DNSSEC
From Electromagnetic Field
DNSSEC, What it is and why you need it
checking that resolving works
- http://dnssectest.sidn.nl/
- http://test.dnssec-or-not.org/
- dig +dnssec pointless.net
- look for the ad (Authenticated Data) flag in the response header, set by a validating resolver
- http://www.dnssec-failed.org/ <- should fail (broken on purpose).
DNSSEC client side plugins
Deploying and managing DNSSEC zones
Publishing key fingerprints in DNS
https/tls (TLSA/DANE)
- DANE RFC
- swede (afaict the other TLSA record generating tools haven't been upgraded to use the new RRTYPE yet).
plugins for TLSA/DANE
- newer patched version of the extended validator that supports TLSA/type 52 records: http://people.redhat.com/pwouters/
- https servers to test against:
ssh
- SSHFP
- actually making it work: http://jpmens.net/2012/07/27/verifyhostkeydns-yessssss/
other useful bits
- http://blog.stalkr.net/2012/03/going-dnssec-unbound-and-powerdns.html
- http://people.redhat.com/pwouters/ <- good presentation and info if you are using fedora.
- http://dnssec-deployment.org/ <- lots and lots of good stuff here.
- js you can embed in your website to see if someone browsing it is dnssec enabled
- [1] <- also good.
- massive amount of stuff here.