evolix/wiki
22
0
Fork 0
Code Releases Activity

First draft

Browse source
This commit is contained in:
tpilat 2016-11-27 14:34:46 +01:00
parent c1260bbed0
commit f46b06451f
1 changed files with 190 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

190
HowtoNSD/edit.md Normal file
View file

@ -0,0 +1,190 @@
---
title: Howto NSD
categories: network openbsd
...
## Documentation
* <https://www.nlnetlabs.nl/projects/nsd/>
* <http://www.openbsd.org/cgi-bin/man.cgi?query=nsd.conf>
* <http://www.openbsd.org/cgi-bin/man.cgi?query=nsd>
NSD est un serveur DNS faisant authorité. Il utilise des fichiers de zone au format Bind ce qui a l'avantage de faciliter une migration.
### Liens utiles
* <https://calomel.org/nsd_dns.html>
* <https://www.digitalocean.com/community/tutorials/how-to-set-up-dnssec-on-an-nsd-nameserver-on-ubuntu-14-04>
## Installation
Sous OpenBSD, nsd(4) fait partie du système de base.
Sous Debian, on l'installera via :
~~~
# apt-get install nsd
~~~
## Configuration
**La configuration est ici faite sous OpenBSD. Bien que globalement similaire, la configuration tiendra compte de l'arborescence sous OpenBSD.**
On configure le démon via le fichier `/var/nsd/etc/nsd.conf`.
Pour lancer nsd(4) :
OpenBSD
~~~
# rcctl start bgpd
~~~
Debian
~~~
# systemctl start nsd
~~~
Pour vérifier la configuration :
~~~
# nsd-checkzone example.com /chemin/vers/zone/db.example.com
# nsd-checkconf /chemin/vers/configuration/nsd.conf
~~~
## Exemple de configuration :
Prenons 2 machines, que l'on définit comme étant 2 serveurs DNS, l'un master, l'autre slave.
### Master
Voici le fichier `nsd.conf` sur le serveur avec l'adresse IP 192.0.2.53 (master) :
~~~
# vi /var/nsd/etc/nsd.conf
~~~
~~~
server:
server-count: 1 # use this number of cpu cores
database: "" # or use ""
zonelistfile: "/var/nsd/db/zone.list"
username: _nsd
logfile: "/var/log/nsd.log"
pidfile: "/var/nsd/run/nsd.pid"
xfrdfile: "/var/nsd/run/xfrd.state"
## bind to a specific address/port
ip-address: 192.0.2.53
remote-control:
control-enable: yes
## tsig key example
key:
name: "key.example.com."
algorithm: hmac-sha256
secret: "rMZVA3oOLyrk9Xn+aKe19aCqOf3xYv9kVw8M3crGkFE="
## master zone example.com
zone:
name: "example.com"
zonefile: "master/example.com"
notify: 192.0.2.54 key.example.com.
provide-xfr: 192.0.2.54 key.example.com.
~~~
Sur le serveur master on devra également définir la zone :
~~~
# vi /var/nsd/zones/master/db.example.com
~~~
~~~
$ORIGIN example.com.
$TTL 1800
@ IN SOA master.example.com. email.example.com. (
2014080301
3600
900
1209600
1800
)
@ IN NS master.example.com.
@ IN NS slave.example.com.
master IN A 192.0.2.53
slave IN A 192.0.2.54
@ IN A 192.0.2.80
www IN CNAME example.com.
@ IN MX 10 aspmx.l.google.com.
@ IN MX 20 alt1.aspmx.l.google.com.
~~~
On vérifie la configration ainsi que la zone :
~~~
# nsd-checkconf /var/nsd/etc/nsd.conf
# nsd-checkzone example.com /var/nsd/zones/master/db.example.com
zone example.com is ok
~~~
On active et démarre nsd :
~~~
# rcctl enable nsd
# rcctl start nsd
~~~
On peut désormais tester que tout fonctionne :
~~~
# dig ANY tristanpilat.com. @192.0.2.53
~~~
### Slave
Et voici le fichier `nsd.conf` sur le serveur avec l'adresse IP 192.0.2.54 (slave) :
~~~
# vi /var/nsd/etc/nsd.conf
~~~
~~~
server:
server-count: 1 # use this number of cpu cores
database: "" # or use ""
zonelistfile: "/var/nsd/db/zone.list"
username: _nsd
logfile: "/var/log/nsd.log"
pidfile: "/var/nsd/run/nsd.pid"
xfrdfile: "/var/nsd/run/xfrd.state"
## bind to a specific address/port
ip-address: 192.0.2.54
remote-control:
control-enable: yes
## tsig key example
key:
name: "key.example.com."
algorithm: hmac-sha256
secret: "rMZVA3oOLyrk9Xn+aKe19aCqOf3xYv9kVw8M3crGkFE="
## master zone example.com
zone:
name: "example.com"
zonefile: "master/example.com"
notify: 192.0.2.53 key.example.com.
provide-xfr: 192.0.2.53 key.example.com.
~~~
On vérifie la configration :
~~~
# nsd-checkconf /var/nsd/etc/nsd.conf
~~~
## Utilisation
### Outils utiles