메뉴 건너뛰기

리눅스 관련 모음

본문시작

설치관련
2013.06.07 21:47

dnssec-keygen 사용법 및 구축과 검증

조회 수 24604 추천 수 0 댓글 0
?

단축키

Prev이전 문서

Next다음 문서

크게 작게 위로 아래로 댓글로 가기 인쇄
?

단축키

Prev이전 문서

Next다음 문서

크게 작게 위로 아래로 댓글로 가기 인쇄

국산 통나무 수공예 남원제기, 남원목기

자료가 도움이 되셨다면
혼수용품제수용품 필요시
남원제기 공식 홈페이지 http://남원제기.kr
남원목기 공식 홈페이지 http://otchil.kr
에서 구매 해 주세요
정성껏 모시겠습니다.
 

[bind] DNSSEC 구축 방법 및 검증

anti1346.egloos.com/5174378

DNSSEC 구축 방법 및 검증

1.
도메인 설정 및 존파일 작성

[root@LAMP01 named]# tail /etc/named.conf

zone "sangchul.kr" { type master; file "sangchul.kr-zone"; allow-update { none; }; };

 

[root@LAMP01 named]# cat sangchul.kr-zone

$TTL 600

@             IN SOA       ns.sangchul.kr.  dns.netpiacorp.com.  (

                           2013022701      ; Serial

                           2H              ; Refresh

                           1H              ; Retry

                           1W              ; Expire

                           1H )            ; Minimum

 

                     IN NS              ns1.sangchul.kr.

                     IN NS              ns2.sangchul.kr.

 

                     IN A                211.234.242.174

www               IN CNAME        @

*                    IN A                211.234.242.174

 

ngb                IN A                127.0.0.1

ns1                 IN A            127.0.0.1

ns2                 IN A            127.0.0.1

 

질의 테스트

[root@LAMP01 named]# dig @127.0.0.1 ngb.sangchul.kr +short

127.0.0.1

 

2.  서명키 생성

sangchul.kr 존 서명키(ZSK) 생성(1024 비트 이상 사용 권고)

[root@LAMP01 named]# dnssec-keygen -a NSEC3RSASHA1 -r /dev/urandom -b 1024 -n ZONE sangchul.kr.

Generating key pair...................................++++++ ...............++++++

Ksangchul.kr.+007+18434

 

sangchul.kr 키 서명키(KSK) 생성(2048 비트 이상 사용 권고)

[root@LAMP01 named]# dnssec-keygen -a NSEC3RSASHA1 -r /dev/urandom -b 2048 -n ZONE -f KSK sangchul.kr.

Generating key pair...............................+++ ................+++

Ksangchul.kr.+007+53403

 

[root@LAMP01 named]# ls -l Ksangchul.kr.*

-rw-r--r-- 1 root root  380  3 18 17:54 Ksangchul.kr.+007+18434.key

-rw------- 1 root root 1015  3 18 17:54 Ksangchul.kr.+007+18434.private

-rw-r--r-- 1 root root  554  3 18 17:54 Ksangchul.kr.+007+53403.key

-rw------- 1 root root 1779  3 18 17:54 Ksangchul.kr.+007+53403.private

 

3. Public Key 존 반영

[root@LAMP01 named]# vi sangchul.kr-zone

$TTL 600

@             IN SOA       ns.sangchul.kr.  dns.netpiacorp.com.  (

                           2013022701      ; Serial

                           2H              ; Refresh

                           1H              ; Retry

                           1W              ; Expire

                           1H )            ; Minimum

 

                     IN NS              ns1.sangchul.kr.

                     IN NS              ns2.sangchul.kr.

 

                     IN A                211.234.242.174

www               IN CNAME        @

*                    IN A                211.234.242.174

 

ngb                IN A                127.0.0.1

ns1                 IN A            127.0.0.1

ns2                 IN A            127.0.0.1

 

$INCLUDE Ksangchul.kr.+007+18434.key

$INCLUDE Ksangchul.kr.+007+53403.key

 

4. 존 서명

[root@LAMP01 named]# dnssec-signzone -S -3 96e920 -o sangchul.kr. sangchul.kr-zone

Verifying the zone using the following algorithms: NSEC3RSASHA1.

Zone signing complete:

Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked

                         ZSKs: 1 active, 0 stand-by, 0 revoked

sangchul.kr-zone.signed

 

5. 네임서버에 존 반영

options {

        listen-on port 53 { any; };

//      listen-on-v6 port 53 { ::1; };

        directory       "/var/named";

        dump-file       "/var/named/data/cache_dump.db";

        statistics-file "/var/named/data/named_stats.txt";

        memstatistics-file "/var/named/data/named_mem_stats.txt";

        allow-query     { any; };

        recursion yes;

 

        dnssec-enable yes;

        dnssec-validation yes;

        dnssec-lookaside auto;

 

        /- Path to ISC DLV key *-

        bindkeys-file "/etc/named.iscdlv.key";

};

 

zone "sangchul.kr" { type master; file "sangchul.kr-zone.signed"; key-directory "key"; auto-dnssec maintain; allow-update { none; }; };

 

6. 서명검증 상태 점검방법

[root@LAMP01 named]# dig @127.0.0.1 ngb.sangchul.kr A +dnssec +multiline

 

; <<>> DiG 9.7.0-P2-RedHat-9.7.0-10.P2.el5_8.5 <<>> @127.0.0.1 ngb.sangchul.kr A +dnssec +multiline

; (1 server found)

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7567

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 5

 

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags: do; udp: 4096

;; QUESTION SECTION:

;ngb.sangchul.kr. IN A

 

;; ANSWER SECTION:

ngb.sangchul.kr.  600 IN A 127.0.0.1

ngb.sangchul.kr.  600 IN RRSIG A 7 3 600 20130417075639 (

                                          20130318075639 18434 sangchul.kr.

