Hi,

the GNOME Sysadmin team worked hard recently to set up DNSSEC on the
gnome.org DNS tree, and we can finally say that both of our major domains
(gnome.org, guadec.org) are now successfully covered by DNSSEC.

This means that you can verify that the resources you are viewing really
come from the GNOME servers and not from some other server sitting between
you and GNOME (a man-in-the-middle attack).

How can you verify that you are really connecting to git.gnome.org,
master.gnome.org or webapps2.gnome.org? (webapps2.gnome.org is the host you
should connect to when updating your people.gnome.org webspace)

ssh -oVerifyHostKeyDNS=yes -v git.gnome.org

Or add the option permanently to your /etc/ssh/ssh_config file this way:

VerifyHostKeyDNS=yes

Then run 'ssh -v git.gnome.org'; this is the result you should see (the same
procedure works for the other hosts listed above):

debug1: Server host key: RSA 00:39:fd:1a:a4:2c:6b:28:b8:2e:95:31:c2:90:72:03
debug1: found 1 secure fingerprints in DNS
debug1: matching host key fingerprint found in DNS
debug1: ssh_rsa_verify: signature correct
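What VerifyHostKeyDNS actually checks behind those debug1 lines is that a DNSSEC-validated SSHFP record for the host carries the digest of the server's public-key blob. The following is an added example, not code from the announcement or from OpenSSH: it computes the SSHFP RDATA and the old colon-separated fingerprint from a public-key line, parses a dig-style SSHFP answer, and only treats the fingerprints as "secure" when the answer carries the AD flag. The Ed25519 key, the dig output and the hostname used as owner name are all constructed for the example.

```python
"""
Added example (not from the announcement or from OpenSSH): what the VerifyHostKeyDNS
check does with an SSHFP answer. An SSHFP record (RFC 4255 / RFC 6594) carries
<algorithm> <fingerprint type> <hex digest>, where the digest is taken over the raw
public-key blob (the base64 part of a public-key line). The host key and the dig
output below are constructed for the example.
"""
import base64
import hashlib
import re
import struct

# SSHFP algorithm numbers: 1=RSA 2=DSA 3=ECDSA 4=Ed25519; fingerprint types: 1=SHA-1 2=SHA-256
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
             "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def constructed_ed25519_pubkey_line(seed: int) -> str:
    """Build a syntactically valid ssh-ed25519 public-key line from a made-up 32-byte value.
    Constructed for this example only: it is not a real key and has no private half."""
    point = bytes((seed * 7 + i) % 256 for i in range(32))
    blob = ssh_string(b"ssh-ed25519") + ssh_string(point)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " example-host"


def key_blob(pubkey_line: str):
    """Return (key type, raw blob) for a public-key line, checking the type inside the blob."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type inside blob does not match the line")
    return keytype, blob


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the format of 'debug1: Server host key: RSA 00:39:...'."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def sshfp_rdata(pubkey_line: str):
    """The SSHFP records a zone would publish for this key, as (alg, fptype, hexdigest)."""
    keytype, blob = key_blob(pubkey_line)
    alg = SSHFP_ALG[keytype]
    return {(alg, fptype, h(blob).hexdigest()) for fptype, h in SSHFP_DIGEST.items()}


FLAGS_RE = re.compile(r"^;; flags: ([a-z ]+);")
SSHFP_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SSHFP\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f ]+)$")


def parse_dig_sshfp(text: str):
    """Pull the AD flag and the SSHFP RRset out of 'dig +dnssec <host> SSHFP' style output."""
    ad, records = False, set()
    for line in text.splitlines():
        m = FLAGS_RE.match(line)
        if m:
            ad = "ad" in m.group(1).split()
            continue
        m = SSHFP_RE.match(line.strip())
        if m:
            records.add((int(m.group(1)), int(m.group(2)), m.group(3).replace(" ", "").lower()))
    return ad, records


def verify_host_key_dns(pubkey_line: str, dig_output: str) -> str:
    """Same decision ssh makes: only a DNSSEC-validated (AD) answer counts as 'secure fingerprints'."""
    ad, records = parse_dig_sshfp(dig_output)
    if not records:
        return "no-fingerprints"
    if not ad:
        return "insecure"        # fingerprints were found but cannot be trusted
    return "match" if sshfp_rdata(pubkey_line) & records else "mismatch"


def constructed_dig_output(host: str, pubkey_line: str, ad: bool = True) -> str:
    """Constructed stand-in for a resolver's answer; real output comes from dig."""
    flags = "qr rd ra ad" if ad else "qr rd ra"
    lines = [f";; flags: {flags}; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1"]
    for alg, fptype, digest in sorted(sshfp_rdata(pubkey_line)):
        lines.append(f"{host}. 3600 IN SSHFP {alg} {fptype} {digest}")
    return "\n".join(lines)


if __name__ == "__main__":
    key = constructed_ed25519_pubkey_line(1)
    print("host key fingerprint:", md5_fingerprint(key_blob(key)[1]))
    print("validated answer:", verify_host_key_dns(key, constructed_dig_output("git.gnome.org", key)))
    print("unvalidated answer:", verify_host_key_dns(key, constructed_dig_output("git.gnome.org", key, ad=False)))
```

The "insecure" branch is the one to watch in practice: a resolver that does not validate (no AD flag, or ssh told to trust a stub resolver's answer) gives you the "found N fingerprints" line without any protection, so VerifyHostKeyDNS only helps when the machine's resolver actually validates DNSSEC.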

If you instead want to check that gnome.org or guadec.org are being
correctly validated by your DNS resolver, use dig this way:

dig . DNSKEY | grep -Ev '^($|;)' > root.keys

dig +sigchase +trusted-key=./root.keys gnome.org. A | cat -n

The result you should see:

   105 ;; WE HAVE MATERIAL, WE NOW DO VALIDATION
   106 ;; VERIFYING DS RRset for org. with DNSKEY:59085: success
   107 ;; OK We found DNSKEY (or more) to validate the RRset
   108 ;; Ok, find a Trusted Key in the DNSKEY RRset: 59085
   109 ;; Ok, find a Trusted Key in the DNSKEY RRset: 19036
   110 ;; VERIFYING DNSKEY RRset for . with DNSKEY:19036: success
   111
   112 ;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS
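The lines ";; VERIFYING DS RRset for org. with DNSKEY:59085" and ";; Ok, find a Trusted Key in the DNSKEY RRset: 19036" describe the chain of trust that sigchase walks: from a configured trust anchor at the root, through a DS record in each parent that commits to a key tag and a digest of the child's DNSKEY, down to the zone being queried. The following is an added example, not code from the announcement or from BIND, that computes RFC 4034 key tags and DS digests and walks that DS chain over three made-up zones; RRSIG signature verification, which a real validator performs at every step, is deliberately left out, and the key tags in the real output above are not reproduced. Note that +sigchase is an experimental option that newer dig builds no longer include; on such builds, querying a validating resolver with `dig +dnssec gnome.org. A` and checking for the `ad` flag in the answer header is the equivalent check.

```python
"""
Added example (not from the announcement or from BIND): the DS link that the sigchase
output reports as ';; VERIFYING DS RRset for org. with DNSKEY:<tag>'. A parent zone
publishes a DS record holding the key tag, algorithm and digest of the child's DNSKEY;
the digest is taken over the child's owner name in wire form followed by the DNSKEY
RDATA (RFC 4034 section 5.1.4), and the key tag is the RFC 4034 Appendix B checksum of
the RDATA. All keys here are made-up byte strings. RRSIG checking is left out.
"""
import hashlib
import struct

# DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key
# DS RDATA:     key tag(2) algorithm(1) digest type(1) digest
KSK_FLAGS = 257            # zone key + secure entry point
DS_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: 'org.' -> b'\\x03org\\x00', '.' -> b'\\x00'."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes, protocol: int = 3) -> bytes:
    return struct.pack(">HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except the obsolete RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int = 2):
    """The DS record the parent would publish for this DNSKEY: (tag, alg, digest type, hex digest)."""
    digest = DS_DIGEST[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def ds_matches_dnskey(owner: str, ds, rdata: bytes) -> bool:
    """Does this DS from the parent authenticate this DNSKEY from the child?"""
    tag, alg, dtype, digest = ds
    if dtype not in DS_DIGEST or key_tag(rdata) != tag or rdata[3] != alg:
        return False
    return ds_from_dnskey(owner, rdata, dtype)[3] == digest.lower()


def walk_ds_chain(chain, trust_anchor_tags):
    """Follow the DS links from the root down, the way the sigchase output walks them.
    chain: [(zone, dnskey_rrset, ds_rrset_from_parent_or_None), ...] starting at '.'.
    Returns ([(zone, accepted key tag), ...], True), or the partial list and False."""
    accepted = []
    anchors = set(trust_anchor_tags)
    for zone, dnskeys, ds_set in chain:
        if ds_set is None:      # root zone: keys are accepted from the configured trust anchor
            ok = [key_tag(k) for k in dnskeys if key_tag(k) in anchors]
        else:
            ok = [key_tag(k) for k in dnskeys for ds in ds_set if ds_matches_dnskey(zone, ds, k)]
        if not ok:
            return accepted, False
        accepted.append((zone, ok[0]))
    return accepted, True


def constructed_chain(tamper: bool = False):
    """Made-up DNSKEYs for ., org. and gnome.org. plus the DS records linking them."""
    root = dnskey_rdata(KSK_FLAGS, 8, bytes(range(1, 65)))
    org = dnskey_rdata(KSK_FLAGS, 8, bytes(range(65, 129)))
    gnome = dnskey_rdata(KSK_FLAGS, 8, bytes(range(129, 193)))
    # the DS for org. lives in the root zone, the DS for gnome.org. lives in org.
    ds_org = ds_from_dnskey("org.", org)
    ds_gnome = ds_from_dnskey("gnome.org.", gnome)
    if tamper:   # a substituted gnome.org key no longer matches the DS its parent published
        gnome = dnskey_rdata(KSK_FLAGS, 8, bytes(range(129, 193))[::-1])
    chain = [(".", [root], None), ("org.", [org], [ds_org]), ("gnome.org.", [gnome], [ds_gnome])]
    return chain, [key_tag(root)]


if __name__ == "__main__":
    chain, anchors = constructed_chain()
    print("intact chain:  ", walk_ds_chain(chain, anchors))
    chain, anchors = constructed_chain(tamper=True)
    print("tampered chain:", walk_ds_chain(chain, anchors))
```

The tampered run stops at gnome.org. with the partial list of accepted zones, which is the shape of failure a validating resolver turns into SERVFAIL: a key that is not committed to by its parent's DS is simply not trusted, no matter how well-formed it is.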

We'll be working to move more domains over to DNSSEC in the near future.

Have an awesome day everyone!

-- 
Cheers,

Andrea

Debian Developer,
Fedora / EPEL packager,
GNOME Sysadmin,
GNOME Foundation Membership & Elections Committee Chairman

Homepage: http://www.gnome.org/~av
_______________________________________________
desktop-devel-list mailing list
desktop-devel-list@gnome.org
https://mail.gnome.org/mailman/listinfo/desktop-devel-list