DNSSEC Validation for lftp
==========================

This patch adds local DNSSEC validation to lftp, along with an option to
enable it. This code is only compiled if the configure option
--dnssec-local-validation is specified. The libraries libval and libsres
from DNSSEC-Tools are prerequisites. Additional options may be needed
to point configure at the correct directory for these libraries.

When compiled in, the option is still off by default. The new boolean
option 'dns:strict-dnssec' must be enabled by the user.

Once strict DNSSEC checking is enabled, DNSSEC validation is done according
to the configuration in the DNSSEC-Tools configuration file dnsval.conf.
Please refer to the DNSSEC-Tools documentation for more information.

http://www.dnssec-tools.org/


Testing
=======

By default, DNSSEC-Tools' configuration file should be validating
all zones. A few zones are signed, but most are not. You can use
the test zone provided by DNSSEC-Tools for verifying correct operation.

First, configure lftp to require validation.

$ echo "set dns:strict-dnssec 1" > ~/.lftprc

Next, simply run lftp with a few domains. Here we use the DNSSEC-Tools domain
as a known-good domain, and a domain in the DNSSEC-Tools test zone as
a domain that will fail DNSSEC validation checks.

$ lftp www.dnssec-tools.org
cd ok, cwd=/
lftp www.dnssec-tools.org:/>

$ lftp baddata-a.test.dnssec-tools.org
lftp: baddata-a.test.dnssec-tools.org: DNS resoloution not trusted.


Viewing Details
===============

To see some debug output from the validation process, you can set the
VAL_LOG_TARGET environment variable. (Higher numbers will result in more
output. 5 is a good start, 7 is more than you really want.)

$ export VAL_LOG_TARGET="5:stdout"

$ lftp www.dnssec-tools.org
20120904::16:44:31 Validation result for {www.dnssec-tools.org, IN(1), A(1)}: VAL_SUCCESS:128 (Validated)
20120904::16:44:31 name=www.dnssec-tools.org class=IN type=A from-server=192.168.122.1 status=VAL_AC_VERIFIED:31
20120904::16:44:31 name=dnssec-tools.org class=IN type=DNSKEY[tag=34816] from-server=192.168.122.1 status=VAL_AC_VERIFIED:31
20120904::16:44:31 name=dnssec-tools.org class=IN type=DS from-server=192.168.122.1 status=VAL_AC_VERIFIED:31
20120904::16:44:31 name=org class=IN type=DNSKEY[tag=21366] from-server=192.168.122.1 status=VAL_AC_VERIFIED:31
20120904::16:44:31 name=org class=IN type=DS from-server=192.168.122.1 status=VAL_AC_VERIFIED:31
20120904::16:44:31 name=. class=IN type=DNSKEY from-server=192.168.122.1 status=VAL_AC_TRUST:12
20120904::16:44:31 Validation result for {www.dnssec-tools.org, IN(1), AAAA(28)}: VAL_NONEXISTENT_TYPE:133 (Validated)
20120904::16:44:31 Proof of non-existence [1 of 1]
20120904::16:44:31 name=www.dnssec-tools.org class=IN type=NSEC from-server=192.168.122.1 status=VAL_AC_VERIFIED:31
20120904::16:44:31 name=dnssec-tools.org class=IN type=DNSKEY[tag=34816] from-server=192.168.122.1 status=VAL_AC_VERIFIED:31
20120904::16:44:31 name=dnssec-tools.org class=IN type=DS from-server=192.168.122.1 status=VAL_AC_VERIFIED:31
20120904::16:44:31 name=org class=IN type=DNSKEY[tag=21366] from-server=192.168.122.1 status=VAL_AC_VERIFIED:31
20120904::16:44:31 name=org class=IN type=DS from-server=192.168.122.1 status=VAL_AC_VERIFIED:31
20120904::16:44:31 name=. class=IN type=DNSKEY from-server=192.168.122.1 status=VAL_AC_TRUST:12
cd ok, cwd=/
lftp www.dnssec-tools.org:/>

$ lftp baddata-a.test.dnssec-tools.org
20120904::13:29:20 Validation result for {baddata-a.test.dnssec-tools.org, IN(1), A(1)}: VAL_BOGUS:1 (Untrusted)
20120904::13:29:20 name=baddata-a.test.dnssec-tools.org class=IN type=A from-server=168.150.236.43 status=VAL_AC_NOT_VERIFIED:18
20120904::13:29:20 name=test.dnssec-tools.org class=IN type=DNSKEY[tag=28827] from-server=168.150.236.43 status=VAL_AC_VERIFIED:31
20120904::13:29:20 name=test.dnssec-tools.org class=IN type=DS from-server=168.150.236.43 status=VAL_AC_VERIFIED:31
20120904::13:29:20 name=dnssec-tools.org class=IN type=DNSKEY[tag=34816] from-server=168.150.236.43 status=VAL_AC_VERIFIED:31
20120904::13:29:20 name=dnssec-tools.org class=IN type=DS from-server=199.249.120.1 status=VAL_AC_VERIFIED:31
20120904::13:29:20 name=org class=IN type=DNSKEY[tag=21366] from-server=199.249.120.1 status=VAL_AC_VERIFIED:31
20120904::13:29:20 name=org class=IN type=DS from-server=198.41.0.4 status=VAL_AC_VERIFIED:31
20120904::13:29:20 name=. class=IN type=DNSKEY from-server=198.41.0.4 status=VAL_AC_TRUST:12
20120904::13:29:20 Validation result for {baddata-a.test.dnssec-tools.org, IN(1), AAAA(28)}: VAL_NONEXISTENT_TYPE:133 (Validated)
20120904::13:29:20 Proof of non-existence [1 of 1]
20120904::13:29:20 name=baddata-a.test.dnssec-tools.org class=IN type=NSEC from-server=192.168.122.1 status=VAL_AC_VERIFIED:31
20120904::13:29:20 name=test.dnssec-tools.org class=IN type=DNSKEY[tag=28827] from-server=168.150.236.43 status=VAL_AC_VERIFIED:31
20120904::13:29:20 name=test.dnssec-tools.org class=IN type=DS from-server=168.150.236.43 status=VAL_AC_VERIFIED:31
20120904::13:29:20 name=dnssec-tools.org class=IN type=DNSKEY[tag=34816] from-server=168.150.236.43 status=VAL_AC_VERIFIED:31
20120904::13:29:20 name=dnssec-tools.org class=IN type=DS from-server=199.249.120.1 status=VAL_AC_VERIFIED:31
20120904::13:29:20 name=org class=IN type=DNSKEY[tag=21366] from-server=199.249.120.1 status=VAL_AC_VERIFIED:31
20120904::13:29:20 name=org class=IN type=DS from-server=198.41.0.4 status=VAL_AC_VERIFIED:31
20120904::13:29:20 name=. class=IN type=DNSKEY from-server=198.41.0.4 status=VAL_AC_TRUST:12
lftp: baddata-a.test.dnssec-tools.org: DNS resoloution not trusted.
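The log above is easier to triage once each "Validation result" line is paired with the chain of DNSKEY/DS/A records libval checked beneath it. The following Python script is an added example (not code from lftp or DNSSEC-Tools) that does exactly that on an abridged copy of the session above, embedded as constructed sample input, and names the first link that did not verify; the label NO_TRUST_ANCHOR is the script's own, not a libval status.

```python
"""Triage helper for libval's VAL_LOG_TARGET output (added example, not lftp or
DNSSEC-Tools code): groups each 'Validation result' with its chain of checked
records and names the first link that failed to verify."""
import re

RESULT_RE = re.compile(
    r"^\d{8}::\d\d:\d\d:\d\d Validation result for "
    r"\{(?P<name>[^,]+), \w+\(\d+\), (?P<rtype>\w+)\(\d+\)\}: "
    r"(?P<status>\w+):\d+ \((?P<verdict>\w+)\)$")
LINK_RE = re.compile(
    r"^\d{8}::\d\d:\d\d:\d\d name=(?P<name>\S+) class=\S+ type=(?P<rtype>\S+) "
    r"from-server=(?P<server>\S+) status=(?P<status>\w+):\d+$")

# Abridged copy of the session above (DS links omitted); constructed sample input.
SAMPLE = """\
20120904::16:44:31 Validation result for {www.dnssec-tools.org, IN(1), A(1)}: VAL_SUCCESS:128 (Validated)
20120904::16:44:31 name=www.dnssec-tools.org class=IN type=A from-server=192.168.122.1 status=VAL_AC_VERIFIED:31
20120904::16:44:31 name=dnssec-tools.org class=IN type=DNSKEY[tag=34816] from-server=192.168.122.1 status=VAL_AC_VERIFIED:31
20120904::16:44:31 name=. class=IN type=DNSKEY from-server=192.168.122.1 status=VAL_AC_TRUST:12
20120904::13:29:20 Validation result for {baddata-a.test.dnssec-tools.org, IN(1), A(1)}: VAL_BOGUS:1 (Untrusted)
20120904::13:29:20 name=baddata-a.test.dnssec-tools.org class=IN type=A from-server=168.150.236.43 status=VAL_AC_NOT_VERIFIED:18
20120904::13:29:20 name=test.dnssec-tools.org class=IN type=DNSKEY[tag=28827] from-server=168.150.236.43 status=VAL_AC_VERIFIED:31
20120904::13:29:20 name=. class=IN type=DNSKEY from-server=198.41.0.4 status=VAL_AC_TRUST:12
"""

def parse_val_log(text):
    """Return one dict per query: name, rtype, status, trusted flag, chain links."""
    results = []
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if m:
            results.append({"name": m["name"], "rtype": m["rtype"], "status": m["status"],
                            "trusted": m["verdict"] == "Validated", "chain": []})
            continue
        m = LINK_RE.match(line)
        if m and results:  # chain lines belong to the most recent result line
            results[-1]["chain"].append((m["name"], m["rtype"], m["server"], m["status"]))
    return results

def diagnose(result):
    """Return (name, rtype, status) of the first link that neither verified nor was a
    trust anchor, or None if all links verified and the chain ended at VAL_AC_TRUST."""
    chain = result["chain"]
    for name, rtype, _server, status in chain:
        if status not in ("VAL_AC_VERIFIED", "VAL_AC_TRUST"):
            return (name, rtype, status)
    if not chain or chain[-1][3] != "VAL_AC_TRUST":  # "NO_TRUST_ANCHOR" is our own label
        return (result["name"], result["rtype"], "NO_TRUST_ANCHOR")
    return None
```

Running it on the baddata-a query points at the A record itself (VAL_AC_NOT_VERIFIED) while every DNSKEY/DS link up to the root trust anchor verified, which is what "DNS resolution not trusted" from lftp corresponds to in the log.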