{"id":110,"date":"2017-06-30T05:51:04","date_gmt":"2017-06-30T05:51:04","guid":{"rendered":"https:\/\/oimi.me\/?p=110"},"modified":"2017-06-30T05:51:04","modified_gmt":"2017-06-30T05:51:04","slug":"%e6%90%ad%e5%bb%ba%e4%b8%80%e5%a5%97%e6%9d%83%e5%a8%81-dns-%e6%9c%8d%e5%8a%a1%e6%9e%b6%e6%9e%84","status":"publish","type":"post","link":"https:\/\/myya.net\/index.php\/2017\/06\/30\/%e6%90%ad%e5%bb%ba%e4%b8%80%e5%a5%97%e6%9d%83%e5%a8%81-dns-%e6%9c%8d%e5%8a%a1%e6%9e%b6%e6%9e%84\/","title":{"rendered":"\u642d\u5efa\u4e00\u5957\u6743\u5a01 DNS \u670d\u52a1\u67b6\u6784"},"content":{"rendered":"<p>\u6709\u4e00\u4e2a\u80fd\u652f\u6301 Let\u2019s Encrypt \u7684 DNS \u670d\u52a1\uff0c\u51b3\u5b9a\u6682\u65f6\u820d\u5f03 GeoDNS \u529f\u80fd\uff0c\u4f7f\u7528\u4e00\u5957\u66f4\u52a0\u6210\u719f\u7684\u89e3\u51b3\u65b9\u6848\u63d0\u4f9b\u670d\u52a1\u3002<!--more--><\/p>\n<p>\u642d\u914d\u65b9\u6848\u5982\u4e0b\uff1a<\/p>\n<ul>\n<li><a href=\"https:\/\/www.powerdns.com\/\" target=\"_blank\" rel=\"external noopener\">PowerDNS<\/a><\/li>\n<li>MySQL<\/li>\n<li><a href=\"https:\/\/github.com\/ngoduykhanh\/PowerDNS-Admin\" target=\"_blank\" rel=\"external noopener\">PowerDNS-Admin<\/a><\/li>\n<li>NGINX, Let\u2019s Encrypt<\/li>\n<li>Supervisor, VirtualEnv, Gunicorn, \u2026<\/li>\n<\/ul>\n<p>\u670d\u52a1\u5668\u90e8\u7f72\uff1a<\/p>\n<ul>\n<li>\u7ba1\u7406\u670d\u52a1\u5668 x1\n<ul>\n<li>MySQL Master<\/li>\n<li>PowerDNS<\/li>\n<li>PowerDNS-Admin, supervisor, virtualenv, gunicorn\u2026<\/li>\n<li>NGINX, Let\u2019s Encrypt<\/li>\n<\/ul>\n<\/li>\n<li>DNS \u670d\u52a1\u5668 x4\n<ul>\n<li>MySQL Slave<\/li>\n<li>PowerDNS<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>\u5728\u7ba1\u7406\u670d\u52a1\u5668\u4e0a\u5b89\u88c5 PowerDNS \u548c MySQL Master \u7684\u8003\u91cf\u662f\u7531\u4e8e PowerDNS-Admin \u4f7f\u7528 PowerDNS HTTP API\uff0c\u5728\u7ba1\u7406\u670d\u52a1\u5668\uff08\u6216\u7ba1\u7406\u79c1\u7f51\u4e2d\uff09\u542f\u52a8\u4e00\u4e2a\u4ec5\u7528\u4e8e\u63d0\u4f9b API 
\u548c\u64cd\u4f5c\u4e3b\u6570\u636e\u5e93\u7684 PowerDNS \u5b9e\u4f8b\u80fd\u591f\u51cf\u8f7b Primary NS Server \u7684\u538b\u529b\u5e76\u63d0\u5347\u5b89\u5168\u6027\u3002\u6574\u5957\u67b6\u6784\u4f7f\u7528 Ansible \u8fdb\u884c\u81ea\u52a8\u5316\u90e8\u7f72\uff0c\u4e0d\u8fc7\u597d\u4e45\u6ca1\u7528\u4e86\u5404\u79cd\u751f\u758f\uff0c\u7167\u7740\u6587\u6863\u6298\u817e\u597d\u4e45\u7684\u914d\u7f6e\u2026<\/p>\n<p>\u4e8e\u662f\u8fd9\u91cc\u6682\u4e14\u8bb0\u5f55\u4e0b\u6574\u4e2a\u8fc7\u7a0b\u3002\u6709\u4e9b\u5751\u53ea\u662f\u4f5c\u8005\u4e00\u65f6\u758f\u5ffd\u6216\u8005\u6709\u522b\u7684\u8003\u91cf\u4f46\u6ca1\u6709\u660e\u786e\u8bb0\u5f55\uff0c\u4e5f\u8bb8\u5728\u672a\u6765\u7684\u7248\u672c\u4e2d\u4f1a\u4fee\u590d\u3002<\/p>\n<h3 id=\"\u5b89\u88c5-PowerDNS\">\u5b89\u88c5 PowerDNS<\/h3>\n<p>\u6240\u6709\u670d\u52a1\u5668\u5747\u4f7f\u7528 Ubuntu 16.04\uff0c\u9700\u8981 PowerDNS 4.0 \u4ee5\u4e0a\u7684\u7248\u672c\u3002\u6309\u7167<a href=\"https:\/\/repo.powerdns.com\/\" target=\"_blank\" rel=\"external noopener\">\u6b64\u9875\u9762<\/a>\u7684\u8bf4\u660e\u6dfb\u52a0 PowerDNS \u5b98\u65b9\u7684\u4ed3\u5e93\u5373\u53ef\u3002（本文写于 2017 年，Ubuntu 16.04 与 PowerDNS 4.0 均已停止维护；实际部署时请换用仍在支持期内的发行版和 PowerDNS 版本，架构思路不变。）<\/p>\n<table>\n<tbody>\n<tr>\n<td class=\"code\">\n<pre><span class=\"line\"><span class=\"meta\"># apt install pdns-server pdns-backend-mysql mysql-server<\/span><\/span><\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u7531 dpkg \u81ea\u52a8\u914d\u7f6e PowerDNS \u7684\u6570\u636e\u5e93\uff0c\u7136\u540e\u5220\u9664 <code>\/etc\/powerdns\/pdns.d<\/code> \u4e0b<strong>\u65e0\u5173<\/strong>\u7684\u914d\u7f6e\u6587\u4ef6\u3002注意 dpkg 自动生成的 gmysql 后端配置文件中写有数据库口令，请保持其属主为 root:pdns、权限 0640，不要让其他本地用户可读。