Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- centos:bind_c7 [29.12.2017 08:44. ] – [rndc-confgen] django
+++ centos:bind_c7 [31.12.2017 14:52. ] (aktuell) – [0.0.10.zone.db (intra)] django
@@ Zeile 255: / Zeile 255: @@
 ===== Grund-/Basis-Konfiguration =====
+==== Name Server Control Utility ====
+Zur administrativen Interaktion und Steuerung mit unserem DNS-Server nutzen wir das Name Server Control Utility **rndc** aus dem RPM **bind**. Die Optionen dieses User Interface finden am einfachsten in der zugehörigen manpage.
+<code>RNDC(8)                                     BIND9                                    RNDC(8)
+NAME
+       rndc - name server control utility
+SYNOPSIS
+       rndc [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V]
+            [-y key_id] {command}
+DESCRIPTION
+       rndc controls the operation of a name server. It supersedes the ndc utility that was
+       provided in old BIND releases. If rndc is invoked with no command line options or
+       arguments, it prints a short summary of the supported commands and the available
+       options and their arguments.
+       rndc communicates with the name server over a TCP connection, sending commands
+       authenticated with digital signatures. In the current versions of rndc and named, the
+       only supported authentication algorithm is HMAC-MD5, which uses a shared secret on
+       each end of the connection. This provides TSIG-style authentication for the command
+       request and the name server's response. All commands sent over the channel must be
+       signed by a key_id known to the server.
+       rndc reads a configuration file to determine how to contact the name server and
+       decide what algorithm and key it should use.
+OPTIONS
+       -b source-address
+           Use source-address as the source address for the connection to the server.
+           Multiple instances are permitted to allow setting of both the IPv4 and IPv6
+           source addresses.
+       -c config-file
+           Use config-file as the configuration file instead of the default, /etc/rndc.conf.
+       -k key-file
+           Use key-file as the key file instead of the default, /etc/rndc.key. The key in
+           /etc/rndc.key will be used to authenticate commands sent to the server if the
+           config-file does not exist.
+       -s server
+           server is the name or address of the server which matches a server statement in
+           the configuration file for rndc. If no server is supplied on the command line,
+           the host named by the default-server clause in the options statement of the rndc
+           configuration file will be used.
+       -p port
+           Send commands to TCP port port instead of BIND 9's default control channel port,
+.
+       -V
+           Enable verbose logging.
+       -y key_id
+           Use the key key_id from the configuration file.  key_id must be known by named
+           with the same algorithm and secret string in order for control message validation
+           to succeed. If no key_id is specified, rndc will first look for a key clause in
+           the server statement of the server being used, or if no server statement is
+           present for that host, then the default-key clause of the options statement. Note
+           that the configuration file contains shared secrets which are used to send
+           authenticated control commands to name servers. It should therefore not have
+           general read or write access.
+COMMANDS
+       A list of commands supported by rndc can be seen by running rndc without arguments.
+       Currently supported commands are:
+       reload
+           Reload configuration file and zones.
+       reload zone [class [view]]
+           Reload the given zone.
+       refresh zone [class [view]]
+           Schedule zone maintenance for the given zone.
+       retransfer zone [class [view]]
+           Retransfer the given zone from the master.
+       sign zone [class [view]]
+           Fetch all DNSSEC keys for the given zone from the key directory (see the
+           key-directory option in the BIND 9 Administrator Reference Manual). If they are
+           within their publication period, merge them into the zone's DNSKEY RRset. If the
+           DNSKEY RRset is changed, then the zone is automatically re-signed with the new
+           key set.
+           This command requires that the auto-dnssec zone option be set to allow or
+           maintain, and also requires the zone to be configured to allow dynamic DNS. (See
+           "Dynamic Update Policies" in the Administrator Reference Manual for more
+           details.)
+       loadkeys zone [class [view]]
+           Fetch all DNSSEC keys for the given zone from the key directory. If they are
+           within their publication period, merge them into the zone's DNSKEY RRset. Unlike
+           rndc sign, however, the zone is not immediately re-signed by the new keys, but is
+           allowed to incrementally re-sign over time.
+           This command requires that the auto-dnssec zone option be set to maintain, and
+           also requires the zone to be configured to allow dynamic DNS. (See "Dynamic
+           Update Policies" in the Administrator Reference Manual for more details.)
+       freeze [zone [class [view]]]
+           Suspend updates to a dynamic zone. If no zone is specified, then all zones are
+           suspended. This allows manual edits to be made to a zone normally updated by
+           dynamic update. It also causes changes in the journal file to be synced into the
+           master file. All dynamic update attempts will be refused while the zone is
+           frozen.
+       thaw [zone [class [view]]]
+           Enable updates to a frozen dynamic zone. If no zone is specified, then all frozen
+           zones are enabled. This causes the server to reload the zone from disk, and
+           re-enables dynamic updates after the load has completed. After a zone is thawed,
+           dynamic updates will no longer be refused. If the zone has changed and the
+           ixfr-from-differences option is in use, then the journal file will be updated to
+           reflect changes in the zone. Otherwise, if the zone has changed, any existing
+           journal file will be removed.
+       sync [-clean] [zone [class [view]]]
+           Sync changes in the journal file for a dynamic zone to the master file. If the
+           "-clean" option is specified, the journal file is also removed. If no zone is
+           specified, then all zones are synced.
+       notify zone [class [view]]
+           Resend NOTIFY messages for the zone.
+       reconfig
+           Reload the configuration file and load new zones, but do not reload existing zone
+           files even if they have changed. This is faster than a full reload when there is
+           a large number of zones because it avoids the need to examine the modification
+           times of the zones files.
+       stats
+           Write server statistics to the statistics file.
+       querylog [on|off]
+           Enable or disable query logging. (For backward compatibility, this command can
+           also be used without an argument to toggle query logging on and off.)
+           Query logging can also be enabled by explicitly directing the queries category to
+           a channel in the logging section of named.conf or by specifying querylog yes; in
+           the options section of named.conf.
+       dumpdb [-all|-cache|-zone] [view ...]
+           Dump the server's caches (default) and/or zones to the dump file for the
+           specified views. If no view is specified, all views are dumped.
+       secroots [view ...]
+           Dump the server's security roots to the secroots file for the specified views. If
+           no view is specified, security roots for all views are dumped.
+       stop [-p]
+           Stop the server, making sure any recent changes made through dynamic update or
+           IXFR are first saved to the master files of the updated zones. If -p is specified
+           named's process id is returned. This allows an external process to determine when
+           named had completed stopping.
+       halt [-p]
+           Stop the server immediately. Recent changes made through dynamic update or IXFR
+           are not saved to the master files, but will be rolled forward from the journal
+           files when the server is restarted. If -p is specified named's process id is
+           returned. This allows an external process to determine when named had completed
+           halting.
+       trace
+           Increment the servers debugging level by one.
+       trace level
+           Sets the server's debugging level to an explicit value.
+       notrace
+           Sets the server's debugging level to 0.
+       flush
+           Flushes the server's cache.
+       flushname name [view]
+           Flushes the given name from the server's DNS cache and, if applicable, from the
+           server's nameserver address database or bad-server cache.
+       flushtree name [view]
+           Flushes the given name, and all of its subdomains, from the server's DNS cache.
+           Note that this does not affect he server's address database or bad-server cache.
+       status
+           Display status of the server. Note that the number of zones includes the internal
+           bind/CH zone and the default ./IN hint zone if there is not an explicit root zone
+           configured.
+       recursing
+           Dump the list of queries named is currently recursing on.
+       validation ( on | off | check ) [view ...]
+           Enable, disable, or check the current status of DNSSEC validation. Note
+           dnssec-enable also needs to be set to yes or auto to be effective. It defaults to
+           enabled.
+       tsig-list
+           List the names of all TSIG keys currently configured for use by named in each
+           view. The list both statically configured keys and dynamic TKEY-negotiated keys.
+       tsig-delete keyname [view]
+           Delete a given TKEY-negotiated key from the server. (This does not apply to
+           statically configured TSIG keys.)
+       addzone zone [class [view]] configuration
+           Add a zone while the server is running. This command requires the allow-new-zones
+           option to be set to yes. The configuration string specified on the command line
+           is the zone configuration text that would ordinarily be placed in named.conf.
+           The configuration is saved in a file called hash.nzf, where hash is a
+           cryptographic hash generated from the name of the view. When named is restarted,
+           the file will be loaded into the view configuration, so that zones that were
+           added can persist after a restart.
+           This sample addzone command would add the zone example.com to the default view:
+           $rndc addzone example.com '{ type master; file "example.com.db"; };'
+           (Note the brackets and semi-colon around the zone configuration text.)
+       delzone zone [class [view]]
+           Delete a zone while the server is running. Only zones that were originally added
+           via rndc addzone can be deleted in this manner.
+       signing [( -list | -clear keyid/algorithm | -clear all | -nsec3param ( parameters |
+       none ) ) ] zone [class [view]]
+           List, edit, or remove the DNSSEC signing state for the specified zone. The status
+           of ongoing DNSSEC operations (such as signing or generating NSEC3 chains) is
+           stored in the zone in the form of DNS resource records of type sig-signing-type.
+           rndc signing -list converts these records into a human-readable form, indicating
+           which keys are currently signing or have finished signing the zone, and which
+           NSEC3 chains are being created or removed.
+           rndc signing -clear can remove a single key (specified in the same format that
+           rndc signing -list uses to display it), or all keys. In either case, only
+           completed keys are removed; any record indicating that a key has not yet finished
+           signing the zone will be retained.
+           rndc signing -nsec3param sets the NSEC3 parameters for a zone. This is the only
+           supported mechanism for using NSEC3 with inline-signing zones. Parameters are
+           of ongoing DNSSEC operations (such as signing or generating NSEC3 chains) is
+           stored in the zone in the form of DNS resource records of type sig-signing-type.
+           rndc signing -list converts these records into a human-readable form, indicating
+           which keys are currently signing or have finished signing the zone, and which
+           NSEC3 chains are being created or removed.
+           rndc signing -clear can remove a single key (specified in the same format that
+           rndc signing -list uses to display it), or all keys. In either case, only
+           completed keys are removed; any record indicating that a key has not yet finished
+           signing the zone will be retained.
+           rndc signing -nsec3param sets the NSEC3 parameters for a zone. This is the only
+           supported mechanism for using NSEC3 with inline-signing zones. Parameters are
+           specified in the same format as an NSEC3PARAM resource record: hash algorithm,
+           flags, iterations, and salt, in that order.
+           Currently, the only defined value for hash algorithm is 1, representing SHA-1.
+           The flags may be set to 0 or 1, depending on whether you wish to set the opt-out
+           bit in the NSEC3 chain.  iterations defines the number of additional times to
+           apply the algorithm when generating an NSEC3 hash. The salt is a string of data
+           expressed in hexidecimal, or a hyphen (`-') if no salt is to be used.
+           So, for example, to create an NSEC3 chain using the SHA-1 hash algorithm, no
+           opt-out flag, 10 iterations, and a salt value of "FFFF", use: rndc signing
+           -nsec3param 1 0 10 FFFF zone. To set the opt-out flag, 15 iterations, and no
+           salt, use: rndc signing -nsec3param 1 1 15 - zone.
+           rndc signing -nsec3param none removes an existing NSEC3 chain and replaces it
+           with NSEC.
+LIMITATIONS
+       There is currently no way to provide the shared secret for a key_id without using the
+       configuration file.
+       Several error messages could be clearer.
+SEE ALSO
+       rndc.conf(5), rndc-confgen(8), named(8), named.conf(5), ndc(8), BIND 9 Administrator
+       Reference Manual.
+AUTHOR
+       Internet Systems Consortium
+COPYRIGHT
+       Copyright © 2004, 2005, 2007, 2013 Internet Systems Consortium, Inc. ("ISC")
+       Copyright © 2000, 2001 Internet Software Consortium.
+BIND9                                   June 7, 2013                                 RNDC(8)
+</code>
+Die Kommunikation zwischen der **UI**((**U**ser**Interface**)) **rndc** und dem DNS-Daemon erfolgt bei CentOS 7 nur noch über eine digital signierten Zugangskanal, der auf einem entsprechenden symetrischen Schlüssel basiert. Dieser zugehörige Schlüssel muss direkt in einer entsprechenden Konfigurationsdateien hinterlegt werden und so dem Client **rndc** und dem Server **bind** bekannt gegeben werden.
