skynetservices / skydns1

DNS for skynet or any other service discovery
MIT License
528 stars 54 forks

DNSSEC support #62

Closed miekg closed 10 years ago

miekg commented 10 years ago

This is in the TODO (because I added it). But I think SkyDNS would benefit (in the long run) from DNSSEC support. It might be too soon to implement it and there are performance penalties, but those can probably be solved with a cache.

As skydns often will hijack a .local domain, the way to implement this is to give all clients access to a public key which they can use to verify the answers from SkyDNS. Together with HTTPS and an authentication key used for http request I think we have a solid and secure implementation.

crosbymichael commented 10 years ago

@miekg I can work on HTTPS if you take the DNSSEC part

miekg commented 10 years ago

Ok. cool. Works for me.

miekg commented 10 years ago

Just thought of something. It would be cool if a client could retrieve the DNSKEY(s) from skydns via HTTPS with the authentication secret already provided. This way we only need one secret at the client side from which they can bootstrap DNSSEC.

bketelsen commented 10 years ago

that makes a lot of sense. I like it.

miekg commented 10 years ago

Are we willing to create another http path for fetching DNSKEY information? Like /security, /security/dnskey or /key or something? Something sane and extensible.

bketelsen commented 10 years ago

yes. routes are cheap.

miekg commented 10 years ago

I still need to add a cache and a http route for the dnskey(*), but this already holds a complete DNSSEC implementation: https://github.com/miekg/skydns/tree/dnssec

Use:

% dnssec-keygen -r /dev/urandom skydns.local.
Generating key pair............++++++ ...................................++++++ 
Kskydns.local.+005+49860
% ./skydns [OPTIONS] -dnssec=Kskydns.local.+005+49860

[*]: what should I return for the DNSKEY in HTTP? Some sort of (non standard) JSON representation or the more standard text format which then clashes a bit with the rest of SkyDNS' responses...?

crosbymichael commented 10 years ago

@miekg I would prefer json for consistency but you can also look at the Accept header in a request to skydns to see if the client accepts json or text.

miekg commented 10 years ago

Ack. I think there are some IETF drafts which have a syntax for putting a DNSKEY in json, I will use that.

Btw: in my dnssec-branch: signing for all supported types works, caching of signatures works. 4 items still TODO:
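
The DNSKEY-over-HTTPS route discussed above (one shared secret bootstraps DNSSEC, JSON by default, zone-file text when the Accept header asks for it) together with the key tag that shows up in the dnssec-keygen file name, as an added Go example that is not SkyDNS code. The route path /security/dnskey, the "Bearer" Authorization header, and the JSON field names are assumptions; the key tag computation follows RFC 4034 Appendix B and uses only the standard library.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// DNSKEY holds one DNSKEY record (RFC 4034, section 2) plus its owner name and TTL.
type DNSKEY struct {
	Name      string // owner name, e.g. "skydns.local."
	TTL       uint32
	Flags     uint16 // 256 = zone key, 257 = zone key with the SEP bit set
	Protocol  uint8  // always 3 for DNSSEC
	Algorithm uint8  // 5 = RSASHA1, the "+005+" in a dnssec-keygen file name
	PublicKey []byte // raw public key bytes (base64 in presentation format)
}

// rdata returns the wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | key.
func (k DNSKEY) rdata() []byte {
	b := []byte{byte(k.Flags >> 8), byte(k.Flags), k.Protocol, k.Algorithm}
	return append(b, k.PublicKey...)
}

// KeyTag implements RFC 4034 Appendix B: the 16-bit tag in the key file name
// (Kskydns.local.+005+49860) and in every RRSIG made with the key, which lets
// a client pick the right DNSKEY for a signature.
func (k DNSKEY) KeyTag() uint16 {
	var ac uint32
	for i, b := range k.rdata() {
		if i&1 == 0 {
			ac += uint32(b) << 8
		} else {
			ac += uint32(b)
		}
	}
	ac += (ac >> 16) & 0xFFFF
	return uint16(ac & 0xFFFF)
}

// Presentation renders the record in zone-file text format.
func (k DNSKEY) Presentation() string {
	return fmt.Sprintf("%s\t%d\tIN\tDNSKEY\t%d %d %d %s", k.Name, k.TTL,
		k.Flags, k.Protocol, k.Algorithm, base64.StdEncoding.EncodeToString(k.PublicKey))
}

// dnskeyJSON is the JSON shape assumed here; it is not taken from any IETF draft.
type dnskeyJSON struct {
	Name      string `json:"name"`
	TTL       uint32 `json:"ttl"`
	Flags     uint16 `json:"flags"`
	Protocol  uint8  `json:"protocol"`
	Algorithm uint8  `json:"algorithm"`
	PublicKey string `json:"publicKey"` // base64, same as the presentation format
	KeyTag    uint16 `json:"keyTag"`
}

// WantsText reports whether an Accept header asks for text/plain but not JSON.
func WantsText(accept string) bool {
	return strings.Contains(accept, "text/plain") && !strings.Contains(accept, "application/json")
}

// RespondDNSKEY builds status, content type and body for the assumed
// /security/dnskey route. The client must present the same shared secret it
// already uses for the HTTP API, so a single secret bootstraps DNSSEC.
func RespondDNSKEY(secret, authHeader, accept string, keys []DNSKEY) (int, string, string) {
	got := strings.TrimPrefix(authHeader, "Bearer ")
	if subtle.ConstantTimeCompare([]byte(got), []byte(secret)) != 1 {
		return http.StatusUnauthorized, "text/plain", "unauthorized\n"
	}
	if WantsText(accept) {
		var sb strings.Builder
		for _, k := range keys {
			sb.WriteString(k.Presentation() + "\n")
		}
		return http.StatusOK, "text/plain", sb.String()
	}
	out := make([]dnskeyJSON, 0, len(keys))
	for _, k := range keys {
		out = append(out, dnskeyJSON{Name: k.Name, TTL: k.TTL, Flags: k.Flags, Protocol: k.Protocol,
			Algorithm: k.Algorithm, PublicKey: base64.StdEncoding.EncodeToString(k.PublicKey), KeyTag: k.KeyTag()})
	}
	body, _ := json.Marshal(out) // cannot fail for these plain field types
	return http.StatusOK, "application/json", string(body)
}

// DNSKEYHandler adapts RespondDNSKEY to net/http.
func DNSKEYHandler(secret string, keys []DNSKEY) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		status, ctype, body := RespondDNSKEY(secret, r.Header.Get("Authorization"), r.Header.Get("Accept"), keys)
		w.Header().Set("Content-Type", ctype)
		w.WriteHeader(status)
		fmt.Fprint(w, body)
	}
}

func main() {
	// Constructed sample key; a real ZSK carries the RSA public key from the .key file.
	k := DNSKEY{Name: "skydns.local.", TTL: 3600, Flags: 256, Protocol: 3, Algorithm: 5, PublicKey: []byte{1, 2, 3}}
	fmt.Println(k.Presentation(), "tag:", k.KeyTag())
	http.Handle("/security/dnskey", DNSKEYHandler("skydns-http-secret", []DNSKEY{k}))
	// http.ListenAndServe(":8080", nil) would serve the route; omitted so the example exits.
}
```

The secret is compared in constant time and JSON wins whenever the client accepts both formats, so existing JSON clients keep a uniform API while a dig-style client can ask for the zone-file form.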

miekg commented 10 years ago

So, I'm nearing completion of this in my dnssec branch. Almost all functionality is contained in one file dnssec.go. The main thing now is testing: a) skydns should not crash b) is this valid from a DNS(SEC) perspective.

Example: starting skydns:

./skydns -dns="127.0.0.1:1053" -nameserver 8.8.8.8:53 -dnssec Kskydns.local.+005+51945

performing a query and looking at the reply:

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 15877
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;production.skydns.local.       IN      TXT

;; AUTHORITY SECTION: 
skydns.local.           3600    IN      SOA     skydns.skydns.local. hostmaster.skydns.local.    1391414400 28800 7200 604800 60
skydns.local.           60      IN      NSEC    skydns.local. A NS SOA AAAA RRSIG NSEC DNSKEY 
skydns.local.           60      IN      RRSIG   SOA 5 2 60 20140210080101 20140203060101   51945 skydns.local. j+PR1xIPKYnYaYgdJMW1o9OgxWxPqWANrDQjNXqBauAPAoo7US+gAHv0   PZFh5ouIRwES6hxEGcVMjwb5YAQ5ChC3kEapBjtXvRwwV4RghAXHSd28  TP52UiMKV4dlbST9JWeRsFLkMXrB7svRMndb2RnNprwzoEq+hkslwOdn goo=
skydns.local.           60      IN      RRSIG   NSEC 5 2 60 20140210080101 20140203060101 51945 skydns.local. VcN1iFzN3YcZZNFmXOHbLcHrxBNVYFCDvA6P5E3SYPuNh6YxXuJjp673 JF6fFnEYgu5mMuxKI6uLSXBbGZ8/f9aExuczWD5l6Yk2IuBL59EInS8S 7ssVt/GKZvWsxyFr8tBQjlS7b/Cv5GPrbJ1di/qU8V0eFqwKM96HWJxR 1xA=
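
What a validating client should check in the NXDOMAIN reply above, as an added Go example that is not SkyDNS code: once the RRSIG over the NSEC verifies, the queried name must lie inside the zone and fall within the NSEC interval in RFC 4034 canonical name order. The zone here has a single name, so the NSEC points from skydns.local. back to itself, which is the wrap-around case. Standard library only; the function names are my own, escaped labels are not handled, and wildcard non-existence proofs are out of scope.

```go
package main

import (
	"fmt"
	"strings"
)

// labels splits a name into its labels, lower-cased, with the root label dropped.
func labels(name string) []string {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	if name == "" {
		return nil
	}
	return strings.Split(name, ".")
}

// CanonicalCompare orders names per RFC 4034 section 6.1: labels are compared
// right to left as octet strings, case-insensitively, and a name that runs out
// of labels first sorts before the other. Returns -1, 0 or +1.
func CanonicalCompare(a, b string) int {
	la, lb := labels(a), labels(b)
	i, j := len(la)-1, len(lb)-1
	for i >= 0 && j >= 0 {
		if c := strings.Compare(la[i], lb[j]); c != 0 {
			return c
		}
		i--
		j--
	}
	switch {
	case i >= 0:
		return 1
	case j >= 0:
		return -1
	}
	return 0
}

// InZone reports whether qname is the apex or lies below it.
func InZone(apex, qname string) bool {
	a, q := strings.ToLower(apex), strings.ToLower(qname)
	return q == a || strings.HasSuffix(q, "."+a)
}

// NSECCovers reports whether the NSEC record owner -> next proves that qname
// does not exist: qname must fall strictly between owner and next in canonical
// order. The last NSEC of a zone points back to the apex, so owner >= next
// means the interval wraps; owner == next is the single-name zone in the
// SkyDNS reply, where every other name under the apex is covered.
func NSECCovers(owner, next, qname string) bool {
	if CanonicalCompare(qname, owner) == 0 {
		return false // the name exists; the NSEC type bitmap would answer a NODATA case instead
	}
	if CanonicalCompare(owner, next) < 0 {
		return CanonicalCompare(owner, qname) < 0 && CanonicalCompare(qname, next) < 0
	}
	return CanonicalCompare(owner, qname) < 0 || CanonicalCompare(qname, next) < 0
}

// DeniesName is the check run on an NXDOMAIN reply after the RRSIG over the
// NSEC has been verified: the query must be inside the zone and covered by
// the NSEC interval.
func DeniesName(apex, owner, next, qname string) bool {
	return InZone(apex, qname) && NSECCovers(owner, next, qname)
}

func main() {
	// Values taken from the dig output in the thread: apex, NSEC owner, NSEC next, queried name.
	fmt.Println(DeniesName("skydns.local.", "skydns.local.", "skydns.local.", "production.skydns.local."))
	fmt.Println(DeniesName("skydns.local.", "skydns.local.", "skydns.local.", "skydns.local."))
}
```

Getting the canonical order right matters more than it looks: a comparator that sorts plain strings would accept or reject the wrong names at the wrap-around, which is exactly where this reply sits.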

miekg commented 10 years ago

Started on the testing. Now would be a good time to crash skydns with this enabled.

crosbymichael commented 10 years ago

This can be closed now