A quick guide about how to migrate a signed zone from dnssec-tools to OpenDNSSEC.
dnssec-tools and bind authoritative name server in Fedora
Some time ago I wrote a post about using dnssec-tools to manage an authoritative name server in CentOS; now I’m going to extend it to cover its usage on a Fedora system.
First of all, I’m going to use the latest version, which is currently not in the repositories. Download the source rpm, recompile and install the rpms:
$ mock -r fedora-19-x86_64 dnssec-tools-2.0-1.fc18.src.rpm
# yum install /var/lib/mock/fedora-19-x86_64/result/*rpm
The configuration of bind as an authoritative name server, in /etc/named.conf:
Bind authoritative name server with DNSSEC in CentOS 6
I’m going to explain how to implement DNSSEC in CentOS, using Bind as the authoritative name server together with the dnssec-tools utilities. To deploy DNSSEC, your parent zone must be signed; you can check it here.
The main reference for this post is in the dnssec-tools Wiki: https://www.dnssec-tools.org/wiki/index.php/Authoritative_Server
DNS timeout while logging in via SSH
On a computer in an isolated network, I have experienced a long delay while logging in via SSH. This is because of a DNS timeout. It’s possible to disable the DNS lookups of sshd by modifying this setting in /etc/ssh/sshd_config:
UseDNS no
DNS zone transfer from Windows to bind
We can configure a bind DNS server to receive zones from a domain controller; to do so, simply enable zone transfers on the Windows server and configure the zones in bind as follows:
zone "dominio.local" in {
    type slave;
    file "slaves/dominio.local.db";
    masters { 192.168.1.100; };    // server the zone is transferred from
    allow-transfer { any; };       // any host may transfer the zone from this server
    allow-query { any; };
    check-names ignore;            // do not check the names in the transferred zone
    notify yes;
};
zone "_msdcs.dominio.local" in {
    type slave;
    file "slaves/_msdcs.dominio.local.db";
    masters { 192.168.1.100; };
    allow-transfer { any; };
    allow-query { any; };
    check-names ignore;
    notify yes;
};
zone "1.168.192.in-addr.arpa" in {
    type slave;
    file "slaves/1.168.192.in-addr.arpa.db";
    masters { 192.168.1.100; };
    allow-transfer { any; };
    allow-query { any; };
    check-names ignore;
    notify yes;
};
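A check for the zone ACLs in stanzas like the ones above, as an added example that is not part of the original post: it parses named.conf text and reports the zones whose allow-transfer or allow-query list contains any. The sample input is constructed, the restricted second zone and its 192.168.1.53 transfer client are assumptions, and only zone-level statements are examined, not options or view blocks.

```python
import re

# Constructed sample in the style of the stanzas above; the second zone is a
# hypothetical restricted variant (the 192.168.1.53 client is an assumption).
SAMPLE = '''
zone "dominio.local" in {
    type slave;
    masters { 192.168.1.100; };   // primary
    allow-transfer { any; };
    allow-query { any;};
};
zone "1.168.192.in-addr.arpa" in {
    type slave;
    masters { 192.168.1.100; };
    allow-transfer { 192.168.1.53; };
    allow-query { 192.168.1.0/24; };
};
'''

ZONE_RE = re.compile(r'zone\s+"([^"]+)"(?:\s+\w+)?\s*\{')
ACL_RE = re.compile(r'\b(allow-transfer|allow-query)\s*\{([^{}]*)\}')
COMMENT_RE = re.compile(r'/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def zone_blocks(conf):
    """Yield (zone name, stanza body), tracking nested braces."""
    conf = COMMENT_RE.sub('', conf)
    for m in ZONE_RE.finditer(conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def open_acls(conf):
    """Return {zone: [options whose address list contains a bare 'any']}."""
    report = {}
    for name, body in zone_blocks(conf):
        hits = [opt for opt, val in ACL_RE.findall(body)
                if 'any' in (t.strip() for t in val.split(';'))]
        if hits:
            report[name] = hits
    return report

if __name__ == '__main__':
    for zone, opts in open_acls(SAMPLE).items():
        print(f'{zone}: open to any host -> {", ".join(opts)}')
```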