

[네임서버] DNSSEC 설정 및 적용


DNSSEC 설정 및 적용
각각의 도메인 존에 대해 Zone Signing Key(ZSK)와 Key Signing Key(KSK)를 생성한다. (참고: 아래 예제는 RSASHA1(알고리즘 5)과 1024비트 ZSK를 사용하는데, SHA-1 기반 알고리즘은 RFC 8624에서 서명 용도로 권장되지 않고 1024비트 RSA도 현재 기준으로는 짧은 편이므로, 새로 구성할 때는 RSASHA256(8)이나 ECDSAP256SHA256(13) 같은 알고리즘을 선택하는 것이 좋다.)

 

•Zone Signing Key (ZSK)
◦존의 모든 RR을 서명한다.

 

•Key Signing Key (KSK)
◦ZSK를 서명하는데 사용한다.
◦존의 Secure Entry Point (SEP) 키로 사용된다.

 

▶ Key-Signing Key (KSK) 생성
[root@sangchul named]# dnssec-keygen -r /dev/urandom -a RSASHA1 -b 2048 -n ZONE -f KSK sangchul.kr
Generating key pair.......................................+++ ....................................................................+++
Ksangchul.kr.+005+37828

 

[root@sangchul named]# ls -l
-rw-r--r-- 1 root   root    605  2월 21 19:39 Ksangchul.kr.+005+37828.key
-rw------- 1 root   root   1774  2월 21 19:39 Ksangchul.kr.+005+37828.private

 

▶ Zone-Signing Key (ZSK) 생성
[root@sangchul named]# dnssec-keygen -r /dev/urandom -a RSASHA1 -b 1024 -n ZONE sangchul.kr
Generating key pair..................++++++ ....++++++
Ksangchul.kr.+005+55767

 

[root@sangchul named]# ls -l
-rw-r--r-- 1 root   root    431  2월 21 19:41 Ksangchul.kr.+005+55767.key
-rw------- 1 root   root   1010  2월 21 19:41 Ksangchul.kr.+005+55767.private


▶ ZONE 파일에 KSK와 ZSK 공개 키 추가
[root@sangchul named]# cat Ksangchul.kr.+005+37828.key >> sangchul.kr.zone
[root@sangchul named]# cat Ksangchul.kr.+005+55767.key >> sangchul.kr.zone
[root@sangchul named]# cat sangchul.kr.zone
$TTL 3600       ; 1 hour
@                       IN SOA  ns.sangchul.kr. dns.dreamline.co.kr. (
                                2007040461 ; serial
                                7200       ; refresh (2 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                3600       ; minimum (1 hour)
                                )
                        NS      ns.sangchul.kr.
@                       IN A    222.222.222.222
www                     IN A    222.222.222.222
ns                      IN A    222.222.222.222
; This is a key-signing key, keyid 37828, for sangchul.kr.
; Created: 20110221103921 (Mon Feb 21 19:39:21 2011)
; Publish: 20110221103921 (Mon Feb 21 19:39:21 2011)
; Activate: 20110221103921 (Mon Feb 21 19:39:21 2011)
sangchul.kr. IN DNSKEY 257 3 5 AwEAAcuM3tRuTCCz6t08Rk3mYfuGHpSNy5ZI+5AuDdzsdGfQj9OTr1uQ EnGVq7adHjiFV+EJLTJlZt+89jvuRRZbkWKo1E42iSzuRXzmLrlLOwLd xe8K7T4TK2eP4b9FQrVkGmJzQ0a25VdpeUlM+yrWEheouQkYGaC1Dj3D GXdSdusU+LW2tLWyvgtNbazsHYX/2pFd2Hdt+0L6BvEHvlXB4OskZxPI VypZz0NjheZobGV7kJdTQJXSWDnHyjde+idabC2m/SNzcEUW/zUk4c34 js2TNJr+Q+v0y+US4xisf2/yytRCIqQS6Swy81fca8/h/Nklv3rimnsI LNwhvFrlkXU=
; This is a zone-signing key, keyid 55767, for sangchul.kr.
; Created: 20110221104100 (Mon Feb 21 19:41:00 2011)
; Publish: 20110221104100 (Mon Feb 21 19:41:00 2011)
; Activate: 20110221104100 (Mon Feb 21 19:41:00 2011)
sangchul.kr. IN DNSKEY 256 3 5 AwEAAd01uOzKjvK+g4Ht3s7aXXS20UUCjVgk0b8aep1JMRelJ9E+E3UU OcKnL9oWqC+m6I89g00Su14U6wzPN3FQIM3xmwWIXXhrkbuOl8BXV1Xm sR8DiFCWHKW3NSmyPuS+A6t/A/aLPaOS4G3ForfRefbllbFWmJQGu3Y9 NXf3bpRh

 

