Bind
From SchnallIchNet
Revision as of 22 October 2009, 08:23 by Cbs (Talk | Contributions)
Creating a dnssec-key
dnssec-keygen -a HMAC-MD5 -b 512 -n USER foo22.bar44.com
This key can be used, for example, for the DNS zone foo22.bar44.com
to allow dynamic zone updates.
The key files are copied to /etc/bind/.
Then the following still has to be entered in named.conf,
outside the options section:
[...]
key foo22.bar44.com. {
    algorithm HMAC-MD5;
    secret "1Yjjw072uaYWq1eehnA/xtbXOB6Ul3Q/5FFv9//2I4UUm6yscXIFuDp8 nmRQ2QFRfrsU+R1R2zIpJjZ4pFJOrw==";
};
[...]
zone "foo22.bar44.com." {
    [...]
    allow-update { key foo22.bar44.com.; };
    [...]
};
[...]
- secret = the value from Kfoo22.bar44.com.+157+06098.key (pub-key)
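As an added example (not code from the original page): a small Python script that turns the .key file dnssec-keygen writes into the key {} stanza above, re-joining the base64 secret that the tool wraps across whitespace and checking that it really decodes to the 512 bits requested with -b 512. The file layout (owner IN KEY flags protocol algorithm base64...) is the standard KEY record presentation format; the sample file contents, the flags value and the algorithm numbers other than 157 are assumptions.

```python
import base64

# Algorithm numbers dnssec-keygen puts in the K<name>+<alg>+<id>.key name and
# in the KEY record; 157 (HMAC-MD5) is the one this page uses, the SHA ones
# are BIND's private-use numbers for its other TSIG algorithms (assumed here).
ALGORITHMS = {157: "HMAC-MD5", 161: "HMAC-SHA1", 163: "HMAC-SHA256", 165: "HMAC-SHA512"}

# Constructed sample of Kfoo22.bar44.com.+157+06098.key. The secret is the one
# shown on this page, wrapped across whitespace exactly as the page shows it.
SAMPLE_KEY_FILE = (
    "foo22.bar44.com. IN KEY 0 3 157 "
    "1Yjjw072uaYWq1eehnA/xtbXOB6Ul3Q/5FFv9//2I4UUm6yscXIFuDp8 "
    "nmRQ2QFRfrsU+R1R2zIpJjZ4pFJOrw==\n"
)


def parse_key_file(text, expected_bits=512):
    """Return (owner, algorithm name, joined base64 secret) from a .key file.

    Raises ValueError when the record is not a KEY record, names an algorithm
    we do not know, or the secret does not decode to expected_bits (the -b
    value given to dnssec-keygen, 512 on this page).
    """
    fields = text.split()
    if len(fields) < 7 or fields[1:3] != ["IN", "KEY"]:
        raise ValueError("expected '<owner> IN KEY <flags> <proto> <alg> <base64...>'")
    owner, algnum = fields[0], int(fields[5])
    if algnum not in ALGORITHMS:
        raise ValueError(f"unknown TSIG algorithm number {algnum}")
    secret = "".join(fields[6:])  # re-join the wrapped base64 into one string
    raw = base64.b64decode(secret, validate=True)  # binascii.Error is a ValueError
    if len(raw) * 8 != expected_bits:
        raise ValueError(f"secret is {len(raw) * 8} bits, expected {expected_bits}")
    return owner, ALGORITHMS[algnum], secret


def key_stanza(owner, algorithm, secret):
    """Render the named.conf key {} block; the owner keeps its trailing dot."""
    return (
        f"key {owner} {{\n"
        f"    algorithm {algorithm};\n"
        f'    secret "{secret}";\n'
        "};\n"
    )


if __name__ == "__main__":
    print(key_stanza(*parse_key_file(SAMPLE_KEY_FILE)))
```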
complete named.conf
controls {
    unix "/var/run/bind/named.ctl" perm 0600 owner <BIND-UID> group <BIND-GID>
        keys { "rndc-key"; };
};

// key for zone foo22.bar44.com
key foo22.bar44.com. {
    algorithm HMAC-MD5;
    secret "1Yjjw072uaYWq1eehnA/xtbXOB6Ul3Q/5FFv9//2I4UUm6yscXIFuDp8 nmRQ2QFRfrsU+R1R2zIpJjZ4pFJOrw==";
};

// i have an acl defining the openNIC root-servers
// these servers are responsible for domains like:
// .null, .geek, .indy, ...
// this is because i will not use openNIC root servers for general root-servers
// only forward-only zones will redirect the requests to these roots
// but you will have to add new zones for every new top-level domain
// openNIC will serve...
acl "openNICroots" {
    82.229.244.191;
    88.191.51.140;
    216.67.98.38;
    216.87.84.209;
    71.170.11.156;
    58.6.115.42;
    58.6.115.43;
};

options {
    pid-file "/var/run/bind/run/named.pid";
    directory "/var/cache/bind";
    statistics-file "/var/log/named.stats";
    dump-file "/var/log/named.dump";
    zone-statistics yes;

    /*
    // comment in if you run official zones only!!!!
    blackhole { 10/8; 172.16/12; 192.168/16; };
    */

    auth-nxdomain no;
    allow-query { none; };
    allow-transfer {
        127.0.0.1;
        62.116.129.129;    // ns9.schlundtech.de
        62.116.163.100;    // ns10.schlundtech.de
        62.116.162.121;    // ns10.schlundtech.de
    };

    max-transfer-time-in 10;
    max-transfer-idle-in 5;
    max-transfer-time-out 10;
    max-transfer-idle-out 5;
    serial-query-rate 20;
    transfer-format many-answers;
    transfers-in 80;
    transfers-out 80;
    transfers-per-ns 30;
    tcp-clients 200;
    max-cache-size unlimited;
    cleaning-interval 60;
    lame-ttl 1200;
    version "Herr 2.7";
};

// MY Zones here...
zone "huetzelgruetzel.com" {
    [....]
    also-notify {
        // notify my slaves explicitly!
        11.12.13.14;
        11.12.13.15;
    };
};

// openNIC zones
// sadly my ACL openNICroots is not usable in
// 'forwarders {};' definition!!! :-(
zone "geek" {
    type forward;
    forward only;
    forwarders { 82.229.244.191; 88.191.51.140; 216.67.98.38; 216.87.84.209; 71.170.11.156; 58.6.115.42; 58.6.115.43; };
};

zone "glue" {
    type forward;
    forward only;
    forwarders {
        //"openNICroots";
        82.229.244.191; 88.191.51.140; 216.67.98.38; 216.87.84.209; 71.170.11.156; 58.6.115.42; 58.6.115.43;
    };
};

zone "indy" {
    type forward;
    forward only;
    forwarders { 82.229.244.191; 88.191.51.140; 216.67.98.38; 216.87.84.209; 71.170.11.156; 58.6.115.42; 58.6.115.43; };
};

zone "null" {
    type forward;
    forward only;
    forwarders { 82.229.244.191; 88.191.51.140; 216.67.98.38; 216.87.84.209; 71.170.11.156; 58.6.115.42; 58.6.115.43; };
};

zone "oss" {
    type forward;
    forward only;
    forwarders { 82.229.244.191; 88.191.51.140; 216.67.98.38; 216.87.84.209; 71.170.11.156; 58.6.115.42; 58.6.115.43; };
};

zone "parody" {
    type forward;
    forward only;
    forwarders { 82.229.244.191; 88.191.51.140; 216.67.98.38; 216.87.84.209; 71.170.11.156; 58.6.115.42; 58.6.115.43; };
};

zone "ing" {
    type forward;
    forward only;
    forwarders { 82.229.244.191; 88.191.51.140; 216.67.98.38; 216.87.84.209; 71.170.11.156; 58.6.115.42; 58.6.115.43; };
};

zone "bbs" {
    type forward;
    forward only;
    forwarders { 82.229.244.191; 88.191.51.140; 216.67.98.38; 216.87.84.209; 71.170.11.156; 58.6.115.42; 58.6.115.43; };
};

zone "fur" {
    type forward;
    forward only;
    forwarders { 82.229.244.191; 88.191.51.140; 216.67.98.38; 216.87.84.209; 71.170.11.156; 58.6.115.42; 58.6.115.43; };
};

zone "free" {
    type forward;
    forward only;
    forwarders { 82.229.244.191; 88.191.51.140; 216.67.98.38; 216.87.84.209; 71.170.11.156; 58.6.115.42; 58.6.115.43; };
};