+=== rndc-confgen ===
+Mit Hilfe des Befehls **rndc-confgen** aus dem RPM-Paket **bind** kann sowohl dieser symetrische Schlüssel wie auch die zugehörige Client-Konfigurationsdatei //**/etc/rndc.conf**// erzeugt, wie auch die benötigten Konfigurationsoptionen für die DNS-Server-Konfigurationsdatei //**/etc/named.conf**// angezeigt werden.
+<code>RNDC-CONFGEN(8)                             BIND9                            RNDC-CONFGEN(8)
+NAME
+       rndc-confgen - rndc key generation tool
+SYNOPSIS
+       rndc-confgen [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port]
+                    [-r randomfile] [-s address] [-t chrootdir] [-u user]
+DESCRIPTION
+       rndc-confgen generates configuration files for rndc. It can be used as a convenient
+       alternative to writing the rndc.conf file and the corresponding controls and key
+       statements in named.conf by hand. Alternatively, it can be run with the -a option to
+       set up a rndc.key file and avoid the need for a rndc.conf file and a controls
+       statement altogether.
+OPTIONS
+       -a
+           Do automatic rndc configuration. This creates a file rndc.key in /etc (or
+           whatever sysconfdir was specified as when BIND was built) that is read by both
+           rndc and named on startup. The rndc.key file defines a default command channel
+           and authentication key allowing rndc to communicate with named on the local host
+           with no further configuration.
+           Running rndc-confgen -a allows BIND 9 and rndc to be used as drop-in replacements
+           for BIND 8 and ndc, with no changes to the existing BIND 8 named.conf file.
+           If a more elaborate configuration than that generated by rndc-confgen -a is
+           required, for example if rndc is to be used remotely, you should run rndc-confgen
+           without the -a option and set up a rndc.conf and named.conf as directed.
+       -b keysize
+           Specifies the size of the authentication key in bits. Must be between 1 and 512
+           bits; the default is 128.
+       -c keyfile
+           Used with the -a option to specify an alternate location for rndc.key.
+       -h
+           Prints a short summary of the options and arguments to rndc-confgen.
+       -k keyname
+           Specifies the key name of the rndc authentication key. This must be a valid
+           domain name. The default is rndc-key.
+       -p port
+           Specifies the command channel port where named listens for connections from rndc.
+           The default is 953.
+           Specifies the key name of the rndc authentication key. This must be a valid
+           domain name. The default is rndc-key.
+       -p port
+           Specifies the command channel port where named listens for connections from rndc.
+           The default is 953.
+       -r randomfile
+           Specifies a source of random data for generating the authorization. If the
+           operating system does not provide a /dev/random or equivalent device, the default
+           source of randomness is keyboard input.  randomdev specifies the name of a
+           character device or file containing random data to be used instead of the
+           default. The special value keyboard indicates that keyboard input should be used.
+       -s address
+           Specifies the IP address where named listens for command channel connections from
+           rndc. The default is the loopback address 127.0.0.1.
+       -t chrootdir
+           Used with the -a option to specify a directory where named will run chrooted. An
+           additional copy of the rndc.key will be written relative to this directory so
+           that it will be found by the chrooted named.
+       -u user
+           Used with the -a option to set the owner of the rndc.key file generated. If -t is
+           also specified only the file in the chroot area has its owner changed.
+EXAMPLES
+       To allow rndc to be used with no manual configuration, run
+       rndc-confgen -a
+       To print a sample rndc.conf file and corresponding controls and key statements to be
+       manually inserted into named.conf, run
+       rndc-confgen
+SEE ALSO
+       rndc(8), rndc.conf(5), named(8), BIND 9 Administrator Reference Manual.
+AUTHOR
+       Internet Systems Consortium
+COPYRIGHT
+       Copyright © 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+       Copyright © 2001, 2003 Internet Software Consortium.
+BIND9                                   Aug 27, 2001                         RNDC-CONFGEN(8)
+</code>
+In folgendem Konfigurationsbeispiel, welches wir lediglich zum Anzeigen der später benötigten Konfigurationsoptionen benutzen,  nutzen wir folgende Optionen beim Aufruf des Hilfsprogramms **//rndc-confgen//**
+  * -b keysize = 512
+  * -k keyname = rndc-key
+  * -r randomfile = /dev/random
+  * -u user = named
+   # rndc-confgen -b 512 -k rndc-key -r /dev/random -u named
+<code># Start of rndc.conf
+key "rndc-key" {
+	algorithm hmac-md5;
+	secret "FnqGCTNassQ6o5djkYN7pdgWifhUznPY+A2xqmvSRVvlWYphzSUHcJnqLciTZWAKJ9ogKIeQ763/tU8OZeta9A==";
+};
+options {
+	default-key "rndc-key";
+	default-server 127.0.0.1;
+	default-port 953;
+};
+# End of rndc.conf
+# Use with the following in named.conf, adjusting the allow list as needed:
+# key "rndc-key" {
+# 	algorithm hmac-md5;
+# 	secret "FnqGCTNassQ6o5djkYN7pdgWifhUznPY+A2xqmvSRVvlWYphzSUHcJnqLciTZWAKJ9ogKIeQ763/tU8OZeta9A==";
+# };
+#
+# controls {
+# 	inet 127.0.0.1 port 953
+# 		allow { 127.0.0.1; } keys { "rndc-key"; };
+# };
+# End of named.conf</code>
+<WRAP center round important 90%>
+**Wichtig:** \\
+Der symmetrische Schlüssel muss sowohl in der Client-Konfigurationsdatei **// /etc/rndc.conf //** wie auch Server-Konfigurationsdatei **// /etc/named.conf //** hinterlegt werden. Zweckmäßiger ist es jedoch diesen Schlüssel in eine eigene Konfigurationsdatei zu hinterlegen und diese Datei dann entsprechend zu inkludieren!
+</WRAP>
+Bei der Installation des RPM-Paketes **bind** wurde auch ein zugehörige Key-Datei **// /etc/rndc.conf //** mit installiert.
+   # ll /etc/rndc.key
+<code>-rw-r-----. 1 root named 77 Dec 28 18:26 /etc/rndc.key</code>
+   # less /etc/rndc.key
+<file bash /etc/rndc.key>key "rndc-key" {
+	algorithm hmac-md5;
+	secret "LXQvnV2ZbqG9QMg8eV7fsQ==";
+};</file>
+~~codedoc:xref:anchor_mount_3~~
+<WRAP center round important 90%>
+**WICHTIG**:
+Damit es später beim Aufruf von **rndc status** nicht zu folgender [[https://deepthought.isc.org/article/AA-00722/0/Why-does-rndc-log-warning-key-file-...-exists-but-using-default-configuration-file-rndc.conf.html|Fehlermeldung]] \\ ''WARNING: key file (rndc.key) exists, but using default configuration file (rndc.conf)'' \\ kommen wird, werden wir die mitgelieferte Datei löschen und in unserer chroot-Umgebung dafür [[centos:bind_c7#anchor_mount_1|später noch]] sorgen, dass unsere eigene lokale Datei in das chroot-jail mit übernommen wird.
+</WRAP>
+Diese Datei werden wir also nun zunächst sichern und dann automatisch eine neue lokale Datei anlegen lassen.
+   # mv /etc/rndc.key /etc/rndc.key.orig
+Nun erzeugen wir uns unsere eigenen Schlüssel.
+   # rndc-confgen -a -b 512 -c /etc/rndc_local.key -k rndc-key -r /dev/random -u named
+  wrote key file "/etc/rndc_local.key"
+Den Inhalt dieser Schlüsseldatei können wir uns nun auch anzeigen lassen.
+   # less /etc/rndc_local.key
+<file bash /etc/rndc_local.key>key "rndc-key" {
+	algorithm hmac-md5;
+	secret "prjseECUq/pzTKCwQKQoraA9KlYeuTMpwRd1qmQSYsKOOIw9b3QRN0ctcDlTvTs/6Urassjq0y+Vgi8eQPXQDA==";
+};</file>
+Anschließend passen wir dann noch die User- und Gruppen-Eigenschaften an:
+   # chown root:named /etc/rndc_local.key
+   # chmod 640 /etc/rndc_local.key
+Somit weist die Schlüsseldatei nunmehr die gleichen Rechte auf, die die original Datei aus dem RPM auf:
+   # ll /etc/rndc*key*
+<code>-rw-r-----. 1 root named  74 Dec 29 08:14 /etc/rndc.key.orig
+-rw-r-----. 1 root named 141 Dec 29 11:10 /etc/rndc_local.key</code>
+Zu guter Letzt legen wir nun noch die benötigte Konfigurationsdatei //**/etc/rndc.conf**// an.
+   # vim /etc/rndc.conf
+<file bash /etc/rndc.conf>include "/etc/rndc_local.key";
+options {
+	default-key "rndc-key";
+	default-server 127.0.0.1;
+	default-port 953;
+};</file>
 ==== change root - Umgebung ====
 Be der Installation des zugehörigen RPM-Paketes **bind-chroot** wurde der Verzeichnisbaum //**/var/named/chroot**// als Mustervorlage auf unseren Server installiert, welcher als [[https://de.wikipedia.org/wiki/Chroot|chroot jail]] für den IDC BIND Nameserver fungiert.
@@ Zeile 279: / Zeile 763: @@
 Beim Starten des named Daemon wird dann das chroot jail mit den zugehörigen Konfigurationsdateien gemountet und so dem Daemon verfügbar gemacht. In dem Bash-Sctript //**/usr/libexec/setup-named-chroot.sh**// ist so unter anderem vermerkt welche Verzeichnispfade ge(un)mounted werden sollen.
 ~~codedoc:xref:anchor_mount_1~~
-<code bash>...
+Damit auch unser [[centos:bind_c7#anchor_mount_3|zuvor generierte]] RNDC-Schlüssel kopiert wird, werden wir das Bash-Script aber ein klein wenig an unsere Umgebung anpassen. Zunächst machen wir von dem originalen Script eine Sicherheitskopie.
+   # cp -a /usr/libexec/setup-named-chroot.sh /usr/libexec/setup-named-chroot.sh.orig
+Anschließend korrigieren wir den Dateinamen der RNDC-Schlüsseldatei auf unseren lokalen Dateinamen **''/etc/rndc_local.kex''**.
+   # vim /usr/libexec/setup-named-chroot.sh
+~~codedoc:xref:anchor_mount_1~~
+<file bash /usr/libexec/setup-named-chroot.sh>#!/bin/bash
 # Warning: the order is important
 # If a directory containing $ROOTDIR is listed here,
 # it MUST be listed last. (/var/named contains /var/named/chroot)
+# Django : 2017-12-29
+# default: ROOTDIR_MOUNT='/etc/localtime /etc/named /etc/pki/dnssec-keys /etc/named.root.key /etc/named.conf
+#          /etc/named.dnssec.keys /etc/named.rfc1912.zones /etc/rndc.conf /etc/rndc.key /etc/named.iscdlv.key /etc/protocols /etc/services
+#          /usr/lib64/bind /usr/lib/bind /run/named
+#          /var/named'
 ROOTDIR_MOUNT='/etc/localtime /etc/named /etc/pki/dnssec-keys /etc/named.root.key /etc/named.conf
-/etc/named.dnssec.keys /etc/named.rfc1912.zones /etc/rndc.conf /etc/rndc.key /etc/named.iscdlv.key /etc/protocols /etc/services
+/etc/named.dnssec.keys /etc/named.rfc1912.zones /etc/rndc.conf /etc/rndc_local.key /etc/named.iscdlv.key /etc/protocols /etc/services
 /usr/lib64/bind /usr/lib/bind /run/named
 /var/named'
-...
+usage()
-</code>
+{
+  echo
+  echo 'This script setups chroot environment for BIND'
+  echo 'Usage: setup-named-chroot.sh ROOTDIR [on|off]'
+}
+if ! [ "$#" -eq 2 ]; then
+  echo 'Wrong number of arguments'
+  usage
+  exit 1
+fi
+ROOTDIR="$1"
+# Exit if ROOTDIR doesn't exist
+if ! [ -d "$ROOTDIR" ]; then
+  echo "Root directory $ROOTDIR doesn't exist"
+  usage
+  exit 1
+fi
+mount_chroot_conf()
+{
+  if [ -n "$ROOTDIR" ]; then
+    for all in $ROOTDIR_MOUNT; do
+      # Skip nonexistant files
+      [ -e "$all" ] || continue
+      # If mount source is a file
+      if ! [ -d "$all" ]; then
+        # mount it only if it is not present in chroot or it is empty
+        if ! [ -e "$ROOTDIR$all" ] || [ `stat -c'%s' "$ROOTDIR$all"` -eq 0 ]; then
+          touch "$ROOTDIR$all"
+          mount --bind "$all" "$ROOTDIR$all"
+        fi
+      else
+        # Mount source is a directory. Mount it only if directory in chroot is
+        # empty.
