# Lab run-book: BIND 9 setup for the "skill39.com" and "public.net" zones
# with DNSSEC inline signing, TSIG-protected zone transfers and a
# key-authenticated rndc control channel, plus a recursive resolver that
# trusts a private lab root.
#
# This is an ordered list of shell commands interleaved with the text typed
# into vi (between "### vi ###" markers). It is meant to be followed by hand,
# one host section at a time; it is not an executable script. Hosts, as far
# as the later sections show them:
#   dmzsrv   - primary for skill39.com (presumably 10.0.1.1, the address the
#              secondaries pull the TSIG key from and list as master)
#   site1srv - secondary, 192.168.0.1
#   site2srv - secondary, 172.16.0.1
#   public.net primary (ns 1.1.1.1) and the lab root server (1.1.1.100)
#
# Same package on every host in this run-book.
apt install -y bind9
‣
# --- dmzsrv: primary for skill39.com --------------------------------------
# DNSSEC key pair for the zone: a KSK (-f KSK) and a ZSK, both ECDSA P-256
# with SHA-256 (algorithm 13). They are created in the directory that
# named.conf below names as key-directory.
# NOTE(review): with "dnssec-policy default" named manages keys itself and
# picks up pre-generated ones only if they fit the policy — confirm after the
# restart (e.g. with rndc dnssec -status skill39.com) that these are the keys
# in use rather than a freshly generated pair.
cd /var/cache/bind/keys
dnssec-keygen -a ECDSAP256SHA256 -f KSK skill39.com
dnssec-keygen -a ECDSAP256SHA256 skill39.com
# Collect every server's rndc key under one directory so a single rndc.conf
# can address all three hosts. The two secondaries' keys are pulled over scp;
# these files carry TSIG secrets, so keep them readable only by root and the
# bind group (0640). Renaming the file does not rename the key statement
# inside it — that is what the vi edits below are for.
cd /etc/bind
mkdir rndc-key
mv rndc.key rndc-key/dmzsrv.key
scp 192.168.0.1:/etc/bind/rndc.key /etc/bind/rndc-key/site1srv.key
scp 172.16.0.1:/etc/bind/rndc.key /etc/bind/rndc-key/site2srv.key
# NOTE(review): /rndc-key (at the filesystem root) does not exist; this should
# be "cd rndc-key" (i.e. /etc/bind/rndc-key). As written the cd fails and the
# three vi sessions below create new, empty files in /etc/bind instead of
# editing the copied keys.
cd /rndc-key
# Give each key statement a distinct name (only the "key" line is changed;
# the algorithm and secret lines stay as generated).
vi dmzsrv.key
### vi ###
key "dmzsrv-key"
### vi ###
vi site1srv.key
### vi ###
# NOTE(review): rndc.conf below refers to this key as "site1srv-key"; the
# name "site1srv.key" will not match and rndc -s site1srv fails with an
# unknown-key error — presumably a typo. The same applies to site2srv.key.
# Also, as far as I can tell the control channel matches keys by name, so the
# secondaries (whose named.conf.options still loads the key as "rndc-key",
# see below) will reject requests signed under the renamed key unless the
# name is changed on both sides — verify with the rndc status calls below.
key "site1srv.key"
### vi ###
vi site2srv.key
### vi ###
key "site2srv.key"
### vi ###
# NOTE(review): this line writes an unused file /etc/bind/tsig-keygen holding
# a second, different secret; the key that is actually included below is the
# one generated next as tsig.key. Drop this line so only one TSIG secret is
# ever in circulation.
tsig-keygen > /etc/bind/tsig-keygen
cd ..
# tsig-keygen with no name argument emits a key statement named "tsig-key";
# the zone's allow-transfer below refers to it by that name. This secret is
# shared with the secondaries (copied over scp in their section).
tsig-keygen > tsig.key
# Authoritative-only server ("recursion no"). The control channel stays on
# loopback and requires the dmzsrv key; "..." stands for the untouched rest
# of the stock options block.
vi named.conf.options
### vi ###
...
