{"id":1225,"date":"2018-02-25T11:42:26","date_gmt":"2018-02-25T14:42:26","guid":{"rendered":"http:\/\/wordpress.jpcorp.eti.br\/?p=1225"},"modified":"2021-12-26T12:29:53","modified_gmt":"2021-12-26T15:29:53","slug":"linux-bind-dnssec","status":"publish","type":"post","link":"https:\/\/wordpress.jpcorp.eti.br\/?p=1225","title":{"rendered":"Linux &#8211; Bind DNSSEC"},"content":{"rendered":"<p><iframe loading=\"lazy\" title=\"About DNSSEC  (Animated Introduction)\" width=\"644\" height=\"483\" src=\"https:\/\/www.youtube.com\/embed\/0f7IsWeCy9k?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe><\/p>\n<h3 style=\"text-align: justify;\">1 - Generate the key and sign the zone<\/h3>\n<pre class=\"lang:sh decode:true\">[root@centos7]# cd \/var\/named\r\n[root@centos7]# dnssec-keygen -r \/dev\/urandom -f KSK -a RSASHA1 -b 1024 -n ZONE labs.eti.br\r\n[root@centos7]# dnssec-signzone -S -z -o labs.eti.br db.labs.eti.br\r\nFetching KSK\/ZSK 14212\/RSASHA1 from key repository.\r\nVerifying the zone using the following algorithms: RSASHA1.\r\nZone fully signed:\r\nAlgorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked\r\n                    ZSKs: 0 active, 0 stand-by, 0 revoked\r\ndb.labs.eti.br.signed\r\n\r\n[root@centos7 named]# ll *eti.br*\r\n-rw-r--r-- 1 root root  543 Feb 19 06:57 db.labs.eti.br\r\n-rw-r--r-- 1 root root 7569 Feb 25 10:17 db.labs.eti.br.signed\r\n-rw-r--r-- 1 root root  167 Feb 25 10:17 dsset-labs.eti.br.\r\n-rw-r--r-- 1 root root  430 Feb 18 21:12 Klabs.eti.br.+005+14212.key\r\n-rw------- 1 root root 1010 Feb 18 21:12 Klabs.eti.br.+005+14212.private<\/pre>\n<h3>Note<\/h3>\n<p>After every change to db.labs.eti.br the zone must be re-signed and bind restarted for the change to take effect; otherwise you will notice that none of your changes take effect.<\/p>\n<pre class=\"lang:sh decode:true \">[root@centos7]# dnssec-signzone -S -z -o labs.eti.br db.labs.eti.br\r\ndnssec-signzone: warning: dns_dnssec_findmatchingkeys: error reading key file Klabs.eti.br.+157+38276.private: bad key type\r\nFetching KSK\/ZSK 14212\/RSASHA1 from key repository.\r\nVerifying the zone using the following algorithms: RSASHA1.\r\nZone fully signed:\r\nAlgorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked\r\n                    ZSKs: 0 active, 0 stand-by, 0 revoked\r\ndb.labs.eti.br.signed\r\n\r\n[root@centos7]# systemctl restart named<\/pre>\n<h3 style=\"text-align: justify;\">2 - Add the parameters to named.conf and change the zone file<\/h3>\n<pre class=\"lang:sh decode:true \">[root@centos7]# vim \/etc\/named.conf\r\n\r\n        \/* DNSSEC *\/\r\n        dnssec-enable yes;\r\n        dnssec-validation yes;\r\n        \/\/ dnssec-lookaside queries ISC's DLV registry, which ISC has since retired\r\n        dnssec-lookaside auto;\r\n\r\nzone \"labs.eti.br\" {\r\n        type master;\r\n#       file \"db.labs.eti.br\";\r\n        file \"db.labs.eti.br.signed\";\r\n        allow-update { key rndc-key; };\r\n        allow-transfer { 35.196.13.28; 10.142.0.3; };\r\n};\r\n\r\n[root@centos7]# systemctl restart named<\/pre>\n<h3 style=\"text-align: justify;\">3 - Add the key at REGISTRO.BR<\/h3>\n<pre class=\"lang:sh decode:true\">[root@centos7]# cat dsset-labs.eti.br.\r\nlabs.eti.br.  IN DS 14212 5 1 EB7B6984519AE99BF11A664D2863A09C4777E283\r\nlabs.eti.br.  