我对 DNSSEC 有一些疑问。我有一台服务器充当权威名称服务器,另一台服务器充当缓存/解析器。我使用的是 Bind 9.7.1-P2,这些是我的配置文件:
Named.conf(权威服务器)
// Server configuration options (authoritative name server)
// rndc control channel: loopback only, authenticated with rndc-key from /etc/rndc.key.
include "/etc/rndc.key";
controls {
inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};
options{
// Override the version.bind / hostname.bind / ID.SERVER CH TXT answers so the
// running software version and host name are not disclosed to queriers.
version "Peticion no permitida/Query not allowed";
hostname "Peticion no permitida/Query not allowed";
server-id "Peticion no permitida/Query not allowed";
directory "/etc/DNS_RIMA";
pid-file "named.pid";
notify yes;
#files 65535;
// dnssec-enable lets this server return RRSIG/DNSKEY/NSEC data to DO-flagged queries.
// dnssec-validation only affects answers this server obtains recursively; it does
// not make authoritative answers carry the AD flag (AD is set by a validating
// recursive resolver, never by the zone's own authoritative server).
dnssec-enable yes;
dnssec-validation yes;
// Zone transfers are limited to the two secondaries by source address only.
// NOTE(review): a TSIG key on the transfer would authenticate the peer itself
// rather than just its address — confirm whether that is wanted here.
allow-transfer { 172.23.2.37; 172.23.3.39; };
transfer-format many-answers;
transfers-per-ns 5;
transfers-in 10;
max-transfer-time-in 120;
// Disables owner-name syntax checks when loading master zones.
check-names master ignore;
// Listens on public addresses as well as the internal one and loopback.
// NOTE(review): neither `recursion no;` nor allow-query is set in this excerpt,
// so BIND's defaults apply — confirm this authoritative server is not expected
// to recurse for outside clients.
listen-on {172.23.2.57; 80.58.102.13; 80.58.102.103; 127.0.0.1; };
};
// Signed zone served from db.test.dnssec.signed; the signing keys live in the
// "keys" directory (relative to `directory` above). The secondaries listed in
// also-notify/allow-transfer match the global allow-transfer list.
zone "test.dnssec" {
type master;
key-directory "keys";
file "db.test.dnssec.signed";
also-notify { 172.23.2.37 ; 172.23.3.39 ; };
allow-transfer { 172.23.2.37 ; 172.23.3.39 ; };
};
test.dnssec 区域
test.dnssec. 86400 IN SOA ns.test.dnssec. mxadmin.test.dnssec. (
2010090902 ; serial
21600 ; refresh (6 hours)
3600 ; retry (1 hour)
1814400 ; expire (3 weeks)
172800 ; minimum (2 days)
)
86400 RRSIG SOA 5 2 86400 20101009062248 (
20100909062248 40665 test.dnssec.
eY99laB6PrtETaXLdCS+G8Uq1lIK7d5vxUB1
pAQ9npv/YbvX1pdWZKGojDgPGw8V65Q0zKQo
YW1VuBzvwfSRKax+yrjJzvHQGfCZPJWARehK
hgLxHOfXLVH7tyndvLD49ZKcWtrop+Tuy4n9
apWWfSJZxCOngwS7zUi0zCTKfPs= )
86400 NS ns1.test.dnssec.
86400 RRSIG NS 5 2 86400 20101009062248 (
20100909062248 40665 test.dnssec.
lmlP/Mb2qEXPSlajgSDn/CqWk/jokVCmqjeo
idNuytxbiFnbCOunzvaYpgvDpEr0CPrwXaDL
TSnb/w53tZl7GHRImJo50vwwNZljLzNT6CFw
aaQXFc3rDLsXjCi+WF0/Z7meteM4jYdx5nrV
Qx9pgur7VPbP88bJOqWCPBev2Ho= )
172800 NSEC a.test.dnssec. NS SOA RRSIG NSEC DNSKEY
172800 RRSIG NSEC 5 2 172800 20101009062248 (
20100909062248 40665 test.dnssec.
