Cenário:
[root@ns1 ~]# yum install bind bind-utils
[root@ns1 ~]# yum list installed | grep ^bind bind.x86_64 32:9.9.4-29.el7_2.3 @updates bind-libs.x86_64 32:9.9.4-29.el7_2.3 @updates bind-libs-lite.x86_64 32:9.9.4-29.el7_2.3 @updates bind-license.noarch 32:9.9.4-29.el7_2.3 @updates bind-utils.x86_64 32:9.9.4-29.el7_2.3 @updates
[root@ns1 ~]# echo "nameserver 127.0.0.1" > /etc/resolv.conf
[root@ns1 ~]# chattr +i /etc/resolv.conf
[root@ns1 ~]# systemctl enable named.service Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.
[root@ns1 ~]# systemctl start named.service
[root@ns1 ~]# systemctl list-unit-files --type=service | grep -e ^named.service named.service enabled
[root@ns1 ~]# systemctl status named.service -l ● named.service - Berkeley Internet Name Domain (DNS) Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled) Active: active (running) since Ter 2016-09-20 17:47:06 BRT; 1min 31s ago Process: 2237 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS) Process: 2235 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS) Main PID: 2240 (named) CGroup: /system.slice/named.service └─2240 /usr/sbin/named -u named Set 20 17:47:06 ns1 named[2240]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0 Set 20 17:47:06 ns1 named[2240]: zone localhost.localdomain/IN: loaded serial 0 Set 20 17:47:06 ns1 named[2240]: zone localhost/IN: loaded serial 0 Set 20 17:47:06 ns1 named[2240]: all zones loaded Set 20 17:47:06 ns1 named[2240]: running Set 20 17:47:06 ns1 named[2240]: error (network unreachable) resolving './DNSKEY/IN': 2001:dc3::35#53 Set 20 17:47:06 ns1 named[2240]: error (network unreachable) resolving './NS/IN': 2001:dc3::35#53 Set 20 17:47:06 ns1 named[2240]: error (network unreachable) resolving './DNSKEY/IN': 2001:500:2f::f#53 Set 20 17:47:06 ns1 named[2240]: error (network unreachable) resolving './NS/IN': 2001:500:2f::f#53 Set 20 17:47:06 ns1 systemd[1]: Started Berkeley Internet Name Domain (DNS).
[root@ns1 ~]# ps -eZ | grep named system_u:system_r:named_t:s0 2240 ? 00:00:00 named
[root@ns1 ~]# ls -Zd /etc/named.conf /etc/named.rfc1912.zones /var/named/ -rw-r-----. root named system_u:object_r:named_conf_t:s0 /etc/named.conf -rw-r-----. root named system_u:object_r:named_conf_t:s0 /etc/named.rfc1912.zones drwxr-x---. root named system_u:object_r:named_zone_t:s0 /var/named/
[root@ns1 ~]# semanage port -l | grep dns_ dns_port_t tcp 53 dns_port_t udp 53
[root@ns1 ~]# getsebool -a | grep ^named named_tcp_bind_http_port --> off named_write_master_zones --> off
[root@ns1 ~]# cat /etc/named.conf acl master { 127.0.0.1; 203.0.113.200; }; acl lan { 203.0.113.0/24; }; options { listen-on port 53 { master; }; listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-query { any; }; allow-recursion { master; lan; }; allow-query-cache { master; lan; }; //recursion yes; dnssec-enable yes; dnssec-validation yes; /* Path to ISC DLV key */ bindkeys-file "/etc/named.iscdlv.key"; managed-keys-directory "/var/named/dynamic"; pid-file "/run/named/named.pid"; session-keyfile "/run/named/session.key"; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; zone "." IN { type hint; file "named.ca"; }; zone "example.com" IN { type master; file "master/db.example.com"; }; zone "113.0.203.in-addr.arpa" IN { type master; file "master/db.113-0-203"; }; include "/etc/named.rfc1912.zones"; include "/etc/named.root.key";
[root@ns1 ~]# mkdir /var/named/master
[root@ns1 ~]# cat /var/named/master/db.example.com $TTL 1D @ IN SOA ns1.example.com. hostmaster.example.com. ( 2016092001 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum @ IN NS example.com. example.com. IN TXT "v=spf1 a mx ip4:203.0.113.240 -all" example.com. IN SPF "v=spf1 a mx ip4:203.0.113.240 -all" ; NS ns1.example.com. NS ns2.example.com. MX 10 mx1.example.com. ; ns1 IN A 203.0.113.200 ns2 IN A 203.0.113.201 mx1 IN A 203.0.113.240 imap IN CNAME mx1 pop IN CNAME mx1 smtp IN CNAME mx1 webmail IN CNAME mx1 @ IN A 203.0.113.80
[root@ns1 ~]# cat /var/named/master/db.113-0-203 $TTL 1D @ IN SOA ns1.example.com. hostmaster.example.com. ( 2016192001 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum IN NS ns1.example.com. IN NS ns2.example.com. 200 IN PTR ns1.example.com. 201 IN PTR ns2.example.com. 240 IN PTR mx1.example.com.
