My DNSSEC validator
As readers of this blog might have noticed I started to experiment with DNSSEC a few months ago. DNSSEC is basically a way of adding cryptographic keys and signatures to your DNS data that gives resolvers the ability to cryptographically verify the correctness of your DNS records using a series of cryptographic operations.
DNSSEC protects the DNS system against a certain group of security problems such as the kaminskybug, where an attacker tricks a DNS server to return the wrong data to end users. If an attack against the DNS system is successful that means serious trouble, since we depend on it to work reliably in a vast number of online activities. An attacker that controls the DNS system can trick people to for example supply their account information to their online bank and use that to steal money. Whenever there is the potential for large scale fraud you can pretty much be sure that someone will try to break it, and that is why DNSSEC is important.
So, we need DNSSEC. What's stopping us from using it? A few things, but the most important obstacle in my opinion is that it is a complex set of standards and that it is difficult to understand. There are some presentations and HOWTO documents online that attempts to explain and help people get started, but the learning curve is steep. One thing that I ran into when experimenting with my own zones was that somehow I managed to corrupt the signatures of one zone and I couldn't easily pinpoint what the problem was.
When confronted with this I got the idea to build an online service that tries to answer a simple question. What data was used and what cryptographic operations was performed to actually verify one specific DNS record? The answer to that question can be thought of as a chain of operations and records where one link connects to the other from all the way from the record being verified down to the DLV root key.
I decided to write the service in Python and it was one of the most fun programming projects that I have worked on in years. In a way it was basic research but with a clear application and an end result that I think could be a useful contribution. I even wrote my own RSA signature verification functionality, with a lots of help from Python's excellent large integer support.
The service can be found at http://dnssec.resare.com Feel free to give it a spin. There are no doubt bugs and errors that will be fixed and other modifications that will be made, but the basic functionality is in place.
Thanks to Alex for the beautiful HTML design, to the python dns library dnspython that I use extensively and the airspeed templating library.
Filed under Cryptography, Programming, System administration | Comments (2)Random summer stuff. New jresolver, with DNSSEC support
After a sort of long summer break I'm slowly feeling like it would be fun to blog a bit again. After an intense election campaign for the European Parliament in June, we actually did get a Pirate party representatitive elected, which feels like a milestone for the geeks in politics. Congratulations Christian!
I have spent most of the summer doing work programming but I have also managed to go to Rome with Sångkraft and win a choir competition and update one of my free software projects, the jresolver Java stub resolver.
The new version of jresolver adds some autoconfig abilities as well as some awareness of DNSSEC. Now the resolver can query the recursive nameserver about weather a specific result is cryptographically verified or not. Perhaps not a terribly useful feature, but I think that anything that brings awareness to the effort to get people to use DNSSEC is a good thing. Anyway, the new version, 0.3.1, can be found over at fs.voxbiblia.com. Now, at least everyone that has a .se domain, run over to iis.se and read up on how to sign your zones.
Filed under Programming | Comment (0)