DNSChains + DANE Validator for sile.bit

https://bit.namecoin.org/
Post Reply
cryptosile
Posts: 7
Joined: Sat Aug 30, 2014 2:07 am
os: mac

DNSChains + DANE Validator for sile.bit

Post by cryptosile » Sat Sep 06, 2014 2:12 pm

Has anyone been able to get DNSChains to build the correct DNS records to make DANE validation actually work?

I've tried to validate with danetool from gnutls:
It says it can't find any TLSA record, however, with wireshark I can see it pull down the TLSA record successfully.

I've also tried this web plugin:
https://www.dnssec-validator.cz/

Is there any tool that can validate I have a correct TLSA record? Although, that is mostly useless unless we can get it into the browser.

I think namecoin would be much more useful if it could seemless drop in behind DNSSEC/DANE via DNSChains. That way we wouldn't even really need to have a web plugin we could just use the dnssec-validator one... although not sure if that one is open source or not.

Maybe the fact all the tools try to It seems both of them don't even try and pull the TLSA record DNSChains provides presumably because DNSSEC is not properly setup. DNSChains doesn't seem to have a way to provide a DNSKEY. And because the <root> servers don't know about .bit I don't think it DNSSEC would work anyway because of the way it does it's recursive validation.

right now i'm working on trying to deploy local validation of my sile.bit domain via bind running locally on my machine and seeing if I can get DNSSEC/DANE working there. If I get that working then I can look and see what the differences are see what needs to be done in DNSChains to get it to work with the validator. But If someone has already done this I'd love any assistance or help. This has taken longer than I had hoped.

Here is the domain i'm working with:

https://sile.bit
http://dns.dnschain.net/d/sile

[Update]
I've been able to get Dane tool to validate my TLSA record successfully. DNSChains, I believe incorrectly generates the record:
_443._tcp.sile.bit. 600 IN TLSA 3 1 1 (90638E25012B15862757056DC53673F38F1CC666C5B3 ECA5D72B84E6C3F4C492 )
It should be:
_443._tcp.sile.bit. 600 IN TLSA 3 0 1 (90638E25012B15862757056DC53673F38F1CC666C5B3 ECA5D72B84E6C3F4C492 )

Because I signed the full certificate, (I believe this is the correct way as per:

https://forum.namecoin.info/viewtopic.php?f=5&t=1137 "and we only check/hash the full certificate" )

I followed these steps to create my TLSA record:
http://blog.huque.com/2012/10/dnssec-an ... cates.html

the middle bit there needs to be a 0 instead of a 1

With this correction I can correctly confirm my domain with danetool

./danetool --insecure --local-dns --check sile.bit

I bypass DNSSEC validation via the insecure flag, and without the local-dns flag it seems to always go to the root DNS servers rather than my local bind instance.

So, in order to test differnt TLSA records I installed a local bind instance and tried to setup DNSSEC but I haven't got that working yet:

I followed these steps:
http://www.howtoforge.com/configuring-d ... untu-11.10

I ran into a bug in zonesigner and used this to fix:
https://bugs.launchpad.net/ubuntu/+sour ... ug/1215093
zonesigner -szopts "-O full" -genkeys -usensec3 -zone

And I put in a managed-keys entry to provide a local trust anchor (since the <root> dns servers don't know about .bit). However, I still can't seem to get dnssec to validate or get the validator web browser plugin to go green for sile.bit.

But, i'm happy at this point i've got the DANE record correct. Clearly, no one is using DANE yet to validate their domains. I think i'm going to go back to the old method of just using the fingerprint that freespeachme uses for now. I'll try and keep both records in there so I can continue testing with DANE.

biolizard89
Posts: 1971
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: DNSChains + DANE Validator for sile.bit

Post by biolizard89 » Sun Sep 07, 2014 8:09 am

Just FYI, the "tls" field which is used for DANE compatibility is a draft, and is subject to change. I will be proposing a new spec which changes the format significantly, to address serious shortcomings in both the "fingerprint" spec and the "tls" spec.

Not saying you shouldn't play around with it, just be aware that some things may be revised in the future.
Jeremy Rand, Lead Namecoin Application Engineer
NameID: id/jeremy
DyName: Dynamic DNS update client for .bit domains.

Donations: BTC 1EcUWRa9H6ZuWPkF3BDj6k4k1vCgv41ab8 ; NMC NFqbaS7ReiQ9MBmsowwcDSmp4iDznjmEh5

Post Reply