Setting up DNSSEC (Debian, Bind9)
HotBurek ::
Step-by-step instructions for DNSSEC on Debian and Bind9.
If there are any mistakes or improvements, just say so.
#1 Init...
named -v
BIND 9.10.3-P4-Debian
nano /etc/bind/named.conf.local
# Direct zone | example.si
zone "example.si" IN {
    type master;
    file "/etc/bind/example.si.zone";
    allow-update { none; };
};
nano /etc/bind/example.si.zone
$TTL 60480
@ IN SOA ns1.example.si. hostmaster.example.si. (
        2019022401 ; Serial
        6048       ; Refresh
        864        ; Retry
        1209600    ; Expire
        6048 )     ; Negative Cache TTL
;
@   IN NS  ns1.example.si.
@   IN NS  ns2.example.si.
@   IN A   1.2.3.4
ns1 IN A   1.2.3.4
ns2 IN A   1.2.3.4
@   IN CAA 128 issue "letsencrypt.org"
#2 Config options
nano /etc/bind/named.conf.options
options {
    //...
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
};
#3 Keygen
cd /var/cache/bind/
Joža, run:
dnssec-keygen -a NSEC3RSASHA1 -b 4096 -n ZONE example.si
dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE example.si
ls -l
Kexample.si.+007+12345.key
Kexample.si.+007+12345.privat
Kexample.si.+007+12346.key
Kexample.si.+007+12346.privat
#4 Copy zone file
cp /etc/bind/example.si.zone /var/cache/bind/
#5 Add DNSKEYs
nano /var/cache/bind/add-dnskey.sh and save:
#!/bin/sh
# append an $INCLUDE line for every public key file of the zone
for key in /var/cache/bind/Kexample.si*.key
do
    echo "\$INCLUDE $key" >> /var/cache/bind/example.si.zone
done
Joža, run:
/bin/sh /var/cache/bind/add-dnskey.sh
nano /var/cache/bind/example.si.zone
$TTL 60480
@ IN SOA ns1.example.si. hostmaster.example.si. (
        2019022401 ; Serial
        6048       ; Refresh
        864        ; Retry
        1209600    ; Expire
        6048 )     ; Negative Cache TTL
;
@   IN NS  ns1.example.si.
@   IN NS  ns2.example.si.
@   IN A   1.2.3.4
ns1 IN A   1.2.3.4
ns2 IN A   1.2.3.4
@   IN CAA 128 issue "letsencrypt.org"
$INCLUDE Kexample.si.+007+12345.key
$INCLUDE Kexample.si.+007+12346.key
#6 Sign zone
cd /var/cache/bind/
Joža, run:
dnssec-signzone -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -A -N INCREMENT -o example.si -t example.si.zone
Output:
Verifying the zone using the following algorithms: NSEC3RSASHA1.
Zone fully signed:
Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                         ZSKs: 1 active, 0 stand-by, 0 revoked
example.si.zone.signed
Signatures generated:                       12
Signatures retained:                         0
Signatures dropped:                          0
Signatures successfully verified:            0
Signatures unsuccessfully verified:          0
Signing time in seconds:                 0.211
Signatures per second:                  56.756
Runtime in seconds:                      0.239
#7 Copy signed zone
cp /var/cache/bind/example.si.zone.signed /etc/bind
#8 Reconfig zone file
nano /etc/bind/named.conf.local
# Direct zone | example.si
zone "example.si" IN {
    type master;
    file "/etc/bind/example.si.zone.signed";
    allow-update { none; };
};
#9 Add DS records to registrar
nano /var/cache/bind/dsset-example.si.
example.si. IN DS 12345 7 1 C1958F1FF50FD18D9845629D8A4ABBFBA035223F
example.si. IN DS 12345 7 2 7E45C686BBA075157AE7EE24AA047FF734512C5A789D4909001233FF 6A122DBF
Key tag = 12345
Key algorithm = 7
Digest type = 1, 2
DS digest = the long string, from beginning to end, without spaces (AAA BBB -> AAABBB)
Hitrost.com sample:
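The DS values handed to the registrar in step #9 are the one thing in this procedure that cannot be fixed locally: a typo in the tag or digest makes the whole zone fail validation. The following added example (not part of the original post, written independently of the thread) recomputes the key tag of RFC 4034 Appendix B and the DS digests of RFC 4034/4509 from the public-key line in a K*.key file, so the output of dnssec-keygen, the number in the file name and the dsset-example.si. file can be cross-checked before anything is typed into a registrar form. The sample DNSKEY line is constructed, with placeholder key bytes instead of a real RSA key, so its tag and digests are only meaningful for exercising the checks.

```python
import base64
import hashlib
import re

# Constructed sample in the format dnssec-keygen writes into Kexample.si.+007+NNNNN.key.
# Flags 257 = KSK (ZONE + SEP). The key bytes (01 02 03 04) are a placeholder, NOT a real key.
SAMPLE_KSK_LINE = "example.si. IN DNSKEY 257 3 7 AQIDBA=="

DNSKEY_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest types as in the dsset file


def name_to_wire(name: str) -> bytes:
    """Owner name in DNS wire format, lower-cased (RFC 4034 section 5.1.4)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(line: str):
    """Split 'owner [ttl] [IN] DNSKEY flags proto alg base64...' into its fields."""
    m = DNSKEY_RE.match(line.strip())
    if not m:
        raise ValueError("not a DNSKEY record: " + line)
    owner, flags, proto, alg, key_b64 = m.groups()
    key = base64.b64decode("".join(key_b64.split()))   # .key files may wrap the base64
    return owner, int(flags), int(proto), int(alg), key


def dnskey_rdata(flags: int, proto: int, alg: int, key: bytes) -> bytes:
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + key


def key_tag(flags: int, proto: int, alg: int, key: bytes) -> int:
    """RFC 4034 Appendix B: the NNNNN in Kexample.si.+007+NNNNN.key and in the DS record."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(flags, proto, alg, key)):
        ac += b if i & 1 else b << 8        # sum the RDATA as big-endian 16-bit words
    ac += (ac >> 16) & 0xFFFF               # fold the carry back in
    return ac & 0xFFFF


def is_ksk(flags: int) -> bool:
    """Only keys with ZONE (256) and SEP (1) set, i.e. 257, belong in the DS set."""
    return flags & 0x0101 == 0x0101


def ds_records(dnskey_line: str):
    """[(key_tag, algorithm, digest_type, HEXDIGEST)] exactly as dsset-example.si. lists them."""
    owner, flags, proto, alg, key = parse_dnskey(dnskey_line)
    tag = key_tag(flags, proto, alg, key)
    wire = name_to_wire(owner) + dnskey_rdata(flags, proto, alg, key)   # digest input per RFC 4034 5.1.4
    return [(tag, alg, dt, h(wire).hexdigest().upper()) for dt, h in DIGEST_ALGS.items()]


def check_dsset_line(dsset_line: str, dnskey_line: str) -> bool:
    """True if an 'example.si. IN DS tag alg dtype hex [hex]' line matches the given DNSKEY.

    Whitespace inside the digest (the wrapped form the thread shows) is removed first,
    which is also the form a registrar expects.
    """
    parts = dsset_line.split()
    i = parts.index("DS")
    tag, alg, dtype = int(parts[i + 1]), int(parts[i + 2]), int(parts[i + 3])
    digest = "".join(parts[i + 4:]).upper()
    return (tag, alg, dtype, digest) in ds_records(dnskey_line)


if __name__ == "__main__":
    # Usage with the constructed sample; with real files, feed the DNSKEY line of the
    # K*.key whose flags are 257 and compare against every line of dsset-<zone>.
    for tag, alg, dtype, digest in ds_records(SAMPLE_KSK_LINE):
        print("example.si. IN DS %d %d %d %s" % (tag, alg, dtype, digest))
```

Feed it the DNSKEY line of the file whose flags field is 257 (the KSK); a ZSK line with flags 256 produces a valid-looking DS that the parent must never publish, which is why `is_ksk` is checked separately from the digest arithmetic.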
jype ::
Kudos for fairly decent instructions. At first glance I don't see any mistakes.
poweroff ::
Oh, great, just what I needed. I only recently started looking into how to tackle this.
HotBurek ::
Two more small things.
#1 How to check the remote version of bind:
dig CH TXT version.bind @ns.slo-tech.com
To hide the version, set this in named.conf.options:
options {
    //...
    version "Bind"; // or: version none;
};
#2 Set up signing on the fly as well, so there is less manual copy/paste work.
https://ftp.isc.org/isc/dnssec-guide/ht...
The option "4.3.2.3. inline-signing" together with key-directory.