recursion no;
};
include "/etc/bind/tsig.key";
include "/etc/bind/rndc-key/dmzsrv.key";
controls {
inet 127.0.0.1 port 953
allow { localhost; 127.0.0.1; } keys { "dmzsrv-key"; };
# NOTE(review): named's grammar needs a terminating semicolon here ("};");
# named-checkconf will reject the file as written.
}
### vi ###
# rndc.conf: one server entry per host, each request signed with that host's
# own key; the default entry is localhost with the dmzsrv key.
vi rndc.conf
### vi ###
include "/etc/bind/rndc-key/dmzsrv.key";
include "/etc/bind/rndc-key/site1srv.key";
include "/etc/bind/rndc-key/site2srv.key";
options {
default-key "dmzsrv-key";
default-server localhost;
default-port 953;
};
# NOTE(review): the servers are later addressed as "rndc -s site1srv" (lower
# case). If rndc compares the server name case-sensitively this entry is not
# found — use the same spelling in both places to be safe.
server SITE1SRV {
key "site1srv-key";
addresses { 192.168.0.1 port 953 };
};
server SITE2SRV {
key "site2srv-key";
addresses { 172.16.0.1 port 953 };
};
server localhost {
key "dmzsrv-key";
};
### vi ###
# named.conf: the stock includes are commented out and replaced by the single
# primary zone. inline-signing with the built-in "default" policy leaves the
# unsigned zone file untouched and serves a signed copy. Transfers are
# allowed only to TSIG-signed requests — no address-based allow-transfer.
vi named.conf
### vi ###
#include "/etc/bind/named.conf.local";
#include "/etc/bind/named.conf.default-zones";
zone "skill39.com" {
type master;
file "skill39-zone";
key-directory "/var/cache/bind/keys";
inline-signing yes;
dnssec-policy default;
allow-transfer { key tsig-key; };
};
### vi ###
cp db.local /var/cache/bind/skill39-zone
cd /var/cache/bind
# NOTE(review): named.conf names the zone file "skill39-zone" (relative to
# /var/cache/bind), but the zone data below is typed into db.skill39.com — a
# different file. named will load the copied db.local contents instead.
# Either edit skill39-zone here or point "file" at db.skill39.com.
# Zone data: three NS records (this host plus the two secondaries) and the
# lab service names. Bump the serial on every later edit, otherwise the
# secondaries never refresh.
vi db.skill39.com
### vi ###
$TTL 86400
@ IN SOA ns1.skill39.com. admin.ns1.skill39.com. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns1.skill39.com.
@ IN NS ns2.skill39.com.
@ IN NS ns3.skill39.com.
ns1 IN A 100.0.0.1
ns2 IN A 100.0.0.5
ns3 IN A 100.0.0.9
ca IN A 100.0.0.1
ocsp IN A 100.0.0.1
vpn IN A 100.0.0.1
www IN A 100.0.0.1
site IN A 100.0.0.1
site1 IN A 100.0.0.5
site2 IN A 100.0.0.9
### vi ###
# /var/cache/bind must be writable by named: inline signing and key
# management write there.
chown bind:bind -R /var/cache/bind
# NOTE(review): recursively handing /etc/bind to the bind user gives the
# named process write access to its own configuration and to every key and
# TSIG secret. Debian ships /etc/bind as root:bind with group-readable files,
# which is all named needs to read them. Prefer keeping root ownership and
# granting only group read (0640) on the key files.
chown bind:bind -R /etc/bind
systemctl restart bind9
# Listener check. This grep also matches any port that merely contains "53"
# (5353, 2530, ...); a socket filter such as ss -lnp 'sport = :53' is exact.
ss -ln | grep 53
# DS record for the parent, derived from the DNSKEY set this server actually
# serves (always take it from the server itself, never from a third party).
dig @127.0.0.1 dnskey skill39.com | dnssec-dsfromkey -f - skill39.com
dig @127.0.0.1 dnskey skill39.com | dnssec-dsfromkey -f - skill39.com > /root/ds-skill39
# Hand the DS to the parent/resolver operator. "[email protected]" looks like
# an address redacted by the page extraction — substitute the real user@host.
scp /root/ds-skill39 [email protected]:/root
# Remote control of the secondaries over the keyed channel (see the key-name
# note on the site1srv/site2srv key files above if this fails).
rndc -s site1srv status
rndc -s site2srv status
# --- site1srv / site2srv: secondaries, run on each ------------------------
cd /etc/bind
# The shared TSIG secret is copied from the primary (10.0.1.1) over scp.
scp 10.0.1.1:/etc/bind/tsig.key /etc/bind
# Control channel listens on every address ("inet *") but only accepts the
# primary's address signed with the rndc key. The address filter alone is
# spoofable; the key is what actually authenticates. Binding to the one
# interface the primary reaches would expose less surface.
vi named.conf.options
### vi ###
...
