DNSSEC Drill: Extension for Firefox
This extension performs DNSSEC lookups for the main hostname of the current page in Firefox. It uses Drill to chase the signatures up to a trusted key. The user can specify trusted keys by putting them in a directory of his choice (see usage).
If you run it now, you'll get "insecure" on almost all websites, because the DNS root is not signed, so there is no way to establish that a result is verifiably insecure.
Disclaimers
This extension is just a small proof of concept for visualising DNSSEC.
The current release, 0.7.1, for Firefox 3.0.x, is here: drill-0.7.1.xpi.
For Firefox 2.x and before, please use 0.7: drill-0.7.xpi.
Don't forget to install drill, from the ldns library. The extension needs it to do the actual verification.
After installing the extension, the statusbar shows a new icon: normally, for unverified pages, the icon will be:
If the hostname record in the DNS is signed and can be traced up to a trusted key, the icon will look like this:
By clicking on preferences in the extension menu, or just clicking on the icon, you will get to the preferences dialog:
The first entry is the location of the drill executable (full path). The second entry is the address or hostname of a DNSSEC-enabled caching forwarder, for instance BIND 9 with the dnssec-enable option set to yes. The last entry is a directory on your filesystem that contains public key files. The names of these files must end with ".key" and their contents must be of the following form:
jelte.nlnetlabs.nl. IN DNSKEY 256 3 5 AQOraLfzarHAlFskVGwAGnX0LRjlcOiO6y5WM4Kz+QvZ9vX28h4lOvnfd5tkxnZm 7ERLTAJoFq+1w/wl7VXs2Isz75BSZ7LQh3OT2xXnS6VT5ZxXko/UCOdoGiKZZ63j HZ0jNSTCYy8+5rfvwRD8s3gGuErp5KcHg3V8VLUKSDNNEQ==
You can put any number of keys in this directory. They will be used if their filename ends with '.key'.
With the key from the example you can try and visit http://www.jelte.nlnetlabs.nl. If all is well, the icon should switch to 'verified' after the page has been loaded.
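A way to check a trusted-key directory before pointing the extension at it, as an added example that is not part of the extension or of drill: it parses each ".key" file in the form shown above and computes the RFC 4034 key tag, the number that DS and RRSIG records use to refer to a key, so an installed key can be compared with the one the zone publishes. The names Dnskey, parse_dnskey and load_trusted_keys are hypothetical, and only the TTL-less record form shown on this page is assumed.

```python
import base64
import struct
from pathlib import Path
from typing import NamedTuple

# The example key record shown on this page.
PAGE_KEY = (
    "jelte.nlnetlabs.nl. IN DNSKEY 256 3 5 "
    "AQOraLfzarHAlFskVGwAGnX0LRjlcOiO6y5WM4Kz+QvZ9vX28h4lOvnfd5tkxnZm "
    "7ERLTAJoFq+1w/wl7VXs2Isz75BSZ7LQh3OT2xXnS6VT5ZxXko/UCOdoGiKZZ63j "
    "HZ0jNSTCYy8+5rfvwRD8s3gGuErp5KcHg3V8VLUKSDNNEQ=="
)

class Dnskey(NamedTuple):
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def key_tag(self) -> int:
        """Key tag as in RFC 4034 Appendix B (does not apply to algorithm 1)."""
        rdata = struct.pack("!HBB", self.flags, self.protocol, self.algorithm)
        rdata += self.public_key
        acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
        return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def parse_dnskey(text: str) -> Dnskey:
    """Parse '<owner> IN DNSKEY <flags> <protocol> <algorithm> <base64 ...>'."""
    fields = text.split()
    if len(fields) < 7 or [f.upper() for f in fields[1:3]] != ["IN", "DNSKEY"]:
        raise ValueError("expected '<owner> IN DNSKEY <flags> <proto> <alg> <key>'")
    flags, protocol, algorithm = (int(f) for f in fields[3:6])
    if not 0 <= flags <= 0xFFFF or protocol != 3 or not 0 <= algorithm <= 0xFF:
        raise ValueError("flags/protocol/algorithm out of range (protocol must be 3)")
    # The base64 key may be split by whitespace; rejoin it and decode strictly.
    key = base64.b64decode("".join(fields[6:]), validate=True)
    return Dnskey(fields[0].lower(), flags, protocol, algorithm, key)

def load_trusted_keys(directory: str) -> dict:
    """Return {filename: Dnskey} for every file whose name ends in '.key'."""
    return {p.name: parse_dnskey(p.read_text())
            for p in sorted(Path(directory).iterdir())
            if p.is_file() and p.name.endswith(".key")}

if __name__ == "__main__":
    k = parse_dnskey(PAGE_KEY)
    print(k.owner, "flags", k.flags, "alg", k.algorithm, "key tag", k.key_tag())
```

A file that fails to parse raises ValueError, which is easier to diagnose than an icon that never switches to 'verified'.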