На главную страницу  
+7 (499) 124-62-26
О компании Продукты Демо-версии Купить Цены Контакты Решения
OpenVPN-ГОСТ
КриптоСервер
КриптоТуннель
Защита RDP
КриптоПакет
"Вьюга"

MAGPRO DNS.

USING BIND AS DNS-SERVER OR RESOLVER WITH DNSSEC AND GOST CRYPTOALGORITHMS SUPPORT

The source code of BIND 9.7.0-P2 is available here: ftp://ftp.isc.org/isc/bind9/9.7.0-P2/bind-9.7.0-P2.tar.gz
The GOST support patch is available here: bind97_gost.diff.gz


Installation

You should install BIND 9.7.0-P2 from sources with GOST support patch applied.
The version number is important because the patch is designed only for this version.

First of all make sure that OpenSSL 1.0.0 is installed with GOST support and configured properly.
You can find info about how to do this on the page:
Installing and configuring OpenSSL 1.0.0.

You'll need perl modules for building BIND. In Debian GNU\Linux lenny they are available through pearl-modules package:

$ sudo apt-get install perl-modules

To install BIND with GOST support you should do it this way (we assume that OpenSSL 1.0.0 is installed to /usr/local directory):

$ wget ftp://ftp.isc.org/isc/bind9/9.7.0-P2/bind-9.7.0-P2.tar.gz
$ tar xzf bind-9.7.0-P2.tar.gz
$ cd bind-9.7.0-P2
$ wget http://cryptocom.ru/dns/bind97_gost.diff.gz
$ gunzip bind97_gost.diff.gz
$ patch -p0 < bind97_gost.diff
$ ./configure --with-openssl=/usr/local --prefix=/usr/local LDFLAGS=-Wl,-rpath,/usr/local/lib
$ make
$ sudo make install

Please note that when installing BIND from sources no init-script for the daemon will be created. And no new user will be created.


Using in «chroot» environment

We assume that BIND and OpenSSL 1.0.0 are installed in the /usr/local directory and the chroot directory is /var/chroot.
In chroot environment BIND will need OpenSSL config files and shared libraries to be placed in standard places inside chroot.
This is the way to prepare them:

$ mkdir -p /var/chroot/usr/local/openssl
$ mkdir -p /var/chroot/usr/local/lib/engines
$ mkdir -p /var/chroot/var/log/bind
$ cp /usr/local/openssl/openssl.cnf /var/chroot/usr/local/openssl
$ cp /usr/local/lib/engines/libgost.so /var/chroot/usr/local/lib/engines
$ cp -r /usr/local/etc /var/chroot/usr/local/

You need to place other files into chroot environment if they are needed by BIND.


A DNS-server config file sample (not serving as a resolver)

This sample shows how to enable DNSSEC and include signed zones in BIND config.
The key options are:
dnssec-enable yes;
logging { […] };

options {
        directory       "/usr/local/etc";

                listen-on{
                         127.0.0.1;
                         10.51.24.198;
                        };
allow-query { 10.51.0.0/16; };
allow-transfer { any; };
dnssec-enable yes;
recursion no;
};

acl "trusted-dns"{
                 127.0.0.1;
                 10.51.0.0/16;
};

logging {
        channel dnssec_ch {
                file "/var/log/bind/dnssec.log" versions 3 size 8000k;
                severity debug 3;
                print-time yes;
                print-category yes;
        };
        category dnssec { dnssec_ch; };
        };

zone "example.com" {
type master;
file "/usr/local/etc/example.com";
allow-query { any; };
allow-transfer { any; };

};

key "rndc-key" {
      algorithm hmac-md5;
      secret "qquxnvB2qzY915EkE52vVg==";
};

controls {
      inet 127.0.0.1 port 953
              allow { 127.0.0.1; } keys { "rndc-key"; };
};

Resolver config file sample

The key options are:

dnssec-enable yes;
dnssec-validation yes;
recursion yes;
trusted-keys { […] };
logging { […] };

trusted-keys {
"com." 257 3 12 "ZottC9UQiYanvu7rC6R/MNhTgZEdMOk7MUXBrIZt/9d+XX/CV315X3sP GWVJ3/i2ynYxnsnTqkKNVYQsqRrvSw==";
};

options {
        directory       "/usr/local/etc";

                listen-on{
                         127.0.0.1;
                         10.51.24.184;
                        };
allow-query { any; };
allow-transfer { any; };
dnssec-enable yes;
dnssec-validation yes;
recursion yes;
};

acl "trusted-dns"{
                 127.0.0.1;
		 10.51.0.0/16;
};

logging {
        channel dnssec_ch {
                file "/var/log/bind/dnssec.log" versions 3 size 8000k;
                severity debug 3;
                print-time yes;
                print-category yes;
        };
	category dnssec { dnssec_ch; };
        };

zone "." {
type hint;
file "/usr/local/etc/root.servers";
};

key "rndc-key" {
      algorithm hmac-md5;
      secret "qquxnvB2qzY915EkE52vVg==";
};

controls {
      inet 127.0.0.1 port 953
              allow { 127.0.0.1; } keys { "rndc-key"; };
};

Reload configuration

After changing configuration of BIND or zone files you should use this command:

$ sudo rndc reload

MagPro DNS

Installing and configuring OpenSSL 1.0.0

Installing and using BIND with DNSSEC and GOST support

Signing a zone with «dnssec-signzone»

Checking DNSSEC with the «dig» utility

Installing and using Unbound+LDNS+NSD with DNSSEC and GOST support

Signing a zone with «ldns-signzone»

Checking DNSSEC with the «drill» utility

DNSSEC FAQ

 
Copyright © ООО "Криптоком". 2001-2016. All Rights Reserved.