DNSSEC - AD flag not set

I have some questions about DNSSEC. I have one server acting as an authoritative name server and another acting as a caching resolver. I'm using Bind 9.7.1-P2, and these are my configuration files:

Named.conf (authoritative server)

// Server configuration options

include "/etc/rndc.key";

controls {
  inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};

options {
     version "Peticion no permitida/Query not allowed";
     hostname "Peticion no permitida/Query not allowed";
     server-id "Peticion no permitida/Query not allowed";
     directory "/etc/DNS_RIMA";
     pid-file "named.pid";
     notify yes;
    #files 65535;
    dnssec-enable yes;
    dnssec-validation yes;
    allow-transfer { 172.23.2.37; 172.23.3.39; };
    transfer-format many-answers;
    transfers-per-ns 5;
    transfers-in 10;
    max-transfer-time-in 120;
    check-names master ignore;
    listen-on {172.23.2.57; 80.58.102.13; 80.58.102.103; 127.0.0.1; };
};


zone "test.dnssec" {
  type master;
  key-directory "keys";
  file "db.test.dnssec.signed";
  also-notify { 172.23.2.37 ; 172.23.3.39 ; };
  allow-transfer { 172.23.2.37 ; 172.23.3.39 ; };
};

test.dnssec zone

test.dnssec.            86400   IN SOA  ns.test.dnssec. mxadmin.test.dnssec. (
                                    2010090902 ; serial
                                    21600      ; refresh (6 hours)
                                    3600       ; retry (1 hour)
                                    1814400    ; expire (3 weeks)
                                    172800     ; minimum (2 days)
                                    )
                    86400   RRSIG   SOA 5 2 86400 20101009062248 (
                                    20100909062248 40665 test.dnssec.
                                    eY99laB6PrtETaXLdCS+G8Uq1lIK7d5vxUB1
                                    pAQ9npv/YbvX1pdWZKGojDgPGw8V65Q0zKQo
                                    YW1VuBzvwfSRKax+yrjJzvHQGfCZPJWARehK
                                    hgLxHOfXLVH7tyndvLD49ZKcWtrop+Tuy4n9
                                    apWWfSJZxCOngwS7zUi0zCTKfPs= )
                    86400   NS      ns1.test.dnssec.
                    86400   RRSIG   NS 5 2 86400 20101009062248 (
                                    20100909062248 40665 test.dnssec.
                                    lmlP/Mb2qEXPSlajgSDn/CqWk/jokVCmqjeo
                                    idNuytxbiFnbCOunzvaYpgvDpEr0CPrwXaDL
                                    TSnb/w53tZl7GHRImJo50vwwNZljLzNT6CFw
                                    aaQXFc3rDLsXjCi+WF0/Z7meteM4jYdx5nrV
                                    Qx9pgur7VPbP88bJOqWCPBev2Ho= )
                    172800  NSEC    a.test.dnssec. NS SOA RRSIG NSEC DNSKEY
                    172800  RRSIG   NSEC 5 2 172800 20101009062248 (
                                    20100909062248 40665 test.dnssec.
                                    E76ayamsAAz8Zcj7060KY0nTFzHPztM/Pkc5
                                    OM0EcP7C5+ocn4L8M2J0rmR3jxfYvCpOk0BQ
                                    Zniqn9Aw41Qk068yJ2dfDPwV5zT0+te0nzwC
                                    /awJGPMXLzMj4JejYTlTiKfspGDJCG44F+lb
                                    lHXdcUhbjXf3loqMQadZFQ/eSn0= )
                    86400   DNSKEY  256 3 5 (
                                    AwEAAbQ8qrNN5vetx/7E1VOgXZ7fLqwG1y/i
                                    55hWGCeLbcS95ratT9A6UospOvPSwPTlrFgF
                                    RWP67Pubzbsy7/damS1F1+p4GgBQway52Hd1
                                    8HjdHKKC6kIxna9pOJBRfhCdzAsv9LnpRvrw
                                    mDpcFAqhdn5k5RqwcUF1eOZrKjxXjAOr
                                    ) ; key id = 40665
                    86400   DNSKEY  257 3 5 (
                                    AwEAAcd4dxWyTgOuqha0DJADUH0pk5jvnwdM
                                    ZhgZaqnayUdeTh8U9WOjOUHdVCGywZS6NTVp
                                    xXqhcegWzh2ZR5VN6thuhezt7kbzLNWbPe7m
                                    YF29/ZTXB6nmdSxruQlSvYhzkWTaPNtfrUnI
                                    UlbDRxUFWQkSHj9LA1TG76FpR6uqOj1sNrWX
                                    nPb/Hwp1Sb2Ik4FlifKb/Vu1+/UnclRJgfPm
                                    p2HGTeNYpfk15JHBPSYxJ1TuedXQIdkPGlQX
                                    ISmAeV1evGomCC/x9DNleDHCszJOptwurzRP
                                    Z7wRXcWnbXz1BU8rAqvUZL3M4UgdNRR5LLTz
                                    CkRnrlvXYJpgzDtgmQxE9Bs=
                                    ) ; key id = 59647
                    86400   RRSIG   DNSKEY 5 2 86400 20101009062248 (
                                    20100909062248 40665 test.dnssec.
                                    sa4W3tvl6n0TkIcq3xzhG17C2O0lRhllrpUd
                                    n5Hs6yVo8r7stewP6tm2XscQiAeseDgmv28w
                                    s6Mtiz8uPUbrgFRb6SJk7coH2n/2Y3//S9YP
                                    NldDFv3luPnnU1TBb3jDsBKIZWHU9yl/cLNA
                                    OKUhlMDd40txk+fQi3iiV5Ls9K8= )
                    86400   RRSIG   DNSKEY 5 2 86400 20101009062248 (
                                    20100909062248 59647 test.dnssec.
                                    b5fz0dEp2co2pVO7biY896XmsJanjQIR69vC
                                    MvSF104/9iZk6eGVFi6hsa4aZcXutEjUDESB
                                    ynPkDjMWWIIhN6K1jYKGIc/sFKv1IUONRYHF
                                    KXGgZhC6aI0B1E4NA9AXLjlBVF60nHdc3iw8
                                    5gTLDjypP3qAZrnzMvdiBopLnVdB25UZYKn8
                                    mGpOuzKqX02TGMCFMlEVtMX4FP/XKAE8UjiQ
                                    5ehC1JvIKIyg/2zM+ot3nmcqqtUfzp/Hweyc
                                    aIkl/9wPJPwMedfTqOjfUKFdB+GiZ0Zz16HZ
                                    5MfJui5IGh5Y6Q04kMrnap2V5U7mByTzx/ud
                                    V/eFYhmSHGtAXzBjMA== )
a.test.dnssec.          86400   IN A    1.1.1.1
                    86400   RRSIG   A 5 3 86400 20101009062248 (
                                    20100909062248 40665 test.dnssec.
                                    P52N9ypCrYsgS4CFcUmII0xjyE6KNL9ndhzH
                                    oU63fHJHQHeQV+fc0Rx8cCmZSzuqk1lSBelV
                                    3Gcl9UNNuCAQ4ORQ/yJkiZ1zn7h93Mep9qsg
                                    YEUQJMfk4FLjYW67DHNcuoCnKbDJhZS0ndVf
                                    I474k7ZEZJsGslwk/vcIoFnTa4o= )
                    172800  NSEC    b.test.dnssec. A RRSIG NSEC
                    172800  RRSIG   NSEC 5 3 172800 20101009062248 (
                                    20100909062248 40665 test.dnssec.
                                    TCduf7xPSrWvEAzBO7Kx5haR85yA/lbsswkQ
                                    v0QxlskqAqo+9YedGQV+wGblbCIOmkomrYcq
                                    u/rXQ5yoQ3SDXd/bw6EFdoQmH8UJOjMc7SdR
                                    xY93MjawPB6XXlJsSlbBFPWJwEpILVRhdBFX
                                    czdS5VCa1KmhAYZYQp1FY9rMelA= )
b.test.dnssec.          86400   IN A    2.2.2.2
                    86400   RRSIG   A 5 3 86400 20101009062248 (
                                    20100909062248 40665 test.dnssec.
                                    f0M6Tcqe6B09ctaN3BGAit4u4cJE8x3Ik8sh
                                    gyMu0GN/lMv/Bo7PB6hgylLam3HXtF1pPAzX
                                    oYudXmhU8afPapHMXfUitC1lFQB5ZW052ZC7
                                    JXV9MnGULydz1blj2EdN+JL3Za8SJKM0LrLB
                                    XdQ+QUV+A/6N7hUV6usz5YmdBeI= )
                    172800  NSEC    ns1.test.dnssec. A RRSIG NSEC
                    172800  RRSIG   NSEC 5 3 172800 20101009062248 (
                                    20100909062248 40665 test.dnssec.
                                    sc6v19dcOFVa295/Xf1pKxBhbdpEErY8CTDQ
                                    fw2fjJf0Y3wL1Y1Mlr5zi5ShceQwgua+6YHE
                                    DWNbAPcXrJ0lLMU4DU5r0sAyBiBCgCavngGk
                                    i59W+nv11zuIpPMnlaMHpJVfJrQ+c4z7H9MH
                                    77B0fMRFTUnvAXoq6ag8Q5POITI= )
ns1.test.dnssec.        86400   IN A    3.3.3.3
                    86400   RRSIG   A 5 3 86400 20101009062248 (
                                    20100909062248 40665 test.dnssec.
                                    UQ3hR/++ta1GokxGz8Yh+GomMcA+xhd3z2Ke
                                    z0tdFiNfxvGbm85XyCtSqJIo2S/ZLVJUv/mG
                                    nGJbicTfJSziKzYZsD7dp0WJiUK3l7lQ/HpP
                                    5FL8SbjlovVYYAG5woW4p3+os28mmCAJA8gP
                                    JTywbcREEhFB4cir2M/QVP+9h+Y= )
                    172800  NSEC    test.dnssec. A RRSIG NSEC
                    172800  RRSIG   NSEC 5 3 172800 20101009062248 (
                                    20100909062248 40665 test.dnssec.
                                    i7F/ezGl/pGXCC6JyVDaxuwdZMAgv9QLxwzi
                                    PTgjCG8Sj6pTIxaQkSLwXsoB9gF77WWBANow
                                    R2SWdz0Zai2vWnv/NYoNm9ZfRJEQ9NuExeYp
                                    rvX/+lLOHvZXN6tUerIQbWAxO2GwdzHoejSn
                                    wReUNVr9MxzZUvuJ33Z7X/7s9VQ= )

Named.conf (caching resolver)

include "/etc/rndc.key";

controls {
   inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};


options {
    version "Peticion no permitida/Query not allowed";
    hostname "Peticion no permitida/Query not allowed";
    server-id "Peticion no permitida/Query not allowed";
    directory "/etc/DNS_RIMA";
    pid-file "named.pid";
    recursion yes;
    notify no;
    #DNSSEC
    dnssec-enable yes;
    dnssec-validation yes;
    listen-on {127.0.0.1; 172.23.2.87; 80.58.102.37; 80.58.102.115; };
    #listen-on {127.0.0.1; 80.58.102.37; 80.58.102.115; };
    allow-query { telefonica; };
    allow-transfer { none; };
    recursive-clients 40000;
    max-cache-size 838860800;
    rrset-order { order fixed;};
    max-ncache-ttl 600;
};


trusted-keys {
    "test.dnssec." 257 3 5 "AwEAAcd4dxWyTgOuqha0DJADUH0pk5jvnwdMZhgZaqnayUdeTh8U9WOjOUHdVCGywZS6NTVpxXqhcegWzh2ZR5VN6thuhezt7kbzLNWbPe7mYF29/ZTXB6nmdSxruQlSvYhzkWTaPNtfrUnIUlbDRxUFWQkSHj9LA1TG76FpR6uqOj1sNrWXnPb/Hwp1Sb2Ik4FlifKb/Vu1+/UnclRJgfPmp2HGTeNYpfk15JHBPSYxJ1TuedXQIdkPGlQXISmAeV1evGomCC/x9DNleDHCszJOptwurzRPZ7wRXcWnbXz1BU8rAqvUZL3M4UgdNRR5LLTzCkRnrlvXYJpgzDtgmQxE9Bs=";
};

I have configured a signed zone (test.dnssec), and I'm trying to run some queries from the resolver against the name server (172.23.2.57):

/usr/local/bin/dig @172.23.2.57 a.test.dnssec +dnssec

; <<>> DiG 9.7.1-P2 <<>> @172.23.2.57 a.test.dnssec +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2654
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;a.test.dnssec. IN A

;; ANSWER SECTION:
a.test.dnssec. 86400 IN A 1.1.1.1
a.test.dnssec. 86400 IN RRSIG A 5 3 86400 20101009062248 20100909062248 40665 test.dnssec. P52N9ypCrYsgS4CFcUmII0xjyE6KNL9ndhzHoU63fHJHQHeQV+fc0Rx8 cCmZSzuqk1lSBelV3Gcl9UNNuCAQ4ORQ/yJkiZ1zn7h93Mep9qsgYEUQ JMfk4FLjYW67DHNcuoCnKbDJhZS0ndVfI474k7ZEZJsGslwk/vcIoFnT a4o=

;; AUTHORITY SECTION:
test.dnssec. 86400 IN NS ns1.test.dnssec.
test.dnssec. 86400 IN RRSIG NS 5 2 86400 20101009062248 20100909062248 40665 test.dnssec. lmlP/Mb2qEXPSlajgSDn/CqWk/jokVCmqjeoidNuytxbiFnbCOunzvaY pgvDpEr0CPrwXaDLTSnb/w53tZl7GHRImJo50vwwNZljLzNT6CFwaaQX Fc3rDLsXjCi+WF0/Z7meteM4jYdx5nrVQx9pgur7VPbP88bJOqWCPBev 2Ho=

;; ADDITIONAL SECTION:
ns1.test.dnssec. 86400 IN A 3.3.3.3
ns1.test.dnssec. 86400 IN RRSIG A 5 3 86400 20101009062248 20100909062248 40665 test.dnssec. UQ3hR/++ta1GokxGz8Yh+GomMcA+xhd3z2Kez0tdFiNfxvGbm85XyCtS qJIo2S/ZLVJUv/mGnGJbicTfJSziKzYZsD7dp0WJiUK3l7lQ/HpP5FL8 SbjlovVYYAG5woW4p3+os28mmCAJA8gPJTywbcREEhFB4cir2M/QVP+9 h+Y=

;; Query time: 1 msec
;; SERVER: 172.23.2.57#53(172.23.2.57)
;; WHEN: Thu Sep 9 09:47:14 2010
;; MSG SIZE rcvd: 605

I get the correct answer along with the RRSIG records, but the problem is that I don't see the AD flag set.

Any idea what's wrong?

Answer 1

You won't. AD is not set by the authoritative server, only by a validating recursive resolver that has verified the chain of trust. I know it seems silly, since the authoritative server has the keys, but that's how it is.

Answer 2

As per user53814's answer, you won't get the AD bit from the authoritative server. This is by design: just because a server has keys doesn't prove that it has the right keys.

Your recursive resolver will perform the validation, but it won't send back the AD bit unless the client has indicated DNSSEC awareness by sending the DO bit in the query (i.e. by using the +dnssec option in dig). This is how DNSSEC maintains backwards compatibility, by ensuring that unexpected DNSSEC data isn't sent to clients that don't expect it.

Note, however, that your validating recursive resolver will still indicate a validation failure by returning a SERVFAIL error code. So a non-DNSSEC-aware stub is still protected from receiving bogus answers merely by talking to a DNSSEC-aware recursor.
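To see the mechanics that answers 1 and 2 describe on the wire, here is an added example (not code from the question or from either answer). It builds the same query that dig +dnssec sends, an ordinary A question plus an EDNS0 OPT record whose DO bit is set, and decodes the AA and AD header flags from a reply. The three SAMPLE_* headers are constructed by hand: the first mirrors the reply from 172.23.2.57 in the question (flags qr aa rd ra), the other two show what a validating resolver returns when validation succeeds and when it fails. ask() sends a real query to whatever server address you give it and needs network access; everything else runs offline.

```python
# Added example (not from the question or answers): build the query `dig +dnssec`
# sends and decode the AA/AD flags of a reply.  Standard library only; the
# SAMPLE_* headers below are constructed by hand to mirror the dig output above.
import socket
import struct

QR, AA, RD, RA, AD = 0x8000, 0x0400, 0x0100, 0x0080, 0x0020  # header flags (RFC 1035, RFC 4035 3.2.3)
DO = 0x00008000   # EDNS0 "DNSSEC OK": high bit of the flags half of the OPT record's TTL (RFC 6891)
OPT = 41
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def encode_name(name):
    out = bytearray()
    for label in name.rstrip(".").split("."):
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def build_query(qname, qtype=1, want_dnssec=True, txid=0x1234):
    """RD set, one question and, like `dig +dnssec`, an OPT RR carrying DO."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 1 if want_dnssec else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b""
    if want_dnssec:
        # OPT RR: owner ".", TYPE 41, CLASS = UDP payload size, TTL = ext-rcode|version|flags, RDLEN 0
        opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, DO, 0)
    return header + question + opt


def _skip_name(pkt, off):
    """Offset just past the (possibly compressed) name starting at off."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def query_has_do(pkt):
    """True if the packet carries an OPT RR with DO set, i.e. it asked for DNSSEC records."""
    qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4   # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == OPT:
            return bool(ttl & DO)
        off += 10 + rdlen
    return False


def parse_flags(pkt):
    """Header fields that decide what a DNSSEC reply means."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": txid, "aa": bool(flags & AA), "ad": bool(flags & AD),
            "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "answers": an}


def explain(f):
    """Verdict for the flag combination, following answers 1 and 2."""
    if f["rcode"] == "SERVFAIL":
        return "SERVFAIL: the resolver would not hand out data it could not validate"
    if f["ad"]:
        return "AD set: a validating resolver verified the chain of trust"
    if f["aa"]:
        return "AA set, AD clear: authoritative answer; authoritative servers never set AD"
    return "AD clear: not validated (no trust anchor, validation off, or no DO in the query)"


def ask(server, qname, want_dnssec=True, timeout=3.0):
    """Send the query over UDP to server:53 and return the parsed flags (needs the network)."""
    q = build_query(qname, want_dnssec=want_dnssec)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return parse_flags(data)


# Constructed 12-byte headers; the RR payload plays no part in the flags.
# Authoritative reply from the question: flags qr aa rd ra; ANSWER 2, AUTHORITY 2, ADDITIONAL 3.
SAMPLE_AUTHORITATIVE = struct.pack("!HHHHHH", 2654, QR | AA | RD | RA, 1, 2, 2, 3)
# Validating resolver that trusts the zone's KSK: flags qr rd ra ad.
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 2654, QR | RD | RA | AD, 1, 2, 0, 1)
# Same resolver when validation fails (bad signature, expired RRSIG, wrong anchor): SERVFAIL.
SAMPLE_BOGUS = struct.pack("!HHHHHH", 2654, QR | RD | RA | 2, 1, 0, 0, 1)

if __name__ == "__main__":
    for label, pkt in (("authoritative", SAMPLE_AUTHORITATIVE), ("validated", SAMPLE_VALIDATED), ("bogus", SAMPLE_BOGUS)):
        f = parse_flags(pkt)
        print(f"{label:14s} aa={f['aa']} ad={f['ad']} rcode={f['rcode']} -> {explain(f)}")
```

Pointing ask() at the resolver (ask("172.23.2.87", "a.test.dnssec")) and at the authoritative server (ask("172.23.2.57", "a.test.dnssec")) should reproduce the two cases the answers describe: AD from the validator that holds the trusted-keys entry, AA without AD from the zone's own server. Remember that AD is only a claim made by the resolver; a stub can rely on it only if the path to that resolver is trusted, so a client that cares should either validate itself or reach the resolver over a protected channel.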

Answer 3

I had the same problem. It was solved by updating to the bind included in Debian jessie (1:9.9.5.dfsg-7) and putting dnssec-validation auto; into /etc/bind/named.conf.options. Now all domains except the authoritative one have the ad flag set.
