DNSSEC Validation for lftp

==========================

This patch adds local DNSSEC validation to lftp, along with an option to

enable it. The is code is only compiled if the configure option

--dnssec-local-validation is specified. The libraries libval and libsres

from DNSSEC-Tools are prequisites. Additional options may be needed

to point configure at the correct directory for these libraries.

When compiled in, the option is still off by default. The new boolean

option 'dns:strict-dnssec' must be enabled by the user.

Once strict DNSSEC checking is enabled, DNSSEC validation is done according

to the configuration in the DNSSEC-tool configuration file dnsval.conf.

Please refer to the DNSSEC-Tools documentation for more information.

	http://www.dnssec-tools.org/

Testing

=======

By default, DNSSEC-Tools' configuration file should be validation

all zones. A few zones are signed, but most are not. You can use

the test zone provided by DNSSEC-Tools for verifying correct operation.

First, configure lftp to require validation.

 $ echo "set dns:strict-dnssec 1" > ~/.lftprc

Next, simpy run lftp with a few domains. Here we use the DNSSEC-Tools domain

as a known-good domain, and a domain in the DNSSEC-Tools test zone as

a domain that will fail DNSSEC validation checks.

  $ lftp www.dnssec-tools.org

  cd ok, cwd=/                                             

  lftp www.dnssec-tools.org:/> 

  $ lftp baddata-a.test.dnssec-tools.org

  lftp: baddata-a.test.dnssec-tools.org: DNS resoloution not trusted.

Viewing  Details

================

To see some debug output from the validation process, you can set the

VAL_LOG_TARGET environment variable. (Higher numbers will result in more

output. 5 is a good start, 7 is more than you really want.)

 $ export VAL_LOG_TARGET="5:stdout"

  $ lftp www.dnssec-tools.org

  20120904::16:44:31 Validation result for {www.dnssec-tools.org, IN(1), A(1)}: VAL_SUCCESS:128 (Validated)

  20120904::16:44:31     name=www.dnssec-tools.org class=IN type=A from-server=192.168.122.1 status=VAL_AC_VERIFIED:31

  20120904::16:44:31     name=dnssec-tools.org class=IN type=DNSKEY[tag=34816] from-server=192.168.122.1 status=VAL_AC_VERIFIED:31

  20120904::16:44:31     name=dnssec-tools.org class=IN type=DS from-server=192.168.122.1 status=VAL_AC_VERIFIED:31

  20120904::16:44:31     name=org class=IN type=DNSKEY[tag=21366] from-server=192.168.122.1 status=VAL_AC_VERIFIED:31

  20120904::16:44:31     name=org class=IN type=DS from-server=192.168.122.1 status=VAL_AC_VERIFIED:31

  20120904::16:44:31     name=. class=IN type=DNSKEY from-server=192.168.122.1 status=VAL_AC_TRUST:12

  20120904::16:44:31 Validation result for {www.dnssec-tools.org, IN(1), AAAA(28)}: VAL_NONEXISTENT_TYPE:133 (Validated)

  20120904::16:44:31     Proof of non-existence [1 of 1]

  20120904::16:44:31       name=www.dnssec-tools.org class=IN type=NSEC from-server=192.168.122.1 status=VAL_AC_VERIFIED:31

  20120904::16:44:31       name=dnssec-tools.org class=IN type=DNSKEY[tag=34816] from-server=192.168.122.1 status=VAL_AC_VERIFIED:31

  20120904::16:44:31       name=dnssec-tools.org class=IN type=DS from-server=192.168.122.1 status=VAL_AC_VERIFIED:31

  20120904::16:44:31       name=org class=IN type=DNSKEY[tag=21366] from-server=192.168.122.1 status=VAL_AC_VERIFIED:31

  20120904::16:44:31       name=org class=IN type=DS from-server=192.168.122.1 status=VAL_AC_VERIFIED:31

  20120904::16:44:31       name=. class=IN type=DNSKEY from-server=192.168.122.1 status=VAL_AC_TRUST:12

  cd ok, cwd=/                                             

  lftp www.dnssec-tools.org:/> 

  $ lftp baddata-a.test.dnssec-tools.org

  20120904::13:29:20 Validation result for {baddata-a.test.dnssec-tools.org, IN(1), A(1)}: VAL_BOGUS:1 (Untrusted)

  20120904::13:29:20     name=baddata-a.test.dnssec-tools.org class=IN type=A from-server=168.150.236.43 status=VAL_AC_NOT_VERIFIED:18

  20120904::13:29:20     name=test.dnssec-tools.org class=IN type=DNSKEY[tag=28827] from-server=168.150.236.43 status=VAL_AC_VERIFIED:31

  20120904::13:29:20     name=test.dnssec-tools.org class=IN type=DS from-server=168.150.236.43 status=VAL_AC_VERIFIED:31

  20120904::13:29:20     name=dnssec-tools.org class=IN type=DNSKEY[tag=34816] from-server=168.150.236.43 status=VAL_AC_VERIFIED:31

  20120904::13:29:20     name=dnssec-tools.org class=IN type=DS from-server=199.249.120.1 status=VAL_AC_VERIFIED:31

  20120904::13:29:20     name=org class=IN type=DNSKEY[tag=21366] from-server=199.249.120.1 status=VAL_AC_VERIFIED:31

  20120904::13:29:20     name=org class=IN type=DS from-server=198.41.0.4 status=VAL_AC_VERIFIED:31

  20120904::13:29:20     name=. class=IN type=DNSKEY from-server=198.41.0.4 status=VAL_AC_TRUST:12

  20120904::13:29:20 Validation result for {baddata-a.test.dnssec-tools.org, IN(1), AAAA(28)}: VAL_NONEXISTENT_TYPE:133 (Validated)

  20120904::13:29:20     Proof of non-existence [1 of 1]

  20120904::13:29:20       name=baddata-a.test.dnssec-tools.org class=IN type=NSEC from-server=192.168.122.1 status=VAL_AC_VERIFIED:31

  20120904::13:29:20       name=test.dnssec-tools.org class=IN type=DNSKEY[tag=28827] from-server=168.150.236.43 status=VAL_AC_VERIFIED:31

  20120904::13:29:20       name=test.dnssec-tools.org class=IN type=DS from-server=168.150.236.43 status=VAL_AC_VERIFIED:31

  20120904::13:29:20       name=dnssec-tools.org class=IN type=DNSKEY[tag=34816] from-server=168.150.236.43 status=VAL_AC_VERIFIED:31

  20120904::13:29:20       name=dnssec-tools.org class=IN type=DS from-server=199.249.120.1 status=VAL_AC_VERIFIED:31

  20120904::13:29:20       name=org class=IN type=DNSKEY[tag=21366] from-server=199.249.120.1 status=VAL_AC_VERIFIED:31

  20120904::13:29:20       name=org class=IN type=DS from-server=198.41.0.4 status=VAL_AC_VERIFIED:31

  20120904::13:29:20       name=. class=IN type=DNSKEY from-server=198.41.0.4 status=VAL_AC_TRUST:12

  lftp: baddata-a.test.dnssec-tools.org: DNS resoloution not trusted.