{"id":3472,"date":"2025-12-27T15:30:09","date_gmt":"2025-12-27T12:30:09","guid":{"rendered":"https:\/\/www.dchost.com\/blog\/dnssec-nedir-ne-ise-yarar-alan-adiniz-ve-hostinginiz-icin-adim-adim-dnssec-kurulum-rehberi\/"},"modified":"2025-12-27T15:30:09","modified_gmt":"2025-12-27T12:30:09","slug":"dnssec-nedir-ne-ise-yarar-alan-adiniz-ve-hostinginiz-icin-adim-adim-dnssec-kurulum-rehberi","status":"publish","type":"post","link":"https:\/\/www.dchost.com\/blog\/dnssec-nedir-ne-ise-yarar-alan-adiniz-ve-hostinginiz-icin-adim-adim-dnssec-kurulum-rehberi\/","title":{"rendered":"DNSSEC Nedir, Ne \u0130\u015fe Yarar? Alan Ad\u0131n\u0131z ve Hostinginiz \u0130\u00e7in Ad\u0131m Ad\u0131m DNSSEC Kurulum Rehberi"},"content":{"rendered":"<div class=\"dchost-blog-content-wrapper\"><div id=\"toc_container\" class=\"toc_transparent no_bullets\"><p class=\"toc_title\">\u0130&ccedil;indekiler<\/p><ul class=\"toc_list\"><li><a href=\"#DNSSEC_Nedir_ve_Neden_Ciddiye_Almalisiniz\"><span class=\"toc_number toc_depth_1\">1<\/span> DNSSEC Nedir ve Neden Ciddiye Almal\u0131s\u0131n\u0131z?<\/a><\/li><li><a href=\"#DNS_ve_DNSSECin_Temel_Mantigi\"><span class=\"toc_number toc_depth_1\">2<\/span> DNS ve DNSSEC\u2019in Temel Mant\u0131\u011f\u0131<\/a><ul><li><a href=\"#Klasik_DNSin_Zayif_Noktasi\"><span class=\"toc_number toc_depth_2\">2.1<\/span> Klasik DNS\u2019in Zay\u0131f Noktas\u0131<\/a><\/li><li><a href=\"#DNSSEC_Nedir\"><span class=\"toc_number toc_depth_2\">2.2<\/span> DNSSEC Nedir?<\/a><\/li><\/ul><\/li><li><a href=\"#DNSSECin_Sagladigi_Avantajlar\"><span class=\"toc_number toc_depth_1\">3<\/span> DNSSEC\u2019in Sa\u011flad\u0131\u011f\u0131 Avantajlar<\/a><ul><li><a href=\"#1_Sahte_DNS_Yanitlarina_Karsi_Koruma\"><span class=\"toc_number toc_depth_2\">3.1<\/span> 1. Sahte DNS Yan\u0131tlar\u0131na Kar\u015f\u0131 Koruma<\/a><\/li><li><a href=\"#2_E-posta_ve_TLS_Ekosistemiyle_Entegrasyon\"><span class=\"toc_number toc_depth_2\">3.2<\/span> 2. E-posta ve TLS Ekosistemiyle Entegrasyon<\/a><\/li><li><a href=\"#3_Marka_Guveni_ve_Uyum_Gereksinimleri\"><span class=\"toc_number toc_depth_2\">3.3<\/span> 3. Marka G\u00fcveni ve Uyum Gereksinimleri<\/a><\/li><\/ul><\/li><li><a href=\"#DNSSECin_Teknik_Bilesenleri\"><span class=\"toc_number toc_depth_1\">4<\/span> DNSSEC\u2019in Teknik Bile\u015fenleri<\/a><ul><li><a href=\"#KSK_ve_ZSK_Iki_Farkli_Anahtar_Rolu\"><span class=\"toc_number toc_depth_2\">4.1<\/span> KSK ve ZSK: \u0130ki Farkl\u0131 Anahtar Rol\u00fc<\/a><\/li><li><a href=\"#Onemli_DNSSEC_Kayit_Tipleri\"><span class=\"toc_number toc_depth_2\">4.2<\/span> \u00d6nemli DNSSEC Kay\u0131t Tipleri<\/a><\/li><li><a href=\"#Guven_Zinciri_Nasil_Calisir\"><span class=\"toc_number toc_depth_2\">4.3<\/span> G\u00fcven Zinciri Nas\u0131l \u00c7al\u0131\u015f\u0131r?<\/a><\/li><\/ul><\/li><li><a href=\"#DNSSECe_Gecmeden_Once_Kontrol_Listesi\"><span class=\"toc_number toc_depth_1\">5<\/span> DNSSEC\u2019e Ge\u00e7meden \u00d6nce Kontrol Listesi<\/a><ul><li><a href=\"#1_DNSinizi_Kim_Yonetiyor\"><span class=\"toc_number toc_depth_2\">5.1<\/span> 1. DNS\u2019inizi Kim Y\u00f6netiyor?<\/a><\/li><li><a href=\"#2_Kayit_Operatorunuz_DNSSEC_Destekliyor_mu\"><span class=\"toc_number toc_depth_2\">5.2<\/span> 2. Kay\u0131t Operat\u00f6r\u00fcn\u00fcz DNSSEC Destekliyor mu?<\/a><\/li><li><a href=\"#3_TTL_ve_Yayilim_Stratejisi\"><span class=\"toc_number toc_depth_2\">5.3<\/span> 3. TTL ve Yay\u0131l\u0131m Stratejisi<\/a><\/li><\/ul><\/li><li><a href=\"#Genel_Senaryo_Adim_Adim_DNSSEC_Kurulum_Rehberi\"><span class=\"toc_number toc_depth_1\">6<\/span> Genel Senaryo: Ad\u0131m Ad\u0131m DNSSEC Kurulum Rehberi<\/a><ul><li><a href=\"#Adim_1_Mevcut_DNS_ve_Nameserver_Durumunu_Analiz\"><span class=\"toc_number toc_depth_2\">6.1<\/span> Ad\u0131m 1: Mevcut DNS ve Nameserver Durumunu Analiz<\/a><\/li><li><a href=\"#Adim_2_DNS_Saglayicisinda_DNSSECi_Etkinlestirme_Zone_Signing\"><span class=\"toc_number toc_depth_2\">6.2<\/span> Ad\u0131m 2: DNS Sa\u011flay\u0131c\u0131s\u0131nda DNSSEC\u2019i Etkinle\u015ftirme (Zone Signing)<\/a><\/li><li><a href=\"#Adim_3_DS_Kaydini_Registrar_Paneline_Eklemek\"><span class=\"toc_number toc_depth_2\">6.3<\/span> Ad\u0131m 3: DS Kayd\u0131n\u0131 Registrar Paneline Eklemek<\/a><\/li><li><a href=\"#Adim_4_DNSSEC_Kurulumunu_Dogrulama\"><span class=\"toc_number toc_depth_2\">6.4<\/span> Ad\u0131m 4: DNSSEC Kurulumunu Do\u011frulama<\/a><\/li><li><a href=\"#Adim_5_Izleme_Yedek_ve_Operasyonel_Sureklilik\"><span class=\"toc_number toc_depth_2\">6.5<\/span> Ad\u0131m 5: \u0130zleme, Yedek ve Operasyonel S\u00fcreklilik<\/a><\/li><\/ul><\/li><li><a href=\"#cPanel_ve_DirectAdmin_Uzerinde_DNSSEC_Mantigi\"><span class=\"toc_number toc_depth_1\">7<\/span> cPanel ve DirectAdmin \u00dczerinde DNSSEC Mant\u0131\u011f\u0131<\/a><ul><li><a href=\"#Paylasimli_Hosting_ve_Reseller_Senaryosu\"><span class=\"toc_number toc_depth_2\">7.1<\/span> Payla\u015f\u0131ml\u0131 Hosting ve Reseller Senaryosu<\/a><\/li><li><a href=\"#VPS_veya_Dedicated_Uzerinde_Kendi_Nameserverinizi_Kullandiginizda\"><span class=\"toc_number toc_depth_2\">7.2<\/span> VPS veya Dedicated \u00dczerinde Kendi Nameserver\u2019\u0131n\u0131z\u0131 Kulland\u0131\u011f\u0131n\u0131zda<\/a><\/li><\/ul><\/li><li><a href=\"#Harici_DNS_Saglayici_Kullananlar_Icin_Dikkat_Edilmesi_Gerekenler\"><span class=\"toc_number toc_depth_1\">8<\/span> Harici DNS Sa\u011flay\u0131c\u0131 Kullananlar \u0130\u00e7in Dikkat Edilmesi Gerekenler<\/a><\/li><li><a href=\"#DNSSEC_SSLTLS_ve_E-posta_Guvenligiyle_Nasil_Birlikte_Calisir\"><span class=\"toc_number toc_depth_1\">9<\/span> DNSSEC, SSL\/TLS ve E-posta G\u00fcvenli\u011fiyle Nas\u0131l Birlikte \u00c7al\u0131\u015f\u0131r?