V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
Recommended Services
Amazon Web Services
LeanCloud
New Relic
ClearDB
TrustyWolf
V2EX  ›  云计算

有设置过 DNSSEC 的 V 友么,为什么我生成的 DS 记录在 Name.com 被提示参数错误?

  •  
  •   TrustyWolf · 2014-10-14 09:32:49 +08:00 · 4880 次点击
    这是一个创建于 3675 天前的主题,其中的信息可能已经有所发展或是发生改变。
    最近自己学着用BIND9搭建了DNS服务器(纯粹实验性质),测试了一下运行正常。
    然后使用dig命令的时候发现别的域名记录有NSEC RRSIG等之前没遇到过的记录,抱着好奇心搜索了一下,结果入坑了...
    在http://dnssec.tanet.edu.tw/学了一些基础知识
    实际操作参考了https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server--2/的步骤
    但是在dnssec-signzone -3 <salt> -A -N INCREMENT -o <zonename> -t <zonefilename>这个命令中使用了61这个salt值(教程提供的命令在CentOS7上没法运行,遂替换成TANet學術網路教程推荐的61)
    最后成功生成了域名.zone.signed文件并查到了相关记录:
    [root@122-10-113-230 ~]# dig DNSKEY wolf.moe. @sg.0w0.ro +multiline

    ; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> DNSKEY wolf.moe. @sg.0w0.ro +multiline
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49101
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;wolf.moe. IN DNSKEY

    ;; ANSWER SECTION:
    wolf.moe. 86400 IN DNSKEY 257 3 7 (
    AwEAAdfGpACSm4ODzjgw5Lrc4CJ//Jce5zWs7Fcoty3g
    eyy0qFwFFOg88nmQQzvBviZ+Do1QchDieypaJnJJLZsw
    5QJa9jDUQj+EW8NpKPMLmtzsuLyzrXs4DmmJyV5Wd9Eq
    6DD/R2trUI7d54j5SmZ0lkuCL3+Q0dNQjRVpaGgdA/Ay
    QfL8uZ3cdQ7do+oYpTxQ1NfZfqzg+2v2l025UbCzPwbW
    GwKcvsa3UmtOEyyVhRCOYiSFrOtLr4KaEp3RDMAiueKs
    CN8esrAgN6Clp8MGEcg4dMYgA3tP+ILVLxtOvXZCEJId
    A6XINNTwVK1E4SW3TtRJEdsV1grxNESnvvhgahpQ2Qoy
    m8v8maTnCKMvrLG/2Gi2vZX7URzQwzPo13heh8eyz+Xa
    zL0G8woAj1+JlMrxVjs10I7QqXqxaBSz2hEdOKNJH5bd
    Bo4o88nMKxz1oBSLtqPQdYo69TWrEd0t0tRUL9o6oL1C
    0eDDulMFrKVv5pE4CaDI6LSrAp88/9lTdO692BRyuPA7
    PjSNMrP07rgo6uj/2+M4iyy/Chx72aQc440VD+NThRgK
    EK2T8eKT179coAz1Ow7jHlDFIkEZw2x7T4nbJUClmQLJ
    3TdPBjRXUV4aVrHr2MVBlctjJREXkIvt+mLap7YnlTGX
    in/BTAOR+g/LcvBkuw5Kwq55H70R
    ) ; KSK; alg = NSEC3RSASHA1; key id = 16593
    wolf.moe. 86400 IN DNSKEY 256 3 7 (
    AwEAAeTvUWcmU13l5cftJ1peb/ccecrmu9dhBvzp72fW
    dS9KaeWMEKLObCYaFOhC5Kr5onN7SSE+dJxPfmRyreXG
    iC56/qGBfIirleufYI8fS8uzjToY8NS/VfskzDmK6SVL
    dLzMtOm87htiKwfAFyF0o08xB8+zWi5omSdx3VlJwwQ4
    u/qDyKONZ4fzsg3e2bZgmNJPcgBVm65gfnJoMdm0hTkg
    jHK0kLIntFbssIn3ICdihb9xZVsqGV6LddO4I64JiNVB
    gIqUtoANBVcbQ3RWi5UPuF+gAMzIJXZbpe0du8a35l22
    e/CWAjQhHQeVmYAMQb3rMfVqenkWVRBXuNq07kc=
    ) ; ZSK; alg = NSEC3RSASHA1; key id = 2738

