| 1 |
On Sun, Jan 6, 2013 at 7:31 PM, Robin H. Johnson <robbat2@g.o> wrote: |
| 2 |
> Just a heads up, |
| 3 |
> |
| 4 |
> DNSSEC is now live on *.dev.gentoo.org hosts. |
| 5 |
|
| 6 |
So for those that had to look up some or all of what Robin mentioned, |
| 7 |
I'll summarize below. |
| 8 |
|
| 9 |
> |
| 10 |
> There is a DLV anchor registered at dlv.isc.org, so all public DNSSEC |
| 11 |
> lookups within the domain should work fine. |
| 12 |
|
| 13 |
DLV allows you to break out of the traditional each parent needs to be |
| 14 |
signed and has an aside database that can confirm a specific node. |
| 15 |
Very useful when the TLD didn't support signing or if a DNS provider |
| 16 |
you use doesn't support DNSSEC. Stands for DNSSEC Lookaside |
| 17 |
Validation. |
| 18 |
|
| 19 |
> |
| 20 |
> Here's visualisation on my two test cases: |
| 21 |
> http://dnsviz.net/d/dev.gentoo.org/dnssec/ |
| 22 |
> http://dnsviz.net/d/mv78100.arm.dev.gentoo.org/dnssec/ |
| 23 |
> |
| 24 |
> If there are no problems reported in a week or two, I'm going to enable |
| 25 |
> this for the rest of our DNS zones, as well as registering the DS |
| 26 |
> records with the TLD. |
| 27 |
|
| 28 |
Basically getting rid of the need for the DLV and having the whole |
| 29 |
chain signed from the root down to each domain. |
| 30 |
|
| 31 |
|
| 32 |
> Thereafter, I'd also like to deploy DANE and SSH |
| 33 |
> fingerprints in DNS, and remove our reliance any elements of the CA |
| 34 |
> chain. |
| 35 |
|
| 36 |
SSH supports a specific record called SSHFP which stores the hosts key |
| 37 |
for validation. To against it when it enabled you should be able to do |
| 38 |
something like: |
| 39 |
|
| 40 |
$ ssh dev.gentoo.org -o VerifyHostKeyDNS=yes |
| 41 |
|
| 42 |
DANE is DNS-based Authentication of Named Entities. Looks like its a |
| 43 |
working group to add more public keys into DNS and get applications or |
| 44 |
protocols to support it. |
| 45 |
|
| 46 |
> |
| 47 |
> I haven't implemented NSEC3 by way of a conscious choice. I don't see |
| 48 |
> the need for any private information in our DNS records - simply |
| 49 |
> obscuring them isn't really security. |
| 50 |
|
| 51 |
NSEC3 is related to exposing the entities in your whole DNS record. |
| 52 |
With DNSSEC you end up getting the whole zone to verify that its |
| 53 |
signed. This has the side effect if you had www.mycompany.com but you |
| 54 |
also had secret.mycompany.com, with DNSSEC your hostname secret would |
| 55 |
be reveled as existing. NSEC3 attempts to mitigate this. |
| 56 |
|
| 57 |
For more info on everything see: |
| 58 |
http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions |
| 59 |
> |
| 60 |
> -- |
| 61 |
> Robin Hugh Johnson |
| 62 |
> Gentoo Linux: Developer, Trustee & Infrastructure Lead |
| 63 |
> E-Mail : robbat2@g.o |
| 64 |
> GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |
| 65 |
> |
| 66 |
|
| 67 |
Excellent job getting us DNSSEC support btw! |
| 68 |
|
| 69 |
-- |
| 70 |
Doug Goldstein |
Archives