<\/a><ul><li><a href=\"#HTTPS_Tarafi\"><span class=\"toc_number toc_depth_2\">9.1<\/span> HTTPS Taraf\u0131<\/a><\/li><li><a href=\"#E-posta_Tarafi\"><span class=\"toc_number toc_depth_2\">9.2<\/span> E-posta Taraf\u0131<\/a><\/li><\/ul><\/li><li><a href=\"#DNSSEC_Kurarken_Yapilan_Yaygin_Hatalar_ve_Kurtarma_Onerileri\"><span class=\"toc_number toc_depth_1\">10<\/span> DNSSEC Kurarken Yap\u0131lan Yayg\u0131n Hatalar ve Kurtarma \u00d6nerileri<\/a><ul><li><a href=\"#Yanlis_DS_Kaydi_Eklemek\"><span class=\"toc_number toc_depth_2\">10.1<\/span> Yanl\u0131\u015f DS Kayd\u0131 Eklemek<\/a><\/li><li><a href=\"#Nameserver_Degisikliginde_DNSSECi_Unutmak\"><span class=\"toc_number toc_depth_2\">10.2<\/span> Nameserver De\u011fi\u015fikli\u011finde DNSSEC\u2019i Unutmak<\/a><\/li><li><a href=\"#Anahtar_Dondurmeyi_Plansiz_Yapmak\"><span class=\"toc_number toc_depth_2\">10.3<\/span> Anahtar D\u00f6nd\u00fcrmeyi Plans\u0131z Yapmak<\/a><\/li><\/ul><\/li><li><a href=\"#DCHost_ile_DNSSEC_Stratejinizi_Nasil_Kurabilirsiniz\"><span class=\"toc_number toc_depth_1\">11<\/span> DCHost ile DNSSEC Stratejinizi Nas\u0131l Kurabilirsiniz?<\/a><\/li><li><a href=\"#Sonuc_ve_Yol_Haritasi\"><span class=\"toc_number toc_depth_1\">12<\/span> Sonu\u00e7 ve Yol Haritas\u0131<\/a><\/li><\/ul><\/div>\n<h2><span id=\"DNSSEC_Nedir_ve_Neden_Ciddiye_Almalisiniz\">DNSSEC Nedir ve Neden Ciddiye Almal\u0131s\u0131n\u0131z?<\/span><\/h2>\n<p>Alan ad\u0131n\u0131z\u0131n DNS kay\u0131tlar\u0131, sitenizin ger\u00e7ekten size ait olup olmad\u0131\u011f\u0131 konusunda taray\u0131c\u0131lara ve e-posta sunucular\u0131na g\u00fcven veren ilk katmand\u0131r. Ancak klasik DNS protokol\u00fc, tasarland\u0131\u011f\u0131 d\u00f6nem gere\u011fi g\u00fcvenlik neredeyse hi\u00e7 d\u00fc\u015f\u00fcn\u00fclmeden olu\u015fturuldu. Yani bir sald\u0131rgan, a\u011fda araya girerek veya DNS \u00f6nbelleklerini zehirleyerek (cache poisoning) ziyaret\u00e7ilerinizi sahte bir IP adresine y\u00f6nlendirebilir. SSL\/TLS kullan\u0131yor olsan\u0131z bile, yanl\u0131\u015f IP\u2019ye giden bir kullan\u0131c\u0131 i\u00e7in sald\u0131r\u0131 y\u00fczeyi olu\u015fur. \u0130\u015fte DNSSEC tam bu noktada devreye giriyor: DNS yan\u0131tlar\u0131n\u0131 kriptografik olarak imzalayarak, kay\u0131tlar\u0131n yol boyunca de\u011fi\u015ftirilmedi\u011fini kan\u0131tl\u0131yor.<\/p>\n<p>Bu rehberde, DNSSEC\u2019in ne oldu\u011funu sade bir dille a\u00e7\u0131klay\u0131p, alan ad\u0131n\u0131z ve hostinginiz i\u00e7in ad\u0131m ad\u0131m nas\u0131l kuraca\u011f\u0131n\u0131z\u0131 anlataca\u011f\u0131z. Hangi kay\u0131tlar\u0131n i\u015fin i\u00e7inde oldu\u011funu, KSK\/ZSK ve DS gibi kavramlar\u0131n ne anlama geldi\u011fini, hangi panelde hangi ad\u0131mlar\u0131 izlemeniz gerekti\u011fini ve en \u00f6nemlisi, siteyi \u00e7\u00f6kertmeden g\u00fcvenli ge\u00e7i\u015fi nas\u0131l yapaca\u011f\u0131n\u0131z\u0131 pratik \u00f6rneklerle ele alaca\u011f\u0131z. DCHost olarak g\u00fcnl\u00fck operasyonlar\u0131m\u0131zda DNSSEC\u2019i hem kendi alan adlar\u0131m\u0131zda hem de m\u00fc\u015fterilerimizin kurumsal, e-ticaret ve SaaS projelerinde aktif olarak kullan\u0131yoruz; bu yaz\u0131y\u0131 da sahadaki ger\u00e7ek tecr\u00fcbelerimizi s\u00fczerek haz\u0131rlad\u0131k.<\/p>\n<h2><span id=\"DNS_ve_DNSSECin_Temel_Mantigi\">DNS ve DNSSEC\u2019in Temel Mant\u0131\u011f\u0131<\/span><\/h2>\n<h3><span id=\"Klasik_DNSin_Zayif_Noktasi\">Klasik DNS\u2019in Zay\u0131f Noktas\u0131<\/span><\/h3>\n<p>DNS\u2019i \u00e7o\u011fu zaman \u201calan ad\u0131 &rarr; IP adresi \u00e7evirisi yapan rehber\u201d olarak anlat\u0131yoruz. Teknik olarak do\u011fru, ancak eksik. DNS; A, AAAA, MX, TXT, CNAME gibi bir\u00e7ok kay\u0131t tipini bar\u0131nd\u0131ran, hiyerar\u015fik ve da\u011f\u0131t\u0131k bir veritaban\u0131. Klasik DNS\u2019te bu kay\u0131tlar d\u00fcz metin olarak sorgulan\u0131r ve cevaplan\u0131r; cevaplar\u0131n do\u011frulu\u011fu kriptografik olarak do\u011frulanmaz. Bu nedenle:<\/p>\n<ul>\n<li>DNS \u00f6nbellek zehirleme (cache poisoning)<\/li>\n<li>Man-in-the-middle (MITM) sald\u0131r\u0131lar\u0131<\/li>\n<li>Sahte ad sunucular (rogue DNS)<\/li>\n<\/ul>\n<p>gibi sald\u0131r\u0131larla kullan\u0131c\u0131lar, fark\u0131nda olmadan sahte IP adreslerine y\u00f6nlendirilebilir. Bu durum, \u00f6zellikle \u00f6deme sayfalar\u0131 ve giri\u015f formlar\u0131 i\u00e7in ciddi bir risk olu\u015fturur. DNS kay\u0131tlar\u0131n\u0131n temellerine hakim de\u011filseniz, \u00f6nce <a href=\"https:\/\/www.dchost.com\/blog\/dns-kayitlari-nedir-a-aaaa-cname-mx-txt-ve-srv-rehberi\/\">DNS kay\u0131tlar\u0131 A, AAAA, CNAME, MX, TXT ve SRV rehberimizi<\/a> okuman\u0131z\u0131 tavsiye ederiz.<\/p>\n<h3><span id=\"DNSSEC_Nedir\">DNSSEC Nedir?