
해봐야 안다.OTL/Linux

[Linux] DNS: Zone transfer

Zone transfer

[Sendmail server configuration]

[root@woo:11:55:47]#cd /usr/local/bind/sbin
[root@woo:11:56:05]#ls
dnssec-dsfromkey dnssec-keygen lwresd named-checkconf named-compilezone rndc-confgen
dnssec-keyfromlabel dnssec-signzone named named-checkzone rndc
[root@woo:11:56:12]#./dnssec-keygen
Usage:
    dnssec-keygen -a alg -b bits [-n type] [options] name
Version: 9.6.1-P1
Required options:
    -a algorithm: RSA | RSAMD5 | DH | DSA | RSASHA1 | NSEC3DSA | NSEC3RSASHA1 | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | HMAC-SHA256 | HMAC-SHA384 | HMAC-SHA512
    -b key size, in bits:
        RSAMD5:        [512..4096]
        RSASHA1:       [512..4096]
        NSEC3RSASHA1:  [512..4096]
        DH:            [128..4096]
        DSA:           [512..1024] and divisible by 64
        NSEC3DSA:      [512..1024] and divisible by 64
        HMAC-MD5:      [1..512]
        HMAC-SHA1:     [1..160]
        HMAC-SHA224:   [1..224]
        HMAC-SHA256:   [1..256]
        HMAC-SHA384:   [1..384]
        HMAC-SHA512:   [1..512]
    -n nametype: ZONE | HOST | ENTITY | USER | OTHER
        (DNSKEY generation defaults to ZONE
    name: owner of the key
Other options:
    -c <class> (default: IN)
    -d <digest bits> (0 => max, default)
    -e use large exponent (RSAMD5/RSASHA1 only)
    -f keyflag: KSK
    -g <generator> use specified generator (DH only)
    -t <type>: AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF (default: AUTHCONF)
    -p <protocol>: default: 3 [dnssec]
    -s <strength> strength value this key signs DNS records with (default: 0)
    -r <randomdev>: a file containing random data
    -v <verbose level>
    -k : generate a TYPE=KEY key
Output:
     K<name>+<alg>+<id>.key, K<name>+<alg>+<id>.private

 

[root@woo:11:59:36]#./dnssec-keygen -a hmac-md5 -b 256 -n HOST host1-host2. [Enter]
Khost1-host2.+157+45085

[root@woo:12:00:03]#ls
dnssec-dsfromkey dnssec-signzone lwresd named-checkzone rndc-confgen
dnssec-keyfromlabel Khost1-host2.+157+45085.key named named-compilezone
dnssec-keygen Khost1-host2.+157+45085.private named-checkconf rndc
--> Two files are created.

[root@woo:12:00:44]#cat Khost1-host2.+157+45085.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: ECo0RqbH9nq5aRmGGtudO0zBYue3iIPI83QIRI6UyH8=
Bits: AAA=
--> The key is generated randomly. Copy the key value into /etc/named.conf and save it.

 

[Sendmail server configuration]

[root@woo:12:01:35]#vi /etc/named.conf
key host1-host2. {
    algorithm hmac-md5;
    secret "ECo0RqbH9nq5aRmGGtudO0zBYue3iIPI83QIRI6UyH8=";
};
--> add this key block

//Forward zone
zone "cho.iss" IN {
    type master;
    file "rain.zone";
    allow-update { none; };
    allow-transfer { key host1-host2.; };
};

//Reverse zone
zone "100.168.192.in-addr.arpa" IN {
    type master;
    file "rain.rev";
    allow-update { none; };
    allow-transfer { key host1-host2.; };
};
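Before restarting named it is worth confirming that every zone's allow-transfer really names the TSIG key, since a zone with no allow-transfer at all is open to any client under this BIND version's default. The script below is an added example, not code from the post: a small audit over a named.conf fragment written in the post's style, where the key name, algorithm, secret and the cho.iss zone come from the post, while the example.test zone and the line-oriented regex parsing are assumptions of this example.

```python
import re

# Constructed fragment in the style of the post's master named.conf: the key and
# cho.iss come from the post; example.test is hypothetical, added to be flagged.
SAMPLE_NAMED_CONF = """\
key host1-host2. {
    algorithm hmac-md5;
    secret "ECo0RqbH9nq5aRmGGtudO0zBYue3iIPI83QIRI6UyH8=";
};
zone "cho.iss" IN {
    allow-transfer { key host1-host2.; };
};
zone "example.test" IN {
    file "example.zone";
};
"""
# Assumes the page's layout (one statement per line, top-level blocks closed
# by "};" at the start of a line); this is not a full named.conf parser.
KEY_RE = re.compile(r'^\s*key\s+(\S+?)\s*\{(.*?)\};', re.M | re.S)
ZONE_RE = re.compile(r'^\s*zone\s+"([^"]+)"[^{]*\{(.*?)^\};', re.M | re.S)

def parse_keys(conf):
    # Map each key statement's name to (algorithm, secret).
    keys = {}
    for name, body in KEY_RE.findall(conf):
        alg = re.search(r'algorithm\s+([\w-]+)', body)
        sec = re.search(r'secret\s+"([^"]*)"', body)
        keys[name] = (alg and alg.group(1).lower(), sec and sec.group(1))
    return keys

def audit(conf):
    # Return a list of findings about the TSIG keys and allow-transfer ACLs.
    keys, findings = parse_keys(conf), []
    for name, (alg, _secret) in keys.items():
        if alg == 'hmac-md5':
            findings.append(f'key {name}: hmac-md5 is weak, regenerate with -a hmac-sha256')
    for zone, body in ZONE_RE.findall(conf):
        acl = re.search(r'allow-transfer\s*\{([^}]*)\}', body)
        if not acl:
            findings.append(f'zone {zone}: no allow-transfer; BIND 9.6 defaults to any')
            continue
        terms = [t.strip() for t in acl.group(1).split(';') if t.strip()]
        if 'any' in terms:
            findings.append(f'zone {zone}: allow-transfer includes any')
        elif terms != ['none'] and not any(t.startswith('key ') for t in terms):
            findings.append(f'zone {zone}: address-based ACL only, no TSIG key')
    return findings
```

Run audit() over your own named.conf before restarting; the HMAC-SHA256 alternative it recommends is among the algorithms listed in the dnssec-keygen usage above.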

 

 

[BIND server configuration]

[root@jo:~]#vi /etc/named.conf
key host1-host2. {
    algorithm hmac-md5;
    secret "ECo0RqbH9nq5aRmGGtudO0zBYue3iIPI83QIRI6UyH8=";
};

server 192.168.100.100 {
    keys { host1-host2.; };
};

 

Next, with #tail -f /var/log/messages running, delete the slave.zone and slave.rev files in /var/named, then either wait 5 minutes or run service named restart.
Synchronize the time between the two servers first, with rdate -s, or otherwise force it with date -s "2009-10-28 10:00:00".
Then see whether the zone transfer takes place.

 

[root@jo:/var/named]#ls
data named.empty named.loopback rain.zone slave.zone
named.ca named.localhost rain.rev slave.rev
--> The slave.zone and slave.rev files are created again by the zone transfer.
Now look at the /var/log/messages log; it should show something like this:

 

 

Oct 28 10:05:17 jo named[5440]: zone cho.iss/IN: Transfer started.
Oct 28 10:05:17 jo named[5440]: transfer of 'cho.iss/IN' from 192.168.100.100#53: connected using 192.168.100.1#58435
Oct 28 10:05:17 jo named[5440]: zone cho.iss/IN: transferred serial 90915001: TSIG 'host1-host2'
Oct 28 10:05:17 jo named[5440]: transfer of 'cho.iss/IN' from 192.168.100.100#53: Transfer completed: 1 messages, 8 records, 294 bytes, 0.034 secs (8647 bytes/sec)
Oct 28 10:05:17 jo named[5440]: zone 100.168.192.in-addr.arpa/IN: Transfer started.
Oct 28 10:05:17 jo named[5440]: transfer of '100.168.192.in-addr.arpa/IN' from 192.168.100.100#53: connected using 192.168.100.1#42795
Oct 28 10:05:17 jo named[5440]: zone 100.168.192.in-addr.arpa/IN: transferred serial 901020001: TSIG 'host1-host2'
Oct 28 10:05:17 jo named[5440]: transfer of '100.168.192.in-addr.arpa/IN' from 192.168.100.100#53: Transfer completed: 1 messages, 7 records, 300 bytes, 0.018 secs (16666 bytes/sec)
Oct 28 10:06:58 jo named[5440]: network unreachable resolving 'mirrorlist.centos.org/AAAA/IN': 2001:503:c27::2:30#53
Oct 28 10:07:08 jo named[5440]: network unreachable resolving 'mirrorlist.centos.org/A/IN': 2001:503:c27::2:30#53