                                          JSfTay1PS9gXHc3YRIPnTTevFwrUXxtv3EFmiwtaaNyV

                                          cZgTf2oIQOMnEsNzbOFHAfoZi+MiLDmg/ddNtp5qDrmq

                                          x+DE77O7ty5eNL5VR/UROjD40IIe6v46opcVotpkIddJ

                                          gP+R2eC/OLleFDw0izWJEFgUCzwG/MDqdYdInx4= )

 

;; AUTHORITY SECTION:

sangchul.kr.                  600 IN NS ns1.sangchul.kr.

sangchul.kr.                  600 IN NS ns2.sangchul.kr.

sangchul.kr.                  600 IN RRSIG NS 7 2 600 20130417075639 (

                                          20130318075639 18434 sangchul.kr.

                                          f3GNqt3IajADVKyPK7vkyAvI36StExpcV0XHL6gQ4pn0

                                          vG5NJ7EpR/lyGZAYomhzQzENmF9OA/KuVNFwwOxnVKT7

                                          NM6Ww7+NfIb6c5xCpRtVbh7NLYUY+Eyzhy06ZxJmHxkV

                                          k7AG52yrWGPptXpCz3HlkytbonjJjdEGs5ty2iQ= )

 

;; ADDITIONAL SECTION:

ns1.sangchul.kr.  600 IN A 127.0.0.1

ns2.sangchul.kr.  600 IN A 127.0.0.1

ns1.sangchul.kr.  600 IN RRSIG A 7 3 600 20130417075639 (

                                          20130318075639 18434 sangchul.kr.

                                          PI/QEb/mIAEuivvcyUr01V2HnEKMpdN27DZMrVD/dVuU

                                          E1vuELnIcMESxmakQyrAD0Q8bi8v97EdV/HLhnV1M7lj

                                          0uSAO11RC2tHW/aaI3v8fgdHFXAynwhqr5wBRqTgL58f

                                          wyh2967lPWXtXoclIhTdIwOT/GzD3clscrXFFzs= )

ns2.sangchul.kr.  600 IN RRSIG A 7 3 600 20130417075639 (

                                          20130318075639 18434 sangchul.kr.

                                          JKBNfYIRFZcitbmXuOwYxNGR+Z8K4Dl6V8haFzyqWtZM

                                          w+9pFjumpcgWE2v1pehRud87KZr8lr7DrSgIUa3uLCj7

                                          cuwndDVZ6ajzDqWymSsdl4HdqIIFErnPd0GlSUTjxzgK

                                          zIJDcYQDC5k8jLJrm5Ab3KRrzuMxeiqjgr4qBRU= )

 

;; Query time: 1 msec

;; SERVER: 127.0.0.1#53(127.0.0.1)

;; WHEN: Mon Mar 18 18:09:06 2013

;; MSG SIZE  rcvd: 812

   

List of Articles
번호 분류 제목 글쓴이 날짜 조회 수
110 설치관련 PHP CodeSniffer 코딩검사 secret 햇빛소년 2013.01.14 0
109 에러해결 modcurity 에러메세지 secret 햇빛소년 2013.01.17 0
108 설치관련 .htaccess 이용 스팸 IP 차단 햇빛소년 2013.01.17 25737
107 에러해결 apache2.x.x 컴파일 에러 해결 - /usr/local/lib/liblua.a: could not read symbols: Bad value secret 햇빛소년 2013.01.19 0
106 에러해결 pcre최신버전 소스설치 후 modsecurity-apache 컴파일시 에러 햇빛소년 2013.01.19 78562
105 설치관련 Luajit 다운로드 및 설치 햇빛소년 2013.01.19 23341
104 에러해결 ZendGuardLoader.so: undefined symbol: compiler_globals 햇빛소년 2013.01.19 26488
103 설치관련 rndc-confgen — rndc key generation tool 햇빛소년 2013.05.31 17850
102 에러해결 TIFF 설피시 /usr/local/include/jmorecfg.h:263:16: error: expected identifier before numeric constant 에러 햇빛소년 2013.06.04 17956
» 설치관련 dnssec-keygen 사용법 및 구축과 검증 햇빛소년 2013.06.07 24604
100 에러해결 mc(미드나잇 커맨드) 종료시 처음 PWD로 바뀌는 문제 해결 햇빛소년 2013.06.09 18083
99 에러해결 named 에러 (/var/log/massages) 가 있을 때 해결 방법 햇빛소년 2013.06.12 34597
98 에러해결 BIND 9: "Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones" 햇빛소년 2013.06.13 20301
97 설치관련 httpd-2.4.4 httpd.conf 설정 옵션 변경. 햇빛소년 2013.06.13 14460
96 에러해결 php-5.4.16 컴파일시 checking for db4 major version... Header contains different version 에러 햇빛소년 2013.06.18 19758
95 에러해결 phpmyadmin 4.0 로그인시 에러.. 햇빛소년 2013.06.18 60229
94 에러해결 php.ini설정 에러 모음. 햇빛소년 2013.06.18 16735
93 설치관련 /etc/init.d/proftpd 실행 스크립트 secret 햇빛소년 2013.06.19 0
92 에러해결 [MySQL] Incorrect integer value: '' for column '컬럼명' 오류 발생시 햇빛소년 2013.06.19 18016
91 설치관련 rewrite 도메인 포워딩 햇빛소년 2013.06.22 15591
Board Pagination Prev 1 2 3 4 5 6 7 8 9 10 Next
/ 10