DNSSEC
Contents
- 1 DNSSEC Packages
- 2 How to enable DNSSEC in specific software
- 2.1 OpenSSH (fixes the only weak point in SSH design)
- 2.2 Firefox (secure browsing - enhancement of HTTPS)
- 2.3 Chromium/Google Chrome (secure browsing - enhancement of HTTPS)
- 2.4 BIND (serving signed DNS zones)
- 2.5 Postfix (fight spam and frauds)
- 2.6 jabberd (fight spam and frauds)
- 2.7 Thunderbird (secure logins)
- 2.8 lftp (secure downloads and logins)
- 2.9 wget (secure downloads)
- 2.10 proftpd
- 2.11 Sendmail (fight spam and frauds)
- 2.12 LibSPF
- 2.13 ncftp (secure downloads and logins)
- 2.14 libpurple (pidgin + finch -> secure messaging)
- 3 DNSSEC Hardware
- 4 See Also
DNSSEC Packages
- dnssec-anchors
- essential package: contains the IANA root zone trust anchor (the key the whole DNSSEC chain of trust starts from), stored in /usr/share/dnssec-trust-anchors/
- VERY important! Without a trust anchor a validator has nothing to check the chain of signatures against.
- ldns
- DNS(SEC) library libldns
- drill tool (like dig, with DNSSEC support)
- can be used for basic DNSSEC validation, e.g.:
- Should succeed (return 0):
- drill -TD nic.cz # signed domain with a valid chain of trust
- drill -TD google.com # unsigned domain (no DNSSEC data, so there is nothing that can fail)
- Should fail (these domains are deliberately broken to simulate fraudulent DNS records):
- drill -TD rhybar.cz
- drill -TD badsign-a.test.dnssec-tools.org
- to anchor the validation to the IANA root key, rather than to whatever DNSKEYs the zones themselves present, add the option -k /usr/share/dnssec-trust-anchors/root-anchor.key
- dnssec-tools (package is very experimental and volatile right now)
- https://www.dnssec-tools.org/
- another good library libval which can add DNSSEC support to lots of programs
- some tools https://www.dnssec-tools.org/wiki/index.php/DNSSEC-Tools_Components
- libval-shim LD_PRELOAD library to enable DNSSEC for lots of DNSSEC unaware programs http://www.dnssec-tools.org/docs/tool-description/libval_shim.html
- Perl API
- sshfpAUR
- Generates DNS SSHFP-type records from SSH public keys, either from a known_hosts file or by scanning the host's sshd daemon.
- not directly related to DNSSEC, but I guess this will become very popular because of DNSSEC
- opendnssecAUR
- Signs DNS zones to be later published by a DNS server (bind, nsd, etc.)
- Automates refreshing signatures, key rollovers
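To make concrete what the trust anchor in dnssec-anchors is used for, here is an added example (not from the page, ldns or dnssec-tools): it computes a DNSKEY's key tag (RFC 4034 Appendix B) and its DS digest (RFC 4509), which is exactly the comparison a validator makes when it checks a zone's DNSKEY against the DS record published by the parent, or the root DNSKEY against the IANA anchor. The DNSKEY record below is constructed with a 3-byte dummy key for readability; it is not the real root key, and the presentation format it parses (owner, optional TTL/class, DNSKEY, flags, protocol, algorithm, base64 key) is assumed to match what drill prints.

```python
"""Key tag (RFC 4034 App. B) and DS digest (RFC 4509) of a DNSKEY record.

Added example; not from the page or from ldns/dnssec-tools.
"""
import base64
import hashlib
import struct

# Constructed sample DNSKEY in presentation format. Flags 257 = KSK (SEP bit set),
# protocol 3, algorithm 8 (RSA/SHA-256). The key "AQID" (bytes 01 02 03) is a dummy;
# this is NOT the real root key from root-anchor.key.
SAMPLE_DNSKEY = "example. IN DNSKEY 257 3 8 AQID"


def parse_dnskey(rr_text):
    """Return (owner, flags, protocol, algorithm, pubkey_bytes) from a DNSKEY line."""
    fields = rr_text.split()
    idx = fields.index("DNSKEY")          # tolerate optional TTL / class before it
    owner = fields[0]
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return owner, flags, proto, alg, pubkey


def dnskey_rdata(flags, proto, alg, pubkey):
    """Wire-format RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B: sum the RDATA as 16-bit big-endian words, fold the
    carry back in, keep the low 16 bits. (Not valid for algorithm 1, RSA/MD5.)"""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def owner_wire(owner):
    """Canonical wire form of the owner name: lowercase, length-prefixed labels,
    terminated by the root label (a single zero byte)."""
    name = owner.lower().rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_record(dnskey_text, digest_type=2):
    """DS RDATA 'keytag alg digest_type hexdigest' for the given DNSKEY.
    The digest covers owner name (wire form) followed by the DNSKEY RDATA."""
    owner, flags, proto, alg, pubkey = parse_dnskey(dnskey_text)
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(owner_wire(owner) + rdata).hexdigest()
    return f"{key_tag(rdata)} {alg} {digest_type} {digest}"


def ds_matches(dnskey_text, ds_rdata):
    """True iff a DS record (from the parent zone, or a configured trust anchor)
    authenticates this DNSKEY. A changed key, a changed algorithm or an
    unsupported digest type all fail, as they must for a validator."""
    tag, alg, dtype, digest = ds_rdata.split()
    try:
        expected = ds_record(dnskey_text, int(dtype))
    except KeyError:
        return False                      # digest type we cannot compute
    return expected.lower() == f"{tag} {alg} {dtype} {digest}".lower()


if __name__ == "__main__":
    print(ds_record(SAMPLE_DNSKEY))
```

Feeding the real root DNSKEY (as printed by `drill -D . DNSKEY`) through `ds_record` and comparing the result with the DS published by IANA is the manual equivalent of what drill does when it is given `-k root-anchor.key`.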
How to enable DNSSEC in specific software
For full DNSSEC protection every application that relies on DNS must either validate the answers itself or learn from the resolver whether validation succeeded (the AD bit in the response, which is only trustworthy when the resolver runs locally or the path to it is otherwise protected). This can be done in several ways:
- patches
- plugins, extensions, wrappers
- universal LD_PRELOAD wrapper
- overriding calls to: gethostbyname(3), gethostbyaddr(3), getnameinfo(3), getaddrinfo(3), res_query(3)
- libval-shim from dnssec-tools: http://www.dnssec-tools.org/docs/tool-description/libval_shim.html
- local validating DNS proxy (the application then trusts the proxy's AD bit)
OpenSSH (fixes the only weak point in SSH design: trusting an unknown host key on first connection)
- dnssec-tools + patch: https://www.dnssec-tools.org/wiki/index.php/Ssh
- unpatched OpenSSH already looks up SSHFP records when VerifyHostKeyDNS is set, but accepts a matching key without prompting only if the system resolver reports the answer as DNSSEC-validated; the dnssec-tools patch moves the validation into ssh itself
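Added example connecting the sshfp package listed above with this OpenSSH entry (my code, not from sshfp, dnssec-tools or OpenSSH): it derives the SSHFP RDATA for a public key line the way `ssh-keygen -r` does (SHA-1 or SHA-256 over the raw key blob), and applies the VerifyHostKeyDNS rule that a matching record is auto-trusted only when the resolver flagged the answer as validated (AD bit set). The Ed25519 key and the two DNS headers are constructed for the example; the algorithm numbers are the IANA SSHFP assignments.

```python
"""SSHFP generation and the "only trust validated SSHFP" decision.

Added example; not from the page, sshfp, dnssec-tools or OpenSSH.
"""
import base64
import hashlib
import struct

# IANA SSHFP algorithm numbers (RFC 4255, 6594, 7479) and fingerprint types.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                   "ssh-ed25519": 4}
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}
AD_FLAG = 0x0020   # "authentic data" bit in the DNS header flags word (RFC 4035)


def ssh_string(data):
    """SSH wire string: 4-byte big-endian length followed by the bytes."""
    return struct.pack("!I", len(data)) + data


def make_ed25519_pubkey_line(raw32):
    """Build an authorized_keys/known_hosts style line around 32 raw key bytes.
    Constructed for the example; the bytes are not a real key."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " test@example"


def sshfp_rdata(pubkey_line, fptype="sha256"):
    """SSHFP RDATA 'alg fptype hexfingerprint', as ssh-keygen -r would print it."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob starts with an SSH string repeating the key type; check it.
    (n,) = struct.unpack("!I", blob[:4])
    if blob[4:4 + n] != keytype.encode("ascii"):
        raise ValueError("key type inside blob does not match key type field")
    fingerprint = getattr(hashlib, fptype)(blob).hexdigest()
    return f"{SSHFP_ALGORITHM[keytype]} {SSHFP_FPTYPE[fptype]} {fingerprint}"


def dns_header_ad_flag(message):
    """True if the AD bit is set in the 12-byte DNS header of a message."""
    _msg_id, flags = struct.unpack("!HH", message[:4])
    return bool(flags & AD_FLAG)


def trust_host_key(pubkey_line, sshfp_rdatas, dns_message):
    """Mirror the OpenSSH VerifyHostKeyDNS rule. Returns:
    'trusted'            matching SSHFP and the answer was DNSSEC-validated
    'match-unvalidated'  matching SSHFP but no AD bit: still ask the user,
                         a forged answer could carry a forged SSHFP
    'no-match'           no SSHFP for this key"""
    mine = sshfp_rdata(pubkey_line)
    if mine not in sshfp_rdatas:
        return "no-match"
    return "trusted" if dns_header_ad_flag(dns_message) else "match-unvalidated"


# Constructed inputs (not real keys or captured traffic).
KEY_LINE = make_ed25519_pubkey_line(bytes(range(32)))
# flags 0x81A0 = QR|RD|RA|AD ; 0x8180 = QR|RD|RA (same answer, not validated)
VALIDATED_HDR = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)
UNVALIDATED_HDR = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)

if __name__ == "__main__":
    rr = sshfp_rdata(KEY_LINE)
    print("host.example. IN SSHFP", rr)
    print(trust_host_key(KEY_LINE, [rr], VALIDATED_HDR))
    print(trust_host_key(KEY_LINE, [rr], UNVALIDATED_HDR))
```

The middle verdict is the important one: an SSHFP record fetched over plain DNS is no better than a fingerprint read out over the phone by an unknown caller, which is why the record only removes the first-connection prompt when the zone is signed and the resolver validates.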
Firefox (secure browsing - enhancement of HTTPS)
- DNSSEC Validator plugin https://addons.mozilla.org/en-US/firefox/addon/64247/
- DNSSEC Drill plugin http://nlnetlabs.nl/projects/drill/drill_extension.html
- you need ldns and dnssec-root-zone-trust-anchors packages for this plugin
- dnssec-tools + firefox patch: https://www.dnssec-tools.org/wiki/index.php/Firefox
Chromium/Google Chrome (secure browsing - enhancement of HTTPS)
- Vote for #50874
- No patches yet.
- DNSSEC Drill extension (EXPERIMENTAL!)
- you need ldns and dnssec-root-zone-trust-anchors packages for this plugin
BIND (serving signed DNS zones)
- See BIND for more information on BIND
- http://www.dnssec.net/practical-documents
- http://blog.techscrawl.com/2009/01/13/enabling-dnssec-on-bind/
- Or use an external mechanism such as OpenDNSSEC (fully automatic key rollover)
Postfix (fight spam and frauds)
- dnssec-tools + patch
jabberd (fight spam and frauds)
- dnssec-tools + patch
Thunderbird (secure logins)
- dnssec-tools + patch
lftp (secure downloads and logins)
- dnssec-tools + patch
wget (secure downloads)
- dnssec-tools + patch
proftpd
- dnssec-tools + patch
Sendmail (fight spam and frauds)
- dnssec-tools + patch
LibSPF
- dnssec-tools + patch
ncftp (secure downloads and logins)
- dnssec-tools + patch
libpurple (pidgin + finch -> secure messaging)
- no patches yet
- Vote for #12413
DNSSEC Hardware
You can check whether your router, modem, AP, etc. supports DNSSEC (compatibility is a set of separate features, not one switch) using dnssec-tester (a Python and GTK+ based app). The tool can also upload the gathered data to a server so that other users and manufacturers are informed about the compatibility of their devices and can eventually fix the firmware (they will probably be urged to do so). Before running dnssec-tester make sure that you do not have any other nameservers in /etc/resolv.conf, otherwise the results describe the wrong resolver. You can also find the results of performed tests on the dnssec-tester website.
See Also
- AppArmor
- Wikipedia:Domain Name System Security Extensions
- http://www.dnssec.net/
- https://www.iana.org/dnssec/
- https://www.dnssec-tools.org/
- http://linux.die.net/man/1/sshfp
- https://bugs.archlinux.org/task/20325 - [DNSSEC] Add DNS validation support to ArchLinux
- DNSSEC Visualizer