<\/p>\n<table>\n<tbody>\n<tr>\n<td class=\"code\">\n<pre><span class=\"line\"># <span class=\"keyword\">rm<\/span> \/etc\/powerdns\/pdns.<span class=\"keyword\">d<\/span>\/pdns.<span class=\"keyword\">local<\/span>.<span class=\"keyword\">conf<\/span><\/span>\n<span class=\"line\"># <span class=\"keyword\">rm<\/span> \/etc\/powerdns\/pdns.<span class=\"keyword\">d<\/span>\/pdns.simplebind.<span 
class=\"keyword\">conf<\/span><\/span><\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u914d\u7f6e MySQL Replication\uff0c\u7ba1\u7406\u670d\u52a1\u5668\u4f5c\u4e3a Master\uff0c\u5176\u4ed6 DNS \u670d\u52a1\u5668\u4f5c\u4e3a Slave\u3002\u7ec6\u8282\u4e0d\u591a\u8bb2\uff0c<a href=\"https:\/\/dev.mysql.com\/doc\/refman\/5.7\/en\/replication-howto.html\" target=\"_blank\" rel=\"external noopener\">\u5b98\u65b9\u6587\u6863<\/a>\u6216\u8005 <a href=\"https:\/\/www.digitalocean.com\/community\/tutorials\/how-to-set-up-master-slave-replication-in-mysql\" target=\"_blank\" rel=\"external noopener\">DigitalOcean Tutorial<\/a>\u3002安全方面有几点要补充：复制账号只授予 REPLICATION SLAVE 权限；Master 的 3306 端口只对四台 Slave 的地址开放（防火墙\/安全组），跨公网复制时为复制链路启用 TLS；Slave 上设置 read_only，PowerDNS 在 Slave 上使用的数据库账号只需要 SELECT 权限。<\/p>\n<p>\u7ba1\u7406\u670d\u52a1\u5668 (MySQL Master) PowerDNS \u914d\u7f6e\u6587\u4ef6 <code>\/etc\/powerdns\/pdns.conf<\/code>。其中 api-key 必须换成随机生成的高熵字符串（例如 <code>openssl rand -hex 32<\/code> 的输出）；这个文件连同 pdns.d 下的后端配置包含 API 密钥和数据库口令，权限应为 root:pdns 0640。<\/p>\n<table>\n<tbody>\n<tr>\n<td class=\"code\">\n<pre><span class=\"line\"><span class=\"attr\">api<\/span>=<span class=\"literal\">yes<\/span><\/span>\n<span class=\"line\"><span class=\"attr\">api-key<\/span>=yourapisecretkey<\/span>\n<span class=\"line\"><span class=\"attr\">api-logfile<\/span>=\/var\/log\/pdns-api.log<\/span>\n<span class=\"line\"><span class=\"attr\">config-dir<\/span>=\/etc\/powerdns<\/span>\n<span class=\"line\"><span class=\"attr\">guardian<\/span>=<span class=\"literal\">yes<\/span><\/span>\n<span class=\"line\"><span class=\"attr\">include-dir<\/span>=\/etc\/powerdns\/pdns.d<\/span>\n<span class=\"line\"><span class=\"attr\">launch<\/span>=<\/span>\n<span class=\"line\"><span class=\"attr\">local-address<\/span>=<span class=\"number\">127.0<\/span>.<span class=\"number\">0.1<\/span>  # \u4e0d\u5bf9\u5916\u63d0\u4f9b\u670d\u52a1<\/span>\n<span class=\"line\"><span class=\"attr\">local-ipv6<\/span>=::<span class=\"number\">1<\/span><\/span>\n<span class=\"line\"><span class=\"attr\">security-poll-suffix<\/span>=<\/span>\n<span class=\"line\"><span class=\"attr\">setgid<\/span>=pdns<\/span>\n<span class=\"line\"><span class=\"attr\">setuid<\/span>=pdns<\/span>\n<span class=\"line\"><span 
class=\"attr\">webserver<\/span>=<span class=\"literal\">yes<\/span><\/span>\n<span class=\"line\"><span class=\"attr\">webserver-address<\/span>=<span class=\"number\">127.0<\/span>.<span class=\"number\">0.1<\/span>  # \u4ec5\u5411\u672c\u673a\u7684 PowerDNS-Admin \u8c03\u7528\u3002\u5982\u679c\u914d\u7f6e\u5728\u5185\u7f51\uff0c\n\u8bf7\u4f7f\u7528\u5185\u7f51 IP<\/span>\n<span class=\"line\"><span class=\"attr\">webserver-allow-from<\/span>=<span class=\"number\">127.0<\/span>.