E76ayamsAAz8Zcj7060KY0nTFzHPztM/Pkc5
OM0EcP7C5+ocn4L8M2J0rmR3jxfYvCpOk0BQ
Zniqn9Aw41Qk068yJ2dfDPwV5zT0+te0nzwC
/awJGPMXLzMj4JejYTlTiKfspGDJCG44F+lb
lHXdcUhbjXf3loqMQadZFQ/eSn0= )
86400 DNSKEY 256 3 5 (
AwEAAbQ8qrNN5vetx/7E1VOgXZ7fLqwG1y/i
55hWGCeLbcS95ratT9A6UospOvPSwPTlrFgF
RWP67Pubzbsy7/damS1F1+p4GgBQway52Hd1
8HjdHKKC6kIxna9pOJBRfhCdzAsv9LnpRvrw
mDpcFAqhdn5k5RqwcUF1eOZrKjxXjAOr
) ; key id = 40665
86400 DNSKEY 257 3 5 (
AwEAAcd4dxWyTgOuqha0DJADUH0pk5jvnwdM
ZhgZaqnayUdeTh8U9WOjOUHdVCGywZS6NTVp
xXqhcegWzh2ZR5VN6thuhezt7kbzLNWbPe7m
YF29/ZTXB6nmdSxruQlSvYhzkWTaPNtfrUnI
UlbDRxUFWQkSHj9LA1TG76FpR6uqOj1sNrWX
nPb/Hwp1Sb2Ik4FlifKb/Vu1+/UnclRJgfPm
p2HGTeNYpfk15JHBPSYxJ1TuedXQIdkPGlQX
ISmAeV1evGomCC/x9DNleDHCszJOptwurzRP
Z7wRXcWnbXz1BU8rAqvUZL3M4UgdNRR5LLTz
CkRnrlvXYJpgzDtgmQxE9Bs=
) ; key id = 59647
86400 RRSIG DNSKEY 5 2 86400 20101009062248 (
20100909062248 40665 test.dnssec.
sa4W3tvl6n0TkIcq3xzhG17C2O0lRhllrpUd
n5Hs6yVo8r7stewP6tm2XscQiAeseDgmv28w
s6Mtiz8uPUbrgFRb6SJk7coH2n/2Y3//S9YP
NldDFv3luPnnU1TBb3jDsBKIZWHU9yl/cLNA
OKUhlMDd40txk+fQi3iiV5Ls9K8= )
86400 RRSIG DNSKEY 5 2 86400 20101009062248 (
20100909062248 59647 test.dnssec.
b5fz0dEp2co2pVO7biY896XmsJanjQIR69vC
MvSF104/9iZk6eGVFi6hsa4aZcXutEjUDESB
ynPkDjMWWIIhN6K1jYKGIc/sFKv1IUONRYHF
KXGgZhC6aI0B1E4NA9AXLjlBVF60nHdc3iw8
5gTLDjypP3qAZrnzMvdiBopLnVdB25UZYKn8
mGpOuzKqX02TGMCFMlEVtMX4FP/XKAE8UjiQ
5ehC1JvIKIyg/2zM+ot3nmcqqtUfzp/Hweyc
aIkl/9wPJPwMedfTqOjfUKFdB+GiZ0Zz16HZ
5MfJui5IGh5Y6Q04kMrnap2V5U7mByTzx/ud
V/eFYhmSHGtAXzBjMA== )
a.test.dnssec. 86400 IN A 1.1.1.1
86400 RRSIG A 5 3 86400 20101009062248 (
20100909062248 40665 test.dnssec.
P52N9ypCrYsgS4CFcUmII0xjyE6KNL9ndhzH
oU63fHJHQHeQV+fc0Rx8cCmZSzuqk1lSBelV
3Gcl9UNNuCAQ4ORQ/yJkiZ1zn7h93Mep9qsg
YEUQJMfk4FLjYW67DHNcuoCnKbDJhZS0ndVf
I474k7ZEZJsGslwk/vcIoFnTa4o= )
172800 NSEC b.test.dnssec. A RRSIG NSEC
172800 RRSIG NSEC 5 3 172800 20101009062248 (
20100909062248 40665 test.dnssec.
TCduf7xPSrWvEAzBO7Kx5haR85yA/lbsswkQ
v0QxlskqAqo+9YedGQV+wGblbCIOmkomrYcq
u/rXQ5yoQ3SDXd/bw6EFdoQmH8UJOjMc7SdR
xY93MjawPB6XXlJsSlbBFPWJwEpILVRhdBFX
czdS5VCa1KmhAYZYQp1FY9rMelA= )
b.test.dnssec. 86400 IN A 2.2.2.2
86400 RRSIG A 5 3 86400 20101009062248 (
20100909062248 40665 test.dnssec.
