캐시 DNS서버의 DNSSEC 서명검증 기능 설정
1. dnssec 옵션 설정
# vi named.conf
options {
...
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
...
};
INCLUDE "/etc/named.root.key";
2. managed-keys-directory 생성
# mkdir /var/named/dynamic
3. named.iscdlv.key, named.root.key 파일 생성
# cat /etc/named.iscdlv.key
/* $Id: bind.keys,v 1.7 2011-01-03 23:45:07 each Exp $ */
# The bind.keys file is used to override the built-in DNSSEC trust anchors
# which are included as part of BIND 9. As of the current release, the only
# trust anchors it contains are those for the DNS root zone ("."), and for
# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org"). Trust anchors
# for any other zones MUST be configured elsewhere; if they are configured
# here, they will not be recognized or used by named.
#
# The built-in trust anchors are provided for convenience of configuration.
# They are not activated within named.conf unless specifically switched on.
# To use the built-in root key, set "dnssec-validation auto;" in
# named.conf options. To use the built-in DLV key, set
# "dnssec-lookaside auto;". Without these options being set,
# the keys in this file are ignored.
#
# This file is NOT expected to be user-configured.
#
# These keys are current as of January 2011. If any key fails to
# initialize correctly, it may have expired. In that event you should
# replace this file with a current version. The latest version of
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
managed-keys {
# ISC DLV: See https://www.isc.org/solutions/dlv for details.
# NOTE: This key is activated by setting "dnssec-lookaside auto;"
# in named.conf.
dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
TDN0YUuWrBNh";
# ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml
# for current trust anchor information.
# NOTE: This key is activated by setting "dnssec-validation auto;"
# in named.conf.
. initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0=";
};
# cat /etc/named.root.key
managed-keys {
# DNSKEY for the root zone.
# Updates are published on root-dnssec-announce@icann.org
. initial-key 257 3 8
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0=";
};
4. DNSSEC 점검
DNS ANSWER 섹션에 응답 레코드로 응답되고, 메시지 플래그 값에 "ad"가 설정되어 있다면
캐시 DNS서버가 이 도메인네임의 A 레코드에 대한 서명검증 절차를 원활히 수행하여 검증된
응답 메시지로 응답처리하고 있음을 확인
# dig @127.0.0.1 kisa.or.kr +dnssec +multi
; <<>> DiG 9.8.4-P2_NLIA_NS_130506 <<>> @127.0.0.1 kisa.or.kr +dnssec +multi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63811
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;kisa.or.kr. IN A
;; ANSWER SECTION:
kisa.or.kr. 600 IN A 118.107.173.70
kisa.or.kr. 600 IN A 121.156.115.59
kisa.or.kr. 600 IN A 222.122.217.24
kisa.or.kr. 600 IN RRSIG A 7 3 600 20140602220403 (
20130528210403 9623 kisa.or.kr.
hIQw81yOOxsy75Ctgo0wflohlaZ73jR0/bLRcnu+n1bg
7MDu3eOqE6LmE2x306YKgWQD+t3w2TLLdOoGKD2uRKdF
Ti6W4bM/FSMj5o1uJiH0dMLCe2Aa5pBDffV64KjyR2eX
UX5kSpbIggdbE0RlSmwgDerYPPjAQlIXeLteC/I= )
;; Query time: 864 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May 30 14:41:30 2013
;; MSG SIZE rcvd: 257
참고 URL : https://www.isc.org/bind-keys
'네임서버' 카테고리의 다른 글
DNS amplification attacks(DNS 증폭 공격) (0) | 2013.06.18 |
---|---|
권한 DNS서버의 도메인 존 DNSSEC 서명 적용 및 네임서버 반영 절차 (0) | 2013.06.18 |
네임서버 구동 스크립트 S72inetsvc (0) | 2013.06.17 |
[네임서버] BIND 관리를 위한 RNDC 설정 (0) | 2013.06.17 |
[네임서버] named 계정 생성 (0) | 2013.06.17 |