Difference between revisions of "DNSSEC"

From ArchWiki
m (stub)
(Howto enable DNSSEC in specific software)
Line 5: Line 5:
 
* http://bugs.archlinux.org/task/20325 - [DNSSEC] Add DNS validation support to ArchLinux
 
* http://bugs.archlinux.org/task/20325 - [DNSSEC] Add DNS validation support to ArchLinux
  
== Packages ==
+
== DNSSEC Packages ==
 
* '''dnssec-root-zone-trust-anchors''' http://aur.archlinux.org/packages.php?ID=39315
 
* '''dnssec-root-zone-trust-anchors''' http://aur.archlinux.org/packages.php?ID=39315
 
** essential package contains keys to internet stored in /usr/share/dnssec-trust-anchors/
 
** essential package contains keys to internet stored in /usr/share/dnssec-trust-anchors/
 
** VERY important!
 
** VERY important!
 
* '''ldns''' http://aur.archlinux.org/packages.php?ID=18996
 
* '''ldns''' http://aur.archlinux.org/packages.php?ID=18996
** DNS(SEC) library libldns
+
** DNS(SEC) library '''libldns'''
 
** drill tool (like dig with DNSSEC support)
 
** drill tool (like dig with DNSSEC support)
 
*** can be used for basic DNSSEC validation. eg.:
 
*** can be used for basic DNSSEC validation. eg.:
Line 21: Line 21:
 
**** to use root-zone trust anchor add option '''-k /usr/share/dnssec-trust-anchors/root-zone.key'''
 
**** to use root-zone trust anchor add option '''-k /usr/share/dnssec-trust-anchors/root-zone.key'''
 
* '''dnssec-tools''' https://www.dnssec-tools.org/ (package not yet)
 
* '''dnssec-tools''' https://www.dnssec-tools.org/ (package not yet)
** another good library which can add DNSSEC support to lots of programs
+
** another good library '''libval''' which can add DNSSEC support to lots of programs
 
* '''openssh-dnssec''' http://aur.archlinux.org/packages.php?ID=39296
 
* '''openssh-dnssec''' http://aur.archlinux.org/packages.php?ID=39296
** DNSSEC (ldns) wrapper for OpenSSH client.
+
** see lower on this page
** instantly adds minimal DNSSEC support to ssh (no SSHFP support).
+
** usage: '''alias ssh=ssh-dnssec'''
+
 
* '''sshfp''' http://aur.archlinux.org/packages.php?ID=29185
 
* '''sshfp''' http://aur.archlinux.org/packages.php?ID=29185
 
** Generates DNS SSHFP-type records from SSH public keys from public keys from a known_hosts file or from scanning the host's sshd daemon.
 
** Generates DNS SSHFP-type records from SSH public keys from public keys from a known_hosts file or from scanning the host's sshd daemon.
 
** not directly related to DNSSEC, but i guess this will become very popular because of DNSSEC
 
** not directly related to DNSSEC, but i guess this will become very popular because of DNSSEC
 +
 +
== Howto enable DNSSEC in specific software ==
 +
=== [[OpenSSH]] ===
 +
* dnssec-tools + patch: https://www.dnssec-tools.org/wiki/index.php/Ssh
 +
** http://www.dnssec-tools.org/readme/README.ssh
 +
* openssh-dnssec wrapper http://aur.archlinux.org/packages.php?ID=39296
 +
** DNSSEC (ldns) wrapper for OpenSSH client.
 +
** instantly adds minimal DNSSEC support to ssh (no SSHFP support).
 +
** usage: '''alias ssh=ssh-dnssec'''
 +
=== [[Firefox]] ===
 +
* DNSSEC Validator plugin https://addons.mozilla.org/en-US/firefox/addon/64247/
 +
* DNSSEC Drill plugin http://nlnetlabs.nl/projects/drill/drill_extension.html
 +
** you need ldns and dnssec-root-zone-trust-anchors packages for this plugin
 +
* dnssec-tools + firefox patch: https://www.dnssec-tools.org/wiki/index.php/Firefox
 +
=== [[Postfix]] (fight spam and frauds) ===
 +
* dnssec-tools + patch
 +
=== [[jabberd]] ===
 +
* dnssec-tools + patch
 +
=== [[Thunderbird]] ===
 +
* dnssec-tools + patch
 +
=== [[lftp]] ===
 +
* dnssec-tools + patch
 +
=== [[wget]] ===
 +
* dnssec-tools + patch
 +
=== [[proftpd]] ===
 +
* dnssec-tools + patch
 +
=== [[Sendmail]] ===
 +
* dnssec-tools + patch
 +
=== [[LibSPF]] ===
 +
* dnssec-tools + patch
 +
=== [[ncftp]] ===
 +
* dnssec-tools + patch
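Review bot: In the new OpenSSH section, "usage: alias ssh=ssh-dnssec" covers only commands typed into an interactive shell; programs that start ssh themselves (scp, rsync, git) do not see shell aliases and will bypass the wrapper. Since the same entry says "no SSHFP support", state both limits next to the usage line so readers do not assume every SSH connection is DNSSEC-checked. Separately, the nine sections from Postfix to ncftp each say only "dnssec-tools + patch" with no link, while the package list marks dnssec-tools as "package not yet"; link each to its patch page as the OpenSSH and Firefox entries do, or collapse them into a single list until there is something to add per program.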

Revision as of 21:14, 31 July 2010

This article is a stub.


Facts

DNSSEC Packages

  • dnssec-root-zone-trust-anchors http://aur.archlinux.org/packages.php?ID=39315
    • essential package; contains the keys to the internet, stored in /usr/share/dnssec-trust-anchors/
    • VERY important!
  • ldns http://aur.archlinux.org/packages.php?ID=18996
    • DNS(SEC) library libldns
    • drill tool (like dig with DNSSEC support)
      • can be used for basic DNSSEC validation, e.g.:
        • Should succeed (return 0):
          • drill -TD nic.cz #valid DNSSEC key
          • drill -TD google.com #not signed domain
        • Should fail (simulating fraudulent DNS records):
          • drill -TD rhybar.cz
          • drill -TD badsign-a.test.dnssec-tools.org
        • to use the root-zone trust anchor, add the option -k /usr/share/dnssec-trust-anchors/root-zone.key
  • dnssec-tools https://www.dnssec-tools.org/ (package not yet)
    • another good library libval which can add DNSSEC support to lots of programs
  • openssh-dnssec http://aur.archlinux.org/packages.php?ID=39296
    • see below on this page
  • sshfp http://aur.archlinux.org/packages.php?ID=29185
    • Generates DNS SSHFP-type records from SSH public keys, taken from a known_hosts file or from scanning the host's sshd daemon.
    • not directly related to DNSSEC, but I guess this will become very popular because of DNSSEC
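
The drill checks from the ldns entry above, wrapped into a repeatable self-test. This is an added example, not part of the wiki page or of ldns; the DRILL and ANCHOR variables and the function names are assumptions made for illustration, and it relies on the exit statuses the page states (0 for the first two domains, non-zero for the last two).

```shell
#!/bin/sh
# Added example: DNSSEC validation self-test built on the page's drill commands.
# DRILL and ANCHOR are illustrative knobs, not options defined by ldns.
DRILL="${DRILL:-drill}"
ANCHOR="${ANCHOR:-/usr/share/dnssec-trust-anchors/root-zone.key}"

# Expected outcomes as listed on the page: pass = exit 0, fail = non-zero.
# Exit 0 covers both a validly signed zone (nic.cz) and an unsigned one
# (google.com), so "pass" means "not bogus", not "cryptographically verified".
CASES='nic.cz pass
google.com pass
rhybar.cz fail
badsign-a.test.dnssec-tools.org fail'

# check_domain DOMAIN EXPECT: true when drill's exit status matches EXPECT.
check_domain() {
    domain=$1 expect=$2
    # stdin is detached so drill cannot consume the case list read by run_cases.
    if "$DRILL" -TD -k "$ANCHOR" "$domain" </dev/null >/dev/null 2>&1; then
        got=pass
    else
        got=fail
    fi
    [ "$got" = "$expect" ]
}

# run_cases: prints one line per domain and returns the number of mismatches.
# The negative cases catch a validator that accepts everything; the positive
# cases catch one that rejects everything (for example a missing trust anchor).
run_cases() {
    mismatches=0
    while read -r domain expect; do
        [ -n "$domain" ] || continue
        if check_domain "$domain" "$expect"; then
            echo "OK       $domain ($expect)"
        else
            echo "MISMATCH $domain (expected $expect)"
            mismatches=$((mismatches + 1))
        fi
    done <<EOF
$CASES
EOF
    return "$mismatches"
}

# Run against the real drill only when asked: sh dnssec-selftest.sh --run
if [ "${1:-}" = "--run" ]; then run_cases; fi
```
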

Howto enable DNSSEC in specific software

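OpenSSH

  • dnssec-tools + patch: https://www.dnssec-tools.org/wiki/index.php/Ssh
    • http://www.dnssec-tools.org/readme/README.ssh
  • openssh-dnssec wrapper http://aur.archlinux.org/packages.php?ID=39296
    • DNSSEC (ldns) wrapper for OpenSSH client.
    • instantly adds minimal DNSSEC support to ssh (no SSHFP support).
    • usage: alias ssh=ssh-dnssec

Firefox

  • DNSSEC Validator plugin https://addons.mozilla.org/en-US/firefox/addon/64247/
  • DNSSEC Drill plugin http://nlnetlabs.nl/projects/drill/drill_extension.html
    • you need ldns and dnssec-root-zone-trust-anchors packages for this plugin
  • dnssec-tools + firefox patch: https://www.dnssec-tools.org/wiki/index.php/Firefox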

Postfix (fight spam and frauds)

  • dnssec-tools + patch

jabberd

  • dnssec-tools + patch

Thunderbird

  • dnssec-tools + patch

lftp

  • dnssec-tools + patch

wget

  • dnssec-tools + patch

proftpd

  • dnssec-tools + patch

Sendmail

  • dnssec-tools + patch

LibSPF

  • dnssec-tools + patch

ncftp

  • dnssec-tools + patch