Pseudo second level domain Basics: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
| Zeile 2: | Zeile 2: | ||
;Erstellen eines Nameservers laut Plan | ;Erstellen eines Nameservers laut Plan | ||
;Name ns.it1XX.int | ;Name ns.it1XX.int | ||
| − | ; | + | ;Vorläufiger DNS ist der 192.168.X.88 |
| + | ;Der Server ist autoritativ UND rekursiv validierend | ||
=Installation= | =Installation= | ||
| − | *apt install bind9 | + | *apt install bind9 bind9-utils |
| + | |||
=Auf den Nameservern= | =Auf den Nameservern= | ||
| − | + | ||
| + | ==Optionen== | ||
| + | *cat /etc/bind/named.conf.options | ||
| + | <pre> | ||
| + | options { | ||
| + | directory "/var/cache/bind"; | ||
forwarders { 192.168.X.88; }; | forwarders { 192.168.X.88; }; | ||
empty-zones-enable no; | empty-zones-enable no; | ||
| − | * | + | recursion yes; |
| + | dnssec-validation auto; | ||
| + | |||
| + | allow-query { any; }; | ||
| + | }; | ||
| + | </pre> | ||
| + | |||
| + | ==Trust-Anker für Fake Root (.int)== | ||
| + | ;KSK der Zone int vom Fake Root ermitteln | ||
| + | *dig DNSKEY int @192.168.X.88 +short | ||
| + | |||
| + | ;Nur der Key mit Kennung 257 3 13 wird verwendet | ||
| + | |||
| + | ;Eintragen in /etc/bind/named.conf.options | ||
<pre> | <pre> | ||
| − | zone it113.int IN { | + | managed-keys { |
| + | int. initial-key 257 3 13 "BASE64-KSK-VON-INT-HIER-EINFÜGEN"; | ||
| + | }; | ||
| + | </pre> | ||
| + | |||
| + | *systemctl restart bind9 | ||
| + | |||
| + | ==Zonenfestlegung== | ||
| + | *cat /etc/bind/named.conf.local | ||
| + | <pre> | ||
| + | zone "it113.int" IN { | ||
type master; | type master; | ||
| − | file "it113.int"; | + | file "it113.int.signed"; |
}; | }; | ||
| − | zone 113.88.10.in-addr.arpa IN { | + | zone "113.88.10.in-addr.arpa" IN { |
type master; | type master; | ||
| − | file "113.88.10.in-addr.arpa"; | + | file "113.88.10.in-addr.arpa.signed"; |
}; | }; | ||
</pre> | </pre> | ||
| + | =Zonen selbst (unsigniert)= | ||
| − | *cat | + | *cat /var/cache/bind/it113.int |
<pre> | <pre> | ||
$TTL 300 | $TTL 300 | ||
| − | @ | + | @ IN SOA ns.it113.int. technik.xinux.de. ( |
| − | 2011090204 | + | 2011090204 |
| − | 14400 | + | 14400 |
| − | 3600 | + | 3600 |
| − | 3600000 | + | 3600000 |
| − | 86400 | + | 86400 |
) | ) | ||
IN NS ns | IN NS ns | ||
| Zeile 41: | Zeile 72: | ||
</pre> | </pre> | ||
| − | *cat | + | *cat /var/cache/bind/113.88.10.in-addr.arpa |
<pre> | <pre> | ||
| − | |||
$TTL 300 | $TTL 300 | ||
| − | @ | + | @ IN SOA ns.it113.int. technik.xinux.de. ( |
| − | 2011090204 | + | 2011090204 |
| − | 14400 | + | 14400 |
| − | 3600 | + | 3600 |
| − | 3600000 | + | 3600000 |
| − | 86400 | + | 86400 |
) | ) | ||
IN NS ns.it113.int. | IN NS ns.it113.int. | ||
| − | 21 IN PTR ns.it113.int. | + | 21 IN PTR ns.it113.int. |
| − | 22 IN PTR www.it113.int. | + | 22 IN PTR www.it113.int. |
</pre> | </pre> | ||
| + | |||
| + | =DNSSEC Schlüssel erzeugen= | ||
| + | |||
| + | ;Forward Zone | ||
| + | *dnssec-keygen -a RSASHA256 -b 2048 -n ZONE it113.int | ||
| + | *dnssec-keygen -a RSASHA256 -b 4096 -f KSK -n ZONE it113.int | ||
| + | |||
| + | ;Reverse Zone | ||
| + | *dnssec-keygen -a RSASHA256 -b 2048 -n ZONE 113.88.10.in-addr.arpa | ||
| + | *dnssec-keygen -a RSASHA256 -b 4096 -f KSK -n ZONE 113.88.10.in-addr.arpa | ||
| + | |||
| + | =DNSKEY einbinden= | ||
| + | |||
| + | ;Forward | ||
| + | *for k in Kit113.int*.key ; do echo "\$INCLUDE /var/cache/bind/$k" >> /var/cache/bind/it113.int; done | ||
| + | |||
| + | ;Reverse | ||
| + | *for k in K113.88.10.in-addr.arpa*.key ; do echo "\$INCLUDE /var/cache/bind/$k" >> /var/cache/bind/113.88.10.in-addr.arpa; done | ||
| + | |||
| + | =Zonen signieren= | ||
| + | |||
| + | *dnssec-signzone -A -N INCREMENT -o it113.int -t /var/cache/bind/it113.int | ||
| + | *dnssec-signzone -A -N INCREMENT -o 113.88.10.in-addr.arpa -t /var/cache/bind/113.88.10.in-addr.arpa | ||
