I have a DNS server for the `com` zone. I am using BIND 9.10.3 on Ubuntu. I want to make DNS queries to this server using DNSSEC. I have created a ZSK and a KSK, and I have a file named `forward.com.signed`. The file contents are as follows (note: I trimmed the signatures in `forward.com.signed` to one line to keep the post short):
```
; File written on Thu May 24 02:13:50 2018
; dnssec_signzone version 9.10.3-P4-Ubuntu
com. 604800 IN SOA dns1.com. admin.com. (
    33 ; serial
    604820 ; refresh (1 week 20 seconds)
    86600 ; retry (1 day 3 minutes 20 seconds)
    2419600 ; expire (4 weeks 6 minutes 40 seconds)
    604600 ; minimum (6 days 23 hours 56 minutes 40 seconds)
    )
    604800 RRSIG SOA 7 1 604800 (
    20180623001350 20180524001350 12410 com.
    Qfd9i1AndX/dmyQuksOo2CRXH5RyM7i52c3P
    )
    604800 NS dns1.com.
    604800 RRSIG NS 7 1 604800 (
    20180623001350 20180524001350 12410 com.
    Qj1DMmEhfkU5KI9MVrIlgKmQ5DxTjGuRNJ8i
    )
    604800 DNSKEY 256 3 7 (
    AwEAAfZWrsuiFoAAGcOTDWyVlDoZjQC8CZc6
    ) ; ZSK; alg = NSEC3RSASHA1; key id = 12410
    604800 DNSKEY 257 3 7 (
    AwEAAbc92MYUBPIs1L6lNAbubqRmZCfgv1h7
    ) ; KSK; alg = NSEC3RSASHA1; key id = 62649
    604800 RRSIG DNSKEY 7 1 604800 (
    20180623001350 20180524001350 12410 com.
    MuNVIE6oWV03+dXnXu+VufPQqfIgQvNIBODh
    )
    604800 RRSIG DNSKEY 7 1 604800 (
    20180623001350 20180524001350 62649 com.
    HxKx8nsyZ/qtrAvhsFJ9r7EBBwhSCGh0FJfM
    )
    0 NSEC3PARAM 1 0 10 1C5A91FD094B6845
    0 RRSIG NSEC3PARAM 7 1 0 (
    20180623001350 20180524001350 12410 com.
    qXpHn0q2GG/BK71mMYqCELsoHiFT6Oel82Jv
    )
dns1.com. 604800 IN A 192.168.56.3
    604800 RRSIG A 7 2 604800 (
    20180623001350 20180524001350 12410 com.
    aHB7ZCD8dDV4jMHJsUg23jjcm48tTnUvS8hy
    wYPPhwqjjYr/holMmg== )
a.com. 604800 IN A 192.168.56.7
    604800 RRSIG A 7 2 604800 (
    20180623001350 20180524001350 12410 com.
    0V7mUWUOuru41Rkp+RFp6eV13AHOdPnEanrV
    )
    604800 TXT "some-random-text"
    604800 RRSIG TXT 7 2 604800 (
    20180623001350 20180524001350 12410 com.
    Uta2/oGszVJAhm/DlGd7vnD+irg/GzyXlKHp
    )
b.com. 604800 IN A 192.168.56.8
    604800 RRSIG A 7 2 604800 (
    20180623001350 20180524001350 12410 com.
    2ui9x3SjrrEvFkcPbfcfC/NQW0MQOv2jy/Bd
    )
    604800 TXT ""
    604800 RRSIG TXT 7 2 604800 (
    20180623001350 20180524001350 12410 com.
    etX8lM00XXK9hUMM4FVsc51zuYOCz2+6qNLM
    )
8NRLOA7UP8TGKLFJ7A6KPTIS503NJ4NB.com. 604600 IN NSEC3 1 1 10 1C5A91FD094B6845 (
    QNU3FGJ5VOCSBIP3N93ITKLM4OP6GMCO
    A TXT RRSIG )
    604600 RRSIG NSEC3 7 2 604600 (
    20180623001350 20180524001350 12410 com.
    0qFfv4wr6WYSb4JlrtOlmPWykmCUKNdADlH8
    )
QNU3FGJ5VOCSBIP3N93ITKLM4OP6GMCO.com. 604600 IN NSEC3 1 1 10 1C5A91FD094B6845 (
    TVQJ9TFT4DPK7IGFE32TKLFG6EH2CUH5
    A RRSIG )
    604600 RRSIG NSEC3 7 2 604600 (
    20180623001350 20180524001350 12410 com.
    qZCi11tgJWJwjK2NI9KTVkcaJ0Eln0NVDsjM
    )
TVQJ9TFT4DPK7IGFE32TKLFG6EH2CUH5.com. 604600 IN NSEC3 1 1 10 1C5A91FD094B6845 (
    0J67JF0QNUUEKT5VF6FQPCRR9T8I8RT7
    NS SOA RRSIG DNSKEY NSEC3PARAM )
    604600 RRSIG NSEC3 7 2 604600 (
    20180623001350 20180524001350 12410 com.
    gud9iAHIRi4vR6eCgwOe6Xz0fR5F1qksJz6x
    )
0J67JF0QNUUEKT5VF6FQPCRR9T8I8RT7.com. 604600 IN NSEC3 1 1 10 1C5A91FD094B6845 (
    8NRLOA7UP8TGKLFJ7A6KPTIS503NJ4NB
    A TXT RRSIG )
    604600 RRSIG NSEC3 7 2 604600 (
    20180623001350 20180524001350 12410 com.
    8ZowNBjQXgaAx89kjTmgCu/9lYLk14L+xTWr
    )
```
I am using the following client Python script with the dnspython library:

```python
import dns.name
import dns.query
import dns.dnssec
import dns.message
import dns.resolver
import dns.rdatatype

# get nameservers for target domain
response = dns.resolver.query('com.', dns.rdatatype.NS)
# we'll use the first nameserver in this example
nsname = response.rrset[0]  # first NS record of the answer (an NS rdata object)
response = dns.resolver.query(nsname, dns.rdatatype.A)
print("DONE")
```
But I get this error:

```
Traceback (most recent call last):
  File "test-3-dnssec.py", line 13, in <module>
    response = dns.resolver.query(nsname,dns.rdatatype.A)
  File "C:\Python36\lib\site-packages\dns\resolver.py", line 1132, in query
    raise_on_no_answer, source_port)
  File "C:\Python36\lib\site-packages\dns\resolver.py", line 907, in query
    if qname.is_absolute():
AttributeError: 'NS' object has no attribute 'is_absolute'
```
The full client code comes from this answer:

```python
import dns.name
import dns.query
import dns.dnssec
import dns.message
import dns.resolver
import dns.rdatatype

# get nameservers for target domain
response = dns.resolver.query('example.com.', dns.rdatatype.NS)
# we'll use the first nameserver in this example
nsname = response.rrset[0]  # first NS record of the answer (an NS rdata object)
response = dns.resolver.query(nsname, dns.rdatatype.A)
nsaddr = response.rrset[0].to_text()  # IPv4

# get DNSKEY for zone; want_dnssec=True asks the server to include RRSIG records
request = dns.message.make_query('example.com.',
                                 dns.rdatatype.DNSKEY,
                                 want_dnssec=True)
# send the query
response = dns.query.udp(request, nsaddr)
if response.rcode() != 0:
    # HANDLE QUERY FAILED (SERVER ERROR OR NO DNSKEY RECORD)
    raise SystemExit("query failed: rcode %d" % response.rcode())

# answer should contain two RRSET: DNSKEY and RRSIG(DNSKEY)
answer = response.answer
if len(answer) != 2:
    # SOMETHING WENT WRONG
    raise SystemExit("expected DNSKEY and RRSIG(DNSKEY), got %d RRsets" % len(answer))

# the DNSKEY should be self signed, validate it
name = dns.name.from_text('example.com.')
try:
    dns.dnssec.validate(answer[0], answer[1], {name: answer[0]})
except dns.dnssec.ValidationFailure:
    # BE SUSPICIOUS
    raise SystemExit("DNSKEY RRset failed DNSSEC validation")
else:
    # WE'RE GOOD, THERE'S A VALID DNSSEC SELF-SIGNED KEY FOR example.com
    print("valid self-signed DNSKEY for example.com")
```
I cannot figure out what the problem is. Could you help me?
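As an added example (not part of the question or the linked answer), this shows the metadata checks a validator such as `dns.dnssec.validate` performs on the DNSKEY RRset and its RRSIGs before doing any cryptography: the RRSIG key tag must name a DNSKEY with the same algorithm, the signer must be the zone, the labels field must fit the owner name, and the current time must fall inside the inception/expiration window. The records are constructed from the posted zone with the shortened key data, so only these checks are possible here, not signature verification; the function names and the record layout are my own.

```python
import re
from datetime import datetime, timezone

# Constructed sample (not the asker's file verbatim): the DNSKEY RRset and its two RRSIGs
# from the signed zone in the question, one record per line, key and signature data
# shortened as in the post. Key tags come from the "key id" comments dnssec-signzone wrote.
ZONE_SNIPPET = """\
com. 604800 IN DNSKEY 256 3 7 AwEAAfZWrsuiFoAAGcOTDWyVlDoZjQC8CZc6 ; ZSK; alg = NSEC3RSASHA1; key id = 12410
com. 604800 IN DNSKEY 257 3 7 AwEAAbc92MYUBPIs1L6lNAbubqRmZCfgv1h7 ; KSK; alg = NSEC3RSASHA1; key id = 62649
com. 604800 IN RRSIG DNSKEY 7 1 604800 20180623001350 20180524001350 12410 com. MuNVIE6oWV03+dXnXu+VufPQqfIgQvNIBODh
com. 604800 IN RRSIG DNSKEY 7 1 604800 20180623001350 20180524001350 62649 com. HxKx8nsyZ/qtrAvhsFJ9r7EBBwhSCGh0FJfM
"""

def parse_zone(text):
    """Return ({key_tag: DNSKEY fields}, [RRSIG fields]) for the records a validator checks."""
    dnskeys, rrsigs = {}, []
    for f in (line.split() for line in text.splitlines() if line.strip()):
        if f[3] == "DNSKEY":
            tag = int(re.search(r"key id = (\d+)", " ".join(f)).group(1))
            dnskeys[tag] = {"owner": f[0], "flags": int(f[4]), "alg": int(f[6])}
        elif f[3] == "RRSIG":
            rrsigs.append({"owner": f[0], "covers": f[4], "alg": int(f[5]), "labels": int(f[6]),
                           "expire": f[8], "incept": f[9], "tag": int(f[10]), "signer": f[11]})
    return dnskeys, rrsigs

def sig_time(s):
    """RRSIG inception/expiration are YYYYMMDDHHMMSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_rrsig(sig, dnskeys, now):
    """Checks a validator makes before any cryptography; returns a list of problems (empty = ok)."""
    problems = []
    key = dnskeys.get(sig["tag"])
    if key is None:
        problems.append("no DNSKEY with key tag %d" % sig["tag"])
    elif key["alg"] != sig["alg"]:
        problems.append("algorithm mismatch: RRSIG %d vs DNSKEY %d" % (sig["alg"], key["alg"]))
    if sig["owner"] != sig["signer"] and not sig["owner"].endswith("." + sig["signer"]):
        problems.append("signer %s is not the zone of %s" % (sig["signer"], sig["owner"]))
    if sig["labels"] != len(sig["owner"].rstrip(".").split(".")):
        problems.append("labels field %d does not match owner name" % sig["labels"])
    if now < sig_time(sig["incept"]):
        problems.append("signature not yet valid")
    if now > sig_time(sig["expire"]):
        problems.append("signature expired on %s" % sig["expire"])
    return problems

def dnskey_rrset_is_self_signed(dnskeys, rrsigs, now):
    """True if the DNSKEY RRset has a currently valid RRSIG made by a KSK (flags 257)."""
    return any(s["covers"] == "DNSKEY" and not check_rrsig(s, dnskeys, now)
               and dnskeys[s["tag"]]["flags"] == 257 for s in rrsigs)
```

The signatures in the posted zone expire on 2018-06-23, so a validator run against that file after that date rejects them as expired regardless of how the client script is fixed.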