1. Keys used by DNSSEC
Key | Description |
---|---|
Key Signing Key (KSK) | Signs the zone's DNSKEY RRset (the ZSK(s) and itself); a hash of this key is what the parent publishes as the DS record. |
Zone Signing Key (ZSK) | Signs the resource record sets of the zone (everything except, in the usual split, the DNSKEY RRset). |
Combined Signing Key (CSK) | A single key that plays both roles: flags 257, referenced by the parent's DS and signing all zone data. |
Type | Description |
---|---|
DS | Delegation Signer: a hash of the child's KSK, published in the parent zone |
DNSKEY | DNS Public Key: the zone's public signing keys |
RRSIG | Resource Record Signature over one RRset |
CDNSKEY | Child copy of DNSKEY: the child's way of telling the parent which key to reflect as DS |
CDS | Child copy of DS: the DS record the child wants the parent to publish |
NSEC | Authenticated denial of existence: names the next owner name in canonical order and the types present at this name; it is signed by an RRSIG like any other RRset, so an NXDOMAIN can be proven |
NSEC3 | Same purpose as NSEC, but the owner names are hashed so the zone cannot be walked trivially |
NSEC3PARAM | Hash algorithm, flags, iteration count and salt the authoritative server uses to generate its NSEC3 records |
2. Cryptographic Algorithms
The first table is the implementation status from RFC 6944 (2013) with the Edwards-curve algorithms of RFC 8080 added; the second is the current guidance from RFC 8624 (2019), which is what a new deployment should follow.
Public Key Algorithm | Nr. | Status (RFC 6944) |
---|---|---|
RSAMD5 | 1 | Forbidden |
DSA | 3 | Optional |
RSASHA1 | 5 | Mandatory |
RSASHA1-NSEC3-SHA1 | 7 | Recommended |
RSASHA256 | 8 | Recommended |
RSASHA512 | 10 | Recommended |
ECC-GOST | 12 | Optional |
ECDSAP256SHA256 | 13 | Recommended |
ECDSAP384SHA384 | 14 | Recommended |
ED25519 | 15 | Optional (RFC 8080) |
ED448 | 16 | Optional (RFC 8080) |
Number | Mnemonics | DNSSEC Signing (RFC 8624) | DNSSEC Validation (RFC 8624) |
---|---|---|---|
1 | RSAMD5 | MUST NOT | MUST NOT |
3 | DSA | MUST NOT | MUST NOT |
5 | RSASHA1 | NOT RECOMMENDED | MUST |
6 | DSA-NSEC3-SHA1 | MUST NOT | MUST NOT |
7 | RSASHA1-NSEC3-SHA1 | NOT RECOMMENDED | MUST |
8 | RSASHA256 | MUST | MUST |
10 | RSASHA512 | NOT RECOMMENDED | MUST |
12 | ECC-GOST | MUST NOT | MAY |
13 | ECDSAP256SHA256 | MUST | MUST |
14 | ECDSAP384SHA384 | MAY | RECOMMENDED |
15 | ED25519 | RECOMMENDED | RECOMMENDED |
16 | ED448 | MAY | RECOMMENDED |
Digest Algorithm | Nr. | Earlier status | DS delegation (RFC 8624) | DS validation (RFC 8624) |
---|---|---|---|---|
SHA-1 | 1 | Mandatory | MUST NOT | MUST |
SHA-256 | 2 | Mandatory | MUST | MUST |
GOST R 34.11-94 | 3 | Optional | MUST NOT | MAY |
SHA-384 | 4 | Optional | MAY | RECOMMENDED |
The DS answer below still carries SHA-1 digests (type 1) next to SHA-256 ones (type 2); validators still accept both, but new DS records should use SHA-256 only.
Flag | Meaning |
---|---|
256 | Zone Key flag only: by convention a ZSK. It signs the zone's data RRsets and is itself covered by the DNSKEY RRset signature made with a 257 key; it is not referenced by a parent DS. |
257 | Zone Key plus SEP flag: by convention a KSK, the key the parent's DS record points to and the one that signs the DNSKEY RRset. Validators treat SEP as a hint only (RFC 4034 section 2.1.1); the KSK/ZSK split is an operational convention, not a cryptographic restriction. |
3. DS Record
# dig +multiline example.net. DS
; <<>> DiG 9.10.3-P4-Ubuntu <<>> +multiline example.net. DS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33503
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.net. IN DS
;; ANSWER SECTION:
example.net. 33698 IN DS 61250 8 1 (
EBF5191249B08ADBA60DC57DE26F8D530FE5D17D )
example.net. 33698 IN DS 31589 8 2 (
5A9EAEFC7CC7D6946E1D106418427D272D406B835BA9
EA0219DFBD3974A54A81 )
example.net. 33698 IN DS 31589 8 1 (
628FCA4806B2E475DA9FD97A1FB57B7E26F8494C )
example.net. 33698 IN DS 54761 8 2 (
9FDE7678F418E724ACE98537E0EAD92BB96B3109072D
076A117492DB708CE238 )
example.net. 33698 IN DS 54761 8 1 (
2B45E49265B30032497E0D61D259F4ACF821A5A0 )
example.net. 33698 IN DS 61250 8 2 (
984E001501B50F8D7B73935E12A0B15E9DCE5498F088
5C3C6193B4DCB8DDAD36 )
;; Query time: 0 msec
;; SERVER: 172.20.10.43#53(172.20.10.43)
;; WHEN: Sat Jan 06 11:31:16 CET 2018
;; MSG SIZE rcvd: 292
Field | Example | Description |
---|---|---|
Key Tag | 61250 | 16-bit identifier computed over the DNSKEY RDATA (RFC 4034 Appendix B). It is not unique, so a validator tries every DNSKEY with this tag. |
Algorithm | 8 | Algorithm number of the child's DNSKEY (8 = RSASHA256). |
Digest Type | 1 | Hash used to compute the digest (1 = SHA-1, 2 = SHA-256, 4 = SHA-384). |
Digest | EBF5…D17D | Hash of the child's owner name in wire format followed by the full DNSKEY RDATA. |
$ dig +multiline example.net. DNSKEY
; <<>> DiG 9.10.3-P4-Ubuntu <<>> +multiline example.net. DNSKEY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50414
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.net. IN DNSKEY
;; ANSWER SECTION:
example.net. 900 IN DNSKEY 257 3 8 (
AwEAAcSvBHUuazPyycexMEFH9+oQoJXAugbelISqKM0e
Qv4jPsp1qws6+rs6mpBgxwE6bOqOqAUDnXqkjPiLE8st
Q6l2r1jCN/Ad8N+tOqCPMIG93RE233PKm3hDK1KoLEmR
9us2vRfkM1H/tt0UuL/4RoVdUCHH8jcp9tueMQzQG4RO
nE/HctTb+WR/zBFa+GjGdoQGdjasr5CDrXvImipyG9fJ
ZQ+wNtAzjMpl2dR2oJERE9HFnv52GblveqAZcw3HqCn2
MsF8QKOFcPEXVk1lOtaqb0bBqftLEuoNysbYcKoXOO4Z
nKcxPB+bHoeHTWSvz5XSoCwulwE15xJ/GrA1rrk=
) ; KSK; alg = RSASHA256; key id = 61250
example.net. 900 IN DNSKEY 256 3 8 (
AwEAAZ/9wpQpBVsh1WLWtgOewqesLtZLV1nOgle7OmKs
aPSX4gFEWP3znBXICNsuFAaOY0JYZKO6A7Pip+6cmwiR
A34mr5Xk3XNtTPMfoT55D1qE/l8zMHBspEgulIFPSBPc
WQpXTkxQKIpYzn4yhak7BKBOm8I0AFDHlehtdf8qys9t
) ; ZSK; alg = RSASHA256; key id = 17491
example.net. 900 IN DNSKEY 257 3 8 (
AwEAAbMqsFTYoin5LDKjSo0Ix0nj29adzS97t2n3QImu
svDp8llLbKmG3wVX99FbLL232oVfvL1QgP3Uqa88yxrJ
iwJ+BxT5SWaU0kFbfEvLlAIwkcp8fIpZPiPLo0tXXFu7
h0LtXWUYMei1Q4wzxVaxTAWBuDnbUM+g629FeI9052lQ
DYpSa32CzDRXLXJ23hR2lNRecCnTXw+kudfL3oxUTUKi
Ijjf0zDcoa3G0TCogMhgXnJJ32havw+u3HevDLLQq5hk
KTR55Ymr8bagm7N0V8ZAxvnCG5ix9SFLvjG/7BQUEOgI
eeyoZoTGGkeFEA2Hs+j8BNPXwML+ETlYsgeaAwc=
) ; KSK; alg = RSASHA256; key id = 51916
;; Query time: 14 msec
;; SERVER: 127.0.0.1#53(172.20.10.43)
;; WHEN: Sat Jan 06 11:26:45 CET 2018
;; MSG SIZE rcvd: 740
Field | Example | Description |
---|---|---|
Flags | 256 | Zone Key flag set, SEP flag clear (257 sets both). |
Protocol | 3 | Always 3 |
Algorithm | 8 | The public key algorithm used to create the key. |
Public Key | AwEA…ys9t | The full public key. |
Bit | Flag |
---|---|
0 - 6 | Reserved |
7 | Zone Key Flag |
8 | Revoke Flag (RFC 5011 trust anchor rollover) |
9 - 14 | Reserved |
15 | Secure Entry Point (SEP) Flag |
The flags field is 16 bits wide, bit 0 being the most significant; the values below are the whole field.
Flag Bits Values | Decimal Value | Description |
---|---|---|
0000000000000000 | 0 | Key is neither a zone key nor a secure entry point. |
0000000000000001 | 1 | Key is not a zone key but is a secure entry point. |
0000000100000000 | 256 | Key is a zone key but not a secure entry point. |
0000000100000001 | 257 | Key is a zone key and a secure entry point. |
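To see how the DS records above are derived from the DNSKEY, here is an added example (not part of the original page) that recomputes the key tag (RFC 4034 Appendix B) and the DS digest (RFC 4034 section 5.1.4: hash over the canonical owner name followed by the DNSKEY RDATA) from the KSK printed above and compares the result with the two DS records for key tag 61250. The only inputs are copied from the dig output; the function and constant names are this example's own.

```python
"""Recompute DNSSEC key tags and DS digests from a DNSKEY record.

Added example, not from the original page. The DNSKEY and DS values below
are copied from the dig output above for example.net (KSK with key id 61250).
"""
import base64
import hashlib
import struct

# Base64 public key exactly as printed in the DNSKEY answer above (key id 61250).
PAGE_KSK_B64 = (
    "AwEAAcSvBHUuazPyycexMEFH9+oQoJXAugbelISqKM0e"
    "Qv4jPsp1qws6+rs6mpBgxwE6bOqOqAUDnXqkjPiLE8st"
    "Q6l2r1jCN/Ad8N+tOqCPMIG93RE233PKm3hDK1KoLEmR"
    "9us2vRfkM1H/tt0UuL/4RoVdUCHH8jcp9tueMQzQG4RO"
    "nE/HctTb+WR/zBFa+GjGdoQGdjasr5CDrXvImipyG9fJ"
    "ZQ+wNtAzjMpl2dR2oJERE9HFnv52GblveqAZcw3HqCn2"
    "MsF8QKOFcPEXVk1lOtaqb0bBqftLEuoNysbYcKoXOO4Z"
    "nKcxPB+bHoeHTWSvz5XSoCwulwE15xJ/GrA1rrk="
)
# (owner, flags, protocol, algorithm, public key) of that DNSKEY.
PAGE_DNSKEY = ("example.net.", 257, 3, 8, PAGE_KSK_B64)

# DS records for key tag 61250 from the DS answer above:
# (key tag, algorithm, digest type, digest).
PAGE_DS = [
    (61250, 8, 1, "EBF5191249B08ADBA60DC57DE26F8D530FE5D17D"),
    (61250, 8, 2, "984E001501B50F8D7B73935E12A0B15E9DCE5498F0885C3C6193B4DCB8DDAD36"),
]

# DS digest type number -> hash constructor (RFC 4034, RFC 4509, RFC 6605).
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root byte."""
    out = bytearray()
    for label in name.lower().rstrip(".").split("."):
        if label:
            out.append(len(label))
            out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (for every algorithm except the obsolete RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # odd bytes added as-is, even bytes shifted
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """Upper-case hex digest of owner name (wire format) followed by the DNSKEY RDATA."""
    h = DIGEST_TYPES[digest_type]()
    h.update(wire_name(owner) + rdata)
    return h.hexdigest().upper()


def flags_meaning(flags):
    """Decode the three defined bits of the 16-bit flags field (bit 0 is the MSB)."""
    return {
        "zone_key": bool(flags & 0x0100),  # bit 7
        "revoke": bool(flags & 0x0080),    # bit 8 (RFC 5011)
        "sep": bool(flags & 0x0001),       # bit 15
    }


def match_ds(owner, flags, protocol, algorithm, pubkey_b64, ds_records):
    """Return (computed key tag, [(ds key tag, digest type, matches?) ...])."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    tag = key_tag(rdata)
    results = []
    for ds_tag, ds_alg, dtype, digest in ds_records:
        ok = (ds_tag == tag and ds_alg == algorithm and dtype in DIGEST_TYPES
              and ds_digest(owner, rdata, dtype) == digest.upper())
        results.append((ds_tag, dtype, ok))
    return tag, results


if __name__ == "__main__":
    tag, results = match_ds(*PAGE_DNSKEY, PAGE_DS)
    print(f"DNSKEY flags {PAGE_DNSKEY[1]} -> {flags_meaning(PAGE_DNSKEY[1])}; computed key tag {tag}")
    for ds_tag, dtype, ok in results:
        print(f"DS {ds_tag} digest type {dtype}: {'MATCH' if ok else 'NO MATCH'}")
```

Run it after pasting any DNSKEY and DS pair from dig: a mismatch on the SHA-256 DS while the key tag matches usually means the owner name was not lowercased or the base64 was broken across lines, both of which are caught here because the digest is computed over the exact wire form.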
$ dig +multiline +dnssec example.net. SOA
; <<>> DiG 9.10.3-P4-Ubuntu <<>> +multiline +dnssec example.net. SOA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5858
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;example.net. IN SOA
;; ANSWER SECTION:
example.net. 3588 IN SOA sns.dns.icann.org. noc.dns.icann.org. (
2017120519 ; serial
7200 ; refresh (2 hours)
3600 ; retry (1 hour)
1209600 ; expire (2 weeks)
3600 ; minimum (1 hour)
)
example.net. 3588 IN RRSIG SOA 8 2 3600 (
20180123134822 20180102162512 17491 example.net.
bfE6eVnjxMcX/UH2rzc7HRZ1DwetaTVseDeMVUQEAwno
ioWhGnsHxaXs6pA7btGEC9ZIZ3PgUiexL1fWxOU4p049
3dy1wkkUrmEj22viN/cj0S1DhhP2x/8ROqpG+L4Rhovx
BtvD3H+uOeVGRIXQ781UiXL4po/ti7AdFDSf49I= )
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(172.20.10.43)
;; WHEN: Sat Jan 06 12:02:54 CET 2018
;; MSG SIZE rcvd: 268
Field | Example | Description |
---|---|---|
Original Type | SOA | The type of record that has been signed. |
Algorithm | 8 | The algorithm used for signing |
Number of Labels | 2 | Label count of the owner name the signature was made over (example.net = 2). Fewer labels than the queried name means the answer was synthesized from a wildcard. |
Original TTL | 3600 | The time-to-live of the signed record. |
Signature Expiration | 20180123134822 | The expiration time of the signature. |
Signature Inception | 20180102162512 | The time when the record was signed. |
Key Tag | 17491 | The key-tag of the key used for signing. |
Name of Signer | example.net. | The name of the zone who signed the record. |
Signature | bfE6…49I= | The signature. |
- If the Labels field is 3 for a query for www.example.net (three labels), the client knows it can validate the signature normally against the name it asked for.
- If the Labels field is smaller, say 2, the signature was made over *.example.net, and the client validates against *.example.net rather than the name it queried (wildcard expansion).
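The checks a validator applies to these RRSIG fields before it even touches the signature bytes, as an added example that is not part of the original page: parsing the presentation-format RDATA, the inception/expiration window, the rule that the signer must be the zone containing the owner name (RFC 4035 section 5.3.1), and the Labels logic that decides whether to validate against the queried name or a wildcard (RFC 4035 section 5.3.2). The RRSIG text is the one from the dig output above with the base64 signature omitted; the function names are this example's own.

```python
"""Pre-verification checks on an RRSIG: validity window, signer, Labels/wildcard.

Added example, not from the original page. PAGE_RRSIG is the RRSIG RDATA shown
in the dig +dnssec output above (signature field left out; not needed here).
"""
from datetime import datetime, timezone

PAGE_RRSIG = "SOA 8 2 3600 20180123134822 20180102162512 17491 example.net."
# Time of the dig run above: Sat Jan 06 12:02:54 CET 2018, as a UTC RRSIG timestamp.
PAGE_QUERY_TIME = "20180106110254"


def _ts(s):
    """RRSIG YYYYMMDDHHMMSS timestamp (always UTC) -> aware datetime."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def _labels(name):
    """Labels of a domain name, lowercased, without the empty root label."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def parse_rrsig_rdata(text):
    """Presentation-format RRSIG RDATA -> dict (the signature itself is optional)."""
    f = text.split()
    return {
        "type_covered": f[0],
        "algorithm": int(f[1]),
        "labels": int(f[2]),
        "original_ttl": int(f[3]),
        "expiration": _ts(f[4]),
        "inception": _ts(f[5]),
        "key_tag": int(f[6]),
        "signer": f[7].lower(),
        "signature_b64": "".join(f[8:]),
    }


def label_count(name):
    """RFC 4034 section 3.1.3: root counts as 0 and a leading '*' label is not counted."""
    labels = _labels(name)
    if labels and labels[0] == "*":
        labels = labels[1:]
    return len(labels)


def validation_name(owner, rrsig_labels):
    """Name the signature was made over: (name, is_wildcard), or None if bogus."""
    labels = _labels(owner)
    n = label_count(owner)
    if rrsig_labels > n:
        return None                      # more labels than the owner name: bogus
    if rrsig_labels == n:
        return ".".join(labels) + ".", False
    # Fewer labels: the RRset was synthesized from a wildcard; rebuild its name.
    return "*." + ".".join(labels[len(labels) - rrsig_labels:]) + ".", True


def in_validity_window(rrsig, now):
    """inception <= now <= expiration; 'now' may be a datetime or an RRSIG timestamp string."""
    if isinstance(now, str):
        now = _ts(now)
    return rrsig["inception"] <= now <= rrsig["expiration"]


def signer_covers(rrsig, owner):
    """The signer name must be the owner name itself or one of its ancestors."""
    o, s = _labels(owner), _labels(rrsig["signer"])
    return len(s) <= len(o) and o[len(o) - len(s):] == s


def check_rrsig(rrsig, owner, now):
    """Combine the checks; a real validator would next fetch the DNSKEY with this key tag."""
    problems = []
    if not signer_covers(rrsig, owner):
        problems.append("signer is not the zone of the owner name")
    if not in_validity_window(rrsig, now):
        problems.append("outside the validity window")
    vn = validation_name(owner, rrsig["labels"])
    if vn is None:
        problems.append("Labels exceeds the owner name's label count")
        name, wildcard = None, False
    else:
        name, wildcard = vn
    return {"status": "bogus" if problems else "ok", "problems": problems,
            "validate_as": name, "wildcard_expansion": wildcard, "key_tag": rrsig["key_tag"]}


if __name__ == "__main__":
    rrsig = parse_rrsig_rdata(PAGE_RRSIG)
    print(check_rrsig(rrsig, "example.net.", PAGE_QUERY_TIME))   # ok at the time of the dig
    print(check_rrsig(rrsig, "example.net.", "20180201000000"))  # bogus: expired
    print(validation_name("www.example.net.", 2))                # wildcard case from the bullets
```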
$ mysql -u root -p pdns
-- Automatically increment the SOA serial number after DNSSEC signatures
-- have been refreshed. Prevents slaves from serving DNS records with expired
-- signatures.
INSERT INTO `domainmetadata` (
`domain_id`,
`kind`, `content`
) VALUES (
(SELECT id from domains where name='example.net'),
'SOA-EDIT', 'INCEPTION-INCREMENT'
);
-- Automatically increment the SOA serial number after changes made through
-- API calls or after signatures have been refreshed. Prevents slaves from
-- serving DNS records with expired signatures.
INSERT INTO `domainmetadata` (
`domain_id`,
`kind`, `content`
) VALUES (
(SELECT id from domains where name='example.net'),
'SOA-EDIT-API', 'INCEPTION-INCREMENT'
);
-- Automatically rectify the zone (needed by DNSSEC for NSEC/NSEC3 ordering)
-- after any changes made through API calls.
INSERT INTO `domainmetadata` (
`domain_id`,
`kind`, `content`
) VALUES (
(SELECT id from domains where name='example.net'),
'API-RECTIFY', '1'
);
-- Allow AXFR zone transfers from the addresses of the zone's own NS records
-- (AUTO-NS), i.e. from all slaves listed in the zone.
INSERT INTO `domainmetadata` (
`domain_id`,
`kind`, `content`
) VALUES (
(SELECT id from domains where name='example.net'),
'ALLOW-AXFR-FROM', 'AUTO-NS'
);
SELECT domains.name AS Domain, kind AS Option, content AS Value
FROM domainmetadata
LEFT JOIN domains ON domainmetadata.domain_id = domains.id
ORDER BY Domain, Option, Value ASC;
Domain | Option | Value |
---|---|---|
example.net | ALLOW-AXFR-FROM | AUTO-NS |
example.net | API-RECTIFY | 1 |
example.net | SOA-EDIT | INCEPTION-INCREMENT |
example.net | SOA-EDIT-API | INCEPTION-INCREMENT |
example.org | ALLOW-AXFR-FROM | AUTO-NS |
example.org | API-RECTIFY | 1 |
example.org | SOA-EDIT | INCEPTION-INCREMENT |
example.org | SOA-EDIT-API | INCEPTION-INCREMENT |
4. Securing the Zone
$ sudo pdnssec secure-zone example.net
Securing zone with rsasha256 algorithm with default key size
Zone example.net secured
Adding NSEC ordering information
$ sudo pdnssec rectify-zone example.net
$ sudo pdnssec rectify-all-zones
$ sudo pdnssec show-zone example.net
$ whois example.net | grep DNSSEC
DNSSEC:signedDelegation
5. Updating Slaves
$ sudo pdnssec increase-serial example.net
Algorithm rollover (to ECDSAP256SHA256):
- Create a new key pair with the new algorithm ECDSAP256SHA256 to use as KSK, but leave it inactive for now. Do not publish its public key anywhere yet.
- Create a new key pair with the new algorithm ECDSAP256SHA256 to use as ZSK. This one can be activated, so the zone fills with new signatures made with the new algorithm alongside the old ones, which also stay active.
- Find the record with the highest TTL in your zone. Wait twice that time before the next step. This makes sure signatures with the new algorithm have populated every cache.
- After waiting, activate the KSK created earlier but not yet activated.
- Communicate the new KSK to your registrar and wait for the DS delegation record to appear.
- Wait for the DNSKEY TTL to expire (900 seconds for example.net above; caches hold the DNSKEY RRset under its own TTL, not the SOA's). This makes sure all caches have fetched your new KSK so they can verify the new signatures.
- Have your registrar remove the DS of the old KSK.
- Wait for your parent's DS TTL to expire. This makes sure all caches know the old KSK can no longer be used for verification.
- Deactivate and remove the old ZSK (and old KSK) from your zone.
Plain KSK rollover (same algorithm):
- Create a new KSK key pair.
- Activate the key so that the zone signing key (ZSK) is signed by both the new and the old KSK during the transition period.
- Make sure all records have been re-signed and all slaves have picked up the change.
- Give the public key to the domain registrar.
- Wait for the new DS record to be published in the parent domain.
- Wait for the DNSKEY TTL to expire so caches pick up the new key.
- Deactivate the old KSK.
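The two procedures above as phased shell functions, as an added example that is neither part of the original page nor PowerDNS project code. It assumes the pdnssec 3.x syntax `add-zone-key ZONE zsk|ksk BITS active|passive ALGORITHM` with `ecdsa256` as the name for ECDSAP256SHA256, that `dig` is available for the parent DS check, and that the operator reads the new key ids from `pdnssec show-zone` between phases; the wait times are supplied by the operator because the script cannot know the zone's highest TTL or the parent's DS TTL. With the default `DRY_RUN=1` it only prints what it would run.

```bash
#!/usr/bin/env bash
# Phased DNSSEC key rollover for PowerDNS with pdnssec, following the steps above.
# Added example, not from the original page or the PowerDNS project.
# Assumptions: pdnssec 3.x "add-zone-key ZONE zsk|ksk BITS active|passive ALG",
# "ecdsa256" = ECDSAP256SHA256, dig available. DRY_RUN=1 (default) only prints.
set -euo pipefail

ZONE="${ZONE:-example.net}"
NEW_ALG="${NEW_ALG:-ecdsa256}"   # assumed pdnssec name for ECDSAP256SHA256
DRY_RUN="${DRY_RUN:-1}"

# Print the command when dry-running, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY-RUN: %s\n' "$*"
  else
    "$@"
  fi
}

# Sleep for $1 seconds unless dry-running.
wait_secs() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY-RUN: wait %s seconds\n' "$1"
  else
    sleep "$1"
  fi
}

# Phase 1: introduce the new algorithm. The new KSK is passive (not signing, not
# yet given to the parent); the new ZSK is active so double signatures appear.
# $1 = seconds to wait afterwards (twice the highest TTL in the zone).
phase1_introduce() {
  run pdnssec add-zone-key "$ZONE" ksk 256 passive "$NEW_ALG"
  run pdnssec add-zone-key "$ZONE" zsk 256 active "$NEW_ALG"
  run pdnssec rectify-zone "$ZONE"
  run pdnssec increase-serial "$ZONE"
  wait_secs "$1"
}

# Phase 2: activate the new KSK and show the zone so the DS can go to the registrar.
# $1 = key id of the new KSK (from "pdnssec show-zone ZONE").
phase2_activate_ksk() {
  run pdnssec activate-zone-key "$ZONE" "$1"
  run pdnssec increase-serial "$ZONE"
  run pdnssec show-zone "$ZONE"
}

# Refuse to retire anything until the parent really publishes a DS for key tag $1.
require_parent_ds() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY-RUN: check parent DS for key tag %s\n' "$1"
    return 0
  fi
  dig +short "$ZONE" DS | grep -q "^$1 " || {
    echo "parent DS for key tag $1 not visible yet; not retiring old keys" >&2
    return 1
  }
}

# Phase 3: once the new DS is live and the DNSKEY TTL has passed, deactivate the
# old keys; remove them only after the parent's DS TTL has expired as well.
# $1 = new KSK key tag, $2 = old KSK key id, $3 = old ZSK key id, $4 = parent DS TTL.
phase3_retire_old() {
  require_parent_ds "$1"
  run pdnssec deactivate-zone-key "$ZONE" "$2"
  run pdnssec deactivate-zone-key "$ZONE" "$3"
  run pdnssec increase-serial "$ZONE"
  wait_secs "$4"
  run pdnssec remove-zone-key "$ZONE" "$2"
  run pdnssec remove-zone-key "$ZONE" "$3"
  run pdnssec increase-serial "$ZONE"
}
```

The point of the split into phases is that the dangerous step, removing the old KSK, sits behind an explicit check that the parent already serves the new DS; if that check is skipped the zone goes bogus for every validating resolver as soon as the old DS TTL runs out.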
$ sudo -sH
$ mkdir -p ~/dnssec-keys
$ cd ~/dnssec-keys
$ pdnssec check-all-zones
$ export ZONE=example.net
$ pdnssec show-zone $ZONE > $ZONE.dnssec.txt
$ cat $ZONE.dnssec.txt
$ grep '(KSK)' $ZONE.dnssec.txt
$ export KEY_ID=<NUMBER>
$ pdnssec export-zone-key $ZONE $KEY_ID > ${ZONE}_ID${KEY_ID}.ksk
$ pdnssec export-zone-dnskey $ZONE $KEY_ID > ${ZONE}_ID${KEY_ID}.ksk.pub
$ export KEY_ID=<NUMBER>
$ ...
$ grep '(ZSK)' $ZONE.dnssec.txt
$ export KEY_ID=<NUMBER>
$ pdnssec export-zone-key $ZONE $KEY_ID > ${ZONE}_ID${KEY_ID}.zsk
$ pdnssec export-zone-dnskey $ZONE $KEY_ID > ${ZONE}_ID${KEY_ID}.zsk.pub