
The trust anchor scheme SSH uses is "key continuity"

There is also RFC4255 which allows people to publish fingerprints of their SSH server public key in DNSSEC secured "SSHFP" RRs. If you have a resolver which supports DNSSEC, you can run this command: You won't be prompted to verify the fingerprint as usual, because OpenSSH will already have done that verification using the DNS. You also know for sure that has resolved to the correct IP address. There is also "VerifyHostKeyDNS ask", which just displays the result of the lookup, but still allows you to confirm the fingerprint.

DNSSEC allows you to do stuff like this because it secures the integrity of the record all the way from the authoritative DNS server to the user's resolver. There's also DANE (still going through the standards process) which allows you to publish a fingerprint of your SSL certificate on a domain/port basis, in DNSSEC secured DNS. If you install a Firefox addon named "Extended DNSSEC Validator", visit and click the lock button to the left of the address bar, you will notice it says: "Domainname is secured by DNSSEC and the certificate is validated by CA and DNSSEC". This is because I'm following the latest draft of the DANE protocol. Will be nice when the spec is finalised and browser support becomes native. I don't like that any CA can currently generate a cert for my domain.

Another benefit that DNSSEC brings is with PKA records. I publish a record in the DNS which contains a URL to my public PGP key, and its fingerprint. You can automatically download my key and encrypt something using it by typing: gpg --auto-key-locate pka -ear "" with "". Because I also have DNSSEC set up on my domain, if you have a DNSSEC supporting resolver, you know that the fingerprint you've received hasn't been tampered with on the way. Of course, somebody could compromise my DNS server or the end user's resolver. I'm not claiming that DNSSEC is a perfect solution. All I'm saying is that the integrity that it provides to DNS lookups is massively valuable.

By the way, I wrote a long article about setting up DNSSEC on Monday:
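The SSHFP mechanism discussed in the comment, as an added example that is not part of the comment or of OpenSSH: a script that derives the SSHFP records for an OpenSSH host key the way `ssh-keygen -r` does (RFC 4255 SHA-1 and RFC 6594 SHA-256 fingerprints over the raw key blob) and checks a presented key against them the way a VerifyHostKeyDNS lookup would. The host key bytes and the hostname example.net are constructed placeholders.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255; ECDSA from RFC 6594, Ed25519 from RFC 7479)
KEY_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                  "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                  "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594)
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def make_constructed_host_key(seed: int = 0) -> str:
    """Syntactically valid ssh-ed25519 public-key line around 32 FAKE key bytes."""
    name = b"ssh-ed25519"
    fake_point = bytes((i + seed) % 256 for i in range(32))   # constructed, not a key
    blob = (struct.pack(">I", len(name)) + name
            + struct.pack(">I", len(fake_point)) + fake_point)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " host@example.net"


def sshfp_records(owner: str, pubkey_line: str) -> list:
    """Zone-file SSHFP RRs (SHA-1 and SHA-256) for one OpenSSH public-key line,
    in the same form `ssh-keygen -r <host>` prints them."""
    keytype, b64 = pubkey_line.split()[:2]
    alg = KEY_ALGORITHMS[keytype]
    blob = base64.b64decode(b64)          # the digest covers the raw key blob
    return [f"{owner} IN SSHFP {alg} {fptype} {digest(blob).hexdigest()}"
            for fptype, digest in FP_TYPES.items()]


def host_key_matches(pubkey_line: str, records: list) -> bool:
    """The check behind VerifyHostKeyDNS: the presented key must match some SSHFP
    RR on algorithm, fingerprint type and digest. OpenSSH only skips the prompt
    when the resolver also reports the answer as DNSSEC-validated (AD bit)."""
    keytype, b64 = pubkey_line.split()[:2]
    alg = KEY_ALGORITHMS.get(keytype)
    blob = base64.b64decode(b64)
    for rr in records:
        rr_alg, rr_fptype, rr_digest = rr.split()[-3:]
        if int(rr_alg) != alg or int(rr_fptype) not in FP_TYPES:
            continue
        if FP_TYPES[int(rr_fptype)](blob).hexdigest() == rr_digest.lower():
            return True
    return False


if __name__ == "__main__":
    key = make_constructed_host_key()
    rrs = sshfp_records("example.net.", key)
    print("\n".join(rrs))
    print("presented key matches SSHFP:", host_key_matches(key, rrs))
```

The record text matches what `ssh-keygen -r example.net` would print for a real key file, so the same functions can be pointed at a live `ssh-keyscan` result and a `dig +dnssec SSHFP` answer.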
