Download the current root keys:
dig . DNSKEY | egrep -v '^($|;)' > root.keys
Query the nameserver (+sigchase only exists in dig builds with signature chasing compiled in):
dig +sigchase +trusted-key=./root.keys www.isc.org A @127.0.0.1
dig org. SOA +dnssec
→ flags: ad (the answer carries the "authenticated data" flag)
dig test.dnssec-or-not.net TXT @localhost
→ "Yes, you are using DNSSEC"
Debian:
cd /var/cache/bind
mkdir keys
chown bind keys
CentOS:
cd /var/named
mkdir keys
chown named keys
Generate the key-signing key (KSK) (larger key and the KSK flag):
dnssec-keygen -a RSASHA256 -b 2560 -n ZONE -K keys/ -f KSK example.com
ls keys/Kexample.com.*
→ note the key ID number of the KSK (the 5-digit number in the file name)
Generate the zone-signing key (ZSK):
dnssec-keygen -a RSASHA256 -b 2048 -n ZONE -K keys/ example.com
ls keys/Kexample.com.*
less keys/Kexample.com.*.key
→ note the key ID number of the ZSK (the 5-digit number in the file name)
Fix the ownership of the key files:
chown bind keys/*
Add the public keys to the zone (008 is the algorithm number of RSASHA256):
cat keys/Kexample.com.+008+*.key >> master/example.com
Generate the signed zone file (signatures are valid for 30 days by default); set KSK_ID and ZSK_ID to the key IDs noted above:
dnssec-signzone -o example.com -k keys/Kexample.com.+008+${KSK_ID}.private master/example.com keys/Kexample.com.+008+${ZSK_ID}.private
less master/example.com.signed
zone "example.com" { … file "master/example.com.signed"; … };
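As an added example (not part of the original page), a small Python helper that derives the 5-digit key ID noted above from the DNSKEY line of a .key file using the RFC 4034 key tag algorithm, tells KSK from ZSK by the SEP flag, and reconstructs the Kexample.com.+008+NNNNN file stem that the dnssec-signzone call expects. The DNSKEY line at the bottom is a constructed sample, not a real key.

```python
import base64
import struct

ALGORITHM_NAMES = {8: "RSASHA256", 10: "RSASHA512", 13: "ECDSAP256SHA256"}


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag, computed over the DNSKEY RDATA
    (flags, protocol, algorithm, public key) as a 16-bit ones-complement-style sum."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8      # even bytes are the high octet, odd the low
    ac += (ac >> 16) & 0xFFFF             # fold the carry back in
    return ac & 0xFFFF


def parse_dnskey(line: str) -> dict:
    """Parse one DNSKEY record as dnssec-keygen writes it into the .key file.
    An optional TTL and class are tolerated, e.g. 'example.com. IN DNSKEY 257 3 8 AwEA...'."""
    tokens = line.split()
    idx = tokens.index("DNSKEY")
    owner = tokens[0]
    flags, protocol, algorithm = (int(t) for t in tokens[idx + 1: idx + 4])
    pubkey = base64.b64decode("".join(tokens[idx + 4:]))   # key may be split by whitespace
    tag = key_tag(flags, protocol, algorithm, pubkey)
    role = "KSK" if flags & 1 else "ZSK"  # bit 15 (SEP) is set on key-signing keys: 257 vs 256
    return {
        "owner": owner,
        "flags": flags,
        "algorithm": ALGORITHM_NAMES.get(algorithm, str(algorithm)),
        "key_tag": tag,
        "role": role,
        # dnssec-keygen names its files K<owner>+<3-digit algorithm>+<5-digit key tag>
        "file_stem": f"K{owner}+{algorithm:03d}+{tag:05d}",
    }


def describe_key_file(text: str) -> list:
    """Return the parsed DNSKEY records of a .key file, skipping ';' comment lines."""
    return [parse_dnskey(l) for l in text.splitlines() if l.strip() and not l.startswith(";")]


if __name__ == "__main__":
    # Constructed sample .key file content (a 4-byte dummy public key, not a real key).
    sample = "; This is a key-signing key, keyid 2579, for example.com.\n" \
             "example.com. IN DNSKEY 257 3 8 AQMFBw==\n"
    for info in describe_key_file(sample):
        print(f"{info['role']} {info['algorithm']} tag={info['key_tag']} -> {info['file_stem']}.private")
```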
Todo:
Debian:
cd /var/lib/named
CentOS:
cd /var/named
setenforce Permissive
mkdir keys
chown named keys master
Generate the zone-signing key (the zone name must be the last argument):
dnssec-keygen -a RSASHA512 -b 1536 -n ZONE -K keys example.com
ls keys/Kexample.com.*
less keys/Kexample.com.*.key
Generate the key-signing key:
dnssec-keygen -a RSASHA256 -b 4096 -f KSK -n ZONE -K keys example.com
ls keys/Kexample.com.*
Sign the zone:
rndc sign
dig dnskey @127.0.0.1 test +short
dig rrsig @127.0.0.1 test +short
zone "linuxhotel.de" {
    type master;
    file "master/linuxhotel.de";
    key-directory "keys";
    inline-signing yes;
    auto-dnssec maintain;
};
rndc reconfig
rndc sign linuxhotel.de
ls -Rlrt /var/cache/bind
rndc sync linuxhotel.de
named-compilezone -f RAW -o - linuxhotel.de linuxhotel.de.signed | less