FS#20325 - DNSSEC: Add DNS validation support to ArchLinux

Attached to Project: Arch Linux
Opened by Tomas Mudrunka (harvie) - Friday, 30 July 2010, 14:52 GMT
Last edited by Roman Kyrylych (Romashka) - Thursday, 04 November 2010, 18:28 GMT
Task Type: Feature Request
Category: Packages: Extra
Status: Closed
Assigned To: No-one
Architecture: All
Severity: Medium
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 5
Private: No

Details

Description: DNSSEC is up and working on the internet, but ArchLinux still has no support for it.

Adding the following things is a good start:
* dnssec-tools package: https://www.dnssec-tools.org/
* dnssec-tools patch for OpenSSH (SSHFP - makes SSH 100% secure): http://www.dnssec-tools.org/readme/README.ssh
* dnssec-tools patch for postfix (fight spam and frauds): https://www.dnssec-tools.org/wiki/index.php/Postfix
* other dnssec-tools components: https://www.dnssec-tools.org/wiki/index.php/DNSSEC-Tools_Components
* Firefox
* jabberd
* Thunderbird
* lftp
* wget
* proftpd
* Sendmail
* LibSPF
* ncftp

Closed by Roman Kyrylych (Romashka)
Thursday, 04 November 2010, 18:28 GMT
Reason for closing: Won't implement
Additional comments about closing: this is an area that AUR is for
Comment by Tomas Mudrunka (harvie) - Friday, 30 July 2010, 15:07 GMT
Comment by Ionut Biru (wonder) - Friday, 30 July 2010, 15:09 GMT
we are against patching to add features that upstream doesn't provide
Comment by Tomas Mudrunka (harvie) - Friday, 30 July 2010, 15:29 GMT
Also, having the ldns package ( http://aur.archlinux.org/packages.php?ID=18996 ) with the Drill utility in the core repository (like dig with DNS support) would be useful.

wonder: well, it's not a good idea to patch openssh with some unt(ru|e)sted patches, but a package with dnssec-tools libraries would be a great beginning.
Comment by Tomas Mudrunka (harvie) - Friday, 30 July 2010, 17:08 GMT
And for those who are interested in enabling DNSSEC in OpenSSH, I've made this wrapper: http://aur.archlinux.org/packages.php?ID=39296
(it's not reliably secure at this time... I am still working on it...)
Comment by Allan McRae (Allan) - Friday, 30 July 2010, 23:10 GMT
This is the sort of thing that should get started in the AUR or a custom repo.
Comment by Tomas Mudrunka (harvie) - Saturday, 31 July 2010, 00:22 GMT
Allan: definitely! But also the sort of thing that needs developers ;-)
And official support of the ldns and dnssec-tools packages seems to be a very good platform to start development.
Comment by Tomas Mudrunka (harvie) - Saturday, 31 July 2010, 16:21 GMT
I've created a package that is VERY essential for implementing DNSSEC in ArchLinux. It contains the keys to the internet :-)
dnssec-root-zone-trust-anchors: http://aur.archlinux.org/packages.php?ID=39315
Another package that is really needed if we want to start doing something...
Comment by Tomas Mudrunka (harvie) - Saturday, 31 July 2010, 16:52 GMT
Comment by Tomas Mudrunka (harvie) - Tuesday, 03 August 2010, 21:49 GMT
Well, after some experimenting I've found that the only thing we actually need to do is build the dnssec-tools package and its dependencies and move it to supported along with ldns (which is already working). Unfortunately, I haven't managed to build it on ArchLinux yet... If there is someone who can help, you are welcome.

Then we can use libval-shim from that package to enable DNSSEC for most applications using LD_PRELOAD, and other improvements towards deeper DNSSEC support should be simple and can follow very soon.
Comment by Tomas Mudrunka (harvie) - Wednesday, 04 August 2010, 07:51 GMT
Well, it seems that I have fixed all major issues and we will have full DNSSEC client support in AUR soon.
