Difference between revisions of "DNSSEC"

Edit summaries: (DNSSEC Packages: new section); (rm old information)

== DNSSEC Packages ==
{{Merge|DNSSEC#Howto enable DNSSEC in specific software|Duplicated information}}
* {{Pkg|dnssec-anchors}}
** essential package: contains the root-zone trust anchor keys from [https://www.iana.org/dnssec/ IANA], stored in /usr/share/dnssec-trust-anchors/
** VERY important: without a trust anchor a validator has nothing to chain signatures to, so nothing can ever be marked trusted
* {{Pkg|ldns}}
** DNS(SEC) library '''libldns'''
** drill tool (like dig, with DNSSEC support)
*** can be used for basic DNSSEC validation, e.g.:
**** Should succeed ''(return 0)'':
***** '''drill -TD nic.cz''' ''#validly signed domain''
***** '''drill -TD google.com''' ''#unsigned domain''
**** Should fail ''(these test zones deliberately serve broken signatures, simulating fraudulent DNS records)'':
***** '''drill -TD rhybar.cz'''
***** '''drill -TD badsign-a.test.dnssec-tools.org'''
**** to validate against the root-zone trust anchor add the option '''-k /usr/share/dnssec-trust-anchors/root-anchor.key'''
* {{Pkg|dnssec-tools}} ''(package is very experimental and volatile right now)''
** https://www.dnssec-tools.org/
** another good library, '''libval''', which can add DNSSEC support to lots of programs
*** https://www.dnssec-tools.org/wiki/index.php/DNSSEC_Applications
** some tools: https://www.dnssec-tools.org/wiki/index.php/DNSSEC-Tools_Components
*** https://www.dnssec-tools.org/wiki/index.php/Applications
** '''libval-shim''': LD_PRELOAD library that enables DNSSEC validation for lots of DNSSEC-unaware programs, http://www.dnssec-tools.org/docs/tool-description/libval_shim.html
* {{AUR|sshfp}}
** Generates DNS SSHFP-type records from SSH public keys taken from a known_hosts file or from scanning the host's sshd daemon.
** not directly related to DNSSEC, but I guess this will become very popular because of DNSSEC
* {{AUR|opendnssec}}
** Signs DNS zones to be later published by a DNS server (bind, nsd, etc.)
** Automates refreshing signatures and key rollovers

Revision as of 12:35, 22 April 2017

This article or section needs language, wiki syntax or style improvements.

Reason: More a draft than an article (Discuss in Talk:Style#Reworking)

From W:Domain Name System Security Extensions:

The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

Basic DNSSEC validation

The drill tool can be used for basic DNSSEC validation. To use drill, install the ldns package.

Query with DNSSEC validation

To send a DNSSEC-aware query (the DO bit is set, so the answer includes the RRSIG records and, if the upstream resolver validates, the AD flag), use the -D flag:

$ drill -D example.com

To have drill validate the chain itself, add the -T flag, which traces from the root servers down to the domain being resolved and marks each record set as trusted, bogus or only self-signed. To anchor that chain at the IANA root key, also pass -k /usr/share/dnssec-trust-anchors/root-anchor.key from the dnssec-anchors package. Use the following domains as a test:

$ drill -DT sigfail.verteiltesysteme.net

The result should end with the following lines, indicating that the DNSSEC signature is bogus:

[B] sigfail.verteiltesysteme.net.       60      IN      A
;; Error: Bogus DNSSEC signature
;;[S] self sig OK; [B] bogus; [T] trusted

Now to test a trusted signature:

$ drill -DT sigok.verteiltesysteme.net

The result should end with the following lines, indicating the signature is trusted:

[T] sigok.verteiltesysteme.net. 60      IN      A
;;[S] self sig OK; [B] bogus; [T] trusted
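The drill checks above (and the drill -TD examples in the DNSSEC Packages list) are easier to use from a script when the [T]/[B] markers are turned into a verdict. The following POSIX shell example is added here and is not from the ArchWiki page or from ldns: it classifies captured drill -DT output and wraps a live query. The sample outputs are constructed in the shape the page shows (key data omitted, addresses from the 192.0.2.0/24 documentation range); it is assumed that drill prints an unsigned zone's answer without any marker, and the trust-anchor path is the one given in the dnssec-anchors package entry.

```shell
#!/bin/sh
# Added example, not part of the ArchWiki page or of ldns: turn the marker
# lines that `drill -DT NAME` prints ([T] trusted, [B] bogus, [S] self-signed
# only) into a one-word verdict so the check can be scripted.

# classify_drill_output NAME  (drill output on stdin)
# Prints "bogus"    if any record is marked [B] or drill reports a bogus
#                   signature (the Error line the page shows),
#        "trusted"  if the answer RRset for NAME carries the [T] marker,
#        "insecure" otherwise: an unsigned zone, or no trust anchor, so
#                   nothing above the answer could be chained to [T].
classify_drill_output() {
    name=${1%.}               # drill prints owner names with a trailing dot
    seen_bogus=0
    seen_trusted=0
    while IFS= read -r line; do
        case $line in
            "[B] "*|";; Error: Bogus DNSSEC signature"*)
                seen_bogus=1 ;;
            # Only the queried name counts: an ancestor being [T]
            # (for example the root DNSKEY) says nothing about the answer.
            "[T] $name."*)
                seen_trusted=1 ;;
        esac
    done
    if [ "$seen_bogus" -eq 1 ]; then
        echo bogus
    elif [ "$seen_trusted" -eq 1 ]; then
        echo trusted
    else
        echo insecure
    fi
}

# check_domain NAME [ANCHOR]: live query (needs network and the ldns package),
# anchored at the IANA root key from dnssec-anchors when that file is present.
check_domain() {
    anchor=${2:-/usr/share/dnssec-trust-anchors/root-anchor.key}   # assumed path
    if [ -r "$anchor" ]; then
        drill -k "$anchor" -DT "$1" 2>&1
    else
        drill -DT "$1" 2>&1
    fi | classify_drill_output "$1"
}

# Constructed sample outputs (not captured from a real run) in the shape the
# page shows; IP addresses are from the 192.0.2.0/24 documentation range.
sample_trusted() {
cat <<'EOF'
[T] . 172800 IN DNSKEY (key data omitted)
[T] sigok.verteiltesysteme.net. 60 IN A 192.0.2.1
;;[S] self sig OK; [B] bogus; [T] trusted
EOF
}
sample_bogus() {
cat <<'EOF'
[T] . 172800 IN DNSKEY (key data omitted)
[B] sigfail.verteiltesysteme.net. 60 IN A 192.0.2.2
;; Error: Bogus DNSSEC signature
;;[S] self sig OK; [B] bogus; [T] trusted
EOF
}
sample_insecure() {
cat <<'EOF'
[T] . 172800 IN DNSKEY (key data omitted)
google.com. 300 IN A 192.0.2.3
;;[S] self sig OK; [B] bogus; [T] trusted
EOF
}

# Offline demonstration on the samples; check_domain is the live equivalent.
for pair in "sigok.verteiltesysteme.net sample_trusted" \
            "sigfail.verteiltesysteme.net sample_bogus" \
            "google.com sample_insecure"; do
    set -- $pair
    printf '%-32s %s\n' "$1" "$("$2" | classify_drill_output "$1")"
done
```

The classifier keys on the queried name rather than on any [T] line because the trace always shows the root key as trusted once an anchor is loaded; a verdict of "insecure" for a zone you know is signed usually means drill had no trust anchor to chain to, which is exactly the situation the dnssec-anchors package exists to fix.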

Howto enable DNSSEC in specific software

This article or section is a candidate for merging with DNSSEC#DNSSEC Packages.

Notes: Duplicated information (Discuss in Talk:DNSSEC#)

For full DNSSEC support, each application has to perform (or check) DNSSEC validation itself; a validating resolver alone does not tell the application whether an answer was authenticated. Depending on the application, this can be done in several ways:

OpenSSH (fixes the only weak point in the SSH design: verifying host keys on first connection, via SSHFP records)

Firefox (secure browsing - enhancement of HTTPS)

Chromium/Google Chrome (secure browsing - enhancement of HTTPS)

  • Vote for #50874
    • Patches not yet...
    • DNSSEC Drill extension (EXPERIMENTAL!)
      • you need ldns and dnssec-root-zone-trust-anchors packages for this plugin

BIND (serving signed DNS zones)

Postfix (fight spam and frauds)

  • dnssec-tools + patch

jabberd (fight spam and frauds)

  • dnssec-tools + patch

Thunderbird (secure logins)

  • dnssec-tools + patch

lftp (secure downloads and logins)

  • dnssec-tools + patch

wget (secure downloads)

  • dnssec-tools + patch


  • dnssec-tools + patch

Sendmail (fight spam and frauds)

  • dnssec-tools + patch


  • dnssec-tools + patch

ncftp (secure downloads and logins)

  • dnssec-tools + patch

libpurple (pidgin + finch -> secure messaging)

  • no patches yet

DNSSEC Hardware

You can check whether your router, modem, AP, etc. supports DNSSEC (a set of separate features) using dnssec-tester (a Python and GTK+ based application). The tool can also upload the gathered data to a server, so that other users and manufacturers are informed about the compatibility of their devices and can eventually fix the firmware (they will probably be urged to do so). Before running dnssec-tester, make sure that /etc/resolv.conf does not list any other nameservers. The results of performed tests are also available on the dnssec-tester website.

See Also