Signing an authoritative zone with BIND9 on an Ubuntu server

I am trying to get DNSSEC running and sign an authoritative zone in BIND9, but I have seen many different ways of doing this and I am lost.

My named.conf:

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/rndc.key";

controls {
     inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

logging { 
     channel bind_log {
         file "/var/log/named/bind_log";
         print-severity yes;
         print-time yes;
         severity info;
    };
    category default { bind_log; };
};

dnssec-policy "custom" {
        dnskey-ttl 600;
        keys {
            ksk lifetime P1Y algorithm ecdsap384sha384;
            zsk lifetime 60d algorithm ecdsap384sha384;
        };
        nsec3param iterations 0 optout no salt-length 0;
};

My named.conf.default-zones:

zone "ns1.ubuntuserver" in {
    type master;
    file "/etc/bind/zones/db.ns1";
    allow-transfer { none; };
    key-directory "/etc/bind/keys/first.com";
    inline-signing yes;
    dnssec-policy custom;
    parental-agents { 192.168.1.16; };
};

I ran named-checkconf and everything is correct, but what comes next? I know it has something to do with key rollover, but I don't know how to handle it.

These are the links I used:

https://kb.isc.org/docs/dnssec-key-and-signing-policy#wait-for-rollovers-to-complete
https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server-2
https://bind9.readthedocs.io/en/v9.18.21/dnssec-guide.html

No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 23.10
Release:        23.10
Codename:       mantic
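named-checkconf only validates syntax; it says nothing about whether the zone actually ended up signed. The check below is an added example, not part of the original post or of BIND: it reads a zone dump in standard presentation format (owner, optional TTL, IN, type, rdata, as `rndc dumpdb -zones` writes) and reports the DNSKEY roles present, any RRset without an RRSIG, and any RRSIG that is expired, not yet valid, or about to expire. The sample zone and its timestamps are constructed, and the key/signature fields are placeholders.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample zone dump (not real data); algorithm 14 = ECDSAP384SHA384 as in the policy above.
SAMPLE_ZONE = """\
ns1.ubuntuserver.  600 IN DNSKEY 257 3 14 S2V5S1NL   ; constructed KSK (SEP flag set)
ns1.ubuntuserver.  600 IN DNSKEY 256 3 14 S2V5WlNL   ; constructed ZSK
ns1.ubuntuserver.  600 IN RRSIG DNSKEY 14 2 600 20240630000000 20240601000000 11111 ns1.ubuntuserver. c2ln
ns1.ubuntuserver. 3600 IN SOA ns1.ubuntuserver. admin.ubuntuserver. 1 3600 900 604800 86400
ns1.ubuntuserver. 3600 IN RRSIG SOA 14 2 3600 20240605000000 20240601000000 22222 ns1.ubuntuserver. c2ln
ns1.ubuntuserver. 3600 IN NS ns1.ubuntuserver.
"""

def _ts(s):
    # RRSIG inception/expiration are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2)
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_records(text):
    """Yield (owner, type, rdata fields) per record; strips ';' comments, accepts an optional TTL."""
    for line in text.splitlines():
        f = line.split(";", 1)[0].split()
        if not f:
            continue
        i = 2 if f[1].upper() == "IN" else 3       # index of the type field
        yield f[0].lower(), f[i].upper(), f[i + 1:]

def check_zone(text, now, warn=timedelta(days=3)):
    """Report DNSKEY roles and every RRSIG coverage/validity problem found in the dump."""
    now = _ts(now) if isinstance(now, str) else now
    keys, signed, rrsets, problems = {"KSK": 0, "ZSK": 0}, set(), set(), []
    for owner, rtype, rd in parse_records(text):
        if rtype == "RRSIG":
            covered, exp, inc, tag = rd[0].upper(), _ts(rd[4]), _ts(rd[5]), rd[6]
            signed.add((owner, covered))
            if now < inc:
                problems.append(f"{owner} {covered} RRSIG {tag}: not yet valid")
            elif now >= exp:
                problems.append(f"{owner} {covered} RRSIG {tag}: expired {exp:%Y-%m-%d}")
            elif exp - now < warn:
                problems.append(f"{owner} {covered} RRSIG {tag}: expires {exp:%Y-%m-%d}, re-sign soon")
            continue
        rrsets.add((owner, rtype))
        if rtype == "DNSKEY":                      # flags field: bit value 1 is SEP, i.e. a KSK
            keys["KSK" if int(rd[0]) & 1 else "ZSK"] += 1
    problems += [f"{o} {t}: no RRSIG" for o, t in sorted(rrsets - signed)]
    if not keys["KSK"] or not keys["ZSK"]:
        problems.append("DNSKEY RRset lacks a KSK or a ZSK")
    return {"keys": keys, "problems": problems}

if __name__ == "__main__":
    print(*check_zone(SAMPLE_ZONE, "20240603000000")["problems"], sep="\n")
```

On the sample it flags the SOA signature as expiring within the warning window and the apex NS RRset as unsigned, which is the kind of result that tells you the signer or a rollover step did not complete even though the configuration parsed cleanly.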
