Dnssec bind9: Unterschied zwischen den Versionen

Aus Xinux Wiki
Zur Navigation springen Zur Suche springen
 
(16 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt)
Zeile 13: Zeile 13:
 
=Key Signing Key (KSK) generieren=
 
=Key Signing Key (KSK) generieren=
 
*'''cd  /etc/bind/keys/'''
 
*'''cd  /etc/bind/keys/'''
*'''dnssec-keygen -3 -a RSASHA512 -b 4096 -n ZONE -r /dev/urandom -f KSK kit.lab'''
+
*'''dnssec-keygen -3 -a NSEC3RSASHA1 -b 2048 -f KSK -n ZONE kit.lab'''
 +
{| class="wikitable"
 +
|-
 +
! style="text-decoration:underline;" | Option
 +
! Wirkung
 +
|-
 +
| -3
 +
|aktiviert das gewünschte NSEC3
 +
|-
 +
| -a
 +
|bestimmt den Typ der Signatur
 +
|-
 +
| -b
 +
|gibt die gewünschte Blockgröße an
 +
|-
 +
| -n  
 +
|spezifiziert den Nametyp wie ZONE, HOST, USER
 +
|-
 +
| -f
 +
|speziell für KSK muss diese Flag gesetzt werden
 +
|}
 +
 
 +
=Zone Signing Key (ZSK) generieren=
 +
Den Zone Signing Key erzeugt man im Anschluß daran wie folgt, gefolgt von einer Neuzuordnung der Dateiattribute.
 +
*'''dnssec-keygen -3 -a NSEC3RSASHA1 -b 2048 -n ZONE kit.lab'''
 +
*'''chown -R bind:bind /etc/bind/keys/'''
 +
=/etc/bind/named.conf.local=
 +
*'''cat /etc/bind/named.conf.local'''
 +
zone "kit.lab" {
 +
        type master;
 +
        file "kit.lab";
 +
};
 +
=/var/cache/bind/kit.lab=
 +
<pre>
 +
$TTL 300        ; 5 minutes
 +
@                      IN SOA  leroy.kit.lab. technik.xunix.de. (
 +
                              2023021401 ; serial
 +
                              14400      ; refresh (4 hours)
 +
                              3600      ; retry (1 hour)
 +
                              3600000    ; expire (5 weeks 6 days 16 hours)
 +
                              86400      ; minimum (1 day)
 +
                              )
 +
                      NS      leroy.kit.lab.
 +
leroy.kit.lab.          IN      A      10.0.11.109
 +
</pre>
 +
=Die Keys der Zonendatei hinzufügen=
 +
*for key in Kkit.lab.*.key; do echo "\$INCLUDE /etc/bind/keys/$key" >> /var/cache/bind/kit.lab; done
 +
*/etc/bind/keys# cat /var/cache/bind/kit.lab
 +
=Die Zone signieren=
 +
*dnssec-signzone -3 -  -H 50 -A -N INCREMENT -o kit.lab -t /var/cache/bind/kit.lab
 +
<pre>
 +
 