IN DS 14212 5 2 F2B8BE2A85D49CF7AF798B86385D8716F3CF7D5B93818D790F275983 0B285162<\/pre>\n<p style=\"text-align: justify;\"><a href=\"http:\/\/wordpress.jpcorp.eti.br\/?attachment_id=1228\" rel=\"attachment wp-att-1228\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1228\" src=\"http:\/\/wordpress.jpcorp.eti.br\/wp-content\/uploads\/2018\/02\/dnssec-bind.png\" alt=\"\" width=\"707\" height=\"536\" srcset=\"https:\/\/wordpress.jpcorp.eti.br\/wp-content\/uploads\/2018\/02\/dnssec-bind.png 707w, https:\/\/wordpress.jpcorp.eti.br\/wp-content\/uploads\/2018\/02\/dnssec-bind-300x227.png 300w, https:\/\/wordpress.jpcorp.eti.br\/wp-content\/uploads\/2018\/02\/dnssec-bind-644x488.png 644w\" sizes=\"auto, (max-width: 707px) 100vw, 707px\" \/><\/a><\/p>\n<h3 style=\"text-align: justify;\">4 - Validate DNSKEY and RRSIG<\/h3>\n<pre class=\"lang:sh decode:true \">[root@centos7]# dig DNSKEY labs.eti.br. @localhost +multiline\r\n[root@centos7]# dig A labs.eti.br. @localhost +noadditional +dnssec +multiline\r\n[root@centos7]# dig +trace +noadditional DS labs.eti.br. @8.8.8.8 | grep DS<\/pre>\n<h3 style=\"text-align: justify;\">5 - By default the signatures expire in 30 days, so the zone has to be re-signed; a script to run from crontab every 30 days<\/h3>\n<pre class=\"lang:sh decode:true \">[root@centos7]# vim signzone.sh\r\n\r\n#!\/bin\/bash\r\n\r\ncd \/var\/named || exit 1\r\n# -N INCREMENT bumps the SOA serial so the secondaries transfer the freshly signed zone\r\n# (-n sets the thread count, so -n INCREMENT is rejected); origin and zone file match step 1\r\n$(which dnssec-signzone) -S -z -N INCREMENT -o labs.eti.br db.labs.eti.br\r\n$(which systemctl) restart named<\/pre>\n<h3 style=\"text-align: justify;\">6 - Change the secondary DNS<\/h3>\n<pre class=\"lang:sh decode:true\">root@debina9# vim \/etc\/bind\/named.conf.options\r\n\r\n#       dnssec-validation auto;\r\n        dnssec-enable yes;\r\n        dnssec-validation yes;\r\n        dnssec-lookaside auto;<\/pre>\n<pre class=\"lang:sh decode:true\">root@debina9# vim \/etc\/bind\/named.conf.local\r\n\r\nzone \"labs.eti.br\" {\r\n        type slave;\r\n#       file \"db.labs.eti.br\";\r\n        file \"db.labs.eti.br.signed\";\r\n        masters { 10.142.0.2; 35.190.128.157; };\r\n        allow-notify { 10.142.0.2; 35.190.128.157; };\r\n};\r\n\r\nroot@debina9# systemctl restart bind9<\/pre>\n<h3>7 - Validation<\/h3>\n<p><a href=\"https:\/\/registro.br\/cgi-bin\/nicbr\/dscheck\">https:\/\/registro.br\/cgi-bin\/nicbr\/dscheck<\/a><\/p>\n<p><a href=\"http:\/\/dnsviz.net\/d\/labs.eti.br\/dnssec\/\">http:\/\/dnsviz.net\/d\/labs.eti.br\/dnssec\/<\/a><\/p>\n<p><a href=\"http:\/\/wordpress.jpcorp.eti.br\/?attachment_id=1241\" rel=\"attachment wp-att-1241\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1241\" src=\"http:\/\/wordpress.jpcorp.eti.br\/wp-content\/uploads\/2018\/02\/dnssec-bind2.png\" alt=\"\" width=\"859\" height=\"440\" srcset=\"https:\/\/wordpress.jpcorp.eti.br\/wp-content\/uploads\/2018\/02\/dnssec-bind2.png 859w, https:\/\/wordpress.jpcorp.eti.br\/wp-content\/uploads\/2018\/02\/dnssec-bind2-300x154.png 300w, https:\/\/wordpress.jpcorp.eti.br\/wp-content\/uploads\/2018\/02\/dnssec-bind2-768x393.png 768w, https:\/\/wordpress.jpcorp.eti.br\/wp-content\/uploads\/2018\/02\/dnssec-bind2-644x330.png 644w\" sizes=\"auto, (max-width: 