Linux – Bind DNSSEC

25/02/2018 / jhonespetter

1 – Gerar a chave e assinar

[root@centos7]# cd /var/named
[root@centos7]# dnssec-keygen -r /dev/urandom -f KSK -a RSASHA1 -b 1024 -n ZONE labs.eti.br
[root@centos7]# dnssec-signzone -S -z -o labs.eti.br db.labs.eti.br
Fetching KSK/ZSK 14212/RSASHA1 from key repository.
Verifying the zone using the following algorithms: RSASHA1.
Zone fully signed:
Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                    ZSKs: 0 active, 0 stand-by, 0 revoked
db.labs.eti.br.signed

[root@centos7 named]# ll *eti.br*
-rw-r--r-- 1 root root  543 Feb 19 06:57 db.labs.eti.br
-rw-r--r-- 1 root root 7569 Feb 25 10:17 db.labs.eti.br.signed
-rw-r--r-- 1 root root  167 Feb 25 10:17 dsset-labs.eti.br.
-rw-r--r-- 1 root root  430 Feb 18 21:12 Klabs.eti.br.+005+14212.key
-rw------- 1 root root 1010 Feb 18 21:12 Klabs.eti.br.+005+14212.private

[root@centos7]# cd /var/named

[root@centos7]# dnssec-keygen -r /dev/urandom -f KSK -a RSASHA1 -b 1024 -n ZONE labs.eti.br

[root@centos7]# dnssec-signzone -S -z -o labs.eti.br db.labs.eti.br

Fetching KSK/ZSK 14212/RSASHA1 from key repository.

Verifying the zone using the following algorithms: RSASHA1.

Zone fully signed:

Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked

ZSKs: 0 active, 0 stand-by, 0 revoked

db.labs.eti.br.signed

[root@centos7 named]# ll *eti.br*

-rw-r--r-- 1 root root 543 Feb 19 06:57 db.labs.eti.br

-rw-r--r-- 1 root root 7569 Feb 25 10:17 db.labs.eti.br.signed

-rw-r--r-- 1 root root 167 Feb 25 10:17 dsset-labs.eti.br.

-rw-r--r-- 1 root root 430 Feb 18 21:12 Klabs.eti.br.+005+14212.key

-rw------- 1 root root 1010 Feb 18 21:12 Klabs.eti.br.+005+14212.private

Observação Toda alteração feita no db.labs.eti.br deve após ser assinada e reiniciar o bind para a alteração entrar em vigor, caso contrário irá notar que toda alteração não irá entrar em vigor

[root@centos7]# dnssec-signzone -S -z -o labs.eti.br db.labs.eti.br
dnssec-signzone: warning: dns_dnssec_findmatchingkeys: error reading key file Klabs.eti.br.+157+38276.private: bad key type
Fetching KSK/ZSK 14212/RSASHA1 from key repository.
Verifying the zone using the following algorithms: RSASHA1.
Zone fully signed:
Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                    ZSKs: 0 active, 0 stand-by, 0 revoked
db.labs.eti.br.signed

[root@centos7]# systemctl restart named

[root@centos7]# dnssec-signzone -S -z -o labs.eti.br db.labs.eti.br

dnssec-signzone: warning: dns_dnssec_findmatchingkeys: error reading key file Klabs.eti.br.+157+38276.private: bad key type

Fetching KSK/ZSK 14212/RSASHA1 from key repository.

Verifying the zone using the following algorithms: RSASHA1.

Zone fully signed:

Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked

ZSKs: 0 active, 0 stand-by, 0 revoked

db.labs.eti.br.signed

[root@centos7]# systemctl restart named

2 – Adicionar os parametros no named.conf e alterar o file

[root@centos7]# vim /etc/named.conf

        /* DNSSEC */
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

zone "labs.eti.br" {
        type master;
#       file "db.labs.eti.br";
        file "db.labs.eti.br.signed";
        allow-update { key rndc-key; };
        allow-transfer { 35.196.13.28; 10.142.0.3; };
};

[root@centos7]# systemctl restart named

[root@centos7]# vim /etc/named.conf

/* DNSSEC */

dnssec-enable yes;

dnssec-validation yes;

dnssec-lookaside auto;

zone "labs.eti.br" {

type master;

# file "db.labs.eti.br";

file "db.labs.eti.br.signed";

allow-update { key rndc-key; };

allow-transfer { 35.196.13.28; 10.142.0.3; };

};

