EldoS | Feel safer!

How to verify DNS Sec ??

#30250
Posted: 08/11/2014 00:14:28
by Erich Kuba (Standard support level)
Joined: 05/16/2013
Posts: 38

Hi there,

I am trying to implement DNSSec verification, and have implemented a TElDNSResolver object to query the DNS Servers. It works, but it wants to execute the OnKeyValidate event to validate the key from the server, but I have no idea how to do that.

I have searched the web for examples, but it seems that there is no example.

The domain that I am trying to verify is www.verisign.com (I am only using that because I am led to believe that DNSSec is perfectly setup for that domain and hence makes a good test case for my client software)

I have read the docs several times and whilst I understand that the resolver is wanting to validate the key, I simply don't know how to implement such validation.

Any advice would be appreciated.

Kind regards

Erich
#30251
Posted: 08/11/2014 02:39:49
by Alexander Ionov (EldoS Corp.)

Thank you for contacting us.

As far as I remember, the TElDNSResolver class requires you to validate the root key of the chain for the key of the domain you're resolving. Because SecureBlackbox does not handle any storage of trusted root keys for DNSSEC, it's up to you how to do this. You can create a storage of trusted keys and just perform a binary comparison of the key in your trusted key storage and the key you have in the OnKeyValidate event handler. There you have the Key parameter, which has the PublicKey property, which is a byte array. So there is no problem comparing 2 byte arrays. If they are equal, the key can be called valid and you should set the Valid parameter to True.


--
Best regards,
Alexander Ionov
#30252
Posted: 08/11/2014 04:09:08
by Erich Kuba (Standard support level)
Joined: 05/16/2013
Posts: 38

An example would be really nice ... There are good examples on everything else, but not DNSSEC, and it's above my pay grade ... Hence why I'm a customer of yours.

Do you guys have any examples that you could give me access to?
#30254
Posted: 08/11/2014 05:14:30
by Alexander Ionov (EldoS Corp.)

Unfortunately there is no example for DNSSEC available at the moment. And you're the first one who asked us about DNSSEC usage since it was introduced 3 or 4 years ago. I'm going to create a very simple example by the end of this week.


--
Best regards,
Alexander Ionov
#30262
Posted: 08/11/2014 13:30:23
by Erich Kuba (Standard support level)
Joined: 05/16/2013
Posts: 38

Thank you. That would help a lot. Please advise when it's available.
#30373
Posted: 08/15/2014 05:58:16
by Alexander Ionov (EldoS Corp.)

Here is a very simple program that validates dnssec keys for com and net domains. There is dnssecdemo.ini file which contains those keys. This is a very simple storage. In production KeyTag values must also be stored and checked.

Sample


--
Best regards,
Alexander Ionov
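The trusted-key check described in this thread (a binary comparison of the DNSKEY PublicKey bytes plus, as noted for production, the KeyTag), written out as an added Python illustration; this is not SecureBlackbox code nor the attached sample, and the INI layout, the handler name and the key bytes are constructed assumptions. The key tag is computed from the DNSKEY RDATA as specified in RFC 4034 Appendix B.

```python
"""Trusted-key store for an OnKeyValidate-style DNSSEC callback (illustration only)."""
import base64
import configparser
import hmac

# Constructed INI text standing in for a trusted-key file such as the thread's
# dnssecdemo.ini (whose real layout is not shown). Keys are NOT real DNSKEYs.
TRUSTED_KEYS_INI = """
[com.]
keytag = 2063
publickey = AQIDBA==

[net.]
keytag = 6689
publickey = CgsMDQ==
"""


def key_tag(flags: int, protocol: int, algorithm: int, public_key: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags, protocol, alg, key)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def load_trusted_keys(ini_text: str) -> dict:
    """Owner name (lower-case, trailing dot) -> list of (keytag, raw public key)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    store: dict = {}
    for owner in cfg.sections():
        entry = (cfg[owner].getint("keytag"), base64.b64decode(cfg[owner]["publickey"]))
        store.setdefault(owner.lower(), []).append(entry)
    return store


def on_key_validate(store: dict, owner: str, flags: int, protocol: int,
                    algorithm: int, public_key: bytes) -> bool:
    """Return the value a handler would assign to its Valid parameter."""
    if protocol != 3 or not flags & 0x0100:      # RFC 4034: protocol 3, zone-key bit set
        return False
    name = owner.lower() if owner.endswith(".") else owner.lower() + "."
    tag = key_tag(flags, protocol, algorithm, public_key)
    for trusted_tag, trusted_key in store.get(name, ()):
        # Both the KeyTag and the full key bytes must match (constant-time compare).
        if tag == trusted_tag and hmac.compare_digest(public_key, trusted_key):
            return True
    return False
```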
