tachtler:dns_isc_bind_centos_7

Differences

This shows the differences between two versions of the page.

tachtler:dns_isc_bind_centos_7 [2018/12/23 07:33]
klaus [/etc/named.conf]
tachtler:dns_isc_bind_centos_7 [2019/10/29 05:48] (current)
klaus [Useful commands]
Line 676: Line 676:
 :!: **HINWEIS** - **Ein optimiertes Vorgehen, soll nachfolgend dargestellt werden!** :!: **HINWEIS** - **Ein optimiertes Vorgehen, soll nachfolgend dargestellt werden!**
  
-==== /etc/myrndc.key ====+==== /etc/rndc.key ====
  
 nach der Installation des DNS-Servers ist eine Datei mit einem Schlüssel unter nach der Installation des DNS-Servers ist eine Datei mit einem Schlüssel unter
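Review bot: the heading now names /etc/rndc.key, which is the package-generated key file the following context line says already exists after installation, so the section should state that the rndc-confgen run below overwrites that file rather than creating a separate one; it should also point out that a named instance already running still holds the previous key, so it needs a restart before rndc can authenticate with the regenerated one.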
Line 693: Line 693:
 </​code>​ </​code>​
  
-Um die Sicherheit zu erhöhen, sollte ein eigener Schlüssel, welcher in der Datei ''/​etc/​myrndc.key''​ beinhaltet ist, erstellt werden, was mit nachfolgendem Befehl durchgeführt werden kann:+Um die Sicherheit zu erhöhen, sollte ein eigener Schlüssel, welcher in der Datei ''/​etc/​rndc.key''​ beinhaltet ist, erstellt werden, was mit nachfolgendem Befehl durchgeführt werden kann:
 <​code>​ <​code>​
-# rndc-confgen -a -b 512 -c /etc/myrndc.key -k rndc-key -r "​keyboard"​ -u named+# rndc-confgen -a -b 512 -c /etc/rndc.key -k rndc-key -r "​keyboard"​ -u named
 start typing: start typing:
 ............................... ...............................
Line 720: Line 720:
 ........................... ...........................
 stop typing. stop typing.
-wrote key file "/etc/myrndc.key"+wrote key file "/etc/rndc.key"
 </​code>​ </​code>​
  
-Anschließend kann mit nachfolgendem Befehl überprüft werden, ob die Generierung einer neuen Datei mit dem Namen ''/​etc/​myrndc.key''​ erfolgreich war:+Anschließend kann mit nachfolgendem Befehl überprüft werden, ob die Generierung einer neuen Datei mit dem Namen ''/​etc/​rndc.key''​ erfolgreich war:
 <code ini> <code ini>
-# cat /etc/myrndc.key +# cat /etc/rndc.key 
-key "rndc-key" {+key "ns1.tachtler.net-key" {
  algorithm hmac-md5;  algorithm hmac-md5;
         secret "​NvVzfoFWdyDHvca87zRuMu+x49VzfyaKDiDHvca87zkRe8YoEhzfoFWdyDHvca87zkRu9v5DQpEzfoFWdyDHvc==";​         secret "​NvVzfoFWdyDHvca87zRuMu+x49VzfyaKDiDHvca87zkRe8YoEhzfoFWdyDHvca87zkRu9v5DQpEzfoFWdyDHvc==";​
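Review bot: the key name in the verification output, `key "ns1.tachtler.net-key" {`, does not match the generation command in the preceding hunk, which still passes `-k rndc-key` and would therefore write `key "rndc-key" {`; change the command to `-k ns1.tachtler.net-key` (or revert the shown output) so that the name agrees with the default-key and controls statements later in this diff. The algorithm stays hmac-md5; where the installed tool allows choosing a SHA-2 HMAC, that would be the stronger option for the control channel.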
Line 734: Line 734:
 Abschließend sollten die **Besitz**recht noch einmal verschärft werden, was mit nachfolgendem Befehl durchgeführt werden kann: Abschließend sollten die **Besitz**recht noch einmal verschärft werden, was mit nachfolgendem Befehl durchgeführt werden kann:
 <​code>​ <​code>​
-# chown root:named /etc/myrndc.key+# chown root:named /etc/rndc.key
 </​code>​ </​code>​
  
 Ein Überprüfung,​ ob die **Besitz**rechte korrekt gesetzt wurden, kann mit nachfolgendem Befehl durchgeführt werden: Ein Überprüfung,​ ob die **Besitz**rechte korrekt gesetzt wurden, kann mit nachfolgendem Befehl durchgeführt werden:
 <​code>​ <​code>​
-# ll /etc/myrndc.key +# ll /etc/rndc.key 
--rw-r----- 1 root named 153 Oct 17 13:06 /etc/myrndc.key+-rw-r----- 1 root named 153 Oct 17 13:06 /etc/rndc.key
 </​code>​ </​code>​
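Review bot: the listing `-rw-r----- 1 root named 153 Oct 17 13:06 /etc/rndc.key` is the old output with only the path substituted; with the longer key name shown in the cat output above, the file will not be 153 bytes, so the listing should be re-captured after regenerating the key. The text only talks about ownership, but the mode 0640 with group named is equally part of the check and is worth naming explicitly.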
  
Line 750: Line 750:
 Der Inhalt der Datei sollte, wie nachfolgend darstellt, aussehen: Der Inhalt der Datei sollte, wie nachfolgend darstellt, aussehen:
 <code ini> <code ini>
-include "/etc/myrndc.key";+include "/etc/rndc.key";
  
 options { options {
- default-key "rndc-key";+ default-key "ns1.tachtler.net-key";
  default-server 127.0.0.1;  default-server 127.0.0.1;
  default-port 953;  default-port 953;
Line 938: Line 938:
 // ================================================================================ // ================================================================================
 acl primary { acl primary {
-        ​192.168.0.20/​32;​+ 192.168.0.20/​32;​
 }; };
  
 // Without unbound as resolver in front of bind // Without unbound as resolver in front of bind
 acl interfaces { acl interfaces {
-      ​192.168.0.20/​32;​ + 192.168.0.20/​32;​ 
-      192.168.1.20/​32;​+ 192.168.1.20/​32;​
 }; };
  
 // With unbound as resolver in front of bind // With unbound as resolver in front of bind
 //acl interfaces { //acl interfaces {
 +//​ 192.168.1.20/​32;​
 //}; //};
  
 acl pdmz { acl pdmz {
-        ​88.217.171.167/​32;​+ 88.217.171.167/​32;​
 }; };
  
 acl edmz { acl edmz {
-        ​192.168.1.0/​24;​+ 192.168.1.0/​24;​
 }; };
  
 acl idmz { acl idmz {
-        ​192.168.0.0/​24;​+ 192.168.0.0/​24;​
 }; };
  
 acl home { acl home {
-        ​192.168.2.0/​24;​+ 192.168.2.0/​24;​
 }; };
  
Line 970: Line 971:
 // Keys. // Keys.
 // ================================================================================ // ================================================================================
-include "/etc/myrndc.key";+include "/etc/rndc.key";
  
 // ================================================================================ // ================================================================================
Line 977: Line 978:
 controls { controls {
         inet 127.0.0.1 port 953         inet 127.0.0.1 port 953
-                allow { 127.0.0.1; } keys { "rndc-key"; };+                allow { 127.0.0.1; } keys { "ns1.tachtler.net-key"; };
 }; };
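Review bot: `keys { "ns1.tachtler.net-key"; }` must reference a key statement that the include above actually loads; if /etc/rndc.key was generated with `-k rndc-key` as the command in the line 693 hunk still shows, named refuses to load the configuration because of the undefined key. Run `named-checkconf` before restarting so this mismatch is caught at config time rather than as a failed service start.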
  
Line 985: Line 986:
 logging { logging {
  
-        ​// Channels. -------------------------------------------------------------+ // Channels. -------------------------------------------------------------
  
-        ​// Default startup messages.+ // Default startup messages.
         channel default_debug {         channel default_debug {
                 file "​data/​named.run";​                 file "​data/​named.run";​
                 severity dynamic;                 severity dynamic;
-                ​print-category yes; + print-category yes; 
-                print-severity yes; + print-severity yes; 
-                print-time yes;+ print-time yes;
         };         };
-        ​// Approval and denial of requests. + // Approval and denial of requests. 
-        channel custom_security { + channel custom_security { 
-                file "​data/​named.security";​+ file "​data/​named.security";​
                 severity info;                 severity info;
-                ​print-category yes; + print-category yes; 
-                print-severity yes; + print-severity yes; 
-                print-time yes; + print-time yes; 
-        }; + }; 
-        // Lame servers. These are misconfigurations in remote servers, discovered + // Lame servers. These are misconfigurations in remote servers, discovered 
-        // by BIND 9 when trying to query those servers during resolution. + // by BIND 9 when trying to query those servers during resolution. 
-        channel custom_lame-servers { + channel custom_lame-servers { 
-                file "​data/​named.lame-servers";​+ file "​data/​named.lame-servers";​
                 severity info;                 severity info;
-                ​print-category yes; + print-category yes; 
-                print-severity yes; + print-severity yes; 
-                print-time yes; + print-time yes; 
-        };+ };
  
-        ​// Categories. -----------------------------------------------------------+ // Categories. -----------------------------------------------------------
  
-        ​category security { + category security { 
-                custom_security;​ + custom_security;​ 
-                default_syslog;​ + default_syslog;​ 
-                default_debug;​ + default_debug;​ 
-        }; + }; 
-        category lame-servers { + category lame-servers { 
-                custom_lame-servers ; + custom_lame-servers ; 
-                default_syslog;​ + default_syslog;​ 
-                default_debug;​ + default_debug;​ 
-        };+ };
 }; };
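Review bot: style, `custom_lame-servers ;` in the lame-servers category keeps a stray space before the semicolon on both sides of the diff. Otherwise this hunk is whitespace only (eight spaces replaced by a tab), which makes the substantive changes elsewhere in the diff harder to spot; separating reformatting from content edits would help reviewers.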
  
Line 1031: Line 1032:
 // ================================================================================ // ================================================================================
 options { options {
-        ​// The working directory of the server. + // The working directory of the server. 
-        directory "/​var/​named";​ + directory "/​var/​named";​ 
-        // The directory where the public and private DNSSEC key files should be + // The directory where the public and private DNSSEC key files should be 
-        // found. + // found. 
-        key-directory "/​var/​named";​ + key-directory "/​var/​named";​ 
-        // The directory which to store the files that track managed DNSSEC keys. + // The directory which to store the files that track managed DNSSEC keys. 
-        managed-keys-directory "/​var/​named/​dynamic";​ + managed-keys-directory "/​var/​named/​dynamic";​ 
-        // The pathname of the file the server dumps the database to when + // The pathname of the file the server dumps the database to when 
-        // instructed. + // instructed. 
-        dump-file "/​var/​named/​data/​cache_dump.db";​ + dump-file "/​var/​named/​data/​cache_dump.db";​ 
-        // The pathname of the file the server writes memory usage statistics to + // The pathname of the file the server writes memory usage statistics to 
-        // on exit. + // on exit. 
-        memstatistics-file "/​var/​named/​data/​named_mem_stats.txt"; ​      + memstatistics-file "/​var/​named/​data/​named_mem_stats.txt";​ 
-        // The pathname of the file the server writes its process ID in. + // The pathname of the file the server writes its process ID in. 
-        pid-file "/​run/​named/​named.pid";​ + pid-file "/​run/​named/​named.pid";​ 
-        // The pathname of the file the server dumps the queries that are currently + // The pathname of the file the server dumps the queries that are currently  
-        // recursing when instructed + // recursing when instructed. 
-        recursing-file "/​var/​named/​data/​named_recursing.db";​ + recursing-file "/​var/​named/​data/​named_recursing.db";​ 
-        // The pathname of the file the server ​appends statistics ​to when + // The pathname of the file the server ​dumps security roots to when 
-        // instructed. + // instructed ​to do so with rndc secroots 
-        statistics-file "/​var/​named/​data/​named_stats.txt";​ + statistics-file "/​var/​named/​data/​named_stats.txt";​ 
-        // The pathname of a file to override the built-in trusted keys provided + // The pathname of a file to override the built-in trusted keys provided 
-        // by named. Path to ISC DLV key. + // by named. Path to ISC DLV key. 
-        bindkeys-file "/​etc/​named.iscdlv.key";​ + bindkeys-file "/​etc/​named.root.key";​ 
-        // The pathname of the file the server dumps security roots to when + // The pathname of the file the server dumps security roots to when 
-        // instructed. + // instructed. 
-        secroots-file "/​var/​named/​data/​named_secroots.db";​ + secroots-file "/​var/​named/​data/​named_secroots.db";​ 
-        // The pathname of the file into which to write a TSIG session key + // The pathname of the file into which to write a TSIG session key 
-        // generated by named for use by nsupdate -l. + // generated by named for use by nsupdate -l. 
-        session-keyfile "/​run/​named/​session.key";​+ session-keyfile "/​run/​named/​session.key";​
  
-        ​// ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // Boolean options. + // Boolean options. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ ​
  
-        ​// If yes, then when generating responses the server will only add records + // If yes, then when generating responses the server will only add records  
-        // to the authority and additional data sections when they are required. + // to the authority and additional data sections when they are required. 
-        minimal-responses no; + // Tachtler - default: minimal-responses no; 
-        // If yes, and a DNS query requests recursion, then the server will attempt + minimal-responses no; 
-        // to do all the work required to answer the query. If recursion is off and + // If yes, and a DNS query requests recursion, then the server will attempt 
-        // the server does not already know the answer, it will return a referral + // to do all the work required to answer the query. If recursion is off and 
-        // response. The default is yes. Note that setting recursion no does not + // the server does not already know the answer, it will return a referral  
-        // prevent clients from getting data from the serverâs ​cache; it only + // response. The default is yes. Note that setting recursion no does not  
-        // prevents new data from being cached as an effect of client queries. + // prevent clients from getting data from the server’s ​cache; it only  
-        /* + // prevents new data from being cached as an effect of client queries. 
-         ​- If your recursive DNS server has a public IP address, you MUST enable + /*  
-           ​access control to limit queries to your legitimate users. Failing to do +  - If your recursive DNS server has a public IP address, you MUST enable 
-           ​so will cause your server to become part of large scale DNS +    access control to limit queries to your legitimate users. Failing to do 
-           ​amplification attacks. Implementing BCP38 within your network would +    so will cause your server to become part of large scale DNS 
-           ​greatly reduce such attack surface . +    amplification attacks. Implementing BCP38 within your network would 
-        */ +    greatly reduce such attack surface . 
-        // IMPORTANT: Use of access control: allow-recursion is required! + */ 
-        recursion yes;+ // IMPORTANT: Use of access control: allow-recursion is required! 
 + recursion yes;
  
-        ​// DNSSEC. ---------------------------------------------------------------+ // DNSSEC. ---------------------------------------------------------------
  
-        ​// Enable DNSSEC support in named. + // Enable DNSSEC support in named. 
-        dnssec-enable yes; + dnssec-enable yes; 
-        // Enable DNSSEC validation in named and compare to root-certs (auto). + // Enable DNSSEC validation in named and compare to root-certs (auto). 
-        // yes: DNSSEC validation is enabled, but a trust anchor must be manually+ // yes: DNSSEC validation is enabled, but a trust anchor must be manually
         // configured. No validation will actually take place until you have          // configured. No validation will actually take place until you have 
         // manually configured at least one trusted key. This is the default.         // manually configured at least one trusted key. This is the default.
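Review bot: the comment now placed above `statistics-file`, `// The pathname of the file the server dumps security roots to when` / `// instructed to do so with rndc secroots`, describes secroots-file (which keeps its own comment a few lines further down), not statistics-file; restore the original "appends statistics to when instructed" wording. Likewise `bindkeys-file "/etc/named.root.key"` still carries the comment "Path to ISC DLV key" although the DLV service is marked as shut down in the next hunk; the comment should say the file holds the root zone trust anchor.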
Line 1097: Line 1099:
         // auto: DNSSEC validation is enabled, and a default trust anchor ​         // auto: DNSSEC validation is enabled, and a default trust anchor ​
         // (included as part of BIND) for the DNS root zone is used.         // (included as part of BIND) for the DNS root zone is used.
-        ​dnssec-validation auto; + // Tachtler - DISABLED - 
-        // When set, dnssec-lookaside provides the validator with an alternate + // dnssec-validation auto; 
-        // method to validate DNSKEY records at the top of a zone. + dnssec-validation yes; 
-        // If dnssec-lookaside is set to auto, then built-in default values for the + // When set, dnssec-lookaside provides the validator with an alternate 
-        // DLV domain and trust anchor will be used, along with a built-in key for + // method to validate DNSKEY records at the top of a zone. 
-        // validation. + // If dnssec-lookaside is set to auto, then built-in default values for the 
-        dnssec-lookaside auto; + // DLV domain and trust anchor will be used, along with a built-in key for 
- + // validation. 
-        // Checks. ---------------------------------------------------------------+ // Tachtler - DEPRECATED - Service was shutdown. 
 + //dnssec-lookaside auto;
  
-        ​// This option is used to restrict the character set and syntax of certain + // Checks. ---------------------------------------------------------------
-        // domain names in master files and/or DNS responses received from the +
-        // network. +
-        // Tachtler ​Warn only, if names not correct, like DKIM for e-mail. +
-        check-names master warn;+
  
-        ​// ------------------------------------------------------------------------ + // This option is used to restrict the character set and syntax of certain 
-        // Forwarding. + // domain names in master files and/or DNS responses received from the  
-        // ------------------------------------------------------------------------+ // network. 
 + // Tachtler - Warn only, if names not correct, like DKIM for e-mail. 
 + check-names master warn; 
 +  
 + // ------------------------------------------------------------------------  
 + // Forwarding. 
 + // ------------------------------------------------------------------------ ​
  
         /* Tachtler - DISABLED -         /* Tachtler - DISABLED -
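Review bot: replacing `dnssec-validation auto;` with `dnssec-validation yes;` switches validation off in practice unless a trust anchor is configured by hand, exactly as the hunk's own context says ("No validation will actually take place until you have manually configured at least one trusted key"); no trusted-keys or managed-keys statement appears anywhere in the diff, and bindkeys-file only overrides the built-in anchors that auto mode uses. Either keep `dnssec-validation auto;` or add the root zone key as a managed-keys statement. The marker `// Tachtler - DISABLED -` above the commented auto line is also misleading, since the option is replaced rather than disabled.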
Line 1125: Line 1130:
          * forward first;          * forward first;
          * // DNS-Server which will asked when local answers not found.          * // DNS-Server which will asked when local answers not found.
-         * forwarders { none; };+         * forwarders { 212.18.3.5; 212.18.0.5; };
          */          */
  
-        ​// ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // Dual-stack servers. + // Dual-stack servers. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ ​
  
-        ​// - empty -+ // - empty - 
  
-        ​// ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // Access control. + // Access control. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ ​
  
-        ​// Specifies which hosts are allowed to notify this server, a slave, of + // Specifies which hosts are allowed to notify this server, a slave, of 
-        // zone changes in addition to the zone masters. + // zone changes in addition to the zone masters. 
-        allow-notify { 127.0.0.1; }; + allow-notify { 127.0.0.1; }; 
-        // Specifies which hosts are allowed to ask ordinary DNS questions. + // Specifies which hosts are allowed to ask ordinary DNS questions. 
-        allow-query { 127.0.0.1; edmz; idmz; home; }; + allow-query { 127.0.0.1; tdmz; edmz; idmz; home; }; 
-        // Specifies which hosts are allowed to make recursive queries through this + // Specifies which hosts are allowed to make recursive queries through this 
-        // server. + // server. 
-        allow-recursion { 127.0.0.1; edmz; idmz; home; }; + allow-recursion { 127.0.0.1; tdmz; edmz; idmz; home; }; 
-        // Specifies which hosts are allowed to receive zone transfers from the + // Specifies which hosts are allowed to receive zone transfers from the 
-        // server. + // server. 
-        allow-transfer { 127.0.0.1; primary; }; + allow-transfer { 127.0.0.1; primary; }; 
-        // Specifies a list of addresses that the server will not accept queries + // Specifies a list of addresses that the server will not accept queries 
-        // from or use to resolve a query. Queries from these addresses will not + // from or use to resolve a query. Queries from these addresses will not  
-        // be responded to. + // be responded to. 
-        blackhole { none; };+ blackhole { none; };
  
-        ​// ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // Interfaces. + // Interfaces. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ ​
  
-        ​// The interfaces and ports that the server will answer queries from may + // The interfaces and ports that the server will answer queries from may 
-        // be specified using the listen-on option. + // be specified using the listen-on option. 
-        listen-on port 53 { 127.0.0.1; interfaces; };+ listen-on port 53 { 127.0.0.1; interfaces; };
  
-        ​// ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // Query address. + // Query address. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ ​
  
-        ​// If the server ​doesnât ​know the answer to a question, it will query other + // If the server ​doesn’t ​know the answer to a question, it will query other 
-        // name servers. query-source specifies the address and port used for such + // name servers. query-source specifies the address and port used for such 
-        // queries. + // queries. 
-        /* + /* 
-         ​* If there is a firewall between you and nameservers you want +  * If there is a firewall between you and nameservers you want 
-         ​* to talk to, you might need to use the query-source directive. +  * to talk to, you might need to use the query-source directive. 
-        */ + */ 
-        query-source address * port *;+ query-source address * port *;
  
-        ​// ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // Zone transfer. + // Zone transfer. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ ​
  
-        ​// - empty -+ // - empty - 
  
-        ​// ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // UDP port lists. + // UDP port lists. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ ​
  
-        ​// - empty -+ // - empty - 
  
-        ​// ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // OS resource limits. + // OS resource limits. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ ​
  
-        ​// The maximum size of a core dump. + // The maximum size of a core dump.  
-        coresize default; + coresize default; 
-        // The maximum amount of data memory the server may use. + // The maximum amount of data memory the server may use. 
-        datasize default; + datasize default; 
-        // The maximum number of files the server may have open concurrently. + // The maximum number of files the server may have open concurrently.  
-        files unlimited;​ + files unlimited;​ 
-        // The maximum amount of stack memory the server may use. + // The maximum amount of stack memory the server may use.  
-        stacksize default;+ stacksize default;
  
-        ​// ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // Server resource limits. + // Server resource limits. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ ​
  
-        ​// Sets a maximum size for each journal file. + // Sets a maximum size for each journal file.  
-        // The default is unlimited, which also means 2 gigabytes. + // The default is unlimited, which also means 2 gigabytes. 
-        max-journal-size unlimited;​ + max-journal-size unlimited;​ 
-        // he maximum number of simultaneous recursive lookups the server will + // he maximum number of simultaneous recursive lookups the server will  
-        // perform on behalf of clients. The default is 1000. + // perform on behalf of clients. The default is 1000. 
-        recursive-clients 1000; + recursive-clients 1000; 
-        // The maximum number of simultaneous client TCP connections that the + // The maximum number of simultaneous client TCP connections that the 
-        // server will accept. The default is 100. + // server will accept. The default is 100. 
-        tcp-clients 100; + tcp-clients 100; 
-        // The maximum amount of memory to use for the serverâs ​cache, in bytes. + // The maximum amount of memory to use for the server’s ​cache, in bytes. 
-        // A value of 0 is special, meaning that records are purged from the cache + // A value of 0 is special, meaning that records are purged from the cache 
-        // only when their TTLs expire. Another special keyword unlimited means + // only when their TTLs expire. Another special keyword unlimited means 
-        // the maximum value of 32-bit unsigned integers (0xffffffff),​ which may + // the maximum value of 32-bit unsigned integers (0xffffffff),​ which may  
-        // not have the same effect as 0 on machines that support more than 32 bits + // not have the same effect as 0 on machines that support more than 32 bits 
-        // of memory space. Any positive values less than 2MB will be ignored reset + // of memory space. Any positive values less than 2MB will be ignored reset 
-        // to 2MB. In a server with multiple views, the limit applies separately to + // to 2MB. In a server with multiple views, the limit applies separately to 
-        // the cache of each view. The default is 0. + // the cache of each view. The default is 0. 
-        max-cache-size 0; + max-cache-size 0; 
-        // The listen queue depth. The default and minimum is 10. If the kernel + // The listen queue depth. The default and minimum is 10. If the kernel 
-        // supports the accept filter connections that will be queued in kernel + // supports the accept filter connections that will be queued in kernel 
-        // space waiting for some data before being passed to accept. Nonzero + // space waiting for some data before being passed to accept. Nonzero 
-        // values less than 10 will be silently raised. A value of 0 may also be + // values less than 10 will be silently raised. A value of 0 may also be 
-        // used; on most platforms this sets the listen queue length to a + // used; on most platforms this sets the listen queue length to a 
-        // system-defined default value. + // system-defined default value. 
-        tcp-listen-queue 10;+ tcp-listen-queue 10;
  
-        ​// ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // Periodic task intervals. + // Periodic task intervals. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ ​
  
-        ​// The server will scan the network interface list every interface-interval + // The server will scan the network interface list every interface-interval 
-        // minutes. The default is 60 minutes. The maximum value is 28 days + // minutes. The default is 60 minutes. The maximum value is 28 days  
-        // (40320 minutes). If set to 0, interface scanning will only occur when + // (40320 minutes). If set to 0, interface scanning will only occur when 
-        // the configuration file is loaded. After the scan, the server will begin + // the configuration file is loaded. After the scan, the server will begin 
-        // listening for queries on any newly discovered interfaces (provided they + // listening for queries on any newly discovered interfaces (provided they 
-        // are allowed by the listen-on configuration),​ and will stop listening on + // are allowed by the listen-on configuration),​ and will stop listening on 
-        // interfaces that have gone away. + // interfaces that have gone away. 
-        // Tachtler - NOT default - + // Tachtler - NOT default - 
-        interface-interval 0;+ interface-interval 0;
  
-        ​// ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // Topology. + // Topology. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ ​
  
-        ​// - empty -+ // - empty - 
  
-        ​// ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // The sortlist statement. + // The sortlist statement. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ ​
  
-        ​// - empty -+ // - empty - 
  
-        ​// ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // RRset ordering. + // RRset ordering. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ ​
  
-        ​// - empty -+ // - empty - 
  
-        ​// ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // Tuning. + // Tuning. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ ​
  
-        ​// Sets the number of seconds to cache a lame server indication. 0 disables + // Sets the number of seconds to cache a lame server indication. 0 disables 
-        // caching. (This is NOT recommended.) The default is 600 (10 minutes) and + // caching. (This is NOT recommended.) The default is 600 (10 minutes) and 
-        // the maximum value is 1800 (30 minutes). + // the maximum value is 1800 (30 minutes). 
-        lame-ttl 600; + lame-ttl 600; 
-        // To reduce network traffic and increase performance,​ the server stores + // To reduce network traffic and increase performance,​ the server stores 
-        // negative answers. max-ncache-ttl is used to set a maximum retention time + // negative answers. max-ncache-ttl is used to set a maximum retention time 
-        // for these answers in the server in seconds. The default max-ncache-ttl + // for these answers in the server in seconds. The default max-ncache-ttl 
-        // is 10800 seconds (3 hours). max-ncache-ttl cannot exceed 7 days and will + // is 10800 seconds (3 hours). max-ncache-ttl cannot exceed 7 days and will 
-        // be silently truncated to 7 days if set to a greater value. + // be silently truncated to 7 days if set to a greater value. 
-        max-ncache-ttl 10800; + max-ncache-ttl 10800; 
-        // Sets the maximum time for which the server will cache ordinary + // Sets the maximum time for which the server will cache ordinary 
-        // (positive) answers. The default is one week (7 days). A value of zero + // (positive) answers. The default is one week (7 days). A value of zero  
-        // may cause all queries to return SERVFAIL, because of lost caches of + // may cause all queries to return SERVFAIL, because of lost caches of  
-        // intermediate RRsets (such as NS and glue AAAA/A records) in the + // intermediate RRsets (such as NS and glue AAAA/A records) in the 
-        // resolution process. + // resolution process. 
-        max-cache-ttl 604800; + max-cache-ttl 604800; 
-        // Sets the advertised EDNS UDP buffer size in bytes to control the size of + // Sets the advertised EDNS UDP buffer size in bytes to control the size of 
-        // packets received. Valid values are 512 to 4096 (values outside this + // packets received. Valid values are 512 to 4096 (values outside this 
-        // range will be silently adjusted). The default value is 4096. The usual + // range will be silently adjusted). The default value is 4096. The usual 
-        // reason for setting edns-udp-size to a non-default value is to get UDP + // reason for setting edns-udp-size to a non-default value is to get UDP 
-        // answers to pass through broken firewalls that block fragmented packets + // answers to pass through broken firewalls that block fragmented packets 
-        // and/or block UDP packets that are greater than 512 bytes. + // and/or block UDP packets that are greater than 512 bytes. 
-        // named will fallback to using 512 bytes if it get a series of timeout at + // named will fallback to using 512 bytes if it get a series of timeout at 
-        // the initial value. 512 bytes is not being offered to encourage sites to + // the initial value. 512 bytes is not being offered to encourage sites to 
-        // fix their firewalls. Small EDNS UDP sizes will result in the excessive + // fix their firewalls. Small EDNS UDP sizes will result in the excessive 
-        // use of TCP. + // use of TCP. 
-        edns-udp-size 4096; + edns-udp-size 4096; 
-        // Sets the maximum EDNS UDP message size named will send in bytes. Valid + // Sets the maximum EDNS UDP message size named will send in bytes. Valid 
-        // values are 512 to 4096 (values outside this range will be silently + // values are 512 to 4096 (values outside this range will be silently 
-        // adjusted). The default value is 4096. The usual reason for setting + // adjusted). The default value is 4096. The usual reason for setting 
-        // max-udp-size to a non-default value is to get UDP answers to pass + // max-udp-size to a non-default value is to get UDP answers to pass  
-        // through broken firewalls that block fragmented packets and/or block UDP + // through broken firewalls that block fragmented packets and/or block UDP 
-        // packets that are greater than 512 bytes. This is independent of the + // packets that are greater than 512 bytes. This is independent of the 
-        // advertised receive buffer (edns-udp-size). + // advertised receive buffer (edns-udp-size). 
-        // Setting this to a low value  will encourage additional TCP traffic to + // Setting this to a low value  will encourage additional TCP traffic to 
-        // the nameserver. + // the nameserver. 
-        max-udp-size 4096; + max-udp-size 4096; 
-        // Set the initial value (minimum) number of recursive simultaneous + // Set the initial value (minimum) number of recursive simultaneous 
-        // clients for any given query (<​qname,​qtype,​qclass>​) that the server will + // clients for any given query (<​qname,​qtype,​qclass>​) that the server will 
-        // accept before dropping additional clients. named will attempt to self + // accept before dropping additional clients. named will attempt to self 
-        // tune this value and changes will be logged. The default values are 10. + // tune this value and changes will be logged. The default values are 10. 
-        clients-per-query 10; + clients-per-query 10; 
-        // Set the initial value (maximum) number of recursive simultaneous + // Set the initial value (maximum) number of recursive simultaneous 
-        // clients for any given query (<​qname,​qtype,​qclass>​) that the server will + // clients for any given query (<​qname,​qtype,​qclass>​) that the server will 
-        // accept before dropping additional clients. named will attempt to self + // accept before dropping additional clients. named will attempt to self 
-        // tune this value and changes will be logged. The default values are 100. + // tune this value and changes will be logged. The default values are 100. 
-        max-clients-per-query 100;+ max-clients-per-query 100;
  
-        ​// ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // Build-in server information zones. + // Build-in server information zones. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ ​
  
-        ​// The version the server should report via a query of the name + // The version the server should report via a query of the name 
-        // version.bind with type TXT, class CHAOS. The default is the real version + // version.bind with type TXT, class CHAOS. The default is the real version 
-        // number of this server. Specifying version none disables processing of + // number of this server. Specifying version none disables processing of  
-        // the queries. + // the queries. 
-        version none; + version none; 
-        // The hostname the server should report via a query of the name + // The hostname the server should report via a query of the name 
-        // hostname.bind with type TXT, class CHAOS. This defaults to the hostname + // hostname.bind with type TXT, class CHAOS. This defaults to the hostname 
-        // of the machine hosting the name server as found by the gethostname() + // of the machine hosting the name server as found by the gethostname() 
-        // function. + // function. 
-        // Tachtler - NOT default - + // Tachtler - NOT default - 
-        // hostname "​ns1.tachtler.net";​ + // hostname "​ns1.tachtler.net";​ 
-        // The ID the server should report when receiving a Name Server Identifier + // The ID the server should report when receiving a Name Server Identifier 
-        // (NSID) query, or a query of the name ID.SERVER with type TXT, class + // (NSID) query, or a query of the name ID.SERVER with type TXT, class 
-        // CHAOS. The primary purpose of such queries is to identify which of a + // CHAOS. The primary purpose of such queries is to identify which of a 
-        // group of anycast servers is actually answering your queries. Specifying + // group of anycast servers is actually answering your queries. Specifying  
-        // server-id none; disables processing of the queries. Specifying server-id + // server-id none; disables processing of the queries. Specifying server-id 
-        // hostname; will cause named to use the hostname as found by the + // hostname; will cause named to use the hostname as found by the 
-        // gethostname() function. The default server-id is none. + // gethostname() function. The default server-id is none. 
-        server-id none;+ server-id none;
  
-        ​// ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // Build-in empty zones. + // Build-in empty zones. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ ​
  
-        ​// - empty -+ // - empty - 
  
-        ​// ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // Additional section caching. + // Additional section caching. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ ​
  
-        ​// - empty -+ // - empty - 
  
-        ​// ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // Content filtering. + // Content filtering. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ ​
  
-        ​// - empty -+ // - empty - 
  
-        ​// ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // Response policy zone (RPZ) rewriting. + // Response policy zone (RPZ) rewriting. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ ​
  
-        ​// - empty -+ // - empty - 
  
-        ​// ------------------------------------------------------------------------ + // ------------------------------------------------------------------------  
-        // Response rate limiting. + // Response rate limiting. 
-        // ------------------------------------------------------------------------+ // ------------------------------------------------------------------------ ​
  
-        ​// - empty -+ // - empty - 
  
 }; };
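Review bot: No functional change is visible in this block (both sides carry the same option values, only indentation differs), so the only remarks concern the comment text: `// Build-in server information zones.` and `// Build-in empty zones.` should read "Built-in", and `// tune this value and changes will be logged. The default values are 10.` (and the `100` variant below it) should say "The default value is". The hardening values themselves, `version none;` and `server-id none;`, are appropriate for a server that answers untrusted networks, as they withhold the software version and host identity from CHAOS-class queries.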
Zeile 1378: Zeile 1383:
 // //
 view "​home"​ IN { view "​home"​ IN {
-        ​// Match for the client IP address. + // Match for the client IP address. 
-        match-clients { home; };+ match-clients { home; };
  
         // IMPORTANT: A zone can be updated either by editing zone files and         // IMPORTANT: A zone can be updated either by editing zone files and
-        ​// reloading the server or by dynamic update, but not both. If you have + // reloading the server or by dynamic update, but not both. If you have 
-        // enabled dynamic update for a zone using the "​allow-update"​ option, you + // enabled dynamic update for a zone using the "​allow-update"​ option, you 
-        // are not supposed to edit the zone file by hand, and the server will not + // are not supposed to edit the zone file by hand, and the server will not 
-        // attempt to reload it.+ // attempt to reload it.
  
-        ​// Zone: root server. ----------------------------------------------------- + // Zone: root server. ----------------------------------------------------- 
-        zone "​."​ IN { + zone "​."​ IN { 
-                type hint; + type hint; 
-                file "​named.ca";​ + file "​named.ca";​ 
-        };+ };
  
-        ​// Zone: localhost. ------------------------------------------------------- + // Zone: localhost. ------------------------------------------------------- 
-        include "/​etc/​named.rfc1912.zones";​+ include "/​etc/​named.rfc1912.zones"; 
 + include "/​etc/​named.root.key";
  
-        ​// Zone: home.tachtler.net ------------------------------------------------ + // Zone: home.tachtler.net ------------------------------------------------ 
-        zone "​home.tachtler.net"​ IN { + zone "​home.tachtler.net"​ IN { 
-                type master; + inline-signing yes; 
-                file "​master/​home.tachtler.net.zone.db";​ + auto-dnssec maintain; 
-        };+ key-directory "/​etc/​pki/​dnssec-keys";​ 
 + type master; 
 + file "​master/view_home/​home.tachtler.net.view_home.zone.db";​  
 + // nsupdate 
 + allow-update { key "​home.tachtler.net";​ }; 
 + };
  
-        ​zone "​2.168.192.in-addr.arpa"​ in { + zone "​2.168.192.in-addr.arpa"​ in { 
-                type master; + inline-signing yes; 
-                file "​master/​2.168.192.in-addr.arpa.zone.db";​ + auto-dnssec maintain; 
-        };+ key-directory "/​etc/​pki/​dnssec-keys";​ 
 + type master; 
 + file "​master/​view_home/0.168.192.in-addr.arpa.view_home.zone.db";​ 
 + // nsupdate 
 + allow-update { key "​0.168.192.in-addr.arpa";​ }; 
 + }; 
 + 
 + // Zone: idmz.tachtler.net ------------------------------------------------ 
 + zone "​idmz.tachtler.net"​ IN { 
 + inline-signing yes; 
 + auto-dnssec maintain; 
 + key-directory "/​etc/​pki/​dnssec-keys";​ 
 + type master; 
 + file "​master/​view_home/​idmz.tachtler.net.view_home.zone.db";​  
 + // nsupdate 
 + allow-update { key "​idmz.tachtler.net";​ }; 
 + }; 
 + 
 + zone "​0.168.192.in-addr.arpa"​ in { 
 + inline-signing yes; 
 + auto-dnssec maintain; 
 + key-directory "/​etc/​pki/​dnssec-keys";​ 
 + type master; 
 + file "​master/​view_home/​0.7.10.in-addr.arpa.view_home.zone.db";​ 
 + // nsupdate 
 + allow-update { key "​0.7.10.in-addr.arpa";​ }; 
 + }; 
 + 
 + // Zone: tachtler.net (HOME) ---------------------------------------------- 
 + zone "​tachtler.net"​ IN { 
 + inline-signing yes; 
 + auto-dnssec maintain; 
 + key-directory "/​etc/​pki/​dnssec-keys";​ 
 + type master; 
 + file "​master/​view_home/​tachtler.net.idmz.view_home.zone.db";​  
 + // nsupdate 
 + allow-update { key "​tachtler.net.idmz";​ }; 
 + };
  
-        // Zone: tachtler.net (HOME) ---------------------------------------------- 
-        zone "​tachtler.net"​ IN { 
-                type master; 
-                file "​master/​tachtler.net.home.zone.db";​ 
-        }; 
 }; };
  
 view "​idmz"​ IN { view "​idmz"​ IN {
-        ​// Match for the client IP address. + // Match for the client IP address. 
-        match-clients { 127.0.0.1localhost; idmz; };+ match-clients { localhost; idmz; key "​tachtler.net.idmz"; !key "​tachtler.net"!key "​tachtler.net.edmz"​; };
  
         // IMPORTANT: A zone can be updated either by editing zone files and         // IMPORTANT: A zone can be updated either by editing zone files and
-        ​// reloading the server or by dynamic update, but not both. If you have + // reloading the server or by dynamic update, but not both. If you have 
-        // enabled dynamic update for a zone using the "​allow-update"​ option, you + // enabled dynamic update for a zone using the "​allow-update"​ option, you 
-        // are not supposed to edit the zone file by hand, and the server will not + // are not supposed to edit the zone file by hand, and the server will not 
-        // attempt to reload it.+ // attempt to reload it.
  
-        ​// Zone: root server. ----------------------------------------------------- + // Zone: root server. ----------------------------------------------------- 
-        zone "​."​ IN { + zone "​."​ IN { 
-                type hint; + type hint; 
-                file "​named.ca";​ + file "​named.ca";​ 
-        };+ };
  
-        ​// Zone: localhost. ------------------------------------------------------- + // Zone: localhost. ------------------------------------------------------- 
-        include "/​etc/​named.rfc1912.zones";​+ include "/​etc/​named.rfc1912.zones"; 
 + include "/​etc/​named.root.key";
  
-        ​// Zone: home.tachtler.net ------------------------------------------------ + // Zone: home.tachtler.net ------------------------------------------------ 
-        zone "​home.tachtler.net"​ IN { + zone "​home.tachtler.net"​ IN { 
-                type master; + inline-signing yes; 
-                file "​master/​home.tachtler.net.zone.db";​ + auto-dnssec maintain; 
-        };+ key-directory "/​etc/​pki/​dnssec-keys";​ 
 + type master; 
 + file "​master/view_idmz/​home.tachtler.net.view_idmz.zone.db";​  
 + // nsupdate 
 + allow-update { key "​home.tachtler.net";​ }; 
 + };
  
-        ​zone "​2.168.192.in-addr.arpa"​ in { + zone "​2.168.192.in-addr.arpa"​ in { 
-                type master; + inline-signing yes; 
-                file "​master/​2.168.192.in-addr.arpa.zone.db";​ + auto-dnssec maintain; 
-        };+ key-directory "/​etc/​pki/​dnssec-keys";​ 
 + type master; 
 + file "​master/​view_idmz/0.168.192.in-addr.arpa.view_idmz.zone.db";​ 
 + // nsupdate 
 + allow-update { key "​0.168.192.in-addr.arpa";​ }; 
 + };
  
-        ​// Zone: idmz.tachtler.net ------------------------------------------------ + // Zone: idmz.tachtler.net ------------------------------------------------ 
-        zone "​idmz.tachtler.net"​ IN { + zone "​idmz.tachtler.net"​ IN { 
-                type master; + inline-signing yes; 
-                file "​master/​idmz.tachtler.net.zone.db";​ + auto-dnssec maintain; 
-        };+ key-directory "/​etc/​pki/​dnssec-keys";​ 
 + type master; 
 + file "​master/view_idmz/​idmz.tachtler.net.view_idmz.zone.db";​  
 + // nsupdate 
 + allow-update { key "​idmz.tachtler.net";​ }; 
 + };
  
-        ​zone "​0.168.192.in-addr.arpa"​ in { + zone "​0.168.192.in-addr.arpa"​ in { 
-                type master; + inline-signing yes; 
-                file "​master/​0.168.192.in-addr.arpa.zone.db";​ + auto-dnssec maintain; 
-        };+ key-directory "/​etc/​pki/​dnssec-keys";​ 
 + type master; 
 + file "​master/view_idmz/0.7.10.in-addr.arpa.view_idmz.zone.db";​ 
 + // nsupdate 
 + allow-update { key "​0.7.10.in-addr.arpa";​ }; 
 + };
  
-        ​// Zone: edmz.tachtler.net ------------------------------------------------ + // Zone: edmz.tachtler.net ------------------------------------------------ 
-        zone "​edmz.tachtler.net"​ IN { + zone "​edmz.tachtler.net"​ IN { 
-                type master; + inline-signing yes; 
-                file "​master/​edmz.tachtler.net.zone.db";​ + auto-dnssec maintain; 
-        };+ key-directory "/​etc/​pki/​dnssec-keys";​ 
 + type master; 
 + file "​master/view_idmz/​edmz.tachtler.net.view_idmz.zone.db";​  
 + // nsupdate 
 + allow-update { key "​edmz.tachtler.net";​ }; 
 + };
  
-        ​zone "​1.168.192.in-addr.arpa"​ in { + zone "​1.168.192.in-addr.arpa"​ in { 
-                type master; + inline-signing yes; 
-                file "​master/​1.168.192.in-addr.arpa.zone.db";​ + auto-dnssec maintain; 
-        };+ key-directory "/​etc/​pki/​dnssec-keys";​ 
 + type master; 
 + file "​master/view_idmz/1.7.10.in-addr.arpa.view_idmz.zone.db";​ 
 + // nsupdate 
 + allow-update { key "​1.7.10.in-addr.arpa";​ }; 
 + }; 
 + 
 + // Zone: tachtler.net (IDMZ) ---------------------------------------------- 
 + zone "​tachtler.net"​ IN { 
 + inline-signing yes; 
 + auto-dnssec maintain; 
 + key-directory "/​etc/​pki/​dnssec-keys";​ 
 + type master; 
 + file "​master/​view_idmz/​tachtler.net.idmz.view_idmz.zone.db";​  
 + // nsupdate 
 + allow-update { key "​tachtler.net.idmz";​ }; 
 + };
  
-        // Zone: tachtler.net (IDMZ) ---------------------------------------------- 
-        zone "​tachtler.net"​ IN { 
-                type master; 
-                file "​master/​tachtler.net.idmz.zone.db";​ 
-        }; 
 }; };
  
 view "​edmz"​ IN { view "​edmz"​ IN {
-        ​// Match for the client IP address. + // Match for the client IP address. 
-        match-clients { edmz; };+ match-clients { edmz; key "​tachtler.net.edmz";​ !key "​tachtler.net";​ !key "​tachtler.net.idmz"​; };
  
         // IMPORTANT: A zone can be updated either by editing zone files and         // IMPORTANT: A zone can be updated either by editing zone files and
-        ​// reloading the server or by dynamic update, but not both. If you have + // reloading the server or by dynamic update, but not both. If you have 
-        // enabled dynamic update for a zone using the "​allow-update"​ option, you + // enabled dynamic update for a zone using the "​allow-update"​ option, you 
-        // are not supposed to edit the zone file by hand, and the server will not + // are not supposed to edit the zone file by hand, and the server will not 
-        // attempt to reload it.+ // attempt to reload it.
  
-        ​// Zone: root server. ----------------------------------------------------- + // Zone: root server. ----------------------------------------------------- 
-        zone "​."​ IN { + zone "​."​ IN { 
-                type hint; + type hint; 
-                file "​named.ca";​ + file "​named.ca";​ 
-        };+ };
  
-        ​// Zone: localhost. ------------------------------------------------------- + // Zone: localhost. ------------------------------------------------------- 
-        include "/​etc/​named.rfc1912.zones";​+ include "/​etc/​named.rfc1912.zones"; 
 + include "/​etc/​named.root.key";
  
-        ​// Zone: edmz.tachtler.net ------------------------------------------------ + // Zone: edmz.tachtler.net ------------------------------------------------ 
-        zone "​edmz.tachtler.net"​ IN { + zone "​edmz.tachtler.net"​ IN { 
-                type master; + inline-signing yes; 
-                file "​master/​edmz.tachtler.net.zone.db";​ + auto-dnssec maintain; 
-        };+ key-directory "/​etc/​pki/​dnssec-keys";​ 
 + type master; 
 + file "​master/view_edmz/​edmz.tachtler.net.view_edmz.zone.db";​  
 + // nsupdate 
 + allow-update { key "​edmz.tachtler.net";​ }; 
 + };
  
-        ​zone "​1.168.192.in-addr.arpa"​ in { + zone "​1.168.192.in-addr.arpa"​ in { 
-                type master; + inline-signing yes; 
-                file "​master/​1.168.192.in-addr.arpa.zone.db";​ + auto-dnssec maintain; 
-        };+ key-directory "/​etc/​pki/​dnssec-keys";​ 
 + type master; 
 + file "​master/view_edmz/1.7.10.in-addr.arpa.view_edmz.zone.db";​ 
 + // nsupdate 
 + allow-update { key "​1.7.10.in-addr.arpa";​ }; 
 + }; 
 + 
 + // Zone: tachtler.net (EDMZ) ---------------------------------------------- 
 + zone "​tachtler.net"​ IN { 
 + inline-signing yes; 
 + auto-dnssec maintain; 
 + key-directory "/​etc/​pki/​dnssec-keys";​ 
 + type master; 
 + file "​master/​view_edmz/​tachtler.net.edmz.view_edmz.zone.db";​  
 + // nsupdate 
 + allow-update { key "​tachtler.net.edmz";​ }; 
 + };
  
-        // Zone: tachtler.net (EDMZ) ---------------------------------------------- 
-        zone "​tachtler.net"​ IN { 
-                type master; 
-                file "​master/​tachtler.net.edmz.zone.db";​ 
-        }; 
 }; };
  
 view "​pdmz"​ IN { view "​pdmz"​ IN {
-        ​// Match for the client IP address. + // Match for the client IP address. 
-        match-clients { any; };+ match-clients { any; key "​tachtler.net";​ !key "​tachtler.net.idmz";​ !key "​tachtler.net.edmz"​;};
  
-        ​// If recursion is off and the server does not already know the answer, + // If recursion is off and the server does not already know the answer, 
-        // it will return a referral response. + // it will return a referral response. 
-        recursion no;+ recursion no;
  
-        ​// Specifies which hosts are allowed to make recursive queries through this + // Specifies which hosts are allowed to make recursive queries through this 
-        // server. + // server. 
-        allow-recursion { none; };+ allow-recursion { none; };
  
         // IMPORTANT: A zone can be updated either by editing zone files and         // IMPORTANT: A zone can be updated either by editing zone files and
-        ​// reloading the server or by dynamic update, but not both. If you have + // reloading the server or by dynamic update, but not both. If you have 
-        // enabled dynamic update for a zone using the "​allow-update"​ option, you + // enabled dynamic update for a zone using the "​allow-update"​ option, you 
-        // are not supposed to edit the zone file by hand, and the server will not + // are not supposed to edit the zone file by hand, and the server will not 
-        // attempt to reload it.+ // attempt to reload it.
  
-        ​// Zone: root server. ----------------------------------------------------- + // Zone: root server. ----------------------------------------------------- 
-        zone "​."​ IN { + zone "​."​ IN { 
-                type hint; + type hint; 
-                file "​named.ca";​ + file "​named.ca";​ 
-        };+ };
  
-        ​// Zone: localhost. ------------------------------------------------------- + // Zone: localhost. ------------------------------------------------------- 
-        include "/​etc/​named.rfc1912.zones";​+ include "/​etc/​named.rfc1912.zones"; 
 + include "/​etc/​named.root.key";
  
-        ​// Zone: tachtler.net (PDMZ) ---------------------------------------------- + // Zone: tachtler.net (PDMZ) ---------------------------------------------- 
-        zone "​tachtler.net"​ IN { + zone "​tachtler.net"​ IN { 
-                type master; + inline-signing yes; 
-                file "​master/​tachtler.net.zone.db";​ + auto-dnssec maintain; 
-        };+ key-directory "/​etc/​pki/​dnssec-keys";​ 
 + type master; 
 + file "​master/view_pdmz/​tachtler.net.view_pdmz.zone.db";​  
 + // nsupdate 
 + allow-update { key "​tachtler.net";​ }; 
 + };
  
-        ​zone "​171.217.88.in-addr.arpa"​ in { + zone "​171.217.88.in-addr.arpa"​ in { 
-                type master; + inline-signing yes; 
-                file "​master/​171.217.88.in-addr.arpa.zone.db";​ + auto-dnssec maintain; 
-        };+ key-directory "/​etc/​pki/​dnssec-keys";​ 
 + type master; 
 + file "​master/view_pdmz/​171.217.88.in-addr.arpa.view_pdmz.zone.db";​ 
 + // nsupdate 
 + allow-update { key "​171.217.88.in-addr.arpa";​ }; 
 + };
 }; };
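Review bot: The key-based entries added to the `match-clients` lists are unreachable, because BIND evaluates an address match list in order and stops at the first element that matches. In `match-clients { localhost; idmz; key "tachtler.net.idmz"; !key "tachtler.net"; !key "tachtler.net.edmz"; };` any query from an idmz address is already accepted by `idmz`, so `!key "tachtler.net"` never takes effect, and in the pdmz view `match-clients { any; key "tachtler.net"; !key "tachtler.net.idmz"; !key "tachtler.net.edmz";};` everything after `any` is dead. If the intent is to steer TSIG-signed updates into the view that owns the key, the negated key entries must come first, e.g. `match-clients { !key "tachtler.net.idmz"; !key "tachtler.net.edmz"; any; };`. Second, several zones no longer agree with their file and key names: `zone "2.168.192.in-addr.arpa"` now loads `0.168.192.in-addr.arpa.view_home.zone.db` with `key "0.168.192.in-addr.arpa"`, `zone "0.168.192.in-addr.arpa"` loads a `0.7.10.in-addr.arpa` file with `key "0.7.10.in-addr.arpa"`, `zone "1.168.192.in-addr.arpa"` loads `1.7.10.in-addr.arpa` files in the idmz and edmz views, and the zone labelled `// Zone: tachtler.net (HOME)` uses the `tachtler.net.idmz` file and key. This looks like a half-applied renumbering; whichever side is correct, the SOA and PTR data in those files will be served under a zone name they do not belong to. Third, every `allow-update { key "..."; }` refers to a key statement that is not part of this hunk (only `tachtler.net` is defined later in the diff); named-checkconf will complain until `home.tachtler.net`, `idmz.tachtler.net`, `edmz.tachtler.net`, `tachtler.net.idmz`, `tachtler.net.edmz` and the reverse-zone keys are defined. Finally, TSIG alone authenticates an update but accepts it from any source address; for the public pdmz view this is worth tightening with BIND's nested-ACL idiom, e.g. `allow-update { !{ !localhost; any; }; key "tachtler.net"; };` with the real update hosts in place of `localhost`, so that both the key and the address must match.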
  
Zeile 1552: Zeile 1660:
 // Includes. // Includes.
 // ================================================================================ // ================================================================================
-include "/​etc/​named.root.key";​ 
  
 </​code>​ </​code>​
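Review bot: Dropping the global `include "/etc/named.root.key";` is consistent with the per-view includes added above: a `managed-keys` statement placed inside a view applies only to that view, so each validating view needs its own copy of the trust anchor. The pdmz view runs with `recursion no;` and `allow-recursion { none; };` and never validates, so the include there is harmless but unnecessary. Note that the old `named.root.key` also carried `key "tachtler.net"`; including that file from four views would have defined the key four times, which is why the key statement must live in `named.conf` itself rather than in the root-key file.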
Zeile 2225: Zeile 2332:
         // DLV domain and trust anchor will be used, along with a built-in key for         // DLV domain and trust anchor will be used, along with a built-in key for
         // validation.         // validation.
-        dnssec-lookaside auto;+        ​// Tachtler - DEPRECATED - Service was shutdown. 
 +        //dnssec-lookaside auto;
 ... ...
 </​code>​ </​code>​
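Review bot: Commenting out `dnssec-lookaside auto;` is correct, since ISC retired the DLV registry, but the explanatory comment directly above it (`// DLV domain and trust anchor will be used, along with a built-in key for` / `// validation.`) still describes the option as active; either delete the whole block or reword the comment so that a later reader does not re-enable lookaside validation. Removing the line entirely is cleaner than keeping a commented-out option that no longer has a working backend.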
Zeile 2260: Zeile 2368:
         // Zone: localhost. -------------------------------------------------------         // Zone: localhost. -------------------------------------------------------
         include "/​etc/​named.rfc1912.zones";​         include "/​etc/​named.rfc1912.zones";​
 +        include "/​etc/​named.root.key";​
    
         // Zone: tachtler.net (PDMZ) ----------------------------------------------         // Zone: tachtler.net (PDMZ) ----------------------------------------------
Zeile 2473: Zeile 2582:
 ==== /​etc/​named.root.key ==== ==== /​etc/​named.root.key ====
  
-Für den Inhalt des jeweiligen Zonen-Schlüssels,​ kann mit nachfolgendem Befehl der Schlüssel ausgegeben werden: +Der Inhalt der Datei sollte dann wie folgt **aussehen**:
-<code ini> +
-# cat /​etc/​Ktachtler.net.+157+19706.private  +
-Private-key-format:​ v1.3 +
-Algorithm: 157 (HMAC_MD5) +
-Key: K3EaOD3IysiC/​D7lIXp+4hrYGDLyIq6la9oDBSuH2FMlE4kZ3O1ZFxKS/​uS547TN5MHfwG5YvUkYE7gxMHCmCg== +
-Bits: AAA= +
-Created: 20160217132139 +
-Publish: 20160217132139 +
-Activate: 20160217132139 +
-</​code>​ +
- +
-Der Inhalt der Datei sollte dann wie folgt **erweitert** werden:+
 <code ini> <code ini>
 managed-keys { managed-keys {
Zeile 2491: Zeile 2588:
  # Updates are published on root-dnssec-announce@icann.org  # Updates are published on root-dnssec-announce@icann.org
  . initial-key 257 3 8 "​AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/​RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/​VHL496M/​QZxkjf5/​Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=";​  . initial-key 257 3 8 "​AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/​RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/​VHL496M/​QZxkjf5/​Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=";​
-}; 
-key "​tachtler.net"​ { 
-    algorithm hmac-md5; 
-    secret "​K3EaOD3IysiC/​D7lIXp+4hrYGDLyIq6la9oDBSuH2FMlE4kZ3O1ZFxKS/​uS547TN5MHfwG5YvUkYE7gxMHCmCg==";​ 
-}; 
-</​code>​ 
- 
-Neu ist hier der Bereich: 
-<code ini> 
-key "​tachtler.net"​ { 
-    algorithm hmac-md5; 
-    secret "​K3EaOD3IysiC/​D7lIXp+4hrYGDLyIq6la9oDBSuH2FMlE4kZ3O1ZFxKS/​uS547TN5MHfwG5YvUkYE7gxMHCmCg==";​ 
 }; };
 </​code>​ </​code>​
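Review bot: The HMAC-MD5 secret reproduced in the removed lines (`Key: K3EaOD3IysiC/...` and `secret "K3EaOD3IysiC/...";`) is a complete, working TSIG secret, and this diff is a public wiki page; a secret published this way should be treated as compromised and rotated, and the documentation should show a placeholder instead of the real value. When regenerating, prefer `hmac-sha256` over the `hmac-md5` shown here (algorithm 157); `tsig-keygen` or, on older releases, `dnssec-keygen -a HMAC-SHA256 -n HOST`, produces such a key and BIND has supported it for many releases. Reducing `named.root.key` to the `managed-keys` statement alone, with the TSIG key moved elsewhere, is the right split of responsibilities.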
Zeile 2530: Zeile 2615:
 <code ini> <code ini>
                 allow-update { key "​tachtler.net";​ }                 allow-update { key "​tachtler.net";​ }
 +</​code>​
 +
 +Für den Inhalt des jeweiligen Zonen-Schlüssels,​ kann mit nachfolgendem Befehl der Schlüssel ausgegeben werden:
 +<code ini>
 +# cat /​etc/​Ktachtler.net.+157+19706.private ​
 +Private-key-format:​ v1.3
 +Algorithm: 157 (HMAC_MD5)
 +Key: K3EaOD3IysiC/​D7lIXp+4hrYGDLyIq6la9oDBSuH2FMlE4kZ3O1ZFxKS/​uS547TN5MHfwG5YvUkYE7gxMHCmCg==
 +Bits: AAA=
 +Created: 20160217132139
 +Publish: 20160217132139
 +Activate: 20160217132139
 +</​code>​
 +
 +Der Inhalt der Datei sollte dann wie folgt **erweitert** werden:
 +
 +(**Nur relevanter Ausschnitt**)
 +<code ini>
 +...
 +// ================================================================================
 +// Includes.
 +// ================================================================================
 +
 +key "​tachtler.net"​ {
 +    algorithm hmac-md5;
 +    secret "​K3EaOD3IysiC/​D7lIXp+4hrYGDLyIq6la9oDBSuH2FMlE4kZ3O1ZFxKS/​uS547TN5MHfwG5YvUkYE7gxMHCmCg==";​
 +};
 +</​code>​
 +
 +Neu ist hier der Bereich:
 +<code ini>
 +key "​tachtler.net"​ {
 +    algorithm hmac-md5;
 +    secret "​K3EaOD3IysiC/​D7lIXp+4hrYGDLyIq6la9oDBSuH2FMlE4kZ3O1ZFxKS/​uS547TN5MHfwG5YvUkYE7gxMHCmCg==";​
 +};
 </​code>​ </​code>​
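Review bot: The excerpt `allow-update { key "tachtler.net"; }` is missing the terminating semicolon after the closing brace; the full view configuration earlier in the diff correctly reads `allow-update { key "tachtler.net"; };`, and the snippet should match it, otherwise copying it produces a syntax error. Placing the `key "tachtler.net"` statement under `// Includes.` in `named.conf` puts the secret directly into the main configuration; keeping it in a dedicated file readable only by the `named` group (as `rndc.key` is handled) and pulling it in with `include` limits exposure if `named.conf` is ever readable by other accounts. The `cat /etc/Ktachtler.net.+157+19706.private` dump also prints the secret in clear and should use a placeholder value in the documentation.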
  
Zeile 2712: Zeile 2832:
 Debugging Befehl für ein Abfrage via ''​dig'':​ Debugging Befehl für ein Abfrage via ''​dig'':​
 <​code>​ <​code>​
-dig +trace +recurse +all +qr -t NS google.de+dig @127.0.0.1 ​+trace +recurse +all +qr -t NS google.de
 </​code>​ </​code>​
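Review bot: The added `@127.0.0.1` only determines which server answers the very first step of `+trace`; after that, `dig +trace` walks the delegation chain itself, querying root, TLD and authoritative servers directly, so this command does not exercise the local resolver's cache beyond the initial root NS lookup. The dig man page also notes that recursion is automatically disabled by `+trace`, so `+recurse` is at best redundant. To test the local server itself, use `dig @127.0.0.1 -t NS google.de` without `+trace`; keep in mind that with the view configuration in this diff a query from 127.0.0.1 lands in the idmz view (its `match-clients` lists `localhost`) unless the `home` ACL, which is not shown, also covers the loopback address, so the behaviour of the other views is not covered by this check.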
  
tachtler/dns_isc_bind_centos_7.1545546810.txt.gz · Zuletzt geändert: 2018/12/23 07:33 von klaus