Difference between revisions of "DNSSEC"
Revision as of 12:02, 11 November 2013
Facts
- Wikipedia:Domain Name System Security Extensions
- http://www.dnssec.net/
- https://www.iana.org/dnssec/
- https://www.dnssec-tools.org/
- http://linux.die.net/man/1/sshfp
- https://bugs.archlinux.org/task/20325 - [DNSSEC] Add DNS validation support to ArchLinux
DNSSEC Packages
- dnssec-anchors
  - essential package: contains the DNS root-zone trust-anchor keys published by IANA, stored in /usr/share/dnssec-trust-anchors/
  - VERY important!
- ldns
  - DNS(SEC) library libldns
  - drill tool (like dig, with DNSSEC support)
    - can be used for basic DNSSEC validation, e.g.:
      - Should succeed (return 0):
        - drill -TD nic.cz #valid DNSSEC key
        - drill -TD google.com #not signed domain
      - Should fail (simulating fraudulent DNS records):
        - drill -TD rhybar.cz
        - drill -TD badsign-a.test.dnssec-tools.org
    - to use the root-zone trust anchor, add the option -k /usr/share/dnssec-trust-anchors/root-anchor.key
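The four drill commands above make up a small self-test of DNSSEC validation. The following added example (not code from the wiki page or from the ldns project) runs that table as one batch and classifies each outcome, so that a resolver or trust-anchor problem shows up as a named verdict instead of four exit codes to read by hand. It assumes drill is installed and, as the page states, exits 0 when validation succeeds and non-zero when it fails; the anchor path and the domain list are the ones given above.

```python
"""Batch-run the drill validation checks from the page and classify the results.

Added example, not part of the ArchWiki page or the ldns project. Assumes
`drill` (ldns package) is installed and that it returns 0 on successful
validation and non-zero on failure, as the page states.
"""
import shutil
import subprocess

ANCHOR = "/usr/share/dnssec-trust-anchors/root-anchor.key"

# (domain, should_validate): the test table from the page.
CHECKS = [
    ("nic.cz", True),       # correctly signed zone
    ("google.com", True),   # unsigned zone: insecure but not bogus, so drill succeeds
    ("rhybar.cz", False),   # zone with deliberately broken signatures
    ("badsign-a.test.dnssec-tools.org", False),
]


def drill_command(domain, anchor=ANCHOR):
    """argv for `drill -TD -k <anchor> <domain>` (trace from the root, validate)."""
    return ["drill", "-TD", "-k", anchor, domain]


def verdict(domain, should_validate, returncode):
    """Compare drill's exit status with the outcome the page predicts.

    Returns:
      "ok"             - behaviour matches the expectation
      "bogus-accepted" - a badly signed zone validated: validation is NOT working
      "valid-rejected" - a good or unsigned zone failed: missing/stale anchor or
                         network trouble (check the -k path and connectivity)
    """
    succeeded = (returncode == 0)
    if succeeded == should_validate:
        return "ok"
    return "bogus-accepted" if succeeded else "valid-rejected"


def run_checks(checks=CHECKS, anchor=ANCHOR, runner=None):
    """Run every check and return {domain: verdict}.

    `runner` maps argv to an exit code. By default it really executes drill;
    it can be replaced with a fake to exercise the classification offline.
    """
    if runner is None:
        if shutil.which("drill") is None:
            raise RuntimeError("drill not found; install the ldns package")

        def runner(argv):
            return subprocess.run(argv, stdout=subprocess.DEVNULL,
                                  stderr=subprocess.DEVNULL).returncode

    return {domain: verdict(domain, expect, runner(drill_command(domain, anchor)))
            for domain, expect in checks}


if __name__ == "__main__":
    for domain, result in run_checks().items():
        print(f"{domain:40} {result}")
```

Any "bogus-accepted" line means the bad-signature zones resolved anyway, which is exactly the failure the rhybar.cz and badsign-a tests exist to catch; "valid-rejected" on nic.cz or google.com usually points at the trust-anchor file rather than at the zones.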
- dnssec-tools (AUR) (package is very experimental and volatile right now)
  - https://www.dnssec-tools.org/
  - another good library, libval, which can add DNSSEC support to lots of programs
    - some tools: https://www.dnssec-tools.org/wiki/index.php/DNSSEC-Tools_Components
  - libval-shim: LD_PRELOAD library that enables DNSSEC for lots of DNSSEC-unaware programs http://www.dnssec-tools.org/docs/tool-description/libval_shim.html
  - Perl API
- openssh-dnssec (AUR)
  - see lower on this page
- sshfp (AUR)
  - Generates DNS SSHFP-type records from SSH public keys taken from a known_hosts file or from scanning the host's sshd daemon.
  - not directly related to DNSSEC, but I guess this will become very popular because of DNSSEC
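The sshfp package above turns SSH public keys into SSHFP records, which only become trustworthy once the zone carrying them is DNSSEC-signed. The following added example (not code from the wiki page or from the sshfp tool) shows what such a record is made of: the RFC 4255 algorithm number, the fingerprint type, and the SHA-1 or SHA-256 digest of the raw public key blob. The sample keys are constructed wire-format blobs with placeholder bytes, not real keys, and the hostname host.example is likewise constructed.

```python
"""Generate SSHFP resource records (RFC 4255, SHA-256 type from RFC 6594) from
OpenSSH public key lines.

Added example; not code from the ArchWiki page or from the sshfp package.
"""
import base64
import hashlib

# IANA "SSHFP RR Types for public key algorithms"
KEY_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# IANA "SSHFP RR Types for fingerprint types"
FINGERPRINT_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


def encode_public_key_line(key_type, *parts, comment="constructed"):
    """Build an OpenSSH public key line from wire-format parts (used for sample data)."""
    blob = _ssh_string(key_type.encode()) + b"".join(_ssh_string(p) for p in parts)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


# Constructed sample keys with placeholder bytes: NOT real keys.
SAMPLE_KEYS = [
    encode_public_key_line("ssh-ed25519", bytes(range(32))),
    encode_public_key_line("ssh-rsa", b"\x01\x00\x01", b"\x00" + bytes(range(1, 65))),
]


def parse_public_key(line):
    """Split 'type base64 [comment]' into (type, blob).

    Also accepts known_hosts lines ('host type base64 ...'), which is what the
    sshfp tool reads; the leading host field is dropped. The blob's embedded
    type string must match the declared type, so a mislabelled key is rejected.
    """
    fields = line.split()
    if len(fields) >= 3 and fields[0] not in KEY_ALGORITHMS and fields[1] in KEY_ALGORITHMS:
        fields = fields[1:]
    if len(fields) < 2 or fields[0] not in KEY_ALGORITHMS:
        raise ValueError(f"unsupported or malformed key line: {line!r}")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    name_len = int.from_bytes(blob[:4], "big")
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key blob does not match the declared key type")
    return key_type, blob


def sshfp_records(hostname, key_lines, fingerprint_types=(1, 2)):
    """Return zone-file SSHFP records, one per key and fingerprint type."""
    owner = hostname if hostname.endswith(".") else hostname + "."
    records = []
    for line in key_lines:
        key_type, blob = parse_public_key(line)
        alg = KEY_ALGORITHMS[key_type]
        for fp_type in fingerprint_types:
            digest = FINGERPRINT_TYPES[fp_type](blob).hexdigest()
            records.append(f"{owner} IN SSHFP {alg} {fp_type} {digest}")
    return records


if __name__ == "__main__":
    for record in sshfp_records("host.example", SAMPLE_KEYS):
        print(record)
```

The digest is taken over the decoded key blob, not over the base64 text, which is why the type-string check in parse_public_key matters: a record published for the wrong key type would never match what an SSH client computes. Publishing both fingerprint types keeps older clients working while letting current ones prefer SHA-256.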
- opendnssec (AUR)
  - Signs DNS zones to be later published by a DNS server (BIND, NSD, etc.)
  - Automates refreshing signatures and key rollovers
Howto enable DNSSEC in specific software
If you want full DNSSEC support, each application must perform DNSSEC validation itself. This can be achieved in several ways:
- patches
- plugins, extensions, wrappers
- universal LD_PRELOAD wrapper
  - overriding calls to: gethostbyname(3), gethostbyaddr(3), getnameinfo(3), getaddrinfo(3), res_query(3)
  - libval-shim from dnssec-tools: http://www.dnssec-tools.org/docs/tool-description/libval_shim.html
- DNS proxy
OpenSSH (fixes the only weak point in the SSH design)
- dnssec-tools + patch: https://www.dnssec-tools.org/wiki/index.php/Ssh
  - http://www.dnssec-tools.org/readme/README.ssh
- openssh-dnssec (AUR) wrapper
  - DNSSEC (ldns) wrapper for the OpenSSH client.
  - instantly adds minimal DNSSEC support to ssh (no SSHFP support).
  - usage: alias ssh=ssh-dnssec
Firefox (secure browsing - enhancement of HTTPS)
- DNSSEC Validator plugin https://addons.mozilla.org/en-US/firefox/addon/64247/
- DNSSEC Drill plugin http://nlnetlabs.nl/projects/drill/drill_extension.html
  - you need the ldns and dnssec-root-zone-trust-anchors packages for this plugin
- dnssec-tools + firefox patch: https://www.dnssec-tools.org/wiki/index.php/Firefox
Chromium/Google Chrome (secure browsing - enhancement of HTTPS)
- Vote for #50874 (http://code.google.com/p/chromium/issues/detail?id=50874)
  - Patches not yet...
- DNSSEC Drill extension (EXPERIMENTAL!)
  - you need the ldns and dnssec-root-zone-trust-anchors packages for this plugin
BIND (serving signed DNS zones)
- See BIND for more information on BIND
- http://www.dnssec.net/practical-documents
- http://blog.techscrawl.com/2009/01/13/enabling-dnssec-on-bind/
- Or use an external mechanism such as OpenDNSSEC (fully automatic key rollover)
Postfix (fight spam and frauds)
- dnssec-tools + patch
jabberd (fight spam and frauds)
- dnssec-tools + patch
Thunderbird (secure logins)
- dnssec-tools + patch
lftp (secure downloads and logins)
- dnssec-tools + patch
wget (secure downloads)
- dnssec-tools + patch
proftpd
- dnssec-tools + patch
Sendmail (fight spam and frauds)
- dnssec-tools + patch
LibSPF
- dnssec-tools + patch
ncftp (secure downloads and logins)
- dnssec-tools + patch
libpurple (pidgin + finch -> secure messaging)
- no patches yet
- Vote for #12413 (http://developer.pidgin.im/ticket/12413)
DNSSEC Hardware
You can check whether your router, modem, AP, etc. supports DNSSEC (a number of different features are tested) using dnssec-tester (http://www.dnssec-tester.cz/), a Python and GTK+ based application. The tool can also upload the gathered data to a server, so that other users and manufacturers are informed about the compatibility of their devices and can eventually fix the firmware (they will probably be urged to do so). Before running dnssec-tester, make sure that you do not have any other nameservers in /etc/resolv.conf. You can also find the results of performed tests on the dnssec-tester website.