  • linux中BIND服务程序安全区域传送的TSIG(事务签名)机制

    TSIG(Transaction SIGnature，事务签名)机制要解决的问题:

         主从服务器之间区域数据传送(AXFR/IXFR)的安全性：从服务器从主服务器同步区域数据时，主服务器只接受用共享密钥做了 HMAC 签名的请求，这样既能阻止未授权主机拉取整个区域，也能发现传输过程中被篡改的报文。需要注意 TSIG 只提供身份认证和完整性校验，并不加密：区域数据本身仍然是明文传输的。

    整体逻辑:

        在主服务器上生成一个对称的共享密钥(TSIG 使用 HMAC，并没有公钥/私钥之分，dnssec-keygen 生成的 .key 与 .private 两个文件里保存的是同一个密钥串)，再通过安全渠道(例如 scp)把它复制到从服务器；只有用这个密钥对请求签名的从服务器，才能从主服务器获取(备份)区域数据。

    以下实验中主服务器为PC1,IP为192.168.10.10. 从服务器为PC2,IP为192.168.10.20.

    1、在主服务器中生成TSIG共享密钥

    ## Step 1 on the master (PC1). The working directory is /var/named; the
    ## listing shows the stock zone files plus the chroot and slaves directories.
    [root@PC1 named]# ls
    192.168.10.arpa  data     linuxprobe.com.zone  named.empty      named.loopback
    chroot           dynamic  named.ca             named.localhost  slaves
    ## NOTE(review): TSIG is a symmetric HMAC. Both files written below carry
    ## the SAME shared secret (compare the Key: line of the .private file with
    ## the .key file) -- there is no public/private key pair despite the names.
    ## NOTE(review): HMAC-MD5 is obsolete; prefer hmac-sha256 with a 256-bit
    ## secret. On BIND 9.13+ dnssec-keygen no longer creates TSIG keys at all;
    ## use `tsig-keygen -a hmac-sha256 master-slave`, which prints a ready-made
    ## key {} clause for named.conf.
    [root@PC1 named]# dnssec-keygen -a HMAC-MD5 -b 128 -n  HOST master-slave  ## -a algorithm, -b key length in bits, -n owner type (HOST); afterwards a .key and a .private file appear in the current directory
    Kmaster-slave.+157+26932
    [root@PC1 named]# ls
    192.168.10.arpa  dynamic                           linuxprobe.com.zone  named.localhost
    chroot           Kmaster-slave.+157+26932.key      named.ca             named.loopback
    data             Kmaster-slave.+157+26932.private  named.empty          slaves
    [root@PC1 named]# cat Kmaster-slave.+157+26932.key 
    master-slave. IN KEY 512 3 157 tZMuUo9wgs9epnNSGRGCZw==
    [root@PC1 named]# cat Kmaster-slave.+157+26932.private   ## show the secret string (base64); this is what goes into transfer.key
    Private-key-format: v1.3
    Algorithm: 157 (HMAC_MD5)
    Key: tZMuUo9wgs9epnNSGRGCZw==
    Bits: AAA=
    Created: 20201212114316
    Publish: 20201212114316
    Activate: 20201212114316
    ## NOTE(review): the secret printed above is published with this article and
    ## must never be reused -- generate your own. Once it has been copied into
    ## transfer.key the K* files serve no purpose; delete them rather than leave
    ## a second copy of the secret lying under /var/named.

    2、在主服务器中创建TSIG密钥文件(供 named.conf include)

    ## Step 2 on the master: put the shared secret into a named.conf fragment
    ## that only root and the named group can read.
    [root@PC1 named]# cd /var/named/chroot/etc/
    [root@PC1 etc]# vim transfer.key
    ## Contents of transfer.key. The key name ("master-slave") is what the
    ## allow-transfer and server { keys } clauses in named.conf refer to, and
    ## name, algorithm and secret must be identical on master and slave.
    key "master-slave" {
    algorithm hmac-md5;
    secret "tZMuUo9wgs9epnNSGRGCZw==";
    };
    [root@PC1 etc]# ll transfer.key  ## check owner, group and mode
    -rw-r--r--. 1 root root 79 Dec 12 20:02 transfer.key
    ## vim created the file world-readable (644), so for a moment every local
    ## user could read the secret. Fix ownership and mode before continuing
    ## (or set umask 077 before creating it so it is never readable).
    [root@PC1 etc]# chown root:named transfer.key  ## give the named group read access
    [root@PC1 etc]# ll transfer.key 
    -rw-r--r--. 1 root named 79 Dec 12 20:02 transfer.key
    [root@PC1 etc]# chmod 640 transfer.key   ## root rw, group named r, nobody else
    ## NOTE(review): a hard link only works within one filesystem; with
    ## bind-chroot the chroot setup service normally keeps /etc and the chroot
    ## copy in sync by itself -- confirm which path the running named reads.
    [root@PC1 etc]# ln transfer.key /etc/transfer.key  ## hard-link it into /etc so /etc/named.conf can include it

