Difference between revisions of "DNSSEC"

From ArchWiki
(Packages: sshfp)
m (Packages)
Line 12: Line 12:
 
** drill tool (like dig with DNSSEC support)
 
** drill tool (like dig with DNSSEC support)
 
*** can be used for basic DNSSEC validation. eg.:
 
*** can be used for basic DNSSEC validation. eg.:
**** Should success:
+
**** Should success ''(return 0)'':
 
***** '''drill -TD nic.cz''' ''#valid DNSSEC key''
 
***** '''drill -TD nic.cz''' ''#valid DNSSEC key''
 
***** '''drill -TD google.com''' ''#not signed domain''
 
***** '''drill -TD google.com''' ''#not signed domain''
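Review bot: the added heading line still reads "Should success"; "Should succeed" is meant, and "(return 0)" would be more precise as "(exit status 0)", since it describes what drill hands back to the shell. The two examples under this heading succeed for different reasons (nic.cz has a valid key, google.com is simply not signed), so a short note that exit status 0 does not by itself mean a signature was verified would keep readers from over-reading the result.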

Revision as of 16:58, 31 July 2010

Facts

Packages

  • dnssec-root-zone-trust-anchors http://aur.archlinux.org/packages.php?ID=39315
    • essential package containing the keys to the Internet, stored in /usr/share/dnssec-trust-anchors/
    • VERY important!
  • ldns http://aur.archlinux.org/packages.php?ID=18996
    • DNS(SEC) library libldns
    • drill tool (like dig with DNSSEC support)
      • can be used for basic DNSSEC validation, e.g.:
        • Should succeed (return 0):
          • drill -TD nic.cz #valid DNSSEC key
          • drill -TD google.com #not signed domain
        • Should fail (simulating fraudulent DNS records):
          • drill -TD rhybar.cz
          • drill -TD badsign-a.test.dnssec-tools.org
        • to use the root-zone trust anchor, add the option -k /usr/share/dnssec-trust-anchors/root-zone.key
  • dnssec-tools https://www.dnssec-tools.org/ (no package yet)
    • another good library which can add DNSSEC support to lots of programs
  • openssh-dnssec http://aur.archlinux.org/packages.php?ID=39296
    • DNSSEC (ldns) wrapper for OpenSSH client.
    • instantly adds minimal DNSSEC support to ssh (no SSHFP support).
    • usage: alias ssh=ssh-dnssec
  • sshfp http://aur.archlinux.org/packages.php?ID=29185
    • Generates DNS SSHFP-type records from SSH public keys, taken either from a known_hosts file or from scanning the host's sshd daemon.
    • not directly related to DNSSEC, but I guess this will become very popular because of DNSSEC
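
The drill checks listed under ldns above, combined into one self-test (an added example, not part of the wiki page or of the ldns project). The function names and the `DRILL`/`ANCHOR` override variables are assumptions made for this example; the domains, flags and anchor path are the ones given above. A failing positive control is reported as inconclusive, because without network access or a readable trust anchor the "should fail" domains fail as well.

```shell
#!/bin/sh
# Added example: self-test built from the drill checks listed on this page.
# DRILL and ANCHOR can be overridden; the function names are hypothetical.
DRILL=${DRILL:-drill}
ANCHOR=${ANCHOR:-/usr/share/dnssec-trust-anchors/root-zone.key}

# Domains from the page: these are listed as succeeding (exit status 0) ...
GOOD="nic.cz google.com"
# ... and these deliberately broken zones are listed as failing (non-zero).
BAD="rhybar.cz badsign-a.test.dnssec-tools.org"

# chase DOMAIN: run the page's command against the root-zone trust anchor.
chase() {
    "$DRILL" -TD -k "$ANCHOR" "$1" >/dev/null 2>&1
}

# dnssec_selftest returns:
#   0  every positive control passed and every broken zone was rejected
#   1  at least one broken zone was accepted (validation is not happening)
#   2  inconclusive: a positive control failed, so a failure of the broken
#      zones could just as well mean no network or an unreadable anchor
dnssec_selftest() {
    for d in $GOOD; do
        if ! chase "$d"; then
            echo "INCONCLUSIVE: $d did not validate" >&2
            return 2
        fi
    done
    rc=0
    for d in $BAD; do
        if chase "$d"; then
            echo "ACCEPTED BOGUS: $d" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: sh dnssec-selftest.sh run
case "${1:-}" in
    run) dnssec_selftest ;;
esac
```
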