BIND9 private DNS server uses DNSSEC

Source: Internet
Author: User
Tags: hmac, dnssec
1. Basic server configuration

1) master root server: 192.168.56.101
2) slave root server: 192.168.56.102
3) COM server: 192.168.56.103
4) resolving server: 192.168.56.104

2. Configure the master root server

1) Generate a signing key pair

# cd /var/named

First generate the key-signing key (KSK) for the zone:

# dnssec-keygen -f KSK -a RSASHA1 -b 512 -n ZONE .

This produces the files K.+005+09603.key and K.+005+09603.private. Then generate the zone-signing key (ZSK):

# dnssec-keygen -a RSASHA1 -b 512 -n ZONE .

This produces K.+005+14932.key and K.+005+14932.private. In the file names, 005 is the algorithm number of RSASHA1 and the last number is the key tag of that key.

Note: 512-bit RSASHA1 keys and an HMAC-MD5 rndc key are lab settings only; RSASHA1 (algorithm 5) is deprecated for new signing and 512-bit RSA is far below any current minimum, so use a larger key or an elliptic-curve algorithm outside a test bed.

2) Sign the zone

a. Add the two public keys just generated to the end of the zone file db.root with $INCLUDE:

```
$TTL 86400
@         IN SOA @ root ( 12169 1m 1m 1m 1m )
.         IN NS  root.ns.
root.ns.  IN A   192.168.56.101
com.      IN NS  ns.com.
ns.com.   IN A   192.168.56.103
$INCLUDE "K.+005+14932.key"
$INCLUDE "K.+005+09603.key"
```

b. Then run the signing operation:

# dnssec-signzone -o . db.root

The -o option names the zone being signed (here the root zone "."). The signed zone is written to db.root.signed.

c. Modify the master's named.conf:

```
key "rndc-key" {
    algorithm HMAC-MD5;
    secret "wk7NzsvLaCobiCFxHB2LXQ=";
};
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
options {
    directory "/var/named/";
    pid-file "/var/named.pid";
    recursion no;
    dnssec-enable yes;
};
zone "." IN {
    type master;
    file "db.root.signed";
    allow-transfer { 192.168.56.102; };
};
```

dnssec-enable yes; in options turns DNSSEC on (this option belongs to the BIND 9.9 release used here; newer BIND releases have removed it and enable DNSSEC unconditionally), and the file statement of the zone now points at the signed file db.root.signed. Restart named.

3. Configure the validating resolver (192.168.56.104)

1) Open named.conf and add the following:

# vi named.conf

```
key "rndc-key" {
    algorithm HMAC-MD5;
    secret "kMOStrdGYC5WmE1obk7LJg=";
};
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
options {
    directory "/var/named";
    pid-file "/var/run/named.pid";
    allow-query { any; };
    recursion yes;
    allow-recursion { any; };
    dnssec-enable yes;
};
zone "." IN {
    type hint;
    file "db.root";
};
include "/var/named/sec-trust-anchors.conf";
```

Here dnssec-enable yes; turns DNSSEC on and the include line adds the trust anchor file.

2) Create the trust anchor file

# cd /var/named
# touch sec-trust-anchors.conf
# vi sec-trust-anchors.conf

```
trusted-keys {
    "." 256 3 5 "logs/J675JOBatuxY3fpIF2ZlyVfjt4SSg8JN10+FUx2iRqjlxzU=";
    "." 257 3 5 "release/m1RwLY0pA/Pa0r+release+zEWUQ9LVQ release/qqr71s74fD11bOLU=";
};
```

The key strings are the public-key part of K.+005+09603.key and K.+005+14932.key generated on the master server (192.168.56.101); the flags field is 257 for the KSK and 256 for the ZSK. (The quoted key strings are damaged in this copy of the page; copy them from your own .key files.) Restart the named service.

3) Test

# dig @192.168.56.104 +dnssec . NS

Some base64 fields in the dig outputs below are damaged in this copy of the page and are reproduced as found.

```
root@simba-4:/var/named# dig @192.168.56.104 +dnssec . NS

; <<>> DiG 9.9.2-P1 <<>> @192.168.56.104 +dnssec . NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58557
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;.                      IN      NS

;; ANSWER SECTION:
.               86039   IN      NS      root.ns.
.               86039   IN      RRSIG   NS 5 0 86400 20130920155850 20130821155850 . RTflmGcEwLDyjENuEvDBVM1UiuL6lS/ae3K0iBTRoRzY50MhnmXCQYEQ TNSDflG9D0TskUJNd3UqLtvS6+b28Q==

;; Query time: 15 msec
;; SERVER: 192.168.56.104#53(192.168.56.104)
;; WHEN: Wed Aug 21 13:26:35 2013
;; MSG SIZE  rcvd: 142
```

The flags field contains ad, which shows that DNSSEC is enabled and the answer was validated. However, if you run # dig @192.168.56.104 +dnssec com. NS at this point, the query fails and named reports "The trust chain is damaged" (a broken trust chain): com. is not signed yet and the root zone carries no DS record for it. Step 5 fixes this.

4. Configure the slave root server

1) On 192.168.56.102, open named.conf and add the following:

# vi named.conf

```
key "rndc-key" {
    algorithm HMAC-MD5;
    secret "JaHjteR5sZxVrMWWcOne9g=";
};
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
options {
    directory "/var/named";
    pid-file "/var/run/named.pid";
    transfer-format many-answers;
    recursion no;
    dnssec-enable yes;
};
zone "." IN {
    type slave;
    file "db.root";
    masters { 192.168.56.101; };
};
```

Here the only DNSSEC-related change is adding dnssec-enable yes; to options. (The page's copy of this file had "allow-answers" as the transfer-format value, which named does not accept; the valid values are one-answer and many-answers.) Delete /var/named/db.root and restart the service so that the slave transfers a fresh copy of the signed zone from the master.

2) Test

# dig @192.168.56.102 +dnssec . NS

```
root@simba-2:/usr/local/named/etc# dig @192.168.56.102 +dnssec . NS

; <<>> DiG 9.9.2-P1 <<>> @192.168.56.102 +dnssec . NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31463
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;.                      IN      NS

;; ANSWER SECTION:
.               86400   IN      NS      root.ns.
.               86400   IN      RRSIG   NS 5 0 86400 20130920155850 20130821155850 . RTflmGcEwLDyjENuEvDBVM1UiuL6lS/ae3K0iBTRoRzY50MhnmXCQYEQ TNSDflG9D0TskUJNd3UqLtvS6+b28Q==

;; ADDITIONAL SECTION:
root.ns.        86400   IN      A       192.168.56.101
root.ns.        86400   IN      RRSIG   A 5 2 86400 20130920155850 20130821155850 9603 . MGX976QJsdXqS/tEtYoG/CvI4v1QWkUk79XOOxyvvVqFaVz5XBuFOppz BT/timeout==

;; Query time: 17 msec
;; SERVER: 192.168.56.102#53(192.168.56.102)
;; WHEN: Wed Aug 21 13:36:21 2013
;; MSG SIZE  rcvd: 253
```

# dig @192.168.56.102 +dnssec com. NS

```
root@simba-2:/usr/local/named/etc# dig @192.168.56.102 +dnssec com. NS

; <<>> DiG 9.9.2-P1 <<>> @192.168.56.102 +dnssec com. NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23672
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;com.                   IN      NS

;; AUTHORITY SECTION:
com.            86400   IN      NS      ns.com.
com.            86400   IN      DS      57139 5 2 1D84EDAD0F96E34D869B24DBE0515C7179102EAD293C8FEAF7EE9B00 8388601C
com.            86400   IN      DS      57139 5 1 C9D1B946BDC3CB7D1D97F3FC74483C13E3DD03A0
com.            86400   IN      RRSIG   DS 5 1 86400 20130920155850 20130821155850 9603 . examples/J5Y/ZzMHxCjQel60pEqbxkMxLO c+nzhu810wv9AB6gCQ4JsOLJGu1uxw==

;; ADDITIONAL SECTION:
ns.com.         86400   IN      A       192.168.56.103

;; Query time: 14 msec
;; SERVER: 192.168.56.102#53(192.168.56.102)
;; WHEN: Wed Aug 21 13:35:43 2013
;; MSG SIZE  rcvd: 244
```

5. Configure the COM server (192.168.56.103)

1) Generate a signing key pair

# cd /var/named

First generate the key-signing key (KSK) for the zone:

# dnssec-keygen -f KSK -a RSASHA1 -b 512 -n ZONE com.

This produces Kcom.+005+17631.key and Kcom.+005+17631.private. Then generate the zone-signing key (ZSK):

# dnssec-keygen -a RSASHA1 -b 512 -n ZONE com.

This produces Kcom.+005+57139.key and Kcom.+005+57139.private.

2) Sign the zone

d. Add the two public keys just generated to the end of the zone file db.com:

```
$TTL 86400
@         IN SOA @ root ( 2 1m 1m 1m 1m )
com.      IN NS  ns.com.
ns.com.   IN A   192.168.56.103
my.com.   IN A   192.168.56.201
$INCLUDE "Kcom.+005+17631.key"
$INCLUDE "Kcom.+005+57139.key"
```

e. Then run the signing operation:

# dnssec-signzone -o com. db.com

The -o option names the zone being signed. The signed zone is written to db.com.signed, and a file dsset-com. containing the DS records for the zone's keys is written alongside it.

f. Modify the COM server's named.conf:

```
key "rndc-key" {
    algorithm HMAC-MD5;
    secret "kMOStrdGYC5WmE1obk7LJg=";
};
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
options {
    directory "/var/named";
    pid-file "/var/run/named.pid";
    allow-query { any; };
    recursion no;
    dnssec-enable yes;
};
zone "." IN {
    type hint;
    file "db.root";
};
zone "com." IN {
    type master;
    file "db.com.signed";
};
```

dnssec-enable yes; in options turns DNSSEC on, and the file statement of the com. zone points at the signed file db.com.signed. Restart the named server.

g. Send the generated dsset-com. to the master root server so that the root zone carries a DS record for com. (this completes the trust chain from the root trust anchor down to com.):

① On 192.168.56.103 run:

# cd /var/named
# scp dsset-com. root@192.168.56.101:/var/named/

② On 192.168.56.101 run:

# cd /var/named
# vi db.root

③ Add $INCLUDE "dsset-com." to the zone file:

```
$TTL 86400
@         IN SOA @ root ( 12169 1m 1m 1m 1m )
.         IN NS  root.ns.
root.ns.  IN A   192.168.56.101
com.      IN NS  ns.com.
ns.com.   IN A   192.168.56.103
$INCLUDE "K.+005+14932.key"
$INCLUDE "K.+005+09603.key"
$INCLUDE "dsset-com."
```

④ Then re-sign the zone file on the master server:

# mv db.root.signed db.root.signed.bak
# dnssec-signzone -o . db.root

⑤ Restart the service.

6. Test

# dig @192.168.56.104 +dnssec my.com. A

```
root@simba-2:/usr/local/named/etc# dig @192.168.56.104 +dnssec my.com. A

; <<>> DiG 9.9.2-P1 <<>> @192.168.56.104 +dnssec my.com. A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6723
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;my.com.                IN      A

;; ANSWER SECTION:
my.com.         84500   IN      A       192.168.56.201
my.com.         84500   IN      RRSIG   A 5 2 86400 20130920155342 20130821155342 17631 com. aj0rkV1M2twT7+aFcFi1k3Fej+V6AepP+bhUJFvmOo3JZPckU8S3igDp 6lfvb0amveskyhupmpner2i3cfxra==

;; AUTHORITY SECTION:
com.            84500   IN      NS      ns.com.
com.            84500   IN      RRSIG   NS 5 1 86400 20130920155342 20130821155342 17631 com. ikhew.m5rr++export vuj3b3hfxy3vcoyaocsozyv3169oxfq==

;; ADDITIONAL SECTION:
ns.com.         84500   IN      A       192.168.56.103
ns.com.         84500   IN      RRSIG   A 5 2 86400 20130920155342 20130821155342 17631 com. oY/d3tIRWOypjxz0LWnEWK0wCfM/commandid/0A==

;; Query time: 23 msec
;; SERVER: 192.168.56.104#53(192.168.56.104)
;; WHEN: Wed Aug 21 13:52:14 2013
;; MSG SIZE  rcvd: 381
```

The answer for my.com. now carries the ad flag: the resolver validated the A record through the com. DNSKEY, the DS record published in the root zone and the root trust anchor.
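The dsset-com. file handed to the root server in step 5 g, and the DS records visible in the dig output above, are what bind the com. DNSKEY to the parent zone. The following Python is an added example (not part of the original page and not BIND's own code): it computes the RFC 4034 key tag (the NNNNN in the K<zone>+005+NNNNN.key file names and in DS records), builds the SHA-1 and SHA-256 DS records that dnssec-signzone writes to dsset-<zone>., and checks a DS line against a DNSKEY the way a validating resolver does at a delegation. The DNSKEY values are constructed sample data, not the page's keys.

```python
import hashlib
import struct

# Constructed sample DNSKEY for "com." (not the page's key): flags 257 = KSK
# (SEP bit set; a ZSK has 256), protocol 3, algorithm 5 = RSASHA1 as in the
# dnssec-keygen commands above. The public key bytes are arbitrary test data.
SAMPLE_OWNER = "com."
SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM = 257, 3, 5
SAMPLE_PUBKEY = bytes([0x03, 0x01, 0x00, 0x01, 0xAB, 0xCD, 0xEF, 0x12, 0x34, 0x56])
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest type -> hash function

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (lower-case, uncompressed), RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag, as used in key file names, RRSIG and DS records."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(flags, protocol, algorithm, pubkey)):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_records(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes) -> list:
    """The DS lines dnssec-signzone writes to dsset-<zone>.: digest over owner name + DNSKEY RDATA."""
    data = name_to_wire(owner) + dnskey_rdata(flags, protocol, algorithm, pubkey)
    tag = key_tag(flags, protocol, algorithm, pubkey)
    return [f"{owner} IN DS {tag} {algorithm} {dtype} {h(data).hexdigest().upper()}"
            for dtype, h in sorted(DIGEST_TYPES.items())]

def ds_matches_dnskey(ds_line: str, owner: str, flags: int, protocol: int,
                      algorithm: int, pubkey: bytes) -> bool:
    """The delegation check a validating resolver performs: the parent's DS must match the child's DNSKEY."""
    f = ds_line.split()
    tag, alg, dtype, digest = int(f[3]), int(f[4]), int(f[5]), f[6].upper()
    h = DIGEST_TYPES.get(dtype)
    if h is None or alg != algorithm or tag != key_tag(flags, protocol, algorithm, pubkey):
        return False
    data = name_to_wire(owner) + dnskey_rdata(flags, protocol, algorithm, pubkey)
    return h(data).hexdigest().upper() == digest

if __name__ == "__main__":
    for line in ds_records(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_PUBKEY):
        print(line, ds_matches_dnskey(line, SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_PUBKEY))
```

A DS whose key tag or digest does not match the child's DNSKEY is exactly the "broken trust chain" condition seen in step 3 before the dsset was published.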