
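<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<!-- Cache-busting headers from the original page; keep the lab handout from being served stale. -->
<meta http-equiv="Expires" content="25-DEC-1980 12:00:00 GMT">
<meta http-equiv="pragma" content="no-cache">
<title>2.4 BIND DNSSEC validation</title>
</head>
<body>
<p>
To turn on DNSSEC validation on your recursive resolver you only
need to enable it and include the root trust anchor.  For example,
on BIND your /etc/namedb/named.conf might look like the one below.
Note that <code>recursion yes;</code> together with
<code>allow-query { any; };</code> makes this an open recursive
resolver; outside the lab, limit recursion to your own client
networks (for example with <code>allow-recursion</code>). Make sure
to remove or comment (//) out "recursion yes" and
"dnssec-validation yes" and do a "service named restart" when
done with this exercise to return your nameserver to authoritative
server mode.
</p>

<pre>
# cat /etc/namedb/named.conf

options {
        directory       "/etc/namedb/working";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";

        recursion yes;
<mark>
        dnssec-validation yes;
</mark>
        allow-query { any; };
};
zone "." {
        type hint;
        file "/etc/namedb/named.root";
};
<!-- NOTE(review): trusted-keys pins static anchors that BIND does not roll
     over automatically (RFC 5011). The key labelled "real root" appears to be
     the 2010 root KSK, which was retired in the 2018 root KSK rollover; a
     current BIND should use "dnssec-validation auto;" and drop it. The key
     labelled "class root" makes the resolver trust the lab's root for "." and
     must not remain on a production resolver. -->
<mark>
trusted-keys {
// real root
"." 257 3 8
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
    bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
    /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
    JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
    oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
    LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
    Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
    LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
// class root
"." 257 3 8
    "AwEAAd48pv33mNzjgL+dT78CM9DouBVY2hUSOAIpVGpFN0c6jNaQOqO+
     YZVBRmePsx2Pbn8SHpSJwJdEWv8GtwFx1pcn3UPP4jjGxKP/uue5uTmx
     BteLGfad2bK912e4xMJaou6LDeNKmh0CvnssKe8eI3gjvjQvRdRxakUB
     kAJ1xkTs03+7IEBFMk2XOsAaoTbTmUr3rmVzUtDLFAt/qs14iwPDQ1IN
     VYDjCOdJQ3Mh52t8qmktjH3njMJD7HQVOmlZdOkqCgzX55pXlhK5xtG3
     UUOyQoVJeDPQwG9ZAdwsw9ZQYv9OBGLzgYBtN2EYM5q8TnkukoKwsfgn
     FjSzydcGXFU=";
};
</mark>

</pre>

</body>
</html>

<!-- Smoke-test loop kept from the original handout (not rendered): repeatedly
     queries the local resolver so validation failures show up as SERVFAIL / empty
     answers. -->
<!--
<pre>
num=0; while [ $num -le 10 ]; do dig @127.0.0.1 +short +tries=1 +time=1 www.gonzalo.dnstest.gov.co a; num=$(expr $num + 1); done
</pre>
-->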