0

It doesn't happen often that a root name server changes, but when it does sometimes it takes months for OS vendors to provide patches and in the mean time there is a security risk.

So:

How to get named.cache (or named.root/db.cache from the same directory - the files are identical) in a secure way from http://www.internic.net/zones/ or ftp://ftp.internic.net/domain/ or http://www.internic.net/domain/?

The server behind those URLs does not support https. But there are md5 and sig files in these directories for every data file available.

As md5 isn't that secure, could the sig files be used?

If so, how?

(Note I'm not asking this on unix.stackexchange.com or superuser.com as I'm interested in the security aspect of this in a platform neutral way).

2 Answers2

1

The .sig file provided for each zone allows for an method of verification using the signature located at the bottom of the INTERNIC_ROOT_ZONE.signatures.asc file.

Using PGP you can then do the following for verification (see PGP key here):

$ gpg --keyserver --recv-key 0x0BD07395
$ gpg --verify zone.sig zone
jas-
  • 929
  • 5
  • 9
  • So how do I know http://www.internic.net/zones/INTERNIC_ROOT_ZONE.signatures.asc is secure? – Jeroen Wiert Pluimers May 31 '15 at 14:56
  • With 100% certainty; you don't nor will you ever unless you are the one holding the private key used to derive the public key embedded within that file. So essentially there is a level of trust that the individual that is signing those packages is doing their due diligence in protecting the private keys associated with the signatures of the packages listed. Seeing as how these are indeed `root` level DNS servers there is a level of security that is employed that should allow you trust it. – jas- May 31 '15 at 15:00
  • I didn't mean that far fetched. Just how to get their public key securely. As this fails: `gpg --verify named.root.sig named.root gpg: Signature made Sat May 23 14:50:54 2015 CEST using DSA key ID 0BD07395 gpg: Can't check signature: No public key` (I'm new to gpg) – Jeroen Wiert Pluimers May 31 '15 at 15:01
  • Your question was "How do I know it is secure", my response addresses the nature of trust; how is that "far fetched" exactly? In regards to PGP usage here is a good document: http://www.pgpi.org/doc/pgpintro/#p12 – jas- May 31 '15 at 15:27
  • That's probably me not being native English. I meant that I'm not questioning their private key keeping, but only wanted to get hold of the necessary public information to verify what they signed. Hence my last question: how to obtain the'r public key in a secure way (on a system that I'm certain enough of it has a functioning DNS system). Reading the docs leads me to "I need to find the key server where their public key is stored". If you have any tips on that, please let me know. When not I'll try and dig further. Thanks for the help so far. – Jeroen Wiert Pluimers May 31 '15 at 15:43
  • 1
    To be honest I am not certain where their public key is for verification. You may have to contact them for it. Usually that is public domain but I couldn't find it in their site. – jas- May 31 '15 at 15:46
  • Thanks. I could only one post referring to their key so far: http://xenotrope.blogspot.nl/2015/04/on-dnssec-part-2-i-actually-used-dnssec.html which didn't get me much further. I'll do some more digging and let the results know here. – Jeroen Wiert Pluimers May 31 '15 at 15:50
  • 1
    Found it (yes, I know about https://www.youtube.com/watch?v=ibF36Yyeehw): `gpg --keyserver keys.gnupg.net --recv-key 0BD07395` which means I trust `keys.gnupg.net`, the way `gpg` communicates with `keys.gnupg.net` and the way Internic has communicated their public key to `keys.gnupg.net`. – Jeroen Wiert Pluimers May 31 '15 at 16:05
  • That is incorrect; the public key can be found by following this URL. http://www.internic.net/domains.html I will update the answer to reflect this as well. – jas- May 31 '15 at 18:47
  • But there is no https version of https://www.internic.net/domains.html, so you cannot download that public key in a secure way. Whereas pgp can receive it in a secure way. – Jeroen Wiert Pluimers May 31 '15 at 18:50
  • 1
    Note I needed this one: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0BD07395 – Jeroen Wiert Pluimers May 31 '15 at 18:58
  • Where did you find that? Did you just search for internet keys? – jas- May 31 '15 at 19:03
  • From the first message pgp gave me when checking the signature for `named.root`: `Signature made Sat May 23 14:50:54 2015 CEST using DSA key ID 0BD07395` – Jeroen Wiert Pluimers May 31 '15 at 19:04
0

Without SSL an attacker can potentially modify the data files and the md5 signature files to match. So they provide little security. Md5 checksums should be provided over SSL to secure them tho this isn't frequently done. The sig files don't need SSL to be secure provided that you securely get the public key.

Neil Smithline
  • 14,702
  • 4
  • 38
  • 55