recursion no;
};
include "/etc/bind/tsig.key";
include "/etc/bind/rndc.key";
controls {
inet * port 953
# NOTE(review): this is the stock key name from the unrenamed rndc.key; the
# primary's rndc.conf signs requests to this host as "site1srv-key" /
# "site2srv-key". Presumably the names must agree on both ends — confirm.
allow { 10.0.1.1; } keys { "rndc-key"; };
};
### vi ###
# Secondary zone: transfers come only from 10.0.1.1 and must be TSIG-signed
# with the shared key.
vi named.conf
### vi ###
#include "/etc/bind/named.conf.local";
#include "/etc/bind/named.conf.default-zones";
zone "skill39.com" {
type slave;
file "skill39-zone";
masters { 10.0.1.1 key tsig-key; };
};
### vi ###
systemctl restart bind9
cd /var/cache/bind
# NOTE(review): skill39.local is not a zone this server serves — presumably a
# typo for skill39.com; the second query is the real check.
dig ns1.skill39.local @localhost
dig ns1.skill39.com @localhost
# If the record is returned correctly, the transfer worked
# --- public.net primary ---------------------------------------------------
# Same pattern as skill39.com: KSK + ZSK (algorithm 13), inline signing with
# the default policy, DS handed out for the parent.
mkdir /var/cache/bind/keys
cd /var/cache/bind/keys
dnssec-keygen -a ECDSAP256SHA256 -f KSK public.net
dnssec-keygen -a ECDSAP256SHA256 public.net
cd ..
cp /etc/bind/db.local pub-zone
vi /etc/bind/named.conf
### vi ###
#include "/etc/bind/named.conf.local";
#include "/etc/bind/named.conf.default-zones";
zone "public.net" {
type master;
file "pub-zone";
key-directory "/var/cache/bind/keys";
inline-signing yes;
dnssec-policy default;
};
### vi ###
# Here the edited file name matches "file" in named.conf (unlike the
# skill39.com section above).
vi pub-zone
### vi ###
$TTL 86400
@ IN SOA ns.public.net. admin.ns.public.net. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns.public.net.
ns IN A 1.1.1.1
time IN A 1.1.1.100
ca IN A 1.1.1.1
www IN A 1.1.1.1
### vi ###
chown bind:bind -R /var/cache/bind
systemctl restart bind9
dig @127.0.0.1 dnskey public.net | dnssec-dsfromkey -f - public.net
dig @127.0.0.1 dnskey public.net | dnssec-dsfromkey -f - public.net > /root/ds-pub
# "[email protected]" is again a redacted destination — use the real user@host.
scp /root/ds-pub [email protected]:/root
# --- recursive resolver ---------------------------------------------------
# Root hints point at the lab root (see the root.hints edit below).
vi /etc/bind/named.conf
### vi ###
zone "." {
type hint;
file "/usr/share/dns/root.hints";
};
### vi ###
# NOTE(review): this appends the complete dig output (header, question
# section, statistics) to named.conf.options; everything except the KSK
# record (flags 257) has to be deleted by hand in the next step, and named
# will not start until it is. Writing to a scratch file and pasting only the
# key is safer. Fetching the trust anchor over plain DNS from the root itself
# does not authenticate it either — compare it with a copy obtained
# out-of-band from the root operator before trusting it.
dig @1.1.1.100 . dnskey +multi +norec >> /etc/bind/named.conf.options
vi /etc/bind/named.conf.options
### vi ###
# NOTE(review): allow-query { any; } on a recursive server makes it an open
# resolver if it is reachable from outside the lab; restrict allow-query /
# allow-recursion to the lab networks anywhere beyond this exercise.
allow-query { any; };
# Trust anchor for the root: flags 257 (KSK), protocol 3, algorithm 13
# (ECDSAP256SHA256); "2XaUDT...Yww==" is the abbreviated base64 public key
# taken from the dig output above.
trust-anchors {
. initial-key 257 3 13
"2XaUDT...Yww==";
};
### vi ###
# Add the lab root to the hint file. The stock entries for the real root
# servers remain; in an isolated lab they presumably only cost timeouts, but
# keeping just the lab root would avoid that — confirm what the exercise
# expects.
vi /usr/share/dns/root.hints
### vi ###
# Append without modifying the existing entries
. 3600000 NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 1.1.1.100
### vi ###
systemctl restart bind9