DNSSEC 구축 방법 및 검증
1. 도메인 설정 및 존파일 작성
[root@LAMP01 named]# tail /etc/named.conf
zone "sangchul.kr" { type master; file "sangchul.kr-zone"; allow-update { none; }; };
[root@LAMP01 named]# cat sangchul.kr-zone
$TTL 600
@ IN SOA ns.sangchul.kr. dns.netpiacorp.com. (
2013022701 ; Serial
2H ; Refresh
1H ; Retry
1W ; Expire
1H ) ; Minimum
IN NS ns1.sangchul.kr.
IN NS ns2.sangchul.kr.
IN A 211.234.242.174
www IN CNAME @
* IN A 211.234.242.174
ngb IN A 127.0.0.1
ns1 IN A 127.0.0.1
ns2 IN A 127.0.0.1
질의 테스트
[root@LAMP01 named]# dig @127.0.0.1 ngb.sangchul.kr +short
127.0.0.1
2. 서명키 생성
sangchul.kr 존 서명키(ZSK) 생성(1024 비트 이상 사용 권고. 아래 예제의 NSEC3RSASHA1(알고리즘 7)은 현재 서명용으로 권고되지 않으므로 신규 구축 시에는 RSASHA256 또는 ECDSAP256SHA256 사용을 검토할 것)
[root@LAMP01 named]# dnssec-keygen -a NSEC3RSASHA1 -r /dev/urandom -b 1024 -n ZONE sangchul.kr.
Generating key pair...................................++++++ ...............++++++
Ksangchul.kr.+007+18434
sangchul.kr 키 서명키(KSK) 생성(2048 비트 이상 사용 권고)
[root@LAMP01 named]# dnssec-keygen -a NSEC3RSASHA1 -r /dev/urandom -b 2048 -n ZONE -f KSK sangchul.kr.
Generating key pair...............................+++ ................+++
Ksangchul.kr.+007+53403
[root@LAMP01 named]# ls -l Ksangchul.kr.*
-rw-r--r-- 1 root root 380 3월 18 17:54 Ksangchul.kr.+007+18434.key
-rw------- 1 root root 1015 3월 18 17:54 Ksangchul.kr.+007+18434.private
-rw-r--r-- 1 root root 554 3월 18 17:54 Ksangchul.kr.+007+53403.key
-rw------- 1 root root 1779 3월 18 17:54 Ksangchul.kr.+007+53403.private
3. Public Key 존 반영
[root@LAMP01 named]# vi sangchul.kr-zone
$TTL 600
@ IN SOA ns.sangchul.kr. dns.netpiacorp.com. (
2013022701 ; Serial
2H ; Refresh
1H ; Retry
1W ; Expire
1H ) ; Minimum
IN NS ns1.sangchul.kr.
IN NS ns2.sangchul.kr.
IN A 211.234.242.174
www IN CNAME @
* IN A 211.234.242.174
ngb IN A 127.0.0.1
ns1 IN A 127.0.0.1
ns2 IN A 127.0.0.1
$INCLUDE Ksangchul.kr.+007+18434.key
$INCLUDE Ksangchul.kr.+007+53403.key
4. 존 서명
[root@LAMP01 named]# dnssec-signzone -S -3 96e920 -o sangchul.kr. sangchul.kr-zone
Verifying the zone using the following algorithms: NSEC3RSASHA1.
Zone signing complete:
Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked
sangchul.kr-zone.signed
5. 네임서버에 존 반영 (아래 options의 recursion yes; 와 allow-query { any; }; 조합은 권한 서버를 외부에 열린 재귀 리졸버로 만들어 증폭 공격에 악용될 수 있으므로, 운영 환경에서는 recursion no; 로 두거나 allow-recursion을 내부 대역으로 제한할 것. dnssec-lookaside auto(ISC DLV)는 서비스가 종료되어 최신 BIND에서는 제거된 옵션임)
options {
listen-on port 53 { any; };
// listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
};
zone "sangchul.kr" { type master; file "sangchul.kr-zone.signed"; key-directory "key"; auto-dnssec maintain; allow-update { none; }; };
6. 서명검증 상태 점검방법
[root@LAMP01 named]# dig @127.0.0.1 ngb.sangchul.kr A +dnssec +multiline
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-10.P2.el5_8.5 <<>> @127.0.0.1 ngb.sangchul.kr A +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7567
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ngb.sangchul.kr. IN A
;; ANSWER SECTION:
ngb.sangchul.kr. 600 IN A 127.0.0.1
ngb.sangchul.kr. 600 IN RRSIG A 7 3 600 20130417075639 (
20130318075639 18434 sangchul.kr.
JSfTay1PS9gXHc3YRIPnTTevFwrUXxtv3EFmiwtaaNyV
cZgTf2oIQOMnEsNzbOFHAfoZi+MiLDmg/ddNtp5qDrmq
x+DE77O7ty5eNL5VR/UROjD40IIe6v46opcVotpkIddJ
gP+R2eC/OLleFDw0izWJEFgUCzwG/MDqdYdInx4= )
;; AUTHORITY SECTION:
sangchul.kr. 600 IN NS ns1.sangchul.kr.
sangchul.kr. 600 IN NS ns2.sangchul.kr.
sangchul.kr. 600 IN RRSIG NS 7 2 600 20130417075639 (
20130318075639 18434 sangchul.kr.
f3GNqt3IajADVKyPK7vkyAvI36StExpcV0XHL6gQ4pn0
vG5NJ7EpR/lyGZAYomhzQzENmF9OA/KuVNFwwOxnVKT7
NM6Ww7+NfIb6c5xCpRtVbh7NLYUY+Eyzhy06ZxJmHxkV
k7AG52yrWGPptXpCz3HlkytbonjJjdEGs5ty2iQ= )
;; ADDITIONAL SECTION:
ns1.sangchul.kr. 600 IN A 127.0.0.1
ns2.sangchul.kr. 600 IN A 127.0.0.1
ns1.sangchul.kr. 600 IN RRSIG A 7 3 600 20130417075639 (
20130318075639 18434 sangchul.kr.
PI/QEb/mIAEuivvcyUr01V2HnEKMpdN27DZMrVD/dVuU
E1vuELnIcMESxmakQyrAD0Q8bi8v97EdV/HLhnV1M7lj
0uSAO11RC2tHW/aaI3v8fgdHFXAynwhqr5wBRqTgL58f
wyh2967lPWXtXoclIhTdIwOT/GzD3clscrXFFzs= )
ns2.sangchul.kr. 600 IN RRSIG A 7 3 600 20130417075639 (
20130318075639 18434 sangchul.kr.
JKBNfYIRFZcitbmXuOwYxNGR+Z8K4Dl6V8haFzyqWtZM
w+9pFjumpcgWE2v1pehRud87KZr8lr7DrSgIUa3uLCj7
cuwndDVZ6ajzDqWymSsdl4HdqIIFErnPd0GlSUTjxzgK
zIJDcYQDC5k8jLJrm5Ab3KRrzuMxeiqjgr4qBRU= )
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Mar 18 18:09:06 2013
;; MSG SIZE rcvd: 812