There is an opinion: DANE technology for browsers has failed

We talk about what the DANE technology for authenticating domain names via DNS is, and why it has not been widely adopted in browsers.

Photo: Paulius Dragunas / Unsplash

What DANE is

Certificate Authorities (CAs) are organizations that are trusted to issue SSL certificates. They attach their electronic signature to a certificate, confirming its authenticity. However, situations sometimes arise in which certificates are issued in violation of the rules. For example, last year Google started a "distrust process" for Symantec certificates because of the CA's negligence (we covered this story in detail on our blog: parts one and two).

To avoid such situations, several years ago the IETF began developing the DANE technology (it is still not widely used in browsers; we will get to why that happened below).

DANE (DNS-based Authentication of Named Entities) is a set of specifications that let you use DNSSEC (Domain Name System Security Extensions) to control the validity of SSL certificates. DNSSEC is an extension of the Domain Name System that minimizes address-spoofing attacks. Using these two technologies together, a web administrator or a client can contact one of the DNS zone operators and verify the validity of the certificate in use.

Essentially, DANE works like a self-signed certificate (whose trustworthiness is guaranteed by DNSSEC) and takes over the functions of a CA.

How it works

The DANE specification is described in RFC 6698. According to the document, a new type of DNS resource record is added: TLSA. It contains information about the certificate being transmitted, the size and type of the transmitted data, and the data itself. The web administrator creates a digital fingerprint of the certificate, signs it with DNSSEC and places it in the TLSA record.

The client connects to the site on the Internet and compares its certificate with the "copy" obtained from the DNS operator. If they match, the resource is considered trusted.

The DANE wiki page gives the following example of a DNS query for example.org on TCP port 443:

IN TLSA _443._tcp.example.org

The response looks like this:

 _443._tcp.example.com. IN TLSA (
   3 0 0 30820307308201efa003020102020... )

DANE has several extensions that work with DNS records other than TLSA. The first is the SSHFP DNS record for verifying keys in SSH connections; it is described in RFC 4255, RFC 6594 and RFC 7479. The second is the OPENPGPKEY record for key exchange using PGP (RFC 7929). Finally, the third is the SMIMEA record (the standard is not formally an RFC, only a draft exists) for exchanging cryptographic keys via S/MIME.
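To make the TLSA flow concrete (the administrator publishes a fingerprint in `_443._tcp.<host>`, the client recomputes it from the certificate it was presented and compares), and to show that SSHFP follows the same publish-and-compare pattern, here is an added Python example. It is not code from the original post or from any DANE implementation; the certificate, SPKI and SSH host-key bytes are constructed placeholders, and the DNS lookup and DNSSEC validation that a real client performs before trusting the record are assumed to have happened outside this snippet.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample inputs, not real cryptographic material: stand-ins for a
# DER-encoded server certificate, its SubjectPublicKeyInfo (SPKI), and the
# public-key blob of an ssh-ed25519 host key.
SAMPLE_CERT_DER = bytes.fromhex("30820307308201efa00302010202") + b"constructed certificate body"
SAMPLE_SPKI_DER = bytes.fromhex("3059301306072a8648ce3d020106") + b"constructed public key"
SAMPLE_SSH_HOST_KEY = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))


@dataclass(frozen=True)
class TLSARecord:
    usage: int          # RFC 6698 certificate usage: 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 = whole certificate, 1 = SubjectPublicKeyInfo only
    matching_type: int  # 0 = exact bytes, 1 = SHA-256 digest, 2 = SHA-512 digest
    data: bytes         # certificate association data


def tlsa_owner_name(host: str, port: int, proto: str = "tcp") -> str:
    """Owner name the client queries, e.g. _443._tcp.example.org."""
    return f"_{port}._{proto}.{host.rstrip('.')}"


def _associate(selector: int, matching_type: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Derive the association data from the certificate according to selector/matching type."""
    if selector == 0:
        payload = cert_der
    elif selector == 1:
        payload = spki_der
    else:
        raise ValueError(f"unknown TLSA selector {selector}")
    if matching_type == 0:
        return payload
    if matching_type == 1:
        return hashlib.sha256(payload).digest()
    if matching_type == 2:
        return hashlib.sha512(payload).digest()
    raise ValueError(f"unknown TLSA matching type {matching_type}")


def make_tlsa_rdata(usage: int, selector: int, matching_type: int,
                    cert_der: bytes, spki_der: bytes) -> str:
    """Administrator side: build the 'usage selector mtype hexdata' text to publish (and DNSSEC-sign)."""
    if usage not in (0, 1, 2, 3):
        raise ValueError(f"unknown TLSA certificate usage {usage}")
    data = _associate(selector, matching_type, cert_der, spki_der)
    return f"{usage} {selector} {matching_type} {data.hex()}"


def parse_tlsa(rdata: str) -> TLSARecord:
    """Parse the presentation format; the hex blob may be split across whitespace."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("TLSA rdata needs usage, selector, matching type and data")
    usage, selector, matching_type = (int(f) for f in fields[:3])
    return TLSARecord(usage, selector, matching_type, bytes.fromhex("".join(fields[3:])))


def tlsa_matches(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Client side: recompute the association from the presented certificate and compare."""
    expected = _associate(record.selector, record.matching_type, cert_der, spki_der)
    return hmac.compare_digest(expected, record.data)


def _ssh_fingerprint(fp_type: int, host_key_blob: bytes) -> bytes:
    """SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594), over the key blob."""
    if fp_type == 1:
        return hashlib.sha1(host_key_blob).digest()
    if fp_type == 2:
        return hashlib.sha256(host_key_blob).digest()
    raise ValueError(f"unknown SSHFP fingerprint type {fp_type}")


def make_sshfp_rdata(algorithm: int, fp_type: int, host_key_blob: bytes) -> str:
    """Publish side for SSHFP: 'algorithm fptype hexfingerprint' (algorithm 4 = Ed25519, RFC 7479)."""
    return f"{algorithm} {fp_type} {_ssh_fingerprint(fp_type, host_key_blob).hex()}"


def sshfp_matches(rdata: str, host_key_blob: bytes) -> bool:
    """SSH client side: compare the DNS fingerprint with the host key the server just offered."""
    _algorithm, fp_type, fp_hex = rdata.split()
    return hmac.compare_digest(_ssh_fingerprint(int(fp_type), host_key_blob), bytes.fromhex(fp_hex))


if __name__ == "__main__":
    rdata = make_tlsa_rdata(3, 1, 1, SAMPLE_CERT_DER, SAMPLE_SPKI_DER)
    print(tlsa_owner_name("example.org", 443), "IN TLSA", rdata)
    print("certificate matches TLSA:", tlsa_matches(parse_tlsa(rdata), SAMPLE_CERT_DER, SAMPLE_SPKI_DER))
    sshfp = make_sshfp_rdata(4, 2, SAMPLE_SSH_HOST_KEY)
    print("host key matches SSHFP:", sshfp_matches(sshfp, SAMPLE_SSH_HOST_KEY))
```

The comparison uses `hmac.compare_digest` rather than `==` so the check does not leak how many fingerprint bytes matched. Note that a record of usage 3 (DANE-EE) with selector 1 and matching type 1, as built in the `__main__` block, pins only the public key, so the certificate can be reissued without touching DNS as long as the key stays the same; matching type 0 pins the exact certificate bytes and must be republished on every renewal.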

What the problem with DANE is

In mid-May the DNS-OARC conference was held (DNS-OARC is a non-profit organization concerned with the security, stability and development of the domain name system). Experts on one of the panels came to the conclusion that the DANE technology in browsers has failed (at least in its current implementation). Geoff Huston, Chief Research Scientist at APNIC, one of the five regional Internet registries, who attended the conference, spoke of DANE as a "dead technology".

Popular browsers do not support certificate validation via DANE. There are specialized plugins on the market that implement TLSA record handling, but their support has gradually been discontinued.

The problems with DANE adoption in browsers are tied to the length of the DNSSEC validation process. The system must perform cryptographic computations to verify the authenticity of the SSL certificate and walk the entire chain of DNS servers (from the root zone down to the domain's host) when first connecting to a resource.

Photo: Kaley Dykstra / Unsplash

Mozilla tried to solve this problem with the DNSSEC Chain Extension for TLS. It was supposed to reduce the number of DNS records the client has to look up during validation. However, disagreements arose within the development team that could not be resolved. As a result, the project was abandoned, even though it had been approved by the IETF in March 2018.

Another reason for DANE's low popularity is the low adoption of DNSSEC worldwide: only 19% of resources use it. Experts feel that this is not enough to drive DANE forward.

Most likely, the industry will develop in a different direction. Instead of using DNS to validate SSL/TLS certificates, market players will promote the DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) protocols. We mentioned the latter in one of our previous posts on Habr. They encrypt and authenticate user requests to the DNS server, protecting against data spoofing by attackers. At the beginning of the year, Google had already implemented DoT in its Public DNS. As for DANE, whether the technology will be able to "regain its footing" and spread remains to be seen.


Source: www.habr.com