<\/span><\/h3>\n<p>DNSSEC (DNS Security Extensions), DNS protokol\u00fcne eklenen bir g\u00fcvenlik katman\u0131d\u0131r. Temel amac\u0131, \u201cBu DNS kayd\u0131 ger\u00e7ekten yetkili ad sunucusundan m\u0131 geldi ve yolda de\u011fi\u015ftirilmedi mi?\u201d sorusuna kriptografik olarak do\u011frulanabilir bir yan\u0131t vermektir. Bunu da \u015fu \u015fekilde yapar:<\/p>\n<ul>\n<li>Alan ad\u0131 b\u00f6lgenizdeki (zone) DNS kay\u0131tlar\u0131n\u0131 <strong>\u00f6zel anahtar<\/strong> ile imzalar.<\/li>\n<li>Ortaya \u00e7\u0131kan imza verilerini RRSIG kay\u0131tlar\u0131 olarak DNS\u2019e ekler.<\/li>\n<li>Kamuya a\u00e7\u0131k <strong>DNSKEY<\/strong> kay\u0131tlar\u0131 ve \u00fcst d\u00fczeydeki <strong>DS<\/strong> kayd\u0131 ile bir g\u00fcven zinciri olu\u015fturur.<\/li>\n<\/ul>\n<p>Taray\u0131c\u0131lar do\u011frudan DNSSEC do\u011frulamas\u0131 yapmasa bile, \u00e7\u00f6z\u00fcmleyici (resolver) taraf\u0131nda DNSSEC do\u011frulamas\u0131 etkinse sahte veya bozulmu\u015f yan\u0131tlar \u201cbogus\u201d olarak i\u015faretlenir ve kullan\u0131c\u0131ya iletilmez. B\u00f6ylece sahte IP\u2019ye y\u00f6nlendirilme riski ciddi bi\u00e7imde azal\u0131r.<\/p>\n<h2><span id=\"DNSSECin_Sagladigi_Avantajlar\">DNSSEC\u2019in Sa\u011flad\u0131\u011f\u0131 Avantajlar<\/span><\/h2>\n<h3><span id=\"1_Sahte_DNS_Yanitlarina_Karsi_Koruma\">1. Sahte DNS Yan\u0131tlar\u0131na Kar\u015f\u0131 Koruma<\/span><\/h3>\n<p>DNSSEC\u2019in en somut faydas\u0131, DNS yan\u0131tlar\u0131n\u0131n b\u00fct\u00fcnl\u00fc\u011f\u00fcn\u00fc ve kayna\u011f\u0131n\u0131 do\u011frulamas\u0131d\u0131r. Bir sald\u0131rgan, araya girip DNS yan\u0131tlar\u0131n\u0131 de\u011fi\u015ftirmeye \u00e7al\u0131\u015fsa bile:<\/p>\n<ul>\n<li>\u0130mza (RRSIG) ile kay\u0131t uyu\u015fmaz.<\/li>\n<li>Do\u011frulama yapan resolver sonucu \u201cge\u00e7ersiz (bogus)\u201d olarak i\u015faretler.<\/li>\n<li>Kay\u0131t kullan\u0131c\u0131ya iletilmez; b\u00f6ylece sald\u0131r\u0131 bo\u015fa d\u00fc\u015fer.<\/li>\n<\/ul>\n<p>Bu, \u00f6zellikle e-ticaret, finans, sa\u011fl\u0131k, kamu kurumlar\u0131 ve kurumsal paneller i\u00e7in kritik bir g\u00fcvenlik katman\u0131d\u0131r. Ziyaret\u00e7i say\u0131n\u0131z ve marka bilinirli\u011finiz artt\u0131k\u00e7a, DNS katman\u0131na y\u00f6nelik hedefli sald\u0131r\u0131 ihtimali de artar; DNSSEC bu noktada temel bir sigorta g\u00f6revi g\u00f6r\u00fcr.<\/p>\n<h3><span id=\"2_E-posta_ve_TLS_Ekosistemiyle_Entegrasyon\">2. E-posta ve TLS Ekosistemiyle Entegrasyon<\/span><\/h3>\n<p>DNSSEC, tek ba\u015f\u0131na sadece DNS kay\u0131tlar\u0131n\u0131n b\u00fct\u00fcnl\u00fc\u011f\u00fcn\u00fc garanti eder. Ancak \u00fczerinde in\u015fa edilen <strong>DANE\/TLSA<\/strong>, <strong>SMIMEA<\/strong> gibi standartlarla beraber kullan\u0131ld\u0131\u011f\u0131nda, e-posta ve HTTPS g\u00fcvenli\u011fini daha da g\u00fc\u00e7lendirebilir. \u00d6rne\u011fin DANE\/TLSA ile bir alan ad\u0131 i\u00e7in hangi TLS sertifikalar\u0131n\u0131n ge\u00e7erli oldu\u011funu DNS \u00fczerinden ilan edebilir, DNSSEC sayesinde bu bilginin manip\u00fcle edilmesini zorla\u015ft\u0131rabilirsiniz. Bu konuyu daha detayl\u0131 incelemek isterseniz <a href=\"https:\/\/www.dchost.com\/blog\/mta-sts-tls-rpt-ve-dane-tlsa-ile-smtp-guvenligi-teslim-edilebilirligi-ve-sifrelemeyi-nasil-guclendirirsin\/\">MTA-STS, TLS-RPT ve DANE\/TLSA ile SMTP g\u00fcvenli\u011fi rehberimize<\/a> g\u00f6z atabilirsiniz.<\/p>\n<h3><span id=\"3_Marka_Guveni_ve_Uyum_Gereksinimleri\">3. Marka G\u00fcveni ve Uyum Gereksinimleri<\/span><\/h3>\n<p>Baz\u0131 reg\u00fclat\u00f6rler ve kurumsal g\u00fcvenlik standartlar\u0131, kritik altyap\u0131larda DNSSEC kullan\u0131m\u0131n\u0131 do\u011frudan veya dolayl\u0131 olarak tavsiye eder. Bankac\u0131l\u0131k, kamu, b\u00fcy\u00fck kurumsal yap\u0131larda DNSSEC; ihale \u015fartlar\u0131, denetim raporlar\u0131 veya s\u0131zma testi \u00e7\u0131kt\u0131lar\u0131nda kar\u015f\u0131n\u0131za gelebilir. DNSSEC kullan\u0131yor olman\u0131z, alan ad\u0131 g\u00fcvenli\u011fi konusunda olgun bir yakla\u015f\u0131m sergiledi\u011finizi g\u00f6sterir ve <a href=\"https:\/\/www.dchost.com\/blog\/alan-adi-guvenligi-rehberi-registrar-lock-dnssec-whois-gizliligi-ve-2fa\/\">Registrar Lock, Whois gizlili\u011fi ve 2FA gibi di\u011fer alan ad\u0131 g\u00fcvenlik \u00f6nlemleriyle<\/a> birlikte ele al\u0131nd\u0131\u011f\u0131nda g\u00fc\u00e7l\u00fc bir b\u00fct\u00fcn olu\u015fturur.<\/p>\n<h2><span id=\"DNSSECin_Teknik_Bilesenleri\">DNSSEC\u2019in Teknik Bile\u015fenleri<\/span><\/h2>\n<h3><span id=\"KSK_ve_ZSK_Iki_Farkli_Anahtar_Rolu\">KSK ve ZSK: \u0130ki Farkl\u0131 Anahtar Rol\u00fc<\/span><\/h3>\n<p>DNSSEC\u2019te genellikle iki tip anahtar kullan\u0131l\u0131r:<\/p>\n<ul>\n<li><strong>KSK (Key Signing Key):<\/strong> Di\u011fer DNS anahtarlar\u0131n\u0131 (\u00f6zellikle ZSK\u2019yi) imzalamak i\u00e7in kullan\u0131l\u0131r. Daha uzun \u00f6m\u00fcrl\u00fc olur, daha az s\u0131kl\u0131kla de\u011fi\u015ftirilir.<\/li>\n<li><strong>ZSK (Zone Signing Key):<\/strong> As\u0131l DNS kay\u0131tlar\u0131n\u0131 imzalamak i\u00e7in kullan\u0131l\u0131r. Daha s\u0131k d\u00f6nd\u00fcr\u00fclebilir (rollover) ve operasyonel y\u00fck\u00fc ta\u015f\u0131r.