DNSSEC Validator 2.0 for web browsers
DNSSEC Validator 2.0 is an add-on for the web browsers, which allows you to check the existence and validity of DNSSEC DNS records for domain names in the address of the page currently displayed in your browser window. The result of this check is displayed using colour keys and information texts in the page’s address bar or separate toolbar. Currently, the Internet Explorer (IE), Mozilla Firefox (FF) and Google Chrome (CR) web browsers are supported.
- Unlike previous versions of older extension unifies the look and functionality for all the affected browsers.
- Validator core is based on libunbound library.
- Not limited to the use of a validating resolver. DNSSEC validation can be performed alone.
- Contains the shared cache between all browser windows and tabs.
- English, German and Czech localization are supported.
Current version 2.0 is available for download on new website of project.
Version 2.0-beta1. Extension is in beta version, so expect bugs.
Internet Explorer version
- Windows 8, 7, Vista a XP - 64-bit a 32-bit version
- 32-bit version IE6, IE7,IE8, IE9 and IE10
- Currently, 64-bit version of IE8 and IE9 are not supported
- Installation package: IE-dnssec-validator-2.0-beta1-windows.exe
- Installation guide: Follow the prompts of the installation package.
- Windows - 32-bit version of FF 4.0 or latest - installation package: FF-dnssec-validator-2.0-beta1-windows.xpi
- Linux - 32-bit, 64-bit version of FF 4.0 or latest - installation package: FF-dnssec-validator-2.0-beta1-linux.xpi
- Mac OS X - 32-bit, 64-bit version of FF 4.0 or latest – installation package: FF-dnssec-validator-2.0-beta1-macosx.xpi
- Installation guide: Load xpi archive through add-on manager in FF and restart the browser.
- Windows - 32-bit version of CR 16.0 or latest – installation package: CR-dnssec-validator-2.0-beta1-windows.tar.gz
- Linux - 32-bit, 64-bit version of CR 16.0 or latest – installation package: CR-dnssec-validator-2.0-beta1-linux.tar.gz
- Mac OS X - 32-bit, 64-bit version of CR 16.0 or latest – installation package: CR-dnssec-validator-2.0-beta1-macosx.tar.gz
- Installation guide: Unpack gz and loads directory "chrome2" into Chrome browser via Settings-> Extensions of browser. Then reboot your browser.
The result of this check is displayed using colour keys and information texts in the page’s address bar (FF and CR) or separate toolbar (IE). Detailed security information you can get by clicking the given key.
The colour of the key in the bar signals whether the domain name is secured by DNSSEC and whether the DNSSEC signatures are valid and the domain name can trusted. The following situations can happen and the key can look as follows:
An error occurred while getting the DNSSEC status of this domain name. This may be caused by loss of connection to the DNS server or the user-chosen validating resolver IP address is not an address of a validating resolver. This state can may also occur if an unexpected error during the validation process was detected.
For existing domain name means that this domain name is not secured by DNSSEC, so it is not possible to verify validity of obtained data and you are not secured against domain name spoofing. For nonexistent domain name means that the parent domain is not secured by DNSSEC, thus it was not possible to verify nonexistence of this domain name.
For existing domain name means that this domain name is correctly secured by DNSSEC. Information about the IP address of this domain name was validated using DNSSEC. Because this domain name is secured by DNSSEC, you are protected against domain name spoofing. For nonexistent domain name means that the parent domain is secured by DNSSEC, thus it was possible to successfully verify nonexistence of this domain name.
For existing domain name means that this domain name is secured by DNSSEC but invalid domain name signature has been detected or the IP address which the browser is using differs from the address obtained by the DNSSEC add-on. This may have a legitimate reason but can also point at a DNS spoofing attempt! (Difference of IP addresses can also be caused by such proxy (cache) server that your browser uses for obtaining a desired page). For nonexistent domain name means that the parent domain is secured by DNSSEC but the received domain name nonexistence response does not contain a valid signature. This may signalise a domain name spoofing attempt in order to deny the access to the domain.
Nonactive window or tab - (only for IE version).
Extension settings allow choosing the DNS resolver used for DNSSEC validation. You can specify address of an arbitrary validating resolver. Note that by default the resolver specified in system settings is used - thus if it's not validating, you need to choose a validating one. Every choice of settings can be tested on DNSSEC support.
Questions about the extensions can be sent to firstname.lastname@example.org conference. You can also report bugs and feature requests here. Please specify that you are writing about the 2.0IE, 2.0FF nebo 2.0CR.
Source code and Git Repository
- cd dnssec-validator && git checkout unbound
For compilation on the Linux just call cmake and make without any extra parameters:
- cmake .
For compilation on the MAC OS X is recommended to set explicitly the target architecture, e.g.:
- cmake -DTARGET_ARCH=x86_64 .
For compilation on the Windows:
- Build report in the IE2 folder
- (cmake . && make)