Wiki source code of DNS and DNSSEC
Last modified by Ad Min on 2026/03/10 15:27
| author | version | line-number | content |
|---|---|---|---|
| 1 | |||
| 2 | = DNS and DNSSEC = | ||
| 3 | |||
| 4 | == Nameservers == | ||
| 5 | |||
| 6 | (% class="wikitable" %) | ||
| 7 | |=Server|=IP|=Role|=Zones | ||
| 8 | |ns1.rhebergen.net|185.47.61.211|Primary|rhebergen.net, rhebergen.org | ||
| 9 | |ns2.nerderlands.net|45.14.112.14|Secondary (rhebergen.net), Primary (nerderlands.net)|nerderlands.net, rhebergen.net (slave) | ||
| 10 | |ns6.gandi.net|217.70.177.42|Secondary (Gandi)|rhebergen.net (slave) | ||
| 11 | |||
| 12 | == DNSSEC == | ||
| 13 | |||
| 14 | Both zones use NSEC3RSASHA1 (algorithm 7). | ||
| 15 | |||
| 16 | **Monthly maintenance:** | ||
| 17 | 1. Increment the serial in the zone file (format: YYYYMMDDNN) | ||
| 18 | 1. Sign the zone with the sign script | ||
| 19 | 1. Reload BIND with rndc reload | ||
| 20 | |||
| 21 | **Yearly (key rotation):** | ||
| 22 | 1. Move old keys to OLD_keys/ | ||
| 23 | 1. Generate a new ZSK (2048 bit) | ||
| 24 | 1. Generate a new KSK (4096 bit) | ||
| 25 | 1. Update the $INCLUDE lines in the zone file | ||
| 26 | 1. Sign and reload | ||
| 27 | 1. Update the DS records at the Gandi registrar | ||
| 28 | |||
| 29 | **Verification:** | ||
| 30 | {{code language="bash"}} | ||
| 31 | # Check signature expiry | ||
| 32 | dig @ns1.rhebergen.net rhebergen.net A +dnssec | ||
| 33 | |||
| 34 | # Full validation | ||
| 35 | delv @1.1.1.1 rhebergen.net A +rtrace | ||
| 36 | |||
| 37 | # Compare the SOA serial on all nameservers | ||
| 38 | for ns in ns1.rhebergen.net ns2.nerderlands.net ns6.gandi.net; do | ||
| 39 | echo -n "$ns: "; dig "@$ns" rhebergen.net SOA +short | awk '{print $3}' | ||
| 40 | done | ||
| 41 | {{/code}} | ||
| 42 | |||
| 43 | **Last performed:** | ||
| 44 | * ns1 key rotation: 3 January 2026 | ||
| 45 | * ns2 key rotation: 4 February 2026 |
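
The signature expiry check above only prints the RRSIG; the added example below (not part of the original wiki page) turns that output into a pass/warn/fail result that can run from cron between the monthly re-signing runs. The helper name `rrsig_status`, the 7-day warning threshold and the sample answer (address, key tag, signature and 30-day validity window) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the wiki page): report how long the soonest-expiring
# RRSIG in `dig +dnssec` answer output remains valid.
# rrsig_status is a hypothetical helper; the 7-day threshold is an assumption.

# stdin: dig answer lines; $1: current time (epoch seconds); $2: warn threshold (days)
# stdout / exit code: "OK <days>" 0, "WARN <days>" 1, "EXPIRED" 2, "NO_RRSIG" 3
rrsig_status() {
    awk -v now="$1" -v warn="$2" '
    # RRSIG timestamp (YYYYMMDDHHMMSS, UTC) to epoch seconds, days-from-civil method
    function epoch(ts,    y, m, d, days) {
        y = substr(ts, 1, 4) + 0; m = substr(ts, 5, 2) + 0; d = substr(ts, 7, 2) + 0
        if (m <= 2) { y--; m += 12 }
        days = 365*y + int(y/4) - int(y/100) + int(y/400) \
             + int((153*(m - 3) + 2) / 5) + d - 719469
        return days*86400 + substr(ts, 9, 2)*3600 + substr(ts, 11, 2)*60 \
             + substr(ts, 13, 2)
    }
    # Answer line: name ttl class RRSIG covered alg labels origttl expiration ...
    $4 == "RRSIG" && length($9) == 14 && $9 ~ /^[0-9]+$/ {
        left = epoch($9) - now
        if (!seen || left < min) { min = left; seen = 1 }
    }
    END {
        if (!seen)              { print "NO_RRSIG"; exit 3 }
        if (min <= 0)           { print "EXPIRED"; exit 2 }
        if (min < warn * 86400) { print "WARN " int(min / 86400); exit 1 }
        print "OK " int(min / 86400)
    }'
}

# Constructed sample answer: address, key tag and signature are placeholders.
SAMPLE='rhebergen.net. 3600 IN A 192.0.2.10
rhebergen.net. 3600 IN RRSIG A 7 2 3600 20260409000000 20260310000000 12345 rhebergen.net. cGxhY2Vob2xkZXI='

# "now" = 2026-03-10 00:00:00 UTC, the inception time of the sample signature
printf '%s\n' "$SAMPLE" | rrsig_status 1773100800 7   # prints: OK 30

# Live use (needs network):
#   dig @ns1.rhebergen.net rhebergen.net A +dnssec +noall +answer \
#     | rrsig_status "$(date +%s)" 7
```

A non-zero exit code lets a cron wrapper or monitoring check alert before validating resolvers start returning SERVFAIL for the zone.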