<\/li>\n<\/ul>\n<p>Bu ayr\u0131m, g\u00fcvenlik ve operasyonel esneklik sa\u011flar. \u00d6rne\u011fin s\u0131k anahtar de\u011fi\u015ftirmeniz gerekti\u011finde sadece ZSK\u2019yi d\u00f6nd\u00fcr\u00fcp KSK\u2019yi daha stabil b\u0131rakabilirsiniz. Geli\u015fmi\u015f senaryolarda anahtar d\u00f6nd\u00fcrmeyi (key rollover) planl\u0131yorsan\u0131z, mutlaka <a href=\"https:\/\/www.dchost.com\/blog\/dnssec-key-rollover-ksk-zsk-ve-ds-kayit-guncelleme-sifir-kesintiyle-anahtar-dondurme-nasil-yapilir\/\">DNSSEC key rollover ve DS kay\u0131t g\u00fcncelleme rehberimizi<\/a> okuman\u0131z\u0131 \u00f6neririz.<\/p>\n<h3><span id=\"Onemli_DNSSEC_Kayit_Tipleri\">\u00d6nemli DNSSEC Kay\u0131t Tipleri<\/span><\/h3>\n<ul>\n<li><strong>DNSKEY:<\/strong> Alan ad\u0131n\u0131z\u0131n kulland\u0131\u011f\u0131 a\u00e7\u0131k anahtarlar\u0131 i\u00e7erir. \u00c7\u00f6z\u00fcc\u00fc, bu kay\u0131tlar sayesinde imzalar\u0131n ge\u00e7erlili\u011fini kontrol eder.<\/li>\n<li><strong>RRSIG:<\/strong> Alan ad\u0131n\u0131zdaki her kay\u0131t setinin (\u00f6rne\u011fin A kay\u0131tlar\u0131) imzas\u0131n\u0131 tutar. \u201cBu A kay\u0131tlar\u0131 \u015fu anahtarla \u015fu zamanda imzaland\u0131\u201d bilgisini ta\u015f\u0131r.<\/li>\n<li><strong>DS (Delegation Signer):<\/strong> \u00dcst alan (\u00f6rne\u011fin .com veya .tr) taraf\u0131nda tutulan ve sizin DNSKEY kayd\u0131n\u0131za i\u015faret eden \u00f6zet bilgidir. G\u00fcven zincirinin kritik halkas\u0131d\u0131r.<\/li>\n<li><strong>NSEC \/ NSEC3:<\/strong> \u201cBu alan alt\u0131nda \u015fu kay\u0131tlar var, \u015fu kay\u0131tlar yok\u201d bilgisini imzal\u0131 \u015fekilde sunar. Var olmayan kay\u0131tlar i\u00e7in g\u00fcvenli negatif yan\u0131t \u00fcretmeye yarar.<\/li>\n<\/ul>\n<h3><span id=\"Guven_Zinciri_Nasil_Calisir\">G\u00fcven Zinciri Nas\u0131l \u00c7al\u0131\u015f\u0131r?<\/span><\/h3>\n<p>DNSSEC\u2019in kalbinde \u201cchain of trust\u201d yani g\u00fcven zinciri kavram\u0131 vard\u0131r:<\/p>\n<ol>\n<li>K\u00f6k alan (.) kendi anahtarlar\u0131yla imzal\u0131d\u0131r.<\/li>\n<li>.com, .net, .tr gibi TLD\u2019lerin anahtarlar\u0131 k\u00f6k taraf\u0131ndan do\u011frulanabilir.<\/li>\n<li>Sizin alan ad\u0131n\u0131z\u0131n (\u00f6rne\u011fin <em>ornekalanadi.com<\/em>) DS kayd\u0131, TLD b\u00f6lgesinde saklan\u0131r ve TLD\u2019nin DNSSEC anahtarlar\u0131yla imzalan\u0131r.<\/li>\n<li>\u00c7\u00f6z\u00fcc\u00fc, ad\u0131m ad\u0131m yukar\u0131dan a\u015fa\u011f\u0131ya bu zinciri takip ederek, DNSKEY ve RRSIG kay\u0131tlar\u0131n\u0131 do\u011frular.<\/li>\n<\/ol>\n<p>Bu sayede, yaln\u0131zca sizin yetkili ad sunucular\u0131n\u0131zdan \u00e7\u0131kan imzal\u0131 DNS kay\u0131tlar\u0131 \u201cg\u00fcvenilir\u201d kabul edilir. Zincirin herhangi bir halkas\u0131nda kopukluk (\u00f6rne\u011fin eksik veya yanl\u0131\u015f DS kayd\u0131) olmas\u0131 durumunda, alan ad\u0131n\u0131z do\u011frulanamaz ve bir\u00e7ok DNSSEC do\u011frulayan \u00e7\u00f6z\u00fcc\u00fc sitenize cevap d\u00f6nd\u00fcrmez.<\/p>\n<h2><span id=\"DNSSECe_Gecmeden_Once_Kontrol_Listesi\">DNSSEC\u2019e Ge\u00e7meden \u00d6nce Kontrol Listesi<\/span><\/h2>\n<h3><span id=\"1_DNSinizi_Kim_Yonetiyor\">1. DNS\u2019inizi Kim Y\u00f6netiyor?<\/span><\/h3>\n<p>DNSSEC kurulumuna ba\u015flamadan \u00f6nce, alan ad\u0131n\u0131z\u0131n DNS\u2019inin nerede tutuldu\u011funu netle\u015ftirin:<\/p>\n<ul>\n<li>Alan ad\u0131 DNS\u2019i DCHost \u00fczerinde, cPanel\/DirectAdmin DNS y\u00f6neticisinde mi?<\/li>\n<li>Harici bir DNS sa\u011flay\u0131c\u0131s\u0131 veya CDN \u00fczerinden mi y\u00f6netiliyor?<\/li>\n<li>\u00d6zel nameserver (ns1.sirketiniz.com gibi) kullan\u0131yor musunuz?<\/li>\n<\/ul>\n<p>Bu bilgi \u00f6nemli, \u00e7\u00fcnk\u00fc DNSSEC\u2019i <strong>DNS\u2019in fiilen y\u00f6netildi\u011fi yerde<\/strong> etkinle\u015ftirmeniz gerekir. Sadece domain kay\u0131t firmas\u0131n\u0131n panelinden DS kayd\u0131 eklemek tek ba\u015f\u0131na yetmez; \u00f6nce DNS b\u00f6lgeniz imzalanm\u0131\u015f olmal\u0131.<\/p>\n<h3><span id=\"2_Kayit_Operatorunuz_DNSSEC_Destekliyor_mu\">2. Kay\u0131t Operat\u00f6r\u00fcn\u00fcz DNSSEC Destekliyor mu?<\/span><\/h3>\n<p>\u0130kinci ad\u0131mda, alan ad\u0131n\u0131z\u0131 kay\u0131tl\u0131 tuttu\u011funuz firman\u0131n (registrar) DNSSEC deste\u011fi olup olmad\u0131\u011f\u0131n\u0131 kontrol etmelisiniz. Destek varsa genellikle panelde \u201cDNSSEC\u201d, \u201cDS Record\u201d gibi bir b\u00f6l\u00fcm g\u00f6r\u00fcrs\u00fcn\u00fcz. Buradan DS kayd\u0131 ekleme \/ silme i\u015flemleri yap\u0131l\u0131r. E\u011fer registrar\u2019\u0131n\u0131z DNSSEC desteklemiyorsa, ya alan ad\u0131n\u0131z\u0131 DNSSEC destekleyen bir registrara transfer etmeniz ya da DNSSEC kullanmaktan vazge\u00e7meniz gerekir; zira DS kayd\u0131 olmadan g\u00fcven zinciri tamamlanmaz.<\/p>\n<h3><span id=\"3_TTL_ve_Yayilim_Stratejisi\">3. TTL ve Yay\u0131l\u0131m Stratejisi<\/span><\/h3>\n<p>DNSSEC ge\u00e7i\u015fi s\u0131ras\u0131nda en kritik konulardan biri de TTL de\u011ferleridir. \u00c7ok y\u00fcksek TTL\u2019ler, hatal\u0131 bir DS kayd\u0131 eklemeniz durumunda problemi d\u00fczeltmenizi geciktirebilir. Bu y\u00fczden:<\/p>\n<ul>\n<li>Ge\u00e7i\u015ften birka\u00e7 g\u00fcn \u00f6nce A\/AAAA, NS ve SOA gibi kritik kay\u0131tlar\u0131n TTL\u2019lerini d\u00fc\u015f\u00fcr\u00fcn (\u00f6rne\u011fin 300 saniye).