Difference between revisions of "DNSSEC"

From ArchWiki
(DNSSEC Packages)
Line 30: Line 30:
 
***** '''drill -TD badsign-a.test.dnssec-tools.org'''
 
***** '''drill -TD badsign-a.test.dnssec-tools.org'''
 
**** to use root-zone trust anchor add option '''-k /usr/share/dnssec-trust-anchors/root-anchor.key'''
 
**** to use root-zone trust anchor add option '''-k /usr/share/dnssec-trust-anchors/root-anchor.key'''
* '''dnssec-tools''' https://aur.archlinux.org/packages.php?ID=39294 ''(package is very experimental and volatile right now)''
+
* {{aur|dnssec-tools}} ''(package is very experimental and volatile right now)''
 
** https://www.dnssec-tools.org/
 
** https://www.dnssec-tools.org/
 
** another good library '''libval''' which can add DNSSEC support to lots of programs
 
** another good library '''libval''' which can add DNSSEC support to lots of programs
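Review bot: The retained remark ''(package is very experimental and volatile right now)'' on the new {{aur|dnssec-tools}} line is time-relative and undated, so readers cannot tell whether it still holds. Since this edit already touches the line, either drop the remark or say when it was last checked.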
Line 40: Line 40:
 
* '''dnsval''' https://aur.archlinux.org/packages.php?ID=55830
 
* '''dnsval''' https://aur.archlinux.org/packages.php?ID=55830
 
** C libraries that implement DNSSEC aware DNS resolution APIs from the DNSSEC-tools project. Provides libval, libres, and the aforementioned libval-shim.
 
** C libraries that implement DNSSEC aware DNS resolution APIs from the DNSSEC-tools project. Provides libval, libres, and the aforementioned libval-shim.
* '''openssh-dnssec''' https://aur.archlinux.org/packages.php?ID=39296
+
* {{aur|openssh-dnssec}}
 
** see lower on this page
 
** see lower on this page
* '''sshfp''' https://aur.archlinux.org/packages.php?ID=29185
+
* {{aur|sshfp}}
 
** Generates DNS SSHFP-type records from SSH public keys from public keys from a known_hosts file or from scanning the host's sshd daemon.
 
** Generates DNS SSHFP-type records from SSH public keys from public keys from a known_hosts file or from scanning the host's sshd daemon.
 
** not directly related to DNSSEC, but i guess this will become very popular because of DNSSEC
 
** not directly related to DNSSEC, but i guess this will become very popular because of DNSSEC
* '''opendnssec''' https://aur.archlinux.org/packages.php?ID=55926
+
* {{aur|opendnssec}}
 
** Signs DNS zones to be later published by a DNS server (bind, nsd, etc.)
 
** Signs DNS zones to be later published by a DNS server (bind, nsd, etc.)
 
** Automates refreshing signatures, key rollovers
 
** Automates refreshing signatures, key rollovers
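Review bot: The '''dnsval''' entry at the top of this hunk still uses the raw https://aur.archlinux.org/packages.php?ID=55830 link, while openssh-dnssec, sshfp and opendnssec were converted to the {{aur|...}} template. Convert it in the same edit so the list is consistent. The unchanged sshfp description also repeats "from public keys from public keys", which could be cleaned up while the entry is being touched.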

Revision as of 08:35, 13 October 2012



Facts

DNSSEC Packages

How to enable DNSSEC in specific software

For full DNSSEC support, every single application needs to use DNSSEC validation. This can be done in several ways:


OpenSSH (fixes the only weak point in SSH design)

Firefox (secure browsing - enhancement of HTTPS)

Chromium/Google Chrome (secure browsing - enhancement of HTTPS)

  • Vote for #50874
    • Patches not yet...
    • DNSSEC Drill extension (EXPERIMENTAL!)
      • you need ldns and dnssec-root-zone-trust-anchors packages for this plugin

BIND (serving signed DNS zones)

Postfix (fight spam and fraud)

  • dnssec-tools + patch

jabberd (fight spam and fraud)

  • dnssec-tools + patch

Thunderbird (secure logins)

  • dnssec-tools + patch

lftp (secure downloads and logins)

  • dnssec-tools + patch

wget (secure downloads)

  • dnssec-tools + patch

proftpd

  • dnssec-tools + patch

Sendmail (fight spam and fraud)

  • dnssec-tools + patch

LibSPF

  • dnssec-tools + patch

ncftp (secure downloads and logins)

  • dnssec-tools + patch

libpurple (pidgin + finch -> secure messaging)

  • no patches yet
  • Vote for #12413


DNSSEC Hardware

You can check whether your router, modem, AP, etc. supports DNSSEC (many different features) using dnssec-tester, a Python and GTK+ based application. The tool can also upload the gathered data to a server, so that other users and manufacturers can be informed about the compatibility of their devices and eventually fix the firmware (they will probably be urged to do so). Before running dnssec-tester, make sure that you do not have any other nameservers in /etc/resolv.conf. You can also find the results of performed tests on the dnssec-tester website.

See Also