Server 端操作如下:
1:产生密钥,应用dnssec-keygen
[root@kook tt]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST kook
Kkook.+157+53326
[root@kook tt]# ll
-rw------- 1 root root 48 09-26 13:18 Kkook.+157+53326.key
-rw------- 1 root root 81 09-26 13:18 Kkook.+157+53326.private
查看一下这个命令的用法
[root@kook tt]# dnssec-keygen
Usage:
dnssec-keygen -a alg -b bits -n type [options] name
Version: 9.3.3rc2
Required options:
-a algorithm: RSA | RSAMD5 | DH | DSA | RSASHA1 | HMAC-MD5
-b key size, in bits:
RSAMD5: [512..4096]
RSASHA1: [512..4096]
DH: [128..4096]
DSA: [512..1024] and divisible by 64
HMAC-MD5: [1..512]
-n nametype: ZONE | HOST | ENTITY | USER | OTHER
name: owner of the key
Other options:
-c <class> (default: IN)
-e use large exponent (RSAMD5/RSASHA1 only)
-f keyflag: KSK
-g <generator> use specified generator (DH only)
-t <type>: AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF (default: AUTHCONF)
-p <protocol>: default: 3 [dnssec]
-s <strength> strength value this key signs DNS records with (default: 0)
-r <randomdev>: a file containing random data
-v <verbose level>
-k : generate a TYPE=KEY key
Output:
K<name>+<alg>+<id>.key, K<name>+<alg>+<id>.private
查看文件内容,
[root@kook tt]# more Kkook.+157+53326.key
kook. IN KEY 512 3 157 do/q08XmwO1V9PLaS89N2w==
[root@kook tt]# more Kkook.+157+53326.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: do/q08XmwO1V9PLaS89N2w==
2:编辑配置文件/etc/named.conf
下面的字段非常容易理解。
第一段是Key,就是上面生成的key转换到/etc/named.conf写法。
包括加密类型和那个密文,就是上面文件里面的。
第二段是域下面可以通过这个key来更新的主机地址。也就是说那些拥有这个Key的人,可以更改下面那三个主机的A类型。
*************略*****************
key "kook" {
algorithm hmac-md5;
secret "d6GR0xmw5sKRirUkFMwPYQ==";
};
zone "52zhe.com" IN {
type master;
file "named.52zhe";
update-policy {
grant kook name kook.52zhe.com. A;
grant kook name office.52zhe.com. A;
grant kook name home.52zhe.com. A;
};
};
***************略*******************
