DNSSEC deployment and verification (document preview: the first 5 of 30 pages)

1. Environment

    Root server: (.)
    Top-level domain server: (com.)
    Second-level domain server: (.)
    Recursive server
    Client

(The host addresses, the name of the second-level domain and the topology diagram did not survive in the page text: where an address should appear the text shows "0" or nothing, and the second-level domain's name appears only as ".". They are left as they appear below.)

I. Configuring the second-level server

1. Configure named.conf

    # more named.conf
    options {
        directory "/root/dnssec/";
        pid-file "named.pid";
        version none;
        hostname none;
        recursion no;
        allow-query { any; };
        querylog yes;
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
    };
    logging {
        channel query_log {
            file "log/query.log" versions 5 size 50m;
            print-time yes;
            severity info;
        };
        category queries { query_log; };
        channel general_log {
            file "log/general.log" versions 5 size 20m;
            print-time yes;
            print-category yes;
            print-severity yes;
            severity info;
        };
        category default { general_log; };
        category general { general_log; };
    };
    zone "." {
        key-directory "/root/dnssec/key";
        auto-dnssec maintain;
        inline-signing yes;
        type master;
        file "zone/.zone";
    };

auto-dnssec maintain together with inline-signing yes makes named sign the zone itself from whatever keys it finds in key-directory and re-sign before signatures expire; the unsigned zone file is never touched by the signer. Two of these options are tied to the BIND 9.9 era: dnssec-lookaside auto relied on ISC's DLV registry, which was shut down in 2017 and is no longer accepted by current BIND, and from BIND 9.16 the auto-dnssec/inline-signing pair is superseded by dnssec-policy. dnssec-validation only affects recursive lookups, so on this authoritative-only server (recursion no) it does nothing.

2. Zone file

    $TTL 3600
    .     IN SOA . . (
              2014011203   ; serial
              600          ; refresh
              300          ; retry
              86400        ; expire
              36000 )      ; minimum
    .     IN NS  .
    dns   IN A   0
    www   IN A   0
    ftp   IN A   0

3. Check that named.conf and the zone file are syntactically correct

    # named-checkconf named.conf
    # named-checkzone ./zone/.zone
    zone com/IN: loaded serial 2014011203
    OK

4. Generate the ZSK and KSK needed to sign the zone

    Generate the KSK:
    # dnssec-keygen -K /root/dnssec/key/ -r /dev/urandom -f KSK -a NSEC3RSASHA1 -b 2048 -n ZONE .
    Generating key pair.+ .+
    K.+007+54399

    Generate the ZSK:
    # dnssec-keygen -K /root/dnssec/key/ -r /dev/urandom -a NSEC3RSASHA1 -b 1024 -n ZONE .
    Generating key pair.+ .+
    K.+007+58352

The file name encodes the algorithm number (007 = NSEC3RSASHA1) and the key tag (54399 for the KSK, 58352 for the ZSK). -f KSK sets the SEP bit, so the KSK's DNSKEY has flags 257 while the ZSK's has 256. The choices here are 2014 choices: RFC 8624 lists algorithm 7 as NOT RECOMMENDED for signing and 1024-bit RSA is below the usual 2048-bit floor; a new deployment would use ECDSAP256SHA256 (-a ECDSAP256SHA256, algorithm 13), for which no -b is needed.

5. Check the generated keys

    root@DM key# ll
    total 16
    -rw-r--r-- 1 root root  599 Dec 11 14:22 K.+007+54399.key
    -rw------- 1 root root 1779 Dec 11 14:22 K.+007+54399.private
    -rw-r--r-- 1 root root  600 Dec 11 14:22 K.+007+58352.key
    -rw------- 1 root root 1779 Dec 11 14:22 K.+007+58352.private

Leave the .private files at mode 0600 owned by the user named runs as: whoever can read them can produce valid signatures for the zone.

6. Once named has been started you will find the zone has already been signed

    root@DM zone# ll
    total 20
    -rw-r--r-- 1 root root  216 Dec 11 11:50 .zone
    -rw-r--r-- 1 root root  512 Dec 11 14:28 .zone.jbk
    -rw-r--r-- 1 root root 2107 Dec 11 14:28 .zone.signed
    -rw-r--r-- 1 root root 7507 Dec 11 14:28 .zone.signed.jnl

    root@DM zone# dig 0 +dnssec
    ; <<>> DiG 9.9.6 <<>> 0 +dnssec
    ;; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38967
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
    ;; WARNING: recursion requested but not available
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;.    IN A
    ;; ANSWER SECTION:
    . 3600 IN A 0
    . 3600 IN RRSIG A 7 3 3600 20150110061530 20141211052801 58352 . v+KaNBhFz20UY4nF0Qb6HKvCvDUW2CzkojiVa7qvC8W/MAZCt1E6ctMU 8Xh+AOa7WMRfV6xHckQF1ywFUDB2vxMtiGbLKqF4QlEcdqOObxtSrK3y lLpdOEaWtQbrqcx3QZ4N9Md1C/Btzw3mtDWga62ghBctQSzskzCxYWeb eegzhDGL2KwvoXReAanS5SHKZZQXQjr0nXqC8xPPWRBUqHD6/D829ab8 m4N8i5OrvTI/6Bb4Kc8Nkzv0JHmvArlhLnmltdIMxefyzdD+5DbVJinD /WJJ3cy7/oc7r0UCQ7y1nYX0HGyNAamjS+ypukIGbIiQFsMRGGLBrXnQ 0lhChg=
    ;; AUTHORITY SECTION:
    . 3600 IN NS .
    . 3600 IN RRSIG NS 7 2 3600 20150110061530 20141211052801 58352 . ep7BzH9LX9PV/opqH9ABZ/JWQJRTrOE5Ct5QN0reh0a0fGvaP5MOVEv6 25XcnCJURvwBsIg5Z/2uvbraFwXxwCOAW5xz3FAvBmdgQ5+tvOlE7P/j Odu/O1y6RHo4MUtq5L6P4NBfg96hYP3O2DdTvNZ2ef1TfNNdy2txbeMy CEHKZT6to4Lop3J6gTV0+lSIO9AMcZJSbSJlmWSWX4s1mGOzEDYfqF7Q PDaIyx+Lkit+Txt6Eh4usSJs7hBGtrQZ/88lABps6HyvoAyVkMVptnTY 3f7G3G2HuhobMPv7i21OJAPVhq1bjqxXmvNCUc+4psH3IT+fk953obp MLiB7w=
    ;; ADDITIONAL SECTION:
    . 3600 IN A 0
    . 3600 IN RRSIG A 7 3 3600 20150110061530 20141211052801 58352 . TnWvOqrHSiCHJItN/RNiGVzXkJJZ+dFtvmL4H4ps1n6uVquapze0qkcz H+2tdLgzVGfntZlqtQBngU00LziIjEQYdcNGktQGgE36A8Qwgl+TI0o1 o4b7GI1k4MsP6FGKiXY3W/FK32atkcZ5yCEU9tKsbJ4DZ70wef1dmMLH 7xBL72GUnro7BRTPmUIa32CY4QOo3N5TYafAK5QHj0jUD+D929PkZg5O 8OLFX+wI0fNlPrMUQWZ5lrFNr3lj/E0NosSOWEAAzkx0vQK0Wc7sOidM X6lhsao36HyZryaMMRw6MUBgF4ye325DkTG5nBl4EA24tBw4JDwqwXHj NywZWQ=
    ;; Query time: 0 msec
    ;; SERVER: 0#53(0)
    ;; WHEN: Thu Dec 11 14:28:38 CST 2014
    ;; MSG SIZE  rcvd: 979

What to look for: every RRset in the answer is accompanied by an RRSIG, and every RRSIG carries key tag 58352, the ZSK; the KSK (54399) signs only the DNSKEY RRset. The signatures are valid for 30 days (inception 20141211052801, expiration 20150110061530), which is BIND's default; named re-signs well before that, but an authoritative server that stops running, or whose clock is wrong, serves expired signatures and the zone goes bogus at every validating resolver. The missing "ad" flag is expected here: an authoritative server only serves signatures, it does not validate them; "ad" is set by the validating resolver of section IV.

7. Start the named process

    # named -c /root/dnssec/named.conf

8. DNSSEC deployment and validation involve the whole resolution chain: the administrator of a child zone must hand the DS record of that zone to the administrator of the parent zone. Generate the DS record from the KSK:

    # dnssec-dsfromkey K.+007+54399.key
    . IN DS 54399 7 1 D216164642505957520A77E8B7D2C9B5F0FF8D15
    . IN DS 54399 7 2 EAB4A54498EB27A4EA545C7AC4A273733FC320930F55834962986A4290F4800B

A DS is a digest (type 1 = SHA-1, type 2 = SHA-256) of the owner name plus the KSK's DNSKEY RDATA, so publishing it commits the parent to exactly this key. Submit only the SHA-256 record: RFC 8624 says DS records with SHA-1 digests MUST NOT be published. This completes the DNSSEC deployment of the second-level zone; next, DNSSEC for com.

II. DNSSEC deployment for the top-level domain com

1. Configure named.conf

The options and logging blocks are identical to those of the second-level server in section I (including recursion no, dnssec-enable, dnssec-validation and dnssec-lookaside); only the zone statement differs:

    zone "com." {
        key-directory "/root/dnssec/key";
        auto-dnssec maintain;
        inline-signing yes;
        type master;
        file "zone/com.zone";
    };

2. Generate com's KSK and ZSK

    Generate the KSK:
    # dnssec-keygen -K /root/dnssec/key/ -r /dev/urandom -f KSK -a NSEC3RSASHA1 -b 2048 -n ZONE com.
    Generating key pair.+ .+
    Kcom.+007+16329

    Generate the ZSK:
    # dnssec-keygen -K /root/dnssec/key/ -r /dev/urandom -a NSEC3RSASHA1 -b 1024 -n ZONE com.
    Generating key pair.+ .+
    Kcom.+007+31025

3. Check the generated keys

    root@dipei16 key# ll
    total 16
    -rw-r--r-- 1 root root  589 Dec 11 14:43 Kcom.+007+16329.key
    -rw------- 1 root root 1779 Dec 11 14:43 Kcom.+007+16329.private
    -rw-r--r-- 1 root root  415 Dec 11 14:43 Kcom.+007+31025.key
    -rw------- 1 root root 1015 Dec 11 14:43 Kcom.+007+31025.private

4. Append the second-level zone's DS records to the com zone file

    root@dipei16 zone# vi com.zone
    $TTL 3600
    com.      IN SOA . . ( 2014011202 600 300 86400 36000 )
    com.      IN NS  .
    .         IN A
    .         IN NS  test-.
    test-dns  IN A   0
    .         IN DS  54399 7 1 D216164642505957520A77E8B7D2C9B5F0FF8D15
    .         IN DS  54399 7 2 EAB4A54498EB27A4EA545C7AC4A273733FC320930F55834962986A4290F4800B

The DS RRset lives in the parent at the delegation point, beside the NS records that delegate the child and the glue A record for the child's name server; these are the only records about the child that the parent holds, and the parent never holds the child's DNSKEY. Once com is re-signed, com's ZSK signs the DS RRset and the chain of trust from com down into the child is complete.
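Step 8 of section I generates the DS with dnssec-dsfromkey and step 4 above pastes it into com.zone (section III does the same for com's DS in root.zone). The following is an added example, not code from the tutorial: it reproduces what dnssec-dsfromkey computes (a digest over the owner name in wire form followed by the DNSKEY RDATA, and the key tag of RFC 4034 Appendix B) and then checks that a DS published in the parent really links to one of the child's keys, that the key it links to is a KSK, and that the digest type is not SHA-1. The example.com names and the algorithm-13 keys with dummy public-key bytes are constructed for the example; no real key pair is needed, because DS and key tag depend only on the RDATA bytes.

```python
"""Compute and verify DS records for a delegation (RFC 4034 section 5 and Appendix B).

Added example (not from the tutorial): the arithmetic behind dnssec-dsfromkey,
so the DS a child hands to its parent can be checked against the child's KSK.
All names and keys below are constructed; no real key material is involved.
"""
from __future__ import annotations

import base64
import hashlib
import struct

DIGEST = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root = 0x00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_lines(text: str) -> list[str]:
    """Pick the DNSKEY RR lines out of a .key file or a dig answer (comments start with ';')."""
    return [l for l in text.splitlines() if not l.lstrip().startswith(";") and " DNSKEY " in l]


def parse_dnskey(line: str) -> tuple[str, bytes]:
    """'owner [TTL] [IN] DNSKEY flags proto alg base64...' -> (owner, RDATA bytes)."""
    toks = line.replace("(", " ").replace(")", " ").split()
    i = toks.index("DNSKEY")
    flags, proto, alg = (int(t) for t in toks[i + 1:i + 4])
    pubkey = base64.b64decode("".join(toks[i + 4:]))
    return toks[0], struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (every algorithm except 1/RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """The DS dnssec-dsfromkey would print: digest over owner name (wire form) + DNSKEY RDATA."""
    digest = DIGEST[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {rdata[3]} {digest_type} {digest}"


def parse_ds(line: str) -> tuple[str, int, int, int, str]:
    toks = line.split()
    i = toks.index("DS")
    return (toks[0].lower(), int(toks[i + 1]), int(toks[i + 2]), int(toks[i + 3]),
            "".join(toks[i + 4:]).upper())


def ds_matches(ds_line: str, dnskey_line: str) -> bool:
    """True if the parent-side DS commits to exactly this child DNSKEY."""
    owner, tag, alg, dtype, digest = parse_ds(ds_line)
    k_owner, rdata = parse_dnskey(dnskey_line)
    if owner != k_owner.lower() or dtype not in DIGEST:
        return False
    expected = DIGEST[dtype](wire_name(k_owner) + rdata).hexdigest().upper()
    return tag == key_tag(rdata) and alg == rdata[3] and digest == expected


def check_delegation(ds_lines: list[str], child_keys: list[str]) -> list[str]:
    """One finding per DS: does it link to a child DNSKEY, and is that key a KSK (SEP bit)?"""
    report = []
    for ds in ds_lines:
        _, tag, alg, dtype, _ = parse_ds(ds)
        hits = [k for k in child_keys if ds_matches(ds, k)]
        if not hits:
            report.append(f"DS {tag}/{alg}/{dtype}: no matching DNSKEY in child (chain broken)")
            continue
        flags = struct.unpack("!H", parse_dnskey(hits[0])[1][:2])[0]
        note = "" if flags & 1 else " (key lacks SEP flag, i.e. it is a ZSK)"
        if dtype == 1:
            note += " (SHA-1 digest: deprecated for publication, RFC 8624)"
        report.append(f"DS {tag}/{alg}/{dtype}: OK{note}")
    return report


# Constructed test keys: algorithm 13 (ECDSAP256SHA256) with dummy 64-byte public keys.
# The DS and key tag depend only on the RDATA bytes, so no real key pair is needed.
KSK_RDATA = struct.pack("!HBB", 257, 3, 13) + bytes(range(64))
ZSK_RDATA = struct.pack("!HBB", 256, 3, 13) + bytes(range(64, 128))
KSK_LINE = f"example.com. 3600 IN DNSKEY 257 3 13 {base64.b64encode(KSK_RDATA[4:]).decode()}"
ZSK_LINE = f"example.com. 3600 IN DNSKEY 256 3 13 {base64.b64encode(ZSK_RDATA[4:]).decode()}"

if __name__ == "__main__":
    parent_ds = ds_record("example.com.", KSK_RDATA)        # what the child submits
    print(parent_ds)
    print(check_delegation([parent_ds], [KSK_LINE, ZSK_LINE]))
    print(check_delegation([parent_ds], [ZSK_LINE]))        # KSK rolled, DS not updated
```

In practice the two inputs come from different places: the DS lines from the parent (dig DS at the parent's server, or the parent's zone file as in step 4), the DNSKEY lines from the child's own .key files or from dig DNSKEY at the child. Running the check after a KSK rollover is the point: the third call above is what a rollover without a DS update looks like, and it is a chain break that the child's own dig +dnssec checks will never reveal.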

5. Check that named.conf and the com zone file are syntactically correct

    # named-checkconf named.conf
    # named-checkzone com ./zone/com.zone
    zone com/IN: loaded serial 2014011202
    OK

6. Start the named process

    root@dipei16 zone# ps -ef | grep named
    root 38781 38716 0 14:54 pts/1 00:00:00 grep named
    root@dipei16 zone# named -c /root/dnssec/named.conf
    root@dipei16 zone# ps -ef | grep named
    root 38783     1 0 14:55 ?     00:00:00 named -c /root/dnssec/named.conf
    root 38791 38716 0 14:55 pts/1 00:00:00 grep named

7. Check and verify that com has been signed

    root@dipei16 zone# ll
    total 20
    -rw-r--r-- 1 root root  368 Dec 11 14:49 com.zone
    -rw-r--r-- 1 root root  512 Dec 11 14:55 com.zone.jbk
    -rw-r--r-- 1 root root 1630 Dec 11 14:55 com.zone.signed
    -rw-r--r-- 1 root root 4937 Dec 11 14:55 com.zone.signed.jnl

    root@dipei16 zone# dig com ns +dnssec
    ; <<>> DiG 9.9.6 <<>> com ns +dnssec
    ;; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29153
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3
    ;; WARNING: recursion requested but not available
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;com.    IN NS
    ;; ANSWER SECTION:
    com. 3600 IN NS .
    com. 3600 IN RRSIG NS 7 1 3600 20150110064720 20141211055510 31025 com. opMX/nesJr5JuzqfRackuPd23cdSRAlvoS6lgSMdDW0bPJ81sg8tPVW 0yF7s2XvMybUJhp4DkJaQVaScOF2LNpIF513np1fpb635k7Kr+FpCh0i Vst59fv2jlvDwOPauaDTl6z8Tj3QogXS5K3uNR4yvNRur2PuiGhk49G2 vdk=
    ;; ADDITIONAL SECTION:
    . 3600 IN A
    . 3600 IN RRSIG A 7 2 3600 20150110064720 20141211055510 31025 com. A7Zgs+oIa4Fku7hNzOChvZ/mtKvYXFrYeiZyetgn6k3wt+OaOS5jWwNi dKGM1p4gqCkErDAHn8D/PamsGIgKPIj8RFXAbNAMmnlDDeUB/AZAePnA TeaWoTUBwRIVFgxTRlSeznc06FtelyM1URNpqQ+9g0u4AZI5sTAORs/U FfM=
    ;; Query time: 0 msec
    ;; SERVER: #53()
    ;; WHEN: Thu Dec 11 14:57:39 CST 2014
    ;; MSG SIZE  rcvd: 392

The com answers are signed by com's ZSK, key tag 31025. A useful second check that the page does not show is dig DS <child> at the com server: it must return the DS RRset entered in step 4 together with an RRSIG by 31025, which is the record a resolver uses to step from com into the child.

8. Start the named process

    # named -c /root/dnssec/named.conf

9. Extract com's DS records and submit them to the administrator of the root zone

    root@localhost key# dnssec-dsfromkey Kcom.+007+16329.key
    com. IN DS 16329 7 1 7259560689FE32221CAC7EB420DE907B91AAEBE8
    com. IN DS 16329 7 2 CCC27C8766D10A26FEC9F41C7795C4AAC22AF04BC9883C78B3F3165276ED6303

III. Configuring the root server

1. Configure named.conf

    options {
        directory "/root/dnssec/";
        pid-file "named.pid";
        version none;
        hostname none;
        recursion no;
        allow-query { any; };
        querylog yes;
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
    };
    key "rndc-key" {
        algorithm hmac-md5;
        secret "VszYG4hrs/tU+GkVwE/7cw=";
    };
    controls {
        inet port 953 allow { 0; } keys { rndc-key; };
    };
    logging {
        channel query_log {
            file "log/query.log" versions 5 size 50m;
            print-time yes;
            severity info;
        };
        category queries { query_log; };
        channel general_log {
            file "log/general.log" versions 5 size 20m;
            print-time yes;
            print-category yes;
            print-severity yes;
            severity info;
        };
        category default { general_log; };
        category general { general_log; };
    };
    zone "." {
        type master;
        file "zone/root.zone";
        key-directory "/root/dnssec/key";
        auto-dnssec maintain;
        inline-signing yes;
    };
    zone "root-." {
        type master;
        file "zone/root-.zone";
    };

Two things about the control channel: hmac-md5 is obsolete for rndc, so generate the key with rndc-confgen -a -A hmac-sha256 instead, and a secret that has been printed in a document has to be treated as public, so never reuse the one above. Keep the control channel bound to loopback unless remote rndc is actually needed.

2. Zone files

2.1 The root zone file, into which com's DS records must be imported:

    # more root.zone
    $TTL 1d
    .   IN SOA .hostmaster. . (
            5        ; Serial
            900      ; Refresh
            600      ; Retry
            86400    ; Expire
            3600 )   ; Negative caching TTL
    .              NS    a.root-.zone.
    a.root-.zone.  IN A
    com.           IN NS .
    .              IN A
    com.           IN DS 16329 7 1 7259560689FE32221CAC7EB420DE907B91AAEBE8
    com.           IN DS 16329 7 2 CCC27C8766D10A26FEC9F41C7795C4AAC22AF04BC9883C78B3F3165276ED6303

2.2 root-.zone (this zone exists so that the root's own name server name, a.root-.zone., can be resolved; it is good to have but not required):

    $TTL 3600000
    root-.   IN SOA a.root-. . (
                 2014110500  ; Serial
                 14400       ; Refresh
                 7200        ; Retry
                 1209600     ; Expiry
                 3600000 )   ; Minimum
    root-.          IN NS a.root-.
    a.root-. 518400 IN A

3. Generate the KSK and ZSK of the root zone "." (with dnssec-keygen; dnssec-keyfromlabel is the variant for keys that live in an HSM)

    # dnssec-keygen -K /root/dnssec/key -r /dev/urandom -f KSK -a NSEC3RSASHA1 -b 2048 -n ZONE .
    Generating key pair.+ .+
    K.+007+19701
    # dnssec-keygen -K /root/dnssec/key -r /dev/urandom -a NSEC3RSASHA1 -b 2048 -n ZONE .
    Generating key pair.+ .+
    K.+007+47654

4. Check the syntax of the configuration and zone files

    # named-checkconf named.conf
    (named-checkconf printing nothing is the best possible output: there are no errors)
    # named-checkzone . ./zone/root.zone
    zone ./IN: com/NS extra GLUE A record ()
    zone ./IN: com/NS missing GLUE A record (08)
    zone ./IN: loaded serial 5
    OK
    # named-checkzone root- ./zone/root-.zone
    zone root-/IN: loaded serial 2014110500
    OK

The two GLUE warnings mean that the A record supplied as glue for com's name server is not the one named in the com NS record (one A record is extra, the expected one is missing). The zone still loads, but a resolver following the root's referral for com needs correct glue to reach the com server at all, so the NS target and its A record should be made to agree before going further.

5. Start named and verify that signing succeeded

    root@freebsd:/dnssec/zone # ll
    total 24
    -rw-r--r-- 1 root wheel  375 Dec 11 15:23 root-.zone
    -rw-r--r-- 1 root wheel  611 Dec 11 15:43 root.zone
    -rw-r--r-- 1 root wheel  512 Dec 11 16:01 root.zone.jbk
    -rw-r--r-- 1 root wheel 2124 Dec 11 15:58 root.zone.signed
    -rw-r--r-- 1 root wheel 7531 Dec 11 16:01 root.zone.signed.jnl

    root@freebsd:/dnssec/zone # dig . ns +dnssec
    ; <<>> DiG 9.9.6 <<>> . ns +dnssec
    ;; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40660
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3
    ;; WARNING: recursion requested but not available
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;.    IN NS
    ;; ANSWER SECTION:
    . 86400 IN NS a.root-.zone.
    . 86400 IN RRSIG NS 7 0 86400 20150110075420 20141211065837 47654 . WtIBrIey+z8jz0pNpuxMMJzIhO7mV5zkLP097RWNdw+5pQc+9GvBPFx2 j5trR2BFvnaqcaW3MVEcAL617cEgmeVXm2yiqf7CBmpcSSVhBjUwF/C4 QxfX/idE25/kCyyoJBEYqKpCvmg5dpqVzd3s+jafR+JpCGJioWIX9nm3 R9qjXUDJlerInIyOlD5GYOhm3jaaypPNbejkTPLa8FplX9/Sv9zEU3yN BRZ9o2Gas2us91ZQANSd/TOtAzFs9w24+kDFXGVQ2OOd0Ku2HC/3L0vL mr1sq5Y0mPiQzjscQ1Elga3s5boxHtFrQdfHrZEvGStMVpGe3XMOni/W 3WzaKQ=
    ;; ADDITIONAL SECTION:
    a.root-.zone. 86400 IN A 0
    a.root-.zone. 86400 IN RRSIG A 7 4 86400 20150110075420 20141211065837 47654 . mEzSLs2lEknPXG3lJ12hGp6BM2NYXMJ7WTaocczwmunkc04Ozkc1micg Mj6sLPSu0EWlJKt VQWjzVsC0QxGhfvy8YJpSWQHTR45llKEkKtuSM5jc ugGt3itTuyc+vqzRBMyTYVETVLVxUqWLgQwuVqYSLzjGlOp5ght7Z8Ew fJubORSzXCRO6Eeh68ADWgX/TyeKTUBIB3Y7s3dcy9hG3KHro7yq4Cfp MMyv92hg8thiYMFdjwRiSwJjkQMXQzNBh1HJ8LT0U5fFmS2lD7CoEZhM 55gkTh0zE+mUqQar/gkrAVu7umd/UJ/WmhLh3INBM1iGdUmCpEfOewp5 yV5F7g=
    ;; Query time: 1 msec
    ;; SERVER: #53()
    ;; WHEN: Thu Dec 11 16:11:44 CST 2014
    ;; MSG SIZE  rcvd: 653

6. View the public key of the KSK (the DNSKEY record is a single line in the file)

    root@freebsd:/dnssec/key # more K.+007+19701.key
    ; This is a key-signing key, keyid 19701, for .
    ; Created: 20141211075544 (Thu Dec 11 15:55:44 2014)
    ; Publish: 20141211075544 (Thu Dec 11 15:55:44 2014)
    ; Activate: 20141211075544 (Thu Dec 11 15:55:44 2014)
    . IN DNSKEY 257 3 7 AwEAAdumnYJky5gXempEoEFFcJiJ12WBWf7Qzi3IUE0/kXpYlasuDGUtzUY7nBahm0z9ePzZSlcKmOrGxUHt331oMQz92ZInXIHwo+8cNLIm08yHEkGIyWAvINQj76XIEL90f6isGjdKbM9ebsT3GeM8uVTx9KQ9fLaBLKv/HufVucT6EHV5k+hRk95415KcRbJPUh3/tK5ocoTxck8KxlShHzGVfSYIwfmtWonouzMk6pzaC36sFSuGxiT3GPw8Qio2tLXGDpAxsDLDiUR0+9t 3MqUEMM5AZz+oI/NpYIfM5aY1nttbjdkU823JLvpWwJ2cBRVN1R9DmwU 33VMOBAxkRc=

This DNSKEY is the trust anchor the recursive server of section IV needs: a root zone has no parent to publish a DS for it, so the resolver must be given the root KSK directly. Copy it from the key file itself, not from a document: a key pasted through a document is easily corrupted, and a single dropped base64 character makes the anchor useless.

7. Start the named process

    # named -c /root/dnssec/named.conf

IV. Configuring the recursive server

1. The configuration file

    # more named.conf
    options {
        directory "/root/dnssec/";
        pid-file "named.pid";
        version none;
        hostname none;
        recursion yes;    // a validating resolver must recurse; the page prints "recursion no"
                          // here, which would make the server refuse every recursive query and
                          // never exercise dnssec-validation
        allow-query { any; };
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        querylog yes;
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
    };
    logging {
        channel query_log {
            file "log/query.log" versions 5 size 50m;
            print-time yes;
            severity info;
        };
        category queries { query_log; };
        channel general_log {
            file "log/general.log" versions 5 size 20m;
            print-time yes;
            print-category yes;
            print-severity yes;
            severity info;
        };
        category default { general_log; };
        category general { general_log; };
    };
    zone "." {
        type hint;            // root hints: the "." NS record and its glue A record, whatever the file is called
        file "zone/com.zone";
    };
    trusted-keys {
        . 257 3 7 "AwEAAdumnYJky5gXempEoEFFcJiJ12WBWf7Qzi3IUE0/kXpYlasuDGUtzUY7nBahm0z9ePzZSlcKmOrGxUHt331oMl

(The page preview ends here, in the middle of the trusted-keys statement; the remaining 25 of the document's 30 pages are not included.)

Two things to tighten on a real resolver. With allow-query { any; } and recursion enabled this is an open resolver, usable by anyone for cache poisoning attempts and reflection attacks; add allow-recursion { <your networks>; }; so that only your clients can recurse. And on current BIND drop dnssec-lookaside and use dnssec-validation auto, which installs the IANA root trust anchor and follows its rollovers under RFC 5011; a private root like the one built here still needs an explicit anchor, given with trust-anchors (static-key for a fixed key, initial-key for RFC 5011 tracking) in BIND 9.16 and later, or trusted-keys as above in older versions. Once validation works, dig +dnssec against this server returns the "ad" flag for names under the signed tree, and SERVFAIL (with +cd returning the unvalidated data) for a zone whose chain is broken.
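Each section above verifies signing by running dig +dnssec and looking for RRSIG records. The following is an added example, not code from the tutorial, that turns that visual check into an audit: it parses RRSIG lines in presentation format and reports signatures that are expired, not yet valid, within a week of expiry, signed by a key tag the zone does not have, or signed by the KSK for something other than the DNSKEY RRset (plus a labels-field sanity check from RFC 4035 section 5.3.1). The sample lines reuse the key tags, algorithm and timestamps printed in the tutorial's three dig answers; the www.example.com and example.com names stand in for the second-level zone whose name the page does not preserve, and the signature bytes are elided because these checks do not need them.

```python
"""Audit the RRSIGs in a `dig +dnssec` answer (RFC 4034 section 3, RFC 4035 section 5.3).

Added example, not from the tutorial: a signed answer only proves that signatures
exist; this reports the operational faults that turn a signed zone into a bogus one:
expired or not-yet-valid signatures, signatures close to expiry, unknown or wrong
(KSK vs ZSK) signing keys, and label counts that cannot match the owner name.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Presentation format: owner TTL IN RRSIG type alg labels origTTL expiration inception keytag signer sig
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+(?P<covered>[A-Z0-9]+)\s+(?P<alg>\d+)\s+"
    r"(?P<labels>\d+)\s+(?P<orig_ttl>\d+)\s+(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+"
    r"(?P<keytag>\d+)\s+(?P<signer>\S+)"
)


def utc(*ymdhms: int) -> datetime:
    """utc(2015, 1, 5) etc.: a datetime pinned to UTC, which is what RRSIG timestamps use."""
    return datetime(*ymdhms, tzinfo=timezone.utc)


def sigtime(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def label_count(name: str) -> int:
    """Labels in an absolute name: the root has 0 and a leading '*' does not count."""
    return len([l for l in name.rstrip(".").split(".") if l and l != "*"])


def parse_rrsig(line: str) -> dict:
    m = RRSIG_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an RRSIG line: {line!r}")
    d = m.groupdict()
    return {"owner": d["owner"].lower(), "covered": d["covered"], "alg": int(d["alg"]),
            "labels": int(d["labels"]), "expiration": sigtime(d["expiration"]),
            "inception": sigtime(d["inception"]), "keytag": int(d["keytag"]),
            "signer": d["signer"].lower()}


def check_rrsig(sig: dict, now: datetime, ksk_tags: set, zsk_tags: set, warn_days: int = 7) -> list:
    """Findings for one RRSIG; an empty list means it looks healthy at time `now`."""
    findings = []
    if now < sig["inception"]:
        findings.append("not yet valid")
    if now >= sig["expiration"]:
        findings.append("EXPIRED")
    elif sig["expiration"] - now < timedelta(days=warn_days):
        findings.append(f"expires in {(sig['expiration'] - now).days} days")
    # The signer name must be the apex of the zone the owner lives in.
    apex_ok = (sig["signer"] == "." or sig["owner"] == sig["signer"]
               or sig["owner"].endswith("." + sig["signer"]))
    if not apex_ok:
        findings.append("signer is not an ancestor of the owner")
    # labels < owner labels means wildcard expansion; labels > owner labels is invalid.
    if sig["labels"] > label_count(sig["owner"]):
        findings.append("labels field exceeds owner label count")
    # In a KSK/ZSK split the KSK signs the DNSKEY RRset only; everything else is ZSK-signed.
    if sig["keytag"] not in ksk_tags | zsk_tags:
        findings.append(f"signed by unknown key tag {sig['keytag']}")
    elif sig["keytag"] in ksk_tags and sig["covered"] != "DNSKEY":
        findings.append(f"{sig['covered']} RRset signed by KSK {sig['keytag']}")
    return findings


def audit(text: str, now: datetime, keys: dict, warn_days: int = 7) -> list:
    """[(owner, type, findings)] per RRSIG line in `text`; `keys` maps zone -> (KSK tags, ZSK tags)."""
    out = []
    for line in text.splitlines():
        if " RRSIG " not in line:
            continue
        sig = parse_rrsig(line)
        ksk, zsk = keys.get(sig["signer"], (set(), set()))
        out.append((sig["owner"], sig["covered"], check_rrsig(sig, now, ksk, zsk, warn_days)))
    return out


# Key tags as generated in the tutorial, (KSK, ZSK) per zone; "example.com." stands in
# for the second-level zone whose name is not preserved on the page.
KEYS = {".": ({19701}, {47654}), "com.": ({16329}, {31025}), "example.com.": ({54399}, {58352})}

# Constructed sample: the RRSIG fields from the tutorial's three dig answers (signature
# bytes elided), with a placeholder owner for the second-level zone's www host.
SAMPLE = """\
www.example.com. 3600 IN RRSIG A 7 3 3600 20150110061530 20141211052801 58352 example.com. v+KaNB...
com. 3600 IN RRSIG NS 7 1 3600 20150110064720 20141211055510 31025 com. opMX/n...
. 86400 IN RRSIG NS 7 0 86400 20150110075420 20141211065837 47654 . WtIBrI...
"""

if __name__ == "__main__":
    for when in (utc(2014, 12, 11, 8, 11, 44), utc(2015, 1, 5), utc(2015, 2, 1)):
        print(when.isoformat(), audit(SAMPLE, when, KEYS))
```

Run against a cron-driven dig of each zone's apex, the "expires in N days" finding is the one that matters operationally: auto-dnssec maintain normally re-signs long before the 30-day expiry, so seeing it means named has stopped, lost write access to the signed zone or journal, or has a clock problem, and the zone will go bogus for every validating resolver when the window closes.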