+        if [ -e "$all" ] && [ `ls -1A $ROOTDIR$all | wc -l` -eq 0 ]; then
+          mount --bind --make-private "$all" "$ROOTDIR$all"
+        fi
+      fi
+    done
+  fi
+}
+umount_chroot_conf()
+{
+  if [ -n "$ROOTDIR" ]; then
+    for all in $ROOTDIR_MOUNT; do
+      # Check if file is mount target. Do not use /proc/mounts because detecting
+      # of modified mounted files can fail.
+      if mount | grep -q '.* on '"$ROOTDIR$all"' .*'; then
+        umount "$ROOTDIR$all"
+        # Remove temporary created files
+        [ -f "$all" ] && rm -f "$ROOTDIR$all"
+      fi
+    done
+  fi
+}
+case "$2" in
+  on)
+    mount_chroot_conf
+    ;;
+  off)
+    umount_chroot_conf
+    ;;
+  *)
+    echo 'Second argument has to be "on" or "off"'
+    usage
+    exit 1
+esac
+exit 0</file>
 [[centos:bind_c7#anchor_mount_2|Später]] können wir dann über den Befehl **''df -ah | grep named''** das gemountete chroot-jail abfragen, sofern der Dameon gestartet worden ist.
@@ Zeile 864: / Zeile 1435: @@
 ;; MSG SIZE  rcvd: 662</code>
-==== Name Server Control Utility - rndc ====
+==== Root Hints Data File ====
-Zur administrativen Interaktion und Steuerung mit unserem DNS-Server nutzen wir das Name Server Control Utility **rndc** aus dem RPM **bind**. Die Optionen dieses User Interface finden am einfachsten in der zugehörigen manpage.
+Bei der Installation unseres Nameservers mit Hilfe des RPMs wurde eine Datei mit den 13 ROOT-Nameservern mitgeliefert. Diese Liste ist jedoch nicht statisch und sollte erfahrungsgemäß alle sechs Monate einmal aktualisiert werden.
-<code>RNDC(8)                                     BIND9                                    RNDC(8)
-NAME
+Wir können uns diese Datei direkt vom FTP-Server der [[http://www.internic.net/|InterNIC]] laden. Hierzu benutzen wir z.B. folgenden Befehl:
-       rndc - name server control utility
+   # wget --user=ftp --password=ftp ftp://ftp.rs.internic.net/domain/db.cache -O /var/named/named.ca
-SYNOPSIS
+<file /var/named/named.ca>;       This file holds the information on root name servers needed to
-       rndc [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V]
+;       initialize cache of Internet domain name servers
-            [-y key_id] {command}
+;       (e.g. reference this file in the "cache  .  <file>"
+;       configuration file of BIND domain name servers).
+;
+;       This file is made available by InterNIC
+;       under anonymous FTP as
+;           file                /domain/named.cache
+;           on server           FTP.INTERNIC.NET
+;       -OR-                    RS.INTERNIC.NET
+;
+;       last update:     November 16, 2017
+;       related version of root zone:     2017111601
+;
+; FORMERLY NS.INTERNIC.NET
+;
+.                        3600000      NS    A.ROOT-SERVERS.NET.
+A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
+A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
+;
+; FORMERLY NS1.ISI.EDU
+;
+.                        3600000      NS    B.ROOT-SERVERS.NET.
+B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
+B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:200::b
+;
+; FORMERLY C.PSI.NET
+;
+.                        3600000      NS    C.ROOT-SERVERS.NET.
+C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
+C.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2::c
+;
+; FORMERLY TERP.UMD.EDU
+;
+.                        3600000      NS    D.ROOT-SERVERS.NET.
+D.ROOT-SERVERS.NET.      3600000      A     199.7.91.13
+D.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2d::d
+;
+; FORMERLY NS.NASA.GOV
+;
+.                        3600000      NS    E.ROOT-SERVERS.NET.
+E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
+E.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:a8::e
+;
+; FORMERLY NS.ISC.ORG
+;
+.                        3600000      NS    F.ROOT-SERVERS.NET.
+F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
+F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2f::f
+;
+; FORMERLY NS.NIC.DDN.MIL
+;
+.                        3600000      NS    G.ROOT-SERVERS.NET.
+G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
+G.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:12::d0d
+;
+; FORMERLY AOS.ARL.ARMY.MIL
+;
+.                        3600000      NS    H.ROOT-SERVERS.NET.
+H.ROOT-SERVERS.NET.      3600000      A     198.97.190.53
+H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::53
+;
+; FORMERLY NIC.NORDU.NET
+;
+.                        3600000      NS    I.ROOT-SERVERS.NET.
+I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
+I.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fe::53
+;
+; OPERATED BY VERISIGN, INC.
+;
+.                        3600000      NS    J.ROOT-SERVERS.NET.
+J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
+J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:c27::2:30
+;
+; OPERATED BY RIPE NCC
+;
+.                        3600000      NS    K.ROOT-SERVERS.NET.
+K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
+K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fd::1
+;
+; OPERATED BY ICANN
+;
+.                        3600000      NS    L.ROOT-SERVERS.NET.
+L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
+L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:9f::42
+;
+; OPERATED BY WIDE
+;
+.                        3600000      NS    M.ROOT-SERVERS.NET.
+M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
+M.ROOT-SERVERS.NET.      3600000      AAAA  2001:dc3::35
+</file>
-DESCRIPTION
+Zum Neueinlesen der Root Hints Daten Datei starten wir den BIND-Daemon einmal durch.
-       rndc controls the operation of a name server. It supersedes the ndc utility that was
+   # systemctl restart named-chroot.service
-       provided in old BIND releases. If rndc is invoked with no command line options or
-       arguments, it prints a short summary of the supported commands and the available
-       options and their arguments.
-       rndc communicates with the name server over a TCP connection, sending commands
+Alternativ dazu können wir auch die Datei mit Hilfe eines DNS-Lookups aktualisieren.
-       authenticated with digital signatures. In the current versions of rndc and named, the
+   # dig +bufsize=1200 +norec NS . @a.root-servers.net > /var/named/named.ca
-       only supported authentication algorithm is HMAC-MD5, which uses a shared secret on
+<file /var/named/named.ca>; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.1 <<>> +bufsize=1200 +norec NS . @a.root-servers.net
-       each end of the connection. This provides TSIG-style authentication for the command
+;; global options: +cmd
-       request and the name server's response. All commands sent over the channel must be
+;; Got answer:
-       signed by a key_id known to the server.
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42016
+;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27
-       rndc reads a configuration file to determine how to contact the name server and
+;; OPT PSEUDOSECTION:
-       decide what algorithm and key it should use.
+; EDNS: version: 0, flags:; udp: 4096
+;; QUESTION SECTION:
+;.                              IN      NS
-OPTIONS
+;; ANSWER SECTION:
-       -b source-address
+.                       518400  IN      NS      e.root-servers.net.
-           Use source-address as the source address for the connection to the server.
+.                       518400  IN      NS      h.root-servers.net.
-           Multiple instances are permitted to allow setting of both the IPv4 and IPv6
+.                       518400  IN      NS      l.root-servers.net.
-           source addresses.
+.                       518400  IN      NS      i.root-servers.net.
+.                       518400  IN      NS      a.root-servers.net.
+.                       518400  IN      NS      d.root-servers.net.
+.                       518400  IN      NS      c.root-servers.net.
+.                       518400  IN      NS      b.root-servers.net.
+.                       518400  IN      NS      j.root-servers.net.
+.                       518400  IN      NS      k.root-servers.net.
+.                       518400  IN      NS      g.root-servers.net.
+.                       518400  IN      NS      m.root-servers.net.
+.                       518400  IN      NS      f.root-servers.net.
-       -c config-file
+;; ADDITIONAL SECTION:
-           Use config-file as the configuration file instead of the default, /etc/rndc.conf.
+e.root-servers.net.     518400  IN      A       192.203.230.10
+e.root-servers.net.     518400  IN      AAAA    2001:500:a8::e
+h.root-servers.net.     518400  IN      A       198.97.190.53
+h.root-servers.net.     518400  IN      AAAA    2001:500:1::53
+l.root-servers.net.     518400  IN      A       199.7.83.42
+l.root-servers.net.     518400  IN      AAAA    2001:500:9f::42
+i.root-servers.net.     518400  IN      A       192.36.148.17
+i.root-servers.net.     518400  IN      AAAA    2001:7fe::53
+a.root-servers.net.     518400  IN      A       198.41.0.4
+a.root-servers.net.     518400  IN      AAAA    2001:503:ba3e::2:30
+d.root-servers.net.     518400  IN      A       199.7.91.13
+d.root-servers.net.     518400  IN      AAAA    2001:500:2d::d
+c.root-servers.net.     518400  IN      A       192.33.4.12
+c.root-servers.net.     518400  IN      AAAA    2001:500:2::c
+b.root-servers.net.     518400  IN      A       199.9.14.201
+b.root-servers.net.     518400  IN      AAAA    2001:500:200::b
+j.root-servers.net.     518400  IN      A       192.58.128.30
+j.root-servers.net.     518400  IN      AAAA    2001:503:c27::2:30
+k.root-servers.net.     518400  IN      A       193.0.14.129
+k.root-servers.net.     518400  IN      AAAA    2001:7fd::1
+g.root-servers.net.     518400  IN      A       192.112.36.4
+g.root-servers.net.     518400  IN      AAAA    2001:500:12::d0d
+m.root-servers.net.     518400  IN      A       202.12.27.33
+m.root-servers.net.     518400  IN      AAAA    2001:dc3::35
+f.root-servers.net.     518400  IN      A       192.5.5.241
+f.root-servers.net.     518400  IN      AAAA    2001:500:2f::f
-       -k key-file
+;; Query time: 39 msec
-           Use key-file as the key file instead of the default, /etc/rndc.key. The key in
+;; SERVER: 198.41.0.4#53(198.41.0.4)
-           /etc/rndc.key will be used to authenticate commands sent to the server if the
+;; WHEN: Fri Dec 29 10:07:19 CET 2017
-           config-file does not exist.
+;; MSG SIZE  rcvd: 811
+</file>
-       -s server
+Auch hier müssen wir natürlich zum Neueinlesen der Datei den Daemon einmal durchstarten.
-           server is the name or address of the server which matches a server statement in
+   # systemctl restart named-chroot.service
-           the configuration file for rndc. If no server is supplied on the command line,
-           the host named by the default-server clause in the options statement of the rndc
-           configuration file will be used.
-       -p port
+Damit wir die Datei nun nicht manuell aktualisieren müssen, werden wir uns einen cronjob anlegen. Wir werden dabei die erste Variante verwenden, da in der heruntergeladenen Datei auch das Aktualisierungsdatum steht, welches wir ggf. später auswerten bzw. überwachen können.
-           Send commands to TCP port port instead of BIND 9's default control channel port,
-.
-       -V
+   # vim /root/bin/update-dns-roots
-           Enable verbose logging.
+<file bash /root/bin/update-dns-roots>#!/bin/bash
+# Django : 2017-12-29 - Script zum Aktualisieren des Root Hints Data File
-       -y key_id
+/usr/bin/wget --user=ftp --password=ftp ftp://ftp.rs.internic.net/domain/db.cache -O /var/named/named.ca
-           Use the key key_id from the configuration file.  key_id must be known by named
+/usr/bin/systemctl restart named-chroot.service
-           with the same algorithm and secret string in order for control message validation
+</file>
-           to succeed. If no key_id is specified, rndc will first look for a key clause in
-           the server statement of the server being used, or if no server statement is
-           present for that host, then the default-key clause of the options statement. Note
-           that the configuration file contains shared secrets which are used to send
-           authenticated control commands to name servers. It should therefore not have
-           general read or write access.
-COMMANDS
+Anschließen statten wir die Datei noch mit den e**X**ecutable-Rechten aus, damit wir es direkt aufrufen können.
-       A list of commands supported by rndc can be seen by running rndc without arguments.
+   # chmod +x /root/bin/update-dns-roots
-       Currently supported commands are:
+Abschließend tragen wir noch in die crontab ein, dass alle 5 Monate die Datei aktualisiert werden soll.
+   # vim /etc/crontab
+<file bash /etc/crontab>SHELL=/bin/bash
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+MAILTO=root
-       reload
+# For details see man 4 crontabs
-           Reload configuration file and zones.