<span class=\"number\">0.1<\/span>\/<span class=\"number\">32<\/span>  # \u540c\u4e0a\uff0c\u5982\u679c\u4f7f\u7528\u5185\u7f51\u5219\u5199 \nPowerDNS-Admin \u5728\u5185\u7f51\u7684 IP<\/span>\n<span class=\"line\"><span class=\"attr\">webserver-port<\/span>=<span class=\"number\">8081<\/span><\/span>\n<span class=\"line\"><span class=\"attr\">default-soa-name<\/span>=ns1.example.com  # \u6539\u4e3a Primary NS \u7684\u5730\u5740<\/span>\n<span class=\"line\"><span class=\"attr\">default-soa-edit<\/span>=INCEPTION-INCREMENT<\/span>\n<span class=\"line\"><span class=\"attr\">default-soa-mail<\/span>=hostmaster.example.com  # \u6539\u4e3a\u9ed8\u8ba4\u670d\u52a1\u5668\u7ba1\u7406\u5458\u7684\u90ae\u7bb1\u5730\u5740\uff0c\n\u5e76\u5c06 <span class=\"string\">'@'<\/span> \u66ff\u6362\u4e3a <span class=\"string\">'.'<\/span><\/span>\n<span class=\"line\"><span class=\"attr\">default-ttl<\/span>=<span class=\"number\">3600<\/span><\/span><\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>DNS \u670d\u52a1\u5668 (MySQL Slaves) PowerDNS \u914d\u7f6e\u6587\u4ef6 <code>\/etc\/powerdns\/pdns.conf<\/code><\/p>\n<table>\n<tbody>\n<tr>\n<td class=\"code\">\n<pre><span class=\"line\"><span class=\"attr\">config-dir<\/span>=\/etc\/powerdns<\/span>\n<span class=\"line\"><span class=\"attr\">daemon<\/span>=<span class=\"literal\">yes<\/span><\/span>\n<span class=\"line\"><span class=\"attr\">disable-axfr<\/span>=<span class=\"literal\">yes<\/span><\/span>\n<span class=\"line\"><span 
class=\"attr\">guardian<\/span>=<span class=\"literal\">yes<\/span><\/span>\n<span class=\"line\"><span class=\"attr\">include-dir<\/span>=\/etc\/powerdns\/pdns.d<\/span>\n<span class=\"line\"><span class=\"attr\">launch<\/span>=<\/span>\n<span class=\"line\"><span class=\"attr\">security-poll-suffix<\/span>=<\/span>\n<span class=\"line\"><span class=\"attr\">server-id<\/span>=ns1.example.com  # \u6539\u4e3a\u5f53\u524d\u670d\u52a1\u5668\u7684 ID\uff0cns1\/ns2\/ns3\/etc...<\/span>\n<span class=\"line\"><span class=\"attr\">setgid<\/span>=pdns<\/span>\n<span class=\"line\"><span class=\"attr\">setuid<\/span>=pdns<\/span>\n<span class=\"line\"><span class=\"attr\">version-string<\/span>=anonymous  # \u53ef\u4ee5\u5199\u4efb\u610f\u5b57\u7b26\u4e32\u6076\u641e_(:\u0437\u300d\u2220)_<\/span><\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3 id=\"\u5b89\u88c5-PowerDNS-Admin\">\u5b89\u88c5 PowerDNS-Admin<\/h3>\n<p>\u4f5c\u8005\u6709\u63d0\u4f9b\u8be6\u7ec6\u7684<a href=\"https:\/\/github.com\/ngoduykhanh\/PowerDNS-Admin\/wiki\/Install-PowerDNS-Admin-in-Ubuntu-14.04-LTS-or-16.04-LTS\" target=\"_blank\" rel=\"external noopener\">\u6559\u7a0b<\/a>\u4f46\u662f\u8fd8\u662f<a href=\"https:\/\/github.com\/ngoduykhanh\/PowerDNS-Admin\/issues\/126\" target=\"_blank\" rel=\"external noopener\">\u6709\u5751<\/a>\u3002<\/p>\n<p>\u5b89\u88c5\u4f9d\u8d56\uff1a<\/p>\n<table>\n<tbody>\n<tr>\n<td class=\"code\">\n<pre><span class=\"line\"># apt install git python-pip supervisor virtualenv python-<span class=\"built_in\">dev<\/span> \nlibmysqlclient-<span class=\"built_in\">dev<\/span> libsasl2-<span class=\"built_in\">dev<\/span> libldap2-<span class=\"built_in\">dev<\/span> libssl-<span class=\"built_in\">dev<\/span> letsencrypt<\/span><\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><a href=\"https:\/\/github.com\/ngoduykhanh\/PowerDNS-Admin\/wiki\/Prepare-MySQL-or-MariaDB-Database-for-PowerDNS-Admin\" target=\"_blank\" rel=\"external 
