Outline

Parent zone
  named.conf.options
  register the DS record with the Root
  shell script for re-signing

Child zone
  named.conf.options
  (the same steps as for the parent zone)
  register the DS record with the parent zone
Parent zone: named.conf.options

$ vi /etc/bind/named.conf.options

options {
    directory "/var/cache/bind";
    dnssec-enable yes;
    dnssec-validation auto;
    dnssec-lookaside auto;      // DLV; the ISC DLV registry was retired in 2017, omit on current BIND
    // Authoritative-only Name Server
    allow-query-cache { none; };
    allow-query { any; };
    recursion no;
    // Set Secure Default
    allow-transfer { none; };
    notify yes;
    auth-nxdomain no;           # conform to RFC1035
    listen-on-v6 { any; };
};
Parent zone: zone config in /etc/bind/named.conf.local

$ vi /etc/bind/named.conf.local

zone "domain051." {
    type master;
    // enable automatic signing
    auto-dnssec maintain;
    update-policy local;
    allow-transfer { none; };
    file "/etc/bind/parent051/db.parent051.signed";
    key-directory "/etc/bind/parent051";
};
Parent zone: key directory and zone file

$ mkdir /etc/bind/parent051
$ vi /etc/bind/parent051/db.parent051

$TTL 60
@    IN  SOA  ns.domain051. admin.domain051. (
              1        ; Serial
              3600     ; Refresh
              60       ; Retry
              86400    ; Expire
              60 )     ; Negative Cache TTL
;
@    IN  NS   ns.domain051.
@    IN  NSEC3PARAM 1 0 100 61   ; SHA-1, flags 0, 100 iterations, salt 61
ns   IN  A    10.113.87.51
p1   IN  A    9.78.78.78
Parent zone: generate the KSK

$ dnssec-keygen \
    -a NSEC3RSASHA1 \
    -b 2048 \
    -f KSK \
    -r /dev/urandom \
    -K /etc/bind/parent051 \
    domain051.

-K: key directory (the Knnnn.+aaa+iiiii.key and .private files are written there)
Parent zone: sign the zone

$ dnssec-signzone \
    -3 61 \
    -H 100 \
    -K /etc/bind/parent051 \
    -o domain051. \
    -S \
    -u \
    -z \
    /etc/bind/parent051/db.parent051

-3 61: NSEC3 salt; -H 100: NSEC3 iterations; -K: key directory; -o: zone origin
-S: smart signing (pick keys from the key directory); -u: update the NSEC3 chain; -z: ignore the KSK flag and sign every record with the KSK
Input zone file:  /etc/bind/parent051/db.parent051
Output zone file: /etc/bind/parent051/db.parent051.signed
Parent zone: reload BIND and test

Give the zone directory to the bind user:
$ chown -R bind /etc/bind/parent051

Reload BIND:
$ rndc reload

Query the authoritative server with dig:
$ dig +multiline +dnssec p1.domain051. @10.113.87.51
Parent zone: register the DS record with the Root

Generate the DS records from the KSK:
$ dnssec-dsfromkey /etc/bind/parent051/knnnn.+aaa+iiiii

Add the NS record, glue record and DS records to the Root with nsupdate (see /dnssec/demo/update_example):
update add domain051. 60 IN NS ns.domain051.
update add ns.domain051. 60 IN A 10.113.87.51                                    ; glue record
update add domain051. 60 IN DS 44841 7 1 44F6311351383AF9ADBB4AC4BBABFB8B2716236F   ; SHA-1
update add domain051. 60 IN DS 44841 7 2 0D5CA5EB7CF0B5014BDC2F1F1F1B912B4DF4EFBB99E7EE4FC07EDE39E72196CF   ; SHA-256
Parent zone: registration with the Root (lab helper)

$ vi /dnssec/ds/domain051
1

The result is written to /dnssec/ds/domain051.log.

Check on the Root server, e.g.:
$ dig +multiline +dnssec DS domain051. @10.113.87.2
Parent zone: query through the public resolver and check the ad flag

$ dig +multiline +dnssec p1.domain051. @10.113.87.3

; <<>> DiG 9.8.1-P1 <<>> +multiline +dnssec p1.domain051. @10.113.87.3
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48255
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1
Shell script for re-signing

$ vi /etc/bind/parent051/update.sh

#!/bin/sh
# Re-sign the parent zone after editing the unsigned zone file.
set -e
# Thaw the zone again even if signing fails, so it is never left frozen.
trap 'rndc thaw' EXIT
# Stop named from writing its journal while we regenerate the signed file.
rndc freeze
dnssec-signzone \
    -3 61 \
    -H 100 \
    -K /etc/bind/parent051 \
    -o domain051. \
    -S \
    -u \
    -z \
    /etc/bind/parent051/db.parent051
chown -R bind /etc/bind/parent051

Make the script executable:
$ chmod a+x /etc/bind/parent051/update.sh
Edit the zone file (add p2)

$ vi /etc/bind/parent051/db.parent051

$TTL 60
@    IN  SOA  ns.domain051. admin.domain051. (
              1        ; Serial
              3600     ; Refresh
              60       ; Retry
              86400    ; Expire
              60 )     ; Negative Cache TTL
;
@    IN  NS   ns.domain051.
@    IN  NSEC3PARAM 1 0 100 61
ns   IN  A    10.113.87.51
p1   IN  A    9.78.78.78
p2   IN  A    59.87.87.87
Run the shell script and verify

$ /etc/bind/parent051/update.sh

Query p2 through the public resolver (parent zone):
$ dig +multiline +dnssec p2.domain051. @10.113.87.3
Child zone: named.conf.options

$ vi /etc/bind/named.conf.options

options {
    directory "/var/cache/bind";
    dnssec-enable yes;
    dnssec-validation auto;
    dnssec-lookaside auto;      // DLV; the ISC DLV registry was retired in 2017, omit on current BIND
    // Authoritative-only Name Server
    allow-query-cache { none; };
    allow-query { any; };
    recursion no;
    // Set Secure Default
    allow-transfer { none; };
    notify yes;
    auth-nxdomain no;           # conform to RFC1035
    listen-on-v6 { any; };
};
Child zone: zone config in /etc/bind/named.conf.local

$ vi /etc/bind/named.conf.local

zone "child051.domain051." {
    type master;
    // enable automatic signing
    auto-dnssec maintain;
    update-policy local;
    allow-transfer { none; };
    file "/etc/bind/child051/db.child051.signed";
    key-directory "/etc/bind/child051";
};
Child zone: key directory and zone file

$ mkdir /etc/bind/child051
$ vi /etc/bind/child051/db.child051

$TTL 60
@    IN  SOA  ns.child051.domain051. admin.child051.domain051. (
              1        ; Serial
              3600     ; Refresh
              60       ; Retry
              86400    ; Expire
              60 )     ; Negative Cache TTL
;
@    IN  NS   ns.child051.domain051.
@    IN  NSEC3PARAM 1 0 100 61   ; SHA-1, flags 0, 100 iterations, salt 61
ns   IN  A    10.113.87.52
c1   IN  A    9.87.87.87
Child zone: generate the KSK

$ dnssec-keygen \
    -a NSEC3RSASHA1 \
    -b 2048 \
    -f KSK \
    -r /dev/urandom \
    -K /etc/bind/child051 \
    child051.domain051.

-K: key directory (the Knnnn.+aaa+iiiii.key and .private files are written there)
Child zone: sign the zone

$ dnssec-signzone \
    -3 61 \
    -H 100 \
    -K /etc/bind/child051 \
    -o child051.domain051. \
    -S \
    -u \
    -z \
    /etc/bind/child051/db.child051

-3 61: NSEC3 salt; -H 100: NSEC3 iterations; -K: key directory; -o: zone origin
-S: smart signing; -u: update the NSEC3 chain; -z: ignore the KSK flag and sign every record with the KSK
Input zone file:  /etc/bind/child051/db.child051
Output zone file: /etc/bind/child051/db.child051.signed
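What `-3 61 -H 100` (and the matching `NSEC3PARAM 1 0 100 61` in both zone files) actually computes, for the parent-zone and child-zone signing steps alike, as an added example that is not part of the original slides: the RFC 5155 hashed owner name of a record, with the lab's salt and iteration count and the name p1.domain051. assumed as sample inputs.

```python
import base64
import hashlib

# Salt and iteration count from the lab's NSEC3PARAM record (1 0 100 61):
# hash algorithm 1 = SHA-1, flags 0, 100 extra iterations, salt 0x61.
LAB_ITERATIONS = 100
LAB_SALT = bytes.fromhex("61")

# RFC 4648 base32hex alphabet, built by translating the standard base32 output.
_B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_HEX = bytes.maketrans(_B32_STD, _B32_HEX)


def wire_name(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of an owner name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: H(x) = SHA1(x || salt), then `iterations` more rounds."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes -> exactly 32 base32hex characters, no padding
    return base64.b32encode(digest).translate(_TO_HEX).decode("ascii")


def nsec3_owner(name: str, zone: str, salt: bytes, iterations: int) -> str:
    """Owner name of the NSEC3 RR that proves (non-)existence of `name` in `zone`."""
    return nsec3_hash(name, salt, iterations) + "." + zone.lower()


if __name__ == "__main__":
    print(nsec3_owner("p1.domain051.", "domain051.", LAB_SALT, LAB_ITERATIONS))
```

Every extra iteration costs each validator another SHA-1 per name it checks; RFC 9276 recommends 0 iterations and an empty salt, so the lab's 100 iterations are a demonstration setting, not a production one.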
Child zone: reload BIND and test

Give the zone directory to the bind user:
$ chown -R bind /etc/bind/child051

Reload BIND:
$ rndc reload

Query the authoritative server with dig:
$ dig +multiline +dnssec c1.child051.domain051. @10.113.87.52
Child zone: register the DS record with the parent zone

Generate the DS records from the KSK:
$ dnssec-dsfromkey /etc/bind/child051/knnnn.+aaa+iiiii

Hand the DS records, NS record and glue record to the parent zone (domain051.):
child051.domain051.     IN NS  ns.child051.domain051.
ns.child051.domain051.  IN A   10.113.87.52
child051.domain051.     IN DS  51279 7 1 F9AC20D2257723A83B45371C1DCAEF7E6443B437
child051.domain051.     IN DS  51279 7 2 1172A445ED9DE6DE1F7CCB014C434844A35C4482EB909D2D4E051C1B4C220919
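How the DS records that dnssec-dsfromkey prints on this slide and on the parent-zone slide are derived, as an added example that is not code from the original deck: the key tag (RFC 4034 Appendix B) and the digest (RFC 4034 section 5.1.4) over the canonical owner name followed by the DNSKEY RDATA. The DNSKEY line below is a constructed sample with a four-byte dummy key, not a real Knnnn.+aaa+iiiii.key.

```python
import base64
import hashlib

# RFC 4034 section 5.1.3 digest types: 1 = SHA-1, 2 = SHA-256 (both shown on the slide)
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed sample DNSKEY line (KSK flags 257, protocol 3, algorithm 7 = NSEC3RSASHA1)
# with a four-byte dummy public key; a real key file holds a 2048-bit RSA key.
SAMPLE_KEY = "domain051. IN DNSKEY 257 3 7 AQIDBA==  ; constructed, not a real key"


def wire_name(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of an owner name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_dnskey(line: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...'; text after ';' is ignored."""
    fields = line.split(";")[0].split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    key = base64.b64decode("".join(fields[i + 4:]))
    return fields[0], flags, proto, alg, key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_records(dnskey_line: str, digest_types=(1, 2)):
    """DS RRs for one DNSKEY, as dnssec-dsfromkey prints them (SHA-1 and SHA-256 by default)."""
    owner, flags, proto, alg, key = parse_dnskey(dnskey_line)
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + key
    tag = key_tag(rdata)
    records = []
    for dt in digest_types:
        # RFC 4034 section 5.1.4: digest = hash(canonical owner name | DNSKEY RDATA)
        digest = DIGEST_TYPES[dt](wire_name(owner) + rdata).hexdigest().upper()
        records.append(f"{owner} IN DS {tag} {alg} {dt} {digest}")
    return records


if __name__ == "__main__":
    for rr in ds_records(SAMPLE_KEY):
        print(rr)
```

Run against the real key file and compare with the dnssec-dsfromkey output before handing the DS to the parent: a DS whose tag or digest does not match the KSK makes the whole delegation validate as bogus.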
Child zone: query through the public resolver and check the ad flag

$ dig +multiline +dnssec c1.child051.domain051. @10.113.87.3

; <<>> DiG 9.8.1-P1 <<>> +multiline +dnssec c1.child051.domain051. @10.113.87.3
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48255
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1
Q&A

Any questions?