-       reload zone [class [view]]
+# Example of job definition:
-           Reload the given zone.
+# .---------------- minute (0 - 59)
+# |  .------------- hour (0 - 23)
+# |  |  .---------- day of month (1 - 31)
+# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
+# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
+# |  |  |  |  |
+# *  *  *  *  * user-name  command to be executed
-       refresh zone [class [view]]
+# Django : 2017-12-29 - alle fünft Monate Aktualisieren der BIND Root Hints Data File
-           Schedule zone maintenance for the given zone.
+3 * */5 * /root/bin/update-dns-roots >/dev/null 2>&1
+</file>
-       retransfer zone [class [view]]
+==== Zonen-Dateien für lokale Adressen ====
-           Retransfer the given zone from the master.
+In nun folgenden Konfigurationsbeispiel wollen wir einen primären DNS-Server aufsetzen, der folgende zwei Zonen verwalten soll:
+  * **DMZ** : Domäne **dmz.nausch.org** - IP-Netz: **10.0.0.0/24**
+  * **INTRA** : Domäne **intra.nausch.org** - IP-Netz: **10.0.10.0/25**
-       sign zone [class [view]]
+Die Clientanfragen aus den beiden Netzen sollen dabei mit Hilfe unterschiedlicher **[[https://kb.isc.org/article/AA-00851/0/Understanding-views-in-BIND-9-by-example.html|views]]** voneinander getrennt werden, so dass ein Client aus dem Intranet für die gleiche Anfrage wie von einen anderen Client aus der DMZ **__unterschiedliche__** Antworten bekommen soll.
-           Fetch all DNSSEC keys for the given zone from the key directory (see the
+  * **view** - **INTRA**
-           key-directory option in the BIND 9 Administrator Reference Manual). If they are
+  * **view** - **DMZ**
-           within their publication period, merge them into the zone's DNSKEY RRset. If the
-           DNSKEY RRset is changed, then the zone is automatically re-signed with the new
-           key set.
-           This command requires that the auto-dnssec zone option be set to allow or
+Bevor wir nun die notwendigen Zonen-Dateien für unseren DNS-Server anlegen werden, legen wir uns zunächst eine eigenen Verzeichnis an, in dem wir später dann die Zonen-Dateien ablegen werden.
-           maintain, and also requires the zone to be configured to allow dynamic DNS. (See
+   # mkdir /var/named/master
-           "Dynamic Update Policies" in the Administrator Reference Manual for more
+   # mkdir /var/named/intra
-           details.)
-       loadkeys zone [class [view]]
+Anschließend statten wir unser neues Konfigurationsverzeichnis noch mit den nötigen Datei, Benutzer- und Gruppenrechten aus.
-           Fetch all DNSSEC keys for the given zone from the key directory. If they are
+   # chown named:named /var/named/master
-           within their publication period, merge them into the zone's DNSKEY RRset. Unlike
+   # chown named:named /var/named/intra
-           rndc sign, however, the zone is not immediately re-signed by the new keys, but is
-           allowed to incrementally re-sign over time.
-           This command requires that the auto-dnssec zone option be set to maintain, and
+   # chmod 770 /var/named/master
-           also requires the zone to be configured to allow dynamic DNS. (See "Dynamic
+   # chmod 770 /var/named/intra
-           Update Policies" in the Administrator Reference Manual for more details.)
-       freeze [zone [class [view]]]
+Nun können wir für jede Zone in unserem neuen Verzeichnis //**/var/named/master**// jeweils die benötigten Dateien anlegen.
-           Suspend updates to a dynamic zone. If no zone is specified, then all zones are
+  * **Zone INTRANET**
-           suspended. This allows manual edits to be made to a zone normally updated by
+    * Zonen-Datei für die **Forward**-Auflösung - //**[[centos:bind_c7#intranauschorgzonedb|/var/named/master/intra.nausch.org.zone.db]]**//
-           dynamic update. It also causes changes in the journal file to be synced into the
+    * Zonen-Datei für die **Reverse**-Auflösung - //**[[centos:bind_c7#zonedb|/var/named/master/10.0.10.zone.db]]**// - Netz 10.0.10.0/25
-           master file. All dynamic update attempts will be refused while the zone is
+  * **Zone DMZ** (für die Anfragen aus der DMZ)
-           frozen.
+    * Zonen-Datei für die **Forward**-Auflösung - //**[[centos:bind_c7#dmznauschorgzonedb|/var/named/master/dmz.nausch.org.zone.db]]**//
+    * Zonen-Datei für die **Reverse**-Auflösung - //**[[centos:bind_c7#anchor_zone|/var/named/master/0.0.10.zone.db]]**// - Netz 10.0.0.0/24
+  * **Zone DMZ** (für die Anfragen aus dem Intranet)
+    * Zonen-Datei für die **Forward**-Auflösung - //**[[centos:bind_c7#dmznauschorgzonedb_intra|/var/named/intra/dmz.nausch.org.zone.db]]**// für die Anfragen aus dem Intranet
+    * Zonen-Datei für die **Reverse**-Auflösung - //**[[centos:bind_c7#zonedb_intra|/var/named/intra/0.0.10.zone.db]]**// - Netz 10.0.0.0/24 für die Anfragen aus dem Intranet
-       thaw [zone [class [view]]]
+=== intra.nausch.org.zone.db ===
-           Enable updates to a frozen dynamic zone. If no zone is specified, then all frozen
+Zunächst legen wir uns also die Zonen-Datei für die Forward-Auflösung der Zone **INTRANET** an.
-           zones are enabled. This causes the server to reload the zone from disk, and
+   # vim /var/named/master/intra.nausch.org.zone.db
-           re-enables dynamic updates after the load has completed. After a zone is thawed,
-           dynamic updates will no longer be refused. If the zone has changed and the
-           ixfr-from-differences option is in use, then the journal file will be updated to
-           reflect changes in the zone. Otherwise, if the zone has changed, any existing
-           journal file will be removed.
-       sync [-clean] [zone [class [view]]]
+<file bind /var/named/master/intra.nausch.org.zone.db>$ORIGIN .
-           Sync changes in the journal file for a dynamic zone to the master file. If the
+$TTL    86400 ; 1 day
-           "-clean" option is specified, the journal file is also removed. If no zone is
+intra.nausch.org        IN SOA  ns1.intra.nausch.org. hostmaster.nausch.org. (
-           specified, then all zones are synced.
+                                2017122901 ; serial
+      ; refresh (8 hours)
+       ; retry (2 hours)
+     ; expire (1 week)
+      ; minimum (1 day)
+                                )
+                        NS      ns1.intra.nausch.org.
+                        MX      10 mx1.nausch.org.
+$ORIGIN intra.nausch.org.
+ns1                     A       10.0.10.27
-       notify zone [class [view]]
+vml010027               A       10.0.10.27
-           Resend NOTIFY messages for the zone.
+pml010051               A       10.0.10.17
-       reconfig
+$ORIGIN intra.nausch.org.
-           Reload the configuration file and load new zones, but do not reload existing zone
+test                    CNAME   ns1
-           files even if they have changed. This is faster than a full reload when there is
-           a large number of zones because it avoids the need to examine the modification
-           times of the zones files.
-       stats
+fwi                     CNAME   vml010027
-           Write server statistics to the statistics file.
+gateway			CNAME	vml010027
+proton                  CNAME   pml010051
+</file>
-       querylog [on|off]
+Zur Prüfung unserer gerade angelegten Zonendatei nutzen wir folgenden Befehl:
-           Enable or disable query logging. (For backward compatibility, this command can
+   # named-checkzone intra.nausch.org /var/named/master/intra.nausch.org.zone.db
-           also be used without an argument to toggle query logging on and off.)
-           Query logging can also be enabled by explicitly directing the queries category to
+  zone intra.nausch.org/IN: loaded serial 2017122901
-           a channel in the logging section of named.conf or by specifying querylog yes; in
+  OK
-           the options section of named.conf.
-       dumpdb [-all|-cache|-zone] [view ...]
+=== 10.0.10.zone.db ===
-           Dump the server's caches (default) and/or zones to the dump file for the
+Nun legen wir für die Reverseauflösung der Zone **INTRANET** für das IP-Netz **10.0.10.0/25** das zugehörige Zonenfile an.
-           specified views. If no view is specified, all views are dumped.
+   # vim /var/named/master/10.0.10.in-addr.arpa.zone.db
+<file bind /var/named/master/10.0.10.in-addr.arpa.zone.db>$TTL    86400 ; 1 day
+@                       IN SOA  ns1.intra.nausch.org. hostmaster.nausch.org. (
+                                2017122901 ; serial
+      ; refresh (8 hours)
+       ; retry (2 hours)
+     ; expire (1 week)
+      ; minimum (1 day)
+                                )
+                        NS      ns1.intra.nausch.org.
+                        MX      10 mx1.nausch.org.
-       secroots [view ...]
+      		PTR    	ns1.intra.nausch.org.
-           Dump the server's security roots to the secroots file for the specified views. If
+      		PTR    	pml010051.intra.nausch.org.</file>
-           no view is specified, security roots for all views are dumped.
-       stop [-p]
+Wie schon zuvor bei der Zonen-Datei für die Forward-Auflösung checken wir nun auch hier die gerade angelegte Datei auf Tippfehler mit folgenden Befehl:
-           Stop the server, making sure any recent changes made through dynamic update or
+   # named-checkzone 10.0.10 /var/named/master/10.0.10.in-addr.arpa.zone.db
-           IXFR are first saved to the master files of the updated zones. If -p is specified
-           named's process id is returned. This allows an external process to determine when
-           named had completed stopping.
-       halt [-p]
+  zone 10.0.10/IN: loaded serial 2017122901
-           Stop the server immediately. Recent changes made through dynamic update or IXFR
+  OK
-           are not saved to the master files, but will be rolled forward from the journal
-           files when the server is restarted. If -p is specified named's process id is
-           returned. This allows an external process to determine when named had completed
-           halting.
-       trace
+=== dmz.nausch.org.zone.db ===
-           Increment the servers debugging level by one.
+Nachdem wir die Konfiguration der Zone Intranet abgeschlossen haben, werden wir nun als nächstes die Zone **DMZ** konfigurieren. Als erstes werden wir auch hier das Zonefile für die Forwardauflösung anlegen.
+   # vim /var/named/master/dmz.nausch.org.zone.db
-       trace level
+<file bind /var/named/master/dmz.nausch.org.zone.db>$ORIGIN .
-           Sets the server's debugging level to an explicit value.
+$TTL    86400 ; 1 day
+dmz.nausch.org          IN SOA  ns1.dmz.nausch.org. hostmaster.nausch.org. (
+				2017122901 ; serial
+      ; refresh (8 hours)
+       ; retry (2 hours)
+     ; expire (1 week)
+      ; minimum (1 day)
+                                )
+                        NS      ns1.dmz.nausch.org.
+                        MX	10 mx1.nausch.org.
+$ORIGIN dmz.nausch.org.
+ns1			A	10.0.0.27
-       notrace
+vml000017               A       10.0.0.17
-           Sets the server's debugging level to 0.
+vml000027		A       10.0.0.27
-       flush
+$ORIGIN dmz.nausch.org.
-           Flushes the server's cache.
+test			CNAME	ns1
+fwe			CNAME   vml000017
+fwi			CNAME   vml000027
+</file>
-       flushname name [view]
+Auch hier führen wir den Syntax- und Plausibilitäts-Check durch.
-           Flushes the given name from the server's DNS cache and, if applicable, from the
+   # named-checkzone dmz.nausch.org /var/named/master/dmz.nausch.org.zone.db
-           server's nameserver address database or bad-server cache.
-       flushtree name [view]
+  zone dmz.nausch.org/IN: loaded serial 2017122901
-           Flushes the given name, and all of its subdomains, from the server's DNS cache.
+  OK
-           Note that this does not affect he server's address database or bad-server cache.
-       status
+=== 0.0.10.zone.db ===
-           Display status of the server. Note that the number of zones includes the internal
+Was nun noch fehlt ist das Zonenfile für die Zonendatei für die Reverseauflösung der Zone **DMZ**. ~~codedoc:xref:anchor_zone~~
-           bind/CH zone and the default ./IN hint zone if there is not an explicit root zone
+   # vim /var/named/master/0.0.10.in-addr.arpa.zone.db
-           configured.
