NSS module for DNSSEC validated hostname lookups
Fetching latest commit…
Cannot retrieve the latest commit at this time
nss-ubdns - NSS module for DNSSEC validated hostname lookups The nss-ubdns module for the glibc NSS (Name Service Switch) interface returns DNSSEC validated lookups to the NSS "hosts" database. It is a replacement for the standard libresolv based "dns" module that uses the libunbound library for caching and validation. INSTALLATION ============ nss-ubdns requires libunbound and the libunbound development headers to build. Run "make && make install", which will build the plugin and install it to /usr/lib. Reset the "NSSDIR" Makefile variable if /usr/lib is not the correct path for NSS plugins on your platform. CONFIGURATION ============= nss-ubdns reads the list of nameservers from the standard resolver configuration file, /etc/resolv.conf. Only "nameserver" lines are used, any other settings are ignored. The file /etc/nss-ubdns/libunbound.conf, if it exists, will be used to configure the libunbound library. See the unbound.conf(5) man page for more details. A sample libunbound.conf file that minimizes the resources consumed by the resolver is included with nss-ubdns. Trust anchors are configured by creating files in the /etc/nss-ubdns/keys directory. Only files ending in ".key" will be processed. If the unbound server is in use, any files that are in use as auto-trust-anchor-files can be symlinked into this directory. To configure the Name Service Switch to use nss-ubdns instead of the glibc dns plugin, edit the /etc/nsswitch.conf file and change "dns" to "ubdns" for the hosts database (the line beginning with "hosts:"). Note that installing nss-ubdns will cause your host to generate additional DNS queries. You may want to install a local DNS cache to reduce the upstream impact of this additional load. TESTING ======= The "getent hosts", "getent ahostsv4", and "getent ahostsv6" commands can be used to test nss-ubdns. In the following examples, "google.com" is an unsigned zone, "debian.org" is a signed and validatable zone, and "dnssec-failed.org" is a signed but unvalidatable zone. $ getent hosts www.google.com; echo $? 220.127.116.11 www.google.com 18.104.22.168 www.google.com 22.214.171.124 www.google.com 0 $ getent hosts www.debian.org; echo $? 2607:f8f0:610:4000:211:25ff:fec4:5b28 www.debian.org 0 $ getent hosts www.dnssec-failed.org; echo $? 2 BUGS ==== * Aliases are not handled correctly. nss-ubdns returns something like this when the qname is an alias: $ getent hosts www.google.com 126.96.36.199 www.google.com 188.8.131.52 www.google.com 184.108.40.206 www.google.com 220.127.116.11 www.google.com 18.104.22.168 www.google.com 22.214.171.124 www.google.com while nss-dns returns something like this: $ getent hosts www.google.com 126.96.36.199 www.l.google.com www.google.com 188.8.131.52 www.l.google.com www.google.com 184.108.40.206 www.l.google.com www.google.com 220.127.116.11 www.l.google.com www.google.com 18.104.22.168 www.l.google.com www.google.com 22.214.171.124 www.l.google.com www.google.com * Long-running processes will not pick up changes to /etc/nss-ubdns and /etc/resolv.conf. (Though unpatched glibc has the same problem, see http://www.eglibc.org/archives/patches/msg00772.html.) This is a limitation of the libunbound resolver API, which cannot be reconfigured after the first resolution has been performed.