On Sun, Jan 6, 2013 at 7:31 PM, Robin H. Johnson <robbat2@g.o> wrote:
> Just a heads up,
>
> DNSSEC is now live on *.dev.gentoo.org hosts.

So for those that had to look up some or all of what Robin mentioned,
I'll summarize below.

>
> There is a DLV anchor registered at dlv.isc.org, so all public DNSSEC
> lookups within the domain should work fine.

DLV allows you to break out of the traditional model where each parent
needs to be signed; it has a side database that can confirm a specific
node. Very useful when the TLD doesn't support signing or if a DNS
provider you use doesn't support DNSSEC. It stands for DNSSEC Lookaside
Validation.

>
> Here's a visualisation of my two test cases:
> http://dnsviz.net/d/dev.gentoo.org/dnssec/
> http://dnsviz.net/d/mv78100.arm.dev.gentoo.org/dnssec/
>
> If there are no problems reported in a week or two, I'm going to enable
> this for the rest of our DNS zones, as well as registering the DS
> records with the TLD.

Basically, this gets rid of the need for the DLV and has the whole
chain signed from the root down to each domain.

> Thereafter, I'd also like to deploy DANE and SSH
> fingerprints in DNS, and remove our reliance on any elements of the CA
> chain.

SSH supports a specific record called SSHFP which stores the host's key
for validation. To verify against it once it's enabled, you should be
able to do something like:

$ ssh dev.gentoo.org -o VerifyHostKeyDNS=yes

DANE is DNS-based Authentication of Named Entities. Looks like it's a
working group to add more public keys into DNS and get applications or
protocols to support it.

>
> I haven't implemented NSEC3 by way of a conscious choice. I don't see
> the need for any private information in our DNS records - simply
> obscuring them isn't really security.

NSEC3 is related to exposing the entities in your whole DNS record.
With DNSSEC you end up getting the whole zone to verify that it's
signed. This has the side effect that if you had www.mycompany.com but
you also had secret.mycompany.com, with DNSSEC your hostname secret
would be revealed as existing. NSEC3 attempts to mitigate this.

For more info on everything see:
http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions
>
> --
> Robin Hugh Johnson
> Gentoo Linux: Developer, Trustee & Infrastructure Lead
> E-Mail : robbat2@g.o
> GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
>

Excellent job getting us DNSSEC support btw!

--
Doug Goldstein
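The SSHFP records behind the `VerifyHostKeyDNS` command above, as an added example that is not part of the thread and not code from OpenSSH: it builds the records `ssh-keygen -r hostname` would print for a host key (the fingerprint is a hash of the whole public key blob) and then checks a presented key against them the way the client does once the resolver has DNSSEC-validated the answer. The host keys are constructed (32 arbitrary bytes standing in for Ed25519 public keys) and the owner name `dev.gentoo.org.` is used only as a record label; neither is a real Gentoo key or record.

```python
"""SSHFP records (RFC 4255, with SHA-256 from RFC 6594 and Ed25519 from
RFC 7479) for an OpenSSH host key: generation and client-side matching.
Added example; not code from the thread or from OpenSSH."""
import base64
import hashlib
import struct

# Algorithm numbers and fingerprint types used in the SSHFP RDATA.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def pubkey_line(key_type, raw_key, comment="root@host"):
    """Build an OpenSSH public key line 'type base64(blob) comment', where the
    blob is string(type) || string(raw_key), as in known_hosts."""
    blob = ssh_string(key_type.encode()) + ssh_string(raw_key)
    return "%s %s %s" % (key_type, base64.b64encode(blob).decode(), comment)


# Constructed keys: 32 arbitrary bytes standing in for Ed25519 public keys.
# They are not real keys and are not from any Gentoo host.
HOST_KEY_LINE = pubkey_line("ssh-ed25519", bytes(range(32)))
OTHER_KEY_LINE = pubkey_line("ssh-ed25519", bytes(32))


def parse_pubkey_line(line):
    """Return (key_type, blob); reject lines whose text type and blob type differ."""
    fields = line.split()
    key_type, blob = fields[0], base64.b64decode(fields[1])
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type in blob does not match the text field")
    return key_type, blob


def sshfp_records(hostname, line, fp_types=(1, 2)):
    """The records `ssh-keygen -r hostname` prints: the fingerprint is the hash
    of the whole public key blob, one record per fingerprint type."""
    key_type, blob = parse_pubkey_line(line)
    alg = SSHFP_ALGORITHMS[key_type]
    return ["%s IN SSHFP %d %d %s" % (hostname, alg, t, FP_TYPES[t](blob).hexdigest())
            for t in fp_types]


def parse_sshfp(record):
    owner, _class, _rtype, alg, fptype, hexfp = record.split()
    return owner, int(alg), int(fptype), hexfp.lower()


def host_key_matches(records, line, accept_types=(1, 2)):
    """Client-side check (what VerifyHostKeyDNS does once the answer has been
    DNSSEC-validated): accept the presented key only if a record with the same
    algorithm and an accepted, known fingerprint type matches its hash.
    Records of unknown fingerprint types are ignored rather than trusted."""
    key_type, blob = parse_pubkey_line(line)
    alg = SSHFP_ALGORITHMS[key_type]
    for _owner, r_alg, r_type, r_fp in map(parse_sshfp, records):
        if r_alg != alg or r_type not in accept_types or r_type not in FP_TYPES:
            continue
        if r_fp == FP_TYPES[r_type](blob).hexdigest():
            return True
    return False


if __name__ == "__main__":
    for rr in sshfp_records("dev.gentoo.org.", HOST_KEY_LINE):
        print(rr)
    print("presented key matches:", host_key_matches(
        sshfp_records("dev.gentoo.org.", HOST_KEY_LINE), HOST_KEY_LINE))
```

Two things worth keeping in mind when relying on this: the records only mean anything when the resolver actually validates them (OpenSSH treats an unvalidated SSHFP answer as informational and still prompts for the key, which is why getting the DS records into the TLD and away from the DLV matters), and the SHA-1 fingerprint type is only there for older clients; publish type 2 (SHA-256) records and restrict `accept_types` to it where you control the client policy.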
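The NSEC versus NSEC3 point in the summary above, as an added example that is neither from the thread nor from any DNS software: a four-name zone is constructed, its NSEC chain is walked the way a zone enumerator does (query a name just past each owner, read the "next owner" field of the denial), and then the same names are hashed as NSEC3 would (RFC 5155 hashing, using the salt and iteration count of that RFC's Appendix A zone) to show what a walker of the hashed chain sees and why a public salt only slows a dictionary attack down. The zone names, salt and wordlist are all constructed; nothing is queried over the network.

```python
"""NSEC zone walking versus NSEC3 hashed owner names (RFC 4034, RFC 5155).
Added example, not from the thread or from any DNS software. The zone,
salt, iteration count and wordlist are constructed; nothing is queried."""
import base64
import hashlib

# Constructed zone. The thread's point is that "secret.example." is listed
# in the NSEC chain like every other name.
ZONE_NAMES = ["example.", "www.example.", "mail.example.", "secret.example."]
APEX = "example."
SALT = bytes.fromhex("aabbccdd")   # NSEC3PARAM values of RFC 5155 Appendix A
ITERATIONS = 12


def labels_of(name):
    return [l for l in name.lower().rstrip(".").split(".") if l]


def canonical_key(name):
    """Sort key for DNS canonical ordering (RFC 4034 s6.1): labels compared
    right to left, case-insensitively, a parent before its children."""
    return tuple(l.encode("ascii") for l in reversed(labels_of(name)))


def build_nsec_chain(names):
    """(owner, next_owner) pairs in canonical order; the last wraps to the
    first, which is how a signer lays out NSEC records."""
    ordered = sorted(set(names), key=canonical_key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]


def nsec_denial(chain, qname):
    """Simulate the authoritative server: the NSEC record whose interval
    covers a non-existent qname (what an NXDOMAIN answer carries)."""
    k = canonical_key(qname)
    for owner, nxt in chain:
        lo, hi = canonical_key(owner), canonical_key(nxt)
        if lo < k and (k < hi or hi <= lo):      # hi <= lo: last record wraps
            return owner, nxt
    raise LookupError("%s exists, so there is no denial record for it" % qname)


def walk_nsec(chain, apex):
    """Enumerate every owner name: ask for a name just after the current one
    (a leading NUL label sorts first among its children) and read the
    'next owner' field of each denial until the chain comes back to the apex."""
    found, cur = [apex], apex
    while True:
        _owner, nxt = nsec_denial(chain, "\x00." + cur)
        if nxt == apex:
            return found
        found.append(nxt)
        cur = nxt


_B32_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                 b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name):
    """Uncompressed, lowercased wire form: length-prefixed labels, NUL root."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels_of(name)) + b"\x00"


def nsec3_hash(name, salt, iterations):
    """RFC 5155 s5: IH(0) = SHA1(wire || salt), IH(k) = SHA1(IH(k-1) || salt);
    the result is base32hex, lowercase (20 bytes -> 32 chars, no padding)."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode().lower()


def build_nsec3_chain(names, salt, iterations):
    """Hashed owners in hash order: all that a walker of the NSEC3 chain sees."""
    hashed = sorted(nsec3_hash(n, salt, iterations) for n in set(names))
    return [(hashed[i], hashed[(i + 1) % len(hashed)]) for i in range(len(hashed))]


def crack_nsec3(chain, wordlist, apex, salt, iterations):
    """Offline dictionary attack. Salt and iteration count are published in
    NSEC3PARAM, so each guess is hashed and compared with the walked owners;
    only names absent from the wordlist stay hidden."""
    targets = {owner for owner, _ in chain}
    candidates = [apex] + ["%s.%s" % (w, apex) for w in wordlist]
    return {c for c in candidates if nsec3_hash(c, salt, iterations) in targets}


if __name__ == "__main__":
    print("NSEC walk recovers:", walk_nsec(build_nsec_chain(ZONE_NAMES), APEX))
    chain3 = build_nsec3_chain(ZONE_NAMES, SALT, ITERATIONS)
    print("NSEC3 owners seen :", [o for o, _ in chain3])
    print("dictionary recovers:", crack_nsec3(chain3, ["www", "mail", "ftp"],
                                              APEX, SALT, ITERATIONS))
```

Run stand-alone it prints the names the NSEC walk recovers (all four, `secret.example.` included), the hashed owners that are all an NSEC3 walk yields, and the names the small wordlist gets back by hashing guesses; because SALT and ITERATIONS match RFC 5155 Appendix A, `nsec3_hash("example.", SALT, ITERATIONS)` can be compared against the hash that appendix lists for `example`. That is the substance of Robin's remark: NSEC3 hides a name only from someone who cannot guess it, so it is obscurity rather than access control.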