Let us talk about what the DANE technology for authenticating domain names via DNS is, and why it is not widely used in browsers.

What DANE is
Certification Authorities (CAs) are the organisations that issue cryptographic certificates. They put their digital signature on each certificate, vouching for its authenticity. Sometimes, however, a certificate is issued improperly. For example, last year Google started down a "path of distrust" towards Symantec certificates because of concerns about them (we covered that story in detail in our blog).

To avoid situations like this, several years ago the IETF proposed the DANE technology (which, however, is not widely used in browsers; we will discuss why later).

DANE (DNS-based Authentication of Named Entities) is a set of specifications that lets you use DNSSEC (Domain Name System Security Extensions) to check the validity of SSL certificates. DNSSEC is an extension of the Domain Name System that limits address-spoofing attacks. Using the two technologies together, a website administrator or a client can query a DNS zone operator and confirm the validity of the certificate in use.

In effect, DANE lets a self-signed certificate be trusted (the guarantor of its trustworthiness is DNSSEC) and takes over the function of a CA.
How it works

The DANE specification is set out in its IETF RFC. According to that document, a new record type was added to DNS: TLSA. It carries information about the certificate being pinned, the selector and matching type that describe what the record contains, and the data itself. The webmaster computes a digital fingerprint of the certificate, signs it with DNSSEC and publishes it in a TLSA record.

The client connects to the Internet resource and compares the certificate it receives with the "fingerprint" obtained from the DNS operator. If they match, the resource is considered trusted.
The DANE wiki page gives the following example of a DNS query for example.org on TCP port 443:

```
IN TLSA _443._tcp.example.org
```

The response looks like this:

```
_443._tcp.example.com. IN TLSA (
3 0 0 30820307308201efa003020102020... )
```
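To make the matching step concrete, here is an added example (not code from the article or its source) that parses TLSA records in the presentation format shown above and checks a server certificate against them. It assumes the TLSA RRset has already been DNSSEC-validated, which DANE requires, and it contains its own minimal DER walker so that selector 1 (SubjectPublicKeyInfo) can be demonstrated without external libraries. The certificate it checks is a constructed, certificate-shaped DER blob, not a real signed certificate.

```python
"""Parse DANE TLSA records and match a server certificate against them.
Added example for this article; not the article's or Wikipedia's code.
The TLSA RRset is assumed to have been DNSSEC-validated already."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
    matching: int   # 0 = exact data, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data


def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation format such as '3 1 1 5c2f...' (hex may be whitespace-split)."""
    usage, selector, matching, *hex_parts = rdata.split()
    return TLSA(int(usage), int(selector), int(matching), bytes.fromhex("".join(hex_parts)))


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (definite length); used only to build the constructed test cert."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + body


def der_children(blob: bytes) -> list[tuple[int, bytes, bytes]]:
    """Split a DER constructed value's contents into (tag, body, whole_tlv) triples."""
    out, i = [], 0
    while i < len(blob):
        start, tag, n = i, blob[i], blob[i + 1]
        i += 2
        if n & 0x80:                      # long-form length: n & 0x7F bytes follow
            k = n & 0x7F
            n = int.from_bytes(blob[i:i + k], "big")
            i += k
        out.append((tag, blob[i:i + n], blob[start:i + n]))
        i += n
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (selector 1 input)."""
    _, cert_body, _ = der_children(cert_der)[0]     # Certificate SEQUENCE
    _, tbs_body, _ = der_children(cert_body)[0]     # tbsCertificate SEQUENCE
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                         # optional explicit [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[5][2]


def association_data(record: TLSA, cert_der: bytes) -> bytes:
    """Compute what the record's data field must equal for this certificate."""
    selected = cert_der if record.selector == 0 else extract_spki(cert_der)
    if record.matching == 0:
        return selected
    if record.matching == 1:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def tlsa_matches(record: TLSA, cert_der: bytes) -> bool:
    """True if the certificate satisfies the record; unusable records never match."""
    if record.selector not in (0, 1) or record.matching not in (0, 1, 2):
        return False
    return hmac.compare_digest(association_data(record, cert_der), record.data)


def dane_ee_accepts(rrset: list[TLSA], cert_der: bytes) -> bool:
    """DANE-EE (usage 3): accept if any usage-3 record matches the end-entity certificate.
    An empty RRset is never a match, so a host without TLSA records is not authenticated by DANE."""
    return any(r.usage == 3 and tlsa_matches(r, cert_der) for r in rrset)


ED25519_OID = bytes.fromhex("2B6570")   # 1.3.101.112, only to give the blob a plausible shape


def build_test_certificate(serial: int = 1) -> tuple[bytes, bytes]:
    """Constructed, certificate-shaped DER blob (NOT a real signed certificate) and its SPKI."""
    alg = der_tlv(0x30, der_tlv(0x06, ED25519_OID))
    spki = der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + b"\x11" * 32))   # constructed key bytes
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02"))           # version v3
                  + der_tlv(0x02, bytes([serial]))                      # serialNumber
                  + alg + der_tlv(0x30, b"") + der_tlv(0x30, b"")       # signature, issuer, validity
                  + der_tlv(0x30, b"") + spki)                          # subject, subjectPublicKeyInfo
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00" + b"\x22" * 64)), spki


def demo() -> dict[str, bool]:
    """Match constructed records against the constructed certificate and some variants of it."""
    cert, spki = build_test_certificate()
    rrset = [parse_tlsa("3 1 1 " + hashlib.sha256(spki).hexdigest()),   # DANE-EE, SPKI, SHA-256
             parse_tlsa("3 0 2 " + hashlib.sha512(cert).hexdigest())]   # DANE-EE, full cert, SHA-512
    renewed, _ = build_test_certificate(serial=2)            # same key, re-issued certificate
    other_key = bytearray(cert)
    other_key[cert.index(spki) + len(spki) - 1] ^= 0x01      # same shape, different public key
    return {
        "spki_record_matches": tlsa_matches(rrset[0], cert),
        "full_cert_record_matches": tlsa_matches(rrset[1], cert),
        "renewed_cert_keeps_spki_match": tlsa_matches(rrset[0], renewed),
        "renewed_cert_keeps_full_match": tlsa_matches(rrset[1], renewed),
        "rrset_accepts_other_key": dane_ee_accepts(rrset, bytes(other_key)),
        "empty_rrset_accepts": dane_ee_accepts([], cert),
    }
```

Only usage 3 (DANE-EE) is decided by the fingerprint alone; usages 0 and 1 additionally require ordinary PKIX validation, which this example does not perform. The `renewed` case shows why operators usually publish selector 1: a certificate re-issued for the same key keeps matching the SPKI record while the full-certificate record goes stale.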
DANE has several extensions that work with DNS record types other than TLSA. The first is the SSHFP record, for verifying host keys in SSH connections; it is described in its own RFCs. The second is the OPENPGPKEY record, for key exchange with PGP. Finally, the third is the SMIMEA record (the standard has not been formalised as an RFC; a draft exists) for exchanging cryptographic keys for S/MIME.
What is wrong with DANE

In mid-May the DNS-OARC conference was held (DNS-OARC is a non-profit organisation concerned with the security, stability and development of the domain name system). Experts on one of the panels concluded that DANE in browsers has failed, at least in its current form. At the same conference Geoff Huston, Chief Scientist of one of the five regional Internet registries, called DANE a "dead technology".

Popular browsers do not support certificate authentication via DANE. Special browser plugins that implement TLSA-record functionality do exist, but their support is patchy.

The problem with deploying DANE in browsers lies in the length of the DNSSEC validation procedure. On the first connection to a resource, the system has to perform cryptographic computations to verify the authenticity of the SSL certificate and walk the entire chain of DNS servers, from the root zone down to the host's domain.

Mozilla tried to remove this problem with a mechanism for TLS that was supposed to reduce the number of DNS records the client has to look at during authentication. However, disagreements arose in the development group that could not be resolved. As a result the project was abandoned, even though the IETF had approved it in March 2018.

Another reason for DANE's low popularity is the low worldwide adoption of DNSSEC. Experts consider it insufficient to support DANE.

Most likely the industry will develop in a different direction. Instead of using DNS to verify SSL/TLS certificates, market players are moving to the DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) protocols. We mentioned the latter in one of our articles on Habr. They encrypt and authenticate the user's requests to the DNS server, protecting against data spoofing by an attacker. At the beginning of the year Google already rolled out DoT for its Public DNS. As for DANE, whether the technology can "get back in the saddle" and still spread widely remains to be seen.
Source: www.hab.com
