Linux Tech Board
2024. 04. 26.
[Tip] bind_9.x_configuration
Date: 2002.05.28. 14:04:37 Views: 412
I installed 9.1.3rc1 and tried out DNSSEC. So far I have only confirmed that it works. I did it as follows. (The distributed documentation says nothing about how to configure it, and the FAQ at <http://www.isc.org/> has content that appears to have been written in the 9.0.x days rather than for 9.1.x; it is dated, but it helped me work things out by inference.)
1. Generate the DNSSEC key. Because Red Hat runs named as the named user belonging to the named group, I did the following:
    dnssec-keygen -a hmac-md5 -b 512 -n ZONE -r /dev/random named
This creates two files in the current working directory: Knamed.+157+61652.key and Knamed.+157+61652.private.
2. Copy the base64-encoded part of Knamed.+157+61652.key (one of the key files above) into the secret entry of the 'key' block in /etc/rndc.conf. Give the key any suitable name; I used 'mykey'. For example (different from mine, of course):
    key "mykey" {
        algorithm hmac-md5;
        secret "JHAqThzehwRzCQjtBQdVR0pdKkXaIuiCAaVfzsRtLPeunsRyskWRbasvOOck";
    };
3. Copy this as-is into a suitable spot in /etc/named.conf; just select it with the mouse and move it over. Next, and this is important, the following must be configured in /etc/named.conf. It appears in the CHANGES file of bind-9.x.x but is not mentioned anywhere else. Logically it is better for this block to go above the key block shown earlier. An example is given below.
    controls {
        inet * port 1500
            allow { any; } keys { "mykey"; };
    };
    key "mykey" {
        algorithm hmac-md5;
        secret "JHAqThzehwRzCQjtBQdVR0pdKkXaIuiCAaVfzsRtLPeunsRyskWRbasvOOck";
    };
In the 'controls' block above, the port number is given as 1024 in the CHANGES file. My system uses NFS locally and rpc.statd was using that port, so I changed it to 1500. To find out whether another program on your system is already using the port you picked, run 'fuser -n tcp 1024' and then 'ps ax | grep PID' with the process ID it reports.
4. Now add the following to *every* zone and reverse zone definition in /etc/named.conf. (The root cache and the localhost zone should not need it.)
    allow-update { key "mykey"; };
One example:
    zone "plw.net" {
        type master;
        file "plw.net.zone";
        notify no;
        allow-update { key "mykey"; };
    };
5. Now copy the two key files generated in step 1 to /var/named. (The named FAQ says the /var/named of the client host, but I just moved them there on my PC where bind9 is installed as a test, and it works fine.)
6. Restart named with '/etc/rc.d/init.d/named restart'. If it worked, /var/log/messages should show something like the following. Copying the lines verbatim made them too long, so I dropped the year, date and time. You must see 'running' at the end for it to have started properly; when you run the named script above, it is often hard to tell whether it succeeded.
progress named: named shutdown succeeded
progress named: named startup succeeded
progress named[3842]: starting BIND 9.1.3rc1 -u named
progress named[3842]: using 1 CPU
progress named[3846]: loading configuration from '/etc/named.conf'
progress named[3846]: no IPv6 interfaces found
progress named[3846]: listening on IPv4 interface lo, 127.0.0.1#53
progress named[3846]: listening on IPv4 interface eth0, 192.168.2.1#53
progress named[3846]: listening on IPv4 interface eth1, 192.168.1.1#53
progress named[3846]: listening on IPv4 interface ppp0, 211.58.12.247#53
progress named[3846]: command channel listening on 0.0.0.0#1500
progress named[3846]: running
7. Test whether the rndc and nsupdate commands respond.
7-1) /usr/sbin/rndc -p 1500 reload
    rndc currently has fewer functions implemented than the ndc of 8.x.x and earlier versions.
7-2) /us/nsupdate -d -k /var/named/Knamed.+157+61652.key
    With nsupdate, if it succeeds, you have to issue commands in a shell-like form. See 'man nsupdate' for the details ...
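As an added example (not code from the post or from the BIND project), the following Python script ties steps 1 to 6 together offline: it parses the KEY record that dnssec-keygen writes to the K*.key file, checks that the secret is valid base64 and reports its length in bits, renders the key, controls and zone stanzas used in the post, and scans named's startup log for the 'command channel listening' and 'running' lines. The key file contents are constructed (the secret is the byte sequence 0..63, not random key material, and the flags/protocol fields are illustrative), the function names are my own, and the controls helper defaults to binding the channel to 127.0.0.1 instead of the post's `inet *`.

```python
#!/usr/bin/env python3
"""Added example: offline helper for the rndc/allow-update setup in the post.

It parses the KEY record dnssec-keygen writes, checks the secret, renders the
named.conf stanzas, and verifies the startup log lines. Nothing here calls the
BIND tools, so it runs anywhere."""
import base64
import re

# Constructed stand-in for Knamed.+157+61652.key. Algorithm 157 is HMAC-MD5;
# the secret is bytes 0..63 (512 bits) rather than real random key material,
# and the flags/protocol fields are illustrative only.
SAMPLE_KEY_FILE = "named. IN KEY 512 3 157 " + base64.b64encode(bytes(range(64))).decode()

# The example secret shown in the post (the author says it is not the real one).
POST_SECRET = "JHAqThzehwRzCQjtBQdVR0pdKkXaIuiCAaVfzsRtLPeunsRyskWRbasvOOck"

# The post's /var/log/messages lines from step 6 (timestamps already stripped).
POST_LOG_LINES = [
    "progress named[3846]: loading configuration from '/etc/named.conf'",
    "progress named[3846]: listening on IPv4 interface lo, 127.0.0.1#53",
    "progress named[3846]: command channel listening on 0.0.0.0#1500",
    "progress named[3846]: running",
]

KEY_RECORD = re.compile(r"^(\S+)\s+IN\s+KEY\s+\d+\s+\d+\s+(\d+)\s+(\S+)\s*$")


def parse_key_file(text):
    """Return (owner, algorithm_number, secret_b64) from a K*.key record."""
    m = KEY_RECORD.match(text.strip())
    if not m:
        raise ValueError("not a dnssec-keygen KEY record")
    return m.group(1), int(m.group(2)), m.group(3)


def secret_bits(secret_b64):
    """Length of the decoded secret in bits; raises if it is not valid base64.
    A 512-bit key (-b 512) gives 64 bytes, i.e. 88 base64 characters."""
    return 8 * len(base64.b64decode(secret_b64, validate=True))


def key_stanza(name, secret_b64, algorithm="hmac-md5"):
    """The key block shared by /etc/rndc.conf and /etc/named.conf (steps 2/3)."""
    return f'key "{name}" {{\n    algorithm {algorithm};\n    secret "{secret_b64}";\n}};\n'


def controls_stanza(key_name, port, listen="127.0.0.1", allow="127.0.0.1"):
    """The controls block from step 3. The post uses `inet *` with
    `allow { any; }`; defaulting to 127.0.0.1 keeps rndc off the network."""
    return (f"controls {{\n    inet {listen} port {port}\n"
            f'        allow {{ {allow}; }} keys {{ "{key_name}"; }};\n}};\n')


def zone_stanza(zone, zone_file, key_name):
    """A master zone whose dynamic updates are restricted to the key (step 4)."""
    return (f'zone "{zone}" {{\n    type master;\n    file "{zone_file}";\n'
            f'    notify no;\n    allow-update {{ key "{key_name}"; }};\n}};\n')


CHANNEL_LINE = re.compile(r"command channel listening on (\S+)#(\d+)")


def check_startup_log(lines, expected_port):
    """Step 6 check: returns (saw 'running', address the control channel bound
    to on expected_port, or None if no such line was logged)."""
    running, channel = False, None
    for line in lines:
        if line.rstrip().endswith(": running"):
            running = True
        m = CHANNEL_LINE.search(line)
        if m and int(m.group(2)) == expected_port:
            channel = m.group(1)
    return running, channel


if __name__ == "__main__":
    owner, alg, secret = parse_key_file(SAMPLE_KEY_FILE)
    print(f"# {owner} algorithm {alg}, {secret_bits(secret)}-bit secret")
    print(key_stanza("mykey", secret))
    print(controls_stanza("mykey", 1500))
    print(zone_stanza("plw.net", "plw.net.zone", "mykey"))
    running, addr = check_startup_log(POST_LOG_LINES, 1500)
    print(f"# running={running}, control channel bound to {addr}")
```

Run against the post's own log lines, check_startup_log reports the channel bound to 0.0.0.0, which is exactly what `inet *` with `allow { any; }` produces: every interface accepts rndc connections and the HMAC secret is the only thing gating them, so the key files and named.conf should stay readable only by root and the named user, and binding to 127.0.0.1 is the safer default when rndc is only ever run locally. The post's sample secret decodes to 360 bits rather than the 512 bits requested in step 1, consistent with the author's remark that it is not the real key.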
P.S. #1:
Of the utilities distributed with the bind-9.1.x rpm, named-checkconf works fine, but named-checkzone seems to have some problem. named itself emits no warnings at all when it starts (even with the debugging option), yet this tool keeps warning that something is wrong. In the end, name lookups and so on work fine ...
P.S. #2:
Thanks to today's question, I had a chance to look at DNSSEC, which I had been ignoring all this time, and to tidy things up a bit. Thank you. :-)
---------------------------------------------------------------------------
--
.~. Linux Korean Tips Project - <http://kltp.kldp.org/>
/V\ KorWeblog News/Forum - <http://weblog.kldp.org/>
/( )\ Koru.org - Internet community of Koreans in Russia <http://Koru.org>
^^-^^ Im Eunjae mailto:eunjea@kldp.org <http://linux.koru.org/>