[root@ns1 ~]# chown named:named /var/named/master [root@ns1 ~]# chown root:named /var/named/master/db.* [root@ns1 ~]# chcon -t named_zone_t /var/named/master/db.* [root@ns1 ~]# semanage fcontext -a -t named_zone_t "/var/named/master(/.*)?"
[root@ns1 ~]# named-checkzone example.com /var/named/master/db.example.com zone example.com/IN: loaded serial 2016092001 OK
[root@ns1 ~]# named-checkzone 113.0.203.in-addr.arpa /var/named/master/db.113-0-203 zone 113.0.203.in-addr.arpa/IN: loaded serial 2016192001 OK
[root@ns1 ~]# systemctl restart named.service
[root@ns1 ~]# systemctl status named.service -l ● named.service - Berkeley Internet Name Domain (DNS) Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled) Active: active (running) since Ter 2016-09-20 18:09:35 BRT; 30s ago Process: 2321 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS) Process: 2332 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS) Process: 2330 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS) Main PID: 2335 (named) CGroup: /system.slice/named.service └─2335 /usr/sbin/named -u named Set 20 18:09:35 ns1 named[2335]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0 Set 20 18:09:35 ns1 named[2335]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0 Set 20 18:09:35 ns1 named[2335]: zone localhost.localdomain/IN: loaded serial 0 Set 20 18:09:35 ns1 named[2335]: zone example.com/IN: loaded serial 2016092001 Set 20 18:09:35 ns1 named[2335]: zone localhost/IN: loaded serial 0 Set 20 18:09:35 ns1 named[2335]: all zones loaded Set 20 18:09:35 ns1 named[2335]: running Set 20 18:09:35 ns1 systemd[1]: Started Berkeley Internet Name Domain (DNS). Set 20 18:09:36 ns1 named[2335]: zone example.com/IN: sending notifies (serial 2016092001) Set 20 18:09:36 ns1 named[2335]: zone 113.0.203.in-addr.arpa/IN: sending notifies (serial 2016192001)
[root@ns1 ~]# host -a example.com Trying "example.com" ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9329 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 3 ;; QUESTION SECTION: ;example.com. IN ANY ;; ANSWER SECTION: example.com. 86400 IN A 203.0.113.80 example.com. 86400 IN SOA ns1.example.com. hostmaster.example.com. 2016092001 86400 3600 604800 10800 example.com. 86400 IN NS example.com. example.com. 86400 IN NS ns1.example.com. example.com. 86400 IN NS ns2.example.com. example.com. 86400 IN TXT "v=spf1 a mx ip4:203.0.113.240 -all" example.com. 86400 IN SPF "v=spf1 a mx ip4:203.0.113.240 -all" example.com. 86400 IN MX 10 mx1.example.com. ;; ADDITIONAL SECTION: ns1.example.com. 86400 IN A 203.0.113.200 ns2.example.com. 86400 IN A 203.0.113.201 mx1.example.com. 86400 IN A 203.0.113.240 Received 304 bytes from 127.0.0.1#53 in 1 ms
[root@ns2 ~]# yum install bind bind-utils
[root@ns2 ~]# yum list installed | grep ^bind bind.x86_64 32:9.9.4-29.el7_2.3 @updates bind-libs.x86_64 32:9.9.4-29.el7_2.3 @updates bind-libs-lite.x86_64 32:9.9.4-29.el7_2.3 @updates bind-license.noarch 32:9.9.4-29.el7_2.3 @updates bind-utils.x86_64 32:9.9.4-29.el7_2.3 @updates
[root@ns2 ~]# echo "nameserver 127.0.0.1" > /etc/resolv.conf
[root@ns2 ~]# chattr +i /etc/resolv.conf
[root@ns2 ~]# systemctl enable named.service Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.
