DNSSEC Validation for lftp
==========================

This patch adds local DNSSEC validation to lftp, along with an option to
enable it. The code is only compiled if the configure option
--dnssec-local-validation is specified. The libraries libval and libsres
from DNSSEC-Tools are prerequisites. Additional options may be needed
to point configure at the correct directory for these libraries.

When compiled in, the option is still off by default. The new boolean
option 'dns:strict-dnssec' must be enabled by the user; until it is,
name resolution behaves exactly as in an unpatched lftp and answers
that fail validation are not rejected.

Once strict DNSSEC checking is enabled, DNSSEC validation is done according
to the configuration in the DNSSEC-Tools configuration file dnsval.conf.
That file supplies the trust anchors and the validation policy, so the
protection lftp gets is only as strong as what is configured there.
Please refer to the DNSSEC-Tools documentation for more information.

http://www.dnssec-tools.org/
By default, DNSSEC-Tools' configuration file should be validating
all zones. A few zones are signed, but most are not, so pick a zone
you know to be signed for the known-good case. You can use the test
zone provided by DNSSEC-Tools for verifying correct operation.

First, configure lftp to require validation. (The command below
overwrites an existing ~/.lftprc; use >> instead of > to append.)

$ echo "set dns:strict-dnssec 1" > ~/.lftprc

Next, simply run lftp with a few domains. Here we use the DNSSEC-Tools domain
as a known-good domain, and a domain in the DNSSEC-Tools test zone as
a domain that will fail DNSSEC validation checks. In the second case
lftp refuses the host outright rather than falling back to the
unvalidated address.

$ lftp www.dnssec-tools.org
lftp www.dnssec-tools.org:/>

$ lftp baddata-a.test.dnssec-tools.org
lftp: baddata-a.test.dnssec-tools.org: DNS resoloution not trusted.
To see some debug output from the validation process, you can set the
VAL_LOG_TARGET environment variable. (Higher numbers will result in more
output. 5 is a good start, 7 is more than you really want.) The value
is a log level and a target separated by a colon.

$ export VAL_LOG_TARGET="5:stdout"
$ lftp www.dnssec-tools.org
20120904::16:44:31 Validation result for {www.dnssec-tools.org, IN(1), A(1)}: VAL_SUCCESS:128 (Validated)
20120904::16:44:31 name=www.dnssec-tools.org class=IN type=A from-server=192.168.122.1 status=VAL_AC_VERIFIED:31
20120904::16:44:31 name=dnssec-tools.org class=IN type=DNSKEY[tag=34816] from-server=192.168.122.1 status=VAL_AC_VERIFIED:31
20120904::16:44:31 name=dnssec-tools.org class=IN type=DS from-server=192.168.122.1 status=VAL_AC_VERIFIED:31
20120904::16:44:31 name=org class=IN type=DNSKEY[tag=21366] from-server=192.168.122.1 status=VAL_AC_VERIFIED:31
20120904::16:44:31 name=org class=IN type=DS from-server=192.168.122.1 status=VAL_AC_VERIFIED:31
20120904::16:44:31 name=. class=IN type=DNSKEY from-server=192.168.122.1 status=VAL_AC_TRUST:12
20120904::16:44:31 Validation result for {www.dnssec-tools.org, IN(1), AAAA(28)}: VAL_NONEXISTENT_TYPE:133 (Validated)
20120904::16:44:31 Proof of non-existence [1 of 1]
20120904::16:44:31 name=www.dnssec-tools.org class=IN type=NSEC from-server=192.168.122.1 status=VAL_AC_VERIFIED:31
20120904::16:44:31 name=dnssec-tools.org class=IN type=DNSKEY[tag=34816] from-server=192.168.122.1 status=VAL_AC_VERIFIED:31
20120904::16:44:31 name=dnssec-tools.org class=IN type=DS from-server=192.168.122.1 status=VAL_AC_VERIFIED:31
20120904::16:44:31 name=org class=IN type=DNSKEY[tag=21366] from-server=192.168.122.1 status=VAL_AC_VERIFIED:31
20120904::16:44:31 name=org class=IN type=DS from-server=192.168.122.1 status=VAL_AC_VERIFIED:31
20120904::16:44:31 name=. class=IN type=DNSKEY from-server=192.168.122.1 status=VAL_AC_TRUST:12

