tachtler:dns_isc_bind_centos_7

Differences

This page shows the differences between two versions of the page.

tachtler:dns_isc_bind_centos_7 [2018/12/23 07:25] – [/etc/named.conf] klaus
tachtler:dns_isc_bind_centos_7 [2019/10/29 05:48] – [Useful commands] klaus
Zeile 676: Zeile 676:
 :!: **HINWEIS** - **Ein optimiertes Vorgehen, soll nachfolgend dargestellt werden!** :!: **HINWEIS** - **Ein optimiertes Vorgehen, soll nachfolgend dargestellt werden!**
  
-==== /etc/myrndc.key ====+==== /etc/rndc.key ====
  
 nach der Installation des DNS-Servers ist eine Datei mit einem Schlüssel unter nach der Installation des DNS-Servers ist eine Datei mit einem Schlüssel unter
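Review bot: the heading now names /etc/rndc.key, which the context line directly below describes as a key file that already exists after the DNS server is installed; the later rndc-confgen -a -c /etc/rndc.key step therefore replaces the distribution-generated key rather than creating a second file next to it. The text should say so explicitly (and point out that any rndc.conf or controls statement still referencing the old key must be updated at the same time), otherwise a reader may expect both files to coexist.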
Zeile 693: Zeile 693:
 </code> </code>
  
-Um die Sicherheit zu erhöhen, sollte ein eigener Schlüssel, welcher in der Datei ''/etc/myrndc.key'' beinhaltet ist, erstellt werden, was mit nachfolgendem Befehl durchgeführt werden kann:+Um die Sicherheit zu erhöhen, sollte ein eigener Schlüssel, welcher in der Datei ''/etc/rndc.key'' beinhaltet ist, erstellt werden, was mit nachfolgendem Befehl durchgeführt werden kann:
 <code> <code>
-# rndc-confgen -a -b 512 -c /etc/myrndc.key -k rndc-key -r "keyboard" -u named+# rndc-confgen -a -b 512 -c /etc/rndc.key -k rndc-key -r "keyboard" -u named
 start typing: start typing:
 ............................... ...............................
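Review bot: the rndc-confgen call sets the key length with -b 512 but still gives no -A, so the algorithm falls back to rndc-confgen's default, which the generated file shown in the next hunk reveals as hmac-md5. Passing -A hmac-sha256 -b 256 (the -A option is available in the BIND 9 versions CentOS 7 ships) selects a SHA-2 HMAC for the control channel while the rest of the command stays as it is; for hmac-sha256 the key length is limited to 256 bits, hence the adjusted -b.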
Zeile 720: Zeile 720:
 ........................... ...........................
 stop typing. stop typing.
-wrote key file "/etc/myrndc.key"+wrote key file "/etc/rndc.key"
 </code> </code>
  
-Anschließend kann mit nachfolgendem Befehl überprüft werden, ob die Generierung einer neuen Datei mit dem Namen ''/etc/myrndc.key'' erfolgreich war:+Anschließend kann mit nachfolgendem Befehl überprüft werden, ob die Generierung einer neuen Datei mit dem Namen ''/etc/rndc.key'' erfolgreich war:
 <code ini> <code ini>
-# cat /etc/myrndc.key +# cat /etc/rndc.key 
-key "rndc-key" {+key "ns1.tachtler.net-key" {
  algorithm hmac-md5;  algorithm hmac-md5;
         secret "NvVzfoFWdyDHvca87zRuMu+x49VzfyaKDiDHvca87zkRe8YoEhzfoFWdyDHvca87zkRu9v5DQpEzfoFWdyDHvc==";         secret "NvVzfoFWdyDHvca87zRuMu+x49VzfyaKDiDHvca87zkRe8YoEhzfoFWdyDHvca87zkRu9v5DQpEzfoFWdyDHvc==";
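Review bot: the key name in the shown file, key "ns1.tachtler.net-key", does not match the -k rndc-key passed to rndc-confgen in the previous hunk, which would write key "rndc-key"; either the command needs -k ns1.tachtler.net-key or this cat output comes from a different run. The same name has to agree byte for byte with default-key in rndc.conf and with the keys list of the controls statement (both changed to "ns1.tachtler.net-key" later in this diff), otherwise rndc cannot authenticate to named.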
Zeile 734: Zeile 734:
 Abschließend sollten die **Besitz**recht noch einmal verschärft werden, was mit nachfolgendem Befehl durchgeführt werden kann: Abschließend sollten die **Besitz**recht noch einmal verschärft werden, was mit nachfolgendem Befehl durchgeführt werden kann:
 <code> <code>
-# chown root:named /etc/myrndc.key+# chown root:named /etc/rndc.key
 </code> </code>
  
 Ein Überprüfung, ob die **Besitz**rechte korrekt gesetzt wurden, kann mit nachfolgendem Befehl durchgeführt werden: Ein Überprüfung, ob die **Besitz**rechte korrekt gesetzt wurden, kann mit nachfolgendem Befehl durchgeführt werden:
 <code> <code>
-# ll /etc/myrndc.key +# ll /etc/rndc.key 
--rw-r----- 1 root named 153 Oct 17 13:06 /etc/myrndc.key+-rw-r----- 1 root named 153 Oct 17 13:06 /etc/rndc.key
 </code> </code>
  
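Review bot: chown root:named changes owner and group only; the 0640 mode (-rw-r-----) visible in the ll output is what actually lets the named group read the secret while denying every other user, and no command in the text sets that mode. An explicit chmod 640 /etc/rndc.key before the check makes the step reproducible regardless of the mode rndc-confgen left behind.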
Zeile 750: Zeile 750:
 Der Inhalt der Datei sollte, wie nachfolgend darstellt, aussehen: Der Inhalt der Datei sollte, wie nachfolgend darstellt, aussehen:
 <code ini> <code ini>
-include "/etc/myrndc.key";+include "/etc/rndc.key";
  
 options { options {
- default-key "rndc-key";+ default-key "ns1.tachtler.net-key";
  default-server 127.0.0.1;  default-server 127.0.0.1;
  default-port 953;  default-port 953;
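Review bot: default-key "ns1.tachtler.net-key" must equal the key name inside the included /etc/rndc.key exactly, quotes and case included, and the included file must be readable by the user running rndc (root:named 0640 as set in the previous hunks works for root). A short `rndc status` after editing rndc.conf confirms that key, default-server 127.0.0.1 and default-port 953 line up with the controls statement, and would be the natural verification step to add to this section.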
Zeile 938: Zeile 938:
 // ================================================================================ // ================================================================================
 acl primary { acl primary {
-        192.168.0.20/32;+ 192.168.0.20/32;
 }; };
  
 // Without unbound as resolver in front of bind // Without unbound as resolver in front of bind
 acl interfaces { acl interfaces {
-      192.168.0.20/32; + 192.168.0.20/32; 
-      192.168.1.20/32;+ 192.168.1.20/32;
 }; };
  
 // With unbound as resolver in front of bind // With unbound as resolver in front of bind
 //acl interfaces { //acl interfaces {
 +// 192.168.1.20/32;
 //}; //};
  
 acl pdmz { acl pdmz {
-        88.217.171.167/32;+ 88.217.171.167/32;
 }; };
  
 acl edmz { acl edmz {
-        192.168.1.0/24;+ 192.168.1.0/24;
 }; };
  
 acl idmz { acl idmz {
-        192.168.0.0/24;+ 192.168.0.0/24;
 }; };
  
 acl home { acl home {
-        192.168.2.0/24;+ 192.168.2.0/24;
 }; };
  
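Review bot: nearly every changed line in this acl block is a re-indentation (eight spaces collapsed to one), which hides the single substantive change, the commented-out `// 192.168.1.20/32;` added to the disabled "With unbound as resolver in front of bind" interfaces acl. Whitespace-only edits are better made in a separate revision so that reviewers of the access lists (pdmz carries a public /32, the others are RFC 1918 ranges) can see the intent of each change at a glance.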
Zeile 970: Zeile 971:
 // Keys. // Keys.
 // ================================================================================ // ================================================================================
-include "/etc/myrndc.key";+include "/etc/rndc.key";
  
 // ================================================================================ // ================================================================================
Zeile 977: Zeile 978:
 controls { controls {
         inet 127.0.0.1 port 953         inet 127.0.0.1 port 953
-                allow { 127.0.0.1; } keys { "rndc-key"; };+                allow { 127.0.0.1; } keys { "ns1.tachtler.net-key"; };
 }; };
  
Zeile 985: Zeile 986:
 logging { logging {
  
-        // Channels. -------------------------------------------------------------+ // Channels. -------------------------------------------------------------
  
-        // Default startup messages.+ // Default startup messages.
         channel default_debug {         channel default_debug {
                 file "data/named.run";                 file "data/named.run";
                 severity dynamic;                 severity dynamic;
-                print-category yes; + print-category yes; 
-                print-severity yes; + print-severity yes; 
-                print-time yes;+ print-time yes;
         };         };
-        // Approval and denial of requests. + // Approval and denial of requests. 
-        channel custom_security { + channel custom_security { 
-                file "data/named.security";+ file "data/named.security";
                 severity info;                 severity info;
-                print-category yes; + print-category yes; 
-                print-severity yes; + print-severity yes; 
-                print-time yes; + print-time yes; 
-        }; + }; 
-        // Lame servers. These are misconfigurations in remote servers, discovered + // Lame servers. These are misconfigurations in remote servers, discovered 
-        // by BIND 9 when trying to query those servers during resolution. + // by BIND 9 when trying to query those servers during resolution. 
-        channel custom_lame-servers { + channel custom_lame-servers { 
-                file "data/named.lame-servers";+ file "data/named.lame-servers";
                 severity info;                 severity info;
-                print-category yes; + print-category yes; 
-                print-severity yes; + print-severity yes; 
-                print-time yes; + print-time yes; 
-        };+ };
  
-        // Categories. -----------------------------------------------------------+ // Categories. -----------------------------------------------------------
  
-        category security { + category security { 
-                custom_security; + custom_security; 
-                default_syslog; + default_syslog; 
-                default_debug; + default_debug; 
-        }; + }; 
-        category lame-servers { + category lame-servers { 
-                custom_lame-servers ; + custom_lame-servers ; 
-                default_syslog; + default_syslog; 
-                default_debug; + default_debug; 
-        };+ };
 }; };
  
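Review bot: this logging hunk is whitespace-only as well (eight-space indent collapsed to one); the stray space in `custom_lame-servers ;` survives on both sides and could be cleaned up in the same pass. Worth noting for operations: neither custom_security nor custom_lame-servers carries a `versions`/`size` limit, so data/named.security and data/named.lame-servers grow without bound; since the security category is exactly where denied queries and refused transfers land, a rotation limit on that channel would avoid filling /var/named/data during a query flood.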
Zeile 1031: Zeile 1032:
 // ================================================================================ // ================================================================================
 options { options {
-        // The working directory of the server. + // The working directory of the server. 
-        directory "/var/named"; + directory "/var/named"; 
-        // The directory where the public and private DNSSEC key files should be + // The directory where the public and private DNSSEC key files should be 
-        // found. + // found. 
-        key-directory "/var/named"; + key-directory "/var/named"; 
-        // The directory which to store the files that track managed DNSSEC keys. + // The directory which to store the files that track managed DNSSEC keys. 
-        managed-keys-directory "/var/named/dynamic"; + managed-keys-directory "/var/named/dynamic"; 
-        // The pathname of the file the server dumps the database to when + // The pathname of the file the server dumps the database to when 
-        // instructed. + // instructed. 
-        dump-file "/var/named/data/cache_dump.db"; + dump-file "/var/named/data/cache_dump.db"; 
-        // The pathname of the file the server writes memory usage statistics to + // The pathname of the file the server writes memory usage statistics to 
-        // on exit. + // on exit. 
-        memstatistics-file "/var/named/data/named_mem_stats.txt"; + memstatistics-file "/var/named/data/named_mem_stats.txt"; 
-        // The pathname of the file the server dumps the queries that are currently + // The pathname of the file the server writes its process ID in. 
-        // recursing when instructed to do so with rndc recursing. + pid-file "/run/named/named.pid"; 
-        recursing-file  "/var/named/data/named.recursing"; + // The pathname of the file the server dumps the queries that are currently  
-        // The pathname of the file the server dumps security roots to when + // recursing when instructed. 
-        // instructed to do so with rndc secroots + recursing-file "/var/named/data/named_recursing.db"; 
-        secroots-file   "/var/named/data/named.secroots";         + // The pathname of the file the server dumps security roots to when 
-        // The pathname of the file the server writes its process ID in. + // instructed to do so with rndc secroots 
-        pid-file "/run/named/named.pid"; + statistics-file "/var/named/data/named_stats.txt"; 
-        // The pathname of the file the server dumps the queries that are currently + // The pathname of a file to override the built-in trusted keys provided 
-        // recursing when instructed + // by named. Path to ISC DLV key. 
-        recursing-file "/var/named/data/named_recursing.db"; + bindkeys-file "/etc/named.root.key"; 
-        // The pathname of the file the server appends statistics to when + // The pathname of the file the server dumps security roots to when 
-        // instructed. + // instructed. 
-        statistics-file "/var/named/data/named_stats.txt"; + secroots-file "/var/named/data/named_secroots.db"; 
-        // The pathname of a file to override the built-in trusted keys provided + // The pathname of the file into which to write a TSIG session key 
-        // by named. Path to ISC DLV key. + // generated by named for use by nsupdate -l. 
-        bindkeys-file "/etc/named.iscdlv.key"; + session-keyfile "/run/named/session.key";
-        // The pathname of the file the server dumps security roots to when +
-        // instructed. +
-        secroots-file "/var/named/data/named_secroots.db"; +
-        // The pathname of the file into which to write a TSIG session key +
-        // generated by named for use by nsupdate -l. +
-        session-keyfile "/run/named/session.key";+
  
-        // ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // Boolean options. + // Boolean options. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ 
  
-        // If yes, then when generating responses the server will only add records + // If yes, then when generating responses the server will only add records  
-        // to the authority and additional data sections when they are required. + // to the authority and additional data sections when they are required. 
-        minimal-responses no; + // Tachtler - default: minimal-responses no; 
-        // If yes, and a DNS query requests recursion, then the server will attempt + minimal-responses no; 
-        // to do all the work required to answer the query. If recursion is off and + // If yes, and a DNS query requests recursion, then the server will attempt 
-        // the server does not already know the answer, it will return a referral + // to do all the work required to answer the query. If recursion is off and 
-        // response. The default is yes. Note that setting recursion no does not + // the server does not already know the answer, it will return a referral  
-        // prevent clients from getting data from the serverâs cache; it only + // response. The default is yes. Note that setting recursion no does not  
-        // prevents new data from being cached as an effect of client queries. + // prevent clients from getting data from the server’s cache; it only  
-        /* + // prevents new data from being cached as an effect of client queries. 
-         - If your recursive DNS server has a public IP address, you MUST enable + /*  
-           access control to limit queries to your legitimate users. Failing to do +  - If your recursive DNS server has a public IP address, you MUST enable 
-           so will cause your server to become part of large scale DNS +    access control to limit queries to your legitimate users. Failing to do 
-           amplification attacks. Implementing BCP38 within your network would +    so will cause your server to become part of large scale DNS 
-           greatly reduce such attack surface . +    amplification attacks. Implementing BCP38 within your network would 
-        */ +    greatly reduce such attack surface . 
-        // IMPORTANT: Use of access control: allow-recursion is required! + */ 
-        recursion yes;+ // IMPORTANT: Use of access control: allow-recursion is required! 
 + recursion yes;
  
-        // DNSSEC. ---------------------------------------------------------------+ // DNSSEC. ---------------------------------------------------------------
  
-        // Enable DNSSEC support in named. + // Enable DNSSEC support in named. 
-        dnssec-enable yes; + dnssec-enable yes; 
-        // Enable DNSSEC validation in named and compare to root-certs (auto). + // Enable DNSSEC validation in named and compare to root-certs (auto). 
-        // yes: DNSSEC validation is enabled, but a trust anchor must be manually+ // yes: DNSSEC validation is enabled, but a trust anchor must be manually
         // configured. No validation will actually take place until you have          // configured. No validation will actually take place until you have 
         // manually configured at least one trusted key. This is the default.         // manually configured at least one trusted key. This is the default.
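Review bot: in the new options block the comment above statistics-file ("dumps security roots to when instructed to do so with rndc secroots") belongs to secroots-file, and the original statistics-file comment ("appends statistics to when instructed") was lost in the reshuffle; likewise the bindkeys-file comment still reads "Path to ISC DLV key" although the value is now /etc/named.root.key. Dropping the duplicated recursing-file and secroots-file entries of the old block is correct, since named-checkconf flags a second definition of the same option as a redefinition.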
Zeile 1103: Zeile 1099:
         // auto: DNSSEC validation is enabled, and a default trust anchor          // auto: DNSSEC validation is enabled, and a default trust anchor 
         // (included as part of BIND) for the DNS root zone is used.         // (included as part of BIND) for the DNS root zone is used.
-        dnssec-validation auto; + // Tachtler - DISABLED - 
-        // When set, dnssec-lookaside provides the validator with an alternate + // dnssec-validation auto; 
-        // method to validate DNSKEY records at the top of a zone. + dnssec-validation yes; 
-        // If dnssec-lookaside is set to auto, then built-in default values for the + // When set, dnssec-lookaside provides the validator with an alternate 
-        // DLV domain and trust anchor will be used, along with a built-in key for + // method to validate DNSKEY records at the top of a zone. 
-        // validation. + // If dnssec-lookaside is set to auto, then built-in default values for the 
-        dnssec-lookaside auto; + // DLV domain and trust anchor will be used, along with a built-in key for 
- + // validation. 
-        // Checks. ---------------------------------------------------------------+ // Tachtler - DEPRECATED - Service was shutdown. 
 + //dnssec-lookaside auto;
  
-        // This option is used to restrict the character set and syntax of certain + // Checks. ---------------------------------------------------------------
-        // domain names in master files and/or DNS responses received from the +
-        // network. +
-        // Tachtler Warn only, if names not correct, like DKIM for e-mail. +
-        check-names master warn;+
  
-        // ------------------------------------------------------------------------ + // This option is used to restrict the character set and syntax of certain 
-        // Forwarding. + // domain names in master files and/or DNS responses received from the  
-        // ------------------------------------------------------------------------+ // network. 
 + // Tachtler - Warn only, if names not correct, like DKIM for e-mail. 
 + check-names master warn; 
 +  
 + // ------------------------------------------------------------------------  
 + // Forwarding. 
 + // ------------------------------------------------------------------------ 
  
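Review bot: switching from `dnssec-validation auto` to `dnssec-validation yes` changes the trust model; as the retained comment a few lines above states, `yes` performs no validation until a trust anchor has been configured manually with trusted-keys or managed-keys, and the bindkeys-file changed in the previous hunk is only consulted in auto mode. Unless such a trust-anchor statement exists elsewhere in named.conf, this revision silently turns validation off, so either keep auto or show the managed-keys statement in the same change. Removing dnssec-lookaside is correct, as the ISC DLV registry has been shut down.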
         /* Tachtler - DISABLED -         /* Tachtler - DISABLED -
Zeile 1131: Zeile 1130:
          * forward first;          * forward first;
          * // DNS-Server which will asked when local answers not found.          * // DNS-Server which will asked when local answers not found.
-         * forwarders { none; };+         * forwarders { 212.18.3.5; 212.18.0.5; };
          */          */
  
-        // ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // Dual-stack servers. + // Dual-stack servers. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ 
  
-        // - empty -+ // - empty - 
  
-        // ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // Access control. + // Access control. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ 
  
-        // Specifies which hosts are allowed to notify this server, a slave, of + // Specifies which hosts are allowed to notify this server, a slave, of 
-        // zone changes in addition to the zone masters. + // zone changes in addition to the zone masters. 
-        allow-notify { 127.0.0.1; }; + allow-notify { 127.0.0.1; }; 
-        // Specifies which hosts are allowed to ask ordinary DNS questions. + // Specifies which hosts are allowed to ask ordinary DNS questions. 
-        allow-query { 127.0.0.1; edmz; idmz; home; }; + allow-query { 127.0.0.1; tdmz; edmz; idmz; home; }; 
-        // Specifies which hosts are allowed to make recursive queries through this + // Specifies which hosts are allowed to make recursive queries through this 
-        // server. + // server. 
-        allow-recursion { 127.0.0.1; edmz; idmz; home; }; + allow-recursion { 127.0.0.1; tdmz; edmz; idmz; home; }; 
-        // Specifies which hosts are allowed to receive zone transfers from the + // Specifies which hosts are allowed to receive zone transfers from the 
-        // server. + // server. 
-        allow-transfer { 127.0.0.1; primary; }; + allow-transfer { 127.0.0.1; primary; }; 
-        // Specifies a list of addresses that the server will not accept queries + // Specifies a list of addresses that the server will not accept queries 
-        // from or use to resolve a query. Queries from these addresses will not + // from or use to resolve a query. Queries from these addresses will not  
-        // be responded to. + // be responded to. 
-        blackhole { none; };+ blackhole { none; };
  
-        // ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // Interfaces. + // Interfaces. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ 
  
-        // The interfaces and ports that the server will answer queries from may + // The interfaces and ports that the server will answer queries from may 
-        // be specified using the listen-on option. + // be specified using the listen-on option. 
-        listen-on port 53 { 127.0.0.1; interfaces; };+ listen-on port 53 { 127.0.0.1; interfaces; };
  
-        // ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // Query address. + // Query address. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ 
  
-        // If the server doesnât know the answer to a question, it will query other + // If the server doesn’t know the answer to a question, it will query other 
-        // name servers. query-source specifies the address and port used for such + // name servers. query-source specifies the address and port used for such 
-        // queries. + // queries. 
-        /* + /* 
-         * If there is a firewall between you and nameservers you want +  * If there is a firewall between you and nameservers you want 
-         * to talk to, you might need to use the query-source directive. +  * to talk to, you might need to use the query-source directive. 
-        */ + */ 
-        query-source address * port *;+ query-source address * port *;
  
-        // ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // Zone transfer. + // Zone transfer. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ 
  
-        // - empty -+ // - empty - 
  
-        // ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // UDP port lists. + // UDP port lists. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ 
  
-        // - empty -+ // - empty - 
  
-        // ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // OS resource limits. + // OS resource limits. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ 
  
-        // The maximum size of a core dump. + // The maximum size of a core dump.  
-        coresize default; + coresize default; 
-        // The maximum amount of data memory the server may use. + // The maximum amount of data memory the server may use. 
-        datasize default; + datasize default; 
-        // The maximum number of files the server may have open concurrently. + // The maximum number of files the server may have open concurrently.  
-        files unlimited; + files unlimited; 
-        // The maximum amount of stack memory the server may use. + // The maximum amount of stack memory the server may use.  
-        stacksize default;+ stacksize default;
  
-        // ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // Server resource limits. + // Server resource limits. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ 
  
-        // Sets a maximum size for each journal file. + // Sets a maximum size for each journal file.  
-        // The default is unlimited, which also means 2 gigabytes. + // The default is unlimited, which also means 2 gigabytes. 
-        max-journal-size unlimited; + max-journal-size unlimited; 
-        // he maximum number of simultaneous recursive lookups the server will + // he maximum number of simultaneous recursive lookups the server will  
-        // perform on behalf of clients. The default is 1000. + // perform on behalf of clients. The default is 1000. 
-        recursive-clients 1000; + recursive-clients 1000; 
-        // The maximum number of simultaneous client TCP connections that the + // The maximum number of simultaneous client TCP connections that the 
-        // server will accept. The default is 100. + // server will accept. The default is 100. 
-        tcp-clients 100; + tcp-clients 100; 
-        // The maximum amount of memory to use for the serverâs cache, in bytes. + // The maximum amount of memory to use for the server’s cache, in bytes. 
-        // A value of 0 is special, meaning that records are purged from the cache + // A value of 0 is special, meaning that records are purged from the cache 
-        // only when their TTLs expire. Another special keyword unlimited means + // only when their TTLs expire. Another special keyword unlimited means 
-        // the maximum value of 32-bit unsigned integers (0xffffffff), which may + // the maximum value of 32-bit unsigned integers (0xffffffff), which may  
-        // not have the same effect as 0 on machines that support more than 32 bits + // not have the same effect as 0 on machines that support more than 32 bits 
-        // of memory space. Any positive values less than 2MB will be ignored reset + // of memory space. Any positive values less than 2MB will be ignored reset 
-        // to 2MB. In a server with multiple views, the limit applies separately to + // to 2MB. In a server with multiple views, the limit applies separately to 
-        // the cache of each view. The default is 0. + // the cache of each view. The default is 0. 
-        max-cache-size 0; + max-cache-size 0; 
-        // The listen queue depth. The default and minimum is 10. If the kernel + // The listen queue depth. The default and minimum is 10. If the kernel 
-        // supports the accept filter connections that will be queued in kernel + // supports the accept filter connections that will be queued in kernel 
-        // space waiting for some data before being passed to accept. Nonzero + // space waiting for some data before being passed to accept. Nonzero 
-        // values less than 10 will be silently raised. A value of 0 may also be + // values less than 10 will be silently raised. A value of 0 may also be 
-        // used; on most platforms this sets the listen queue length to a + // used; on most platforms this sets the listen queue length to a 
-        // system-defined default value. + // system-defined default value. 
-        tcp-listen-queue 10;+ tcp-listen-queue 10;
  
-        // ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // Periodic task intervals. + // Periodic task intervals. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ 
  
-        // The server will scan the network interface list every interface-interval + // The server will scan the network interface list every interface-interval 
-        // minutes. The default is 60 minutes. The maximum value is 28 days + // minutes. The default is 60 minutes. The maximum value is 28 days  
-        // (40320 minutes). If set to 0, interface scanning will only occur when + // (40320 minutes). If set to 0, interface scanning will only occur when 
-        // the configuration file is loaded. After the scan, the server will begin + // the configuration file is loaded. After the scan, the server will begin 
-        // listening for queries on any newly discovered interfaces (provided they + // listening for queries on any newly discovered interfaces (provided they 
-        // are allowed by the listen-on configuration), and will stop listening on + // are allowed by the listen-on configuration), and will stop listening on 
-        // interfaces that have gone away. + // interfaces that have gone away. 
-        // Tachtler - NOT default - + // Tachtler - NOT default - 
-        interface-interval 0;+ interface-interval 0;
  
-        // ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // Topology. + // Topology. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ 
  
-        // - empty -+ // - empty - 
  
-        // ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // The sortlist statement. + // The sortlist statement. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ 
  
-        // - empty -+ // - empty - 
  
-        // ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // RRset ordering. + // RRset ordering. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ 
  
-        // - empty -+ // - empty - 
  
-        // ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // Tuning. + // Tuning. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ 
  
-        // Sets the number of seconds to cache a lame server indication. 0 disables + // Sets the number of seconds to cache a lame server indication. 0 disables 
-        // caching. (This is NOT recommended.) The default is 600 (10 minutes) and + // caching. (This is NOT recommended.) The default is 600 (10 minutes) and 
-        // the maximum value is 1800 (30 minutes). + // the maximum value is 1800 (30 minutes). 
-        lame-ttl 600; + lame-ttl 600; 
-        // To reduce network traffic and increase performance, the server stores + // To reduce network traffic and increase performance, the server stores 
-        // negative answers. max-ncache-ttl is used to set a maximum retention time + // negative answers. max-ncache-ttl is used to set a maximum retention time 
-        // for these answers in the server in seconds. The default max-ncache-ttl + // for these answers in the server in seconds. The default max-ncache-ttl 
-        // is 10800 seconds (3 hours). max-ncache-ttl cannot exceed 7 days and will + // is 10800 seconds (3 hours). max-ncache-ttl cannot exceed 7 days and will 
-        // be silently truncated to 7 days if set to a greater value. + // be silently truncated to 7 days if set to a greater value. 
-        max-ncache-ttl 10800; + max-ncache-ttl 10800; 
-        // Sets the maximum time for which the server will cache ordinary + // Sets the maximum time for which the server will cache ordinary 
-        // (positive) answers. The default is one week (7 days). A value of zero + // (positive) answers. The default is one week (7 days). A value of zero  
-        // may cause all queries to return SERVFAIL, because of lost caches of + // may cause all queries to return SERVFAIL, because of lost caches of  
-        // intermediate RRsets (such as NS and glue AAAA/A records) in the + // intermediate RRsets (such as NS and glue AAAA/A records) in the 
-        // resolution process. + // resolution process. 
-        max-cache-ttl 604800; + max-cache-ttl 604800; 
-        // Sets the advertised EDNS UDP buffer size in bytes to control the size of + // Sets the advertised EDNS UDP buffer size in bytes to control the size of 
-        // packets received. Valid values are 512 to 4096 (values outside this + // packets received. Valid values are 512 to 4096 (values outside this 
-        // range will be silently adjusted). The default value is 4096. The usual + // range will be silently adjusted). The default value is 4096. The usual 
-        // reason for setting edns-udp-size to a non-default value is to get UDP + // reason for setting edns-udp-size to a non-default value is to get UDP 
-        // answers to pass through broken firewalls that block fragmented packets + // answers to pass through broken firewalls that block fragmented packets 
-        // and/or block UDP packets that are greater than 512 bytes. + // and/or block UDP packets that are greater than 512 bytes. 
-        // named will fallback to using 512 bytes if it get a series of timeout at + // named will fallback to using 512 bytes if it get a series of timeout at 
-        // the initial value. 512 bytes is not being offered to encourage sites to + // the initial value. 512 bytes is not being offered to encourage sites to 
-        // fix their firewalls. Small EDNS UDP sizes will result in the excessive + // fix their firewalls. Small EDNS UDP sizes will result in the excessive 
-        // use of TCP. + // use of TCP. 
-        edns-udp-size 4096; + edns-udp-size 4096; 
-        // Sets the maximum EDNS UDP message size named will send in bytes. Valid + // Sets the maximum EDNS UDP message size named will send in bytes. Valid 
-        // values are 512 to 4096 (values outside this range will be silently + // values are 512 to 4096 (values outside this range will be silently 
-        // adjusted). The default value is 4096. The usual reason for setting + // adjusted). The default value is 4096. The usual reason for setting 
-        // max-udp-size to a non-default value is to get UDP answers to pass + // max-udp-size to a non-default value is to get UDP answers to pass  
-        // through broken firewalls that block fragmented packets and/or block UDP + // through broken firewalls that block fragmented packets and/or block UDP 
-        // packets that are greater than 512 bytes. This is independent of the + // packets that are greater than 512 bytes. This is independent of the 
-        // advertised receive buffer (edns-udp-size). + // advertised receive buffer (edns-udp-size). 
-        // Setting this to a low value  will encourage additional TCP traffic to + // Setting this to a low value  will encourage additional TCP traffic to 
-        // the nameserver. + // the nameserver. 
-        max-udp-size 4096; + max-udp-size 4096; 
-        // Set the initial value (minimum) number of recursive simultaneous + // Set the initial value (minimum) number of recursive simultaneous 
-        // clients for any given query (<qname,qtype,qclass>) that the server will + // clients for any given query (<qname,qtype,qclass>) that the server will 
-        // accept before dropping additional clients. named will attempt to self + // accept before dropping additional clients. named will attempt to self 
-        // tune this value and changes will be logged. The default values are 10. + // tune this value and changes will be logged. The default values are 10. 
-        clients-per-query 10; + clients-per-query 10; 
-        // Set the initial value (maximum) number of recursive simultaneous + // Set the initial value (maximum) number of recursive simultaneous 
-        // clients for any given query (<qname,qtype,qclass>) that the server will + // clients for any given query (<qname,qtype,qclass>) that the server will 
-        // accept before dropping additional clients. named will attempt to self + // accept before dropping additional clients. named will attempt to self 
-        // tune this value and changes will be logged. The default values are 100. + // tune this value and changes will be logged. The default values are 100. 
-        max-clients-per-query 100;+ max-clients-per-query 100;
  
-        // ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // Build-in server information zones. + // Build-in server information zones. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ 
  
-        // The version the server should report via a query of the name + // The version the server should report via a query of the name 
-        // version.bind with type TXT, class CHAOS. The default is the real version + // version.bind with type TXT, class CHAOS. The default is the real version 
-        // number of this server. Specifying version none disables processing of + // number of this server. Specifying version none disables processing of  
-        // the queries. + // the queries. 
-        version none; + version none; 
-        // The hostname the server should report via a query of the name + // The hostname the server should report via a query of the name 
-        // hostname.bind with type TXT, class CHAOS. This defaults to the hostname + // hostname.bind with type TXT, class CHAOS. This defaults to the hostname 
-        // of the machine hosting the name server as found by the gethostname() + // of the machine hosting the name server as found by the gethostname() 
-        // function. + // function. 
-        // Tachtler - NOT default - + // Tachtler - NOT default - 
-        // hostname "ns1.tachtler.net"; + // hostname "ns1.tachtler.net"; 
-        // The ID the server should report when receiving a Name Server Identifier + // The ID the server should report when receiving a Name Server Identifier 
-        // (NSID) query, or a query of the name ID.SERVER with type TXT, class + // (NSID) query, or a query of the name ID.SERVER with type TXT, class 
-        // CHAOS. The primary purpose of such queries is to identify which of a + // CHAOS. The primary purpose of such queries is to identify which of a 
-        // group of anycast servers is actually answering your queries. Specifying + // group of anycast servers is actually answering your queries. Specifying  
-        // server-id none; disables processing of the queries. Specifying server-id + // server-id none; disables processing of the queries. Specifying server-id 
-        // hostname; will cause named to use the hostname as found by the + // hostname; will cause named to use the hostname as found by the 
-        // gethostname() function. The default server-id is none. + // gethostname() function. The default server-id is none. 
-        server-id none;+ server-id none;
  
-        // ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // Build-in empty zones. + // Build-in empty zones. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ 
  
-        // - empty -+ // - empty - 
  
-        // ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // Additional section caching. + // Additional section caching. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ 
  
-        // - empty -+ // - empty - 
  
-        // ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // Content filtering. + // Content filtering. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ 
  
-        // - empty -+ // - empty - 
  
-        // ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // Response policy zone (RPZ) rewriting. + // Response policy zone (RPZ) rewriting. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ 
  
-        // - empty -+ // - empty - 
  
-        // ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // Response rate limiting. + // Response rate limiting. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ 
  
-        // - empty -+ // - empty - 
  
 }; };
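Review bot: the `hostname` line at the end of the server-information block is still commented out in both versions, so `hostname.bind` CHAOS queries keep returning the machine's real hostname even though `version none;` and `server-id none;` hide the rest; either `hostname none;` or the uncommented `hostname "ns1.tachtler.net";` closes that gap. Beyond that, this hunk changes only indentation (eight spaces down to one on every line, with trailing spaces left behind), which makes a whitespace-only edit look like a settings change while no option value differs; two comment typos also survive in both versions: "Build-in" should read "Built-in" (twice) and "if it get a series of timeout" should read "if it gets a series of timeouts".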
Zeile 1384: Zeile 1383:
 // //
 view "home" IN { view "home" IN {
-        // Match for the client IP address. + // Match for the client IP address. 
-        match-clients { home; };+ match-clients { home; };
  
         // IMPORTANT: A zone can be updated either by editing zone files and         // IMPORTANT: A zone can be updated either by editing zone files and
-        // reloading the server or by dynamic update, but not both. If you have + // reloading the server or by dynamic update, but not both. If you have 
-        // enabled dynamic update for a zone using the "allow-update" option, you + // enabled dynamic update for a zone using the "allow-update" option, you 
-        // are not supposed to edit the zone file by hand, and the server will not + // are not supposed to edit the zone file by hand, and the server will not 
-        // attempt to reload it.+ // attempt to reload it.
  
-        // Zone: root server. ----------------------------------------------------- + // Zone: root server. ----------------------------------------------------- 
-        zone "." IN { + zone "." IN { 
-                type hint; + type hint; 
-                file "named.ca"; + file "named.ca"; 
-        };+ };
  
-        // Zone: localhost. ------------------------------------------------------- + // Zone: localhost. ------------------------------------------------------- 
-        include "/etc/named.rfc1912.zones";+ include "/etc/named.rfc1912.zones"; 
 + include "/etc/named.root.key";
  
-        // Zone: home.tachtler.net ------------------------------------------------ + // Zone: home.tachtler.net ------------------------------------------------ 
-        zone "home.tachtler.net" IN { + zone "home.tachtler.net" IN { 
-                type master; + inline-signing yes; 
-                file "master/home.tachtler.net.zone.db"; + auto-dnssec maintain; 
-        };+ key-directory "/etc/pki/dnssec-keys"; 
 + type master; 
 + file "master/view_home/home.tachtler.net.view_home.zone.db";  
 + // nsupdate 
 + allow-update { key "home.tachtler.net"; }; 
 + };
  
-        zone "2.168.192.in-addr.arpa" in { + zone "2.168.192.in-addr.arpa" in { 
-                type master; + inline-signing yes; 
-                file "master/2.168.192.in-addr.arpa.zone.db"; + auto-dnssec maintain; 
-        };+ key-directory "/etc/pki/dnssec-keys"; 
 + type master; 
 + file "master/view_home/0.168.192.in-addr.arpa.view_home.zone.db"; 
 + // nsupdate 
 + allow-update { key "0.168.192.in-addr.arpa"; }; 
 + }; 
 + 
 + // Zone: idmz.tachtler.net ------------------------------------------------ 
 + zone "idmz.tachtler.net" IN { 
 + inline-signing yes; 
 + auto-dnssec maintain; 
 + key-directory "/etc/pki/dnssec-keys"; 
 + type master; 
 + file "master/view_home/idmz.tachtler.net.view_home.zone.db";  
 + // nsupdate 
 + allow-update { key "idmz.tachtler.net"; }; 
 + }; 
 + 
 + zone "0.168.192.in-addr.arpa" in { 
 + inline-signing yes; 
 + auto-dnssec maintain; 
 + key-directory "/etc/pki/dnssec-keys"; 
 + type master; 
 + file "master/view_home/0.7.10.in-addr.arpa.view_home.zone.db"; 
 + // nsupdate 
 + allow-update { key "0.7.10.in-addr.arpa"; }; 
 + }; 
 + 
 + // Zone: tachtler.net (HOME) ---------------------------------------------- 
 + zone "tachtler.net" IN { 
 + inline-signing yes; 
 + auto-dnssec maintain; 
 + key-directory "/etc/pki/dnssec-keys"; 
 + type master; 
 + file "master/view_home/tachtler.net.idmz.view_home.zone.db";  
 + // nsupdate 
 + allow-update { key "tachtler.net.idmz"; }; 
 + };
  
-        // Zone: tachtler.net (HOME) ---------------------------------------------- 
-        zone "tachtler.net" IN { 
-                type master; 
-                file "master/tachtler.net.home.zone.db"; 
-        }; 
 }; };
  
 view "idmz" IN { view "idmz" IN {
-        // Match for the client IP address. + // Match for the client IP address. 
-        match-clients { 127.0.0.1localhost; idmz; };+ match-clients { localhost; idmz; key "tachtler.net.idmz"; !key "tachtler.net"!key "tachtler.net.edmz"; };
  
         // IMPORTANT: A zone can be updated either by editing zone files and         // IMPORTANT: A zone can be updated either by editing zone files and
-        // reloading the server or by dynamic update, but not both. If you have + // reloading the server or by dynamic update, but not both. If you have 
-        // enabled dynamic update for a zone using the "allow-update" option, you + // enabled dynamic update for a zone using the "allow-update" option, you 
-        // are not supposed to edit the zone file by hand, and the server will not + // are not supposed to edit the zone file by hand, and the server will not 
-        // attempt to reload it.+ // attempt to reload it.
  
-        // Zone: root server. ----------------------------------------------------- + // Zone: root server. ----------------------------------------------------- 
-        zone "." IN { + zone "." IN { 
-                type hint; + type hint; 
-                file "named.ca"; + file "named.ca"; 
-        };+ };
  
-        // Zone: localhost. ------------------------------------------------------- + // Zone: localhost. ------------------------------------------------------- 
-        include "/etc/named.rfc1912.zones";+ include "/etc/named.rfc1912.zones"; 
 + include "/etc/named.root.key";
  
-        // Zone: home.tachtler.net ------------------------------------------------ + // Zone: home.tachtler.net ------------------------------------------------ 
-        zone "home.tachtler.net" IN { + zone "home.tachtler.net" IN { 
-                type master; + inline-signing yes; 
-                file "master/home.tachtler.net.zone.db"; + auto-dnssec maintain; 
-        };+ key-directory "/etc/pki/dnssec-keys"; 
 + type master; 
 + file "master/view_idmz/home.tachtler.net.view_idmz.zone.db";  
 + // nsupdate 
 + allow-update { key "home.tachtler.net"; }; 
 + };
  
-        zone "2.168.192.in-addr.arpa" in { + zone "2.168.192.in-addr.arpa" in { 
-                type master; + inline-signing yes; 
-                file "master/2.168.192.in-addr.arpa.zone.db"; + auto-dnssec maintain; 
-        };+ key-directory "/etc/pki/dnssec-keys"; 
 + type master; 
 + file "master/view_idmz/0.168.192.in-addr.arpa.view_idmz.zone.db"; 
 + // nsupdate 
 + allow-update { key "0.168.192.in-addr.arpa"; }; 
 + };
  
-        // Zone: idmz.tachtler.net ------------------------------------------------ + // Zone: idmz.tachtler.net ------------------------------------------------ 
-        zone "idmz.tachtler.net" IN { + zone "idmz.tachtler.net" IN { 
-                type master; + inline-signing yes; 
-                file "master/idmz.tachtler.net.zone.db"; + auto-dnssec maintain; 
-        };+ key-directory "/etc/pki/dnssec-keys"; 
 + type master; 
 + file "master/view_idmz/idmz.tachtler.net.view_idmz.zone.db";  
 + // nsupdate 
 + allow-update { key "idmz.tachtler.net"; }; 
 + };
  
-        zone "0.168.192.in-addr.arpa" in { + zone "0.168.192.in-addr.arpa" in { 
-                type master; + inline-signing yes; 
-                file "master/0.168.192.in-addr.arpa.zone.db"; + auto-dnssec maintain; 
-        };+ key-directory "/etc/pki/dnssec-keys"; 
 + type master; 
 + file "master/view_idmz/0.7.10.in-addr.arpa.view_idmz.zone.db"; 
 + // nsupdate 
 + allow-update { key "0.7.10.in-addr.arpa"; }; 
 + };
  
-        // Zone: edmz.tachtler.net ------------------------------------------------ + // Zone: edmz.tachtler.net ------------------------------------------------ 
-        zone "edmz.tachtler.net" IN { + zone "edmz.tachtler.net" IN { 
-                type master; + inline-signing yes; 
-                file "master/edmz.tachtler.net.zone.db"; + auto-dnssec maintain; 
-        };+ key-directory "/etc/pki/dnssec-keys"; 
 + type master; 
 + file "master/view_idmz/edmz.tachtler.net.view_idmz.zone.db";  
 + // nsupdate 
 + allow-update { key "edmz.tachtler.net"; }; 
 + };
  
-        zone "1.168.192.in-addr.arpa" in { + zone "1.168.192.in-addr.arpa" in { 
-                type master; + inline-signing yes; 
-                file "master/1.168.192.in-addr.arpa.zone.db"; + auto-dnssec maintain; 
-        };+ key-directory "/etc/pki/dnssec-keys"; 
 + type master; 
 + file "master/view_idmz/1.7.10.in-addr.arpa.view_idmz.zone.db"; 
 + // nsupdate 
 + allow-update { key "1.7.10.in-addr.arpa"; }; 
 + }; 
 + 
 + // Zone: tachtler.net (IDMZ) ---------------------------------------------- 
 + zone "tachtler.net" IN { 
 + inline-signing yes; 
 + auto-dnssec maintain; 
 + key-directory "/etc/pki/dnssec-keys"; 
 + type master; 
 + file "master/view_idmz/tachtler.net.idmz.view_idmz.zone.db";  
 + // nsupdate 
 + allow-update { key "tachtler.net.idmz"; }; 
 + };
  
-        // Zone: tachtler.net (IDMZ) ---------------------------------------------- 
-        zone "tachtler.net" IN { 
-                type master; 
-                file "master/tachtler.net.idmz.zone.db"; 
-        }; 
 }; };
  
 view "edmz" IN { view "edmz" IN {
-        // Match for the client IP address. + // Match for the client IP address. 
-        match-clients { edmz; };+ match-clients { edmz; key "tachtler.net.edmz"; !key "tachtler.net"; !key "tachtler.net.idmz"; };
  
         // IMPORTANT: A zone can be updated either by editing zone files and         // IMPORTANT: A zone can be updated either by editing zone files and
-        // reloading the server or by dynamic update, but not both. If you have + // reloading the server or by dynamic update, but not both. If you have 
-        // enabled dynamic update for a zone using the "allow-update" option, you + // enabled dynamic update for a zone using the "allow-update" option, you 
-        // are not supposed to edit the zone file by hand, and the server will not + // are not supposed to edit the zone file by hand, and the server will not 
-        // attempt to reload it.+ // attempt to reload it.
  
-        // Zone: root server. ----------------------------------------------------- + // Zone: root server. ----------------------------------------------------- 
-        zone "." IN { + zone "." IN { 
-                type hint; + type hint; 
-                file "named.ca"; + file "named.ca"; 
-        };+ };
  
-        // Zone: localhost. ------------------------------------------------------- + // Zone: localhost. ------------------------------------------------------- 
-        include "/etc/named.rfc1912.zones";+ include "/etc/named.rfc1912.zones"; 
 + include "/etc/named.root.key";
  
-        // Zone: edmz.tachtler.net ------------------------------------------------ + // Zone: edmz.tachtler.net ------------------------------------------------ 
-        zone "edmz.tachtler.net" IN { + zone "edmz.tachtler.net" IN { 
-                type master; + inline-signing yes; 
-                file "master/edmz.tachtler.net.zone.db"; + auto-dnssec maintain; 
-        };+ key-directory "/etc/pki/dnssec-keys"; 
 + type master; 
 + file "master/view_edmz/edmz.tachtler.net.view_edmz.zone.db";  
 + // nsupdate 
 + allow-update { key "edmz.tachtler.net"; }; 
 + };
  
-        zone "1.168.192.in-addr.arpa" in { + zone "1.168.192.in-addr.arpa" in { 
-                type master; + inline-signing yes; 
-                file "master/1.168.192.in-addr.arpa.zone.db"; + auto-dnssec maintain; 
-        };+ key-directory "/etc/pki/dnssec-keys"; 
 + type master; 
 + file "master/view_edmz/1.7.10.in-addr.arpa.view_edmz.zone.db"; 
 + // nsupdate 
 + allow-update { key "1.7.10.in-addr.arpa"; }; 
 + }; 
 + 
 + // Zone: tachtler.net (EDMZ) ---------------------------------------------- 
 + zone "tachtler.net" IN { 
 + inline-signing yes; 
 + auto-dnssec maintain; 
 + key-directory "/etc/pki/dnssec-keys"; 
 + type master; 
 + file "master/view_edmz/tachtler.net.edmz.view_edmz.zone.db";  
 + // nsupdate 
 + allow-update { key "tachtler.net.edmz"; }; 
 + };
  
-        // Zone: tachtler.net (EDMZ) ---------------------------------------------- 
-        zone "tachtler.net" IN { 
-                type master; 
-                file "master/tachtler.net.edmz.zone.db"; 
-        }; 
 }; };
  
 view "pdmz" IN { view "pdmz" IN {
-        // Match for the client IP address. + // Match for the client IP address. 
-        match-clients { any; };+ match-clients { any; key "tachtler.net"; !key "tachtler.net.idmz"; !key "tachtler.net.edmz";};
  
-        // If recursion is off and the server does not already know the answer, + // If recursion is off and the server does not already know the answer, 
-        // it will return a referral response. + // it will return a referral response. 
-        recursion no;+ recursion no;
  
-        // Specifies which hosts are allowed to make recursive queries through this + // Specifies which hosts are allowed to make recursive queries through this 
-        // server. + // server. 
-        allow-recursion { none; };+ allow-recursion { none; };
  
         // IMPORTANT: A zone can be updated either by editing zone files and         // IMPORTANT: A zone can be updated either by editing zone files and
-        // reloading the server or by dynamic update, but not both. If you have + // reloading the server or by dynamic update, but not both. If you have 
-        // enabled dynamic update for a zone using the "allow-update" option, you + // enabled dynamic update for a zone using the "allow-update" option, you 
-        // are not supposed to edit the zone file by hand, and the server will not + // are not supposed to edit the zone file by hand, and the server will not 
-        // attempt to reload it.+ // attempt to reload it.
  
-        // Zone: root server. ----------------------------------------------------- + // Zone: root server. ----------------------------------------------------- 
-        zone "." IN { + zone "." IN { 
-                type hint; + type hint; 
-                file "named.ca"; + file "named.ca"; 
-        };+ };
  
-        // Zone: localhost. ------------------------------------------------------- + // Zone: localhost. ------------------------------------------------------- 
-        include "/etc/named.rfc1912.zones";+ include "/etc/named.rfc1912.zones"; 
 + include "/etc/named.root.key";
  
-        // Zone: tachtler.net (PDMZ) ---------------------------------------------- + // Zone: tachtler.net (PDMZ) ---------------------------------------------- 
-        zone "tachtler.net" IN { + zone "tachtler.net" IN { 
-                type master; + inline-signing yes; 
-                file "master/tachtler.net.zone.db"; + auto-dnssec maintain; 
-        };+ key-directory "/etc/pki/dnssec-keys"; 
 + type master; 
 + file "master/view_pdmz/tachtler.net.view_pdmz.zone.db";  
 + // nsupdate 
 + allow-update { key "tachtler.net"; }; 
 + };
  
-        zone "171.217.88.in-addr.arpa" in { + zone "171.217.88.in-addr.arpa" in { 
-                type master; + inline-signing yes; 
-                file "master/171.217.88.in-addr.arpa.zone.db"; + auto-dnssec maintain; 
-        };+ key-directory "/etc/pki/dnssec-keys"; 
 + type master; 
 + file "master/view_pdmz/171.217.88.in-addr.arpa.view_pdmz.zone.db"; 
 + // nsupdate 
 + allow-update { key "171.217.88.in-addr.arpa"; }; 
 + };
 }; };
  
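Review bot: the new `match-clients` in view "idmz" has a syntax error, `!key "tachtler.net"!key "tachtler.net.edmz"` is missing the semicolon between the two elements, so `named-checkconf` rejects the file; it should read `!key "tachtler.net"; !key "tachtler.net.edmz";`. The element order in all three views also defeats the negations: address match lists are evaluated first match wins, so with `localhost; idmz;` (idmz), `edmz;` (edmz) and `any;` (pdmz) placed before the `!key` entries, a request from those networks signed with a key meant for another view is accepted by the address element and the `!key` entries are never reached (after `any;` nothing is evaluated at all); put the negations first, e.g. `match-clients { !key "tachtler.net"; !key "tachtler.net.edmz"; key "tachtler.net.idmz"; localhost; idmz; };`. Several zone names no longer agree with their file and key names: `zone "2.168.192.in-addr.arpa"` (views home and idmz) points at the `0.168.192.in-addr.arpa.view_*.zone.db` file and `key "0.168.192.in-addr.arpa"`, `zone "0.168.192.in-addr.arpa"` uses the `0.7.10.in-addr.arpa` file and key, `zone "1.168.192.in-addr.arpa"` uses `1.7.10.in-addr.arpa`, and `zone "tachtler.net"` in view home uses the `tachtler.net.idmz` file and key; if the networks were renumbered, the zone names need the same change, otherwise a reverse lookup for one network is answered from another network's zone data, and the view home case is worth confirming as intentional. Finally, every key named in an `allow-update` (home.tachtler.net, idmz.tachtler.net, edmz.tachtler.net, the in-addr.arpa names, tachtler.net.idmz, tachtler.net.edmz) needs a matching `key` statement; only `key "tachtler.net"` is defined on this page.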
Zeile 1558: Zeile 1660:
 // Includes. // Includes.
 // ================================================================================ // ================================================================================
-include "/etc/named.root.key"; 
  
 </code> </code>
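Review bot: removing the global include is the right companion to the `include "/etc/named.root.key";` line now placed in each view above; once that file is pulled into every view it should hold only the `managed-keys` trust anchor, which is why the `key "tachtler.net"` statement is moved out of it further down in this diff, and a `named-checkconf -z` run after the move confirms that no view was left without the include.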
Zeile 2231: Zeile 2332:
         // DLV domain and trust anchor will be used, along with a built-in key for         // DLV domain and trust anchor will be used, along with a built-in key for
         // validation.         // validation.
-        dnssec-lookaside auto;+        // Tachtler - DEPRECATED - Service was shutdown. 
 +        //dnssec-lookaside auto;
 ... ...
 </code> </code>
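Review bot: commenting out `dnssec-lookaside auto;` is correct, ISC's DLV registry has been retired and the option only triggers a warning in current BIND releases; the comment should read "Service was shut down" (two words), and since the old line is kept only for reference, deleting it outright avoids it being re-enabled by mistake later.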
Zeile 2266: Zeile 2368:
         // Zone: localhost. -------------------------------------------------------         // Zone: localhost. -------------------------------------------------------
         include "/etc/named.rfc1912.zones";         include "/etc/named.rfc1912.zones";
 +        include "/etc/named.root.key";
    
         // Zone: tachtler.net (PDMZ) ----------------------------------------------         // Zone: tachtler.net (PDMZ) ----------------------------------------------
Zeile 2479: Zeile 2582:
 ==== /etc/named.root.key ==== ==== /etc/named.root.key ====
  
-Für den Inhalt des jeweiligen Zonen-Schlüssels, kann mit nachfolgendem Befehl der Schlüssel ausgegeben werden: +Der Inhalt der Datei sollte dann wie folgt **aussehen**:
-<code ini> +
-# cat /etc/Ktachtler.net.+157+19706.private  +
-Private-key-format: v1.3 +
-Algorithm: 157 (HMAC_MD5) +
-Key: K3EaOD3IysiC/D7lIXp+4hrYGDLyIq6la9oDBSuH2FMlE4kZ3O1ZFxKS/uS547TN5MHfwG5YvUkYE7gxMHCmCg== +
-Bits: AAA= +
-Created: 20160217132139 +
-Publish: 20160217132139 +
-Activate: 20160217132139 +
-</code> +
- +
-Der Inhalt der Datei sollte dann wie folgt **erweitert** werden:+
 <code ini> <code ini>
 managed-keys { managed-keys {
Zeile 2497: Zeile 2588:
  # Updates are published on root-dnssec-announce@icann.org  # Updates are published on root-dnssec-announce@icann.org
  . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=";  . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=";
-}; 
-key "tachtler.net" { 
-    algorithm hmac-md5; 
-    secret "K3EaOD3IysiC/D7lIXp+4hrYGDLyIq6la9oDBSuH2FMlE4kZ3O1ZFxKS/uS547TN5MHfwG5YvUkYE7gxMHCmCg=="; 
-}; 
-</code> 
- 
-Neu ist hier der Bereich: 
-<code ini> 
-key "tachtler.net" { 
-    algorithm hmac-md5; 
-    secret "K3EaOD3IysiC/D7lIXp+4hrYGDLyIq6la9oDBSuH2FMlE4kZ3O1ZFxKS/uS547TN5MHfwG5YvUkYE7gxMHCmCg=="; 
 }; };
 </code> </code>
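Review bot: taking `key "tachtler.net"` out of /etc/named.root.key is needed once that file is included per view (earlier in this diff); defining the key once at the global level of /etc/named.conf, where every view's `match-clients` and `allow-update` refer to the same definition, is cleaner than four per-view copies. Note that the secret is moved, not replaced: a TSIG secret printed in full on a page like this should be regenerated before it is used, and the file read by `cat /etc/Ktachtler.net.+157+19706.private` is a private key living in /etc, so its mode should be restricted to the named user.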
Zeile 2536: Zeile 2615:
 <code ini> <code ini>
                 allow-update { key "tachtler.net"; }                 allow-update { key "tachtler.net"; }
 +</code>
 +
 +Für den Inhalt des jeweiligen Zonen-Schlüssels, kann mit nachfolgendem Befehl der Schlüssel ausgegeben werden:
 +<code ini>
 +# cat /etc/Ktachtler.net.+157+19706.private 
 +Private-key-format: v1.3
 +Algorithm: 157 (HMAC_MD5)
 +Key: K3EaOD3IysiC/D7lIXp+4hrYGDLyIq6la9oDBSuH2FMlE4kZ3O1ZFxKS/uS547TN5MHfwG5YvUkYE7gxMHCmCg==
 +Bits: AAA=
 +Created: 20160217132139
 +Publish: 20160217132139
 +Activate: 20160217132139
 +</code>
 +
 +Der Inhalt der Datei sollte dann wie folgt **erweitert** werden:
 +
 +(**Nur relevanter Ausschnitt**)
 +<code ini>
 +...
 +// ================================================================================
 +// Includes.
 +// ================================================================================
 +
 +key "tachtler.net" {
 +    algorithm hmac-md5;
 +    secret "K3EaOD3IysiC/D7lIXp+4hrYGDLyIq6la9oDBSuH2FMlE4kZ3O1ZFxKS/uS547TN5MHfwG5YvUkYE7gxMHCmCg==";
 +};
 +</code>
 +
 +Neu ist hier der Bereich:
 +<code ini>
 +key "tachtler.net" {
 +    algorithm hmac-md5;
 +    secret "K3EaOD3IysiC/D7lIXp+4hrYGDLyIq6la9oDBSuH2FMlE4kZ3O1ZFxKS/uS547TN5MHfwG5YvUkYE7gxMHCmCg==";
 +};
 </code> </code>
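Review bot: the key statement uses `algorithm hmac-md5;`, which is deprecated for TSIG; BIND supports hmac-sha256, and `tsig-keygen -a hmac-sha256 tachtler.net` (BIND 9.11, as shipped with CentOS 7) prints a ready-made key statement, after which the algorithm must match in the nsupdate key file as well. "Der Inhalt der Datei sollte dann wie folgt erweitert werden" should name the file, since this excerpt is from /etc/named.conf while the paragraph before it still refers to /etc/named.root.key. The `Bits: AAA=` and Created/Publish/Activate fields in the private-key file are dnssec-keygen metadata and are not needed in named.conf; only the secret and algorithm carry over.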
  
Zeile 2718: Zeile 2832:
 Debugging Befehl für ein Abfrage via ''dig'': Debugging Befehl für ein Abfrage via ''dig'':
 <code> <code>
-dig +trace +recurse +all +qr -t NS google.de+dig @127.0.0.1 +trace +recurse +all +qr -t NS google.de
 </code> </code>
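Review bot: with `+trace`, dig sends only the initial root NS lookup to `@127.0.0.1` and then queries the authoritative servers directly, so this command does not exercise the local server's recursion path; to test what a client gets from this resolver, drop `+trace`. Also, because 127.0.0.1 is listed in the `match-clients` of view "idmz" above, a query from localhost is answered by that view, so checks for the home, edmz or pdmz views need a source address from those networks (dig `-b`) or a request signed with the matching key.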
  
tachtler/dns_isc_bind_centos_7.txt · Last modified: 2021/11/14 14:51 by klaus