CHRooted DNS/bind-9.2.0 for FreeBSD 4.5
H.S. Mok
hsmok@sv.co.kr
2002/1/21
Revised: 2002/4/30
Versions
FreeBSD 4.5
bind 9.2.0
1. Domain Name System (DNS) reference documents
RFC documents (http://www.ietf.org/rfc.html)
- RFC-1033: DOMAIN ADMINISTRATORS OPERATIONS GUIDE
- RFC-1034: DOMAIN NAMES - CONCEPTS AND FACILITIES
- RFC-1035: Domain Names - Implementation and Specification
2. CHRooted DNS/BIND?
CHRooted DNS/BIND installs bind chrooted into a directory such as '/somewhere/bind', so that bind regards that directory as its root directory and cannot reach any directory outside the chroot directory. Even if bind is attacked by a malicious user, the attacker cannot get outside the bind directory. In addition, running bind as the nobody or bind user instead of root makes a safer DNS service possible.
3. Installation preparation
A FreeBSD 4.4 system has bind 8.2.4 installed in /usr. Anyone using a version earlier than bind 8.2.2p7 must upgrade to the latest version, because a security bug was found. The latest versions at present are bind 8.3.0 and bind 9.2.0. The ports tree offers bind 8.2.5 and bind 9.1.3. Since the FreeBSD port version is behind the latest release, we download the source and install it ourselves. Download bind-9.2.0.tar.gz by http or ftp into the directory where it will be compiled.
4. Installation
configure
- --prefix=/usr/local
Specifies the directory where bind will be installed; the default is /usr/local.
- --sysconfdir=/usr/local/bind9/etc
Changes the directory where the configuration file (named.conf) is installed. The default is /etc, because of compatibility with earlier versions. If prefix is given, it becomes $prefix/etc.
- --localstatedir=/usr/local/bind9/var
The directory above run/named.pid; the default is /var. If prefix is given, it becomes $prefix/var.
- --enable-openssl=/usr
Enables the DNSSEC support provided by bind9. DNSSEC requires OpenSSL 0.9.5a or later. A FreeBSD 4.4 system has OpenSSL 0.9.6 installed under /usr. Check the OpenSSL version as follows.
# /usr/bin/openssl version
OpenSSL 0.9.6 24 Sep 2000
- --enable-threads
Option for multithreading support; it gives a performance improvement on multiprocessor systems.
- --with-kame=/somewhere
Option for IPv6 support. If the system supports IPv6 natively, it is detected automatically at install time.
- --help
Shows more detailed help for configure.
A FreeBSD 4.4 system has bind 8.2.4 installed in /usr by default. The new version is installed into /usr, overwriting the previous one. When prefix is given, sysconfdir and localstatedir become $prefix/etc and $prefix/var, so it is better to set them explicitly to match the system. Once compiling and installation are finished, the dns server can be run on the new version. If a chroot service is not wanted, installing up to this point is enough.
# fetch ftp://ftp.isc.org/isc/bind9/9.2.0/bind-9.2.0.tar.gz
# tar xvzf bind-9.2.0.tar.gz
# cd bind-9.2.0
# ./configure --prefix=/usr --sysconfdir=/etc/namedb --localstatedir=/var
# make
# make install
# mv /usr/sbin/nslookup /usr/sbin/nslookup.old
# ln -s /usr/bin/nslookup /usr/sbin/nslookup
5. chroot configuration
Create the chroot directory and its subdirectories. In the dev subdirectory create the null and random devices. The etc subdirectory is for the bind configuration file (named.conf) and localtime. For localtime, if the time zone was set from the sysinstall menu or with the tzsetup command, /etc/localtime exists and can simply be copied; otherwise copy the /usr/share/zoneinfo/Asia/Seoul time zone file. Into the sbin subdirectory copy the /usr/sbin/named binary and remove its symbols with strip.
# mkdir /usr/local/bind
# cd /usr/local/bind
# mkdir -p dev etc/namedb sbin var/run var/log
#
# mknod dev/null c 2 2
# mknod dev/random c 2 3
# chmod a+w dev
#
# cp /etc/localtime etc/localtime
# cp /usr/sbin/named sbin/named
# strip sbin/named
#
# chown -R bind.bind etc/namedb var/run var/log
To set up logging for the name server, create the log file.
# touch var/log/named.log
# chown bind.bind var/log/named.log
6. Name Server configuration
Caching-only Nameserver configuration
A cache-only server, also called a Caching Name Server or Recursive Server, performs only recursive lookups for clients; that is, it does not register or manage any Internet domain name zone. For example, when a Windows user sets the dns server ip in the network settings to the caching server's ip address and requests the domain www.sv.co.kr in the browser, the server hands back the IP address for that domain name so the user can reach the web page they want.
The files needed are etc/namedb/named.conf, etc/namedb/localhost.rev and etc/namedb/named.root; an example configuration follows.
- etc/namedb/named.conf
// etc/named.conf -----------------------------------------------------------
//
acl "my_net" { localhost; 192.168.1.0/24; 192.168.2.5/28; };
options {
directory "/etc/namedb"; // location of the domain zone files
pid-file "/var/run/named.pid"; // location of the named pid file
allow-query { "my_net"; }; // allow list defined by the acl above
};
zone "." { type hint; file "named.root"; };
zone "0.0.127.in-addr.arpa" { type master; file "localhost.rev"; notify no; };
// --------------------------------------------------------------------------
- etc/namedb/localhost.rev
- TTL: How long another name server may treat this zone's data as valid after fetching it (seconds).
- Serial: Increase this number, based on the date, whenever the zone file is modified. A slave server looks at this number to see whether the serial has changed and then updates its backup copy of the zone.
- Refresh: Interval at which the slave server checks whether the primary has been modified (seconds).
- Retry: Interval at which the slave server retries when it cannot reach the master server (seconds).
- Expire: Invalidates the slave's backup copy of the zone when the master server cannot be reached for the configured period.
- Minimum: How long another name server may treat this zone's data as valid after fetching it. Used when no TTL value is given explicitly. Setting it to 0 disables caching.
// etc/namedb/localhost.rev -------------------------------------------------------
//
$TTL 3600
@ IN SOA ns.sv.co.kr. root.ns.sv.co.kr. (
2002012201 ; Serial
3600 ; Refresh ( 1 hour)
900 ; Retry ( 15 min )
3600000 ; Expire (1000 hours)
3600 ) ; Minimum ( 1 hour)
IN NS ns.sv.co.kr.
1 IN PTR localhost.sv.co.kr.
// --------------------------------------------------------------------------
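Keeping the date-based serial above in step with the rules just listed is easy to get wrong by hand, so here is an added example (my own POSIX sh script, not part of the article) that computes the next YYYYMMDDnn serial and rewrites the "; Serial" line of a zone file laid out like the ones on this page; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article: maintain the date-based
# YYYYMMDDnn serial the zone files above use (2002012201). Slaves only
# transfer a zone when the serial grows, so it must never go backwards.

# next_serial CURRENT [TODAY]   (TODAY as YYYYMMDD, default: system date)
#   same day  -> bump the two-digit counter
#   later day -> YYYYMMDD01
#   serial ahead of today (clock was wrong) or not date-shaped -> CURRENT+1
next_serial() {
    cur=$1
    today=${2:-$(date +%Y%m%d)}
    case $cur in
        *[!0-9]*|'') echo "invalid serial: '$cur'" >&2; return 1 ;;
    esac
    if [ ${#cur} -ne 10 ]; then
        echo $((cur + 1)); return 0
    fi
    cur_day=${cur%??}                      # first 8 digits
    cur_n=${cur#????????}                  # last 2 digits
    if [ "$cur_day" = "$today" ]; then
        if [ "$cur_n" = 99 ]; then
            echo "counter for $today exhausted, leaving date form" >&2
            echo $((cur + 1)); return 0
        fi
        printf '%s%02d\n' "$today" $((${cur_n#0} + 1))   # strip leading 0 (no octal)
    elif [ "$cur_day" -lt "$today" ]; then
        printf '%s01\n' "$today"
    else
        echo $((cur + 1))
    fi
}

# bump_zone_serial FILE [TODAY]: rewrite the "<number> ; Serial" line of a
# zone file in this article's layout; prints the new serial.
bump_zone_serial() {
    zf=$1
    cur=$(sed -n 's/^[[:space:]]*\([0-9][0-9]*\)[[:space:]]*;[[:space:]]*Serial.*/\1/p' "$zf" | head -n 1)
    [ -n "$cur" ] || { echo "no '; Serial' line in $zf" >&2; return 1; }
    new=$(next_serial "$cur" "$2") || return 1
    tmp="$zf.tmp.$$"
    sed "s/^\([[:space:]]*\)$cur\([[:space:]]*;[[:space:]]*Serial\)/\1$new\2/" "$zf" > "$tmp" &&
        mv "$tmp" "$zf" && echo "$new"
}
```

Run bump_zone_serial on the zone file before each reload; the slave picks up the change at its next refresh because the serial has grown.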
- etc/namedb/named.root
This file holds the information about the root name servers. It is not written by hand: it already exists as /etc/namedb/named.root and is copied to wherever it is needed. It can also be downloaded directly from internic (ftp://rs.internic.net/domain/named.root).
# cp /etc/namedb/named.root /usr/local/bind/etc/namedb/.
or
# cd /usr/local/bind/etc/namedb
# fetch ftp://rs.internic.net/domain/named.root
Authoritative Nameserver configuration
An authoritative name server is one that serves a domain zone.
Files needed for an Authoritative Server
- etc/namedb/named.conf
// etc/namedb/named.conf -----------------------------------------------------------
//
options {
directory "/etc/namedb"; // location of the domain zone files
pid-file "/var/run/named.pid"; // location of the named pid file
allow-query { any; }; // allow queries from anyone
allow-transfer { 192.168.1.2; }; // secondary name server
//recursion no; // when not offering recursive service
//auth-nxdomain yes; // when there are old DNS servers on the network
};
logging {
channel bind_log { file "/var/log/named.log"; severity info; };
category xfer-out { bind_log; };
category default { bind_log; }; // send the default log to bind_log
//category default { default_syslog; }; // send the default log to the system syslog
};
zone "." { type hint; file "named.root"; };
zone "0.0.127.in-addr.arpa" { type master; file "localhost.rev"; notify no; };
zone "1.168.192.in-addr.arpa" { type master; file "1.168.192.rev"; notify no; };
zone "systemadmin.co.kr" { // master zone example
type master;
file "systemadmin.co.kr.db";
};
zone "sv.co.kr" { // slave zone example
type slave;
file "sv.co.kr.bk";
masters { 192.168.4.12; }; // master server IP
};
// --------------------------------------------------------------------------
- etc/namedb/localhost.rev
Same as the caching server's localhost.rev.
- etc/namedb/1.168.192.rev
A reverse domain zone works properly only when the reverse domain is registered with the registry (KRNIC). Even if it is not registered there, you can ask your ISP to delegate the reverse zone for the IP address range to you.
$TTL 3600
@ IN SOA ns.systemadmin.co.kr. root.ns.systemadmin.co.kr. (
2002012201 ; Serial
3600 ; Refresh ( 1 hour)
900 ; Retry ( 15 min )
3600000 ; Expire (1000 hours)
3600 ) ; Minimum ( 1 hour)
IN NS ns.systemadmin.co.kr.
1 IN PTR ns.systemadmin.co.kr.
- etc/namedb/named.root
Same as the caching server's named.root.
- etc/namedb/systemadmin.co.kr.db
$TTL 86400
@ IN SOA ns.systemadmin.co.kr. hsmok.systemadmin.co.kr. (
2002012201 ; Serial
3600 ; Refresh ( 1 hour )
900 ; Retry ( 15 min )
3600000 ; Expire (1000 hours)
3600 ) ; Minimum ( 1 hour )
IN NS ns.systemadmin.co.kr.
IN NS ns2.systemadmin.co.kr.
IN A 192.168.1.1
IN MX 10 mail
ns IN CNAME @
www IN CNAME @
ftp IN CNAME @
mail IN A 192.168.1.1
ns2 IN A 192.168.1.2
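A frequent cause of a chrooted named failing to load is a file that exists on the real system but not inside the chroot. As an added check (my own POSIX sh script, not part of the article), the function below reads the chrooted named.conf and resolves every file it refers to the way named does after -t, assuming this article's layout (CHROOT/etc/namedb/named.conf); the function name is an assumption of this example.

```shell
#!/bin/sh
# Added example, not part of the original article: confirm that every file a
# chrooted named.conf refers to exists *inside* the chroot. The "directory"
# option and the file names are resolved relative to the chroot root, which
# is how named sees them once it has been started with -t.

# check_chroot_files CHROOT CONF
#   CHROOT - chroot directory, e.g. /usr/local/bind
#   CONF   - named.conf path as seen from inside the chroot
# Prints each missing file; returns 0 if everything is present, 1 otherwise.
check_chroot_files() {
    chroot_dir=$1
    conf="$chroot_dir$2"
    [ -f "$conf" ] || { echo "missing config: $conf" >&2; return 1; }

    # Relative zone files live under the options { directory "..."; } path.
    zdir=$(sed -n 's/^[[:space:]]*directory[[:space:]]*"\([^"]*\)".*/\1/p' "$conf" | head -n 1)
    [ -n "$zdir" ] || zdir=/

    rc=0
    # Every  file "..."  clause (zone files and the logging channel file),
    # with // comments stripped first so disabled lines are not checked.
    # A leading space is added so "file" at column 0 still matches; the
    # preceding-character class keeps pid-file from matching.
    files=$(sed -e 's|//.*||' -e 's/^/ /' "$conf" |
            sed -n 's/.*[[:space:];{]file[[:space:]]*"\([^"]*\)".*/\1/p')
    for f in $files; do
        case $f in
            /*) path="$chroot_dir$f" ;;          # absolute path inside the chroot
            *)  path="$chroot_dir$zdir/$f" ;;    # relative to the directory option
        esac
        if [ ! -f "$path" ]; then
            echo "missing: $f (named will look for $path)" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage on a real installation:
#   check_chroot_files /usr/local/bind /etc/namedb/named.conf
if [ $# -ge 1 ]; then
    check_chroot_files "$1" "${2:-/etc/namedb/named.conf}"
fi
```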
7. Running named
Check the bind version
# /usr/local/bind/sbin/named -v
BIND 9.2.0
#
Chrooted execution
/usr/local/bind/sbin/named -t /usr/local/bind -c /etc/namedb/named.conf -u bind
Check the named daemon
Checking the named daemon with the ps command should show it running under the bind user.
#
# ps aux | grep named
bind 84931 0.0 6.7 2372 1996 ?? Is 3:32PM \
0:00.24 /usr/local/bind/sbin/named -t /usr/local/bind \
-c /etc/namedb/named.conf -u bind
#
# cat var/run/named.pid
84931
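As an added example (my own POSIX sh, not part of the article), the checks just done by eye can be scripted: the first function takes one ps line for named, joined onto a single line, and confirms the owner is not root, that -t and -u are present and that the -u user matches the owner; the second confirms the pid file inside the chroot holds that pid. Function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original article: verify from the ps output
# and the chroot's pid file that named is running confined.

# check_named_ps PSLINE : one "ps aux" line for named, on a single line.
#   Returns 0 (and prints the pid) when the owner is not root, -t and -u are
#   on the command line, and the -u argument matches the owner column.
check_named_ps() {
    line=$1
    owner=${line%% *}                                   # first column: user
    pid=$(printf '%s\n' "$line" | awk '{print $2}')     # second column: pid
    [ "$owner" != root ] || { echo "named is running as root" >&2; return 1; }
    case " $line " in
        *" -t "*) ;;
        *) echo "no -t (chroot) flag on the command line" >&2; return 1 ;;
    esac
    uarg=$(printf '%s\n' "$line" | sed -n 's/.* -u \([^ ]*\).*/\1/p')
    [ -n "$uarg" ] || { echo "no -u flag: named keeps root privileges" >&2; return 1; }
    [ "$uarg" = "$owner" ] || { echo "-u $uarg but process owned by $owner" >&2; return 1; }
    echo "$pid"
}

# check_pidfile CHROOT PID : named writes its pid file relative to the chroot
#   (CHROOT/var/run/named.pid); returns 0 when that file holds PID.
check_pidfile() {
    f="$1/var/run/named.pid"
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    [ "$(tr -d '[:space:]' < "$f")" = "$2" ]
}

# Usage on a live system (ps output for named joined onto one line):
#   line=$(ps axww -o user,pid,args | grep '[/]named')
#   pid=$(check_named_ps "$line") && check_pidfile /usr/local/bind "$pid"
```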
Check the log
The log messages should look like the following. There is an error saying the rndc key and the 127.0.0.1 command channel could not be added, but that is resolved by configuring rndc: the rndc key and controls are set in named.conf. If you do not use rndc, there is no need to configure it.
# cat /usr/local/bind/var/log/named.log
zone 0.0.127.in-addr.arpa/IN: loaded serial 2002012201
zone 1.168.192.in-addr.arpa/IN: loaded serial 2002012201
zone systemadmin.co.kr/IN: loaded serial 2002043001
running
zone systemadmin.co.kr/IN: sending notifies (serial 2002043001)
loading configuration from '/etc/namedb/named.conf'
no IPv6 interfaces found
none:0: open: /etc/namedb/rndc.key: file not found
couldn't add command channel 127.0.0.1#953: file not found
#
#
# cat /var/log/messages
....................
Apr 30 12:18:25 ns1 named[8114]: none:0: open: /etc/namedb/rndc.key: file not found
Apr 30 12:18:25 ns1 named[8114]: couldn't add command channel 127.0.0.1#953: file not found
Check named queries
Check the configured domain with the dig command.
ns3# dig @localhost mail.systemadmin.co.kr
; <<>> DiG 9.2.0 <<>> @localhost mail.systemadmin.co.kr
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7082
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;mail.systemadmin.co.kr. IN A
;; ANSWER SECTION:
mail.systemadmin.co.kr. 86400 IN A 211.192.187.216
;; AUTHORITY SECTION:
systemadmin.co.kr. 86400 IN NS ns.systemadmin.co.kr.
systemadmin.co.kr. 86400 IN NS ns2.systemadmin.co.kr.
;; Query time: 12 msec
;; SERVER: 127.0.0.1#53(localhost)
;; WHEN: Tue Jan 22 16:21:14 2002
;; MSG SIZE rcvd: 82
Automatic start at system boot
Open /etc/rc.conf in an editor and add the following.
named_enable="YES"
named_program="/usr/local/bind/sbin/named"
named_flags="-t /usr/local/bind -c /etc/namedb/named.conf -u bind"
rndc configuration
Configuring rndc under a chroot raises a problem: when rndc is run it reads rndc.conf from /etc/namedb/ on the real system, not from inside the chroot, so this has to be handled separately, for example with a symbolic link.
Creating the rndc key
The key is generated as a public key file (*.key) and a private key file (*.private). From the public key file, put the part after "bind. IN KEY 0 2 157 " into named.conf. From the private key file, put the part after "Key: " into rndc.conf.
# dnssec-keygen -a hmac-md5 -r /dev/urandom -b 512 -n user bind
Kbind.+157+29280
#
# ls -al
-rw------- 1 root wheel 111 Apr 30 12:31 Kbind.+157+29280.key
-rw------- 1 root wheel 145 Apr 30 12:31 Kbind.+157+29280.private
Add the following to the etc/namedb/named.conf file.
key "rndc_key" {
algorithm hmac-md5;
secret "xPdYeSnIFS6+.......(middle omitted)..........V0fEHGF3ll/uXJsA==";
};
controls {
//inet ::1 allow { ::1; } keys { "rndc_key"; };
inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndc_key"; };
};
Create the etc/namedb/rndc.conf file.
options {
default-server localhost;
default-key "rndc_key";
};
server localhost { key "rndc_key"; };
key "rndc_key" {
algorithm hmac-md5;
secret "xPdYeSn.........(middle omitted)............YZJV0fEHGF3ll/uXJsA==";
};
Restart bind.
If rndc is configured correctly it now works without any further errors. How to use rndc will be covered another time...
# ln -s /usr/local/bind/etc/namedb/rndc.conf /etc/namedb/rndc.conf
# /usr/local/bind/sbin/named -t /usr/local/bind -c /etc/namedb/named.conf -u bind
#
# rndc reload
loading configuration from '/etc/namedb/named.conf'