First draft
This commit is contained in:
parent
c1260bbed0
commit
f46b06451f
190
HowtoNSD/edit.md
Normal file
@ -0,0 +1,190 @@
---
title: Howto NSD
categories: network openbsd
...

## Documentation

* <https://www.nlnetlabs.nl/projects/nsd/>
* <http://www.openbsd.org/cgi-bin/man.cgi?query=nsd.conf>
* <http://www.openbsd.org/cgi-bin/man.cgi?query=nsd>

NSD est un serveur DNS faisant authorité. Il utilise des fichiers de zone au format Bind ce qui a l'avantage de faciliter une migration.

### Liens utiles

* <https://calomel.org/nsd_dns.html>
* <https://www.digitalocean.com/community/tutorials/how-to-set-up-dnssec-on-an-nsd-nameserver-on-ubuntu-14-04>

## Installation

Sous OpenBSD, nsd(4) fait partie du système de base.

Sous Debian, on l'installera via :

~~~
# apt-get install nsd
~~~

## Configuration

**La configuration est ici faite sous OpenBSD. Bien que globalement similaire, la configuration tiendra compte de l'arborescence sous OpenBSD.**

On configure le démon via le fichier `/var/nsd/etc/nsd.conf`.

Pour lancer nsd(4) :

OpenBSD
~~~
# rcctl start bgpd
~~~

Debian
~~~
# systemctl start nsd
~~~

Pour vérifier la configuration :

~~~
# nsd-checkzone example.com /chemin/vers/zone/db.example.com
# nsd-checkconf /chemin/vers/configuration/nsd.conf
~~~

## Exemple de configuration :

Prenons 2 machines, que l'on définit comme étant 2 serveurs DNS, l'un master, l'autre slave.

### Master

Voici le fichier `nsd.conf` sur le serveur avec l'adresse IP 192.0.2.53 (master) :

~~~
# vi /var/nsd/etc/nsd.conf
~~~

~~~
server:
server-count: 1 # use this number of cpu cores
database: "" # or use ""
zonelistfile: "/var/nsd/db/zone.list"
username: _nsd
logfile: "/var/log/nsd.log"
pidfile: "/var/nsd/run/nsd.pid"
xfrdfile: "/var/nsd/run/xfrd.state"

## bind to a specific address/port
ip-address: 192.0.2.53

remote-control:
control-enable: yes

## tsig key example
key:
name: "key.example.com."
algorithm: hmac-sha256
secret: "rMZVA3oOLyrk9Xn+aKe19aCqOf3xYv9kVw8M3crGkFE="

## master zone example.com
zone:
name: "example.com"
zonefile: "master/example.com"
notify: 192.0.2.54 key.example.com.
provide-xfr: 192.0.2.54 key.example.com.
~~~

Sur le serveur master on devra également définir la zone :

~~~
# vi /var/nsd/zones/master/db.example.com
~~~

~~~
$ORIGIN example.com.
$TTL 1800
@ IN SOA master.example.com. email.example.com. (
2014080301
3600
900
1209600
1800
)
@ IN NS master.example.com.
@ IN NS slave.example.com.
master IN A 192.0.2.53
slave IN A 192.0.2.54
@ IN A 192.0.2.80
www IN CNAME example.com.
@ IN MX 10 aspmx.l.google.com.
@ IN MX 20 alt1.aspmx.l.google.com.
~~~

On vérifie la configration ainsi que la zone :

~~~
# nsd-checkconf /var/nsd/etc/nsd.conf
# nsd-checkzone example.com /var/nsd/zones/master/db.example.com
zone example.com is ok
~~~

On active et démarre nsd :

~~~
# rcctl enable nsd
# rcctl start nsd
~~~

On peut désormais tester que tout fonctionne :

~~~
# dig ANY tristanpilat.com. @192.0.2.53
~~~

### Slave

Et voici le fichier `nsd.conf` sur le serveur avec l'adresse IP 192.0.2.54 (slave) :

~~~
# vi /var/nsd/etc/nsd.conf
~~~

~~~
server:
server-count: 1 # use this number of cpu cores
database: "" # or use ""
zonelistfile: "/var/nsd/db/zone.list"
username: _nsd
logfile: "/var/log/nsd.log"
pidfile: "/var/nsd/run/nsd.pid"
xfrdfile: "/var/nsd/run/xfrd.state"

## bind to a specific address/port
ip-address: 192.0.2.54

remote-control:
control-enable: yes

## tsig key example
key:
name: "key.example.com."
algorithm: hmac-sha256
secret: "rMZVA3oOLyrk9Xn+aKe19aCqOf3xYv9kVw8M3crGkFE="

## master zone example.com
zone:
name: "example.com"
zonefile: "master/example.com"
notify: 192.0.2.53 key.example.com.
provide-xfr: 192.0.2.53 key.example.com.
~~~

On vérifie la configration :

~~~
# nsd-checkconf /var/nsd/etc/nsd.conf
~~~

## Utilisation


### Outils utiles