Difference between revisions of "DNSSEC"

From ArchWiki
(Undo revision 522278 by Larivact (talk) moved article back)
 
(10 intermediate revisions by 7 users not shown)
Line 1: Line 1:
 
[[Category:Encryption]]
 
[[Category:Encryption]]
 
[[Category:Domain Name System]]
 
[[Category:Domain Name System]]
 +
[[es:DNSSEC]]
 
[[ja:DNSSEC]]
 
[[ja:DNSSEC]]
 +
[[pt:DNSSEC]]
 
{{Related articles start}}
 
{{Related articles start}}
 
{{Related|Unbound#DNSSEC validation}}
 
{{Related|Unbound#DNSSEC validation}}
Line 11: Line 13:
 
== Basic DNSSEC validation ==
 
== Basic DNSSEC validation ==
  
{{Note|Further setup is required for your DNS lookups DNSSEC by default. See [[#Install a DNSSEC-aware validating recursive server]] and [[#Enable DNSSEC in specific software]].}}
+
{{Note|Further setup is required for your DNS lookups DNSSEC by default. See [[#Install a DNSSEC-validating resolver]] and [[#Enable DNSSEC in specific software]].}}
  
 
=== Installation ===
 
=== Installation ===
  
 
The ''drill'' tool can be used for basic DNSSEC validation. To use ''drill'', [[install]] the {{pkg|ldns}} package.
 
The ''drill'' tool can be used for basic DNSSEC validation. To use ''drill'', [[install]] the {{pkg|ldns}} package.
 +
 +
For other available tools see [[Domain name resolution#Lookup utilities]].
  
 
=== Query with DNSSEC validation ===
 
=== Query with DNSSEC validation ===
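Review bot: the Note template on both sides of this hunk still reads "Further setup is required for your DNS lookups DNSSEC by default", which has no verb joining "lookups" and "DNSSEC"; since the line is already being touched to retarget the section link, suggest "Further setup is required for your DNS lookups to use DNSSEC by default."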
Line 44: Line 48:
 
  ;;[S] self sig OK; [B] bogus; [T] trusted
 
  ;;[S] self sig OK; [B] bogus; [T] trusted
  
== Install a DNSSEC-aware validating recursive server ==
+
== Install a DNSSEC-validating resolver ==
  
To use DNSSEC system-wide, you can use a validating recursive resolver that is DNSSEC-aware, so that all DNS lookups go through the recursive resolver. [[BIND]] and [[unbound]] are two options that you can setup. Note that each requires specific options to enable their DNSSEC validation feature.
+
To use DNSSEC system-wide, you can use a DNS resolver that is capable of validating DNSSEC records, so that all DNS lookups go through the it. See [[Domain name resolution#Resolvers]] for available options. Note that each requires specific options to enable their DNSSEC validation feature.
  
If you attempt to visit a site with a bogus (spoofed) IP address, the validing resolver (i.e., BIND or unbound) will prevent you from receiving the invalid DNS data and your browser (or other application) will be told there is no such host. Since all DNS lookups go through the validing resolver, you do not need software that has DNSSEC support built-in when using this option.
+
If you attempt to visit a site with a bogus (spoofed) IP address, the validating resolver will prevent you from receiving the invalid DNS data and your browser (or other application) will be told there is no such host. Since all DNS lookups go through the validating resolver, you do not need software that has DNSSEC support built-in when using this option.
  
 
== Enable DNSSEC in specific software ==
 
== Enable DNSSEC in specific software ==
  
If not you choose not to [[#Install a DNSSEC-aware validating recursive server]], you need to use software that has DNSSEC support builtin in order to use its features. Often this means you must patch the software yourself. A list of several patched applications is found [https://www.dnssec-tools.org/wiki/index.php?title=DNSSEC_Applications here]. Additionally some web browsers have extensions or add-ons that can be installed to implement DNSSEC without patching the program.
+
If you choose not to [[#Install a DNSSEC-validating resolver]], you need to use software that has DNSSEC support builtin in order to use its features. Often this means you must patch the software yourself. A list of several patched applications is found [https://www.dnssec-tools.org/wiki/index.php?title=DNSSEC_Applications here]. Additionally some web browsers have extensions or add-ons that can be installed to implement DNSSEC without patching the program.
  
 
== DNSSEC Hardware ==
 
== DNSSEC Hardware ==
  
You can check if your router, modem, AP, etc. supports DNSSEC (many different features) using [http://www.dnssec-tester.cz/ dnssec-tester] (Python and GTK+ based app) to know if it is DNSSEC-compatible, and using this tool you can also upload gathered data to a server, so other users and manufacturers can be informed about compatibility of their devices and eventualy fix the firmware (they will be probably urged to do so). (Before running dnssec-tester please make sure, that you do not have any other nameservers in {{ic|/etc/resolv.conf}}). You can also find the results of performed tests on the [http://www.dnssec-tester.cz/ dnssec-tester] website.
+
{{Out of date|[http://www.dnssec-tester.cz/ dnssec-tester] has been discontinued.}}
 +
 
 +
You can check if your router, modem, AP, etc. supports DNSSEC (many different features) using [http://www.dnssec-tester.cz/ dnssec-tester] (Python and GTK+ based app) to know if it is DNSSEC-compatible, and using this tool you can also upload gathered data to a server, so other users and manufacturers can be informed about compatibility of their devices and eventually fix the firmware (they will be probably urged to do so). (Before running dnssec-tester please make sure, that you do not have any other nameservers in {{ic|/etc/resolv.conf}}). You can also find the results of performed tests on the [http://www.dnssec-tester.cz/ dnssec-tester] website.
  
 
== See also ==
 
== See also ==
 +
 
* [http://dnssec.vs.uni-due.de/ DNSSEC Resolver Test] - a simple test to see if you have DNSSEC implemented on your machine.
 
* [http://dnssec.vs.uni-due.de/ DNSSEC Resolver Test] - a simple test to see if you have DNSSEC implemented on your machine.
 
* [https://www.dnssec-tools.org/ DNSSEC-Tools]
 
* [https://www.dnssec-tools.org/ DNSSEC-Tools]
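Review bot: the rewritten resolver paragraph introduces a typo, "so that all DNS lookups go through the it" (should be "go through it"), and the next paragraph's "will be told there is no such host" is imprecise: a validating resolver answers bogus data with SERVFAIL, a lookup failure, not NXDOMAIN, so "the lookup will fail" is the accurate wording. "builtin" in the following section should be "built in". Under DNSSEC Hardware the new Out of date banner is added but the full dnssec-tester instructions are left beneath it; consider trimming them to a one-line note that the tool is no longer available.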

Latest revision as of 08:44, 11 November 2018

From the DNSSEC Wikipedia article:

The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

Basic DNSSEC validation

Note: Further setup is required for your DNS lookups to use DNSSEC by default. See #Install a DNSSEC-validating resolver and #Enable DNSSEC in specific software.

Installation

The drill tool can be used for basic DNSSEC validation. To use drill, install the ldns package.

For other available tools see Domain name resolution#Lookup utilities.

Query with DNSSEC validation

Then to query with DNSSEC validation, use the -D flag:

$ drill -D example.com

Testing

As a test, query the following domains, adding the -T flag, which traces from the root servers down to the domain being resolved:

$ drill -DT sigfail.verteiltesysteme.net

The result should end with the following lines, indicating that the DNSSEC signature is bogus:

[B] sigfail.verteiltesysteme.net.       60      IN      A       134.91.78.139
;; Error: Bogus DNSSEC signature
;;[S] self sig OK; [B] bogus; [T] trusted

Now to test a trusted signature:

$ drill -DT sigok.verteiltesysteme.net

The result should end with the following lines, indicating the signature is trusted:

[T] sigok.verteiltesysteme.net. 60      IN      A       134.91.78.139
;;[S] self sig OK; [B] bogus; [T] trusted
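As an added example, not code from the ArchWiki page or the ldns project, the following Python script automates the two tests above and additionally checks whether the resolver listed in /etc/resolv.conf validates on your behalf: it reads the [B]/[T] marks from a drill -DT trace and the rcode and ad (authenticated data) flag from a plain drill -D query. The live runs need drill and network access; the parsing functions are exercised offline on constructed samples modelled on the output shown above (the header lines are constructed from drill's header format, not captured).

```python
"""Automate the sigfail/sigok tests with drill and interpret the result.

Added example for this page; not code from ArchWiki or the ldns project.
Assumes `drill` (ldns) is installed for the live runs; the parsers below
work offline on the constructed samples at the bottom.
"""
import re
import subprocess

# Marks drill prints in front of records in -DT trace output
# (legend: [S] self sig OK; [B] bogus; [T] trusted).
MARK_RE = re.compile(
    r"^\[(?P<mark>[SBT])\]\s+(?P<owner>\S+)\s+\d+\s+IN\s+(?P<rtype>\S+)\s+(?P<rdata>.*)$"
)
RCODE_RE = re.compile(r"rcode:\s*(?P<rcode>[A-Z]+)")
FLAGS_RE = re.compile(r";; flags:\s*(?P<flags>[a-z ]*?)\s*;")


def classify_trace(output: str, owner: str, rtype: str = "A") -> str:
    """Verdict for the queried name in `drill -DT` output: trusted, bogus or unknown.

    Only marks on records owned by the queried name count, so marks drill puts
    on DNSKEY/DS records of parent zones do not decide the result.
    """
    owner = owner.lower() if owner.endswith(".") else owner.lower() + "."
    verdict = "unknown"
    for line in output.splitlines():
        m = MARK_RE.match(line.strip())
        if not m or m["owner"].lower() != owner or m["rtype"] != rtype:
            continue
        if m["mark"] == "B":
            return "bogus"          # one bogus record spoils the whole RRset
        if m["mark"] == "T":
            verdict = "trusted"
    if "Error: Bogus DNSSEC signature" in output:
        return "bogus"              # drill also prints an explicit error line
    return verdict


def resolver_verdict(output: str) -> str:
    """Verdict for a plain `drill -D` query sent to the configured resolver.

    A validating resolver answers SERVFAIL for bogus data and sets the AD
    (authenticated data) flag on answers it validated; no AD flag means the
    resolver did not validate (or does not do DNSSEC at all).
    """
    rcode = RCODE_RE.search(output)
    if rcode and rcode["rcode"] == "SERVFAIL":
        return "rejected"
    flags = FLAGS_RE.search(output)
    if flags and "ad" in flags["flags"].split():
        return "validated"
    return "unvalidated"


def run_drill(*args: str) -> str:
    """Run drill with the given arguments and return its stdout (needs network)."""
    return subprocess.run(["drill", *args], capture_output=True, text=True, check=False).stdout


# Constructed sample output, modelled on what the page shows for -DT traces
# and on drill's header format for plain queries; not captured from a live run.
SAMPLE_TRACE_BOGUS = """\
[B] sigfail.verteiltesysteme.net.       60      IN      A       134.91.78.139
;; Error: Bogus DNSSEC signature
;;[S] self sig OK; [B] bogus; [T] trusted
"""
SAMPLE_TRACE_OK = """\
[T] sigok.verteiltesysteme.net. 60      IN      A       134.91.78.139
;;[S] self sig OK; [B] bogus; [T] trusted
"""
SAMPLE_QUERY_VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 4181
;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_QUERY_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 4182
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_QUERY_NO_AD = """\
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 4183
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    for name in ("sigfail.verteiltesysteme.net", "sigok.verteiltesysteme.net"):
        print(f"{name}: trace={classify_trace(run_drill('-DT', name), name)} "
              f"resolver={resolver_verdict(run_drill('-D', name))}")
```

On a machine whose resolver validates, the expected pair is sigfail: rejected and sigok: validated; sigok: unvalidated means drill's own trace may still say trusted while every application that does not validate for itself is unprotected, which is exactly the situation the next section addresses.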

Install a DNSSEC-validating resolver

To use DNSSEC system-wide, run a DNS resolver that validates DNSSEC records and point all DNS lookups at it. See Domain name resolution#Resolvers for available options. Note that each requires specific options to enable its DNSSEC validation feature.

If a DNS answer for a site has been spoofed, its signatures will not validate: the validating resolver drops the bogus data and answers with SERVFAIL, so your browser (or other application) sees a failed lookup rather than the attacker's address. Since all DNS lookups go through the validating resolver, you do not need software with built-in DNSSEC support when using this option. Validation covers the path from the resolver to the authoritative servers only; the hop from your applications' stub resolver to a validating resolver on another host is ordinary unauthenticated DNS, so run the validating resolver locally (or otherwise protect that hop) if you rely on it.
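What a validating resolver (and the drill -T trace above) checks at every delegation is that the child zone's DNSKEY hashes to a DS record the parent publishes and signs. The following Python, an added example that is not from this page or from any resolver, recomputes the key tag (RFC 4034 Appendix B) and the DS digest (RFC 4034 section 5.1.4) for a constructed DNSKEY and shows that a key altered by a single byte no longer matches the published DS, which is the point at which a substituted key becomes a bogus answer. The owner name example.com. and the 64 key bytes are synthetic test data, not a real zone key.

```python
"""Recompute the DS record a parent publishes for a child's DNSKEY.

Added example for this page; not code from ArchWiki or any resolver.
Implements the DNSKEY -> DS link of the DNSSEC chain of trust with the
standard library only. TEST_* values are constructed, not real zone data.
"""
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA as it appears on the wire (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest = hash(owner name wire || DNSKEY RDATA); type 2 is SHA-256."""
    hashers = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
    return hashers[digest_type](name_to_wire(owner) + rdata).digest()


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """Presentation form of the DS RR: 'keytag algorithm digesttype hexdigest'."""
    algorithm = rdata[3]
    return f"{key_tag(rdata)} {algorithm} {digest_type} {ds_digest(owner, rdata, digest_type).hex().upper()}"


def ds_matches(owner: str, rdata: bytes, published_ds: str) -> bool:
    """The validator's check: does the parent's DS cover this DNSKEY?"""
    tag, alg, dtype, digest = published_ds.split()
    return (int(tag) == key_tag(rdata)
            and int(alg) == rdata[3]
            and ds_digest(owner, rdata, int(dtype)).hex().upper() == digest.upper())


# Constructed KSK: flags 257 (zone key + SEP bit), protocol 3, algorithm 13
# (ECDSAP256SHA256). The 64 public-key bytes are a synthetic pattern, not a real key.
TEST_OWNER = "example.com."
TEST_PUBKEY = bytes(range(64))
TEST_RDATA = dnskey_rdata(257, 3, 13, TEST_PUBKEY)
# Same key with its first public-key byte changed, standing in for a substituted DNSKEY.
TAMPERED_RDATA = dnskey_rdata(257, 3, 13, bytes([1]) + TEST_PUBKEY[1:])

if __name__ == "__main__":
    ds = ds_record(TEST_OWNER, TEST_RDATA)
    print("DS for", TEST_OWNER, "->", ds)
    print("genuine key accepted?", ds_matches(TEST_OWNER, TEST_RDATA, ds))
    print("tampered key accepted?", ds_matches(TEST_OWNER, TAMPERED_RDATA, ds))
```

The same computation, applied to a real zone, lets you verify by hand that the DS your registrar published matches the DNSKEY your signer produced before you rely on a resolver's verdict; the root zone's own DS (the trust anchor) is what terminates this chain at the top of the trace.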

Enable DNSSEC in specific software

If you choose not to follow #Install a DNSSEC-validating resolver, you need to use software with built-in DNSSEC support in order to use its features. Often this means you must patch the software yourself. A list of several patched applications is found here. Additionally, some web browsers have extensions or add-ons that can be installed to implement DNSSEC without patching the program.

DNSSEC Hardware

This article or section is out of date. Reason: dnssec-tester has been discontinued.

You can check whether your router, modem, AP, etc. supports DNSSEC (many different features) using dnssec-tester (a Python and GTK+ based app). The tool can also upload the gathered data to a server so that other users and manufacturers are informed about the compatibility of their devices and can eventually fix the firmware (they will probably be urged to do so). Before running dnssec-tester, make sure that you do not have any other nameservers in /etc/resolv.conf. You can also find the results of performed tests on the dnssec-tester website.

See also