There is an opinion: DANE technology for browsers has failed

We look at what DANE, a technology for authenticating domain names using DNS, is and why it is not widely used in browsers.

What is DANE

Certification Authorities (CAs) are organizations that are trusted to certify cryptographic SSL certificates. They put their electronic signature on the certificates, confirming their authenticity. However, situations sometimes arise in which certificates are issued with violations. For example, last year Google started a "distrust process" for Symantec certificates because of their compromise (we covered this story in detail in our blog: one and two).

To avoid such situations, several years ago the IETF began developing the DANE technology (but it is not widely used in browsers; we will talk about why this happened later).

DANE (DNS-based Authentication of Named Entities) is a set of specifications that lets you use DNSSEC (Domain Name System Security Extensions) to control the authenticity of SSL certificates. DNSSEC is an extension to the Domain Name System that reduces address spoofing attacks. Using these two technologies, a webmaster or a client can contact one of the DNS zone operators and confirm the authenticity of the certificate in use.

In essence, DANE works like a signed certificate (DNSSEC is the guarantor of its reliability) and complements the functions of a CA.

How it works

The DANE specification is described in RFC 6698. According to the document, a new type was added to DNS resource records: TLSA. It contains information about the certificate being transferred, the size and type of the data being transferred, and the data itself. The webmaster creates a digital fingerprint of the certificate, signs it with DNSSEC, and places it in the TLSA record.

The client connects to a site on the Internet and compares its certificate with the "copy" received from the DNS operator. If they match, the resource is considered trusted.

The DANE wiki page gives the following example of a DNS query to example.org on TCP port 443:

IN TLSA _443._tcp.example.org

The response looks like this:

 _443._tcp.example.com. IN TLSA (
   3 0 0 30820307308201efa003020102020... )
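
The client-side comparison described above, as an added example that is not part of the original article: it parses a TLSA record in the form shown and checks what the server presented against it. It goes beyond the page's `3 0 0` record by also handling the hashed matching types and the public-key selector defined in RFC 6698. The function names and sample bytes are constructed for illustration, and the record is assumed to have already passed DNSSEC validation in the resolver.

```python
import hashlib
import hmac
from typing import NamedTuple

class TLSA(NamedTuple):
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes    # certificate association data

def tlsa_owner_name(host: str, port: int, proto: str = "tcp") -> str:
    """Name the client queries, e.g. _443._tcp.example.org."""
    return f"_{port}._{proto}.{host.rstrip('.')}."

def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation-format RDATA: 'usage selector mtype hex...'."""
    fields = rdata.replace("(", " ").replace(")", " ").split()
    if len(fields) < 4:
        raise ValueError("TLSA RDATA needs three integers and hex data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    if not (0 <= usage <= 3 and 0 <= selector <= 1 and 0 <= mtype <= 2):
        raise ValueError("unsupported TLSA parameter")
    data = bytes.fromhex("".join(fields[3:]))
    expected = {1: 32, 2: 64}.get(mtype)
    if expected is not None and len(data) != expected:
        raise ValueError("digest length does not match matching type")
    return TLSA(usage, selector, mtype, data)

def matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Compare what the server presented against the TLSA record."""
    selected = cert_der if rec.selector == 0 else spki_der
    if rec.mtype == 1:
        selected = hashlib.sha256(selected).digest()
    elif rec.mtype == 2:
        selected = hashlib.sha512(selected).digest()
    return hmac.compare_digest(selected, rec.data)

# Constructed stand-ins for DER bytes; not a real certificate or key.
CERT = bytes.fromhex("30820307308201ef") + b"constructed-certificate-body"
SPKI = b"constructed-subject-public-key-info"
OTHER_CERT = CERT[:-1] + b"X"  # a reissued certificate with the same key

FULL = parse_tlsa(f"( 3 0 0 {CERT.hex()} )")                   # as on the page
HASHED = parse_tlsa(f"3 1 1 {hashlib.sha256(SPKI).hexdigest()}")  # key pin
```

A `3 0 0` record stops matching as soon as the certificate is reissued, while the `3 1 1` record keeps matching for as long as the key pair stays the same.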

DANE has several extensions that work with DNS records other than TLSA. The first is the SSHFP DNS record for verifying keys on SSH connections. It is described in RFC 4255, RFC 6594 and RFC 7479. The second is the OPENPGPKEY record for key exchange using PGP (RFC 7929). Finally, the third is the SMIMEA record (the standard is not formalized in an RFC; only a draft of it exists) for cryptographic key exchange via S/MIME.

What is the problem with DANE

In mid-May, the DNS-OARC conference took place (this is a non-profit organization that deals with the security, stability and development of the domain name system). Experts on one of the panels came to the conclusion that DANE technology in browsers has failed (at least in its current implementation). Geoff Huston, lead research scientist at APNIC, one of the five regional Internet registries, who was present at the conference, described DANE as a "dead technology".

Popular browsers do not support certificate authentication using DANE. There are special plugins on the market that expose the functionality of TLSA records, but support for them is also gradually being discontinued.

The problems with DANE adoption in browsers are related to the length of the DNSSEC validation process. When first connecting to a resource, the system has to perform cryptographic calculations to confirm the authenticity of the SSL certificate and walk the entire chain of DNS servers (from the root zone to the host's domain).

Mozilla tried to eliminate this drawback using the DNSSEC Chain Extension mechanism for TLS. It was supposed to reduce the number of DNS records the client had to look up during authentication. However, disagreements arose within the development group that could not be resolved. As a result, the project was abandoned, even though it had been approved by the IETF in March 2018.

Another reason for DANE's low popularity is the low prevalence of DNSSEC worldwide: only 19% of resources work with it. Experts felt that this is not enough to promote DANE.

Most likely, the industry will develop in a different direction. Instead of using DNS to verify SSL/TLS certificates, market players will promote the DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) protocols. We mentioned the latter in one of our previous articles on Habré. They encrypt and verify user requests to the DNS server, preventing attackers from stealing data. At the beginning of the year, DoT had already been implemented at Google for its Public DNS. As for DANE, whether the technology will be able to "get back in the saddle" and still become widespread remains to be seen.


Source: www.habr.com
