Difference between revisions of "DNSSEC"

From ArchWiki
(DNSSEC Packages: they're everywhere)
(use https for links to archlinux.org)
(4 intermediate revisions by one other user not shown)
Line 13: Line 13:
 
* https://www.dnssec-tools.org/
 
* https://www.dnssec-tools.org/
 
* http://linux.die.net/man/1/sshfp
 
* http://linux.die.net/man/1/sshfp
* http://bugs.archlinux.org/task/20325 - [DNSSEC] Add DNS validation support to ArchLinux
+
* https://bugs.archlinux.org/task/20325 - [DNSSEC] Add DNS validation support to ArchLinux
  
 
== DNSSEC Packages ==
 
== DNSSEC Packages ==
 +
{{Merge|DNSSEC#Howto enable DNSSEC in specific software|Duplicated information}}
 
* {{pkg|dnssec-anchors}}
 
* {{pkg|dnssec-anchors}}
 
** essential package contains keys to internet from [https://www.iana.org/dnssec/ IANA] stored in /usr/share/dnssec-trust-anchors/
 
** essential package contains keys to internet from [https://www.iana.org/dnssec/ IANA] stored in /usr/share/dnssec-trust-anchors/
Line 48: Line 49:
  
 
== Howto enable DNSSEC in specific software ==
 
== Howto enable DNSSEC in specific software ==
 +
 +
{{Merge|DNSSEC#DNSSEC Packages|Duplicated information}}
  
 
If you want full support of DNSSEC, you need each single application to use DNSSEC validation. It can be done using several ways:
 
If you want full support of DNSSEC, you need each single application to use DNSSEC validation. It can be done using several ways:
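Review bot: the Merge template added under == Howto enable DNSSEC in specific software == points at DNSSEC#DNSSEC Packages, while the one added under == DNSSEC Packages == points back at this section with the same reason, "Duplicated information", so neither says which section should survive the merge. Suggest keeping a single template on the section that is to be folded away, or stating the merge direction in the reason argument.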
Line 63: Line 66:
 
* dnssec-tools + patch: https://www.dnssec-tools.org/wiki/index.php/Ssh
 
* dnssec-tools + patch: https://www.dnssec-tools.org/wiki/index.php/Ssh
 
** http://www.dnssec-tools.org/readme/README.ssh
 
** http://www.dnssec-tools.org/readme/README.ssh
* openssh-dnssec wrapper https://aur.archlinux.org/packages.php?ID=39296
+
* {{aur|openssh-dnssec}} wrapper
 
** DNSSEC (ldns) wrapper for OpenSSH client.
 
** DNSSEC (ldns) wrapper for OpenSSH client.
 
** instantly adds minimal DNSSEC support to ssh (no SSHFP support).
 
** instantly adds minimal DNSSEC support to ssh (no SSHFP support).
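Review bot: the README link in the unchanged context of this hunk, http://www.dnssec-tools.org/readme/README.ssh, is still plain http although the link to the same host one line above it already uses https://www.dnssec-tools.org/. This entry sends readers to patch instructions for their SSH client, so switch it to https in the same edit, in line with the https cleanup this revision already applies to the archlinux.org links.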
Line 110: Line 113:
 
* no patches yet
 
* no patches yet
 
* Vote for [http://developer.pidgin.im/ticket/12413 #12413]
 
* Vote for [http://developer.pidgin.im/ticket/12413 #12413]
 
  
 
== DNSSEC Hardware ==
 
== DNSSEC Hardware ==

Revision as of 23:52, 5 December 2012


This article or section needs language, wiki syntax or style improvements.

This article is a stub.

Facts

DNSSEC Packages

This article or section is a candidate for merging with DNSSEC#Howto enable DNSSEC in specific software.

Notes: Duplicated information (Discuss in Talk:DNSSEC#)

Howto enable DNSSEC in specific software

This article or section is a candidate for merging with DNSSEC#DNSSEC Packages.

Notes: Duplicated information (Discuss in Talk:DNSSEC#)

For full DNSSEC support, every single application has to use DNSSEC validation. This can be done in several ways:


OpenSSH (fixes only weak point in SSH design)

Firefox (secure browsing - enhancement of HTTPS)

Chromium/Google Chrome (secure browsing - enhancement of HTTPS)

  • Vote for #50874
    • Patches not yet...
    • DNSSEC Drill extension (EXPERIMENTAL!)
      • you need ldns and dnssec-root-zone-trust-anchors packages for this plugin

BIND (serving signed DNS zones)

Postfix (fight spam and frauds)

  • dnssec-tools + patch

jabberd (fight spam and frauds)

  • dnssec-tools + patch

Thunderbird (secure logins)

  • dnssec-tools + patch

lftp (secure downloads and logins)

  • dnssec-tools + patch

wget (secure downloads)

  • dnssec-tools + patch

proftpd

  • dnssec-tools + patch

Sendmail (fight spam and frauds)

  • dnssec-tools + patch

LibSPF

  • dnssec-tools + patch

ncftp (secure downloads and logins)

  • dnssec-tools + patch

libpurple (pidgin + finch -> secure messaging)

  • no patches yet
  • Vote for #12413

DNSSEC Hardware

You can check whether your router, modem, AP, etc. supports DNSSEC (many different features) with dnssec-tester, a Python & GTK+ based app. The tool can also upload the gathered data to a server, so that other users and manufacturers can be informed about the compatibility of their devices and eventually fix the firmware (they will probably be urged to do so). Before running dnssec-tester, make sure that you do not have any other nameservers in /etc/resolv.conf. You can also find the results of performed tests on the dnssec-tester website.
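
A pre-flight check for the resolv.conf condition above, as an added example that is not part of this wiki page or of dnssec-tester: it reports every nameserver entry other than the device under test. The function names, the sample file contents and the address 192.168.1.1 are assumptions made for illustration.

```python
import ipaddress

# Constructed sample resolv.conf contents (not taken from the page).
SAMPLE_OK = """\
# generated by dhcpcd
domain lan
nameserver 192.168.1.1
"""
SAMPLE_MIXED = """\
nameserver 192.168.1.1
nameserver 8.8.8.8   ; public fallback
nameserver 127.0.0.1
"""


def nameservers(text):
    """Return the nameserver addresses listed in resolv.conf text, in order."""
    found = []
    for raw in text.splitlines():
        # Cut the line at '#' or ';' so comment text is never parsed as an entry.
        fields = raw.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            addr = fields[1].split("%", 1)[0]  # drop an IPv6 zone id such as %eth0
            found.append(ipaddress.ip_address(addr))
    return found


def precheck(text, device):
    """List the reasons why a test run would not exercise only `device`."""
    device = ipaddress.ip_address(device)
    servers = nameservers(text)
    problems = []
    if device not in servers:
        problems.append(f"{device} is not listed as a nameserver")
    for ns in servers:
        if ns == device:
            continue
        if ns.is_loopback:
            problems.append(f"{ns}: local resolver would answer instead of the device")
        else:
            problems.append(f"{ns}: extra nameserver, remove it before testing")
    return problems


if __name__ == "__main__":
    # On a real system, pass open("/etc/resolv.conf").read() and the device's address.
    for label, sample in (("ok", SAMPLE_OK), ("mixed", SAMPLE_MIXED)):
        print(label, precheck(sample, "192.168.1.1"))
```

An empty list means the device under test is the only configured resolver, so the results describe that device and not a fallback server.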

See Also