DNSSEC configuration and deployment
Generate a Zone Signing Key (ZSK) and a Key Signing Key (KSK) for each domain zone.
• Zone Signing Key (ZSK)
◦ Signs all the RRs in the zone.
• Key Signing Key (KSK)
◦ Used to sign the ZSK.
◦ Serves as the zone's Secure Entry Point (SEP) key.
▶ Generating the Key-Signing Key (KSK)
[root@sangchul named]# dnssec-keygen -r /dev/urandom -a RSASHA1 -b 2048 -n ZONE -f KSK sangchul.kr
Generating key pair.......................................+++ ....................................................................+++
Ksangchul.kr.+005+37828
[root@sangchul named]# ls -l
-rw-r--r-- 1 root root 605 2월 21 19:39 Ksangchul.kr.+005+37828.key
-rw------- 1 root root 1774 2월 21 19:39 Ksangchul.kr.+005+37828.private
▶ Generating the Zone-Signing Key (ZSK)
[root@sangchul named]# dnssec-keygen -r /dev/urandom -a RSASHA1 -b 1024 -n ZONE sangchul.kr
Generating key pair..................++++++ ....++++++
Ksangchul.kr.+005+55767
[root@sangchul named]# ls -l
-rw-r--r-- 1 root root 431 2월 21 19:41 Ksangchul.kr.+005+55767.key
-rw------- 1 root root 1010 2월 21 19:41 Ksangchul.kr.+005+55767.private
▶ Appending the KSK and ZSK public keys to the zone file
[root@sangchul named]# cat Ksangchul.kr.+005+37828.key >> sangchul.kr.zone
[root@sangchul named]# cat Ksangchul.kr.+005+55767.key >> sangchul.kr.zone
[root@sangchul named]# cat sangchul.kr.zone
$TTL 3600 ; 1 hour
@ IN SOA ns.sangchul.kr. dns.dreamline.co.kr. (
2007040461 ; serial
7200 ; refresh (2 hours)
3600 ; retry (1 hour)
604800 ; expire (1 week)
3600 ; minimum (1 hour)
)
NS ns.sangchul.kr.
@ IN A 222.222.222.222
www IN A 222.222.222.222
ns IN A 222.222.222.222
; This is a key-signing key, keyid 37828, for sangchul.kr.
; Created: 20110221103921 (Mon Feb 21 19:39:21 2011)
; Publish: 20110221103921 (Mon Feb 21 19:39:21 2011)
; Activate: 20110221103921 (Mon Feb 21 19:39:21 2011)
sangchul.kr. IN DNSKEY 257 3 5 AwEAAcuM3tRuTCCz6t08Rk3mYfuGHpSNy5ZI+5AuDdzsdGfQj9OTr1uQ EnGVq7adHjiFV+EJLTJlZt+89jvuRRZbkWKo1E42iSzuRXzmLrlLOwLd xe8K7T4TK2eP4b9FQrVkGmJzQ0a25VdpeUlM+yrWEheouQkYGaC1Dj3D GXdSdusU+LW2tLWyvgtNbazsHYX/2pFd2Hdt+0L6BvEHvlXB4OskZxPI VypZz0NjheZobGV7kJdTQJXSWDnHyjde+idabC2m/SNzcEUW/zUk4c34 js2TNJr+Q+v0y+US4xisf2/yytRCIqQS6Swy81fca8/h/Nklv3rimnsI LNwhvFrlkXU=
; This is a zone-signing key, keyid 55767, for sangchul.kr.
; Created: 20110221104100 (Mon Feb 21 19:41:00 2011)
; Publish: 20110221104100 (Mon Feb 21 19:41:00 2011)
; Activate: 20110221104100 (Mon Feb 21 19:41:00 2011)
sangchul.kr. IN DNSKEY 256 3 5 AwEAAd01uOzKjvK+g4Ht3s7aXXS20UUCjVgk0b8aep1JMRelJ9E+E3UU OcKnL9oWqC+m6I89g00Su14U6wzPN3FQIM3xmwWIXXhrkbuOl8BXV1Xm sR8DiFCWHKW3NSmyPuS+A6t/A/aLPaOS4G3ForfRefbllbFWmJQGu3Y9 NXf3bpRh
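As an added example (not part of the original post and not BIND's own tooling), the script below reads the two DNSKEY records that were just appended to the zone file and checks them the way a reviewer would: it decodes the flags field (257 marks the KSK, whose SEP bit is set; 256 marks the ZSK), splits the RSA public key in its RFC 3110 wire layout to recover the exponent and modulus size, and recomputes the key tag with the RFC 4034 Appendix B procedure so it can be compared with the key id in the Ksangchul.kr.+005+NNNNN filenames printed by dnssec-keygen. The record text and filenames are copied from the listing above; the function names and the ALGORITHMS table are mine.

```python
import base64
import re

# DNSKEY algorithm numbers from the IANA registry; 5 (RSASHA1) is what the post uses.
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
              13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519"}
RSA_ALGORITHMS = {5, 7, 8, 10}

# The two DNSKEY records exactly as they were appended to sangchul.kr.zone (copied from the post).
KSK_RECORD = ("sangchul.kr. IN DNSKEY 257 3 5 "
              "AwEAAcuM3tRuTCCz6t08Rk3mYfuGHpSNy5ZI+5AuDdzsdGfQj9OTr1uQ"
              "EnGVq7adHjiFV+EJLTJlZt+89jvuRRZbkWKo1E42iSzuRXzmLrlLOwLd"
              "xe8K7T4TK2eP4b9FQrVkGmJzQ0a25VdpeUlM+yrWEheouQkYGaC1Dj3D"
              "GXdSdusU+LW2tLWyvgtNbazsHYX/2pFd2Hdt+0L6BvEHvlXB4OskZxPI"
              "VypZz0NjheZobGV7kJdTQJXSWDnHyjde+idabC2m/SNzcEUW/zUk4c34"
              "js2TNJr+Q+v0y+US4xisf2/yytRCIqQS6Swy81fca8/h/Nklv3rimnsI"
              "LNwhvFrlkXU=")
ZSK_RECORD = ("sangchul.kr. IN DNSKEY 256 3 5 "
              "AwEAAd01uOzKjvK+g4Ht3s7aXXS20UUCjVgk0b8aep1JMRelJ9E+E3UU"
              "OcKnL9oWqC+m6I89g00Su14U6wzPN3FQIM3xmwWIXXhrkbuOl8BXV1Xm"
              "sR8DiFCWHKW3NSmyPuS+A6t/A/aLPaOS4G3ForfRefbllbFWmJQGu3Y9"
              "NXf3bpRh")


def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B: 16-bit word sum over the DNSKEY RDATA, carry folded in."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rsa_public_key(pubkey):
    """Split an RFC 3110 RSA key: exponent length (1 byte, or 0 followed by 2 bytes), exponent, modulus."""
    exp_len, offset = pubkey[0], 1
    if exp_len == 0:
        exp_len, offset = int.from_bytes(pubkey[1:3], "big"), 3
    exponent = int.from_bytes(pubkey[offset:offset + exp_len], "big")
    modulus = int.from_bytes(pubkey[offset + exp_len:], "big")
    return exponent, modulus.bit_length()


def parse_dnskey(record):
    """Decode one presentation-format DNSKEY record (owner [ttl] [class] DNSKEY flags proto alg key)."""
    fields = record.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = int(fields[i + 1]), int(fields[i + 2]), int(fields[i + 3])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    exponent, bits = rsa_public_key(pubkey) if algorithm in RSA_ALGORITHMS else (None, None)
    return {
        "owner": fields[0],
        "zone_key": bool(flags & 0x0100),            # bit 7 (256): must be set for any zone key
        "revoked": bool(flags & 0x0080),             # bit 8 (128): RFC 5011 REVOKE
        "role": "KSK" if flags & 0x0001 else "ZSK",  # bit 15 (1): SEP, hence 257 for KSK, 256 for ZSK
        "protocol": protocol,                        # must be 3
        "algorithm": ALGORITHMS.get(algorithm, str(algorithm)),
        "exponent": exponent,
        "modulus_bits": bits,
        "key_tag": key_tag(flags, protocol, algorithm, pubkey),
    }


def keyid_from_filename(filename):
    """Ksangchul.kr.+005+37828.key -> (algorithm 5, key id 37828), the id dnssec-keygen printed."""
    m = re.fullmatch(r"K(?P<owner>.+)\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.(key|private)", filename)
    return int(m.group("alg")), int(m.group("tag"))


def audit(record, filename):
    """Decode the record and report whether its computed key tag and algorithm match the key file name."""
    info = parse_dnskey(record)
    alg, tag = keyid_from_filename(filename)
    info["matches_file"] = info["key_tag"] == tag and ALGORITHMS.get(alg) == info["algorithm"]
    return info


if __name__ == "__main__":
    for rec, fname in ((KSK_RECORD, "Ksangchul.kr.+005+37828.key"),
                       (ZSK_RECORD, "Ksangchul.kr.+005+55767.key")):
        info = audit(rec, fname)
        print(f"{info['role']} {info['algorithm']} {info['modulus_bits']}-bit e={info['exponent']} "
              f"tag={info['key_tag']} file={fname} match={info['matches_file']}")
```

A mismatch between the computed tag and the file name is the first thing to look for when an RRSIG later points at a key tag that no published DNSKEY has: the wrong .key file was appended, or the record was edited after signing.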
▶ Signing the zone file
[root@sangchul named]# dnssec-signzone -l dlv.isc.org -r /dev/urandom -o sangchul.kr -k Ksangchul.kr.+005+37828.key sangchul.kr.zone Ksangchul.kr.+005+55767.key
Verifying the zone using the following algorithms: RSASHA1.
Zone signing complete:
Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked
sangchul.kr.zone.signed
▶ Updating named.conf
---------------------------------------------------
zone "sangchul.kr" in {
type master;
file "sangchul.kr.zone";
};
---------------------------------------------------
zone "sangchul.kr" in {
type master;
// file "sangchul.kr_1.zone";
file "sangchul.kr.zone.signed";
};
---------------------------------------------------
▶ Restarting named
[root@sangchul named]# rndc reload
server reload successful
▶ Testing queries with the dig utility
[root@sangchul named]# dig @127.0.0.1 127.0.0.1 sangchul.kr soa +dnssec
; <<>> DiG 9.7.3 <<>> @127.0.0.1 127.0.0.1 sangchul.kr soa +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23224
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;127.0.0.1. IN A
;; AUTHORITY SECTION:
. 10128 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2011022001 1800 900 604800 86400
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Feb 21 19:58:32 2011
;; MSG SIZE rcvd: 102
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49472
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;sangchul.kr. IN SOA
;; ANSWER SECTION:
sangchul.kr. 3600 IN SOA ns.sangchul.kr. admin.sangchul.kr. 2007040461 7200 3600 604800 3600
sangchul.kr. 3600 IN RRSIG SOA 5 2 3600 20110323094543 20110221094543 55767 sangchul.kr. VE/FDkPcx1sV0nzbnwLsuE8dI3KeJPIu1+FOEZ9j8cT7rE5qtergudF/ jkbjBkr0Eu7avSoR/VnPvXoTcdEsOznfGQ+mcxiUTTvTwXNkQErUQmhX WjPuhcGoG6Rx8/ry+um4yCD909x4wuJYgad1FRL6PUMNx40B/axiWtl0 U3c=
;; AUTHORITY SECTION:
sangchul.kr. 3600 IN NS ns.sangchul.kr.
sangchul.kr. 3600 IN RRSIG NS 5 2 3600 20110323094543 20110221094543 55767 sangchul.kr. d9o8XfHPP4bk5sMV/Zo+CXOKoHx5yK1npp76jS7lw7vKVGryxvd6vUYE ZcMRkl4g6dBksw4cwFJXMxgE3U0fzE2QWA9az56tbu1gUFYNv8tsz+C0 ia9WArsLGSKTFWNa4tBeNJb7fqgSjvwFQx3Q3lVvhW0yLinxPe276ZFn gNs=
;; ADDITIONAL SECTION:
ns.sangchul.kr. 3600 IN A 222.222.222.222
ns.sangchul.kr. 3600 IN RRSIG A 5 3 3600 20110323094543 20110221094543 55767 sangchul.kr. fE3PJmKW1pxMhRgOE1pDV3WqwEWOfN0QQZuJCFer1PAgSbtEXcS+ayhv ze2LnJdmJwZUktgMhLvh/AA0BOB7bCIjN2XcqhdweLFEPeA9BWnwQ7D6 xKWakOR62KUe2SJoqP8dBvm+ami35lHcpIgEgY5PV7Q32rjJXsnx/Ehb nus=
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Feb 21 19:58:32 2011
;; MSG SIZE rcvd: 628
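A second added example, again not from the original post: a small checker that reads the NOERROR response above (the first response, NXDOMAIN for the name `127.0.0.1.`, is dig treating the repeated `127.0.0.1` argument as a query name) and confirms what a validating resolver will need from it: the answer is authoritative (`aa`), the DO bit was set so RRSIGs came back, and every RRset in the answer, authority and additional sections carries an RRSIG from the zone's own ZSK (key tag 55767, the id in the Ksangchul.kr.+005+55767 filename) whose validity window covers the query time. The response text is copied from the post. RRSIG timestamps are UTC while dig's WHEN line shows the server's local clock, so QUERY_TIME taken as printed is an assumption; the function names are mine.

```python
import re
from collections import defaultdict
from datetime import datetime

# The NOERROR response from the post's dig run, copied verbatim (sample input for this script).
DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49472
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;sangchul.kr. IN SOA
;; ANSWER SECTION:
sangchul.kr. 3600 IN SOA ns.sangchul.kr. admin.sangchul.kr. 2007040461 7200 3600 604800 3600
sangchul.kr. 3600 IN RRSIG SOA 5 2 3600 20110323094543 20110221094543 55767 sangchul.kr. VE/FDkPcx1sV0nzbnwLsuE8dI3KeJPIu1+FOEZ9j8cT7rE5qtergudF/ jkbjBkr0Eu7avSoR/VnPvXoTcdEsOznfGQ+mcxiUTTvTwXNkQErUQmhX WjPuhcGoG6Rx8/ry+um4yCD909x4wuJYgad1FRL6PUMNx40B/axiWtl0 U3c=
;; AUTHORITY SECTION:
sangchul.kr. 3600 IN NS ns.sangchul.kr.
sangchul.kr. 3600 IN RRSIG NS 5 2 3600 20110323094543 20110221094543 55767 sangchul.kr. d9o8XfHPP4bk5sMV/Zo+CXOKoHx5yK1npp76jS7lw7vKVGryxvd6vUYE ZcMRkl4g6dBksw4cwFJXMxgE3U0fzE2QWA9az56tbu1gUFYNv8tsz+C0 ia9WArsLGSKTFWNa4tBeNJb7fqgSjvwFQx3Q3lVvhW0yLinxPe276ZFn gNs=
;; ADDITIONAL SECTION:
ns.sangchul.kr. 3600 IN A 222.222.222.222
ns.sangchul.kr. 3600 IN RRSIG A 5 3 3600 20110323094543 20110221094543 55767 sangchul.kr. fE3PJmKW1pxMhRgOE1pDV3WqwEWOfN0QQZuJCFer1PAgSbtEXcS+ayhv ze2LnJdmJwZUktgMhLvh/AA0BOB7bCIjN2XcqhdweLFEPeA9BWnwQ7D6 xKWakOR62KUe2SJoqP8dBvm+ami35lHcpIgEgY5PV7Q32rjJXsnx/Ehb nus=
;; WHEN: Mon Feb 21 19:58:32 2011
"""
ZONE, ZSK_TAG = "sangchul.kr.", 55767           # ZSK key id from Ksangchul.kr.+005+55767.key
QUERY_TIME = datetime(2011, 2, 21, 19, 58, 32)   # dig's WHEN line; assumed comparable to the UTC RRSIG times

SECTION_RE = re.compile(r"^;; (\w+) SECTION:")


def parse_dig(text):
    """Split dig's text output into header flags, EDNS flags, and (owner, ttl, type, rdata) per section."""
    result = {"flags": set(), "edns_flags": set(), "sections": defaultdict(list)}
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if line.startswith(";; flags:"):
            result["flags"] = set(line[len(";; flags:"):].split(";")[0].split())
            continue
        if line.startswith("; EDNS:"):
            m2 = re.search(r"flags: ([a-z ]*);", line)   # dig prints "flags:;" when none are set
            result["edns_flags"] = set(m2.group(1).split()) if m2 else set()
            continue
        if not line or line.startswith(";") or section is None:
            continue
        owner, ttl, _klass, rtype, rdata = line.split(None, 4)
        result["sections"][section].append((owner, int(ttl), rtype, rdata))
    return result


def parse_rrsig(rdata):
    """RRSIG RDATA: type covered, algorithm, labels, original TTL, expiration, inception, key tag, signer, sig."""
    f = rdata.split()
    return {"type_covered": f[0], "algorithm": int(f[1]), "labels": int(f[2]), "original_ttl": int(f[3]),
            "expiration": datetime.strptime(f[4], "%Y%m%d%H%M%S"),
            "inception": datetime.strptime(f[5], "%Y%m%d%H%M%S"),
            "key_tag": int(f[6]), "signer": f[7]}


def audit(parsed, zone=ZONE, zsk_tag=ZSK_TAG, query_time=QUERY_TIME):
    """Map each RRset (section, owner, type) to a list of problems; an empty list means it passed."""
    findings, header = {}, []
    if "aa" not in parsed["flags"]:
        header.append("response is not authoritative (no aa flag)")
    if "do" not in parsed["edns_flags"]:
        header.append("DO bit not set: the server would not have returned RRSIGs")
    if header:
        findings["header"] = header
    for section, records in parsed["sections"].items():
        sigs = {}
        for owner, _, rtype, rdata in records:
            if rtype == "RRSIG":
                sig = parse_rrsig(rdata)
                sigs[(owner, sig["type_covered"])] = sig
        for owner, ttl, rtype, _ in records:
            if rtype == "RRSIG":
                continue
            problems, sig = [], sigs.get((owner, rtype))
            if sig is None:
                problems.append("no RRSIG covering this RRset")
            else:
                # RRSIG label count excludes the root label and a leading wildcard label.
                labels = len([l for l in owner.rstrip(".").split(".") if l != "*"])
                if sig["signer"] != zone:
                    problems.append(f"signed by {sig['signer']}, not {zone}")
                if sig["key_tag"] != zsk_tag:
                    problems.append(f"key tag {sig['key_tag']} is not the ZSK ({zsk_tag})")
                if not sig["inception"] <= query_time <= sig["expiration"]:
                    problems.append("query time outside the RRSIG validity window")
                if sig["labels"] != labels:
                    problems.append("RRSIG label count does not match the owner name")
                if sig["original_ttl"] != ttl:
                    problems.append("RRSIG original TTL differs from the record TTL")
            findings[(section, owner, rtype)] = problems
    return findings


if __name__ == "__main__":
    for key, problems in audit(parse_dig(DIG_OUTPUT)).items():
        print(key, "OK" if not problems else problems)
```

The checker does not verify the signatures themselves (that needs the DNSKEY RRset and an RSA implementation); it catches the operational failures that show up first in practice: a response served from the unsigned file after the named.conf change was missed, an RRSIG whose key tag points at a key that is no longer published, and signatures that have expired because the zone was not re-signed within the 30-day validity that dnssec-signzone used here.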