[root@centos7]# systemctl restart named

…

Continue reading →

Linux – Bind externo primário CentOS7 e secundário Debian9

18/02/2018 / jhonespetter

Ambiente 1 – Preparar ambiente

[root@centos7]# yum -y update
[root@centos7]# firewall-cmd --add-port=53/udp --permanent && firewall-cmd --reload && firewall-cmd --list-port
[root@centos7]# firewall-cmd --add-port=53/tcp --permanent && firewall-cmd --reload && firewall-cmd --list-port
[root@centos7]# setenforce Permissive
[root@centos7]# vim /etc/selinux/config
[root@centos7]# yum -y install bind bind-chroot bind-utils net-tools
[root@centos7]# systemctl start named
[root@centos7]# systemctl enable named

[root@centos7]# yum -y update

[root@centos7]# firewall-cmd --add-port=53/udp --permanent && firewall-cmd --reload && firewall-cmd --list-port

[root@centos7]# firewall-cmd --add-port=53/tcp --permanent && firewall-cmd --reload && firewall-cmd --list-port

[root@centos7]# setenforce Permissive

[root@centos7]# vim /etc/selinux/config

[root@centos7]# yum -y install bind bind-chroot bind-utils net-tools

[root@centos7]# systemctl start named

[root@centos7]# systemctl enable named

2 – Configurar o /etc/named.conf

[root@centos7]# vim /etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 127.0.0.1; 35.190.128.157; 10.142.0.2; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; any; };

        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/rndc.key";

zone "labs.eti.br" {
        type master;
        file "db.labs.eti.br";
        allow-update { key rndc-key; };
        allow-transfer { 35.196.13.28; 10.142.0.3; };
};

zone "128.190.35.in-addr.arpa" {
        type master;
        file "db.128.190.35.in-addr.arpa";
        allow-update { key rndc-key; };
        allow-transfer { 35.196.13.28; 10.142.0.3; };
};

zone "13.196.35.in-addr.arpa" {
        type master;
        file "db.13.196.35.in-addr.arpa";
        allow-update { key rndc-key; };
        allow-transfer { 35.196.13.28; 10.142.0.3; };
};

[root@centos7]# named-checkconf -z
zone localhost.localdomain/IN: loaded serial 0
zone localhost/IN: loaded serial 0
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone 0.in-addr.arpa/IN: loaded serial 0
zone labs.eti.br/IN: loaded serial 2018021802
zone 128.190.35.in-addr.arpa/IN: loaded serial 2018021802
zone 13.196.35.in-addr.arpa/IN: loaded serial 2018021801

[root@centos7]# vim /etc/named.conf

// named.conf

// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS

// server as a caching only nameserver (as a localhost DNS resolver only).

// See /usr/share/doc/bind*/sample/ for example named configuration files.

// See the BIND Administrator's Reference Manual (ARM) for details about the

// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {

listen-on port 53 { 127.0.0.1; 35.190.128.157; 10.142.0.2; };

listen-on-v6 port 53 { ::1; };

directory "/var/named";

dump-file "/var/named/data/cache_dump.db";

statistics-file "/var/named/data/named_stats.txt";

memstatistics-file "/var/named/data/named_mem_stats.txt";

allow-query { localhost; any; };

recursion yes;

dnssec-enable yes;

dnssec-validation yes;

/* Path to ISC DLV key */

bindkeys-file "/etc/named.iscdlv.key";

managed-keys-directory "/var/named/dynamic";

pid-file "/run/named/named.pid";

session-keyfile "/run/named/session.key";

};

logging {

channel default_debug {

file "data/named.run";

severity dynamic;

};

zone "." IN {

type hint;

file "named.ca";

};

include "/etc/named.rfc1912.zones";

include "/etc/named.root.key";

include "/etc/rndc.key";

zone "labs.eti.br" {

type master;

file "db.labs.eti.br";

allow-update { key rndc-key; };

allow-transfer { 35.196.13.28; 10.142.0.3; };

};

zone "128.190.35.in-addr.arpa" {

type master;

file "db.128.190.35.in-addr.arpa";

allow-update { key rndc-key; };

allow-transfer { 35.196.13.28; 10.142.0.3; };

};

zone "13.196.35.in-addr.arpa" {

type master;

file "db.13.196.35.in-addr.arpa";

allow-update { key rndc-key; };

allow-transfer { 35.196.13.28; 10.142.0.3; };

};