+<file bind /var/named/master/0.0.10.in-addr.arpa.zone.db>$TTL    86400 ; 1 day
+@                       IN SOA  ns1.dmz.nausch.org. hostmaster.nausch.org. (
+                                2017122901 ; serial
+      ; refresh (8 hours)
+       ; retry (2 hours)
+     ; expire (1 week)
+      ; minimum (1 day)
+                                )
+                        NS      ns1.dmz.nausch.org.
+                        MX      10 mx1.nausch.org.
-       recursing
+                      PTR     vml000017.dmz.nausch.org.
-           Dump the list of queries named is currently recursing on.
+                      PTR     vml000027.dmz.nausch.org.
+</file>
-       validation ( on | off | check ) [view ...]
+Wie schon zuvor bei der Zonen-Datei für die Forward-Auflösung checken wir nun auch hier die gerade angelegte Datei auf Tippfehler mit folgenden Befehl:
-           Enable, disable, or check the current status of DNSSEC validation. Note
+   # named-checkzone 0.0.10 /var/named/master/0.0.10.in-addr.arpa.zone.db
-           dnssec-enable also needs to be set to yes or auto to be effective. It defaults to
-           enabled.
-       tsig-list
+  zone 0.0.10/IN: loaded serial 2017122901
-           List the names of all TSIG keys currently configured for use by named in each
+  OK
-           view. The list both statically configured keys and dynamic TKEY-negotiated keys.
-       tsig-delete keyname [view]
+=== dmz.nausch.org.zone.db (intra) ===
-           Delete a given TKEY-negotiated key from the server. (This does not apply to
+Nachdem wir die Konfiguration der Zone Intranet abgeschlossen haben, werden wir nun als nächstes die Zone **DMZ** konfigurieren. Als erstes werden wir auch hier das Zonefile für die Forwardauflösung anlegen.
-           statically configured TSIG keys.)
+   # vim /var/named/intra/dmz.nausch.org.zone.db
-       addzone zone [class [view]] configuration
+<file bind /var/named/intra/dmz.nausch.org.zone.db>$ORIGIN .
-           Add a zone while the server is running. This command requires the allow-new-zones
+$TTL    86400 ; 1 day
-           option to be set to yes. The configuration string specified on the command line
+dmz.nausch.org          IN SOA  ns1.dmz.nausch.org. hostmaster.nausch.org. (
-           is the zone configuration text that would ordinarily be placed in named.conf.
+				2017122901 ; serial
+      ; refresh (8 hours)
+       ; retry (2 hours)
+     ; expire (1 week)
+      ; minimum (1 day)
+                                )
+                        NS      ns1.dmz.nausch.org.
+                        MX	10 mx1.nausch.org.
+$ORIGIN dmz.nausch.org.
+ns1			A	10.0.0.27
+</file>
-           The configuration is saved in a file called hash.nzf, where hash is a
+Auch hier führen wir den Syntax- und Plausibilitäts-Check durch.
-           cryptographic hash generated from the name of the view. When named is restarted,
+   # named-checkzone dmz.nausch.org /var/named/intra/dmz.nausch.org.zone.db
-           the file will be loaded into the view configuration, so that zones that were
-           added can persist after a restart.
-           This sample addzone command would add the zone example.com to the default view:
+  zone dmz.nausch.org/IN: loaded serial 2017122901
+  OK
-           $rndc addzone example.com '{ type master; file "example.com.db"; };'
+=== 0.0.10.zone.db (intra) ===
+Was nun noch fehlt ist das Zonenfile für die Zonendatei für die Reverseauflösung der Zone **DMZ**.
+   # vim /var/named/intra/0.0.10.in-addr.arpa.zone.db
+<file bind /var/named/intra/0.0.10.in-addr.arpa.zone.db>$TTL    86400 ; 1 day
+@                       IN SOA  ns1.dmz.nausch.org. hostmaster.nausch.org. (
+                                2017122901 ; serial
+      ; refresh (8 hours)
+       ; retry (2 hours)
+     ; expire (1 week)
+      ; minimum (1 day)
+                                )
+                        NS      ns1.dmz.nausch.org.
+                        MX      10 mx1.nausch.org.
-           (Note the brackets and semi-colon around the zone configuration text.)
+                      PTR     ns1.dmz.nausch.org.
+</file>
-       delzone zone [class [view]]
+Wie schon zuvor bei der Zonen-Datei für die Forward-Auflösung checken wir nun auch hier die gerade angelegte Datei auf Tippfehler mit folgenden Befehl:
-           Delete a zone while the server is running. Only zones that were originally added
+   # named-checkzone 0.0.10 /var/named/intra/0.0.10.in-addr.arpa.zone.db
-           via rndc addzone can be deleted in this manner.
-       signing [( -list | -clear keyid/algorithm | -clear all | -nsec3param ( parameters |
+  zone 0.0.10/IN: loaded serial 2017122901
-       none ) ) ] zone [class [view]]
+  OK
-           List, edit, or remove the DNSSEC signing state for the specified zone. The status
-           of ongoing DNSSEC operations (such as signing or generating NSEC3 chains) is
-           stored in the zone in the form of DNS resource records of type sig-signing-type.
-           rndc signing -list converts these records into a human-readable form, indicating
-           which keys are currently signing or have finished signing the zone, and which
-           NSEC3 chains are being created or removed.
-           rndc signing -clear can remove a single key (specified in the same format that
-           rndc signing -list uses to display it), or all keys. In either case, only
-           completed keys are removed; any record indicating that a key has not yet finished
-           signing the zone will be retained.
-           rndc signing -nsec3param sets the NSEC3 parameters for a zone. This is the only
+==== named.conf ====
-           supported mechanism for using NSEC3 with inline-signing zones. Parameters are
+Für unser Konfigurationsbeispiel legen wir uns nun eine eigene individuelle Konfigurationsdatei an, die all unsere Anwendungsfälle abdeckt. Die enizelnen Optionen sind in der Konfigurationsdatei //**/etc/named.conf**// ausführlich beschrieben.
-           of ongoing DNSSEC operations (such as signing or generating NSEC3 chains) is
+   # vim /etc/named.conf
-           stored in the zone in the form of DNS resource records of type sig-signing-type.
-           rndc signing -list converts these records into a human-readable form, indicating
-           which keys are currently signing or have finished signing the zone, and which
-           NSEC3 chains are being created or removed.
-           rndc signing -clear can remove a single key (specified in the same format that
+<file ini /etc/named.conf>/* ****************************** named.conf ****************************** */
-           rndc signing -list uses to display it), or all keys. In either case, only
-           completed keys are removed; any record indicating that a key has not yet finished
-           signing the zone will be retained.
-           rndc signing -nsec3param sets the NSEC3 parameters for a zone. This is the only
+// ISC Bind Konfigurationsdatei auf Basis der Beispiels-Konfigurationsdatei
-           supported mechanism for using NSEC3 with inline-signing zones. Parameters are
+//       /usr/share/doc/bind*/sample/ aus dem zugehörigen RPM-Paket
-           specified in the same format as an NSEC3PARAM resource record: hash algorithm,
+// Konfig-Beschreibung: https://dokuwiki.nausch.org/doku.php/centos:bind_c7
-           flags, iterations, and salt, in that order.
-           Currently, the only defined value for hash algorithm is 1, representing SHA-1.
+/* ********** Variablendefinition für die unterschiedlichen ACLs ********** */
-           The flags may be set to 0 or 1, depending on whether you wish to set the opt-out
+acl dmz        {
-           bit in the NSEC3 chain.  iterations defines the number of additional times to
+.0.0.0/24;
-           apply the algorithm when generating an NSEC3 hash. The salt is a string of data
+};
-           expressed in hexidecimal, or a hyphen (`-') if no salt is to be used.
-           So, for example, to create an NSEC3 chain using the SHA-1 hash algorithm, no
+acl intra      {
-           opt-out flag, 10 iterations, and a salt value of "FFFF", use: rndc signing
+.0.10.0/25;
-           -nsec3param 1 0 10 FFFF zone. To set the opt-out flag, 15 iterations, and no
+};
-           salt, use: rndc signing -nsec3param 1 1 15 - zone.
-           rndc signing -nsec3param none removes an existing NSEC3 chain and replaces it
+acl primary    {
-           with NSEC.
+.0.0.27/32;
+};
-LIMITATIONS
+acl interfaces {
-       There is currently no way to provide the shared secret for a key_id without using the
+.0.0.27/32;
-       configuration file.
+.0.10.27/32;
+};
-       Several error messages could be clearer.
-SEE ALSO
+/* *********************** rndc Schlüsseldefinition *********************** */
-       rndc.conf(5), rndc-confgen(8), named(8), named.conf(5), ndc(8), BIND 9 Administrator
+include "/etc/rndc_local.key";
-       Reference Manual.
-AUTHOR
-       Internet Systems Consortium
-COPYRIGHT
+/* *********************** rndc Control-Definition ************************ */
-       Copyright © 2004, 2005, 2007, 2013 Internet Systems Consortium, Inc. ("ISC")
+controls {
-       Copyright © 2000, 2001 Internet Software Consortium.
+        inet 127.0.0.1 port 953
+        allow { 127.0.0.1; } keys { "rndc-key"; };
+};
-BIND9                                   June 7, 2013                                 RNDC(8)
-</code>
-Die Kommunikation zwischen der **UI**((**U**ser**Interface**)) **rndc** und dem DNS-Daemon erfolgt bei CentOS 7 nur noch über eine digital signierten Zugangskanal, der auf einem entsprechenden symetrischen Schlüssel basiert. Dieser zugehörige Schlüssel muss direkt in einer entsprechenden Konfigurationsdateien hinterlegt werden und so dem Client **rndc** und dem Server **bind** bekannt gegeben werden.
+/* ***************** Definition der allgemeinen Optionen ****************** */
+options {
+	// Arbeitsverzeichnis des Servers
+	directory "/var/named";
-=== rndc-confgen ===
+	// Das Verzeichnis, in dem sich die öffentlichen und privaten
-Mit Hilfe des Befehls **rndc-confgen** aus dem RPM-Paket **bind** kann sowohl dieser symetrische Schlüssel wie auch die zugehörige Client-Konfigurationsdatei //**/etc/rndc.conf**// erzeugt, wie auch die benötigten Konfigurationsoptionen für die DNS-Server-Konfigurationsdatei //**/etc/named.conf**// angezeigt werden.
+	// DNSSEC-Schlüsseldateien befinden sollen.
+	key-directory "/var/named";
-<code>RNDC-CONFGEN(8)                             BIND9                            RNDC-CONFGEN(8)
+	// Das Verzeichnis, in dem die Dateien gespeichert werden, welche
+	// die verwalteten DNSSEC-Schlüssel verfolgen.
+	managed-keys-directory "/var/named/dynamic";
-NAME
+	// Pfadname der Datei, um die eingebauten vertrauenswürdigen Schlüssel
-       rndc-confgen - rndc key generation tool
+	// von named zu überschreiben. Pfad zum ISC DLV Schlüssel.
+	bindkeys-file "/etc/named.iscdlv.key";
-SYNOPSIS
+        // Der Pfadname der Datei, in die ein TSIG-Sitzungsschlüssel geschrieben
-       rndc-confgen [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port]
+        // werden soll, der mit named für die Verwendung durch nsupdate -l
-                    [-r randomfile] [-s address] [-t chrootdir] [-u user]
+        // erzeugt wurde.
+        session-keyfile "/run/named/session.key";
-DESCRIPTION
+	// Der Pfadname der Datei, auf die der Server die security roots
-       rndc-confgen generates configuration files for rndc. It can be used as a convenient
+	// schreibt, wenn er hierzu angewiesen wird.
-       alternative to writing the rndc.conf file and the corresponding controls and key
+	secroots-file "/var/named/data/named_secroots.db";
-       statements in named.conf by hand. Alternatively, it can be run with the -a option to
-       set up a rndc.key file and avoid the need for a rndc.conf file and a controls
-       statement altogether.
-OPTIONS
+	// Der Pfadname der Datei, auf die der Server die Datenbank übergibt,
-       -a
+	// wenn er angewiesen wird.
-           Do automatic rndc configuration. This creates a file rndc.key in /etc (or
+	dump-file "/var/named/data/cache_dump.db";
-           whatever sysconfdir was specified as when BIND was built) that is read by both
-           rndc and named on startup. The rndc.key file defines a default command channel
-           and authentication key allowing rndc to communicate with named on the local host
-           with no further configuration.
-           Running rndc-confgen -a allows BIND 9 and rndc to be used as drop-in replacements
+	// Der Pfadname der Datei, an die der Server Statistiken anhängt,
-           for BIND 8 and ndc, with no changes to the existing BIND 8 named.conf file.
+	// wenn er Server hierzu angewiesen wird.
