Pseudo second level domain DNSSEC: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
| (29 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt) | |||
| Zeile 1: | Zeile 1: | ||
| − | = | + | =Klonen des Templates= |
| − | *cat /etc/bind/named.conf.options | + | ;Erstellen eines Nameservers laut Plan |
| + | ;Name ns.it213.int | ||
| + | ;Vorläufiger DNS ist der 192.168.X.88 | ||
| + | ;Der Server ist autoritativ UND rekursiv validierend | ||
| + | |||
| + | =Installation= | ||
| + | *apt update | ||
| + | *apt install bind9 bind9-utils | ||
| + | |||
| + | =Auf den Nameservern= | ||
| + | |||
| + | ==Trust Anker einfügen== | ||
| + | *cd /etc/bind/ | ||
| + | *wget http://192.168.X.88/trust-anchors.conf | ||
| + | *echo 'include "/etc/bind/trust-anchors.conf";' >> named.conf | ||
| + | |||
| + | ==Optionen== | ||
| + | *cat /etc/bind/named.conf.options | ||
<pre> | <pre> | ||
options { | options { | ||
| − | + | directory "/var/cache/bind"; | |
| − | + | forwarders { 192.168.X.88; }; | |
| − | + | empty-zones-enable no; | |
| − | + | recursion yes; | |
| − | + | allow-query { any; }; | |
| − | + | allow-transfer { 127.0.0.1; }; | |
| − | + | dnssec-validation yes; | |
}; | }; | ||
| + | |||
</pre> | </pre> | ||
| + | |||
| + | ==Zonenfestlegung== | ||
| + | *cat /etc/bind/named.conf.local | ||
<pre> | <pre> | ||
| − | + | zone "it213.int" IN { | |
| − | |||
| − | zone | ||
type master; | type master; | ||
| − | file " | + | file "it213.int.signed"; |
}; | }; | ||
| − | zone | + | zone "213.88.10.in-addr.arpa" IN { |
type master; | type master; | ||
| − | file " | + | file "213.88.10.in-addr.arpa"; |
}; | }; | ||
</pre> | </pre> | ||
| − | *cat | + | |
| + | =Zonen selbst (unsigniert)= | ||
| + | |||
| + | *cat /var/cache/bind/it213.int | ||
<pre> | <pre> | ||
| − | |||
$TTL 300 | $TTL 300 | ||
| − | @ | + | @ IN SOA ns.it213.int. technik.xinux.de. ( |
| − | + | 2026031701 | |
| − | 14400 | + | 14400 |
| − | 3600 | + | 3600 |
| − | 3600000 | + | 3600000 |
| − | 86400 | + | 86400 |
) | ) | ||
IN NS ns | IN NS ns | ||
| − | ns IN A 10.88. | + | IN MX 10 mail |
| − | + | ||
| + | ns IN A 10.88.213.21 | ||
| + | www IN A 10.88.213.11 | ||
| + | mail IN A 10.88.213.3 | ||
| + | fw IN A 10.88.213.1 | ||
| + | proxy IN A 10.88.213.4 | ||
| + | checkmk IN A 10.88.213.5 | ||
| + | revproxy IN A 10.88.213.41 | ||
| + | nextcloud IN A 10.88.213.8 | ||
| + | docker IN A 10.88.213.9 | ||
</pre> | </pre> | ||
| − | *cat | + | *cat /var/cache/bind/213.88.10.in-addr.arpa |
<pre> | <pre> | ||
| − | |||
$TTL 300 | $TTL 300 | ||
| − | @ | + | @ IN SOA ns.it213.int. technik.xinux.de. ( |
| − | + | 2026031701 | |
| − | 14400 | + | 14400 |
| − | 3600 | + | 3600 |
| − | 3600000 | + | 3600000 |
| − | 86400 | + | 86400 |
) | ) | ||
| − | IN NS ns. | + | IN NS ns.it213.int. |
| − | + | ||
| − | + | 1 IN PTR fw.it213.int. | |
| + | 21 IN PTR ns.it213.int. | ||
| + | 11 IN PTR www.it213.int. | ||
| + | 3 IN PTR mail.it213.int. | ||
| + | 4 IN PTR proxy.it213.int. | ||
| + | 5 IN PTR checkmk.it213.int. | ||
| + | 8 IN PTR nextcloud.it213.int. | ||
| + | 9 IN PTR docker.it213.int. | ||
| + | 41 IN PTR revproxy.it213.int. | ||
| + | |||
</pre> | </pre> | ||
| − | = DNSSEC | + | ==Verzeichnis wechseln== |
| + | *cd /var/cache/bind/ | ||
| + | |||
| + | =DNSSEC Schlüssel erzeugen= | ||
| − | + | ;Forward Zone | |
| − | * | + | *dnssec-keygen -a RSASHA256 -b 2048 -n ZONE it213.int |
| − | + | *dnssec-keygen -a RSASHA256 -b 4096 -f KSK -n ZONE it213.int | |
| − | * | ||
| − | == | + | =DNSKEY einbinden= |
| − | |||
| − | |||
| − | + | ;Forward | |
| − | + | *for k in Kit213.int.+*.key ; do echo "\$INCLUDE $k" >> /var/cache/bind/it213.int; done | |
| − | = | + | =Zonen signieren= |
| − | |||
| − | + | *dnssec-signzone -A -N INCREMENT -o it213.int -t /var/cache/bind/it213.int | |
| − | + | ;Erzeugt | |
| − | |||
<pre> | <pre> | ||
