Linux下搭建DNSServer的软件首选Bind,其有不同的版本,WindowDNS是从Bind4.x改进过来的,另外Bind8.x和Bind9.x从安全性及扩充性方面做了很多改进,为了实现对IPv6DNS的支持,采用Bindv9来实现,bind9.x提供IPv6socket的DNS查询,支持IPv6资源记录?关于Bind9.x的详细特性建议到Bind的Web站点查阅,Bind的最新版本可以到去下载?
#wget
#tar-xzfbind-9.2.1.tar.gz
#cdbind-9.2.1
#./configure-enable-ipv6-with-openssl
#make&&makeinstall
Bind软件安装后,会产生几个固有文件,分为两类?一类是配置文件在/etc目录下,一类是DNS记录文件在/var/named目录下?加上其他相关文件,共同设置DNS服务器?named.conf为默认的主配置文件(须手动建立),设置一般的named参数,指向该服务器使用的域数据库信息的源,这类源可以是本地磁盘文件或远程服务器?
named.ca:指向根域名服务器
named.1ocal:用于在本地转换回送地址
named.hosts:将主机名映射为IP地址
下面以笔者实验建立的纯IPv6实验网的域名secv6.your.domain为例说明如何配置支持AAAA及A6记录的IPv6域名服务器。
文件清单1/etc/named.conf
options...{
directory"/var/named";
//acachingonlynameserverconfig
zone"."IN...{
typehint;
file"named.ca";
};
//thisdefinestheloopbacknamelookup
zone"localhost"IN...{
typemaster;
file"master/localhost.zone";
allow-update...{none;};
};
//thisdefinestheloopbackreversenamelookup
zone"0.0.127.in-addr.arpa"IN...{
typemaster;
file"master/localhost.rev";
allow-update...{none;};
};
//Thisdefinesthesecv6domainnamelookup
//Secure(signed)zonefileis
//secv6.your.domain.signed
//Regularzonefileissecv6.your.domain
zone"secv6.your.domain"IN...{
typemaster;
file"master/secv6.your.domain.signed";
//file"master/secv6.your.domain";
};
//thisdefinesthesecv6domainreverse
//namelookup(AAAA)
zone"secv6.int"IN...{
typemaster;
file"master/secv6.int";
};
//thisdefinesthesecv6domainreverse
//namelookup(A6)
zone"secv6.arpa"IN...{
typemaster;
file"master/secv6.rev";
};
//secretkeytruncatedtofit
key"key"...{
algorithmhmac-md5;
secret"HxbmAnSO0quVxcxBDjmAmjrmhgDUVFcFNcfmHC";
};
文件清单2/var/named/master/secv6.your.domain
$TTL86400
$ORIGINsecv6.your.domain.
@INSOAsecv6.your.domain.hostmaster.your.domain.(
2002011442;Serialnumber(yyyymmdd-num)
3H;Refresh
15M;Retry
1W;Expire
1D);Minimum
INMX10noah.your.domain.
INNSns.secv6.your.domain.
$ORIGINsecv6.your.domain.
ns1DINAAAAfec0::1:250:b7ff:fe14:35d0
1DINA60fec0::1:250:b7ff:fe14:35d0
secv6.your.domain.1DINAAAAfec0::1:250:b7ff:fe14:35d01DINA60
fec0::1:250:b7ff:fe14:35d0
pc21DINAAAAfec0::1:250:b7ff:fe14:35d01DINA60
fec0::1:250:b7ff:fe14:35d0
pc31DINA60fec0::1:250:b9ff:fe00:1311DINAAAA
fec0::1:250:b9ff:fe00:131
pc61DINA60fec0::1:250:b7ff:fe14:36171DINAAAA
fec0::1:250:b7ff:fe14:3617
pc41DINA60fec0::1:250:b7ff:fe14:35c41DINAAAA
fec0::1:250:b7ff:fe14:35c4
pc51DINA60fec0::1:250:b7ff:fe14:361b1DINAAAA
fec0::1:250:b7ff:fe14:361b
pc71DINA60fec0::1:250:b7ff:fe14:365a1DINAAAA
fec0::1:250:b7ff:fe14:365a
pc11DINA60fec0::1:250:b9ff:fe00:12e1DINAAAA
fec0::1:250:b9ff:fe00:12e
pc11DINA60fec0:0:0:1::11DINAAAAfec0:0:0:1::1
$INCLUDE"/var/named/master/Ksecv6.your.domain.+003+27034.key"
Dnssec配置命令:
dnssec-keygen-aDSA-b768-nZONEsecv6.your.domain
dnssec-signzone-osecv6.your.domainsecv6.your.domain
说明:DNSSEC主要依靠公钥技术对于包含在DNS中的信息创建密码签名。密码签名通过计算出一个密码hash数来提供DNS中数据的完整性,并将该hash数封装进行保护。私/公钥对中的私钥用来封装hash数,然后可以用公钥把hash数译出来。如果这个译出的hash值匹配接收者刚刚计算出来的hash树,那么表明数据是完整的。不管译出来的hash数和计算出来的hash数是否匹配,对于密码签名这种认证方式都是绝对正确的,因为公钥仅仅用于解密合法的hash数,所以只有拥有私钥的拥有者可以加密这些信息。
文件清单3var/named/master/localhost.zone
//localhost.zoneAllowsforlocalcommunications
//usingtheloopbackinterface
$TTL86400
$ORIGINlocalhost.
@1DINSOA@root(
42;serial(d.adams)
3H;refresh
15M;retry
1W;expire
1D);minimum
1DINNS@
1DINA127.0.0.1
文件清单4/var/named/master/localhost.rev
//localhost.revDefinesreverseDNSlookupon
//loopbackinterface
$TTL86400
$ORIGIN0.0.127.in-addr.arpa.
@INSOA0.0.127.in-addr.arpa.hostmaster.secv6.your.domain.(
42;Serialnumber(d.adams)
3H;Refresh
15M;Retry
1W;Expire
1D);Minimum
NSns.secv6.your.domain.
MX10noah.ip6.your.domain.
PTRlocalhost.
文件清单5/var/named/master/secv6.rev
//secv6.revDefinesreverselookupforsecv6
//domaininA6format
$TTL86400