Caching DNS

Published 2024-09-23, by the 千家信息网 editorial team

Unit 3

Caching DNS

DNS

1 Authoritative name servers

Store and serve the actual data for a zone (an entire DNS domain or part of one). The types of authoritative name server are:

Master: holds the original zone data. Sometimes called the "primary" name server.

Slave: a backup server that obtains a copy of the zone data from the master through a zone transfer. Sometimes called the "secondary" name server.

2 Non-authoritative / recursive name servers

The servers through which clients look up data held by authoritative name servers.

3 DNS lookups

DNS resource records

A DNS zone stores its information as resource records. Each resource record has a type that says what kind of data it holds:

A: name to IPv4 address

AAAA: name to IPv6 address

CNAME: name to "canonical name" (another name that holds the A/AAAA records)

PTR: IPv4/IPv6 address to name

MX: mail exchanger for the name (where its e-mail is delivered)

NS: name server for the domain name

SOA: "start of authority", information about the DNS zone (administrative data)

DNS troubleshooting

dig shows the details of a DNS lookup, including why a query failed:

NOERROR: the query succeeded

NXDOMAIN: the DNS server reports that no such name exists

SERVFAIL: the DNS server is down, or DNSSEC validation of the response failed

REFUSED: the DNS server refused to answer (possibly for access-control reasons)

Caching DNS server

Server side:

1 yum install bind.x86_64 -y   ### install the DNS server ###

2 systemctl stop firewalld.service   ### stop the firewall ###

3 systemctl start named   ### start the service; if it has not been started for a long time it may hang for lack of entropy ("not enough characters"), so type a few random characters in the virtual machine console ###

4 vim /etc/named.conf   ### edit the main configuration file ###

Change these lines to:

listen-on port 53 { any; };   ### the loopback interface cannot talk to the outside, so change it to any ###

allow-query { any; };   ### allow anyone to query ###

forwarders { 172.25.254.250; };   ### if the caching DNS cannot answer, ask 172.25.254.250 (the authoritative name server) ###

5 systemctl restart named   ### restart the service ###

Client side:

1 vim /etc/resolv.conf   ### point it at the DNS server ###

2 Test: dig www.baidu.com   ### dig prints information about the query and the answer ###

The process:

[root@localhost ~]# yum search dns
[root@localhost ~]# yum install bind.x86_64 -y
[root@localhost ~]# systemctl stop firewalld.service
[root@localhost ~]# ll /etc/rndc.key   ### the file does not exist until the named service has been started ###
ls: cannot access /etc/rndc.key: No such file or directory
[root@localhost ~]# systemctl start named   ### start the service; if it has not been started for a long time it may hang for lack of entropy ("not enough characters"), so type a few random characters in the virtual machine console ###
[root@localhost ~]# ll /etc/rndc.key
-rw-r-----. 1 root named 77 May  5 22:13 /etc/rndc.key
[root@localhost ~]# vim /etc/named.conf
[root@localhost ~]# systemctl restart named   ### restart the service ###

Client side:

[root@localhost ~]# vim /etc/resolv.conf   ### point it at the DNS server ###
[root@localhost ~]# dig www.baidu.com

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47262   ### NOERROR: the query succeeded ###
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 13, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:   ### what is being asked ###
;www.baidu.com.                 IN      A

;; ANSWER SECTION:   ### the response ###
www.baidu.com.          376     IN      CNAME   www.a.shifen.com.   ### CNAME: name to "canonical name" ###
www.a.shifen.com.       300     IN      A       183.232.231.172   ### A: name to IPv4 address ###
www.a.shifen.com.       300     IN      A       183.232.231.173

;; AUTHORITY SECTION:
.                       513219  IN      NS      k.root-servers.net.
.                       513219  IN      NS      c.root-servers.net.
.                       513219  IN      NS      a.root-servers.net.
.                       513219  IN      NS      g.root-servers.net.
.                       513219  IN      NS      i.root-servers.net.
.                       513219  IN      NS      h.root-servers.net.
.                       513219  IN      NS      m.root-servers.net.
.                       513219  IN      NS      e.root-servers.net.
.                       513219  IN      NS      f.root-servers.net.
.                       513219  IN      NS      b.root-servers.net.
.                       513219  IN      NS      l.root-servers.net.
.                       513219  IN      NS      d.root-servers.net.
.                       513219  IN      NS      j.root-servers.net.

;; Query time: 349 msec   ### the recursive name server the query was sent to, and how long the response took ###
;; SERVER: 172.25.254.112#53(172.25.254.112)
;; WHEN: Fri May 05 22:17:05 EDT 2017
;; MSG SIZE  rcvd: 312
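The troubleshooting table above lists the status codes and the annotated dig output walks through the sections. As an added example (not code from the original page), the following Python parses dig output into header status, flags, answering server and the records of each section, then reports the status meaning and whether the answer is authoritative (aa flag) rather than served from a cache. The two sample outputs are constructed in the shape of the dig output above.

```python
import re

# Constructed samples in the shape of the dig output above: an authoritative
# NOERROR answer (tab-separated fields as dig prints them) and an NXDOMAIN.
SAMPLE_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29432
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; OPT PSEUDOSECTION:
;; QUESTION SECTION:
;www.westos.com.\t\t\tIN\tA

;; ANSWER SECTION:
www.westos.com.\t\t86400\tIN\tA\t172.25.254.212

;; AUTHORITY SECTION:
westos.com.\t\t86400\tIN\tNS\tdns.westos.com.

;; SERVER: 172.25.254.112#53(172.25.254.112)
"""
SAMPLE_NX = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4711
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; SERVER: 172.25.254.112#53(172.25.254.112)
"""

# The troubleshooting table above, as data.
STATUS_MEANING = {
    "NOERROR": "query succeeded",
    "NXDOMAIN": "server says no such name exists",
    "SERVFAIL": "server down or DNSSEC validation of the response failed",
    "REFUSED": "server refused to answer (access control?)",
}
SECTION_RE = re.compile(r"^;; (\w+) SECTION:$")   # deliberately not OPT PSEUDOSECTION

def parse_dig(text):
    """Split dig output into header status, flags, answering server and
    (owner, ttl, type, rdata) tuples for each section."""
    r = {"status": None, "flags": [], "server": None, "sections": {}}
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if line.startswith(";; ->>HEADER<<-"):
            status = re.search(r"status: (\w+)", line)
            r["status"] = status.group(1) if status else None
        elif line.startswith(";; flags:"):
            r["flags"] = line.split("flags:")[1].split(";")[0].split()
        elif line.startswith(";; SERVER:"):
            r["server"] = line.split("SERVER:")[1].split("#")[0].strip()
        elif m:
            section = m.group(1)
            r["sections"][section] = []
        elif not line:
            section = None                      # a blank line ends a section
        elif section and not line.startswith(";"):
            parts = line.split(None, 4)         # owner TTL class type rdata
            if len(parts) == 5:
                r["sections"][section].append((parts[0], int(parts[1]), parts[3], parts[4]))
    return r

def diagnose(text):
    """Classify the result as the table above does, and say whether the answer
    is authoritative (aa flag set) rather than served from a cache."""
    r = parse_dig(text)
    return {
        "status": r["status"],
        "meaning": STATUS_MEANING.get(r["status"], "unknown status"),
        "authoritative": "aa" in r["flags"],
        "server": r["server"],
        "answers": [(o, t, d) for o, _ttl, t, d in r["sections"].get("ANSWER", [])],
    }

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_NX):
        print(diagnose(sample))
```

The baidu answer above carries flags qr rd ra without aa, which is how a cached or forwarded answer differs from the authoritative westos.com answers later on the page.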

Writing the A-record file

Server side:

1 vim /etc/named.conf

2 vim /etc/named.rfc1912.zones

3 cd /var/named/

4 cp -p named.localhost westos.com.zone   ### generate the A-record file from the template; -p is essential, otherwise you may get permission errors ###

5 vim westos.com.zone   ### write the A-record file ###

6 systemctl restart named   ### restart the service ###

Client side:

1 vim /etc/resolv.conf

2 Test: dig www.westos.com

The process:

Server side:

[root@server ~]# vim /etc/named.conf
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };

[root@server ~]# vim /etc/named.rfc1912.zones
zone "westos.com" IN {   ### the domain name to serve ###
        type master;
        file "westos.com.zone";   ### the name of the A-record file ###
        allow-update { none; };
};

[root@server ~]# cd /var/named/
[root@server named]# ll
total 20
drwxrwx---. 2 named named   22 May  5 22:13 data
drwxrwx---. 2 named named   30 May  5 23:30 dynamic
-rw-r-----. 1 root  named 2076 Jan 28  2013 named.ca
-rw-r-----. 1 root  named  152 Dec 15  2009 named.empty
-rw-r-----. 1 root  named  152 Jun 21  2007 named.localhost
-rw-r-----. 1 root  named  168 Dec 15  2009 named.loopback
drwxrwx---. 2 named named    6 Jan 29  2014 slaves
-rw-r-----. 1 root  named  349 May  5 23:29 westos.com.zone
[root@server named]# cp -p named.localhost westos.com.zone
[root@server named]# vim westos.com.zone   ### write the A-record file ###
$TTL 1D   ### cache for one day ###
@       IN SOA  dns.westos.com. root.westos.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      dns.westos.com.   ### the DNS host ###
dns     A       172.25.254.112   ### A record of the DNS host ###
www     A       172.25.254.212   ### the A record being added ###

### The leading @ stands for the contents of the quotes in zone "...", here westos.com; dns.westos.com. is the name of the DNS server, and its trailing dot must not be left out, otherwise the contents of @ are appended to it automatically ###

[root@server named]# systemctl restart named

Client side:

[root@localhost ~]# vim /etc/resolv.conf
# Generated by NetworkManager
search example.com
nameserver 172.25.254.112
[root@localhost ~]# dig www.westos.com

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> www.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29432
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.westos.com.                IN      A

;; ANSWER SECTION:
www.westos.com.         86400   IN      A       172.25.254.212

;; AUTHORITY SECTION:   ### the name server responsible for the domain (zone) ###
westos.com.             86400   IN      NS      dns.westos.com.

;; ADDITIONAL SECTION:   ### other information, usually about the name servers ###
dns.westos.com.         86400   IN      A       172.25.254.112

;; Query time: 0 msec
;; SERVER: 172.25.254.112#53(172.25.254.112)
;; WHEN: Fri May 05 23:14:27 EDT 2017
;; MSG SIZE  rcvd: 93

Adding CNAME and MX records to the A-record file

Server side:

vim /var/named/westos.com.zone   ### edit the A-record file ###

systemctl restart named   ### restart the service ###

Client side:

Test: dig music.westos.com

dig -t mx westos.com

Server side:

[root@server ~]# vim /var/named/westos.com.zone
$TTL 1D
@       IN SOA  dns.westos.com. root.westos.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      dns.westos.com.
dns     A       172.25.254.112
www     A       172.25.254.212
music   CNAME   music.a.westos.com.
music.a A       172.25.254.111
music.a A       172.25.254.222
westos.com.     MX 1    172.25.254.100.
[root@server ~]# systemctl restart named

Client side:

[root@localhost ~]# dig music.westos.com

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> music.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14025
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;music.westos.com.              IN      A

;; ANSWER SECTION:
music.westos.com.       86400   IN      CNAME   music.a.westos.com.
music.a.westos.com.     86400   IN      A       172.25.254.111
music.a.westos.com.     86400   IN      A       172.25.254.222

;; AUTHORITY SECTION:
westos.com.             86400   IN      NS      dns.westos.com.

;; ADDITIONAL SECTION:
dns.westos.com.         86400   IN      A       172.25.254.112

;; Query time: 0 msec
;; SERVER: 172.25.254.112#53(172.25.254.112)
;; WHEN: Fri May 05 23:30:33 EDT 2017
;; MSG SIZE  rcvd: 133

[root@localhost ~]# dig -t mx westos.com

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -t mx westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33372
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;westos.com.                    IN      MX

;; ANSWER SECTION:
westos.com.             86400   IN      MX      1 172.25.254.100.

;; AUTHORITY SECTION:
westos.com.             86400   IN      NS      dns.westos.com.

;; ADDITIONAL SECTION:
dns.westos.com.         86400   IN      A       172.25.254.112

;; Query time: 0 msec
;; SERVER: 172.25.254.112#53(172.25.254.112)
;; WHEN: Fri May 05 23:30:46 EDT 2017
;; MSG SIZE  rcvd: 103
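The A-record section explains the origin rule (@ is the zone name, and a name without a trailing dot gets the origin appended), and the CNAME/MX section adds targets that must be host names. As an added example, not code from the original page, this Python applies that expansion to a constructed copy of the westos.com zone file and reports two things a reviewer would catch: a relative target that silently becomes name.westos.com., and an MX target written as an IP literal, which BIND loads (as the dig -t mx answer above shows) but which mail servers cannot resolve as a host name. The function names and the deliberately broken NS line are mine.

```python
import ipaddress

# Constructed copy of the westos.com zone file above, with one deliberate
# mistake: the NS target "dns.westos.com" is missing its trailing dot.
ZONE_TEXT = """\
$TTL 1D
@   IN SOA dns.westos.com. root.westos.com. (
        0  ; serial
        1D ; refresh
        1H ; retry
        1W ; expire
        3H ) ; minimum
    NS  dns.westos.com
dns A   172.25.254.112
www A   172.25.254.212
music CNAME music.a.westos.com.
music.a A 172.25.254.111
westos.com. MX 1 172.25.254.100.
"""

def absolutize(name, origin):
    """The rule from the page: @ is the origin, and a name without a trailing
    dot gets the origin appended to it."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin

def parse_zone(text, origin):
    """Return (owner, rtype, fields) with absolute owners. Handles comments,
    the parenthesised multi-line SOA and the implicit owner of an indented
    record (it reuses the previous owner); per-record TTLs are not handled."""
    records, last_owner, buf, indented = [], origin, "", False
    for raw in text.splitlines():
        line = raw.split(";")[0].rstrip()
        if not line or line.startswith("$"):
            continue
        if not buf:
            indented = raw[0].isspace()
        buf += " " + line
        if buf.count("(") > buf.count(")"):
            continue                            # still inside the SOA
        fields = buf.replace("(", " ").replace(")", " ").split()
        buf = ""
        owner = last_owner if indented else absolutize(fields.pop(0), origin)
        last_owner = owner
        if fields[0] == "IN":
            fields.pop(0)
        records.append((owner, fields.pop(0), fields))
    return records

def check_zone(text, origin):
    """Flag the mistakes a reviewer would catch: a relative target that silently
    becomes name.origin, and an MX/NS/CNAME/PTR target that is an IP literal."""
    findings = []
    for owner, rtype, fields in parse_zone(text, origin):
        if rtype not in ("NS", "CNAME", "MX", "PTR"):
            continue
        target = absolutize(fields[-1], origin)
        if not fields[-1].endswith("."):
            findings.append("%s %s: '%s' has no trailing dot, BIND reads it as '%s'"
                            % (owner, rtype, fields[-1], target))
        try:
            ipaddress.ip_address(target.rstrip("."))
            findings.append("%s %s: target '%s' is an IP literal; it must be a host name"
                            % (owner, rtype, target))
        except ValueError:
            pass
    return findings

if __name__ == "__main__":
    for owner, rtype, fields in parse_zone(ZONE_TEXT, "westos.com."):
        print(owner, rtype, " ".join(fields))
    print("\n".join(check_zone(ZONE_TEXT, "westos.com.")))
```

On a real server the same class of mistake is caught before a restart with named-checkzone westos.com /var/named/westos.com.zone, which the page's procedure skips.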

Different DNS answers for different network segments

Server side:

1 cp /etc/named.rfc1912.zones /etc/named.rfc1912.inter -p

2 vim /etc/named.rfc1912.inter

3 cp /var/named/westos.com.zone /var/named/westos.com.inter -p

4 vim /var/named/westos.com.inter

5 vim /etc/named.conf

6 systemctl restart named

Client side:

Test: dig www.westos.com   ### on the client whose IP is 172.25.254.212 ###

dig www.westos.com   ### on the client whose IP is 172.25.12.101 ###

[root@server ~]# cp /etc/named.rfc1912.zones /etc/named.rfc1912.inter -p
[root@server ~]# vim /etc/named.rfc1912.inter
zone "westos.com" IN {
        type master;
        file "westos.com.inter";
        allow-update { none; };
};
[root@server ~]# cp /var/named/westos.com.zone /var/named/westos.com.inter -p
[root@server ~]# vim /var/named/westos.com.inter
$TTL 1D
@       IN SOA  dns.westos.com. root.westos.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      dns.westos.com.
dns     A       172.25.12.112
www     A       172.25.12.212
music   CNAME   music.a.westos.com.
music.a A       172.25.12.111
music.a A       172.25.12.222
westos.com.     MX 1    172.25.12.100.
[root@server ~]# vim /etc/named.conf
[root@server ~]# systemctl restart named

Client side:

[root@localhost ~]# dig www.westos.com   ### on the client whose IP is 172.25.254.212 ###

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> www.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20946
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.westos.com.                IN      A

;; ANSWER SECTION:
www.westos.com.         86400   IN      A       172.25.254.212

;; AUTHORITY SECTION:
westos.com.             86400   IN      NS      dns.westos.com.

;; ADDITIONAL SECTION:
dns.westos.com.         86400   IN      A       172.25.254.112

;; Query time: 0 msec
;; SERVER: 172.25.254.112#53(172.25.254.112)
;; WHEN: Sat May 06 02:31:35 EDT 2017
;; MSG SIZE  rcvd: 93

[root@localhost ~]# vim /etc/resolv.conf   ### on the client whose IP is 172.25.12.101 ###
# Generated by NetworkManager
search example.com
nameserver 172.25.12.100
# No nameservers found; try putting DNS servers into your
# ifcfg files in /etc/sysconfig/network-scripts like so:
#
# DNS1=xxx.xxx.xxx.xxx
# DNS2=xxx.xxx.xxx.xxx
# DOMAIN=lab.foo.com bar.foo.com
[root@localhost ~]# dig www.westos.com

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> www.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51552
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.westos.com.                IN      A

;; ANSWER SECTION:
www.westos.com.         86400   IN      A       172.25.12.212

;; AUTHORITY SECTION:
westos.com.             86400   IN      NS      dns.westos.com.

;; ADDITIONAL SECTION:
dns.westos.com.         86400   IN      A       172.25.12.112

;; Query time: 0 msec
;; SERVER: 172.25.12.100#53(172.25.12.100)
;; WHEN: Sat May 06 02:40:07 EDT 2017
;; MSG SIZE  rcvd: 93
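Step 5 above edits /etc/named.conf but the page does not show the result. The BIND mechanism for answering the same zone name differently depending on the client's network is views; the following is an added example configuration, not the page's file, assuming that clients in 172.25.12.0/24 should be served from westos.com.inter and everyone else from westos.com.zone.

```conf
// /etc/named.conf (added example): zones are selected per client network.
acl internal { 172.25.12.0/24; };

options {
        listen-on port 53 { any; };
        directory "/var/named";
        allow-query { any; };
};

// The first view whose match-clients fits the query's source address wins,
// so the narrower network comes first and the catch-all view last.
view "internal" {
        match-clients { internal; };
        zone "." IN { type hint; file "named.ca"; };
        include "/etc/named.rfc1912.inter";    // westos.com -> westos.com.inter (172.25.12.x answers)
};

view "external" {
        match-clients { any; };
        zone "." IN { type hint; file "named.ca"; };
        include "/etc/named.rfc1912.zones";    // westos.com -> westos.com.zone (172.25.254.x answers)
};
```

Once any view exists, every zone statement, including the root hints and the stock top-level include of /etc/named.rfc1912.zones, has to move inside a view, and named-checkconf /etc/named.conf reports that before a restart would fail; match-clients trusts only the source address, which is fine for split-horizon answers but is not an authentication of the client.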

Reverse resolution

Server side:

1 vim /etc/named.rfc1912.zones

2 cd /var/named/

3 cp -p named.loopback /var/named/westos.comNaNr

4 vim /var/named/westos.comNaNr

5 systemctl restart named

Client side:

Test: dig -x 172.25.254.111

Server side:

[root@server ~]# vim /etc/named.rfc1912.zones
zone "254.25.172.in-addr.arpa" IN {   ### the network segment of the DNS server, written backwards ###
        type master;
        file "westos.comNaNr";
        allow-update { none; };
};
[root@server ~]# cd /var/named/
[root@server named]# ll
total 28
drwxrwx---. 2 named named   22 May  5 22:13 data
drwxrwx---. 2 named named 4096 May  6 03:07 dynamic
-rw-r-----. 1 root  named 2076 Jan 28  2013 named.ca
-rw-r-----. 1 root  named  152 Dec 15  2009 named.empty
-rw-r-----. 1 root  named  152 Jun 21  2007 named.localhost
-rw-r-----. 1 root  named  168 Dec 15  2009 named.loopback
drwxrwx---. 2 named named    6 Jan 29  2014 slaves
-rw-r-----. 1 root  named  344 May  6 01:57 westos.com.inter
-rw-r-----. 1 root  named  349 May  5 23:29 westos.com.zone
[root@server named]# cp -p named.loopback /var/named/westos.comNaNr
[root@server named]# vim /var/named/westos.comNaNr
[root@server named]# systemctl restart named

Client side:

[root@localhost ~]# dig -x 172.25.254.111

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -x 172.25.254.111
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34839
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;111.254.25.172.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
111.254.25.172.in-addr.arpa. 86400 IN   PTR     www.westos.com.

;; AUTHORITY SECTION:
254.25.172.in-addr.arpa. 86400  IN      NS      dns.westos.com.

;; ADDITIONAL SECTION:
dns.westos.com.         86400   IN      A       172.25.254.112

;; Query time: 0 msec
;; SERVER: 172.25.254.112#53(172.25.254.112)
;; WHEN: Sat May 06 03:27:08 EDT 2017
;; MSG SIZE  rcvd: 118

[root@localhost ~]# dig -x 172.25.254.222

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -x 172.25.254.222
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14617
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;222.254.25.172.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
222.254.25.172.in-addr.arpa. 86400 IN   PTR     bbs.westos.com.

;; AUTHORITY SECTION:
254.25.172.in-addr.arpa. 86400  IN      NS      dns.westos.com.

;; ADDITIONAL SECTION:
dns.westos.com.         86400   IN      A       172.25.254.112

;; Query time: 1 msec
;; SERVER: 172.25.254.112#53(172.25.254.112)
;; WHEN: Sat May 06 03:30:35 EDT 2017
;; MSG SIZE  rcvd: 118

[root@localhost ~]# dig -x 172.25.254.222

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -x 172.25.254.222
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17706
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;222.254.25.172.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
222.254.25.172.in-addr.arpa. 86400 IN   PTR     bbs.westos.com.

;; AUTHORITY SECTION:
254.25.172.in-addr.arpa. 86400  IN      NS      dns.westos.com.

;; ADDITIONAL SECTION:
dns.westos.com.         86400   IN      A       172.25.254.112

;; Query time: 0 msec
;; SERVER: 172.25.254.112#53(172.25.254.112)
;; WHEN: Sat May 06 03:30:39 EDT 2017
;; MSG SIZE  rcvd: 118
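The section above declares the reverse zone as the DNS server's network written backwards (254.25.172.in-addr.arpa) but does not show the PTR file itself. As an added example, not code from the original page, this Python derives the zone name from a network, the PTR owner from an address, and renders a reverse zone file in the same layout as the forward file. The address-to-name map is constructed to match the dig -x answers above (111 is www, 222 is bbs) plus the DNS host; the function names are mine.

```python
import ipaddress

# Constructed address -> name map for the 172.25.254.0/24 segment, following
# the dig -x answers above (111 -> www, 222 -> bbs) plus the DNS host itself.
FORWARD = {
    "172.25.254.112": "dns.westos.com.",
    "172.25.254.111": "www.westos.com.",
    "172.25.254.222": "bbs.westos.com.",
}

def reverse_zone_name(network):
    """Zone name for a network: the network octets written backwards under
    in-addr.arpa, e.g. 172.25.254.0/24 -> 254.25.172.in-addr.arpa."""
    net = ipaddress.ip_network(network, strict=True)
    if net.prefixlen % 8:
        raise ValueError("only /8, /16 and /24 zones are handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."

def ptr_owner(address, zone):
    """Owner of the PTR relative to its zone: the host octets reversed
    (111 for 172.25.254.111 in 254.25.172.in-addr.arpa.)."""
    full = ipaddress.ip_address(address).reverse_pointer + "."
    if not full.endswith("." + zone):
        raise ValueError("%s does not belong to zone %s" % (address, zone))
    return full[: -len(zone) - 1]

def build_reverse_zone(network, forward, ns="dns.westos.com.", serial=1):
    """Render the reverse zone file: SOA and NS as in the forward file above,
    then one PTR per address. Every target must be absolute (trailing dot),
    otherwise BIND would append the in-addr.arpa origin to it."""
    zone = reverse_zone_name(network)
    lines = ["$TTL 1D",
             "@ IN SOA %s root.%s (" % (ns, ns.split(".", 1)[1]),
             "        %d ; serial" % serial, "        1D ; refresh",
             "        1H ; retry", "        1W ; expire", "        3H ) ; minimum",
             "    NS  %s" % ns]
    for addr in sorted(forward, key=ipaddress.ip_address):
        name = forward[addr]
        if not name.endswith("."):
            raise ValueError("PTR target %s must end with a dot" % name)
        lines.append("%s PTR %s" % (ptr_owner(addr, zone), name))
    return zone, "\n".join(lines) + "\n"

if __name__ == "__main__":
    zone, text = build_reverse_zone("172.25.254.0/24", FORWARD)
    print('zone "%s"' % zone.rstrip("."))
    print(text)
```

Note that the forward file above maps www to 172.25.254.212 while the reverse answers map 111 to www; forward and reverse data are independent records, so a mismatch like this is exactly what forward-confirmed reverse DNS checks on mail and SSH servers reject.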

Updating DNS dynamically

Server side:

1 cp -p /var/named/westos.com.zone /mnt/

2 vim /etc/named.rfc1912.zones
zone "westos.com" IN {
        type master;
        file "westos.com.zone";
        allow-update { 172.25.254.212; };   ### who is allowed to update ###
};

3 systemctl restart named

4 chmod 770 /var/named/

5 setsebool -P named_write_master_zones 1

Client side:

Test:

1 nsupdate   ### add a record ###
> server 172.25.254.112
> update add hello.westos.com 86400 A 172.25.254.222
> send

2 dig hello.westos.com   ### check it ###

3 nsupdate   ### delete the record ###
> server 172.25.254.112
> update delete hello.westos.com
> send

Server side:

[root@server named]# cp -p /var/named/westos.com.zone /mnt/
[root@server named]# vim /etc/named.rfc1912.zones
zone "westos.com" IN {
        type master;
        file "westos.com.zone";
        allow-update { 172.25.254.212; };
};
[root@server named]# systemctl restart named
[root@server named]# chmod 770 /var/named/
[root@server named]# setsebool -P named_write_master_zones 1

Client side:

[root@localhost ~]# nsupdate
> server 172.25.254.112
> update add hello.westos.com 86400 A 172.25.254.222
> send
> ^C
[root@localhost ~]# dig hello.westos.com

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> hello.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12735
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;hello.westos.com.              IN      A

;; ANSWER SECTION:
hello.westos.com.       86400   IN      A       172.25.254.222

;; AUTHORITY SECTION:
westos.com.             86400   IN      NS      dns.westos.com.

;; ADDITIONAL SECTION:
dns.westos.com.         86400   IN      A       172.25.254.112

;; Query time: 0 msec
;; SERVER: 172.25.254.112#53(172.25.254.112)
;; WHEN: Sat May 06 04:05:37 EDT 2017
;; MSG SIZE  rcvd: 95

### But when the service is restarted, the contents of westos.com.zone change: they are synchronised with the journal (cache) file westos.com.zone.jnl ###

Restoring the westos.com.zone file:

cd /var/named

rm -fr westos.com.zone westos.com.zone.jnl   ### delete the journal file and the changed zone file ###

cp -p /mnt/westos.com.zone .   ### copy the earlier file back ###

The process:

[root@server named]# systemctl restart named
[root@server named]# vim /var/named/westos.com.zone
### contents of the file after the change ###
$ORIGIN .
$TTL 86400      ; 1 day
westos.com              IN SOA  dns.westos.com. root.westos.com. (
                                1          ; serial
                                86400      ; refresh (1 day)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                10800      ; minimum (3 hours)
                                )
                        NS      dns.westos.com.
                        MX      1 172.25.254.100.
$ORIGIN westos.com.
music.a                 A       172.25.254.111
                        A       172.25.254.222
dns                     A       172.25.254.112
hello                   A       172.25.254.222
music                   CNAME   music.a
www                     A       172.25.254.212
[root@server named]# ls
data     named.empty      slaves            westos.com.zone
dynamic  named.localhost  westos.com.inter  westos.com.zone.jnl
named.ca named.loopback   westos.comNaNr
[root@server named]# vim /var/named/westos.com.zone
[root@server named]# rm -fr westos.com.zone westos.com.zone.jnl   ### delete the journal file and the changed zone file ###
[root@server named]# cp -p /mnt/westos.com.zone .   ### copy the earlier file back ###
[root@server named]# ls
data     named.empty      slaves            westos.com.zone
dynamic  named.localhost  westos.com.inter
named.ca named.loopback   westos.comNaNr

Configuring a key

Server side:

1 dnssec-keygen -a HMAC-MD5 -b 256 -n HOST westoskey   ### generate the key: -a is the algorithm, -b the key length in bits, -n the purpose of the key (HOST: a host key, used here for name-resolution updates), westoskey the key name ###

2 cat Kwestoskey.+157+22331.key

3 cp -p /etc/rndc.key /etc/westos.key   ### build the key configuration file from the template ###

4 vim /etc/westos.key

5 vim /etc/named.conf

6 vim /etc/named.rfc1912.zones

7 scp Kwestoskey.+157+23921.* root@172.25.254.212:/mnt/   ### send the key to the client ###

Client side:

Test:

nsupdate -k Kwestoskey.+157+23921.private
> server 172.25.254.112
> update add hello.westos.com 86400 A 172.25.254.111
> send
> quit
[root@localhost mnt]# dig hello.westos.com

Server side:

[root@server named]# dnssec-keygen --help
dnssec-keygen: invalid argument --
Usage:
    dnssec-keygen [options] name

Version: 9.9.4-RedHat-9.9.4-29.el7
    name: owner of the key
Options:
    -K <directory>: write keys into directory
    -a <algorithm>:
        RSA | RSAMD5 | DSA | RSASHA1 | NSEC3RSASHA1 | NSEC3DSA |
        RSASHA256 | RSASHA512 | ECCGOST |
        ECDSAP256SHA256 | ECDSAP384SHA384 |
        DH | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | HMAC-SHA256 |
        HMAC-SHA384 | HMAC-SHA512
        (default: RSASHA1, or NSEC3RSASHA1 if using -3)
    -3: use NSEC3-capable algorithm
    -b <key size in bits>:
        RSAMD5:         [512..4096]
        RSASHA1:        [512..4096]
        NSEC3RSASHA1:   [512..4096]
        RSASHA256:      [512..4096]
        RSASHA512:      [1024..4096]
        DH:             [128..4096]
        DSA:            [512..1024] and divisible by 64
        NSEC3DSA:       [512..1024] and divisible by 64
        ECCGOST:        ignored
        ECDSAP256SHA256: ignored
        ECDSAP384SHA384: ignored
        HMAC-MD5:       [1..512]
        HMAC-SHA1:      [1..160]
        HMAC-SHA224:    [1..224]
        HMAC-SHA256:    [1..256]
        HMAC-SHA384:    [1..384]
        HMAC-SHA512:    [1..512]
        (if using the default algorithm, key size
        defaults to 2048 for KSK, or 1024 for all others)
    -n <nametype>: ZONE | HOST | ENTITY | USER | OTHER
        (DNSKEY generation defaults to ZONE)
    -c <class>: (default: IN)
    -d <digest bits> (0 => max, default)
    -E <engine>:
        name of an OpenSSL engine to use
    -f <keyflag>: KSK | REVOKE
    -g <generator>: use specified generator (DH only)
    -L <ttl>: default key TTL
    -p <protocol>: (default: 3 [dnssec])
    -r <randomdev>: a file containing random data
    -s <strength>: strength value this key signs DNS records with (default: 0)
    -T <rrtype>: DNSKEY | KEY (default: DNSKEY; use KEY for SIG(0))
    -t <type>: AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF (default: AUTHCONF)
    -h: print usage and exit
    -m <memory debugging mode>:
        usage | trace | record | size | mctx
    -v <level>: set verbosity level (0 - 10)
Timing options:
    -P date/[+-]offset/none: set key publication date (default: now)
    -A date/[+-]offset/none: set key activation date (default: now)
    -R date/[+-]offset/none: set key revocation date
    -I date/[+-]offset/none: set key inactivation date
    -D date/[+-]offset/none: set key deletion date
    -G: generate key only; do not set -P or -A
    -C: generate a backward-compatible key, omitting all dates
    -S <key>: generate a successor to an existing key
    -i <interval>: prepublication interval for successor key (default: 30 days)
Output:
     K<name>+<alg>+<id>.key, K<name>+<alg>+<id>.private

[root@server named]# cd /mnt/
[root@server mnt]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST westoskey
Kwestoskey.+157+23921
[root@server mnt]# ls
Kwestoskey.+157+23921.key  Kwestoskey.+157+23921.private  westos.com.zone
[root@server mnt]# cat Kwestoskey.+157+23921.key
westoskey. IN KEY 512 3 157 Af69mywNhRB8Vq88kiYpYw==
[root@server mnt]# cp -p /etc/rndc.key /etc/westos.key
[root@server mnt]# vim /etc/westos.key
[1]+  Stopped                 vim /etc/westos.key
[root@server mnt]# fg
vim /etc/westos.key
[root@server mnt]# vim /etc/westos.key
[1]+  Stopped                 vim /etc/westos.key
[root@server mnt]# fg
vim /etc/westos.key
[root@server mnt]# vim /etc/named.conf
[root@server mnt]# vim /etc/named.rfc1912.zones
[root@server mnt]# systemctl restart named
[root@server mnt]# scp Kwestoskey.+157+23921.* root@172.25.254.212:/mnt/
The authenticity of host '172.25.254.212 (172.25.254.212)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.25.254.212' (ECDSA) to the list of known hosts.
root@172.25.254.212's password:
Kwestoskey.+157+23921.key                     100%   53     0.1KB/s   00:00
Kwestoskey.+157+23921.private                 100%  165     0.2KB/s   00:00
### the key has been sent to the client ###

Client side:

[root@localhost mnt]# nsupdate -k Kwestoskey.+157+23921.private
> server 172.25.254.112
> update add hello.westos.com 86400 A 172.25.254.111
> send
> quit
[root@localhost mnt]# dig hello.westos.com

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> hello.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33993
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;hello.westos.com.              IN      A

;; ANSWER SECTION:
hello.westos.com.       86400   IN      A       172.25.254.111

;; AUTHORITY SECTION:
westos.com.             86400   IN      NS      dns.westos.com.

;; ADDITIONAL SECTION:
dns.westos.com.         86400   IN      A       172.25.254.112

;; Query time: 0 msec
;; SERVER: 172.25.254.112#53(172.25.254.112)
;; WHEN: Sun May 07 21:14:53 EDT 2017
;; MSG SIZE  rcvd: 95
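The previous section authorises updates by source address (allow-update { 172.25.254.212; }), and this one replaces that with a shared TSIG key. As an added example, not code from the original page, the following Python shows what the key buys: the HMAC is computed over the whole UPDATE message plus the key name, algorithm and signing time, so a record altered in transit or a message replayed outside the fudge window fails verification, which a source address alone cannot guarantee. The helper names, the generated secret and the hmac-sha256 choice (the page uses HMAC-MD5, listed here only for compatibility) are mine.

```python
import base64, hashlib, hmac, secrets, struct, time

def name_to_wire(name):
    """DNS wire form of an absolute name: length-prefixed labels, root = 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_update(zone, owner, ipv4, ttl=86400, msg_id=0x1234):
    """A DNS UPDATE (opcode 5) that adds one A record, in wire format:
    header counts are 1 zone, 0 prerequisites, 1 update, 0 additional."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)
    zone_sec =  name_to_wire(zone) + struct.pack("!HH", 6, 1)         # SOA, IN
    rdata = bytes(int(o) for o in ipv4.split("."))
    rr = name_to_wire(owner) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + zone_sec + rr

ALGORITHMS = {"hmac-md5.sig-alg.reg.int.": hashlib.md5,      # what the page uses
              "hmac-sha256.": hashlib.sha256}                  # preferred today

def tsig_mac(secret, message, keyname, alg, when, fudge=300):
    """HMAC over message || TSIG variables (RFC 8945 4.3.3): key name, class ANY,
    TTL 0, algorithm name, 48-bit time signed, fudge, error 0, other-len 0.
    Binding the key name and the time is what makes an update non-replayable."""
    tsig_vars = (name_to_wire(keyname) + struct.pack("!HI", 255, 0)
                 + name_to_wire(alg) + struct.pack("!Q", when)[2:]
                 + struct.pack("!HHH", fudge, 0, 0))
    return hmac.new(secret, message + tsig_vars, ALGORITHMS[alg]).digest()

def verify(secret, message, keyname, alg, when, mac, now=None, fudge=300):
    """Server side: reject signatures outside the time window, then compare the
    recomputed MAC in constant time."""
    now = int(time.time()) if now is None else now
    if abs(now - when) > fudge:
        return False
    expected = tsig_mac(secret, message, keyname, alg, when, fudge)
    return hmac.compare_digest(expected, mac)

def demo():
    """Constructed key and the hello.westos.com update from the section above."""
    secret = secrets.token_bytes(32)
    key_clause = ('key westoskey { algorithm hmac-sha256; secret "%s"; };'
                  % base64.b64encode(secret).decode())       # the named.conf form
    msg = build_update("westos.com.", "hello.westos.com.", "172.25.254.111")
    when = int(time.time())
    args = ("westoskey.", "hmac-sha256.", when)
    mac = tsig_mac(secret, msg, *args)
    altered = msg[:-1] + bytes([msg[-1] ^ 1])     # last address octet changed in transit
    return {
        "key_clause": key_clause,
        "genuine": verify(secret, msg, *args, mac),
        "altered": verify(secret, altered, *args, mac),
        "replayed": verify(secret, msg, *args, mac, now=when + 3600),
    }

if __name__ == "__main__":
    print(demo())
```

The same base64 secret appears in three places on this page (the K*.key file, /etc/westos.key and the dhcpd.conf key clause); whoever holds it can rewrite the zone, so it deserves the same file permissions as /etc/rndc.key.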

11 Updating DNS from DHCP

Server side:

1 yum install dhcp -y   ### install DHCP ###

2 cp /usr/share/doc/dhcp-4.2.5/dhcpd.conf.example /etc/dhcp/dhcpd.conf   ### build the DHCP configuration file from the template ###

3 vim /etc/dhcp/dhcpd.conf

Contents:

option domain-name "westos.com";   ### domain name ###
option domain-name-servers 172.25.254.112;   ### DNS server ###

default-lease-time 600;
max-lease-time 7200;
ddns-update-style interim;   ### enable DHCP pushing its data to DNS ###
log-facility local7;
subnet 172.25.254.0 netmask 255.255.255.0 {
        range 172.25.254.180 172.25.254.190;   ### range of addresses handed out ###
        option routers 172.25.254.250;   ### gateway ###
}
key westoskey {
        algorithm hmac-md5;
        secret Af69mywNhRB8Vq88kiYpYw==;
};
zone westos.com. {
        primary 127.0.0.1;   ### the DNS server; DNS and DHCP are on the same host here, so using the loopback interface is more efficient ###
        key westoskey;
}

4 systemctl restart dhcpd

5 vim /etc/named.conf

6 systemctl restart named

Client side:

Test:

1 vim /etc/sysconfig/network-scripts/ifcfg-eth0

2 hostnamectl set-hostname helo.westos.com

3 vim /etc/resolv.conf

4 dig www.westos.com

Server side:

[root@server ~]# yum install dhcp -y
[root@server ~]# cp /usr/share/doc/dhcp-4.2.5/dhcpd.conf.example /etc/dhcp/dhcpd.conf
cp: overwrite '/etc/dhcp/dhcpd.conf'? y
[root@server ~]# vim /etc/dhcp/dhcpd.conf
[root@server ~]# cd /mnt/
[root@server mnt]# ls
Kwestoskey.+157+23921.key  Kwestoskey.+157+23921.private  westos.com.zone
[root@server mnt]# cat Kwestoskey.+157+23921.key
westoskey. IN KEY 512 3 157 Af69mywNhRB8Vq88kiYpYw==
[root@server mnt]# vim /etc/dhcp/dhcpd.conf
[root@server mnt]# systemctl restart dhcpd
[root@server mnt]# vim /etc/named.conf
[root@server mnt]# systemctl restart named

Client side:

[root@test ~]# hostname
test.westos.com
[root@test ~]# dig test.westos.com

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> test.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4253
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.westos.com.               IN      A

;; ANSWER SECTION:
test.westos.com.        300     IN      A       172.25.254.180

;; AUTHORITY SECTION:
westos.com.             86400   IN      NS      dns.westos.com.

;; ADDITIONAL SECTION:
dns.westos.com.         86400   IN      A       172.25.254.112

;; Query time: 0 msec
;; SERVER: 172.25.254.112#53(172.25.254.112)
;; WHEN: Sun May 07 22:31:20 EDT 2017
;; MSG SIZE  rcvd: 94