▶ 존 파일 서명
(참고: -l dlv.isc.org 옵션은 DLV 레코드를 만들기 위한 것인데, ISC의 DLV 서비스는 2017년에 종료되었으므로 지금은 이 옵션 없이 서명하고 KSK의 DS 레코드를 부모 존(등록기관)에 등록하는 방식으로 검증 체인을 구성해야 한다. 또한 dnssec-signzone이 만드는 RRSIG는 기본적으로 30일 뒤에 만료되므로(아래 dig 결과의 20110323 만료 시각 참고) 그 전에 주기적으로 다시 서명하거나 named의 자동 서명 기능을 사용해야 한다.)
[root@sangchul named]# dnssec-signzone -l dlv.isc.org -r /dev/urandom -o sangchul.kr -k Ksangchul.kr.+005+37828.key sangchul.kr.zone Ksangchul.kr.+005+55767.key
Verifying the zone using the following algorithms: RSASHA1.
Zone signing complete:
Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                    ZSKs: 1 active, 0 stand-by, 0 revoked
sangchul.kr.zone.signed

 

▶ named.conf 설정 변경
---------------------------------------------------
zone "sangchul.kr" in {
        type master;
        file "sangchul.kr.zone";
        };
---------------------------------------------------
zone "sangchul.kr" in {
        type master;
//        file "sangchul.kr_1.zone";
        file "sangchul.kr.zone.signed";
        };
---------------------------------------------------

 

▶ named 재시작(rndc reload로 설정 리로드)
[root@sangchul named]# rndc reload
server reload successful

 

▶ dig 유틸리티로 질의 테스트
(참고: 아래 명령에서 @127.0.0.1 뒤에 한 번 더 적힌 127.0.0.1은 질의 이름으로 해석되기 때문에 첫 번째 응답은 127.0.0.1에 대한 NXDOMAIN이고, sangchul.kr SOA에 대한 실제 결과는 두 번째 응답이다. 응답에 RRSIG가 붙어 있으면 서명 자체는 된 것이지만, 권한 서버(aa)에 직접 질의한 것이므로 ad 플래그는 나타나지 않는다. 검증 체인까지 확인하려면 트러스트 앵커를 설정한 검증 리졸버를 통해 질의해 ad 플래그가 설정되는지 봐야 한다.)
[root@sangchul named]# dig @127.0.0.1 127.0.0.1 sangchul.kr soa +dnssec

 

; <<>> DiG 9.7.3 <<>> @127.0.0.1 127.0.0.1 sangchul.kr soa +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23224
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

 

;; QUESTION SECTION:
;127.0.0.1.                     IN      A

 

;; AUTHORITY SECTION:
.                       10128   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2011022001 1800 900 604800 86400

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Feb 21 19:58:32 2011
;; MSG SIZE  rcvd: 102

 

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49472
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

 

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;sangchul.kr.                   IN      SOA

 

;; ANSWER SECTION:
sangchul.kr.            3600    IN      SOA     ns.sangchul.kr. admin.sangchul.kr. 2007040461 7200 3600 604800 3600
sangchul.kr.            3600    IN      RRSIG   SOA 5 2 3600 20110323094543 20110221094543 55767 sangchul.kr. VE/FDkPcx1sV0nzbnwLsuE8dI3KeJPIu1+FOEZ9j8cT7rE5qtergudF/ jkbjBkr0Eu7avSoR/VnPvXoTcdEsOznfGQ+mcxiUTTvTwXNkQErUQmhX WjPuhcGoG6Rx8/ry+um4yCD909x4wuJYgad1FRL6PUMNx40B/axiWtl0 U3c=

 

;; AUTHORITY SECTION:
sangchul.kr.            3600    IN      NS      ns.sangchul.kr.
sangchul.kr.            3600    IN      RRSIG   NS 5 2 3600 20110323094543 20110221094543 55767 sangchul.kr. d9o8XfHPP4bk5sMV/Zo+CXOKoHx5yK1npp76jS7lw7vKVGryxvd6vUYE ZcMRkl4g6dBksw4cwFJXMxgE3U0fzE2QWA9az56tbu1gUFYNv8tsz+C0 ia9WArsLGSKTFWNa4tBeNJb7fqgSjvwFQx3Q3lVvhW0yLinxPe276ZFn gNs=

 

;; ADDITIONAL SECTION:
ns.sangchul.kr.         3600    IN      A       222.222.222.222
ns.sangchul.kr.         3600    IN      RRSIG   A 5 3 3600 20110323094543 20110221094543 55767 sangchul.kr. fE3PJmKW1pxMhRgOE1pDV3WqwEWOfN0QQZuJCFer1PAgSbtEXcS+ayhv ze2LnJdmJwZUktgMhLvh/AA0BOB7bCIjN2XcqhdweLFEPeA9BWnwQ7D6 xKWakOR62KUe2SJoqP8dBvm+ami35lHcpIgEgY5PV7Q32rjJXsnx/Ehb nus=

 

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Feb 21 19:58:32 2011
;; MSG SIZE  rcvd: 628

 

 

 


 