f0M6Tcqe6B09ctaN3BGAit4u4cJE8x3Ik8sh
gyMu0GN/lMv/Bo7PB6hgylLam3HXtF1pPAzX
oYudXmhU8afPapHMXfUitC1lFQB5ZW052ZC7
JXV9MnGULydz1blj2EdN+JL3Za8SJKM0LrLB
XdQ+QUV+A/6N7hUV6usz5YmdBeI= )
172800 NSEC ns1.test.dnssec. A RRSIG NSEC
172800 RRSIG NSEC 5 3 172800 20101009062248 (
20100909062248 40665 test.dnssec.
sc6v19dcOFVa295/Xf1pKxBhbdpEErY8CTDQ
fw2fjJf0Y3wL1Y1Mlr5zi5ShceQwgua+6YHE
DWNbAPcXrJ0lLMU4DU5r0sAyBiBCgCavngGk
i59W+nv11zuIpPMnlaMHpJVfJrQ+c4z7H9MH
77B0fMRFTUnvAXoq6ag8Q5POITI= )
ns1.test.dnssec. 86400 IN A 3.3.3.3
86400 RRSIG A 5 3 86400 20101009062248 (
20100909062248 40665 test.dnssec.
UQ3hR/++ta1GokxGz8Yh+GomMcA+xhd3z2Ke
z0tdFiNfxvGbm85XyCtSqJIo2S/ZLVJUv/mG
nGJbicTfJSziKzYZsD7dp0WJiUK3l7lQ/HpP
5FL8SbjlovVYYAG5woW4p3+os28mmCAJA8gP
JTywbcREEhFB4cir2M/QVP+9h+Y= )
172800 NSEC test.dnssec. A RRSIG NSEC
172800 RRSIG NSEC 5 3 172800 20101009062248 (
20100909062248 40665 test.dnssec.
i7F/ezGl/pGXCC6JyVDaxuwdZMAgv9QLxwzi
PTgjCG8Sj6pTIxaQkSLwXsoB9gF77WWBANow
R2SWdz0Zai2vWnv/NYoNm9ZfRJEQ9NuExeYp
rvX/+lLOHvZXN6tUerIQbWAxO2GwdzHoejSn
wReUNVr9MxzZUvuJ33Z7X/7s9VQ= )
Named.conf(缓存/解析器)
// rndc control channel: loopback only, authenticated with rndc-key from /etc/rndc.key.
include "/etc/rndc.key";
controls {
inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};
options{
// Override the version.bind / hostname.bind / ID.SERVER CH TXT answers so the
// running software version and host name are not disclosed to queriers.
version "Peticion no permitida/Query not allowed";
hostname "Peticion no permitida/Query not allowed";
server-id "Peticion no permitida/Query not allowed";
directory "/etc/DNS_RIMA";
pid-file "named.pid";
// Caching resolver: answers recursively and never sends NOTIFY.
recursion yes;
notify no;
#DNSSEC
// Validation happens on this server. The AD flag is only returned to clients
// that signal DNSSEC awareness (DO bit, e.g. dig +dnssec); a validation
// failure is reported to every client as SERVFAIL regardless of the DO bit.
dnssec-enable yes;
dnssec-validation yes;
listen-on {127.0.0.1; 172.23.2.87; 80.58.102.37; 80.58.102.115; };
#listen-on {127.0.0.1; 80.58.102.37; 80.58.102.115; };
// Queries are accepted only from the "telefonica" ACL, which must be defined
// elsewhere in the configuration — it is not part of this excerpt.
// NOTE(review): allow-recursion / allow-query-cache are not set explicitly;
// presumably they default from allow-query in this BIND version — confirm that
// the public listen addresses are not left recursing for arbitrary clients.
allow-query { telefonica; };
allow-transfer { none; };
recursive-clients 40000;
max-cache-size 838860800; // bytes (800 MiB)
rrset-order { order fixed;};
max-ncache-ttl 600;
};
// Static trust anchor for test.dnssec: the zone's KSK (flags 257, key id 59647
// in the signed zone). A static trusted-keys entry has to be replaced by hand
// whenever the KSK is rolled; a stale anchor makes every answer from the zone
// fail validation (SERVFAIL). NOTE(review): the key material appears broken
// across two lines here — confirm the real file holds one unbroken base64 string.
