Bind: Unterschied zwischen den Versionen

(Die Seite wurde neu angelegt: ==dnssec-key erstellen== dnssec-keygen -a HMAC-MD5 -b 512 -n USER foo22.bar44.com dieser key kann z.b. fuer die dns-zone foo22.bar44.com verwendet werden<br/> um dynam...)
 
Zeile 2: Zeile 2:
 
  dnssec-keygen -a HMAC-MD5 -b 512 -n USER foo22.bar44.com
 
  dnssec-keygen -a HMAC-MD5 -b 512 -n USER foo22.bar44.com
 
dieser key kann z.b. fuer die dns-zone foo22.bar44.com verwendet werden<br/>
 
dieser key kann z.b. fuer die dns-zone foo22.bar44.com verwendet werden<br/>
um dynamische zone-updates zu erlauben
+
um dynamische zone-updates zu erlauben.<br/>
 +
die keys werden nach /etc/bind/ kopiert<br/>
 +
dann muss man dann noch folgendes<br/>
 +
'''ausserhalb''' der options-section in die named.conf eintragen:
 +
<pre>
 +
[...]
 +
 
 +
key foo22.bar44.com. {
 +
      algorithm HMAC-MD5;
 +
      secret "1Yjjw072uaYWq1eehnA/xtbXOB6Ul3Q/5FFv9//2I4UUm6yscXIFuDp8 nmRQ2QFRfrsU+R1R2zIpJjZ4pFJOrw==";
 +
      };
 +
 
 +
[...]
 +
 
 +
zone "foo22.bar44.com." {
 +
      [...]
 +
      allow-update {
 +
        key foo22.bar44.com.;
 +
        };
 +
      [...]
 +
      };
 +
 
 +
[...]
 +
</pre>
 +
# secret = der wert aus Kfoo22.bar44.com.+157+06098.key (pub-key)
 +
 
 +
==complete named.conf==
 +
<pre>
 +
controls {
 +
        unix "/var/run/bind/named.ctl"
 +
        perm 0600 owner <BIND-UID> group <BIND-GID>
 +
        keys { "rndc-key"; };
 +
};
 +
 
 +
 
 +
// key for zone foo22.bar44.com
 +
key foo22.bar44.com. {
 +
      algorithm HMAC-MD5;
 +
      secret "1Yjjw072uaYWq1eehnA/xtbXOB6Ul3Q/5FFv9//2I4UUm6yscXIFuDp8 nmRQ2QFRfrsU+R1R2zIpJjZ4pFJOrw==";
 +
};
 +
 
 +
// i have an acl defining the openNIC root-servers
 +
// these servers are responsible for domains like:
 +
// .null, .geek, .indy, ...
 +
// this is because i will not use openNIC root servers for general root-servers
 +
// only forward-only zones will redirect the requests to these root's
 +
// but you will have to add new zones for every new top-level domain
 +
// openNIC will serve...
 +
acl "openNICroots" {
 +
    82.229.244.191;
 +
    88.191.51.140;
 +
    216.67.98.38;
 +
    216.87.84.209;
 +
    71.170.11.156;
 +
    58.6.115.42;
 +
    58.6.115.43;
 +
};
 +
 
 +
 
 +
 
 +
options {
 +
        pid-file                "/var/run/bind/run/named.pid";
 +
        directory              "/var/cache/bind";
 +
        statistics-file        "/var/log/named.stats";
 +
        dump-file              "/var/log/named.dump";
 +
        zone-statistics yes;
 +
 
 +
        /*
 +
        // comment in if you run official zones only!!!!
 +
        blackhole {
 +
                10/8;
 +
                172.16/12;
 +
                192.168/16;
 +
        };
 +
        */
 +
 
 +
        auth-nxdomain no;
 +
        allow-query { none; };
 +
 
 +
        allow-transfer {
 +
                127.0.0.1;
 +
                62.116.129.129;        // ns9.schlundtech.de
 +
                62.116.163.100;        // ns10.schlundtech.de
 +
                62.116.162.121;        // ns10.schlundtech.de
 +
        };
 +
 
 +
        max-transfer-time-in 10;
 +
        max-transfer-idle-in 5;
 +
        max-transfer-time-out 10;
 +
        max-transfer-idle-out 5;
 +
        serial-query-rate 20;
 +
        transfer-format many-answers;
 +
        transfers-in 80;
 +
        transfers-out 80;
 +
        transfers-per-ns 30;
 +
        tcp-clients 200;
 +
        max-cache-size unlimited;
 +
        cleaning-interval 60;
 +
        lame-ttl 1200;
 +
        version "Herr 2.7";
 +
};
 +
 
 +
 
 +
 
 +
// MY Zones here...
 +
 
 +
zone "huetzelgruetzel.com" {
 +
        [....]
 +
        also-notify {
 +
            // notify my slaves explicily!
 +
            11.12.13.14;
 +
            11.12.13.15;
 +
        };
 +
};
 +
 
 +
 
 +
 
 +
// openNIC zones
 +
// sadly my ACL openNICroots is not usable in
 +
// 'forwarders {};' definition!!! :-(
 +
zone "geek" {
 +
        type forward;
 +
        forward only;
 +
        forwarders {
 +
                82.229.244.191;
 +
                88.191.51.140;
 +
                216.67.98.38;
 +
                216.87.84.209;
 +
                71.170.11.156;
 +
                58.6.115.42;
 +
                58.6.115.43;
 +
        };
 +
};
 +
 
 +
zone "glue" {
 +
        type forward;
 +
        forward only;
 +
        forwarders {
 +
                //"openNICroots";
 +
                82.229.244.191;
 +
                88.191.51.140;
 +
                216.67.98.38;
 +
                216.87.84.209;
 +
                71.170.11.156;
 +
                58.6.115.42;
 +
                58.6.115.43;
 +
        };
 +
};
 +
 
 +
zone "indy" {
 +
        type forward;
 +
        forward only;
 +
        forwarders {
 +
                82.229.244.191;
 +
                88.191.51.140;
 +
                216.67.98.38;
 +
                216.87.84.209;
 +
                71.170.11.156;
 +
                58.6.115.42;
 +
                58.6.115.43;
 +
        };
 +
};
 +
 
 +
zone "null" {
 +
        type forward;
 +
        forward only;
 +
        forwarders {
 +
                82.229.244.191;
 +
                88.191.51.140;
 +
                216.67.98.38;
 +
                216.87.84.209;
 +
                71.170.11.156;
 +
                58.6.115.42;
 +
                58.6.115.43;
 +
        };
 +
};
 +
 
 +
zone "oss" {
 +
        type forward;
 +
        forward only;
 +
        forwarders {
 +
                82.229.244.191;
 +
                88.191.51.140;
 +
                216.67.98.38;
 +
                216.87.84.209;
 +
                71.170.11.156;
 +
                58.6.115.42;
 +
                58.6.115.43;
 +
        };
 +
};
 +
 
 +
zone "parody" {
 +
        type forward;
 +
        forward only;
 +
        forwarders {
 +
                82.229.244.191;
 +
                88.191.51.140;
 +
                216.67.98.38;
 +
                216.87.84.209;
 +
                71.170.11.156;
 +
                58.6.115.42;
 +
                58.6.115.43;
 +
        };
 +
};
 +
 
 +
zone "ing" {
 +
        type forward;
 +
        forward only;
 +
        forwarders {
 +
                82.229.244.191;
 +
                88.191.51.140;
 +
                216.67.98.38;
 +
                216.87.84.209;
 +
                71.170.11.156;
 +
                58.6.115.42;
 +
                58.6.115.43;
 +
        };
 +
};
 +
 
 +
zone "bbs" {
 +
        type forward;
 +
        forward only;
 +
        forwarders {
 +
                82.229.244.191;
 +
                88.191.51.140;
 +
                216.67.98.38;
 +
                216.87.84.209;
 +
                71.170.11.156;
 +
                58.6.115.42;
 +
                58.6.115.43;
 +
        };
 +
};
 +
 
 +
zone "fur" {
 +
        type forward;
 +
        forward only;
 +
        forwarders {
 +
                82.229.244.191;
 +
                88.191.51.140;
 +
                216.67.98.38;
 +
                216.87.84.209;
 +
                71.170.11.156;
 +
                58.6.115.42;
 +
                58.6.115.43;
 +
        };
 +
};
 +
 
 +
zone "free" {
 +
        type forward;
 +
        forward only;
 +
        forwarders {
 +
                82.229.244.191;
 +
                88.191.51.140;
 +
                216.67.98.38;
 +
                216.87.84.209;
 +
                71.170.11.156;
 +
                58.6.115.42;
 +
                58.6.115.43;
 +
        };
 +
};
 +
</pre>
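Review bot: The TSIG secret is pasted verbatim in both added `secret "1Yjjw072…"` lines (the key block outside options and again in the complete named.conf); since allow-update is bound to that key, the published value lets anyone who reads the page send dynamic updates to foo22.bar44.com, so the key should be regenerated and the page should carry a placeholder such as `secret "<TSIG-SECRET-FROM-Kfoo22.bar44.com.+157+06098.key>";`. The comment `# secret = der wert aus Kfoo22.bar44.com.+157+06098.key (pub-key)` is also misleading, because HMAC-MD5 is symmetric and the .key file holds the shared secret rather than a public key; suggest `# secret = shared TSIG secret from Kfoo22.bar44.com.+157+06098.key (symmetric, keep private)`. The pasted value additionally contains an embedded space (`…Dp8 nmRQ…`), presumably a line wrap from the copied .key file; BIND may tolerate whitespace inside the base64 string, but removing it avoids a silently mismatched key. Where both ends support it, newer BIND releases also accept hmac-sha256 for TSIG, which is preferable to HMAC-MD5.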

Version vom 22. Oktober 2009, 08:23 Uhr

dnssec-key erstellen

dnssec-keygen -a HMAC-MD5 -b 512 -n USER foo22.bar44.com

dieser key kann z.b. fuer die dns-zone foo22.bar44.com verwendet werden
um dynamische zone-updates zu erlauben.
die keys werden nach /etc/bind/ kopiert
dann muss man noch folgendes
ausserhalb der options-section in die named.conf eintragen:

[...]

key foo22.bar44.com. {
      algorithm HMAC-MD5;
      secret "1Yjjw072uaYWq1eehnA/xtbXOB6Ul3Q/5FFv9//2I4UUm6yscXIFuDp8 nmRQ2QFRfrsU+R1R2zIpJjZ4pFJOrw==";
      };

[...]

zone "foo22.bar44.com." {
      [...]
      allow-update {
         key foo22.bar44.com.;
         };
      [...]
      };

[...]
  1. secret = der wert aus Kfoo22.bar44.com.+157+06098.key (pub-key)

complete named.conf

controls {
        unix "/var/run/bind/named.ctl"
        perm 0600 owner <BIND-UID> group <BIND-GID>
        keys { "rndc-key"; };
};


// key for zone foo22.bar44.com
key foo22.bar44.com. {
      algorithm HMAC-MD5;
      secret "1Yjjw072uaYWq1eehnA/xtbXOB6Ul3Q/5FFv9//2I4UUm6yscXIFuDp8 nmRQ2QFRfrsU+R1R2zIpJjZ4pFJOrw==";
};

// i have an acl defining the openNIC root-servers
// these servers are responsible for domains like:
// .null, .geek, .indy, ...
// this is because i will not use openNIC root servers for general root-servers
// only forward-only zones will redirect the requests to these root's
// but you will have to add new zones for every new top-level domain 
// openNIC will serve...
acl "openNICroots" {
     82.229.244.191;
     88.191.51.140;
     216.67.98.38;
     216.87.84.209;
     71.170.11.156;
     58.6.115.42;
     58.6.115.43;
};



options {
        pid-file                "/var/run/bind/run/named.pid";
        directory               "/var/cache/bind";
        statistics-file         "/var/log/named.stats";
        dump-file               "/var/log/named.dump";
        zone-statistics yes;

        /*
        // comment in if you run official zones only!!!!
        blackhole {
                10/8;
                172.16/12;
                192.168/16;
        };
        */

        auth-nxdomain no;
        allow-query { none; };

        allow-transfer {
                127.0.0.1;
                62.116.129.129;         // ns9.schlundtech.de
                62.116.163.100;         // ns10.schlundtech.de
                62.116.162.121;         // ns10.schlundtech.de
        };

        max-transfer-time-in 10;
        max-transfer-idle-in 5;
        max-transfer-time-out 10;
        max-transfer-idle-out 5;
        serial-query-rate 20;
        transfer-format many-answers;
        transfers-in 80;
        transfers-out 80;
        transfers-per-ns 30;
        tcp-clients 200;
        max-cache-size unlimited;
        cleaning-interval 60;
        lame-ttl 1200;
        version "Herr 2.7";
};



// MY Zones here...

zone "huetzelgruetzel.com" {
        [....]
        also-notify {
            // notify my slaves explicily!
            11.12.13.14;
            11.12.13.15;
        };
};



// openNIC zones
// sadly my ACL openNICroots is not usable in
// 'forwarders {};' definition!!! :-(
zone "geek" {
        type forward;
        forward only;
        forwarders {
                82.229.244.191;
                88.191.51.140;
                216.67.98.38;
                216.87.84.209;
                71.170.11.156;
                58.6.115.42;
                58.6.115.43;
        };
};

zone "glue" {
        type forward;
        forward only;
        forwarders {
                //"openNICroots";
                82.229.244.191;
                88.191.51.140;
                216.67.98.38;
                216.87.84.209;
                71.170.11.156;
                58.6.115.42;
                58.6.115.43;
        };
};

zone "indy" {
        type forward;
        forward only;
        forwarders {
                82.229.244.191;
                88.191.51.140;
                216.67.98.38;
                216.87.84.209;
                71.170.11.156;
                58.6.115.42;
                58.6.115.43;
        };
};

zone "null" {
        type forward;
        forward only;
        forwarders {
                82.229.244.191;
                88.191.51.140;
                216.67.98.38;
                216.87.84.209;
                71.170.11.156;
                58.6.115.42;
                58.6.115.43;
        };
};

zone "oss" {
        type forward;
        forward only;
        forwarders {
                82.229.244.191;
                88.191.51.140;
                216.67.98.38;
                216.87.84.209;
                71.170.11.156;
                58.6.115.42;
                58.6.115.43;
        };
};

zone "parody" {
        type forward;
        forward only;
        forwarders {
                82.229.244.191;
                88.191.51.140;
                216.67.98.38;
                216.87.84.209;
                71.170.11.156;
                58.6.115.42;
                58.6.115.43;
        };
};

zone "ing" {
        type forward;
        forward only;
        forwarders {
                82.229.244.191;
                88.191.51.140;
                216.67.98.38;
                216.87.84.209;
                71.170.11.156;
                58.6.115.42;
                58.6.115.43;
        };
};

zone "bbs" {
        type forward;
        forward only;
        forwarders {
                82.229.244.191;
                88.191.51.140;
                216.67.98.38;
                216.87.84.209;
                71.170.11.156;
                58.6.115.42;
                58.6.115.43;
        };
};

zone "fur" {
        type forward;
        forward only;
        forwarders {
                82.229.244.191;
                88.191.51.140;
                216.67.98.38;
                216.87.84.209;
                71.170.11.156;
                58.6.115.42;
                58.6.115.43;
        };
};

zone "free" {
        type forward;
        forward only;
        forwarders {
                82.229.244.191;
                88.191.51.140;
                216.67.98.38;
                216.87.84.209;
                71.170.11.156;
                58.6.115.42;
                58.6.115.43;
        };
};