    3、修改主服务器的主配置文件，加载密钥文件并把区域传送限制为必须使用该密钥签名

    ## Step 3 on the master: load the key clause and require it for every zone
    ## transfer. Only the options block is shown here; the zone {} clauses follow.
    [root@PC1 etc]# vim /etc/named.conf
      1 //
      2 // named.conf
      3 //
      4 // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
      5 // server as a caching only nameserver (as a localhost DNS resolver only).
      6 //
      7 // See /usr/share/doc/bind*/sample/ for example named configuration files.
      8 //
      9 include "/etc/transfer.key";  ## load the key {} clause; the path is the hard link created in step 2
     10 options {
     11         listen-on port 53 { any; };
     12         listen-on-v6 port 53 { ::1; };
     13         directory       "/var/named";
     14         dump-file       "/var/named/data/cache_dump.db";
     15         statistics-file "/var/named/data/named_stats.txt";
     16         memstatistics-file "/var/named/data/named_mem_stats.txt";
     17         allow-query     { any; };
     18         allow-transfer { key master-slave; }; ## global: only requests signed with this key may AXFR/IXFR any zone; to also pin the slave's address use { !{ !192.168.10.20; any; }; key master-slave; }
     19         /* 
     20          - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     21          - If you are building a RECURSIVE (caching) DNS server, you need to enable 
     22            recursion. 
     23          - If your recursive DNS server has a public IP address, you MUST enable access 
     24            control to limit queries to your legitimate users. Failing to do so will
     25            cause your server to become part of large scale DNS amplification 
     26            attacks. Implementing BCP38 within your network would greatly
     27            reduce such attack surface 
     28         */
     29         recursion yes;  ## NOTE(review): contradicts the advice just above -- this is the authoritative master, and together with allow-query { any; } and listen-on { any; } it becomes an open resolver; use recursion no; (or an allow-recursion ACL limited to local clients)
     30 
     31         dnssec-enable yes;
     32         dnssec-validation yes;
     33         dnssec-lookaside auto;  ## NOTE(review): the DLV registry was shut down in 2017, so this does nothing and newer BIND releases reject the option -- drop the line
    ………………

    4、重启主服务器bind服务

    ## Step 4: restart so the include and the new allow-transfer take effect.
    ## Run named-checkconf first so a typo in transfer.key or named.conf does
    ## not take the master offline (rndc reconfig would also load the key
    ## without a full restart).
    [root@PC1 etc]# systemctl restart named

    5、进入从服务器/var/named/slaves目录,清空该目录,重启bind服务,验证此时(从服务器尚未配置密钥)是否还能从主服务器备份数据

    ## Step 5 on the slave (PC2): wipe the previously transferred zone files
    ## and see whether a restart pulls them again now that the master demands
    ## a TSIG signature.
    [root@PC2 slaves]# ls
    192.168.10.arpa  linuxprobe.com.zone
    [root@PC2 slaves]# pwd
    /var/named/slaves
    [root@PC2 slaves]# rm -f *
    [root@PC2 slaves]# ls
    [root@PC2 slaves]# systemctl restart named
    [root@PC2 slaves]# ls
    ## Still empty after the restart: the slave can no longer fetch the zones
    ## from the master, because its transfer requests are unsigned and the
    ## master now only allows transfers to holders of the key. (The master's
    ## named log should show the refused AXFR -- check it rather than relying
    ## on an empty ls alone.)