[root@ns2 ~]# systemctl start named.service
[root@ns2 ~]# systemctl list-unit-files --type=service | grep -e ^named.service named.service enabled
[root@ns2 ~]# systemctl status named.service -l ● named.service - Berkeley Internet Name Domain (DNS) Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled) Active: active (running) since Ter 2016-09-20 17:46:59 BRT; 2min 21s ago Process: 2214 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS) Process: 2212 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS) Main PID: 2217 (named) CGroup: /system.slice/named.service └─2217 /usr/sbin/named -u named Set 20 17:46:59 ns2 named[2217]: managed-keys-zone: loaded serial 0 Set 20 17:46:59 ns2 named[2217]: zone 0.in-addr.arpa/IN: loaded serial 0 Set 20 17:46:59 ns2 named[2217]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0 Set 20 17:46:59 ns2 named[2217]: zone localhost.localdomain/IN: loaded serial 0 Set 20 17:46:59 ns2 named[2217]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0 Set 20 17:46:59 ns2 named[2217]: zone localhost/IN: loaded serial 0 Set 20 17:46:59 ns2 named[2217]: all zones loaded Set 20 17:46:59 ns2 named[2217]: running Set 20 17:46:59 ns2 systemd[1]: Started Berkeley Internet Name Domain (DNS). Set 20 17:46:59 ns2 named[2217]: error (network unreachable) resolving './DNSKEY/IN': 2001:7fe::53#53
[root@ns2 ~]# ps -eZ | grep named system_u:system_r:named_t:s0 2240 ? 00:00:00 named
[root@ns2 ~]# ls -Zd /etc/named.conf /etc/named.rfc1912.zones /var/named/ -rw-r-----. root named system_u:object_r:named_conf_t:s0 /etc/named.conf -rw-r-----. root named system_u:object_r:named_conf_t:s0 /etc/named.rfc1912.zones drwxr-x---. root named system_u:object_r:named_zone_t:s0 /var/named/
[root@ns2 ~]# semanage port -l | grep dns_ dns_port_t tcp 53 dns_port_t udp 53
[root@ns2 ~]# getsebool -a | grep ^named named_tcp_bind_http_port --> off named_write_master_zones --> off
[root@ns2 ~]# cat /etc/named.conf acl slave { 127.0.0.1; 203.0.113.201; }; acl lan { 203.0.113.0/24; }; options { listen-on port 53 { slave; }; listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-query { any; }; allow-recursion { slave; lan; }; allow-query-cache { slave; lan; }; //recursion yes; dnssec-enable yes; dnssec-validation yes; /* Path to ISC DLV key */ bindkeys-file "/etc/named.iscdlv.key"; managed-keys-directory "/var/named/dynamic"; pid-file "/run/named/named.pid"; session-keyfile "/run/named/session.key"; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; zone "." IN { type hint; file "named.ca"; }; zone "example.com" IN { type slave; file "slaves/db.example.com"; masters { 203.0.113.200; }; }; zone "113.0.203.in-addr.arpa" IN { type slave; file "slaves/db.113-0-203"; masters { 203.0.113.200; }; }; include "/etc/named.rfc1912.zones"; include "/etc/named.root.key";
[root@ns2 ~]# systemctl restart named.service [root@ns2 ~]# systemctl status named.service -l ● named.service - Berkeley Internet Name Domain (DNS) Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled) Active: active (running) since Qua 2016-09-21 09:55:20 BRT; 7s ago Process: 12133 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS) Process: 12143 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS) Process: 12141 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS) Main PID: 12146 (named) CGroup: /system.slice/named.service └─12146 /usr/sbin/named -u named Set 21 09:55:20 ns2 named[12146]: zone 113.0.203.in-addr.arpa/IN: loaded serial 2016192001 Set 21 09:55:20 ns2 