DNSSEC with BIND 9.14

named.conf


options {
  .....
  dnssec-validation auto;
  dnssec-enable yes;
  key-directory "/usr/local/etc/namedb/key";
};

Adjust the zone definition:


zone "example.ch" {
  type master;
  file "/usr/local/etc/namedb/master/example.ch";
  allow-query { any; };
  allow-transfer { slaves; };
  notify yes;
  update-policy local;
  auto-dnssec maintain;
  dnssec-secure-to-insecure yes;
  inline-signing yes;
};

Create keys


mkdir /usr/local/etc/namedb/key
cd /usr/local/etc/namedb/key
# One algorithm per key pair (the original gave -a twice; ECDSAP256SHA256 has a fixed key size,
# so -b is not needed; for RSA use: -a RSASHA256 -b 2048)
dnssec-keygen -a ECDSAP256SHA256 example.ch          # ZSK
dnssec-keygen -a ECDSAP256SHA256 -f KSK example.ch   # KSK (Secure Entry Point flag set)
chown -R bind:bind /usr/local/etc/namedb/key
rndc loadkeys example.ch   # make named pick up the new keys from key-directory
# NSEC3: hash algorithm 1 (SHA-1), flags 0 (no opt-out), 10 extra iterations, random 4-byte salt
rndc signing -nsec3param 1 0 10 $(od -Anone -tx4 -N4 /dev/urandom) example.ch
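To see what the `-nsec3param 1 0 10 <salt>` arguments above actually do (hash algorithm 1 is SHA-1, flags 0, 10 extra iterations, a 4-byte random salt), here is an added Python example, not part of the original page, that computes the NSEC3 owner-name hash as defined in RFC 5155 and is checked against the RFC 5155 Appendix A test vector (salt `aabbccdd`, 12 iterations); the zone name and salt handling below are the example's own assumptions.

```python
import hashlib
import base64

# Base32 (RFC 4648) -> Base32hex ("extended hex"), the alphabet NSEC3 owner names use
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire-format encoding of a domain name, root label included."""
    name = name.lower().rstrip(".")
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label length in {name!r}")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int, algorithm: int = 1) -> str:
    """RFC 5155 section 5: H(x) = SHA-1(x || salt), applied iterations + 1 times."""
    if algorithm != 1:
        raise ValueError("NSEC3 defines only hash algorithm 1 (SHA-1)")
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)  # "-" means empty salt
    if len(salt) > 255:
        raise ValueError("salt is at most 255 octets")
    digest = name_to_wire(name)
    for _ in range(iterations + 1):  # each iteration costs one SHA-1 on both signer and validator
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes -> exactly 32 Base32hex characters, so no padding appears
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def nsec3_owner(name: str, zone: str, salt_hex: str, iterations: int) -> str:
    """Owner name of the NSEC3 record covering `name` inside `zone`."""
    return f"{nsec3_hash(name, salt_hex, iterations)}.{zone.rstrip('.')}."


if __name__ == "__main__":
    # Constructed salt: the same shape as the 4 bytes `od -tx4 -N4 /dev/urandom` yields above
    print(nsec3_owner("www.example.ch", "example.ch", "0123abcd", 10))
```

Because the salt is part of every hash, `rndc signing -nsec3param` with a new salt forces every NSEC3 owner name in the zone to be recomputed and re-signed.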

Show keys


rndc signing -list example.ch # Show signing status
Done signing with key 65481/NSEC3RSASHA1
Done signing with key 58725/ECDSAP256SHA256

Changing a zone


rndc freeze example.ch   # suspend dynamic updates and flush the journal so the file can be edited
edit /usr/local/etc/namedb/master/example.ch
rndc thaw example.ch     # reload the edited zone; inline-signing re-signs it automatically