 +
Verifying the zone using the following algorithms:
 +
- NSEC3RSASHA1
 +
Zone fully signed:
 +
Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
 +
                        ZSKs: 1 active, 0 stand-by, 0 revoked
 +
/var/cache/bind/kit.lab.signed
 +
Signatures generated:                        8
 +
Signatures retained:                        0
 +
Signatures dropped:                          0
 +
Signatures successfully verified:            0
 +
Signatures unsuccessfully verified:          0
 +
Signing time in seconds:                0.039
 +
Signatures per second:                200.005
 +
Runtime in seconds:                      0.071
 +
</pre>
 +
=Konfiguration anpassen=
 +
*'''cat /etc/bind/named.conf.options'''  
 +
<pre>
 +
options {
 +
directory "/var/cache/bind";
 +
        key-directory "/var/bind/keys";
 +
dnssec-enable yes;
 +
dnssec-validation yes;
 +
dnssec-lookaside auto;
 +
};
 +
</pre>
 +
=Zonenverweis anpassen=
 +
*cat /etc/bind/named.conf.local
 +
zone "kit.lab" {
 +
        type master;
 +
        file "kit.lab.signed";
 +
};
 +
=Neustarten=
 +
*systemctl restart bind9
 +
=Checken=
 +
==Logdatei==
 +
*grep kit.lab /var/log/syslog
 +
Feb 14 21:48:02 debian named[18295]: zone kit.lab/IN: loaded serial 2023021402 (DNSSEC signed)
 +
==dig==
 +
*dig @127.0.0.1 kit.lab dnskey +noall +answer +multiline
 +
<pre>
 +
kit.lab. 300 IN DNSKEY 257 3 7 (
 +
AwEAAdNJqnVniG3n6D1d83Eitz2xlc1QCGxFfZm9Sfyn
 +
4rM7S1UhcmFEQLz2Yi5kydOWVycxtHzQBvlg4FYUXX2M
 +
vqQwiRRboj25kDeOPpoDffLVf2+EeUgPGLLsjzG8hCGt
 +
zOQDvHiomBard+90lKjUKyoxkT0ZPIq2LSVi6KXazXHs
 +
razsMG2qC23eioFwSTeRQB5hYs6IzBcYvzxQJYmm+OHH
 +
5an+8iNb2IieNsX0v3xfZG+sqgawSU5JiP1S63Oc7O4M
 +
5Urucbl6RJNR12gziZdsUjOeXuV0mYblJ8rKIcfq6TWW
 +
aeLuT9XxCHwtNMpBoZahMluUB78RuhaIu+aQ7Ms=
 +
) ; KSK; alg = NSEC3RSASHA1 ; key id = 32178
 +
kit.lab. 300 IN DNSKEY 256 3 7 (
 +
AwEAAa9m+o7OWmpwWTTLAK08Xb9hjm5Xy3rTk8RjXkix
 +
pXs60SRzGWlcstJi3fIHqiw91ZjstN6olHY3u8uVk3DZ
 +
CY3pC7SzHpwFvuhA66x3aHGshKScXafav9YBtR1hLDdu
 +
kDDDwDaWfpV/AbPQIV8Ej26iQ/r6kfl6Cmiwt6iwWSnf
 +
bD+yciAsvs3LPrbaypUeLByoqkCrYp1M0avXE2Eq4qyK
 +
4F7MxDkjFasdblfqIOlRKR3WdaVoRJ1X2mG77oZ/KD8b
 +
fJIrf/R1aFmNxcaG0CzxdwKvjd4yNOdGFsuUtw88/nMJ
 +
6ADq7w5TxWBPGjl8z7LuepKucnIPp/lLWcMj1Pk=
 +
) ; ZSK; alg = NSEC3RSASHA1 ; key id = 65282
 +
</pre>
 +
 
 +
=Quellen=
 +
*https://www.linuxmaker.com/linux/bind9-mit-dnssec-absichern/konfiguration-von-dnssec.html
 +
*https://bind9.readthedocs.io/en/latest/dnssec-guide.html
 +
*https://www.scip.ch/?labs.20140911

Aktuelle Version vom 14. Februar 2023, 21:08 Uhr

Grundkonfiguration

  • cat /etc/bind/named.conf.options
options {
	directory "/var/cache/bind";
        key-directory "/var/bind/keys";
	dnssec-validation auto;
};

Verzeichnis erstellen

  • mkdir -p /etc/bind/keys/
  • chown -R bind:bind /etc/bind/keys/

Key Signing Key (KSK) generieren

  • cd /etc/bind/keys/
  • dnssec-keygen -3 -a NSEC3RSASHA1 -b 2048 -f KSK -n ZONE kit.lab
Option Wirkung
-3 aktiviert das gewünschte NSEC3
-a bestimmt den Typ der Signatur
-b gibt die gewünschte Blockgröße an
-n spezifiziert den Nametyp wie ZONE, HOST, USER
-f speziell für KSK muss diese Flag gesetzt werden

Zone Signing Key (ZSK) generieren

Den Zone Signing Key erzeugt man im Anschluß daran wie folgt, gefolgt von einer Neuzuordnung der Dateiattribute.