named[12146]: zone localhost/IN: loaded serial 0 Set 21 09:55:20 ns2 named[12146]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0 Set 21 09:55:20 ns2 named[12146]: zone localhost.localdomain/IN: loaded serial 0 Set 21 09:55:20 ns2 named[12146]: zone example.com/IN: loaded serial 2016092001 Set 21 09:55:20 ns2 named[12146]: all zones loaded Set 21 09:55:20 ns2 named[12146]: running Set 21 09:55:20 ns2 named[12146]: zone example.com/IN: sending notifies (serial 2016092001) Set 21 09:55:20 ns2 named[12146]: zone 113.0.203.in-addr.arpa/IN: sending notifies (serial 2016192001) Set 21 09:55:20 ns2 systemd[1]: Started Berkeley Internet Name Domain (DNS).
[root@ns2 ~]# ls -l /var/named/slaves/ total 8 -rw-r--r--. 1 named named 414 Set 21 08:37 db.113-0-203 -rw-r--r--. 1 named named 798 Set 21 08:37 db.example.com
[root@ns2 ~]# host -a example.com Trying "example.com" ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18340 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 3 ;; QUESTION SECTION: ;example.com. IN ANY ;; ANSWER SECTION: example.com. 86400 IN A 203.0.113.80 example.com. 86400 IN NS example.com. example.com. 86400 IN NS ns1.example.com. example.com. 86400 IN NS ns2.example.com. example.com. 86400 IN TXT "v=spf1 a mx ip4:203.0.113.240 -all" example.com. 86400 IN SPF "v=spf1 a mx ip4:203.0.113.240 -all" example.com. 86400 IN MX 10 mx1.example.com. example.com. 86400 IN SOA ns1.example.com. hostmaster.example.com. 2016092001 86400 3600 604800 10800 ;; ADDITIONAL SECTION: ns1.example.com. 86400 IN A 203.0.113.200 ns2.example.com. 86400 IN A 203.0.113.201 mx1.example.com. 86400 IN A 203.0.113.240 Received 304 bytes from 127.0.0.1#53 in 1 ms
[root@ns1 ~]# cd /etc/named
[root@ns1 named]# dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 128 -n HOST example.com Kexample.com.+157+17778
[root@ns1 named]# ls -l total 8 -rw-------. 1 root root 55 Set 21 10:03 Kexample.com.+157+17778.key -rw-------. 1 root root 165 Set 21 10:03 Kexample.com.+157+17778.private
[root@ns1 named]# cat Kexample.com.+157+17778.key example.com. IN KEY 512 3 157 13cf4dANsf6pVJLs/AeOJg==
[root@ns1 named]# cat Kexample.com.+157+17778.private Private-key-format: v1.3 Algorithm: 157 (HMAC_MD5) Key: 13cf4dANsf6pVJLs/AeOJg== Bits: AAA= Created: 20160921130334 Publish: 20160921130334 Activate: 20160921130334
[root@ns1 ~]# cat /etc/named.conf acl master { 127.0.0.1; 203.0.113.200; }; acl lan { 203.0.113.0/24; }; options { listen-on port 53 { master; }; listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-query { any; }; allow-recursion { master; lan; }; allow-query-cache { master; lan; }; allow-transfer { key example.com; }; //recursion yes; dnssec-enable yes; dnssec-validation yes; /* Path to ISC DLV key */ bindkeys-file "/etc/named.iscdlv.key"; managed-keys-directory "/var/named/dynamic"; pid-file "/run/named/named.pid"; session-keyfile "/run/named/session.key"; }; # Transferencia de zona TSIG key "example.com" { algorithm hmac-md5; secret "13cf4dANsf6pVJLs/AeOJg=="; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; zone "." IN { type hint; file "named.ca"; }; zone "example.com" IN { type master; file "master/db.example.com"; }; zone "113.0.203.in-addr.arpa" IN { type master; file "master/db.113-0-203"; }; include "/etc/named.rfc1912.zones"; include "/etc/named.root.key";
Alterações realizadas:
[...] allow-transfer { key example.com; }; [...] # Transferencia de zona TSIG key "example.com" { algorithm hmac-md5; secret "13cf4dANsf6pVJLs/AeOJg=="; }; [...]
