

====== BIND (is there anything else?) ======

==== DNSSEC ====

Generate a ZSK and a KSK for the zone (-n ZONE; -f KSK sets the KSK flag):

<code>
dnssec-keygen -a 7 -b 2048 -n ZONE domena.org           # ZSK
dnssec-keygen -f KSK -a 8 -b 4096 -n ZONE domena.org    # KSK
</code>

Copy the generated key files (K<zone>.+<alg>+<id>.key and .private) into /etc/bind/keys.

If you put your keys in /etc/bind/keys, do not forget about permissions (the bind user must be able to read the .private files) and AppArmor!

Put this in the zone statement for domena.org:

<code>
inline-signing yes;
auto-dnssec maintain;
key-directory "/etc/bind/keys/domena.org";
sig-validity-interval 3;   // default is 30D
</code>

Use dnssec-dsfromkey to create the DS records from the KSK files.

To enable validation, add to named.conf.options:

<code>
dnssec-validation auto;
dnssec-enable yes;
dnssec-lookaside auto;
</code>

Add the DS records at your domain registrar! Check your domain with http://dnsviz.net/

Trusted keys: https://www.dns-oarc.net/files/odvr/configs/bind/trusted-keys.conf

To silence the dnssec log category:

<code>
logging {
    category dnssec { null; };
};
</code>
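The DS record you hand to the registrar is derived from the KSK: dnssec-dsfromkey hashes the owner name (wire format) plus the DNSKEY RDATA and prefixes the result with the key tag. The script below, an added example that is not part of this wiki page, reimplements that computation with the standard library so you can verify offline that the DS published at the registrar really matches the key in /etc/bind/keys. The DNSKEY line used here is a constructed dummy with four junk key bytes, not a real RSA key. Two caveats worth knowing before running the keygen commands above: the ZSK (-a 7) and KSK (-a 8) are different algorithms, and RFC 4035 requires every algorithm present in the DNSKEY RRset to sign the whole zone, so using one algorithm for both keys is the simplest safe choice; and ISC retired the DLV registry in 2017, so `dnssec-lookaside auto;` no longer adds anything on a current BIND.

```python
"""Compute the key tag and DS record for a DNSKEY, as dnssec-dsfromkey does.

Added example, not part of the original wiki page. Standard library only.
The DNSKEY below is a constructed dummy, not a real key.
"""
import base64
import hashlib
import struct

# DS digest types (RFC 4034 / RFC 4509): 1 = SHA-1, 2 = SHA-256
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name):
    """Encode an owner name in canonical DNS wire format (lower-cased labels)."""
    name = name.rstrip(".").lower()
    out = b""
    for label in (name.split(".") if name else []):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: sum the RDATA as 16-bit words, fold in the carry."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_record(owner, flags, protocol, algorithm, key_b64, digest_type=2):
    """Return the DS fields (key_tag, algorithm, digest_type, uppercase hex digest)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def parse_dnskey_line(line):
    """Parse a presentation-format DNSKEY line such as the one dnssec-keygen writes to K*.key.

    Works with or without a TTL field because it locates the DNSKEY token."""
    fields = line.split()
    i = fields.index("DNSKEY")
    owner = fields[0]
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    key_b64 = "".join(fields[i + 4:])          # base64 may be split over several tokens
    return owner, flags, protocol, algorithm, key_b64


def ds_matches(dnskey_line, ds_line):
    """True if a DS record (e.g. the one shown by the registrar) was derived from this DNSKEY."""
    owner, flags, protocol, algorithm, key_b64 = parse_dnskey_line(dnskey_line)
    f = ds_line.split()
    i = f.index("DS")
    tag, alg, dtype = (int(x) for x in f[i + 1:i + 4])
    digest = "".join(f[i + 4:]).upper()
    return ds_record(owner, flags, protocol, algorithm, key_b64, dtype) == (tag, alg, dtype, digest)


# Constructed dummy KSK (flags 257 = KSK, protocol 3, algorithm 8 = RSASHA256);
# "AQIDBA==" decodes to the four junk bytes 01 02 03 04.
DUMMY_KSK = "domena.org. IN DNSKEY 257 3 8 AQIDBA=="

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_record(*parse_dnskey_line(DUMMY_KSK))
    print(f"domena.org. IN DS {tag} {alg} {dtype} {digest}")
```

Feed it the line from your real Kdomena.org.+008+NNNNN.key file and the DS record your registrar displays; `ds_matches` returning False means the registrar is pointing at a different key and validation of the zone will fail.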
==== Letting bind/named query a specific DNS server for only one specific domain ====

Add to the file /etc/bind/named.conf.local:

<code>
zone "mydomain.com" {
    type forward;
    forward only;
    forwarders { 192.168.0.2; 192.168.0.6; };
};
</code>

Of course you need to replace 'mydomain.com' as well as the two IP addresses in the 'forwarders' line.

==== Unsorted ====

Ask the server for its version and host name over the CHAOS class:

<code>
host -t txt -c CHAOS version.bind localhost
host -t txt -c CHAOS hostname.bind localhost
</code>

To replace the real version string, set it in the options block of named:

<code>
options { version "DNS daemon"; };
</code>

hostname.bind: gethostbyname()

==== audit dns ====

<code>
kernel: audit(1209076817.081:16): type=1503 operation="inode_create" requested_mask="w::" denied_mask="w::" name="/etc/bind/xxxxx.com.hosts.jnl" pid=16561 profile="/usr/sbin/named" namespace="default"
</code>

So I had a look in /etc/apparmor.d/usr.sbin.named and changed this line:

<code>
/etc/bind/ r,
</code>

to this:

<code>
/etc/bind/ rw,
</code>

==== Fixing syntax highlighting in VIM ====

~/.vimrc

<code>
" BIND zone files (setf is used here because s:StarSetf is script-local to Vim's filetype.vim and cannot be called from ~/.vimrc)
au BufNewFile,BufRead */named/db.*,*/bind/master/*,*/bind/slave/*,*/bind/arpa/* setf bindzone
" BIND configuration
au BufNewFile,BufRead named.conf,rndc.conf,arpa.conf,named*,master.conf,slave.conf setf named
</code>
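Reading AppArmor denials for named by hand gets old quickly. The script below, an added example and not part of this wiki page, parses audit lines in the format shown in the "audit dns" section above, extracts profile, path and denied mask, and collapses them into the file rules that would satisfy each denial, so you can decide per path whether to widen the profile or move the file. The log lines are constructed samples (the page's own denial plus two invented ones; the key file name is a placeholder). One design point: the page's fix grants write access to all of /etc/bind, while the Debian/Ubuntu profile already allows rw under /var/lib/bind, so keeping dynamic and inline-signed zones there needs no profile change at all; the script flags writes under /etc/bind for exactly that reason.

```python
"""Turn AppArmor audit denials for named into the file rules they ask for.

Added example, not from the original page. Log lines are constructed samples.
"""
import re

# key="quoted value" or key=bare pairs in an AppArmor audit record
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed sample: the page's denial plus two invented ones
# (the key id 12345 in the file name is a placeholder, not a real key).
SAMPLE_LOG = """\
kernel: audit(1209076817.081:16): type=1503 operation="inode_create" requested_mask="w::" denied_mask="w::" name="/etc/bind/xxxxx.com.hosts.jnl" pid=16561 profile="/usr/sbin/named" namespace="default"
kernel: audit(1209076817.082:17): type=1503 operation="inode_create" requested_mask="w::" denied_mask="w::" name="/var/lib/bind/db.domena.org.signed" pid=16561 profile="/usr/sbin/named" namespace="default"
kernel: audit(1209076817.083:18): type=1503 operation="open" requested_mask="r::" denied_mask="r::" name="/etc/bind/keys/Kdomena.org.+008+12345.private" pid=16561 profile="/usr/sbin/named" namespace="default"
kernel: audit(1209076817.084:19): type=1503 operation="open" requested_mask="a::" denied_mask="a::" name="/etc/bind/xxxxx.com.hosts.jnl" pid=16561 profile="/usr/sbin/named" namespace="default"
"""


def parse_denial(line):
    """Return the key=value fields of one AppArmor denial as a dict, or None for other lines."""
    if "audit(" not in line or "denied_mask=" not in line:
        return None
    fields = {}
    for key, raw, inner in _KV.findall(line):
        fields[key] = inner if raw.startswith('"') else raw
    return fields


def perms_of(mask):
    """Strip the '::' separators of an audit mask, leaving the permission letters (r, w, a, k, ...)."""
    return mask.replace(":", "")


def needed_rules(log):
    """Collapse every denial into one (profile, path) -> merged permission letters entry."""
    rules = {}
    for line in log.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        key = (d["profile"], d["name"])
        rules[key] = "".join(sorted(set(rules.get(key, "") + perms_of(d["denied_mask"]))))
    return rules


def rule_line(path, perms):
    """Format one AppArmor file rule for the profile."""
    return f"{path} {perms},"


def review(log):
    """Return (rule, warning) pairs; writes under /etc/bind get a note to relocate instead."""
    out = []
    for (profile, path), perms in sorted(needed_rules(log).items()):
        warning = ""
        if path.startswith("/etc/bind/") and ("w" in perms or "a" in perms):
            warning = "write into /etc/bind: consider moving the file to /var/lib/bind instead"
        out.append((rule_line(path, perms), warning))
    return out


if __name__ == "__main__":
    for rule, warning in review(SAMPLE_LOG):
        print(rule, "#", warning if warning else "ok")
```

Run it against `journalctl -k` or /var/log/kern.log output after a failed zone update; each printed rule is the minimal grant for that path, and the warning marks the cases where relocating the journal or signed zone is the better fix than loosening the profile.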

linux/bind.1439381117.txt.gz · Last modified: 2015/08/12 14:05 by zagi
CC Attribution-Share Alike 4.0 International