DNS主辅同步(TSIG) 加密
1TSIG: Transaction Signatures
使用共享钥匙进行加密(shared symmetric key)
(1) 是一个安全的访问控制机制。
(2) 保护信息在传输的过程中不会被改变。
要求:时间必须是准确的。
2.加密工具使用 dnsssec-kengen
要求:两台机器必须有一样的key且key名字必须一样
数据只会传输给有key的机器
3.实验环境:(centos 6.0)
主dns:192.168.10.15
辅dns:192.168.10.11
4.主dns配置:
yum install bind bind-chroot -y
service named restar
cd /var/named/chroot/etc/
dnssec-keygen -a HMAC-MD5 -b 128 -n HOST server120-station #生成key
vim cheng.example.key #将生成的key写到secret的地方
key "server120-station" { #注意:这里写的是生成key的名字
algorithm hmac-md5;
secret "ejzKuhKarv5U+Wv3YCiW7w=="; #将生成的key复制到此处
};
chmod 640 cheng.example.com.key #更改权限
chmod root.named cheng.example.com.key #更改所属组所有者
主配置文件的配置:
注意:主dns与辅助dns时间必须同步。
vim /var/named/chroot/etc/named.conf
include "/etc/cheng.example.com.key"; #定义key
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;
allow-transfer { key server120-station ; }; # 定义有key的主机才用
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
zone "cheng.com" IN {
type master;
file "cheng.com";
allow-update { none; };
};
zone "10.168.192.in-addr.arpa" IN {
type master;
file "cheng.local";
allow-update { none; };
};
这里正反向文件就略去了
5.辅dns配置:
注意:主辅dns时间必须同步。
yum install bind bind-chroot -y
service named restart
vim /var/named/chroot/etc/cheng.example.key #将生成的key写到secret的地方
key "server120-station" { #注意:这里写的是生成key的名字
algorithm hmac-md5;
secret "ejzKuhKarv5U+Wv3YCiW7w=="; #将主dns生成的key复制到此处,两者必须一致。
};
chmod 640 cheng.example.com.key #更改权限
chmod root.named cheng.example.com.key #更改所属组所有者
辅助dns主文件配置:
vim /var/named/chroot/etc/named.conf
include "/etc/cheng.example.com.key"; # 定义key
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
zone "cheng.com" IN {
type slave;
file "slaves/cheng.com";
masters { 192.168.10.15; };
};
zone "10.168.192.in-addr.arpa" IN {
type slave;
file "slaves/cheng.local";
masters { 192.168.10.15; };
};
server 192.168.10.15 #指定主dns的ip
{ keys { server120-station; }; #指定key
};
6. 查看系统日志测试是否成功。
:
Feb 10 22:10:20 localhost named[27894]: client 192.168.10.12#51660: transfer of '10.168.192.in-addr.arpa/IN': AXFR started: TSIG server120-station
Feb 10 22:10:20 localhost named[27894]: client 192.168.10.12#51660: transfer of '10.168.192.in-addr.arpa/IN': AXFR ended
Feb 10 22:10:21 localhost named[27894]: client 192.168.10.12#33742: transfer of 'cheng.com/IN': AXFR started: TSIG server120-station
Feb 10 22:10:21 localhost named[27894]: client 192.168.10.12#33742: transfer of 'cheng.com/IN': AXFR ended
查看日志文件已经同步过去,主辅dns设置成功。
阅读(5048) | 评论(0) | 转发(0) |