After BIND is installed it produces a set of standard files, in two groups: configuration files under /etc and DNS record files under /var/named. Together with a few other related files they make up the DNS server configuration. named.conf is the default main configuration file (it must be created by hand); it sets the general named parameters and points to the sources of the zone data this server uses, which can be local disk files or remote servers.

# wget http://ftp.isc.org/isc/bind9/9.3.2/bind-9.3.2.tar.gz
# tar -xzf bind-9.2.1.tar.gz
# cd bind-9.2.1
# ./configure --enable-ipv6 --with-openssl
# make && make install

named.ca: points to the root name servers
named.local: resolves the loopback address locally
named.hosts: maps host names to IP addresses
The following uses the domain secv6.your.domain of the pure-IPv6 test network the author set up to show how to configure an IPv6 name server that supports both AAAA and A6 records.
Listing 1: /etc/named.conf

options {
    directory "/var/named";
};

// a caching only nameserver config
zone "." IN {
    type hint;
    file "named.ca";
};

// this defines the loopback name lookup
zone "localhost" IN {
    type master;
    file "master/localhost.zone";
    allow-update { none; };
};

// this defines the loopback reverse name lookup
zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "master/localhost.rev";
    allow-update { none; };
};

// This defines the secv6 domain name lookup
// Secure (signed) zone file is secv6.your.domain.signed
// Regular zone file is secv6.your.domain
zone "secv6.your.domain" IN {
    type master;
    file "master/secv6.your.domain.signed";
    // file "master/secv6.your.domain";
};

// this defines the secv6 domain reverse name lookup (AAAA)
zone "secv6.int" IN {
    type master;
    file "master/secv6.int";
};

// this defines the secv6 domain reverse name lookup (A6)
zone "secv6.arpa" IN {
    type master;
    file "master/secv6.rev";
};

// secret key truncated to fit
key "key" {
    algorithm hmac-md5;
    secret "HxbmAnSO0quVxcxBDjmAmjrmhgDUVFcFNcfmHC";
};

Listing 2: /var/named/master/secv6.your.domain

$TTL 86400
$ORIGIN secv6.your.domain.
@ IN SOA secv6.your.domain. hostmaster.your.domain. (
    2002011442 ; Serial number (yyyymmdd-num)
    3H         ; Refresh
    15M        ; Retry
    1W         ; Expire
    1D )       ; Minimum
    IN MX 10 noah.your.domain.
    IN NS ns.secv6.your.domain.
$ORIGIN secv6.your.domain.
ns                  1D IN AAAA fec0::1:250:b7ff:fe14:35d0
                    1D IN A6 0 fec0::1:250:b7ff:fe14:35d0
secv6.your.domain.  1D IN AAAA fec0::1:250:b7ff:fe14:35d0
                    1D IN A6 0 fec0::1:250:b7ff:fe14:35d0
pc2                 1D IN AAAA fec0::1:250:b7ff:fe14:35d0
                    1D IN A6 0 fec0::1:250:b7ff:fe14:35d0
pc3                 1D IN A6 0 fec0::1:250:b9ff:fe00:131
                    1D IN AAAA fec0::1:250:b9ff:fe00:131
pc6                 1D IN A6 0 fec0::1:250:b7ff:fe14:3617
                    1D IN AAAA fec0::1:250:b7ff:fe14:3617
pc4                 1D IN A6 0 fec0::1:250:b7ff:fe14:35c4
                    1D IN AAAA fec0::1:250:b7ff:fe14:35c4
pc5                 1D IN A6 0 fec0::1:250:b7ff:fe14:361b
                    1D IN AAAA fec0::1:250:b7ff:fe14:361b
pc7                 1D IN A6 0 fec0::1:250:b7ff:fe14:365a
                    1D IN AAAA fec0::1:250:b7ff:fe14:365a
pc1                 1D IN A6 0 fec0::1:250:b9ff:fe00:12e
                    1D IN AAAA fec0::1:250:b9ff:fe00:12e
pc1                 1D IN A6 0 fec0:0:0:1::1
                    1D IN AAAA fec0:0:0:1::1
$INCLUDE "/var/named/master/Ksecv6.your.domain.+003+27034.key"

DNSSEC configuration commands:

dnssec-keygen -a DSA -b 768 -n ZONE secv6.your.domain
dnssec-signzone -o secv6.your.domain secv6.your.domain

Note: DNSSEC relies mainly on public-key cryptography to create signatures over the information held in the DNS. A signature provides integrity for DNS data by computing a cryptographic hash of it and then sealing that hash for protection. The private key of the key pair is used to seal the hash, and the matching public key can then recover it. If the recovered hash matches the hash the receiver has just computed, the data is intact. Whether or not the recovered hash and the computed hash match, this form of authentication by signature is always sound, because the public key only recovers a legitimately sealed hash, so only the holder of the private key could have sealed the information.

Listing 3: /var/named/master/localhost.zone

; localhost.zone Allows for local communications
; using the loopback interface
$TTL 86400
$ORIGIN localhost.
@ 1D IN SOA @ root (
    42  ; serial (d. adams)
    3H  ; refresh
    15M ; retry
    1W  ; expire
    1D ) ; minimum
  1D IN NS @
  1D IN A 127.0.0.1

Listing 4: /var/named/master/localhost.rev

; localhost.rev Defines reverse DNS lookup on
; loopback interface
$TTL 86400
$ORIGIN 0.0.127.in-addr.arpa.
@ IN SOA 0.0.127.in-addr.arpa. hostmaster.secv6.your.domain. (
    42  ; Serial number (d. adams)
    3H  ; Refresh
    15M ; Retry
    1W  ; Expire
    1D ) ; Minimum
  NS ns.secv6.your.domain.
  MX 10 noah.ip6.your.domain.
  PTR localhost.

Listing 5: /var/named/master/secv6.rev

; secv6.rev Defines reverse lookup for secv6
; domain in A6 format
$TTL 86400
$ORIGIN secv6.arpa.
@ IN SOA secv6.arpa. hostmaster.secv6.your.domain. (
    2002011442 ; Serial number (yyyymmdd-num)
    3H         ; Refresh
    15M        ; Retry
    1W         ; Expire
    1D )       ; Minimum
  NS ns.secv6.your.domain.
  MX 10 noah.your.domain.
; fec0:0:0:1::/64
$ORIGIN \[xfec0000000000001/64].secv6.arpa.
\[x0250b7fffe1435d0/64] 1D IN PTR pc2.secv6.your.domain.
\[x0250b9fffe000131/64] 1D IN PTR pc3.secv6.your.domain.
\[x0250b7fffe143617/64] 1D IN PTR pc6.secv6.your.domain.
\[x0250b7fffe1435c4/64] 1D IN PTR pc4.secv6.your.domain.
\[x0250b7fffe14361b/64] 1D IN PTR pc5.secv6.your.domain.
\[x0250b7fffe14365a/64] 1D IN PTR pc7.secv6.your.domain.
\[x0250b9fffe00012e/64] 1D IN PTR pc1.secv6.your.domain.

Listing 6: /var/named/master/secv6.int

; secv6.int Defines reverse lookup for secv6
; domain in AAAA format
$TTL 86400
$ORIGIN secv6.int.
@ IN SOA secv6.int. hostmaster.secv6.your.domain. (
    2002011442 ; Serial number (yyyymmdd-num)
    3H         ; Refresh
    15M        ; Retry
    1W         ; Expire
    1D )       ; Minimum
  NS ns.secv6.your.domain.
  MX 10 noah.your.domain.
; fec0:0:0:1::/64
$ORIGIN 1.0.0.0.0.0.0.0.0.0.0.0.0.c.e.f.secv6.int.
0.d.5.3.4.1.e.f.f.f.7.b.0.5.2.0 IN PTR pc2.secv6.your.domain.
e.2.1.0.0.0.e.f.f.f.9.b.0.5.2.0 IN PTR pc1.secv6.your.domain.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR pc1.secv6.your.domain.
1.3.1.0.0.0.e.f.f.f.9.b.0.5.2.0 IN PTR pc3.secv6.your.domain.
7.1.6.3.4.1.e.f.f.f.7.b.0.5.2.0 IN PTR pc6.secv6.your.domain.
4.c.5.3.4.1.e.f.f.f.7.b.0.5.2.0 IN PTR pc4.secv6.your.domain.
b.1.6.3.4.1.e.f.f.f.7.b.0.5.2.0 IN PTR pc5.secv6.your.domain.
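The reverse zones above have to be kept in step with the forward zone by hand, which is where stale or mistyped PTR records creep in. As an added example (not part of the original article), this Python script derives the nibble-format owner name used in secv6.int and the bit-string label form used in secv6.rev from each AAAA address, and reports every host whose PTR is missing or points at a different name. The sample records are constructed from the listings above.

```python
import ipaddress

# Constructed sample input, copied from the listings in this article: the AAAA
# records of secv6.your.domain and the PTR owner names in secv6.int.
FORWARD_AAAA = {
    "pc2": "fec0::1:250:b7ff:fe14:35d0",
    "pc3": "fec0::1:250:b9ff:fe00:131",
    "pc1": "fec0::1:250:b9ff:fe00:12e",
}
REVERSE_PTR = {  # owner name in secv6.int -> host it points at
    "0.d.5.3.4.1.e.f.f.f.7.b.0.5.2.0.1.0.0.0.0.0.0.0.0.0.0.0.0.c.e.f.secv6.int.": "pc2",
    "1.3.1.0.0.0.e.f.f.f.9.b.0.5.2.0.1.0.0.0.0.0.0.0.0.0.0.0.0.c.e.f.secv6.int.": "pc3",
    "e.2.1.0.0.0.e.f.f.f.9.b.0.5.2.0.1.0.0.0.0.0.0.0.0.0.0.0.0.c.e.f.secv6.int.": "pc1",
}


def nibble_reverse(addr, suffix="secv6.int."):
    """PTR owner name in nibble format: each hex digit of the fully expanded
    address becomes one label, least significant nibble first."""
    digits = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(digits)) + "." + suffix


def bitstring_reverse(addr, suffix="secv6.arpa.", prefix_len=64):
    """Owner name in the bit-string label form the A6 reverse zone uses:
    a \\[x<host bits>/n] label under a \\[x<prefix bits>/m] label."""
    if prefix_len % 4:
        raise ValueError("prefix length must fall on a nibble boundary")
    digits = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    cut = prefix_len // 4  # hex digits that belong to the prefix
    return "\\[x%s/%d].\\[x%s/%d].%s" % (
        digits[cut:], 128 - prefix_len, digits[:cut], prefix_len, suffix)


def reverse_mismatches(forward, reverse, suffix="secv6.int."):
    """Return (host, problem) for every forward record that has no PTR in
    the reverse zone, or whose PTR names a different host."""
    problems = []
    for host, addr in forward.items():
        target = reverse.get(nibble_reverse(addr, suffix))
        if target is None:
            problems.append((host, "no PTR for " + addr))
        elif target != host:
            problems.append((host, "PTR points at " + target))
    return problems


if __name__ == "__main__":
    for host, addr in FORWARD_AAAA.items():
        print(host, nibble_reverse(addr), bitstring_reverse(addr))
    print("mismatches:", reverse_mismatches(FORWARD_AAAA, REVERSE_PTR))
```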
DNS client configuration

/etc/hosts is the machine's list of hosts. It can be used when the system's IP addresses are not assigned dynamically. For simple host-name resolution (dotted notation), /etc/host.conf normally tells the resolver to look here first, before it queries a DNS or NIS name server.

The resolver is then pointed at the IPv6 name server (these are /etc/resolv.conf directives):

search secv6.your.domain
nameserver fec0::1:250:b7ff:fe14:35d0
DNS server test

Query the server with the dig command:

A6 DNS query

pc2% dig 0.0.0.0 secv6.your.domain a6

; <<>> DiG 9.1.0 <<>> 0.0.0.0 secv6.your.domain A6
[...]
;secv6.your.domain. IN A6

;; ANSWER SECTION:
secv6.your.domain. 86400 IN A6 0 fec0::1:250:b7ff:fe14:35d0

;; AUTHORITY SECTION:
secv6.your.domain. 86400 IN NS ns.secv6.your.domain.

;; ADDITIONAL SECTION:
ns.secv6.your.domain. 86400 IN A6 0 fec0::1:250:b7ff:fe14:35d0
ns.secv6.your.domain. 86400 IN AAAA fec0::1:250:b7ff:fe14:35d0

AAAA DNS query

pc2% dig 0.0.0.0 secv6.your.domain aaaa

; <<>> DiG 9.1.0 <<>> 0.0.0.0 secv6.your.domain AAAA
[...]
;secv6.your.domain. IN AAAA

;; ANSWER SECTION:
secv6.your.domain. 86400 IN AAAA fec0::1:250:b7ff:fe14:35d0

;; AUTHORITY SECTION:
secv6.your.domain. 86400 IN NS ns.secv6.your.domain.

;; ADDITIONAL SECTION:
ns.secv6.your.domain. 86400 IN A6 0 fec0::1:250:b7ff:fe14:35d0
ns.secv6.your.domain. 86400 IN AAAA fec0::1:250:b7ff:fe14:35d0

With this, the DNS server for the IPv6 environment is fully set up.