noopener\">\u521b\u5efa\u6570\u636e\u5e93<\/a>\uff0c\u5207\u6362\u5230\u666e\u901a\u7528\u6237\u6743\u9650\uff0cclone \u4ed3\u5e93\u5230\u672c\u5730（建议 checkout 到一个固定的 release tag 或 commit，而不是直接跟着 master 分支跑），\u7136\u540e\u4e00\u6b65\u4e00\u6b65\u64cd\u4f5c\u5373\u53ef\u3002<\/p>\n<table>\n<tbody>\n<tr>\n<td class=\"code\">\n<pre><span class=\"line\"><span class=\"symbol\">$<\/span> git clone https:<span class=\"comment\">\/\/github.com\/ngoduykhanh\/PowerDNS-Admin.git<\/span><\/span>\n<span class=\"line\"><span class=\"symbol\">$<\/span> cd PowerDNS-Admin<\/span>\n<span class=\"line\"><span class=\"symbol\">$<\/span> virtualenv flask<\/span>\n<span class=\"line\"><span class=\"symbol\">$<\/span> source .\/flask\/bin\/activate<\/span>\n<span class=\"line\"><span class=\"symbol\">$<\/span> pip install -r requirements.txt<\/span>\n<span class=\"line\"><span class=\"symbol\">$<\/span> pip install mysql gunicorn<\/span>\n<span class=\"line\"><span class=\"symbol\">$<\/span> cp config_template.py config.py<\/span>\n<span class=\"line\"><span class=\"symbol\">$<\/span> vim config.py<\/span><\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u914d\u7f6e\u6587\u4ef6 <code>config.py<\/code> \u4e2d\u9700\u8981\u66f4\u6539\u7684\u5730\u65b9\uff1a<\/p>\n<p>SECRET_KEY 用来签名 Flask 的会话 cookie，拿到或猜到它就能伪造任意用户（包括管理员）的登录会话，务必使用随机值（如 <code>openssl rand -hex 32<\/code>）；config.py 同时含有数据库口令和 PowerDNS API 密钥，权限设为 0600，并且不要提交进版本库。<\/p>\n<table>\n<tbody>\n<tr>\n<td class=\"code\">\n<pre><span class=\"line\"><span class=\"attr\">SECRET_KEY<\/span> = <span class=\"string\">'yoursessionencryptkey'<\/span><\/span>\n<span class=\"line\"><span class=\"attr\">SQLA_DB_USER<\/span> = <span class=\"string\">'yourdbusername'<\/span><\/span>\n<span class=\"line\"><span class=\"attr\">SQLA_DB_PASSWORD<\/span> = <span class=\"string\">'yourdbpassword'<\/span><\/span>\n<span class=\"line\"><span class=\"attr\">SQLA_DB_HOST<\/span> = <span class=\"string\">'localhost'<\/span><\/span>\n<span class=\"line\"><span class=\"attr\">SQLA_DB_NAME<\/span> = <span class=\"string\">'yourdbname'<\/span><\/span>\n<span class=\"line\"><span class=\"attr\">PDNS_STATS_URL<\/span> = <span 
class=\"string\">'http:\/\/localhost:8081\/'<\/span><\/span>\n<span class=\"line\"><span class=\"attr\">PDNS_API_KEY<\/span> = <span class=\"string\">'yourapisecretkey'<\/span><\/span>\n<span class=\"line\"><span class=\"attr\">PDNS_VERSION<\/span> = <span class=\"string\">'4.0.0'<\/span><\/span>\n<span class=\"line\"><span class=\"attr\">RECORDS_ALLOW_EDIT<\/span> = [<span class=\"string\">'A'<\/span>, <span class=\"string\">'AAAA'<\/span>, <span class=\"string\">'CNAME'<\/span>, <span class=\"string\">'SPF'<\/span>,\n <span class=\"string\">'PTR'<\/span>, <span class=\"string\">'MX'<\/span>, <span class=\"string\">'TXT'<\/span>, <span class=\"string\">'SRV'<\/span>, <span class=\"string\">'NS'<\/span>, <span class=\"string\">'SOA'<\/span>]<\/span><\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u7136\u540e\u6267\u884c <code>.\/create_db.py<\/code>\u3002\u5982\u679c\u6ca1\u6709\u62a5\u9519\u8bf4\u660e\u6570\u636e\u5e93\u5b89\u88c5\u6210\u529f\uff0c\u6267\u884c <code>.\/run.py<\/code> \u5373\u53ef\u8bbf\u95ee <code>http:\/\/127.0.0.1:9393<\/code> \u770b\u5230\u767b\u9646\u9875\u9762\u4e86\u3002<\/p>\n<h3 id=\"\u90e8\u7f72-Web-\u670d\u52a1\">\u90e8\u7f72 Web \u670d\u52a1<\/h3>\n<p>\u76f4\u63a5\u8dd1 <code>run.py<\/code> \u5f53\u7136\u4e0d\u79d1\u5b66\u3002Supervisor \u914d\u7f6e\u6587\u4ef6 <code>\/etc\/supervisor\/conf.d\/pdnsadmin.conf<\/code><\/p>\n<table>\n<tbody>\n<tr>\n<td class=\"code\">\n<pre><span class=\"line\"><span class=\"section\">[program:pdnsadmin]<\/span><\/span>\n<span class=\"line\"><span class=\"attr\">command<\/span>=\/home\/pdns\/PowerDNS-Admin\/flask\/bin\/gunicorn run:app<\/span>\n<span class=\"line\"><span class=\"attr\">directory<\/span>=\/home\/pdns\/PowerDNS-Admin\/<\/span>\n<span class=\"line\"><span class=\"attr\">user<\/span>=pdns<\/span>\n<span class=\"line\"><span class=\"attr\">autostart<\/span>=<span class=\"literal\">true<\/span><\/span>\n<span class=\"line\"><span 