    6、在从服务器中创建内容相同的TSIG密钥文件

    ## Step 6 on the slave: install the SAME key clause (name, algorithm and
    ## secret byte-for-byte as on the master). Move the secret over an
    ## authenticated channel such as scp, never paste it across an unencrypted
    ## session, and apply the same 640 root:named mode -- vim leaves the file
    ## world-readable until the chown/chmod below run.
    [root@PC2 slaves]# cd /var/named/chroot/etc/
    [root@PC2 etc]# vim transfer.key
    key "master-slave" {
    algorithm hmac-md5;
    secret "tZMuUo9wgs9epnNSGRGCZw==";
    };
    [root@PC2 etc]# chown root:named transfer.key 
    [root@PC2 etc]# chmod 640 transfer.key 
    [root@PC2 etc]# ln transfer.key /etc/transfer.key  ## hard-link into /etc for the include in named.conf (same filesystem caveat as on the master)

    7、在从服务器的主配置文件中加载密钥文件，并指定发往主服务器的请求用该密钥签名

     ## Step 7 on the slave: include the key and tell named to sign everything
     ## it sends to the master (SOA refresh queries and AXFR/IXFR requests).
     [root@PC2 etc]# vim /etc/named.conf
      1 //
      2 // named.conf
      3 //
      4 // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
      5 // server as a caching only nameserver (as a localhost DNS resolver only).
      6 //
      7 // See /usr/share/doc/bind*/sample/ for example named configuration files.
      8 //
      9 include "/etc/transfer.key";  ## same key {} clause as on the master
     10 options {
     11 listen-on port 53 { any; };
     12 listen-on-v6 port 53 { ::1; };
     13 directory "/var/named";
     14 dump-file "/var/named/data/cache_dump.db";
     15 statistics-file "/var/named/data/named_stats.txt";
     16 memstatistics-file "/var/named/data/named_mem_stats.txt";
     17 allow-query { any; };
     ## NOTE(review): lines 18-37 are elided. If they do not set allow-transfer,
     ## this slave will hand a full copy of every zone to anyone who asks
     ## (older BIND defaults to allow-transfer { any; }) -- add
     ## allow-transfer { none; } unless the slave feeds further secondaries,
     ## and make sure recursion is off here as well.
     …………
     38 managed-keys-directory "/var/named/dynamic";
     39
     40 pid-file "/run/named/named.pid";
     41 session-keyfile "/run/named/session.key";
     42 };
     43 server 192.168.10.10  ## the master: every request sent to this address is signed with the named key
     44 {
     45 keys { master-slave; };
     46 };
     47 logging {
     48 channel default_debug {
     49 file "data/named.run";
     50 severity dynamic;
     51 };
     52 };
    …………

    8、重启从服务器的bind服务,观察是否可以实现从主服务器备份域名解析数据

    ## Step 8 on the slave: with the key installed, a restart should pull both
    ## zones from the master again.
    [root@PC2 ~]# cd /var/named/slaves/
    [root@PC2 slaves]# ls
    [root@PC2 slaves]# systemctl restart named
    [root@PC2 slaves]# ls    ## the transfer succeeded: both zone files are back
    192.168.10.arpa linuxprobe.com.zone
    ## NOTE(review): to confirm the signature is actually enforced (not just
    ## configured), also try an unsigned transfer from a third host --
    ## dig @192.168.10.10 linuxprobe.com AXFR -- and expect "Transfer failed".

    9、测试DNS服务功能

    ## Step 9: interactive nslookup on the slave. Every answer below comes from
    ## 192.168.10.20 (the slave itself), so this exercises the transferred zone
    ## data rather than the master.
    [root@PC2 slaves]# nslookup    ## the slave now resolves names from the copied zones
    > www.linuxprobe.com
    Server: 192.168.10.20
    Address: 192.168.10.20#53
    Name: www.linuxprobe.com
    Address: 192.168.10.10
    > xxx.linuxprobe.com
    Server: 192.168.10.20
    Address: 192.168.10.20#53
    Name: xxx.linuxprobe.com
    Address: 111.123.145.23
    > 192.168.10.10
    Server: 192.168.10.20
    Address: 192.168.10.20#53
    10.10.168.192.in-addr.arpa name = www.linuxprobe.com.
    > 192.168.10.20
    Server: 192.168.10.20
    Address: 192.168.10.20#53
    20.10.168.192.in-addr.arpa name = mmm.xxxxxxxx.com.