edmonds/nss-ubdns
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
nss-ubdns - NSS module for DNSSEC validated hostname lookups
The nss-ubdns module for the glibc NSS (Name Service Switch) interface returns
DNSSEC validated lookups to the NSS "hosts" database. It is a replacement for
the standard libresolv based "dns" module that uses the libunbound library for
caching and validation.
INSTALLATION
============
nss-ubdns requires libunbound and the libunbound development headers to build.
Run "make && make install", which will build the plugin and install it to
/usr/lib. Reset the "NSSDIR" Makefile variable if /usr/lib is not the correct
path for NSS plugins on your platform.
CONFIGURATION
=============
nss-ubdns reads the list of nameservers from the standard resolver
configuration file, /etc/resolv.conf. Only "nameserver" lines are used, any
other settings are ignored.
The file /etc/nss-ubdns/libunbound.conf, if it exists, will be used to
configure the libunbound library. See the unbound.conf(5) man page for more
details. A sample libunbound.conf file that minimizes the resources consumed
by the resolver is included with nss-ubdns.
Trust anchors are configured by creating files in the /etc/nss-ubdns/keys
directory. Only files ending in ".key" will be processed. If the unbound
server is in use, any files that are in use as auto-trust-anchor-files can be
symlinked into this directory.
To configure the Name Service Switch to use nss-ubdns instead of the glibc dns
plugin, edit the /etc/nsswitch.conf file and change "dns" to "ubdns" for the
hosts database (the line beginning with "hosts:").
Note that installing nss-ubdns will cause your host to generate additional DNS
queries. You may want to install a local DNS cache to reduce the upstream
impact of this additional load.
TESTING
=======
The "getent hosts", "getent ahostsv4", and "getent ahostsv6" commands can be
used to test nss-ubdns.
In the following examples, "google.com" is an unsigned zone, "debian.org" is a
signed and validatable zone, and "dnssec-failed.org" is a signed but
unvalidatable zone.
$ getent hosts www.google.com; echo $?
74.125.157.147 www.google.com
74.125.157.99 www.google.com
74.125.157.104 www.google.com
0
$ getent hosts www.debian.org; echo $?
2607:f8f0:610:4000:211:25ff:fec4:5b28 www.debian.org
0
$ getent hosts www.dnssec-failed.org; echo $?
2
BUGS
====
* Aliases are not handled correctly.
nss-ubdns returns something like this when the qname is an alias:
$ getent hosts www.google.com
74.125.45.147 www.google.com
74.125.45.104 www.google.com
74.125.45.99 www.google.com
74.125.45.105 www.google.com
74.125.45.106 www.google.com
74.125.45.103 www.google.com
while nss-dns returns something like this:
$ getent hosts www.google.com
74.125.45.147 www.l.google.com www.google.com
74.125.45.104 www.l.google.com www.google.com
74.125.45.99 www.l.google.com www.google.com
74.125.45.105 www.l.google.com www.google.com
74.125.45.106 www.l.google.com www.google.com
74.125.45.103 www.l.google.com www.google.com
* Long-running processes will not pick up changes to /etc/nss-ubdns and
/etc/resolv.conf. (Though unpatched glibc has the same problem, see
http://www.eglibc.org/archives/patches/msg00772.html.) This is a limitation of
the libunbound resolver API, which cannot be reconfigured after the first
resolution has been performed.
About
NSS module for DNSSEC validated hostname lookups
Resources
Stars
Watchers
Forks
Packages 0
No packages published