class=\"attr\">stdout_logfile<\/span>=\/var\/log\/supervisor\/pdns-stdout.log<\/span>\n<span class=\"line\"><span class=\"attr\">stdout_logfile_maxbytes<\/span>=<span class=\"number\">1<\/span>MB<\/span>\n<span class=\"line\"><span class=\"attr\">stdout_logfile_backups<\/span>=<span class=\"number\">2<\/span><\/span>\n<span class=\"line\"><span class=\"attr\">stderr_logfile<\/span>=\/var\/log\/supervisor\/pdns-stderr.log<\/span>\n<span class=\"line\"><span class=\"attr\">stderr_logfile_maxbytes<\/span>=<span class=\"number\">1<\/span>MB<\/span>\n<span class=\"line\"><span class=\"attr\">stderr_logfile_backups<\/span>=<span class=\"number\">2<\/span><\/span><\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>注意这里 gunicorn 以 pdns 用户运行，与 PowerDNS 守护进程（setuid=pdns）共用同一个账号；更符合最小权限原则的做法是为 PowerDNS-Admin 单独创建一个账号（例如 pdnsadmin），这样 Web 应用被攻破时不会直接获得 DNS 守护进程的身份及其可读的配置文件。<\/p>\n<p>\u521b\u5efa DHParam<\/p>\n<table>\n<tbody>\n<tr>\n<td class=\"code\">\n<pre><span class=\"line\"><span class=\"meta\"># cd \/etc\/ssl\/certs<\/span><\/span>\n<span class=\"line\"><span class=\"meta\"># openssl dhparam -out dhparam.pem 4096 # \u5982\u679c\u6027\u80fd\u4e0d\u591f\u8bf7\u4f7f\u7528 2048<\/span><\/span><\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>NGINX \u914d\u7f6e\u6587\u4ef6 <code>\/etc\/nginx\/sites-enabled\/pdnsadmin.conf<\/code><\/p>\n<table>\n<tbody>\n<tr>\n<td class=\"code\">\n<pre><span class=\"line\"><span class=\"section\">server<\/span> {<\/span>\n<span class=\"line\">    <span class=\"attribute\">listen<\/span> <span class=\"number\">80<\/span>;<\/span>\n<span class=\"line\">    <span class=\"attribute\">server_name<\/span> dns.example.com;<\/span>\n\n<span class=\"line\">    <span class=\"attribute\">location<\/span> \/.well-known {<\/span>\n<span class=\"line\">        <span class=\"attribute\">default_type<\/span> <span class=\"string\">\"text\/plain\"<\/span>;<\/span>\n<span class=\"line\">        <span class=\"attribute\">root<\/span> \/var\/www\/html;<\/span>\n<span class=\"line\">    }<\/span>\n\n<span class=\"line\">    <span class=\"attribute\">location<\/span> \/ {<\/span>\n<span class=\"line\">        <span 
class=\"attribute\">return<\/span> <span class=\"number\">301<\/span> https:\/\/dns.example.com<span class=\"variable\">$request_uri<\/span>;<\/span>\n<span class=\"line\">    }<\/span>\n<span class=\"line\">}<\/span>\n\n<span class=\"line\"><span class=\"section\">server<\/span> {<\/span>\n<span class=\"line\">    <span class=\"attribute\">listen<\/span> <span class=\"number\">443<\/span> ssl;<\/span>\n<span class=\"line\">    <span class=\"attribute\">listen<\/span> [::]:<span class=\"number\">443<\/span> ssl;<\/span>\n<span class=\"line\">    <span class=\"attribute\">server_name<\/span> dns.example.com;<\/span>\n\n<span class=\"line\">    <span class=\"attribute\">ssl<\/span> <span class=\"literal\">on<\/span>;<\/span>\n<span class=\"line\">    <span class=\"attribute\">ssl_certificate<\/span> \/etc\/letsencrypt\/live\/dns.example.com\/fullchain.pem;<\/span>\n<span class=\"line\">    <span class=\"attribute\">ssl_certificate_key<\/span> \/etc\/letsencrypt\/live\/dns.example.com\/privkey.pem;<\/span>\n<span class=\"line\">    <span class=\"attribute\">ssl_protocols<\/span> TLSv1.