lftp www.dnssec-tools.org:/>

Each "Validation result" line is followed by the chain that justifies
it, from the queried record up through the DNSKEY and DS records of
each parent zone to the root DNSKEY; the VAL_AC_TRUST status on the
"." line marks the point where the chain meets a trust anchor from
dnsval.conf. The AAAA query has no answer, but VAL_NONEXISTENT_TYPE is
still reported as Validated because the NSEC record proving the absence
was itself verified. Here every answer came via the local resolver at
192.168.122.1.
$ lftp baddata-a.test.dnssec-tools.org
20120904::13:29:20 Validation result for {baddata-a.test.dnssec-tools.org, IN(1), A(1)}: VAL_BOGUS:1 (Untrusted)
20120904::13:29:20 name=baddata-a.test.dnssec-tools.org class=IN type=A from-server=168.150.236.43 status=VAL_AC_NOT_VERIFIED:18
20120904::13:29:20 name=test.dnssec-tools.org class=IN type=DNSKEY[tag=28827] from-server=168.150.236.43 status=VAL_AC_VERIFIED:31
20120904::13:29:20 name=test.dnssec-tools.org class=IN type=DS from-server=168.150.236.43 status=VAL_AC_VERIFIED:31
20120904::13:29:20 name=dnssec-tools.org class=IN type=DNSKEY[tag=34816] from-server=168.150.236.43 status=VAL_AC_VERIFIED:31
20120904::13:29:20 name=dnssec-tools.org class=IN type=DS from-server=199.249.120.1 status=VAL_AC_VERIFIED:31
20120904::13:29:20 name=org class=IN type=DNSKEY[tag=21366] from-server=199.249.120.1 status=VAL_AC_VERIFIED:31
20120904::13:29:20 name=org class=IN type=DS from-server=198.41.0.4 status=VAL_AC_VERIFIED:31
20120904::13:29:20 name=. class=IN type=DNSKEY from-server=198.41.0.4 status=VAL_AC_TRUST:12
20120904::13:29:20 Validation result for {baddata-a.test.dnssec-tools.org, IN(1), AAAA(28)}: VAL_NONEXISTENT_TYPE:133 (Validated)
20120904::13:29:20 Proof of non-existence [1 of 1]
20120904::13:29:20 name=baddata-a.test.dnssec-tools.org class=IN type=NSEC from-server=192.168.122.1 status=VAL_AC_VERIFIED:31
20120904::13:29:20 name=test.dnssec-tools.org class=IN type=DNSKEY[tag=28827] from-server=168.150.236.43 status=VAL_AC_VERIFIED:31
20120904::13:29:20 name=test.dnssec-tools.org class=IN type=DS from-server=168.150.236.43 status=VAL_AC_VERIFIED:31
20120904::13:29:20 name=dnssec-tools.org class=IN type=DNSKEY[tag=34816] from-server=168.150.236.43 status=VAL_AC_VERIFIED:31
20120904::13:29:20 name=dnssec-tools.org class=IN type=DS from-server=199.249.120.1 status=VAL_AC_VERIFIED:31
20120904::13:29:20 name=org class=IN type=DNSKEY[tag=21366] from-server=199.249.120.1 status=VAL_AC_VERIFIED:31
20120904::13:29:20 name=org class=IN type=DS from-server=198.41.0.4 status=VAL_AC_VERIFIED:31
20120904::13:29:20 name=. class=IN type=DNSKEY from-server=198.41.0.4 status=VAL_AC_TRUST:12
lftp: baddata-a.test.dnssec-tools.org: DNS resoloution not trusted.

In the failing case every DNSKEY and DS in the chain verifies and the
chain still reaches the trust anchor, but the A record itself is
VAL_AC_NOT_VERIFIED: the signature over the answer does not check out,
so the result is VAL_BOGUS. The AAAA lookup for the same name validates,
yet lftp still refuses the host, because the A answer it needs is
bogus. The from-server fields also show libval fetching most of this
chain directly from the authoritative servers (198.41.0.4 is a root
server) rather than from the local resolver used in the first run.