最近自己学着用BIND9搭建了DNS服务器(纯粹实验性质),测试了一下运行正常。
然后使用dig命令的时候发现别的域名记录有NSEC RRSIG等之前没遇到过的记录,抱着好奇心搜索了一下,结果入坑了...
在http://dnssec.tanet.edu.tw/学了一些基础知识
实际操作参考了https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server--2/的步骤
但是在dnssec-signzone -3 <salt> -A -N INCREMENT -o <zonename> -t <zonefilename>这个命令中,我使用了61作为salt值(教程提供的命令在CentOS7上无法运行,于是替换成TANet學術網路教程推荐的61)
最后成功生成了域名.zone.signed文件并查到了相关记录:
[root@122-10-113-230 ~]# dig DNSKEY wolf.moe. @sg.0w0.ro +multiline
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> DNSKEY wolf.moe. @sg.0w0.ro +multiline
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49101
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;wolf.moe. IN DNSKEY
;; ANSWER SECTION:
wolf.moe. 86400 IN DNSKEY 257 3 7 (
AwEAAdfGpACSm4ODzjgw5Lrc4CJ//Jce5zWs7Fcoty3g
eyy0qFwFFOg88nmQQzvBviZ+Do1QchDieypaJnJJLZsw
5QJa9jDUQj+EW8NpKPMLmtzsuLyzrXs4DmmJyV5Wd9Eq
6DD/R2trUI7d54j5SmZ0lkuCL3+Q0dNQjRVpaGgdA/Ay
QfL8uZ3cdQ7do+oYpTxQ1NfZfqzg+2v2l025UbCzPwbW
GwKcvsa3UmtOEyyVhRCOYiSFrOtLr4KaEp3RDMAiueKs
CN8esrAgN6Clp8MGEcg4dMYgA3tP+ILVLxtOvXZCEJId
A6XINNTwVK1E4SW3TtRJEdsV1grxNESnvvhgahpQ2Qoy
m8v8maTnCKMvrLG/2Gi2vZX7URzQwzPo13heh8eyz+Xa
zL0G8woAj1+JlMrxVjs10I7QqXqxaBSz2hEdOKNJH5bd
Bo4o88nMKxz1oBSLtqPQdYo69TWrEd0t0tRUL9o6oL1C
0eDDulMFrKVv5pE4CaDI6LSrAp88/9lTdO692BRyuPA7
PjSNMrP07rgo6uj/2+M4iyy/Chx72aQc440VD+NThRgK
EK2T8eKT179coAz1Ow7jHlDFIkEZw2x7T4nbJUClmQLJ
3TdPBjRXUV4aVrHr2MVBlctjJREXkIvt+mLap7YnlTGX
in/BTAOR+g/LcvBkuw5Kwq55H70R
) ; KSK; alg = NSEC3RSASHA1; key id = 16593
wolf.moe. 86400 IN DNSKEY 256 3 7 (
AwEAAeTvUWcmU13l5cftJ1peb/ccecrmu9dhBvzp72fW
dS9KaeWMEKLObCYaFOhC5Kr5onN7SSE+dJxPfmRyreXG
iC56/qGBfIirleufYI8fS8uzjToY8NS/VfskzDmK6SVL
dLzMtOm87htiKwfAFyF0o08xB8+zWi5omSdx3VlJwwQ4
u/qDyKONZ4fzsg3e2bZgmNJPcgBVm65gfnJoMdm0hTkg
jHK0kLIntFbssIn3ICdihb9xZVsqGV6LddO4I64JiNVB
gIqUtoANBVcbQ3RWi5UPuF+gAMzIJXZbpe0du8a35l22
e/CWAjQhHQeVmYAMQb3rMfVqenkWVRBXuNq07kc=
) ; ZSK; alg = NSEC3RSASHA1; key id = 2738
;; Query time: 79 msec
;; SERVER: 128.199.184.100#53(128.199.184.100)
;; WHEN: Mon Oct 13 11:28:50 CST 2014
;; MSG SIZE rcvd: 845
[root@122-10-113-230 ~]# dig A wolf.moe. @sg.0w0.ro +noadditional +dnssec +multiline
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> A wolf.moe. @sg.0w0.ro +noadditional +dnssec +multiline
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54434
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 7
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;wolf.moe. IN A
;; ANSWER SECTION:
wolf.moe. 86400 IN A 198.148.115.101
wolf.moe. 86400 IN A 122.10.113.230
wolf.moe. 86400 IN RRSIG A 7 2 86400 (
20141112013623 20141013013623 2738 wolf.moe.
ggEVT6wD2bimThP2rQrWlze1LnNyHUrUb6x3bot9WAgd
ZwdxNQb9ivxZC1RSbmtp/HhUDfDZRPq3q28sfmzwla4n
csk8iuJgZkTA5Y+z7FZKMwe0Ps4MlhKrPW5B4UqsXd1H
dTq/f3Rl7BO6pzMKEiho4bowxD4LM2zXCpvvbHUG4Eom
31qxYzDH+O7LGlnVPpt2N8IKwyozZhIipT8+jtV2F2+i
+fX+K1fDdG2e43NiDJ2J0OPjG4/1BKcBGA1qyLGIXX0D
wMHmhCP0n/CorYDELsh7wk+xJz1fLEABBXpxGQ7Dqxna
ZyQQLVazXI5xRKuczyBgncBO8J5RiL0qUw== )
;; AUTHORITY SECTION:
wolf.moe. 86400 IN NS ns1.netlab.wolf.moe.
wolf.moe. 86400 IN NS ns0.netlab.wolf.moe.
wolf.moe. 86400 IN RRSIG NS 7 2 86400 (
20141112013623 20141013013623 2738 wolf.moe.
ya33GGVOqHW3DmUc8UtEzH2yb1Oe/nRg1GnT8Pxj6EOO
UgRIt7wZ1jUGDEqxkF4ircfCyhn4o+krgaS1WuaAJMIL
kAlFZZSdC7VE3+mlf+4rSOGmf1ugl8c8MZl580LWVRCs
fZGvCST/mEmnmmEZdl7sXotZEdnCQNW9iqttn1Ew/jEN
3fzTlWnx8RW1l2WjnBq5sMd1GWkh0pchU1zPoK+myxQJ
oiKYYhBrKPHMmcMt2ywMnri3NLAsnHY32B7OpShgzNFm
gi+d2ohEH3ZtoWLF2dGxkvf1VG6XhAoUsYik+Sm39btY
9M1vbyRSzVWQhGdUMGYTvxrZBYRKto0Ngg== )
;; Query time: 80 msec
;; SERVER: 128.199.184.100#53(128.199.184.100)
;; WHEN: Mon Oct 13 11:27:03 CST 2014
;; MSG SIZE rcvd: 1652
[root@sg named]# cat dsset-wolf.moe.
wolf.moe. IN DS 16593 7 1 D4D34780445A31E50A8682659FAB20D1055CB578
wolf.moe. IN DS 16593 7 2 DF48ADD15C10EE7C1D38E7855863D89A51E951BD5B23AE0A867F778D 16278AF9
但是当我准备将自己的DS记录提交给Name.com时,却在管理面板上看到:
No supported DNSKEY records were found in DNS. This usually means that your name servers are not properly configured for DNSSEC.
No DNSSEC records were found at the registry. This means that your domain is not properly configured for DNSSEC.
提交了DS记录之后却显示参数错误,这到底是为什么?求助各位V友,非常感谢!