The other day the question came up about how to provide SSH host keys to end users in a more secure manner. Sure, you can publish them somewhere and the user can check them the first time they connect, but that's prone to human error and not very automated. Turns out you can put SSH host key fingerprints into DNS (SSHFP records) for easy checking. Of course then the problem becomes: how can you check that the DNS data is valid and correct? That's where DNSSEC comes into play.
Read on for my saga of implementing dnssec on my home domain…
Enabling DNSSEC isn't really too bad, but it's one of those things where searching the net for a good howto or guide results in a bunch of incomplete or inaccurate stuff. After several false starts and bad guides, I ended up at: https://dlv.isc.org/about/using. This page goes over how to set things up with bind (although I think the "dnssec-lookaside" line can just be set to 'auto' in recent bind versions).
I had everything set up in not too many minutes, but then when testing it, I couldn't get it to work at all. It never showed the 'ad' flag in "dig +dnssec" output to show that it was using DNSSEC. Turns out that you can't test this if you are using the authoritative server for the domain as your nameserver. It knows it's authoritative, so it doesn't bother with DNSSEC. I lost several hours trying to figure this out. ;)
In any case, all my scrye.com test machines should have SSHFP records and be DNSSEC aware. So (if you are a Fedora packager), set "VerifyHostKeyDNS yes" in your ~/.ssh/config file and you should be able to transparently connect to any of the http://fedoraproject.org/wiki/Test_Machine_Resources_For_Package_Maintainers machines, assured that the host key is valid. Note that several of the externally available fedoraproject.org machines also have SSHFP keys.
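To make the SSHFP mechanism concrete, here is an added example (not code from the original post) that shows what an SSHFP record actually contains and how the "VerifyHostKeyDNS yes" decision depends on the DNSSEC 'ad' flag. It builds the records the way ssh-keygen -r does (a hash of the raw public key blob, with algorithm and fingerprint-type numbers from RFC 4255/6594), then models the client-side check. The host name, the key bytes and the function names are all constructed for the example; the key is a made-up 32-byte value wrapped in the ssh-ed25519 wire format, not a real key.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255 / RFC 6594), keyed by OpenSSH key type.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_pubkey_line(line):
    """Return (key_type, raw_blob) from an OpenSSH public key line."""
    fields = line.split()
    key_type, blob = fields[0], base64.b64decode(fields[1])
    # The wire blob starts with a length-prefixed copy of the key type;
    # refuse lines where the prefix and the blob disagree.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != key_type:
        raise ValueError("key type in blob does not match the line prefix")
    return key_type, blob


def sshfp_records(hostname, line):
    """Build one SSHFP record per fingerprint type for a host key line.
    The fingerprint is the hash of the decoded key blob, as ssh-keygen -r does."""
    key_type, blob = parse_pubkey_line(line)
    algo = SSHFP_ALGORITHM[key_type]
    return [(hostname, algo, fptype, hashfn(blob).hexdigest())
            for fptype, hashfn in SSHFP_FPTYPE.items()]


def format_record(rec):
    """Zone-file presentation of a record tuple."""
    host, algo, fptype, fp = rec
    return f"{host}. IN SSHFP {algo} {fptype} {fp}"


def verify_host_key(line, records, authenticated):
    """Simplified model of what VerifyHostKeyDNS=yes decides.
    'accept'   - a record matches and the answer carried the AD flag
    'prompt'   - a record matches but the answer was not validated, so the
                 client still asks the user (the record is only a hint)
    'mismatch' - records exist but none match the presented key
    'none'     - DNS has no SSHFP data for the host"""
    key_type, blob = parse_pubkey_line(line)
    algo = SSHFP_ALGORITHM[key_type]
    if not records:
        return "none"
    for _host, r_algo, r_fptype, r_fp in records:
        if r_algo == algo and SSHFP_FPTYPE[r_fptype](blob).hexdigest() == r_fp.lower():
            return "accept" if authenticated else "prompt"
    return "mismatch"


def make_ed25519_line(pub32):
    """Constructed test key: wrap 32 bytes in the ssh-ed25519 wire format.
    This is NOT a real key, only a stand-in with the right shape."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pub32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


# Constructed sample input (hypothetical host name and key bytes).
CONSTRUCTED_KEY = make_ed25519_line(bytes(range(32)))

if __name__ == "__main__":
    recs = sshfp_records("host.example", CONSTRUCTED_KEY)
    for r in recs:
        print(format_record(r))
    # Same records, queried through a validating resolver (AD set) vs. a
    # resolver that did not validate (AD clear), as in the dig test above.
    print("validated answer:  ", verify_host_key(CONSTRUCTED_KEY, recs, True))
    print("unvalidated answer:", verify_host_key(CONSTRUCTED_KEY, recs, False))
```

The two printed lines are what you would paste into the zone for that host; in real use generate them with "ssh-keygen -r host.example -f /etc/ssh/ssh_host_ed25519_key.pub" and check the published copy with "dig +dnssec SSHFP host.example" from a validating resolver that is not the zone's own authoritative server, looking for the 'ad' flag. The "prompt" outcome is the point of the post: without DNSSEC the record only saves the user from typing the fingerprint; with it the client can trust the record on its own.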
Help stomp out DNS hijacking attacks today and DNSSEC-enable your domains!