-
Notifications
You must be signed in to change notification settings - Fork 2
edmonds/nss-ubdns
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
nss-ubdns - NSS module for DNSSEC validated hostname lookups The nss-ubdns module for the glibc NSS (Name Service Switch) interface returns DNSSEC validated lookups to the NSS "hosts" database. It is a replacement for the standard libresolv based "dns" module that uses the libunbound library for caching and validation. INSTALLATION ============ nss-ubdns requires libunbound and the libunbound development headers to build. Run "make && make install", which will build the plugin and install it to /usr/lib. Reset the "NSSDIR" Makefile variable if /usr/lib is not the correct path for NSS plugins on your platform. CONFIGURATION ============= nss-ubdns reads the list of nameservers from the standard resolver configuration file, /etc/resolv.conf. Only "nameserver" lines are used, any other settings are ignored. The file /etc/nss-ubdns/libunbound.conf, if it exists, will be used to configure the libunbound library. See the unbound.conf(5) man page for more details. A sample libunbound.conf file that minimizes the resources consumed by the resolver is included with nss-ubdns. Trust anchors are configured by creating files in the /etc/nss-ubdns/keys directory. Only files ending in ".key" will be processed. If the unbound server is in use, any files that are in use as auto-trust-anchor-files can be symlinked into this directory. To configure the Name Service Switch to use nss-ubdns instead of the glibc dns plugin, edit the /etc/nsswitch.conf file and change "dns" to "ubdns" for the hosts database (the line beginning with "hosts:"). Note that installing nss-ubdns will cause your host to generate additional DNS queries. You may want to install a local DNS cache to reduce the upstream impact of this additional load. TESTING ======= The "getent hosts", "getent ahostsv4", and "getent ahostsv6" commands can be used to test nss-ubdns. In the following examples, "google.com" is an unsigned zone, "debian.org" is a signed and validatable zone, and "dnssec-failed.org" is a signed but unvalidatable zone. $ getent hosts www.google.com; echo $? 74.125.157.147 www.google.com 74.125.157.99 www.google.com 74.125.157.104 www.google.com 0 $ getent hosts www.debian.org; echo $? 2607:f8f0:610:4000:211:25ff:fec4:5b28 www.debian.org 0 $ getent hosts www.dnssec-failed.org; echo $? 2 BUGS ==== * Aliases are not handled correctly. nss-ubdns returns something like this when the qname is an alias: $ getent hosts www.google.com 74.125.45.147 www.google.com 74.125.45.104 www.google.com 74.125.45.99 www.google.com 74.125.45.105 www.google.com 74.125.45.106 www.google.com 74.125.45.103 www.google.com while nss-dns returns something like this: $ getent hosts www.google.com 74.125.45.147 www.l.google.com www.google.com 74.125.45.104 www.l.google.com www.google.com 74.125.45.99 www.l.google.com www.google.com 74.125.45.105 www.l.google.com www.google.com 74.125.45.106 www.l.google.com www.google.com 74.125.45.103 www.l.google.com www.google.com * Long-running processes will not pick up changes to /etc/nss-ubdns and /etc/resolv.conf. (Though unpatched glibc has the same problem, see http://www.eglibc.org/archives/patches/msg00772.html.) This is a limitation of the libunbound resolver API, which cannot be reconfigured after the first resolution has been performed.
About
NSS module for DNSSEC validated hostname lookups
Resources
Stars
Watchers
Forks
Packages 0
No packages published