<span class=\"number\">2<\/span>;<\/span>\n<span class=\"line\">    <span class=\"attribute\">ssl_prefer_server_ciphers<\/span> <span class=\"literal\">on<\/span>;<\/span>\n<span class=\"line\">    <span class=\"attribute\">ssl_ciphers<\/span> <span class=\"string\">\"EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM \nEECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 \nEECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL\n !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4\"<\/span>;<\/span>\n<span class=\"line\">    <span class=\"attribute\">keepalive_timeout<\/span>    <span class=\"number\">70<\/span>;<\/span>\n<span class=\"line\">    <span class=\"attribute\">ssl_session_cache<\/span>    shared:SSL:<span class=\"number\">10m<\/span>;<\/span>\n<span class=\"line\">    <span class=\"attribute\">ssl_session_timeout<\/span>  <span 
class=\"number\">10m<\/span>;<\/span>\n\n<span class=\"line\">    <span class=\"attribute\">ssl_dhparam<\/span> \/etc\/ssl\/certs\/dhparam.pem;<\/span>\n\n<span class=\"line\">    <span class=\"attribute\">add_header<\/span> Strict-Transport-Security max-age=<span class=\"number\">63072000<\/span>;<\/span>\n<span class=\"line\">    <span class=\"attribute\">add_header<\/span> X-Frame-Options SAMEORIGIN;<\/span>\n<span class=\"line\">    <span class=\"attribute\">add_header<\/span> X-Content-Type-Options nosniff;<\/span>\n\n\n<span class=\"line\">    <span class=\"attribute\">access_log<\/span> \/var\/log\/nginx\/dns.example.com.access.log;<\/span>\n<span class=\"line\">    <span class=\"attribute\">error_log<\/span> \/var\/log\/nginx\/dns.example.com.<span class=\"literal\">error<\/span>.log;<\/span>\n\n<span class=\"line\">    <span class=\"attribute\">location<\/span> \/.well-known {<\/span>\n<span class=\"line\">        <span class=\"attribute\">default_type<\/span> <span class=\"string\">\"text\/plain\"<\/span>;<\/span>\n<span class=\"line\">        <span class=\"attribute\">root<\/span> \/var\/www\/html;<\/span>\n<span class=\"line\">    }<\/span>\n\n<span class=\"line\">    <span class=\"attribute\">location<\/span> \/static {<\/span>\n<span class=\"line\">        <span class=\"attribute\">alias<\/span> \/home\/pdns\/PowerDNS-Admin\/app\/static;<\/span>\n<span class=\"line\">    }<\/span>\n\n<span class=\"line\">    <span class=\"attribute\">location<\/span> \/ {<\/span>\n<span class=\"line\">        <span class=\"attribute\">proxy_pass<\/span> http:\/\/127.0.0.1:8000;<\/span>\n<span class=\"line\">        <span class=\"attribute\">proxy_redirect<\/span> default;<\/span>\n<span class=\"line\">        <span class=\"attribute\">proxy_set_header<\/span> Host <span class=\"variable\">$host<\/span>;<\/span>\n<span class=\"line\">        <span class=\"attribute\">proxy_set_header<\/span> X-Real-IP <span class=\"variable\">$remote_addr<\/span>;<\/span>\n<span 
