Difference between revisions of "DNSSEC"

From ArchWiki
(use https for links to archlinux.org)
m (Enable DNSSEC in specific software: typo)
 
(25 intermediate revisions by 10 users not shown)
Line 1: Line 1:
[[Category:Security]]
+
[[Category:Encryption]]
 
[[Category:Domain Name System]]
 
[[Category:Domain Name System]]
 +
[[ja:DNSSEC]]
 +
{{Related articles start}}
 +
{{Related|Unbound#DNSSEC validation}}
 +
{{Related articles end}}
  
{{Poor writing}}
+
From [[W:Domain Name System Security Extensions]]:
{{stub}}
+
:The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.
  
== Facts ==
+
== Basic DNSSEC validation ==
* [[Wikipedia:Domain Name System Security Extensions]]
+
 
* http://www.dnssec.net/
+
{{Note|Further setup is required for your DNS lookups DNSSEC by default. See [[#Install a DNSSEC-aware validating recursive server]] and [[#Enable DNSSEC in specific software]].}}
** http://www.dnssec.net/practical-documents
+
 
** http://www.dnssec.net/rfc
+
=== Installation ===
* https://www.iana.org/dnssec/
+
 
* https://www.dnssec-tools.org/
+
The ''drill'' tool can be used for basic DNSSEC validation. To use ''drill'', [[install]] the {{pkg|ldns}} package.
* http://linux.die.net/man/1/sshfp
+
 
* https://bugs.archlinux.org/task/20325 - [DNSSEC] Add DNS validation support to ArchLinux
+
=== Query with DNSSEC validation ===
 +
 
 +
Then to query with DNSSEC validation, use the {{ic|-D}} flag:
 +
 
 +
$ drill -D ''example.com''
 +
 
 +
=== Testing ===
 +
 
 +
As a test use the following domains, adding the {{ic|-T}} flag, which traces from the rootservers down to the domain being resolved:
 +
 
 +
$ drill -DT sigfail.verteiltesysteme.net
 +
 
 +
The result should end with the following lines, indicating that the DNSSEC signature is bogus:
  
== DNSSEC Packages ==
+
[B] sigfail.verteiltesysteme.net.       60      IN      A      134.91.78.139
{{Merge|DNSSEC#Howto enable DNSSEC in specific software|Duplicated information}}
+
;; Error: Bogus DNSSEC signature
* {{pkg|dnssec-anchors}}
+
;;[S] self sig OK; [B] bogus; [T] trusted
** essential package contains keys to internet from [https://www.iana.org/dnssec/ IANA] stored in /usr/share/dnssec-trust-anchors/
 
** VERY important!
 
* {{Pkg|ldns}}
 
** DNS(SEC) library '''libldns'''
 
** drill tool (like dig with DNSSEC support)
 
*** can be used for basic DNSSEC validation. eg.:
 
**** Should success ''(return 0)'':
 
***** '''drill -TD nic.cz''' ''#valid DNSSEC key''
 
***** '''drill -TD google.com''' ''#not signed domain''
 
**** Should fail ''(simulating fraudent DNS records)'':
 
***** '''drill -TD rhybar.cz'''
 
***** '''drill -TD badsign-a.test.dnssec-tools.org'''
 
**** to use root-zone trust anchor add option '''-k /usr/share/dnssec-trust-anchors/root-anchor.key'''
 
* {{aur|dnssec-tools}} ''(package is very experimental and volatile right now)''
 
** https://www.dnssec-tools.org/
 
** another good library '''libval''' which can add DNSSEC support to lots of programs
 
*** https://www.dnssec-tools.org/wiki/index.php/DNSSEC_Applications
 
** some tools https://www.dnssec-tools.org/wiki/index.php/DNSSEC-Tools_Components
 
*** https://www.dnssec-tools.org/wiki/index.php/Applications
 
** '''libval-shim''' LD_PRELOAD library to enable DNSSEC for lots of DNSSEC unaware programs http://www.dnssec-tools.org/docs/tool-description/libval_shim.html
 
** [[PERL]] API
 
* {{aur|openssh-dnssec}}
 
** see lower on this page
 
* {{aur|sshfp}}
 
** Generates DNS SSHFP-type records from SSH public keys from public keys from a known_hosts file or from scanning the host's sshd daemon.
 
** not directly related to DNSSEC, but i guess this will become very popular because of DNSSEC
 
* {{aur|opendnssec}}
 
** Signs DNS zones to be later published by a DNS server (bind, nsd, etc.)
 
** Automates refreshing signatures, key rollovers
 
  
== Howto enable DNSSEC in specific software ==
+
Now to test a trusted signature:
  
{{Merge|DNSSEC#DNSSEC Packages|Duplicated information}}
+
$ drill -DT sigok.verteiltesysteme.net
  
If you want full support of DNSSEC, you need each single application to use DNSSEC validation. It can be done using several ways:
+
The result should end with the following lines, indicating the signature is trusted:
* patches
 
** https://www.dnssec-tools.org/wiki/index.php/DNSSEC_Applications
 
** https://www.dnssec-tools.org/wiki/index.php/DNSSEC_Application_Development
 
* plugins, extensions, wrappers
 
* universal LD_PRELOAD wrapper
 
** overriding calls to: gethostbyname(3), gethostbyaddr(3), getnameinfo(3), getaddrinfo(3), res_query(3)
 
** libval-shim from dnssec-tools: http://www.dnssec-tools.org/docs/tool-description/libval_shim.html
 
* DNS proxy
 
  
 +
[T] sigok.verteiltesysteme.net. 60      IN      A      134.91.78.139
 +
;;[S] self sig OK; [B] bogus; [T] trusted
  
=== [[OpenSSH]] (fixes only weak point in SSH design) ===
+
== Install a DNSSEC-aware validating recursive server ==
* dnssec-tools + patch: https://www.dnssec-tools.org/wiki/index.php/Ssh
 
** http://www.dnssec-tools.org/readme/README.ssh
 
* {{aur|openssh-dnssec}} wrapper
 
** DNSSEC (ldns) wrapper for OpenSSH client.
 
** instantly adds minimal DNSSEC support to ssh (no SSHFP support).
 
** usage: '''alias ssh=ssh-dnssec'''
 
  
=== [[Firefox]] (secure browsing - enchancment of HTTPS) ===
+
To use DNSSEC system-wide, you can use a validating recursive resolver that is DNSSEC-aware, so that all DNS lookups go through the recursive resolver. [[BIND]] and [[unbound]] are two options that you can setup. Note that each requires specific options to enable their DNSSEC validation feature.
* DNSSEC Validator plugin https://addons.mozilla.org/en-US/firefox/addon/64247/
 
* DNSSEC Drill plugin http://nlnetlabs.nl/projects/drill/drill_extension.html
 
** you need ldns and dnssec-root-zone-trust-anchors packages for this plugin
 
* dnssec-tools + firefox patch: https://www.dnssec-tools.org/wiki/index.php/Firefox
 
  
=== [[Chromium]]/<s>[[Google Chrome]]</s> (secure browsing - enchancment of HTTPS) ===
+
If you attempt to visit a site with a bogus (spoofed) IP address, the validing resolver (i.e., BIND or unbound) will prevent you from receiving the invalid DNS data and your browser (or other application) will be told there is no such host. Since all DNS lookups go through the validing resolver, you do not need software that has DNSSEC support built-in when using this option.
* Vote for [http://code.google.com/p/chromium/issues/detail?id=50874 #50874]
 
** Patches not yet...
 
** [http://chromium.googlecode.com/issues/attachment?aid=-8803347052009476090&name=chromium-drill-dnssec-validator.zip&token=6e3489c4e5c62bfaae02516be442d7da DNSSEC Drill extension] (EXPERIMENTAL!)
 
*** you need ldns and dnssec-root-zone-trust-anchors packages for this plugin
 
  
=== BIND (serving signed DNS zones) ===
+
== Enable DNSSEC in specific software ==
* See [[BIND]] for more information on BIND
 
* http://www.dnssec.net/practical-documents
 
** http://www.cymru.com/Documents/secure-bind-template.html '''(configuration template!)'''
 
** http://www.bind9.net/manuals
 
** http://www.bind9.net/BIND-FAQ
 
* http://blog.techscrawl.com/2009/01/13/enabling-dnssec-on-bind/
 
* Or use an external mechanisms such as OpenDNSSEC (fully-automatic key rollover)
 
  
=== [[Postfix]] (fight spam and frauds) ===
+
If not you choose not to [[#Install a DNSSEC-aware validating recursive server]], you need to use software that has DNSSEC support builtin in order to use its features. Often this means you must patch the software yourself. A list of several patched applications is found [https://www.dnssec-tools.org/wiki/index.php?title=DNSSEC_Applications here]. Additionally some web browsers have extensions or add-ons that can be installed to implement DNSSEC without patching the program.
* dnssec-tools + patch
 
=== [[jabberd]] (fight spam and frauds) ===
 
* dnssec-tools + patch
 
=== [[Thunderbird]] (secure logins) ===
 
* dnssec-tools + patch
 
=== [[lftp]] (secure downloads and logins) ===
 
* dnssec-tools + patch
 
=== [[wget]] (secure downloads) ===
 
* dnssec-tools + patch
 
=== [[proftpd]] ===
 
* dnssec-tools + patch
 
=== [[Sendmail]] (fight spam and frauds) ===
 
* dnssec-tools + patch
 
=== [[LibSPF]] ===
 
* dnssec-tools + patch
 
=== [[ncftp]] (secure downloads and logins) ===
 
* dnssec-tools + patch
 
=== [[libpurple]] ([[pidgin]] + [[finch]] -> secure messaging) ===
 
* no patches yet
 
* Vote for [http://developer.pidgin.im/ticket/12413 #12413]
 
  
 
== DNSSEC Hardware ==
 
== DNSSEC Hardware ==
You can check if your router, modem, AP, etc. supports DNSSEC (many different features) using [http://www.dnssec-tester.cz/ dnssec-tester] (Python & GTK+ based app) to know if it is DNSSEC-compatible, and using this tool you can also upload gathered data to a server, so other users and manufacturers can be informed about compatibility of their devices and eventualy fix the firmware (they will be probably urged to do so). (Before running dnssec-tester please make sure, that you do not have any other nameservers in {{ic|/etc/resolv.conf}}). You can also find the results of performed tests on the [http://www.dnssec-tester.cz/ dnssec-tester] website.
 
  
== See Also ==
+
You can check if your router, modem, AP, etc. supports DNSSEC (many different features) using [http://www.dnssec-tester.cz/ dnssec-tester] (Python and GTK+ based app) to know if it is DNSSEC-compatible, and using this tool you can also upload gathered data to a server, so other users and manufacturers can be informed about compatibility of their devices and eventualy fix the firmware (they will be probably urged to do so). (Before running dnssec-tester please make sure, that you do not have any other nameservers in {{ic|/etc/resolv.conf}}). You can also find the results of performed tests on the [http://www.dnssec-tester.cz/ dnssec-tester] website.
* [[AppArmor]]
+
 
 +
== See also ==
 +
* [http://dnssec.vs.uni-due.de/ DNSSEC Resolver Test] - a simple test to see if you have DNSSEC implemented on your machine.
 +
* [https://www.dnssec-tools.org/ DNSSEC-Tools]
 +
* [http://dnsviz.net DNSSEC Visualizer] - a tool for visualizing the status of a DNS zone.
 +
* [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Securing_DNS_Traffic_with_DNSSEC.html RedHat: Securing DNS Traffic with DNSSEC] - thorough article on implementing DNSSEC with ''unbound''. Note that some tools are RedHat specific and not found in Arch Linux.
 +
* [[Wikipedia:Domain Name System Security Extensions]]
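Review bot: the new text carries several grammar slips worth fixing before the wording settles: the Note reads "Further setup is required for your DNS lookups DNSSEC by default" and is missing a verb ("... for your DNS lookups to use DNSSEC by default"); the recursive-server section twice writes "validing" for "validating"; the specific-software section opens "If not you choose not to". On substance, the rewrite drops the old revision's hint that drill accepts "-k /usr/share/dnssec-trust-anchors/root-anchor.key" from the dnssec-anchors package; the new Testing section traces from the root without saying where drill's trust anchor comes from, so that one line should survive. Finally, "Since all DNS lookups go through the validing resolver" holds only if that resolver is the sole nameserver in /etc/resolv.conf, which the Hardware paragraph already cautions about for dnssec-tester; the new section should say so as well.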

Latest revision as of 11:30, 23 April 2017

From W:Domain Name System Security Extensions:

The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

Basic DNSSEC validation

Note: Further setup is required for your DNS lookups to use DNSSEC by default. See #Install a DNSSEC-aware validating recursive server and #Enable DNSSEC in specific software.

Installation

The drill tool can be used for basic DNSSEC validation. To use drill, install the ldns package.

Query with DNSSEC validation

To include DNSSEC data in a query, use the -D flag; it sets the DO bit so that the RRSIG records are returned along with the answer. Validation of the signature chain is shown under Testing below, where -D is combined with -T:

$ drill -D example.com

Testing

As a test, query the following domains, adding the -T flag, which traces from the root servers down to the domain being resolved and validates the signatures along the way:

$ drill -DT sigfail.verteiltesysteme.net

The result should end with the following lines, indicating that the DNSSEC signature is bogus:

[B] sigfail.verteiltesysteme.net.       60      IN      A       134.91.78.139
;; Error: Bogus DNSSEC signature
;;[S] self sig OK; [B] bogus; [T] trusted

Now to test a trusted signature:

$ drill -DT sigok.verteiltesysteme.net

The result should end with the following lines, indicating the signature is trusted:

[T] sigok.verteiltesysteme.net. 60      IN      A       134.91.78.139
;;[S] self sig OK; [B] bogus; [T] trusted
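The marker legend above is what a script has to look at when these checks are automated, for example to verify a resolver after a key rollover. The following shell script is an added example, not part of the ArchWiki page or of ldns: it classifies a drill -DT trace as TRUSTED, BOGUS or INSECURE from the [T]/[B] markers and the ";; Error: Bogus DNSSEC signature" line, and wraps drill for live checks when the ldns package is installed. The sample outputs are constructed from the output shown above; the unsigned-zone sample, the INSECURE label, the DRILL_KEY variable and the check_domain helper are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not from the ArchWiki page or ldns): turn a `drill -DT`
# trace into a one-word verdict from the markers drill prints in front of
# the final answer record: [T] trusted, [B] bogus; [S] only says a
# signature verified against its own key. Lines starting with ";;" are
# drill's commentary, including the marker legend, and are never treated
# as answer records (so the literal "[B] bogus" in the legend cannot
# produce a false alarm).

# Read a trace on stdin; print TRUSTED, BOGUS or INSECURE.
# INSECURE = no validated final answer (for example an unsigned zone);
# this label and the handling of an unmarked final record are assumptions
# of this example, not output that drill itself prints.
classify_drill_trace() {
    dt_bogus=0
    dt_last=
    while IFS= read -r dt_line; do
        case $dt_line in
            ';; Error: Bogus DNSSEC signature'*) dt_bogus=1 ;;
            ';;'*|'') ;;                  # comments, legend, blank lines
            *) dt_last=$dt_line ;;        # candidate final answer record
        esac
    done
    if [ "$dt_bogus" -eq 1 ]; then
        echo BOGUS
        return
    fi
    case $dt_last in
        '[T]'*) echo TRUSTED ;;
        '[B]'*) echo BOGUS ;;
        *)      echo INSECURE ;;
    esac
}

# Live check for one name, when the ldns package (drill) is installed.
# DRILL_KEY is this example's own knob: set it to a trust-anchor file such as
# /usr/share/dnssec-trust-anchors/root-anchor.key (from the dnssec-anchors
# package) to pass it to drill with -k. Exit status: 0 TRUSTED, 1 otherwise.
check_domain() {
    if ! command -v drill >/dev/null 2>&1; then
        echo "drill not found; install the ldns package" >&2
        return 2
    fi
    cd_verdict=$(drill -DT ${DRILL_KEY:+-k "$DRILL_KEY"} "$1" 2>&1 | classify_drill_trace)
    printf '%-40s %s\n' "$1" "$cd_verdict"
    [ "$cd_verdict" = TRUSTED ]
}

# Constructed samples, modelled on the output shown above (record values from
# the page; the unsigned case and the leading ";;" line are made up here).
SAMPLE_BOGUS=';; Number of trusted keys: 1
[B] sigfail.verteiltesysteme.net.       60      IN      A       134.91.78.139
;; Error: Bogus DNSSEC signature
;;[S] self sig OK; [B] bogus; [T] trusted'
SAMPLE_TRUSTED=';; Number of trusted keys: 1
[T] sigok.verteiltesysteme.net. 60      IN      A       134.91.78.139
;;[S] self sig OK; [B] bogus; [T] trusted'
SAMPLE_UNSIGNED=';; Number of trusted keys: 1
unsigned.example.       300     IN      A       192.0.2.10
;;[S] self sig OK; [B] bogus; [T] trusted'

# Offline demonstration over the three samples.
for dt_sample in "$SAMPLE_TRUSTED" "$SAMPLE_BOGUS" "$SAMPLE_UNSIGNED"; do
    printf '%s\n' "$dt_sample" | classify_drill_trace
done
# Live use:  check_domain sigok.verteiltesysteme.net
```

Only the last answer record is inspected because a trace prints validated records for every zone on the way down; a [T] on the root DNSKEY says nothing about the leaf zone, and an unsigned leaf would otherwise be reported as trusted.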

Install a DNSSEC-aware validating recursive server

To use DNSSEC system-wide, run a validating recursive resolver that is DNSSEC-aware and send all DNS lookups through it. BIND and unbound are two options that you can set up. Note that each requires specific configuration options before it validates; see the BIND and unbound pages.

If a response for a site carries bogus (for example spoofed) DNS data, the validating resolver (e.g. BIND or unbound) refuses to pass the invalid records on, and your browser (or other application) is told that the name does not resolve. Since all DNS lookups go through the validating resolver, you do not need software with built-in DNSSEC support when using this option. This only holds if the validating resolver is the sole nameserver your system uses and the path to it is trusted; running it on localhost and listing nothing else in /etc/resolv.conf is the usual arrangement.
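The options each resolver needs are easy to get wrong in a way that silently leaves validation off, and a stray second nameserver in /etc/resolv.conf gives every lookup a way around the validator. The following shell script is an added example, not from the ArchWiki page, unbound or BIND: it lints an unbound.conf or named.conf for the validation settings those programs actually use (auto-trust-anchor-file, module-config and val-permissive-mode for unbound; dnssec-validation for BIND) and checks that resolv.conf points only at the local resolver. The configuration snippets are constructed samples with the weak setting beside the corrected one; the path /etc/unbound/trusted-key.key is an assumed location.

```sh
#!/bin/sh
# Added example (not from the ArchWiki page, unbound or BIND): sanity-check
# the pieces that make "all lookups go through a validating resolver" true.
# Each check reads a config from stdin and returns 0 (ok) or 1 (problem),
# printing the reason on stderr.

# /etc/resolv.conf: every nameserver must be the local resolver. A second,
# remote nameserver is a fallback path that never sees the validator.
resolv_conf_local_only() {
    rc_found=0
    while IFS= read -r rc_line; do
        case $rc_line in
            nameserver*)
                rc_found=1
                set -- $rc_line
                case $2 in
                    127.*|::1) ;;
                    *) echo "resolv.conf: nameserver $2 bypasses the validating resolver" >&2
                       return 1 ;;
                esac ;;
        esac
    done
    [ "$rc_found" -eq 1 ] || { echo "resolv.conf: no nameserver line" >&2; return 1; }
}

# unbound.conf (server: section): validation needs a trust anchor, the
# validator module, and val-permissive-mode left off (permissive mode hands
# bogus answers to clients with the AD bit cleared instead of SERVFAIL).
unbound_validation_enabled() {
    ub_conf=$(cat)
    if ! printf '%s\n' "$ub_conf" | grep -Eq '^[[:space:]]*(auto-)?trust-anchor-file:'; then
        echo "unbound: no (auto-)trust-anchor-file, nothing to validate against" >&2
        return 1
    fi
    if printf '%s\n' "$ub_conf" | grep -Eq '^[[:space:]]*module-config:' &&
       ! printf '%s\n' "$ub_conf" | grep -Eq '^[[:space:]]*module-config:.*validator'; then
        echo "unbound: module-config omits the validator module" >&2
        return 1
    fi
    if printf '%s\n' "$ub_conf" | grep -Eq '^[[:space:]]*val-permissive-mode:[[:space:]]*yes'; then
        echo "unbound: val-permissive-mode: yes passes bogus data through" >&2
        return 1
    fi
    return 0
}

# named.conf (options {}): "auto" uses BIND's built-in root trust anchor;
# "yes" validates only if trust anchors are configured elsewhere; "no" is off.
bind_validation_enabled() {
    if grep -Eq '^[[:space:]]*dnssec-validation[[:space:]]+(auto|yes)[[:space:]]*;'; then
        return 0
    fi
    echo "bind: add 'dnssec-validation auto;' to options {}" >&2
    return 1
}

# Constructed samples: the weak setting beside the corrected one.
WEAK_RESOLV='nameserver 127.0.0.1
nameserver 192.0.2.53'
GOOD_RESOLV='nameserver 127.0.0.1'

WEAK_UNBOUND='server:
    interface: 127.0.0.1
    val-permissive-mode: yes'
GOOD_UNBOUND='server:
    interface: 127.0.0.1
    module-config: "validator iterator"
    auto-trust-anchor-file: "/etc/unbound/trusted-key.key"
    val-permissive-mode: no'

WEAK_BIND='options {
    dnssec-validation no;
};'
GOOD_BIND='options {
    dnssec-validation auto;
};'

# Run every check over both samples and report, never aborting the script.
report() { # report <label> <check> <config>
    if printf '%s\n' "$3" | "$2" 2>/dev/null; then echo "$1: ok"; else echo "$1: PROBLEM"; fi
}
report "weak resolv.conf"  resolv_conf_local_only     "$WEAK_RESOLV"
report "good resolv.conf"  resolv_conf_local_only     "$GOOD_RESOLV"
report "weak unbound.conf" unbound_validation_enabled "$WEAK_UNBOUND"
report "good unbound.conf" unbound_validation_enabled "$GOOD_UNBOUND"
report "weak named.conf"   bind_validation_enabled    "$WEAK_BIND"
report "good named.conf"   bind_validation_enabled    "$GOOD_BIND"
```

Point the checks at the real files with, for example, `unbound_validation_enabled < /etc/unbound/unbound.conf`; the resolv.conf check is the one to run after every network change, since DHCP clients are happy to append an upstream nameserver behind your back.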

Enable DNSSEC in specific software

If you choose not to #Install a DNSSEC-aware validating recursive server, you need software with DNSSEC support built in to benefit from DNSSEC, and you need it for each application separately. Often this means you must patch the software yourself. A list of several patched applications is found here. Additionally, some web browsers have extensions or add-ons that implement DNSSEC validation without patching the program.

DNSSEC Hardware

You can check whether your router, modem, access point, etc. supports DNSSEC (a set of distinct features) using dnssec-tester (a Python and GTK+ based application). The tool can also upload the gathered data to a server, so that other users and manufacturers are informed about the compatibility of their devices and can eventually fix the firmware. Before running dnssec-tester, make sure that /etc/resolv.conf lists no nameservers other than the device under test; otherwise the results describe a different resolver. The results of tests performed by others are published on the dnssec-tester website.

See also

* DNSSEC Resolver Test (http://dnssec.vs.uni-due.de/) - a simple test to see whether DNSSEC validation is in effect on your machine.
* DNSSEC-Tools (https://www.dnssec-tools.org/)
* DNSSEC Visualizer (http://dnsviz.net) - a tool for visualizing the status of a DNS zone.
* RedHat: Securing DNS Traffic with DNSSEC (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Securing_DNS_Traffic_with_DNSSEC.html) - thorough article on implementing DNSSEC with unbound. Note that some tools are RedHat specific and not found in Arch Linux.
* Wikipedia:Domain Name System Security Extensions