Hello Chris, thank you for the "HOWTO"... now it is more clear.

OK, there are some strange things happening to my master DNS @home.
Since it seems I had an "nsupdate" from my laptop, an update from my
workstations was working perfectly, and now it comes: I have never used:

On 2009-02-05 16:58:27, Chris Buxton wrote:
> Create a key:
>
> dnssec-keygen -a hmac-md5 -b 512 -n host slave1.key
>
> (Note: Use something better than hmac-md5 if your BIND version supports
> it.) This creates two files, with similar names. Extract the secret from
> either of them (it is the same in both) and create a key statement:
>
> key "slave1.key" {
>         algorithm hmac-md5;
>         secret "put here the secret from the file";
> };

and this was installed and I was not looking into my local DNS for several
weeks... Today I have found

1) a modified file /etc/bind/net.tamay-dogan.private
2) two new files
   /etc/bind/net.tamay-dogan.private.njl
   /etc/bind/rndc.key

where the last one has the key entry above.

Q: Does "nsupdate" create/change these files?

Note: The rndc.key file is not included in any files, hence I assume it
is not alive and I have to include it into my /etc/bind/named.conf.local
(Debian system).

> Put this statement into named.conf on both the master server and one of
> your slaves. Then, put this into the master server's named.conf:
>
> server 192.0.2.1 {   // use the actual IP address of the slave here
>         keys { slave1.key; };
> };
>
> On the slave:
>
> server 192.0.2.2 {   // this should be the IP address of the master
>         keys { slave1.key; };
> };

OK done.

> This will then secure all communication (except forwarded updates)
> between master and slave1. That includes notifies, SOA queries and
> responses, and zone transfers.
>
> Repeat the above for each slave. Use a different key for each slave.
> This means the master will have 5 keys defined (plus an RNDC key,
> hopefully), and 5 server statements. You may also want to create
> additional keys (and additional server statements) for use between
> slaves, just in case you ever need to promote one.

OK, now I have:

key "rndc-key" { ... };
key "tdnet.key" { ... };
key "hetzner.key" { ... };
key "vallendor.key" { ... };

and 5 entries like

server 192.168.0.194 {
        keys { tdnet.key; };
};

> Next, create yet another key for dynamic updates. Put that key's name
> into your allow-update statement. Turn on update-forwarding on the

Done but...

> slaves, like this (in each slave zone):
>
> allow-update-forwarding { any; };

OK done.

> Since the master will only permit signed updates, and since the slaves
> will forward signed updates unmodified (signatures intact), you do not
> need to secure this ACL.

For testing I have only included my second local DNS, and I call the key
"tdnet.key" since it is under my own control...

I have now (unnecessary lines stripped)

----[ '/etc/bind/named.conf' ]------------------------------------------
include "/etc/bind/named.conf.options";

zone "." {
        type hint;
        file "/etc/bind/db.root";
};

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

include "/etc/bind/named.conf.local";
------------------------------------------------------------------------

----[ '/etc/bind/named.conf.options' ]----------------------------------
options {
        directory "/var/cache/bind";
        check-names master fail;
        check-names slave warn;
        check-names response ignore;
        auth-nxdomain no;
        listen-on-v6 { any; };
        listen-on { 192.168.0.74; };
};
------------------------------------------------------------------------

----[ '/etc/bind/named.conf.local' ]------------------------------------
key "rndc-key" {
        algorithm hmac-md5;
        secret " ...very_short_key... ";
};

key "tdnet.key" {
        algorithm hmac-md5;
        secret " ...very_long_key... ";
};

server 192.168.0.194 {
        keys { tdnet.key; };
};

zone "private.tamay-dogan.net" {
        type master;
        file "/etc/bind/net.tamay-dogan.private";
        allow-transfer { 192.168.0.194; };
        allow-update { tdnet.key; };
//      allow-update { 192.168.0.91; 192.168.0.92; 192.168.0.93; 192.168.0.112; };
};

zone "0.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/db.192.168.0";
        allow-transfer { 192.168.0.194; };
};
------------------------------------------------------------------------

And my intranet zone looks like:

----[ '/etc/bind/net.tamay-dogan.private' ]-----------------------------
$ORIGIN .
$TTL 86400      ; 1 day
private.tamay-dogan.net IN SOA dns.private.tamay-dogan.net. hostmaster.tamay-dogan.net. (
                                1230807508 ; serial
                                10800      ; refresh (3 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        NS      dns.private.tamay-dogan.net.
                        MX      10 mail.private.tamay-dogan.net.
                        MX      20 server4.pinguin-hosting.de.
$ORIGIN private.tamay-dogan.net.
$TTL 300        ; 5 minutes
128                     A       192.168.0.84
336                     A       192.168.0.81
576                     A       192.168.0.82
access                  A       192.168.0.80
aspire1350              A       192.168.0.115
clamav                  A       192.168.0.76
devel                   A       192.168.0.92
dns                     A       192.168.0.74
karima1                 A       192.168.0.94
keyserver               A       192.168.0.73
ledger                  A       192.168.0.75
lpd                     A       192.168.0.72
mail                    A       192.168.0.70
$TTL 86400      ; 1 day
                        TXT     "v=spf1 a mx ~all"
$TTL 300        ; 5 minutes
michelle1               A       192.168.0.91
mobilix                 A       192.168.0.111
multimedia              A       192.168.0.93
mysql                   A       192.168.0.66
pgsql                   A       192.168.0.66
r40                     A       192.168.0.113
router                  A       192.168.0.65
samba1                  A       192.168.0.67
                        TXT     "sources archive; 258 GByte left"
samba2                  A       192.168.0.68
                        TXT     "Multimedia stuff; 1783 GByte left"
samba3                  A       192.168.0.69
                        TXT     "Some comment for bind-users"
syslog                  A       192.168.0.71
t72                     A       192.168.0.114
tp570                   A       192.168.0.112
------------------------------------------------------------------------

but if I restart bind I get:

----[ '/var/log/syslog' ]-----------------------------------------------
Feb  6 17:40:10 dns named[24020]: starting BIND 9.3.4-P1.1 -u bind
Feb  6 17:40:10 dns named[24020]: found 4 CPUs, using 4 worker threads
Feb  6 17:40:10 dns named[24020]: loading configuration from '/etc/bind/named.conf'
Feb  6 17:40:10 dns named[24020]: listening on IPv6 interfaces, port 53
Feb  6 17:40:10 dns named[24020]: listening on IPv4 interface eth0:4, 192.168.0.74#53
Feb  6 17:40:10 dns named[24020]: /etc/bind/named.conf.local:49: undefined ACL 'tdnet.key'
Feb  6 17:40:10 dns named[24020]: loading configuration: not found
Feb  6 17:40:10 dns named[24020]: exiting (due to fatal error)
------------------------------------------------------------------------

which does not look really funny, since I cannot send messages any more... :-/

If I change the line allow-update { tdnet.key; }; back to the IPs, it works fine:

----[ '/var/log/syslog' ]-----------------------------------------------
Feb  6 17:43:09 dns named[24170]: starting BIND 9.3.4-P1.1 -u bind
Feb  6 17:43:09 dns named[24170]: found 4 CPUs, using 4 worker threads
Feb  6 17:43:09 dns named[24170]: loading configuration from '/etc/bind/named.conf'
Feb  6 17:43:09 dns named[24170]: listening on IPv6 interfaces, port 53
Feb  6 17:43:09 dns named[24170]: listening on IPv4 interface eth0:4, 192.168.0.74#53
Feb  6 17:43:09 dns named[24170]: zone 'private.tamay-dogan.net' allows updates by IP address, which is insecure
Feb  6 17:43:09 dns named[24170]: command channel listening on 127.0.0.1#953
Feb  6 17:43:09 dns named[24170]: command channel listening on ::1#953
Feb  6 17:43:09 dns named[24170]: zone 0.in-addr.arpa/IN: loaded serial 1
Feb  6 17:43:09 dns named[24170]: zone 127.in-addr.arpa/IN: loaded serial 1
Feb  6 17:43:09 dns named[24170]: /etc/bind/db.192.168.0:3: using RFC 1035 TTL semantics
Feb  6 17:43:09 dns named[24170]: zone 0.168.192.in-addr.arpa/IN: loaded serial 1230468458
Feb  6 17:43:09 dns named[24170]: zone 255.in-addr.arpa/IN: loaded serial 1
Feb  6 17:43:09 dns named[24170]: zone localhost/IN: loaded serial 1
Feb  6 17:43:09 dns named[24170]: /etc/bind/net.tamay-dogan.cybercenter:3: using RFC 1035 TTL semantics
Feb  6 17:43:09 dns named[24170]: zone cybercenter.tamay-dogan.net/IN: loaded serial 1220552501
Feb  6 17:43:09 dns named[24170]: /etc/bind/net.tamay-dogan.omega:3: using RFC 1035 TTL semantics
Feb  6 17:43:09 dns named[24170]: zone omega.tamay-dogan.net/IN: loaded serial 1220552501
Feb  6 17:43:09 dns named[24170]: zone private.tamay-dogan.net/IN: loaded serial 1230807508
Feb  6 17:43:09 dns named[24170]: /etc/bind/net.tamay-dogan.redhat:3: using RFC 1035 TTL semantics
Feb  6 17:43:09 dns named[24170]: zone redhat.tamay-dogan.net/IN: loaded serial 1220552501
Feb  6 17:43:09 dns named[24170]: running
Feb  6 17:43:09 dns named[24170]: zone cybercenter.tamay-dogan.net/IN: sending notifies (serial 1220552501)
Feb  6 17:43:09 dns named[24170]: zone omega.tamay-dogan.net/IN: sending notifies (serial 1220552501)
------------------------------------------------------------------------

What have I done wrong?

Thanks, greetings and a nice day/evening
    Michelle Konzack
    Systemadministrator
    Tamay Dogan Network
    Debian GNU/Linux Consultant
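The "undefined ACL 'tdnet.key'" error in the first syslog excerpt comes from BIND's address_match_list syntax: a bare name inside allow-update is looked up as an acl, while a TSIG key has to be written as `key tdnet.key;`. The lint below is an added example, not code from the thread or from ISC; it flags exactly that pattern (and the "allows updates by IP address" weakness) in a named.conf fragment. The sample configuration is constructed from the files quoted above, with the secrets replaced by placeholders, and `named-checkconf` remains the authoritative check.

```python
import re

# Constructed sample modelled on the named.conf.local quoted in the mail;
# the secrets are placeholders, not real key material.
SAMPLE_CONF = """
key "rndc-key" { algorithm hmac-md5; secret "PLACEHOLDER"; };
key "tdnet.key" { algorithm hmac-md5; secret "PLACEHOLDER"; };
server 192.168.0.194 { keys { tdnet.key; }; };
zone "private.tamay-dogan.net" {
    type master;
    file "/etc/bind/net.tamay-dogan.private";
    allow-transfer { 192.168.0.194; };
    allow-update { tdnet.key; };
};
"""

BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}
# IPv4/IPv6 address or prefix: hex digits, dots, colons, at least one digit or colon.
ADDRESS = re.compile(r"^[0-9a-fA-F.:]*[0-9:][0-9a-fA-F.:]*(/\d{1,3})?$")
DIRECTIVE = re.compile(
    r"\b(allow-(?:update-forwarding|update|transfer|query|notify))\s*\{([^}]*)\}")

def strip_comments(conf):
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)

def lint_acl_lists(conf):
    """Return (directive, element, message) for each element named would reject.

    A bare name in an address_match_list is an acl reference, so a TSIG key
    written without the 'key' prefix yields "undefined ACL"; a name that is
    neither key nor acl is reported the same way.  Lightweight lint only.
    """
    conf = strip_comments(conf)
    keys = set(re.findall(r'\bkey\s+"?([\w.-]+)"?\s*\{', conf))
    acls = set(re.findall(r'\bacl\s+"?([\w.-]+)"?\s*\{', conf))
    findings = []
    for directive, body in DIRECTIVE.findall(conf):
        for elem in (e.strip() for e in body.split(";") if e.strip()):
            name = elem.lstrip("! ")  # negation may precede any element
            if name.startswith("key "):
                if name[4:].strip() not in keys:
                    findings.append((directive, elem, "undefined key"))
            elif name in BUILTIN_ACLS or name in acls or ADDRESS.match(name):
                continue  # valid, though allow-update by address is insecure
            elif name in keys:
                findings.append((directive, elem,
                                 f"key used as ACL name; write: {directive} {{ key {name}; }};"))
            else:
                findings.append((directive, elem, "undefined ACL"))
    return findings

if __name__ == "__main__":
    for directive, elem, msg in lint_acl_lists(SAMPLE_CONF):
        print(f"{directive} {{ {elem}; }}: {msg}")
```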