Bind: Unterschied zwischen den Versionen
Cbs (Diskussion | Beiträge) (Die Seite wurde neu angelegt: ==dnssec-key erstellen== dnssec-keygen -a HMAC-MD5 -b 512 -n USER foo22.bar44.com dieser key kann z.b. fuer die dns-zone foo22.bar44.com verwendet werden<br/> um dynam...) |
Cbs (Diskussion | Beiträge) |
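--- a/Bind
+++ b/Bind
@@ -2,3 +2,263 @@
 dnssec-keygen -a HMAC-MD5 -b 512 -n USER foo22.bar44.com
 dieser key kann z.b. fuer die dns-zone foo22.bar44.com verwendet werden<br/>
-um dynamische zone-updates zu erlauben
+um dynamische zone-updates zu erlauben.<br/>
+die keys werden nach /etc/bind/ kopiert<br/>
+dann muss man dann noch folgendes<br/>
+'''ausserhalb''' der options-section in die named.conf eintragen:
+<pre>
+[...]
+
+key foo22.bar44.com. {
+algorithm HMAC-MD5;
+secret "1Yjjw072uaYWq1eehnA/xtbXOB6Ul3Q/5FFv9//2I4UUm6yscXIFuDp8 nmRQ2QFRfrsU+R1R2zIpJjZ4pFJOrw==";
+};
+
+[...]
+
+zone "foo22.bar44.com." {
+[...]
+allow-update {
+key foo22.bar44.com.;
+};
+[...]
+};
+
+[...]
+</pre>
+# secret = der wert aus Kfoo22.bar44.com.+157+06098.key (pub-key)
+
+==complete named.conf==
+<pre>
+controls {
+unix "/var/run/bind/named.ctl"
+perm 0600 owner <BIND-UID> group <BIND-GID>
+keys { "rndc-key"; };
+};
+
+
+// key for zone foo22.bar44.com
+key foo22.bar44.com. {
+algorithm HMAC-MD5;
+secret "1Yjjw072uaYWq1eehnA/xtbXOB6Ul3Q/5FFv9//2I4UUm6yscXIFuDp8 nmRQ2QFRfrsU+R1R2zIpJjZ4pFJOrw==";
+};
+
+// i have an acl defining the openNIC root-servers
+// these servers are responsible for domains like:
+// .null, .geek, .indy, ...
+// this is because i will not use openNIC root servers for general root-servers
+// only forward-only zones will redirect the requests to these root's
+// but you will have to add new zones for every new top-level domain
+// openNIC will serve...
+acl "openNICroots" {
+82.229.244.191;
+88.191.51.140;
+216.67.98.38;
+216.87.84.209;
+71.170.11.156;
+58.6.115.42;
+58.6.115.43;
+};
+
+
+
+options {
+pid-file "/var/run/bind/run/named.pid";
+directory "/var/cache/bind";
+statistics-file "/var/log/named.stats";
+dump-file "/var/log/named.dump";
+zone-statistics yes;
+
+/*
+// comment in if you run official zones only!!!!
+blackhole {
+10/8;
+172.16/12;
+192.168/16;
+};
+*/
+
+auth-nxdomain no;
+allow-query { none; };
+
+allow-transfer {
+127.0.0.1;
+62.116.129.129; // ns9.schlundtech.de
+62.116.163.100; // ns10.schlundtech.de
+62.116.162.121; // ns10.schlundtech.de
+};
+
+max-transfer-time-in 10;
+max-transfer-idle-in 5;
+max-transfer-time-out 10;
+max-transfer-idle-out 5;
+serial-query-rate 20;
+transfer-format many-answers;
+transfers-in 80;
+transfers-out 80;
+transfers-per-ns 30;
+tcp-clients 200;
+max-cache-size unlimited;
+cleaning-interval 60;
+lame-ttl 1200;
+version "Herr 2.7";
+};
+
+
+
+// MY Zones here...
+
+zone "huetzelgruetzel.com" {
+[....]
+also-notify {
+// notify my slaves explicily!
+11.12.13.14;
+11.12.13.15;
+};
+};
+
+
+
+// openNIC zones
+// sadly my ACL openNICroots is not usable in
+// 'forwarders {};' definition!!! :-(
+zone "geek" {
+type forward;
+forward only;
+forwarders {
+82.229.244.191;
+88.191.51.140;
+216.67.98.38;
+216.87.84.209;
+71.170.11.156;
+58.6.115.42;
+58.6.115.43;
+};
+};
+
+zone "glue" {
+type forward;
+forward only;
+forwarders {
+//"openNICroots";
+82.229.244.191;
+88.191.51.140;
+216.67.98.38;
+216.87.84.209;
+71.170.11.156;
+58.6.115.42;
+58.6.115.43;
+};
+};
+
+zone "indy" {
+type forward;
+forward only;
+forwarders {
+82.229.244.191;
+88.191.51.140;
+216.67.98.38;
+216.87.84.209;
+71.170.11.156;
+58.6.115.42;
+58.6.115.43;
+};
+};
+
+zone "null" {
+type forward;
+forward only;
+forwarders {
+82.229.244.191;
+88.191.51.140;
+216.67.98.38;
+216.87.84.209;
+71.170.11.156;
+58.6.115.42;
+58.6.115.43;
+};
+};
+
+zone "oss" {
+type forward;
+forward only;
+forwarders {
+82.229.244.191;
+88.191.51.140;
+216.67.98.38;
+216.87.84.209;
+71.170.11.156;
+58.6.115.42;
+58.6.115.43;
+};
+};
+
+zone "parody" {
+type forward;
+forward only;
+forwarders {
+82.229.244.191;
+88.191.51.140;
+216.67.98.38;
+216.87.84.209;
+71.170.11.156;
+58.6.115.42;
+58.6.115.43;
+};
+};
+
+zone "ing" {
+type forward;
+forward only;
+forwarders {
+82.229.244.191;
+88.191.51.140;
+216.67.98.38;
+216.87.84.209;
+71.170.11.156;
+58.6.115.42;
+58.6.115.43;
+};
+};
+
+zone "bbs" {
+type forward;
+forward only;
+forwarders {
+82.229.244.191;
+88.191.51.140;
+216.67.98.38;
+216.87.84.209;
+71.170.11.156;
+58.6.115.42;
+58.6.115.43;
+};
+};
+
+zone "fur" {
+type forward;
+forward only;
+forwarders {
+82.229.244.191;
+88.191.51.140;
+216.67.98.38;
+216.87.84.209;
+71.170.11.156;
+58.6.115.42;
+58.6.115.43;
+};
+};
+
+zone "free" {
+type forward;
+forward only;
+forwarders {
+82.229.244.191;
+88.191.51.140;
+216.67.98.38;
+216.87.84.209;
+71.170.11.156;
+58.6.115.42;
+58.6.115.43;
+};
+};
+</pre>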
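Review bot: The TSIG secret is pasted verbatim into the page twice, in the `key foo22.bar44.com.` statement of the short snippet and again inside the complete named.conf; because the zone's `allow-update { key foo22.bar44.com.; }` accepts any update signed with that key, whoever can read this wiki can change foo22.bar44.com, so the published key should be treated as compromised and replaced, and the page should carry a placeholder such as `secret "<TSIG-SECRET>";` instead. The added line `# secret = der wert aus Kfoo22.bar44.com.+157+06098.key (pub-key)` is misleading for the same reason: an HMAC key is a shared symmetric secret that dnssec-keygen writes into both the `.key` and the `.private` file, so suggest `(shared secret, not a public key)`. HMAC-MD5 is also the weakest TSIG algorithm BIND accepts; `algorithm hmac-sha256;` (generated with `dnssec-keygen -a HMAC-SHA256`, or with tsig-keygen on newer BIND releases) is the usual choice today. Separately, the `controls` block references `"rndc-key"` but no key statement or include for it appears anywhere in the listing — presumably an include of the rndc key file was left out of the excerpt, which is worth stating on the page, since without it the control channel has no usable key.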
Version vom 22. Oktober 2009, 08:23 Uhr
dnssec-key erstellen
# Generates the TSIG key files Kfoo22.bar44.com.+157+<id>.key and .private (157 is the
# HMAC-MD5 algorithm number that also appears in the file name quoted further down).
# Both files contain the same shared secret, so they must be protected like a password.
# HMAC-MD5 is the weakest algorithm BIND accepts; -a HMAC-SHA256 is the usual choice
# (newer BIND releases generate TSIG keys with tsig-keygen instead of dnssec-keygen).
dnssec-keygen -a HMAC-MD5 -b 512 -n USER foo22.bar44.com
dieser key kann z.b. fuer die dns-zone foo22.bar44.com verwendet werden
um dynamische zone-updates zu erlauben.
die keys werden nach /etc/bind/ kopiert
dann muss man noch folgendes
ausserhalb der options-section in die named.conf eintragen:
[...]

// TSIG key used to authenticate dynamic updates for the zone below. The secret is a
// shared symmetric value (dnssec-keygen writes the same value into the .key and the
// .private file) — it is not a public key, and anyone holding it can sign updates that
// the allow-update clause accepts.
// NOTE(review): the value below is published on this page and should be treated as
// compromised; a real configuration must never be posted with its secret. HMAC-MD5 is
// the weakest TSIG algorithm BIND supports; hmac-sha256 is preferable.
key foo22.bar44.com. {
    algorithm HMAC-MD5;
    secret "1Yjjw072uaYWq1eehnA/xtbXOB6Ul3Q/5FFv9//2I4UUm6yscXIFuDp8 nmRQ2QFRfrsU+R1R2zIpJjZ4pFJOrw==";
};

[...]

zone "foo22.bar44.com." {
    [...]
    // dynamic updates are accepted only when signed with the key defined above;
    // the key name here must match the key statement exactly
    allow-update {
        key foo22.bar44.com.;
    };
    [...]
};

[...]
- secret = der wert aus Kfoo22.bar44.com.+157+06098.key (pub-key)
complete named.conf
// NOTE(review): this is the listing as published on the page; <BIND-UID>, <BIND-GID>
// and [....] are placeholders left by the author and must be filled in before named
// loads the file.

// rndc control channel on a local unix socket; access is limited by the socket's
// mode/owner and by the key listed under keys {}.
// NOTE(review): "rndc-key" is referenced here but no key statement or include for it
// appears anywhere in this listing — presumably an include of the rndc key file was
// left out of the excerpt; confirm, otherwise the control channel has no usable key.
controls {
    unix "/var/run/bind/named.ctl"
        perm 0600 owner <BIND-UID> group <BIND-GID>
        keys { "rndc-key"; };
};


// key for zone foo22.bar44.com
// TSIG key meant for the allow-update clause of zone foo22.bar44.com (that zone is not
// part of this listing). The secret is a shared symmetric value: whoever holds it can
// sign updates, so it must not be published — the value below appears on a public wiki
// page and should be treated as compromised. HMAC-MD5 is the weakest TSIG algorithm
// BIND supports; hmac-sha256 is preferable. The blank inside the string was copied
// from the key file; BIND's base64 decoder presumably skips whitespace — confirm
// before relying on it.
key foo22.bar44.com. {
    algorithm HMAC-MD5;
    secret "1Yjjw072uaYWq1eehnA/xtbXOB6Ul3Q/5FFv9//2I4UUm6yscXIFuDp8 nmRQ2QFRfrsU+R1R2zIpJjZ4pFJOrw==";
};

// i have an acl defining the openNIC root-servers
// these servers are responsible for domains like:
// .null, .geek, .indy, ...
// this is because i will not use openNIC root servers for general root-servers
// only forward-only zones will redirect the requests to these root's
// but you will have to add new zones for every new top-level domain
// openNIC will serve...
// NOTE(review): this ACL is referenced nowhere below (only a commented-out line in
// zone "glue"); the same seven addresses are repeated verbatim in every forward zone
// because, as the author notes, forwarders {} takes addresses rather than ACL names.
acl "openNICroots" {
    82.229.244.191;
    88.191.51.140;
    216.67.98.38;
    216.87.84.209;
    71.170.11.156;
    58.6.115.42;
    58.6.115.43;
};



options {
    // runtime files; "directory" is named's working directory, so relative zone-file
    // paths resolve below /var/cache/bind
    pid-file "/var/run/bind/run/named.pid";
    directory "/var/cache/bind";
    statistics-file "/var/log/named.stats";
    dump-file "/var/log/named.dump";
    zone-statistics yes;

    /*
    // comment in if you run official zones only!!!!
    blackhole {
        10/8;
        172.16/12;
        192.168/16;
    };
    */
    // (the commented-out blackhole above would make named silently drop every packet
    // from the RFC 1918 ranges; the author enables it only on a server that serves
    // public zones and has no internal clients)

    // answer NXDOMAIN without the AA bit
    auth-nxdomain no;
    // global default: refuse every query. A zone that does not override this with its
    // own allow-query is unreachable; none of the forward zones below does.
    // NOTE(review): presumably the real zones override it — confirm, the elided body
    // of huetzelgruetzel.com may carry its own allow-query.
    allow-query { none; };

    // zone transfers are authorised by source address only (no TSIG key in the ACL);
    // 127.0.0.1 lets local tools pull zones.
    // NOTE(review): the last two entries carry the same "ns10" comment — looks like a
    // copy/paste; confirm which host 62.116.162.121 really is.
    allow-transfer {
        127.0.0.1;
        62.116.129.129; // ns9.schlundtech.de
        62.116.163.100; // ns10.schlundtech.de
        62.116.162.121; // ns10.schlundtech.de
    };

    // transfer limits: the *-time-* and *-idle-* values are minutes, serial-query-rate
    // is queries per second, the remaining values are concurrency caps
    max-transfer-time-in 10;
    max-transfer-idle-in 5;
    max-transfer-time-out 10;
    max-transfer-idle-out 5;
    serial-query-rate 20;
    transfer-format many-answers;
    transfers-in 80;
    transfers-out 80;
    transfers-per-ns 30;
    tcp-clients 200;
    // resolver cache may grow without bound
    max-cache-size unlimited;
    // cache clean-up interval (minutes) and lifetime of lame-server entries (seconds)
    cleaning-interval 60;
    lame-ttl 1200;
    // string returned for version.bind CH TXT queries instead of the real version
    version "Herr 2.7";
};



// MY Zones here...

// [....] stands for the elided type/file statements; also-notify adds explicit NOTIFY
// targets for the zone's secondaries.
// NOTE(review): 11.12.13.14 and 11.12.13.15 look like placeholders — confirm.
zone "huetzelgruetzel.com" {
    [....]
    also-notify {
        // notify my slaves explicily!
        11.12.13.14;
        11.12.13.15;
    };
};



// openNIC zones
// sadly my ACL openNICroots is not usable in
// 'forwarders {};' definition!!! :-(
// Each forward-only zone hands queries for that top-level domain to the openNIC
// addresses; "forward only" means there is no fallback to ordinary recursion when all
// forwarders fail. The forwarders are third-party servers trusted as-is (nothing in
// this listing enables DNSSEC validation), and with the global allow-query { none; }
// above, clients are presumably refused for these names unless an allow-query is
// added — TODO confirm.
zone "geek" {
    type forward;
    forward only;
    forwarders {
        82.229.244.191;
        88.191.51.140;
        216.67.98.38;
        216.87.84.209;
        71.170.11.156;
        58.6.115.42;
        58.6.115.43;
    };
};

zone "glue" {
    type forward;
    forward only;
    forwarders {
        //"openNICroots";
        82.229.244.191;
        88.191.51.140;
        216.67.98.38;
        216.87.84.209;
        71.170.11.156;
        58.6.115.42;
        58.6.115.43;
    };
};

zone "indy" {
    type forward;
    forward only;
    forwarders {
        82.229.244.191;
        88.191.51.140;
        216.67.98.38;
        216.87.84.209;
        71.170.11.156;
        58.6.115.42;
        58.6.115.43;
    };
};

zone "null" {
    type forward;
    forward only;
    forwarders {
        82.229.244.191;
        88.191.51.140;
        216.67.98.38;
        216.87.84.209;
        71.170.11.156;
        58.6.115.42;
        58.6.115.43;
    };
};

zone "oss" {
    type forward;
    forward only;
    forwarders {
        82.229.244.191;
        88.191.51.140;
        216.67.98.38;
        216.87.84.209;
        71.170.11.156;
        58.6.115.42;
        58.6.115.43;
    };
};

zone "parody" {
    type forward;
    forward only;
    forwarders {
        82.229.244.191;
        88.191.51.140;
        216.67.98.38;
        216.87.84.209;
        71.170.11.156;
        58.6.115.42;
        58.6.115.43;
    };
};

zone "ing" {
    type forward;
    forward only;
    forwarders {
        82.229.244.191;
        88.191.51.140;
        216.67.98.38;
        216.87.84.209;
        71.170.11.156;
        58.6.115.42;
        58.6.115.43;
    };
};

zone "bbs" {
    type forward;
    forward only;
    forwarders {
        82.229.244.191;
        88.191.51.140;
        216.67.98.38;
        216.87.84.209;
        71.170.11.156;
        58.6.115.42;
        58.6.115.43;
    };
};

zone "fur" {
    type forward;
    forward only;
    forwarders {
        82.229.244.191;
        88.191.51.140;
        216.67.98.38;
        216.87.84.209;
        71.170.11.156;
        58.6.115.42;
        58.6.115.43;
    };
};

zone "free" {
    type forward;
    forward only;
    forwarders {
        82.229.244.191;
        88.191.51.140;
        216.67.98.38;
        216.87.84.209;
        71.170.11.156;
        58.6.115.42;
        58.6.115.43;
    };
};