class=\"line\">        <span class=\"attribute\">proxy_set_header<\/span> X-Forwarded-For <span class=\"variable\">$proxy_add_x_forwarded_for<\/span>;<\/span>\n<span class=\"line\">        <span class=\"attribute\">proxy_set_header<\/span> X-Forward-IP <span class=\"variable\">$remote_addr<\/span>;<\/span>\n<span class=\"line\">        <span class=\"attribute\">port_in_redirect<\/span>    <span class=\"literal\">on<\/span>;<\/span>\n<span class=\"line\">        <span class=\"attribute\">server_name_in_redirect<\/span> <span class=\"literal\">off<\/span>;<\/span>\n<span class=\"line\">        <span class=\"attribute\">proxy_connect_timeout<\/span> <span class=\"number\">300<\/span>;<\/span>\n<span class=\"line\">    }<\/span>\n<span class=\"line\">}<\/span><\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u8bb0\u5f97\u628a <code>dns.example.com<\/code> \u6362\u6210\u81ea\u5df1\u7684\u57df\u540d\u3002<\/p>\n<p>另外几点建议：ssl_protocols 只保留 TLSv1.2（TLS 1.0\/1.1 已被 RFC 8996 废弃；nginx 1.13 以上配合 OpenSSL 1.1.1 可再加上 TLSv1.3）；<code>ssl on;<\/code> 在新版 nginx 中已由 <code>listen 443 ssl<\/code> 取代；若后端需要区分前端是否为 HTTPS（生成跳转或设置 Secure cookie），再加上 <code>proxy_set_header X-Forwarded-Proto $scheme;<\/code>。PowerDNS-Admin 是整套 DNS 的控制面，建议在 <code>location \/<\/code> 里用 allow\/deny 把访问限制在管理网段或 VPN 地址内，并对登录接口做失败次数限制。<\/p>\n<p>\u7b7e\u53d1 Let\u2019s Encrypt\u3002\u4e5f\u4e0d\u591a\u8bb2\u3002NGINX \u914d\u7f6e\u4e2d\u5df2\u7ecf\u6709\u4e86\u9488\u5bf9 Let\u2019s Encrypt \u7684\u7eed\u671f\u8bbe\u7f6e\u3002<\/p>\n<p>\u7136\u540e\u91cd\u542f\u5404\u9879\u670d\u52a1<\/p>\n<figure class=\"highlight vala\">\n<table>\n<tbody>\n<tr>\n<td class=\"code\">\n<pre><span class=\"line\"><span class=\"meta\"># systemctl restart supervisor<\/span><\/span>\n<span class=\"line\"><span class=\"meta\"># systemctl restart nginx<\/span><\/span><\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>\u67e5\u770b PowerDNS-Admin \u7684\u8fd0\u884c\u72b6\u6001\uff0c\u4f7f\u7528 <code>supervisorctl status<\/code>\u3002<\/p>\n<h3 id=\"\u6dfb\u52a0-GLUE-\u8bb0\u5f55\">\u6dfb\u52a0 GLUE \u8bb0\u5f55<\/h3>\n<p>\u8981\u4f7f\u81ea\u5df1\u7684 NS \u751f\u6548\uff0c\u5fc5\u987b\u6709\u4fdd\u5b58\u5728\u4e0a\u7ea7 NS \u4e2d\u7684\u8bb0\u5f55\u3002\u5f88\u591a\u57df\u540d\u6ce8\u518c\u5546\u90fd\u63d0\u4f9b\u4e86\u914d\u7f6e GLUE \u8bb0\u5f55\u7684\u529f\u80fd\uff0c\u4f8b\u5982 Hexonet 
(1API):<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-111\" src=\"https:\/\/cdn.oimi.me\/wp-content\/uploads\/2017\/06\/2017063013485141.jpg\" alt=\"\" width=\"1555\" height=\"836\" srcset=\"https:\/\/myya.net\/wp-content\/uploads\/2017\/06\/2017063013485141.jpg 1555w, https:\/\/myya.net\/wp-content\/uploads\/2017\/06\/2017063013485141-300x161.jpg 300w, https:\/\/myya.net\/wp-content\/uploads\/2017\/06\/2017063013485141-1024x551.jpg 1024w, https:\/\/myya.net\/wp-content\/uploads\/2017\/06\/2017063013485141-768x413.jpg 768w, https:\/\/myya.net\/wp-content\/uploads\/2017\/06\/2017063013485141-1536x826.jpg 1536w\" sizes=\"auto, (max-width: 1555px) 100vw, 1555px\" \/><\/p>\n<p>&nbsp;<\/p>\n<p>\u7b80\u8a00\u4e4b\uff0c\u9700\u8981\u628a\u81ea\u5df1\u7684 NS \u670d\u52a1\u5668\u53ca\u5bf9\u5e94\u7684 IP \u8bb0\u5f55\u5230\u4e0a\u7ea7 NS\u3002\u5b8c\u6210\u4e4b\u540e\uff0c\u901a\u8fc7 PowerDNS-Admin \u6dfb\u52a0\u81ea\u5df1\u7684\u57df\u540d\uff0czone \u7c7b\u578b\u4e3a <code>NATIVE<\/code>\u3002\u7136\u540e\u6dfb\u52a0\u6240\u6709 NS \u670d\u52a1\u5668\u7684 A\/AAAA \u4ee5\u53ca\u6240\u6709\u7684 NS \u8bb0\u5f55\u2014\u2014\u4f60\u6ca1\u542c\u9519\uff0c\u8981\u81ea\u5df1\u5199 NS \u8bb0\u5f55\u3002\u5176\u4ed6\u57df\u540d\u4e5f\u9700\u8981\u6dfb\u52a0\u8fd9\u4e9b NS \u8bb0\u5f55\uff0c\u5426\u5219\u4e0d\u4f1a\u6258\u7ba1\u3002<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-112\" src=\"https:\/\/cdn.oimi.me\/wp-content\/uploads\/2017\/06\/2017063013491043.jpg\" alt=\"\" width=\"690\" height=\"1221\" srcset=\"https:\/\/myya.net\/wp-content\/uploads\/2017\/06\/2017063013491043.jpg 690w, https:\/\/myya.net\/wp-content\/uploads\/2017\/06\/2017063013491043-170x300.jpg 170w, https:\/\/myya.net\/wp-content\/uploads\/2017\/06\/2017063013491043-579x1024.jpg 579w\" sizes=\"auto, (max-width: 690px) 100vw, 690px\" \/><\/p>\n<p>&nbsp;<\/p>\n<h3 
