Hi,
the GNOME Sysadmin team worked hard recently to set up DNSSEC on the gnome.org DNS tree, and we can finally say that both our major domains (gnome.org, guadec.org) are currently covered by DNSSEC successfully.
This actually means that you will be able to verify that the resources you are viewing are really coming from the GNOME servers and not from any other server sitting in the middle between you and the GNOME servers themselves (a MITM attack). For example, you can have ssh check the host key of git.gnome.org against the SSHFP records we publish in DNS:

ssh -oVerifyHostKeyDNS=yes -v git.gnome.org
Or directly add the above parameter into your /etc/ssh/ssh_config file this way:

VerifyHostKeyDNS=yes

and then run 'ssh -v git.gnome.org'. The result you should receive (the same procedure can be repeated with the other domains outlined above):
debug1: Server host key: RSA 00:39:fd:1a:a4:2c:6b:28:b8:2e:95:31:c2:90:72:03
debug1: found 1 secure fingerprints in DNS
debug1: matching host key fingerprint found in DNS
debug1: ssh_rsa_verify: signature correct
If you instead want to check whether gnome.org or guadec.org are being correctly validated by your DNS resolver, use dig this way:

dig . DNSKEY | grep -Ev '^($|;)' > root.keys
dig +sigchase +trusted-key=./root.keys gnome.org. A | cat -n
The result you should see:
105 ;; WE HAVE MATERIAL, WE NOW DO VALIDATION
106 ;; VERIFYING DS RRset for org. with DNSKEY:59085: success
107 ;; OK We found DNSKEY (or more) to validate the RRset
108 ;; Ok, find a Trusted Key in the DNSKEY RRset: 59085
109 ;; Ok, find a Trusted Key in the DNSKEY RRset: 19036
110 ;; VERIFYING DNSKEY RRset for . with DNSKEY:19036: success
111
112 ;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS
We'll be working to move more domains over to DNSSEC in the near future.
Have an awesome day everyone!
--
Cheers,
Andrea
Debian Developer,
Fedora / EPEL packager,
GNOME Sysadmin,
GNOME Foundation Membership & Elections Committee Chairman
Homepage: http://www.gnome.org/~av