Linux and Cloud Computing, Stage 2: Linux Server Setup
Chapter 4: DNS Server Setup, Part 4: Securing zone transfers with TSIG keys
DNS is part of the internet's basic infrastructure: almost every network application depends on the answers it returns. If DNS stops resolving names, users cannot reach web or mail services even when those services themselves are running normally.
BIND is the most widely deployed DNS server software on the internet and runs on many authoritative servers, including some root server instances. To protect the one operation an authoritative server should perform only for its own secondaries, the zone transfer (AXFR/IXFR), BIND supports TSIG (RFC 2845, now RFC 8945). TSIG is a message authentication mechanism, not encryption: client and server share a secret, every message carries an HMAC computed over the message with that secret, and the receiver recomputes the HMAC and rejects anything that does not match or whose timestamp is outside the allowed skew. The zone data still crosses the wire in the clear; what TSIG guarantees is that only a holder of the secret can pull the zone and that the transfer was not tampered with in transit.
Because TSIG uses a single shared secret with no public/private split, the value that lets a secondary request the zone lets anyone else who obtains it do the same. Hand a key only to trusted secondaries, and give each secondary its own key, so that one leaked or retired secondary can be cut off without rekeying the rest.
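What BIND does when the secondary sends a keyed AXFR request, as an added example that is not part of the original post or of BIND: a standard-library Python implementation of TSIG signing and verification (RFC 8945). The key name ruiyung is the post's; DEMO_SECRET and WRONG_SECRET are constructed test values, and the two algorithm names are the registered TSIG identifiers for hmac-md5 (the post's choice) and hmac-sha256. demo() signs one request and shows what the primary rejects: an unsigned request, a tampered one, one signed with the wrong secret, and one whose timestamp falls outside the fudge window.

```python
"""TSIG (RFC 8945) signing and verification of an AXFR request, standard library only.
Added example, not code from the post or from BIND; the key name "ruiyung" is the post's,
the secrets below are constructed test values."""
import base64
import hashlib
import hmac
import struct
import time

# Registered TSIG algorithm names (RFC 8945 section 6) mapped to their hash constructor.
ALGORITHMS = {"hmac-md5.sig-alg.reg.int.": hashlib.md5,  # what the post configures; deprecated
              "hmac-sha256.": hashlib.sha256}            # mandatory-to-implement in RFC 8945
TSIG_TYPE, CLASS_ANY, AXFR_TYPE = 250, 255, 252
DEMO_SECRET = base64.b64encode(bytes(range(32))).decode()  # constructed 256-bit key, not the post's
WRONG_SECRET = base64.b64encode(bytes(32)).decode()        # constructed, for the negative check

def encode_name(name):
    """Uncompressed, lowercased wire-format name (TSIG names must never be compressed)."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_axfr_query(zone, msg_id):
    # 12-byte header with QDCOUNT=1, followed by one AXFR/IN question.
    return struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", AXFR_TYPE, 1)

def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """Everything the MAC covers besides the message itself (RFC 8945 section 4.3.3)."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(algorithm)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, error, len(other)) + other)

def sign(message, key_name, secret_b64, algorithm, time_signed=None, fudge=300):
    """Append a TSIG RR to an unsigned request and raise ARCOUNT by one; nothing is encrypted."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(base64.b64decode(secret_b64), message + tsig_variables(key_name, algorithm, time_signed, fudge),
                   ALGORITHMS[algorithm]).digest()
    original_id = struct.unpack("!H", message[:2])[0]
    rdata = (encode_name(algorithm) + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(mac))
             + mac + struct.pack("!HHH", original_id, 0, 0))
    rr = encode_name(key_name) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr

def _read_name(msg, off):
    """Read a name; a compression pointer only ends the walk (we read text only from the TSIG RR)."""
    labels = []
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return ".".join(labels) + ".", off + 2
        labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii").lower())
        off += 1 + msg[off]
    return ".".join(labels) + ".", off + 1

def verify(signed, secrets, now=None):
    """Validate the trailing TSIG RR the way a primary does; return the key name or raise ValueError."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    if ar == 0:
        raise ValueError("no TSIG RR")
    off = 12
    for _ in range(qd):
        off = _read_name(signed, off)[1] + 4
    for _ in range(an + ns + ar - 1):  # skip every RR but the last one
        off = _read_name(signed, off)[1] + 8
        off += 2 + struct.unpack("!H", signed[off:off + 2])[0]
    tsig_start = off
    key_name, off = _read_name(signed, off)
    rtype, off = struct.unpack("!H", signed[off:off + 2])[0], off + 10  # type, class, TTL, RDLENGTH
    if rtype != TSIG_TYPE:
        raise ValueError("last additional RR is not TSIG")
    algorithm, off = _read_name(signed, off)
    (hi, lo, fudge, mac_size), off = struct.unpack("!HIHH", signed[off:off + 10]), off + 10
    mac, off = signed[off:off + mac_size], off + mac_size
    original_id, error, other_len = struct.unpack("!HHH", signed[off:off + 6])
    other = signed[off + 6:off + 6 + other_len]
    name, time_signed = key_name.rstrip("."), (hi << 32) | lo
    if name not in secrets or algorithm not in ALGORITHMS:
        raise ValueError("BADKEY")
    # Rebuild exactly what the signer MACed: original ID, ARCOUNT without the TSIG RR, body before it.
    unsigned = struct.pack("!H", original_id) + signed[2:10] + struct.pack("!H", ar - 1) + signed[12:tsig_start]
    expected = hmac.new(base64.b64decode(secrets[name]),
                        unsigned + tsig_variables(name, algorithm, time_signed, fudge, error, other),
                        ALGORITHMS[algorithm]).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("BADSIG")
    if abs((int(time.time()) if now is None else now) - time_signed) > fudge:
        raise ValueError("BADTIME")
    return name

def is_authentic(signed, secrets, now=None):
    try:
        return verify(signed, secrets, now) is not None
    except ValueError:
        return False

def demo(now=1700000000):
    # Sign one AXFR request and run it through the checks the primary performs.
    query, good = build_axfr_query("example.com", 0x1234), {"ruiyung": DEMO_SECRET}
    signed = sign(query, "ruiyung", DEMO_SECRET, "hmac-sha256.", now)
    tampered = signed[:14] + bytes([signed[14] ^ 1]) + signed[15:]  # flips the 'x' of "example"
    return {"key": verify(signed, good, now),
            "unsigned_accepted": is_authentic(query, good, now),
            "tampered_accepted": is_authentic(tampered, good, now),
            "wrong_key_accepted": is_authentic(signed, {"ruiyung": WRONG_SECRET}, now),
            "stale_accepted": is_authentic(signed, good, now + 301),
            "md5_accepted": is_authentic(sign(query, "ruiyung", DEMO_SECRET, "hmac-md5.sig-alg.reg.int.", now), good, now)}
```

Note what the verifier rebuilds: the HMAC covers the message with its original ID and ARCOUNT plus the TSIG variables, so changing one byte of the question or of the timestamp invalidates it, while nothing in the exchange hides the zone data. BIND applies the same checks in the same order (BADKEY, then BADSIG, then BADTIME).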
Generate the key on the primary
The dnssec-keygen command generates DNS keys; the format is "dnssec-keygen [options] name". The options that matter for a TSIG key:
-a  algorithm. For TSIG you want an HMAC: HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512. The RSA/DSA/NSEC3 variants the man page lists first (RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA) are DNSSEC zone-signing algorithms and are not what a transfer key needs.
-b  key size in bits. For HMAC-MD5 the tool accepts 1 to 512; use the digest size (128 for HMAC-MD5, 256 for HMAC-SHA256), since a shorter key weakens the MAC and a longer one adds nothing.
-n  key type; HOST for a key tied to a host, which is what a TSIG key is.
-r  random source. Older dnssec-keygen reads /dev/random and can sit there for minutes on a freshly built VM with little entropy; -r /dev/urandom avoids the hang.
Two caveats before copying the command below. HMAC-MD5 is deprecated (RFC 8945 makes HMAC-SHA256 mandatory to implement and downgrades HMAC-MD5 to optional), so on a current system use hmac-sha256. And BIND 9.14 and later no longer generate HMAC keys with dnssec-keygen at all; use tsig-keygen, which prints a ready-to-include key clause in one step.
Key parameters used here: 128-bit HMAC-MD5.
[root@demo ~]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST ruiyung
Kruiyung.+157+25187
PS: I got tripped up at this step once; see for yourselves :)
[root@demo ~]# ls -al Kruiyung.+157+25187.*
-rw------- 1 root root 51 Jul 9 20:19 Kruiyung.+157+25187.key
-rw------- 1 root root 165 Jul 9 20:19 Kruiyung.+157+25187.private
Display the private key and note the Key value (the 157 in the file name is the algorithm number for HMAC-MD5; the Key field is the base64-encoded secret). Treat it like a password: whoever has it can pull the zone. The value printed here has been public since the post went up and must not be reused anywhere.
[root@demo ~]# cat Kruiyung.+157+25187.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: hKQ/WL/wM6JZhyxdr8pvhw==
Bits: AAA=
Created: 20160709121526
Publish: 20160709121526
Activate: 20160709121526
[root@demo ~]# vim /var/named/chroot/etc/transfer.key
key "ruiyung" {
algorithm hmac-md5;
secret "hKQ/WL/wM6JZhyxdr8pvhw==";
};
[root@demo ~]# chown root.named /var/named/chroot/etc/transfer.key
[root@demo ~]# chmod 640 /var/named/chroot/etc/transfer.key
[root@demo ~]# ln /var/named/chroot/etc/transfer.key /etc/transfer.key
root:named with mode 640 lets named read the secret while keeping it away from other local users. The hard link makes the same file (same inode, so later edits apply to both) reachable as /etc/transfer.key both inside and outside the chroot, so the include path below works whichever way named is started; a hard link requires both paths to be on the same filesystem.
Enable key verification on the primary. In /etc/named.conf, include the key file at the top and change allow-transfer so that only requests signed with the key are accepted:
include "/etc/transfer.key";
options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };
    allow-transfer { key ruiyung; };
    // remaining options unchanged
};
allow-transfer { key ruiyung; }; replaces whatever address-based ACL was there; a source address can be spoofed, a valid HMAC cannot. Do not list an address and the key side by side in the same ACL: BIND accepts a request that matches any one element, so an unsigned transfer from that address would still go through. One unrelated setting to check in the same block: allow-query { any; }; is right for an authoritative server only together with recursion no;, otherwise the host also answers recursive queries from the whole internet and is an open resolver.
[root@demo ~]# systemctl restart named
Now verify from the client (the secondary) that it can no longer pull the zone. Deleting the cached zone files and restarting named forces a fresh AXFR; the slaves directory staying empty means the primary refused it, and the primary's log (journalctl -u named) records the refused transfer. dig can do the same check without a restart: an AXFR query for the zone sent to the primary is refused, and the same query signed with dig's -y option and the key succeeds.
[root@client ~]# rm -rf /var/named/slaves/*
[root@client ~]# systemctl restart named
[root@client ~]# ls -al /var/named/slaves/
total 4
drwxrwx---. 2 named named 6 Jul 9 21:12 .
drwxr-x---. 6 root named 4096 Jul 9 19:23 ..
Configure the secondary to use the key. Copy transfer.key to the secondary with scp (on a first connection check the host key fingerprint against the target before answering yes, because the secret travels over this session). scp preserves the 640 mode, but the copy is owned by root:root, so the group has to be reset to named before named can read it:
[root@demo ~]# scp /var/named/chroot/etc/transfer.key root@192.168.96.150:/var/named/chroot/etc
The authenticity of host '192.168.96.150 (192.168.96.150)' can't be established.
ECDSA key fingerprint is aa:0a:65:d4:cd:75:0f:70:0c:f8:f7:1c:6e:ed:54:d9.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.96.150' (ECDSA) to the list of known hosts.
root@192.168.96.150's password:
transfer.key 100% 74 0.1KB/s 00:00
[root@client ~]# cd /var/named/chroot/etc
[root@client etc]# ls -al transfer.key
-rw-r-----. 1 root root 74 Jul 9 21:14 transfer.key
[root@client etc]# chown root:named transfer.key
[root@client etc]# ln transfer.key /etc/transfer.key
[root@client etc]# vim /etc/named.conf
At the top of the file add: include "/etc/transfer.key";
Before the logging block add a server statement, so that every request the secondary sends to the primary is signed with the key:
server 192.168.96.128 {
keys { ruiyung; };
};
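Both halves of the procedure must agree: the primary's key clause and allow-transfer above, and the secondary's key copy and server statement here. The page's own choices (hmac-md5, a 128-bit secret) are also worth flagging. The following Python linter is an added example, not code from the post or from BIND: it parses just these statements out of the two configuration fragments, checks algorithm strength and secret length, and cross-checks that every key referenced is defined and that the secondary holds the same algorithm and secret as the primary. The sample inputs are the post's own fragments embedded as constructed strings; STRONG_SECRET is a constructed replacement value used only to show a clean result.

```python
"""Lint the TSIG parts of a primary and a secondary BIND configuration.
Added example, not code from the post or from BIND. It understands only the statements the
post touches (key, allow-transfer, server/keys), parsed with regular expressions, so feed it
those fragments rather than a whole named.conf with views. The sample texts are the post's
own fragments, embedded here as constructed strings."""
import base64
import re

# Digest size per algorithm; a secret shorter than the digest weakens the HMAC.
DIGEST_BITS = {"hmac-md5": 128, "hmac-sha1": 160, "hmac-sha224": 224,
               "hmac-sha256": 256, "hmac-sha384": 384, "hmac-sha512": 512}
DEPRECATED = {"hmac-md5", "hmac-sha1"}
KEY_CLAUSE = re.compile(r'\bkey\s+"?([^"\s{]+)"?\s*\{([^}]*)\}\s*;', re.S)
ALLOW_TRANSFER = re.compile(r'\ballow-transfer\s*\{([^}]*)\}', re.S)
SERVER_CLAUSE = re.compile(r'\bserver\s+(\S+)\s*\{(.*?)\}\s*;', re.S)

# The post's transfer.key and its two named.conf additions, as constructed sample input.
TRANSFER_KEY = '''key "ruiyung" {
algorithm hmac-md5;
secret "hKQ/WL/wM6JZhyxdr8pvhw==";
};
'''
PRIMARY_CONF = TRANSFER_KEY + '''options {
allow-query { any; };
allow-transfer { key ruiyung; };
};
'''
SECONDARY_CONF = TRANSFER_KEY + '''server 192.168.96.128 {
keys { ruiyung; };
};
'''
STRONG_SECRET = base64.b64encode(b"\x01" * 32).decode()  # constructed 256-bit value for a clean run

def _items(body):
    """Split the inside of a { a; b; } block into trimmed, unquoted items."""
    return [item.strip().strip('"') for item in body.split(";") if item.strip()]

def parse_keys(text):
    """Return {name: (algorithm, secret)} for every key clause in the text."""
    keys = {}
    for name, body in KEY_CLAUSE.findall(text):
        alg = re.search(r'\balgorithm\s+([\w-]+)', body)
        secret = re.search(r'\bsecret\s+"([^"]+)"', body)
        keys[name.lower()] = (alg.group(1).lower() if alg else None, secret.group(1) if secret else None)
    return keys

def lint(primary_conf, secondary_conf):
    """Return a list of findings; an empty list means the TSIG setup is consistent and not weak."""
    findings = []
    pkeys, skeys = parse_keys(primary_conf), parse_keys(secondary_conf)
    for host, keys in (("primary", pkeys), ("secondary", skeys)):
        for name, (alg, secret) in keys.items():
            if alg not in DIGEST_BITS or secret is None:
                findings.append(f"{host}: key {name} lacks a supported algorithm or a secret")
                continue
            if alg in DEPRECATED:
                findings.append(f"{host}: key {name} uses {alg}; switch to hmac-sha256 or stronger")
            try:
                bits = 8 * len(base64.b64decode(secret, validate=True))
            except ValueError:  # binascii.Error is a ValueError
                findings.append(f"{host}: key {name} secret is not valid base64")
                continue
            if bits < DIGEST_BITS[alg]:
                findings.append(f"{host}: key {name} secret is {bits} bits, below the {DIGEST_BITS[alg]}-bit digest")
    # Primary: every allow-transfer must be gated on a key, and that key must be defined.
    for body in ALLOW_TRANSFER.findall(primary_conf):
        refs = [item.split(None, 1)[1].strip('"') for item in _items(body) if item.startswith("key ")]
        if not refs:
            findings.append("primary: allow-transfer is not restricted to a TSIG key")
        findings += [f"primary: allow-transfer references undefined key {r}" for r in refs if r.lower() not in pkeys]
    # Secondary: the server clause must name a defined key holding the same algorithm and secret as the primary.
    for addr, body in SERVER_CLAUSE.findall(secondary_conf):
        block = re.search(r'\bkeys\s*\{([^}]*)', body)
        for ref in _items(block.group(1)) if block else []:
            if ref.lower() not in skeys:
                findings.append(f"secondary: server {addr} references undefined key {ref}")
            elif skeys[ref.lower()] != pkeys.get(ref.lower()):
                findings.append(f"secondary: key {ref} does not match the primary's algorithm/secret")
    return findings

if __name__ == "__main__":
    for finding in lint(PRIMARY_CONF, SECONDARY_CONF) or ["no findings"]:
        print(finding)
```

Run against the post's own fragments it reports only the deprecated algorithm on both hosts; swapping in hmac-sha256 with a 256-bit secret on both sides clears it, while loosening allow-transfer to any or copying a different secret to the secondary each produces its own finding.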
Save, restart the service and check again; the zone files reappear, so the keyed transfer succeeded:
[root@client etc]# systemctl restart named
[root@client etc]# ls -al /var/named/slaves/
total 12
drwxrwx---. 2 named named 51 Jul 9 21:19 .
drwxr-x---. 6 root named 4096 Jul 9 19:23 ..
-rw-r--r--. 1 named named 436 Jul 9 21:19 192.168.96.arpa
-rw-r--r--. 1 named named 450 Jul 9 21:19 example.com.zone
Full video course: http://edu.51cto.com/course/course_id-6574.html
Reposted from: https://blog.51cto.com/11840455/1829334