DNSSEC validation


DNSSEC validation

SIMON BABY
Hello,


I am trying to implement a full recursive resolver with the libbind library in my client code.
I am not using resolv.conf in my implementation. Can anyone please point me to any sample code for this?

Thank you for your help and time. 

Rgds
simon
 



_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNSSEC validation

Evan Hunt
On Tue, Feb 13, 2018 at 12:08:18PM -0800, SIMON BABY wrote:
> I am trying to implement a full recursive resolver with the libbind library
> in my client code. I am not using resolv.conf in my implementation. Can
> anyone please point me to any sample code for this?

Not even BIND uses libbind anymore.

What's the purpose of this? Why not just use BIND 9, or some other
existing resolver?

--
Evan Hunt -- [hidden email]
Internet Systems Consortium, Inc.

Re: DNSSEC validation

SIMON BABY
Hello Evan,

Thank you so much for the quick response.
 
My requirement is to implement only the recursive resolution and validation part of DNSSEC in my client application. Our CPU and memory are very limited, so I am not sure I can go and use BIND 9.

With BIND 9, can I integrate the library into my application to send queries and validate the answers in my client code itself? Can you please point me to any sample code?


Rgds
Simon
 
 


Re: DNSSEC validation

Evan Hunt
On Tue, Feb 13, 2018 at 12:42:26PM -0800, SIMON BABY wrote:
> My requirement is to implement only the recursive resolution and validation
> part of DNSSEC in my client application. Our CPU and memory are very
> limited, so I am not sure I can go and use BIND 9.

But why do you need your application to contain a recursive resolver?

I can understand why you'd want a built-in validator, but you don't need
to do full recursive resolution for that; you can send queries to an
external resolver and then validate the responses.

> With BIND 9, can I integrate the library into my application to send queries
> and validate the answers in my client code itself? Can you please point me to
> any sample code?

If you're content to do as I suggested above - send queries to an external
resolver, validate the responses - then see the command 'delv' in the
BIND 9 source tree; it does that.

Implementing a full resolver with a library is possible in BIND 9.12,
in which we spun off a lot of the name server code into a new libns
library.  I can't point you to any sample code other than named itself,
though.

Given what you said about limited CPU and memory, I can't really recommend
either solution. I'd probably just use dnsmasq and turn on its DNSSEC
validation option.

--
Evan Hunt -- [hidden email]
Internet Systems Consortium, Inc.

Re: DNSSEC validation

SIMON BABY
Hello Evan,

Thank you so much for answering my questions. My comments are inline.

> But why do you need your application to contain a recursive resolver?

1. Assume I use an external recursive resolver and that resolver does not support DNSSEC; how can I validate the signature?

2. If I use an external resolver and a hacker sits between my system and the external resolver, will it be detected?

3. When the external resolver resolves a query and responds back to the client, will it strip off the signatures? I assume the validation is already done at the recursive resolver.

4. Can I integrate the dnsmasq option with my client application? Any reference?

Thanks once again for your help and time.

Rgds
Simon


Re: DNSSEC validation

Warren Kumari
On Tue, Feb 13, 2018 at 3:42 PM, SIMON BABY <[hidden email]> wrote:
> Hello Evan,
>
> Thank you so much for the quick response.
>
> My requirement is to implement only the recursive resolution and validation
> part of DNSSEC in my client application. Our CPU and memory are very
> limited, so I am not sure I can go and use BIND 9.
>

I get that this is bind-users, but have you looked at https://getdnsapi.net/ ?

W

--
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf

Re: DNSSEC validation

SIMON BABY
Thanks Warren. I will look into https://getdnsapi.net/.

Rgds
simon


Re: DNSSEC validation

Evan Hunt
On Tue, Feb 13, 2018 at 01:33:10PM -0800, SIMON BABY wrote:
> 1. Assume I use an external recursive resolver and that resolver does
> not support DNSSEC; how can I validate the signature?

Depends what you mean by supporting DNSSEC; see below.

> 2. If I use an external resolver and a hacker sits between my
> system and the external resolver, will it be detected?

That's exactly what DNSSEC is for. If someone alters the answer,
the signatures won't validate.

> 3. When the external resolver resolves a query and responds back to
> the client, will it strip off the signatures? I assume the validation is
> already done at the recursive resolver.

The resolver doesn't have to do DNSSEC validation itself (though of course
it's a good idea). It just needs to pass along signatures on request. If
you're using a resolver that doesn't do that... well, use a different one.

You can run a resolver as a separate local process, listening on the
localhost address. This ensures you have the resolver features you need
and also makes it quite a lot harder to mount a man-in-the-middle attack.

> 4. Can I integrate the dnsmasq option with my client application? Any reference?

If you need it to be built into your application, I'm not sure.  Warren's
suggestion of using getdns-api was a better idea anyway.

--
Evan Hunt -- [hidden email]
Internet Systems Consortium, Inc.
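Evan's two points above, that a client can validate on its own as long as the external resolver passes signatures along on request, and that an altered answer then fails validation, come down to the DO bit in the query and the RRSIG records in the reply. The following is an added example, not code from this thread or from BIND, delv or getdns, and all function names are my own: it builds a query with an EDNS0 OPT record carrying DO=1 and inspects a reply for the AD bit and for RRSIGs, using two constructed wire-format replies embedded inline.

```python
import struct
RRSIG, OPT = 46, 41
DO_BIT = 0x8000   # EDNS0 "DNSSEC OK" flag, carried in the high bit of the OPT RR's TTL field
AD_BIT = 0x0020   # "Authentic Data" bit in the header flags word

def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in the root label."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(name, qtype=1, txid=0x1234, dnssec_ok=True):
    """RD query plus an EDNS0 OPT pseudo-RR; DO=1 asks the resolver to pass RRSIGs along."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD=1, qd=1, ar=1 (the OPT RR)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, DO_BIT if dnssec_ok else 0, 0)
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name that starts at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes and the name ends
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def inspect_message(msg):
    """Summarise a message: rcode, AD bit, DO bit of its OPT RR, and whether any RRSIG is present."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, do_set, types = 12, False, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4                   # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
        if rtype == OPT:
            do_set = bool(ttl & DO_BIT)
    return {"rcode": flags & 0xF, "ad": bool(flags & AD_BIT), "do": do_set, "rrsig": RRSIG in types}

# Constructed sample replies (not real captures); owner names point back to the question at offset 12,
# and the RRSIG rdata is a placeholder, since only its presence is checked here, not its cryptography.
_question = encode_name("example.com") + struct.pack("!HH", 1, 1)
_a_rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
_rrsig_rr = b"\xc0\x0c" + struct.pack("!HHIH", RRSIG, 1, 300, 6) + b"\x00\x01\x0d\x02\x00\x00"
SAMPLE_SIGNED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 2, 0, 0) + _question + _a_rr + _rrsig_rr
# Same answer from a resolver (or a path) that drops signatures: AD clear, no RRSIG.
SAMPLE_STRIPPED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _question + _a_rr
```

Only the RRSIG check tells you the resolver is actually passing signatures; the AD bit is just the resolver's own claim, and anything able to rewrite the answer on the wire can set it too, so it is worth trusting only over a path you control, such as Evan's localhost resolver, or when the client validates the RRSIGs itself.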

Re: DNSSEC validation

SIMON BABY
Thanks Evan for answering my questions. I will look more into getdns-api or the libunbound library for the client-side resolution.

Rgds
Simon
