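# Run on DMZSRV, SITE1SRV, SITE2SRV, PUBROOT and PUBSRV: install BIND 9.
# dnssec-keygen, tsig-keygen and dnssec-dsfromkey ship in bind9-utils (pulled in
# by bind9); dig, used below to derive DS records, lives in bind9-dnsutils on
# current Debian/Ubuntu (the transitional name is dnsutils on older releases),
# so ask for it explicitly instead of relying on Recommends.
apt update
apt install -y bind9 bind9-dnsutils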
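# ---------------------------------------------------------------- dmzsrv ----
# Primary for skill39.com (inline-signed) and the host that drives rndc on
# site1srv / site2srv.

# DNSSEC keys: ECDSA P-256 KSK + ZSK. dnssec-keygen writes the .private file
# 0600 owned by the invoking user (root); ownership is handed to bind below.
mkdir -p /var/cache/bind/keys
cd /var/cache/bind/keys || exit 1
dnssec-keygen -a ECDSAP256SHA256 -f KSK skill39.com
dnssec-keygen -a ECDSAP256SHA256 skill39.com

# TSIG key for zone transfers. tsig-keygen names the key "tsig-key" unless told
# otherwise; allow-transfer here and primaries on the secondaries refer to that
# name, so the file must be copied to the secondaries unchanged.
# It is a shared secret: never leave it world-readable.
tsig-keygen > /etc/bind/tsig.key
chmod 640 /etc/bind/tsig.key

# rndc keys: the local one plus the ones bind9's install generated on the two
# site servers, fetched over scp so this host can control them remotely.
mkdir -p /etc/bind/rndc-key
mv /etc/bind/rndc.key /etc/bind/rndc-key/dmzsrv.key
scp 192.168.0.1:/etc/bind/rndc.key /etc/bind/rndc-key/site1srv.key
scp 172.16.0.1:/etc/bind/rndc.key /etc/bind/rndc-key/site2srv.key
chmod 640 /etc/bind/rndc-key/*.key
# Each key statement needs a distinct name so all three can be included into
# one rndc.conf. The rename is local bookkeeping only: the site servers keep
# calling theirs "rndc-key" and remote rndc still works (named matches the
# control message against the secret, not the name — verify on your BIND
# version if remote rndc unexpectedly fails).
sed -i 's/^key "rndc-key"/key "dmzsrv-key"/'   /etc/bind/rndc-key/dmzsrv.key
sed -i 's/^key "rndc-key"/key "site1srv-key"/' /etc/bind/rndc-key/site1srv.key
sed -i 's/^key "rndc-key"/key "site2srv-key"/' /etc/bind/rndc-key/site2srv.key

cat > /etc/bind/named.conf.options <<'EOF'
options {
        directory "/var/cache/bind";
        // Authoritative only. With recursion off, dnssec-validation never
        // actually runs here; it is kept explicit to document the intent.
        dnssec-validation auto;
        recursion no;
};
include "/etc/bind/tsig.key";
include "/etc/bind/rndc-key/dmzsrv.key";
controls {
        // Local control channel only; remote servers are driven FROM here,
        // nobody drives this one remotely.
        inet 127.0.0.1 port 953
                allow { localhost; 127.0.0.1; } keys { "dmzsrv-key"; };
};
EOF

# rndc client configuration holding all three control secrets.
mkdir -p /etc/rndc
cat > /etc/rndc/rndc.conf <<'EOF'
include "/etc/bind/rndc-key/dmzsrv.key";
include "/etc/bind/rndc-key/site1srv.key";
include "/etc/bind/rndc-key/site2srv.key";
options {
        default-key "dmzsrv-key";
        default-server 127.0.0.1;
        default-port 953;
};
server SITE1SRV {
        key "site1srv-key";
        addresses { 192.168.0.1 port 953; };
};
server SITE2SRV {
        key "site2srv-key";
        addresses { 172.16.0.1 port 953; };
};
server 127.0.0.1 {
        key "dmzsrv-key";
};
EOF
chmod 600 /etc/rndc/rndc.conf   # three secrets, only root runs rndc here
# rndc (and Debian's unit file, which runs `rndc reload` / `rndc stop`) look
# for /etc/bind/rndc.conf; rndc.key was moved away above, so point the default
# location at our file. Explicit form: rndc -c /etc/rndc/rndc.conf -s SITE1SRV reload
ln -sf /etc/rndc/rndc.conf /etc/bind/rndc.conf

cat > /etc/bind/named.conf <<'EOF'
include "/etc/bind/named.conf.options";
// named.conf.local is intentionally not included (nothing is defined there).
include "/etc/bind/named.conf.default-zones";
zone "skill39.com" {
        type master;
        file "skill39-zone";
        key-directory "/var/cache/bind/keys";
        // named signs the raw file and serves skill39-zone.signed.
        // auto-dnssec is deprecated since BIND 9.16 and removed in 9.20; on
        // those versions replace it with a dnssec-policy using the same keys.
        auto-dnssec maintain;
        inline-signing yes;
        // Only secondaries that hold tsig.key may AXFR/IXFR.
        allow-transfer { key tsig-key; };
};
EOF

# Raw (unsigned) zone. SOA timers are those of Debian's db.local template the
# original was copied from. Bump the serial on every edit: that is what makes
# the re-signed zone propagate to ns2/ns3.
cat > /var/cache/bind/skill39-zone <<'EOF'
$TTL 604800
@       IN SOA  ns1.skill39.com. root.ns1.skill39.com. (
                2       ; serial - increase on every change
                604800  ; refresh
                86400   ; retry
                2419200 ; expire
                604800 ) ; negative cache TTL
@       IN NS   ns1.skill39.com.
@       IN NS   ns2.skill39.com.
@       IN NS   ns3.skill39.com.
ns1     IN A    100.0.0.1
ns2     IN A    100.0.0.5
ns3     IN A    100.0.0.9
ca      IN A    100.0.0.1
ocsp    IN A    100.0.0.1
vpn     IN A    100.0.0.1
www     IN A    100.0.0.1
site    IN A    100.0.0.1
site1   IN A    100.0.0.5
site2   IN A    100.0.0.9
EOF

# named (user bind) must write /var/cache/bind (signed zone, journals, key
# state) but has no business writing its own configuration: keep /etc/bind
# root-owned with group bind able to read it. A blanket chown -R bind:bind
# on /etc/bind would let a compromised named rewrite named.conf.
chown -R bind:bind /var/cache/bind
chmod 750 /var/cache/bind/keys
chown -R root:bind /etc/bind

named-checkconf -z || exit 1   # catch config/zone errors before bouncing named
systemctl restart bind9

# DS record for the parent (com, hosted on pubroot). Signing happens
# asynchronously after start: wait until the DNSKEY RRset is really served,
# otherwise dnssec-dsfromkey writes an empty file and the chain never links.
for _ in {1..30}; do
  dig +short @127.0.0.1 DNSKEY skill39.com | grep -q . && break
  sleep 1
done
dig @127.0.0.1 DNSKEY skill39.com | dnssec-dsfromkey -f - skill39.com > /root/ds-skill39
test -s /root/ds-skill39 || { echo "no DS generated for skill39.com" >&2; exit 1; }
scp /root/ds-skill39 root@1.1.1.100:/root   # pubroot (a.root-servers.net in this lab)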
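# ---------------------------------------------------- site1srv, site2srv ----
# Secondaries for skill39.com (ns2 / ns3). Run on both hosts.

# Transfer key generated on dmzsrv (10.0.1.1 from here). Copy it unchanged:
# the key name inside must stay "tsig-key" to match the primary's
# allow-transfer. Shared secret -> root:bind 0640, not world-readable.
scp 10.0.1.1:/etc/bind/tsig.key /etc/bind/tsig.key
chown root:bind /etc/bind/tsig.key
chmod 640 /etc/bind/tsig.key

cat > /etc/bind/named.conf.options <<'EOF'
options {
        directory "/var/cache/bind";
        // Authoritative only; validation does not apply without recursion.
        dnssec-validation auto;
        recursion no;
};
include "/etc/bind/tsig.key";
include "/etc/bind/rndc.key";
controls {
        // Control channel reachable from dmzsrv; messages are authenticated
        // with rndc-key (the secret dmzsrv copied from this host).
        // 127.0.0.1 must stay in the ACL, otherwise rndc stops working on
        // this host itself (and so does the unit file's `rndc reload`).
        // Listening on * is convenient; narrow it to the interface facing
        // dmzsrv if this host has public-facing addresses.
        inet * port 953
                allow { 127.0.0.1; 10.0.1.1; } keys { "rndc-key"; };
};
EOF

cat > /etc/bind/named.conf <<'EOF'
include "/etc/bind/named.conf.options";
// named.conf.local and named.conf.default-zones are deliberately left out:
// this server is authoritative for skill39.com only.
zone "skill39.com" {
        type slave;                             // "secondary" on BIND >= 9.16
        file "skill39-zone";
        primaries { 10.0.1.1 key tsig-key; };   // "masters" on BIND < 9.16
        // The signed zone arrives over a TSIG-authenticated transfer; do not
        // hand it out again to anyone who asks (BIND's default allows that).
        allow-transfer { none; };
};
EOF

named-checkconf || exit 1
systemctl restart bind9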
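# ---------------------------------------------------------------- pubsrv ----
# The lab's "public internet" resolver (1.1.1.1), also authoritative for
# public.net. Uses pubroot (1.1.1.100) as its root instead of the real one.

mkdir -p /var/cache/bind/keys
cd /var/cache/bind/keys || exit 1
dnssec-keygen -a ECDSAP256SHA256 -f KSK public.net
dnssec-keygen -a ECDSAP256SHA256 public.net

cat > /etc/bind/named.conf <<'EOF'
include "/etc/bind/named.conf.options";
// named.conf.default-zones must NOT be included here: it declares its own
// zone "." hint pointing at the real root servers, which would clash with
// the private root below.
zone "." {
        type hint;
        // Absolute path: a relative "db.root" would be looked up under
        // options.directory (/var/cache/bind), not found, and named would
        // silently fall back to its built-in real-root hints.
        file "/etc/bind/db.root";     // a.root-servers.net = 1.1.1.100 (pubroot)
};
zone "public.net" {
        type master;
        file "pub-zone";
        key-directory "/var/cache/bind/keys";
        // Deprecated since BIND 9.16, removed in 9.20 -> dnssec-policy there.
        auto-dnssec maintain;
        inline-signing yes;
};
EOF

cat > /etc/bind/named.conf.options <<'EOF'
options {
        directory "/var/cache/bind";
        recursion yes;
        // This host IS the lab's public DNS, so anyone may query and recurse.
        // Outside an isolated lab an open recursive resolver is a DDoS
        // amplification vector: scope allow-recursion to known prefixes and
        // enable rate-limit {}.
        allow-query { any; };
        allow-recursion { any; };
        // "yes" validates only against explicitly configured trust anchors,
        // and none are configured, so validation is effectively off.
        // Do NOT switch to "auto": the built-in ICANN root key does not sign
        // this private root and every answer would become bogus. To validate
        // for real, add pubroot's root KSK once it exists, e.g.
        //   trust-anchors { . initial-key 257 3 13 "<base64 from pubroot>"; };
        dnssec-validation yes;
};
EOF

# Raw zone. Timers are those of the db.local template; bump the serial on
# every edit. (The original had a second "ns.public.net IN A" line without a
# trailing dot, which the parser turns into ns.public.net.public.net - dropped.)
cat > /var/cache/bind/pub-zone <<'EOF'
$TTL 604800
@       IN SOA  ns.public.net. root.ns.public.net. (
                2       ; serial - increase on every change
                604800  ; refresh
                86400   ; retry
                2419200 ; expire
                604800 ) ; negative cache TTL
@       IN NS   ns.public.net.
ns      IN A    1.1.1.1
time    IN A    1.1.1.100
ca      IN A    1.1.1.1
www     IN A    1.1.1.1
EOF

# Private root hints: the only root this resolver knows.
cat > /etc/bind/db.root <<'EOF'
.                       3600000 IN NS   a.root-servers.net.
a.root-servers.net.     3600000 IN A    1.1.1.100
EOF

# Ownership BEFORE starting named: the original chowned the keys after the
# restart, so named started without being able to read them and the zone was
# not signed when the DS was derived below.
chown -R bind:bind /var/cache/bind
chmod 750 /var/cache/bind/keys
chown -R root:bind /etc/bind      # config stays root-owned, readable by bind

named-checkconf -z || exit 1
systemctl restart bind9

# DS for the parent (net, hosted on pubroot): wait for the DNSKEY RRset to be
# served, refuse to ship an empty file.
for _ in {1..30}; do
  dig +short @127.0.0.1 DNSKEY public.net | grep -q . && break
  sleep 1
done
dig @127.0.0.1 DNSKEY public.net | dnssec-dsfromkey -f - public.net > /root/ds-pub
test -s /root/ds-pub || { echo "no DS generated for public.net" >&2; exit 1; }
scp /root/ds-pub root@1.1.1.100:/root   # pubroot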
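# --------------------------------------------------------------- pubroot ----
# Private root (a.root-servers.net) that also serves the com and net TLDs,
# all three inline-signed. Expects /root/ds-skill39 and /root/ds-pub to have
# been copied here by dmzsrv and pubsrv already.

# Keys first, so named has them at its first start. The original started
# named before the keys existed, then derived DS records from an unsigned
# zone and needed a second restart.
mkdir -p /var/cache/bind/keys
cd /var/cache/bind/keys || exit 1
dnssec-keygen -a ECDSAP256SHA256 -f KSK .
dnssec-keygen -a ECDSAP256SHA256 .
dnssec-keygen -a ECDSAP256SHA256 -f KSK com
dnssec-keygen -a ECDSAP256SHA256 com
dnssec-keygen -a ECDSAP256SHA256 -f KSK net
dnssec-keygen -a ECDSAP256SHA256 net

cat > /etc/bind/named.conf.options <<'EOF'
options {
        directory "/var/cache/bind";
        recursion no;
        dnssec-validation auto;   // no effect with recursion off
        key-directory "/var/cache/bind/keys";
};
EOF

cat > /etc/bind/named.conf <<'EOF'
include "/etc/bind/named.conf.options";
// named.conf.default-zones must stay out: it defines zone "." as a hint,
// which would clash with the authoritative root below.
// auto-dnssec: deprecated since BIND 9.16, removed in 9.20 -> dnssec-policy.
zone "." {
        type master;
        file "root-zone";
        auto-dnssec maintain;
        inline-signing yes;
        key-directory "/var/cache/bind/keys";
};
zone "com" {
        type master;
        file "com-zone";
        auto-dnssec maintain;
        inline-signing yes;
        key-directory "/var/cache/bind/keys";
};
zone "net" {
        type master;
        file "net-zone";
        auto-dnssec maintain;
        inline-signing yes;
        key-directory "/var/cache/bind/keys";
};
EOF

# Raw zones (timers from the db.local template). Serial starts at 1 and is
# bumped to 2 once the DS records are appended below. Owner names are absolute
# so the DS records appended later can be, too.
cat > /var/cache/bind/root-zone <<'EOF'
$TTL 604800
@                       IN SOA  a.root-servers.net. root.a.root-servers.net. (
                                1 ; serial
                                604800 86400 2419200 604800 )
@                       IN NS   a.root-servers.net.
com.                    IN NS   a.gtld-servers.net.
net.                    IN NS   a.gtld-servers.net.
; both name servers live under net., so these A records are required glue
a.root-servers.net.     IN A    1.1.1.100
a.gtld-servers.net.     IN A    1.1.1.100
EOF

cat > /var/cache/bind/com-zone <<'EOF'
$TTL 604800
@                       IN SOA  a.gtld-servers.net. root.a.gtld-servers.net. (
                                1 ; serial
                                604800 86400 2419200 604800 )
@                       IN NS   a.gtld-servers.net.
skill39.com.            IN NS   ns1.skill39.com.
skill39.com.            IN NS   ns2.skill39.com.
skill39.com.            IN NS   ns3.skill39.com.
ns1.skill39.com.        IN A    100.0.0.1
ns2.skill39.com.        IN A    100.0.0.5
ns3.skill39.com.        IN A    100.0.0.9
EOF

cat > /var/cache/bind/net-zone <<'EOF'
$TTL 604800
@                       IN SOA  a.gtld-servers.net. root.a.gtld-servers.net. (
                                1 ; serial
                                604800 86400 2419200 604800 )
@                       IN NS   a.gtld-servers.net.
a.gtld-servers.net.     IN A    1.1.1.100
public.net.             IN NS   ns.public.net.
ns.public.net.          IN A    1.1.1.1
EOF

chown -R bind:bind /var/cache/bind
chmod 750 /var/cache/bind/keys

named-checkconf -z || exit 1
systemctl restart bind9

# DS records for com and net go into the root zone. Wait until named has
# actually signed the TLD zones; an unsigned zone yields an empty DS set and
# a silently broken chain of trust.
for tld in com net; do
  for _ in {1..30}; do
    dig +short @127.0.0.1 DNSKEY "$tld" | grep -q . && break
    sleep 1
  done
  dig @127.0.0.1 DNSKEY "$tld" | dnssec-dsfromkey -f - "$tld" > "/root/ds-$tld"
  test -s "/root/ds-$tld" || { echo "no DS generated for $tld" >&2; exit 1; }
  cat "/root/ds-$tld" >> /var/cache/bind/root-zone
done

# Child DS records delivered by dmzsrv and pubsrv.
test -s /root/ds-skill39 || { echo "/root/ds-skill39 missing or empty" >&2; exit 1; }
test -s /root/ds-pub     || { echo "/root/ds-pub missing or empty" >&2; exit 1; }
cat /root/ds-skill39 >> /var/cache/bind/com-zone
cat /root/ds-pub     >> /var/cache/bind/net-zone

# The zone files changed: raise every serial so the change is picked up and
# propagates, then reload instead of a full restart.
for z in root-zone com-zone net-zone; do
  sed -i 's/^\([[:space:]]*\)1 ; serial$/\1 2 ; serial/' "/var/cache/bind/$z"
done
rndc reload

# Sanity check: both delegations must now carry a DS RRset.
dig +norec @127.0.0.1 DS skill39.com
dig +norec @127.0.0.1 DS public.net

# Validators (pubsrv, intsrv) can only validate this private tree if they
# trust THIS root KSK; export it for their trust-anchors statement.
dig +short @127.0.0.1 DNSKEY . | grep '^257 ' > /root/root-ksk.txt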
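# ---------------------------------------------------------------- intsrv ----
# Internal resolver backed by Samba AD (dlz_bind9); everything it is not
# authoritative for is forwarded to pubsrv (1.1.1.1).
# The file is named.conf.options - the original edited "named.conf.option",
# which creates a file nothing includes.
cat > /etc/bind/named.conf.options <<'EOF'
options {
        directory "/var/cache/bind";
        recursion yes;
        // allow-query any also makes allow-recursion default to any. Fine on
        // an internal-only host; if this address is reachable from outside,
        // add allow-recursion { <internal prefixes>; }.
        allow-query { any; };
        // "yes" validates only against configured trust anchors; none are
        // configured and the lab uses a private root, so validation is
        // effectively off. Do not switch to "auto" (the built-in ICANN key
        // would mark every answer bogus); to validate, add pubroot's root KSK
        // as trust-anchors { . initial-key 257 3 13 "<base64>"; }.
        dnssec-validation yes;
        forwarders {
                1.1.1.1;
        };
        // Keytab for GSS-TSIG dynamic updates from the domain controller.
        // tkey-gssapi-keytab is an options{} statement, not a top-level
        // named.conf statement (the original placed it there, which
        // named-checkconf rejects). Samba >= 4.8 writes the keytab to
        // /var/lib/samba/bind-dns/dns.keytab - use whichever path
        // samba-tool / samba_upgradedns reported.
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
EOF

cat > /etc/bind/named.conf <<'EOF'
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
// Samba-generated: loads the dlz_bind9 module serving the AD zones. Check
// that exactly one dlz_bind9_*.so line matching `named -v` is active in it.
include "/var/lib/samba/bind-dns/named.conf";
EOF

named-checkconf || exit 1
systemctl restart bind9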