<\/li>\n<li>Ge\u00e7i\u015fi tamamlay\u0131p do\u011frulad\u0131ktan sonra TTL\u2019leri yeniden y\u00fckseltin.<\/li>\n<\/ul>\n<p>DNS yay\u0131l\u0131m\u0131n\u0131 ve TTL planlamas\u0131n\u0131 daha iyi anlamak i\u00e7in <a href=\"https:\/\/www.dchost.com\/blog\/zero-downtime-tasima-icin-ttl-stratejileri-dns-yayilimini-gercekten-nasil-hizlandirirsin\/\">Zero-downtime ta\u015f\u0131ma i\u00e7in TTL stratejileri rehberimizi<\/a> incelemenizi \u00f6zellikle \u00f6neririz; ayn\u0131 mant\u0131k DNSSEC ge\u00e7i\u015flerinde de birebir ge\u00e7erlidir.<\/p>\n<h2><span id=\"Genel_Senaryo_Adim_Adim_DNSSEC_Kurulum_Rehberi\">Genel Senaryo: Ad\u0131m Ad\u0131m DNSSEC Kurulum Rehberi<\/span><\/h2>\n<h3><span id=\"Adim_1_Mevcut_DNS_ve_Nameserver_Durumunu_Analiz\">Ad\u0131m 1: Mevcut DNS ve Nameserver Durumunu Analiz<\/span><\/h3>\n<p>\u00d6ncelikle alan ad\u0131n\u0131z\u0131n \u015fu an hangi nameserver\u2019lara i\u015faret etti\u011fini tespit edin. Bunu:<\/p>\n<ul>\n<li>Alan ad\u0131 panelinizden<\/li>\n<li>veya terminalde <code>whois alanadiniz.com<\/code> komutuyla<\/li>\n<\/ul>\n<p>kontrol edebilirsiniz. \u00c7\u0131kan nameserver\u2019lar\u0131n DCHost altyap\u0131s\u0131nda m\u0131, harici bir DNS hizmetinde mi oldu\u011funu not al\u0131n. DNSSEC\u2019i, bu nameserver\u2019lar\u0131n y\u00f6netti\u011fi DNS b\u00f6lgesinde etkinle\u015ftireceksiniz.<\/p>\n<h3><span id=\"Adim_2_DNS_Saglayicisinda_DNSSECi_Etkinlestirme_Zone_Signing\">Ad\u0131m 2: DNS Sa\u011flay\u0131c\u0131s\u0131nda DNSSEC\u2019i Etkinle\u015ftirme (Zone Signing)<\/span><\/h3>\n<p>\u0130kinci ad\u0131m, DNS b\u00f6lgenizin imzalanmas\u0131d\u0131r. Bu i\u015flem genellikle \u201cEnable DNSSEC\u201d, \u201cZone Signing\u201d, \u201cSign Zone\u201d gibi bir butonla yap\u0131l\u0131r. Mant\u0131k \u015fu \u015fekildedir:<\/p>\n<ul>\n<li>DNS sa\u011flay\u0131c\u0131n\u0131z alan ad\u0131n\u0131z i\u00e7in bir KSK ve bir ZSK \u00fcretir.<\/li>\n<li>T\u00fcm DNS kay\u0131tlar\u0131n\u0131z\u0131 ZSK ile imzalar ve RRSIG kay\u0131tlar\u0131n\u0131 ekler.<\/li>\n<li>DNSKEY kay\u0131tlar\u0131n\u0131z\u0131 alan ad\u0131 b\u00f6lgesine ekler.<\/li>\n<\/ul>\n<p>Bu a\u015famadan sonra, alan ad\u0131n\u0131z\u0131n yetkili ad sunucular\u0131 DNSSEC\u2019li yan\u0131t vermeye ba\u015flar; ancak hen\u00fcz DS kayd\u0131 eklemedi\u011finiz i\u00e7in g\u00fcven zinciri tam de\u011fildir. Yine de bu a\u015famada <code>dig +dnssec alanadiniz.com<\/code> ile imzalar\u0131n d\u00f6nd\u00fc\u011f\u00fcn\u00fc g\u00f6rebilirsiniz.<\/p>\n<h3><span id=\"Adim_3_DS_Kaydini_Registrar_Paneline_Eklemek\">Ad\u0131m 3: DS Kayd\u0131n\u0131 Registrar Paneline Eklemek<\/span><\/h3>\n<p>DNSSEC\u2019in kilit ad\u0131m\u0131 DS kayd\u0131n\u0131 eklemektir. \u00c7o\u011fu DNS sa\u011flay\u0131c\u0131s\u0131 size \u015fu bilgileri verir:<\/p>\n<ul>\n<li>Key Tag<\/li>\n<li>Algorithm (\u00f6rne\u011fin 8 &ndash; RSASHA256)<\/li>\n<li>Digest Type (\u00f6rne\u011fin 2 &ndash; SHA-256)<\/li>\n<li>Digest (uzun bir hex de\u011fer)<\/li>\n<\/ul>\n<p>Bu alanlar\u0131, alan ad\u0131n\u0131z\u0131n kay\u0131tl\u0131 oldu\u011fu firman\u0131n DNSSEC\/DS y\u00f6netim ekran\u0131na aynen girmeniz gerekir. DS kayd\u0131, TLD b\u00f6lgesine yaz\u0131l\u0131r ve \u201cBu alan ad\u0131n\u0131n DNSKEY\u2019si \u015fu \u00f6zetle do\u011frulanabilir\u201d bilgisini d\u00fcnyaya duyurur. \u0130\u015fte bu noktadan sonra g\u00fcven zinciri tamamlan\u0131r.<\/p>\n<h3><span id=\"Adim_4_DNSSEC_Kurulumunu_Dogrulama\">Ad\u0131m 4: DNSSEC Kurulumunu Do\u011frulama<\/span><\/h3>\n<p>DS kayd\u0131n\u0131 ekledikten sonra a\u015fa\u011f\u0131daki kontrolleri yap\u0131n:<\/p>\n<ul>\n<li><code>dig +dnssec alanadiniz.com<\/code> komutuyla <strong>ad<\/strong> (Authenticated Data) bayra\u011f\u0131n\u0131n d\u00f6nd\u00fc\u011f\u00fcn\u00fc kontrol edin.<\/li>\n<li>Alan ad\u0131n\u0131z i\u00e7in DNSSEC durumunu g\u00f6steren \u00e7evrimi\u00e7i test ara\u00e7lar\u0131n\u0131 kullan\u0131n.<\/li>\n<li>Farkl\u0131 ISP\u2019lerden ve cihazlardan siteye eri\u015fmeyi deneyin; herhangi bir \u00e7\u00f6z\u00fcmleme problemi olmamal\u0131.<\/li>\n<\/ul>\n<p>Unutmay\u0131n: Yanl\u0131\u015f DS kayd\u0131 girerseniz, baz\u0131 resolver\u2019lar alan ad\u0131n\u0131z\u0131 \u201cbogus\u201d olarak i\u015faretleyip hi\u00e7 \u00e7\u00f6z\u00fcmlemeyebilir. Bu nedenle do\u011frulama ad\u0131m\u0131n\u0131 hafife almay\u0131n.<\/p>\n<h3><span id=\"Adim_5_Izleme_Yedek_ve_Operasyonel_Sureklilik\">Ad\u0131m 5: \u0130zleme, Yedek ve Operasyonel S\u00fcreklilik<\/span><\/h3>\n<p>DNSSEC\u2019i kurduktan sonra i\u015f bitmiyor. \u015eunlar\u0131 mutlaka planlay\u0131n:<\/p>\n<ul>\n<li>Anahtar d\u00f6nd\u00fcrme (\u00f6zellikle KSK ve ZSK i\u00e7in periyodik plan)<\/li>\n<li>Nameserver de\u011fi\u015fikli\u011fi yaparken DS kayd\u0131n\u0131n g\u00fcncellenmesi<\/li>\n<li>DNS sa\u011flay\u0131c\u0131s\u0131 de\u011fi\u015fikli\u011fi senaryosunda DNSSEC ge\u00e7i\u015f plan\u0131<\/li>\n<\/ul>\n<p>DCHost\u2019ta altyap\u0131 de\u011fi\u015fiklikleri yaparken, m\u00fc\u015fterilerimizin DNSSEC yap\u0131land\u0131rmalar\u0131n\u0131 da g\u00f6zden ge\u00e7iriyor, gerekirse DS kay\u0131tlar\u0131n\u0131 birlikte g\u00fcncelliyoruz. Anahtar de\u011fi\u015fimi gibi daha ileri konular i\u00e7in yukar\u0131da bahsetti\u011fimiz <a href=\"https:\/\/www.dchost.com\/blog\/dnssec-key-rollover-ksk-zsk-ve-ds-kayit-guncelleme-sifir-kesintiyle-anahtar-dondurme-nasil-yapilir\/\">DNSSEC key rollover rehberini<\/a> mutlaka okuman\u0131z\u0131 tavsiye ederiz.