Linux与云计算——第二阶段 第四章：DNS服务器架设4-启用密钥加密传输

[b]Linux与云计算——第二阶段Linux服务器架设[/b]

第四章：DNS服务器架设4-启用密钥加密传输

DNS服务是互联网的基础建设设施，几乎所有的网络应用都依赖于DNS服务做出的查询结果，如果互联网中的DNS服务不能正常提供解析服务，那么即使Web或Email服务都运行正常，也无法让用户顺利使用到它们了。13台根DNS服务器以及互联网中的DNS服务器绝大多数(超过95%)是基于BIND服务程序搭建的，BIND服务程序为了能够安全的提供解析服务而支持了TSIG(TSIGRFC 2845)加密机制，TSIG主要是利用密码编码方式保护区域信息的传送(Zone Transfer)，也就是说保证了DNS服务器之间传送区域信息的安全。TSIG仅有一组密码，而不区分公/私钥，所以一般只会分配给可信任的从服务器。在主服务器中生成密钥dnssec-keygen命令用于生成安全的DNS服务密钥，格式为："dnssec-keygen [参数] "。-a 指定加密算法（包括:RSAMD5 (RSA)、RSASHA1、DSA、NSEC3RSASHA1、NSEC3DSA）-b 密钥长度(HMAC-MD5长度在1-512位之间)-n 密钥的类型(HOST为与主机相关的)密钥参数：128位HMAC-MD5算法。[root@demo ~]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST ruiyungKruiyung.+157+25187PS：我在这一步被坑过，你们自行找找感觉：）[root@demo ~]# ls -al Kruiyung.+157+25187.*-rw------- 1 root root 51 Jul 9 20:19 Kruiyung.+157+25187.key-rw------- 1 root root 165 Jul 9 20:19 Kruiyung.+157+25187.private查看私钥内容（把Key的值记录下来）：[root@demo ~]# cat Kruiyung.+157+25187.private Private-key-format: v1.3Algorithm: 157 (HMAC_MD5)Key: hKQ/WL/wM6JZhyxdr8pvhw==Bits: AAA=Created: 20160709121526Publish: 20160709121526Activate: 20160709121526[root@demo ~]# vim /var/named/chroot/etc/transfer.keykey "ruiyung" {algorithm hmac-md5;secret "hKQ/WL/wM6JZhyxdr8pvhw==";};[root@demo ~]# chown root.named /var/named/chroot/etc/transfer.key [root@demo ~]# chmod 640 /var/named/chroot/etc/transfer.key[root@demo ~]# ln /var/named/chroot/etc/transfer.key /etc/transfer.key开启主服务器的密钥验证功能。include "/etc/transfer.key";options { listen-on port 53 { any; }; listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-query { any; }; allow-transfer { key ruiyung; }；[root@demo ~]# systemctl restart named在client那端验证实验结果（无法获得区域数据信息了）[root@client ~]# rm -rf /var/named/slaves/*[root@client ~]# systemctl restart named[root@client ~]# ls -al /var/named/slaves/total 4drwxrwx---. 2 named named 6 Jul 9 21:12 .drwxr-x---. 6 root named 4096 Jul 9 19:23 ..配置从服务器支持密钥验证[root@demo ~]# scp /var/named/chroot/etc/transfer.key root@192.168.96.150:/var/named/chroot/etcThe authenticity of host '192.168.96.150 (192.168.96.150)' can't be established.ECDSA key fingerprint is aa:0a:65:d4:cd:75:0f:70:0c:f8:f7:1c:6e:ed:54:d9.Are you sure you want to continue connecting (yes/no)? yesWarning: Permanently added '192.168.96.150' (ECDSA) to the list of known hosts.root@192.168.96.150's password: transfer.key 100% 74 0.1KB/s 00:00[root@client ~]# cd /var/named/chroot/etc[root@client etc]# ls -al transfer.key -rw-r-----. 1 root root 74 Jul 9 21:14 transfer.key[root@client etc]# chown root:named transfer.key [root@client etc]# ln transfer.key /etc/transfer.key[root@client etc]# vim /etc/named.conf文件头部添加：include "/etc/transfer.key";在logging前面添加：server 192.168.96.128 { keys { ruiyung; };};保存，重启服务后再次检查[root@client etc]# systemctl restart named[root@client etc]# ls -al /var/named/slaves/total 12drwxrwx---. 2 named named 51 Jul 9 21:19 .drwxr-x---. 6 root named 4096 Jul 9 19:23 ..-rw-r--r--. 1 named named 436 Jul 9 21:19 192.168.96.arpa-rw-r--r--. 1 named named 450 Jul 9 21:19 example.com.zone
详细视频课程请戳—→ http://edu.51cto.com/course/course_id-6574.html