I'm fairly sure the final error is this:
[\u@r2d2:/home/ex-mailer-domains/domain.com] # dig domain.com +dnssec @8.8.8.8
; <<>> DiG 9.10.3 <<>> domain.com +dnssec @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16509
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;domain.com. IN A
;; Query time: 187 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Dec 08 19:17:22 UTC 2015
;; MSG SIZE rcvd: 44
I can query the servers (master and slave):
[\u@r2d2:/home/ex-mailer-domains/domain.com] # dig domain.com @108.61.190.64 +dnssec +multi
; <<>> DiG 9.10.3 <<>> domain.com @108.61.190.64 +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50374
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 9
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;domain.com. IN A
;; ANSWER SECTION:
domaian.com. 86400 IN A 108.61.175.20
domaian.com. 86400 IN RRSIG A 8 2 86400 (
20160107130220 20151208123524 65103 domaian.com.
DLxITL2qKeDpiN/2Zxb/vzllFV1ZaDmzyYObKTMeiFS/
JFCSKIWQlvdz3uGQwjmZaNUAW59NTqfPPLDr3d94h1/L
KfY2PAd0rN74HSyApOiU0VaoU7sFCbIJzavyNmKeYOw0
yS1SUvsOWOPFj6qZx0uUzWOeD0thsH4GgbHjKKYKB5cR
djGmxzpxWgV7GdVKrn1G/Uhf/oDDavAVQa8BylfGSGO/
djcjjVgf/bJ3NRgcFnZUL7LLioRRlZ+pGsa43tKmIRFC
QgmV0DS3mLqZXAi7MpK01pFsfKg8lsF88jgVGxuR6TAD
VKCgr9lVftyF/hdKwGP1RERnO+fGRfpQyw== )
;; AUTHORITY SECTION:
domaian.com. 86400 IN NS r2d2.ex-mailer.com.
domaian.com. 86400 IN NS yoda.ex-mailer.com.
domaian.com. 86400 IN RRSIG NS 8 2 86400 (
20160107130220 20151208123524 65103 domaian.com.
ryHGOpEncjwVPHc+zs2HrESijbBLH/rrmOYkpmoRSKpO
yJTzAMN2u8cKTfJfBvFQ/Pk79kJ2vsu6c3dvWTXCB1sD
jQFuhQTbT4XlYFbzx/2tyxvWOlYRBetmwRV8TcrwH7TT
VlBX4fMoNA/mVmU9W/fzY5rKLH/X5RhWL1zOD+yF4CSk
sTrFcTXDppENdTfzbyoSSpaDmliQYDmQ5cPaXsVa4RFb
fwDdmohS1IhQe9mw5GnciEE8x1ayxNf3043ysoo9a+ST
4egpc3XfqwE1w8xTJYjZYXFTPBDqQnWLmLDFfluat5Wo
JwLBzB2qRoxHQmaP05BHuKFPwLDXoPx77Q== )
;; ADDITIONAL SECTION:
r2d2.ex-mailer.com. 86400 IN A 107.191.60.48
r2d2.ex-mailer.com. 86400 IN AAAA 2001:19f0:7000:8945::64
yoda.ex-mailer.com. 86400 IN A 108.61.190.64
yoda.ex-mailer.com. 86400 IN AAAA 2001:19f0:6c00:8141::64
r2d2.ex-mailer.com. 86400 IN RRSIG A 8 3 86400 (
20170604020000 20150604233623 9381 ex-mailer.com.
Ea+o29rgxJRTo0pZlNHIL6vPMCgQvgt+tcJJf3VvH7BK
U4gNjOfEJB4uvy+3PYB9OX0KQ5gngbWzdAAXdiSveaoo
XJ+REc07V7aHjlqLn4SuBBAzfEhFVUGjrLT3wXTVp0bK
kAkooksctvB2tWnlnkrXM8i5PES8tPXT2By50DN57LTE
V3l0mSlBb4ibWn8SfFDsELVYzTE3SwMsiMfA0DaJj8th
6v0qmQp1LzE1yyMm6Bu7OrgMRCAG8wOLqGg8jOw+BNq7
4gvmnUm8mjh2iaUg2etc2h2oi6RqOdHVDTYYD+VzxJYv
H3FDvnSbEgSqcBIB8GTTgQ/MRLLpzf0MuA== )
r2d2.ex-mailer.com. 86400 IN RRSIG AAAA 8 3 86400 (
20170604020000 20150604233623 9381 ex-mailer.com.
YHSyU0k2yNl9dJ551Kl1YnDpwqqcDSdeiPoA1ZNbcJ2u
QcuXlAugTsyII0HLxVi+oRXarhPLE11Mr4WiFh5EVuGA
gLJDMgQoZx8wSTaWKE8l5norrel61prlgiI13dM2frzB
opQnHhxQl6EINIfek/j9DGOMOfQRiJFpqPnW/W+w+TxQ
+KXycIDPMGJ6s+PD0JzG8L8mBwpWkbCxKDDckpWDJYy4
tH9rHwiXcpvHix7vI3SB55wn9/LFs8bZ3S10AbxS0O0G
W6tDFAOQ5f0mRvWxbVAjXaMV17l6T9vlFEGY8UoBqtqO
+NvXV/X4G2Umw+i8QVW+TYP0ILqgqCSDNg== )
yoda.ex-mailer.com. 86400 IN RRSIG A 8 3 86400 (
20170604020000 20150604233623 9381 ex-mailer.com.
Rb2VgE/mrZnlALugk11vWPHBkOd0qk/TN2q7Qypap49L
SR50HzZWm1KE40/emOaGABCjMyz7HLD3XaUieNjIYZI9
0Fpg05CpqVNN1AetdRWNRZWXqCykAz1RlcXGjPIQzWHT
Rv8lEmyQhQSEiq7G9fKG23bHL9NV1oveBm21CHDVSi4e
lUVxhvuM3oQGH6WtBrK5EmVPz4KH7a3Cmp0OctJoVw3M
JWZoeqJ4BmrYhm7ZRg0zm9lZwC/6YoYXBVWOg44T8mrK
iAioNhIaLYVcSXocod12YeoEgIhEQ4Ett+gY0ryXkY1P
0Ew4b7Xwu5DLHPysa0bojVyIBIcBRahm9A== )
yoda.ex-mailer.com. 86400 IN RRSIG AAAA 8 3 86400 (
20170604020000 20150604233623 9381 ex-mailer.com.
iyooXElsu4ATuoSvgp2JmaLnTPvXQ7s2KcwmZBmvLQL/
Y3gCmdm1vpyNm2Dy7qSKMZWMowaB9ZITxPDRlPE7tAEd
UvgqmgpnOTSTiQC8fkvi29LZ/tlpHBW5ptwttR6HIQH4
cOCawqtCCcHt2a8I6z7dbokCzcKpexWoIvmsL4tkE9Kf
s07+z9YXwWzyph/X6hUYOH3ycZpztHFwvZNi12eTmR/m
GiVfbn+ny7a7uNzdnTvu00CqBniKvprLheot2nqjMj8/
0MRbZXKaS5NTHrgMQeFBgaG8OqUB8MZ89+MEy5FCQ4hf
6+pDyUoe2KeU2PwVolYip0bjSoZyk9Sv2g== )
;; Query time: 269 msec
;; SERVER: 108.61.190.64#53(108.61.190.64)
;; WHEN: Tue Dec 08 19:17:14 UTC 2015
;; MSG SIZE rcvd: 2006
But Google DNS does not answer.
I created and loaded the keys as follows:
[\u@yoda:/home/ex-mailer-domains/domaian.com] # dnssec-keygen -a RSASHA256 -b 2048 -3 domaian.com
Generating key pair...........+++ ....+++
Kdomaian.com.+008+65103
[\u@yoda:/home/ex-mailer-domains/domaian.com] # dnssec-keygen -a RSASHA256 -b 2048 -3 -fk domaian.com
Generating key pair...........+++ ......+++
Kdomaian.com.+008+57586
[\u@yoda:/home/ex-mailer-domains/domaian.com] # ls
127.0.0.1
48.60.191.107.in-addr.arpa
Kdomaian.com.+008+57586.key
Kdomaian.com.+008+57586.private
Kdomaian.com.+008+65103.key
Kdomaian.com.+008+65103.private
bad3:50ef:ff00:0045:5498:0007:0f91:1002.ip6.arpa
bad3:50ef:ff:0045:5498:0007:0f91:1002.ip6.arpa
default.private
domaian.com.external
domaian.com.external.signed
domaian.com.external.signed.jbk
domaian.com.external.signed.signed
domaian.com.external.signed.signed.jnl
[\u@r2d2:/usr/local/etc/namedb] # chown -R bind:bind /home/ex-mailer-domains/domaian.com/
[\u@r2d2:/usr/local/etc/namedb] # rndc reconfig
[\u@r2d2:/usr/local/etc/namedb] # rndc loadkeys domaian.com
[\u@r2d2:/usr/local/etc/namedb] # rndc signing -nsec3param 1 0 10 03F92714 domaian.com.
Then I retrieved the DS as follows:
[\u@r2d2:/home/ex-mailer-domains/domaian.com] # dig @127.0.0.1 dnskey domaian.com | dnssec-dsfromkey -f - domaian.com
domaian.com. IN DS 57586 8 1 0F60CA666664EF85451A548DD0F4DBF9637F2375
domaian.com. IN DS 57586 8 2 9DB66485013AF3C158111D8EF74C6666667FB6E38E8E7D0495B9B705DF8AECDB
and uploaded it to my registrar. But dnsviz.net says my key is incorrect.
My named.conf options:
options {
directory "/usr/local/etc/namedb/working/";
pid-file "/var/run/named/named.pid";
dump-file "/var/log/named/cache_dump.db";
statistics-file "/var/log/named/named_stats.txt";
memstatistics-file "/var/log/named/named_mem_stats.txt";
bindkeys-file "/home/ex-mailer-domains/named.iscdlv.key";
managed-keys-directory "/home/ex-mailer-domains/";
dnssec-enable yes;
dnssec-validation auto;
dnssec-lookaside auto;
listen-on-v6 { ::1; 2001:19f0:6c00:8141:5400:ff:fe05:5309;};
listen-on { 127.0.0.1; 108.61.190.64;};
max-cache-ttl 1600;
version none;
auth-nxdomain no; # conform to RFC1035
allow-recursion-on { trusted; };
allow-recursion{ trusted; };
allow-query-cache-on{ trusted; };
allow-query-on{ any; };
allow-update-forwarding{ trusted; };
allow-new-zones yes;
allow-query {
any;
};
allow-transfer {
trusted;
};
//forward first;
forwarders {
108.61.10.10;
108.61.190.64;
107.191.60.48;
};
};
My named.conf zone:
zone "domaian.com" {
type master;
allow-transfer {107.191.60.48;};
also-notify {107.191.60.48;};
key-directory "/home/ex-mailer-domains/domaian.com/";
#file "/usr/local/etc/namedb/domaian.com.external";
file "/home/ex-mailer-domains/domaian.com/domaian.com.external.signed";
update-policy {
grant ddns-key zonesub ANY;
};
auto-dnssec maintain;
inline-signing yes;
};
There are no errors or warnings in my logs.
How do I configure bind9 DNSSEC inline signing correctly?
Answer 1
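As an added example (editor's illustration, not the poster's configuration and not an answer from the thread), a zone stanza for BIND inline signing with the `file` directive pointing at the unsigned master file. With `inline-signing yes`, named itself maintains the signed copy as `<file>.signed` (plus `<file>.signed.jnl`), so the master file named in `file` must be the unsigned source; pointing it at an already signed file makes named write `<file>.signed.signed`. Paths and the slave address are taken from the question; the ACL name in the comments is hypothetical.

```conf
// Added example, not the poster's named.conf: inline-signing zone with the
// unsigned source as 'file'. named writes the signed data to
// /home/ex-mailer-domains/domaian.com/domaian.com.external.signed on its own.
zone "domaian.com" {
    type master;
    file "/home/ex-mailer-domains/domaian.com/domaian.com.external";   // UNSIGNED master file
    key-directory "/home/ex-mailer-domains/domaian.com/";            // K<zone>.+008+<tag>.{key,private}
    auto-dnssec maintain;     // pick up keys from key-directory, roll signatures
    inline-signing yes;       // keep the signed zone separate from the editable source
    allow-transfer { 107.191.60.48; };
    also-notify { 107.191.60.48; };
    update-policy {
        grant ddns-key zonesub ANY;
    };
};
// Checks to run after editing (commands, not config):
//   named-checkconf -z            - parse config and load every zone
//   rndc signing -list domaian.com - show signing state / NSEC3PARAM after 'rndc signing -nsec3param ...'
//   dig @127.0.0.1 domaian.com DNSKEY +dnssec +multi - the DNSKEY RRset the DS must be derived from
```

The point of the separation is operational: the unsigned file stays hand-editable (or DDNS-updated, as with the `update-policy` above), while the `.signed` file and its journal are owned by named and must never be edited or pointed at by `file`.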
I found that Gandi is the only registrar that requires the public key rather than the DS. You can get the public key with -> dig @127.0.0.1 dnskey domain.com, then upload the public key instead of the DS to Gandi, and the matching key will be generated.
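As an added example (editor's code, not the poster's, the answerer's, or BIND's own `dnssec-dsfromkey`), a pure-Python check that ties the two halves of this thread together: it derives the DS (key tag and SHA-1/SHA-256 digest, per RFC 4034 Appendix B and section 5.1.4 / RFC 4509) from a DNSKEY line exactly as `dig @127.0.0.1 dnskey <zone>` prints it, and compares it with the DS the registrar or parent publishes. That lets you verify offline that the DS you upload really corresponds to the KSK (flags 257) in the zone, or, for a registrar such as Gandi that takes the DNSKEY itself, that the key you pasted has the key tag you expect. The sample DNSKEYs at the bottom are constructed from arbitrary bytes, not real RSA keys; `dig +multi` output must be joined into one line before parsing, as the parser tolerates the parentheses but not line breaks.

```python
"""Added example (not from the original page): derive a DS from a DNSKEY presentation
line and check it against a published DS record."""
import base64
import hashlib
import struct

# DS digest types (RFC 4034 section 5.1.3, RFC 4509): 1 = SHA-1, 2 = SHA-256
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}
SEP_FLAG = 0x0001  # Secure Entry Point bit: set on a KSK (flags 257), clear on a ZSK (256)


def normalize_name(name):
    return name.rstrip(".").lower() + "."


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase,
    length-prefixed labels, terminated by the root label."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def parse_rr(line, rrtype):
    """Split a presentation-format RR into (owner, fields after TYPE).
    TTL and class are optional; parentheses from 'dig +multi' output are tolerated."""
    fields = line.replace("(", " ").replace(")", " ").split()
    return fields[0], fields[fields.index(rrtype) + 1:]


def parse_dnskey(line):
    """(owner, flags, protocol, algorithm, public key bytes) from a DNSKEY line."""
    owner, rest = parse_rr(line, "DNSKEY")
    flags, proto, alg = (int(x) for x in rest[:3])
    return owner, flags, proto, alg, base64.b64decode("".join(rest[3:]))


def parse_ds(line):
    """(owner, key tag, algorithm, digest type, uppercase hex digest) from a DS line."""
    owner, rest = parse_rr(line, "DS")
    tag, alg, dtype = (int(x) for x in rest[:3])
    return normalize_name(owner), tag, alg, dtype, "".join(rest[3:]).upper()


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(line, digest_type=2):
    """DS data the parent should publish for this DNSKEY:
    digest = H(canonical owner name || DNSKEY RDATA)."""
    owner, flags, proto, alg, pubkey = parse_dnskey(line)
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    digest = DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return {"owner": normalize_name(owner), "key_tag": key_tag(rdata), "algorithm": alg,
            "digest_type": digest_type, "digest": digest, "is_ksk": bool(flags & SEP_FLAG)}


def ds_record(line, digest_type=2):
    """Presentation-format DS line, the form a registrar's DS form expects."""
    d = ds_from_dnskey(line, digest_type)
    return "%s IN DS %d %d %d %s" % (d["owner"], d["key_tag"], d["algorithm"],
                                    d["digest_type"], d["digest"])


def check_published_ds(dnskey_lines, ds_line):
    """Does the DS at the registrar/parent match a DNSKEY currently in the zone?
    Returns (ok, reason); ok is True even for a ZSK, but the reason flags it."""
    owner, tag, alg, dtype, digest = parse_ds(ds_line)
    if dtype not in DIGEST_TYPES:
        return False, "unsupported digest type %d" % dtype
    for line in dnskey_lines:
        d = ds_from_dnskey(line, dtype)
        if (d["owner"], d["key_tag"], d["algorithm"]) != (owner, tag, alg):
            continue
        if d["digest"] != digest:
            return False, "key tag %d found but digest differs (stale or mistyped DS)" % tag
        if not d["is_ksk"]:
            return True, "matches key tag %d, but that key is a ZSK (flags 256); point the DS at the KSK" % tag
        return True, "matches KSK key tag %d" % tag
    return False, "no DNSKEY with key tag %d / algorithm %d in the zone" % (tag, alg)


# Constructed sample keys (NOT real RSA keys: the base64 wraps arbitrary bytes), for a stand-alone run.
SAMPLE_KSK = "domaian.com. 86400 IN DNSKEY 257 3 8 " + base64.b64encode(
    b"\x03\x01\x00\x01" + bytes(range(256))).decode()
SAMPLE_ZSK = "domaian.com. 86400 IN DNSKEY 256 3 8 " + base64.b64encode(
    b"\x03\x01\x00\x01" + bytes(range(255, -1, -1))).decode()

if __name__ == "__main__":
    for dt in (1, 2):
        print(ds_record(SAMPLE_KSK, dt))
    print(check_published_ds([SAMPLE_ZSK, SAMPLE_KSK], ds_record(SAMPLE_KSK)))
```

In practice you would feed `check_published_ds` the DNSKEY lines from `dig @127.0.0.1 <zone> DNSKEY` and the DS line from `dig <zone> DS` at the parent (or the one shown in the registrar's panel); a "digest differs" result after a key change means the parent still holds the DS of the previous KSK.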