linux:dns_rndc_dnssec

Ubuntu DNS server + DNSSEC + RNDC (Bind9)實作


Install Bind9


  • $ sudo apt update
  • $ sudo apt install bind9
  • $ sudo apt install dnsutils
  • $ sudo vi /etc/bind/named.conf.options
    修改如下
  • $ sudo systemctl restart bind9
  • $ sudo systemctl status bind9
    如下即為成功啟動
  • $sudo vi /etc/bind/named.conf.local
    加入正解區域
  • $ sudo cp /etc/bind/db.local /etc/bind/db.domainname
    * $ sudo vi /etc/bind/db.local /etc/bind/db.domain    name
    修改如下
  • $ sudo systemctl restart bind9
    加入反解區域 (optional)
  • $ sudo cp /etc/bind/db.127 /etc/bind/ccc.bbb.aaa.rev
  • $ sudo vi /etc/bind/ccc.bbb.aaa.rev
    修改如下

檢查錯誤
* $ named-checkzone domainname /etc/bind/db.domainname
* $ named-checkzone “ccc.bbb.aaa.in-addr.arpa” /etc/bind/ccc.bbb.aaa.rev [如果有的話]
* $ sudo named-checkconf /etc/bind/named.conf
* $ sudo named-checkconf /etc/bind/named.conf.local

RNDC 設置

  • $ sudo rndc-confgen > /etc/bind/rndc.conf
  • $ sudo vi /etc/bind/rndc.conf
    複製以下區域至 /etc/bind/named.conf 底下, 並拿掉#
  • $ sudo service named restart
  • $ sudo rndc status

DNSSEC 設置

  • $ sudo mkdir /var/cache/bind/keys
  • $ cd /var/cache/bind/keys
  • $ sudo dnssec-keygen -f KSK -a RSASHA256 -b 2048 -n ZONE domainname
    * $ sudo dnssec-keygen -a RSASHA256 -b 1024 -n ZONE domain    name
  • $ cat .key » /etc/bind/db.domainname
    * $ sudo chmod 700 /var/cache/bind/keys/
     $ sudo dnssec-signzone -o domain -k KSK.key zone    file ZSK.key
    [p.s. 檔案較大者為KSK.key]
     $ sudo vi /etc/bind/named.conf.local
    修改如下
  • $ sudo service named reload
  • linux/dns_rndc_dnssec.txt
  • 上一次變更: 2022/02/05 20:26
  • 211.75.215.83