Timalankhula zaukadaulo wa DANE wotsimikizira mayina a mayina pogwiritsa ntchito DNS komanso chifukwa chake sichigwiritsidwa ntchito kwambiri pakusakatula.
/Chotsani /
Kodi DANE ndi chiyani
Certification Authorities (CAs) ndi mabungwe omwe satifiketi ya cryptographic . Amayika siginecha yawo yamagetsi pa iwo, kutsimikizira kuti ndi yowona. Komabe, nthawi zina zimachitika pamene satifiketi amaperekedwa ndi kuphwanya. Mwachitsanzo, chaka chatha Google idayambitsa "ndondomeko yoyimitsa" ziphaso za Symantec chifukwa cha kunyengerera kwawo (tidafotokoza nkhaniyi mwatsatanetsatane mubulogu yathu - ΠΈ ).
Pofuna kupewa izi, zaka zingapo zapitazo IETF Ukadaulo wa DANE (koma sugwiritsidwa ntchito kwambiri pakusakatula - tikambirana chifukwa chake izi zidachitika pambuyo pake).
DANE (DNS-based Authentication of Named Entities) ndi mndandanda wazomwe zimakulolani kugwiritsa ntchito DNSSEC (Name System Security Extensions) kuti muwongolere kutsimikizika kwa ziphaso za SSL. DNSSEC ndiyowonjezera ku Domain Name System yomwe imachepetsa kuwononga ma adilesi. Pogwiritsa ntchito matekinoloje awiriwa, woyang'anira webusayiti kapena kasitomala atha kulumikizana ndi m'modzi wa oyendetsa zone ya DNS ndikutsimikizira kutsimikizika kwa satifiketi yomwe ikugwiritsidwa ntchito.
Kwenikweni, DANE imakhala ngati satifiketi yodzisainira yokha (yotsimikizira kudalirika kwake ndi DNSSEC) ndikukwaniritsa ntchito za CA.
Kodi ntchito
Mafotokozedwe a DANE akufotokozedwa mu . Malinga ndi chikalatacho, mu mtundu watsopano unawonjezedwa - TLSA. Lili ndi chidziwitso chokhudza satifiketi yomwe imasamutsidwa, kukula ndi mtundu wa data yomwe imasamutsidwa, komanso deta yomwe. Woyang'anira webusayiti amapanga chithunzithunzi cha digito cha satifiketi, amasayina ndi DNSSEC, ndikuyika mu TLSA.
Makasitomala amalumikizana ndi tsamba la intaneti ndikufanizira satifiketi yake ndi "kopi" yolandilidwa kuchokera kwa wogwiritsa ntchito DNS. Ngati zikugwirizana, ndiye kuti gwerolo limaonedwa kuti ndi lodalirika.
Tsamba la DANE wiki limapereka chitsanzo chotsatira cha pempho la DNS ku example.org pa TCP port 443:
IN TLSA _443._tcp.example.orgYankho likuwoneka motere:
_443._tcp.example.com. IN TLSA (
3 0 0 30820307308201efa003020102020... )
DANE ili ndi zowonjezera zingapo zomwe zimagwira ntchito ndi zolemba za DNS kupatula TLSA. Yoyamba ndi mbiri ya SSHFP DNS yotsimikizira makiyi pamalumikizidwe a SSH. Izo zikufotokozedwa mu , ΠΈ . Yachiwiri ndi kulowa kwa OPENPGPKEY pakusinthanitsa makiyi pogwiritsa ntchito PGP (). Pomaliza, chachitatu ndi mbiri ya SMIMEA (muyezo sunakhazikitsidwe mu RFC, ulipo ) posinthanitsa makiyi a cryptographic kudzera pa S/MIME.
Vuto ndi chiyani ndi DANE
Pakati pa mwezi wa May, msonkhano wa DNS-OARC unachitika (ili ndi bungwe lopanda phindu lomwe limayang'anira chitetezo, kukhazikika ndi chitukuko cha dongosolo la dzina lachidziwitso). Akatswiri pa imodzi mwa mapanelo kuti ukadaulo wa DANE mumasakatuli walephera (osachepera pakukhazikitsidwa kwake pano). Apezeka pamsonkhanowo Geoff Huston, Wasayansi Wotsogola Wofufuza , m'modzi mwa olembetsa pa intaneti asanu, za DANE ngati "teknoloji yakufa".
Asakatuli otchuka samathandizira kutsimikizika kwa satifiketi pogwiritsa ntchito DANE. Pamsika , zomwe zimawulula magwiridwe antchito a zolemba za TLSA, komanso thandizo lawo .
Mavuto ndi kugawa kwa DANE mu asakatuli amalumikizidwa ndi kutalika kwa njira yovomerezeka ya DNSSEC. Dongosolo limakakamizika kupanga mawerengero a cryptographic kuti atsimikizire kutsimikizika kwa satifiketi ya SSL ndikudutsa mumndandanda wonse wa maseva a DNS (kuchokera kugawo la mizu kupita kumalo osungira) mukamalumikizana koyamba ndi gwero.
/Chotsani /
Mozilla adayesa kuthetsa vutoli pogwiritsa ntchito makinawo za TLS. Zinkayenera kuchepetsa chiwerengero cha ma DNS records omwe kasitomala amayenera kuyang'ana pamene akutsimikizira. Komabe, kusagwirizana kunabuka mkati mwa gulu lachitukuko lomwe silinathe kuthetsedwa. Zotsatira zake, ntchitoyi idasiyidwa, ngakhale idavomerezedwa ndi IETF mu Marichi 2018.
Chifukwa china cha kutchuka kwa DANE ndikuchepa kwa DNSSEC padziko lapansi - . Akatswiri adawona kuti izi sizokwanira kulimbikitsa DANE mwachangu.
Mwachidziwikire, bizinesiyo idzakula mwanjira ina. M'malo mogwiritsa ntchito DNS kutsimikizira ziphaso za SSL/TLS, osewera pamsika azilimbikitsa ma protocol a DNS-over-TLS (DoT) ndi DNS-over-HTTPS (DoH). Tinatchula zotsirizirazo mu umodzi mwa wathu pa Habre. Amalemba ndikutsimikizira zopempha za ogwiritsa ntchito ku seva ya DNS, kuletsa omwe akuukira kuti asawononge deta. Kumayambiriro kwa chaka, DoT inali kale kwa Google kwa Public DNS yake. Ponena za DANE, ngati ukadaulo udzatha "kubwereranso mu chishalo" ndikukhalabe kufalikira zikuwonekerabe mtsogolo.
Chinanso chomwe tili nacho popitilira kuwerenga:
Source: www.habr.com