DNSSEC Validation for lftp
==========================
This patch adds local DNSSEC validation to lftp, along with an option to
enable it. The code is only compiled if the configure option
--dnssec-local-validation is specified. The libraries libval and libsres
from DNSSEC-Tools are prerequisites. Additional options may be needed
to point configure at the correct directory for these libraries.

When compiled in, the option is still off by default. The new boolean
option 'dns:strict-dnssec' must be enabled by the user.

Once strict DNSSEC checking is enabled, DNSSEC validation is done according
to the configuration in the DNSSEC-Tools configuration file dnsval.conf.
Please refer to the DNSSEC-Tools documentation for more information.

    http://www.dnssec-tools.org/


Testing
=======
By default, DNSSEC-Tools' configuration file should be validating
all zones. A few zones are signed, but most are not. You can use
the test zone provided by DNSSEC-Tools for verifying correct operation.

First, configure lftp to require validation.

    $ echo "set dns:strict-dnssec 1" > ~/.lftprc

Next, simply run lftp with a few domains. Here we use the DNSSEC-Tools domain
as a known-good domain, and a domain in the DNSSEC-Tools test zone as
a domain that will fail DNSSEC validation checks.

    $ lftp www.dnssec-tools.org
    cd ok, cwd=/
    lftp www.dnssec-tools.org:/>

    $ lftp baddata-a.test.dnssec-tools.org
    lftp: baddata-a.test.dnssec-tools.org: DNS resoloution not trusted.


Viewing Details
===============
To see some debug output from the validation process, you can set the
VAL_LOG_TARGET environment variable. (Higher numbers will result in more
output. 5 is a good start, 7 is more than you really want.) Each query is
reported as a "Validation result" line followed by the chain of records
libval checked, ending at the configured trust anchor (status VAL_AC_TRUST).

    $ export VAL_LOG_TARGET="5:stdout"

    $ lftp www.dnssec-tools.org
    20120904::16:44:31 Validation result for {www.dnssec-tools.org, IN(1), A(1)}: VAL_SUCCESS:128 (Validated)
    20120904::16:44:31 name=www.dnssec-tools.org class=IN type=A from-server=192.168.122.1 status=VAL_AC_VERIFIED:31
    20120904::16:44:31 name=dnssec-tools.org class=IN type=DNSKEY[tag=34816] from-server=192.168.122.1 status=VAL_AC_VERIFIED:31
    20120904::16:44:31 name=dnssec-tools.org class=IN type=DS from-server=192.168.122.1 status=VAL_AC_VERIFIED:31
    20120904::16:44:31 name=org class=IN type=DNSKEY[tag=21366] from-server=192.168.122.1 status=VAL_AC_VERIFIED:31
    20120904::16:44:31 name=org class=IN type=DS from-server=192.168.122.1 status=VAL_AC_VERIFIED:31
    20120904::16:44:31 name=. class=IN type=DNSKEY from-server=192.168.122.1 status=VAL_AC_TRUST:12
    20120904::16:44:31 Validation result for {www.dnssec-tools.org, IN(1), AAAA(28)}: VAL_NONEXISTENT_TYPE:133 (Validated)
    20120904::16:44:31 Proof of non-existence [1 of 1]
    20120904::16:44:31 name=www.dnssec-tools.org class=IN type=NSEC from-server=192.168.122.1 status=VAL_AC_VERIFIED:31
    20120904::16:44:31 name=dnssec-tools.org class=IN type=DNSKEY[tag=34816] from-server=192.168.122.1 status=VAL_AC_VERIFIED:31
    20120904::16:44:31 name=dnssec-tools.org class=IN type=DS from-server=192.168.122.1 status=VAL_AC_VERIFIED:31
    20120904::16:44:31 name=org class=IN type=DNSKEY[tag=21366] from-server=192.168.122.1 status=VAL_AC_VERIFIED:31
    20120904::16:44:31 name=org class=IN type=DS from-server=192.168.122.1 status=VAL_AC_VERIFIED:31
    20120904::16:44:31 name=. class=IN type=DNSKEY from-server=192.168.122.1 status=VAL_AC_TRUST:12
    cd ok, cwd=/
    lftp www.dnssec-tools.org:/>

    $ lftp baddata-a.test.dnssec-tools.org
    20120904::13:29:20 Validation result for {baddata-a.test.dnssec-tools.org, IN(1), A(1)}: VAL_BOGUS:1 (Untrusted)
    20120904::13:29:20 name=baddata-a.test.dnssec-tools.org class=IN type=A from-server=168.150.236.43 status=VAL_AC_NOT_VERIFIED:18
    20120904::13:29:20 name=test.dnssec-tools.org class=IN type=DNSKEY[tag=28827] from-server=168.150.236.43 status=VAL_AC_VERIFIED:31
    20120904::13:29:20 name=test.dnssec-tools.org class=IN type=DS from-server=168.150.236.43 status=VAL_AC_VERIFIED:31
    20120904::13:29:20 name=dnssec-tools.org class=IN type=DNSKEY[tag=34816] from-server=168.150.236.43 status=VAL_AC_VERIFIED:31
    20120904::13:29:20 name=dnssec-tools.org class=IN type=DS from-server=199.249.120.1 status=VAL_AC_VERIFIED:31
    20120904::13:29:20 name=org class=IN type=DNSKEY[tag=21366] from-server=199.249.120.1 status=VAL_AC_VERIFIED:31
    20120904::13:29:20 name=org class=IN type=DS from-server=198.41.0.4 status=VAL_AC_VERIFIED:31
    20120904::13:29:20 name=. class=IN type=DNSKEY from-server=198.41.0.4 status=VAL_AC_TRUST:12
    20120904::13:29:20 Validation result for {baddata-a.test.dnssec-tools.org, IN(1), AAAA(28)}: VAL_NONEXISTENT_TYPE:133 (Validated)
    20120904::13:29:20 Proof of non-existence [1 of 1]
    20120904::13:29:20 name=baddata-a.test.dnssec-tools.org class=IN type=NSEC from-server=192.168.122.1 status=VAL_AC_VERIFIED:31
    20120904::13:29:20 name=test.dnssec-tools.org class=IN type=DNSKEY[tag=28827] from-server=168.150.236.43 status=VAL_AC_VERIFIED:31
    20120904::13:29:20 name=test.dnssec-tools.org class=IN type=DS from-server=168.150.236.43 status=VAL_AC_VERIFIED:31
    20120904::13:29:20 name=dnssec-tools.org class=IN type=DNSKEY[tag=34816] from-server=168.150.236.43 status=VAL_AC_VERIFIED:31
    20120904::13:29:20 name=dnssec-tools.org class=IN type=DS from-server=199.249.120.1 status=VAL_AC_VERIFIED:31
    20120904::13:29:20 name=org class=IN type=DNSKEY[tag=21366] from-server=199.249.120.1 status=VAL_AC_VERIFIED:31
    20120904::13:29:20 name=org class=IN type=DS from-server=198.41.0.4 status=VAL_AC_VERIFIED:31
    20120904::13:29:20 name=. class=IN type=DNSKEY from-server=198.41.0.4 status=VAL_AC_TRUST:12
    lftp: baddata-a.test.dnssec-tools.org: DNS resoloution not trusted.
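As an added example (not code from lftp or DNSSEC-Tools), the following Python script parses VAL_LOG_TARGET output of the form shown above, groups each "Validation result" with the chain-of-trust records that follow it, lists the names lftp would refuse under dns:strict-dnssec, and points at the first record in a chain that failed to verify. The sample lines are a constructed subset of the two sessions above.

```python
import re

# Constructed sample: a subset of the libval log lines from the two sessions above.
SAMPLE_LOG = """\
20120904::16:44:31 Validation result for {www.dnssec-tools.org, IN(1), A(1)}: VAL_SUCCESS:128 (Validated)
20120904::16:44:31 name=www.dnssec-tools.org class=IN type=A from-server=192.168.122.1 status=VAL_AC_VERIFIED:31
20120904::16:44:31 name=dnssec-tools.org class=IN type=DNSKEY[tag=34816] from-server=192.168.122.1 status=VAL_AC_VERIFIED:31
20120904::16:44:31 name=. class=IN type=DNSKEY from-server=192.168.122.1 status=VAL_AC_TRUST:12
20120904::13:29:20 Validation result for {baddata-a.test.dnssec-tools.org, IN(1), A(1)}: VAL_BOGUS:1 (Untrusted)
20120904::13:29:20 name=baddata-a.test.dnssec-tools.org class=IN type=A from-server=168.150.236.43 status=VAL_AC_NOT_VERIFIED:18
20120904::13:29:20 name=test.dnssec-tools.org class=IN type=DNSKEY[tag=28827] from-server=168.150.236.43 status=VAL_AC_VERIFIED:31
20120904::13:29:20 name=. class=IN type=DNSKEY from-server=198.41.0.4 status=VAL_AC_TRUST:12
"""

# "<ts> Validation result for {name, class(n), type(n)}: VAL_xxx:code (Validated|Untrusted)"
RESULT_RE = re.compile(r"^\S+ Validation result for \{([^,]+), ([^,]+), ([^}]+)\}: (\w+):\d+ \((\w+)\)$")
# "<ts> name=... class=... type=...[tag=...] from-server=... status=VAL_AC_xxx:code"
CHAIN_RE = re.compile(r"^\S+ name=(\S+) class=(\S+) type=(\S+) from-server=(\S+) status=(\w+):\d+$")

def parse_val_log(text):
    """Return one dict per query: name, rrtype, result, trust and the chain records
    (name, type, status) libval reported beneath that query's result line."""
    queries = []
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if m:
            name, _cls, rrtype, result, trust = m.groups()
            queries.append({"name": name, "rrtype": rrtype.split("(")[0],
                            "result": result, "trust": trust, "chain": []})
            continue
        m = CHAIN_RE.match(line)
        if m and queries:
            cname, _cls, ctype, _server, status = m.groups()
            queries[-1]["chain"].append((cname, ctype.split("[")[0], status))
    return queries

def untrusted_queries(queries):
    """Names lftp refuses under dns:strict-dnssec: any result libval did not mark Validated."""
    return [q["name"] for q in queries if q["trust"] != "Validated"]

def first_broken_link(query):
    """First chain record that neither verified nor is the trust anchor; None if the chain is clean."""
    for cname, ctype, status in query["chain"]:
        if status not in ("VAL_AC_VERIFIED", "VAL_AC_TRUST"):
            return (cname, ctype, status)
    return None

if __name__ == "__main__":
    for q in parse_val_log(SAMPLE_LOG):
        print(q["name"], q["rrtype"], q["result"], q["trust"], first_broken_link(q))
```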