A few weeks ago, the weather on Ibiza was 22C, partly cloudy; you may recall that I showed you how to do dynamic DNS updates. If I query the weather now, look what I get:
dig +dnssec +multiline -p 5053 ibiza.temp.aa txt
;; ANSWER SECTION:
ibiza.temp.aa. 120 IN TXT "Fair 24 C"
ibiza.temp.aa. 120 IN RRSIG TXT 7 3 120 20101211152628 (
20101113152628 16487 temp.aa.
Yp5G0fGUmUFfKkOtQyo5AsKP1pvRWuObO3EpyPxNH8Rc
aew93Ot3mWSTnDHuKs1ua6eCsRYQMXUdHkyetLKkIoGW
7UOBmngy/MQVq3Bx16B4pKesFPVan4DIWuiKt9sw32FA
ljbS+LH8eVyv+pZbmPcpwG6bwDcpD76OzIQlX/0= )
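As an added example (not code from the post, and not part of Phreebird), here is a small Python parser for the dig +multiline RRSIG printed above, together with the two checks a validating resolver makes before it touches any cryptography: is the time of the query inside the signature's inception..expiration window, and do the signer name and label count fit the owner name. The input is the answer exactly as shown above, embedded as a string; the code assumes nothing beyond the RDATA field order fixed in RFC 4034.

```python
import base64
from datetime import datetime, timezone

# Input taken from the dig output in the post above (TXT answer plus its
# RRSIG); the base64 signature is the one printed there.
DIG_ANSWER = """\
ibiza.temp.aa. 120 IN TXT "Fair 24 C"
ibiza.temp.aa. 120 IN RRSIG TXT 7 3 120 20101211152628 (
                20101113152628 16487 temp.aa.
                Yp5G0fGUmUFfKkOtQyo5AsKP1pvRWuObO3EpyPxNH8Rc
                aew93Ot3mWSTnDHuKs1ua6eCsRYQMXUdHkyetLKkIoGW
                7UOBmngy/MQVq3Bx16B4pKesFPVan4DIWuiKt9sw32FA
                ljbS+LH8eVyv+pZbmPcpwG6bwDcpD76OzIQlX/0= )
"""


def _dnssec_time(stamp):
    """RRSIG times are YYYYMMDDHHmmSS in UTC (RFC 4034, section 3.2)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(text):
    """Return the first RRSIG in dig +multiline output as a dict.

    RFC 4034 fixes the RDATA order: type covered, algorithm, labels,
    original TTL, expiration, inception, key tag, signer name, and then
    the base64 signature, which dig wraps across lines inside parentheses.
    """
    tokens = text.replace("(", " ").replace(")", " ").split()
    i = tokens.index("RRSIG")
    return {
        "owner": tokens[i - 3],
        "ttl": int(tokens[i - 2]),
        "type_covered": tokens[i + 1],
        "algorithm": int(tokens[i + 2]),
        "labels": int(tokens[i + 3]),
        "original_ttl": int(tokens[i + 4]),
        "expiration": _dnssec_time(tokens[i + 5]),
        "inception": _dnssec_time(tokens[i + 6]),
        "key_tag": int(tokens[i + 7]),
        "signer": tokens[i + 8],
        "signature": base64.b64decode("".join(tokens[i + 9:])),
    }


def rrsig_is_current(rrsig, now=None):
    """A validator accepts the signature only inside [inception, expiration]."""
    now = now or datetime.now(timezone.utc)
    return rrsig["inception"] <= now <= rrsig["expiration"]


def rrsig_sanity(rrsig):
    """Structural checks made before any crypto: the signer must be the
    owner's zone (or an ancestor), and the labels field must not exceed the
    owner's label count (fewer means a wildcard expansion, more is malformed)."""
    owner_labels = rrsig["owner"].rstrip(".").split(".")
    signer_labels = rrsig["signer"].rstrip(".").split(".")
    in_zone = owner_labels[-len(signer_labels):] == signer_labels
    return in_zone and rrsig["labels"] <= len(owner_labels)


if __name__ == "__main__":
    r = parse_rrsig(DIG_ANSWER)
    print("signed by key tag %d of %s, %d-byte signature"
          % (r["key_tag"], r["signer"], len(r["signature"])))
    print("sane:", rrsig_sanity(r))
    print("valid on 2010-11-20:",
          rrsig_is_current(r, datetime(2010, 11, 20, tzinfo=timezone.utc)))
    print("valid now:", rrsig_is_current(r))
```

Two things worth noticing in the parsed record: the signature decodes to 128 bytes, i.e. a 1024-bit RSA key, and the validity window is four weeks wide on a record whose TTL is 120 seconds. A signed answer captured inside that window stays acceptable to a resolver until the expiration date regardless of the TTL, which is the trade-off behind caching signed answers on a proxy like this.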
The weather has changed of course. :-) But the important bit here is that the record is signed! The DNSSEC-signed resource record set is courtesy of Phreebird, a tool just released by Dan Kaminsky. It sits as a kind of proxy between a client and your non-DNSSEC-capable DNS server (e.g. PowerDNS) and signs RRsets on the fly before returning them to the client. What I did, without touching the temp.aa zone whatsoever, was to add Phreebird (I changed its port numbers) and query that. To get started, build and install the prerequisites (from the deps/ directory).
Then create a key (or have Phreebird create a key for you with -g):
ldns-keygen -a RSASHA1 temp.aa
Ktemp.aa.+005+14607
Launch Phreebird:
bin/phreebird -k Ktemp.aa.+005+14607.private
Send it a query. Use any domain name served by your local DNS server. I repeat: any domain name. (See above.) You have a key generated by Phreebird in the file dns.key and need the DS record to publish at your parent? Here it is:
dig -p 5053 temp.aa ds
;; ANSWER SECTION:
temp.aa. 3600 IN DS 14607 5 1 9DE5D716CFDFC6FBF09AC3DEEABCCC1A710F8C9B
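A DS record is derived from the DNSKEY rather than stored separately: the key tag is the RFC 4034 Appendix B checksum over the DNSKEY RDATA, and the digest (type 1 = SHA-1 in the DS above) is taken over the canonical wire-format owner name followed by the DNSKEY RDATA. The following Python is added here and is not part of the post or of Phreebird; it recomputes a DS from a DNSKEY so you can confirm that what you publish at the parent really belongs to the key the proxy signs with. The DNSKEY bytes are a constructed placeholder, not the temp.aa key.

```python
import hashlib

# Constructed DNSKEY RDATA, NOT the real temp.aa key: flags 257 (KSK/SEP bit),
# protocol 3, algorithm 5 (RSASHA1), then a placeholder public-key field in
# RFC 3110 layout (exponent length, exponent, modulus) kept tiny on purpose.
DNSKEY_RDATA = bytes([0x01, 0x01, 0x03, 0x05]) + bytes(
    [0x03, 0x01, 0x00, 0x01, 0xAB, 0xCD, 0xEF, 0x01])

# DS digest types from RFC 4034 / RFC 4509.
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256}


def wire_name(name):
    """Owner name in canonical wire form: lowercased, length-prefixed labels,
    terminated by the root (zero-length) label."""
    out = bytearray()
    for label in name.lower().rstrip(".").split("."):
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit ones-complement-style sum over
    the DNSKEY RDATA, even bytes weighted high, odd bytes low."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, rdata, digest_type=1):
    """DS presentation format: '<key tag> <algorithm> <digest type> <hex digest>'.
    The algorithm number is byte 3 of the DNSKEY RDATA."""
    algorithm = rdata[3]
    digest = DIGEST_ALGOS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return "%d %d %d %s" % (key_tag(rdata), algorithm, digest_type, digest)


def ds_matches(owner, rdata, ds_text):
    """True if the DS text (as dig prints it) was derived from this DNSKEY."""
    tag, alg, dtype, digest = ds_text.split(None, 3)
    dtype = int(dtype)
    if dtype not in DIGEST_ALGOS:
        return False
    expected = ds_record(owner, rdata, dtype)
    return expected.split() == [tag, alg, str(dtype), digest.replace(" ", "").upper()]


if __name__ == "__main__":
    print(ds_record("temp.aa.", DNSKEY_RDATA))
    # The DS shown in the post was made from a different key, so this is False.
    print(ds_matches("temp.aa.", DNSKEY_RDATA,
                     "14607 5 1 9DE5D716CFDFC6FBF09AC3DEEABCCC1A710F8C9B"))
```

The key tag in the DS above (14607) is the same number ldns-keygen put into the key file name, Ktemp.aa.+005+14607, which is the quick way to tell which key a DS refers to. Feed ds_matches the DNSKEY you actually serve and the DS line your parent publishes; a mismatch there is the most common reason a freshly signed zone fails validation.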
Time over DNS
dig -p 5053 _dns._time txt
;; ANSWER SECTION:
_dns._time. 1 IN TXT "v=dtm1 t=20101114144106"
This is wow! Phreebird supports
- automatic key generation (but I can provide my own key)
- zero configuration, apart from an initial key (which can be generated automatically)
- real-time signing with caching of signed answers
Read more on what goes on behind the scenes in Dan’s slides. The utility is not ready for production yet, but it may soon be. If and when it is ready, I expect this to revolutionize and greatly speed up DNSSEC deployment.