<\/p>\n<h2><span id=\"cPanel_ve_DirectAdmin_Uzerinde_DNSSEC_Mantigi\">cPanel ve DirectAdmin \u00dczerinde DNSSEC Mant\u0131\u011f\u0131<\/span><\/h2>\n<h3><span id=\"Paylasimli_Hosting_ve_Reseller_Senaryosu\">Payla\u015f\u0131ml\u0131 Hosting ve Reseller Senaryosu<\/span><\/h3>\n<p>DCHost \u00fczerindeki pek \u00e7ok <a href=\"https:\/\/www.dchost.com\/tr\/web-hosting\">payla\u015f\u0131ml\u0131 hosting<\/a> ve reseller hesab\u0131nda, alan adlar\u0131n\u0131n DNS y\u00f6netimi do\u011frudan cPanel\/DirectAdmin \u00fczerinden yap\u0131l\u0131r. Bu senaryoda tipik ak\u0131\u015f \u015f\u00f6yle olur:<\/p>\n<ol>\n<li>cPanel veya DirectAdmin\u2019de alan ad\u0131n\u0131z\u0131n DNS b\u00f6lgesine girersiniz.<\/li>\n<li>DNSSEC veya Zone Signing b\u00f6l\u00fcm\u00fcnden \u201cEtkinle\u015ftir \/ Anahtar Olu\u015ftur\u201d gibi bir se\u00e7enekle KSK\/ZSK olu\u015fturursunuz.<\/li>\n<li>Panel size DS kayd\u0131 i\u00e7in gerekli <strong>Key Tag, Algorithm, Digest Type, Digest<\/strong> bilgilerini g\u00f6sterir.<\/li>\n<li>Bu bilgileri, alan ad\u0131n\u0131z\u0131n kay\u0131tl\u0131 oldu\u011fu firman\u0131n paneline <strong>DS kayd\u0131<\/strong> olarak eklersiniz.<\/li>\n<\/ol>\n<p>Baz\u0131 durumlarda alan ad\u0131n\u0131z\u0131n registrar\u0131 ile DNS sa\u011flay\u0131c\u0131n\u0131z (DCHost) ayn\u0131 olabilir; bu durumda t\u00fcm i\u015flem tek panel \u00fczerinden birka\u00e7 t\u0131klamayla tamamlan\u0131r. E\u011fer farkl\u0131 ise DS bilgisini bir yerden al\u0131p di\u011ferine manuel ta\u015f\u0131man\u0131z gerekir.<\/p>\n<h3><span id=\"VPS_veya_Dedicated_Uzerinde_Kendi_Nameserverinizi_Kullandiginizda\">VPS veya Dedicated \u00dczerinde Kendi Nameserver\u2019\u0131n\u0131z\u0131 Kulland\u0131\u011f\u0131n\u0131zda<\/span><\/h3>\n<p>Kendi <em>ns1.sirketiniz.com<\/em> ve <em>ns2.sirketiniz.com<\/em> ad sunucular\u0131n\u0131z\u0131 DCHost <a href=\"https:\/\/www.dchost.com\/tr\/vps\">VPS<\/a> veya <a href=\"https:\/\/www.dchost.com\/tr\/fiziksel-sunucu\">dedicated sunucu<\/a>nuz \u00fczerinde \u00e7al\u0131\u015ft\u0131r\u0131yorsan\u0131z, DNSSEC kurulumunda ekstra baz\u0131 ad\u0131mlar vard\u0131r:<\/p>\n<ul>\n<li>DNS sunucunuzun (BIND, PowerDNS vb.) DNSSEC destekli ve do\u011fru yap\u0131land\u0131r\u0131lm\u0131\u015f oldu\u011fundan emin olmal\u0131s\u0131n\u0131z.<\/li>\n<li>KSK\/ZSK anahtarlar\u0131n\u0131 komut sat\u0131r\u0131yla veya panel entegrasyonu ile \u00fcretirsiniz.<\/li>\n<li>DNSKEY ve RRSIG kay\u0131tlar\u0131n\u0131z\u0131 otomatik imzalama (auto-signing) ile g\u00fcncel tutars\u0131n\u0131z.<\/li>\n<li>Olu\u015fturdu\u011funuz KSK\u2019den t\u00fcretilen DS kayd\u0131n\u0131 registrara eklersiniz.<\/li>\n<\/ul>\n<p>Bu senaryo, biraz daha fazla sistem bilgisi gerektirir. DCHost olarak kendi nameserver altyap\u0131s\u0131n\u0131 y\u00f6neten m\u00fc\u015fterilerimize, sunucu seviyesindeki DNSSEC yap\u0131land\u0131rmas\u0131nda da destek verebiliyoruz; ihtiya\u00e7 halinde teknik ekibimizle birlikte planl\u0131 bir ge\u00e7i\u015f yap\u0131lmas\u0131 en g\u00fcvenli y\u00f6ntemdir.<\/p>\n<h2><span id=\"Harici_DNS_Saglayici_Kullananlar_Icin_Dikkat_Edilmesi_Gerekenler\">Harici DNS Sa\u011flay\u0131c\u0131 Kullananlar \u0130\u00e7in Dikkat Edilmesi Gerekenler<\/span><\/h2>\n<p>Bir\u00e7ok kullan\u0131c\u0131, alan ad\u0131n\u0131 DCHost\u2019ta bar\u0131nd\u0131rsa bile DNS\u2019i harici bir DNS hizmetine veya CDN platformuna ta\u015f\u0131yabiliyor. Bu durumda DNSSEC ak\u0131\u015f\u0131 \u015fu \u015fekilde olur:<\/p>\n<ul>\n<li>DNSSEC\u2019i, DNS b\u00f6lgenizin tutuldu\u011fu harici DNS panelinde etkinle\u015ftirirsiniz.<\/li>\n<li>Harici panel size DS kayd\u0131 bilgilerini verir.<\/li>\n<li>Alan ad\u0131n\u0131z\u0131n kay\u0131tl\u0131 oldu\u011fu DCHost panelinden bu DS kayd\u0131n\u0131 eklersiniz.<\/li>\n<\/ul>\n<p>\u00d6nemli nokta \u015fudur: DNS sa\u011flay\u0131c\u0131s\u0131 de\u011fi\u015ftirdi\u011finizde (\u00f6rne\u011fin tekrar DCHost DNS\u2019ine d\u00f6nmek istedi\u011finizde) <strong>eski DNSSEC yap\u0131land\u0131rmas\u0131n\u0131 devre d\u0131\u015f\u0131 b\u0131rakmadan<\/strong> direkt nameserver de\u011fi\u015ftirirseniz, TLD taraf\u0131nda kay\u0131tl\u0131 DS kayd\u0131 yeni DNSKEY ile uyu\u015fmayaca\u011f\u0131 i\u00e7in alan ad\u0131n\u0131z \u00e7\u00f6z\u00fclmez hale gelebilir. Bu tip kar\u0131\u015f\u0131k senaryolarda <a href=\"https:\/\/www.dchost.com\/blog\/cloudflare-dns-mi-hosting-dnsi-mi-en-dogru-nameserver-stratejisi\/\">nameserver stratejisi rehberimizde anlatt\u0131\u011f\u0131m\u0131z<\/a> planl\u0131 yakla\u015f\u0131m\u0131 DNSSEC taraf\u0131na da uyarlamak en g\u00fcvenli y\u00f6ntemdir.<\/p>\n<h2><span id=\"DNSSEC_SSLTLS_ve_E-posta_Guvenligiyle_Nasil_Birlikte_Calisir\">DNSSEC, SSL\/TLS ve E-posta G\u00fcvenli\u011fiyle Nas\u0131l Birlikte \u00c7al\u0131\u015f\u0131r?