Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
Fetching latest commit…
Cannot retrieve the latest commit at this time.
|Failed to load latest commit information.|
nss-ubdns - NSS module for DNSSEC validated hostname lookups The nss-ubdns module for the glibc NSS (Name Service Switch) interface returns DNSSEC validated lookups to the NSS "hosts" database. It is a replacement for the standard libresolv based "dns" module that uses the libunbound library for caching and validation. INSTALLATION ============ nss-ubdns requires libunbound and the libunbound development headers to build. Run "make && make install", which will build the plugin and install it to /usr/lib. Reset the "NSSDIR" Makefile variable if /usr/lib is not the correct path for NSS plugins on your platform. CONFIGURATION ============= nss-ubdns reads the list of nameservers from the standard resolver configuration file, /etc/resolv.conf. Only "nameserver" lines are used, any other settings are ignored. The file /etc/nss-ubdns/libunbound.conf, if it exists, will be used to configure the libunbound library. See the unbound.conf(5) man page for more details. A sample libunbound.conf file that minimizes the resources consumed by the resolver is included with nss-ubdns. Trust anchors are configured by creating files in the /etc/nss-ubdns/keys directory. Only files ending in ".key" will be processed. If the unbound server is in use, any files that are in use as auto-trust-anchor-files can be symlinked into this directory. To configure the Name Service Switch to use nss-ubdns instead of the glibc dns plugin, edit the /etc/nsswitch.conf file and change "dns" to "ubdns" for the hosts database (the line beginning with "hosts:"). Note that installing nss-ubdns will cause your host to generate additional DNS queries. You may want to install a local DNS cache to reduce the upstream impact of this additional load. TESTING ======= The "getent hosts", "getent ahostsv4", and "getent ahostsv6" commands can be used to test nss-ubdns. In the following examples, "google.com" is an unsigned zone, "debian.org" is a signed and validatable zone, and "dnssec-failed.org" is a signed but unvalidatable zone. $ getent hosts www.google.com; echo $? 22.214.171.124 www.google.com 126.96.36.199 www.google.com 188.8.131.52 www.google.com 0 $ getent hosts www.debian.org; echo $? 2607:f8f0:610:4000:211:25ff:fec4:5b28 www.debian.org 0 $ getent hosts www.dnssec-failed.org; echo $? 2 BUGS ==== * Aliases are not handled correctly. nss-ubdns returns something like this when the qname is an alias: $ getent hosts www.google.com 184.108.40.206 www.google.com 220.127.116.11 www.google.com 18.104.22.168 www.google.com 22.214.171.124 www.google.com 126.96.36.199 www.google.com 188.8.131.52 www.google.com while nss-dns returns something like this: $ getent hosts www.google.com 184.108.40.206 www.l.google.com www.google.com 220.127.116.11 www.l.google.com www.google.com 18.104.22.168 www.l.google.com www.google.com 22.214.171.124 www.l.google.com www.google.com 126.96.36.199 www.l.google.com www.google.com 188.8.131.52 www.l.google.com www.google.com * Long-running processes will not pick up changes to /etc/nss-ubdns and /etc/resolv.conf. (Though unpatched glibc has the same problem, see http://www.eglibc.org/archives/patches/msg00772.html.) This is a limitation of the libunbound resolver API, which cannot be reconfigured after the first resolution has been performed.