Skip to content

edmonds/nss-ubdns

Repository files navigation

    nss-ubdns - NSS module for DNSSEC validated hostname lookups

The nss-ubdns module for the glibc NSS (Name Service Switch) interface returns
DNSSEC validated lookups to the NSS "hosts" database.  It is a replacement for
the standard libresolv based "dns" module that uses the libunbound library for
caching and validation.

INSTALLATION
============

nss-ubdns requires libunbound and the libunbound development headers to build.

Run "make && make install", which will build the plugin and install it to
/usr/lib. Reset the "NSSDIR" Makefile variable if /usr/lib is not the correct
path for NSS plugins on your platform.

CONFIGURATION
=============

nss-ubdns reads the list of nameservers from the standard resolver
configuration file, /etc/resolv.conf. Only "nameserver" lines are used, any
other settings are ignored.

The file /etc/nss-ubdns/libunbound.conf, if it exists, will be used to
configure the libunbound library. See the unbound.conf(5) man page for more
details. A sample libunbound.conf file that minimizes the resources consumed
by the resolver is included with nss-ubdns.

Trust anchors are configured by creating files in the /etc/nss-ubdns/keys
directory. Only files ending in ".key" will be processed. If the unbound
server is in use, any files that are in use as auto-trust-anchor-files can be
symlinked into this directory.

To configure the Name Service Switch to use nss-ubdns instead of the glibc dns
plugin, edit the /etc/nsswitch.conf file and change "dns" to "ubdns" for the
hosts database (the line beginning with "hosts:").

Note that installing nss-ubdns will cause your host to generate additional DNS
queries. You may want to install a local DNS cache to reduce the upstream
impact of this additional load.

TESTING
=======

The "getent hosts", "getent ahostsv4", and "getent ahostsv6" commands can be
used to test nss-ubdns.

In the following examples, "google.com" is an unsigned zone, "debian.org" is a
signed and validatable zone, and "dnssec-failed.org" is a signed but
unvalidatable zone.

    $ getent hosts www.google.com; echo $?
    74.125.157.147  www.google.com
    74.125.157.99   www.google.com
    74.125.157.104  www.google.com
    0

    $ getent hosts www.debian.org; echo $?
    2607:f8f0:610:4000:211:25ff:fec4:5b28 www.debian.org
    0

    $ getent hosts www.dnssec-failed.org; echo $?
    2

BUGS
====

* Aliases are not handled correctly.

nss-ubdns returns something like this when the qname is an alias:

    $ getent hosts www.google.com
    74.125.45.147   www.google.com
    74.125.45.104   www.google.com
    74.125.45.99    www.google.com
    74.125.45.105   www.google.com
    74.125.45.106   www.google.com
    74.125.45.103   www.google.com

while nss-dns returns something like this:

    $ getent hosts www.google.com
    74.125.45.147   www.l.google.com www.google.com
    74.125.45.104   www.l.google.com www.google.com
    74.125.45.99    www.l.google.com www.google.com
    74.125.45.105   www.l.google.com www.google.com
    74.125.45.106   www.l.google.com www.google.com
    74.125.45.103   www.l.google.com www.google.com

* Long-running processes will not pick up changes to /etc/nss-ubdns and
/etc/resolv.conf. (Though unpatched glibc has the same problem, see
http://www.eglibc.org/archives/patches/msg00772.html.) This is a limitation of
the libunbound resolver API, which cannot be reconfigured after the first
resolution has been performed.

About

NSS module for DNSSEC validated hostname lookups

Resources

Stars

Watchers

Forks

Packages

No packages published

Languages