Mudanças entre as edições de "Arquivo DNSSEC"
Linha 1: | Linha 1: | ||
− | Arquivo com Exemplo do DNSSEC | + | '''Arquivo com Exemplo do DNSSEC''' |
+ | <pre> | ||
+ | /* | ||
+ | * UNESP - AI - Grupo de Redes | ||
+ | * (CJC) rev 1.1 - 20080728 | ||
+ | * | ||
+ | * BIND 9.4-P1 | ||
+ | * named.conf exemplo para ativacao dos seguintes recursos: | ||
+ | * - views para separar recursivo e autoritativo | ||
+ | * - consultas com validacao de DNSSEC | ||
+ | * - logs | ||
+ | * | ||
+ | */ | ||
+ | options { directory "/etc/namedb"; | ||
− | + | pid-file "/var/run/named/pid"; | |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | // Coloque aqui os servidores secundarios de suas zonas allow-transfer { 200.145.1.1; 200.145.9.9; }; | |
− | + | ||
− | + | ||
− | + | // Coloque aqui quais IP's locais responderao na porta 53 listen-on port 53 { any; }; | |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
}; | }; | ||
/* | /* | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | * Control listeners, for "ndc". Every nameserver needs at least one. | |
− | + | */ | |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | controls { inet 127.0.0.1 allow { none; }; }; | |
− | + | ||
− | + | // Coloque aqui quem pode fazer consultas recursivas acl clientes { localhost; 200.145.111.0/24; 200.145.222.0/24; etc... 200.145.999.0/24; }; | |
− | + | ||
− | + | // DNSSEC Keys (download em http://grc.unesp.br/dnssec) include "/etc/namedb/chaves.dnssec"; | |
− | + | ||
− | + | ||
− | + | view "recursivo" { allow-recursion { clientes; }; | |
− | + | // Validacao de DNSSEC | |
− | + | ||
− | + | ||
− | + | ||
− | + | dnssec-validation yes; | |
− | + | dnssec-lookaside . trust-anchor dlv.isc.org.; | |
− | + | ||
− | + | ||
− | + | ||
− | + | // Coloque aqui as zonas de resolução local | |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | zone "." { type hint; file "named.root"; }; | |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
+ | zone "0.0.127.in-addr.arpa" { type master; file "named.local"; allow-update { none;}; }; | ||
+ | |||
+ | // RFC 3152 zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" { type master; file "localhost-v6.rev"; }; | ||
+ | |||
+ | // RFC 1886 -- deprecated zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" { type master; file "localhost-v6.rev"; }; | ||
}; | }; | ||
+ | view "autoritativo" { match-clients { any; }; recursion no; | ||
− | + | additional-from-auth no; additional-from-cache no; | |
− | + | ||
− | + | ||
− | + | // Coloque aqui as zonas autoritativas Master e Slave | |
− | + | ||
+ | zone "xxx.unesp.br" { type master; file "xxx.zone"; allow-update { none; }; }; | ||
− | + | zone "999.145.200.in-addr.arpa" { | |
− | + | type master; | |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | file "xxx.999.rev"; | |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | allow-update { none; }; | |
+ | }; | ||
+ | |||
+ | etc... | ||
}; | }; | ||
− | logging { | + | logging { /* * All log output goes to one or more "channels"; you can make as * many of them as you want. */ |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | channel syslog_errors { // this channel will send errors or syslog user; // or worse to syslog (user facility) severity error; }; | |
− | + | ||
− | + | ||
− | + | ||
− | + | channel stderr_errors { stderr; }; | |
− | + | ||
− | + | ||
− | + | category parser { syslog_errors; // you can log to as many channels default_syslog; // as you want }; | |
− | + | ||
− | + | ||
− | + | ||
− | + | category lame-servers { null; }; // don't log these at all | |
− | }; | + | };</pre> |
− | + |
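Review bot: `view "recursivo" { allow-recursion { clientes; }; ...` has no `match-clients`, and since named tries views in order and a view without `match-clients` matches every client, the later `view "autoritativo" { match-clients { any; }; ...` is never reached and the authoritative zones under it are not served to outside resolvers; add `match-clients { clientes; };` as the first statement of the recursive view. The trust anchors that `dnssec-validation yes;` depends on come from `include "/etc/namedb/chaves.dnssec";`, which the comment says is downloaded over plain http, so the example should state that the key file must be checked against an out-of-band fingerprint before it is installed, because everything the validator accepts rests on that file being genuine. `dnssec-lookaside . trust-anchor dlv.isc.org.;` points at the ISC DLV registry, which has since been decommissioned and whose option was removed from later BIND releases, so the line should be marked as historical or dropped. The `acl clientes` body contains `etc...` and `200.145.999.0/24`, neither of which named accepts (999 is not a valid octet); if the snippet is meant to be pasted, turn them into a comment such as `// ... further local prefixes ...`.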
Edição das 11h01min de 31 de outubro de 2010
Arquivo com Exemplo do DNSSEC
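/*
 * UNESP - AI - Grupo de Redes
 * (CJC) rev 1.1 - 20080728
 *
 * BIND 9.4-P1
 * Example named.conf enabling the following features:
 *  - views separating the recursive and the authoritative service
 *  - recursive queries with DNSSEC validation
 *  - logging
 *
 * Addresses, zone names and file names containing "xxx" or "999" are
 * placeholders carried over from the original example; replace them
 * before using this file.
 */

options {
        directory "/etc/namedb";
        pid-file "/var/run/named/pid";

        // Secondary servers of your zones; nobody else may pull a zone
        // transfer.
        allow-transfer { 200.145.1.1; 200.145.9.9; };

        // Local addresses that answer on port 53.
        listen-on port 53 { any; };
};

/*
 * Control listeners, for "rndc". Every nameserver needs at least one.
 * "allow { none; }" means the channel is opened but accepts no client,
 * so rndc cannot be used against this server; add an "allow" entry with
 * a key if remote control is actually needed.
 */
controls {
        inet 127.0.0.1 allow { none; };
};

// Clients that are allowed to make recursive queries.
acl clientes {
        localhost;
        200.145.111.0/24;
        200.145.222.0/24;
        // ... add the remaining local prefixes here, one per line.
        // Each entry must be a valid CIDR prefix: the original example
        // listed "200.145.999.0/24" and "etc..." as placeholders, which
        // named rejects at startup.
};

// DNSSEC trust anchors (trusted-keys statement).  The original example
// downloads this file from http://grc.unesp.br/dnssec; plain http gives
// no integrity guarantee, and every answer the validator accepts rests on
// these keys being genuine, so verify the keys against a fingerprint
// obtained out of band before installing the file.
include "/etc/namedb/chaves.dnssec";

view "recursivo" {
        // Views are tried in order and a view without match-clients
        // matches every client, which would shadow the "autoritativo"
        // view below; restrict this view to the local clients.
        match-clients { clientes; };
        allow-recursion { clientes; };
        // Explicit (BIND >= 9.4.1) so that cached data is never handed to
        // clients outside the ACL, whatever the version-specific default.
        allow-query-cache { clientes; };

        // DNSSEC validation
        dnssec-validation yes;
        // The ISC DLV registry (dlv.isc.org) has been decommissioned and
        // "dnssec-lookaside" was removed from later BIND releases; the
        // directive is kept only as a historical reference and must not
        // be enabled.
        // dnssec-lookaside . trust-anchor dlv.isc.org.;

        // Zones resolved locally.
        zone "." {
                type hint;
                file "named.root";
        };

        zone "0.0.127.in-addr.arpa" {
                type master;
                file "named.local";
                allow-update { none; };
        };

        // RFC 3152
        zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" {
                type master;
                file "localhost-v6.rev";
        };

        // RFC 1886 -- deprecated
        zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" {
                type master;
                file "localhost-v6.rev";
        };
};

view "autoritativo" {
        match-clients { any; };
        // No recursion and no extra data from the cache: this view only
        // answers for the zones it is authoritative for.
        recursion no;
        additional-from-auth no;
        additional-from-cache no;

        // Authoritative zones (master and slave) go here.
        zone "xxx.unesp.br" {
                type master;
                file "xxx.zone";
                allow-update { none; };
        };

        zone "999.145.200.in-addr.arpa" {
                type master;
                file "xxx.999.rev";
                allow-update { none; };
        };

        // ... further authoritative zones ...
};

logging {
        /*
         * All log output goes to one or more "channels"; you can make as
         * many of them as you want.
         */
        channel syslog_errors {         // this channel will send errors or
                syslog user;            // or worse to syslog (user facility)
                severity error;
        };

        channel stderr_errors {
                stderr;
        };

        category parser {
                syslog_errors;          // you can log to as many channels
                default_syslog;         // as you want
        };

        category lame-servers { null; };        // don't log these at all
};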