提前安装好Ubuntu
输入dnssec-keygen -f KSK -r /dev/urandom -a NSEC3RSASHA1 -b 768 -n ZONE jack.com生成KSK密钥。其中NSEC3RSASHA1为采用的签名算法,jack.com为域名。
输入cat Kjack.com.+007+31383.private可以查看KSK私钥
输入cat Kjack.com.+007+31383.key可以查看KSK公钥
输入dnssec-keygen -r /dev/urandom -a NSEC3RSASHA1 -b 768 -n ZONE jack.com生成ZSK密钥。
输入cat Kjack.com.+007+32864.private可以查看ZSK私钥
输入cat Kjack.com.+007+32864.key可以查看ZSK公钥
输入指令sudo gedit /etc/bind/db.jack.com编辑文件,在文件末尾加上$INCLUDE ”Kjack.com.+007+31383.key”$INCLUDE ”Kjack.com.+007+32864.key”并保存
输入head -c 1000 /dev/urandom | sha1sum | cut -b 1-16得到NSEC3的salt
如图,salt为86404d8933f0611e输入 sudo dnssec-signzone -3 86404d8933f0611e -o jack.com. db.jack.com对zone进行签名。这里显示错误。分析之前的步骤,发现之前生成的key都在根目录下,所以剪切到bind目录下就好了。
输入命令sudo gedit /named.conf.local进入文件进行配置,引用签名文件。
输入cat dsset-jack.com.向上级zone上传签名时生成的DS文件
输入dig @127.0.0.1 +dnssec www.jack.com
结果如下:; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> @127.0.0.1 +dnssec www.jack.com; (1 server found);; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47074;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3//AA为权威答案,表示应答主机为问题权威服务器;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION:; EDNS: version: 0, flags: do; udp: 4096;; QUESTION SECTION:;www.jack.com. IN A ;; ANSWER SECTION:www.jack.com. 604800 IN A 192.168.244.128www.jack.com. 604800 IN RRSIG A 7 3 604800 204 204 32864 jack.com. H/4U9a46C2WT0Zmpg8W0O3fzk+e366k3wgvc6C88IByliVpgSy0zTJMJ /pEUgsCxy+GShqMQ5H2TXsRdeDi7wQtZpOlT+UIBJIdeGKLg4/c0IkTP Ht8WkrouV85qvpLR//答案中多了RRSIG;; AUTHORITY SECTION:jack.com. 604800 IN NS ns.jack.com.jack.com. 604800 IN RRSIG NS 7 2 604800 204 204 32864 jack.com. T7eiZ1WbM3beEr9dsznDRw2MfqAfA19q9tdYrjMip3anPBn3zW4R8U6l K8YJc1u63CTYZIR589Ztok1PSDFXGoALC89EphAAzbD31JgGNRlMjVjS KjDnM3IWNa4mv3GD//认证部分也多了RRSIG;; ADDITIONAL SECTION:ns.jack.com. 604800 IN A 192.168.244.128ns.jack.com. 604800 IN RRSIG A 7 3 604800 204 204 32864 jack.com. GU96SEiWM/P7GetQS9wKh/K7O7rQeoScVnFUm8zYqv8g2O0OMl2B7ET1 lvNDP3/HrTtSO8Ds+bqWn3b8UwkPb8S4Zfm2jQbS30QpAtg+cp4sOzAa al0KYzl553if7K32//附加部分也多了RRSIG;; Query time: 7 msec;; SERVER: 127.0.0.1#53(127.0.0.1);; WHEN: Thu Mar 19 21:20:16 PDT 2015;; MSG SIZE rcvd: 498
首先将jack.com的KSK保存到jack.keys文件中。
然后再输入命令行:dig @127.0.0.1 +sigchase +trusted-key=jack.keys www.jack.com。此时提示有错误,在jack.keys签名加上 $TTL 604800就好了。
dig +densec www.gov.cn