There is an opinion: DANE technology for browsers has failed

We discuss what DANE, a technology for authenticating domain names using DNS, is and why it is not widely used in browsers.


What is DANE

Certificate authorities (CAs) are organizations that certify cryptographic SSL certificates. They put their electronic signature on them, confirming their authenticity. However, situations sometimes arise in which certificates are issued with violations. For example, last year Google started a "distrust procedure" for Symantec certificates because they had been compromised (we covered this story in detail on our blog: one and two).

To avoid such situations, a few years ago the IETF began developing the DANE technology (but it is not widely used in browsers; we will discuss why later).

DANE (DNS-based Authentication of Named Entities) is a set of specifications that lets you use DNSSEC (Domain Name System Security Extensions) to control the validity of SSL certificates. DNSSEC is an extension to the Domain Name System that reduces address-spoofing attacks. Using these two technologies, a webmaster or a client can contact one of the DNS zone operators and confirm the validity of the certificate in use.

In essence, DANE acts as a self-signed certificate (DNSSEC is the guarantee of its trustworthiness) and complements the functions of a CA.

How it works

The DANE specification is described in RFC 6698. According to the document, a new type was added to the DNS resource records: TLSA. It contains information about the certificate being transferred, the size and type of the data being transferred, and the data itself. The site administrator creates a digital fingerprint of the certificate, signs it with DNSSEC, and places it in the TLSA record.

The client connects to a site on the internet and compares its certificate with the "copy" obtained from the DNS operator. If they match, the resource is considered trusted.

The DANE wiki page gives the following example of a DNS query for example.org on TCP port 443:

IN TLSA _443._tcp.example.org

The response looks like this:

 _443._tcp.example.com. IN TLSA (
   3 0 0 30820307308201efa003020102020... )
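The comparison described above, written out as an added example (it is not code from the article or from the DANE wiki). It assumes the TLSA answer has already been DNSSEC-validated by the resolver; the names `make_tlsa_rdata`, `parse_tlsa`, `tlsa_matches` and `SAMPLE_CERT` are hypothetical, and the sample bytes are constructed, not a real certificate.

```python
import hashlib
import hmac
from typing import NamedTuple, Optional

class TLSA(NamedTuple):
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

def make_tlsa_rdata(cert_der: bytes, mtype: int = 1) -> str:
    """Site-operator side: fingerprint the certificate as a '3 0 <mtype>' record."""
    data = {0: lambda b: b,
            1: lambda b: hashlib.sha256(b).digest(),
            2: lambda b: hashlib.sha512(b).digest()}[mtype](cert_der)
    return f"3 0 {mtype} {data.hex()}"

def parse_tlsa(rdata: str) -> TLSA:
    """Parse TLSA RDATA in presentation format: 'usage selector mtype hex...'."""
    fields = rdata.replace("(", " ").replace(")", " ").split()
    if len(fields) < 4:
        raise ValueError("TLSA RDATA needs three numeric fields and hex data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    if usage not in range(4) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unsupported TLSA field value")
    data = bytes.fromhex("".join(fields[3:]))  # hex may be split by whitespace
    if (mtype == 1 and len(data) != 32) or (mtype == 2 and len(data) != 64):
        raise ValueError("digest length does not match the matching type")
    return TLSA(usage, selector, mtype, data)

def tlsa_matches(rec: TLSA, cert_der: bytes,
                 spki_der: Optional[bytes] = None) -> bool:
    """Client side: compare the presented certificate with the DNS 'copy'."""
    selected = cert_der if rec.selector == 0 else spki_der
    if selected is None:
        return False  # selector 1 needs the SPKI extracted by the TLS library
    if rec.mtype == 1:
        selected = hashlib.sha256(selected).digest()
    elif rec.mtype == 2:
        selected = hashlib.sha512(selected).digest()
    return hmac.compare_digest(selected, rec.data)

# Constructed stand-in bytes for a DER certificate (not a real certificate)
SAMPLE_CERT = bytes.fromhex("3082000a") + b"constructed-demo-cert"
```

A record of the form `3 0 0 ...`, as in the response above, carries the full certificate, so the client compares raw bytes rather than a digest.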

DANE has several extensions that work with DNS records other than TLSA. The first is the SSHFP DNS record for verifying keys on SSH connections. It is described in RFC 4255, RFC 6594 and RFC 7479. The second is the OPENPGPKEY record for key exchange using PGP (RFC 7929). Finally, the third is the SMIMEA record (the standard has not been formalized in an RFC; only a draft exists) for exchanging cryptographic keys via S/MIME.

What is the problem with DANE

In mid-May, the DNS-OARC conference was held (DNS-OARC is a non-profit organization that deals with the security, stability and development of the domain name system). Experts on one of the panels came to the conclusion that DANE technology in browsers has failed (at least in its current implementation). Geoff Huston, Chief Research Scientist at APNIC, one of the five regional internet registrars, spoke at the conference and described DANE as a "dead technology".

Popular browsers do not support certificate validation using DANE. There are special plugins on the market that expose the functionality of TLSA records, but support for them is also gradually being discontinued.

The problems with the spread of DANE in browsers are associated with the length of the DNSSEC validation process. The system is forced to perform cryptographic computations to confirm the authenticity of the SSL certificate and to walk the entire chain of DNS servers (from the root zone to the host's domain) when it first connects to a resource.


Mozilla tried to eliminate this problem using the DNSSEC Chain Extension for TLS mechanism. It was supposed to reduce the number of DNS records the client has to look up during validation. However, disagreements arose within the development group that could not be resolved. As a result, the project was abandoned, although it had been approved by the IETF in March 2018.

Another reason for DANE's low popularity is the low prevalence of DNSSEC worldwide: only 19% of resources work with it. The experts felt that this was not enough to actively promote DANE.

Most likely, the industry will develop in a different direction. Instead of using DNS to verify SSL/TLS certificates, market players will promote the DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) protocols. We mentioned the latter in one of our previous articles on Habr. They encrypt and authenticate user requests to the DNS server, preventing attackers from spoofing the data. At the beginning of the year, DoT was already implemented at Google for its Public DNS. As for DANE, whether the technology will be able to "get back in the saddle" and become widespread remains to be seen.


Source: www.habr.com
