我想在 ubuntu 20.04 上以普通客户端的身份启用 dnssec 验证。当我dig +dnssec在路由器上作为名称服务器执行此操作时,它会返回 rrsig。我假设这意味着路由器能够进行 dnssec 验证。我还向 solved.conf 添加了一些 dnssec 验证 dns 服务器。但是当我通过 127.0.0.53 将 systemd 解析的名称服务器用作默认服务器时,没有 dnssec 验证。这种行为的原因是什么?我不明白。
以下是使用 192.168.178.1 路由器的挖掘:
dig @192.168.178.1 www.cyberciti.biz +dnssec
; <<>> DiG 9.16.1-Ubuntu <<>> @192.168.178.1 www.cyberciti.biz +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11146
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.cyberciti.biz. IN A
;; ANSWER SECTION:
www.cyberciti.biz. 300 IN A 104.22.10.214
www.cyberciti.biz. 300 IN A 172.67.7.239
www.cyberciti.biz. 300 IN A 104.22.11.214
www.cyberciti.biz. 300 IN RRSIG A 13 3 300 20210514214150 20210512194150 34505 cyberciti.biz. BX+7UsdHZbSxN8u4p1TLs4qU0WJ2WpIGwwKnbO/io2AbEvmYBBVnmorK WnGtLtp6ZCP0+wVn0gLRGwaeI+OAZQ==
;; Query time: 32 msec
;; SERVER: 192.168.178.1#53(192.168.178.1)
;; WHEN: Do Mai 13 22:41:50 CEST 2021
;; MSG SIZE rcvd: 203
以下是我用我的systemd-resolved解析器进行的挖掘:
root@dellxps13:/etc# dig @127.0.0.53 www.cyberciti.biz +dnssec
; <<>> DiG 9.16.1-Ubuntu <<>> @127.0.0.53 www.cyberciti.biz +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46609
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65494
; OPT=5: 05 07 08 0a 0d 0e 0f (".......")
; OPT=6: 01 02 04 ("...")
; OPT=7: 01 (".")
;; QUESTION SECTION:
;www.cyberciti.biz. IN A
;; ANSWER SECTION:
www.cyberciti.biz. 73 IN A 172.67.7.239
www.cyberciti.biz. 73 IN A 104.22.11.214
www.cyberciti.biz. 73 IN A 104.22.10.214
;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Do Mai 13 22:55:09 CEST 2021
;; MSG SIZE rcvd: 117
这是我的 /etc/systemd/resolved.conf 文件:
[Resolve]
DNS=5.1.66.255 81.3.27.54 89.233.43.71
FallbackDNS=1.1.1.1
#Domains=
LLMNR=no
MulticastDNS=no
DNSSEC=allow-downgrade
DNSOverTLS=opportunistic
Cache=no-negative
DNSStubListener=yes
ReadEtcHosts=yes
这是输出resolvectl status:
[Resolve]
DNS=5.1.66.255 81.3.27.54 89.233.43.71
FallbackDNS=1.1.1.1
#Domains=
LLMNR=no
MulticastDNS=no
DNSSEC=allow-downgrade
DNSOverTLS=opportunistic
Cache=no-negative
DNSStubListener=yes
ReadEtcHosts=yes
root@dellxps13:/etc# resolvectl status
Global
LLMNR setting: no
MulticastDNS setting: no
DNSOverTLS setting: opportunistic
DNSSEC setting: allow-downgrade
DNSSEC supported: no
Current DNS Server: 5.1.66.255
DNS Servers: 5.1.66.255
81.3.27.54
89.233.43.71
Fallback DNS Servers: 1.1.1.1
DNSSEC NTA: 10.in-addr.arpa
16.172.in-addr.arpa
168.192.in-addr.arpa
17.172.in-addr.arpa
18.172.in-addr.arpa
19.172.in-addr.arpa
20.172.in-addr.arpa
21.172.in-addr.arpa
22.172.in-addr.arpa
23.172.in-addr.arpa
24.172.in-addr.arpa
25.172.in-addr.arpa
26.172.in-addr.arpa
27.172.in-addr.arpa
28.172.in-addr.arpa
29.172.in-addr.arpa
30.172.in-addr.arpa
31.172.in-addr.arpa
corp
d.f.ip6.arpa
home
internal
intranet
lan
local
private
test
Link 4 (enp63s0)
Current Scopes: DNS
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: opportunistic
DNSSEC setting: allow-downgrade
DNSSEC supported: no
Current DNS Server: 192.168.178.1
DNS Servers: 192.168.178.1
fd00::9a9b:cbff:fe92:c76d
DNS Domain: ~.
fritz.box
Link 2 (wlp2s0)
Current Scopes: DNS
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: opportunistic
DNSSEC setting: allow-downgrade
DNSSEC supported: yes
Current DNS Server: 192.168.178.1
DNS Servers: 192.168.178.1
fd00::9a9b:cbff:fe92:c76d
DNS Domain: ~.
fritz.box
我需要更改配置文件中的哪些地方才能启用 dnssec?非常感谢您的帮助!Ralph T.