DNSSEC Configuration on an Authoritative BIND 9.11.x Server

Example without DNSSEC

[root@ns1 ~]# dig @192.168.56.18 opikdesign.com. A +dnssec +multiline

; <<>> DiG 9.11.2 <<>> opikdesign.com. A +dnssec +multiline
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63502
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL:

;; QUESTION SECTION:
;opikdesign.com. IN A

;; ANSWER SECTION:
opikdesign.com. 3600 IN A 192.168.56.10

;; AUTHORITY SECTION:
opikdesign.com. 3600 IN NS ns1.opikdesign.com.
opikdesign.com. 3600 IN NS ns2.opikdesign.com.

;; ADDITIONAL SECTION:
ns2.opikdesign.com. 3600 IN A 192.168.56.18
ns1.opikdesign.com. 3600 IN A 172.16.57.11

;; Query time: 34 msec
;; SERVER: 192.168.56.18#53(192.168.56.18)
;; WHEN: Tue Jan 29 14:31:51 WIB 2019
;; MSG SIZE rcvd: 209

Example with DNSSEC: additional signature data (RRSIG records) appears in the response

[root@ns1 ~]# dig @172.16.57.11 opikdesign.com. A +dnssec +multiline

; <<>> DiG 9.11.2 <<>> opikdesign.com. A +dnssec +multiline
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63502
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL:

;; QUESTION SECTION:
;opikdesign.com. IN A

;; ANSWER SECTION:
opikdesign.com. 3600 IN A 192.168.56.10
opikdesign.com. 3600 IN RRSIG A 8 3 3600 (
20190227192735 20190128192735 738 opikdesign.com.
Lhp1OTFpKHfHKx7XoxOmqyONv2Ee7SgGVOA1F5jApnTy
NPZyBt+nHO0bTA0ha7x6N1F2pyo+/HXRYNRfYcjY8XZm
kQw2R4e15fYIi42GIgxGDBsPCX2BkE08cHGb0L+hOZLw
Wd4YFvISRNaHE0HW4/+ObmHJ+m19ws6aiVxTpB4= )

;; AUTHORITY SECTION:
opikdesign.com. 3600 IN NS ns1.opikdesign.com.
opikdesign.com. 3600 IN NS ns2.opikdesign.com.
opikdesign.com. 3600 IN RRSIG NS 8 3 3600 (
20190227192735 20190128192735 738 opikdesign.com.
K3YOGQIdCYjWjU+FW1WnuULxfhfV2t1r3qS8SxxVTKpy
+aPgvOfu9QBLQHvYkqYadccFBjuop/fH9aUrpiLqmJxk
/UCLwp2hKJugwme6mIx4tlAZaWLVlTTBtFTL7A/4WqgZ
RHABSRCrMu8p9TsyQmGH413+qq8YGNqW1QppF/o= )

;; ADDITIONAL SECTION:
ns2.opikdesign.com. 3600 IN A 192.168.56.18
ns1.opikdesign.com. 3600 IN A 172.16.57.11
ns1.opikdesign.com. 3600 IN RRSIG A 8 4 3600 (
20190227192711 20190128192711 39813 opikdesign.com.
G/J+u7AUyM6OWwvsGXAJCKWsA+682ZPc77YpfKNtfjeD
/wjQzZ0O6AQ9ItM7/6D6zopjFgRjGjfvWfmhRMrCIorx
nLUHh3K8W+KBp7t+k3VCf60d27ugFp4bSAFKoErrrzVH
45oz+deH7sh8knnBtzOtnbFr8MgBv6xz9wfa7qY= )
ns2.opikdesign.com. 3600 IN RRSIG A 8 4 3600 (
20190227192711 20190128192711 39813 opikdesign.com.
Pnpnrig+kzyF1yDiVslIxLrlha2RWAYLJYe3rpBJ3bdT
Wc6Ikcbiv/AThazy9VKtJD+ibo2rg++9datV+/1DT3mH
h3tAN4RDpI6emPO4XctWnoccHX5JVa39/US6zw3NIRuR
kaPTFvcJudG7SsxYFGCrWnMk4wKmmohYCizRzyo= )

;; Query time: 34 msec
;; SERVER: 172.16.57.11#53(172.16.57.11)
;; WHEN: Tue Jan 29 14:31:51 WIB 2019
;; MSG SIZE rcvd: 209
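A defender reading this output mainly wants to know two things: that every RRset is covered by an RRSIG, and when those signatures expire. dnssec-signzone signs with a 30-day validity by default, which is exactly the window in the RRSIGs above (inception 20190128192735, expiration 20190227192735), so a zone signed by hand the way this post describes must be re-signed before that date or validating resolvers will start returning SERVFAIL for it. The following Python script is an added example, not part of the original post, that parses the dig +dnssec +multiline text format and reports coverage and days to expiry for each RRset; the embedded sample is the page's own signed response trimmed to two RRsets, and the query time is taken from its WHEN line (WIB, converted to UTC). It does not verify the signatures themselves.

```python
"""Check RRSIG coverage and expiry in `dig +dnssec +multiline` output.

Added example, not part of the original post: it parses the text format
shown above and reports, for every RRset in the response, whether an RRSIG
covers it and how many whole days remain before that signature expires.
It does not verify the signatures themselves (that needs the DNSKEYs).
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: the post's signed response trimmed to the opikdesign.com A
# and ns1 A RRsets, with the base64 signature data shortened to two lines.
SIGNED = """
;; ANSWER SECTION:
opikdesign.com. 3600 IN A 192.168.56.10
opikdesign.com. 3600 IN RRSIG A 8 3 3600 (
20190227192735 20190128192735 738 opikdesign.com.
Lhp1OTFpKHfHKx7XoxOmqyONv2Ee7SgGVOA1F5jApnTy
Wd4YFvISRNaHE0HW4/+ObmHJ+m19ws6aiVxTpB4= )

;; ADDITIONAL SECTION:
ns1.opikdesign.com. 3600 IN A 172.16.57.11
ns1.opikdesign.com. 3600 IN RRSIG A 8 4 3600 (
20190227192711 20190128192711 39813 opikdesign.com.
G/J+u7AUyM6OWwvsGXAJCKWsA+682ZPc77YpfKNtfjeD
45oz+deH7sh8knnBtzOtnbFr8MgBv6xz9wfa7qY= )
"""

# Constructed sample: the same query against the server without DNSSEC.
UNSIGNED = """
;; ANSWER SECTION:
opikdesign.com. 3600 IN A 192.168.56.10
"""

# Constructed "now": the WHEN line of the post's dig run (WIB = UTC+7) in UTC,
# and the same moment 45 days later, past the 30-day signature lifetime.
NOW = datetime(2019, 1, 29, 7, 31, 51, tzinfo=timezone.utc)
LATER = NOW + timedelta(days=45)


def join_multiline(text):
    """Collapse BIND's '( ... )' continuation lines into one line per record;
    ';;' comment lines and blank lines are dropped."""
    records, buf = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if buf is not None:                  # inside a parenthesised record
            buf.append(line.rstrip(')').strip())
            if line.endswith(')'):
                records.append(' '.join(buf))
                buf = None
        elif line.endswith('('):
            buf = [line[:-1].strip()]
        else:
            records.append(line)
    return records


def parse_timestamp(ts):
    """RRSIG expiration/inception are YYYYMMDDHHMMSS in UTC (RFC 4034 s.3.2)."""
    return datetime.strptime(ts, '%Y%m%d%H%M%S').replace(tzinfo=timezone.utc)


def check_signatures(dig_text, now):
    """Return {(owner, rtype): (status, days_left)} for every RRset.

    status is 'valid', 'expired', 'not-yet-valid' or 'unsigned'; days_left is
    the number of whole days until the covering RRSIG expires (negative once
    it has expired, None when the RRset is unsigned).
    """
    rrsets, sigs = set(), {}
    for line in join_multiline(dig_text):
        owner, _ttl, _cls, rtype, *rdata = line.split()
        if rtype == 'RRSIG':
            covered, _alg, _labels, _ottl, exp, inc, _tag, _signer, *_sig = rdata
            sigs[(owner, covered)] = (parse_timestamp(inc), parse_timestamp(exp))
        else:
            rrsets.add((owner, rtype))
    report = {}
    for key in sorted(rrsets):
        if key not in sigs:
            report[key] = ('unsigned', None)
            continue
        inception, expiration = sigs[key]
        if now < inception:
            status = 'not-yet-valid'
        elif now > expiration:
            status = 'expired'
        else:
            status = 'valid'
        report[key] = (status, (expiration - now).days)
    return report


if __name__ == '__main__':
    for label, when in (('at query time', NOW), ('45 days later', LATER)):
        print(f'--- {label} ---')
        for (owner, rtype), (status, days) in check_signatures(SIGNED, when).items():
            print(f'{owner:22} {rtype:4} {status:13} days_left={days}')
    print('--- unsigned server ---')
    print(check_signatures(UNSIGNED, NOW))
```

Run against a live server by piping `dig @server zone A +dnssec +multiline` into the same functions; the "45 days later" pass is there to show what a validating resolver would see once the hand-signed zone is left alone past its signature lifetime.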

What is needed to enable DNSSEC is OpenSSL support in BIND. Check it as follows and note the lines mentioning OpenSSL.

[root@ns1 ~]# named -V
BIND 9.11.2
running on Linux x86_64 3.10.0-862.11.6.el7.x86_64 #1 SMP Tue Aug 14 21:49:04 UTC 2018
built by make with '--prefix=/usr' '--sysconfdir=/etc' '--localstatedir=/var' '--mandir=/usr/share/man' '--enable-threads' '--with-libtool' '--disable-static' '--with-openssl=/usr' '--with-randomdev=/dev/urandom'
compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-28)
compiled with OpenSSL version: OpenSSL 1.0.2k 26 Jan 2017
linked to OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
compiled with zlib version: 1.2.7
linked to zlib version: 1.2.7
threads support is enabled

Straight to the point: this post does not cover how DNSSEC works and so on. For the basic configuration needed to build a DNS server, see Install Bind 9.11.1 on CentOS 7 with Master-Slave. Here the author assumes the server installation and the domain zone are already running properly; what follows is how to enable DNSSEC and switch over to the signed zone.

Enabling DNSSEC in BIND

Open the file named.conf.options and edit it as follows; restart named after editing. (The dnssec-lookaside option refers to ISC's DLV lookaside registry, which was retired in 2017, so on 9.11 it no longer contributes anything to validation.)

options {
.....
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
}

Before restarting named, an nmap scan against localhost shows BIND on UDP/53; after named is restarted it will switch to TCP/53.

Creating the ZSK and KSK keys

Before generating the keys, change into the zones directory first, then generate the keys.

[root@ns1]# cd /var/named/chroot/etc/namedb/master

Generate the ZSK using the RSASHA256 algorithm with a 1024-bit key…

[root@ns1 master]# dnssec-keygen -a RSASHA256 -b 1024 -n ZONE opikdesign.com
Generating key pair.................++++++ ..++++++
Kopikdesign.com.+008+06963

[root@ns1 master]#

Generate the KSK using the RSASHA256 algorithm with a 2046-bit key…

[root@ns1 master]# dnssec-keygen -a RSASHA256 -b 2046 -n ZONE -f KSK opikdesign.com
Generating key pair...........................................................+++ ..................+++
Kopikdesign.com.+008+24610

[root@ns1 master]#
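The key file names produced above (Kopikdesign.com.+008+06963 and Kopikdesign.com.+008+24610) encode the DNSSEC algorithm number (008 = RSASHA256) and the key tag of each DNSKEY, and the same tags appear in the key-tag field of every RRSIG those keys produce. The following Python script is an added example, not part of this post or of BIND, that computes the key tag and the DS record from a DNSKEY according to RFC 4034; the public key bytes in it are a constructed placeholder, not a real RSA key, so the tags it prints are not the ones shown above. Two caveats a practitioner would want here: dnssec-signzone also writes the KSK's DS record to a dsset-opikdesign.com. file, and that DS must be published in the parent (.com) zone via the registrar before validating resolvers treat the zone as secure, a step this post stops before; and a 1024-bit RSA ZSK is below current key-size guidance, while BIND 9.11 also supports ECDSAP256SHA256 (-a ECDSAP256SHA256), which gives much smaller keys and signatures.

```python
"""Derive the key tag and DS record of a DNSKEY, as BIND does for the key files above.

Added example, not from the original post. In a key file name such as
Kopikdesign.com.+008+06963, 008 is the DNSSEC algorithm number (RSASHA256) and
06963 is the key tag computed over the DNSKEY RDATA (RFC 4034 Appendix B, the
rule for every algorithm except the obsolete RSAMD5); the same tag appears in
the key-tag field of every RRSIG that key produces. The DS digest is SHA-256
over the owner name in wire form followed by the DNSKEY RDATA (RFC 4034
section 5.1.4). The public key bytes below are constructed, not a real key.
"""
import base64
import hashlib
import struct

ZONE = 'opikdesign.com.'
ZSK_FLAGS, KSK_FLAGS = 256, 257        # bit 7 = zone key; 257 also sets SEP (KSK)
PROTOCOL, RSASHA256, DIGEST_SHA256 = 3, 8, 2

# Constructed placeholder public key material (not a usable RSA key).
SAMPLE_PUBKEY = bytes([0x01, 0x02, 0x03, 0x04])


def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA in wire form: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack('!HBB', flags, PROTOCOL, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B: add even-indexed bytes shifted left by 8 and
    odd-indexed bytes as they are, fold the carry back in, keep 16 bits."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_file_name(name, algorithm, tag):
    """The K<name>+<alg>+<tag> naming dnssec-keygen uses for its output files."""
    return f'K{name}+{algorithm:03d}+{tag:05d}'


def name_to_wire(name):
    """Owner name in canonical wire form: lower-cased, length-prefixed labels."""
    wire = b''.join(bytes([len(label)]) + label.encode('ascii')
                    for label in name.lower().rstrip('.').split('.'))
    return wire + b'\x00'


def dnskey_record(name, flags, algorithm, pubkey):
    """Presentation form of the DNSKEY RR, as written to the .key file."""
    b64 = base64.b64encode(pubkey).decode('ascii')
    return f'{name} IN DNSKEY {flags} {PROTOCOL} {algorithm} {b64}'


def ds_record(name, flags, algorithm, pubkey):
    """DS RR for the parent zone: key tag, algorithm, digest type 2, SHA-256 digest."""
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    digest = hashlib.sha256(name_to_wire(name) + rdata).hexdigest().upper()
    return f'{name} IN DS {key_tag(rdata)} {algorithm} {DIGEST_SHA256} {digest}'


if __name__ == '__main__':
    for role, flags in (('ZSK', ZSK_FLAGS), ('KSK', KSK_FLAGS)):
        rdata = dnskey_rdata(flags, RSASHA256, SAMPLE_PUBKEY)
        print(role, key_file_name(ZONE, RSASHA256, key_tag(rdata)))
        print('   ', dnskey_record(ZONE, flags, RSASHA256, SAMPLE_PUBKEY))
    # Only the KSK's DS goes to the parent; dnssec-signzone writes it to dsset-<zone>.
    print(ds_record(ZONE, KSK_FLAGS, RSASHA256, SAMPLE_PUBKEY))
```

To check a real key, paste the base64 field of the KSK's .key file into SAMPLE_PUBKEY (base64-decoded) and compare the printed DS line with the dsset-opikdesign.com. file that dnssec-signzone produces; the key tag must also match the number in the file name.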

Appending the ZSK and KSK key files to the zone and creating the new signed zone file

To append both public keys into the zone file, run the following command…

[root@ns1 master]# cat Kopikdesign.com.+008+*.key >> opikdesign.com.zone

Creating the signed zone file

[root@ns1 master]# dnssec-signzone -t -g -o opikdesign.com opikdesign.com.zone Kopikdesign.com.+008+*.private
Verifying the zone using the following algorithms: RSASHA256.
Zone signing complete:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked
opikdesign.com.zone.signed
Signatures generated: 10
Signatures retained: 0
Signatures dropped: 0
Signatures successfully verified: 0
Signatures unsuccessfully verified: 0
Signing time in seconds: 0.021
Signatures per second: 435.825
Runtime in seconds: 0.035

[root@ns1 master]#

Then, in the file /var/named/chroot/etc/named.zones, edit the domain's zone entry, which currently points at the unsigned zone file as follows…

zone "opikdesign.com" IN {
...
file "master/opikdesign.com.zone";
...
};

change the zone file to the signed version…

zone "opikdesign.com" IN {
...
file "master/opikdesign.com.zone.signed";
...
};

finally, restart BIND…

[root@ns1 master]# systemctl restart named