
Wednesday, August 8, 2012

Enabling and Configuring BIND DNSSEC (DNSSEC Implementation Using Bind)

DNSSEC (Domain Name System Security Extensions) extends standard DNS so that DNS data can be verified as unaltered and as coming from the correct authoritative source. Version 9 of BIND, the most widely deployed DNS server in the world, supports this important security standard: BIND 9.3 added support for the newer DNSSEC-bis (DS records), and BIND 9.6 added NSEC3 records. This article uses BIND 9.8 to explain how to use and configure BIND's DNSSEC features. If you are not familiar with what DNSSEC does, how it works and its terminology, please first read the author's introductory article, 簡介 DNSSEC (Introduction to DNS Security Extensions).

Preparing for DNSSEC

Before DNSSEC can be enabled successfully, check and confirm the following:

  • Use DNSSEC-aware clients (resolvers)
  • Make sure network devices do not filter EDNS0 and DNSSEC-related traffic
  • Make sure the system clock is correct
  • Make sure both the primary and secondary servers support DNSSEC and have it enabled

DNSSEC in Practice: Key Concepts

Before implementing BIND DNSSEC, the important practical concepts of DNSSEC are listed here to support the implementation steps that follow.

  • DNS zones must be signed: every DNS record is covered by a digital signature.
  • Clients must verify the signatures to ensure that the data received is correct, has not been tampered with, and comes from an authorized source.
  • DNSSEC uses public-key (asymmetric) cryptography, but it is not a PKI (no certificates are used).
    • The private key is used to sign DNS data.
    • The public key is published through DNS so that validators can obtain it and use it to verify the signatures.
    • Each zone needs two key pairs: a Zone Signing Key (ZSK) and a Key Signing Key (KSK).
  • DNSSEC does not protect dynamic update data or zone transfer data.
  • DNSSEC requires a chain of trust. The top of the chain is called a trust anchor: the signed root zone (.) is a trust anchor, the top-level domains (TLDs) beneath it are signed in turn, and so on down the tree.
    • BIND uses the "trusted-keys" statement to add trust anchors.

BIND DNSSEC Deployment in Practice

The steps to deploy BIND DNSSEC are:

  1. Generate the required key pairs
    -- dnssec-keygen
  2. Sign the zone records
    -- dnssec-signzone
  3. Enable DNSSEC
    -- edit the named.conf file
  4. Reload the DNS zone
  5. Register the DS record with the parent zone
  6. Test

I. Generating the DNSSEC keys (ZSK and KSK) with dnssec-keygen

First, use the dnssec-keygen tool to generate the Zone Signing Key (ZSK) pair. The example below generates a 1024-bit DNSSEC zone key (ZSK) for the lij.com zone, using RSA asymmetric encryption with the SHA1 hash algorithm:
# dnssec-keygen -a RSASHA1 -b 1024 -n ZONE lij.com

-f : key type (e.g. -f KSK marks the key as a Key Signing Key)
-a : algorithm
-b : key size in bits
-n : owner type of the key (ZONE for zone keys)
-r : randomness source. If dnssec-keygen runs very slowly or appears to hang, the cause is usually a shortage of random data; the fix is to specify another random device before -a: -r /dev/urandom

After dnssec-keygen completes successfully it produces two paired key files, named K<ZoneName>+<Algorithm>+<KeyID>.key and K<ZoneName>+<Algorithm>+<KeyID>.private. The file with the .key extension is the public key used to verify signatures; the file with the .private extension is the private key used to generate signatures. The public key must be placed in the zone file as a DNSKEY record, and the private key must be stored carefully so that nobody else can obtain it.

The example below shows how to generate the ZSK and KSK key pairs used to sign the lij.com zone, using RSA asymmetric encryption with SHA1 hashing as the signature algorithm (-a) and producing a 2048-bit KSK and a 1024-bit ZSK (-b).

# dnssec-keygen -r /dev/urandom -a RSASHA1 -b 1024 -n ZONE lij.com
Generating key pair............++++++ ...........................++++++
Klij.com.+005+39075
# dnssec-keygen -r /dev/urandom -a RSASHA1 -b 2048 -n ZONE -f KSK lij.com
Generating key pair.................+++ ................................+++
Klij.com.+005+21496
# ls -l K*
-rw-r--r-- 1 root root 597 2012-08-05 21:13 Klij.com.+005+21496.key
-rw------- 1 root root 1774 2012-08-05 21:13 Klij.com.+005+21496.private
-rw-r--r-- 1 root root 423 2012-08-05 21:12 Klij.com.+005+39075.key
-rw------- 1 root root 1010 2012-08-05 21:12 Klij.com.+005+39075.private

The following shows the contents of the KSK public key file and private key file:

# cat Klij.com.+005+05848.key
; This is a key-signing key, keyid 5848, for lij.com.
; Created: 20120806150808 (Mon Aug 6 23:08:08 2012)
; Publish: 20120806150808 (Mon Aug 6 23:08:08 2012)
; Activate: 20120806150808 (Mon Aug 6 23:08:08 2012)
lij.com. IN DNSKEY 257 3 5 AwEAAc2j3FiwWHt0AbX0ncKo7YYEh/IJHCG3mESvl1UAjOub2haYId1u
bviNh46TPk9ywvTUy370u7hyOwn9B1bT64OAl2s1XE1t2V5hGiH+eKvp
YeJnV7f+G6xhqxd4XNDetZqd3lX8MfqwLQElBTXz1uj1NU0pTpB1Y4dS
/lfUcdhktxMPf9C48DfS/SQayEoUQfV/KhSm2UU4DDDqvpXLTyd/HlFw
V4lYe90EYms+mbiHgBVeT0qxSqZaxfJXWgc7jnKGBdwsLeZt+IIvA3Kr
tGr96/IbVRLoTott0YfM2lThxGFvb77gw3KYSJMmKRqtrkDeu4mMQ6a+ f4sy6q9cO88=
# cat Klij.com.+005+05848.private
Private-key-format: v1.3
Algorithm: 5 (RSASHA1)
PublicExponent: AQAB
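As an added example (not part of the original article), a small Python parser for the DNSKEY record in the .key file above: it decodes the RFC 3110 RSA public key, reads the flags field (257 = SEP bit set = KSK, 256 = ZSK) and computes the RFC 4034 key tag, the number that appears as <KeyID> in the file name and as "keyid" in the file's comment line. The record embedded in the script is the KSK public key printed above with its base64 lines joined; the constant and helper names are my own.

```python
import base64
import struct

# The KSK public key record from the page's Klij.com.+005+05848.key listing,
# with its base64 lines joined (assumed to be transcribed exactly as printed).
PAGE_KSK = (
    "lij.com. IN DNSKEY 257 3 5 "
    "AwEAAc2j3FiwWHt0AbX0ncKo7YYEh/IJHCG3mESvl1UAjOub2haYId1u"
    "bviNh46TPk9ywvTUy370u7hyOwn9B1bT64OAl2s1XE1t2V5hGiH+eKvp"
    "YeJnV7f+G6xhqxd4XNDetZqd3lX8MfqwLQElBTXz1uj1NU0pTpB1Y4dS"
    "/lfUcdhktxMPf9C48DfS/SQayEoUQfV/KhSm2UU4DDDqvpXLTyd/HlFw"
    "V4lYe90EYms+mbiHgBVeT0qxSqZaxfJXWgc7jnKGBdwsLeZt+IIvA3Kr"
    "tGr96/IbVRLoTott0YfM2lThxGFvb77gw3KYSJMmKRqtrkDeu4mMQ6a+"
    "f4sy6q9cO88="
)

ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 13: "ECDSAP256SHA256"}

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit sum over the DNSKEY RDATA, high byte first."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def rsa_modulus_bits(pubkey: bytes) -> int:
    """RFC 3110 layout: exponent length (1 byte, or 0 + 2 bytes), exponent, modulus."""
    exp_len, offset = pubkey[0], 1
    if exp_len == 0:  # long form for exponents longer than 255 bytes
        exp_len, offset = struct.unpack("!H", pubkey[1:3])[0], 3
    modulus = pubkey[offset + exp_len:]
    return int.from_bytes(modulus, "big").bit_length()

def parse_dnskey(record: str) -> dict:
    """Parse a presentation-format DNSKEY record: owner [ttl] [IN] DNSKEY flags proto alg key."""
    fields = record.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey  # wire-format RDATA
    return {
        "owner": fields[0],
        "flags": flags,
        "zone_key": bool(flags & 0x0100),  # bit 7: this key is a zone key
        "sep": bool(flags & 0x0001),       # bit 15: Secure Entry Point, i.e. KSK (257 vs 256)
        "algorithm": ALGORITHMS.get(alg, str(alg)),
        "bits": rsa_modulus_bits(pubkey) if alg in (5, 7, 8, 10) else None,
        "key_tag": key_tag(rdata),
    }

if __name__ == "__main__":
    info = parse_dnskey(PAGE_KSK)
    print(info["owner"], "KSK" if info["sep"] else "ZSK", info["algorithm"], info["bits"], "bits, key tag", info["key_tag"])
```

Compare the printed key tag with the key id in the file name and the "; key id =" comments in the signed zone: a mismatch means the DNSKEY text was altered in transit or mistyped.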

II. Signing the zone records with dnssec-signzone

Next, use the dnssec-signzone tool to create digital signatures for all the records in the zone. The basic syntax of dnssec-signzone is:

dnssec-signzone [options] zonefile [keys]

Important options:
-S : smart signing; finds the zone's key files automatically and decides how to use them
-z : ignore the KSK (SEP) bit on the keys and sign the entire zone
-e : signature expiration date (format YYYYMMDDHHMMSS); the default is 30 days
The last argument is the zone file

So that the tool can find the zone file and the key files and sign successfully, name the zone file after the zone name. If the zone file name is not the zone name, create a symbolic link to avoid a "not at top of zone" error. For example, the original zone file here is lij.com.hosts (not the zone name), so before signing the zone, run:

ln -s lij.com.hosts lij.com

Below is the dnssec-signzone run. dnssec-signzone generates the NSEC and RRSIG records and writes a signed version of the zone file, whose name is the original zone file name with .signed appended.

# dnssec-signzone -S -z lij.com
Fetching ZSK 51147/RSASHA1 from key repository.
Fetching KSK/ZSK 52549/RSASHA1 from key repository.
Verifying the zone using the following algorithms: RSASHA1.
Zone signing complete:
Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                                  ZSKs: 1 active, 0 stand-by, 0 revoked
lij.com.signed

Below is the content of the signed zone file (lij.com.hosts.signed). The records in the zone file are sorted alphabetically, and every record now has a signing RRSIG record plus an NSEC record pointing to the next name, itself signed as well. The whole zone file is therefore considerably larger, which will noticeably affect query response efficiency later on.

; File written on Sun Aug 5 22:16:51 2012
; dnssec_signzone version 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6
lij.com.   38400 IN SOA linxsrv.lij.com. david.mail1.lij.com. (
                                     1339957425 ; serial
                                     10800 ; refresh (3 hours)
                                     3600 ; retry (1 hour)
                                     604800 ; expire (1 week)
                                     38400 ; minimum (10 hours 40 minutes)
                                       )
             38400 RRSIG SOA 5 2 38400 20120904131651 (
                                     20120805131651 39075 lij.com.
                                     H9Kz8mpCmshNrdkUp/r3TmWScpYwV1m7QuGb
                                      fTBBR1pvotBbjSWBETcP3QJfvf9Kut9/mxGd
                                     4lBp6vuvivpT6HcmQYfrXNEFypAGfUYXiLST
                                     eHJOthaMnZ1Aq4FLK0XvNcH4+9l2TUYSPZVN
                                     qVZjIHB+PoQPxwXr9YpTwc52vb0= )
             38400 NS linxsrv.lij.com.
             38400 RRSIG  NS 5 2 38400 20120904131651 (
                                      20120805131651 39075 lij.com.
                                      qbQOtRLMf17eEfZdOoQLObPeVu4SiGbh66yA
                                      7YetQwMF+F8eHqjYR23gKXDJplUU9u0udA5s
                                      4fuPlTDKL0g6tqNcYlkxWAXjSFmh0cVDgpoo
                                      5vj0gjhb1KR5+L0U/1/g1dYevAlvr9mqfDOF
                                       fYp+2+qkjTt4MNZ37sSG0pc9ZUU= )
             38400 MX 10 mail1.lij.com.
             38400 RRSIG MX 5 2 38400 20120904131651 (
                                        20120805131651 39075 lij.com.
                                        kKPR5m+gtyAuNRHpLOWNegoUZOtz+DISXolP
                                        Z4/tKUliha65CmhnA9LzBWTvyQRvlsaDmsVZ
                                        71/alUtPY8Eodke1+O9fwM03Ojnj/r24Umiq
                                        VwM0OFzG2jQWTQ+IZ0y1HSZxE+4H5wQJ63+F
                                        phDkTdg/XuwVJkirrTVfwrGxpN8= )
             38400 NSEC ftp.lij.com. NS SOA MX RRSIG NSEC DNSKEY
             38400 RRSIG NSEC 5 2 38400 20120904131651 (
                                        20120805131651 39075 lij.com.
                                         vgTIS+bBSUNDM5XE0OQ1E9Taf2oimKX33JfV
                                         OQHC879SIMI9Gwdf7MtoAWQsj4qY37GB8j7+
                                         BOzRR+bsCSG7espmLd/+eVIUoo91yaO/hB23
                                         jOzUYN2jGHUFIuJrv3T+r9D6ZX3lsgqF0bFP
                                         PiR0P0rt2iC7t/NAD0KfnHWkpOI= )
              38400 DNSKEY 257 3 5 (
                                          AwEAAfNMzmKxwiKzKT+9qUTTMC0U0QhMPMPM
                                          yvN/Bakxc3qtzQZHOfIjrlKn8AICVeH2HY67
                                          nAW1WNSvda3nomcmaHfxAbOmiFNALnwUi6ib
                                          Vj4qPaoQi0EbnCHdKKJdvtOgz2JKiBtCrRn6
                                          8lueRFt54tXplRB9tF+tTdxoqeLhT+HDSKfT
                                           QTyz8iBGvDOm28pIQ1HlRM+L3soo8leQ5tEv
                                           PdkHXXtjDmt5vj18zOZMzXk9VuGWSi9g325c
                                            9hkPnO8sCNp2zXrfRFJ0XzsZzybCs3GM2T7j
                                           0DqKmdszjkTFuCx1rU5lGukwjwO9do4OIPk4
                                          PFLUj1ec26DmVcpux24rPsU=
                                            ) ; key id = 21496
               38400 DNSKEY 256 3 5 (
                                         AwEAAcA1g3m4H9RqbE5x4jK5Uqw4R5/nU5rC
                                          eJhU7MXccO8zohfL21tr9PnBret9IPL0fkj4
                                          /K32Ax+1610/yu2fKB39OVGIUkfCzVv7pm1G
                                         WCYWJsf4T5A1B720iYq9WOlwA9Y05roGGkC3
                                         bEq2y4EQt3jBdVFxeumu5kuLG0F8CPC3
                                          ) ; key id = 39075
              38400 RRSIG DNSKEY 5 2 38400 20120904131651 (
                                        20120805131651 39075 lij.com.
                                        WXnpIfaewBkUpos905zICMksRq0F7lTO9jYT
                                        tauCrZvb1Sho2BnbuHaIiu5bQEaIiW3qyXBa
                                        pwW3H7OTk1ZtVJ7U8N4RehMKS4+Q02LdAqlV
                                        GGWEKkMMWxC3O077oifHA1MBMIoXpfcnf0z3
                                        K/aG2GcWBpuYJgwbYBhysISQPnw= )
               38400 RRSIG DNSKEY 5 2 38400 20120904131651 (
                                        20120805131651 21496 lij.com.
                                        sIkSmxuwbzOsu1UZ13dSQqUDNPW5MkvtNwEU
                                        TzHnuHz47XcPxZf37Rh/5lbgPrHttAbt+JsR
                                        C2IwuAPeRqu1DbdCKs099opIiS1VE3fubDYQ
                                         sAGkR1fpJIhee+2boM7yn2tdbW2T/S/xwvgL
                                         kUh0YM/VC86x1sZAxaOSJusEBaCQC6UmTOwk
                                        mkr/78fM1j7anrcpktIH4qsSJuujyc0swdkz
                                        4EnXOgue7l6YQfOUeGScLC94oHXNft+dMCkm
                                        7Ahf87ZgqQxbOqC3g14tp2yiLSNLqaDbqtTc
                                        p9WODpxovrp60nc6lfl4L5grrB5FV5DAz5iQ
                                        dv75KMz3/XmiBM+QaQ== )
ftp.lij.com. 38400 IN CNAME www.lij.com.
                  38400 RRSIG CNAME 5 3 38400 20120904131651 (
                                        20120805131651 39075 lij.com.
                                        sbB4aO+wDqod92DRB5ij+SSRYp+N+XayGYRu
                                        FvBCOLgOqDiI7Ydzj0rszlP/kd/KdLWaHb2C
                                        kIS3MsaW4uZLP3FBGkYVk3xz73OihheMcwVM
                                        Gpa726JUcFaS9PmOhXH2vCrYXMiRnXJFB+Oi
                                        ixg1jHVulnUocQvAaN7fg8WNmGc= )
                  38400 NSEC linxsrv.lij.com. CNAME RRSIG NSEC
                  38400 RRSIG NSEC 5 3 38400 20120904131651 (
                                        20120805131651 39075 lij.com.
                                        MmhUN/+8FhKit3FIilaD4ib8gqgIUIUG7V2z
                                        4HyzFFUKQuKvc1fuVQUtyA1SPh7mIZX3mLMd
                                       +kkK057Wog3IIq6HFkmUOPWp/37yIyWyKbZf
                                        q8lXcbFdwo5Znub10wCGsA+ZwpGUC8qYkIVu
                                        Rd40JjzqkamWx2R0WbG593KmLdo= )
linxsrv.lij.com. 38400 IN A 192.168.2.74
                  38400 RRSIG A 5 3 38400 20120904131651 (
                                         20120805131651 39075 lij.com.
                                         O4z7zSI09FzRWcE8kLcFo2QmgfhuN+YFEhZn
                                         3F+gaTzXIHWQYFcEzO4zmSjSem3u8cg38qCF
                                        4UH51Dfhi2dsPbfSuRQj0WoSIvHjWePZpG7t
                                        kZKUjCp92HF8oSoZpePOVJPXZnzIccwhuVEp
                                        KcORjKE07HkkMaEOin2JU7CxHGc= )
                   38400 NSEC mail1.lij.com. A RRSIG NSEC
                   38400 RRSIG NSEC 5 3 38400 20120904131651 (
                                        20120805131651 39075 lij.com.
                                        WrbzpOagRVW1zvnaFLU5omS52n6m3wGO2Bf7
                                         vySIaYk0MUHfYD0nOGt7Zb6R3TAHioirmgmR
                                         EV1lAzd+83D+2lq7ceKWM4OxX1gq9bQSPKJ3
                                         HWlQYnRhBfzt9e8QwyxpTz8L+Qi7PQ/lLJjr
                                          pF0+awsA09f+xao2OkUiwIffLPI= )
mail1.lij.com. 38400 IN A 192.168.2.222
                       38400 RRSIG A 5 3 38400 20120904131651 (
                                           20120805131651 39075 lij.com.
                                           TnSAA04c8PYk6kANU9EhHwzm3IwL8olaWGOl
                                            j3VNc1E4GNQBJMSHskg4ZFSnLBNKiS6k2C8q
                                            1wZ2OzXP1ii7BiUtep3e61SYsy1OTDX1oLAt
                                            O5ADTx45Mby0U+xynSVIDdc+uXJkX18tYQvk
                                            Ny2ki15zJsMAYlvOuU11WDZDIIU= )
                        38400 NSEC www.lij.com. A RRSIG NSEC
                        38400 RRSIG NSEC 5 3 38400 20120904131651 (
                                            20120805131651 39075 lij.com.
                                            fCmQfArhURg0xfKOjtGFazrJH93Ci/jn/83z
                                            8ff3nnX79tXRSDildRGQ++9yVEBkprlVuVdS
                                            J7sdqABaUhh42JoHzZRoygJBy5WGbYY0RHQP
                                            kCL28UG09qSLiWuxcQgDjyBRY2WcUqihBr78
                                            f4/gmsmpwec6UZX0h0r7SJvYM+0= )
www.lij.com. 38400 IN A 192.168.2.111
                         38400 RRSIG A 5 3 38400 20120904131651 (
                                            20120805131651 39075 lij.com.
                                             h0J15jYupS04cqBWHEYaqc1DeuKlayIvpKS5
                                             FALLIZ7bHRTcKBIBQfLdsQ8v43PmQoAOZtj4
                                             Sw+/7pUm9e0Vf+Ptgyl1xpmOloV6mP+T4xX6
                                             tKdTbFOGN2Et6JZ10DuA2jYaLDcLeHdmzMJk
                                             7HpmzeWue8f4LNwGO/WFclWwtvw= )
                          38400 NSEC lij.com. A RRSIG NSEC
                          38400 RRSIG NSEC 5 3 38400 20120904131651 (
                                             20120805131651 39075 lij.com.
                                              hs+ofBWEmoL0bUKOJGYjhuIlTdnk3Z4r9bpo
                                              PBUfjA30wOvVJVXnx0PB/RZiDKma6xMDBQRY
                                              eIG9eV1tRYH0PgAqV+zY8VjuBLQ4CaPMOjmu
                                              1V6+/DoW82l67xTutqy0KqQYLNBbw0hewJkS
                                              xnETCm/YV3NRTcx94NN3D5FGe30= )
 

III. Enabling BIND DNSSEC signing

The next step is to edit BIND's main configuration file, named.conf, to enable DNSSEC signing.

options {
dnssec-enable yes;
dnssec-validation yes;
};
zone "lij.com" {
type master;
file "/var/named/lij.com.signed";
};

IV. Restarting the service or reloading the zone

Finally, for DNSSEC to take effect, restart named with:

# service named restart

Or simply reload the configuration:

# rndc reconfig

# rndc flush

Your BIND DNS server now serves the signed zone.

V. Registering the DNSKEY as a DS record

Finally, you need to register your DNSKEY with the parent zone as a DS record so that the chain of trust can be completed during validation. According to the global DNSSEC deployment report, as of August 2012 there are 313 top-level domains (TLDs) in total: 281 country-code TLDs (ccTLD), 22 generic TLDs (gTLD) and 10 test TLDs. 89 TLDs have already deployed DNSSEC, including the 12 most important gTLDs such as .com, .net, .org and .tw.

Even though many TLDs have deployed DNSSEC, the services for applying for, registering and updating DS links are neither widespread nor convenient. To address this, ISC created the DLV (Domain Lookaside Validation) RR and a registration mechanism: during validation, if a zone's DS record cannot be found at the parent, the validator queries the DLV registry zone for a DLV record and, if the query succeeds, uses the DLV RR as the zone's DS. For example, when validating the lij.com zone, if for some reason a DS record could not be registered with .com, validation cannot proceed; but if the lij.com zone administrator has registered the DNSKEY with dlv.isc.org (free and simple), the validator is automatically redirected to query lij.com.dlv.isc.org. for the DLV RR and uses it as the DS for lij.com, successfully completing the chain of trust.

To register with dlv.isc.org, go to: http://www.isc.org/ops/dlv/

Then add the DLV key as a trusted key in named.conf. Note that the syntax differs slightly between older and newer BIND versions (the change comes around 9.7).

// BIND 9.7 and earlier
options {
...
dnssec-enable yes; # only on BIND 9.3
dnssec-validation yes; # BIND 9.4 or greater
dnssec-lookaside . trust-anchor dlv.isc.org.;
};
trusted-keys {
...
dlv.isc.org. 257 3 5
"BEAAAAPp1USu3BecNerrrd78zxJIslqFaJ9csRkxd9LCMzvk9Z0wFzoF
kWAHMmMhWFpSLjPLX8UL6zDg85XE55hzqJKoKJndRqtncUwHkjh6zERN
uymtKZSCZvkg5mG6Q9YORkcfkQD2GIRxGwx9BW7y3ZhyEf7ht/jEh01N
ibG/uAhj4qkzBM6mgAhSGuaKdDdo40vMrwdv0CHJ74JYnYqU+vsTxEIw
c/u+5VdA0+ZOA1+X3yk1qscxHC24ewPoiASE7XlzFqIyuKDlOcFySchT
Ho/UhNyDra2uAYUH1onUa7ybtdtQclmYVavMplcay4aofVtjU9NqhCtv
f/dbAtaWguDB";
};

// BIND 9.8 and later
options {
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
};

VI. Testing

To test whether BIND DNSSEC is working, use the dig tool. There are two main tests:

Test DNSSEC record queries
(dig +dnssec ...)
# dig @localhost +dnssec dlv.isc.org soa (check whether the ad flag is set, which means validation succeeded; remember that this requires you to have already registered the DS record with the parent or with DLV. Even if it is not registered and the ad flag that signals validation is absent, the related RRSIG records are still shown)
------------------------------------------------------------------------------
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63475
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
------------------------------------------------------------------------------
# dig +dnssec +multi lij.com dnskey (view the keys of lij.com)
# dig +norec @a.gtld-servers.net lij.com ds (check whether the parent has a DS record; if there is no DS record you need to register with DLV, otherwise validation is impossible)
-----------------------------------------------------------------------------------------
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20558
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
-----------------------------------------------------------------------------------------
Test whether chain-of-trust validation succeeds
(dig +sigchase ....)
dig @localhost +sigchase www.lij.com a (check whether the last line shows SUCCESS)
-----------------------------------------------------------------------
;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS
-----------------------------------------------------------------------
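As an added example (not part of the original article), a Python helper that reads the dig header lines from the three tests above and turns them into a verdict: the ad flag means the resolver validated the answer; a validating resolver answers SERVFAIL when validation fails; and a NOERROR answer with ANSWER: 0 from the parent's server means no DS record is published for the zone. The sample outputs are constructed from the headers shown above (the SERVFAIL case is added); the function names are my own.

```python
import re

# Constructed dig headers modelled on the page's test output (values illustrative).
VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63475
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
PARENT_NO_DS = """\
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20558
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
"""
# Not on the page: what a validating resolver returns when validation fails.
BROKEN_CHAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""

HEADER_RE = re.compile(r";; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r";; flags:([^;]*);\s*QUERY: (\d+), ANSWER: (\d+), "
                      r"AUTHORITY: (\d+), ADDITIONAL: (\d+)")

def parse_dig_header(output: str) -> dict:
    """Pull status, the flag set and the section counts out of dig's header block."""
    head, flags = HEADER_RE.search(output), FLAGS_RE.search(output)
    if not head or not flags:
        raise ValueError("dig header not found")
    return {"status": head.group(2), "id": int(head.group(3)),
            "flags": set(flags.group(1).split()),
            "answer": int(flags.group(3)), "authority": int(flags.group(4))}

def dnssec_verdict(output: str) -> str:
    """Interpret 'dig +dnssec' output the way the page's first test does."""
    hdr = parse_dig_header(output)
    if "ad" in hdr["flags"]:
        return "SECURE"    # the resolver validated the whole chain of trust
    if hdr["status"] == "SERVFAIL":
        return "BOGUS"     # validation was attempted and failed (bad signature or broken chain)
    return "INSECURE"      # answered, but no DS or trust anchor covers this zone

def parent_has_ds(output: str) -> bool:
    """For 'dig +norec @parent zone ds': NOERROR with ANSWER: 0 means no DS is published."""
    hdr = parse_dig_header(output)
    return hdr["status"] == "NOERROR" and hdr["answer"] > 0

def sigchase_ok(output: str) -> bool:
    """'dig +sigchase' reports the overall result on its last line."""
    return output.rstrip().splitlines()[-1].endswith("SUCCESS")
```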

VII. Basic maintenance

After DNSSEC is deployed, it still needs regular maintenance.

  • To keep the zone data from going stale, you must re-sign the zone with dnssec-signzone whenever you modify the zone data, and in any case every thirty days (minus the TTL).
  • To avoid a key being used so long that it can be broken, the KSK and ZSK must be rolled over periodically. The usual recommendation is to roll the KSK once a year and the ZSK every three months; when the KSK is rolled, the DS record at the parent must be updated.
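As an added helper (not part of the original article), a Python script that applies the re-signing rule above to RRSIG records: it reads each signature's expiration from the signed zone and flags the record once the current time has passed expiration minus the TTL. The sample records are constructed from the RRSIG lines in the signed-zone listing in section II, flattened to one line each with the signature data replaced by a placeholder; the function names are my own.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: RRSIG lines from the page's lij.com signed zone, flattened to
# one record per line; signature bodies are replaced by the placeholder SIGDATA==.
SIGNED_ZONE = """\
lij.com. 38400 IN SOA linxsrv.lij.com. david.mail1.lij.com. 1339957425 10800 3600 604800 38400
lij.com. 38400 IN RRSIG SOA 5 2 38400 20120904131651 20120805131651 39075 lij.com. SIGDATA==
lij.com. 38400 IN RRSIG DNSKEY 5 2 38400 20120904131651 20120805131651 21496 lij.com. SIGDATA==
www.lij.com. 38400 IN RRSIG A 5 3 38400 20120904131651 20120805131651 39075 lij.com. SIGDATA==
"""

def parse_time(stamp: str) -> datetime:
    """RRSIG times are YYYYMMDDHHMMSS in UTC (the same format dnssec-signzone -e takes)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(zone_text: str) -> list:
    """Extract RRSIG records; the field order follows RFC 4034 presentation format."""
    sigs = []
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 13 or f[3] != "RRSIG":
            continue
        sigs.append({
            "owner": f[0], "type_covered": f[4], "algorithm": int(f[5]),
            "labels": int(f[6]), "orig_ttl": int(f[7]),
            "expiration": parse_time(f[8]), "inception": parse_time(f[9]),
            "key_tag": int(f[10]), "signer": f[11],
        })
    return sigs

def resign_report(zone_text: str, now: datetime) -> list:
    """Classify each RRSIG relative to `now`.

    Resolvers may cache a record for up to its TTL, so a signature must be replaced
    no later than expiration minus TTL; that is the page's '30 days minus TTL' rule.
    Returns (owner, type, key_tag, days_until_expiry, action) tuples."""
    report = []
    for sig in parse_rrsigs(zone_text):
        deadline = sig["expiration"] - timedelta(seconds=sig["orig_ttl"])
        if now >= sig["expiration"]:
            action = "EXPIRED"        # validators already treat the RRset as bogus
        elif now >= deadline:
            action = "RESIGN_NOW"     # cached copies could outlive the signature
        elif now < sig["inception"]:
            action = "NOT_YET_VALID"  # clock skew: the signature lies in the future
        else:
            action = "OK"
        days_left = round((sig["expiration"] - now).total_seconds() / 86400, 2)
        report.append((sig["owner"], sig["type_covered"], sig["key_tag"], days_left, action))
    return report

if __name__ == "__main__":
    for row in resign_report(SIGNED_ZONE, datetime.now(timezone.utc)):
        print(*row)
```

The key_tag column also shows which key produced each signature: on this page only the DNSKEY RRset carries a signature by the KSK (21496), everything else is signed by the ZSK (39075).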

Conclusion

Since BIND 9.3 began to support DNSSEC properly, every subsequent release has changed something about DNSSEC support and configuration, and the DNSSEC RFCs themselves are still being revised. Using digital signatures to guarantee the origin and integrity of data is hardly unusual in information security, but most such schemes use a PKI in which a trusted third party, a CA, establishes the source of trust; the S/MIME e-mail security protocol is one example. DNSSEC, however, is not a PKI: its trust is not rooted in certificates but in a chain of trust formed by DS records registered with the parent zone, which is inconvenient and hard to promote widely, and on top of that the KSK must be rotated periodically, requiring the DS record to be re-registered each time. Once DNSSEC is in place the zone also grows several times in size, and queries become slower and more resource-intensive. Introducing DNSSEC therefore solves the problem of DNS data being easily forged and tampered with, but DNS security problems do not end there, and DNSSEC instead brings DNS serious efficiency problems and extra administrative overhead. Weighing security against efficiency and manageability, the author doubts whether it is currently worth it for enterprises and organizations to adopt DNSSEC.