id=\"\u6536\u5c3e\">\u6536\u5c3e<\/h3>\n<p>\u5168\u90e8\u5b8c\u6210\u4e4b\u540e\u5c31\u662f\u4e00\u4e2a\u5b8c\u6574\u529f\u80fd\u7684 DNS \u670d\u52a1\u4e86\u3002\u5982\u679c\u5e0c\u671b\u542f\u7528 DNSSEC\uff0c\u9700\u8981\u5728\u7ba1\u7406\u670d\u52a1\u5668\u4e2d\u901a\u8fc7 <code>pdnsutil<\/code> \u6765\u6dfb\u52a0 key\u3002需要注意 PowerDNS 把 DNSSEC 私钥存放在后端数据库的 cryptokeys 表中：在这套 NATIVE + MySQL 复制的架构下，私钥会随复制分发到每一台公网 NS 并由它们在线签名，所以复制链路和 Slave 上的数据库都必须按私钥的保密级别来保护；生成 key 之后还要把对应的 DS 记录提交给注册商，DNSSEC 才真正生效。<\/p>\n<p>\u7531\u4e8e\u76ee\u524d PowerDNS-Admin \u6ca1\u6709\u9650\u5236\u4e0d\u80fd\u6dfb\u52a0\u63d0\u4f9b\u7684 NS \u4e4b\u5916\u7684\u540d\u79f0\u670d\u52a1\u5668\uff0c\u6240\u4ee5\u5176\u4ed6\u57df\u540d\u6309\u7167\u6dfb\u52a0 GLUE \u8bb0\u5f55\u7684\u65b9\u6cd5\uff0c\u4e5f\u53ef\u4ee5\u5c06\u8fd9\u4e9b NS \u670d\u52a1\u5668\u300c\u53d8\u6210\u300d\u81ea\u5df1\u7684 NS\u3002<\/p>\n<p>\u597d\u4e86\uff0c\u4e0d\u4f1a\u8bf4\u8bdd\u4e86\u3002\u8bb2\u6548\u679c\u2014\u2014<\/p>\n<p>\u4e00\u822c\u6765\u8bf4\uff0cDNS \u670d\u52a1\u90fd\u4f1a\u63d0\u4f9b\u591a\u53f0 NS \u670d\u52a1\u5668\u57df\u540d\uff0c\u5c06\u57df\u540d\u7684 DNS \u6539\u4e3a\u8fd9\u4e9b NS \u670d\u52a1\u5668\u624d\u80fd\u6258\u7ba1\u5230\u8be5 DNS \u670d\u52a1\u4e0a\u3002\u4f46\u662f\u73b0\u5728\u53ea\u9700\u8981\u77e5\u9053\u8fd9\u5957 DNS \u7684\u670d\u52a1\u5668 IP \u5730\u5740\uff0c\u5373\u53ef\u7ed9\u81ea\u5df1\u7684\u57df\u540d\u6dfb\u52a0 GLUE \u8bb0\u5f55\u3001NS \u8bb0\u5f55\u548c NS \u5bf9\u5e94\u7684 A\/AAAA \u8bb0\u5f55\u8fdb\u800c\u4f7f\u7528\u81ea\u5df1\u7684\u57df\u540d\u4f5c\u4e3a NS\uff0c\u800c\u4e0d\u9700\u8981\u7528 DNS \u670d\u52a1\u7684 NS \u57df\u540d\u3002\u5f53\u7136\u4e00\u822c\u5c31\u662f\u770b\u8d77\u6765\u4f1a\u6bd4\u8f83\u5389\u5bb3\u800c\u5df2\u2026<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u6709\u4e00\u4e2a\u80fd\u652f\u6301 Let\u2019s Encrypt \u7684 DNS \u670d\u52a1\uff0c\u51b3\u5b9a\u6682\u65f6\u820d\u5f03 GeoDNS \u529f\u80fd\uff0c\u4f7f\u7528\u4e00\u5957\u66f4\u52a0\u6210\u719f 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"aside","meta":{"footnotes":""},"categories":[10],"tags":[166,201,245,246],"class_list":["post-110","post","type-post","status-publish","format-aside","hentry","category-hardware","tag-lets-encrypt","tag-nginx","tag-powerdns","tag-powerdns-admin","post_format-post-format-aside"],"_links":{"self":[{"href":"https:\/\/myya.net\/index.php\/wp-json\/wp\/v2\/posts\/110","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/myya.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/myya.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/myya.net\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/myya.net\/index.php\/wp-json\/wp\/v2\/comments?post=110"}],"version-history":[{"count":0,"href":"https:\/\/myya.net\/index.php\/wp-json\/wp\/v2\/posts\/110\/revisions"}],"wp:attachment":[{"href":"https:\/\/myya.net\/index.php\/wp-json\/wp\/v2\/media?parent=110"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/myya.net\/index.php\/wp-json\/wp\/v2\/categories?post=110"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/myya.net\/index.php\/wp-json\/wp\/v2\/tags?post=110"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}