  • dnssec-keygen -3 -a NSEC3RSASHA1 -b 2048 -n ZONE kit.lab
  • chown -R bind:bind /etc/bind/keys/

/etc/bind/named.conf.local

  • cat /etc/bind/named.conf.local
zone "kit.lab" {
        type master;
        file "kit.lab";
};

/var/cache/bind/kit.lab

$TTL 300        ; 5 minutes
@                       IN SOA  leroy.kit.lab. technik.xunix.de. (
                               2023021401 ; serial
                               14400      ; refresh (4 hours)
                               3600       ; retry (1 hour)
                               3600000    ; expire (5 weeks 6 days 16 hours)
                               86400      ; minimum (1 day)
                               )
                       NS      leroy.kit.lab.
leroy.kit.lab.          IN      A       10.0.11.109

Die Keys der Zonendatei hinzufügen

  • for key in Kkit.lab.*.key; do echo "\$INCLUDE /etc/bind/keys/$key" >> /var/cache/bind/kit.lab; done
  • /etc/bind/keys# cat /var/cache/bind/kit.lab

Die Zone signieren

  • dnssec-signzone -3 - -H 50 -A -N INCREMENT -o kit.lab -t /var/cache/bind/kit.lab

Verifying the zone using the following algorithms:
- NSEC3RSASHA1
Zone fully signed:
Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                         ZSKs: 1 active, 0 stand-by, 0 revoked
/var/cache/bind/kit.lab.signed
Signatures generated:                        8
Signatures retained:                         0
Signatures dropped:                          0
Signatures successfully verified:            0
Signatures unsuccessfully verified:          0
Signing time in seconds:                 0.039
Signatures per second:                 200.005
Runtime in seconds:                      0.071

Konfiguration anpassen

  • cat /etc/bind/named.conf.options
options {
	directory "/var/cache/bind";
        key-directory "/var/bind/keys";
	dnssec-enable yes;
	dnssec-validation yes;
	dnssec-lookaside auto;
};

Zonenverweis anpassen

  • cat /etc/bind/named.conf.local
zone "kit.lab" {
        type master;
        file "kit.lab.signed";
};

Neustarten

  • systemctl restart bind9

Checken

Logdatei

  • grep kit.lab /var/log/syslog
Feb 14 21:48:02 debian named[18295]: zone kit.lab/IN: loaded serial 2023021402 (DNSSEC signed)

dig

  • dig @127.0.0.1 kit.lab dnskey +noall +answer +multiline
kit.lab.		300 IN DNSKEY 257 3 7 (
				AwEAAdNJqnVniG3n6D1d83Eitz2xlc1QCGxFfZm9Sfyn
				4rM7S1UhcmFEQLz2Yi5kydOWVycxtHzQBvlg4FYUXX2M
				vqQwiRRboj25kDeOPpoDffLVf2+EeUgPGLLsjzG8hCGt
				zOQDvHiomBard+90lKjUKyoxkT0ZPIq2LSVi6KXazXHs
				razsMG2qC23eioFwSTeRQB5hYs6IzBcYvzxQJYmm+OHH
				5an+8iNb2IieNsX0v3xfZG+sqgawSU5JiP1S63Oc7O4M
				5Urucbl6RJNR12gziZdsUjOeXuV0mYblJ8rKIcfq6TWW
				aeLuT9XxCHwtNMpBoZahMluUB78RuhaIu+aQ7Ms=
				) ; KSK; alg = NSEC3RSASHA1 ; key id = 32178
kit.lab.		300 IN DNSKEY 256 3 7 (
				AwEAAa9m+o7OWmpwWTTLAK08Xb9hjm5Xy3rTk8RjXkix
				pXs60SRzGWlcstJi3fIHqiw91ZjstN6olHY3u8uVk3DZ
				CY3pC7SzHpwFvuhA66x3aHGshKScXafav9YBtR1hLDdu
				kDDDwDaWfpV/AbPQIV8Ej26iQ/r6kfl6Cmiwt6iwWSnf
				bD+yciAsvs3LPrbaypUeLByoqkCrYp1M0avXE2Eq4qyK
				4F7MxDkjFasdblfqIOlRKR3WdaVoRJ1X2mG77oZ/KD8b
				fJIrf/R1aFmNxcaG0CzxdwKvjd4yNOdGFsuUtw88/nMJ
				6ADq7w5TxWBPGjl8z7LuepKucnIPp/lLWcMj1Pk=
				) ; ZSK; alg = NSEC3RSASHA1 ; key id = 65282

Quellen

Abgerufen von „http://wiki.ixheim.de/index.php?title=Dnssec_bind9&oldid=41430