Environment
System: Ubuntu 20.04
bind9: 9.16.1
Problem: dnssec-keygen -a hmac-md5 -b 128 -n USER devops fails
man dnssec-keygen explains why: since BIND 9.13 dnssec-keygen no longer generates HMAC (TSIG) keys, and tsig-keygen is the tool to use instead. Its default algorithm is hmac-sha256; hmac-md5 is obsolete for TSIG (RFC 8945), so the old command should not simply be replayed as tsig-keygen -a hmac-md5 either.
In prior releases, HMAC algorithms could be generated for use as TSIG keys, but that feature has been removed as of BIND 9.13.0. Use tsig-keygen to generate TSIG keys
```
root@opstack21-83:/etc/bind# tsig-keygen -a hmac-sha512 devops > devops.key
root@opstack21-83:/etc/bind# cat devops.key
key "devops" {
    algorithm hmac-sha512;
    secret "N0AS/Of5dgDNa/QLVirQ8tDpckEFCix/FC/UECcWWUNUz5OjaS0JSKUapxCuA4nUqi+K3JtYn7myZTcSP6P2Mw==";
};
```
Problem: nsupdate reports update failed: SERVFAIL
The named log shows that creating the zone journal failed for lack of permission: /etc/bind/devops.com/devops.com.zone.jnl: create: permission denied
This is the same permission error that came up earlier when setting up master/slave replication. On Ubuntu 20.04 the bind9 package keeps /etc/bind read-only for the bind user that named runs as (the package's AppArmor profile likewise grants named write access under /var/lib/bind and /var/cache/bind but only read access to /etc/bind), and I had put the zone files under /etc/bind. named therefore can neither create the .jnl journal that a dynamic zone needs nor write a transferred slave zone there.
The fix is to keep the zone files somewhere named may write. I used /var/lib/bind/ (the subdirectory must be writable by the bind user) and changed the include lines in named.conf accordingly:
```
root@opstack21-83:/etc/bind# cat named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/bind/devops.com/devops.com.conf";
include "/var/lib/bind/host.com/host.com.conf";
```
bind9 configuration
Create the key with tsig-keygen
```
# man tsig-keygen lists the supported algorithms
man tsig-keygen
...
       -a algorithm
           Specifies the algorithm to use for the TSIG key. Available choices are: hmac-md5, hmac-sha1,
           hmac-sha224, hmac-sha256, hmac-sha384 and hmac-sha512. The default is hmac-sha256. Options are
           case-insensitive, and the "hmac-" prefix may be omitted.
...
# create the key
root@opstack21-83:/etc/bind# tsig-keygen -a hmac-sha512 devops > devops.key
root@opstack21-83:/etc/bind# cat devops.key
key "devops" {
    algorithm hmac-sha512;
    secret "N0AS/Of5dgDNa/QLVirQ8tDpckEFCix/FC/UECcWWUNUz5OjaS0JSKUapxCuA4nUqi+K3JtYn7myZTcSP6P2Mw==";
};
# the file holds the shared secret: whoever can read it can update and transfer the zone,
# so restrict it the way the package restricts rndc.key (chown root:bind, chmod 640)
```
Configure /etc/bind/named.conf
```
root@opstack21-83:/etc/bind# cat named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/bind/devops.com/devops.com.conf";
include "/var/lib/bind/host.com/host.com.conf";
```
Configure /etc/bind/named.conf.options
Master DNS
```
options {
    directory "/var/cache/bind";
    forwarders {
        221.228.255.1;
        221.6.4.66;
        114.114.114.114;
    };
    listen-on port 53 { 192.168.20.77; };
    // recursion is on by default and allow-recursion falls back to allow-query, so with
    // "any" every host that can reach this address may use it as a resolver; add
    // allow-recursion { localnets; }; (or your own prefixes) if that is not intended
    allow-query { any; };
    // zone transfers and dynamic updates only when the request carries a valid TSIG
    // signature made with key "devops"; allow-update here is the default for every zone
    allow-transfer { key devops; };
    allow-update { key devops; };
    // dnssec-enable/dnssec-validation concern DNSSEC signing and validation of records,
    // not TSIG; neither is needed for this setup, and dnssec-enable is deprecated
    // (later releases drop it)
    dnssec-enable yes;
    dnssec-validation no;
    // listen-on-v6 { any; };
};
key "devops" {
    // one of the algorithms tsig-keygen supports
    algorithm hmac-sha512;
    secret "N0AS/Of5dgDNa/QLVirQ8tDpckEFCix/FC/UECcWWUNUz5OjaS0JSKUapxCuA4nUqi+K3JtYn7myZTcSP6P2Mw==";
};
```
Slave DNS
```
options {
    directory "/var/cache/bind";
    forwarders {
        221.228.255.1;
        221.6.4.66;
        114.114.114.114;
    };
    listen-on port 53 { 192.168.20.40; };
    allow-query { any; };    // same open-resolver caveat as on the master
    dnssec-enable yes;
    dnssec-validation yes;
};
// the same key statement (same name, algorithm and secret) as on the master
key "devops" {
    algorithm hmac-sha512;
    secret "N0AS/Of5dgDNa/QLVirQ8tDpckEFCix/FC/UECcWWUNUz5OjaS0JSKUapxCuA4nUqi+K3JtYn7myZTcSP6P2Mw==";
};
# master DNS server address: every request to it (zone transfers included) is signed with key "devops",
# which is what the master's allow-transfer { key devops; } demands
server 192.168.20.77 {
    keys { devops; };
};
```
Zone configuration /var/lib/bind/devops.com/devops.com.conf
Master DNS
```
zone "devops.com" IN {
    type master;
    // named creates devops.com.zone.jnl next to this file for dynamic updates,
    // so the directory must be writable by the bind user
    file "/var/lib/bind/devops.com/devops.com.zone";
};
```
Slave DNS
```
zone "devops.com" IN {
    type slave;
    // the transferred zone is written here, again somewhere named may write
    file "/var/lib/bind/devops.com.zone";
    masters { 192.168.20.77; };
};
```
Zone file
Only the master needs this file. Once the zone accepts dynamic updates, named owns it: updates land in the .jnl journal and are merged back into the file periodically, so do not edit the file by hand without rndc freeze devops.com first (and rndc thaw devops.com afterwards).
```
$TTL 86400      ; 1 day
@       IN      SOA     devops.com. root.devops.com. (
                        0          ; serial
                        604800     ; refresh (1 week)
                        86400      ; retry (1 day)
                        2419200    ; expire (4 weeks)
                        86400      ; minimum (1 day)
                        )
@       IN      NS      ns1
@       IN      NS      ns2
ns1     IN      A       192.168.20.77
ns2     IN      A       192.168.20.40
```
Updating DNS with nsupdate
The commands below are typed at the nsupdate prompt (or saved to a file and passed to it). Start the client with the key file, nsupdate -k devops.key, so that the request is TSIG-signed; an unsigned request fails the master's allow-update { key devops; } ACL and is answered with REFUSED.
```
# point at the DNS server that should receive the update
server 192.168.20.77
# add an A record
update add nsupdate.devops.com 86400 A 172.18.21.55
# delete a record
update del nsupdate.devops.com
# list the available commands
help
# submit the batched update to the server
send
```
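What the key statement and nsupdate -k actually do on the wire is easy to lose behind the tooling, so here is an added example that is not code from this page, from BIND or from nsupdate: a standard-library-only reimplementation of TSIG (RFC 8945) over a hand-built UPDATE message. It covers both the tsig-keygen section above (the secret is nothing more than random bytes, base64-encoded, that signer and server share verbatim) and the nsupdate section (the client appends a TSIG RR; the master checks key, then MAC, then the time window before the allow-update ACL is satisfied). The key text is the one printed on this page; the message ID, the A record and the timestamps are constructed, and the name parser deliberately ignores compression pointers because nothing here emits them.

```python
"""TSIG-signed DNS UPDATE (RFC 8945), built and verified with the standard library only.
Added example, not code from the page or from BIND. The key text is the one printed on
the page; the message ID, the A record and the timestamps are constructed."""
import base64
import hashlib
import hmac
import re
import struct
import time

# Key file as `tsig-keygen -a hmac-sha512 devops` wrote it on the page. A secret published
# like this is burned: generate a fresh one for any real server.
KEY_FILE_TEXT = '''key "devops" {
    algorithm hmac-sha512;
    secret "N0AS/Of5dgDNa/QLVirQ8tDpckEFCix/FC/UECcWWUNUz5OjaS0JSKUapxCuA4nUqi+K3JtYn7myZTcSP6P2Mw==";
};'''
ALGS = {"hmac-sha256": hashlib.sha256, "hmac-sha384": hashlib.sha384, "hmac-sha512": hashlib.sha512}
TSIG_TYPE, CLASS_ANY, OPCODE_UPDATE = 250, 255, 5      # no hmac-md5 in ALGS: obsolete for TSIG


def parse_key_file(text):
    """(key name, algorithm, raw secret) from the `key` statement tsig-keygen prints."""
    m = re.search(r'key\s+"([^"]+)"\s*\{\s*algorithm\s+([\w-]+)\s*;\s*secret\s+"([^"]+)"', text)
    name, alg, secret_b64 = m.groups()
    return name, alg.lower(), base64.b64decode(secret_b64)

def encode_name(name):
    """Uncompressed wire-format name, lowercased (TSIG hashes key/algorithm names canonically)."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def read_name(buf, i):
    """Name at offset i -> (name without trailing dot, next offset). No compression pointers:
    nothing in this example emits them."""
    labels = []
    while buf[i]:
        labels.append(buf[i + 1:i + 1 + buf[i]].decode("ascii"))
        i += 1 + buf[i]
    return ".".join(labels), i + 1

def build_update(zone, owner, ttl, ipv4, msg_id):
    """The UPDATE that `update add <owner> <ttl> A <ipv4>` + `send` produces (opcode 5)."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 1, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", 6, 1)                        # SOA, IN
    rdata = bytes(int(o) for o in ipv4.split("."))
    record = encode_name(owner) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata  # A, IN
    return header + zone_section + record

def tsig_variables(key_name, alg, time_signed, fudge, error=0, other_len=0, other=b""):
    """Fields hashed after the message (RFC 8945 4.3.3): key name, ANY, TTL 0, alg, time, ..."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(alg)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, other_len) + other)

def sign(msg, key_name, alg, secret, now, fudge=300):
    """Client side (what nsupdate -k does): append the TSIG RR. fudge is the replay window."""
    mac = hmac.new(secret, msg + tsig_variables(key_name, alg, now, fudge), ALGS[alg]).digest()
    orig_id, arcount = struct.unpack("!H", msg[:2])[0], struct.unpack("!H", msg[10:12])[0]
    rdata = (encode_name(alg) + now.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + struct.pack("!HHH", orig_id, 0, 0))
    tsig_rr = encode_name(key_name) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    return msg[:10] + struct.pack("!H", arcount + 1) + msg[12:] + tsig_rr

def verify(signed, key_name, secret, now):
    """Server side, in the order RFC 8945 prescribes: key, then MAC, then time window."""
    counts = struct.unpack("!HHHH", signed[4:12])
    if counts[3] == 0:                          # no additional section: unsigned, so the
        return "REFUSED"                        # allow-update { key devops; } ACL rejects it
    i = 12
    for _ in range(counts[0]):                  # zone section: name, type, class
        i = read_name(signed, i)[1] + 4
    for _ in range(sum(counts[1:]) - 1):        # every RR before the last one (the TSIG RR)
        i = read_name(signed, i)[1] + 8
        i += 2 + struct.unpack("!H", signed[i:i + 2])[0]
    tsig_start = i
    name, i = read_name(signed, i)
    rtype, rclass = struct.unpack("!HH", signed[i:i + 4])
    alg, i = read_name(signed, i + 10)          # past type, class, TTL, RDLENGTH
    time_signed = int.from_bytes(signed[i:i + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[i + 6:i + 10])
    mac, i = signed[i + 10:i + 10 + mac_size], i + 10 + mac_size
    orig_id, error, other_len = struct.unpack("!HHH", signed[i:i + 6])
    other = signed[i + 6:i + 6 + other_len]
    if (rtype, rclass) != (TSIG_TYPE, CLASS_ANY) or name.lower() != key_name.lower() \
            or alg.lower() not in ALGS:
        return "BADKEY"
    # Rebuild what the signer hashed: original ID, ADCOUNT one less, TSIG RR cut off.
    body = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", counts[3] - 1) + signed[12:tsig_start]
    variables = tsig_variables(name, alg, time_signed, fudge, error, other_len, other)
    if not hmac.compare_digest(mac, hmac.new(secret, body + variables, ALGS[alg.lower()]).digest()):
        return "BADSIG"
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    return "NOERROR"

if __name__ == "__main__":
    key_name, alg, secret = parse_key_file(KEY_FILE_TEXT)
    now = int(time.time())
    signed = sign(build_update("devops.com", "nsupdate.devops.com", 86400, "172.18.21.55", 0x1234),
                  key_name, alg, secret, now)
    print("signed:", verify(signed, key_name, secret, now), "| wrong secret:",
          verify(signed, key_name, b"\x00" * 64, now), "| replayed +1h:",
          verify(signed, key_name, secret, now + 3600))
```

Three things the page's configuration relies on fall out of the code: the same key name, algorithm and secret must appear on the master, on the slave (for its signed AXFR requests) and in the client's devops.key, because the MAC is recomputed from exactly those values; the MAC covers the whole update and the original message ID, so a record rewritten in transit fails with BADSIG; and the 48-bit time plus the fudge window (300 seconds for nsupdate and BIND) means the clocks of master, slave and update clients must be in sync or every request fails with BADTIME.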