From: Adam F. <ada...@gm...> - 2011-10-30 22:11:47
Can anyone provide a quick example of verifying a DNSSEC response on the client side? I can't seem to find good documentation on how to do this. Thanks very much in advance.

-Adam

--
View this message in context: http://old.nabble.com/DNSSSEC-verification-example-tp32749151p32749151.html
Sent from the dnsjava-users mailing list archive at Nabble.com.
From: Brian W. <bwe...@xb...> - 2011-10-31 19:04:23
On Oct 30, 2011, at 3:11 PM, Adam Fisk wrote:

> Can anyone provide a quick example of verifying a DNSSEC response on the client side? I can't seem to find good documentation on how to do this.

There isn't really such a thing as "a DNSSEC response", so I'm not completely sure what you're looking for. DNSSEC signs DNS records, not DNS messages.

A response from a signed zone will (typically) contain one or more RRSIG records, signing the data records, which comprise an RRset. If you have the public key (which won't be in the response), then you can call DNSSEC.verify(rrset, rrsig, pubkey). The data and signature RRsets can be obtained from Message.getSectionRRsets() on the response, and the matching signature can be found by comparing the results of getFootprint() on the public key (DNSKEY) and signature (RRSIG).

I don't think it's possible to come up with a quick example of all of this, as it's not trivial.

Brian
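The steps Brian describes, written out as an added example (editor's code, not code from this thread or from dnsjava itself) against the dnsjava 2.1.x API. So that it runs offline, the example first plays zone operator: it generates a throwaway RSA key, wraps it in a DNSKEY record for a made-up zone, builds an A RRset and signs it with DNSSEC.sign(). It then does only what a client does: pulls the RRsets out of a Message with getSectionRRsets(), selects the RRSIG whose footprint (and algorithm and signer name) match the DNSKEY, and calls DNSSEC.verify(). The zone name, hostname, addresses and key are all constructed for the example.

```java
import java.net.InetAddress;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Date;
import java.util.Iterator;

import org.xbill.DNS.ARecord;
import org.xbill.DNS.DClass;
import org.xbill.DNS.DNSKEYRecord;
import org.xbill.DNS.DNSSEC;
import org.xbill.DNS.Message;
import org.xbill.DNS.Name;
import org.xbill.DNS.RRSIGRecord;
import org.xbill.DNS.RRset;
import org.xbill.DNS.Record;
import org.xbill.DNS.Section;

/**
 * Added example, not part of the mailing-list thread: verify the RRSIGs in a
 * response Message against a DNSKEY with the dnsjava 2.1.x API. The response
 * is constructed and signed locally so that the example runs offline.
 */
public class VerifyRRsets {

    /** The RRSIG in this RRset that the given DNSKEY can verify (footprint rule from the thread). */
    static RRSIGRecord findSignature(RRset rrset, DNSKEYRecord key) {
        for (Iterator it = rrset.sigs(); it.hasNext();) {
            RRSIGRecord sig = (RRSIGRecord) it.next();
            if (sig.getFootprint() == key.getFootprint()
                    && sig.getAlgorithm() == key.getAlgorithm()
                    && sig.getSigner().equals(key.getName())) {
                return sig;
            }
        }
        return null;
    }

    /**
     * Verify every RRset in the answer section with the given key. Returns the
     * number of RRsets verified; throws on any failure (bad signature, expired
     * or not-yet-valid RRSIG, key mismatch) so a caller cannot silently ignore it.
     */
    static int verifyAnswer(Message response, DNSKEYRecord key) throws DNSSEC.DNSSECException {
        int verified = 0;
        RRset[] sets = response.getSectionRRsets(Section.ANSWER);
        for (int i = 0; i < sets.length; i++) {
            RRSIGRecord sig = findSignature(sets[i], key);
            if (sig == null) {
                throw new IllegalStateException("no RRSIG matching key tag "
                        + key.getFootprint() + " for " + sets[i]);
            }
            DNSSEC.verify(sets[i], sig, key); // also checks inception/expiration against now
            verified++;
        }
        return verified;
    }

    public static void main(String[] args) throws Exception {
        // Constructed zone and key. A real client obtains the DNSKEY RRset with a
        // DNSKEY query and must authenticate it via DS records up to a trust anchor.
        Name zone = Name.fromString("example.test.");
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        DNSKEYRecord dnskey = new DNSKEYRecord(zone, DClass.IN, 3600,
                DNSKEYRecord.Flags.ZONE_KEY, DNSKEYRecord.Protocol.DNSSEC,
                DNSSEC.Algorithm.RSASHA256, kp.getPublic());

        // Two A records form one RRset; signing it is the zone operator's job,
        // done here only to produce something to verify.
        Name host = Name.fromString("www.example.test.");
        RRset a = new RRset(new ARecord(host, DClass.IN, 300, InetAddress.getByName("192.0.2.1")));
        a.addRR(new ARecord(host, DClass.IN, 300, InetAddress.getByName("192.0.2.2")));
        Date now = new Date();
        Date expire = new Date(now.getTime() + 7L * 24 * 3600 * 1000);
        RRSIGRecord rrsig = DNSSEC.sign(a, dnskey, kp.getPrivate(), now, expire);

        // What a DNSSEC-aware server would place in the answer section.
        Message response = new Message();
        for (Iterator it = a.rrs(); it.hasNext();) {
            response.addRecord((Record) it.next(), Section.ANSWER);
        }
        response.addRecord(rrsig, Section.ANSWER);
        System.out.println("verified RRsets: " + verifyAnswer(response, dnskey));

        // Tampered data under the same name with the same RRSIG must be rejected.
        Message forged = new Message();
        forged.addRecord(new ARecord(host, DClass.IN, 300, InetAddress.getByName("203.0.113.9")), Section.ANSWER);
        forged.addRecord(rrsig, Section.ANSWER);
        try {
            verifyAnswer(forged, dnskey);
            System.out.println("BUG: forged answer verified");
        } catch (DNSSEC.DNSSECException e) {
            System.out.println("forged answer rejected: " + e);
        }
    }
}
```

Two things worth keeping in mind when turning this into a real client. DNSSEC.verify() uses the wall clock for the RRSIG validity window, so a host with a badly skewed clock will reject perfectly good signatures. More importantly, a matching footprint only shows which key produced the signature; it says nothing about whether that key is the zone's legitimate key. Without walking DS records from the zone's parent up to a configured trust anchor (the root, in practice), an attacker who can spoof the answer can equally spoof a DNSKEY and a matching RRSIG, and this example would accept them.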
From: Adam F. <ada...@gm...> - 2011-10-31 21:10:01
Thanks very much, Brian -- this is super useful. I've been trying to avoid breaking out the RFCs, but it sounds like I've just been in denial. I'll take the plunge and learn the basics before circling back and using the building blocks you've graciously provided in dnsjava.

All the Best,

-Adam

On Mon, Oct 31, 2011 at 11:12 AM, Brian Wellington <bwe...@xb...> wrote:
>
> On Oct 30, 2011, at 3:11 PM, Adam Fisk wrote:
>
>> Can anyone provide a quick example of verifying a DNSSEC response on the client side? I can't seem to find good documentation on how to do this.
>
> There isn't really such a thing as "a DNSSEC response", so I'm not completely sure what you're looking for. DNSSEC signs DNS records, not DNS messages.
>
> A response from a signed zone will (typically) contain one or more RRSIG records, signing the data records, which comprise an RRset. If you have the public key (which won't be in the response), then you can call DNSSEC.verify(rrset, rrsig, pubkey). The data and signature RRsets can be obtained from Message.getSectionRRsets() on the response, and the matching signature can be found by comparing the results of getFootprint() on the public key (DNSKEY) and signature (RRSIG).
>
> I don't think it's possible to come up with a quick example of all of this, as it's not trivial.
>
> Brian

--
Adam Fisk
http://www.littleshoot.org | http://adamfisk.wordpress.com | http://twitter.com/adamfisk
From: Adam F. <a...@br...> - 2011-11-23 04:39:04
Hi Brian-

How do I modify the initial request message to request the DNSSEC extended attributes? Should I be able to get those attributes from a query to, say, gmail.com -- i.e. can I just fire off queries to a bunch of the major sites at this point and expect DNSSEC responses?

Thanks very much.

-Adam

On Mon, Oct 31, 2011 at 2:09 PM, Adam Fisk <ada...@gm...> wrote:
> Thanks very much, Brian -- this is super useful. I've been trying to avoid breaking out the RFCs, but it sounds like I've just been in denial. I'll take the plunge and learn the basics before circling back and using the building blocks you've graciously provided in dnsjava.
>
> All the Best,
>
> -Adam
>
>
> On Mon, Oct 31, 2011 at 11:12 AM, Brian Wellington <bwe...@xb...> wrote:
>>
>> On Oct 30, 2011, at 3:11 PM, Adam Fisk wrote:
>>
>>> Can anyone provide a quick example of verifying a DNSSEC response on the client side? I can't seem to find good documentation on how to do this.
>>
>> There isn't really such a thing as "a DNSSEC response", so I'm not completely sure what you're looking for. DNSSEC signs DNS records, not DNS messages.
>>
>> A response from a signed zone will (typically) contain one or more RRSIG records, signing the data records, which comprise an RRset. If you have the public key (which won't be in the response), then you can call DNSSEC.verify(rrset, rrsig, pubkey). The data and signature RRsets can be obtained from Message.getSectionRRsets() on the response, and the matching signature can be found by comparing the results of getFootprint() on the public key (DNSKEY) and signature (RRSIG).
>>
>> I don't think it's possible to come up with a quick example of all of this, as it's not trivial.
>>
>> Brian
>
>
>
> --
> Adam Fisk
> http://www.littleshoot.org | http://adamfisk.wordpress.com | http://twitter.com/adamfisk
From: Brian W. <bwe...@xb...> - 2011-11-24 01:28:05
On Nov 22, 2011, at 8:38 PM, Adam Fisk wrote:

> Hi Brian- How do I modify the initial request message to request the DNSSEC extended attributes? Should I be able to get those attributes from a query to, say, gmail.com -- i.e. can I just fire off queries to a bunch of the major sites at this point and expect DNSSEC responses?

If you want to set it on all queries, you can call:

    Resolver.setEDNS(0, 0, ExtendedFlags.DO, null);

on the resolver being used. To set it on an individual query:

    opt = new OPTRecord(1280, 0, 1, ExtendedFlags.DO , null);
    query.addRecord(opt, Section.ADDITIONAL);

Note that unless you send the query directly to an authoritative server, the response will only contain DNSSEC information if the caching server you're pointing to supports DNSSEC. Whether this is true depends on how your ISP (or other DNS provider) has configured it.

There are definitely major sites using DNSSEC, but gmail isn't one of them. I'm sure that someone's maintaining a list, but I haven't looked.

Brian
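Both ways of requesting DNSSEC records that Brian lists, plus the check his caveat calls for, as an added example (editor's code, not the thread's or dnsjava's own, dnsjava 2.1.x API). One helper turns on EDNS with the DO bit for every query a Resolver sends; another attaches an OPT record to a single Message (the EDNS version argument is 0 here, the only version defined); a third inspects a response to see whether the caching server is actually DNSSEC-aware (it echoes an OPT record with DO set), whether it set AD, and how many answer RRsets came back with RRSIGs. The resolver address and hostname on the command line are assumptions; with no arguments it runs against a constructed response so it can be tried offline.

```java
import org.xbill.DNS.DClass;
import org.xbill.DNS.ExtendedFlags;
import org.xbill.DNS.Flags;
import org.xbill.DNS.Message;
import org.xbill.DNS.Name;
import org.xbill.DNS.OPTRecord;
import org.xbill.DNS.RRset;
import org.xbill.DNS.Record;
import org.xbill.DNS.Resolver;
import org.xbill.DNS.Section;
import org.xbill.DNS.SimpleResolver;
import org.xbill.DNS.Type;

/**
 * Added example, not from the mailing-list thread: request DNSSEC records
 * with the DO bit and check what the responder actually returned (dnsjava 2.1.x).
 */
public class DoBitQuery {

    /** Per-resolver: every query sent through r carries EDNS0 with DO set. */
    static void enableDoOnResolver(Resolver r) {
        r.setEDNS(0, 0, ExtendedFlags.DO, null);
    }

    /** Per-query: one OPT record (EDNS version 0, 1280-byte UDP payload, DO set). */
    static Message newDoQuery(Name name, int type) {
        Message query = Message.newQuery(Record.newRecord(name, type, DClass.IN));
        OPTRecord opt = new OPTRecord(1280, 0, 0, ExtendedFlags.DO, null);
        query.addRecord(opt, Section.ADDITIONAL);
        return query;
    }

    /** True if the responder echoed an OPT record with DO set, i.e. it is DNSSEC-aware. */
    static boolean responderIsDnssecAware(Message response) {
        OPTRecord opt = response.getOPT();
        return opt != null && (opt.getFlags() & ExtendedFlags.DO) != 0;
    }

    /**
     * Number of answer RRsets that arrived with at least one RRSIG. The AD flag
     * only means the server claims to have validated; over an untrusted path that
     * claim is worthless, which is why the client wants the RRSIGs themselves.
     */
    static int signedAnswerRRsets(Message response) {
        int signed = 0;
        RRset[] sets = response.getSectionRRsets(Section.ANSWER);
        for (int i = 0; i < sets.length; i++) {
            if (sets[i].sigs().hasNext()) {
                signed++;
            }
        }
        return signed;
    }

    static void report(Message response) {
        System.out.println("DO echoed: " + responderIsDnssecAware(response));
        System.out.println("AD flag:   " + response.getHeader().getFlag(Flags.AD));
        System.out.println("signed answer RRsets: " + signedAnswerRRsets(response)
                + " of " + response.getSectionRRsets(Section.ANSWER).length);
    }

    public static void main(String[] args) throws Exception {
        if (args.length >= 2) {
            // Assumed usage: <resolver-ip> <name>, e.g. 192.0.2.53 www.example.test.
            Resolver r = new SimpleResolver(args[0]);
            enableDoOnResolver(r);
            report(r.send(newDoQuery(Name.fromString(args[1]), Type.A)));
            return;
        }
        // Offline: a constructed response that echoes DO but carries no RRSIG,
        // which is what a DNSSEC-aware server returns for an unsigned zone.
        Name name = Name.fromString("www.example.test.");
        Message query = newDoQuery(name, Type.A);
        Message response = new Message(query.getHeader().getID());
        response.getHeader().setFlag(Flags.QR);
        response.addRecord(Record.newRecord(name, Type.A, DClass.IN), Section.QUESTION);
        response.addRecord(new OPTRecord(4096, 0, 0, ExtendedFlags.DO, null), Section.ADDITIONAL);
        report(response);
    }
}
```

If DO is not echoed, the caching server you were handed by DHCP is not DNSSEC-aware and no RRSIGs will ever appear, whatever the zone does; the practical options are to point the Resolver at a validating recursive server you control, or to query the zone's authoritative servers directly. A response that echoes DO but carries no RRSIG for the answer is ambiguous on its own (unsigned zone, or stripped signatures) and can only be settled by proving the zone is unsigned through the DS chain from its parent.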
From: Adam F. <af...@br...> - 2012-02-20 22:52:22
I belatedly wanted to thank you for all these details, Brian. It's still an early version that needs more extensive testing in the wild, but the steps you described are integrated into DNSSEC4J at:

https://github.com/adamfisk/DNSSEC4J

I know others have mentioned it, but I'll throw in my +1 for putting dnsjava up at Sonatype for auto-syncing with Maven central -- would make it much easier for third parties to integrate things like DNSSEC4J as well. It's actually fairly easy to do and totally worth it -- described at:

https://docs.sonatype.org/display/Repository/Sonatype+OSS+Maven+Repository+Usage+Guide

All the Best,

-Adam

On Wed, Nov 23, 2011 at 4:32 PM, Brian Wellington <bwe...@xb...> wrote:
>
> On Nov 22, 2011, at 8:38 PM, Adam Fisk wrote:
>
>> Hi Brian- How do I modify the initial request message to request the DNSSEC extended attributes? Should I be able to get those attributes from a query to, say, gmail.com -- i.e. can I just fire off queries to a bunch of the major sites at this point and expect DNSSEC responses?
>
> If you want to set it on all queries, you can call:
>
>     Resolver.setEDNS(0, 0, ExtendedFlags.DO, null);
>
> on the resolver being used. To set it on an individual query:
>
>     opt = new OPTRecord(1280, 0, 1, ExtendedFlags.DO , null);
>     query.addRecord(opt, Section.ADDITIONAL);
>
> Note that unless you send the query directly to an authoritative server, the response will only contain DNSSEC information if the caching server you're pointing to supports DNSSEC. Whether this is true depends on how your ISP (or other DNS provider) has configured it.
>
> There are definitely major sites using DNSSEC, but gmail isn't one of them. I'm sure that someone's maintaining a list, but I haven't looked.
>
> Brian
From: Brian W. <bwe...@xb...> - 2012-02-22 04:03:54
On Feb 20, 2012, at 1:52 PM, Adam Fisk wrote:

> I belatedly wanted to thank you for all these details, Brian. It's still an early version that needs more extensive testing in the wild, but the steps you described are integrated into DNSSEC4J at:
>
> https://github.com/adamfisk/DNSSEC4J

Thanks! Do you want me to add a link to this from dnsjava.org?

> I know others have mentioned it, but I'll throw in my +1 for putting dnsjava up at Sonatype for auto-syncing with Maven central -- would make it much easier for third parties to integrate things like DNSSEC4J as well. It's actually fairly easy to do and totally worth it -- described at:
>
> https://docs.sonatype.org/display/Repository/Sonatype+OSS+Maven+Repository+Usage+Guide

I don't use Maven, so I'm not planning to do this. If anyone else wants to do this on a regular basis, I'm happy to let them.

Brian

> On Wed, Nov 23, 2011 at 4:32 PM, Brian Wellington <bwe...@xb...> wrote:
>>
>> On Nov 22, 2011, at 8:38 PM, Adam Fisk wrote:
>>
>>> Hi Brian- How do I modify the initial request message to request the DNSSEC extended attributes? Should I be able to get those attributes from a query to, say, gmail.com -- i.e. can I just fire off queries to a bunch of the major sites at this point and expect DNSSEC responses?
>>
>> If you want to set it on all queries, you can call:
>>
>>     Resolver.setEDNS(0, 0, ExtendedFlags.DO, null);
>>
>> on the resolver being used. To set it on an individual query:
>>
>>     opt = new OPTRecord(1280, 0, 1, ExtendedFlags.DO , null);
>>     query.addRecord(opt, Section.ADDITIONAL);
>>
>> Note that unless you send the query directly to an authoritative server, the response will only contain DNSSEC information if the caching server you're pointing to supports DNSSEC. Whether this is true depends on how your ISP (or other DNS provider) has configured it.
>>
>> There are definitely major sites using DNSSEC, but gmail isn't one of them. I'm sure that someone's maintaining a list, but I haven't looked.
>>
>> Brian
>>
From: Adam F. <af...@br...> - 2012-02-27 19:33:26
A link would be welcome, but I mostly just wanted to let you know your detailed responses weren't falling on deaf ears.

The only tricky part about third parties posting to Sonatype is that they require you to control the domain you publish under. I could do it under org.littleshoot, for example, but can't do it under org.xbill. It would also be somewhat challenging to stay in sync, as I don't follow dnsjava on a daily basis so am not always aware of the latest release right away. I could easily publish a placeholder under org.littleshoot if you wanted, however -- DNSSEC4J would just grab that one, and others could as well. I could shoot you the super simple pom.xml that would be useful in any case.

-Adam

On Tue, Feb 21, 2012 at 6:58 PM, Brian Wellington <bwe...@xb...> wrote:
>
> On Feb 20, 2012, at 1:52 PM, Adam Fisk wrote:
>
>> I belatedly wanted to thank you for all these details, Brian. It's still an early version that needs more extensive testing in the wild, but the steps you described are integrated into DNSSEC4J at:
>>
>> https://github.com/adamfisk/DNSSEC4J
>
> Thanks! Do you want me to add a link to this from dnsjava.org?
>
>> I know others have mentioned it, but I'll throw in my +1 for putting dnsjava up at Sonatype for auto-syncing with Maven central -- would make it much easier for third parties to integrate things like DNSSEC4J as well. It's actually fairly easy to do and totally worth it -- described at:
>>
>> https://docs.sonatype.org/display/Repository/Sonatype+OSS+Maven+Repository+Usage+Guide
>
> I don't use Maven, so I'm not planning to do this. If anyone else wants to do this on a regular basis, I'm happy to let them.
>
> Brian
>
>
>
>> On Wed, Nov 23, 2011 at 4:32 PM, Brian Wellington <bwe...@xb...> wrote:
>>>
>>> On Nov 22, 2011, at 8:38 PM, Adam Fisk wrote:
>>>
>>>> Hi Brian- How do I modify the initial request message to request the DNSSEC extended attributes? Should I be able to get those attributes from a query to, say, gmail.com -- i.e. can I just fire off queries to a bunch of the major sites at this point and expect DNSSEC responses?
>>>
>>> If you want to set it on all queries, you can call:
>>>
>>>     Resolver.setEDNS(0, 0, ExtendedFlags.DO, null);
>>>
>>> on the resolver being used. To set it on an individual query:
>>>
>>>     opt = new OPTRecord(1280, 0, 1, ExtendedFlags.DO , null);
>>>     query.addRecord(opt, Section.ADDITIONAL);
>>>
>>> Note that unless you send the query directly to an authoritative server, the response will only contain DNSSEC information if the caching server you're pointing to supports DNSSEC. Whether this is true depends on how your ISP (or other DNS provider) has configured it.
>>>
>>> There are definitely major sites using DNSSEC, but gmail isn't one of them. I'm sure that someone's maintaining a list, but I haven't looked.
>>>
>>> Brian
>>>
>