DNSSEC stands for Domain Name System Security Extensions. It is a set of IETF (Internet Engineering Task Force) specifications that secure certain kinds of information served by DNS. DNSSEC adds a digital signature (Signed SSL) that protects the authenticity of the DNS data returned to the client, so the client can tell whether that data has been altered or not. A DNS server uses the UDP protocol on port 53, whereas DNSSEC is different: it uses the TCP protocol on port 53. The other differences can be seen with dig, for example:
Example without DNSSEC
[root@ns1 ~]# dig @192.168.56.18 opikdesign.com. A +dnssec +multiline
; <<>> DiG 9.11.2 <<>> opikdesign.com. A +dnssec +multiline
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63502
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL:
;; QUESTION SECTION:
;opikdesign.com. IN A
;; ANSWER SECTION:
opikdesign.com. 3600 IN A 192.168.56.10
;; AUTHORITY SECTION:
opikdesign.com. 3600 IN NS ns1.opikdesign.com.
opikdesign.com. 3600 IN NS ns2.opikdesign.com.
;; ADDITIONAL SECTION:
ns2.opikdesign.com. 3600 IN A 192.168.56.18
ns1.opikdesign.com. 3600 IN A 172.16.57.11
;; Query time: 34 msec
;; SERVER: 192.168.56.18#53(192.168.56.18)
;; WHEN: Tue Jan 29 14:31:51 WIB 2019
;; MSG SIZE rcvd: 209
Example with DNSSEC; an additional hash appears
[root@ns1 ~]# dig @172.16.57.11 opikdesign.com. A +dnssec +multiline
; <<>> DiG 9.11.2 <<>> opikdesign.com. A +dnssec +multiline
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63502
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL:
;; QUESTION SECTION:
;opikdesign.com. IN A
;; ANSWER SECTION:
opikdesign.com. 3600 IN A 192.168.56.10
opikdesign.com. 3600 IN RRSIG A 8 3 3600 (
20190227192735 20190128192735 738 opikdesign.com.
Lhp1OTFpKHfHKx7XoxOmqyONv2Ee7SgGVOA1F5jApnTy
NPZyBt+nHO0bTA0ha7x6N1F2pyo+/HXRYNRfYcjY8XZm
kQw2R4e15fYIi42GIgxGDBsPCX2BkE08cHGb0L+hOZLw
Wd4YFvISRNaHE0HW4/+ObmHJ+m19ws6aiVxTpB4= )
;; AUTHORITY SECTION:
opikdesign.com. 3600 IN NS ns1.opikdesign.com.
opikdesign.com. 3600 IN NS ns2.opikdesign.com.
opikdesign.com. 3600 IN RRSIG NS 8 3 3600 (
20190227192735 20190128192735 738 opikdesign.com.
K3YOGQIdCYjWjU+FW1WnuULxfhfV2t1r3qS8SxxVTKpy
+aPgvOfu9QBLQHvYkqYadccFBjuop/fH9aUrpiLqmJxk
/UCLwp2hKJugwme6mIx4tlAZaWLVlTTBtFTL7A/4WqgZ
RHABSRCrMu8p9TsyQmGH413+qq8YGNqW1QppF/o= )
;; ADDITIONAL SECTION:
ns2.opikdesign.com. 3600 IN A 192.168.56.18
ns1.opikdesign.com. 3600 IN A 172.16.57.11
ns1.opikdesign.com. 3600 IN RRSIG A 8 4 3600 (
20190227192711 20190128192711 39813 opikdesign.com.
G/J+u7AUyM6OWwvsGXAJCKWsA+682ZPc77YpfKNtfjeD
/wjQzZ0O6AQ9ItM7/6D6zopjFgRjGjfvWfmhRMrCIorx
nLUHh3K8W+KBp7t+k3VCf60d27ugFp4bSAFKoErrrzVH
45oz+deH7sh8knnBtzOtnbFr8MgBv6xz9wfa7qY= )
ns2.opikdesign.com. 3600 IN RRSIG A 8 4 3600 (
20190227192711 20190128192711 39813 opikdesign.com.
Pnpnrig+kzyF1yDiVslIxLrlha2RWAYLJYe3rpBJ3bdT
Wc6Ikcbiv/AThazy9VKtJD+ibo2rg++9datV+/1DT3mH
h3tAN4RDpI6emPO4XctWnoccHX5JVa39/US6zw3NIRuR
kaPTFvcJudG7SsxYFGCrWnMk4wKmmohYCizRzyo= )
;; Query time: 34 msec
;; SERVER: 172.16.57.11#53(172.16.57.11)
;; WHEN: Tue Jan 29 14:31:51 WIB 2019
;; MSG SIZE rcvd: 209
To enable DNSSEC, BIND needs SSL support. Check it as follows, and pay attention to the lines in bold (the OpenSSL lines):
[root@ns1 ~]# named -V
BIND 9.11.2
running on Linux x86_64 3.10.0-862.11.6.el7.x86_64 #1 SMP Tue Aug 14 21:49:04 UTC 2018
built by make with '--prefix=/usr' '--sysconfdir=/etc' '--localstatedir=/var' '--mandir=/usr/share/man' '--enable-threads' '--with-libtool' '--disable-static' '--with-openssl=/usr' '--with-randomdev=/dev/urandom'
compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-28)
compiled with OpenSSL version: OpenSSL 1.0.2k 26 Jan 2017
linked to OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
compiled with zlib version: 1.2.7
linked to zlib version: 1.2.7
threads support is enabled
Straight to the point: this post does not cover the differences in how they work and so on. For the basic configuration that turns a server into a DNS server, see Install Bind 9.11.1 on CentOS 7 with Master-Slave. Here the author assumes the server installation and the domain zone are already running properly, and continues with how to enable DNSSEC and switch to the signed zone.
Enable DNSSEC in BIND
Open the file named.conf.options and edit it as follows; after editing, restart named
options {
.....
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
}
Before restarting named, an nmap scan of localhost shows bind on UDP/53; after restarting named it switches to TCP/53
Creating the ZSK Key and KSK Key
Before creating the keys, change into the zones folder first, then create the keys.
[root@ns1]# cd /var/named/chroot/etc/namedb/master
Create the ZSK key using the RSA SHA256 algorithm at 1024 bit...
[root@ns1 master]# dnssec-keygen -a RSASHA256 -b 1024 -n ZONE opikdesign.com
Generating key pair.......................++++++ ..++++++
Kopikdesign.com.+008+06963
[root@ns1 master]#
Create the KSK key using the RSA SHA256 algorithm at 2046 bit...
[root@ns1 master]# dnssec-keygen -a RSASHA256 -b 2046 -n ZONE -f KSK opikdesign.com
Generating key pair.........................................................................+++ ......................+++
Kopikdesign.com.+008+24610
[root@ns1 master]#
Combining the ZSK key file with the KSK key and creating the new ZONES file
To combine them into a single file, run the following command...
[root@ns1 master]# cat Kopikdesign.com.+008+*.key >> opikdesign.com.zone
Creating the ZONES file
[root@ns1 master]# dnssec-signzone -t -g -o opikdesign.com opikdesign.com.zone Kopikdesign.com.+008+*.private
Verifying the zone using the following algorithms: RSASHA256.
Zone signing complete:
Algoritm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked
opikdesign.com.zone.signed
Signatures generated: 10
Signatures retained: 0
Signatures dropped: 0
Signatures successfully verified: 0
Signatures unsuccessfully verified: 0
Signing time in seconds: 0.021
Signatures per second: 435.825
Runtime in seconds: 0.035
[root@ns1 master]#
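As an added example (not code from this post), here is a small Python checker for the RRSIG records in the presentation format that both the dig +dnssec +multiline output above and the opikdesign.com.zone.signed file produced by dnssec-signzone use. It reports RRsets that carry no signature, signatures outside their inception/expiration window, and signatures about to expire, which is the check worth running once a zone is signed. The sample data is constructed from the records shown above, with truncated signature bodies.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample in the presentation format shared by `dig +dnssec +multiline`
# and a dnssec-signzone *.signed file; signature bodies are truncated placeholders.
SAMPLE = """\
opikdesign.com. 3600 IN A 192.168.56.10
opikdesign.com. 3600 IN RRSIG A 8 3 3600 (
20190227192735 20190128192735 738 opikdesign.com.
Lhp1OTFpKHfHKx7XoxOmqyONv2Ee7SgGVOA1F5jApnTy= )
ns1.opikdesign.com. 3600 IN A 172.16.57.11
ns1.opikdesign.com. 3600 IN RRSIG A 8 4 3600 (
20190227192711 20190128192711 39813 opikdesign.com.
G/J+u7AUyM6OWwvsGXAJCKWsA+682ZPc77YpfKNtfjeD= )
ns2.opikdesign.com. 3600 IN A 192.168.56.18
"""

def _flatten(text):
    # Fold the "( ... )" continuation lines of +multiline output back onto one line.
    return re.sub(r"\(\s*(.*?)\s*\)", lambda m: " ".join(m.group(1).split()), text, flags=re.S)

def ts(s):
    # RRSIG expiration/inception fields are YYYYMMDDHHMMSS in UTC.
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(text):
    """One dict per RRSIG: owner, covered type, algorithm, validity window, key tag, signer."""
    sigs = []
    for line in _flatten(text).splitlines():
        f = line.split()
        if len(f) >= 12 and f[2] == "IN" and f[3] == "RRSIG":
            sigs.append({"owner": f[0], "covers": f[4], "alg": int(f[5]), "expire": ts(f[8]),
                         "incept": ts(f[9]), "keytag": int(f[10]), "signer": f[11]})
    return sigs

def check(text, now, warn_days=7):
    """Report unsigned RRsets, signatures outside their validity window, and signatures expiring within warn_days."""
    sigs = parse_rrsigs(text)
    signed = {(s["owner"], s["covers"]) for s in sigs}
    problems = []
    for line in _flatten(text).splitlines():
        f = line.split()
        if len(f) >= 5 and f[2] == "IN" and f[3] != "RRSIG" and (f[0], f[3]) not in signed:
            problems.append(("unsigned", f[0], f[3]))
    for s in sigs:
        if now > s["expire"]:
            problems.append(("expired", s["owner"], s["covers"]))
        elif now < s["incept"]:
            problems.append(("not-yet-valid", s["owner"], s["covers"]))
        elif s["expire"] - now < timedelta(days=warn_days):
            problems.append(("expiring-soon", s["owner"], s["covers"]))
    return problems
```

The key tag field (738 and 39813 in the sample) is the same number that appears in the Kopikdesign.com.+008+NNNNN key file names, which is how a signature is matched to its DNSKEY.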
Then edit the file /var/named/chroot/etc/named.zones, changing the domain's zone file entry from the following...
zone "opikdesign.com" IN {
...
file "master/opikdesign.com.zone";
...
};
to the signed zone file...
zone "opikdesign.com" IN {
...
file "master/opikdesign.com.zone.signed";
...
};
Finally, restart bind...
[root@ns1 master]# systemctl restart named
