion yes;
        allow-recursion {any;};
        dnssec-enable yes;
 
};
 
zone "." IN {
        type hint;
        file "db.root";
};
 
include "/var/named/sec-trust-anchors.conf";

 

Here dnssec-enable yes; turns on DNSSEC, and

      include "/var/named/sec-trust-anchors.conf"; pulls in the trust anchors.

 

2) Create the "trust anchor" file

# cd /var/named

# touch sec-trust-anchors.conf

# vi sec-trust-anchors.conf

trusted-keys {
        "." 256 3 5 "AwEAAcxHPOkZULjQeyxKoY7PPhnr4q3gvSqF5QLu8eh/J675JOBatuxY 3fpIF2ZlyVfjt4SSg8JN10+FUx2iRqjlxzU=";        
        "." 257 3 5 "AwEAAeqRlSY1wkO/m1RwLY0pA/Pa0r+ld4We21MXQwrnBM+zEWUQ9LVQ rYja1SEgnyTeJwysgh/qqr71s74fD11bOLU=";
};
 


The key material here is the key part copied from the K.+005+09603.key and K.+005+14932.key files generated on the primary server (192.168.56.101).

Restart the named service.

 

 

3) Test

#  dig @192.168.56.104 +dnssec . NS

   
root@simba-4:/var/named# dig @192.168.56.104 +dnssec . NS
 
; <<>> DiG 9.9.2-P1 <<>> @192.168.56.104 +dnssec . NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58557
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;.                              IN      NS
 
;; ANSWER SECTION:
.                       86039   IN      NS      root.ns.
.                       86039   IN      RRSIG   NS 5 0 86400 20130920155850 20130821155850 9603 . RTflmGcEwLDyjENuEvDBVM1UiuL6lS/ae3K0iBTRoRzY50MhnmXCQYEQ TNSDflG9D0TskUJNd3UqLtvS6+b28Q==
 
;; Query time: 15 msec
;; SERVER: 192.168.56.104#53(192.168.56.104)
;; WHEN: Wed Aug 21 13:26:35 2013
;; MSG SIZE  rcvd: 142
 
 

  

The flags field contains ad, which shows that DNSSEC is enabled and the answer passed validation.

However, if at this point you run

# dig @192.168.56.104 +dnssec  com. NS

it reports a "broken trust chain" error.

 

 

4. Configuring the secondary root server at 192.168.56.102

1) Open named.conf and add the following:

# vi named.conf

 key "rndc-key" {
        algorithm hmac-md5;
        secret "JaHjteR5sZxVrMWWcOne9g==";
 };
 
controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
 };
 
options {
        directory "/var/named";
        pid-file "/var/run/named/named.pid";
        transfer-format many-answers;
        recursion no;
        dnssec-enable yes;
};
 
zone "." IN {
        type slave;
        file "db.root";
        masters { 192.168.56.101; };
};
 

 

Here only dnssec-enable yes; needs to be added under options.

Delete /var/named/db.root and restart the service, so that the secondary transfers the signed zone afresh instead of keeping its unsigned copy.

 

 

2) Test

 

#  dig @192.168.56.102 . NS

   

 
root@simba-2:/usr/local/named/etc# dig @192.168.56.102 +dnssec . NS
 
; <<>> DiG 9.9.2-P1 <<>> @192.168.56.102 +dnssec . NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31463
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3
;; WARNING: recursion requested but not available
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;.                              IN      NS
 
;; ANSWER SECTION:
.                       86400   IN      NS      root.ns.
.                       86400   IN      RRSIG   NS 5 0 86400 20130920155850 20130821155850 9603 . RTflmGcEwLDyjENuEvDBVM1UiuL6lS/ae3K0iBTRoRzY50MhnmXCQYEQ TNSDflG9D0TskUJNd3UqLtvS6+b28Q==
 
;; ADDITIONAL SECTION:
root.ns.                86400   IN      A       192.168.56.101
root.ns.                86400   IN      RRSIG   A 5 2 86400 20130920155850 20130821155850 9603 . MGX976QJsdXqS/tEtYoG/CvI4v1QWkUk79XOOxyvvVqFaVz5XBuFOppz BT/5kIIGn9ebMpjIhFYhhBlYM24aqA==
 
;; Query time: 17 msec
;; SERVER: 192.168.56.102#53(192.168.56.102)
;; WHEN: Wed Aug 21 13:36:21 2013
;; MSG SIZE  rcvd: 253
 
 

# dig @192.168.56.102 com. NS

root@simba-2:/usr/local/named/etc# dig @192.168.56.102 +dnssec com. NS
 
; <<>> DiG 9.9.2-P1 <<>> @192.168.56.102 +dnssec com. NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23672
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 2
;; WARNING: recursion requested but not available
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;com.                           IN      NS
 
;; AUTHORITY SECTION:
com.                    86400   IN      NS      ns.com.
com.                    86400   IN      DS      57139 5 2 1D84EDAD0F96E34D869B24DBE0515C7179102EAD293C8FEAF7EE9B00 8388601C
com.                    86400   IN      DS      57139 5 1 C9D1B946BDC3CB7D1D97F3FC74483C13E3DD03A0
com.                    86400   IN      RRSIG   DS 5 1 86400 20130920155850 20130821155850 9603 . y6tqd0RzoAd9Qk8iDcnOr71iordfd/J5Y/ZzMHxCjQel60pEqbxkMxLO c+nzhu810wv9AB6gCQ4JsOLJGu1uxw==
 
;; ADDITIONAL SECTION:
ns.com.                 86400   IN      A       192.168.56.103
 
;; Query time: 14 msec
;; SERVER: 192.168.56.102#53(192.168.56.102)
;; WHEN: Wed Aug 21 13:35:43 2013
;; MSG SIZE  rcvd: 244
 

 

 

5. Configuring the COM server on 192.168.56.103

 

1) Generate the signing key pairs

    

    # cd /var/named

    

First generate the key-signing key (KSK) for your zone file:

dnssec-keygen -f KSK -a RSASHA1 -b 512 -n ZONE  com.

 

This produces the files Kcom.+005+17631.key and Kcom.+005+17631.private.

Then generate the zone-signing key (ZSK):

dnssec-keygen -a RSASHA1 -b 512 -n ZONE  com.

This produces the files Kcom.+005+57139.key and Kcom.+005+57139.private.

 

2) Signing

 

d. Before signing, append the two public keys generated above to the end of the zone file:

 

$TTL 86400
@ IN SOA @ root (
        2
        1m
        1m
        1m
        1m
)
 
com. IN NS ns.com.
ns.com. IN A 192.168.56.103
my.com. IN A 192.168.56.201
$INCLUDE "Kcom.+005+17631.key"
$INCLUDE "Kcom.+005+57139.key"

 

e. Then run the signing operation:

dnssec-signzone  -o  com db.com

The -o option gives the origin (name) of the zone being signed; the output file is db.com.signed.

    

f. Edit the main configuration file


 key "rndc-key" {
        algorithm hmac-md5;
        secret "kMOStrdGYC5WmE1obk7LJg==";
 };
 
 controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
 };
 
options {
        directory "/var/named";
        pid-file "/var/run/named/named.pid";
        allow-query {any;};
        recursion no;
        dnssec-enable yes;
};
 
zone "." IN {
        type hint;
        file "db.root";
};
 
zone "com." IN {
        type master;
        file "db.com.signed";
};
 

     

Add dnssec-enable yes; under options to turn on DNSSEC.

Change file in the zone statement to point to the signed file db.com.signed.

Restart the named server.

 

g. Send the generated dsset-com. file to the primary root server.

① On 192.168.56.103 run:

# cd /var/named

# scp dsset-com. root@192.168.56.101:/var/named/

② On 192.168.56.101 run:

# cd /var/named

# vi db.root

③ Append $INCLUDE "dsset-com." to the end of that file:


 
$TTL 86400
@ IN SOA @ root (
        12169
        1m
        1m
        1m
        1m )
 
. IN NS root.ns.
root.ns. IN A 192.168.56.101
com. IN NS ns.com.
ns.com. IN A 192.168.56.103
 
$INCLUDE "K.+005+14932.key"
$INCLUDE "K.+005+09603.key"
$INCLUDE "dsset-com."


 

④ Then re-sign the zone file on the primary server:

# mv db.root.signed db.root.signed.bak

dnssec-signzone -o . db.root

 

⑤ Restart the service.
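
Copying the DNSKEY strings out of the .key files into the trust-anchor file of section 3 by hand, and accepting the dsset-com. that step g ships to the root without checking it, are both easy to get wrong; the following Python is an added example, not code from the original post, that parses .key files in the layout dnssec-keygen writes into a trusted-keys statement and derives the key tag and DS records a dsset-<zone>. file contains. The .key file contents are constructed samples carrying the two "." DNSKEY strings from the page, and all function names are mine.

```python
import base64
import hashlib
import struct
# Constructed sample .key files in the layout dnssec-keygen writes; the DNSKEY
# strings are the two the page's trusted-keys block lists for ".".
KEY_FILES = [
    "; constructed sample\n. IN DNSKEY 256 3 5 AwEAAcxHPOkZULjQeyxKoY7PPhnr4q3gvSqF5QLu8eh/J675JOBatuxY 3fpIF2ZlyVfjt4SSg8JN10+FUx2iRqjlxzU=\n",
    "; constructed sample\n. IN DNSKEY 257 3 5 AwEAAeqRlSY1wkO/m1RwLY0pA/Pa0r+ld4We21MXQwrnBM+zEWUQ9LVQ rYja1SEgnyTeJwysgh/qqr71s74fD11bOLU=\n",
]

def parse_key_file(text):
    """Return (owner, flags, proto, alg, base64_key) from a .key file."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";") or "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")  # owner [TTL] [IN] DNSKEY flags proto alg key...
        flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
        return fields[0], flags, proto, alg, "".join(fields[i + 4:])
    raise ValueError("no DNSKEY record in key file")

def trusted_keys_block(keys, ksk_only=False):
    """named.conf trusted-keys statement; ksk_only keeps just SEP (257) keys so the anchor survives ZSK rollovers."""
    lines = ["trusted-keys {"]
    for owner, flags, proto, alg, b64 in keys:
        if ksk_only and not flags & 1:  # low bit of flags = SEP, set on KSKs
            continue
        lines.append(f'        "{owner}" {flags} {proto} {alg} "{b64}";')
    return "\n".join(lines + ["};"])

def dnskey_rdata(flags, proto, alg, b64):
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode(b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag, the number in K<zone>+<alg>+<tag>.key."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (ac + (ac >> 16)) & 0xFFFF  # carry fold; ac never reaches 2^32 for a DNSKEY

def wire_name(name):
    """Canonical (lower-case) wire form of an owner name; "." is one zero byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def ds_record(owner, flags, proto, alg, b64, digest_type=2):
    """DS for one DNSKEY, as dnssec-signzone writes it to dsset-<zone>. (1 = SHA-1, 2 = SHA-256)."""
    rdata = dnskey_rdata(flags, proto, alg, b64)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"
```

The key tags it computes for the page's two keys should match the numbers in the file names (9603 and 14932), and a DS in a received dsset-com. that does not reproduce from the child's published DNSKEY should not go into the parent zone. The 512-bit RSASHA1 keys used throughout this lab are far too weak for a real zone.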

 

6. Test

#  dig @192.168.56.104 +dnssec my.com. A

 

root@simba-2:/usr/local/named/etc# dig @192.168.56.104 +dnssec my.com. A
 
; <<>> DiG 9.9.2-P1 <<>> @192.168.56.104 +dnssec my.com. A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6723
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;my.com.                                IN      A
 
;; ANSWER SECTION:
my.com.                 84500   IN      A       192.168.56.201
my.com.                 84500   IN      RRSIG   A 5 2 86400 20130920155342 20130821155342 17631 com. Aj0rkV1M2twT7+aFcFi1k3Fej+V6AepP+bhUJFvmOo3JZPckU8S3igDp 6lfVb0aMVESkYhuTPMPneR2i3cfxrA==
 
;; AUTHORITY SECTION:
com.                    84500   IN      NS      ns.com.
com.                    84500   IN      RRSIG   NS 5 1 86400 20130920155342 20130821155342 17631 com. IKhEH7M5RR++eBT8SCljw3OVm0ghbV4i5KWFJL7fslfDmibSncUo6Qn6 vuJ3B3hFxY3VCoyaoCSoZyVQf9oxFQ==
 
;; ADDITIONAL SECTION:
ns.com.                 84500   IN      A       192.168.56.103
ns.com.                 84500   IN      RRSIG   A 5 2 86400 20130920155342 20130821155342 17631 com. oY/d3tIRWOypjxz0LWnEWK0wCfM/h5FlNTn9I5pqxJU9MiylfiwJ2Kpr JjzitCZqnkFn0gfZoOqfmK5i2pY/0A==
 
;; Query time: 23 msec
;; SERVER: 192.168.56.104#53(192.168.56.104)
;; WHEN: Wed Aug 21 13:52:14 2013
;; MSG SIZE  rcvd: 381
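
The ad flag that the tests in sections 3 and 6 look for, and the 30-day RRSIG validity window visible in their output (inception 20130821..., expiration 20130920...), are what to keep watching after this setup; the following Python is an added example, not code from the original post, that reads a dig +dnssec reply and reports the status, whether AD was set, which key signed the answer, and any RRSIG that is not yet valid or is within a warning window of expiry. The samples are the page's own final test output (trimmed) and a constructed SERVFAIL reply, and `now` is passed as a YYYYMMDDHHMMSS UTC string so the check is reproducible.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: header, answer and authority lines from the page's final
# test (dig @192.168.56.104 +dnssec my.com. A), trimmed to what the check reads.
VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6723
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
my.com.                 84500   IN      A       192.168.56.201
my.com.                 84500   IN      RRSIG   A 5 2 86400 20130920155342 20130821155342 17631 com. Aj0rkV1M2twT7+aFcFi1k3Fej+V6AepP+bhUJFvmOo3JZPckU8S3igDp 6lfVb0aMVESkYhuTPMPneR2i3cfxrA==
com.                    84500   IN      NS      ns.com.
com.                    84500   IN      RRSIG   NS 5 1 86400 20130920155342 20130821155342 17631 com. IKhEH7M5RR++eBT8SCljw3OVm0ghbV4i5KWFJL7fslfDmibSncUo6Qn6 vuJ3B3hFxY3VCoyaoCSoZyVQf9oxFQ==
"""
# Constructed sample of a validating resolver refusing an answer it cannot
# validate: SERVFAIL and no ad flag (the page's com. NS query before step 5 g).
BROKEN_CHAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

# RRSIG as dig prints it: owner TTL IN RRSIG type alg labels origTTL expire incept keytag signer sig
RRSIG = re.compile(r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+(\d+)\s+\d+\s+\d+\s+"
                   r"(\d{14})\s+(\d{14})\s+(\d+)\s+(\S+)", re.M)

def header(text):
    """(rcode, set of header flags) from the ->>HEADER<<- and flags lines."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = re.search(r"^;; flags: ([^;]*);", text, re.M).group(1).split()
    return status, set(flags)

def parse_rrsigs(text):
    out = []
    for owner, covered, alg, exp, inc, tag, signer in RRSIG.findall(text):
        out.append({"owner": owner, "type": covered, "alg": int(alg), "keytag": int(tag),
                    "signer": signer, "expire": datetime.strptime(exp, "%Y%m%d%H%M%S"),
                    "incept": datetime.strptime(inc, "%Y%m%d%H%M%S")})
    return out

def check_answer(text, now, warn_days=7):
    """Summarise one dig +dnssec reply. `now` is YYYYMMDDHHMMSS in UTC (the RRSIG
    timestamp form); a signature is stale if not yet valid or within warn_days of expiry."""
    now_dt = datetime.strptime(now, "%Y%m%d%H%M%S")
    status, flags = header(text)
    sigs = parse_rrsigs(text)
    stale = [(s["owner"], s["type"]) for s in sigs
             if now_dt < s["incept"] or s["expire"] - now_dt < timedelta(days=warn_days)]
    return {"status": status, "validated": status == "NOERROR" and "ad" in flags,
            "signers": sorted({(s["signer"], s["keytag"]) for s in sigs}), "stale": stale}
```

A non-empty stale list means the zones must be signed again with dnssec-signzone, and the new signed files loaded, before the resolver starts answering SERVFAIL for them.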
 

 