trusted-keys {
"test.dnssec." 257 3 5 "AwEAAcd4dxWyTgOuqha0DJADUH0pk5jvnwdMZhgZaqnayUdeTh8U9WOjOUHdVCGywZS6NTVpxXqhcegWzh2ZR5VN6thuhezt7kbzLNWbPe7mYF29/ZT XB6nmdSxruQlSvYhzkWTaPNtfrUnIUlbDRxUFWQkSHj9LA1TG76FpR6uqOj1sNrWXnPb/Hwp1Sb2Ik4FlifKb/Vu1+/UnclRJgfPmp2HGTeNYpfk15JHBPSYxJ1TuedXQIdkPGlQXIS
mAeV1evGomCC/x9DNleDHCszJOptwurzRPZ7wRXcWnbXz1BU8rAqvUZL3M4UgdNRR5LLTzCkRnrlvXYJpgzDtgmQxE9Bs=";
};
我已经配置了一个安全区域(test.dnssec),并且正在尝试从解析器到名称服务器(172.23.2.57)执行一些查询:
/usr/local/bin/dig @172.23.2.57 a.test.dnssec +dnssec
; <<>> DiG 9.7.1-P2 <<>> @172.23.2.57 a.test.dnssec +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2654
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;a.test.dnssec. IN A
;; ANSWER SECTION:
a.test.dnssec. 86400 IN A 1.1.1.1
a.test.dnssec. 86400 IN RRSIG A 5 3 86400 20101009062248 20100909062248 40665 test.dnssec. P52N9ypCrYsgS4CFcUmII0xjyE6KNL9ndhzHoU63fHJHQHeQV+ fc0Rx8 cCmZSzuqk1lSBelV3Gcl9UNNuCAQ4ORQ/yJkiZ1zn7h93Mep9qsgYEUQ JMfk4FLjYW67DHNcuoCnKbDJhZS0ndVfI474k7ZEZJsGslwk/vcIoFnT a4o=
;; AUTHORITY SECTION:
test.dnssec. 86400 IN NS ns1.test.dnssec.
test.dnssec. 86400 IN RRSIG NS 5 2 86400 20101009062248 20100909062248 40665 test.dnssec. lmlP/Mb2qEXPSlajgSDn/CqWk/jokVCmqjeoidNuytxbiFnbCOunzvaY pgvDpEr0CPrwXaDLTSnb/w53tZl7GHRImJo50vwwNZljLzNT6CFwaaQX Fc3rDLsXjCi+WF0/Z7meteM4jYdx5nrVQx9pgur7VPbP88bJOqWCPBev 2Ho=
;; ADDITIONAL SECTION:
ns1.test.dnssec. 86400 IN A 3.3.3.3
ns1.test.dnssec. 86400 IN RRSIG A 5 3 86400 20101009062248 20100909062248 40665 test.dnssec. UQ3hR/++ta1GokxGz8Yh+GomMcA+xhd3z2Kez0tdFiNfxvGbm85XyCtS qJIo2S/ZLVJUv/mGnGJbicTfJSziKzYZsD7dp0WJiUK3l7lQ/HpP5FL8 SbjlovVYYAG5woW4p3+os28mmCAJA8gPJTywbcREEhFB4cir2M/QVP+9 h+Y=
;; Query time: 1 msec
;; SERVER: 172.23.2.57#53(172.23.2.57)
;; WHEN: Thu Sep 9 09:47:14 2010
;; MSG SIZE rcvd: 605
我获得了正确答案以及 RRSIG 记录,但问题是我没有看到 AD 标志被置位。
知道哪里出了问题吗?
答案1
你不会看到。AD 位不是由权威服务器设置的,只有完成了信任链验证的递归解析器才会设置它。我知道这看起来很愚蠢,因为权威服务器本身就持有密钥 —— 但事实就是如此。
答案2
根据 user53814 的回答,你不会从权威服务器获得 AD 位。这是设计使然 —— 仅仅因为服务器持有密钥,并不能证明它持有的是正确的密钥。
您的递归解析器会执行验证,但除非客户端已通过在查询中发送 DO 位(即 dig 使用 +dnssec 选项)来表明自己支持 DNSSEC,否则它不会在回答中返回 AD 位。这就是 DNSSEC 保持向后兼容性的方式:确保不会把意料之外的 DNSSEC 数据发送给不期望它的客户端。
但请注意,您的验证型递归解析器仍会通过返回 SERVFAIL 错误代码来指示验证失败。因此,不支持 DNSSEC 的存根解析器只要与支持 DNSSEC 的递归解析器通信,仍可避免收到错误的答案。
答案3
我遇到了同样的问题。通过更新到 Debian jessie 中包含的 bind (1:9.9.5.dfsg-7),并在 /etc/bind/named.conf.options 中加入 dnssec-validation auto; 解决了该问题。现在,除权威域之外的所有域都设置了 AD 标志。