Contents:
Bind Easy Tutorial (1): Installation and basic configuration
Bind Easy Tutorial (2): Bind view configuration
Bind Easy Tutorial (3): DNSSEC configuration (this article)
DNSSEC, whose full name is DNS Security Extensions, signs DNS data so that the integrity and authenticity of a domain name's records can be verified and tampering can be detected. DNSSEC does not protect against attacks on DNS servers, nor does it encrypt the queries and answers; and a resolver that does not understand DNSSEC still cannot tell whether the answer it received is complete and correct.
Honestly, my feeling is that DNSSEC takes a lot of effort to configure for something that is not very useful. Still, where it has to be used, it has to be used. Of course, that may just be my own limited knowledge showing, and I may be making a fool of myself.
OK, enough digression; on to the subject. It takes a few steps:
1. Enable DNSSEC:
(1) Add several options to the options block to enable DNSSEC:
options {
    dnssec-enable yes;
    dnssec-validation auto;
    dnssec-lookaside auto;
    notify yes;
    allow-transfer { none; };
};
The dnssec-enable option was previously no; change it to yes. The remaining four options are new.
(2) Create a directory to hold the generated keys:
mkdir -p views/dnssec_keys
(3) Add the relevant parameters to the zone:
zone "apple.tree" IN {
    type master;
    auto-dnssec maintain;
    update-policy local;
    file "/etc/bind/views/zones/dianxin.apple.tree.zone";
    key-directory "/etc/bind/views/dnssec_keys";
};
type and file were there originally; the remaining options are new. The file name given after file will change later; leave it as it is for now.
2. Generate keys
Generate the keys in the newly created dnssec_keys directory:
cd /etc/bind/views/dnssec_keys
# First the key-signing key (KSK), then the zone-signing key (ZSK). The commands were
# truncated on the page; algorithm 5 (RSASHA1) is reconstructed from the +005+ in the
# generated file names, and the default key sizes of dnssec-keygen are used.
sudo dnssec-keygen -r /dev/urandom -a RSASHA1 -f KSK -n ZONE apple.tree.
sudo dnssec-keygen -r /dev/urandom -a RSASHA1 -n ZONE apple.tree.
The options select a key-signing key (KSK) and the RSA algorithm respectively. For the usage of dnssec-keygen you may need to search online or run it with -h. For example, -r /dev/urandom specifies the random number source; without it, generating a key can take several minutes.
You can then see four files in the dnssec_keys directory:
Kapple.tree.+005+54124.key
Kapple.tree.+005+54124.private
Kapple.tree.+005+61152.key
Kapple.tree.+005+61152.private
Two public keys and two private keys; the public keys will be used when configuring the zone file.
3. Sign the zone
(1) Include the two public keys generated earlier at the end of the zone file:
$TTL 86400
@       IN SOA apple.tree. apple.apple.tree. (
                2016090100 ; Serial
                28800      ; Refresh
                7200       ; Retry
                604800     ; Expire
                86400 )    ; Negative Cache TTL
@       IN NS    apple.tree.
@       IN A     192.168.4.135
aaa     IN A     192.168.4.100
bbb     IN A     192.168.4.101
ccc     IN CNAME bbb
$INCLUDE "/etc/bind/views/dnssec_keys/Kapple.tree.+005+54124.key"
$INCLUDE "/etc/bind/views/dnssec_keys/Kapple.tree.+005+61152.key"
(2) Sign the zone (-K is the key directory, -o the zone origin):
sudo dnssec-signzone -K /etc/bind/views/dnssec_keys -o apple.tree. /etc/bind/views/zones/dianxin.apple.tree.zone
A file with the suffix .signed is generated; this is the signed zone. Write the name of the signed zone file into the file option of the zone section from before. The zone becomes:
zone "apple.tree" IN {
    type master;
    auto-dnssec maintain;
    update-policy local;
    file "/etc/bind/views/zones/dianxin.apple.tree.zone.signed";
    key-directory "/etc/bind/views/dnssec_keys";
};
4. Generate the trust anchor
(1) Generate a trust anchor file. First view the two public keys just generated:
$ ls
Kccgslb.bokecs.com.+005+54124.key
Kccgslb.bokecs.com.+005+54124.private
Kccgslb.bokecs.com.+005+61152.key
Kccgslb.bokecs.com.+005+61152.private
$ sudo cat Kapple.tree.+005+54124.key
; This is a key-signing key, keyid 54124, for apple.tree.
; Created: 20160825061813 (Thu Aug 25 06:18:13 2016)
; Publish: 20160825061813 (Thu Aug 25 06:18:13 2016)
; Activate: 20160825061813 (Thu Aug 25 06:18:13 2016)
apple.tree. IN DNSKEY 257 3 5 Aweaabfkw0jfr6maiindumr1waj6xzirj3zso8xyiosmeqrnvvys9doz tbemhocwhok5rnezpu/itjvezszhy3ba1tc=
$ sudo cat Kapple.tree.+005+61152.key
; This is a zone-signing key, keyid 61152, for apple.tree.
; Created: 20160825062349 (Thu Aug 25 06:23:49 2016)
; Publish: 20160825062349 (Thu Aug 25 06:23:49 2016)
; Activate: 20160825062349 (Thu Aug 25 06:23:49 2016)
apple.tree. IN DNSKEY 256 3 5 aweaab8mo4dn8i1mct/f575aacdesr+q0igouawrja5dgjnzfaox39ew z3qfg6nmiddgtt/copl+uqh46bergqk9poc=
Create the file sec-trust-anchors.conf under the /etc/bind directory:
trusted-keys {
    apple.tree. 257 3 5 "Aweaabfkw0jfr6maiindumr1waj6xzirj3zso8xyiosmeqrnvvys9doz tBemhoCWhOk5RnEZpu/Itjvezszhy3ba1tc=";
    apple.tree. 256 3 5 "Aweaab8mo4dn8i1mct/f575aacdesr+q0igouawrja5dgjnzfaox39ew z3qfg6nmiddgtt/copl+uqh46bergqk9poc=";
};
The two entries are the contents of the two keys just generated; it is easiest to take them from the public key (.key) files. Note that the words "IN" and "DNSKEY" are removed when copying, and the key data that follows is put in quotes.
(2) Add to named.conf:
include "/etc/bind/sec-trust-anchors.conf";
5. Restart BIND
sudo service bind9 restart
If the restart succeeds, you can test it:
$ dig +dnssec aaa.apple.tree @192.168.4.43

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> aaa.apple.tree @192.168.4.43
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53833
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;aaa.apple.tree.                IN      A

;; ANSWER SECTION:
aaa.apple.tree.         86400   IN      A       192.168.4.100
aaa.apple.tree.         86400   IN      RRSIG   CNAME 5 6 86400 201609240843 20160825075619 61152 apple.tree. Plhn/vcvsb6mcvyzgm66qh2/19gkxrrfogcdwmwj3n5zu+iqpu4w5xoy 9osk/d9bm9lm3yflteubmcdlfbrukw==

;; Query time: 4 msec
;; SERVER: 192.168.4.43#53(192.168.4.43)
;; WHEN: Fri Jan 14:47:48 CST 2016
;; MSG SIZE  rcvd: 59
We see that in addition to the normal answer resolving to 192.168.4.100, there is a line of seemingly random characters: this is the RRSIG signature for aaa.apple.tree. Its presence shows that DNSSEC is in effect. That completes the three-part introduction to BIND. For BIND as a whole this is only the tip of the iceberg, but my energy is limited and this is all I can write.
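As an added example that is not part of the original tutorial, the following Python script automates the manual copying in step 4: it reads a K*.key file in the format dnssec-keygen writes, checks that the DNSKEY flags mark the key as a ZSK (256) or KSK (257) and that the RFC 4034 key tag matches the keyid in the file name, and emits the corresponding trusted-keys line. The sample key file and its four-byte key are constructed here for illustration; a real RSASHA1 key is far longer.

```python
import base64
import re
import struct

# Constructed sample .key file in the layout dnssec-keygen writes (not the page's real key).
SAMPLE_KEY_FILE = """; This is a zone-signing key, keyid 2059, for apple.tree.
; Created: 20160825062349 (Thu Aug 25 06:23:49 2016)
apple.tree. IN DNSKEY 256 3 5 AQIDBA==
"""

def parse_dnskey_file(text):
    """Return (owner, flags, protocol, algorithm, key_bytes) from a K*.key file."""
    for line in text.splitlines():
        if line.startswith(";") or not line.strip():
            continue  # skip the comment header dnssec-keygen writes
        parts = line.split()
        owner, cls, rtype, flags, proto, alg = parts[:6]
        if cls.upper() != "IN" or rtype.upper() != "DNSKEY":
            raise ValueError("not a DNSKEY record: %s" % line)
        key = base64.b64decode("".join(parts[6:]))  # key data may be wrapped with spaces
        return owner, int(flags), int(proto), int(alg), key
    raise ValueError("no DNSKEY record found")

def key_tag(flags, proto, alg, key):
    """Key tag per RFC 4034 Appendix B; this is the keyid in the file name."""
    rdata = struct.pack("!HBB", flags, proto, alg) + key
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def keyid_from_filename(name):
    """Extract the zero-padded keyid from a name like Kapple.tree.+005+54124.key."""
    m = re.match(r"K(.+)\.\+(\d{3})\+(\d{5})\.key$", name)
    if m is None:
        raise ValueError("not a dnssec-keygen public key file name: %s" % name)
    return int(m.group(3))

def trusted_keys_entry(text, expected_keyid=None):
    """Build the trusted-keys line; refuse unknown flags or a keyid mismatch."""
    owner, flags, proto, alg, key = parse_dnskey_file(text)
    if flags not in (256, 257):
        raise ValueError("unexpected DNSKEY flags %d (256=ZSK, 257=KSK)" % flags)
    tag = key_tag(flags, proto, alg, key)
    if expected_keyid is not None and tag != expected_keyid:
        raise ValueError("key tag %d does not match keyid %d" % (tag, expected_keyid))
    return '%s %d %d %d "%s";' % (owner, flags, proto, alg, base64.b64encode(key).decode())

if __name__ == "__main__":
    kid = keyid_from_filename("Kapple.tree.+005+02059.key")
    print("trusted-keys {\n    " + trusted_keys_entry(SAMPLE_KEY_FILE, kid) + "\n};")
```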
Off topic:
(1) I initially thought BIND's performance was very poor, but after actually using it I found it quite fast, with more features too; it truly deserves to be the most widely used DNS server in the world today. With logging turned off, I measured almost 120,000 QPS, which is much higher than PowerDNS. Furthermore, DNSSEC did not reduce performance, I guess because of caching.
(2) DNS security is a very serious issue. I know very little about it, and only one-sidedly, so I hesitate to write about it. A few days ago I talked with some classmates about "distributed amplification attacks", and it is simply frightening. Simply put, with an attacker A and a victim B, A disguises its IP address as B's and then sends a request to a DNS server. The request is carefully prepared so that the answer is much larger than the request itself. The DNS server then sends the reply packet to B. From the outside, the DNS server is being used as an amplifier to attack B. Of course, one DNS packet is no big problem, but a large number of DNS answer packets will be: the victim's computer is not a server, so can it withstand such a flood of network packets? This is the amplification attack. The "distributed" part is that A can send requests to many DNS servers, which becomes N servers attacking the same computer (server: I've been wronged /(ㄒoㄒ)/~~). Don't look at me, I don't know how to solve it.