<\/span><\/h2>\n<h3><span id=\"HTTPS_Tarafi\">HTTPS Taraf\u0131<\/span><\/h3>\n<p>DNSSEC ve SSL\/TLS temelde iki farkl\u0131 katmanda \u00e7al\u0131\u015f\u0131r:<\/p>\n<ul>\n<li>DNSSEC, <strong>DNS kay\u0131tlar\u0131n\u0131n b\u00fct\u00fcnl\u00fc\u011f\u00fcn\u00fc ve kayna\u011f\u0131n\u0131<\/strong> korur.<\/li>\n<li>SSL\/TLS, <strong>istemci ile sunucu aras\u0131ndaki trafi\u011fin \u015fifrelenmesini<\/strong> sa\u011flar.<\/li>\n<\/ul>\n<p>\u0130kisini bir arada kullanmak, kullan\u0131c\u0131ya u\u00e7tan uca daha g\u00fcvenli bir yol sunar: Do\u011fru IP adresine gitti\u011finden emin oldu\u011funuz bir ba\u011flant\u0131da, SSL\/TLS ile veriyi de g\u00fcvence alt\u0131na al\u0131rs\u0131n\u0131z. SSL taraf\u0131ndaki g\u00fcncel geli\u015fmeler ve g\u00fcvenli s\u00fcr\u00fcmler hakk\u0131nda bilgi almak i\u00e7in <a href=\"https:\/\/www.dchost.com\/blog\/ssl-tls-protokol-guncellemeleri-modern-https-icin-net-yol-haritasi\/\">modern HTTPS i\u00e7in SSL\/TLS g\u00fcncellemeleri rehberimizi<\/a> inceleyebilirsiniz.<\/p>\n<h3><span id=\"E-posta_Tarafi\">E-posta Taraf\u0131<\/span><\/h3>\n<p>E-posta altyap\u0131s\u0131nda SPF, DKIM, DMARC, MTA-STS, DANE\/TLSA gibi pek \u00e7ok g\u00fcvenlik katman\u0131 DNS \u00fczerinden ilan edilir. DNSSEC, bu kay\u0131tlar\u0131n manip\u00fcle edilmesini zorla\u015ft\u0131rarak e-posta g\u00fcvenli\u011finizi takviye eder:<\/p>\n<ul>\n<li>SPF kayd\u0131n\u0131z de\u011fi\u015ftirilirse, sahte g\u00f6nderici IP\u2019lerine kap\u0131 a\u00e7\u0131labilir.<\/li>\n<li>DKIM public key\u2019iniz manip\u00fcle edilirse, imza do\u011frulama zay\u0131flar.<\/li>\n<li>MTA-STS ve DANE\/TLSA kay\u0131tlar\u0131, e-posta sunucular\u0131 aras\u0131ndaki TLS politikas\u0131n\u0131 belirler.<\/li>\n<\/ul>\n<p>DNSSEC ile bu kay\u0131tlar\u0131n g\u00fcvenilir bir \u015fekilde do\u011frulanmas\u0131, phishing ve sahte e-posta sald\u0131r\u0131lar\u0131n\u0131n etkisini azaltmaya yard\u0131mc\u0131 olur. E-posta taraf\u0131ndaki di\u011fer ayarlar i\u00e7in <a href=\"https:\/\/www.dchost.com\/blog\/spf-dkim-ve-dmarc-nedir-ozel-alan-adi-ile-e-posta-dogrulamasini-cpanel-ve-vpste-sifirdan-kurmak\/\">SPF, DKIM ve DMARC kurulum rehberimize<\/a> de g\u00f6z atabilirsiniz.<\/p>\n<h2><span id=\"DNSSEC_Kurarken_Yapilan_Yaygin_Hatalar_ve_Kurtarma_Onerileri\">DNSSEC Kurarken Yap\u0131lan Yayg\u0131n Hatalar ve Kurtarma \u00d6nerileri<\/span><\/h2>\n<h3><span id=\"Yanlis_DS_Kaydi_Eklemek\">Yanl\u0131\u015f DS Kayd\u0131 Eklemek<\/span><\/h3>\n<p>En kritik hata, yanl\u0131\u015f DS kayd\u0131 eklemektir. \u00d6rne\u011fin:<\/p>\n<ul>\n<li>Yanl\u0131\u015f DNSKEY\u2019den \u00fcretilmi\u015f bir DS kullanmak<\/li>\n<li>Eski DNS sa\u011flay\u0131c\u0131s\u0131na ait DS kayd\u0131n\u0131 silmeyi unutmak<\/li>\n<li>Algorithm veya Digest Type alanlar\u0131n\u0131 hatal\u0131 girmek<\/li>\n<\/ul>\n<p>Bu durumda bir\u00e7ok DNS \u00e7\u00f6z\u00fcc\u00fcs\u00fc alan ad\u0131n\u0131z\u0131 karantinaya al\u0131r ve kullan\u0131c\u0131lar sitenize eri\u015femez. Kurtarmak i\u00e7in:<\/p>\n<ul>\n<li>\u00d6nce DNS b\u00f6lgenizin imzal\u0131 oldu\u011fundan ve DNSKEY\/RRSIG kay\u0131tlar\u0131n\u0131n do\u011fru oldu\u011fundan emin olun.<\/li>\n<li>Ard\u0131ndan registrardaki DS kayd\u0131n\u0131 tamamen kald\u0131r\u0131n veya do\u011fru de\u011ferlerle g\u00fcncelleyin.<\/li>\n<li>TTL d\u00fc\u015f\u00fckse etki k\u0131sa s\u00fcrede d\u00fczelecektir.<\/li>\n<\/ul>\n<h3><span id=\"Nameserver_Degisikliginde_DNSSECi_Unutmak\">Nameserver De\u011fi\u015fikli\u011finde DNSSEC\u2019i Unutmak<\/span><\/h3>\n<p>Ba\u015fka bir yayg\u0131n hata da DNS sa\u011flay\u0131c\u0131s\u0131 de\u011fi\u015ftirirken DNSSEC\u2019i hesaba katmamakt\u0131r. Do\u011fru ak\u0131\u015f \u015fu olmal\u0131d\u0131r:<\/p>\n<ol>\n<li>Yeni DNS sa\u011flay\u0131c\u0131s\u0131nda alan ad\u0131 b\u00f6lgenizi haz\u0131r hale getirin.<\/li>\n<li>Yeni sa\u011flay\u0131c\u0131da DNSSEC\u2019i etkinle\u015ftirip yeni DS bilgisini al\u0131n.<\/li>\n<li>Eski DS kayd\u0131n\u0131, yeni DS kayd\u0131yla dikkatle de\u011fi\u015ftirin veya \u00f6nce tamamen devre d\u0131\u015f\u0131 b\u0131rak\u0131n.<\/li>\n<li>Nameserver de\u011fi\u015fikli\u011fini <strong>en son<\/strong> ad\u0131mda yap\u0131n.<\/li>\n<\/ol>\n<p>B\u00f6ylece g\u00fcven zinciri kopmadan kontroll\u00fc bir ge\u00e7i\u015f yapabilirsiniz. Bu tarz s\u0131f\u0131r kesintili ge\u00e7i\u015fler i\u00e7in TTL ve DNS stratejilerini, daha \u00f6nce bahsetti\u011fimiz TTL rehberimizle birlikte planlamak \u00e7ok faydal\u0131 olacakt\u0131r.<\/p>\n<h3><span id=\"Anahtar_Dondurmeyi_Plansiz_Yapmak\">Anahtar D\u00f6nd\u00fcrmeyi Plans\u0131z Yapmak<\/span><\/h3>\n<p>DNSSEC anahtarlar\u0131n\u0131 (\u00f6zellikle KSK\u2019yi) rastgele ve plans\u0131z de\u011fi\u015ftirmek, DS kayd\u0131 ile DNSKEY uyumsuzlu\u011funa yol a\u00e7abilir. Sonu\u00e7 yine ayn\u0131: Alan ad\u0131n\u0131z baz\u0131 kullan\u0131c\u0131lar i\u00e7in \u00e7\u00f6z\u00fclemez hale gelebilir. Bu nedenle:<\/p>\n<ul>\n<li>\u00d6nce yeni anahtar\u0131 \u00fcretin ve DNS b\u00f6lgenize ekleyin.<\/li>\n<li>Eski ve yeni anahtar bir s\u00fcre birlikte (pre-publish) tutulsun.<\/li>\n<li>DS kayd\u0131n\u0131 yeni anahtara g\u00fcncelleyin.