Anyị na-ekwu maka ihe teknụzụ DANE bụ maka ịchọpụta aha ngalaba site na iji DNS yana ihe kpatara ejighi ya na ihe nchọgharị.
/Akụkụba/
Kedu ihe bụ DANE
Asambodo ikike (CAs) bụ òtù ndị akwụkwọ cryptographic . Ha tinyere mbinye aka eletrọnịkị ha, na-egosi na ha bụ eziokwu. Agbanyeghị, mgbe ụfọdụ ọnọdụ na-ebilite mgbe enyere asambodo na mmebi iwu. Dịka ọmụmaatụ, n'afọ gara aga Google malitere "usoro enweghị ntụkwasị obi" maka asambodo Symantec n'ihi nkwenye ha (anyị kpuchiri akụkọ a n'ụzọ zuru ezu na blọọgụ anyị - и ).
Iji zere ọnọdụ ndị dị otú ahụ, ọtụtụ afọ gara aga IETF Teknụzụ DANE (mana anaghị eji ya eme ihe na ihe nchọgharị - anyị ga-ekwu maka ihe kpatara nke a ji eme ma emechaa).
DANE (DNS dabeere na nkwenye nke aha aha) bụ set nke nkọwa na-enye gị ohere iji DNSSEC (Aha System Nche Extensions) iji jikwaa ndaba nke SSL asambodo. DNSSEC bụ ndọtị na ngalaba Aha Sistemụ nke na-ebelata mwakpo mkpachapụ adreesị. Iji teknụzụ abụọ a, onye na-ahụ maka webụsaịtị ma ọ bụ onye ahịa nwere ike ịkpọtụrụ otu n'ime ndị na-ahụ maka mpaghara DNS wee gosi izi ezi nke asambodo a na-eji.
N'ụzọ bụ isi, DANE na-arụ ọrụ dị ka akwụkwọ aka aka aka (onye na-ekwe nkwa ntụkwasị obi ya bụ DNSSEC) ma mejuo ọrụ nke CA.
Olee otú nke a na-arụ ọrụ
A kọwapụtara nkọwapụta DANE na . Dị ka akwụkwọ ahụ si kwuo, in agbakwunyere ụdị ọhụrụ - TLSA. O nwere ozi gbasara akwụkwọ a na-ebufe, nha na ụdị data a na-ebufe, yana data n'onwe ya. Onye nwe webụsaịtị na-emepụta akara mkpịsị aka dijitalụ nke asambodo ahụ, bịanye aka na ya na DNSSEC, wee tinye ya na TLSA.
Onye ahịa na-ejikọ na saịtị na ịntanetị wee jiri asambodo ya na “mbipụta” enwetara n'aka onye na-ahụ maka DNS. Ọ bụrụ na ha dakọtara, mgbe ahụ, a na-ahụta akụrụngwa a tụkwasịrị obi.
Ibe wiki DANE na-enye ihe atụ na-esonụ nke arịrịọ DNS na example.org na ọdụ ụgbọ mmiri TCP 443:
IN TLSA _443._tcp.example.orgAzịza ya dị ka nke a:
_443._tcp.example.com. IN TLSA (
3 0 0 30820307308201efa003020102020... )
DANE nwere ọtụtụ ndọtị na-arụ ọrụ na ndekọ DNS na-abụghị TLSA. Nke mbụ bụ ndekọ SSHFP DNS maka imezi igodo na njikọ SSH. A kọwara ya na , и . Nke abụọ bụ ntinye OPENPGPKEY maka mgbanwe isi site na iji PGP (). N'ikpeazụ, nke atọ bụ ndekọ SMIMEA (ọkọlọtọ adịghị ahazi na RFC, e nwere ) maka mgbanwe igodo cryptographic site na S/MIME.
Kedu ihe bụ nsogbu na DANE
N'etiti ọnwa Mee, a na-enwe ogbako DNS-OARC (nke a bụ ụlọ ọrụ anaghị akwụ ụgwọ nke na-ahụ maka nchekwa, nkwụsi ike na mmepe nke usoro aha ngalaba). Ndị ọkachamara na otu panel na teknụzụ DANE na ihe nchọgharị adaala (opekata mpe na mmejuputa ya ugbu a). Na-abịa na ogbako Geoff Huston, Onye Ọkachamara Nchọpụta Nchọpụta , otu n'ime ndị na-edeba aha ịntanetị ise, banyere DANE dị ka "teknụzụ nwụrụ anwụ".
Ihe nchọgharị ndị ama ama anaghị akwado njirimara asambodo site na iji DANE. Na ahịa , nke na-ekpughe ọrụ nke ndekọ TLSA, kamakwa nkwado ha .
A na-ejikọta nsogbu na nkesa DANE na ihe nchọgharị na ogologo nke usoro nkwado DNSSEC. A na-amanye usoro ahụ ịme mgbakọ cryptographic iji kwado izi ezi nke akwụkwọ SSL wee banye n'ime agbụ niile nke sava DNS (site na mpaghara mgbọrọgwụ ruo na ngalaba nnabata) mgbe mbụ ị na-ejikọta na akụ.
/Akụkụba/
Mozilla gbalịrị iji usoro ahụ wepụ ihe ndọghachi azụ a maka TLS. O kwesiri ibelata ọnụọgụ ndekọ DNS nke onye ahịa ga-enyocha n'oge nyocha. Agbanyeghị, esemokwu bilitere n'ime otu mmepe nke enweghị ike idozi. N'ihi ya, a gbahapụrụ ọrụ ahụ, n'agbanyeghị na IETF kwadoro ya na March 2018.
Ihe ọzọ kpatara ewu ewu nke DANE dị ala bụ obere mgbasa nke DNSSEC n'ụwa - . Ndị ọkachamara chere na nke a ezughị iji kwalite DANE nke ọma.
O yikarịrị, ụlọ ọrụ ahụ ga-etolite n'ụzọ dị iche. Kama iji DNS iji nyochaa asambodo SSL/TLS, ndị egwuregwu ahịa ga-akwalite ụkpụrụ DNS-over-TLS (DoT) na DNS-over-HTTPS (DoH). Anyị kwuru nke a n'otu n'ime anyị na Habre. Ha na-ezochi ma nyochaa arịrịọ onye ọrụ na sava DNS, na-egbochi ndị na-awakpo ịza data. Ná mmalite nke afọ, DoT adịlarị gaa na Google maka DNS ọha ya. Banyere DANE, ma teknụzụ ọ ga-enwe ike "ịlaghachi n'ime sadulu" ma bụrụ nke zuru ebe niile ka a ga-ahụ n'ọdịnihu.
Kedu ihe ọzọ anyị nwere maka ịgụ ọzọ:
isi: www.habr.com