[root@hat3 ~]# cat /etc/redhat-release
CentOS release 5.4 (Final)
9.7からこんなオプションができたんだ。。
managed-keys オプション
For BIND 9.7 and later versions, using a managed-key allows automatic tracking of the key using a protocol known as RFC-5011.
https://www.isc.org/software/bind/new-features/9.7
The new managed-keys statement provides named with trusted keys which are automatically kept up to date using RFC 5011. It differs from the trusted-keys statement by an additional field (the second field) containing the initial-key keyword, which means the key is only used the first time; after that, named stores the keys in a managed-keys database.
[root@hat3 ~]# /usr/local/sbin/named -v
BIND 9.7.1-P2
適当な手段で鍵を登録（検証用なので dig で取ってきた値をそのまま使うが、本番では initial-key に入れるトラストアンカーは帯域外で入手・照合した値を使うべき）。
[root@hat3 ~]# dig @127.1 . dnskey | grep 257 > dnskey
[root@hat3 ~]# cat dnskey
. 86056 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
[root@hat3 ~]# cat /etc/named.conf
options {
directory "/var/named";
max-cache-size 10M;
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
};
zone "." in {
type hint;
file "named.ca";
};
key "rndckey" {
algorithm hmac-md5;
secret "3dpawGP95zWKVzj8SDhX1w==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndckey"; };
};
managed-keys {
"." initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=";
};
[root@hat3 ~]#
[root@hat3 ~]# /usr/local/sbin/named
パーミッションのエラーが。
hat3 named[10171]: could not open file '/var/run/named/named.pid': Permission denied
hat3 named[10171]: could not open file '/var/run/named/session.key': Permission denied
hat3 named[10171]: could not create /var/run/named/session.key
named.pid , session.key の保存場所を変更
[root@hat3 ~]# egrep '(pid|session)' /etc/named.conf
pid-file "/var/named/named.pid";
session-keyfile "/var/named/session.key";
[root@hat3 ~]# /usr/local/sbin/named
ワーキングディレクトリ ( /var/named ) に managed* と session.key ができた。
[root@hat3 named]# pwd
/var/named
[root@hat3 named]#
[root@hat3 named]# ls
managed-keys.bind managed-keys.bind.jnl named.ca named.pid session.key
[root@hat3 named]#
managed* は named stores keys in a managed keys database. のことかな。
[root@hat3 named]# cat managed-keys.bind
$ORIGIN .
$TTL 0 ; 0 seconds
@ IN SOA . . (
2 ; serial
0 ; refresh (0 seconds)
0 ; retry (0 seconds)
0 ; expire (0 seconds)
0 ; minimum (0 seconds)
)
KEYDATA 20100813181024 20100813061024 19700101000000 257 3 8 (
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
) ; key id = 19036
[root@hat3 named]#
[root@hat3 named]# cat managed-keys.bind.jnl
;BIND LOG V9
8[root@hat3 named]#
session.key は DDNS 用っぽい。
Simplified configuration of Dynamic DNS
For easier automatic re-signing, you just need to have the zone be dynamic and have the keys accessible.
The update-policy zone option has been extended to add a local setting to enable Dynamic DNS for a zone. named will generate a TSIG session key known as local-ddns at startup which will be used for these updates. The session key file defaults to /var/run/named/session.key or can be defined using the session-keyfile option.
[root@hat3 named]# cat session.key
key "local-ddns" {
algorithm hmac-sha256;
secret "kD4PsVav+kw3X/vOyEeLZnfCQQjeEE0q/wMERmD+X2M=";
};
[root@hat3 named]#
適当に時間が経過して 鍵のアップデートが必要になったら、鍵更新を自動でしてくれるのかなー。
うーん、BIND 9.7 さわってないのでチェックせねば。。。
RFC5011でググったら、こんなコメントが。ふーん。
http://jpinfo.jp/mail/backnumber/event/0082.html
Trust AnchorとはDNSSECによる検証を行う場合に最初の手がかりとなる情報であり、DNSSECによる名前検証を行うにあたり、必須となるものです。DNSSECの仕様では、Trusted AnchorがすべてのDNSキャッシュサーバに設定され、かつ適切な間隔で更新され続ける必要があります。Trusted Anchorの更新を自動的に行うためのプロトコル仕様は、RFC 5011により規定されています。しかし、RFC 5011で規定されているのは自動更新のプロトコル仕様のみであり、実際のインターネットにおいて自動更新を具体的にどのように運用するかについては規定されていません。
CentOS release 5.4 (Final)
9.7からこんなオプションができたんだ。。
managed-keys オプション
For BIND 9.7 and later versions, using a managed-key allows automatic tracking of the key using a protocol known as RFC-5011.