[root@ns2 ~]# cat /etc/named.conf acl slave { 127.0.0.1; 203.0.113.201; }; acl lan { 203.0.113.0/24; }; options { listen-on port 53 { slave; }; listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-query { any; }; allow-recursion { slave; lan; }; allow-query-cache { slave; lan; }; //recursion yes; dnssec-enable yes; dnssec-validation yes; /* Path to ISC DLV key */ bindkeys-file "/etc/named.iscdlv.key"; managed-keys-directory "/var/named/dynamic"; pid-file "/run/named/named.pid"; session-keyfile "/run/named/session.key"; }; # Transferencia de zona TSIG key "example.com" { algorithm hmac-md5; secret "13cf4dANsf6pVJLs/AeOJg=="; }; server 203.0.113.200 { keys { example.com; }; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; zone "." IN { type hint; file "named.ca"; }; zone "example.com" IN { type slave; file "slaves/db.example.com"; masters { 203.0.113.200; }; }; zone "113.0.203.in-addr.arpa" IN { type slave; file "slaves/db.113-0-203"; masters { 203.0.113.200; }; }; include "/etc/named.rfc1912.zones"; include "/etc/named.root.key";
Alterações:
[...] # Transferencia de zona TSIG key "example.com" { algorithm hmac-md5; secret "13cf4dANsf6pVJLs/AeOJg=="; }; server 203.0.113.200 { keys { example.com; }; }; [...]
[root@ns1 ~]# cat /var/named/master/db.example.com $TTL 1D @ IN SOA ns1.example.com. hostmaster.example.com. ( 2016092102 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum @ IN NS example.com. example.com. IN TXT "v=spf1 a mx ip4:203.0.113.240 -all" example.com. IN SPF "v=spf1 a mx ip4:203.0.113.240 -all" ; NS ns1.example.com. NS ns2.example.com. MX 10 mx1.example.com. ; ns1 IN A 203.0.113.200 ns2 IN A 203.0.113.201 mx1 IN A 203.0.113.240 imap IN CNAME mx1 pop IN CNAME mx1 smtp IN CNAME mx1 webmail IN CNAME mx1 @ IN A 203.0.113.80 ldap IN A 203.0.113.89
Alterações:
[...] 2016092102 ; serial [...] ldap IN A 203.0.113.89
[root@ns1 ~]# systemctl restart named.service [root@ns2 ~]# systemctl restart named.service
[root@ns1 ~]# cat /var/log/messages | egrep -i tsig Sep 21 10:19:12 ns1 named[12279]: client 203.0.113.201#37465/key example.com (example.com): transfer of 'example.com/IN': AXFR-style IXFR started: TSIG example.com
Caso a transferência de zona não ocorra, seguir os seguintes passos:
Sincronizar o NTP nos dois servidores (a assinatura TSIG inclui um carimbo de tempo; se os relógios do master e do slave estiverem desalinhados, a transferência é rejeitada)
[root@ns1 ~]# ntpdate -u a.ntp.br [root@ns2 ~]# ntpdate -u a.ntp.br
Verificar o SELinux no slave
[root@ns2 ~]# getsebool -a | grep named named_tcp_bind_http_port --> off named_write_master_zones --> off
[root@ns2 ~]# setsebool -P named_write_master_zones 1
[root@ns2 ~]# getsebool -a | grep named named_tcp_bind_http_port --> off named_write_master_zones --> on