Fwd: DNSSEC has been deployed on gnome.org



Prezados,

Para seu conhecimento, agora temos mais segurança no acesso os sites *.gnome.org e *.guadec.org

Obs.: MITM = Man In The Middle

Atenciosamente,
Rafael Ferreira

---------- Forwarded message ----------
From: Andrea Veri <av gnome org>
Date: 2013/11/12
Subject: DNSSEC has been deployed on gnome.org
To: infrastructure-announce gnome org, Foundation List <foundation-list gnome org>, desktop-devel-list <desktop-devel-list gnome org>


Hi,

the GNOME Sysadmin team worked hard recently to set up DNSSEC on the gnome.org's DNS tree and we can finally say that both our major domains (gnome.org, guadec.org) are currently being covered by DNSSEC successfully. 

This actually means that you will be able to verify that the resources you are viewing are really coming from the GNOME servers and not from any other server in the middle between you and the GNOME servers themselves. (MITM attack)

How can you verify you are really connecting to {git, master, webapps2}.gnome.org? (with webapps2.gnome.org being the host you should be connecting to for updating your people.gnome.org's webspace)

ssh -oVerifyHostKeyDNS=yes -v git.gnome.org

Or directly add the above parameter into your /etc/ssh/ssh_config file this way:

VerifyHostKeyDNS=yes

And run 'ssh -v git.gnome.org', the result you should receive: (the same procedure can be repeated with the other domains outlined above)

debug1: Server host key: RSA 00:39:fd:1a:a4:2c:6b:28:b8:2e:95:31:c2:90:72:03
debug1: found 1 secure fingerprints in DNS
debug1: matching host key fingerprint found in DNS
debug1: ssh_rsa_verify: signature correct

If you instead want to verify if gnome.org or guadec.org are being correctly verified by your DNS resolver, use dig this way:

dig . DNSKEY | grep -Ev '^($|;)' > root.keys

dig +sigchase +trusted-key=./root.keys gnome.org. A | cat -n

The result you should see:

   105 ;; WE HAVE MATERIAL, WE NOW DO VALIDATION
   106 ;; VERIFYING DS RRset for org. with DNSKEY:59085: success
   107 ;; OK We found DNSKEY (or more) to validate the RRset
   108 ;; Ok, find a Trusted Key in the DNSKEY RRset: 59085
   109 ;; Ok, find a Trusted Key in the DNSKEY RRset: 19036
   110 ;; VERIFYING DNSKEY RRset for . with DNSKEY:19036: success
   111
   112 ;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS

We'll be working to move more domains over to DNSSEC in the near future. 

Have an awesome day everyone!

--
Cheers,

Andrea

Debian Developer,
Fedora / EPEL packager,
GNOME Sysadmin,
GNOME Foundation Membership & Elections Committee Chairman

Homepage: http://www.gnome.org/~av

_______________________________________________
infrastructure-announce mailing list
infrastructure-announce gnome org
https://mail.gnome.org/mailman/listinfo/infrastructure-announce




[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]