Master server
Generate one TSIG key for the internal view and one for the external view
# One TSIG key per view: "extkey" for the external view, "INTKEY" for the internal view.
# -n HOST selects a host (TSIG) key; -a/-b choose the HMAC algorithm and key size.
# dnssec-keygen writes the key pair to K<name>.+<alg>+<id>.key/.private; the base64
# string on the "Key:" line of the .private file is what goes into named.tsig.key.
# NOTE(review): HMAC-MD5 is deprecated for TSIG. Prefer -a HMAC-SHA256 and set
# `algorithm hmac-sha256;` in named.tsig.key to match; newer BIND releases generate
# TSIG keys with `tsig-keygen` rather than dnssec-keygen.
dnssec-keygen -a HMAC-MD5 -b 512 -n HOST extkey
dnssec-keygen -a HMAC-MD5 -b 512 -n HOST INTKEY
vi named.tsig.key
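// TSIG keys shared with the slaves. Keep this file readable only by the account named runs as;
// anyone who can read it can sign transfer (and, for extkey, update) requests.
// `algorithm` must match the -a value used with dnssec-keygen (hmac-md5 here; hmac-sha256 is the
// recommended replacement — regenerate both keys if you switch).
// `secret` is the complete base64 string from the "Key:" line of the generated .private file.
// The short example values are abbreviated placeholders and are not valid base64, so named
// would reject them as written.
key "extkey" {
algorithm hmac-md5;
secret "<PLACEHOLDER: full base64 secret from Kextkey.+*.private>";
};
key "INTKEY" {
algorithm hmac-md5;
secret "<PLACEHOLDER: full base64 secret from KINTKEY.+*.private>";
};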
vi named.conf
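// Address lists referenced by the views in internal.conf / external.conf.
acl INT_IP { 1.1.0.0/16; };
// Everything outside the internal range. An address list containing only a negated element
// matches nothing (a non-matching element is simply "no match" and the list denies), so the
// negation must be followed by `any;` to actually match external addresses.
acl EXT_IP { !1.1.0.0/16; any; };
// Hosts allowed to NOTIFY the internal view. 1.1.1.2 appears in both slave lists and has a
// server entry in both views, so it presumably hosts both views.
acl INT_SLAVE_IP { 1.1.1.1;1.1.1.2;1.1.2.1;1.1.2.2; };
// NOTE(review): 3.3.3.34 does not match the `server 3.3.3.4` entry in external.conf —
// confirm which address is intended.
acl EXT_SLAVE_IP { 3.3.3.3;3.3.3.34;1.1.1.2; };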
options {
// Listen on every v4/v6 address; who gets served is decided by match-clients in each view.
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
zone-statistics yes;
// Global default: no recursion. INT_VIEW turns it back on for internal clients only.
recursion no;
// Do not reveal the BIND version to version.bind CHAOS queries.
version none;
dnssec-enable yes;
dnssec-validation yes;
// NOTE(review): the ISC DLV lookaside service was retired in 2017 and this option is gone in
// newer BIND releases; on a release that still accepts it, set `dnssec-lookaside no;` or drop
// the line. (`dnssec-enable` has likewise been removed in recent releases.)
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
// Order matters: the TSIG key file and the acl definitions above must come before the view files
// that reference them, and a request is served by the first view whose match-clients matches,
// so the internal view is included ahead of the catch-all external view.
include "/etc/named.root.key";
include "/etc/named.tsig.key";
include "/etc/internal.conf";
include "/etc/external.conf";
vi internal.conf
// Internal (split-horizon) view: authoritative and recursive for the 1.1.0.0/16 network.
view INT_VIEW IN {
// Who counts as "internal": requests signed with INTKEY, or any INT_IP address except 1.1.1.2.
// Address elements match regardless of how a request is signed, so the dual-view slave 1.1.1.2
// is excluded by address and only lands here when it signs with INTKEY; unsigned or
// extkey-signed requests from it fall through to EXT_VIEW.
match-clients { key INTKEY; !1.1.1.2; INT_IP; };
recursion yes;
notify yes;
allow-query { any; };
// Recursion limited to the internal range even though the view already restricts clients.
allow-recursion { INT_IP; };
// Transfers of every zone in this view require a request signed with INTKEY.
allow-transfer { key INTKEY; };
// Sign NOTIFY and other traffic to the internal slaves with INTKEY.
server 1.1.1.2 { keys INTKEY; };
server 1.1.2.1 { keys INTKEY; };
server 1.1.2.2 { keys INTKEY; };
// allow-notify applies to slave-type zones only; it has no effect on the master zone below.
allow-notify { INT_SLAVE_IP; };
zone "XXX.com.tw" {
type master;
// Internal copy of the zone, separate from the external copy under EXT_VIEW/.
file "/var/named/INT_VIEW/XXX.com.tw.zone";
};
};
紅字 重點!!!!~~~~
vi external.conf
// External view: authoritative only, for every client not already matched by INT_VIEW.
view EXT_VIEW IN {
// `any` is the catch-all; `key extkey` lets a slave on an internal address (1.1.1.2) select
// this view explicitly by signing with extkey.
match-clients { key extkey; any; };
notify yes;
recursion no;
allow-query { any; };
allow-recursion { none; };
// Sign NOTIFY and other traffic to the external slaves with extkey.
// NOTE(review): 3.3.3.4 here vs 3.3.3.34 in acl EXT_SLAVE_IP — confirm which is the typo.
server 3.3.3.3 { keys extkey; };
server 3.3.3.4 { keys extkey; };
server 1.1.1.2 { keys extkey; };
// allow-notify applies to slave-type zones only; no effect on the master zone below.
allow-notify { EXT_SLAVE_IP; };
// NOTE(review): this grants dynamic update (nsupdate) on every zone in the view to any holder
// of extkey — the same key handed to the external slaves for transfers, so each slave can
// rewrite the master zone. Delete this line if dynamic updates are not required; otherwise use
// a separate update-only key and put allow-update inside the zone that needs it.
allow-update { key extkey; };
zone "XXX.com.tw" {
type master;
// Transfers of this zone require a request signed with extkey.
allow-transfer { key extkey; };
file "/var/named/EXT_VIEW/XXX.com.tw.zone";
};
};
Slave server
Copy the TSIG key file (named.tsig.key) from the master server to the slave server
vi named.conf
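// Slave named.conf. The view files below reference acl INT_IP and the TSIG keys, so the acl must
// be defined here and the key file included, or named refuses to start with an undefined name.
acl INT_IP { 1.1.0.0/16; };
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
// Same hardening as the master's options: recursion off by default (INT_VIEW re-enables it
// for internal clients) and no version string for version.bind queries.
recursion no;
version none;
dnssec-enable yes;
dnssec-validation yes;
// NOTE(review): the ISC DLV service was retired in 2017 and the option is removed in newer
// BIND releases; on a release that still accepts it, use `dnssec-lookaside no;` or drop the line.
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
// Root trust anchor, the key file copied from the master, then the views — internal first, because a
// request is served by the first view it matches. Adjust the paths to the files you create below.
include "/etc/named.root.key";
include "/etc/named.tsig.key";
include "/etc/internal.conf";
include "/etc/external.conf";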
vi internal.conf
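// Internal view on the slave; included before the external view so internal clients match here.
view "INT_VIEW" IN {
match-clients { key INTKEY; INT_IP; };
recursion yes;
allow-recursion { INT_IP; };
allow-query { any; };
// Slaves never hand out transfers.
allow-transfer { none;};
// Sign transfer requests to the master with INTKEY: the master's INT_VIEW both selects the view
// on that key and requires it for allow-transfer.
server 1.1.1.1 { keys INTKEY; };
// The zone name must be the one the master serves ("XXX.com.tw"); the original "XXX.com" asks
// the master for a zone it does not have, so the transfer can never succeed.
zone "XXX.com.tw" {
type slave;
file "/var/named/INT_VIEW/xxx.com.tw.zone";
masters { 1.1.1.1; };
};
};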
vi external.conf
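// External view on the slave: catch-all for clients not matched by INT_VIEW.
view "EXT_VIEW" IN {
match-clients { key extkey; any; };
recursion no;
notify yes;
allow-query { any; };
// Slaves never hand out transfers.
allow-transfer { none;};
// The key has to be bound to the address used in `masters` (1.1.1.1). A `server 10.10.1.1`
// entry leaves transfer requests to 1.1.1.1 unsigned, and the master's external zone
// (allow-transfer { key extkey; }) refuses unsigned transfers. Keep a 10.10.1.1 entry only if
// the master is genuinely reached through that address from this host — confirm.
server 1.1.1.1 { keys extkey; };
zone "xxx.com.tw" {
type slave;
masters { 1.1.1.1; };
file "/var/named/EXT_VIEW/xxx.com.tw.zone";
};
};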