DNSSEC Applications

From DNSSEC-Tools

This is a brief introduction to the set of applications that have been patched to issue DNSSEC-validating queries through the DNSSEC-Tools package.


First Things First

Here's how to set up your system to use the DNSSEC-aware applications.

This section must be filled in by someone who knows.

DNSSEC-Aware Applications

The DNSSEC-Tools project has created a number of application patches so that the applications issue their DNS queries through the DNSSEC-Tools validating library (libval). This lets an application decide for itself whether to trust a DNS response, instead of relying on whatever resolver it happens to be pointed at, and report DNSSEC validation errors directly to its user. The three examples below show what a Firefox user sees when visiting a URL whose lookup fails DNSSEC validation (i.e. a lookup that returns a bogus IP address).

Unpatched Firefox using a non-DNSSEC recursive server

If an unpatched browser is handed a bogus (e.g. spoofed) IP address, it may end up at the wrong site without noticing; nothing in the chain checks the answer.

Unpatched Firefox using a DNSSEC supporting recursive server

If an unpatched browser asks a validating recursive server for a name whose data is bogus (e.g. spoofed), it will not reach the bogus web site, because the validating resolver refuses to hand back data that fails validation. The browser is simply told that there is no such host, with no indication of why:

Server not found
Firefox can't find the server at
badsign-a.test.dnssec-tools.org
...

Patched Firefox using DNSSEC-Tool's validator library

If an application performs DNSSEC validation itself, it can state the actual reason a site could not be visited:

DNSSEC Validation Error
badsign-a.test.dnssec-tools.org failed its DNSSEC security check
....

The main advantage of these patches is that users learn why an attempted network connection failed, rather than seeing a generic lookup error.

Using the Patches

With the exception of Firefox, to use these patches a user has to install DNSSEC-Tools, download the application's source code, apply the patch contained in the DNSSEC-Tools package, compile, and then install the patched version of the application. The DNSSEC-Tools download site has pre-compiled Fedora RPMs of the patched Firefox available.

Note:

The lists of domains that require DNSSEC validation and of domains that do not are configurable in libval's configuration file, dnsval.conf (normally /usr/local/etc/dnssec-tools/dnsval.conf). This file lets an administrator specify which domains require validation and which trust anchors to use for them. A patched application will only insist on validation for the domains that the policies in dnsval.conf mark as requiring it; for any other domain it behaves like an unpatched one.

Configuring DNSSEC Validation Policy

When using these patches, the configuration of DNSSEC-Tools' libval (in dnsval.conf) determines which sites require DNSSEC validation, which sites do not, and the set of trust anchors available for use.
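As an added illustration of what such a policy does (this is example code, not libval or any part of DNSSEC-Tools), the script below parses a constructed dnsval.conf-style zone-security-expectation block and decides, for a given name, whether the application must insist on a validated answer. The ": label ... ;" block layout and the keyword follow the dnsval.conf format as I recall it; the zone names, the "#" comment syntax, the rule that the most specific zone entry wins, and the two-value policy set are assumptions of the example, so check the dnsval.conf man page shipped with your DNSSEC-Tools release before copying any of it into a real file.

```python
# Added example, not DNSSEC-Tools code: a model of how a per-zone policy of the
# kind dnsval.conf's zone-security-expectation block expresses decides, for one
# name, whether the application must insist on DNSSEC validation.
import re

# Constructed dnsval.conf-style fragment. The ": label ... ;" block layout and the
# zone-security-expectation keyword follow the dnsval.conf format as I recall it;
# the zone names are made up and "#" comments are an assumption of this model.
SAMPLE_CONF = """
# everything validates unless a more specific entry says otherwise
: zone-security-expectation
    .                       validate
    test.dnssec-tools.org   validate
    corp.example            ignore
    lab.corp.example        validate
;
"""

POLICIES = ("validate", "ignore")   # dnsval.conf knows more values; the model uses two


def parse_zone_expectations(text):
    """Return [(zone, policy), ...] from the zone-security-expectation block."""
    block = re.search(r":\s*zone-security-expectation\s*(.*?);", text, re.S)
    if block is None:
        return []
    entries = []
    for line in block.group(1).splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 2 or parts[1] not in POLICIES:
            raise ValueError("cannot parse zone-security-expectation line: %r" % line)
        zone = parts[0].lower().rstrip(".") or "."
        entries.append((zone, parts[1]))
    return entries


def _labels(name):
    """'A.B.c.' -> ['a', 'b', 'c']; the root '.' -> []"""
    name = name.lower().rstrip(".")
    return name.split(".") if name else []


def policy_for(name, entries):
    """Pick the most specific matching zone (longest label suffix wins).
    That libval resolves overlapping entries this way is an assumption."""
    qlabels = _labels(name)
    best_policy, best_len = None, -1
    for zone, policy in entries:
        zl = _labels(zone)
        if len(zl) > len(qlabels):
            continue
        if qlabels[len(qlabels) - len(zl):] == zl and len(zl) > best_len:
            best_policy, best_len = policy, len(zl)
    return best_policy


def answer_usable(name, entries, validated):
    """What a patched application does with an answer: under 'validate' the
    answer is used only if libval reported it trusted, under 'ignore' it is
    used regardless, and a name matching no entry is refused (assumption)."""
    policy = policy_for(name, entries)
    if policy == "ignore":
        return True
    if policy == "validate":
        return validated
    return False


if __name__ == "__main__":
    entries = parse_zone_expectations(SAMPLE_CONF)
    for host in ("badsign-a.test.dnssec-tools.org", "www.corp.example",
                 "host.lab.corp.example"):
        print("%-35s policy=%-8s usable-if-unvalidated=%s"
              % (host, policy_for(host, entries), answer_usable(host, entries, False)))
```

Note the root entry: with "." set to validate, every name not under an "ignore" zone is held to DNSSEC, which is the conservative default; leaving the root out would make unlisted names fall through to the refusal branch in this model.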


DNSSEC Applications

Firefox

A patched Firefox RPM is available as well as the patch itself. A patched Firefox will notify the user of DNSSEC validation failures.


Sendmail

With the DNSSEC-Tools sendmail patch applied, sendmail performs DNSSEC-validating DNS queries when determining where to deliver mail. Mail addressed to sites that do not pass DNSSEC validation bounces back to the sender.

Once the patch is applied to a local sendmail installation, the only other configuration needed (besides libval's dnsval.conf) is to add the 'RequireDNSSEC' option to ResolverOptions in sendmail's configuration.


Postfix

Similar to the sendmail patch, once patched, postfix performs DNSSEC-validating DNS queries when determining where to deliver mail. Mail addressed to sites that do not pass DNSSEC validation bounces back to the sender.

The postfix patch currently has no switch to turn DNSSEC validation on or off: once patched, postfix always runs the DNSSEC checks, subject to the policy in libval's dnsval.conf.

Bounced mail will look similar to the following:

<receivinguser@baddomain.net>: Validation error during Name Service lookup. Error 167 :
    VAL_UNTRUSTED_ANSWER  for name=baddomain.net type=MX

Reporting-MTA: dns; smtp.unknown.com
X-Postfix-Queue-ID: B3A0648DB2
X-Postfix-Sender: rfc822; sendinguser@unknown.com
Arrival-Date: Tue, 27 Mar 2007 12:34:06 -0700 (PDT)

Final-Recipient: rfc822; receivinguser@baddomain.net
Original-Recipient: rfc822;receivinguser@baddomain.net
Action: failed
Status: 5.4.3
Diagnostic-Code: X-Postfix; Validation error during Name Service lookup. Error
    167 : VAL_UNTRUSTED_ANSWER  for name=baddomain.net type=MX

LibSPF

This patch adds DNSSEC validation to the DNS queries made by libspf2. There are patches for libspf2 versions 1.0.4 and 1.2.5. Recompiling with this patch lets applications that use libspf2 check DNSSEC validation as well.

Thunderbird

This patch adds DNSSEC validation to the Thunderbird mail client. It requires fetching, patching and building the Thunderbird source code. It has been tested with version 1.5.0.10 and should be considered beta.

OpenSSH

Using the OpenSSH implementation requires either downloading pre-built binaries or downloading, patching and compiling the OpenSSH source code. It has been tested with OpenSSH versions 4.5p1 and 4.7p1. The patched code performs DNSSEC validation for all DNS lookups, including the initial host-to-IP-address lookup and the SSHFP key fingerprint queries. (SSHFP records for a host can be generated on that host with ssh-keygen -r 'hostname'; paste the output into the host's zone file.) How the patched OpenSSH treats DNS data that fails validation is controlled by the existing 'VerifyHostKeyDNS' option, which takes one of three values, no, yes or ask (default: ask):

VerifyHostKeyDNS Configuration

When set to 'no'

When the DNS lookup cannot be DNSSEC-validated, the connection succeeds with a warning:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNTRUSTED DNS RESOLUTION FOR HOST IP ADDRESS! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The authenticity of DNS data for the host 'badhost.unknown.com' can't be established.
Last login: Tue Mar 18 16:38:45 2008 from goodhost.unknown.com
badhost>

When set to 'yes'

When the DNS lookup cannot be DNSSEC-validated, the connection fails with a warning:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNTRUSTED DNS RESOLUTION FOR HOST IP ADDRESS! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The authenticity of DNS data for the host 'badhost.unknown.com' can't be established.
DNS resolution is not trusted (VAL_BOGUS_UNPROVABLE) and you have requested strict checking
goodhost>

When set to 'ask'

When the DNS lookup cannot be DNSSEC-validated, the user is asked whether to abort or continue:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNTRUSTED DNS RESOLUTION FOR HOST IP ADDRESS! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The authenticity of DNS data for the host 'badhost.unknown.com' can't be established.
 IP address 10.0.0.1 port 22
 IP address 2001::1 port 22
Are you sure you want to attempt to connect (yes/no)?
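To make concrete what the SSHFP side of this check involves, here is an added example (my own code, not OpenSSH's or DNSSEC-Tools') that produces the SSHFP data ssh-keygen -r would publish for a host key and then checks a presented host key against an SSHFP record set, treating the DNSSEC status of the lookup as part of the verdict, which is exactly the case the three VerifyHostKeyDNS settings above differ on. The host key (an ssh-ed25519 blob whose key bytes are just 0..31) and the host name badhost.unknown.com are constructed for the example; the code points come from RFC 4255 and RFC 6594.

```python
# Added example, not OpenSSH or DNSSEC-Tools code: the SSHFP data that
# ssh-keygen -r publishes for a host key, and the host-key check the patched
# OpenSSH has to make against it, with the DNSSEC status of the SSHFP lookup as
# part of the decision. The host key and host name are constructed.
import base64
import hashlib
import struct

# Code points from RFC 4255 (algorithms 1-2, fptype 1) and RFC 6594 (3-4, fptype 2).
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ssh-ed25519": 4}
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def _ssh_string(b):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


# Constructed host key: a syntactically valid ssh-ed25519 public key whose
# 32 key bytes are simply 0..31. It signs nothing; it only has to hash.
FAKE_ED25519_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
FAKE_HOST_KEY_LINE = ("ssh-ed25519 " + base64.b64encode(FAKE_ED25519_BLOB).decode()
                      + " root@badhost.unknown.com")


def key_blob(key_line):
    """Decode one line of an OpenSSH public key file into (type, wire blob).
    The fingerprint is taken over the blob, never over the base64 text."""
    fields = key_line.split()
    blob = base64.b64decode(fields[1])
    (n,) = struct.unpack(">I", blob[:4])
    ktype = blob[4:4 + n].decode()
    if ktype != fields[0]:
        raise ValueError("key type %s does not match blob type %s" % (fields[0], ktype))
    return ktype, blob


def sshfp_records(key_line):
    """(algorithm, fptype, hex fingerprint) for each fingerprint type, i.e. the
    RDATA ssh-keygen -r prints for this key."""
    ktype, blob = key_blob(key_line)
    alg = SSHFP_ALGORITHM[ktype]
    return [(alg, fpt, h(blob).hexdigest()) for fpt, h in sorted(SSHFP_FPTYPE.items())]


def zone_file_lines(hostname, key_line):
    """Zone file lines in the shape ssh-keygen -r emits, ready to paste into the zone."""
    return ["%s IN SSHFP %d %d %s" % (hostname, alg, fpt, fp.upper())
            for alg, fpt, fp in sshfp_records(key_line)]


def verify_host_key(key_line, records, dns_trusted):
    """Outcome of the SSHFP check for a presented host key.
    'untrusted': the SSHFP answer did not DNSSEC-validate, so a match proves
                 nothing (whoever spoofed the answer can publish a matching
                 record); this is the case VerifyHostKeyDNS no/yes/ask decides.
    'verified':  a validated record matches the key.
    'mismatch':  the records validated but none matches the presented key."""
    if not dns_trusted:
        return "untrusted"
    mine = set(sshfp_records(key_line))
    for alg, fpt, fp in records:
        if (alg, fpt, fp.lower()) in mine:
            return "verified"
    return "mismatch"


if __name__ == "__main__":
    for line in zone_file_lines("badhost.unknown.com", FAKE_HOST_KEY_LINE):
        print(line)
    recs = sshfp_records(FAKE_HOST_KEY_LINE)
    print(verify_host_key(FAKE_HOST_KEY_LINE, recs, dns_trusted=True))   # verified
    print(verify_host_key(FAKE_HOST_KEY_LINE, recs, dns_trusted=False))  # untrusted
```

The point of the `dns_trusted` argument is the one the warning banners above make: an SSHFP record that arrived without DNSSEC validation is only as trustworthy as the unauthenticated DNS answer it came in, so a fingerprint match under those conditions must not be allowed to silence the usual host key prompt.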


lftp

The lftp maintainer integrated our patch to provide local DNSSEC validation in lftp Version 4.0.4.

ncftp

The ncftp maintainer incorporated our patch for local DNSSEC validation in release 3.2.4d.

proftpd

This patch adds DNSSEC validation via libval to proftpd. It has been tested against proftpd versions 1.3.0a and 1.3.1rc2. Using it requires patching and building a local version of proftpd.

jabberd

This patch adds DNSSEC validation via libval to jabberd.

Software Summary

End Users (DNSSEC Native Applications)

Application             Documentation                                      Patch
Firefox and Bloodhound  README; Firefox-extension.png; Firefox-denied.png  Patch to add DNSSEC support to Firefox
Sendmail                HowTo                                              Patch to add DNSSEC support to Sendmail
Postfix                 2.3.x HowTo; 2.2.x HowTo; Example                  Patch to add DNSSEC support to Postfix
LibSPF                  HowTo                                              Patch to add DNSSEC support to Libspf2
Thunderbird             README                                             Patch to add DNSSEC support to Thunderbird
ssh                     README                                             Patch to add DNSSEC support to ssh
lftp                    HowTo                                              Patch to add DNSSEC support to lftp
wget                    HowTo                                              Patch to add DNSSEC support to wget
ncftp                   HowTo                                              Patch to add DNSSEC support to ncftp
proftpd                 HowTo                                              Patch to add DNSSEC support to proftpd
jabberd                 -                                                  Patch to add DNSSEC support to jabberd