How to enable DNSSEC as a client on Ubuntu 20.04 via systemd-resolved

I want to enable DNSSEC validation on Ubuntu 20.04 as an ordinary client. When I run dig +dnssec against my router as the name server, it returns RRSIGs. I assume this means the router is capable of DNSSEC validation. I have also added some DNSSEC-validating DNS servers to resolved.conf. But when I use the systemd-resolved name server at 127.0.0.53 as the default server, there is no DNSSEC validation. What is the reason for this behaviour? I don't understand it.

Here is the dig using the router 192.168.178.1 as name server:

dig @192.168.178.1 www.cyberciti.biz +dnssec
; <<>> DiG 9.16.1-Ubuntu <<>> @192.168.178.1 www.cyberciti.biz +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11146
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.cyberciti.biz.             IN      A

;; ANSWER SECTION:
www.cyberciti.biz.      300     IN      A       104.22.10.214
www.cyberciti.biz.      300     IN      A       172.67.7.239
www.cyberciti.biz.      300     IN      A       104.22.11.214
www.cyberciti.biz.      300     IN      RRSIG   A 13 3 300 20210514214150 20210512194150 34505 cyberciti.biz. BX+7UsdHZbSxN8u4p1TLs4qU0WJ2WpIGwwKnbO/io2AbEvmYBBVnmorK WnGtLtp6ZCP0+wVn0gLRGwaeI+OAZQ==

;; Query time: 32 msec
;; SERVER: 192.168.178.1#53(192.168.178.1)
;; WHEN: Do Mai 13 22:41:50 CEST 2021
;; MSG SIZE  rcvd: 203

Here is the dig using my systemd-resolved resolver:

root@dellxps13:/etc# dig @127.0.0.53 www.cyberciti.biz +dnssec

; <<>> DiG 9.16.1-Ubuntu <<>> @127.0.0.53 www.cyberciti.biz +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46609
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65494
; OPT=5: 05 07 08 0a 0d 0e 0f (".......")
; OPT=6: 01 02 04 ("...")
; OPT=7: 01 (".")
;; QUESTION SECTION:
;www.cyberciti.biz.             IN      A

;; ANSWER SECTION:
www.cyberciti.biz.      73      IN      A       172.67.7.239
www.cyberciti.biz.      73      IN      A       104.22.11.214
www.cyberciti.biz.      73      IN      A       104.22.10.214

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Do Mai 13 22:55:09 CEST 2021
;; MSG SIZE  rcvd: 117

Here is my /etc/systemd/resolved.conf file:

[Resolve]
DNS=5.1.66.255 81.3.27.54 89.233.43.71
FallbackDNS=1.1.1.1
#Domains=
LLMNR=no
MulticastDNS=no
DNSSEC=allow-downgrade
DNSOverTLS=opportunistic
Cache=no-negative
DNSStubListener=yes
ReadEtcHosts=yes

Here is the output of resolvectl status:

root@dellxps13:/etc# resolvectl status
Global
       LLMNR setting: no                  
MulticastDNS setting: no                  
  DNSOverTLS setting: opportunistic       
      DNSSEC setting: allow-downgrade     
    DNSSEC supported: no                  
  Current DNS Server: 5.1.66.255          
         DNS Servers: 5.1.66.255          
                      81.3.27.54          
                      89.233.43.71        
Fallback DNS Servers: 1.1.1.1             
          DNSSEC NTA: 10.in-addr.arpa     
                      16.172.in-addr.arpa 
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa 
                      18.172.in-addr.arpa 
                      19.172.in-addr.arpa 
                      20.172.in-addr.arpa 
                      21.172.in-addr.arpa 
                      22.172.in-addr.arpa 
                      23.172.in-addr.arpa 
                      24.172.in-addr.arpa 
                      25.172.in-addr.arpa 
                      26.172.in-addr.arpa 
                      27.172.in-addr.arpa 
                      28.172.in-addr.arpa 
                      29.172.in-addr.arpa 
                      30.172.in-addr.arpa 
                      31.172.in-addr.arpa 
                      corp                
                      d.f.ip6.arpa        
                      home                
                      internal            
                      intranet            
                      lan                 
                      local               
                      private             
                      test                

Link 4 (enp63s0)
      Current Scopes: DNS                      
DefaultRoute setting: yes                      
       LLMNR setting: yes                      
MulticastDNS setting: no                       
  DNSOverTLS setting: opportunistic            
      DNSSEC setting: allow-downgrade          
    DNSSEC supported: no                       
  Current DNS Server: 192.168.178.1            
         DNS Servers: 192.168.178.1            
                      fd00::9a9b:cbff:fe92:c76d
          DNS Domain: ~.                       
                      fritz.box                

Link 2 (wlp2s0)
      Current Scopes: DNS                      
DefaultRoute setting: yes                      
       LLMNR setting: yes                      
MulticastDNS setting: no                       
  DNSOverTLS setting: opportunistic            
      DNSSEC setting: allow-downgrade          
    DNSSEC supported: yes                      
  Current DNS Server: 192.168.178.1            
         DNS Servers: 192.168.178.1            
                      fd00::9a9b:cbff:fe92:c76d
          DNS Domain: ~.                       
                      fritz.box

What do I need to change in the configuration file to enable DNSSEC? Many thanks for your help! Ralph T.
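A small checker, added here and not part of the original post, that reads dig output like the two transcripts above and distinguishes "the answer carries RRSIG records" from "the resolver actually validated" (signalled by the ad flag in the header). The sample outputs are constructed from the header and answer lines shown in the question, with the signature data omitted.

```python
import re

# Constructed sample: header and answer lines modelled on the router query above.
# No "ad" flag, but an RRSIG is present: the router passed signatures through
# (DO bit was set) without asserting that it validated them.
ROUTER_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11146
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
www.cyberciti.biz.      300     IN      A       104.22.10.214
www.cyberciti.biz.      300     IN      RRSIG   A 13 3 300 20210514214150 20210512194150 34505 cyberciti.biz. (signature omitted)
"""

# Constructed sample modelled on the 127.0.0.53 stub query above: no ad flag, no RRSIG.
STUB_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46609
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
www.cyberciti.biz.      73      IN      A       172.67.7.239
"""

FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.MULTILINE)
RRSIG_RE = re.compile(r"^\S+\s+\d+\s+IN\s+RRSIG\s")


def parse_dig(output: str) -> dict:
    """Extract the header flags and whether any RRSIG record is in the output."""
    m = FLAGS_RE.search(output)
    flags = set(m.group(1).split()) if m else set()
    has_rrsig = any(RRSIG_RE.match(line) for line in output.splitlines())
    return {"flags": flags, "rrsig": has_rrsig, "ad": "ad" in flags}


def classify(output: str) -> str:
    """validated: resolver set the ad flag (it validated the chain itself).
    signed-unvalidated: signatures present but nobody vouched for them.
    no-dnssec-data: neither ad nor RRSIG, nothing to rely on."""
    info = parse_dig(output)
    if info["ad"]:
        return "validated"
    if info["rrsig"]:
        return "signed-unvalidated"
    return "no-dnssec-data"


if __name__ == "__main__":
    print("router:", classify(ROUTER_DIG))   # signed-unvalidated
    print("stub:  ", classify(STUB_DIG))     # no-dnssec-data
```

Only the ad flag tells you that the answering resolver performed validation; RRSIGs in an answer only show that the zone is signed and the upstream forwarded them.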
