PELATIHAN HARI KE 1:
========================================================================
$TTL = default time-to-live (seconds) for every record in the zone that does not carry its own TTL
FQDN = fully qualified domain name; in a zone file a name is only fully qualified when it ends with a trailing dot (ns1.dedi.id.), otherwise the zone origin is appended to it
SOA = start of authority; the five numbers inside it are:
refresh ---> 3 hours --> how often a secondary (slave) server checks the primary's serial number to see whether the zone changed
retry ----> 15 seconds ----> how long the secondary waits before trying again after a failed refresh
expires ---> 1W ---> how long the secondary keeps serving the zone when it cannot reach the primary at all; after this it stops answering for the zone, so it must be much larger than refresh + retry
minimum ---> minimum ttl ---> today this is the negative-caching TTL: how long a resolver may cache a "no such record" answer (RFC 2308)
192.168.1.127 (the lab VM used during the training; ns1.dedi.id is later pointed at this address)
username=workshop
password= dns#1o1! (shared credential for the workshop VM only; it is published here, so never reuse it elsewhere and rotate it after the training)
========================================================================
Mulai masuk ke linux :
$ sudo bash
masukan password
# apt-get install bind9
jika selesai bisa cek dengan cara :
#named -v
#named -V (huruf besar)
# cd /var
/var # mkdir named
/var # cd named
/var/named# mkdir recursive
/var/named# cd recursive/
/var/named/recursive#
/var/named/recursive# vi db.localhost
/var/named/recursive# nano db.localhost
/var/named/recursive# vi db.localhost
/var/named/recursive# more db.localhost
$TTL 300                                  ; default TTL for records that carry none of their own
@ SOA localhost. admin.localhost. (       ; @ = zone origin ("localhost" from named.conf); RNAME admin.localhost. = admin@localhost
2017051502                                ; serial (YYYYMMDDnn): increase it on every edit
600                                       ; refresh
15                                        ; retry
1d                                        ; expire
300)                                      ; minimum / negative-caching TTL
localhost. NS localhost.                  ; the zone is served by itself
localhost. A 127.0.0.1                    ; IPv4 loopback
root@dnssec:/var/named/recursived# vi root.hints
Fill it with the current content of https://www.internic.net/domain/named.root (the official root hints file). Fetch it over HTTPS and refresh it from time to time, because root server addresses do change; on Ubuntu the dns-root-data package also ships a maintained copy as /usr/share/dns/root.hints.
Copy it in as-is; the snapshot below is the version that was current in May 2017.
========================================================================
. 3600000 NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30
;
; FORMERLY NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
B.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:84::b
;
; FORMERLY C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
C.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2::c
;
; FORMERLY TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2d::d
;
; FORMERLY NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
E.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:a8::e
;
; FORMERLY NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f
;
; FORMERLY NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
G.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:12::d0d
;
; FORMERLY AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 198.97.190.53
H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::53
;
; FORMERLY NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fe::53
;
; OPERATED BY VERISIGN, INC.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:c27::2:30
;
; OPERATED BY RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1
;
; OPERATED BY ICANN
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:9f::42
;
; OPERATED BY WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35
; End of file
========================================================================
*Buat file lalu isi sbb :
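// named.conf for the recursive (caching) instance in /var/named/recursive.
options {
    // Must be an absolute path. The original "var/named/recursive" was
    // relative and would be resolved against named's working directory.
    directory "/var/named/recursive";
    // With no ACL this is an open resolver that anyone on the network can
    // use (cache-poisoning target, DDoS amplifier). Restrict recursion and
    // queries to this host and its directly attached networks (the lab LAN).
    recursion yes;
    allow-recursion { localhost; localnets; };
    allow-query { localhost; localnets; };
};
// Root hints (copy of named.root) used to bootstrap recursion.
zone "." { type hint; file "root.hints"; };
// Authoritative for localhost so those lookups never leave the machine.
zone "localhost" { type master; file "db.localhost"; };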
lalu simpan nama filenya named.conf
(kalau menggunaan nano savenya ^x , Y enter, sedangkan untk delet satu baris di nano teken ^K )
then start it from the directory that holds named.conf (-g keeps named in the foreground with logging to the terminal, which is convenient in the lab; note that as typed it keeps running as root - for anything beyond the lab add `-u bind` so named drops to an unprivileged user after binding port 53):
named -g -c named.conf
If named aborts with a fatal error while opening named.conf or the zone files, the usual cause on Ubuntu is the AppArmor profile for /usr/sbin/named, which typically does not permit access under /var/named. The two commands below switch AppArmor off for the whole machine, acceptable only in a throw-away lab; the safer fix is to keep the files in a directory the profile already allows (/etc/bind or /var/cache/bind), or to add /var/named/** to the profile's local override file and reload it with `apparmor_parser -r`:
service apparmor teardown
service apparmor stop
untuk cek
dig @localhost www.icann.org
=========================
zone ---> dedi,id
name ---> ns.dedi.id
ipaddress-----> 192.168.1.127
=========================
Next, build a second, separate instance for the authoritative (master) server, with its own directory next to the recursive one:
/var/named/recursive (the caching resolver built above)
/var/named/master (new: holds its own named.conf plus the zone file for dedi.id)
zone file for dedi.id (db.dedi.id, created below)
==================
setelah di ubah ke master
root.hits
menjadi :
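; root.hits: trimmed root hints for the master instance (A.ROOT-SERVERS.NET. only).
; The owner name of the NS record is "." (the root). The copy in the notes had
; lost it, which would turn "3600000" into the owner name instead of the TTL.
. 3600000 NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
; NOTE(review): a single root server is a single point of failure for
; recursion; prefer the full named.root list used by the recursive instance.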
named.conf
menjadi :
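// named.conf for the authoritative (master) instance in /var/named/master.
options {
    directory "/var/named/master";
    // This instance only serves zones it is authoritative for; the separate
    // recursive instance does the lookups. Offering recursion here as well
    // would make an authoritative server an open resolver.
    recursion no;
    // Zone transfers are opened per zone below; refuse them by default.
    allow-transfer { none; };
};
// Root hints kept as in the training material; unused while recursion is off.
zone "." { type hint; file "root.hints"; };
zone "localhost" { type master; file "db.localhost"; };
zone "dedi.id" {
    type master;
    file "db.dedi.id";
    // Allow AXFR only from the directly attached lab network, where the
    // slave (ns.denny.id) is; narrow this to the slave's address outside the lab.
    allow-transfer { localnets; };
};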
buat db.dedi.id :
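$TTL 600
; SOA: MNAME = primary name server, RNAME = admin mailbox (admin@dedi.id).
; Both must end with a dot; the original "admin.dedi.id" lacked it and
; would have been expanded to admin.dedi.id.dedi.id.
@ SOA ns1.dedi.id. admin.dedi.id. (
2017051502      ; serial (YYYYMMDDnn): increase it on every change
300             ; refresh
15              ; retry
680             ; expire - NOTE(review): 680 s is far too short; a slave
                ;   drops the zone after ~11 minutes without the master
                ;   (RFC 1912 suggests 2-4 weeks)
60 )            ; minimum / negative-caching TTL
; The record type is NS; "ns1" is not a record type and named rejects the line.
dedi.id.        NS  ns1.dedi.id.
; Fully qualified owner: without the trailing dot this would expand to
; ns1.dedi.id.dedi.id.
ns1.dedi.id.    A   192.168.1.127
; Relative owners get the zone origin appended: www -> www.dedi.id.
www             A   10.10.10.1
ftp             A   10.10.10.2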
============================ master: edit db.dedi.id (bump the serial, add the slave as a second NS) ============
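$TTL 600
; RNAME carries a trailing dot here; without it (as in the original) it would
; have been expanded to admin.dedi.id.dedi.id.
@ SOA ns1.dedi.id. admin.dedi.id. (
2017051503      ; serial: change the last two digits on every edit, or the slave never transfers the new zone
300             ; refresh
15              ; retry
680             ; expire - NOTE(review): far too short, see RFC 1912
60 )            ; minimum / negative-caching TTL
dedi.id.        NS  ns1.dedi.id.
dedi.id.        NS  ns.denny.id.   ; added: the slave as second NS; its address belongs to the denny.id zone, not here
; Trailing dot added: the original "ns1.dedi.id" expanded to ns1.dedi.id.dedi.id.
ns1.dedi.id.    A   192.168.1.127
www             A   10.10.10.1
ftp             A   10.10.10.2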
================================================================
============================Slave ubah DB.Dedi.id =============
ps -ef|grep named
named -g -c named.conf
how to stop the running instances (prefer a clean shutdown - `rndc stop` if rndc is configured, otherwise `kill -TERM <pid>` - so named releases port 53 and flushes its journal; `kill -9` as used below is a last resort):
root@dnssec:/var/named/master# named -c named.conf
root@dnssec:/var/named/master# ps -ef|grep named
root 1758 1673 0 11:41 pts/1 00:00:00 named -g -c named.conf
root 1836 1 0 13:15 ? 00:00:00 named -c named.conf
root 1846 1673 0 13:16 pts/1 00:00:00 grep --color=auto named
root@dnssec:/var/named/master# kill -9 1758
root@dnssec:/var/named/master# kill -9 1836
[1] Killed named -g -c named.conf
root@dnssec:/var/named/master# ps -ef|grep named
root 1848 1673 0 13:16 pts/1 00:00:00 grep --color=auto named
root@dnssec:/var/named/master#
cek recursive dan master untuk dig
======================================================================
root@dnssec:/var/named/master# more db.
db.dedi.id db.dedi.id.save db.localhost
root@dnssec:/var/named/master# more db.
db.dedi.id db.dedi.id.save db.localhost
root@dnssec:/var/named/master# more db.
db.dedi.id db.dedi.id.save db.localhost
root@dnssec:/var/named/master# more db.dedi.id
$TTL 600                            ; default TTL
@ SOA ns1.dedi.id. admin.dedi.id.(  ; MNAME = primary, RNAME = admin@dedi.id (both fully qualified)
2017051507                          ; serial: bumped for every edit so the slave notices the change
300                                 ; refresh
15                                  ; retry
680                                 ; expire - NOTE(review): only ~11 min, far below the 2-4 weeks RFC 1912 suggests
60)                                 ; minimum / negative-caching TTL
dedi.id. NS ns1.dedi.id.            ; primary (this host)
dedi.id. NS ns.denny.id.            ; slave; its address lives in the denny.id zone, not here
ns1.dedi.id. A 192.168.1.127        ; address of the primary
dedi.id. A 192.168.1.127            ; address of the zone apex itself
www A 10.10.10.1                    ; relative owners get the origin appended: www.dedi.id.
ftp A 10.10.10.2
root@dnssec:/var/named/master# ps -ef|grep named
root 1918 1 0 13:19 ? 00:00:00 named -c named.conf
root 1924 1 0 13:19 ? 00:00:00 named -c named.conf
root 1945 1673 0 13:21 pts/1 00:00:00 grep --color=auto named
root@dnssec:/var/named/master# kill -9 1918
root@dnssec:/var/named/master# kill -9 1924
root@dnssec:/var/named/master# nano /etc/resolv.conf
root@dnssec:/var/named/master# cd ../recursive/
root@dnssec:/var/named/recursive# ps -ef|grep named
root 1957 1673 0 13:22 pts/1 00:00:00 grep --color=auto named
root@dnssec:/var/named/recursive# name
No command 'name' found, did you mean:
Command 'mame' from package 'mame' (multiverse)
Command 'nama' from package 'nama' (universe)
Command 'named' from package 'bind9' (main)
Command 'nam' from package 'nam' (universe)
Command 'namei' from package 'util-linux' (main)
Command 'uname' from package 'coreutils' (main)
Command 'lame' from package 'lame' (universe)
Command 'nvme' from package 'nvme-cli' (universe)
name: command not found
root@dnssec:/var/named/recursive# service apparmor teardown
* Unloading AppArmor profiles [ OK ]
root@dnssec:/var/named/recursive# service apparmor stop
root@dnssec:/var/named/recursive# named -c named.conf
root@dnssec:/var/named/recursive# cd master
bash: cd: master: No such file or directory
root@dnssec:/var/named/recursive# cd ../master/
root@dnssec:/var/named/master# named -c named.conf
root@dnssec:/var/named/master# dig @localhost www.dedi.id
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @localhost www.dedi.id
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28612
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.dedi.id. IN A
;; ANSWER SECTION:
www.dedi.id. 600 IN A 10.10.10.1
;; AUTHORITY SECTION:
dedi.id. 600 IN NS ns1.dedi.id.
dedi.id. 600 IN NS ns.denny.id.
;; ADDITIONAL SECTION:
ns.denny.id. 590 IN A 192.168.1.108
ns1.dedi.id. 600 IN A 192.168.1.127
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Tue May 16 13:23:44 WIB 2017
;; MSG SIZE rcvd: 129
root@dnssec:/var/named/master# dig detik.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> detik.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4360
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;detik.com. IN A
;; ANSWER SECTION:
detik.com. 21 IN A 103.49.221.211
detik.com. 21 IN A 203.190.242.211
;; Query time: 87 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue May 16 13:24:05 WIB 2017
;; MSG SIZE rcvd: 70
========================================================================
note: start the recursive instance first, then the master (the order used above). Two things to notice in the transcript: the `dig detik.com` answer came from 8.8.8.8 (SERVER: 8.8.8.8#53), i.e. whatever /etc/resolv.conf points at, not the local recursive server - to test the recursive instance query it explicitly (`dig @127.0.0.1 detik.com`) or point resolv.conf at 127.0.0.1. Also, both instances run on one host with the default listen address and port 53; that appears to work in this lab, but for a real deployment give each instance its own `listen-on`/`listen-on-v6` and `pid-file`, or run them on separate hosts.
========================================================================
PELATIHAN HARI KE 2:
Cara Buat DNSSec
Pertama masuk ke master
root@dnssec:/var/named# cd master
root@dnssec:/var/named/master# ls
db.dedi.id db.localhost named.conf root.hits
db.dedi.id.save dblocalhost.save root.hints
Edit named.conf
=====================
root@dnssec:/var/named/master# nano named.conf
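// named.conf for the master instance with the DNSSEC options added (day 2).
options {
    directory "/var/named/master";
    // added: lets this server return the DNSKEY/RRSIG/NSEC records of its
    // signed zones (already the default in this BIND version).
    dnssec-enable yes;
    // added: validation is a resolver function - it only has an effect on a
    // recursive instance and only with a trust anchor configured ("auto"
    // uses BIND's built-in root key). It is inert on this authoritative server.
    dnssec-validation yes;
    // Authoritative only; the recursive instance handles lookups.
    recursion no;
    allow-transfer { none; };
};
zone "." { type hint; file "root.hits"; };
zone "localhost" { type master; file "db.localhost"; };
zone "dedi.id" {
    type master;
    file "db.dedi.id";
    // AXFR only from the lab network where the slave is; narrow to the
    // slave's address outside the lab.
    allow-transfer { localnets; };
};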
==================================
Then generate the zone-signing key (ZSK). The training uses RSASHA1 (algorithm 5) with a 1024-bit modulus; both are obsolete - RFC 8624 says RSASHA1 must not be used for new signing and 1024-bit RSA is too weak - so outside the lab use `-a RSASHA256 -b 2048` or `-a ECDSAP256SHA256`:
cara#1. root@dnssec:/var/named/master# dnssec-keygen -a rsasha1 -b 1024 -n zone dedi.id
(this appears to hang because dnssec-keygen reads /dev/random, which blocks until the VM has gathered enough entropy; pressing ^C aborts it without writing any key - use method 2 below instead)
cara#2
root@dnssec:/var/named/master# dnssec-keygen -a rsasha1 -r /dev/urandom -b 1024 -n zone dedi.id
Generating key pair.........................++++++ .....++++++
Kdedi.id.+005+39696
(lebih cepat )
Buat cek
root@dnssec:/var/named/master# ls -la
total 52
drwxr-xr-x 2 root root 4096 May 16 13:57 .
drwxr-xr-x 4 root root 4096 May 15 14:39 ..
-rw-r--r-- 1 root root 488 May 15 17:57 db.dedi.id
-rw-r--r-- 1 root root 411 May 15 16:32 db.dedi.id.save
-rw-r--r-- 1 root root 248 May 15 15:39 db.localhost
-rw------- 1 root root 7 May 15 15:35 dblocalhost.save
-rw-r--r-- 1 root root 1024 May 15 15:35 .dblocalhost.swp
-rw-r--r-- 1 root root 423 May 16 13:57 Kdedi.id.+005+39696.key -----> public
-rw------- 1 root root 1010 May 16 13:57 Kdedi.id.+005+39696.private
-rw-r--r-- 1 root root 272 May 16 13:55 named.conf
-rw-r--r-- 1 root root 120 May 15 15:07 root.hints
-rw-r--r-- 1 root root 101 May 15 17:50 root.hits
-rw-r--r-- 1 root root 1024 May 15 17:43 .roots.hots.swp
root@dnssec:/var/named/master# more Kdedi.id.+005+39696.key
; This is a zone-signing key, keyid 39696, for dedi.id.
; Created: 20170516065705 (Tue May 16 13:57:05 2017)
; Publish: 20170516065705 (Tue May 16 13:57:05 2017)
; Activate: 20170516065705 (Tue May 16 13:57:05 2017)
dedi.id. IN DNSKEY 256 3 5 AwEAAagXfWukURRz8uCt7qD0JV92pHqO3Dqz1iATR/dGQvHTZbmqK
4+j 3r9TpO772FhuDl1vOnRlsq4vGhw0bFDqWLV1rpZ45LE0QJ233c7duVgI 7NIaZpdB2pH9Vn4QgIy
ZvY08aOeKk+Uit4xE08o38+Q+dFSU/ewpdKHE oJB+PAGJ
root@dnssec:/var/named/master# more Kdedi.id.+005+39696.private
Private-key-format: v1.3
Algorithm: 5 (RSASHA1)
Modulus: qBd9a6RRFHPy4K3uoPQlX3akeo7cOrPWIBNH90ZC8dNluaorj6Pev1Ok7vvYWG4OXW86dGW
yri8aHDRsUOpYtXWulnjksTRAnbfdzt25WAjs0hpml0Hakf1WfhCAjJm9jTxo54qT5SK3jETTyjfz5D5
0VJT97Cl0ocSgkH48AYk=
PublicExponent: AQAB
PrivateExponent: cy6FdvlFxeoeB++nkQs7gMrfskuqhV8t3xTXP44Z2XOuRSdiai80N46tekWA3je
sCEJrn88APXNxRNp3TosG9VS3jn8+Vwk+t7FF3PN/tY7Vq/SuhgFkYWqwVWAw7erPlVFI8d2N+i9Gl/H
yhaO16MfAYtb58Ob8EiQlFl58nsE=
Prime1: 0ogqfqgFQpvxSXu0M7Hr2aRuu1KG/v9NK0UA5nIkVvxuCBxZFOkVTqxwQ1N4rAh12SJmvIp9
iinaF423WtNBHQ==
Prime2: zGTnexwwOMDUMr8lq3wMuGWJRyrlXumSlM/LpXinQ7/GnOcLyfe/cv4vXKChrvgbP+UgCWcY
yiHAoQQDMB2iXQ==
Exponent1: fO8XIKA+tt9pmWzSbBb6WeZtW7ZGrA3+0l2ZgidcD06vURrZdkI3Rb+owxtGsfg3TwpOI
zaf9xyM8otDsp9ItQ==
Exponent2: hpCsIc42JTc2vU5BM7xQ95nJnnQsXKd0XMrNrVxY6u64iRZIGaklf0S/08DhkbtA3Xkw9
V/N304HbzqgCq6H9Q==
Coefficient: oR8D10eOEb4lwO/P2AN5vAHNh2/Kjyj6Kqd7O5dwvuYOWgbTIIwHgk9z7yVxwPhGUlm
Onh6zi0zA3Zp8LoLutg==
Created: 20170516065705
Publish: 20170516065705
Activate: 20170516065705
Then create the key-signing key (KSK). Warning: the .private file printed above is the zone's signing secret - once it has been pasted into notes or a blog post the key is compromised and must be regenerated, and it must never be copied to the slave. Keep it at mode 0600 (as the ls output shows) and use a normal size such as `-b 2048` rather than the odd 1400 below:
root@dnssec:/var/named/master# dnssec-keygen -a rsasha1 -r /dev/urandom -b 1400 -f KSK -n zone dedi.id
root@dnssec:/var/named/master# dnssec-signzone -o dedi.id -k Kdedi.id.+005+26077 db.dedi.id Kdedi.id.+005+39696
Verifying the zone using the following algorithms: RSASHA1.
Zone fully signed:
Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked
db.dedi.id.signed
root@dnssec:/var/named/master# ls
db.dedi.id dsset-dedi.id. named.conf
db.dedi.id.save Kdedi.id.+005+26077.key root.hints
db.dedi.id.signed Kdedi.id.+005+26077.private root.hits
db.localhost Kdedi.id.+005+39696.key
dblocalhost.save Kdedi.id.+005+39696.private
root@dnssec:/var/named/master#
Type (edit named.conf so the zone statement loads the signed file instead of the unsigned one). After every later change to db.dedi.id the zone must be re-signed with dnssec-signzone - add `-N increment` so the serial is bumped - and named reloaded or restarted. The RRSIGs that dnssec-signzone writes are valid for 30 days by default, so the zone has to be re-signed before then or validating resolvers will treat it as bogus; BIND can do this by itself with `auto-dnssec maintain;` plus `inline-signing yes;` in the zone statement:
named.conf
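// named.conf for the master instance serving the signed zone.
options {
    directory "/var/named/master";
    // Return DNSKEY/RRSIG/NSEC records of signed zones (default in this version).
    dnssec-enable yes;
    // Resolver-side validation; inert on an authoritative-only server and, on
    // a resolver, needs a trust anchor ("auto" uses the built-in root key).
    dnssec-validation yes;
    recursion no;
    allow-transfer { none; };
};
zone "." { type hint; file "root.hits"; };
zone "localhost" { type master; file "db.localhost"; };
zone "dedi.id" {
    type master;
    // The signed output of dnssec-signzone replaces the unsigned file. Its
    // signatures expire (30 days by default): re-sign before then and
    // restart/reload named, or let BIND do it with auto-dnssec maintain.
    file "db.dedi.id.signed";
    // AXFR only from the lab network where the slave is; narrow to the
    // slave's address outside the lab.
    allow-transfer { localnets; };
};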
root@dnssec:/var/named/master# ls
db.dedi.id dsset-dedi.id. named.conf
db.dedi.id.save Kdedi.id.+005+26077.key root.hints
db.dedi.id.signed Kdedi.id.+005+26077.private root.hits
db.localhost Kdedi.id.+005+39696.key
dblocalhost.save Kdedi.id.+005+39696.private
root@dnssec:/var/named/master# more dsset-dedi.id.
dedi.id. IN DS 26077 5 1 2E483B889CC92CF181E08BE94EC0661E636D6683
dedi.id. IN DS 26077 5 2 379D62AF138036B6F61DCBDC91AC9C745213F5DD
B3E65C0B05004765 26012367
root@dnssec:/var/named/master#
============================DOKUMENTASI ===============================
About the dsset-dedi.id. file above: the DS records are what has to be published in the parent zone (.id) through the registrar; until that is done no validating resolver can build a chain of trust to dedi.id, and the signatures can only be checked with a locally configured trust anchor. Publish only the digest type 2 (SHA-256) DS; digest type 1 (SHA-1) is deprecated. Whenever the KSK is rolled the DS in the parent must be updated as well.