    ;; Query time: 79 msec
    ;; SERVER: 128.199.184.100#53(128.199.184.100)
    ;; WHEN: Mon Oct 13 11:28:50 CST 2014
    ;; MSG SIZE rcvd: 845

    [root@122-10-113-230 ~]# dig A wolf.moe. @sg.0w0.ro +noadditional +dnssec +multiline

    ; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> A wolf.moe. @sg.0w0.ro +noadditional +dnssec +multiline
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54434
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 7
    ;; WARNING: recursion requested but not available

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;wolf.moe. IN A

    ;; ANSWER SECTION:
    wolf.moe. 86400 IN A 198.148.115.101
    wolf.moe. 86400 IN A 122.10.113.230
    wolf.moe. 86400 IN RRSIG A 7 2 86400 (
    20141112013623 20141013013623 2738 wolf.moe.
    ggEVT6wD2bimThP2rQrWlze1LnNyHUrUb6x3bot9WAgd
    ZwdxNQb9ivxZC1RSbmtp/HhUDfDZRPq3q28sfmzwla4n
    csk8iuJgZkTA5Y+z7FZKMwe0Ps4MlhKrPW5B4UqsXd1H
    dTq/f3Rl7BO6pzMKEiho4bowxD4LM2zXCpvvbHUG4Eom
    31qxYzDH+O7LGlnVPpt2N8IKwyozZhIipT8+jtV2F2+i
    +fX+K1fDdG2e43NiDJ2J0OPjG4/1BKcBGA1qyLGIXX0D
    wMHmhCP0n/CorYDELsh7wk+xJz1fLEABBXpxGQ7Dqxna
    ZyQQLVazXI5xRKuczyBgncBO8J5RiL0qUw== )

    ;; AUTHORITY SECTION:
    wolf.moe. 86400 IN NS ns1.netlab.wolf.moe.
    wolf.moe. 86400 IN NS ns0.netlab.wolf.moe.
    wolf.moe. 86400 IN RRSIG NS 7 2 86400 (
    20141112013623 20141013013623 2738 wolf.moe.
    ya33GGVOqHW3DmUc8UtEzH2yb1Oe/nRg1GnT8Pxj6EOO
    UgRIt7wZ1jUGDEqxkF4ircfCyhn4o+krgaS1WuaAJMIL
    kAlFZZSdC7VE3+mlf+4rSOGmf1ugl8c8MZl580LWVRCs
    fZGvCST/mEmnmmEZdl7sXotZEdnCQNW9iqttn1Ew/jEN
    3fzTlWnx8RW1l2WjnBq5sMd1GWkh0pchU1zPoK+myxQJ
    oiKYYhBrKPHMmcMt2ywMnri3NLAsnHY32B7OpShgzNFm
    gi+d2ohEH3ZtoWLF2dGxkvf1VG6XhAoUsYik+Sm39btY
    9M1vbyRSzVWQhGdUMGYTvxrZBYRKto0Ngg== )

    ;; Query time: 80 msec
    ;; SERVER: 128.199.184.100#53(128.199.184.100)
    ;; WHEN: Mon Oct 13 11:27:03 CST 2014
    ;; MSG SIZE rcvd: 1652

    [root@sg named]# cat dsset-wolf.moe.
    wolf.moe. IN DS 16593 7 1 D4D34780445A31E50A8682659FAB20D1055CB578
    wolf.moe. IN DS 16593 7 2 DF48ADD15C10EE7C1D38E7855863D89A51E951BD5B23AE0A867F778D 16278AF9

    但是当我准备将自己的DS记录提交给Name.com是却在管理面板上看到:
    No supported DNSKEY records were found in DNS. This usually means that your name servers are not properly configured for DNSSEC.

    No DNSSEC records were found at the registry. This means that your domain is not properly configured for DNSSEC.

    提交了DS记录之后却显示参数错误,这到底是为什么,求助各位V友,非常感谢!
    目前尚无回复
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   997 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 23ms · UTC 21:22 · PVG 05:22 · LAX 13:22 · JFK 16:22
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.