| − | + | /var/cache/bind/it213.int.signed | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
</pre> | </pre> | ||
| − | + | *systemctl restart named | |
| − | * | ||
| − | = | + | =DS Record für Fake Root erzeugen= |
| − | |||
| − | + | ;DS aus signierter Zone erzeugen | |
| + | *dnssec-dsfromkey -f /var/cache/bind/it213.int.signed it213.int | ||
| − | + | ;DS Eintrag an Fake Root weitergeben | |
| − | + | ;Im Fake Root in Zone int einfügen | |
| − | + | ||
| − | + | ;Beispiel: | |
| − | + | ;it213 IN NS ns.it213.int. | |
| + | ;ns.it213.int. IN A 10.88.213.21 | ||
| + | ;it213.int. IN DS 12345 8 2 ABCDEF123456.... | ||
| + | |||
| + | ;Danach Fake Root neu signieren | ||
| + | *cd /var/cache/bind | ||
| + | *dnssec-signzone -A -N INCREMENT -o int int | ||
| + | *rndc reload | ||
| − | == | + | =Handling und Logging= |
| − | * | + | *systemctl restart bind9 |
| + | *journalctl -fu bind9 | ||
| + | *journalctl -u bind9 -g it213.int | ||
| − | + | =Validierungstest= | |
| − | |||
| − | + | ;Forward Validierung | |
| − | * | + | *dig www.it213.int +dnssec |
| − | |||
| − | + | ;Antwort muss AD-Flag enthalten | |
| − | |||
Aktuelle Version vom 18. März 2026, 07:14 Uhr
Klonen des Templates
- Erstellen eines Nameservers laut Plan
- Name ns.it213.int
- Vorläufiger DNS ist der 192.168.X.88
- Der Server ist autoritativ UND rekursiv validierend
Installation
- apt update
- apt install bind9 bind9-utils
Auf den Nameservern
Trust Anker einfügen
- cd /etc/bind/
- wget http://192.168.X.88/trust-anchors.conf
- echo 'include "/etc/bind/trust-anchors.conf";' >> named.conf
Optionen
- cat /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
forwarders { 192.168.X.88; };
empty-zones-enable no;
recursion yes;
allow-query { any; };
allow-transfer { 127.0.0.1; };
dnssec-validation yes;
};
Zonenfestlegung
- cat /etc/bind/named.conf.local
zone "it213.int" IN {
type master;
file "it213.int.signed";
};
zone "213.88.10.in-addr.arpa" IN {
type master;
file "213.88.10.in-addr.arpa";
};
Zonen selbst (unsigniert)
- cat /var/cache/bind/it213.int
$TTL 300
@ IN SOA ns.it213.int. technik.xinux.de. (
2026031701
14400
3600
3600000
86400
)
IN NS ns
IN MX 10 mail
ns IN A 10.88.213.21
www IN A 10.88.213.11
mail IN A 10.88.213.3
fw IN A 10.88.213.1
proxy IN A 10.88.213.4
checkmk IN A 10.88.213.5
revproxy IN A 10.88.213.41
nextcloud IN A 10.88.213.8
docker IN A 10.88.213.9
- cat /var/cache/bind/213.88.10.in-addr.arpa
$TTL 300
@ IN SOA ns.it213.int. technik.xinux.de. (
2026031701
14400
3600
3600000
86400
)
IN NS ns.it213.int.
1 IN PTR fw.it213.int.
21 IN PTR ns.it213.int.
11 IN PTR www.it213.int.
3 IN PTR mail.it213.int.
4 IN PTR proxy.it213.int.
5 IN PTR checkmk.it213.int.
8 IN PTR nextcloud.it213.int.
9 IN PTR docker.it213.int.
41 IN PTR revproxy.it213.int.
Verzeichnis wechseln
- cd /var/cache/bind/
DNSSEC Schlüssel erzeugen
- Forward Zone
- dnssec-keygen -a RSASHA256 -b 2048 -n ZONE it213.int
- dnssec-keygen -a RSASHA256 -b 4096 -f KSK -n ZONE it213.int
DNSKEY einbinden
- Forward
- for k in Kit213.int.+*.key ; do echo "\$INCLUDE $k" >> /var/cache/bind/it213.int; done
Zonen signieren
- dnssec-signzone -A -N INCREMENT -o it213.int -t /var/cache/bind/it213.int
- Erzeugt
/var/cache/bind/it213.int.signed
- systemctl restart named
DS Record für Fake Root erzeugen
- DS aus signierter Zone erzeugen
- dnssec-dsfromkey -f /var/cache/bind/it213.int.signed it213.int
- DS Eintrag an Fake Root weitergeben
- Im Fake Root in Zone int einfügen
- Beispiel
- it213 IN NS ns.it213.int.
- ns.it213.int. IN A 10.88.213.21
- it213.int. IN DS 12345 8 2 ABCDEF123456....
- Danach Fake Root neu signieren
- cd /var/cache/bind
- dnssec-signzone -A -N INCREMENT -o int int
- rndc reload
Handling und Logging
- systemctl restart bind9
- journalctl -fu bind9
- journalctl -u bind9 -g it213.int
Validierungstest
- Forward Validierung
- dig www.it213.int +dnssec
- Antwort muss AD-Flag enthalten