잉여토끼 2024. 12. 10. 17:57

 

전자서명을 서명자의 공개키로 복호화한 값과 원본 데이터를 직접 해시한 값이 일치하는지 확인하여, 무결성(데이터가 변조되지 않았음)과 출처(해당 개인키 소유자가 서명했음)를 검증한다. DNSSEC에서는 이 역할을 RRSIG 레코드(서명)와 DNSKEY 레코드(공개키)가 담당한다.

 

DNSSEC: 권한(authoritative) DNS 서버가 존 데이터에 전자서명을 붙여, 질의하는 리졸버(캐시 서버)가 응답의 출처와 무결성을 검증하고 위변조(캐시 포이즈닝 등)를 탐지할 수 있게 하는 방법. 데이터를 암호화(기밀성 보장)하지는 않으며, DNS 서버와 DNS 서버 간 존 전송(AXFR/IXFR)의 인증은 DNSSEC이 아니라 TSIG으로 처리한다.

 

 

zone 키 생성 

zsk(zone 서명 키) -- 공개키 / 비밀키. 존의 각 레코드 집합(RRset)에 서명(RRSIG)한다. zsk/ksk의 공개키는 DNSKEY 레코드로 존 파일에 반영하여 외부에 배포하고, ksk 공개키의 해시값은 DS 레코드로 상위(부모) 존에 등록하여 신뢰 체인을 만든다.

ksk (key 서명 키) -- 공개키 / 비밀키. 존의 DNSKEY RRset에만 서명하며, 이 키의 DS가 상위 존에 등록되므로 교체 주기가 길고 가장 엄격하게 보호해야 한다.

 

public key 존 반영

개인키

 

 zone 서명

dnssec-signzone (zsk/ksk 개인키로 존 파일에 서명됨)

kaya.com.zone.signed

 

Name Server에 Zone 반영

스마트 서명(smart signing) : bind의 서명 도구 dnssec-signzone의 -S 옵션. key-directory(-K)에서 키 파일을 자동으로 찾아 DNSKEY 레코드 추가와 서명을 처리한다.

public key 존 반영 : -S(스마트 서명)를 쓰면 공개키를 $INCLUDE로 존에 반영하는 절차 없이 서명 처리가 가능하다.

 

설정

1. zone key 생성

dnssec-keygen -a RSASHA256 -b 1024 -n zone kaya.com

[root@rocky-9 named]# dnssec-keygen -a RSASHA256 -b 1024 -n zone kaya.com
Generating key pair................................++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ..++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Kkaya.com.+008+42928

Kkaya.com.+008+42928.key : zsk 공개키

Kkaya.com.+008+42928.private : zsk 비밀키 (같은 키 쌍 42928의 개인키. 존 파일에 포함하거나 외부에 배포하면 안 되며, 파일 권한은 소유자만 읽을 수 있게 제한한다)

 

dnssec-keygen -a RSASHA256 -b 2048 -n zone -f KSK kaya.com

[root@rocky-9 named]# dnssec-keygen -a RSASHA256 -b 2048 -n zone -f KSK kaya.com
Generating key pair...+.+......+........+.+.........+.....+.+...+.....+...+...+......+.........+......+.+..+...............+...+....+........+.+.....+.+.....+....+...........+.........+.+...+...+..+.............+...+...........+++++++++++++++++++++++++++++++++++++++*.....+...+...............+.......+...+...........+++++++++++++++++++++++++++++++++++++++*.+....+...........+......+.........+.+............+...+........+.........+.+......+.....+......+....+...........+...+.+....................+...+.+...........+.+.....+..........+..............+...+.+.........+...........+.+........+.......+..............+.+........+..........+..+..........+.........+.....+....+...+..............+....+.....+...............+......+....+......+......+.....+............+......+.+...+........+.......+...+.......................+.+.........+..+...+.+.....+.+...+............+..+.+..+.......+..+...+......+.+......+........+.........................+..+....+........+..........+...+.........+......+..+.......+...+...+..+..........+..+....++++++ .+..+...+++++++++++++++++++++++++++++++++++++++*....+...+...........+.+++++++++++++++++++++++++++++++++++++++*............+..+.......+..+.........+.+......+.....+...+................+...+.....++++++
Kkaya.com.+008+41476