+	statistics-file "/var/named/data/named_stats.txt";
-           If a more elaborate configuration than that generated by rndc-confgen -a is
+	// Der Pfadname der Datei, in die der Server beim Beenden die
-           required, for example if rndc is to be used remotely, you should run rndc-confgen
+	// Speicherverbrauchsstatistik schreibt.
-           without the -a option and set up a rndc.conf and named.conf as directed.
+	memstatistics-file "/var/named/data/named_mem_stats.txt";
-       -b keysize
+	// Pfadname der Datei, in die der Server Abfragen, die gerade
-           Specifies the size of the authentication key in bits. Must be between 1 and 512
+	// wiederkehren, ausgibt, wenn er dazu angewiesen wird.
-           bits; the default is 128.
+	recursing-file "/var/named/data/named_recursing.db";
-       -c keyfile
+	// Pfadname der Datei, in die der Server seine Prozess-ID schreibt.
-           Used with the -a option to specify an alternate location for rndc.key.
+	pid-file "/run/named/named.pid";
-       -h
+	// Wird folgender Parameter auf "yes" gesetzt, dann fügt der Server
-           Prints a short summary of the options and arguments to rndc-confgen.
+	// bei der Generierung von Antworten nur dann Datensätze zur authority
+	// und additional data sections hinzu, wenn sie benötigt werden.
+	minimal-responses no;
-       -k keyname
+	/* Wird folgender Parameter auf "yes" gesetzt, dann wird der Server
-           Specifies the key name of the rndc authentication key. This must be a valid
+	   versuchen bei einer rekursiven DNS-Abfrage, alles versuchen um die
-           domain name. The default is rndc-key.
+	   Anfrage bestmöglich abzuarbeiten. Ist die Rekursion ausgeschaltet
+	   ist und der Server die Antwort noch nicht kennt, gibt er eine
+	   referral response (Empfehlungsantwort) zurück.
+	   Die Default-Einstellung ist "yes".
+	   Wichtig: Das Setzen der Rekursions-Option auf "no" verhindert nicht,
+	   dass Clients Daten aus dem Server-Cache beziehen; es verhindert nur,
+	   dass neue Daten als Folge von Client-Abfragen zwischengespeichert werden.
+	   Sofern der rekursiver DNS-Server über eine öffentliche IP-Adresse
+	   verfügt, MUSS zwingend eine Zugriffskontrolle aktiviert werden, um
+	   Abfragen auf die legitimen Benutzer zu beschränken!
+	   Nichtbeachtung kann zu Folgen haben, dass sonst der Server ein Teil
+	   von groß angelegten DNS-Amplifikations-Angriffen werden könnte.
+	   Die Implementierung von BCP38 in Ihrem Netzwerk würde diese
+	   Angriffsfläche erheblich reduzieren!
+	 */
+	recursion yes;
-       -p port
+	// DNSsec-Support aktivieren
-           Specifies the command channel port where named listens for connections from rndc.
+	dnssec-enable yes;
-           The default is 953.
-           Specifies the key name of the rndc authentication key. This must be a valid
-           domain name. The default is rndc-key.
-       -p port
+	/* DNSsec-Validierung aktivieren und mit den Root-Zertificaten abgleichen.
-           Specifies the command channel port where named listens for connections from rndc.
+	   "yes" = DNSSEC-Validierung ist aktiviert, aber ein Vertrauensanker muss
-           The default is 953.
+		   manuell konfiguriert werden. Eine Validierung findet erst dann
+		   statt, wenn mindestens einen vertrauenswürdigen Schlüssel
+		   manuell konfiguriert haben. Dies ist die Voreinstellung.
+	   "no"  = Die DNSSEC-Validierung ist deaktiviert, und rekursive Server
+		   verhalten sich in der "altmodischen" Art und Weise, unsichere
+		   DNS-Lookups durchzuführen.
+	   "auto"= Die DNSSEC-Validierung ist aktiviert, und es wird ein
+		   Standard-Trust-Anker (als Teil von BIND enthalten) für die
+		   DNS-Rootzone verwendet.
+	 */
+	dnssec-validation auto;
-       -r randomfile
+	/* Wird diese option gesetzt, stellt dnssec-lookaside dem validator eine
-           Specifies a source of random data for generating the authorization. If the
+	   alternative Methode zur Verfügung, um DNSKEY-Einträge bei Start einer
-           operating system does not provide a /dev/random or equivalent device, the default
+	   Zone (top of a zone) zu validieren. Wenn dnssec-lookaside auf auto
-           source of randomness is keyboard input.  randomdev specifies the name of a
+	   gesetzt ist, dann werden die eingebauten Standardwerte für die
-           character device or file containing random data to be used instead of the
+	   DLV-Domäne und den Vertrauensanker verwendet, zusammen mit einem
-           default. The special value keyboard indicates that keyboard input should be used.
+	   eingebauten Schlüssel für die Validierung.
+	 */
+	dnssec-lookaside auto;
-       -s address
+	// Diese Option wird verwendet, um den Zeichensatz und die Syntax
-           Specifies the IP address where named listens for command channel connections from
+	// bestimmter Domänennamen in Masterdateien und/oder DNS-Antworten,
-           rndc. The default is the loopback address 127.0.0.1.
+	// die vom Netzwerk empfangen werden, einzuschränken.
+	check-names master warn;
-       -t chrootdir
+	// Gibt an, welche Hosts diesen Server, einen Slave, zusätzlich zu den
-           Used with the -a option to specify a directory where named will run chrooted. An
+	// Zonen-Mastern über Zonenänderungen benachrichtigen dürfen.
-           additional copy of the rndc.key will be written relative to this directory so
+        allow-notify { 127.0.0.1; };
-           that it will be found by the chrooted named.
-       -u user
+        // Definiert, welche Hosts gewöhnliche DNS-Fragen stellen dürfen.
-           Used with the -a option to set the owner of the rndc.key file generated. If -t is
+        allow-query { ::1; 127.0.0.1; dmz; intra; };
-           also specified only the file in the chroot area has its owner changed.
-EXAMPLES
+        // Legt fest, welche Hosts rekursive Abfragen über diesen Server
-       To allow rndc to be used with no manual configuration, run
+	// durchführen dürfen.
+        allow-recursion { ::1; 127.0.0.1; dmz; intra; };
-       rndc-confgen -a
+        // Gibt an, welche Hosts Zonentransfers vom Server empfangen dürfen.
+        allow-transfer { 127.0.0.1; primary; };
-       To print a sample rndc.conf file and corresponding controls and key statements to be
+	// Gibt eine Liste von Adressen an, von denen der Server keine Anfragen
-       manually inserted into named.conf, run
+	// annimmt oder die zur Lösung einer Anfrage verwendet werden. Anfragen
+	// von diesen Adressen werden nicht beantwortet.
+        blackhole { none; };
-       rndc-confgen
+	// Die Schnittstellen und Ports, von denen der Server Anfragen
+	// beantwortet, können mit der Listen-On-Option angegeben werden.
+	listen-on port 53 { 127.0.0.1; interfaces; };
+	listen-on-v6 port 53 { ::1; };
-SEE ALSO
+	// Sofern der Server die Antwort auf eine Frage nicht kennt, fragt er
-       rndc(8), rndc.conf(5), named(8), BIND 9 Administrator Reference Manual.
+	// andere Nameserver ab. query-source gibt die Adresse und den Port an,
+	// die für solche Abfragen verwendet werden.
+        query-source address * port *;
-AUTHOR
+	// Maximale Größe eines Core Dump
-       Internet Systems Consortium
+	coresize default;
-COPYRIGHT
+	// Maximale Größe an RAM, die der Server verbrauchen darf.
-       Copyright © 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+	datasize default;
-       Copyright © 2001, 2003 Internet Software Consortium.
-BIND9                                   Aug 27, 2001                         RNDC-CONFGEN(8)
+	// Maximale Anzahl von geöffneten Dateien.
-</code>
+        files unlimited;
+        // Maximale Menge an Stack-Speicher, die der Server verwenden darf.
+        stacksize default;
-In folgendem Konfigurationsbeispiel, welches wir lediglich zum Anzeigen der später benötigten Konfigurationsoptionen benutzen,  nutzen wir folgende Optionen beim Aufruf des Hilfsprogramms **//rndc-confgen//**
+	// Maximale Größe jeder Journaldatei fest.
-  * -b keysize = 512
+	// (default ist unbegrenzt, was auch 2 Gigabyte bedeutet)
-  * -k keyname = rndc-key
+        max-journal-size unlimited;
-  * -r randomfile = /dev/random
-  * -u user = named
+	// Maximale Anzahl gleichzeitiger rekursiver Suchvorgänge, die der Server
+	// für Clients durchführt. Der Standardwert ist 1000.
+        recursive-clients 1000;
+	// Maximale Anzahl gleichzeitiger TCP Verbindungen die der Server von
+	// Clients akzeptiert. Der Standardwert ist 100.
+        tcp-clients 100;
+	/* Maximale Menge an Arbeitsspeicher (in Bytes), die für den Server-Cache
+	   verwendet werden kann. Ein Wert von 0 ist speziell, d.h. Datensätze
+	   werden nur aus dem Cache gelöscht, wenn ihre TTLs ablaufen ist. Ein
+	   weiteres spezielles Schlüsselwort unlimited bedeutet den maximalen Wert
+	   von 32-Bit-Ganzzahlen ohne Vorzeichen (0xffffffffffff), die haben nicht
+	   den gleichen Effekt wie 0 auf Maschinen, die mehr als 32 Bit unterstützen.
+           Alle positiven Werte kleiner als 2MB werden ignoriert und auf 2MB gesetzt.
+           Bei einem Server mit mehreren Views gilt die Begrenzung separat für
+         den Cache der einzelnen Views. Der Standardwert ist 0.
+	 */
+        max-cache-size 0;
+	/* List Queue Depth: Die Standardeinstellung und das Minimum ist 10. Sofern
+	   der Kernel Accept-Filter-Verbindungen unterstützt, werden die Daten im
+	   Kernel-Space gehalten und gewartet bevor die Anfrage weiterverarbeitet
+	   wird. Werte ungleich 0 unter 10 werden stillschweigend erhöht.
+	   ein Wert von 0 kann gesetzt werden und definiert auf den meisten
+	   Plattformen, dass die Länge der Listen-Warteschlange auf einen
+           systembedingter Standardwert gesetzt wird.
+	 */
+	tcp-listen-queue 10;
+	/* Der Server scannt die Liste der Netzwerkschnittstellen in regelmäßigen
+	   Abständen (Minuten). Die Standardeinstellung ist 60 Minuten. Der
+	   Maximalwert beträgt 28 Tage (40320 Minuten). Wird der wert auf 0 gesetzt,
+	   erfolgt die Überprüfung der Schnittstelle nur dann, wenn die
+	   Konfigurationsdatei geladen wird. Nach dem Scan beginnt der Server mit
+	   dem Abhören von Abfragen auf neu entdeckte Interfaces (vorausgesetzt, sie
+	   sind durch die Listen-On-Konfiguration erlaubt) und hört auf, auf nicht
+	   mehr vorhandene Interfaces zu hören.
+	 */
+	interface-interval 0;
+	/* Definiert die Zeit in Sekunden, in denen eine lahme Serveranzeige
+	   zwischengespeichert wird. 0 deaktiviert das Caching. (Dies wird NICHT
+	   empfohlen!) Der Standardwert ist 600 (10 Minuten) und der Maximalwert
+	   ist 1800 (30 Minuten).
+	 */
+        lame-ttl 600;
+	/* Um den Netzwerkverkehr zu reduzieren und die Leistung zu erhöhen,
+	   speichert der Server negative Antworten. max-ncache-ttl wird verwendet,
+	   um eine maximale Aufbewahrungszeit für diese Antworten im Server in
+	   Sekunden festzulegen. Die Standardeinstellung von max-ncache-ttl ist
+Sekunden (3 Stunden). max-ncache-ttl kann nicht länger als 7 Tage
+	   dauern und wird stillschweigend auf 7 Tage gekürzt, sollte er auf einen
+	   größeren Wert gesetzt werden!
+	 */
+        max-ncache-ttl 10800;
+	/* Legt die maximale Zeit fest, für die der Server gewöhnliche (positive)
+	   Antworten zwischenspeichert. Der Standardwert ist eine Woche (7 Tage).
+	   Ein Wert von Null kann dazu führen, dass alle Abfragen SERVFAIL
+	   zurückgeben, da im Auflösungsprozess verloren gegangene Caches von
+	   Zwischen-RRsets (z.B. NS und glue AAAA/A-Records) verloren gehen!
