Add support for DNSSEC #7
Comments
This was now suggested for GSoC. I'll give access to this repo and maven in that case. Or move it over to an org if wanted.
GSoC students are announced, any updates on this?
OK, I just read through most of the DNSSEC RFCs... DNSSEC comes with quite some resource records. I'd guess they would be nice to have in the core, as they might be received by any client (DS, NSEC, DNSKEY, RRSIG, ...). BTW: does anyone know how well UDP and UDP fragmentation are supported by e.g. Android? What should be a safe UDP payload size? What do other clients use? There is this huge part of what-should-we-do for a real client. My thinking is that this will be huge. Ideally it would support up to an RFC 4033 "Validating Security-Aware Stub Resolver", right?
This sounds like a rather huge block that just some users will need. It's also required to allow configuration of at least one key (https://tools.ietf.org/html/rfc4035#section-4.4), which means it might not work out-of-the-box anyway. I'm wondering what to do about obsolete crypto. Should this be regarded as "bad" data? Or cause a warning? What if the status quo moves differently than the RFCs? RFC 6944 lists some NIST ECC curves as recommended, although many people expressed their distrust of those curves (including technical summaries like http://safecurves.cr.yp.to/).
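The "configuration of at least one key" mentioned above is the trust anchor a validating stub resolver starts from: it must decide whether a DNSKEY it fetched is the key a configured (or parent-zone) DS record vouches for. This added example, written in Python rather than minidns's Java and not code from the project, shows that check: the key tag from RFC 4034 Appendix B and the DS digest from RFC 4034 section 5.1.4 over a constructed, labelled sample key.

```python
import hashlib
import hmac
import struct

# Constructed sample DNSKEY RDATA (not a real zone key): flags 257 (KSK),
# protocol 3, algorithm 13 (ECDSAP256SHA256), 64-byte public key 0x00..0x3f.
SAMPLE_DNSKEY_RDATA = struct.pack("!HBB", 257, 3, 13) + bytes(range(64))


def key_tag(rdata: bytes) -> int:
    """Key tag over the full DNSKEY RDATA, RFC 4034 Appendix B
    (valid for every algorithm except the obsolete RSA/MD5, algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire format: lowercase, uncompressed labels,
    terminated by the root label. "." yields b"\\x00"."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest = hash(canonical owner name | DNSKEY RDATA), RFC 4034 5.1.4.
    Digest type 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509)."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(canonical_name(owner) + rdata).digest()


def dnskey_matches_ds(owner: str, rdata: bytes, ds: tuple) -> bool:
    """Decide whether a DNSKEY is the one a DS (key_tag, algorithm,
    digest_type, digest) vouches for: the comparison a validator makes at a
    trust anchor or at a zone cut before trusting the key's signatures."""
    tag, algorithm, digest_type, digest = ds
    if rdata[3] != algorithm or key_tag(rdata) != tag:
        return False
    # Constant-time comparison of the digests.
    return hmac.compare_digest(ds_digest(owner, rdata, digest_type), digest)
```

A mismatch on any of the three fields means the fetched key is not the anchored one and nothing signed with it may be treated as validated.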
So, no GSoC student? Yes, a validating security-aware stub resolver is exactly what we should be going for here. This will probably require support for TCP queries, too. Reading the (relevant parts of the) dnsjava code will likely answer many of the other questions. I wouldn't worry too much about which curves to support; all of that should obviously be handled by a library.
@Valodim there is. @mar-v-in is happily adding records and features, see https://github.com/mar-v-in/minidns
Squashed commit of the following (all authored by mar-v-in <github@rvin.mooo.com>):

commit 8bd3eb5 (Thu Oct 1 12:05:50 2015 +0200): Missing JavaDoc information on public methods
commit 803a549 (Thu Oct 1 11:53:15 2015 +0200): Use JUnit Asserts for integration tests
commit e6258e0 (Thu Sep 24 22:05:58 2015 +0200): Add integration test based on cloudflare (ECDSA)
commit afc102a (Thu Sep 24 22:05:05 2015 +0200): Make sure to correctly react on unsuccessful read()
commit ae55052 (Thu Sep 24 22:04:04 2015 +0200): Fix test names for consistency
commit 1e425f1 (Thu Sep 24 22:03:01 2015 +0200): Add more tests for SignatureVerifiers
commit 5692d84 (Wed Sep 23 23:12:14 2015 +0200): Better logging output in integration tests
commit 174c1af (Wed Sep 23 22:53:29 2015 +0200): Add initial integration test
commit 764d40d (Wed Sep 23 22:53:14 2015 +0200): Small fixes
commit 3c48f0d (Sun Aug 30 18:16:53 2015 +0200): Provide meaningful information on why the result is unverified
commit 1ad941e (Sun Aug 30 12:47:51 2015 +0200): Use detailed exceptions
commit 6cc83b0 (Sun Aug 30 12:47:16 2015 +0200): .AlgorithmTest -> .algorithms.DigestTest
commit a9e7dbf (Thu Aug 27 21:43:36 2015 +0200): Add support for ECDSA and GOST signatures
commit 9681106 (Thu Aug 27 09:57:25 2015 +0200): Correctly use yyyy instead of YYYY for year
commit 4875a07 (Fri Aug 21 15:25:18 2015 +0200): Small fixes, a lot of tests
commit 797ba2e (Wed Aug 19 17:51:26 2015 +0200): Fix jacoco, add more tests, fix query bit for outgoing DNSMessage instances (usually never touched by the user)
commit 7177bcc (Wed Aug 19 02:40:52 2015 +0200): Add easy verification routines for HttpsURLConnection
commit e5fbddc (Wed Aug 19 01:20:28 2015 +0200): Store delegations during recurse
commit 8dda3dc (Wed Aug 19 01:16:41 2015 +0200): Add support for DLV
commit 4d01028 (Wed Aug 19 00:44:31 2015 +0200): Fix LRUCache
commit 4b6708b (Sat Aug 15 18:19:24 2015 +0200): Proposed fixes, minidns-dane-java7
commit eba5e49 (Fri Aug 14 13:17:40 2015 +0200): Fix copy'n'paste typo
commit fa6edf1 (Fri Aug 14 11:44:18 2015 +0200): Add DaneVerifier
commit e7202cb (Fri Aug 14 11:43:35 2015 +0200): Log if algorithm is not supported by platform
commit 6993bf6 (Wed Aug 5 16:43:36 2015 +0200): Rename toPrintableString() to asTerminalOutput() and add JavaDoc
commit e54544e (Wed Aug 5 15:02:30 2015 +0200): Add JavaDocs to public APIs, hide components not necessary for usage
commit 05f80cb (Wed Aug 5 14:40:32 2015 +0200): Handle RRSIGs out of date
commit 3877a2f (Wed Aug 5 12:06:01 2015 +0200): Fix codestyle
commit 7f26420 (Wed Aug 5 12:00:35 2015 +0200): Various fixes
commit fe61f0d (Wed Aug 5 11:56:04 2015 +0200): Add DSA and alias algorithm numbers
commit 0d940e1 (Wed Jul 29 16:24:46 2015 +0200): Add more negative tests
commit efccbcc (Wed Jul 29 16:23:01 2015 +0200): Make toString() failsafe against null values in object
commit 1f77149 (Tue Jul 28 23:58:03 2015 +0200): Add first basic DNSSEC tests
commit edb30ad (Tue Jul 28 23:57:51 2015 +0200): Add DNSSEC testing environment (including key generation)
commit 6a4bce3 (Tue Jul 28 23:57:03 2015 +0200): Various fixes in DNSSECClient
commit fea936b (Tue Jul 28 23:55:45 2015 +0200): DNSWorld: Allow more types, add support for multi record results and attached signatures
commit d8c01ea (Tue Jul 28 23:54:33 2015 +0200): Fix exception and toString() representation
commit 8420877 (Tue Jul 28 23:53:45 2015 +0200): DNSMessage: create printable string with toPrintableString(), use different representation in toString(), add possibility to create Message with updated records.
commit fe73054 (Tue Jul 28 23:52:13 2015 +0200): Make RR constructor public, add DNSSEC IANA registered constants
commit cb2dc81 (Tue Jul 28 00:43:07 2015 +0200): Use subpackage for recursive resolver
commit a693a14 (Tue Jul 28 00:42:20 2015 +0200): Use own dnssec package, add dnssec exceptions
commit b8cb23e (Tue Jul 28 00:38:03 2015 +0200): Fix exception usage in DNSWorld
commit 7c0518d (Tue Jul 28 00:37:22 2015 +0200): Add missing record tests
commit ea48a2d (Tue Jul 28 00:36:29 2015 +0200): Add parsing test case for NSEC3
commit d416fa9 (Tue Jul 28 00:33:57 2015 +0200): Use RuntimeException to encapsulate impossible IOException, add missing constructors for record payload, fix NSEC3PARAM string representation (hex instead of Base32)
commit a9580f7 (Tue Jul 28 00:27:40 2015 +0200): Ensure Base32/64 will not get instantiated
commit 96877a4 (Wed Jul 22 17:15:48 2015 +0200): Add OPENPGPKEY record
commit dfa35be (Wed Jul 22 15:40:52 2015 +0200): Add TLSA record support
commit 4b6dbd9 (Thu Jul 16 15:45:06 2015 +0200): Add NSEC3 support, extract AlgorithmMap into dedicated class, add some not security related test routines
commit 524572b (Thu Jul 16 15:32:27 2015 +0200): Add constructor for AAAA records and tests
commit 7fe8bc3 (Thu Jul 16 15:11:15 2015 +0200): Minimal test set for minimal base32/64
commit b05ff28 (Thu Jul 16 15:00:12 2015 +0200): Add minimal Base32/64 encoder
commit 4ebb091 (Thu Jul 16 14:59:17 2015 +0200): Correctly display NSEC3 salt
commit 6b0cd6a (Wed Jul 1 02:54:12 2015 +0200): Various fixes and basic NSEC support
commit f756314 (Wed Jul 1 02:50:55 2015 +0200): Implement toByteArray() in NSEC(3) RRs
commit db2a6d8 (Wed Jul 1 02:49:37 2015 +0200): Fix TCP on slow connections.
commit 6060161 (Mon Jun 22 00:47:51 2015 +0200): Add basic verification support
commit 0d7626e (Sat Jun 20 22:47:29 2015 +0200): Catch unassociated labels count
commit 4a817f4 (Sat Jun 20 13:01:54 2015 +0200): Add first DNSSECClient version without cryptographic verification
commit 94de555 (Mon Jun 22 03:08:59 2015 +0200): Add tests for toByteArray() of records
commit 6f863bf (Mon Jun 22 00:48:13 2015 +0200): Add missing toByteArray() in RDATA
commit a516cd4 (Sat Jun 20 22:48:17 2015 +0200): Prefer glued NS records to reduce number of requests
commit a908901 (Sat Jun 20 15:24:33 2015 +0200): Make output more RFC compliant
commit 7ca1b2a (Sat Jun 20 15:15:02 2015 +0200): Add tests for DNSSEC records
commit ba2f4d7 (Sat Jun 20 15:14:38 2015 +0200): Add missing method to read EDNS flags from OPT record
commit 583a55d (Sat Jun 20 13:48:33 2015 +0200): Add dummy test to ensure jacoco is running
commit c28ec1f (Fri Jun 19 14:52:35 2015 +0200): Cache all authoritative answers in recursive resolver.
commit fef28f5 (Fri Jun 19 14:51:18 2015 +0200): Set socket timeout for TCP as well.
commit 8e0a3ec (Fri Jun 19 14:50:41 2015 +0200): Add key tag calculation to DNSKEY
commit a5d4440 (Tue Jun 16 01:33:14 2015 +0200): Add OPT reading test
commit 9612a7f (Tue Jun 16 01:22:44 2015 +0200): Move pseudo-section specific code into OPT class
commit 8e5a927 (Tue Jun 16 00:58:19 2015 +0200): Improve output of OPT pseudo-section and flags
commit eadea95 (Sun Jun 14 11:40:18 2015 +0200): Add additional test for recursive DNS client
commit 814b4f6 (Sat Jun 13 13:23:17 2015 +0200): Fix test build
commit 145964b (Sat Jun 13 13:16:34 2015 +0200): Add tests for recursive DNS client
commit 6f5d42d (Sat Jun 13 13:16:09 2015 +0200): Restrict recursion depth in RecursiveDNSClient
commit dcfc849 (Fri Jun 12 23:30:21 2015 +0200): Add DNSWorld for testing
commit 4395c4b (Fri Jun 12 21:33:53 2015 +0200): Continue recursive DNS
commit a7921dd (Thu Jun 11 20:49:59 2015 +0200): Rename DNSWorld as it caused confusion
commit 4cdd733 (Wed Jun 10 19:05:49 2015 +0200): Refactor: DNSWorld
commit 49684ff (Wed Jun 10 17:54:20 2015 +0200): Add CNAME handling to recursive resolver
commit 5266a7f (Wed Jun 10 13:52:17 2015 +0200): Add WIP recursive resolver
commit 38ddee7 (Mon Jun 8 02:32:07 2015 +0200): Checkstyle fixes
commit b3be128 (Mon Jun 8 00:53:49 2015 +0200): Add minidns-dnssec subproject
commit b8fe7db (Fri Jun 5 14:55:13 2015 +0200): Add UNKNOWN type
commit 02aa095 (Fri Jun 5 01:08:02 2015 +0200): Various fixes, improve toString output (look more like dig output + RFC)
commit 36f20de (Thu Jun 4 23:22:58 2015 +0200): Add NSEC3PARAM
commit 2c3e180 (Thu Jun 4 14:54:25 2015 +0200): Allow setting the DO (DNSSEC OK) flag in EDNS
commit e0042cb (Thu Jun 4 14:54:04 2015 +0200): Add test for TCP fallback
commit 5c21df3 (Thu Jun 4 13:02:37 2015 +0200): Add Base32/64 dummy files for usage in RR classes
commit 92d0574 (Thu Jun 4 12:39:56 2015 +0200): Use StringBuilder instead of concatenation
commit 29c3d04 (Thu Jun 4 12:39:16 2015 +0200): Add NSEC3 RR
commit ebb342a (Fri May 29 22:38:25 2015 +0200): Add NSEC RR
commit 3592558 (Fri May 29 19:20:57 2015 +0200): Allow serializing of DNSKEY RR
commit a693cf1 (Fri May 29 17:45:49 2015 +0200): Add support for DS record
commit b309f44 (Fri May 29 13:43:34 2015 +0200): Add JavaDocs
commit e4c394b (Fri May 29 13:26:00 2015 +0200): Add RRSIG record
commit 94dad5d (Fri May 29 11:19:36 2015 +0200): Fix openjdk8 Travis
commit a67c7b6 (Fri May 29 03:08:05 2015 +0200): Add DNSKEY RR
commit dcb5913 (Fri May 29 02:52:19 2015 +0200): Add TCP support
commit a49a648 (Fri May 29 02:04:45 2015 +0200): Add OPT RR and announce UDP payload size
commit bfd1362 (Fri May 29 01:40:30 2015 +0200): Add support for creating RRs client side
The first 0.2.0-alpha versions of MiniDNS with DNSSEC were uploaded to Maven Central. Read more about it at http://geekplace.eu/flow/posts/2016-04-22-minidns-dnssec-alpha.html
I know this is a long shot that is not going to be easy.
Smack already has an issue requesting DNSSEC support (SMACK-366), and with DANE in mind, DNSSEC would be the required first step.
There are already two DNSSEC implementations for Java, one is from the Jitsi project called dnssecjava. The problem with both is that they are built as a Resolver for dnsjava. But dnsjava, while being a mature DNS implementation, is not a really good match for resource-constrained environments like Android (dnsjava's nameserver determination is also a problem on Android, which is solved much more nicely in minidns). I've just put effort into moving away from dnsjava towards minidns since it's the better option, especially on Android. So I'm not keen on going back to dnsjava.
Maybe we could team up with Jitsi, convince them that they don't want to use dnsjava with Jitsi Android, and decouple dnssecjava from dnsjava. I think we all agree that it's not a good idea to implement a security-critical component from scratch/on our own; instead we should reuse existing code (dnssecjava). I think this would also be a possible candidate for a GSoC project 2015: "A DNSSEC enabled DNS resolver for Android".