There is an opinion: DANE technology for browsers has failed

We look at what DANE, a technology for authenticating domain names using DNS, is and why it is not widely used in browsers.

What is DANE

Certificate Authorities (CAs) are organizations that cryptographically certify SSL certificates. They put their electronic signature on them, confirming their authenticity. However, situations sometimes arise in which certificates are issued with violations. For example, last year Google launched a "distrust procedure" for Symantec certificates because of their compromise (we covered this story in detail in our blog: one and two).

To avoid such situations, several years ago the IETF began developing the DANE technology (but it is not widely used in browsers; we will talk about why that happened later).

DANE (DNS-based Authentication of Named Entities) is a set of specifications that lets you use DNSSEC (Domain Name System Security Extensions) to control the validity of SSL certificates. DNSSEC is an extension to the Domain Name System that mitigates address spoofing attacks. Using these two technologies, a webmaster or a client can contact one of the DNS zone operators and confirm the validity of the certificate in use.

Essentially, DANE acts as a self-signed certificate (the guarantor of its trustworthiness is DNSSEC) and complements the functions of a CA.

How it works

The DANE specification is described in RFC6698. According to the document, a new type was added to DNS resource records: TLSA. It contains information about the certificate being transferred, the size and type of the data being transferred, and the data itself. The webmaster creates a digital fingerprint of the certificate, signs it with DNSSEC, and places it in the TLSA record.

The client connects to a site on the Internet and compares its certificate with the "copy" received from the DNS operator. If they match, the resource is considered trusted.

The DANE wiki page gives the following example of a DNS query to example.org on TCP port 443:

IN TLSA _443._tcp.example.org

The response looks like this:

 _443._tcp.example.com. IN TLSA (
   3 0 0 30820307308201efa003020102020... )
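
As an added example (not from the original article or the DANE wiki), the Python below shows how a client could build the TLSA owner name, parse a record such as the `3 0 0 ...` answer above, and compare it with the certificate the server presented, following the field definitions in RFC 6698. The certificate and key bytes are constructed stand-ins, and `dnssec_validated` is an assumed flag that a validating resolver would supply.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Certificate usage values from RFC 6698; mnemonic names from RFC 7218.
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
# Matching type: how the selected bytes are turned into association data.
MATCHERS = {
    0: lambda data: data,                            # exact match, no hash
    1: lambda data: hashlib.sha256(data).digest(),
    2: lambda data: hashlib.sha512(data).digest(),
}

@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int
    data: bytes

def tlsa_qname(host, port=443, proto="tcp"):
    """Owner name for the TLSA lookup, e.g. _443._tcp.example.org."""
    return f"_{port}._{proto}.{host.rstrip('.')}."

def parse_tlsa(rdata):
    """Parse presentation-format RDATA: 'usage selector mtype hex...'."""
    fields = rdata.replace("(", " ").replace(")", " ").split()
    usage, selector, mtype, *hex_parts = fields
    rec = TLSA(int(usage), int(selector), int(mtype),
               bytes.fromhex("".join(hex_parts)))
    if (rec.usage not in USAGES or rec.selector not in (0, 1)
            or rec.mtype not in MATCHERS):
        raise ValueError("unsupported TLSA parameters")
    return rec

def tlsa_matches(rec, cert_der, spki_der, dnssec_validated):
    """Compare the presented certificate with the TLSA association data."""
    if not dnssec_validated:
        return False   # a TLSA answer without DNSSEC validation proves nothing
    selected = cert_der if rec.selector == 0 else spki_der
    return hmac.compare_digest(MATCHERS[rec.mtype](selected), rec.data)

# Constructed stand-ins for a DER certificate and its SubjectPublicKeyInfo.
CERT = bytes.fromhex("3082000a") + b"constructed-cert"
SPKI = b"constructed-spki"
REC_FULL = f"3 0 0 {CERT.hex()}"                          # full certificate
REC_SPKI = f"3 1 1 {hashlib.sha256(SPKI).hexdigest()}"    # SHA-256 of the key
```

A record with selector 1 keeps matching when the certificate is reissued with the same key, while a `3 0 0` record like the one above has to be republished on every renewal.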

DANE has several extensions that work with DNS records other than TLSA. The first is the SSHFP DNS record for verifying keys on SSH connections. It is described in RFC4255, RFC6594 and RFC7479. The second is the OPENPGPKEY record for key exchange using PGP (RFC7929). Finally, the third is the SMIMEA record (the standard has not been formalized in an RFC, there is only a draft of it) for key exchange via S/MIME.

What is the problem with DANE

In mid-May, the DNS-OARC conference was held (DNS-OARC is a non-profit organization that deals with the security, stability and development of the domain name system). Experts on one of the panels came to the conclusion that DANE technology in browsers has failed (at least in its current implementation). Geoff Huston, Chief Research Scientist at APNIC, one of the five regional Internet registries, who was at the conference, described DANE as a "dead technology".

Popular browsers do not support certificate verification using DANE. There are special plugins on the market that expose the functionality of TLSA records, but support for them is also gradually being discontinued.

The problems with deploying DANE in browsers are related to the length of the DNSSEC validation process. The system is forced to perform cryptographic computations to confirm the authenticity of the SSL certificate and to walk the entire chain of DNS servers (from the root zone to the host's domain) when it first connects to a resource.

Mozilla tried to eliminate this drawback using the DNSSEC Chain Extension mechanism for TLS. It was supposed to reduce the number of DNS records the client has to look up during authentication. However, disagreements arose within the development group that could not be resolved. As a result, the project was abandoned, although it was approved by the IETF in March 2018.

Another reason for DANE's low popularity is the low prevalence of DNSSEC in the world: only 19% of resources work with it. The experts felt that this is not enough to actively promote DANE.

Most likely, the industry will develop in a different direction. Instead of using DNS to verify SSL/TLS certificates, market players will promote the DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) protocols. We mentioned the latter in one of our previous articles on Habr. They encrypt and authenticate user requests to the DNS server, preventing attackers from spoofing data. At the beginning of the year, DoT was already implemented by Google for its Public DNS. As for DANE, whether the technology will be able to "get back in the saddle" and still become widespread remains to be seen.

source: www.habr.com
