Linux and Cloud Computing: Phase 2, Linux Server Setup

Chapter 4: DNS Server Setup, Part 4: Enabling Key-Protected Zone Transfers


DNS is part of the internet's basic infrastructure: almost every network application depends on the answers DNS returns. If DNS resolution on the internet stops working, then even when web or email services are running normally, users cannot reach them.

The 13 root DNS servers and the vast majority (over 95%) of DNS servers on the internet are built on the BIND server software. To provide resolution securely, BIND supports the TSIG mechanism (RFC 2845). TSIG protects zone transfers with a keyed cryptographic signature, that is, it secures the transmission of zone data between DNS servers.

TSIG uses a single shared secret rather than a public/private key pair, so it is normally handed out only to trusted secondary servers.

Generating the key on the primary server

The dnssec-keygen command generates keys for securing DNS; its syntax is "dnssec-keygen [options] name".

-a specifies the algorithm (including RSAMD5 (RSA), RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA)

-b key length in bits (for HMAC-MD5, between 1 and 512 bits)

-n key type (HOST for a key associated with a host)

Key parameters used here: the HMAC-MD5 algorithm with a 128-bit key.

[root@demo ~]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST ruiyung
Kruiyung.+157+25187

PS: I got burned at this step myself; see if you can get a feel for it on your own :)

[root@demo ~]# ls -al Kruiyung.+157+25187.*
-rw------- 1 root root  51 Jul  9 20:19 Kruiyung.+157+25187.key
-rw------- 1 root root 165 Jul  9 20:19 Kruiyung.+157+25187.private

View the private key contents (write down the value on the Key line):

[root@demo ~]# cat Kruiyung.+157+25187.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: hKQ/WL/wM6JZhyxdr8pvhw==
Bits: AAA=
Created: 20160709121526
Publish: 20160709121526
Activate: 20160709121526

[root@demo ~]# vim /var/named/chroot/etc/transfer.key
key "ruiyung" {
        algorithm hmac-md5;
        secret "hKQ/WL/wM6JZhyxdr8pvhw==";
};

[root@demo ~]# chown root.named /var/named/chroot/etc/transfer.key

[root@demo ~]# chmod 640 /var/named/chroot/etc/transfer.key

[root@demo ~]# ln /var/named/chroot/etc/transfer.key /etc/transfer.key
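The Key value above has to land in transfer.key exactly as dnssec-keygen wrote it. As an added example that is not part of the original course, the POSIX shell helper below builds the BIND key clause straight from the .private file and checks that a transfer.key holds the same secret, so the value is never retyped by hand; it also maps the SHA-family HMAC algorithm numbers, not only 157 (HMAC-MD5). The key name, file paths and the sample secret are constructed.

```shell
#!/bin/sh
# Added example (not from the original course): derive the BIND key clause
# from a dnssec-keygen .private file instead of retyping the secret, and
# check that a transfer.key file carries exactly the secret in that file.
# Key name, file paths and the sample secret below are constructed.

# Map the numeric Algorithm field of a .private file to the BIND key-clause name.
tsig_alg_name() {
    case "$1" in
        157) echo hmac-md5 ;;
        161) echo hmac-sha1 ;;
        163) echo hmac-sha256 ;;
        165) echo hmac-sha512 ;;
        *)   return 1 ;;
    esac
}

# Print the key clause for key name $1 using the secret in private-key file $2.
make_key_clause() {
    name=$1; privfile=$2
    algnum=$(sed -n 's/^Algorithm: \([0-9]*\).*/\1/p' "$privfile")
    secret=$(sed -n 's/^Key: //p' "$privfile")
    alg=$(tsig_alg_name "$algnum") || { echo "unsupported algorithm: $algnum" >&2; return 1; }
    [ -n "$secret" ] || { echo "no Key: line in $privfile" >&2; return 1; }
    printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' "$name" "$alg" "$secret"
}

# Succeed only if the secret in key file $1 equals the Key: value in private file $2
# (a mistyped or truncated secret makes the primary refuse every transfer).
secret_matches() {
    a=$(sed -n 's/^[[:space:]]*secret "\(.*\)";/\1/p' "$1")
    b=$(sed -n 's/^Key: //p' "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample .private file in the format shown on the page.
SAMPLE_PRIV=$(mktemp)
cat > "$SAMPLE_PRIV" <<'EOF'
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: c2FtcGxlLXNlY3JldC1ub3QtcmVhbA==
Bits: AAA=
EOF

# Write the clause with the permissions the page uses for transfer.key.
SAMPLE_KEYFILE=$(mktemp)
make_key_clause ruiyung "$SAMPLE_PRIV" > "$SAMPLE_KEYFILE"
chmod 640 "$SAMPLE_KEYFILE"
secret_matches "$SAMPLE_KEYFILE" "$SAMPLE_PRIV" && echo "transfer.key secret verified"
```

On the primary, run make_key_clause against the real Kruiyung.+157+25187.private file and write its output to /var/named/chroot/etc/transfer.key; secret_matches gives the same check on the secondary after the file has been copied over.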

Enable key verification on the primary server (in its named.conf):

include "/etc/transfer.key";

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        allow-transfer  { key ruiyung; };
};

[root@demo ~]# systemctl restart named

Verify the result on the client side (the secondary can no longer obtain the zone data):

[root@client ~]# rm -rf /var/named/slaves/*
[root@client ~]# systemctl restart named
[root@client ~]# ls -al /var/named/slaves/
total 4
drwxrwx---. 2 named named    6 Jul  9 21:12 .
drwxr-x---. 6 root  named 4096 Jul  9 19:23 ..

Configuring the secondary server for key verification

[root@demo ~]# scp /var/named/chroot/etc/transfer.key root@192.168.96.150:/var/named/chroot/etc
The authenticity of host '192.168.96.150 (192.168.96.150)' can't be established.
ECDSA key fingerprint is aa:0a:65:d4:cd:75:0f:70:0c:f8:f7:1c:6e:ed:54:d9.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.96.150' (ECDSA) to the list of known hosts.
root@192.168.96.150's password:
transfer.key                                  100%   74     0.1KB/s   00:00

[root@client ~]# cd /var/named/chroot/etc
[root@client etc]# ls -al transfer.key
-rw-r-----. 1 root root 74 Jul  9 21:14 transfer.key
[root@client etc]# chown root:named transfer.key
[root@client etc]# ln transfer.key /etc/transfer.key
[root@client etc]# vim /etc/named.conf

At the top of the file add: include "/etc/transfer.key";

Before the logging section add:

server 192.168.96.128 {
        keys    { ruiyung; };
};

Save, restart the service, and check again:

[root@client etc]# systemctl restart named
[root@client etc]# ls -al /var/named/slaves/
total 12
drwxrwx---. 2 named named   51 Jul  9 21:19 .
drwxr-x---. 6 root  named 4096 Jul  9 19:23 ..
-rw-r--r--. 1 named named  436 Jul  9 21:19 192.168.96.arpa
-rw-r--r--. 1 named named  450 Jul  9 21:19 example.com.zone

For the full video course, see: http://edu.51cto.com/course/course_id-6574.html