Theme fund: Internet Hardening Fund
Start: 2017-02
End: 2019-05

GetDNS

Deliver DNSSEC as a building block in harsh environments

Encrypted communication between two random end points on the internet cannot happen without additional infrastructure through which security parameters are exchanged. The getdns library is a modern asynchronous DNS library for application developers, with an API vetted by application developers. getdns has especially good stub-resolving capabilities, and has been developed alongside and in close co-operation with recent standards for stub resolving, such as DNS over TLS (RFC7858) and acquiring DNSSEC at the stub-resolving level (DNSSEC roadblock avoidance, RFC8027).

Why does this actually matter to end users?

DANE (DNS-Based Authentication of Named Entities) is a method of bootstrapping encrypted TLS channels without third parties (i.e. Certificate Authorities) having to vouch for a name. It gives the owner of the name the means to authenticate the keys used for their TLS-enabled services themselves, by putting the key material (or a reference to it) in the DNSSEC-signed zone for the name.

DNSSEC validation is an absolute requirement for verifying DANE-enabled TLS sessions. DANE was recently added by Forum Standaardisatie to the Dutch government's list of mandatory standards, together with STARTTLS. Applications that employ DANE to set up TLS connections need to be able to retrieve and verify DNSSEC records reliably. New work in TLS, which embeds DANE in a TLS extension, also needs to validate DNSSEC in order to authenticate a TLS session (see: https://tools.ietf.org/html/draft-ietf-tls-dnssec-chain-extension-01).
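As an added illustration (not code from the getdns project), this is the check an application has to make before it trusts a DANE record: the TLSA RRset must have been DNSSEC-validated, and one of its DANE-EE records must match the certificate the server actually presented. The DER byte strings and the `dnssec_status` strings are constructed stand-ins; the status values "secure", "insecure" and "bogus" are assumed names for the per-reply validation status a validating stub resolver such as getdns reports.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSARecord:
    usage: int      # 3 = DANE-EE: the record describes the end-entity certificate itself
    selector: int   # 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
    mtype: int      # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse TLSA presentation format, e.g. '3 1 1 <hex digest>'."""
    usage, selector, mtype, hexdata = presentation.split(None, 3)
    return TLSARecord(int(usage), int(selector), int(mtype),
                      bytes.fromhex(hexdata.replace(" ", "")))


def association_data(cert_der: bytes, spki_der: bytes, selector: int, mtype: int) -> bytes:
    """Compute what the TLSA data field should contain for the presented certificate."""
    selected = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return selected
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def dane_ee_matches(rrset, cert_der: bytes, spki_der: bytes, dnssec_status: str) -> bool:
    """True only if the TLSA RRset is DNSSEC-validated ("secure") and at least one
    usable DANE-EE record matches the end-entity certificate the server presented.
    An "insecure" or "bogus" RRset carries no authentication, so it never matches."""
    if dnssec_status != "secure":
        return False
    for rr in rrset:
        if rr.usage != 3 or rr.selector not in (0, 1) or rr.mtype not in (0, 1, 2):
            continue  # unknown or unsupported parameters: the record is unusable, skip it
        expected = association_data(cert_der, spki_der, rr.selector, rr.mtype)
        if hmac.compare_digest(rr.data, expected):
            return True
    return False


# Constructed sample input: stand-ins for DER bytes, not a real certificate or key.
SAMPLE_CERT_DER = b"constructed-end-entity-certificate-der"
SAMPLE_SPKI_DER = b"constructed-subject-public-key-info-der"
SAMPLE_TLSA_OK = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI_DER).hexdigest()
SAMPLE_TLSA_WRONG = "3 1 1 " + hashlib.sha256(b"some-other-key").hexdigest()
```

Other certificate usages (DANE-TA, PKIX-TA, PKIX-EE) need chain building on top of this and are deliberately left out here.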

Because of the technical complexity of DNSSEC, DANE support has so far been quite complex for developers to work with. One of the key features of getdns, introduced above, is the ability to deliver DNSSEC as a building block in harsh environments. In this project we implement a number of essential components of this library, and work on mechanisms that make it easy to integrate the library at the system level as well.

Run by NLnet Labs


This project was funded through the Internet Hardening Fund, a fund established by NLnet with financial support from the Netherlands Ministry of Economic Affairs and Climate Policy.