freebsd:bind

Differences

This page shows the differences between two versions.

freebsd:bind [2016/03/04 17:39]
127.0.0.1 External edit
freebsd:bind [2020/05/01 10:40] (current)
Line 126: Line 126:
 </​code>​ </​code>​
  
-To get the fingerprint of your signing key we can execute this:+The KSK has ID 257 and ZSK has 256. 
 +<​code>​ 
 +dig +multi fechner.net DNSKEY 
 +... 
 +fechner.net. ​           3600 IN DNSKEY 256 3 13 ( 
 +                                yZQLC3g4RnT2knGmQBJABr9PxjnhcIZuY2mpFT+mb2M2 
 +                                VVWWP+EY//​A/​fbqCoqfZMneUmVCz+6rzSRCg7xPNlg== 
 +                                ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 31203 
 +fechner.net. ​           3600 IN DNSKEY 257 3 13 ( 
 +                                /​W0+wjfR0nKcRiyL3tYYjz1QHffK0ynn5/​b2N6oYDbE8 
 +                                zRzoU11XkeQ8pX8lok66EcRFUQtkyRySw65G8Bbsdg== 
 +                                ) ; KSK; alg = ECDSAP256SHA256 ; key id = 15520 
 +... 
 +</​code>​ 
 + 
 +So the keyid for the KSK 15520. We use this keyid in the next command to get the DS which is required for the parent for the chain of trust. 
 + 
 +To get the fingerprint of your signing key we can execute ​one of the following command ​this:
 <​code>​ <​code>​
 dig @localhost dnskey fechner.net | dnssec-dsfromkey -f - fechner.net dig @localhost dnskey fechner.net | dnssec-dsfromkey -f - fechner.net
 +# or (13 is the algo, 15520 is the keyid)
 +dnssec-dsfromkey Kfechner.net.+013+15520.key ​
 +</​code>​
 +
 +===== Example for INWX =====
 +For INWX go in the webinterface to Nameserver->​DNSSEC and click on `DNSSEC hinzufügen`.
 +Remove checkbox for `automatischer Modus`.
 +
 +Fill your domain: fmdata.net.
 +
 +To get the keyid for the KSK you can use:
 +<​code>​
 +dig dnskey fmdata.net. +multi
 +;; ANSWER SECTION:
 +fmdata.net. ​            3411 IN DNSKEY 256 3 13 (
 +                                WcoWkUyFAX+51FQGPI70nyTHPWagCJZZq/​GmhKg8sxK2
 +                                ZPQh6Cu+dpfLrAWxr8udthyJeFCscaPsv1+3mMVT2A==
 +                                ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 38157
 +fmdata.net. ​            3411 IN DNSKEY 257 3 13 (
 +                                sd2MViZMwa7hpKUMCKlZWFMwUJVYO31q+Fzte9IFUHVe
 +                                wQwvbdb9Ah9Si9mV6lSLqJOPvews+ytYoICE/​7MmbQ==
 +                                ) ; KSK; alg = ECDSAP256SHA256 ; key id = 7947
 +</​code>​
 +So the keyid we need here for the KSK is 7947.
 +You have now two possibilities to get the record (I suggest both and make sure they match):
 +From your keys directory
 +<​code>​
 +cat Kfmdata.net.+013+07947.key
 +...
 +fmdata.net. 3600 IN DNSKEY 257 3 13 sd2MViZMwa7hpKUMCKlZWFMwUJVYO31q+Fzte9IFUHVewQwvbdb9Ah9S i9mV6lSLqJOPvews+ytYoICE/​7MmbQ==
 +</​code>​
 +Using dig (make sure you take the 257!):
 +<​code>​
 +dig dnskey fmdata.net. +dnssec
 +...
 +fmdata.net. ​            ​3201 ​   IN      DNSKEY ​ 257 3 13 sd2MViZMwa7hpKUMCKlZWFMwUJVYO31q+Fzte9IFUHVewQwvbdb9Ah9S i9mV6lSLqJOPvews+ytYoICE/​7MmbQ==
 +...
 +</​code>​
 +Make sure you remove the TTL so use the following line:
 +<​code>​
 +fmdata.net. IN DNSKEY 257 3 13 sd2MViZMwa7hpKUMCKlZWFMwUJVYO31q+Fzte9IFUHVewQwvbdb9Ah9S i9mV6lSLqJOPvews+ytYoICE/​7MmbQ==
 +</​code>​
 +Put this line into the first field (DNSKEY RR:).
 +
 +To get the DS:
 +<​code>​
 +dnssec-dsfromkey Kfmdata.net.+013+07947.key
 +fmdata.net. IN DS 7947 13 2 05F14B98499079F564FA8DFAAAC06051F9929B8AB3921F2FA354E17C39F9CBA6
 +</​code>​
 +
 +Compare this with:
 +<​code>​
 +dig dnskey fmdata.net. +dnssec | dnssec-dsfromkey -f - fmdata.net.
 +fmdata.net. IN DS 7947 13 2 05F14B98499079F564FA8DFAAAC06051F9929B8AB3921F2FA354E17C39F9CBA6
 </​code>​ </​code>​
 +If the match, insert this line into the second field in the webinterface (DS Record:).
 +
 +===== Check =====
  
 Missing step is now to add anchor of trust. Missing step is now to add anchor of trust.
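Review bot: the sentence "The KSK has ID 257 and ZSK has 256." at the top of the hunk confuses the DNSKEY flags field with the key id. 257 and 256 are the flags (257 = zone key with the SEP bit set, which is what marks a KSK; 256 = zone key without SEP), while the key id is the key tag printed in the comment (15520 for the KSK, 31203 for the ZSK), which is also the number in the `+15520` / `+07947` part of the key file name and the first field of the DS record. Suggest rewording to "A KSK shows flags 257 and a ZSK shows flags 256; the key id is the number after `key id =`." Smaller wording issues in the same hunk: "So the keyid for the KSK 15520" is missing "is"; "execute one of the following command this" still carries the word "this" from the replaced sentence and should read "execute one of the following commands"; "Make sure you remove the TTL so use the following line" reads better as "Remove the TTL and use the following line"; and "If the match" should be "If they match". Two caveats worth adding to the INWX section: the base64 public key copied from the `.key` file and from dig contains a space (`...Ah9S i9mV...`), which is legal in zone-file presentation format but may be rejected or mangled by a web form, so it is safer to join it into one token before pasting; and the DS record should only be submitted to the parent once the new DNSKEY is visible on every authoritative server for the zone, because a published DS whose KSK is not yet served makes validating resolvers return SERVFAIL for the whole zone. After submitting, confirming with `dig ds fmdata.net. +dnssec` that the parent returns the same DS digest closes the loop that the "Compare this with" step starts.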
freebsd/bind.1457109587.txt.gz · Last modified: 2016/03/04 17:39 by 127.0.0.1