From: Brian W. <bwe...@xb...> - 2010-11-24 19:01:28
On Nov 24, 2010, at 4:37 AM, mod63 wrote:

> Brian Wellington wrote:
>>
>> On Nov 23, 2010, at 1:50 AM, mod63 wrote:
>>
>>> Brian Wellington wrote:
>>>>
>>>> On Nov 22, 2010, at 5:04 AM, mod63 wrote:
>>>>
>>>>> Hi there,
>>>>>
>>>>> I'm currently working on a project that requires DNSSEC. The current
>>>>> situation is basically that I get a request from a client and, based on
>>>>> that, I generate a response, i.e. a Message object, and send it off to
>>>>> the client; very basic stuff. The problem is I need to add DNSSEC to
>>>>> that, and that's where I'm currently stuck.
>>>>>
>>>>> I couldn't find any good resources about the subject and the
>>>>> explanation in the dnsjava documentation wasn't adequate.
>>>>>
>>>>> Any help would be appreciated; I need to resolve this problem as
>>>>> quickly as possible.
>>>>
>>>> If you want to write a DNSSEC-compliant name server, there is no
>>>> resource better than the DNSSEC RFCs. There are a whole lot of them,
>>>> but the important ones are probably 4034 and 4035.
>>>>
>>>> You're not going to find much in the dnsjava documentation, as dnsjava
>>>> doesn't include a DNSSEC-compliant name server. I think the library is
>>>> complete enough that one could be written, but it definitely would not
>>>> be trivial, and would likely take a considerable amount of time.
>>>
>>> Thank you for the fast reply.
>>>
>>> The dnsjava documentation for version 2.1.0 contains additional methods
>>> not mentioned in the online documentation, such as the DNSSEC.sign()
>>> method, which returns an RRSIGRecord. Could you please clarify this:
>>> what's the state of the implementation? Can it be used or modified?
>>
>> The online documentation was outdated; I just updated it to point at the
>> current release.
>>
>> The implementation is complete (to the best of my knowledge), but as David
>> said, the implementation only contains the low-level routines needed to
>> build an authoritative server with DNSSEC support.
>>
>> Brian
>
> I got a little bit confused by your responses, so here's what we've done
> so far.
>
> We have a Message object which is the response we are sending back to the
> client; we need to add DNSSEC to it.
>
> DNSSEC
> 1) Initialize all the values needed to create an RRSIGRecord (name,
>    algorithm, ttl, etc).
> 2) Read a private key from a file and generate a PrivateKey object.
> 3) Read a public key from a file and generate a PublicKey object.
> 4) Create a DNSKEYRecord object using the public key.
> 5) Create an RRset object from the response Record used for signing.
> 6) Generate the response RRSIGRecord using the DNSSEC.sign() method, which
>    takes all the objects created in the previous steps.
>
> ADDING DNSSEC TO THE RESPONSE
> 1) Create a Record containing all the modified information that is needed
>    by the client.
> 2) Add the Record from the previous step into the message's ANSWER section.
> 3) Add the RRSIGRecord into the message's ANSWER section.
> 4) Send it to the client.

I believe this will work, but only in a very limited situation where all queries have a simple, positive answer and performance is not an issue.

Brian
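The two procedures mod63 lists above (build a DNSKEYRecord and RRset, sign with DNSSEC.sign(), place the records and the RRSIG in the ANSWER section), carried out end to end against the dnsjava 2.1 API. This is an added example, not code from the thread or from the dnsjava project. It assumes dnsjava 2.1.x on the classpath, generates the RSA key pair in memory instead of reading it from files (so it runs offline), and uses constructed zone data: example.com and 192.0.2.x / 198.51.100.x addresses. It also adds the check a validating resolver performs, DNSSEC.verify() over the signed RRset, and runs the same check against a tampered copy so the failure mode is visible.

```java
import java.net.InetAddress;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.util.Date;
import java.util.Iterator;

import org.xbill.DNS.*;

public class SignedAnswerExample {

    // Constructed sample zone data; a real server would load its key pair from files.
    static final String ZONE = "example.com.";
    static final long TTL = 3600;

    public static void main(String[] args) throws Exception {
        Name zone = Name.fromString(ZONE);

        // Steps 2 and 3: obtain the key pair. Generated in memory here so the example
        // runs stand-alone; in production, read the PrivateKey/PublicKey from files.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        PrivateKey privateKey = kp.getPrivate();

        // Step 4: DNSKEY record built from the public key (zone key flag, protocol 3).
        DNSKEYRecord dnskey = new DNSKEYRecord(zone, DClass.IN, TTL,
                DNSKEYRecord.Flags.ZONE_KEY, DNSKEYRecord.Protocol.DNSSEC,
                DNSSEC.Algorithm.RSASHA256, kp.getPublic());

        // Step 5: the RRset holding the answer. One RRSIG covers a whole RRset
        // (same owner name, class and type), so every A record must be added
        // to the RRset before signing, not signed one record at a time.
        Name owner = Name.fromString("www." + ZONE);
        RRset answer = new RRset();
        answer.addRR(new ARecord(owner, DClass.IN, TTL, InetAddress.getByName("192.0.2.10")));
        answer.addRR(new ARecord(owner, DClass.IN, TTL, InetAddress.getByName("192.0.2.11")));

        // Step 6: sign. The inception/expiration window is part of the signed data
        // (RFC 4034), so a validator will reject the RRSIG outside that window.
        Date inception = new Date();
        Date expiration = new Date(inception.getTime() + 7L * 24 * 3600 * 1000);
        RRSIGRecord rrsig = DNSSEC.sign(answer, dnskey, privateKey, inception, expiration);

        // "Adding DNSSEC to the response": the answer records and their RRSIG go
        // into the ANSWER section of the Message sent back to the client.
        Record question = Record.newRecord(owner, Type.A, DClass.IN);
        Message response = new Message();
        response.getHeader().setFlag(Flags.QR);
        response.getHeader().setFlag(Flags.AA);
        response.addRecord(question, Section.QUESTION);
        for (Iterator<?> it = answer.rrs(); it.hasNext(); ) {
            response.addRecord((Record) it.next(), Section.ANSWER);
        }
        response.addRecord(rrsig, Section.ANSWER);
        System.out.println(response);

        // What a validating resolver does with this: verify the RRSIG over the
        // RRset with the matching DNSKEY. verify() throws on any failure.
        DNSSEC.verify(answer, rrsig, dnskey);
        System.out.println("RRSIG verifies against the DNSKEY");

        // Tampering check: changing one address invalidates the signature.
        RRset tampered = new RRset();
        tampered.addRR(new ARecord(owner, DClass.IN, TTL, InetAddress.getByName("192.0.2.10")));
        tampered.addRR(new ARecord(owner, DClass.IN, TTL, InetAddress.getByName("198.51.100.1")));
        try {
            DNSSEC.verify(tampered, rrsig, dnskey);
            System.out.println("unexpected: tampered RRset verified");
        } catch (DNSSEC.DNSSECException e) {
            System.out.println("tampered RRset rejected: " + e.getMessage());
        }
    }
}
```

This covers exactly the case Brian describes as workable: a simple, positive answer. A resolver that validates will additionally need the zone's DNSKEY RRset to be signed and reachable through a DS record in the parent zone, and negative answers (NXDOMAIN, no-data) need NSEC or NSEC3 records per RFC 4035; none of that is produced here.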