Applying DNSSEC signatures to a domain zone on an authoritative DNS server and deploying them to the nameserver
DNSSEC (Domain Name System Security Extensions) is a set of cryptographic extensions that guarantee the integrity and origin authenticity of data delivered through DNS. With DNSSEC in place, a validating resolver can verify that the mapping between a domain name and its IP address has not been tampered with, which protects against DNS cache poisoning and DNS spoofing attacks.
Registering the zone
vim /etc/named.rfc1912.zones
$ tail -n5 /etc/named.rfc1912.zones
zone "dnssec.scbyun.com" IN {
type master;
file "dnssec.scbyun.com.zone";
allow-update { none; };
};
Creating the zone file
vim dnssec.scbyun.com.zone
$TTL 60
dnssec.scbyun.com. IN SOA ns1.dnssec.scbyun.com. root.dnssec.scbyun.com. (
2024010101 ; serial
3600 ; refresh
1800 ; retry
1209600 ; expire
86400 ) ; minimum
;
;
dnssec.scbyun.com. IN NS ns1.dnssec.scbyun.com.
dnssec.scbyun.com. IN A 192.168.10.201
ns1 IN A 192.168.10.201
www IN A 192.168.10.201
Change to the working directory (the key files are created and the zone is signed here)
cd /var/named
1. Generate the DNSSEC keys
To sign a domain zone with DNSSEC you first have to generate a pair of DNS keys.
- KSK (Key Signing Key): the key that signs the DNSKEY RRset.
- ZSK (Zone Signing Key): the key that signs all the other records in the zone.
Generate the ZSK (2048 bits or more is recommended)
dnssec-keygen -a RSASHA256 -b 1024 -n ZONE dnssec.scbyun.com
Generating key pair.............+++ ....+++
Kdnssec.scbyun.com.+008+33675
Generate the KSK (1024 bits or more is recommended)
dnssec-keygen -a RSASHA256 -b 2048 -f KSK -n ZONE dnssec.scbyun.com
Generating key pair........................++++++ ........++++++
Kdnssec.scbyun.com.+008+32557
Export the KSK key name for use in the following steps
export kskey="Kdnssec.scbyun.com.+008+32557"
echo ${kskey}
2. Add the public keys (DNSKEY records) to the zone file
ls | grep "^K" | grep key
Kdnssec.scbyun.com.+008+32557.key
Kdnssec.scbyun.com.+008+33675.key
vim dnssec.scbyun.com.zone
$INCLUDE Kdnssec.scbyun.com.+008+32557.key
$INCLUDE Kdnssec.scbyun.com.+008+33675.key
or append the public key files directly (both keys are needed, since the ZSK signs the zone data and the KSK signs the DNSKEY RRset):
cat Kdnssec.scbyun.com.+008+32557.key Kdnssec.scbyun.com.+008+33675.key >> /var/named/dnssec.scbyun.com.zone
3. Sign the zone file
Next, generate the DNSSEC signatures for the zone file.
The ZSK signs the records in the zone and the KSK signs the DNSKEY RRset.
- -o dnssec.scbyun.com : the origin (name) of the zone being signed.
- -k : specifies the KSK key file (Kdnssec.scbyun.com.+000+00000).
- dnssec.scbyun.com.zone : the zone file to sign.
dnssec-signzone -A -N INCREMENT -o dnssec.scbyun.com \
-k ${kskey} dnssec.scbyun.com.zone
Verifying the zone using the following algorithms: RSASHA256.
Zone fully signed:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked
dnssec.scbyun.com.zone.signed
The same run with -z, which makes dnssec-signzone ignore the KSK flag when deciding which keys sign which RRsets (the DNSKEY query below shows the DNSKEY RRset signed by both key 32557 and key 33675):
dnssec-signzone -A -N INCREMENT -o dnssec.scbyun.com \
-k ${kskey} -z dnssec.scbyun.com.zone
Verifying the zone using the following algorithms: RSASHA256.
Zone fully signed:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked
dnssec.scbyun.com.zone.signed
4. Update the nameserver configuration
Update /etc/named.rfc1912.zones so that the zone is served from the signed zone file.
vim /etc/named.rfc1912.zones
zone "dnssec.scbyun.com" IN {
type master;
file "dnssec.scbyun.com.zone.signed";
//file "dnssec.scbyun.com.zone";
allow-update { none; };
//key-directory "key";
//auto-dnssec maintain;
//update-policy local;
};
5. Restart the service
sudo systemctl restart named
6. Check the service
Service status
sudo systemctl status named
Logs
sudo journalctl -xe | grep named
Listening ports
ss -tuln | grep 53
7. Generate the DS record
The DS record has to be registered with the registrar or the parent DNS provider; it is derived from the KSK's DNSKEY record and is what links the parent zone to this zone's keys.
Submit the generated DS record to the registrar.
dnssec-dsfromkey /var/named/${kskey}
dnssec-dsfromkey -f /var/named/dnssec.scbyun.com.zone.signed dnssec.scbyun.com
With -f the positional argument is the zone name, not a key file. Passing the key file path there, as in the run below, makes the zone loader treat that path as the origin and reject the zone data as "not at top of zone":
$ dnssec-dsfromkey -f /var/named/dnssec.scbyun.com.zone.signed /var/named/Kdnssec.scbyun.com.+008+02830.key
dnssec-dsfromkey: error: dns_master_load: /var/named/dnssec.scbyun.com.zone.signed:115: dnssec.scbyun.com: not at top of zone
dnssec-dsfromkey: fatal: can't load /var/named/dnssec.scbyun.com.zone.signed: not at top of zone
Testing DNSSEC
DS record query (the DS lives in the parent zone, scbyun.com; ANSWER: 0 together with a signed NSEC from the parent in the output below means the DS has not been published there yet, so the chain of trust is still incomplete)
dig @127.0.0.1 dnssec.scbyun.com DS +dnssec +multi
$ dig @127.0.0.1 dnssec.scbyun.com DS +dnssec +multi
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.16 <<>> @127.0.0.1 dnssec.scbyun.com DS +dnssec +multi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62123
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssec.scbyun.com. IN DS
;; AUTHORITY SECTION:
dnssec.scbyun.com. 1314 IN RRSIG NSEC 13 3 1800 (
20241006155058 20241004135058 34505 scbyun.com.
Ok8snsn0gE9M+GtTqNY3Z2brs7LMQWHq6n2Wg+K9dchQ
SqnRl0Hwd2vOw+d95gKkeCmKXtLhqM07ga+pgOyxhQ== )
dnssec.scbyun.com. 1314 IN NSEC dnssec\000.scbyun.com. NS RRSIG NSEC
scbyun.com. 1314 IN SOA cruz.ns.cloudflare.com. dns.cloudflare.com. (
2353614750 ; serial
10000 ; refresh (2 hours 46 minutes 40 seconds)
2400 ; retry (40 minutes)
604800 ; expire (1 week)
1800 ; minimum (30 minutes)
)
scbyun.com. 1314 IN RRSIG SOA 13 2 1800 (
20241006155058 20241004135058 34505 scbyun.com.
NmwJh1ogDFg3ZfpYeQyR4PPunKHixFrp6+fRpHxNjKrh
WZKXQns9+iWRtHtBIYJMcZGWlqfZBUO7QgWD9dhmbQ== )
;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: 토 10월 05 23:56:26 KST 2024
;; MSG SIZE rcvd: 357
DNSKEY record query
dig @127.0.0.1 dnssec.scbyun.com DNSKEY +dnssec +multi
$ dig @127.0.0.1 dnssec.scbyun.com DNSKEY +dnssec +multi
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.16 <<>> @127.0.0.1 dnssec.scbyun.com DNSKEY +dnssec +multi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62667
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssec.scbyun.com. IN DNSKEY
;; ANSWER SECTION:
dnssec.scbyun.com. 60 IN DNSKEY 257 3 8 (
AwEAAdSEHDyo2Z/ywOSA51hc6pCBnWSUcziUVqq+WOcE
Va/xhnzM4fmrxvQdc33XEJpgltWe2WOoFyEiXDSCNmQL
S/LWGTbE0ERO/A/tFCQIoWXYaZYE92t0CqrwEsZxpTn2
vUeZwgt25Y0gNmdypmEyYfVbG4+oN/voB21GcNfqLPqD
Tu5WAIFlZehb5itNcxoR9KVp0OQcJLbOVx7rxv5gP6L0
mCB124V9oCwa3zKPWw9U/7CSLDZscm6R5OKzmngqIbLl
s5F2RwmZoYvciHmnkMe/R8g1xiEohXsyMLGWJlHr/Bmo
2jKWCuS2wmX3z7nVExN3PLa8nVtANwNaN7IO+ME=
) ; KSK; alg = RSASHA256 ; key id = 32557
dnssec.scbyun.com. 60 IN DNSKEY 256 3 8 (
AwEAAZx2FqikN68wYj/6ooW7Wr9JlR2NTZrwLr4Cypvp
spl+Y+2IiTWX/087VuHbszMRhZfBjYiUUfp8pDwPem42
06xLek6IQQ+sxQcXx9oCQJl6oTB+wcIJR4o6PtuUL4DY
QgrJjxEWB05sYuF+MFykocQx2iSxjA8W9NlAGR+miDEF
) ; ZSK; alg = RSASHA256 ; key id = 33675
dnssec.scbyun.com. 60 IN RRSIG DNSKEY 8 3 60 (
20241104134620 20241005134620 32557 dnssec.scbyun.com.
DvJPzI26kMJg9YS/uWcXE/DfWItUT5p3py93M1KHwijd
djzBOdRB5ppqw2mq0pvsspLxV8tjFKR8Icxwgm3a2CYL
q+L/MYhYPjDDhAErhNiEKGH0t9eCYnlx9Ja/WPGPfPyT
hpWN77RQZK3hlKujj1gQmxPMiqnN9idD2JTp+IHZmSYx
o4Fw1dsBPg1p2jgIDu6skzmDCVp7tHw40CzTeC+/uE27
y3PAV9gFFW/Hy/EEXjnvh3Sm/FUY43roDJ5kV7OkZVeU
4iu3vWqdRwHGHQx0ELYqZJ/wTAVv6XeQ9UmhU1pvvPwM
2/RYWVaqaztif3xdt/A/poR7XQD11c49qg== )
dnssec.scbyun.com. 60 IN RRSIG DNSKEY 8 3 60 (
20241104134620 20241005134620 33675 dnssec.scbyun.com.
B8v8AplU9LeEFZxmwZ34eXPJDdwjaixZauT/N+4HDK3g
yZ9Ia8WPPOU5mI9VoAXjQhMeOqW42XMYW3YUJDLjtJIx
4Ocjht3zMBpTU1xcs8UGb6bUJyrUEeQ6mIkAX8GYlPQo
fzc9gIaQ7snLTz/z7/WDWUxSNElh5JuyZIr2FXg= )
;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: 토 10월 05 23:56:54 KST 2024
;; MSG SIZE rcvd: 952
RRSIG record query
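The DS record that step 7 submits to the parent is derived from the KSK's DNSKEY record: the owner name in canonical wire form is concatenated with the DNSKEY RDATA and hashed (RFC 4034 section 5.1.4), and the key tag is computed over the RDATA (RFC 4034 Appendix B). The script below is an added example, not code from this post or from BIND; it does for the SHA-256 digest type what `dnssec-dsfromkey` does, using the KSK DNSKEY from the dig output above as its only input, and it also reports the SEP flag and the RSA modulus size so you can confirm that the KSK actually serving the zone is the 2048-bit key generated in step 1. Its key tag comes out as 32557, the key id dig printed.

```python
import base64
import hashlib
import struct

# Constructed input: the KSK DNSKEY record from the "dig ... DNSKEY +dnssec +multi"
# output above, joined onto one line (the trailing "; KSK; alg = ..." comment is optional).
KSK_DNSKEY = (
    "dnssec.scbyun.com. 60 IN DNSKEY 257 3 8 "
    "AwEAAdSEHDyo2Z/ywOSA51hc6pCBnWSUcziUVqq+WOcE"
    "Va/xhnzM4fmrxvQdc33XEJpgltWe2WOoFyEiXDSCNmQL"
    "S/LWGTbE0ERO/A/tFCQIoWXYaZYE92t0CqrwEsZxpTn2"
    "vUeZwgt25Y0gNmdypmEyYfVbG4+oN/voB21GcNfqLPqD"
    "Tu5WAIFlZehb5itNcxoR9KVp0OQcJLbOVx7rxv5gP6L0"
    "mCB124V9oCwa3zKPWw9U/7CSLDZscm6R5OKzmngqIbLl"
    "s5F2RwmZoYvciHmnkMe/R8g1xiEohXsyMLGWJlHr/Bmo"
    "2jKWCuS2wmX3z7nVExN3PLa8nVtANwNaN7IO+ME="
)

# DS digest types (RFC 4034 / RFC 4509 / RFC 6605); 2 = SHA-256 is what should be published.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def parse_dnskey(line):
    """Parse a presentation-format DNSKEY (TTL and class optional, dig's
    multi-line parentheses tolerated) into (owner, flags, protocol, algorithm, key bytes)."""
    f = line.split(";")[0].replace("(", " ").replace(")", " ").split()
    i = 1
    if f[i].isdigit():                      # optional TTL
        i += 1
    if f[i].upper() in ("IN", "CH", "HS"):  # optional class
        i += 1
    if f[i].upper() != "DNSKEY":
        raise ValueError("not a DNSKEY record")
    flags, proto, alg = int(f[i + 1]), int(f[i + 2]), int(f[i + 3])
    key = base64.b64decode("".join(f[i + 4:]))
    return f[0], flags, proto, alg, key


def dnskey_rdata(flags, proto, alg, key):
    """Wire-format RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, proto, alg) + key


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (the 'key id' dig prints)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical wire form of the owner name (RFC 4034 section 6.2): lowercase labels."""
    out = bytearray()
    for label in name.rstrip(".").lower().split("."):
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def is_ksk(flags):
    """Flags 257 = ZONE (256) + SEP (1): the SEP bit marks the key as a KSK."""
    return flags & 0x0001 == 1


def rsa_key_info(key):
    """RFC 3110 layout: exponent length (1 byte, or 0 + 2 bytes), exponent, modulus."""
    if key[0]:
        exp_len, off = key[0], 1
    else:
        exp_len, off = int.from_bytes(key[1:3], "big"), 3
    exponent = int.from_bytes(key[off:off + exp_len], "big")
    modulus = int.from_bytes(key[off + exp_len:], "big")
    return exponent, modulus.bit_length()


def ds_record(dnskey_line, digest_type=2):
    """Derive the DS RR from a DNSKEY line, as dnssec-dsfromkey does:
    digest = H(canonical owner name || DNSKEY RDATA)."""
    owner, flags, proto, alg, key = parse_dnskey(dnskey_line)
    rdata = dnskey_rdata(flags, proto, alg, key)
    digest = DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


if __name__ == "__main__":
    owner, flags, proto, alg, key = parse_dnskey(KSK_DNSKEY)
    exponent, bits = rsa_key_info(key)
    print(f"{owner} {'KSK' if is_ksk(flags) else 'ZSK'} RSA-{bits} e={exponent} "
          f"key tag {key_tag(dnskey_rdata(flags, proto, alg, key))}")
    print(ds_record(KSK_DNSKEY))
```

Compare the DS line it prints with the one `dnssec-dsfromkey -f dnssec.scbyun.com.zone.signed dnssec.scbyun.com` produces before handing it to the registrar; BIND 9.11's dnssec-dsfromkey also prints a SHA-1 line (digest type 1), which `ds_record(KSK_DNSKEY, 1)` reproduces, but SHA-256 is the one to publish.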
dig @127.0.0.1 dnssec.scbyun.com RRSIG +dnssec +multi
$ dig @127.0.0.1 dnssec.scbyun.com RRSIG +dnssec +multi
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.16 <<>> @127.0.0.1 dnssec.scbyun.com RRSIG +dnssec +multi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27876
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssec.scbyun.com. IN RRSIG
;; ANSWER SECTION:
dnssec.scbyun.com. 60 IN RRSIG SOA 8 3 60 (
20241104134620 20241005134620 33675 dnssec.scbyun.com.
JC55LVNnJCkgQtoDfwt4beNK7Z8TFeQy07dK2WR8NaLz
MH4oxjnOuImC9v0U5H2sYfwpl0/3S27HfFeH9xZJf+Y9
V/dHUQa8lGEReuL1oRjhXs810SKtUe2ws00YiCqIiLCP
4Lwn9YKKa6vXUtsZFrlIqIcnpfXV7zd1TCKcFGk= )
dnssec.scbyun.com. 60 IN RRSIG NS 8 3 60 (
20241104134620 20241005134620 33675 dnssec.scbyun.com.
CM/fUAwjw46QCvVWdwCUA0MHS6AasOjimYnKybaQfZDN
Iy+PUwtsOVcYIhVA5xt9rbP1ayLH58b9QT3HcZZb+XTf
zxz+9da5O/bx6Gn0xyJGGrgXMh2NkGE/ouXttajcJY2G
+7vjdr9Bqg77dAlS4SvWb0herA2EwxgESy29RB0= )
dnssec.scbyun.com. 60 IN RRSIG A 8 3 60 (
20241104134620 20241005134620 33675 dnssec.scbyun.com.
KRbNUCjdRcimnCJNQTLpL+e7qZnWinuCKRzyeQR3xBzq
oKq1ZwM/2y45Og1RLvYPZacE+qBJrcTd9U0gKay0Z7r7
FXt/m0xpSW3CLFsG5lGkmflWYbaawSxm8Sk47jLNchUG
bpiEyKcdlPCvL5GmsFOM7qKeFdUtSKEcvhqwjxs= )
dnssec.scbyun.com. 86400 IN RRSIG NSEC 8 3 86400 (
20241104134620 20241005134620 33675 dnssec.scbyun.com.
Vf7AUUPaZXZpEq0uBVzXc+zWHapswkHG0wJi3qm+hu+d
BS/1JN2uybQKJFamw83tQaenIvxxkgTet+ot0V9Gkzbz
g7EBQZXH2v+yLwwTUdkG7GI9QlKU7mDh/7I1aH5rQnTa
lt04lQe8jnrmbCOlF84s2oGVgzYc4IbcGub/J0A= )
dnssec.scbyun.com. 60 IN RRSIG DNSKEY 8 3 60 (
20241104134620 20241005134620 33675 dnssec.scbyun.com.
B8v8AplU9LeEFZxmwZ34eXPJDdwjaixZauT/N+4HDK3g
yZ9Ia8WPPOU5mI9VoAXjQhMeOqW42XMYW3YUJDLjtJIx
4Ocjht3zMBpTU1xcs8UGb6bUJyrUEeQ6mIkAX8GYlPQo
fzc9gIaQ7snLTz/z7/WDWUxSNElh5JuyZIr2FXg= )
dnssec.scbyun.com. 60 IN RRSIG DNSKEY 8 3 60 (
20241104134620 20241005134620 32557 dnssec.scbyun.com.
DvJPzI26kMJg9YS/uWcXE/DfWItUT5p3py93M1KHwijd
djzBOdRB5ppqw2mq0pvsspLxV8tjFKR8Icxwgm3a2CYL
q+L/MYhYPjDDhAErhNiEKGH0t9eCYnlx9Ja/WPGPfPyT
hpWN77RQZK3hlKujj1gQmxPMiqnN9idD2JTp+IHZmSYx
o4Fw1dsBPg1p2jgIDu6skzmDCVp7tHw40CzTeC+/uE27
y3PAV9gFFW/Hy/EEXjnvh3Sm/FUY43roDJ5kV7OkZVeU
4iu3vWqdRwHGHQx0ELYqZJ/wTAVv6XeQ9UmhU1pvvPwM
2/RYWVaqaztif3xdt/A/poR7XQD11c49qg== )
;; AUTHORITY SECTION:
dnssec.scbyun.com. 60 IN NS ns1.dnssec.scbyun.com.
dnssec.scbyun.com. 60 IN RRSIG NS 8 3 60 (
20241104134620 20241005134620 33675 dnssec.scbyun.com.
CM/fUAwjw46QCvVWdwCUA0MHS6AasOjimYnKybaQfZDN
Iy+PUwtsOVcYIhVA5xt9rbP1ayLH58b9QT3HcZZb+XTf
zxz+9da5O/bx6Gn0xyJGGrgXMh2NkGE/ouXttajcJY2G
+7vjdr9Bqg77dAlS4SvWb0herA2EwxgESy29RB0= )
;; ADDITIONAL SECTION:
ns1.dnssec.scbyun.com. 60 IN A 121.168.247.192
ns1.dnssec.scbyun.com. 60 IN RRSIG A 8 4 60 (
20241104134620 20241005134620 33675 dnssec.scbyun.com.
IuPvFQhM7uXvXBmDv0/bFL2wxOxtlxzEogSNGbuHDecZ
ts710uIjFUhxcgzkF72+MOMGZ1D0Upv9V2mqcIKGkWKi
42t8MXb0Azuc0Jxt1Thr9IL8uZPJUCHewWgKul6oipSk
UaST8dwFTU9WI9UJNBfDHujprDWikBVNxL6c7IE= )
;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: 토 10월 05 23:57:13 KST 2024
;; MSG SIZE rcvd: 1624
NSEC record query
dig @127.0.0.1 dnssec.scbyun.com NSEC +dnssec +multi
$ dig @127.0.0.1 dnssec.scbyun.com NSEC +dnssec +multi
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.16 <<>> @127.0.0.1 dnssec.scbyun.com NSEC +dnssec +multi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32304
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssec.scbyun.com. IN NSEC
;; ANSWER SECTION:
dnssec.scbyun.com. 86400 IN NSEC ns1.dnssec.scbyun.com. A NS SOA RRSIG NSEC DNSKEY
dnssec.scbyun.com. 86400 IN RRSIG NSEC 8 3 86400 (
20241104134620 20241005134620 33675 dnssec.scbyun.com.
Vf7AUUPaZXZpEq0uBVzXc+zWHapswkHG0wJi3qm+hu+d
BS/1JN2uybQKJFamw83tQaenIvxxkgTet+ot0V9Gkzbz
g7EBQZXH2v+yLwwTUdkG7GI9QlKU7mDh/7I1aH5rQnTa
lt04lQe8jnrmbCOlF84s2oGVgzYc4IbcGub/J0A= )
;; AUTHORITY SECTION:
dnssec.scbyun.com. 60 IN NS ns1.dnssec.scbyun.com.
dnssec.scbyun.com. 60 IN RRSIG NS 8 3 60 (
20241104134620 20241005134620 33675 dnssec.scbyun.com.
CM/fUAwjw46QCvVWdwCUA0MHS6AasOjimYnKybaQfZDN
Iy+PUwtsOVcYIhVA5xt9rbP1ayLH58b9QT3HcZZb+XTf
zxz+9da5O/bx6Gn0xyJGGrgXMh2NkGE/ouXttajcJY2G
+7vjdr9Bqg77dAlS4SvWb0herA2EwxgESy29RB0= )
;; ADDITIONAL SECTION:
ns1.dnssec.scbyun.com. 60 IN A 121.168.247.192
ns1.dnssec.scbyun.com. 60 IN RRSIG A 8 4 60 (
20241104134620 20241005134620 33675 dnssec.scbyun.com.
IuPvFQhM7uXvXBmDv0/bFL2wxOxtlxzEogSNGbuHDecZ
ts710uIjFUhxcgzkF72+MOMGZ1D0Upv9V2mqcIKGkWKi
42t8MXb0Azuc0Jxt1Thr9IL8uZPJUCHewWgKul6oipSk
UaST8dwFTU9WI9UJNBfDHujprDWikBVNxL6c7IE= )
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: 토 10월 05 23:57:55 KST 2024
;; MSG SIZE rcvd: 651
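Every RRSIG above carries an expiration and an inception timestamp (20241104134620 and 20241005134620, i.e. YYYYMMDDHHmmSS in UTC): dnssec-signzone signs for 30 days from the signing time by default, and because this post signs the zone by hand rather than with auto-dnssec maintain, the zone has to be re-signed (step 3 onward) before that date, or validating resolvers will treat the data as bogus and answer SERVFAIL. The script below is an added example, not code from this post or from BIND; it parses RRSIG records out of dig +multi output (the sample is constructed from the RRSIG answer above with the signature data shortened, since only the validity window, key tag and signer are read) and reports which signatures are expired, about to expire, or not yet valid relative to a given time.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: RRSIG lines in "dig +multi" form taken from the RRSIG query
# output above; the base64 signature data is truncated because this check never
# verifies the signature itself, only its validity window, key tag and signer.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
dnssec.scbyun.com. 60 IN RRSIG SOA 8 3 60 (
20241104134620 20241005134620 33675 dnssec.scbyun.com.
JC55LVNnJCkgQtoDfwt4beNK7Z8TFeQy07dK2WR8NaLz
4Lwn9YKKa6vXUtsZFrlIqIcnpfXV7zd1TCKcFGk= )
dnssec.scbyun.com. 86400 IN RRSIG NSEC 8 3 86400 (
20241104134620 20241005134620 33675 dnssec.scbyun.com.
Vf7AUUPaZXZpEq0uBVzXc+zWHapswkHG0wJi3qm+hu+d
lt04lQe8jnrmbCOlF84s2oGVgzYc4IbcGub/J0A= )
dnssec.scbyun.com. 60 IN RRSIG DNSKEY 8 3 60 (
20241104134620 20241005134620 32557 dnssec.scbyun.com.
DvJPzI26kMJg9YS/uWcXE/DfWItUT5p3py93M1KHwijd
2/RYWVaqaztif3xdt/A/poR7XQD11c49qg== )
"""


def utc(year, month, day, hour=0, minute=0, second=0):
    """Helper so callers can build reference times without importing datetime."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def records(text):
    """Yield one record per string, re-joining dig's multi-line '( ... )' form
    and skipping ';' comment lines."""
    buf = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        buf.append(line)
        joined = " ".join(buf)
        if joined.count("(") == joined.count(")"):
            yield joined.replace("(", " ").replace(")", " ")
            buf = []


def sig_time(stamp):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(text):
    """Extract every RRSIG from dig output as a dict; other record types are ignored."""
    sigs = []
    for rec in records(text):
        f = rec.split()
        i = 1
        if f[i].isdigit():                      # optional TTL
            i += 1
        if f[i].upper() in ("IN", "CH", "HS"):  # optional class
            i += 1
        if f[i].upper() != "RRSIG":
            continue
        covered, alg, labels, orig_ttl, exp, inc, tag, signer = f[i + 1:i + 9]
        sigs.append({
            "owner": f[0], "covered": covered, "alg": int(alg),
            "expiration": sig_time(exp), "inception": sig_time(inc),
            "key_tag": int(tag), "signer": signer,
        })
    return sigs


def validity_window_days(sig):
    """Length of the signature validity period (dnssec-signzone default: 30 days)."""
    return (sig["expiration"] - sig["inception"]).days


def signature_status(sig, now, warn=timedelta(days=7)):
    """Classify one RRSIG relative to 'now'; EXPIRING means re-signing is due."""
    if now < sig["inception"]:
        return "NOT_YET_VALID"
    if now >= sig["expiration"]:
        return "EXPIRED"
    if sig["expiration"] - now <= warn:
        return "EXPIRING"
    return "OK"


def check_signatures(text, now, warn=timedelta(days=7)):
    """Return {(owner, covered type): status} for every RRSIG in the dig output."""
    return {(s["owner"], s["covered"]): signature_status(s, now, warn)
            for s in parse_rrsigs(text)}


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for (owner, covered), status in check_signatures(SAMPLE_DIG_OUTPUT, now).items():
        print(f"{owner} RRSIG {covered}: {status}")
```

Feed it live data with `dig @127.0.0.1 dnssec.scbyun.com RRSIG +dnssec +multi` on a schedule and alert on anything other than OK; with the page's default 30-day window, a weekly re-sign leaves more than enough margin for the `warn` threshold.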
References
- KRNIC (한국인터넷정보센터): DNSSEC deployment guide