[root@centos7]# named-checkconf -z

zone localhost.localdomain/IN: loaded serial 0

zone localhost/IN: loaded serial 0

zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0

zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0

zone 0.in-addr.arpa/IN: loaded serial 0

zone labs.eti.br/IN: loaded serial 2018021802

zone 128.190.35.in-addr.arpa/IN: loaded serial 2018021802

zone 13.196.35.in-addr.arpa/IN: loaded serial 2018021801

3 – Configurar /var/named/db.labs.eti.br

root@centos7]# vim /var/named/db.labs.eti.br

$ORIGIN .
$TTL 86400 ; 1 dia
labs.eti.br     IN SOA  ns1.labs.eti.br. root.labs.eti.br. (
                                2018021803      ; serial
                                3600            ; refresh 1 hora
                                1800            ; retry 30 minutos
                                604800          ; expire 1 semana
                                86400           ; minimum 1 dia
                                )
                        NS      ns1.labs.eti.br.
                        NS      ns2.labs.eti.br.
$ORIGIN                 labs.eti.br.
@               IN TXT "v= spf1 a mx ip4 :35.190.128.157 -all "
                IN      MX      10 mail
ns1                     A       35.190.128.157
ns2                     A       35.196.13.28
mail                    A       35.190.128.157
www                     A       35.190.128.157
ftp                     CNAME   www
site2           CNAME   www
webmail         CNAME   mail


[root@centos7]# named-checkzone labs.eti.br /var/named/db.labs.eti.br
zone labs.eti.br/IN: loaded serial 2018021803
OK

root@centos7]# vim /var/named/db.labs.eti.br

$ORIGIN .

$TTL 86400 ; 1 dia

labs.eti.br IN SOA ns1.labs.eti.br. root.labs.eti.br. (

2018021803 ; serial

3600 ; refresh 1 hora

1800 ; retry 30 minutos

604800 ; expire 1 semana

86400 ; minimum 1 dia

)

NS ns1.labs.eti.br.

NS ns2.labs.eti.br.

$ORIGIN labs.eti.br.

@ IN TXT "v= spf1 a mx ip4 :35.190.128.157 -all "

IN MX 10 mail

ns1 A 35.190.128.157

ns2 A 35.196.13.28

mail A 35.190.128.157

www A 35.190.128.157

ftp CNAME www

site2 CNAME www

webmail CNAME mail

[root@centos7]# named-checkzone labs.eti.br /var/named/db.labs.eti.br

zone labs.eti.br/IN: loaded serial 2018021803

4 – Configurar /var/named/db.128.190.35.in-addr.arpa

[root@centos7]# vim /var/named/db.128.190.35.in-addr.arpa

$TTL 86400      ; 1 dia
@               IN SOA  ns1.labs.eti.br. root.labs.eti.br. (
                                        2018021802      ; serial
                                        3600            ; refresh 1 hora
                                        1800            ; retry 30 minutos
                                        604800          ; expire 1 semana
                                        86400           ; minimum 1 dia
                                        )
                                IN NS   ns1.labs.eti.br.
157                             IN PTR  ns1.labs.eti.br.


[root@centos7]# named-checkzone 128.190.35.in-addr.arpa /var/named/db.128.190.35.in-addr.arpa
zone 128.190.35.in-addr.arpa/IN: loaded serial 2018021802
OK

[root@centos7]# vim /var/named/db.128.190.35.in-addr.arpa

$TTL 86400 ; 1 dia

@ IN SOA ns1.labs.eti.br. root.labs.eti.br. (

2018021802 ; serial

3600 ; refresh 1 hora

1800 ; retry 30 minutos

604800 ; expire 1 semana

86400 ; minimum 1 dia

)

IN NS ns1.labs.eti.br.

157 IN PTR ns1.labs.eti.br.

[root@centos7]# named-checkzone 128.190.35.in-addr.arpa /var/named/db.128.190.35.in-addr.arpa

zone 128.190.35.in-addr.arpa/IN: loaded serial 2018021802

5 – Configurar /var/named/db.13.196.35.in-addr.arpa

[root@centos7]# vim /var/named/db.13.196.35.in-addr.arpa

$TTL 86400      ; 1 dia
@               IN SOA  ns2.labs.eti.br. root.labs.eti.br. (
                                        2018021801      ; serial
                                        3600            ; refresh 1 hora
                                        1800            ; retry 30 minutos
                                        604800          ; expire 1 semana
                                        86400           ; minimum 1 dia
                                        )
                                IN NS   ns2.labs.eti.br.
28                              IN PTR  ns2.labs.eti.br.


