Linux/CentOS7

How to configure BIND with DNSSEC

장성한군사 2017. 9. 19. 19:23

Source: http://dns.kisa.or.kr/jsp/resources/dns/dnssecInfo/dnssecBind.jsp

CentOS 7 version

Linux localhost.localdomain 3.10.0-327.el7.x86_64 #1 SMP Thu Nov 19 22:10:57 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

Network interface card

[root@localhost ~]# ip addr show eno16777736
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:a3:28:3a brd ff:ff:ff:ff:ff:ff
    inet 192.168.8.136/24 brd 192.168.8.255 scope global dynamic eno16777736
       valid_lft 1431sec preferred_lft 1431sec
    inet6 fe80::20c:29ff:fea3:283a/64 scope link
       valid_lft forever preferred_lft forever

 

Install the BIND packages

[root@localhost ~]# yum -y install bind bind-libs bind-utils

[root@localhost ~]# vi /etc/named.conf

options {
        listen-on port 53 { 192.168.8.136; };
//      listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };

        recursion no;

        dnssec-enable yes;
        dnssec-validation yes;
};
// the rest of the stock /etc/named.conf is left unchanged

[root@localhost ~]# vi /etc/named.rfc1912.zones

zone "kgitbank.local" IN {
        type master;
        file "kgitbank.local.db.signed";
        key-directory "keys";
        // auto-dnssec is meant for zones that accept dynamic updates (allow-update or
        // update-policy) or that use inline-signing, and named may refuse it on a static
        // zone. This walkthrough signs by hand with dnssec-signzone, so drop the line
        // if named-checkconf complains about it.
        auto-dnssec maintain;
        allow-update { none; };
};

zone "8.168.192.in-addr.arpa" IN {
        type master;
        file "kgitbank.local.rdb";
        allow-update { none; };
};

[root@localhost ~]# cd /var/named
[root@localhost named]# cp -a named.empty kgitbank.local.db
[root@localhost named]# cp -a named.loopback kgitbank.local.rdb


[root@localhost named]# vi /var/named/kgitbank.local.db

$TTL 3H
@       IN SOA  @ kgitbank.local. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      lux01.kgitbank.local.   ; fully qualified; a bare "lux01." would name a host outside this zone
lux01   A       192.168.8.136
www     CNAME   lux01.kgitbank.local.

 

[root@localhost named]# vi /var/named/kgitbank.local.rdb

$TTL 1D
@       IN SOA  @ kgitbank.local. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      lux01.kgitbank.local.   ; fully qualified; a bare "lux01." would name a host outside this zone
lux01   A       192.168.8.136
136     PTR     lux01.kgitbank.local.

 

Generate the zone signing key (ZSK) for the kgitbank.local zone

# mkdir /var/named/keys
# chown root:named /var/named/keys
# cd /var/named/keys
# dnssec-keygen -a NSEC3RSASHA1 -r /dev/urandom -b 1024 -n ZONE kgitbank.local.

Generate the key signing key (KSK) for the kgitbank.local zone

# cd /var/named/keys
# dnssec-keygen -a NSEC3RSASHA1 -r /dev/urandom -b 2048 -n ZONE -f KSK kgitbank.local.

NSEC3RSASHA1 is DNSSEC algorithm 7 (the +007 in the file names below). It is RSA with SHA-1, which RFC 8624 no longer recommends for signing; on a current BIND, RSASHA256 (8) or ECDSAP256SHA256 (13) is the usual choice.


[root@lux01 keys]# ls -l
total 16
-rw-r--r--. 1 root root  436 Sep 19 16:09 Kkgitbank.local.+007+46143.key
-rw-------. 1 root root 1015 Sep 19 16:09 Kkgitbank.local.+007+46143.private
-rw-r--r--. 1 root root  437 Sep 19 16:08 Kkgitbank.local.+007+57209.key
-rw-------. 1 root root 1015 Sep 19 16:08 Kkgitbank.local.+007+57209.private 
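The listing above does not say which key pair is the KSK and which is the ZSK; the information is in the DNSKEY record inside each .key file (flags 257 = KSK, 256 = ZSK). The following script is an added example, not part of the original post or of KISA's procedure. It constructs two sample key files with placeholder key material (assumed layout: the comment lines dnssec-keygen writes followed by one DNSKEY record; key tag 46143 is assumed to be the KSK because it was generated second, with -f KSK) and classifies them:

```shell
#!/bin/sh
# Added example (not from the original post): tell KSK and ZSK apart from the
# DNSKEY flags field inside dnssec-keygen's *.key files, since the ls listing
# does not show which key is which. Flags 257 = SEP bit set = KSK, 256 = ZSK.

# classify_dnssec_key <file>: prints "<algorithm> <KSK|ZSK|UNKNOWN>" for one key file.
# A .key file holds comment lines starting with ";" followed by one record of the form
#   <owner> [TTL] IN DNSKEY <flags> <protocol> <algorithm> <public key base64>
classify_dnssec_key() {
    awk '
        /^;/ { next }                       # skip dnssec-keygen comment lines
        {
            for (i = 1; i <= NF; i++)
                if ($i == "DNSKEY") {
                    flags = $(i + 1); alg = $(i + 3)
                    role = (flags == 257) ? "KSK" : (flags == 256) ? "ZSK" : "UNKNOWN"
                    print alg, role
                    exit
                }
        }' "$1"
}

# list_key_roles <dir>: one line "<file> <algorithm> <role>" per K*.key file in <dir>.
list_key_roles() {
    for f in "$1"/K*.key; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(basename "$f")" "$(classify_dnssec_key "$f")"
    done
}

# make_sample_keydir: writes two constructed key files (placeholder key material, not
# real keys) into a temporary directory and prints its path. The key tags reuse the
# page's file names; 46143 is assumed to be the KSK (it was generated with -f KSK).
make_sample_keydir() {
    d=$(mktemp -d)
    printf '%s\n' \
        '; This is a key-signing key, keyid 46143, for kgitbank.local.' \
        'kgitbank.local. IN DNSKEY 257 3 7 AwEAAePLACEHOLDERKSKBASE64=' \
        > "$d/Kkgitbank.local.+007+46143.key"
    printf '%s\n' \
        '; This is a zone-signing key, keyid 57209, for kgitbank.local.' \
        'kgitbank.local. IN DNSKEY 256 3 7 AwEAAePLACEHOLDERZSKBASE64=' \
        > "$d/Kkgitbank.local.+007+57209.key"
    printf '%s' "$d"
}

# Stand-alone run (sh script.sh --demo): classify the constructed sample directory.
if [ "${1:-}" = "--demo" ]; then
    dir=$(make_sample_keydir)
    list_key_roles "$dir"
    rm -rf "$dir"
fi
```

Against a real key directory, `list_key_roles /var/named/keys` gives the same one-line-per-key summary; a zone should show exactly one KSK and at least one ZSK before you sign it, and the KSK's DNSKEY is the record whose DS goes to the parent zone.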

 

Publishing the public keys of kgitbank.local means putting the DNSKEY resource records of the key signing key (KSK) and of the zone signing key (ZSK) into the domain's zone file.

Open the zone file kgitbank.local.db of kgitbank.local and include the public key file (*.key) of the ZSK and of the KSK with $INCLUDE, as shown below.

# vi /var/named/kgitbank.local.db

$INCLUDE keys/Kkgitbank.local.+007+46143.key   ; path relative to /var/named, where dnssec-signzone is run from
$INCLUDE keys/Kkgitbank.local.+007+57209.key

 

Now sign the base zone file kgitbank.local.db of kgitbank.local with DNSSEC. The signing keys are assumed to be stored in /var/named/keys; run the command from /var/named so that the relative file names resolve.

# dnssec-signzone -S -K /var/named/keys -3 96e920 -o kgitbank.local. kgitbank.local.db

The signing step writes the "signed zone file" as kgitbank.local.db.signed. The signatures in it are valid for 30 days by default (see the -e option of dnssec-signzone), so the command has to be repeated, with a new serial, before they expire.

 

Options used

-S : Smart signing: instructs dnssec-signzone to search the key repository for keys that match the zone being signed, and to include them in the zone if appropriate.

-K directory : Key repository: specify a directory to search for DNSSEC keys. If not specified, defaults to the current directory.

-3 salt : Generate an NSEC3 chain with the given hex-encoded salt. A dash (-) can be used to indicate that no salt is to be used when generating the NSEC3 chain.

-o origin : The zone origin. If not specified, the name of the zone file is assumed to be the origin.

Start the named daemon

[root@localhost named]# systemctl start named.service

Enable named at boot

[root@localhost named]# systemctl enable named.service
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.

[root@localhost ~]# systemctl list-unit-files

 

 

# named-checkzone kgitbank.local /var/named/kgitbank.local.db.signed

zone kgitbank.local/IN: loaded serial 2017091805 (DNSSEC signed)
OK

 

DNSSEC verification

[root@lux01 keys]# dig @192.168.8.136 kgitbank.local soa +dnssec +multiline
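Seeing an RRSIG in the dig answer only proves that the zone was signed at some point; what an operator has to keep checking is whether the signatures are still inside their validity window, because a zone whose RRSIGs have expired is bogus for every validating resolver. The script below is an added example, not part of the original post or of KISA's procedure. It reads the one-line-per-record output of `dig ... +dnssec` (without +multiline) and reports expired, soon-expiring and not-yet-valid signatures; the sample answer section is constructed, with placeholder signature data and timestamps chosen to exercise each case:

```shell
#!/bin/sh
# Added example (not from the original post): audit the validity window of every RRSIG
# in the answer of `dig @server <zone> <type> +dnssec` (run WITHOUT +multiline, so each
# record is on one line). dnssec-signzone signatures expire 30 days after signing by
# default; once they expire, validating resolvers treat the zone as bogus.
#
# One-line dig output fields (whitespace separated):
#  $1 name  $2 TTL  $3 IN  $4 RRSIG  $5 type covered  $6 algorithm  $7 labels
#  $8 original TTL  $9 expiration  $10 inception  $11 key tag  $12 signer  $13 signature

# Constructed sample answer section (placeholder signatures, not real dig output).
SAMPLE_DIG_ANSWER='kgitbank.local. 10800 IN SOA kgitbank.local. kgitbank.local. 2017091805 86400 3600 604800 10800
kgitbank.local. 10800 IN RRSIG SOA 7 2 10800 20171019070000 20170919060000 57209 kgitbank.local. PLACEHOLDERSIG==
kgitbank.local. 10800 IN RRSIG NS 7 2 10800 20171005070000 20170919060000 57209 kgitbank.local. PLACEHOLDERSIG==
kgitbank.local. 10800 IN RRSIG DNSKEY 7 2 10800 20171019070000 20171001000000 46143 kgitbank.local. PLACEHOLDERSIG=='

# check_rrsig_windows <now> <deadline>: reads dig answer lines on stdin. <now> and
# <deadline> are UTC timestamps in the RRSIG format YYYYMMDDHHMMSS; <deadline> is how
# far ahead signatures must stay valid (e.g. now + 7 days). Prints one line per problem:
#   EXPIRED <type> <keytag> <expiration>        expiration <= now
#   EXPIRES-SOON <type> <keytag> <expiration>   now < expiration <= deadline
#   NOT-YET-VALID <type> <keytag> <inception>   inception > now
# Returns 1 if any problem was found, 0 otherwise.
check_rrsig_windows() {
    awk -v now="$1" -v deadline="$2" '
        $4 == "RRSIG" {
            type = $5; expiry = $9; inception = $10; tag = $11
            # 14-digit YYYYMMDDHHMMSS values compare correctly as plain numbers
            if (expiry + 0 <= now + 0)           { print "EXPIRED", type, tag, expiry; bad++ }
            else if (expiry + 0 <= deadline + 0) { print "EXPIRES-SOON", type, tag, expiry; bad++ }
            if (inception + 0 > now + 0)         { print "NOT-YET-VALID", type, tag, inception; bad++ }
        }
        END { if (bad > 0) exit 1; exit 0 }'
}

# Stand-alone run (sh script.sh --demo) against the sample, with a fixed "now" so the
# result is reproducible: reports the NS signature as expiring soon and the DNSKEY
# signature as not yet valid, and exits 1.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_DIG_ANSWER" | check_rrsig_windows 20170925000000 20171010000000
fi
```

For the server built in this post, the live check is `dig @192.168.8.136 kgitbank.local soa +dnssec +noall +answer | check_rrsig_windows "$(date -u +%Y%m%d%H%M%S)" "$(date -u -d '+7 days' +%Y%m%d%H%M%S)"` (the `-d '+7 days'` form assumes GNU date, as on CentOS 7); a non-zero exit from a cron job is the cue to re-run dnssec-signzone well before the 30-day window closes.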

 

 

DNSSEC (KISA): http://dns.kisa.or.kr/jsp/business/operate/main.jsp