| + | |||
| + | ;Erzeugt | ||
| + | <pre> | ||
| + | /var/cache/bind/it113.int.signed | ||
| + | /var/cache/bind/113.88.10.in-addr.arpa.signed | ||
| + | </pre> | ||
| + | |||
| + | *systemctl restart bind9 | ||
| + | |||
| + | =DS Record für Fake Root erzeugen= | ||
| + | |||
| + | ;KSK anzeigen | ||
| + | *dig DNSKEY it113.int @127.0.0.1 +short | ||
| + | |||
| + | ;DS erzeugen | ||
| + | *dnssec-dsfromkey Kit113.int.+008+XXXXX.key | ||
| + | |||
| + | ;DS Eintrag an Fake Root weitergeben | ||
| + | ;Im Fake Root in Zone int einfügen | ||
| + | ;Beispiel: | ||
| + | ;it113 IN DS 12345 13 2 ABCDEF123456.... | ||
=Handling und Logging= | =Handling und Logging= | ||
| − | *systemctl restart | + | *systemctl restart bind9 |
| − | + | *journalctl -fu bind9 | |
| − | + | *journalctl -u bind9 -g it113.int | |
| − | + | ||
| − | *journalctl -fu | + | =Validierungstest= |
| − | *journalctl - | + | |
| − | * | + | ;Forward Validierung |
| + | *dig www.it113.int +dnssec | ||
| − | + | ;Antwort muss AD-Flag enthalten | |
| − | |||
| − | |||
Version vom 24. Februar 2026, 15:10 Uhr
Klonen des Templates
- Erstellen eines Nameservers laut Plan
- Name ns.it1XX.int
- Vorläufiger DNS ist der 192.168.X.88
- Der Server ist autoritativ UND rekursiv validierend
Installation
- apt install bind9 bind9-utils
Auf den Nameservern
Optionen
- cat /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
forwarders { 192.168.X.88; };
empty-zones-enable no;
recursion yes;
dnssec-validation auto;
allow-query { any; };
};
Trust-Anker für Fake Root (.int)
- KSK der Zone int vom Fake Root ermitteln
- dig DNSKEY int @192.168.X.88 +short
- Nur der Key mit Kennung 257 3 13 wird verwendet
- Eintragen in /etc/bind/named.conf.options
managed-keys {
int. initial-key 257 3 13 "BASE64-KSK-VON-INT-HIER-EINFÜGEN";
};
- systemctl restart bind9
Zonenfestlegung
- cat /etc/bind/named.conf.local
zone "it113.int" IN {
type master;
file "it113.int.signed";
};
zone "113.88.10.in-addr.arpa" IN {
type master;
file "113.88.10.in-addr.arpa.signed";
};
Zonen selbst (unsigniert)
- cat /var/cache/bind/it113.int
$TTL 300
@ IN SOA ns.it113.int. technik.xinux.de. (
2011090204
14400
3600
3600000
86400
)
IN NS ns
ns IN A 10.88.113.21
www IN A 10.88.113.22
- cat /var/cache/bind/113.88.10.in-addr.arpa
$TTL 300
@ IN SOA ns.it113.int. technik.xinux.de. (
2011090204
14400
3600
3600000
86400
)
IN NS ns.it113.int.
21 IN PTR ns.it113.int.
22 IN PTR www.it113.int.
DNSSEC Schlüssel erzeugen
- Forward Zone
- dnssec-keygen -a RSASHA256 -b 2048 -n ZONE it113.int
- dnssec-keygen -a RSASHA256 -b 4096 -f KSK -n ZONE it113.int
- Reverse Zone
- dnssec-keygen -a RSASHA256 -b 2048 -n ZONE 113.88.10.in-addr.arpa
- dnssec-keygen -a RSASHA256 -b 4096 -f KSK -n ZONE 113.88.10.in-addr.arpa
DNSKEY einbinden
- Forward
- for k in Kit113.int*.key ; do echo "\$INCLUDE /var/cache/bind/$k" >> /var/cache/bind/it113.int; done
- Reverse
- for k in K113.88.10.in-addr.arpa*.key ; do echo "\$INCLUDE /var/cache/bind/$k" >> /var/cache/bind/113.88.10.in-addr.arpa; done
Zonen signieren
- dnssec-signzone -A -N INCREMENT -o it113.int -t /var/cache/bind/it113.int
- dnssec-signzone -A -N INCREMENT -o 113.88.10.in-addr.arpa -t /var/cache/bind/113.88.10.in-addr.arpa
- Erzeugt
/var/cache/bind/it113.int.signed /var/cache/bind/113.88.10.in-addr.arpa.signed
- systemctl restart bind9
DS Record für Fake Root erzeugen
- KSK anzeigen
- dig DNSKEY it113.int @127.0.0.1 +short
- DS erzeugen
- dnssec-dsfromkey Kit113.int.+008+XXXXX.key
- DS Eintrag an Fake Root weitergeben
- Im Fake Root in Zone int einfügen
- Beispiel
- it113 IN DS 12345 13 2 ABCDEF123456....
Handling und Logging
- systemctl restart bind9
- journalctl -fu bind9
- journalctl -u bind9 -g it113.int
Validierungstest
- Forward Validierung
- dig www.it113.int +dnssec
- Antwort muss AD-Flag enthalten