Pseudo second level domain from Basics zu DNSEC: Difference between revisions
| Zeile 51: | Zeile 51: | ||
*systemctl restart named | *systemctl restart named | ||
| + | =DS Record für Fake Root erzeugen= | ||
| + | |||
| + | ;DS aus signierter Zone erzeugen | ||
| + | *dnssec-dsfromkey -f /var/cache/bind/it2XX.int.signed it2XX.int | ||
| + | |||
| + | ;DS Eintrag an Fake Root weitergeben | ||
| + | ;Im Fake Root in Zone int einfügen | ||
| + | |||
| + | ;Beispiel: | ||
| + | ;it2XX IN NS ns.it2XX.int. | ||
| + | ;ns.it2XX.int. IN A 10.88.2XX.21 | ||
| + | ;it2XX.int. IN DS 12345 8 2 ABCDEF123456.... | ||
| + | |||
| + | ;Danach Fake Root neu signieren | ||
| + | *cd /var/cache/bind | ||
| + | *dnssec-signzone -A -N INCREMENT -o int int | ||
| + | *rndc reload | ||
| + | |||
| + | =Handling und Logging= | ||
| + | *systemctl restart bind9 | ||
| + | *journalctl -fu bind9 | ||
| + | *journalctl -u bind9 -g it2XX.int | ||
| + | |||
| + | =Validierungstest= | ||
| + | |||
| + | ;Forward Validierung | ||
| + | *dig www.it2XX.int +dnssec | ||
| + | |||
| + | ;Antwort muss AD-Flag enthalten | ||
| + | |||
| + | =Status= | ||
| + | *systemctl status named | ||
| + | |||
| + | =Logs= | ||
| + | ;Aktualisierte Log von named | ||
| + | *journalctl -fu named | ||
| + | ;Die letzten 20 Log Zeilen vom named | ||
| + | *journalctl -n 20 -u named | ||
| + | ;Aktualisierte Log von named plus grepen nach it2XX | ||
| + | *journalctl -fu named -g it2XX | ||
| + | |||
| + | =Sind die Ports geöffnet= | ||
| + | *ss -lntpu | grep named | ||
| + | |||
| + | =Tests= | ||
| + | *[[host]] | ||
| + | *[[dig]] | ||
| + | *[[nslookup]] | ||
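Review bot: The validation test (`*dig www.it2XX.int +dnssec` followed by `;Antwort muss AD-Flag enthalten`) does not say which server to ask; sent to the it2XX.int server itself the answer comes back with `aa` and without `ad`, because named does not validate data it is authoritative for, so the AD check only works against a validating resolver that is not authoritative for the zone (add `@<resolver address>` to the dig line and state that requirement next to it). Minor: "Handling und Logging" restarts and greps `bind9` while "Status" and "Logs" use `named`; on current Debian/Ubuntu packages bind9.service is an alias of named.service, so both work, but one spelling across the page would avoid the impression of two different services.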
Revision as of 2 June 2026, 14:30
Adding the trust anchor
- cd /etc/bind/
- wget http://192.168.X.88/trust-anchors.conf
- echo 'include "/etc/bind/trust-anchors.conf";' >> named.conf
The trust anchor is the root of the whole chain of trust, and here it is fetched over plain HTTP from a lab server: whoever can tamper with that download can hand you a key of their own choosing, and every later validation would then be "correct" by that key. Acceptable inside the lab, but compare the key tag and public key in the downloaded file with what the Fake Root operator publishes before restarting named. The include goes into named.conf itself, next to the existing include lines, not into named.conf.options.
/etc/bind/named.conf.options
Permissions and restrictions
options {
    directory "/var/cache/bind";
    forwarders { <DNSGW>; };
    allow-query { 0.0.0.0/0; };
    allow-recursion { 10.88.2XX.0/24; 172.26.2XX.0/24; 10.2XX.1.0/24; 172.20.2XX.0/24; 127.0.0.1; };
    allow-transfer { 127.0.0.1; };
    dnssec-validation yes;
    empty-zones-enable no;
    listen-on-v6 { none; };
    listen-on { any; };
};
What the options do:
- allow-query is open to everyone while allow-recursion is limited to the lab networks and localhost. That is the right split for a server that is authoritative for it2XX.int but should only recurse for its own clients; it keeps the server from being an open resolver.
- The original entry 172.20.2XX.0 had no prefix length and therefore matched only that single host address; /24 has been added so it matches the neighbouring entries.
- allow-transfer limited to localhost: a zone transfer (AXFR) hands out the whole zone at once, so allow it only for the secondaries you actually have.
- dnssec-validation yes (rather than auto): named validates only against the explicitly configured trust anchors, i.e. the trust-anchors.conf included above. auto would additionally load the built-in key of the real root, which the lab's Fake Root does not hold.
- empty-zones-enable no: switches off the built-in empty zones for RFC 1918 and similar reverse ranges, so reverse lookups for the lab's private networks are forwarded instead of being answered with NXDOMAIN locally.
- Zone file names elsewhere in the configuration are relative to the directory option, i.e. /var/cache/bind.
/etc/bind/named.conf.local
// Empty by default
// This is where the zones are defined.
zone "it2XX.int" {
    type master;
    file "it2XX.int.signed";
};
zone "2XX.88.10.in-addr.arpa" {
    type master;
    file "2XX.88.10.in-addr.arpa";
};
The forward zone is loaded from the signed file produced below (not from the unsigned it2XX.int), so every re-signing must be followed by a reload; the reverse zone is served unsigned.
Generating the DNSSEC keys
- Forward zone
- dnssec-keygen -a RSASHA256 -b 2048 -n ZONE it2XX.int
- dnssec-keygen -a RSASHA256 -b 4096 -f KSK -n ZONE it2XX.int
The first call creates the zone-signing key (ZSK), the second the key-signing key (KSK); the DS record handed to the parent later is derived from the KSK. Run both in /var/cache/bind (or pass -K /var/cache/bind), because the $INCLUDE lines below name the key files without a path. Each call writes a pair of files, Kit2XX.int.+008+<keytag>.key (the public key in DNSKEY format) and the matching .private file. The .private files are the secrets of this zone; keep them readable only by the user that signs the zone.
Including the DNSKEYs
- Forward
- for k in Kit2XX.int.+*.key ; do echo "\$INCLUDE $k" >> /var/cache/bind/it2XX.int; done
This appends one $INCLUDE line per public key file to the unsigned zone file, so both DNSKEY records become part of the zone; the backslash stops the shell from expanding $INCLUDE. Check with tail -2 /var/cache/bind/it2XX.int that exactly two lines were added, and do not run the loop a second time, or the records are included twice.
Signing the zone
- dnssec-signzone -A -N INCREMENT -o it2XX.int -t /var/cache/bind/it2XX.int
- Produces
/var/cache/bind/it2XX.int.signed
- systemctl restart named
Options: -o sets the zone origin, -N INCREMENT bumps the SOA serial so caches and secondaries notice the change, -A signs the DNSKEY RRset with the KSK only, -t prints signing statistics. The signatures are valid for a limited time (30 days by default), so the zone must be re-signed before they expire, otherwise validating resolvers start answering SERVFAIL for it. For later re-signs rndc reload it2XX.int is enough; a full restart is not needed.
Creating the DS record for the Fake Root
- Derive the DS from the signed zone
- dnssec-dsfromkey -f /var/cache/bind/it2XX.int.signed it2XX.int
- Hand the DS record to the Fake Root
- On the Fake Root, insert it into the zone int
- Example
- it2XX IN NS ns.it2XX.int.
- ns.it2XX.int. IN A 10.88.2XX.21
- it2XX.int. IN DS 12345 8 2 ABCDEF123456....
- Then re-sign the Fake Root
- cd /var/cache/bind
- dnssec-signzone -A -N INCREMENT -o int int
- rndc reload
dnssec-dsfromkey -f reads the DNSKEY records out of the zone file and prints a DS record for the key-signing key (ZSKs are skipped unless -A is given). Use the SHA-256 line, digest type 2 as in the example; the fields after DS are key tag, algorithm (8 = RSASHA256) and digest type, followed by the digest. The key tag 12345 and the digest ABCDEF... in the example are placeholders. The NS and A records form the delegation and its glue; the DS record is the only thing that links the child's KSK into the parent's chain of trust, so it has to be regenerated and handed over again whenever the KSK changes, and the parent has to be re-signed and reloaded each time, as shown.
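The DS record travels to the Fake Root operator by copy-paste, which is where key tags and digests get mangled or go stale after a KSK change. The following shell script is an added example, not part of the wiki page or of BIND: it compares the DS records derived from the child zone with the DS records found in the parent zone text and reports which parent DS is backed by a child key and which is not. The dnssec-dsfromkey output and the two parent zone excerpts embedded in it are constructed (made-up key tags and digests); in the lab you would feed it the real command output as shown in the comment at the top.

```shell
#!/bin/sh
# Added example, not from the wiki page or from BIND: check that the DS record
# published in the parent ("int") zone matches a DS derived from the child's KSK.
# In the lab, feed it real tool output:
#   ds_chain_ok "$(dnssec-dsfromkey -f /var/cache/bind/it2XX.int.signed it2XX.int)" \
#               "$(grep -w DS /var/cache/bind/int)"
# Everything below uses constructed sample data; key tags and digests are made up.

# Print every DS record found on stdin as "keytag alg digesttype DIGEST", one per
# line. Comments are stripped, the digest is upper-cased and whitespace inside the
# digest (dig splits long digests over several fields) is removed.
normalize_ds() {
    awk '
        {
            sub(/;.*/, "")
            for (i = 1; i <= NF; i++) if (toupper($i) == "DS") break
            if (i + 4 > NF) next              # not a DS record, or no digest present
            digest = ""
            for (j = i + 4; j <= NF; j++) digest = digest $j
            print $(i+1), $(i+2), $(i+3), toupper(digest)
        }'
}

# ds_chain_ok CHILD_DS_TEXT PARENT_ZONE_TEXT
# Returns 0 if at least one DS in the parent matches a DS derived from the child's
# keys (the chain of trust closes). Every parent DS that matches no child key is
# reported as STALE: typically a DS left over from an old KSK or a mistyped digest.
ds_chain_ok() {
    child=$(printf '%s\n' "$1" | normalize_ds | sort -u)
    parent=$(printf '%s\n' "$2" | normalize_ds | sort -u)
    [ -n "$child" ]  || { echo "ERROR: no DS records in child input" >&2; return 1; }
    [ -n "$parent" ] || { echo "ERROR: no DS records in parent zone" >&2; return 1; }
    matched=0
    while IFS= read -r ds; do
        if printf '%s\n' "$child" | grep -qxF -- "$ds"; then
            echo "OK     DS $ds is backed by a DNSKEY in the child zone"
            matched=$((matched + 1))
        else
            echo "STALE  DS $ds matches no key in the child zone"
        fi
    done <<EOF
$parent
EOF
    [ "$matched" -gt 0 ]
}

# --- constructed sample data (not real keys) ---------------------------------
# What dnssec-dsfromkey -f prints for the child zone (SHA-256 line only):
SAMPLE_CHILD_DS='it2XX.int. IN DS 12345 8 2 0E2A1B3C4D5E6F708192A3B4C5D6E7F8091A2B3C4D5E6F708192A3B4C5D6E7F8'
# The delegation as pasted into the Fake Root's "int" zone; the digest ended up in
# lower case during copy-paste, which is still the same DS record:
SAMPLE_PARENT_OK='it2XX          IN NS ns.it2XX.int.
ns.it2XX.int.  IN A  10.88.2XX.21
it2XX.int.     IN DS 12345 8 2 0e2a1b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d5e6f708192a3b4c5d6e7f8'
# Same delegation, but the DS still refers to the previous KSK (key tag 54321):
SAMPLE_PARENT_STALE='it2XX          IN NS ns.it2XX.int.
ns.it2XX.int.  IN A  10.88.2XX.21
it2XX.int.     IN DS 54321 8 2 7f8091a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d5e6f708192a3b4c5d6e'

echo "== DS published correctly =="
ds_chain_ok "$SAMPLE_CHILD_DS" "$SAMPLE_PARENT_OK" && echo "chain of trust closes"
echo "== DS still points at the old KSK =="
ds_chain_ok "$SAMPLE_CHILD_DS" "$SAMPLE_PARENT_STALE" || echo "chain broken: re-run dnssec-dsfromkey and update the int zone"
```

The comparison deliberately ignores digest case and the owner name, because both differ harmlessly between tool output and a hand-edited zone file; key tag, algorithm, digest type and digest bytes are what a validator actually matches.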
Handling and logging
- systemctl restart bind9
- journalctl -fu bind9
- journalctl -u bind9 -g it2XX.int
On current Debian/Ubuntu packages bind9.service is an alias of named.service, so these are the same service and the same log as under Status and Logs below; use one name consistently. -g filters the journal by a regular expression, -f follows it live.
Validation test
- Forward validation
- dig www.it2XX.int +dnssec
- The answer must contain the AD flag
+dnssec sets the DO bit and makes dig print the RRSIG records; the ad flag, however, is set by the validating resolver and says that the resolver validated the answer, not merely that the zone is signed. Ask the validating resolver explicitly (dig @<resolver address> www.it2XX.int +dnssec); the it2XX.int server itself answers its own zone with aa and never with ad, because named does not validate data it is authoritative for. SERVFAIL from a validating resolver usually means validation failed: +cd (checking disabled) returns the unvalidated data for inspection, and delv +rtrace shows step by step where the chain breaks (point it at the lab trust anchor file with -a, since its default is the key of the real root).
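Reading the flags line by eye is error-prone, and the usual mistake is asking the wrong server. This shell function is an added example, not part of the wiki page: it parses the text that dig prints and distinguishes the three outcomes that matter here: a validated answer (NOERROR, ad set, RRSIG present), an authoritative but unvalidated answer (aa without ad, i.e. the query went to the it2XX.int server itself), and SERVFAIL from a validating resolver. The three dig outputs embedded below are constructed; addresses, query ids, the DiG version string and the signature field are made up.

```shell
#!/bin/sh
# Added example, not from the wiki page: decide from the output of
# "dig ... +dnssec" whether the answer was DNSSEC-validated, and say why not.
# Real use:  dig_validated "$(dig @127.0.0.1 www.it2XX.int +dnssec)"
# The dig outputs at the bottom are constructed for this example.

# dig_validated DIG_OUTPUT
# Returns 0 only if status is NOERROR, the "ad" flag is set and an RRSIG record is
# present in the answer section. Prints a one-line diagnosis otherwise.
dig_validated() {
    out=$1
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/.*flags: \([a-z ]*\);.*/\1/p' | head -n 1)

    case "$status" in
        NOERROR)  ;;
        SERVFAIL) echo "FAIL: SERVFAIL, usually a validation failure; repeat with +cd to see the unvalidated data"; return 1 ;;
        "")       echo "FAIL: no status line found, is this dig output?"; return 1 ;;
        *)        echo "FAIL: status $status"; return 1 ;;
    esac

    case " $flags " in
        *" ad "*) ;;
        *" aa "*) echo "FAIL: answer is authoritative (aa) but not validated (ad): you asked the authoritative server itself, ask a validating resolver"; return 1 ;;
        *)        echo "FAIL: ad flag missing, the resolver did not validate (no trust anchor, validation off, or zone not signed)"; return 1 ;;
    esac

    # Fourth field of an answer line is the record type; require at least one RRSIG.
    if ! printf '%s\n' "$out" | awk '/^;; ANSWER SECTION:/{a=1; next} /^;;/{a=0} a && $4=="RRSIG"{found=1} END{exit !found}'; then
        echo "FAIL: ad is set but no RRSIG in the answer (did you pass +dnssec?)"; return 1
    fi
    echo "OK: validated answer (status NOERROR, ad flag set, RRSIG present)"
}

# --- constructed dig outputs -------------------------------------------------
# From a validating resolver that is not authoritative for it2XX.int:
SAMPLE_VALIDATED='; <<>> DiG 9.16.1 <<>> @127.0.0.1 www.it2XX.int +dnssec
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.it2XX.int.  3600 IN A     10.88.2XX.80
www.it2XX.int.  3600 IN RRSIG A 8 3 3600 20260701000000 20260601000000 23456 it2XX.int. c29tZXNpZ25hdHVyZQ=='
# From the authoritative it2XX.int server itself: aa instead of ad:
SAMPLE_AUTHORITATIVE='; <<>> DiG 9.16.1 <<>> @10.88.2XX.21 www.it2XX.int +dnssec
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.it2XX.int.  3600 IN A     10.88.2XX.80
www.it2XX.int.  3600 IN RRSIG A 8 3 3600 20260701000000 20260601000000 23456 it2XX.int. c29tZXNpZ25hdHVyZQ=='
# From a validating resolver whose validation failed (e.g. DS does not match the KSK):
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

dig_validated "$SAMPLE_VALIDATED"
dig_validated "$SAMPLE_AUTHORITATIVE" || true
dig_validated "$SAMPLE_SERVFAIL"      || true
```

The aa-without-ad case is checked before the generic "ad missing" case on purpose: it is the one that looks like a broken setup but is only a wrong target, and it is exactly what you get when /etc/resolv.conf on a lab client points at the it2XX.int server.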
Status
- systemctl status named
Logs
- Live log of named
- journalctl -fu named
- The last 20 log lines of named
- journalctl -n 20 -u named
- Live log of named, filtered for it2XX
- journalctl -fu named -g it2XX
Are the ports open
- ss -lntpu | grep named
Expect 53/tcp and 53/udp on 0.0.0.0 (listen-on { any; }, and no IPv6 sockets because of listen-on-v6 { none; }) plus 953/tcp on the loopback address, which is the rndc control channel. If 953 shows up on anything other than loopback, a controls statement has opened it deliberately or by mistake; it must not be reachable from the lab network.