[BIND] TSIG Configuration

변군 변군이글루 2013. 7. 4. 10:41

BIND TSIG Configuration

[Primary DNS]

Generate the dnssec key files

[root@NS1 named]# dnssec-keygen -a HMAC-MD5 -b 128 -n Host my-domain.re.kr.
Kmy-domain.re.kr.+157+32789

[root@NS1 named]# ls -l Kmy*
-rw------- 1 root root  59 2013-07-04 09:58 Kmy-domain.re.kr.+157+32789.key
-rw------- 1 root root 165 2013-07-04 09:58 Kmy-domain.re.kr.+157+32789.private

[root@NS1 named]# cat Kmy-domain.re.kr.+157+32789.key
my-domain.re.kr. IN KEY 512 3 157 WUqP/du3BIcjhAN87/iZ+A==

[root@NS1 named]# cat Kmy-domain.re.kr.+157+32789.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: WUqP/du3BIcjhAN87/iZ+A==
Bits: AAA=
Created: 20130704005732
Publish: 20130704005732
Activate: 20130704005732

Create the my-domain.key.conf file

[root@NS1 named]# vi /etc/my-domain.key.conf

[root@NS1 named]# cat /etc/my-domain.key.conf
key my-domain.re.kr. {
Algorithm hmac-md5;
secret "WUqP/du3BIcjhAN87/iZ+A==";
};

Add my-domain.key.conf to named.conf

[root@NS1 named]# vi /etc/named.conf
...
zone "my-domain.re.kr" {
        type master;
        file "my-domain.re.kr-zone";
        allow-update { key my-domain.re.kr.; };
};

include "/etc/my-domain.key.conf";

[Secondary DNS]

Create my-domain.key.conf

[root@NS2 named]# vi /etc/my-domain.key.conf

[root@NS2 named]# cat /etc/my-domain.key.conf
key my-domain.re.kr. {
Algorithm hmac-md5;
secret "WUqP/du3BIcjhAN87/iZ+A==";
};

Fetch the key files from ns1
[root@NS2 named]# scp 10.0.0.11:/var/named/K* /var/named/.


[root@NS2 named]# nsupdate -k Kmy-domain.re.kr.+157+32789.key
> server 10.0.0.11
> update add book.my-domain.re.kr. 300 IN A 10.0.0.55
> show
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
book.my-domain.re.kr.   300     IN      A       10.0.0.55

> send

>
> quit

Attempt nsupdate without the key file
[root@NS2 named]# nsupdate
> server 10.0.0.11
> update add book.my-domain.re.kr. 300 IN A 10.0.0.55
> show
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
book.my-domain.re.kr.   300     IN      A       10.0.0.55

> send
update failed: REFUSED
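
To show what the REFUSED above means on the wire, here is an added Python example (not from the post, nothing in it is BIND's own code) that builds the same "update add book.my-domain.re.kr. 300 IN A 10.0.0.55" message, signs it with the post's key the way nsupdate -k does (TSIG per RFC 2845 over HMAC-MD5), and checks it as a server holding the same secret would. The verifier assumes a single known key and algorithm and a TSIG RR placed last in the message; sample times and inputs are constructed.

```python
import base64, hashlib, hmac, socket, struct, time
# Key name and secret exactly as generated by dnssec-keygen in the post (HMAC-MD5, 128 bits).
KEY_NAME = "my-domain.re.kr."
SECRET = base64.b64decode("WUqP/du3BIcjhAN87/iZ+A==")
ALG_NAME = "hmac-md5.sig-alg.reg.int."  # RFC 2845 algorithm name for HMAC-MD5
FUDGE = 300                              # clock skew tolerated in seconds (nsupdate's default)
def wire_name(name):
    """Dotted name -> uncompressed DNS wire format."""
    labels = [lab.encode() for lab in name.rstrip(".").split(".")]
    return b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"

def build_update(zone, rrname, ttl, ip, msg_id=0):
    """DNS UPDATE (RFC 2136): zone section = SOA of <zone>, one 'update add <rrname> <ttl> IN A <ip>'."""
    header = struct.pack("!HHHHHH", msg_id, 0x2800, 1, 0, 1, 0)  # opcode 5 = UPDATE, 1 zone, 1 update
    rdata = socket.inet_aton(ip)
    return (header + wire_name(zone) + struct.pack("!HH", 6, 1)
            + wire_name(rrname) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata)

def tsig_mac(msg, secret, time_signed, fudge):
    """HMAC over the unsigned message followed by the TSIG variables (RFC 2845 section 3.4)."""
    tsig_vars = (wire_name(KEY_NAME) + struct.pack("!HI", 255, 0)          # class ANY, TTL 0
                 + wire_name(ALG_NAME) + struct.pack("!Q", time_signed)[2:]  # 48-bit time signed
                 + struct.pack("!HHH", fudge, 0, 0))                        # error 0, other len 0
    return hmac.new(secret, msg + tsig_vars, hashlib.md5).digest()

def sign_update(msg, secret, time_signed=None):
    """Client side (what 'nsupdate -k' does): append a TSIG RR and bump ARCOUNT."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    mac = tsig_mac(msg, secret, time_signed, FUDGE)
    rdata = (wire_name(ALG_NAME) + struct.pack("!Q", time_signed)[2:] + struct.pack("!HH", FUDGE, len(mac))
             + mac + struct.pack("!HHH", struct.unpack("!H", msg[:2])[0], 0, 0))  # orig id, error, other len
    tsig_rr = wire_name(KEY_NAME) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata  # TSIG, ANY, TTL 0
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + tsig_rr

def verify_update(signed, secret, now=None):
    """Server side: key name must match, MAC must verify (constant time), time within fudge."""
    rd_len = len(wire_name(ALG_NAME)) + 6 + 2 + 2 + hashlib.md5().digest_size + 6
    tsig_len = len(wire_name(KEY_NAME)) + 10 + rd_len
    msg, tsig = signed[:-tsig_len], signed[-tsig_len:]
    prefix = wire_name(KEY_NAME) + struct.pack("!HHIH", 250, 255, 0, rd_len) + wire_name(ALG_NAME)
    if len(signed) <= tsig_len or not tsig.startswith(prefix):
        return False                                   # unknown key or no/malformed TSIG: named answers REFUSED
    body = tsig[len(prefix):]
    time_signed = int.from_bytes(body[:6], "big")
    fudge, mac_size = struct.unpack("!HH", body[6:10])
    got_mac = body[10:10 + mac_size]
    unsigned = msg[:10] + struct.pack("!H", struct.unpack("!H", msg[10:12])[0] - 1) + msg[12:]  # ARCOUNT before TSIG
    expected = tsig_mac(unsigned, secret, time_signed, fudge)
    return hmac.compare_digest(got_mac, expected) and abs((now or int(time.time())) - time_signed) <= fudge
```

The MAC over the shared secret is the only thing that separates REFUSED from an accepted zone change, which is why the .private file copied between servers above must stay readable only by the account running named. The same construction works for the SHA-2 TSIG algorithms by swapping ALG_NAME and the hashlib digest.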

[Running nsupdate from another server]

Fetch the key files
[root@resursive named]# scp 10.0.0.11:/var/named/K* /var/named/.
The authenticity of host '10.0.0.11 (10.0.0.11)' can't be established.
RSA key fingerprint is 43:08:da:18:32:3c:19:fd:1b:2b:3e:21:ad:50:d1:7f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.11' (RSA) to the list of known hosts.
root@10.0.0.11's password:
Kmy-domain.re.kr.+157+32789.key                                            100%   59     0.1KB/s   00:00
Kmy-domain.re.kr.+157+32789.private                                        100%  165     0.2KB/s   00:00

Add car.my-domain.re.kr with nsupdate
[root@resursive named]# nsupdate -k Kmy-domain.re.kr.+157+32789.key
> server 10.0.0.11
> update add car.my-domain.re.kr. 7200 IN A 127.0.0.1
> show
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
car.my-domain.re.kr.    7200    IN      A       127.0.0.1

> send
> quit

Query test
[root@resursive named]# dig @10.0.0.11 car.my-domain.re.kr +short
127.0.0.1