Kkaya.com.+008+41476.key : ksk 공개키

Kkaya.com.+008+41476.private : ksk 비밀키 (키 쌍 41476의 개인키. 상위 존에 등록되는 DS의 신뢰 근원이므로 가장 엄격하게 보호한다)

 

2. zone파일에 내용 추가 

$INCLUDE "/var/named/Kkaya.com.+008+42928.private "

$INCLUDE "/var/named/Kkaya.com.+008+41476.private "

 

3. 기존 zone 파일을 ksk(-k)와 zsk로 서명한다.

dnssec-signzone -k Kkaya.com.+008+41476.key -o kaya.com.zone Kkaya.com.+008+42928.key

 

signed파일생성됨

리졸버는 존에 공개된 DNSKEY(공개키)로 각 RRSIG를 검증하여 무결성을 확인한다. RRSIG의 두 타임스탬프(만료 20250109…, 시작 20241210…)는 서명 유효 기간이며, 만료 전에 재서명하지 않으면 검증하는 리졸버에서 해당 존 응답이 SERVFAIL로 거부된다.

 

cat kaya.com.zone.signed

w22.kaya.com.           86400   IN A    172.16.20.3
                        86400   RRSIG   A 8 3 86400 (
                                        20250109072822 20241210072822 42928 kaya.com.
                                        BM5cyoNpfbF+uNDRRjfZMzchg2V9Jzi+CArx
                                        gzv0f+6gPyH8A73bShBoVBNddTTxQrLoKkAP
                                        e1GiBUY749Ln6ugiJZm0efVKGuJst2psAjHG
                                        DXUJv6izf/FY23UOb56MJCH7+ASn0Sf8PkXO
                                        n+oCkA9wiCRDFpQxA5YLK5K76vs= )
                        10800   NSEC    kaya.com. A RRSIG NSEC
                        10800   RRSIG   NSEC 8 3 10800 (
                                        20250109072822 20241210072822 42928 kaya.com.
                                        S7UugYAftNSwpGHIkWePkO05jd0+UGnwlOq2
                                        7VylsZcqDHMUh2JPMRlomq1USWmtdvvOkCWY
                                        o4N8txBKbjO8X77mC74A7my9+gPPQ5dL312P
                                        WGtyooz4bH0O/YqKEDoJM3PD/oupJCYb78b1
                                        JqI1gkX+tkERJb9ts5fj7x/trmw= )
ub.kaya.com.            86400   IN A    172.16.20.9
                        86400   RRSIG   A 8 3 86400 (
                                        20250109072822 20241210072822 42928 kaya.com.
                                        SuRqxfiKkPAFprR4DdJYadM5PeIG4ya5EFvR
                                        vxk38DkrQzk1lRji946qK2Xd7pKrpAjl0yTR
                                        rggDY59AV6AR7mami7I3ceepuvjF8j5fNuQ8
                                        86lkPiDf2kCn4tb+5I6wNfhIC3xeuFDybwb5
                                        O/hDvP6RzFlBuX0eZjLYo03zmW4= )
                        10800   NSEC    w22.kaya.com. A RRSIG NSEC
                        10800   RRSIG   NSEC 8 3 10800 (
                                        20250109072822 20241210072822 42928 kaya.com.
                                        ZaNepBOOJK5npAb/aJIKCwCNstoPdGYMQqzI
                                        qIgr0fl7OhTCdwIruiYleI3gS6tHAdmQ8EY0
                                        BQykOp45VD2qZbv8THht9H+BF8foaJkD8u+7
                                        RdPwXKEuW+ckwtSPJDctgw7daN/bThACRMSN
                                        jqIazQ45VSruYvDm85gOH4aQe34= )

 

 

4. dnssec 설정

        dnssec-validation yes;

 

cat /etc/named.root.key 의 주석을 참조하여 설정 (named.conf에서 include 되는 루트 존 신뢰 앵커 파일. 루트 KSK가 교체되면 RFC 5011에 따라 자동 갱신되며, 현재 앵커는 data.iana.org/root-anchors 에서 확인한다). 실습용 존 kaya.com은 루트부터 이어지는 DS 체인이 없으므로, 검증하는 리졸버에 kaya.com KSK를 trust-anchors 로 별도 등록해야 kaya.com 응답이 검증된다.

 # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
        # for current trust anchor information.
        #
        # This key (20326) was published in the root zone in 2017.
        # Servers which were already using the old key (19036) should
        # roll seamlessly to this new one via RFC 5011 rollover. Servers
        # being set up for the first time can use the contents of this
        # file as initializing keys; thereafter, the keys in the
        # managed key database will be trusted and maintained
        # automatically.
        . initial-ds 20326 8 2 "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D";
};

 

/etc/named.rfc1912.zones 수정


zone "kaya.com" IN{
        type master;
        file "kaya.com.zone.signed";
        #key-directory "key";
        auto-dnssec maintain;
        #inline-signing yes;
        allow-update { any; };
};

 

 

dig @172.16.20.6 nk.kaya.com SOA a +dnssec +norecurse +multiline

flags에 ad(authenticated data)가 나오면 검증이 된 것임. 단, 아래 결과는 권한 서버(172.16.20.6)에 +norecurse로 직접 질의한 것이라 flags에 aa만 있고 ad가 없다 — 권한 서버는 서명(RRSIG)을 돌려줄 뿐 검증하지 않으며, ad는 해당 존의 신뢰 앵커를 가진 검증 리졸버(재귀 서버)가 검증에 성공했을 때 붙인다. 일반 클라이언트(스텁 리졸버)는 보통 자신이 쓰는 검증 리졸버를 신뢰하고 ad 플래그만 확인하지만, delv처럼 신뢰 앵커를 직접 지정하면 클라이언트에서도 검증할 수 있다.

[root@rocky-9 named]# dig @172.16.20.6 nk.kaya.com SOA a +dnssec +norecurse +multiline
;; Warning, extra type option

; <<>> DiG 9.16.23-RH <<>> @172.16.20.6 nk.kaya.com SOA a +dnssec +norecurse +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46524
;; flags: qr aa ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 6922ce70da9cee7301000000675802305c68841eaf424899 (good)
;; QUESTION SECTION:
;nk.kaya.com.           IN A

;; ANSWER SECTION:
nk.kaya.com.            86400 IN A 172.16.20.7
nk.kaya.com.            86400 IN RRSIG A 8 3 86400 (
                                20250109072822 20241210072822 42928 kaya.com.
                                CkKLf+dFBgiv6kAP88/T+KcxvSGFSnBjucFjVS981M7a
                                OFiCf4aNfOHUdk0Ald6VfT1JgrFdzc4lo1jVNqRZq46o
                                bOM0MXeWv62ZwaRC0/QU96/9S1v87f3CP1R32xzIPt+N
                                ooQPjK40754aw7//JX8SQfjvIaz8Q/85B8jINFU= )

;; AUTHORITY SECTION:
kaya.com.               86400 IN NS ns.kaya.com.
kaya.com.               86400 IN RRSIG NS 8 2 86400 (
                                20250109072822 20241210072822 42928 kaya.com.
                                VnzOB52JQOqzkTp3jFsH1oFl5j2BMaAiuuerzGU/mDCG
                                bG+bmu4SPfvX3xTdOrg4vG/gsi0J0HUqbM4kVtDLm7LX
                                NBu+ffYbAtWFM04IVqRlL76GwBacUjCWpJ1/XEeoAyNB
                                /pg02NTEExw/02w+G/BqSrvF4kP3QlnQRZ3GMbs= )

;; ADDITIONAL SECTION:
ns.kaya.com.            86400 IN A 172.16.20.6
ns.kaya.com.            86400 IN RRSIG A 8 3 86400 (
                                20250109072822 20241210072822 42928 kaya.com.
                                N0ICvCB8PvHxdPzBCz3WmI/8FXRP0n1ldKjSNuUSdfA+
                                4HvhwffyaiMhDlg0cr0kNEs7IgPGU4adF6ZujUgGiVaB
                                q3UVP3FDG21Z++87TExo3lr7+Hh57bfBxAlha/1oalod
                                m+9oQvk+X4ar2n6E49RFduO5Jx3/rW6LuI1lCwc= )

;; Query time: 0 msec
;; SERVER: 172.16.20.6#53(172.16.20.6)
;; WHEN: Tue Dec 10 17:56:16 KST 2024
;; MSG SIZE  rcvd: 621