Difference between revisions of "DNSSEC"

From ArchWiki
(rm'ing crypto category (doesn't exist))
m (Few format fixes)
(25 intermediate revisions by 10 users not shown)
Line 1: Line 1:
[[Category:Security (English)]]
+
[[Category:Security]]
[[Category:Web Server (English)]]
+
[[Category:Domain Name System]]
  
 +
{{Poor writing}}
 
{{stub}}
 
{{stub}}
  
 
== Facts ==
 
== Facts ==
 +
 
* [[Wikipedia:Domain Name System Security Extensions]]
 
* [[Wikipedia:Domain Name System Security Extensions]]
 
* http://www.dnssec.net/
 
* http://www.dnssec.net/
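Review bot: both {{Poor writing}} and {{stub}} are placed without an argument, so the rendered notices can only say "please use the first argument of the template" instead of telling editors what is wrong; pass a reason, e.g. {{Poor writing|Mostly a bare list of links with little explanation}} and {{stub|Package descriptions and per-application setup are missing}}.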
Line 12: Line 14:
 
* https://www.dnssec-tools.org/
 
* https://www.dnssec-tools.org/
 
* http://linux.die.net/man/1/sshfp
 
* http://linux.die.net/man/1/sshfp
* http://bugs.archlinux.org/task/20325 - [DNSSEC] Add DNS validation support to ArchLinux
+
* https://bugs.archlinux.org/task/20325 - [DNSSEC] Add DNS validation support to ArchLinux
  
 
== DNSSEC Packages ==
 
== DNSSEC Packages ==
* '''dnssec-root-zone-trust-anchors''' http://aur.archlinux.org/packages.php?ID=39315
+
 
 +
{{Merge|DNSSEC#Howto enable DNSSEC in specific software|Duplicated information}}
 +
* {{Pkg|dnssec-anchors}}
 
** essential package contains keys to internet from [https://www.iana.org/dnssec/ IANA] stored in /usr/share/dnssec-trust-anchors/
 
** essential package contains keys to internet from [https://www.iana.org/dnssec/ IANA] stored in /usr/share/dnssec-trust-anchors/
 
** VERY important!
 
** VERY important!
* '''ldns''' http://aur.archlinux.org/packages.php?ID=18996
+
* {{Pkg|ldns}}
 
** DNS(SEC) library '''libldns'''
 
** DNS(SEC) library '''libldns'''
 
** drill tool (like dig with DNSSEC support)
 
** drill tool (like dig with DNSSEC support)
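Review bot: the {{Pkg|dnssec-anchors}} entry justifies itself only with "VERY important!"; say why: it ships the IANA root zone trust anchor under /usr/share/dnssec-trust-anchors/, which is the starting point of every validation chain, so drill -k and any validating resolver have nothing to validate against without it. The two {{Merge}} templates in this and the following section point at each other with the same rationale; pick one direction (for example fold the package list into the per-application section) so a reader knows which section will survive.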
Line 29: Line 33:
 
***** '''drill -TD badsign-a.test.dnssec-tools.org'''
 
***** '''drill -TD badsign-a.test.dnssec-tools.org'''
 
**** to use root-zone trust anchor add option '''-k /usr/share/dnssec-trust-anchors/root-anchor.key'''
 
**** to use root-zone trust anchor add option '''-k /usr/share/dnssec-trust-anchors/root-anchor.key'''
* '''dnssec-tools''' http://aur.archlinux.org/packages.php?ID=39294 ''(package is very experimental and volatile right now)''
+
* {{AUR|dnssec-tools}} ''(package is very experimental and volatile right now)''
 
** https://www.dnssec-tools.org/
 
** https://www.dnssec-tools.org/
 
** another good library '''libval''' which can add DNSSEC support to lots of programs
 
** another good library '''libval''' which can add DNSSEC support to lots of programs
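Review bot: the drill bullets jump from ** straight to ***** and ****, which renders as empty nested bullets; make them *** and ****. The example drill -TD badsign-a.test.dnssec-tools.org targets a name that, as its label says, carries a deliberately bad signature, but the bullet never says what to expect, so a reader cannot tell a working validator from a broken one; state that the answer should be reported as bogus, and move -k /usr/share/dnssec-trust-anchors/root-anchor.key into the command itself, since without a trust anchor drill cannot validate the chain.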
Line 36: Line 40:
 
*** https://www.dnssec-tools.org/wiki/index.php/Applications
 
*** https://www.dnssec-tools.org/wiki/index.php/Applications
 
** '''libval-shim''' LD_PRELOAD library to enable DNSSEC for lots of DNSSEC unaware programs http://www.dnssec-tools.org/docs/tool-description/libval_shim.html
 
** '''libval-shim''' LD_PRELOAD library to enable DNSSEC for lots of DNSSEC unaware programs http://www.dnssec-tools.org/docs/tool-description/libval_shim.html
** [[PERL]] API
+
** PERL API
* '''openssh-dnssec''' http://aur.archlinux.org/packages.php?ID=39296
+
* {{AUR|openssh-dnssec}}
 
** see lower on this page
 
** see lower on this page
* '''sshfp''' http://aur.archlinux.org/packages.php?ID=29185
+
* {{AUR|sshfp}}
 
** Generates DNS SSHFP-type records from SSH public keys from public keys from a known_hosts file or from scanning the host's sshd daemon.
 
** Generates DNS SSHFP-type records from SSH public keys from public keys from a known_hosts file or from scanning the host's sshd daemon.
 
** not directly related to DNSSEC, but i guess this will become very popular because of DNSSEC
 
** not directly related to DNSSEC, but i guess this will become very popular because of DNSSEC
 +
* {{AUR|opendnssec}}
 +
** Signs DNS zones to be later published by a DNS server (bind, nsd, etc.)
 +
** Automates refreshing signatures, key rollovers
  
 
== Howto enable DNSSEC in specific software ==
 
== Howto enable DNSSEC in specific software ==
 +
 +
{{Merge|DNSSEC#DNSSEC Packages|Duplicated information}}
  
 
If you want full support of DNSSEC, you need each single application to use DNSSEC validation. It can be done using several ways:
 
If you want full support of DNSSEC, you need each single application to use DNSSEC validation. It can be done using several ways:
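Review bot: the sshfp description in this hunk reads "from SSH public keys from public keys from a known_hosts file", a duplicated phrase that survived the edit; reword to "from SSH public keys found in a known_hosts file or obtained by scanning the host's sshd". Also "PERL API" should be "Perl API".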
Line 54: Line 63:
 
** libval-shim from dnssec-tools: http://www.dnssec-tools.org/docs/tool-description/libval_shim.html
 
** libval-shim from dnssec-tools: http://www.dnssec-tools.org/docs/tool-description/libval_shim.html
 
* DNS proxy
 
* DNS proxy
 
  
 
=== [[OpenSSH]] (fixes only weak point in SSH design) ===
 
=== [[OpenSSH]] (fixes only weak point in SSH design) ===
 +
 
* dnssec-tools + patch: https://www.dnssec-tools.org/wiki/index.php/Ssh
 
* dnssec-tools + patch: https://www.dnssec-tools.org/wiki/index.php/Ssh
 
** http://www.dnssec-tools.org/readme/README.ssh
 
** http://www.dnssec-tools.org/readme/README.ssh
* openssh-dnssec wrapper http://aur.archlinux.org/packages.php?ID=39296
+
* {{AUR|openssh-dnssec}} wrapper
 
** DNSSEC (ldns) wrapper for OpenSSH client.
 
** DNSSEC (ldns) wrapper for OpenSSH client.
 
** instantly adds minimal DNSSEC support to ssh (no SSHFP support).
 
** instantly adds minimal DNSSEC support to ssh (no SSHFP support).
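Review bot: the heading says OpenSSH's "only weak point" without naming it; spell out that it is the trust-on-first-use host key prompt, which SSHFP records in a DNSSEC-signed zone let the client verify instead of leaving the decision to the user, and make clear that the {{AUR|openssh-dnssec}} wrapper, which this hunk itself notes has "no SSHFP support", only validates the hostname lookup and does not close that gap.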
Line 65: Line 74:
  
 
=== [[Firefox]] (secure browsing - enchancment of HTTPS) ===
 
=== [[Firefox]] (secure browsing - enchancment of HTTPS) ===
 +
 
* DNSSEC Validator plugin https://addons.mozilla.org/en-US/firefox/addon/64247/
 
* DNSSEC Validator plugin https://addons.mozilla.org/en-US/firefox/addon/64247/
 
* DNSSEC Drill plugin http://nlnetlabs.nl/projects/drill/drill_extension.html
 
* DNSSEC Drill plugin http://nlnetlabs.nl/projects/drill/drill_extension.html
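Review bot: "enchancment" in this heading (and again in the Chromium heading in the next hunk) is a typo for "enhancement"; since headings are section anchors, fix both in the same edit so existing links stay consistent.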
Line 70: Line 80:
 
* dnssec-tools + firefox patch: https://www.dnssec-tools.org/wiki/index.php/Firefox
 
* dnssec-tools + firefox patch: https://www.dnssec-tools.org/wiki/index.php/Firefox
  
=== [[Chromium]]/<s>[[Google Chrome]]</s> (secure browsing - enchancment of HTTPS) ===
+
=== [[Chromium]]/<s>Google Chrome</s> (secure browsing - enchancment of HTTPS) ===
 +
 
 
* Vote for [http://code.google.com/p/chromium/issues/detail?id=50874 #50874]
 
* Vote for [http://code.google.com/p/chromium/issues/detail?id=50874 #50874]
 
** Patches not yet...
 
** Patches not yet...
Line 76: Line 87:
 
*** you need ldns and dnssec-root-zone-trust-anchors packages for this plugin
 
*** you need ldns and dnssec-root-zone-trust-anchors packages for this plugin
  
=== [[Bind]] (serving signed DNS zones) ===
+
=== BIND (serving signed DNS zones) ===
 +
 
 +
* See [[BIND]] for more information on BIND
 
* http://www.dnssec.net/practical-documents
 
* http://www.dnssec.net/practical-documents
 
** http://www.cymru.com/Documents/secure-bind-template.html '''(configuration template!)'''
 
** http://www.cymru.com/Documents/secure-bind-template.html '''(configuration template!)'''
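Review bot: the Chromium bullet still says the Drill extension needs the "dnssec-root-zone-trust-anchors" package, the old AUR name that this revision replaces with {{Pkg|dnssec-anchors}} in the package list; update it to {{Pkg|dnssec-anchors}} so readers do not look for a package under its old name.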
Line 82: Line 95:
 
** http://www.bind9.net/BIND-FAQ
 
** http://www.bind9.net/BIND-FAQ
 
* http://blog.techscrawl.com/2009/01/13/enabling-dnssec-on-bind/
 
* http://blog.techscrawl.com/2009/01/13/enabling-dnssec-on-bind/
 +
* Or use an external mechanisms such as OpenDNSSEC (fully-automatic key rollover)
  
 
=== [[Postfix]] (fight spam and frauds) ===
 
=== [[Postfix]] (fight spam and frauds) ===
 +
 
* dnssec-tools + patch
 
* dnssec-tools + patch
=== [[jabberd]] (fight spam and frauds) ===
+
 
 +
=== jabberd (fight spam and frauds) ===
 +
 
 
* dnssec-tools + patch
 
* dnssec-tools + patch
 +
 
=== [[Thunderbird]] (secure logins) ===
 
=== [[Thunderbird]] (secure logins) ===
 +
 
* dnssec-tools + patch
 
* dnssec-tools + patch
=== [[lftp]] (secure downloads and logins) ===
+
 
 +
=== lftp (secure downloads and logins) ===
 +
 
 
* dnssec-tools + patch
 
* dnssec-tools + patch
 +
 
=== [[wget]] (secure downloads) ===
 
=== [[wget]] (secure downloads) ===
 +
 
* dnssec-tools + patch
 
* dnssec-tools + patch
 +
 
=== [[proftpd]] ===
 
=== [[proftpd]] ===
 +
 
* dnssec-tools + patch
 
* dnssec-tools + patch
 +
 
=== [[Sendmail]] (fight spam and frauds) ===
 
=== [[Sendmail]] (fight spam and frauds) ===
 +
 
* dnssec-tools + patch
 
* dnssec-tools + patch
=== [[LibSPF]] ===
+
 
 +
=== LibSPF ===
 +
 
 
* dnssec-tools + patch
 
* dnssec-tools + patch
=== [[ncftp]] (secure downloads and logins) ===
+
 
 +
=== ncftp (secure downloads and logins) ===
 +
 
 
* dnssec-tools + patch
 
* dnssec-tools + patch
=== [[libpurple]] ([[pidgin]] + [[finch]] -> secure messaging) ===
+
 
 +
=== libpurple ([[pidgin]] + finch -> secure messaging) ===
 +
 
 
* no patches yet
 
* no patches yet
 +
 
* Vote for [http://developer.pidgin.im/ticket/12413 #12413]
 
* Vote for [http://developer.pidgin.im/ticket/12413 #12413]
 
  
 
== DNSSEC Hardware ==
 
== DNSSEC Hardware ==
You can check if your router/modem/AP/etc... supports DNSSEC (many different features) using [http://www.dnssec-tester.cz/ dnssec-tester] (Python & GTK+ based app) to know if it's DNSSEC compatible and using this tool you can also upload gathered data to server, so other users and manufacturers can be informed about compatibility of their devices and eventualy fix the firmware (they will be probably urged to do so). (Before running tester please make sure, that you do not have any other nameservers in /etc/resolv.conf). You can also find the results of performed tests on [http://www.dnssec-tester.cz/ dnssec-tester] website.
+
 
 +
You can check if your router, modem, AP, etc. supports DNSSEC (many different features) using [http://www.dnssec-tester.cz/ dnssec-tester] (Python and GTK+ based app) to know if it is DNSSEC-compatible, and using this tool you can also upload gathered data to a server, so other users and manufacturers can be informed about compatibility of their devices and eventualy fix the firmware (they will be probably urged to do so). (Before running dnssec-tester please make sure, that you do not have any other nameservers in {{ic|/etc/resolv.conf}}). You can also find the results of performed tests on the [http://www.dnssec-tester.cz/ dnssec-tester] website.
  
 
== See Also ==
 
== See Also ==
 +
 
* [[AppArmor]]
 
* [[AppArmor]]
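Review bot: the DNSSEC Hardware paragraph tells readers to remove any other nameservers from /etc/resolv.conf before running dnssec-tester but not why; say that the tester's queries must reach the router or modem under test, and a second resolver answering them would make the results describe the wrong device. The same paragraph keeps the typo "eventualy", the BIND bullet reads "an external mechanisms" (singular "mechanism"), and the only See Also entry is [[AppArmor]], which has nothing to do with DNSSEC; link DNS-related pages instead.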

Revision as of 12:02, 11 November 2013


This article or section needs language, wiki syntax or style improvements.

Reason: please use the first argument of the template to provide a brief explanation. (Discuss in Talk:DNSSEC#)

This article is a stub.

Notes: please use the first argument of the template to provide more detailed indications. (Discuss in Talk:DNSSEC#)

Facts

DNSSEC Packages

This article or section is a candidate for merging with DNSSEC#Howto enable DNSSEC in specific software.

Notes: Duplicated information (Discuss in Talk:DNSSEC#)

Howto enable DNSSEC in specific software

This article or section is a candidate for merging with DNSSEC#DNSSEC Packages.

Notes: Duplicated information (Discuss in Talk:DNSSEC#)

For full DNSSEC support, every single application has to perform DNSSEC validation itself. This can be done in several ways:

OpenSSH (fixes only weak point in SSH design)

Firefox (secure browsing - enhancement of HTTPS)

Chromium/Google Chrome (secure browsing - enhancement of HTTPS)

  • Vote for #50874
    • Patches not yet...
    • DNSSEC Drill extension (EXPERIMENTAL!)
      • you need ldns and dnssec-root-zone-trust-anchors packages for this plugin

BIND (serving signed DNS zones)

Postfix (fight spam and frauds)

  • dnssec-tools + patch

jabberd (fight spam and frauds)

  • dnssec-tools + patch

Thunderbird (secure logins)

  • dnssec-tools + patch

lftp (secure downloads and logins)

  • dnssec-tools + patch

wget (secure downloads)

  • dnssec-tools + patch

proftpd

  • dnssec-tools + patch

Sendmail (fight spam and frauds)

  • dnssec-tools + patch

LibSPF

  • dnssec-tools + patch

ncftp (secure downloads and logins)

  • dnssec-tools + patch

libpurple (pidgin + finch -> secure messaging)

  • no patches yet

DNSSEC Hardware

You can check whether your router, modem, AP, etc. supports DNSSEC (a number of different features) using dnssec-tester (a Python and GTK+ based app). With this tool you can also upload the gathered data to a server, so that other users and manufacturers are informed about the compatibility of their devices and can eventually fix the firmware (they will probably be urged to do so). Before running dnssec-tester, make sure that you do not have any other nameservers in /etc/resolv.conf. You can also find the results of performed tests on the dnssec-tester website.

See Also