Security/DNSSEC-TLS-nginx: Difference between revisions

From MozillaWiki

Revision as of 20:49, 11 August 2011

This page details how to set up a server running a modified version of nginx that uses a self-signed certificate with the DNSSEC TLS extension to authenticate https sessions. It's probably safest to do this in a virtual machine. However, for the brave, simply skip the VM-specific steps.

  1. Set up a Linux VM and enable a host-only network adapter so you can talk to it, as well as a NAT'd adapter so it can talk to the internet (outside the scope of this article)
  2. In that VM, do the following:
  3. Install and set up bind9:
    1. Install BIND with your package manager, e.g. 'apt-get install bind9' (the package name varies by distribution)
    2. Set up keys and zone files (see https://www.dnssec-tools.org/wiki/index.php/Sign_Your_Zone, except using dnssec-keygen and dnssec-signzone instead of zonesigner). This will involve getting your DS set signed by your zone's parent.
    3. Make a self-signed certificate
    4. Make a TLSA record using cert2tlsa.sh (http://hg.mozilla.org/users/dkeeler_mozilla.com/dnssec-tls/file/tip/cert2dane.sh) and put this in your zone file
    5. Sign the zones
    6. Start the DNS server
  4. Get sources:
    1. ldns-1.6.10.tar.gz (http://www.nlnetlabs.nl/downloads/ldns/ldns-1.6.10.tar.gz)
    2. nginx-1.0.5.tar.gz
    3. openssl-1.0.0d.tar.gz
  5. Get patches:
    1. nginx-1.0.5-dnssectls.patch
    2. openssl-1.0.0d-dnssectls.patch
  6. Install a local copy of ldns:
    1. Untar the archive and cd to the directory
    2. Run './configure --disable-gost --prefix=$HOME/local'
    3. Run 'make', 'make install'
    4. (If you prefer, simply build it without installing and link against the static libs when necessary.)
  7. Use generate.c (http://hg.mozilla.org/users/dkeeler_mozilla.com/dnssec-tls/file/tip/generate.c) to make a dnssec chain
  8. Unpack and patch a local copy of openssl:
    1. Untar the archive and cd to the directory
    2. Apply the patch
    3. You don't actually have to config/compile/install (nginx just does what it needs with this openssl directory)
  9. Build nginx:
    1. Untar the archive and cd to the directory
    2. Apply the patch
    3. Run './configure --with-openssl=$HOME/openssl-1.0.0d --with-http_ssl_module --without-http_rewrite_module --prefix=`pwd`', 'make'
  10. 'mkdir logs' to make nginx happy
  11. Make sure you don't have other webservers running on the machine (Ubuntu seems to have one by default)
  12. Put the paths to the appropriate certificate files in conf/nginx.conf (i.e. the certificate indicated by the TLSA record)
  13. Put the path to the appropriate dnssec chain file in conf/nginx.conf (created using generate.c, above)
  14. Start nginx: 'sudo ./obj/nginx'
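The TLSA step (3.4) and the certificate-selection step (12) hinge on the certificate in nginx.conf being exactly the one the TLSA record commits to. The following added example (not the page's cert2tlsa.sh, which is not reproduced here) builds a TLSA record from a PEM certificate and performs the client-side match a DANE-aware client would do. It assumes DANE-EE (usage 3) with the full certificate as selector, which is the natural choice for a self-signed certificate; SAMPLE_DER is a constructed stand-in for real DER bytes.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for a DER-encoded certificate (not a real X.509 blob;
# selector 0 hashes the whole certificate, so any bytes exercise the logic).
SAMPLE_DER = bytes(range(0x30, 0x30 + 96))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

def pem_to_der(pem: str) -> bytes:
    """Decode a single-certificate PEM file (the nginx ssl_certificate file) to DER."""
    body = [ln for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body))

def certificate_association(der: bytes, matching_type: int) -> bytes:
    """Association data for matching type 0 (full cert), 1 (SHA-256), 2 (SHA-512)."""
    if matching_type == 0:
        return der
    if matching_type == 1:
        return hashlib.sha256(der).digest()
    if matching_type == 2:
        return hashlib.sha512(der).digest()
    raise ValueError(f"unsupported matching type {matching_type}")

def tlsa_rdata(der: bytes, usage: int = 3, selector: int = 0, matching_type: int = 1) -> str:
    """TLSA RDATA text; defaults are DANE-EE, full certificate, SHA-256 (assumed)."""
    if selector != 0:
        raise ValueError("only selector 0 (full certificate) is handled in this example")
    return f"{usage} {selector} {matching_type} {certificate_association(der, matching_type).hex()}"

def tlsa_record(host: str, der: bytes, port: int = 443, proto: str = "tcp", **kw) -> str:
    """Zone-file line for the HTTPS service, e.g. '_443._tcp.www.example.com. IN TLSA 3 0 1 <hex>'."""
    return f"_{port}._{proto}.{host.rstrip('.')}. IN TLSA {tlsa_rdata(der, **kw)}"

def tlsa_matches(der: bytes, rdata_lines) -> bool:
    """Client-side check: does the presented certificate match any DANE-EE TLSA record?"""
    for line in rdata_lines:
        parts = line.split()
        if len(parts) != 4 or int(parts[0]) != 3 or int(parts[1]) != 0:
            continue  # only usage 3 / selector 0 records are understood here
        expected = certificate_association(der, int(parts[2]))
        # Constant-time compare, so a mismatch does not leak by timing.
        if hmac.compare_digest(bytes.fromhex(parts[3]), expected):
            return True
    return False
```

Run tlsa_matches against the record you published and the certificate nginx actually serves before pointing a client at the server; a mismatch here is the most common reason a DANE validation fails.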