| Linux下搭建DNS Server的软件首选Bind,其有不同的版本,Window DNS是从Bind 4.x改进过来的,另外Bind8.x和Bind9.x从安全性及扩充性方面做了很多改进,为了实现对IPv6DNS的支持,采用Bind v9来实现,bind9.x提供IPv6 socket的DNS查询,支持IPv6资源记录?关于Bind9.x的详细特性建议到Bind的Web站点查阅,Bind的最新版本可以到www.isc.org/products/BIND/ 去下载?
#wget http://ftp.isc.org/isc/bind9/9.3.2/bind-9.3.2.tar.gz
# tar -xzf bind-9.2.1.tar.gz
# cd bind-9.2.1
#./configure -enable-ipv6 -with-openssl
# make && make install |
Bind软件安装后,会产生几个固有文件,分为两类?一类是配置文件在/etc目录下,一类是DNS记录文件在/var/named目录下?加上其他相关文件,共同设置DNS服务器?named.conf为默认的主配置文件(须手动建立),设置一般的named参数,指向该服务器使用的域数据库信息的源,这类源可以是本地磁盘文件或远程服务器?
named .ca :指向根域名服务器
named .1ocal :用于在本地转换回送地址
named .hosts :将主机名映射为IP地址
下面以笔者实验建立的纯IPv6实验网的域名secv6.your.domain为例说明如何配置支持AAAA及A6记录的IPv6 域名服务器。
文件清单1 /etc/named.conf
|
options ...{
directory "/var/named";
// a caching only nameserver config
zone "." IN ...{
type hint;
file "named.ca";
};
// this defines the loopback name lookup
zone "localhost" IN ...{
type master;
file "master/localhost.zone";
allow-update ...{ none; };
};
// this defines the loopback reverse name lookup
zone "0.0.127.in-addr.arpa" IN ...{
type master;
file "master/localhost.rev";
allow-update ...{ none; };
};
// This defines the secv6 domain name lookup
// Secure (signed) zone file is
// secv6.your.domain.signed
// Regular zone file is secv6.your.domain
zone "secv6.your.domain" IN ...{
type master;
file "master/secv6.your.domain.signed";
// file "master/secv6.your.domain";
};
// this defines the secv6 domain reverse
// name lookup (AAAA)
zone "secv6.int" IN ...{
type master;
file "master/secv6.int";
};
// this defines the secv6 domain reverse
// name lookup (A6)
zone "secv6.arpa" IN ...{
type master;
file "master/secv6.rev";
};
// secret key truncated to fit
key "key" ...{
algorithm hmac-md5;
secret "HxbmAnSO0quVxcxBDjmAmjrmhgDUVFcFNcfmHC";
}; |
文件清单2 /var/named/master/secv6.your.domain
$TTL 86400
$ORIGIN secv6.your.domain.
@ IN SOA secv6.your.domain. hostmaster.your.domain. (
2002011442 ; Serial number (yyyymmdd-num)
3H ; Refresh
15M ; Retry
1W ; Expire
1D ) ; Minimum
IN MX 10 noah.your.domain.
IN NS ns.secv6.your.domain.
$ORIGIN secv6.your.domain.
ns 1D IN AAAA fec0::1:250:b7ff:fe14:35d0
1D IN A6 0 fec0::1:250:b7ff:fe14:35d0
secv6.your.domain. 1D IN AAAA fec0::1:250:b7ff:fe14:35d0 1D IN A6 0
fec0::1:250:b7ff:fe14:35d0
pc2 1D IN AAAA fec0::1:250:b7ff:fe14:35d0 1D IN A6 0
fec0::1:250:b7ff:fe14:35d0
pc3 1D IN A6 0 fec0::1:250:b9ff:fe00:131 1D IN AAAA
fec0::1:250:b9ff:fe00:131
pc6 1D IN A6 0 fec0::1:250:b7ff:fe14:3617 1D IN AAAA
fec0::1:250:b7ff:fe14:3617
pc4 1D IN A6 0 fec0::1:250:b7ff:fe14:35c4 1D IN AAAA
fec0::1:250:b7ff:fe14:35c4
pc5 1D IN A6 0 fec0::1:250:b7ff:fe14:361b 1D IN AAAA
fec0::1:250:b7ff:fe14:361b
pc7 1D IN A6 0 fec0::1:250:b7ff:fe14:365a 1D IN AAAA
fec0::1:250:b7ff:fe14:365a
pc1 1D IN A6 0 fec0::1:250:b9ff:fe00:12e 1D IN AAAA
fec0::1:250:b9ff:fe00:12e
pc1 1D IN A6 0 fec0:0:0:1::1 1D IN AAAA fec0:0:0:1::1
$INCLUDE "/var/named/master/Ksecv6.your.domain.+003+27034.key" | Dnssec配置命令:
dnssec-keygen -a DSA -b 768 -n ZONE secv6.your.domain
dnssec-signzone -o secv6.your.domain secv6.your.domain
说明:DNSSEC主要依靠公钥技术对于包含在DNS中的信息创建密码签名。密码签名通过计算出一个密码hash数来提供DNS中数据的完整性,并将该hash 数封装进行保护。私/公钥对中的私钥用来封装hash数,然后可以用公钥把hash数译出来。如果这个译出的hash值匹配接收者刚刚计算出来的hash树,那么表明数据是完整的。不管译出来的hash数和计算出来的hash数是否匹配,对于密码签名这种认证方式都是绝对正确的,因为公钥仅仅用于解密合法的hash数,所以只有拥有私钥的拥有者可以加密这些信息。
文件清单3 var/named/master/localhost.zone
// localhost.zone Allows for local communications
// using the loopback interface
$TTL 86400
$ORIGIN localhost.