[root@centos7]# named-checkzone 13.196.35.in-addr.arpa /var/named/db.13.196.35.in-addr.arpa
zone 13.196.35.in-addr.arpa/IN: loaded serial 2018021801
OK

[root@centos7]# vim /etc/resolv.conf
# Generated by NetworkManager
nameserver 10.142.0.2
nameserver 10.142.0.3
nameserver 35.190.128.157
nameserver 35.196.13.28

[root@centos7]# systemctl restart named

[root@centos7]# vim /var/named/db.13.196.35.in-addr.arpa

$TTL 86400 ; 1 dia

@ IN SOA ns2.labs.eti.br. root.labs.eti.br. (

2018021801 ; serial

3600 ; refresh 1 hora

1800 ; retry 30 minutos

604800 ; expire 1 semana

86400 ; minimum 1 dia

)

IN NS ns2.labs.eti.br.

28 IN PTR ns2.labs.eti.br.

[root@centos7]# named-checkzone 13.196.35.in-addr.arpa /var/named/db.13.196.35.in-addr.arpa

zone 13.196.35.in-addr.arpa/IN: loaded serial 2018021801

[root@centos7]# vim /etc/resolv.conf

# Generated by NetworkManager

nameserver 10.142.0.2

nameserver 10.142.0.3

nameserver 35.190.128.157

nameserver 35.196.13.28

[root@centos7]# systemctl restart named

6 – Preparar ambiente

[root@debina9]# apt-get install bind9 bind9-doc bind9utils
[root@debina9]# systemctl start bind9
[root@debina9]# systemctl enable bind9

[root@debina9]# apt-get install bind9 bind9-doc bind9utils

[root@debina9]# systemctl start bind9

[root@debina9]# systemctl enable bind9

7 – Configurar /etc/bind/named.conf.local

[root@debina9]# vim /etc/bind/named.conf.local

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";


zone "labs.eti.br" {
        type slave;
        file "db.labs.eti.br";
        masters { 10.142.0.2; 35.190.128.157; };
};

zone "128.190.35.in-addr.arpa" {
        type slave;
        file "db.128.190.35.in-addr.arpa";
        masters { 10.142.0.2; 35.190.128.157; };
};

zone "13.196.35.in-addr.arpa" {
        type slave;
        file "db.13.196.35.in-addr.arpa";
        masters { 10.142.0.2; 35.190.128.157; };
};


[root@debina9]# systemctl restart bind9
[root@debina9]# systemctl status bind9

[root@debina9]# vim /etc/resolv.conf
nameserver 10.142.0.3
nameserver 10.142.0.2
nameserver 35.196.13.28
nameserver 35.190.128.157

[root@debina9]# vim /etc/bind/named.conf.local

// Do any local configuration here

// Consider adding the 1918 zones here, if they are not used in your

// organization

//include "/etc/bind/zones.rfc1918";

zone "labs.eti.br" {

type slave;

file "db.labs.eti.br";

masters { 10.142.0.2; 35.190.128.157; };

};

zone "128.190.35.in-addr.arpa" {

type slave;

file "db.128.190.35.in-addr.arpa";

masters { 10.142.0.2; 35.190.128.157; };

};

zone "13.196.35.in-addr.arpa" {

type slave;

file "db.13.196.35.in-addr.arpa";

masters { 10.142.0.2; 35.190.128.157; };

};

[root@debina9]# systemctl restart bind9

[root@debina9]# systemctl status bind9

[root@debina9]# vim /etc/resolv.conf

nameserver 10.142.0.3

nameserver 10.142.0.2

nameserver 35.196.13.28

nameserver 35.190.128.157

8 – Testes https://www.whatsmydns.net/#NS/labs.eti.br

[root@centos7]# host 35.190.128.157
157.128.190.35.in-addr.arpa domain name pointer ns1.labs.eti.br.

[root@centos7]# host 35.196.13.28
28.13.196.35.in-addr.arpa domain name pointer ns2.labs.eti.br.

[root@centos7]# host 35.190.128.157

157.128.190.35.in-addr.arpa domain name pointer ns1.labs.eti.br.

[root@centos7]# host 35.196.13.28

28.13.196.35.in-addr.arpa domain name pointer ns2.labs.eti.br.

Continue reading →

JPCorp – Jhones Petter

Tag: bind

Linux – Bind DNSSEC

Linux – Bind externo primário CentOS7 e secundário Debian9