Currently libunbound returns no data if no correct RRSIG can be found, as is currently the case for the domain elstel.com.
Would anyone mind changing libunbound so that it returns the existing TLSA record as insecure data?
What you are using is drill. This is not libunbound.
You seem to be talking about wanting drill's sigchase printout to print
different output for answers with wrong RRSIGs? Sounds like a change for
the ldns package. Not sure if that is better debug output for that tool.
unbound-host can also perform lookups, also of type TLSA and print them,
and DNSSEC verify them. And prints the verification output together
with the data, which may be what you want. unbound-host uses libunbound
for that.
$ unbound-host -v -f root.key -t TLSA _443._tcp.elstel.com
_443._tcp.elstel.com has TLSA record 3 0 1
A8EDF0CACAF776ACACDFE53564C51556AD325F03A369E4C8F4622B4DC5B06865 (secure)
Does anyone care about this? Who has tried to retrieve the TLSA record of elstel.com via libunbound? Why does it not return the TLSA record as unsafe if it is present but not signed correctly?
At least for me, that would be pointless; if I am to trust the information it has to be signed correctly. Returning untrusted values just removes the security and you might as well not use DANE at all.
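The two points above, that unbound-host reports a TLSA record together with its validation state ("(secure)"), and that a TLSA record which is not correctly signed is worthless for DANE, can be made concrete in code. The following is an added example written for this thread, not code from unbound, libunbound or atea. It parses the TLSA presentation format that unbound-host prints ("3 0 1 <hex>", RFC 6698), matches a certificate against such a record, and gates the whole decision on the validation flags libunbound exposes in ub_result (havedata, secure, bogus). The certificate and SubjectPublicKeyInfo bytes are constructed stand-ins, not real DER; the record text is the one printed in the thread.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample bytes (NOT real DER). They stand in for the server
# certificate and its SubjectPublicKeyInfo as presented in the TLS handshake.
SAMPLE_CERT_DER = b"constructed-certificate-bytes-for-the-example"
SAMPLE_SPKI_DER = b"constructed-subject-public-key-info-bytes"

# The TLSA record exactly as unbound-host printed it earlier in the thread.
THREAD_TLSA = "3 0 1 A8EDF0CACAF776ACACDFE53564C51556AD325F03A369E4C8F4622B4DC5B06865"


@dataclass(frozen=True)
class TlsaRecord:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int       # 0 full certificate, 1 SubjectPublicKeyInfo
    matching_type: int  # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes


def parse_tlsa(presentation: str) -> TlsaRecord:
    """Parse 'usage selector matching-type hex' (RFC 6698 presentation format)."""
    fields = presentation.split()
    if len(fields) < 4:
        raise ValueError("TLSA record needs usage, selector, matching type and data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    for name, value, limit in (("usage", usage, 3), ("selector", selector, 1),
                               ("matching type", mtype, 2)):
        if not 0 <= value <= limit:
            raise ValueError(f"TLSA {name} {value} out of range 0..{limit}")
    data = bytes.fromhex("".join(fields[3:]))  # hex may be split over whitespace
    expected_len = {1: 32, 2: 64}.get(mtype)
    if expected_len is not None and len(data) != expected_len:
        raise ValueError(f"matching type {mtype} needs {expected_len} bytes of data")
    return TlsaRecord(usage, selector, mtype, data)


def _select_and_digest(record: TlsaRecord, cert_der: bytes, spki_der: bytes) -> bytes:
    """Apply the record's selector, then its matching type, to the presented cert."""
    selected = cert_der if record.selector == 0 else spki_der
    if record.matching_type == 0:
        return selected
    if record.matching_type == 1:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def tlsa_matches(record: TlsaRecord, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the presented certificate matches the record; constant-time compare."""
    return hmac.compare_digest(_select_and_digest(record, cert_der, spki_der), record.data)


def tlsa_presentation(cert_der: bytes, spki_der: bytes,
                      usage: int = 3, selector: int = 0, mtype: int = 1) -> str:
    """Build the record text an operator would publish for this certificate."""
    digest = _select_and_digest(TlsaRecord(usage, selector, mtype, b""), cert_der, spki_der)
    return f"{usage} {selector} {mtype} {digest.hex().upper()}"


@dataclass
class LookupResult:
    """The ub_result flags from libunbound that matter here (real field names)."""
    havedata: bool   # answer carried records
    secure: bool     # DNSSEC validation succeeded
    bogus: bool      # DNSSEC validation failed (e.g. bad or missing RRSIG)
    records: list    # TLSA records in presentation format


def usable_tlsa_records(result: LookupResult) -> list:
    """Return the TLSA records a DANE client may act on, or [] if there are none.

    Only a DNSSEC-validated (secure) answer binds the name to the certificate.
    An unsigned or bogus answer could have been supplied by anyone on the path,
    so acting on it would remove exactly the protection DANE is meant to give."""
    if not result.havedata or result.bogus or not result.secure:
        return []
    return [parse_tlsa(r) for r in result.records]


def verify_server(result: LookupResult, cert_der: bytes, spki_der: bytes) -> bool:
    """Full decision: validated TLSA answer AND at least one record matching the cert."""
    return any(tlsa_matches(r, cert_der, spki_der) for r in usable_tlsa_records(result))


if __name__ == "__main__":
    published = tlsa_presentation(SAMPLE_CERT_DER, SAMPLE_SPKI_DER)
    for flags in ((True, True, False), (True, False, False), (True, False, True)):
        res = LookupResult(*flags, [published])
        print(flags, "->", verify_server(res, SAMPLE_CERT_DER, SAMPLE_SPKI_DER))
```

The same record that verify_server accepts when the answer is secure is rejected when the same bytes arrive insecure or bogus; the record content never changes, only the validation state does, which is why handing unsigned TLSA data to a DANE client buys nothing.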
No, I am not using drill, I am using a new tool called atea (see attachment). I have not finished its development but you can already download via DANE/libunbound:
Yesterday the first command succeeded while the second one returned "no data". However, today the NSA is terrorizing the development of the tool and it can no longer establish an internet connection at all:
> ./mk atea.c tii https://www.elstel.org/software/SHA512SUMS
error trying to connect tcp socket to address: Network is unreachable
error trying to connect tcp socket to address: Invalid argument
The exact same program worked yesterday, so it can't be a programming error, at least to my belief.
Please test the tool on your own and tell me about the results!
I am looking forward to hearing about your experience with the tool. For instance, it should be useful to download the SHA512SUMS from cdimage.debian.org. Downloading various programs as well as the gpg key from elstel.org is also supported.
You are aware of hash-slinger's "tlsa" command to generate / verify TLSA
records? It of course insists the TLSA records are secured by DNSSEC,
but it has a --insecure option if you want to test it before your domain
is secured by DNSSEC.
hash-slinger's "tlsa" command? I have never heard of it. I just have the libunbound library here. I do not even have the unbound-host executable here which you mentioned in my previous mail.
The atea tool I am already offering for download is something like a lightweight curl or wget for https/DANE without html support. It can be used to download files though. As far as I have tested it, neither curl nor wget allow you to specify a server certificate. You have to specify a certification authority, which then grants access to all server certificates signed by this CA, which may be direly unsafe. That was the reason why I wrote atea. The tool already works well. It offers the continuation of previously interrupted downloads among other features. The only things that do not work yet are a download progress screen as well as automatic restarts on stalled or interrupted connections. However, I believe this is a minor issue. The tool can be used to download securely, automatically verifying the server certificate via DANE.

DANE is of high value. Since I have a boot stick where Firefox is preconfigured with DANE-verified certificates for secure.dotplex.de and mail.dotplex.com, dozens of people have replied to me who said that they did not receive my emails before. It seems to be 100% rootkit safe. Unfortunately my development environment is not. It is rootkitted, which can be proven with a tool called https://www.elstel.org/debcheckroot/. Any new installation will also be rootkitted within a fraction of a second as soon as I open a browser and visit a site not verified via DANE. As you may know from the Snowden revelations, the NSA is running mirror servers for many public websites which infect the users who visit them. These sites are using rogue certificates. If you want to see such a certificate, visit https://www.elstel.org/DANE/ and download the true and the rogue certificate that is known for this site. Though I am planning to finish the development of atea some time, I would welcome some testing by independent users before!

The problem is that I can only go on with development once I have set up an offline computer with mininet to simulate a network because, as I have told you before, US intelligence is blocking me from continuing my online development effort.
I am looking forward to hearing your comments/responses on the program.
Oh I see. That is different then. The tlsa command is used to generate
or verify certificates with their DNSSEC TLSA record entries. It
supports both websites and mailservers.
A tool that adds curl/wget support for TLSA is cool, although cooler
would be if curl/wget got native support, of course. Maybe Viktor
knows more about curl with openssl/tlsa support?
For Firefox they intentionally do not fix the flaw that you cannot
configure server certificates which use HSTS: https://bugzilla.mozilla.org/show_bug.cgi?id=1606802. I suspect them
of being paid by intelligence because otherwise they would not forcefully
implement a bug like this (previous versions of FF were good). I do
not know how the situation is with wget and curl, but the fact that you
cannot set a server certificate by a command line switch at all
points in the same direction. Why are there dozens of switches to
configure certification authorities but not a single switch for a
server certificate then? The way things are now, all of these projects
are not trustworthy altogether.