https://www.isc.org/software/bind/new-features/9.7
Automated trust anchor maintenance for DNSSEC (RFC 5011)
RFC 5011, Automated Updates of DNS Security (DNSSEC) Trust Anchors, documents a method for automated, authenticated, and authorized updating of DNSSEC "trust anchors", especially for the use of multiple islands of trust. The new managed-keys statement provides named with trusted keys which are automatically kept up to date using RFC 5011. It differs from the trusted-keys statement by an additional field (the second field) containing the initial-key keyword, which means the key is only used the first time; after that, named stores the keys in a managed-keys database.
[root@hat3 ~]# /usr/local/sbin/named -v
BIND 9.7.1-P2
適当な手段で鍵を登録（検証用なので dig で取ってきた値をそのまま使うが、本番では initial-key に入れるトラストアンカーは帯域外で入手・照合した値を使うべき）。
[root@hat3 ~]# dig @127.1 . dnskey | grep 257 > dnskey
[root@hat3 ~]# cat dnskey
. 86056 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
[root@hat3 ~]# cat /etc/named.conf
options {
directory "/var/named";
max-cache-size 10M;
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
};
zone "." in {
type hint;
file "named.ca";
};
key "rndckey" {
algorithm hmac-md5;
secret "3dpawGP95zWKVzj8SDhX1w==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndckey"; };
};
managed-keys {
"." initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=";
};
[root@hat3 ~]#
[root@hat3 ~]# /usr/local/sbin/named
パーミッションのエラーが。
hat3 named[10171]: could not open file '/var/run/named/named.pid': Permission denied
hat3 named[10171]: could not open file '/var/run/named/session.key': Permission denied
hat3 named[10171]: could not create /var/run/named/session.key
named.pid , session.key の保存場所を変更
[root@hat3 ~]# egrep '(pid|session)' /etc/named.conf
pid-file "/var/named/named.pid";
session-keyfile "/var/named/session.key";
[root@hat3 ~]# /usr/local/sbin/named
ワーキングディレクトリ ( /var/named ) に managed* と session.key ができた。
[root@hat3 named]# pwd
/var/named
[root@hat3 named]#
[root@hat3 named]# ls
managed-keys.bind managed-keys.bind.jnl named.ca named.pid session.key
[root@hat3 named]#
managed* は named stores keys in a managed keys database. のことかな。
[root@hat3 named]# cat managed-keys.bind
$ORIGIN .
$TTL 0 ; 0 seconds
@ IN SOA . . (
2 ; serial
0 ; refresh (0 seconds)
0 ; retry (0 seconds)
0 ; expire (0 seconds)
0 ; minimum (0 seconds)
)
KEYDATA 20100813181024 20100813061024 19700101000000 257 3 8 (
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
) ; key id = 19036
[root@hat3 named]#
[root@hat3 named]# cat managed-keys.bind.jnl
;BIND LOG V9
8[root@hat3 named]#
session.key は DDNS 用っぽい。
Simplified configuration of Dynamic DNS
For easier automatic re-signing, you just need to have the zone be dynamic and have the keys accessible.
The update-policy zone option has been extended to add a local setting to enable Dynamic DNS for a zone. named will generate a TSIG session key known as local-ddns at startup which will be used for these updates. The session key file defaults to /var/run/named/session.key or can be defined using the session-keyfile option.
[root@hat3 named]# cat session.key
key "local-ddns" {
algorithm hmac-sha256;
secret "kD4PsVav+kw3X/vOyEeLZnfCQQjeEE0q/wMERmD+X2M=";
};
[root@hat3 named]#
適当に時間が経過して 鍵のアップデートが必要になったら、鍵更新を自動でしてくれるのかなー。
うーん、BIND 9.7 さわってないのでチェックせねば。。。
RFC5011でググったら、こんなコメントが。ふーん。
http://jpinfo.jp/mail/backnumber/event/0082.html
Trust AnchorとはDNSSECによる検証を行う場合に最初の手がかりとなる情報であり、DNSSECによる名前検証を行うにあたり、必須となるものです。DNSSECの仕様では、Trusted AnchorがすべてのDNSキャッシュサーバに設定され、かつ適切な間隔で更新され続ける必要があります。Trusted Anchorの更新を自動的に行うためのプロトコル仕様は、RFC 5011により規定されています。しかし、RFC 5011で規定されているのは自動更新のプロトコル仕様のみであり、実際のインターネットにおいて自動更新を具体的にどのように運用するかについては規定されていません。