named.conf中options相关配置(注:dnssec-lookaside 对应的 DLV 服务已停用,较新的 BIND 版本已移除该选项,按所用版本取舍)
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
建立目录,用于放置生成的key
[root@ddi ~]# cd /var/named/
[root@ddi named]# mkdir dnssec_keys
zone配置
zone "mnn.com" IN {
type master;
file "mnn.com.zone";
auto-dnssec maintain;
update-policy local;
key-directory "/var/named/dnssec_keys";
};
file "mnn.com.zone"; 一会儿要修改为签名后的zone
生成密钥
[root@ddi named]# cd dnssec_keys/
[root@ddi dnssec_keys]# ls
[root@ddi dnssec_keys]# dnssec-keygen -f KSK -a RSASHA1 -r /dev/urandom -b 512 -n ZONE mnn.com
Generating key pair................++++++++++++ ..........................++++++++++++
Kmnn.com.+005+41497
[root@ddi dnssec_keys]# ls
Kmnn.com.+005+41497.key Kmnn.com.+005+41497.private
[root@ddi dnssec_keys]# dnssec-keygen -a RSASHA1 -r /dev/urandom -b 512 -n ZONE mnn.com
Generating key pair..............++++++++++++ ................++++++++++++
Kmnn.com.+005+45006
注:此处可能出错。比较新的bind版本此命令去掉了-r参数,此处去掉即可;查看dnssec-keygen帮助可以看到-b参数支持的区间为1024-4096,所以出错时此处需修改。另外,RSASHA1(算法号5)在较新的 BIND 和验证器中已不推荐,实际部署时建议改用 RSASHA256 或 ECDSAP256SHA256。
修改后命令为
dnssec-keygen -f KSK -a RSASHA1 -b 1024 -n ZONE mnn.com
dnssec-keygen -a RSASHA1 -b 1024 -n ZONE mnn.com
之后在dnssec_keys目录中可以看到4个文件:两个公钥(.key)和两个私钥(.private),配置解析库的时候会用到。私钥文件只应由 named 运行用户可读。
[root@ddi dnssec_keys]# ls
Kmnn.com.+005+41497.key Kmnn.com.+005+41497.private Kmnn.com.+005+45006.key Kmnn.com.+005+45006.private
[root@ddi dnssec_keys]# pwd
/var/named/dnssec_keys
签名
1,将前面生成的两个公钥添加到区域配置文件末尾
[root@ddi dnssec_keys]# vim ../mnn.com.zone
$TTL 600
@ IN SOA dns.mnn.com. dnsadmin.mnn.com. (
20190109
2H
4M
1W
2D
)
@ IN NS dns.mnn.com.
@ IN MX 10 mail.mnn.com.
dns IN A 192.168.16.109
mail IN A 5.5.6.6
www IN A 6.6.8.8
$INCLUDE "/var/named/dnssec_keys/Kmnn.com.+005+41497.key"
$INCLUDE "/var/named/dnssec_keys/Kmnn.com.+005+45006.key"
2,对zone签名
[root@ddi dnssec_keys]# dnssec-signzone -K /var/named/dnssec_keys -o mnn.com. /var/named/mnn.com.zone
Verifying the zone using the following algorithms: RSASHA1.
Zone fully signed:
Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked
/var/named/mnn.com.zone.signed
会生成一个后缀为.signed的文件,这个就是签名后的zone。把zone配置中的file改为签名后的zone:
[root@ddi dnssec_keys]# vim /etc/named.rfc1912.zones
zone "mnn.com" IN {
type master;
file "mnn.com.zone.signed";
auto-dnssec maintain;
update-policy local;
key-directory "/var/named/dnssec_keys";
};
生成信任锚
[root@ddi dnssec_keys]# ls
dsset-mnn.com. Kmnn.com.+005+41497.key Kmnn.com.+005+41497.private Kmnn.com.+005+45006.key Kmnn.com.+005+45006.private
[root@ddi dnssec_keys]# cat Kmnn.com.+005+41497.
Kmnn.com.+005+41497.key Kmnn.com.+005+41497.private
[root@ddi dnssec_keys]# cat Kmnn.com.+005+41497.key
; This is a key-signing key, keyid 41497, for mnn.com.
; Created: 20191021065307 (Mon Oct 21 14:53:07 2019)
; Publish: 20191021065307 (Mon Oct 21 14:53:07 2019)
; Activate: 20191021065307 (Mon Oct 21 14:53:07 2019)
mnn.com. IN DNSKEY 257 3 5 AwEAAcYZa4ptqjSKQMWJpUx0Rfms24WUlX5r/gMw/m5JQTCe0xkgRhy8 mYSBBukxEs+2yrf6mkHlrEMd9q8C0zzvLAk=
[root@ddi dnssec_keys]#
[root@ddi dnssec_keys]# cat Kmnn.com.+005+45006.key
; This is a zone-signing key, keyid 45006, for mnn.com.
; Created: 20191021065330 (Mon Oct 21 14:53:30 2019)
; Publish: 20191021065330 (Mon Oct 21 14:53:30 2019)
; Activate: 20191021065330 (Mon Oct 21 14:53:30 2019)
mnn.com. IN DNSKEY 256 3 5 AwEAActhvaoSchX/WxuGmzYoR0JIZ1cP963hrazD/hvrws4qOPtw4//w Wkhd/W6FxMEgnXt21ByF5z37Xc1QD1ny6Uk=
[root@ddi dnssec_keys]#
在/etc目录下生成文件 sec-trust-anchors.conf。注意 trusted-keys 是静态信任锚,密钥轮换后必须手动更新该文件,否则验证会失败。
[root@ddi dnssec_keys]# vim /etc/sec-trust-anchors.conf
trusted-keys {
mnn.com. 256 3 5 "AwEAActhvaoSchX/WxuGmzYoR0JIZ1cP963hrazD/hvrws4qOPtw4//w
Wkhd/W6FxMEgnXt21ByF5z37Xc1QD1ny6Uk=";
mnn.com. 257 3 5 "AwEAAcYZa4ptqjSKQMWJpUx0Rfms24WUlX5r/gMw/m5JQTCe0xkgRhy8
mYSBBukxEs+2yrf6mkHlrEMd9q8C0zzvLAk=";
};
2,在named.conf中添加
include "/etc/sec-trust-anchors.conf";
重启named并测试
service named restart