I am trying to get DNSSEC running, signing an authoritative zone in BIND 9, but I have seen so many different ways of doing it that I am lost.
My named.conf:
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/rndc.key";

controls {
    inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

logging {
    channel bind_log {
        file "/var/log/named/bind_log";
        print-severity yes;
        print-time yes;
        severity info;
    };
    category default { bind_log; };
};

dnssec-policy "custom" {
    dnskey-ttl 600;
    keys {
        ksk lifetime P1Y algorithm ecdsap384sha384;
        zsk lifetime 60d algorithm ecdsap384sha384;
    };
    nsec3param iterations 0 optout no salt-length 0;
};
My named.conf.default-zones:
zone "ns1.ubuntuserver" in {
    type master;
    file "/etc/bind/zones/db.ns1";
    allow-transfer { none; };
    key-directory "/etc/bind/keys/first.com";
    inline-signing yes;
    dnssec-policy custom;
    parental-agents { 192.168.1.16; };
};
I checked it with named-checkconf and everything is correct, but what comes next? I know it has something to do with key rollover, but I do not know what to do about it.
These are the links I used:
https://kb.isc.org/docs/dnssec-key-and-signing-policy#wait-for-rollovers-to-complete
https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server-2
https://bind9.readthedocs.io/en/v9.18.21/dnssec-guide.html
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 23.10
Release:        23.10
Codename:       mantic
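With dnssec-policy and inline-signing, named generates the keys, signs the zone and rolls the ZSK and KSK on its own; the one step it cannot do is put the DS record at the parent. named records where each key stands in its rollover in the .state file next to the key in key-directory, and the DSState field tells you whether a DS still has to be published or withdrawn. The following is an added example, not code from the question or from BIND: it parses such a state file and reports what is left for the operator to do. The state-file field names and values (KSK, DSState, hidden/rumoured/omnipresent/unretentive) are taken from the BIND DNSSEC guide and the sample content is constructed; the directory layout of key-directory is assumed.

```python
import re
from pathlib import Path

# Constructed sample of a K<zone>+<alg>+<id>.state file as named writes it
# under dnssec-policy (field names assumed from the BIND DNSSEC guide).
# Algorithm 14 is ecdsap384sha384, as in the policy above.
SAMPLE_STATE = """\
; This is the state of key 12345, for ns1.ubuntuserver.
Algorithm: 14
Length: 384
Lifetime: 31536000
KSK: yes
ZSK: no
Generated: 20240101000000 (Mon Jan  1 00:00:00 2024)
Published: 20240101000000 (Mon Jan  1 00:00:00 2024)
Active: 20240101000000 (Mon Jan  1 00:00:00 2024)
GoalState: omnipresent
DNSKEYState: omnipresent
KRRSIGState: omnipresent
DSState: rumoured
"""

def parse_state(text):
    """Turn the 'Field: value' lines of a state file into a dict; ';' comments are skipped."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        key, _, value = line.partition(":")
        # Timestamps carry a human-readable copy in parentheses; keep only the numeric part.
        fields[key.strip()] = value.strip().split(" ", 1)[0]
    return fields

def ds_action(fields):
    """What the operator still has to do at the parent for this key."""
    if fields.get("KSK") != "yes":
        return "none (ZSK: rolled by named automatically)"
    ds = fields.get("DSState", "hidden")
    if ds == "rumoured":
        return "publish DS at parent (named waits until it sees it)"
    if ds == "unretentive":
        return "withdraw DS at parent (old KSK retiring)"
    if ds == "omnipresent":
        return "none (DS published and confirmed)"
    return "none yet (KSK not ready for DS publication)"

def report_key_directory(directory):
    """Summarise every .state file in a key directory (assumed layout), name -> action."""
    return {p.name: ds_action(parse_state(p.read_text()))
            for p in sorted(Path(directory).glob("*.state"))}
```

Run `report_key_directory("/etc/bind/keys/first.com")` on the server to see which KSK, if any, is waiting on a DS; with parental-agents set, named will notice once the DS appears at 192.168.1.16 and finish the rollover by itself.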