+	 */
+        max-cache-ttl 604800;
+	 /* Definiert die Größe des angebotenen EDNS UDP-Puffers (in Bytes), um
+	    die Größe der empfangenen Pakete zu kontrollieren. Gültige Werte sind
+bis 4096 (Werte außerhalb dieses Bereichs werden stillschweigend
+	    angepasst). Der Standardwert ist 4096. Der übliche Grund für das
+	    Setzen von edns-udp-size auf einen nicht standardmäßigen Wert ist es,
+	    UDP-Antworten zu erhalten, um durch gebrochene Firewalls zu gehen, die
+	    fragmentierte Pakete blockieren und/oder UDP-Pakete blockieren, die
+	    größer als 512 Bytes sind. named wird auf die Verwendung von 512 Bytes
+	    zurückgreifen, wenn es eine Reihe von Zeitüberschreitungen beim
+	    Anfangswert erhält. 512 Bytes werden nicht angeboten, um Websites zu
+	    ermutigen, ihre Firewalls zu reparieren. Kleine EDNS UDP-Größen führen
+	    zu einer übermäßigen Nutzung von TCP.
+	  */
+	edns-udp-size 4096;
+	/* Legt die maximale EDNS UDP-Nachrichtengröße fest, die in Bytes gesendet
+	   wird. Gültige Werte sind 512 bis 4096 (Werte außerhalb dieses Bereichs
+	   werden stillschweigend angepasst). Der Standardwert ist 4096. Der
+	   übliche Grund für das Setzen von max-udp-size auf einen nicht
+	   standardmäßigen Wert ist es, UDP-Antworten zu erhalten, um durch defekte
+	   Firewalls zu gehen, die fragmentierte Pakete blockieren und/oder
+	   UDP-Pakete blockieren, die größer als 512 Bytes sind. Dies ist unabhängig
+	   vom beworbenen Empfangspuffer (edns-udp-size). Wird dieser Wert auf einen
+	   niedrigen Wert gesetzt, wird zusätzlicher TCP-Verkehr zum Nameserver
+	   erzeugt!
+	 */
+        max-udp-size 4096;
-   # rndc-confgen -b 512 -k rndc-key -r /dev/random -u named
+	/* Definiert den Anfangswert (Minimum) der Anzahl rekursiver gleichzeitiger
-<code># Start of rndc.conf
+	   Clients für eine beliebige Abfrage (<qname,qtype,qclass>) fest, die der
-key "rndc-key" {
+	   Server akzeptiert, bevor er weitere Clients ignorieren wird. Named wird
-	algorithm hmac-md5;
+	   versuchen, diesen Wert selbst zu tunen und Änderungen werden
-	secret "FnqGCTNassQ6o5djkYN7pdgWifhUznPY+A2xqmvSRVvlWYphzSUHcJnqLciTZWAKJ9ogKIeQ763/tU8OZeta9A==";
+	   protokolliert. Der Standardwerte ist 10.
+	 */
+        clients-per-query 10;
+	/* Definiert den Anfangswert (Maximum) der Anzahl rekursiver gleichzeitiger
+	   Clients für eine beliebige Abfrage (<qname,qtype,qclass>) fest, die der
+	   Server akzeptiert, bevor er neue Client-Verbindungen anlehnen wird.
+	   Named wird versuchen, diesen Wert selbst zu tunen und Änderungen werden
+	   protokolliert. Die Standardeinstellung ist 100.
+	 */
+        max-clients-per-query 100;
+	/* Festlegung der Angaben (Version), die der Server über eine Abfrage des
+	   Namens version.bind mit dem Typ TXT, Klasse CHAOS, melden soll. Der
+	   Default-Wert ist die reale Versionsnummer des Servers. Durch die Angabe
+	   der Version none wird die Verarbeitung der Abfragen deaktiviert.
+	 */
+	version "DNS - nausch.org";
+	/* Der Hostname, den der Server über eine Abfrage des Namens hostname.bind
+	   mit dem Typ TXT, Klasse CHAOS, melden soll. Dies ist standardmäßig der
+	   Hostname des Rechners, auf dem sich der Name-Server befindet, wie er von
+	   der Funktion gethostname() gefunden wird. Die ID, die der Server beim
+	   Empfang einer NSID-Abfrage (Name Server Identifier) oder einer Abfrage
+	   des Namens ID.SERVER vom Typ TXT, Klasse CHAOS, melden soll. Der primäre
+	   Zweck solcher Abfragen ist es, herauszufinden, welcher einer Gruppe von
+	   Anycast-Servern Ihre Anfragen tatsächlich beantwortet.
+	   Angabe von server-id none; deaktiviert die Verarbeitung der Abfragen.
+	   Die Angabe von server-id hostname; bewirkt, dass named den Hostnamen
+	   verwendet, wie er durch die Funktion gethostname() gefunden wurde.
+	   Der Standardwert ist none.
+	 */
+        server-id none;
 };
-options {
+/* ******************* Definition der Logging-Parameter ******************* */
-	default-key "rndc-key";
+logging {
-	default-server 127.0.0.1;
-	default-port 953;
+        // Definition der unterschiedlichen Kanäle
+        // Standard-Startmeldungen
+        channel default_debug {
+                file "data/named.run";
+                severity dynamic;
+                print-category yes;
+                print-severity yes;
+                print-time yes;
+        };
+        // Genehmigung und Ablehnung von DNS-Anfragen
+        channel custom_security {
+                file "data/named.security";
+                severity info;
+                print-category yes;
+                print-severity yes;
+                print-time yes;
+        };
+        // Lame servers. Dabei handelt es sich um Fehlkonfigurationen bei
+        // Remote-Servern, die von BIND 9 entdeckt wurden, als dieser
+        // versuchte, diese Server während der Auflösung abzufragen.
+        channel custom_lame-servers {
+                file "data/named.lame-servers";
+                severity info;
+                print-category yes;
+                print-severity yes;
+                print-time yes;
+        };
+        // Definition der beiden Kathegorien security und lame-servers
+        category security {
+                custom_security;
+                default_syslog;
+                default_debug;
+        };
+        category lame-servers {
+                custom_lame-servers ;
+                default_syslog;
+                default_debug;
+        };
 };
-# End of rndc.conf
-# Use with the following in named.conf, adjusting the allow list as needed:
+/* ******************** Definition der Views and Zones ******************** */
-# key "rndc-key" {
+/*
-# 	algorithm hmac-md5;
+                                WICHTIG:
-# 	secret "FnqGCTNassQ6o5djkYN7pdgWifhUznPY+A2xqmvSRVvlWYphzSUHcJnqLciTZWAKJ9ogKIeQ763/tU8OZeta9A==";
+                                ========
-# };
-#
-# controls {
-# 	inet 127.0.0.1 port 953
-# 		allow { 127.0.0.1; } keys { "rndc-key"; };
-# };
-# End of named.conf</code>
-<WRAP center round important 90%>
+           Die Reihenfolge der View-Anweisungen ist signifikant.
-**Wichtig:** \\
+           Eine Client-Anfrage wird im Kontext der ersten Ansicht
-Der symmetrische Schlüssel muss sowohl in der Client-Konfigurationsdatei **// /etc/rndc.conf //** wie auch Server-Konfigurationsdatei **// /etc/named.conf //** hinterlegt werden. Zweckmäßiger ist es jedoch diesen Schlüssel in eine eigene Konfigurationsdatei zu hinterlegen und diese Datei dann entsprechend zu inkludieren!
+                      beantwortet, zu der sie passt!
-</WRAP>
+ */
+view "intra" IN {
+        // Ist der Anfragende Client aus dem Netz 10.0.10.0/25 (Intranet)?
+        match-clients { intra; };
-Bei der Installation des RPM-Paketes **bind** wurde auch ein zugehörige Key-Datei **// /etc/rndc.conf //** mit installiert.
+        /* ACHTUNG: Eine Zone kann entweder durch Bearbeiten von Zonendateien
-   # ll /etc/rndc.key
+                    und Neuladen des Servers oder durch dynamisches Update
-<code>-rw-r-----. 1 root named 77 Dec 28 18:26 /etc/rndc.key</code>
+		    aktualisiert werden, aber NIEMALS durch beides!
+		    Ist die dynamische Aktualisierung für eine Zone mit der
+		    Option "allow-update" aktiviert, darf KEINENFALLS die
+		    Zonendatei manuell bearbeitet werden! Der Server würde
+		    dann nicht mehr versuchen, die Informationen zur Zone
+		    aus der Datei zu laden!
+	 */
-   # less /etc/rndc.key
+        // Zone: root server
-<file bash /etc/rndc.key>key "rndc-key" {
+        zone "." IN {
-	algorithm hmac-md5;
+                type hint;
-	secret "LXQvnV2ZbqG9QMg8eV7fsQ==";
+                file "named.ca";
-};</file>
+        };
-Diese Datei werden wir nun zunächst sichern und dann automatisch neu anlegen lassen.
+        // Zone: localhost
-   # cp -a /etc/rndc.key /etc/rndc.key.orig
+        include "/etc/named.rfc1912.zones";
-Nun erzeugen wir uns unsere eigenen Schlüssel.
+        // Zone: intra.nausch.org (forward)
-   # rndc-confgen -a -b 512 -c /etc/rndc.key -k rndc-key -r /dev/random -u named
+        zone "intra.nausch.org" IN {
+                type master;
+                file "master/intra.nausch.org.zone.db";
+        };
-  wrote key file "/etc/rndc.key"
+        // Zone: intra.nausch.org (reverse)
+        zone "10.0.10.in-addr.arpa" IN {
+                type master;
+                file "master/10.0.10.in-addr.arpa.zone.db";
+        };
-Den Inhalt dieser Schlüsseldatei können wir uns nun auch anzeigen lassen.
+        // Zone: dmz.nausch.org   (forward)
-   # less /etc/rndc.key
+        zone "dmz.nausch.org" IN {
-<file bash /etc/rndc_local.key>key "rndc-key" {
+                type master;
-	algorithm hmac-md5;
+                file "intra/dmz.nausch.org.zone.db";
-	secret "prjseECUq/pzTKCwQKQoraA9KlYeuTMpwRd1qmQSYsKOOIw9b3QRN0ctcDlTvTs/6Urassjq0y+Vgi8eQPXQDA==";
+        };
-};</file>
-Anschließend passen wir dann noch die User- und Gruppen-Eigenschaften an:
+        // Zone: dmz.nausch.org   (reverse)
-   # chown root:named /etc/rndc.key
+        zone "0.0.10.in-addr.arpa" IN {
+                type master;
+                file "intra/0.0.10.in-addr.arpa.zone.db";
+        };
-Somit weist die Schlüsseldatei nunmehr die gleichen Rechte auf, die die original Datei aus dem RPM auf:
+};
-   # ll /etc/rndc.k*
-<code>-rw-r-----. 1 root named 74 Dec 29 08:14 /etc/rndc.key
+view "dmz" IN {
--rw-r-----. 1 root named 74 Dec 28 18:26 /etc/rndc.key.orig</code>
+        // Ist der Anfragende Client aus dem Netz 10.0.0.0/24 (DMZ)?
+        match-clients { localhost; dmz; };
-Zu guter Letzt legen wir nun noch die benötigte Konfigurationsdatei //**/etc/rndc.conf**// an.
+        /* ACHTUNG: Eine Zone kann entweder durch Bearbeiten von Zonendateien
-   # vim /etc/rndc.conf
+                    und Neuladen des Servers oder durch dynamisches Update
-<file bash /etc/rndc.conf>include "/etc/rndc.key";
+                    aktualisiert werden, aber NIEMALS durch beides!
+                    Ist die dynamische Aktualisierung für eine Zone mit der
-options {
+                    Option "allow-update" aktiviert, darf KEINENFALLS die
-	default-key "rndc-key";
+                    Zonendatei manuell bearbeitet werden! Der Server würde
-	default-server 127.0.0.1;
+                    dann nicht mehr versuchen, die Informationen zur Zone
-	default-port 953;
+                    aus der Datei zu laden!
-};</file>
+         */
-==== Root Hints Data File ====
+        // Zone: root server
-Bei der Installation unseres Nameservers mit Hilfe des RPMs wurde eine Datei mit den 13 ROOT-Nameservern mitgeliefert. Diese Liste ist jedoch nicht statisch und sollte erfahrungsgemäß alle sechs Monate einmal aktualisiert werden.
