[DNSOP] BIND implementation of draft-muks-dnsop-dns-message-checksums
Mukund Sivaraman <muks@isc.org> Sun, 25 October 2015 09:41 UTC
Date: Sun, 25 Oct 2015 15:11:03 +0530
From: Mukund Sivaraman <muks@isc.org>
To: dnsop@ietf.org
Message-ID: <20151025094103.GA22337@jurassic.l0.malgudi.org>
Hi all

Ref: https://datatracker.ietf.org/doc/draft-muks-dnsop-dns-message-checksums/

A preliminary BIND implementation of DNS message checksums is here:

https://github.com/muks/bind9/

.. in the "dns-message-checksums" branch. You can configure BIND as an authoritative server and play with it using dig from the same tree. dig requests a checksum by default (use +nochecksum to disable) and should return output whether the checksum validation passed or not. The exchange can be observed using a packet capture tool such as Wireshark. It uses the experimental EDNS0 OPTION-CODE 65002. Checksum validation MUST fail when the message is poisoned or the nonce mismatches.

(Note that currently, BIND as resolver doesn't signal support for the option to servers. Use dig to test it for now.)

It implements the draft as specified, adds some behaviors and a checksum algorithm that are to be introduced in revision -02. A working copy of that upcoming revision can be seen here:

https://users.isc.org/~muks/draft-muks-dnsop-dns-message-checksums.txt

Mukund
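The post mentions that the experiment is carried in EDNS0 option code 65002 and that the exchange can be inspected in a packet capture. The following is an added example (not code from the BIND branch or the draft) that builds and parses an OPT pseudo-RR per RFC 6891 and pulls out the option 65002 data, rejecting truncated or mis-sized options; the payload bytes are a constructed placeholder, since this post does not define the option's wire layout.

```python
import struct

# Experimental EDNS0 option code named in the post; the draft defines its payload.
CHECKSUM_OPTION_CODE = 65002
OPT_TYPE = 41


def parse_edns_options(rdata: bytes) -> dict:
    """Parse OPT RDATA (RFC 6891 s6.1.2: code, length, data ...) into {code: data}.
    Raises ValueError when an option header or body runs past the RDATA."""
    options = {}
    pos = 0
    while pos < len(rdata):
        if pos + 4 > len(rdata):
            raise ValueError("truncated EDNS option header")
        code, length = struct.unpack("!HH", rdata[pos:pos + 4])
        pos += 4
        if pos + length > len(rdata):
            raise ValueError("EDNS option %d length %d exceeds RDATA" % (code, length))
        options[code] = rdata[pos:pos + length]
        pos += length
    return options


def parse_opt_rr(record: bytes) -> tuple:
    """Parse one complete OPT RR: root name, TYPE 41, UDP size, ext-rcode, version,
    flags, RDLENGTH, RDATA. Returns (udp_payload_size, do_bit, options)."""
    if len(record) < 11 or record[0] != 0:
        raise ValueError("OPT RR must start with the root name")
    rtype, udp_size, _ext_rcode, version, flags, rdlen = struct.unpack("!HHBBHH", record[1:11])
    if rtype != OPT_TYPE:
        raise ValueError("not an OPT RR")
    if version != 0:
        raise ValueError("unsupported EDNS version %d" % version)
    if len(record) != 11 + rdlen:
        raise ValueError("OPT RR RDLENGTH does not match record size")
    return udp_size, bool(flags & 0x8000), parse_edns_options(record[11:])


def build_opt_rr(udp_size: int, options: dict) -> bytes:
    """Serialise an OPT RR (version 0, no flags) carrying the given options."""
    body = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options.items())
    return b"\x00" + struct.pack("!HHBBHH", OPT_TYPE, udp_size, 0, 0, 0, len(body)) + body


def checksum_option(record: bytes):
    """Return the raw option 65002 data from an OPT RR, or None if absent."""
    return parse_opt_rr(record)[2].get(CHECKSUM_OPTION_CODE)


# Constructed sample: an NSID request (code 3, empty) plus a 65002 option whose
# 8-byte payload is a placeholder, not the draft's real checksum/nonce layout.
SAMPLE_OPT = build_opt_rr(4096, {3: b"", CHECKSUM_OPTION_CODE: bytes(range(8))})
```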