DNSSEC has been deployed on gnome.org

From: Andrea Veri <av gnome org>
To: infrastructure-announce gnome org, Foundation List <foundation-list gnome org>, desktop-devel-list <desktop-devel-list gnome org>
Subject: DNSSEC has been deployed on gnome.org
Date: Tue, 12 Nov 2013 11:21:30 +0100

Hi,

the GNOME Sysadmin team worked hard recently to set up DNSSEC on the gnome.org's DNS tree and we can finally say that both our major domains (gnome.org, guadec.org) are currently being covered by DNSSEC successfully.

This actually means that you will be able to verify that the resources you are viewing are really coming from the GNOME servers and not from any other server in the middle between you and the GNOME servers themselves. (MITM attack)

How can you verify you are really connecting to {git, master, webapps2}.gnome.org? (with webapps2.gnome.org being the host you should be connecting to for updating your people.gnome.org's webspace)

ssh -oVerifyHostKeyDNS=yes -v git.gnome.org

Or directly add the above parameter into your /etc/ssh/ssh_config file this way:

VerifyHostKeyDNS=yes

And run 'ssh -v git.gnome.org', the result you should receive: (the same procedure can be repeated with the other domains outlined above)

debug1: Server host key: RSA 00:39:fd:1a:a4:2c:6b:28:b8:2e:95:31:c2:90:72:03

debug1: found 1 secure fingerprints in DNS

debug1: matching host key fingerprint found in DNS

debug1: ssh_rsa_verify: signature correct

If you instead want to verify if gnome.org or guadec.org are being correctly verified by your DNS resolver, use dig this way:

dig . DNSKEY | grep -Ev '^($|;)' > root.keys

dig +sigchase +trusted-key=./root.keys gnome.org. A | cat -n

The result you should see:

105 ;; WE HAVE MATERIAL, WE NOW DO VALIDATION
106 ;; VERIFYING DS RRset for org. with DNSKEY:59085: success
107 ;; OK We found DNSKEY (or more) to validate the RRset
108 ;; Ok, find a Trusted Key in the DNSKEY RRset: 59085
109 ;; Ok, find a Trusted Key in the DNSKEY RRset: 19036
110 ;; VERIFYING DNSKEY RRset for . with DNSKEY:19036: success
111
112 ;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS

We'll be working to move more domains over to DNSSEC in the near future.

Have an awesome day everyone!

--
Cheers,

Andrea

Debian Developer,
Fedora / EPEL packager,
GNOME Sysadmin,
GNOME Foundation Membership & Elections Committee Chairman

Homepage: http://www.gnome.org/~av

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]