+        zone "." IN {
+                type hint;
+                file "named.ca";
+        };
-Wir können uns diese Datei direkt vom FTP-Server der [[http://www.internic.net/|InterNIC]] laden. Hierzu benutzen wir z.B. folgenden Befehl:
+        // Zone: localhost
-   # wget --user=ftp --password=ftp ftp://ftp.rs.internic.net/domain/db.cache -O /var/named/chroot/var/named/named.ca
+        include "/etc/named.rfc1912.zones";
-Bevor wir den DNS-Server zum Einlesen der neuen datei einmal durchstarten, werden wir noch die Datei- und Verzeichnisrechte entsprechend anpassen.
+        // Zone: intra.nausch.org (forward)
-   # chmod 640 /var/named/chroot/var/named/named.ca
+        zone "intra.nausch.org" IN {
-   # chown root:named /var/named/chroot/var/named/named.ca
+                type master;
+                file "master/intra.nausch.org.zone.db";
+        };
+        // Zone: intra.nausch.org (reverse)
+        zone "10.0.10.in-addr.arpa" IN {
+                type master;
+                file "master/10.0.10.in-addr.arpa.zone.db";
+        };
+        // Zone: dmz.nausch.org   (forward)
+        zone "dmz.nausch.org" IN {
+                type master;
+                file "master/dmz.nausch.org.zone.db";
+        };
+        // Zone: dmz.nausch.org   (reverse)
+        zone "0.0.10.in-addr.arpa" IN {
+                type master;
+                file "master/0.0.10.in-addr.arpa.zone.db";
+        };
+};
+/* *************************** sonstige includes ************************** */
+include "/etc/named.root.key";</file>
+Bevor wir zur Aktivierung unserer Konfiguration nun den Nameserver einmal durchstarten überprüfen wir noch, ob sich kein Schreibfehler oder sonstiger Konfigurationsfehler eingeschlichen hat.
+   # named-checkconf
+Geben wir beim Aufruf des Befehls **named-checkconf** die Option //**-p**// an, wird uns die (aufgelöste) Konfiguration __ohne__ die ganzen Kommentare ausgegeben.
+   # named-checkconf -p
+<code>options {
+	bindkeys-file "/etc/named.iscdlv.key";
+	blackhole {
+		"none";
+	};
+	coresize default;
+	datasize default;
+	session-keyfile "/run/named/session.key";
+	directory "/var/named";
+	dump-file "/var/named/data/cache_dump.db";
+	files unlimited;
+	interface-interval 0;
+	listen-on port 53 {
+.0.0.1/32;
+		"interfaces";
+	};
+	listen-on-v6 port 53 {
+		::1/128;
+	};
+	managed-keys-directory "/var/named/dynamic";
+	memstatistics-file "/var/named/data/named_mem_stats.txt";
+	pid-file "/run/named/named.pid";
+	recursing-file "/var/named/data/named_recursing.db";
+	recursive-clients 1000;
+	secroots-file "/var/named/data/named_secroots.db";
+	server-id none;
+	stacksize default;
+	statistics-file "/var/named/data/named_stats.txt";
+	tcp-clients 100;
+	tcp-listen-queue 10;
+	version "DNS - nausch.org";
+	allow-recursion {
+		::1/128;
+.0.0.1/32;
+		"dmz";
+		"intra";
+	};
+	check-names master warn;
+	clients-per-query 10;
+	dnssec-enable yes;
+	dnssec-lookaside auto;
+	dnssec-validation auto;
+	edns-udp-size 4096;
+	lame-ttl 600;
+	max-cache-size 0;
+	max-cache-ttl 604800;
+	max-clients-per-query 100;
+	max-ncache-ttl 10800;
+	max-udp-size 4096;
+	minimal-responses no;
+	query-source address 0.0.0.0 port 0;
+	recursion yes;
+	allow-notify {
+.0.0.1/32;
+	};
+	allow-query {
+		::1/128;
+.0.0.1/32;
+		"dmz";
+		"intra";
+	};
+	allow-transfer {
+.0.0.1/32;
+		"primary";
+	};
+	key-directory "/var/named";
+	max-journal-size unlimited;
+};
+controls {
+	inet 127.0.0.1 port 953 allow {
+.0.0.1/32;
+	} keys {
+		"rndc-key";
+	};
+};
+acl "dmz" {
+.0.0.0/24;
+};
+acl "intra" {
+.0.10.0/25;
+};
+acl "primary" {
+.0.0.27/32;
+};
+acl "interfaces" {
+.0.0.27/32;
+.0.10.27/32;
+};
+logging {
+	channel "default_debug" {
+		file "data/named.run";
+		severity dynamic;
+		print-time yes;
+		print-severity yes;
+		print-category yes;
+	};
+	channel "custom_security" {
+		file "data/named.security";
+		severity info;
+		print-time yes;
+		print-severity yes;
+		print-category yes;
+	};
+	channel "custom_lame-servers" {
+		file "data/named.lame-servers";
+		severity info;
+		print-time yes;
+		print-severity yes;
+		print-category yes;
+	};
+	category "security" {
+		"custom_security";
+		"default_syslog";
+		"default_debug";
+	};
+	category "lame-servers" {
+		"custom_lame-servers";
+		"default_syslog";
+		"default_debug";
+	};
+};
+view "intra" IN {
+	match-clients {
+		"intra";
+	};
+	zone "." IN {
+		type hint;
+		file "named.ca";
+	};
+	zone "localhost.localdomain" IN {
+		type master;
+		file "named.localhost";
+		allow-update {
+			"none";
+		};
+	};
+	zone "localhost" IN {
+		type master;
+		file "named.localhost";
+		allow-update {
+			"none";
+		};
+	};
+	zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
+		type master;
+		file "named.loopback";
+		allow-update {
+			"none";
+		};
+	};
+	zone "1.0.0.127.in-addr.arpa" IN {
+		type master;
+		file "named.loopback";
+		allow-update {
+			"none";
+		};
+	};
+	zone "0.in-addr.arpa" IN {
+		type master;
+		file "named.empty";
+		allow-update {
+			"none";
+		};
+	};
+	zone "intra.nausch.org" IN {
+		type master;
+		file "master/intra.nausch.org.zone.db";
+	};
+	zone "10.0.10.in-addr.arpa" IN {
+		type master;
+		file "master/10.0.10.in-addr.arpa.zone.db";
+	};
+	zone "dmz.nausch.org" IN {
+		type master;
+		file "intra/dmz.nausch.org.zone.db";
+	};
+	zone "0.0.10.in-addr.arpa" IN {
+		type master;
+		file "intra/0.0.10.in-addr.arpa.zone.db";
+	};
+};
+view "dmz" IN {
+	match-clients {
+		"localhost";
+		"dmz";
+	};
+	zone "." IN {
+		type hint;
+		file "named.ca";
+	};
+	zone "localhost.localdomain" IN {
+		type master;
+		file "named.localhost";
+		allow-update {
+			"none";
+		};
+	};
+	zone "localhost" IN {
+		type master;
+		file "named.localhost";
+		allow-update {
+			"none";
+		};
+	};
+	zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
+		type master;
+		file "named.loopback";
+		allow-update {
+			"none";
+		};
+	};
+	zone "1.0.0.127.in-addr.arpa" IN {
+		type master;
+		file "named.loopback";
+		allow-update {
+			"none";
+		};
+	};
+	zone "0.in-addr.arpa" IN {
+		type master;
+		file "named.empty";
+		allow-update {
+			"none";
+		};
+	};
+	zone "intra.nausch.org" IN {
+		type master;
+		file "master/intra.nausch.org.zone.db";
+	};
+	zone "10.0.10.in-addr.arpa" IN {
+		type master;
+		file "master/10.0.10.in-addr.arpa.zone.db";
+	};
+	zone "dmz.nausch.org" IN {
+		type master;
+		file "master/dmz.nausch.org.zone.db";
+	};
+	zone "0.0.10.in-addr.arpa" IN {
+		type master;
+		file "master/0.0.10.in-addr.arpa.zone.db";
+	};
+};
+key "rndc-key" {
+	algorithm "hmac-md5";
+	secret "TLtbjaRq8ci9RivwIseG42qAL88Vt05UESRrOtT4Kh2oUvU81tosVmHQWeX488lbuVxYfdpKZMD7d76Q6jyCJw==";
+};
+managed-keys {
+	"." initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=";
+	"." initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=";
+};</code>
+==== Neustart des Daemon ====
+Da mit der zuvor erstellten Konfiguration unseres Servers alles in Ordnung war, spricht nun nichts mehr dagegen, zur Aktivierung unserer Konfiguration den Daemon einmal durchzustarten.
+   # systemctl restart named-chroot.service
+Den Status des laufenden Daemon fragen wir wie gewohnt wie folgt ab.
+   # systemctl status named-chroot.service
+<html><pre class="code">
+<font style="color: rgb(0, 255, 0)"><b>● </b></font><font style="color: rgb(0, 0, 0)">named-chroot.service - Berkeley Internet Name Domain (DNS)
+   Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; enabled; vendor preset: disabled)
+   Active: <font style="color: rgb(0, 255, 0)"><b>active (running) </b></font><font style="color: rgb(0, 0, 0)">since Sat 2017-12-30 18:38:53 CET; 13s ago
+  Process: 13221 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
+  Process: 13324 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS (code=exited, status=0/SUCCESS)
+  Process: 13322 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
+ Main PID: 13327 (named)
+   CGroup: /system.slice/named-chroot.service
+           └─13327 /usr/sbin/named -u named -c /etc/named.conf -t /var/named/chroot
+Dec 30 18:38:53 vml000027.dmz.nausch.org named[13327]: automatic empty zone: view dmz: B.E.F.IP6.ARPA
+Dec 30 18:38:53 vml000027.dmz.nausch.org named[13327]: automatic empty zone: view dmz: 8.B.D.0.1.0.0.2.IP6.ARPA
+Dec 30 18:38:53 vml000027.dmz.nausch.org named[13327]: <b>command channel listening on 127.0.0.1#953</b>
+Dec 30 18:38:53 vml000027.dmz.nausch.org named[13327]: managed-keys-zone/intra: loaded serial 0
+Dec 30 18:38:53 vml000027.dmz.nausch.org named[13327]: managed-keys-zone/dmz: loaded serial 0
+Dec 30 18:38:53 vml000027.dmz.nausch.org named[13327]: zone 0.in-addr.arpa/IN/intra: loaded serial 0
+Dec 30 18:38:53 vml000027.dmz.nausch.org named[13327]: zone 10.0.10.in-addr.arpa/IN/intra: loaded serial 2017122901
+Dec 30 18:38:53 vml000027.dmz.nausch.org named[13327]: zone 1.0.0.127.in-addr.arpa/IN/intra: loaded serial 0
+Dec 30 18:38:53 vml000027.dmz.nausch.org named[13327]: zone intra.nausch.org/IN/intra: loaded serial 2017122901
+Dec 30 18:38:53 vml000027.dmz.nausch.org systemd[1]: Started Berkeley Internet Name Domain (DNS).
+</font>
+</pre></html>
-Nun können wir den Bind-Daemon durchstarten.
+Natürlich können wir den Status des DNS-servers auch mit Hilfe des Name Server Control Utility **rndc** abfragen.
-   #
+   # rndc status
+<code>version: 9.9.4-RedHat-9.9.4-51.el7_4.1 (DNS - nausch.org) <id:8f9657aa>
+CPUs found: 1
+worker threads: 1
+UDP listeners per interface: 1
+number of zones: 208
+debug level: 0
+xfers running: 0
+xfers deferred: 0
+soa queries in progress: 0
+query logging is OFF
+recursive clients: 0/0/1000
+tcp clients: 0/100
+server is up and running</code>
+Zur weiteren Überprüfung und/oder ggf. nötigen Fehlersuche ist ein Blick in folgende Logdateien vorzunehmen:
+  * //**/var/log/messages**// mit <code> # less /var/log/messages</code> oder <code> # tailf /var/log/messages</code>
+  * //**/var/named/data/named.run**// mit <code> # less /var/named/data/named.run</code> oder <code> # tailf /var/named/data/named.run</code>
+  * //**/var/named/data/named.lame-servers**// mit <code> # less /var/named/data/named.lame-servers</code> oder <code> # tailf /var/named/data/named.lame-servers</code>
+  * //**/var/named/data/named.security**// mit <code> # less /var/named/data/named.security</code> oder <code> # tailf /var/named/data/named.security</code>
+===== DNSsec =====
-How To Update The Root Hints Data File for BIND Named Server?
+\\
 FIXME //**... do gehda weida!**// FIXME