<\/li>\n<li>Yeterli yay\u0131l\u0131m s\u00fcresinden sonra eski anahtar\u0131 kald\u0131r\u0131n.<\/li>\n<\/ul>\n<p>Bu s\u00fcreci detayl\u0131 ad\u0131mlar\u0131yla g\u00f6rmek i\u00e7in tekrar <a href=\"https:\/\/www.dchost.com\/blog\/dnssec-key-rollover-ksk-zsk-ve-ds-kayit-guncelleme-sifir-kesintiyle-anahtar-dondurme-nasil-yapilir\/\">DNSSEC key rollover rehberine<\/a> g\u00f6z atabilirsiniz.<\/p>\n<h2><span id=\"DCHost_ile_DNSSEC_Stratejinizi_Nasil_Kurabilirsiniz\">DCHost ile DNSSEC Stratejinizi Nas\u0131l Kurabilirsiniz?<\/span><\/h2>\n<p>DCHost olarak hem domain, hem payla\u015f\u0131ml\u0131 hosting, hem VPS\/dedicated, hem de colocation hizmetleri sunarken DNSSEC\u2019i g\u00fcnl\u00fck operasyonlar\u0131m\u0131z\u0131n do\u011fal bir par\u00e7as\u0131 olarak g\u00f6r\u00fcyoruz. M\u00fc\u015fterilerimizin alan adlar\u0131 i\u00e7in tipik olarak \u015fu yakla\u015f\u0131mla ilerliyoruz:<\/p>\n<ul>\n<li>\u00d6nce alan ad\u0131, DNS ve hosting mimarisini birlikte de\u011ferlendiriyoruz.<\/li>\n<li>DNS\u2019in nerede tutuldu\u011funu (DCHost DNS, harici DNS veya kendi nameserver\u2019\u0131n\u0131z) netle\u015ftiriyoruz.<\/li>\n<li>Risk almadan, <strong>\u00f6nce TTL d\u00fc\u015f\u00fcrerek<\/strong> test ortam\u0131nda DNSSEC\u2019i etkinle\u015ftiriyoruz.<\/li>\n<li>DS kayd\u0131n\u0131 ekleyip yay\u0131l\u0131m\u0131 ve do\u011frulamay\u0131 yak\u0131ndan izliyoruz.<\/li>\n<li>Son olarak TTL\u2019leri kal\u0131c\u0131 de\u011ferlere \u00e7ekip anahtar d\u00f6nd\u00fcrme takvimini planl\u0131yoruz.<\/li>\n<\/ul>\n<p>Alan ad\u0131n\u0131z, DCHost\u2019ta kay\u0131tl\u0131 olmasa bile hostinginiz bizde ise; DNSSEC kurulumunda hangi taraf\u0131n ne yapmas\u0131 gerekti\u011fini birlikte planlayabilir, riskli ad\u0131mlar\u0131 minimize edebiliriz. Ayr\u0131ca, birden fazla alan ad\u0131n\u0131z ve karma\u015f\u0131k bir DNS mimariniz varsa, <a href=\"https:\/\/www.dchost.com\/blog\/alan-adi-portfoy-yonetimi-onlarca-domaini-kontrol-altina-alma-rehberi\/\">alan ad\u0131 portf\u00f6y y\u00f6netimi rehberimizdeki<\/a> prensipleri DNSSEC stratejinizle birle\u015ftirmek i\u015finizi olduk\u00e7a kolayla\u015ft\u0131r\u0131r.<\/p>\n<h2><span id=\"Sonuc_ve_Yol_Haritasi\">Sonu\u00e7 ve Yol Haritas\u0131<\/span><\/h2>\n<p>DNSSEC, \u201cg\u00fcvenlik eklerim ama her \u015fey daha karma\u015f\u0131k olur\u201d hissi uyand\u0131ran teknolojilerden biri olabilir; \u00f6zellikle ilk kez kurulum yaparken yanl\u0131\u015f DS kayd\u0131 gibi hatalardan \u00e7ekinmek son derece do\u011fal. Ancak do\u011fru planlama, d\u00fc\u015f\u00fck TTL\u2019ler ve ad\u0131m ad\u0131m ilerleyen bir s\u00fcre\u00e7le bak\u0131ld\u0131\u011f\u0131nda, asl\u0131nda DNSSEC kurmak san\u0131ld\u0131\u011f\u0131 kadar korkutucu de\u011fildir. \u00dcstelik kazand\u0131rd\u0131\u011f\u0131 \u015fey, alan ad\u0131n\u0131z\u0131n temel g\u00fcvenlik katman\u0131na eklenen g\u00fc\u00e7l\u00fc bir kriptografik imza mekanizmas\u0131d\u0131r.<\/p>\n<p>Alan ad\u0131n\u0131z e-ticaret, SaaS, kurumsal panel veya kritik m\u00fc\u015fteri verisi bar\u0131nd\u0131r\u0131yorsa, DNSSEC\u2019i art\u0131k \u201cileride bakar\u0131z\u201d kategorisinden \u00e7\u0131kar\u0131p bir yol haritas\u0131na oturtman\u0131z iyi bir fikirdir. Dilerseniz \u00f6nce tek bir test alan\u0131nda ba\u015flay\u0131p s\u00fcreci deneyimleyebilir, ard\u0131ndan \u00fcretim alanlar\u0131n\u0131za yayabilirsiniz. DCHost olarak; domain, hosting, VPS, dedicated ve colocation projelerinizde DNSSEC\u2019i en ba\u015ftan mimarinin i\u00e7ine yerle\u015ftirmenize yard\u0131mc\u0131 olabiliriz. Mevcut mimarinizi birlikte g\u00f6zden ge\u00e7irmek veya yeni bir proje planlarken DNSSEC ve di\u011fer alan ad\u0131 g\u00fcvenlik katmanlar\u0131n\u0131 masaya yat\u0131rmak isterseniz, her zaman destek talebi a\u00e7arak ekibimizle ileti\u015fime ge\u00e7ebilirsiniz.<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>\u0130&ccedil;indekiler1 DNSSEC Nedir ve Neden Ciddiye Almal\u0131s\u0131n\u0131z?2 DNS ve DNSSEC\u2019in Temel Mant\u0131\u011f\u01312.1 Klasik DNS\u2019in Zay\u0131f Noktas\u01312.2 DNSSEC Nedir?3 DNSSEC\u2019in Sa\u011flad\u0131\u011f\u0131 Avantajlar3.1 1. Sahte DNS Yan\u0131tlar\u0131na Kar\u015f\u0131 Koruma3.2 2. E-posta ve TLS Ekosistemiyle Entegrasyon3.3 3. Marka G\u00fcveni ve Uyum Gereksinimleri4 DNSSEC\u2019in Teknik Bile\u015fenleri4.1 KSK ve ZSK: \u0130ki Farkl\u0131 Anahtar Rol\u00fc4.2 \u00d6nemli DNSSEC Kay\u0131t Tipleri4.3 G\u00fcven Zinciri [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":3473,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-3472","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-teknoloji"],"_links":{"self":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/3472","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/comments?post=3472"}],"version-history":[{"count":0,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/3472\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media\/3473"}],"wp:attachment":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media?parent=3472"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/categories?post=3472"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/tags?post=3472"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}