Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

NSS module for DNSSEC validated hostname lookups

branch: master

Fetching latest commit…

Octocat-spinner-32-eaf2f5

Cannot retrieve the latest commit at this time

Octocat-spinner-32 .gitignore
Octocat-spinner-32 Makefile
Octocat-spinner-32 README
Octocat-spinner-32 arpa.c
Octocat-spinner-32 domain_to_str.c
Octocat-spinner-32 libunbound.conf
Octocat-spinner-32 lookup.c
Octocat-spinner-32 nss-ubdns.c
Octocat-spinner-32 nss-ubdns.h
Octocat-spinner-32 nss_ubdns.map
README
    nss-ubdns - NSS module for DNSSEC validated hostname lookups

The nss-ubdns module for the glibc NSS (Name Service Switch) interface returns
DNSSEC validated lookups to the NSS "hosts" database.  It is a replacement for
the standard libresolv based "dns" module that uses the libunbound library for
caching and validation.

INSTALLATION
============

nss-ubdns requires libunbound and the libunbound development headers to build.

Run "make && make install", which will build the plugin and install it to
/usr/lib. Reset the "NSSDIR" Makefile variable if /usr/lib is not the correct
path for NSS plugins on your platform.

CONFIGURATION
=============

nss-ubdns reads the list of nameservers from the standard resolver
configuration file, /etc/resolv.conf. Only "nameserver" lines are used, any
other settings are ignored.

The file /etc/nss-ubdns/libunbound.conf, if it exists, will be used to
configure the libunbound library. See the unbound.conf(5) man page for more
details. A sample libunbound.conf file that minimizes the resources consumed
by the resolver is included with nss-ubdns.

Trust anchors are configured by creating files in the /etc/nss-ubdns/keys
directory. Only files ending in ".key" will be processed. If the unbound
server is in use, any files that are in use as auto-trust-anchor-files can be
symlinked into this directory.

To configure the Name Service Switch to use nss-ubdns instead of the glibc dns
plugin, edit the /etc/nsswitch.conf file and change "dns" to "ubdns" for the
hosts database (the line beginning with "hosts:").

Note that installing nss-ubdns will cause your host to generate additional DNS
queries. You may want to install a local DNS cache to reduce the upstream
impact of this additional load.

TESTING
=======

The "getent hosts", "getent ahostsv4", and "getent ahostsv6" commands can be
used to test nss-ubdns.

In the following examples, "google.com" is an unsigned zone, "debian.org" is a
signed and validatable zone, and "dnssec-failed.org" is a signed but
unvalidatable zone.

    $ getent hosts www.google.com; echo $?
    74.125.157.147  www.google.com
    74.125.157.99   www.google.com
    74.125.157.104  www.google.com
    0

    $ getent hosts www.debian.org; echo $?
    2607:f8f0:610:4000:211:25ff:fec4:5b28 www.debian.org
    0

    $ getent hosts www.dnssec-failed.org; echo $?
    2

BUGS
====

* Aliases are not handled correctly.

nss-ubdns returns something like this when the qname is an alias:

    $ getent hosts www.google.com
    74.125.45.147   www.google.com
    74.125.45.104   www.google.com
    74.125.45.99    www.google.com
    74.125.45.105   www.google.com
    74.125.45.106   www.google.com
    74.125.45.103   www.google.com

while nss-dns returns something like this:

    $ getent hosts www.google.com
    74.125.45.147   www.l.google.com www.google.com
    74.125.45.104   www.l.google.com www.google.com
    74.125.45.99    www.l.google.com www.google.com
    74.125.45.105   www.l.google.com www.google.com
    74.125.45.106   www.l.google.com www.google.com
    74.125.45.103   www.l.google.com www.google.com

* Long-running processes will not pick up changes to /etc/nss-ubdns and
/etc/resolv.conf. (Though unpatched glibc has the same problem, see
http://www.eglibc.org/archives/patches/msg00772.html.) This is a limitation of
the libunbound resolver API, which cannot be reconfigured after the first
resolution has been performed.
Something went wrong with that request. Please try again.