DNSSEC

From ArchWiki
[[Category:Encryption]]
[[Category:Domain Name System]]
{{Poor writing|More a draft than an article}}
{{stub}}
== DNSSEC Packages ==

{{Merge|DNSSEC#Howto enable DNSSEC in specific software|Duplicated information}}
* {{Pkg|dnssec-anchors}}
** essential package: contains the root zone trust anchor published by [https://www.iana.org/dnssec/ IANA], stored in {{ic|/usr/share/dnssec-trust-anchors/}}
** VERY important: every validating resolver on the system chains its trust back to this key, so without it (or with a stale copy of it) nothing can be validated
* {{Pkg|ldns}}
** provides '''drill''', which can trace a name from the root down and validate it; try it on a deliberately mis-signed test name, which must fail validation:
*** '''drill -TD badsign-a.test.dnssec-tools.org'''
*** to use the root-zone trust anchor, add the option '''-k /usr/share/dnssec-trust-anchors/root-anchor.key'''
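What a trust anchor actually pins down is the key tag and DS digest of a DNSKEY: the same arithmetic a validator performs at every delegation point, and the form in which IANA publishes the root key. The following is an added example (not code from this page, from ldns or from dnssec-anchors) that derives both values from a DNSKEY line the way RFC 4034 specifies. The DNSKEY it uses is a constructed dummy with a four-byte public key, not the real root key; the real one is the file you pass to {{ic|drill -k}}.

```python
"""Derive the key tag (RFC 4034 Appendix B) and DS digest (RFC 4034 section
5.1.4) of a DNSKEY record, the two values a validator uses to tie a zone's
key to the trust anchor it was configured with.

Added example, not code from the ArchWiki page, ldns or dnssec-anchors.
DUMMY_DNSKEY below is a constructed record with a 4-byte key, not a real one.
"""
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Encode an owner name in DNS wire format, lower-cased (canonical form)."""
    name = name.lower().rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label {label!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"  # the empty root label terminates every name


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Serialise DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """16-bit checksum over the RDATA. It only helps pick the right key out of a
    DNSKEY RRset; it is not a security property, the DS digest is."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), upper-case hex.
    Digest type 1 is SHA-1, type 2 is SHA-256 (what the root DS uses)."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(name_to_wire(owner) + rdata).hexdigest().upper()


def parse_dnskey_line(line: str):
    """Parse a zone-file style line 'owner [ttl] [IN] DNSKEY flags proto alg b64key'."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    owner = fields[0]
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return owner, dnskey_rdata(flags, proto, alg, pubkey)


def matches_anchor(dnskey_line: str, anchor_keytag: int, anchor_ds_hex: str) -> bool:
    """Does this DNSKEY correspond to a configured (key tag, DS digest) anchor?
    Both must agree: the tag selects the key, the digest proves it."""
    owner, rdata = parse_dnskey_line(dnskey_line)
    return key_tag(rdata) == anchor_keytag and ds_digest(owner, rdata) == anchor_ds_hex.upper()


# Constructed dummy KSK (flags 257 = zone key + SEP), algorithm 8, 4-byte "key".
DUMMY_PUBKEY = bytes([1, 2, 3, 4])
DUMMY_DNSKEY = ". IN DNSKEY 257 3 8 " + base64.b64encode(DUMMY_PUBKEY).decode()

if __name__ == "__main__":
    owner, rdata = parse_dnskey_line(DUMMY_DNSKEY)
    print("key tag:", key_tag(rdata))
    print("DS (SHA-256):", ds_digest(owner, rdata))
```

Feed {{ic|/usr/share/dnssec-trust-anchors/root-anchor.key}} to {{ic|parse_dnskey_line}} and compare the result with the DS that IANA publishes; a mismatch means the package is stale (for example after a root KSK rollover) and validation with that anchor cannot succeed.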
* {{Pkg|dnssec-tools}} ''(package is very experimental and volatile right now)''
** https://www.dnssec-tools.org/
** another good library, '''libval''', which can add DNSSEC validation to lots of programs
** '''libval-shim''', an LD_PRELOAD library that enables DNSSEC validation for lots of programs that are not DNSSEC-aware: http://www.dnssec-tools.org/docs/tool-description/libval_shim.html
** Perl API
* {{AUR|sshfp}}
** generates DNS SSHFP records from SSH public keys, taken either from a known_hosts file or by scanning the host's sshd
** not part of DNSSEC itself, but SSHFP records are only worth trusting when the answer carrying them is DNSSEC-validated (OpenSSH's {{ic|1=VerifyHostKeyDNS=yes}} accepts only validated fingerprints without asking), which is why the two belong together
* {{AUR|opendnssec}}
** signs DNS zones to be later published by a DNS server (BIND, NSD, etc.)
** automates refreshing signatures and key rollovers

== Howto enable DNSSEC in specific software ==

{{Merge|DNSSEC#DNSSEC Packages|Duplicated information}}
If you want full support of DNSSEC, every single application has to validate DNSSEC itself or get its answers from something that does. This can be done in several ways:
* validate inside the application, without rebuilding it:
** libval-shim from dnssec-tools: http://www.dnssec-tools.org/docs/tool-description/libval_shim.html
* DNS proxy: a local validating resolver that returns SERVFAIL for data that fails validation and sets the AD bit on answers it did validate; unmodified programs then use it through {{ic|/etc/resolv.conf}}
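With the DNS proxy approach a program learns nothing about signatures; all it gets is the AD (Authenticated Data) bit in the response header, and that bit is only meaningful when the resolver runs on the local host and the hop to it cannot be tampered with. The following added example (not code from this page or from any of the packages it lists) builds a query with the EDNS0 DO bit set, which is what makes a DNSSEC-aware resolver validate, and classifies a reply the way a DNSSEC-aware stub would. The reply packets are constructed by hand so the module runs offline; {{ic|send_query()}} does real I/O against an assumed resolver on 127.0.0.1 and is optional.

```python
"""Query a local validating resolver with DO=1 and read the AD bit back.

Added example, not code from the ArchWiki page or from libval/dnssec-tools.
The sample replies at the bottom are constructed headers, not captured traffic.
"""
import socket
import struct

DO_BIT = 0x8000    # EDNS0 "DNSSEC OK": top bit of the 16-bit flags in the OPT TTL field
FLAG_QR = 0x8000   # header: this is a response
FLAG_RD = 0x0100   # header: recursion desired
FLAG_RA = 0x0080   # header: recursion available
FLAG_AD = 0x0020   # header: resolver validated all data in the answer
FLAG_CD = 0x0010   # header: checking disabled (never set by a client that wants validation)


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Standard query with RD set plus an OPT pseudo-RR carrying DO=1."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)  # 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # qtype, class IN
    # OPT RR: root owner name, type 41, UDP payload size 4096, "TTL" = ext-rcode|version|flags
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, DO_BIT, 0)
    return header + question + opt


def parse_header(packet: bytes) -> dict:
    """Decode the 12-byte header into the fields a validating client cares about."""
    if len(packet) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "is_response": bool(flags & FLAG_QR),
        "rcode": flags & 0x000F,
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "answers": an,
    }


def validation_status(query: bytes, response: bytes) -> str:
    """'secure' only when the reply is ours, NOERROR, and AD is set.
    A validating resolver answers SERVFAIL for bogus data, so that case is
    distinguished from a plain unsigned zone ('insecure')."""
    h = parse_header(response)
    if not h["is_response"] or h["id"] != struct.unpack("!H", query[:2])[0]:
        return "mismatch"   # not a reply to our query; a spoofed packet looks like this
    if h["rcode"] == 2:
        return "servfail"
    if h["rcode"] != 0:
        return f"rcode{h['rcode']}"
    return "secure" if h["ad"] else "insecure"


def send_query(name: str, server: str = "127.0.0.1", timeout: float = 2.0) -> str:
    """Optional live check; assumes a validating resolver listening on server:53."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        return validation_status(q, s.recv(4096))


# Constructed sample replies (header only; the classification needs nothing else).
QUERY = build_query("example.com")
VALIDATED_REPLY = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 1)
UNVALIDATED_REPLY = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 1)
BOGUS_REPLY = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | 2, 1, 0, 0, 1)

if __name__ == "__main__":
    for label, reply in (("validated", VALIDATED_REPLY), ("unvalidated", UNVALIDATED_REPLY), ("bogus", BOGUS_REPLY)):
        print(label, "->", validation_status(QUERY, reply))
```

The honest limitation shows in {{ic|validation_status}}: "insecure" and "secure" are the resolver's word, not something the client checked. That is the trade-off against libval-shim, which validates inside the process and therefore needs no trusted hop.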
 
  
 
=== [[OpenSSH]] (fixes the one weak point in the SSH design: trusting an unknown host key on first connection) ===

* dnssec-tools + patch: https://www.dnssec-tools.org/wiki/index.php/Ssh
** http://www.dnssec-tools.org/readme/README.ssh
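The record that makes DNSSEC useful for OpenSSH is SSHFP: a hash of the host's public key blob, published in the zone, that the client compares with what the server presents. The following added example (not code from this page, from the sshfp package or from OpenSSH) serves both the sshfp package entry above and this section: it turns a known_hosts or ssh-keyscan line into SSHFP records and checks a key against a fetched record. The key is a constructed dummy (32 bytes of 0x42 in place of a real Ed25519 point) and the host name is made up.

```python
"""Build and check SSHFP records (RFC 4255, RFC 6594, RFC 7479) from an OpenSSH
public key line, as the sshfp tool does for known_hosts or ssh-keyscan output.

Added example, not the sshfp package's or OpenSSH's own code. DUMMY_LINE is a
constructed key, not a real host key.
"""
import base64
import hashlib
import struct

# SSHFP algorithm numbers
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (legacy), 2 = SHA-256
SSHFP_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 32-bit big-endian length followed by the bytes."""
    return struct.pack("!I", len(data)) + data


def parse_pubkey_line(line: str):
    """Accept both 'host keytype blob [comment]' (known_hosts, ssh-keyscan) and
    'keytype blob [comment]' (a plain .pub file); return (keytype, raw blob)."""
    fields = line.split()
    for i, f in enumerate(fields):
        if f in SSHFP_ALGORITHMS:
            return f, base64.b64decode(fields[i + 1])
    raise ValueError("no supported key type in line")


def sshfp_records(hostname: str, pubkey_line: str, fptypes=(1, 2)):
    """Zone-file lines '<host>. IN SSHFP <alg> <fptype> <hex>'. The digest is
    taken over the whole wire-encoded key blob, the same bytes ssh-keygen -l hashes."""
    keytype, blob = parse_pubkey_line(pubkey_line)
    alg = SSHFP_ALGORITHMS[keytype]
    owner = hostname.rstrip(".") + "."
    return [
        f"{owner} IN SSHFP {alg} {fptype} {SSHFP_DIGESTS[fptype](blob).hexdigest()}"
        for fptype in fptypes
    ]


def fingerprint_matches(pubkey_line: str, sshfp_rdata: str) -> bool:
    """Compare a presented key with one SSHFP RDATA string 'alg fptype hex'.
    Only do this with a DNSSEC-validated answer: an unvalidated SSHFP record
    is no better than trusting whatever key shows up on first connection."""
    alg, fptype, digest = sshfp_rdata.split()
    keytype, blob = parse_pubkey_line(pubkey_line)
    if SSHFP_ALGORITHMS[keytype] != int(alg):
        return False
    return SSHFP_DIGESTS[int(fptype)](blob).hexdigest() == digest.lower()


# Constructed dummy Ed25519 key: blob = string("ssh-ed25519") || string(32-byte key)
DUMMY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(b"\x42" * 32)
DUMMY_LINE = "example.org ssh-ed25519 " + base64.b64encode(DUMMY_BLOB).decode()

if __name__ == "__main__":
    for rr in sshfp_records("example.org", DUMMY_LINE):
        print(rr)
```

Publish the type 2 (SHA-256) record in a signed zone and set {{ic|1=VerifyHostKeyDNS=yes}} on the client; OpenSSH will then accept a matching, validated fingerprint without the usual prompt and fall back to asking when the answer is not validated.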
 
  
=== [[Firefox]] (secure browsing - enhancement of HTTPS) ===

* DNSSEC Validator plugin https://addons.mozilla.org/en-US/firefox/addon/64247/
* DNSSEC Drill plugin http://nlnetlabs.nl/projects/drill/drill_extension.html
* dnssec-tools + firefox patch: https://www.dnssec-tools.org/wiki/index.php/Firefox

=== [[Chromium]]/<s>Google Chrome</s> (secure browsing - enhancement of HTTPS) ===

* Vote for [http://code.google.com/p/chromium/issues/detail?id=50874 #50874]
** Patches not yet...
** DNSSEC Drill extension (EXPERIMENTAL!)
*** you need the ldns package and the root trust anchor ({{Pkg|dnssec-anchors}}, formerly packaged as dnssec-root-zone-trust-anchors) for this plugin
  
 
=== BIND (serving signed DNS zones) ===

* See [[BIND]] for more information on BIND
* http://www.dnssec.net/practical-documents
  
 
=== [[Postfix]] (fight spam and fraud) ===

* dnssec-tools + patch

=== jabberd (fight spam and fraud) ===

* dnssec-tools + patch

=== [[Thunderbird]] (secure logins) ===

* dnssec-tools + patch

=== lftp (secure downloads and logins) ===

* dnssec-tools + patch

=== [[wget]] (secure downloads) ===

* dnssec-tools + patch

=== [[proftpd]] ===

* dnssec-tools + patch

=== [[Sendmail]] (fight spam and fraud) ===

* dnssec-tools + patch

=== LibSPF ===

* dnssec-tools + patch

=== ncftp (secure downloads and logins) ===

* dnssec-tools + patch

=== libpurple ([[pidgin]] + finch -> secure messaging) ===

* no patches yet
* Vote for [http://developer.pidgin.im/ticket/12413 #12413]
  
 
== DNSSEC Hardware ==

You can check whether your router, modem, AP, etc. supports DNSSEC (a number of separate features are tested) with [http://www.dnssec-tester.cz/ dnssec-tester], a Python and GTK+ based application. The tool can also upload the gathered data to a server, so that other users and manufacturers learn which devices are compatible and vendors can fix their firmware. Before running dnssec-tester make sure that {{ic|/etc/resolv.conf}} lists no nameserver other than the device under test; otherwise the results describe some other resolver, not your hardware. The results of tests already performed are published on the [http://www.dnssec-tester.cz/ dnssec-tester] website.
  
 
== See Also ==

* [[AppArmor]]
* [[Wikipedia:Domain Name System Security Extensions]]
* http://www.dnssec.net/
** http://www.dnssec.net/practical-documents
** http://www.dnssec.net/rfc
* https://www.iana.org/dnssec/
* https://www.dnssec-tools.org/
* http://linux.die.net/man/1/sshfp
* https://bugs.archlinux.org/task/20325 - [DNSSEC] Add DNS validation support to ArchLinux
* [http://dnsviz.net DNSSEC Visualizer]

Latest revision as of 11:00, 24 April 2016