859px) 100vw, 859px\" \/><\/a><\/p>\n<p><a href=\"http:\/\/wordpress.jpcorp.eti.br\/?attachment_id=1232\" rel=\"attachment wp-att-1232\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1232\" src=\"http:\/\/wordpress.jpcorp.eti.br\/wp-content\/uploads\/2018\/02\/labs.eti_.br-2018-02-25-14_03_33-UTC.png\" alt=\"\" width=\"749\" height=\"1493\" srcset=\"https:\/\/wordpress.jpcorp.eti.br\/wp-content\/uploads\/2018\/02\/labs.eti_.br-2018-02-25-14_03_33-UTC.png 749w, https:\/\/wordpress.jpcorp.eti.br\/wp-content\/uploads\/2018\/02\/labs.eti_.br-2018-02-25-14_03_33-UTC-151x300.png 151w, https:\/\/wordpress.jpcorp.eti.br\/wp-content\/uploads\/2018\/02\/labs.eti_.br-2018-02-25-14_03_33-UTC-644x1284.png 644w\" sizes=\"auto, (max-width: 749px) 100vw, 749px\" \/><\/a><\/p>\n<h3 style=\"text-align: justify;\">References<\/h3>\n<p style=\"text-align: justify;\"><a href=\"https:\/\/www.crc.id.au\/configuring-dnssec-on-el6-and-bind-9\">https:\/\/www.crc.id.au\/configuring-dnssec-on-el6-and-bind-9<\/a><\/p>\n<p style=\"text-align: justify;\"><a href=\"https:\/\/www.digitalocean.com\/community\/tutorials\/how-to-setup-dnssec-on-an-authoritative-bind-dns-server--2\">https:\/\/www.digitalocean.com\/community\/tutorials\/how-to-setup-dnssec-on-an-authoritative-bind-dns-server--2<\/a><\/p>\n<p style=\"text-align: justify;\"><a href=\"ftp:\/\/ftp.registro.br\/pub\/doc\/configuracao_dnssec_dominio.pdf\">ftp:\/\/ftp.registro.br\/pub\/doc\/configuracao_dnssec_dominio.pdf<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>1 &#8211; Generate the key and sign the zone [root@centos7]# cd \/var\/named [root@centos7]# dnssec-keygen -r \/dev\/urandom -f KSK -a RSASHA1 -b 1024 -n ZONE labs.eti.br [root@centos7]# dnssec-signzone -S -z -o labs.eti.br db.labs.eti.br Fetching KSK\/ZSK 14212\/RSASHA1 from key repository. Verifying the zone using the following algorithms: RSASHA1. Zone fully signed: Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by,&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[124,127],"class_list":["post-1225","post","type-post","status-publish","format-standard","hentry","category-linux","tag-bind","tag-dnssec"],"_links":{"self":[{"href":"https:\/\/wordpress.jpcorp.eti.br\/index.php?rest_route=\/wp\/v2\/posts\/1225","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wordpress.jpcorp.eti.br\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wordpress.jpcorp.eti.br\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.jpcorp.eti.br\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.jpcorp.eti.br\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1225"}],"version-history":[{"count":12,"href":"https:\/\/wordpress.jpcorp.eti.br\/index.php?rest_route=\/wp\/v2\/posts\/1225\/revisions"}],"predecessor-version":[{"id":1250,"href":"https:\/\/wordpress.jpcorp.eti.br\/index.php?rest_route=\/wp\/v2\/posts\/1225\/revisions\/1250"}],"wp:attachment":[{"href":"https:\/\/wordpress.jpcorp.eti.br\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1225"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wordpress.jpcorp.eti.br\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1225"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wordpress.jpcorp.eti.br\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1225"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}