This is an old revision of the document!
Download the current root keys:
dig . DNSKEY | egrep -v '^($|;)' > root.keys
This fetches the root DNSKEY RRset over plain, unauthenticated DNS, so it is only a starting point: compare the KSK (flags 257) in root.keys with the root trust anchor published by IANA (https://data.iana.org/root-anchors/) before using the file as a trust anchor.
Query the name server, chasing the signatures from the answer up to the root trust anchor:
dig +sigchase +trusted-key=./root.keys www.isc.org A @127.0.0.1
+sigchase only exists in older BIND builds (it was removed in BIND 9.15). On current versions delv does the validation, using the root trust anchor shipped with BIND in /etc/bind.keys (its -a option expects the named.conf trust-anchors syntax, not raw DNSKEY records, so root.keys cannot be passed in unchanged):
delv @127.0.0.1 www.isc.org A +rtrace
A validated answer from a validating resolver carries the ad (Authenticated Data) flag in its header:
dig org. SOA +dnssec
→ the header line shows flags: ... ad
The ad flag is set by the resolver, not by the signer; it is only meaningful over a path to a resolver you trust (here 127.0.0.1). If it is missing, dnssec-validation is not enabled in named.conf or the resolver has no trust anchor.
dig test.dnssec-or-not.net TXT @localhost
→ "Yes, you are using DNSSEC"
Debian:
cd /var/lib/named
CentOS:
cd /var/named
Create the key directory and hand it to the BIND user (named on CentOS; on Debian the user is bind):
mkdir keys
chown named keys
Generate the zone-signing key (ZSK). Both keys use RSASHA256 (algorithm 8), which is what the +008+ in the file names below stands for; a ZSK with RSASHA512 (algorithm 10) would get a +010+ file name and, worse, every RRset in the zone would then have to be signed with both algorithms. RSA keys shorter than 2048 bits should not be generated any more:
dnssec-keygen -a RSASHA256 -b 2048 -n ZONE -K keys example.com
ls keys/Kexample.com.*
less keys/Kexample.com.*.key
Generate the key-signing key (KSK):
dnssec-keygen -a RSASHA256 -b 4096 -f KSK -n ZONE -K keys example.com
ls keys/Kexample.com.*
Add the public keys to the zone file:
cat keys/Kexample.com.+008+*.key >> example.com
Create the signed zone file. The signatures are valid for 30 days (the dnssec-signzone default), so the zone has to be re-signed before they expire. The key tags 52216 and 12678 are those of this run's keys and differ on every run; use the tags printed by ls above, the KSK after -k and the ZSK as the last argument:
dnssec-signzone -o example.com -k keys/Kexample.com.+008+52216.private example.com keys/Kexample.com.+008+12678.private
less example.com.signed
Point the zone statement in named.conf at example.com.signed instead of example.com. dnssec-signzone also writes dsset-example.com. with the DS records that have to be published in the parent zone; without that DS nobody can validate the signatures.
Todo (automatic signing by named instead of dnssec-signzone):
Debian:
cd /var/lib/named
CentOS:
cd /var/named
setenforce Permissive
setenforce Permissive switches SELinux enforcement off for the whole host and is not persistent. The proper fix is to keep enforcing and allow named to write into its zone directory:
setsebool -P named_write_master_zones on
mkdir keys
chown named keys master
Generate the zone-signing key (ZSK); both keys use RSASHA256 (algorithm 8) so that the zone is signed with a single algorithm, and RSA keys shorter than 2048 bits should not be generated any more:
dnssec-keygen -a RSASHA256 -b 2048 -n ZONE -K keys example.com
ls keys/Kexample.com.*
less keys/Kexample.com.*.key
Generate the key-signing key (KSK):
dnssec-keygen -a RSASHA256 -b 4096 -f KSK -n ZONE -K keys example.com
ls keys/Kexample.com.*
Sign the zone. named signs it itself when the zone statement contains key-directory "keys"; auto-dnssec maintain; inline-signing yes; (BIND 9.16 introduced dnssec-policy, which replaces auto-dnssec, removed in BIND 9.20, and generates the keys itself). rndc sign needs the zone name:
rndc sign example.com
Check that DNSKEY and RRSIG records are served (the zone is called test here; for the example above use example.com):
dig dnskey @127.0.0.1 test +short
dig rrsig @127.0.0.1 test +short
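The DNSKEY records printed by the dig commands above (and the Kexample.com.*.key files written by dnssec-keygen in both key-generation sections) can be inspected offline. The following is an added example, not code from the wiki page or from BIND: it parses presentation-format DNSKEY records, computes the RFC 4034 key tag that becomes the NNNNN in K<zone>.+<alg>+NNNNN, tells KSK from ZSK by the flags field, flags a DNSKEY RRset that mixes algorithms (the ZSK/KSK mismatch discussed above), and derives the SHA-256 DS record that dnssec-signzone writes to dsset-<zone>. and that the parent must publish. The sample records are constructed, with tiny dummy public keys (AQIDBA== and BQYHCA==), and are not real key material.

```python
"""Inspect DNSKEY records as printed by dig or found in K<zone>.*.key files.

Added example, not part of the wiki page: key tag per RFC 4034 Appendix B,
KSK/ZSK classification, mixed-algorithm check, and DS derivation.
All sample keys are constructed with tiny dummy public keys (not real key material).
"""
import base64
import hashlib
from dataclasses import dataclass


@dataclass
class DNSKEY:
    owner: str       # owner name as written, e.g. "example.com."
    flags: int       # 256 = ZSK, 257 = KSK (SEP bit set, as with dnssec-keygen -f KSK)
    protocol: int    # always 3 for DNSSEC
    algorithm: int   # 8 = RSASHA256, 10 = RSASHA512, 13 = ECDSAP256SHA256
    pubkey: bytes

    @property
    def rdata(self) -> bytes:
        # Wire-format RDATA: flags (2 bytes) | protocol (1) | algorithm (1) | public key
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.pubkey

    @property
    def is_ksk(self) -> bool:
        return bool(self.flags & 0x0001)  # SEP bit


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_filename(key: DNSKEY) -> str:
    """Base name dnssec-keygen uses for the key's .key/.private files."""
    return f"K{key.owner}+{key.algorithm:03d}+{key_tag(key.rdata):05d}"


def parse_dnskey_lines(text: str) -> list:
    """Parse presentation-format DNSKEY records (dig output, .key files, root.keys).

    Comment lines (';') and blank lines are skipped; TTL/class may be absent, and dig
    may wrap the base64 blob across several space-separated tokens.
    """
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        tok = line.split()
        if "DNSKEY" not in tok:
            continue
        i = tok.index("DNSKEY")
        flags, proto, alg = (int(t) for t in tok[i + 1:i + 4])
        pubkey = base64.b64decode("".join(tok[i + 4:]))
        keys.append(DNSKEY(tok[0], flags, proto, alg, pubkey))
    return keys


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_record(key: DNSKEY) -> str:
    """DS record (digest type 2 = SHA-256) over owner name + DNSKEY RDATA (RFC 4034 5.1.4)."""
    digest = hashlib.sha256(owner_wire(key.owner) + key.rdata).hexdigest().upper()
    return f"{key.owner} IN DS {key_tag(key.rdata)} {key.algorithm} 2 {digest}"


def check_zone_keys(keys: list) -> list:
    """Problems that make signing or validation fail: missing KSK/ZSK, wrong protocol,
    or several algorithms in one DNSKEY RRset (then every RRset must be signed with
    every algorithm, which a single-ZSK setup does not do)."""
    problems = []
    if not any(k.is_ksk for k in keys):
        problems.append("no KSK (flags 257)")
    if not any(not k.is_ksk for k in keys):
        problems.append("no ZSK (flags 256)")
    if any(k.protocol != 3 for k in keys):
        problems.append("protocol field must be 3")
    algs = sorted({k.algorithm for k in keys})
    if len(algs) > 1:
        problems.append("mixed algorithms in DNSKEY RRset: " + ", ".join(map(str, algs)))
    return problems


# Constructed sample in the layout `dig dnskey example.com @127.0.0.1` prints:
# one KSK and one ZSK, both RSASHA256, with dummy public keys AQIDBA== and BQYHCA==.
SAMPLE_DIG_OUTPUT = """\
; <<>> constructed sample, not real dig output <<>>
example.com.\t3600\tIN\tDNSKEY\t257 3 8 AQIDBA==
example.com.\t3600\tIN\tDNSKEY\t256 3 8 BQYHCA==
"""

if __name__ == "__main__":
    keys = parse_dnskey_lines(SAMPLE_DIG_OUTPUT)
    for k in keys:
        print(f"{'KSK' if k.is_ksk else 'ZSK'} tag={key_tag(k.rdata)} file={key_filename(k)}")
        if k.is_ksk:
            print(ds_record(k))
    print("problems:", check_zone_keys(keys) or "none")
```

Feed it real data with parse_dnskey_lines(open("keys/Kexample.com.+008+52216.key").read()) or the output of dig dnskey ... to confirm that the tag in the file name matches the record named now serves; if check_zone_keys reports mixed algorithms, regenerate the ZSK with the KSK's algorithm before signing.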