wget DNSSEC HOWTO ===================== (Version 0.1) Introduction ============ This HOWTO describes the installation, configuration and execution steps for adding DNSSEC validation to the wget application. The patch in this directory has been tested on the wget-1.10.2 source. It may also work on similar versions of wget. Note: Currently, This patch only works on systems that support IPv6. The local machine does not need to actually use IPv6, but the system's TCP/IP stack does need to support it for this patch to function properly. Installation ============ Download wget-1.10.2.tar.gz from http://ftp.gnu.org/pub/gnu/wget/ Unzip and untar it by: tar -xvzf wget-1.10.2.tar.gz Go to the wget-1.10.2 directory: cd wget-1.10.2/ Apply the wget-1.10.2_dnssec_patch.txt in this directory by: patch -p 1 -b -z .orig </path/to/patch/wget-1.10.2_dnssec_patch.txt This will apply the patch and store the original files with a .orig suffix. This patch requires the 'libval' library for DNSSEC validation. This library can be found at http://dnssec-tools.sourceforge.net/. You must install this library before compiling the patched wget source. Build and install wget as per the instructions given in the INSTALL files within the wget source code. On most systems this should just require the following commands: ./configure ./make ./make install Configuration ============= All DNS queries are now checked using the dnssec-tools libval libraries. Attempts to send mail to untrusted sites will fail and bounce with an applicable message. Configuration of site trust is done by editing the dnssec-tools' dnsval.conf file. The default location of this file is /usr/local/etc/dnssec-tools/dnsval.conf on linux distributions, but this path is dependent on how dnssec-tools was built. Execution ========= Start and run wget as normal. To Test ======= (I) Basic Scenarios: DNSSEC validation of wget ---------------------------------------------------- 1. Create a patched wget. 2. Try to pull a file from a host domain whose records can be DNSSEC validated and where validation is required. Verify that the file was copied to the local machine properly. 3. Try to pull a file from a host domain whose records cannot be DNSSEC validated and where validation is required. Verify that the wget command failed with a DNSEC error. -----------------------------------------------------------------------