@ 1D IN SOA @ root (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expire
1D ) ; minimum
1D IN NS @
1D IN A 127.0.0.1 |
文件清单4 /var/named/master/localhost.rev
// localhost.rev Defines reverse DNS lookup on
// loopback interface
$TTL 86400
$ORIGIN 0.0.127.in-addr.arpa.
@ IN SOA 0.0.127.in-addr.arpa. hostmaster.secv6.your.domain. (
42 ; Serial number (d. adams)
3H ; Refresh
15M ; Retry
1W ; Expire
1D ) ; Minimum
NS ns.secv6.your.domain.
MX 10 noah.ip6.your.domain.
PTR localhost. |
文件清单5 /var/named/master/secv6.rev
// secv6.rev Defines reverse lookup for secv6
// domain in A6 format
$TTL 86400
$ORIGIN secv6.arpa.
@ IN SOA secv6.arpa. hostmaster.secv6.your.domain. (
2002011442 ; Serial number (yyyymmdd-num)
3H ; Refresh
15M ; Retry
1W ; Expire
1D ) ; Minimum
NS ns.secv6.your.domain.
MX 10 noah.your.domain.
; fec0:0:0:1::/64
$ORIGIN \[xfec0000000000001/64].secv6.arpa.
\[x0250b7fffe1435d0/64] 1D IN PTR pc2.secv6.your.domain.
\[x0250b9fffe000131/64] 1D IN PTR pc3.secv6.your.domain.
\[x0250b7fffe143617/64] 1D IN PTR pc6.secv6.your.domain.
\[x0250b7fffe1435c4/64] 1D IN PTR pc4.secv6.your.domain.
\[x0250b7fffe14361b/64] 1D IN PTR pc5.secv6.your.domain.
\[x0250b7fffe14365a/64] 1D IN PTR pc7.secv6.your.domain.
\[x0250b9fffe00012e/64] 1D IN PTR pc1.secv6.your.domain. |
文件清单6. /var/named/master/secv6.int
// secv6.int Defines reverse lookup for secv6
// domain in AAA format
$TTL 86400
$ORIGIN secv6.int.
@ IN SOA secv6.int. hostmaster.secv6.your.domain. (
2002011442 ; Serial number (yyyymmdd-num)
3H ; Refresh
15M ; Retry
1W ; Expire
1D ) ; Minimum
NS ns.secv6.your.domain.
MX 10 noah.your.domain.
; fec0:0:0:1::/64
$ORIGIN 1.0.0.0.0.0.0.0.0.0.0.0.0.c.e.f.secv6.int.
0.d.5.3.4.1.e.f.f.f.7.b.0.5.2.0 IN PTR pc2.secv6.your.domain.
e.2.1.0.0.0.e.f.f.f.9.b.0.5.2.0 IN PTR pc1.secv6.your.domain.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR pc1.secv6.your.domain.
1.3.1.0.0.0.e.f.f.f.9.b.0.5.2.0 IN PTR pc3.secv6.your.domain.
7.1.6.3.4.1.e.f.f.f.7.b.0.5.2.0 IN PTR pc6.secv6.your.domain.
4.c.5.3.4.1.e.f.f.f.7.b.0.5.2.0 IN PTR pc4.secv6.your.domain.
b.1.6.3.4.1.e.f.f.f.7.b.0.5.2.0 IN PTR pc5.secv6.your.domain. | DNS客户端的配置
/etc/hosts 是主机的一个列表文件。作用是如果系统的 IP 不是动态生成,就可以使用它。对于简单的主机名解析(点分表示法),在请求 DNS 或 NIS 网络名称服务器之前,/etc/hosts.conf 通常会告诉解析程序先查看这里。
search secv6.your.domain
nameserver fec0::1:250:b7ff:fe14:35d0
DNS服务器测试
使用dig命令重新:
A6 格式DNS 查询
pc2% dig 0.0.0.0 secv6.your.domain a6
; <<>> DiG 9.1.0 <<>> 0.0.0.0 secv6.your.domain A6
[...]
;secv6.your.domain. IN A6
;; ANSWER SECTION:
secv6.your.domain. 86400 IN A6 0 fec0::1:250:b7ff:fe14:35d0
;; AUTHORITY SECTION:
secv6.your.domain. 86400 IN NS ns.secv6.your.domain.
;; ADDITIONAL SECTION:
ns.secv6.your.domain. 86400 IN A6 0 fec0::1:250:b7ff:fe14:35d0
ns.secv6.your.domain. 86400 IN AAAA fec0::1:250:b7ff:fe14:35d0
AAAA 格式DNS 查询
pc2% dig 0.0.0.0 secv6.your.domain aaaa
; <<>> DiG 9.1.0 <<>> 0.0.0.0 secv6.your.domain AAAA
[...]
;secv6.your.domain. IN AAAA
;; ANSWER SECTION:
secv6.your.domain. 86400 IN AAAA fec0::1:250:b7ff:fe14:35d0
;; AUTHORITY SECTION:
secv6.your.domain. 86400 IN NS ns.secv6.your.domain.
;; ADDITIONAL SECTION:
ns.secv6.your.domain. 86400 IN A6 0 fec0::1:250:b7ff:fe14:35d0
ns.secv6.your.domain. 86400 IN AAAA fec0::1:250:b7ff:fe14:35d0 |
至此,IPv6环境下DNS服务器搭建完毕。 |
