In China soll es ab Dezember Telefonnummern oder Internet-Anschlüsse nur noch mit Identitätsfeststellung per Gesichtserkennung geben. Eine entsprechende Regelung wurde kürzlich erlassen und soll auch für bereits registrierte Anschlüsse gelten.
Christen, die in totalitär regierten Staaten leben, geraten immer stärker unter Druck. Laut dem aktuellen Weltverfolgungsindex des christlichen Hilfswerks Open Doors hat sich die Lage für Christen etwa in China und in der Türkei weiter zugespitzt.
Since I needed hours to configure dnssec (because of one little failure), I made here a little write-up (in short).
Contents
# vi /etc/bind/named.conf.local
add
file “/var/lib/bind/example.com.zone.signed”;
key-directory “/var/lib/bind/”;
auto-dnssec maintain;
inline-signing yes;
to your domain
# vi /etc/bind/named.conf.options
add
dnssec-enable yes;
dnssec-validation auto;
dnssec-lookaside auto;
# cd /var/lib/bind/
(because the directory must me writable by bind and /etc/bind/ shouldn’t)
create the zone signing key (zsk)
# dnssec-keygen -a RSASHA256 -b 2048 example.com
create the key signing key (ksk)
# dnssec-keygen -a RSASHA256 -b 4096 -f KSK example.com
change permissions and the owner
(all keys must be readable by bind)
# chmod 644 Kexample.com*.key
# chmod 600 Kexample.com*.private
# chown bind Kexample.com*
you have now 4 keys – two pairs of zsk and ksk. you have to add the public keys which contain the DNSKEY record to the zonefile. the following will do this:
# for key in `ls Kexample.com*.key`
do
echo “\$INCLUDE $key”>> example.com.zone
done
sign the key
# dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o example.com -t example.com.zone
# /etc/init.d/bind9 restart
# dig DNSKEY example.com. @localhost +multiline
if everything went right you should see the two keys. if not, you have done something wrong.
some good DNSSEC testing sites:
https://dnssec-analyzer.verisignlabs.com/
http://dnsviz.net/
https://mxtoolbox.com/DNSKey.aspxdnsviz
dnsviz
when we ran the dnssec-signzone command apart from the .signed zone file, a file named dsset-example.com was also created, this contains the DS records.
# cat dsset-example.com.
go to the registrar of your domain and enter those DS records
…are automatically signed with your domain
if you get an error like:
No response was received until the UDP payload size was decreased, indicating that the server might be attempting to send a payload that exceeds the path maximum transmission unit (PMTU) size.
on dnsviz.net, and you have a firewall kike pfsense before the dns-server, try to disable scrubbing:
Disable Firewall Scrub (Diables th PF srubbing option with can sometimes interfere with NFS traffic.)
another solution, with pfsense, is here: https://melkfl.es/article/2018/07/edns/
another, but last option, is to reduce the udp-package-size in bind’s named.conf.options
# vi /etc/bind/named.conf.options
add
edns-udp-size 512;
max-udp-size 512;
If you like this write-up or I missed something, please let me know.
Jetzt will Bill Gates den Planeten mit Geoengineering kühlen, genauer gesagt mit Kalkpulver. Jede Menge Kalkpulver. Experten sagen, der Unfug könnte katastrophale Auswirkungen haben.
Quelle: recentr.com