Tags: dns
Operating system: CentOS 5.5
BIND version: bind-9.3.6-4.P1
Master DNS address:
192.168.190.174
Slave DNS addresses:
telecom area: 192.168.184.241, 192.168.184.242
unicom area: 192.168.176.241, 192.168.176.242
hangyou area: 192.168.110.191, 192.168.110.192
1) Run the following on all master and slave servers
yum install -y perl-Net-SSLeay
rpm -ivh webmin-1.820-1.noarch.rpm
yum -y install bind* caching-nameserver
cd /var/named/chroot/etc
cp -av named.caching-nameserver.conf named.conf
chkconfig named on
service named start
2) Add hosts entries for every server on both the master and the slaves
vim /etc/hosts

192.168.190.174 DNS-190174.ch.com DNS-190174
192.168.184.241 DNS-184241.ch.com DNS-184241
192.168.184.242 DNS-184242.ch.com DNS-184242
192.168.176.241 DNS-176241.ch.com DNS-176241
192.168.176.242 DNS-176242.ch.com DNS-176242
192.168.110.191 DNS-110191.ch.com DNS-110191
192.168.110.192 DNS-110192.ch.com DNS-110192
3) Open Webmin on the master DNS server:
https://192.168.190.174:10000/
Register the slave servers:
https://192.168.190.174:10000/servers/
4) Go to Cluster Slave Servers and configure the slave servers
5) Paste the part of the master's named.conf that comes before the view statements into every slave node
options {
    listen-on port 53 {
        192.168.190.174;    // set this to each server's own IP (master or slave)
    };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };
    allow-query-cache { any; };
    dnssec-enable yes;    // can also be turned on in Webmin under DNSSEC Verification by selecting yes
    forwarders {          // can also be set in Webmin under "Forwarding and Transfers"
        180.76.76.76;
        223.5.5.5;
        114.114.114.114;
    };
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

include "/etc/dns.acl";
include "/etc/unicom.acl";
include "/etc/hangyou.acl";

key "unicom_key" {
    algorithm hmac-md5;
    secret "IpN2QloOKigDG0oOUbWdqA==";
};
key "hangyou_key" {
    algorithm hmac-md5;
    secret "rbzJeWvXUkFPIKb0kRwNOQ==";
};
key "any_key" {
    algorithm hmac-md5;
    secret "qdtTr5nLv90YURPio5WRVA==";
};
Generating the TSIG keys
Use ddns-confgen, a tool shipped with BIND, to generate the TSIG keys. Each view needs its own TSIG key. For example:
ddns-confgen -a hmac-md5
Sample output:
# To activate this key, place the following in named.conf, and
# in a separate keyfile on the system or systems from which nsupdate
# will be run:
// the value after "secret" below is the TSIG key we need
key "ddns-key" {
    algorithm hmac-md5;
    secret "O+DKeC059bYyNH6S6Nq7OA==";
};

# Then, in the "zone" statement for each zone you wish to dynamically
# update, place an "update-policy" statement granting update permission
# to this key. For example, the following statement grants this key
# permission to update any name within the zone:
update-policy {
    grant ddns-key zonesub ANY;
};

# After the keyfile has been placed, the following command will
# execute nsupdate using this key:
nsupdate -k
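The configuration above stops at the key definitions. The sketch below shows how a per-view key ties a view on the master to the same view on a slave; it is an added example, not part of the original post and not Webmin's output. Assumptions: the zone name example.com, the zone file paths, an ACL named unicom defined in /etc/unicom.acl, and that each slave carries every view; only the unicom view and one slave are shown.

```conf
// Added example. example.com, the file paths and the ACL name "unicom"
// are assumptions; key names and IP addresses are the ones used on this page.

// ---- master (192.168.190.174): named.conf, after the key statements ----
view "unicom" {
    // Requests signed with another view's key must fall through to that
    // view, even when the sender's IP is inside the unicom ACL.
    match-clients { !key hangyou_key; !key any_key; key unicom_key; unicom; };

    // Sign NOTIFY messages sent from this view to the slave with unicom_key,
    // so the slave files them under its own "unicom" view.
    server 192.168.176.241 { keys { unicom_key; }; };

    // Only holders of this view's key may transfer its zones.
    allow-transfer { key unicom_key; };

    zone "example.com" {
        type master;
        file "unicom/example.com.zone";
        also-notify { 192.168.176.241; };
    };
};

// ---- slave (192.168.176.241): named.conf, after the key statements ----
view "unicom" {
    match-clients { !key hangyou_key; !key any_key; key unicom_key; unicom; };

    // Sign SOA queries and AXFR/IXFR requests to the master with unicom_key,
    // so the master answers from its "unicom" view and not by source IP.
    server 192.168.190.174 { keys { unicom_key; }; };

    zone "example.com" {
        type slave;
        masters { 192.168.190.174; };
        file "slaves/unicom.example.com.zone";
        allow-transfer { none; };
    };
};
```

The hangyou and any views repeat the same pattern with their own key, and each view negates the keys of the other views in match-clients.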
BIND 9: synchronizing a master DNS server with multiple slave DNS servers using TSIG keys in a multi-view setup
Original article: http://leomars.blog.51cto.com/683246/1976077