bind9.10 dnssec inline signing failure

I'm fairly sure the final error is this:

[\u@r2d2:/home/ex-mailer-domains/domain.com] # dig domain.com +dnssec @8.8.8.8

; <<>> DiG 9.10.3 <<>> domain.com +dnssec @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16509
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;domain.com.               IN      A

;; Query time: 187 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Dec 08 19:17:22 UTC 2015
;; MSG SIZE  rcvd: 44

I can query the servers (master and slave):

[\u@r2d2:/home/ex-mailer-domains/domain.com] # dig domain.com @108.61.190.64 +dnssec +multi

; <<>> DiG 9.10.3 <<>> domain.com @108.61.190.64 +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50374
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 9
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;domain.com.       IN A

;; ANSWER SECTION:
domaian.com.        86400 IN A 108.61.175.20
domaian.com.        86400 IN RRSIG A 8 2 86400 (
                                20160107130220 20151208123524 65103 domaian.com.
                                DLxITL2qKeDpiN/2Zxb/vzllFV1ZaDmzyYObKTMeiFS/
                                JFCSKIWQlvdz3uGQwjmZaNUAW59NTqfPPLDr3d94h1/L
                                KfY2PAd0rN74HSyApOiU0VaoU7sFCbIJzavyNmKeYOw0
                                yS1SUvsOWOPFj6qZx0uUzWOeD0thsH4GgbHjKKYKB5cR
                                djGmxzpxWgV7GdVKrn1G/Uhf/oDDavAVQa8BylfGSGO/
                                djcjjVgf/bJ3NRgcFnZUL7LLioRRlZ+pGsa43tKmIRFC
                                QgmV0DS3mLqZXAi7MpK01pFsfKg8lsF88jgVGxuR6TAD
                                VKCgr9lVftyF/hdKwGP1RERnO+fGRfpQyw== )

;; AUTHORITY SECTION:
domaian.com.        86400 IN NS r2d2.ex-mailer.com.
domaian.com.        86400 IN NS yoda.ex-mailer.com.
domaian.com.        86400 IN RRSIG NS 8 2 86400 (
                                20160107130220 20151208123524 65103 domaian.com.
                                ryHGOpEncjwVPHc+zs2HrESijbBLH/rrmOYkpmoRSKpO
                                yJTzAMN2u8cKTfJfBvFQ/Pk79kJ2vsu6c3dvWTXCB1sD
                                jQFuhQTbT4XlYFbzx/2tyxvWOlYRBetmwRV8TcrwH7TT
                                VlBX4fMoNA/mVmU9W/fzY5rKLH/X5RhWL1zOD+yF4CSk
                                sTrFcTXDppENdTfzbyoSSpaDmliQYDmQ5cPaXsVa4RFb
                                fwDdmohS1IhQe9mw5GnciEE8x1ayxNf3043ysoo9a+ST
                                4egpc3XfqwE1w8xTJYjZYXFTPBDqQnWLmLDFfluat5Wo
                                JwLBzB2qRoxHQmaP05BHuKFPwLDXoPx77Q== )

;; ADDITIONAL SECTION:
r2d2.ex-mailer.com.     86400 IN A 107.191.60.48
r2d2.ex-mailer.com.     86400 IN AAAA 2001:19f0:7000:8945::64
yoda.ex-mailer.com.     86400 IN A 108.61.190.64
yoda.ex-mailer.com.     86400 IN AAAA 2001:19f0:6c00:8141::64
r2d2.ex-mailer.com.     86400 IN RRSIG A 8 3 86400 (
                                20170604020000 20150604233623 9381 ex-mailer.com.
                                Ea+o29rgxJRTo0pZlNHIL6vPMCgQvgt+tcJJf3VvH7BK
                                U4gNjOfEJB4uvy+3PYB9OX0KQ5gngbWzdAAXdiSveaoo
                                XJ+REc07V7aHjlqLn4SuBBAzfEhFVUGjrLT3wXTVp0bK
                                kAkooksctvB2tWnlnkrXM8i5PES8tPXT2By50DN57LTE
                                V3l0mSlBb4ibWn8SfFDsELVYzTE3SwMsiMfA0DaJj8th
                                6v0qmQp1LzE1yyMm6Bu7OrgMRCAG8wOLqGg8jOw+BNq7
                                4gvmnUm8mjh2iaUg2etc2h2oi6RqOdHVDTYYD+VzxJYv
                                H3FDvnSbEgSqcBIB8GTTgQ/MRLLpzf0MuA== )
r2d2.ex-mailer.com.     86400 IN RRSIG AAAA 8 3 86400 (
                                20170604020000 20150604233623 9381 ex-mailer.com.
                                YHSyU0k2yNl9dJ551Kl1YnDpwqqcDSdeiPoA1ZNbcJ2u
                                QcuXlAugTsyII0HLxVi+oRXarhPLE11Mr4WiFh5EVuGA
                                gLJDMgQoZx8wSTaWKE8l5norrel61prlgiI13dM2frzB
                                opQnHhxQl6EINIfek/j9DGOMOfQRiJFpqPnW/W+w+TxQ
                                +KXycIDPMGJ6s+PD0JzG8L8mBwpWkbCxKDDckpWDJYy4
                                tH9rHwiXcpvHix7vI3SB55wn9/LFs8bZ3S10AbxS0O0G
                                W6tDFAOQ5f0mRvWxbVAjXaMV17l6T9vlFEGY8UoBqtqO
                                +NvXV/X4G2Umw+i8QVW+TYP0ILqgqCSDNg== )
yoda.ex-mailer.com.     86400 IN RRSIG A 8 3 86400 (
                                20170604020000 20150604233623 9381 ex-mailer.com.
                                Rb2VgE/mrZnlALugk11vWPHBkOd0qk/TN2q7Qypap49L
                                SR50HzZWm1KE40/emOaGABCjMyz7HLD3XaUieNjIYZI9
                                0Fpg05CpqVNN1AetdRWNRZWXqCykAz1RlcXGjPIQzWHT
                                Rv8lEmyQhQSEiq7G9fKG23bHL9NV1oveBm21CHDVSi4e
                                lUVxhvuM3oQGH6WtBrK5EmVPz4KH7a3Cmp0OctJoVw3M
                                JWZoeqJ4BmrYhm7ZRg0zm9lZwC/6YoYXBVWOg44T8mrK
                                iAioNhIaLYVcSXocod12YeoEgIhEQ4Ett+gY0ryXkY1P
                                0Ew4b7Xwu5DLHPysa0bojVyIBIcBRahm9A== )
yoda.ex-mailer.com.     86400 IN RRSIG AAAA 8 3 86400 (
                                20170604020000 20150604233623 9381 ex-mailer.com.
                                iyooXElsu4ATuoSvgp2JmaLnTPvXQ7s2KcwmZBmvLQL/
                                Y3gCmdm1vpyNm2Dy7qSKMZWMowaB9ZITxPDRlPE7tAEd
                                UvgqmgpnOTSTiQC8fkvi29LZ/tlpHBW5ptwttR6HIQH4
                                cOCawqtCCcHt2a8I6z7dbokCzcKpexWoIvmsL4tkE9Kf
                                s07+z9YXwWzyph/X6hUYOH3ycZpztHFwvZNi12eTmR/m
                                GiVfbn+ny7a7uNzdnTvu00CqBniKvprLheot2nqjMj8/
                                0MRbZXKaS5NTHrgMQeFBgaG8OqUB8MZ89+MEy5FCQ4hf
                                6+pDyUoe2KeU2PwVolYip0bjSoZyk9Sv2g== )

;; Query time: 269 msec
;; SERVER: 108.61.190.64#53(108.61.190.64)
;; WHEN: Tue Dec 08 19:17:14 UTC 2015
;; MSG SIZE  rcvd: 2006

But Google DNS doesn't respond.

I created and loaded the keys as follows:

[\u@yoda:/home/ex-mailer-domains/domaian.com] # dnssec-keygen -a RSASHA256 -b 2048 -3 domaian.com
Generating key pair...........+++ ....+++ 
Kdomaian.com.+008+65103
[\u@yoda:/home/ex-mailer-domains/domaian.com] # dnssec-keygen -a RSASHA256 -b 2048 -3 -fk domaian.com
Generating key pair...........+++ ......+++ 
Kdomaian.com.+008+57586
[\u@yoda:/home/ex-mailer-domains/domaian.com] # ls
127.0.0.1                                        
48.60.191.107.in-addr.arpa                       domaian.com.external
Kdomaian.com.+008+57586.key                  domaian.com.external.signed
Kdomaian.com.+008+57586.private              bad3:50ef:ff00:0045:5498:0007:0f91:1002.ip6.arpa domaian.com.external.signed.jbk
Kdomaian.com.+008+65103.key                  bad3:50ef:ff:0045:5498:0007:0f91:1002.ip6.arpa   domaian.com.external.signed.signed
Kdomaian.com.+008+65103.private              default.private                                  domaian.com.external.signed.signed.jnl


[\u@r2d2:/usr/local/etc/namedb] # chown -R bind:bind /home/ex-mailer-domains/domaian.com/
[\u@r2d2:/usr/local/etc/namedb] # rndc reconfig
[\u@r2d2:/usr/local/etc/namedb] # rndc loadkeys domaian.com
[\u@r2d2:/usr/local/etc/namedb] # rndc signing -nsec3param 1 0 10 03F92714 domaian.com.

Then I retrieved the DS as follows:

[\u@r2d2:/home/ex-mailer-domains/domaian.com] # dig @127.0.0.1 dnskey domaian.com | dnssec-dsfromkey -f - domaian.com
domaian.com. IN DS 57586 8 1 0F60CA666664EF85451A548DD0F4DBF9637F2375
domaian.com. IN DS 57586 8 2 9DB66485013AF3C158111D8EF74C6666667FB6E38E8E7D0495B9B705DF8AECDB

and uploaded it to my registrar. But dnsviz.net says my key is incorrect.

My named.conf options:

options {
        directory "/usr/local/etc/namedb/working/";
        pid-file "/var/run/named/named.pid";
        dump-file "/var/log/named/cache_dump.db";
        statistics-file "/var/log/named/named_stats.txt";
        memstatistics-file "/var/log/named/named_mem_stats.txt";
        bindkeys-file "/home/ex-mailer-domains/named.iscdlv.key";
        managed-keys-directory "/home/ex-mailer-domains/";
        dnssec-enable yes;
        dnssec-validation auto;
        dnssec-lookaside auto;
        listen-on-v6 { ::1; 2001:19f0:6c00:8141:5400:ff:fe05:5309;};
        listen-on { 127.0.0.1; 108.61.190.64;};
        max-cache-ttl 1600;
        version none;
        auth-nxdomain no;    # conform to RFC1035
        allow-recursion-on { trusted; };
        allow-recursion{ trusted; };
        allow-query-cache-on{ trusted; };
        allow-query-on{ any; };
        allow-update-forwarding{ trusted; };                               
        allow-new-zones yes;
        allow-query {
                any;
        };
        allow-transfer {
                trusted;
        };
        //forward first;
        forwarders {
                108.61.10.10;
                108.61.190.64;
                107.191.60.48;
        };
};

My named.conf zone:

zone "domaian.com" {
        type master;
        allow-transfer {107.191.60.48;};
        also-notify {107.191.60.48;};
        key-directory "/home/ex-mailer-domains/domaian.com/";
        #file "/usr/local/etc/namedb/domaian.com.external";
        file "/home/ex-mailer-domains/domaian.com/domaian.com.external.signed";
        update-policy {
                grant ddns-key zonesub ANY;
        };
        auto-dnssec maintain;
        inline-signing yes;
};

There are no errors or warnings in my logs.

How do I correctly configure bind9 dnssec inline signing?

Answer 1

I found that Gandi is the only registrar that requires the public key rather than the DS. You can get the public key with dig @127.0.0.1 dnskey domain.com, then upload the public key instead of the DS to Gandi, and it will generate the matching key.
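The failure mode in both the question (dnsviz.net reporting a key mismatch after a DS upload) and the answer (the registrar deriving its own DS from a DNSKEY) is the same: the DS held by the parent must be the digest of a DNSKEY the zone actually serves. The following is an added example, not code from the question, the answer or BIND; it re-implements the DS digest (RFC 4034 section 5.1.4, RFC 4509 for SHA-256) and the key-tag calculation (RFC 4034 appendix B) in pure Python so it runs offline. Paste in the DNSKEY lines from `dig @127.0.0.1 dnskey <zone>` and the DS lines you gave the registrar, and it reports which DS records a served key reproduces. The sample DNSKEY and DS records in the block are constructed, and the sample public-key bytes are not a real RSA key (the DS digest does not care).

```python
"""Check that DS records at a registrar match the DNSKEY a zone serves.

Added example (not from the original question or answer). DS digest per
RFC 4034 s5.1.4 / RFC 4509, key tag per RFC 4034 appendix B. All sample
records below are constructed.
"""
from __future__ import annotations

import base64
import hashlib

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    labels = [lab for lab in name.rstrip(".").lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def parse_dnskey(line: str) -> tuple[str, bytes]:
    """Parse one DNSKEY record in presentation format into (owner, rdata)."""
    parts = line.split()
    i = parts.index("DNSKEY")            # TTL and class before it are optional
    flags, proto, alg = (int(p) for p in parts[i + 1:i + 4])
    key_chunks = []
    for tok in parts[i + 4:]:
        if tok.startswith(";"):          # trailing "; key id = NNN" comment
            break
        key_chunks.append(tok.strip("()"))
    key = base64.b64decode("".join(key_chunks))
    return parts[0], flags.to_bytes(2, "big") + bytes([proto, alg]) + key


def parse_ds(line: str) -> tuple[int, int, int, str]:
    """Parse a DS record into (key tag, algorithm, digest type, HEX digest)."""
    parts = line.split()
    i = parts.index("DS")
    tag, alg, dtype = (int(p) for p in parts[i + 1:i + 4])
    digest = "".join(p.strip("()") for p in parts[i + 4:]).upper()
    return tag, alg, dtype, digest


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, dtype: int) -> str:
    """digest = H(canonical owner name || DNSKEY rdata), upper-case hex."""
    return DIGEST_ALGS[dtype](name_to_wire(owner) + rdata).hexdigest().upper()


def ds_from_dnskey(owner: str, rdata: bytes, dtype: int) -> str:
    """Presentation rdata of the DS, in the form dnssec-dsfromkey prints it."""
    return f"{key_tag(rdata)} {rdata[3]} {dtype} {ds_digest(owner, rdata, dtype)}"


def check_ds(dnskey_lines: list[str], ds_lines: list[str]) -> dict[str, bool]:
    """For each DS line, True if some served DNSKEY reproduces its digest."""
    keys = [parse_dnskey(ln) for ln in dnskey_lines if not ln.startswith(";")]
    report = {}
    for ds in ds_lines:
        tag, alg, dtype, digest = parse_ds(ds)
        report[ds] = any(
            key_tag(rdata) == tag and rdata[3] == alg and dtype in DIGEST_ALGS
            and ds_digest(owner, rdata, dtype) == digest
            for owner, rdata in keys
        )
    return report


# Constructed sample: a "KSK" (flags 257) for domaian.com, algorithm 8, whose
# public-key field is just the bytes 1..64 (not a real RSA key).
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(1, 65))).decode()
SAMPLE_DNSKEY = f"domaian.com. 86400 IN DNSKEY 257 3 8 {SAMPLE_KEY_B64}"


def demo() -> dict[str, bool]:
    """Compare a freshly derived DS and a stale placeholder DS against the key."""
    owner, rdata = parse_dnskey(SAMPLE_DNSKEY)
    good_ds = f"{owner} IN DS {ds_from_dnskey(owner, rdata, 2)}"
    # Placeholder for a DS left over from an older key: tag and digest are fake.
    stale_ds = f"{owner} IN DS 12345 8 2 {'0' * 64}"
    return check_ds([SAMPLE_DNSKEY], [good_ds, stale_ds])


if __name__ == "__main__":
    for ds, ok in demo().items():
        print("MATCH   " if ok else "MISMATCH", ds)
```

Run it with the real records by replacing the sample lists in `demo()` with the non-comment lines of `dig @127.0.0.1 dnskey domaian.com` (one record per line, so without +multi) and the DS lines you uploaded. A DS that reports MISMATCH for every served key is what validators and dnsviz.net see as a broken chain of trust, and after a key rollover the stale DS has to be replaced at the registrar before the old KSK is retired.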
