BIND 9.7.2 and validating domains using DNSSEC

Jan Kasprzak kas at fi.muni.cz
Fri Jan 14 16:03:31 CET 2011


Zdenek Janis wrote:
: Hello,
: I have spent the whole day reading the internet and trying various BIND (9.7.2)
: configurations so that it validates queries for domains via DNSSEC. Most guides
: are from the time when the root was not yet signed. A few times it seemed to be
: working, but after a few minutes (cache, perhaps?!) it stopped resolving entirely.

	Which distribution? Fedora 14, for example, has everything already
prepared and working in its configuration. I'll try to copy out the working parts:

============== /etc/named.conf ==================

[...]
options {
[...]
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

include "/etc/named.root.key";
[...]

============== /etc/named.root.key ==============
managed-keys {
	# DNSKEY for the root zone.
	# Updates are published on root-dnssec-announce at icann.org
	. initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=";
};

============= /etc/named.iscdlv.key =============
/* $Id: bind.keys,v 1.5.42.1 2010/06/20 07:32:24 marka Exp $ */
managed-keys {
        # NOTE: This key is current as of October 2009.
        # If it fails to initialize correctly, it may have expired;
        # see https://www.isc.org/solutions/dlv for a replacement.
	dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
};

# ls -ld /var/named/dynamic
drwxrwx---. 2 named named 4096 Nov 16 12:58 /var/named/dynamic

	I assume ISC DLV is needed only for zones that
have a key in ISC DLV but not yet in the root zone.

-Y.

-- 
| Jan "Yenya" Kasprzak  <kas at {fi.muni.cz - work | yenya.net - private}> |
| GPG: ID 1024/D3498839      Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/    Journal: http://www.fi.muni.cz/~kas/blog/ |
Please don't top post and in particular don't attach entire digests to your
mail or we'll all soon be using bittorrent to read the list.     --Alan Cox
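
An added example (not part of the original message or of BIND): a Python check that parses `managed-keys` entries like the ones quoted above and computes each trust anchor's RFC 4034 key tag and RSA modulus size, so the root anchor can be compared against the key tag published for the 2010 root KSK (19036, a value not stated in the message). The function names are illustrative, and the key string is re-wrapped across lines for readability.

```python
import base64
import re

# /etc/named.root.key entry as quoted in the message above; the key string is
# re-wrapped across lines here, which the parser tolerates.
NAMED_ROOT_KEY = """
managed-keys {
    . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
        FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
        bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
        X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
        W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
        Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
        QxA+Uk1ihz0=";
};
"""

# <zone> initial-key <flags> <protocol> <algorithm> "<base64 public key>"
ENTRY_RE = re.compile(r'(\S+)\s+initial-key\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]+)"')
RSA_ALGORITHMS = (5, 7, 8, 10)  # RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, as defined in RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def rsa_modulus_bits(key: bytes) -> int:
    """Modulus size of an RFC 3110 RSA key: exponent length, exponent, modulus."""
    if key[0] != 0:
        exp_len, offset = key[0], 1
    else:  # a zero first byte means a two-byte exponent length follows
        exp_len, offset = int.from_bytes(key[1:3], "big"), 3
    return int.from_bytes(key[offset + exp_len:], "big").bit_length()

def audit_managed_keys(conf: str) -> list:
    """Return one summary dict per initial-key entry found in the config text."""
    anchors = []
    for zone, flags, proto, alg, b64 in ENTRY_RE.findall(conf):
        flags, proto, alg = int(flags), int(proto), int(alg)
        key = base64.b64decode("".join(b64.split()), validate=True)
        rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + key
        anchors.append({"zone": zone, "algorithm": alg,
                        "sep": bool(flags & 0x0001),  # SEP bit marks a key-signing key
                        "key_tag": key_tag(rdata),
                        "rsa_bits": rsa_modulus_bits(key) if alg in RSA_ALGORITHMS else None})
    return anchors

if __name__ == "__main__":
    for anchor in audit_managed_keys(NAMED_ROOT_KEY):
        print(anchor)
```

A key tag is only a 16-bit checksum, so a match identifies which key is configured; it does not replace obtaining the key over a trusted channel.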


