April 21, 2013
 

Note: enabling DNSSEC only lets the resolver verify that DNS records have not been tampered with; it does not encrypt the DNS queries themselves. If you need encrypted DNS lookups you still need a tool such as DNSCrypt from OpenDNS:
http://www.opendns.com/technology/dnscrypt/ and http://dnscrypt.org/

1. Obtaining the trust anchor
A trust anchor is the DNSSEC equivalent of a root certificate: it is the key everything else is validated against. unbound-anchor can create and update it. The command below downloads the trust anchor and checks it at once; that check uses the ICANN certificate built into unbound-anchor, so if you do not want to take that built-in copy on faith you should also check the tool itself, for example by inspecting what unbound-anchor -l prints and by verifying the source you built from (distribution source packages are normally checksummed, so they can be taken as fine).

On Ubuntu, root.key normally lives at /var/lib/unbound/root.key:
$ sudo -u unbound unbound-anchor -a "/var/lib/unbound/root.key"
If everything is in order the command prints nothing. Do not read its exit status as success or failure, though: unbound-anchor exits 0 when the existing anchor was already fine and 1 when it created or updated the file.

If the root.key path is wrong you do get an error. For example, when I first ran the command from /etc/unbound/ without -a, it failed like this:
:/etc/unbound$ sudo -u unbound unbound-anchor
libunbound[3186:0] error: unable to open /etc/unbound/root.key for reading: No such file or directory
libunbound[3186:0] error: error reading auto-trust-anchor-file: /etc/unbound/root.key
libunbound[3186:0] error: validator: error in trustanchors config
libunbound[3186:0] error: validator: could not apply configuration settings.
libunbound[3186:0] error: module init for module validator failed

The unbound-anchor tool only provides a convenient starting value. You should obtain and verify the root trust anchor yourself (this part follows http://unbound.net/documentation/howto_anchor.html, whose text is reproduced under the terms of its LICENSE).

The root trust anchor can be fetched from IANA over HTTPS as root-anchors.xml:
Download URL: https://data.iana.org/root-anchors/root-anchors.xml
Its contents look like this:

<TrustAnchor id="AD42165F-3B1A-4778-8F42-D34A1D41FD93" source="https://data.iana.org/root-anchors/root-anchors.xml">
  <Zone>.</Zone>
  <KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00">
    <KeyTag>19036</KeyTag>
    <Algorithm>8</Algorithm>
    <DigestType>2</DigestType>
    <Digest>
      49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
    </Digest>
  </KeyDigest>
</TrustAnchor>

Then append the values above, in the format below (KeyTag, Algorithm, DigestType, Digest, in that order), as the last line of /var/lib/unbound/root.key:
. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
When editing root.key use sudo -u unbound nano /var/lib/unbound/root.key so the file stays owned by the unbound user. Two caveats: the HTTPS download authenticates IANA's web server, not the anchor itself, so also verify IANA's detached signature over the XML (root-anchors.p7s, published alongside it) before trusting the values; and the key tag and digest shown here are the 2010 root KSK as published in April 2013. The root KSK was rolled in October 2018, so take the values from the root-anchors.xml you actually downloaded, never from this post.

2. Enabling it in unbound
To make unbound validate DNSSEC, add one line to the server: section of unbound.conf, pointing at the root.key created above (use the same path you gave to unbound-anchor; /usr/local/etc/unbound/root.key is only right for a from-source install):
auto-trust-anchor-file: "/var/lib/unbound/root.key"
Then restart unbound. The file must stay writable by the unbound user: with auto-trust-anchor-file, unbound tracks root KSK changes (RFC 5011) and rewrites the file itself.
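Steps 1 and 2 done as a script, as an added example that is not part of the original post or of unbound's own tooling: it converts root-anchors.xml into the DS line(s) root.key needs and prints the matching unbound.conf option. The sample XML embedded in it is the one quoted above plus a second, hypothetical KeyDigest (tag 12345, all-zero digest) added only to show that the script copes with an XML listing more than one key, as IANA's does during a root KSK rollover. The openssl command in the comments is how IANA's detached signature is checked; it needs the network and is not run by the script.

```sh
#!/bin/sh
# Added example (not code from the original post or from the unbound project):
# build unbound's root.key from IANA's root-anchors.xml instead of retyping
# the digest by hand. One "DS" line is emitted per <KeyDigest> element, so the
# same script copes with an XML that lists two keys, as it does around a root
# KSK rollover. Assumes POSIX sh and awk; no network access is needed.

# Constructed sample input: the root-anchors.xml quoted in the post, plus a
# second, HYPOTHETICAL KeyDigest (tag 12345, all-zero digest) that exists only
# to exercise the multi-key case. Real runs use the file downloaded from IANA.
SAMPLE_XML='<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="AD42165F-3B1A-4778-8F42-D34A1D41FD93" source="https://data.iana.org/root-anchors/root-anchors.xml">
  <Zone>.</Zone>
  <KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00">
    <KeyTag>19036</KeyTag>
    <Algorithm>8</Algorithm>
    <DigestType>2</DigestType>
    <Digest>
      49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
    </Digest>
  </KeyDigest>
  <KeyDigest id="Hypothetical" validFrom="2013-04-21T00:00:00+00:00">
    <KeyTag>12345</KeyTag>
    <Algorithm>8</Algorithm>
    <DigestType>2</DigestType>
    <Digest>0000000000000000000000000000000000000000000000000000000000000000</Digest>
  </KeyDigest>
</TrustAnchor>'

# anchors_to_ds FILE: print one ". IN DS <tag> <alg> <digesttype> <digest>"
# line per KeyDigest, which is the format unbound accepts in root.key.
anchors_to_ds() {
    awk '
        # strip the surrounding tag and whitespace from a one-line element
        function val(s) { sub(/^[^>]*>/, "", s); sub(/<.*$/, "", s); gsub(/[[:space:]]/, "", s); return s }
        /<KeyTag>/     { tag = val($0) }
        /<Algorithm>/  { alg = val($0) }
        /<DigestType>/ { dt  = val($0) }
        /<Digest>/     { indigest = 1; d = ""; sub(/.*<Digest>/, "") }   # keep what follows the tag
        indigest {
            line = $0
            done = (line ~ /<\/Digest>/)          # closing tag may sit on its own line
            sub(/<\/Digest>.*/, "", line)
            gsub(/[[:space:]]/, "", line)
            d = d line
            if (done) {
                indigest = 0
                printf ". IN DS %s %s %s %s\n", tag, alg, dt, toupper(d)
            }
        }
    ' "$1"
}

# write_root_key XML DEST: write the DS lines to DEST and print the one
# server: option needed in unbound.conf. DEST must be writable by the user
# unbound runs as, because auto-trust-anchor-file is rewritten in place
# (RFC 5011 tracking) once unbound is running.
write_root_key() {
    anchors_to_ds "$1" > "$2"
    printf 'server:\n    auto-trust-anchor-file: "%s"\n' "$2"
}

# Authenticate the XML before trusting it. IANA publishes a detached CMS
# signature (root-anchors.p7s) and the ICANN CA bundle (icannbundle.pem) next
# to the XML. The check is (network, not run here; confirm against IANA's
# current instructions):
#   openssl smime -verify -inform DER -in root-anchors.p7s \
#       -content root-anchors.xml -CAfile icannbundle.pem

# Demo on the constructed sample (writes to temp files, not to /var/lib).
xml=$(mktemp); key=$(mktemp)
printf '%s\n' "$SAMPLE_XML" > "$xml"
write_root_key "$xml" "$key"
echo "--- contents of $key:"; cat "$key"
rm -f "$xml" "$key"
```

On a real system run write_root_key against the downloaded and signature-checked XML with /var/lib/unbound/root.key as the destination (as the unbound user), then paste the printed option into unbound.conf and restart unbound.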

3. Checking that it works (method one)
dig com. SOA +dnssec should show a validated answer, visible as the ad (authenticated data) flag in the header:

$ dig com. SOA +dnssec

; <<>> DiG 9.8.1-P1 <<>> com. SOA +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<-
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;com. IN SOA

;; ANSWER SECTION:
com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1366543272 1800 900 604800 86400
com. 900 IN RRSIG SOA 8 1 900 20130428112112 20130421101112 35519 com. cfaBU/Ygqt5ATC8Wn94c9ILZQcw1kYWkcTKDgHnVOSvSU5n+WBJoVO08 3jwDABVVLx5VUON+uygspq10YWW5PBy7HdCeRNLJ1QK4qyWtPVICHkIv HugvKEEAwYAP6kZPcI/Ogi0J1O80fA2hNZ65Wrhm8ZG5hScOariNqXz7 V7s=

;; AUTHORITY SECTION:
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN RRSIG NS 8 1 172800 20130428041929 20130421030929 35519 com. uIBGqbhLKX4AyXiZuHWEq2csMba1STfqGca7ta9OB5VItaGEYhCf5NB9 fG5GHjtZGO8tQSKcqs4qifT+cVkjoVkqmU+03n1uwK8QgJ6R18cTU78L khMtqtYaqiWjalrSuQCH5B6Tq549neGWC9H284ICGRU62jSdc16oNHIj F5A=

;; Query time: 3949 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Apr 21 19:21:33 2013
;; MSG SIZE rcvd: 637
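The ad-flag check above, turned into a small script so it can be repeated for many zones; this is an added example, not code from the original post or from unbound. It classifies dig output as secure, insecure or bogus, and shows the +cd trick that tells a validation failure apart from an upstream outage. The sample headers embedded in it are taken from the dig outputs in the comments below (net. with ad, cn. without) plus one constructed SERVFAIL header; dnssec-failed.org, used by the live probe, is a publicly operated zone with deliberately broken signatures, and the probe itself needs the network and is not run by the script.

```sh
#!/bin/sh
# Added example (not code from the original post or from the unbound project):
# read the "ad" flag and the status out of dig output and classify the answer
# as secure, insecure or bogus, instead of eyeballing the header. Assumes
# POSIX sh and sed; the live probe additionally needs dig on PATH and unbound
# listening on 127.0.0.1.
#
# Caveat: "ad" is the resolver's claim that it validated the data. It only
# means something if the path between you and the resolver is trusted (here,
# the loopback interface) and your query did not set the CD bit.

# dnssec_status: reads dig output on stdin and prints exactly one word.
#   secure   - NOERROR/NXDOMAIN with the ad flag set (validated chain)
#   insecure - NOERROR/NXDOMAIN without ad (unsigned zone, or validation skipped)
#   bogus    - SERVFAIL, what a validating resolver returns when signatures fail
dnssec_status() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/.*;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        SERVFAIL)         echo bogus; return 0 ;;
        NOERROR|NXDOMAIN) ;;
        *)                echo "error:${status:-no-answer}"; return 1 ;;
    esac
    case " $flags " in
        *" ad "*) echo secure ;;
        *)        echo insecure ;;
    esac
}

# probe_zone NAME: live check (network; not part of the offline demo).
# A zone with deliberately broken signatures is the real test of a validator:
# without +cd unbound must SERVFAIL it, and the same query with +cd (checking
# disabled) must return data, which proves the SERVFAIL came from validation
# and not from an unreachable upstream. With +cd no validation happens, so
# the script reports the answer as "insecure". dnssec-failed.org is a publicly
# operated zone of that kind; substitute another if it has gone away.
probe_zone() {
    name=${1:-dnssec-failed.org}
    printf '%-24s no +cd  : ' "$name"; dig @127.0.0.1 "$name" A +dnssec     | dnssec_status
    printf '%-24s with +cd: ' "$name"; dig @127.0.0.1 "$name" A +dnssec +cd | dnssec_status
}

# Constructed sample headers. The first two are copied from the dig outputs
# in the comments on this page (net. with ad, cn. without); the SERVFAIL one
# is made up, with a hypothetical query id, to show the bogus case.
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 581
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 1'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29226
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Offline demo: classify the three samples (secure, insecure, bogus).
for s in "$SAMPLE_SECURE" "$SAMPLE_INSECURE" "$SAMPLE_BOGUS"; do
    printf '%s\n' "$s" | dnssec_status
done
```

After restarting unbound, call probe_zone with no argument: the first line should read bogus and the second insecure. Repeat with a correctly signed zone (for example com. as above) and both lines should read secure and insecure respectively, the second because +cd switches validation off. If the first line says insecure for dnssec-failed.org, the resolver is not validating at all and the trust anchor or the auto-trust-anchor-file option needs another look.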

4. Checking that it works (method two)

You can also test from a browser at http://dnssectest.sidn.nl/.

Many US federal government sites already have DNSSEC enabled, but until the caching resolvers most people use, and far more commercial sites, support it, turning it on does not improve security much.

  5 comments on "Enabling DNSSEC in unbound: how do you configure it?"

  1. $ dig net. SOA +dnssec

    ; <<>> DiG 9.8.1-P1 <<>> net. SOA +dnssec
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 581
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;net. IN SOA

    ;; ANSWER SECTION:
    net. 895 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1366543871 1800 900 604800 86400
    net. 895 IN RRSIG SOA 8 1 900 20130428113111 20130421102111 3317 net. Vec+vlIetKuh0c0MKNmLcZYBE04SvVXKj6gwhFqD4+n9wDyF4jzkAh4l A/kNJFn+HAwEeGosyss2YNtxt94I+apUVLX0tWdoS6FrlQDpidActeKk lK3mEB2I9o1niZHEyRWhMg22SdYrILmqCbTkztJeu3oyrfjHjkmJd/fk SsI=

    ;; AUTHORITY SECTION:
    net. 172795 IN NS i.gtld-servers.net.
    net. 172795 IN NS f.gtld-servers.net.
    net. 172795 IN NS g.gtld-servers.net.
    net. 172795 IN NS m.gtld-servers.net.
    net. 172795 IN NS a.gtld-servers.net.
    net. 172795 IN NS b.gtld-servers.net.
    net. 172795 IN NS j.gtld-servers.net.
    net. 172795 IN NS e.gtld-servers.net.
    net. 172795 IN NS k.gtld-servers.net.
    net. 172795 IN NS h.gtld-servers.net.
    net. 172795 IN NS c.gtld-servers.net.
    net. 172795 IN NS l.gtld-servers.net.
    net. 172795 IN NS d.gtld-servers.net.
    net. 172795 IN RRSIG NS 8 1 172800 20130426041528 20130419030528 3317 net. LoVPAV6Y2DA29LKvyJK73Fpm7XzH2K2fsDzcu6GB3HZhp1KNHXhyDYKP P5DzW/mgnKmsgjek7lXRIoFR7pOLj/PX3BcBt8/rz0tWUKILzDewnv5f pQL68T6q2bvrnvjehD74hFE/J4oWmoEhBXVDu7B1kbu5iiySv+eWrn12 Be8=

    ;; Query time: 2 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Sun Apr 21 19:31:39 2013
    ;; MSG SIZE rcvd: 637

  2. $ dig org. SOA +dnssec

    ; <<>> DiG 9.8.1-P1 <<>> org. SOA +dnssec
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13429
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;org. IN SOA

    ;; ANSWER SECTION:
    org. 797 IN SOA a0.org.afilias-nst.info. noc.afilias-nst.info. 2010490890 1800 900 604800 86400
    org. 797 IN RRSIG SOA 7 1 900 20130512113011 20130421103011 31380 org. VOZTX2VuQukGBstVQoao4l15TNqeCLO8FM61jkHfxifdoRJ4ATIe2E5w cTogb0rdSc5HeqymUVGgviZ4rgx6t5gxRrIA+qX4LzCan8l+hgJ4D/ML YcnG74Cj5YsdqRe2YyA09GL6eaWS/XxAhaajDiU7FgwB+H1/WfzTTZz7 xDU=

    ;; AUTHORITY SECTION:
    org. 86297 IN NS a0.org.afilias-nst.info.
    org. 86297 IN NS b2.org.afilias-nst.org.
    org. 86297 IN NS c0.org.afilias-nst.info.
    org. 86297 IN NS d0.org.afilias-nst.org.
    org. 86297 IN NS a2.org.afilias-nst.info.
    org. 86297 IN NS b0.org.afilias-nst.org.
    org. 86297 IN RRSIG NS 7 1 86400 20130508155535 20130417145535 31380 org. W6hg2NbLAd4fpXwOZ22B580xFvBhx6B/mMhwW22MJYW/Kqt47Zu3QTw8 uPqJHZTJVCVzA67gvuwbhm39eLjeewNQNH6z9rcUlFdRWHMGZDxxE3Hs C3r0M4rEQczUpY7sWnyqcDxgJ/bmO3oG/H6y2tpMIb6lOIxzvCSFQnZy Lss=

    ;; Query time: 1 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Sun Apr 21 19:32:36 2013
    ;; MSG SIZE rcvd: 536

  3. $ dig cn. SOA +dnssec

    ; <<>> DiG 9.8.1-P1 <<>> cn. SOA +dnssec
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29226
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;cn. IN SOA

    ;; ANSWER SECTION:
    cn. 21535 IN SOA a.dns.cn. root.cnnic.cn. 2014240883 7200 3600 2419200 21600

    ;; AUTHORITY SECTION:
    cn. 21535 IN NS e.dns.cn.
    cn. 21535 IN NS ns.cernet.net.
    cn. 21535 IN NS a.dns.cn.
    cn. 21535 IN NS b.dns.cn.
    cn. 21535 IN NS c.dns.cn.
    cn. 21535 IN NS d.dns.cn.

    ;; Query time: 1 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Sun Apr 21 19:32:23 2013
    ;; MSG SIZE rcvd: 189

  4. $ dig +dnssec www.unbound.net

    ; <<>> DiG 9.8.1-P1 <<>> +dnssec www.unbound.net
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46429
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;www.unbound.net. IN A

    ;; ANSWER SECTION:
    www.unbound.net. 7084 IN A 213.154.224.1
    www.unbound.net. 7084 IN A 213.248.242.16
    http://www.unbound.net. 7084 IN RRSIG A 8 3 7200 20130513005007 20130415005007 33999 unbound.net. bDXcOJH4QmH6DP12Y/RzoHLufUHcBePl00wRZ0I8X24zLMMXt1Pbq6YO Qc+CywEdCsevhuIyVCGnZqlHCRWHBfJOrfmq3otiCHA5uaWyabs+e1PL 2uOYVk5BrX+A81cQ3o5fj6SvP7FgUaleyxjRK8DiGEBBBewUpGmvYUwW cmo=

    ;; AUTHORITY SECTION:
    unbound.net. 7074 IN NS ns.secret-wg.org.
    unbound.net. 7074 IN NS open.nlnetlabs.nl.
    unbound.net. 7074 IN NS mcvax.nlnet.nl.
    unbound.net. 7074 IN NS nom-ns1.nominet.org.uk.
    unbound.net. 7074 IN RRSIG NS 8 2 7200 20130513005007 20130415005007 33999 unbound.net. nVVMAEpQOObZ0xL40qoDL8XOCWEvqgn96nJbhYVM4GmlmPLopKuuflsr gYfQOPnu0ccD75pIJ9qXLtoSsw6bvvqdzT7MxkIGpQ9NV4jigJRJ83yk TNbuFH4MBGCJMf1vT/85NHEmjN5SdQGe4xZ7echA2Ze6GThUQTMQXcGU tjE=

    ;; Query time: 1 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Sun Apr 21 20:00:46 2013
    ;; MSG SIZE rcvd: 541

  5. $ dig +dnssec www.iana.org

    ; <<>> DiG 9.8.1-P1 <<>> +dnssec www.iana.org
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59424
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;www.iana.org. IN A

    ;; ANSWER SECTION:
    www.iana.org. 585 IN CNAME ianawww.vip.icann.org.
    www.iana.org. 585 IN RRSIG CNAME 8 3 600 20130428150042 20130421082520 7273 iana.org. pJ7H6Sxl9XKFvaHLogouVay3myKTVETzZct+7bT8VPoqYS5HizS62POO Pkxs1jYUlxJBSnkp8FkxIwkBICz8G8OEUeR2PGfKWCr67WuwA1jcv/LI wmigcNBh9n9koUpIoZ2exiPe7Yy6AcdifZbJmtSwpNLR+GSPmd10BGuC Ioo=
    ianawww.vip.icann.org. 18 IN A 192.0.32.8
    ianawww.vip.icann.org. 18 IN RRSIG A 7 4 30 20130426041644 20130419041644 31004 vip.icann.org. osBM3CoV6io4dWqzTaJu8Us3h67p5qOlHLwRZ/f37df+3mGtXzcPyjY7 nNN49iAQ59k+oG5XGa0E5A1Q92sKUDdqyOGM+SkH3QEQ5ymUSuHzBu/H 8eFCgt1DEdlBMjiGTxDX5vAk8cUoPBTCC/oDa4h8oa54VoRaZ8f5c5bV mnA=

    ;; Query time: 1 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Sun Apr 21 20:18:59 2013
    ;; MSG SIZE rcvd: 430
