DNS子域授权

当一个域很大时，而且还有上，下层关系，如果所有的记录变更都由某一台服务器来管理的话，那将会是什么样子？就好比一个公司的总经理直接管理公司1000个人的所有事项，恐怕会被累死。所以会在总经理下面设科室，科室下面又分班组，这样一层管理一层会比较好管理些。

同样道理，DNS中也分域和子域，上层DNS可以将子域的管理授权给子域中的DNS服务器来管理记录的变更，这种做法就叫子域授权。

子域授权配置

假设父域为：frank.com,NS地址：master.frank.com 子域为：mf.frank.com,NS地址：sub.mf.frank.com

父域服务器配置

只需在区域解析库文件中添加下层DNS服务器的NS与A记录即可。

# vi /var/named/frank.com.zone

$TTL 1D

frank.com.  IN SOA  master.frank.com.    admin.frank.com. (

        201802002   ;序列号

        3H          ;刷新时间

        10M         ;重试时间间隔

        1W          ;过期时间

        1D          ;无法解析时否定答案的TTL值

        )

frank.com.           IN  NS  master.frank.com.

mf.frank.com.        IN  NS  sub.mf.frank.com.

master.frank.com.    IN  A   192.168.138.200

sub.mf.frank.com.    IN  A   192.168.138.201

frank.com.           IN  MX 10  mx1.frank.com.

                     IN  MX 20  mx2.frank.com.

mx1.frank.com.       IN  A   192.168.138.200

mx2.frank.com.       IN  A   192.168.138.200

www                  IN  A   192.168.138.200

master               IN  CNAME   www.frank.com.

web                  IN  CNAME   www.frank.com.

子域服务器配置

子域需要有完整的区域相关的配置，配置内容和主，从配置相同。

• 在/etc/named.rfc1912.zones中加入子域区域定义。

# vi /etc/named.conf

...

zone "mf.frank.com" IN {

	type master;

	file "mf.frank.com.zone";

};

• 创建mf.frank.com.zone区域解析库文件

# vi /var/named/mf.frank.com.zone

$TTL 600

@   IN SOA  sub.mf.frank.com.   admin.sub.mf.frank.com. (

        201802001

        2H

        15M

        1W

        1D )

@   IN  NS  sub.mf.frank.com.

sub IN  A   192.168.138.201

www IN  A   192.168.138.201

配置完成重载配置文件

# rndc reload

server reload successful

在父域测试解析子域名www.mf.frank.com的A记录

# dig -t A www.mf.frank.com @192.168.138.200

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> -t A www.mf.frank.com @192.168.138.200

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17968

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:

;www.mf.frank.com.		IN	A

;; ANSWER SECTION:

www.mf.frank.com.	600	IN	A	192.168.138.201

;; AUTHORITY SECTION:

mf.frank.com.		600	IN	NS	sub.mf.frank.com.

;; ADDITIONAL SECTION:

sub.mf.frank.com.	600	IN	A	192.168.138.201

;; Query time: 19 msec

;; SERVER: 192.168.138.200#53(192.168.138.200)

;; WHEN: Sat Feb 24 22:27:22 CST 2018

;; MSG SIZE  rcvd: 95

在子域DNS服务器添加指向父域的转发器

# vi /etc/named.rfc1912.conf

...

zone "mf.frank.com" IN {

    type    master;

    file "mf.frank.com.zone";

};

//将查询父域的请求转发给父域DNS

zone "frank.com" IN {

    type    forward;

    forward only;

    forwarders { 192.168.138.200; };

};

配置完成重载配置文件

# rndc reload

server reload successful

在子域服务器上使用自己的DNS解析父域www.frank.com的A记录

# dig -t A www.frank.com @192.168.138.201

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> -t A www.frank.com @192.168.138.201

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63485

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:

;www.frank.com.			IN	A

;; ANSWER SECTION:

www.frank.com.		142	IN	A	192.168.138.200

;; AUTHORITY SECTION:

frank.com.		142	IN	NS	master.frank.com.

;; ADDITIONAL SECTION:

master.frank.com.	142	IN	A	192.168.138.200

;; Query time: 0 msec

;; SERVER: 192.168.138.201#53(192.168.138.201)

;; WHEN: Sat Feb 24 22:46:24 CST 2018

;; MSG SIZE  rcvd: 95