Installation
2013.06.07 21:47

dnssec-keygen usage, DNSSEC setup and verification


[bind] DNSSEC setup and verification

anti1346.egloos.com/5174378

1. Domain configuration and zone file creation

[root@LAMP01 named]# tail /etc/named.conf
zone "sangchul.kr" { type master; file "sangchul.kr-zone"; allow-update { none; }; };

[root@LAMP01 named]# cat sangchul.kr-zone
$TTL 600
@       IN SOA   ns.sangchul.kr.  dns.netpiacorp.com.  (
                 2013022701      ; Serial
                 2H              ; Refresh
                 1H              ; Retry
                 1W              ; Expire
                 1H )            ; Minimum

        IN NS    ns1.sangchul.kr.
        IN NS    ns2.sangchul.kr.

        IN A     211.234.242.174
www     IN CNAME @
*       IN A     211.234.242.174

ngb     IN A     127.0.0.1
ns1     IN A     127.0.0.1
ns2     IN A     127.0.0.1

Query test

[root@LAMP01 named]# dig @127.0.0.1 ngb.sangchul.kr +short
127.0.0.1

2. Generate the signing keys

Generate the zone signing key (ZSK) for sangchul.kr (1024 bits or more recommended)

[root@LAMP01 named]# dnssec-keygen -a NSEC3RSASHA1 -r /dev/urandom -b 1024 -n ZONE sangchul.kr.
Generating key pair...................................++++++ ...............++++++
Ksangchul.kr.+007+18434

Generate the key signing key (KSK) for sangchul.kr (2048 bits or more recommended)

[root@LAMP01 named]# dnssec-keygen -a NSEC3RSASHA1 -r /dev/urandom -b 2048 -n ZONE -f KSK sangchul.kr.
Generating key pair...............................+++ ................+++
Ksangchul.kr.+007+53403

[root@LAMP01 named]# ls -l Ksangchul.kr.*
-rw-r--r-- 1 root root  380  3 18 17:54 Ksangchul.kr.+007+18434.key
-rw------- 1 root root 1015  3 18 17:54 Ksangchul.kr.+007+18434.private
-rw-r--r-- 1 root root  554  3 18 17:54 Ksangchul.kr.+007+53403.key
-rw------- 1 root root 1779  3 18 17:54 Ksangchul.kr.+007+53403.private

3. Add the public keys to the zone

[root@LAMP01 named]# vi sangchul.kr-zone
$TTL 600
@       IN SOA   ns.sangchul.kr.  dns.netpiacorp.com.  (
                 2013022701      ; Serial
                 2H              ; Refresh
                 1H              ; Retry
                 1W              ; Expire
                 1H )            ; Minimum

        IN NS    ns1.sangchul.kr.
        IN NS    ns2.sangchul.kr.

        IN A     211.234.242.174
www     IN CNAME @
*       IN A     211.234.242.174

ngb     IN A     127.0.0.1
ns1     IN A     127.0.0.1
ns2     IN A     127.0.0.1

$INCLUDE Ksangchul.kr.+007+18434.key
$INCLUDE Ksangchul.kr.+007+53403.key

4. Sign the zone

[root@LAMP01 named]# dnssec-signzone -S -3 96e920 -o sangchul.kr. sangchul.kr-zone
Verifying the zone using the following algorithms: NSEC3RSASHA1.
Zone signing complete:
Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                         ZSKs: 1 active, 0 stand-by, 0 revoked
sangchul.kr-zone.signed

5. Load the signed zone on the name server

options {
        listen-on port 53 { any; };
//      listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
};

zone "sangchul.kr" { type master; file "sangchul.kr-zone.signed"; key-directory "key"; auto-dnssec maintain; allow-update { none; }; };

6. How to check signature verification status

[root@LAMP01 named]# dig @127.0.0.1 ngb.sangchul.kr A +dnssec +multiline

; <<>> DiG 9.7.0-P2-RedHat-9.7.0-10.P2.el5_8.5 <<>> @127.0.0.1 ngb.sangchul.kr A +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7567
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ngb.sangchul.kr. IN A

;; ANSWER SECTION:
ngb.sangchul.kr.  600 IN A 127.0.0.1
ngb.sangchul.kr.  600 IN RRSIG A 7 3 600 20130417075639 (
                                          20130318075639 18434 sangchul.kr.
                                          JSfTay1PS9gXHc3YRIPnTTevFwrUXxtv3EFmiwtaaNyV
                                          cZgTf2oIQOMnEsNzbOFHAfoZi+MiLDmg/ddNtp5qDrmq
                                          x+DE77O7ty5eNL5VR/UROjD40IIe6v46opcVotpkIddJ
                                          gP+R2eC/OLleFDw0izWJEFgUCzwG/MDqdYdInx4= )

;; AUTHORITY SECTION:
sangchul.kr.                  600 IN NS ns1.sangchul.kr.
sangchul.kr.                  600 IN NS ns2.sangchul.kr.
sangchul.kr.                  600 IN RRSIG NS 7 2 600 20130417075639 (
                                          20130318075639 18434 sangchul.kr.
                                          f3GNqt3IajADVKyPK7vkyAvI36StExpcV0XHL6gQ4pn0
                                          vG5NJ7EpR/lyGZAYomhzQzENmF9OA/KuVNFwwOxnVKT7
                                          NM6Ww7+NfIb6c5xCpRtVbh7NLYUY+Eyzhy06ZxJmHxkV
                                          k7AG52yrWGPptXpCz3HlkytbonjJjdEGs5ty2iQ= )

;; ADDITIONAL SECTION:
ns1.sangchul.kr.  600 IN A 127.0.0.1
ns2.sangchul.kr.  600 IN A 127.0.0.1
ns1.sangchul.kr.  600 IN RRSIG A 7 3 600 20130417075639 (
                                          20130318075639 18434 sangchul.kr.
                                          PI/QEb/mIAEuivvcyUr01V2HnEKMpdN27DZMrVD/dVuU
                                          E1vuELnIcMESxmakQyrAD0Q8bi8v97EdV/HLhnV1M7lj
                                          0uSAO11RC2tHW/aaI3v8fgdHFXAynwhqr5wBRqTgL58f
                                          wyh2967lPWXtXoclIhTdIwOT/GzD3clscrXFFzs= )
ns2.sangchul.kr.  600 IN RRSIG A 7 3 600 20130417075639 (
                                          20130318075639 18434 sangchul.kr.
                                          JKBNfYIRFZcitbmXuOwYxNGR+Z8K4Dl6V8haFzyqWtZM
                                          w+9pFjumpcgWE2v1pehRud87KZr8lr7DrSgIUa3uLCj7
                                          cuwndDVZ6ajzDqWymSsdl4HdqIIFErnPd0GlSUTjxzgK
                                          zIJDcYQDC5k8jLJrm5Ab3KRrzuMxeiqjgr4qBRU= )

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Mar 18 18:09:06 2013
;; MSG SIZE  rcvd: 812
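
Each RRSIG in the output above names its signing key (algorithm 7, key tag 18434, the ZSK from step 2) and its validity window (expiration first, then inception). The following Python is an added example, not part of the original post: it parses dig +multiline output and reports, per signature, whether the key tag matches a dnssec-keygen key file and whether the signature is inside its window; the function names, the 7-day warning threshold and the shortened sample are assumptions made for this illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample (dig +dnssec +multiline layout); signature bytes are placeholders.
SAMPLE = """\
ngb.sangchul.kr.  600 IN A 127.0.0.1
ngb.sangchul.kr.  600 IN RRSIG A 7 3 600 20130417075639 (
                        20130318075639 18434 sangchul.kr.
                        cGxhY2Vob2xkZXI= )
sangchul.kr.      600 IN RRSIG NS 7 2 600 20130417075639 (
                        20130318075639 18434 sangchul.kr.
                        cGxhY2Vob2xkZXI= )
"""
KEY_FILES = ["Ksangchul.kr.+007+18434.key", "Ksangchul.kr.+007+53403.key"]

RRSIG_RE = re.compile(
    r"(?m)^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+(?P<alg>\d+)\s+\d+"
    r"\s+\d+\s+(?P<expire>\d{14})\s+\(\s*(?P<incept>\d{14})\s+(?P<tag>\d+)\s+(?P<signer>\S+)")
KEYFILE_RE = re.compile(r"^K(?P<zone>.+)\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.key$")

def _ts(stamp):
    """RRSIG timestamps are UTC, formatted YYYYMMDDHHmmSS."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def known_keys(filenames):
    """(zone, algorithm, key tag) triples encoded in dnssec-keygen file names."""
    found = (KEYFILE_RE.match(name) for name in filenames)
    return {(m["zone"].lower(), int(m["alg"]), int(m["tag"])) for m in found if m}

def audit_rrsigs(dig_text, key_files, now, warn=timedelta(days=7)):
    """Return (owner, covered type, status) for every RRSIG found in dig_text."""
    keys, report = known_keys(key_files), []
    for m in RRSIG_RE.finditer(dig_text):
        signer = (m["signer"].lower(), int(m["alg"]), int(m["tag"]))
        if signer not in keys:
            status = "unknown-key"      # no key file for this tag and algorithm
        elif now < _ts(m["incept"]):
            status = "not-yet-valid"    # clock skew or future-dated signature
        elif now >= _ts(m["expire"]):
            status = "expired"          # validators treat the RRset as bogus
        elif _ts(m["expire"]) - now <= warn:
            status = "expiring"         # re-sign the zone soon
        else:
            status = "ok"
        report.append((m["owner"], m["covered"], status))
    return report

if __name__ == "__main__":
    print(audit_rrsigs(SAMPLE, KEY_FILES, datetime.now(timezone.utc)))
```

In the output above the window runs from 20130318075639 to 20130417075639, so a zone file signed once with dnssec-signzone has to be re-signed before that expiration or validating resolvers will reject its answers.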

   
