Release notes

v1.1.5
  • New Firefox 5 to Firefox 11 compatibility
  • New key icon right-click popup menu with "Preferences" shortcut
  • Validation cache is not shared between browser windows, just between browser tabs

Installation

The DNSSEC Validator add-on is distributed using the standard method via the Mozilla Add-ons website.

Supported Browsers

Mozilla Firefox 3.0 or higher (tested on versions 3.0-11.0)

Supported Platforms

Linux i386, x86_64 (tested on Debian, Ubuntu, Fedora, CentOS)
Mac OS X 10.5, 10.6 - i386, x86_64 (tested on Mac OS X 10.5, 10.6)
Windows XP or higher - i386 (tested on Windows 7)

Help

DNSSEC Validator is an add-on for the Mozilla Firefox web browser, which allows you to check the existence and validity of DNSSEC DNS records for domain names in the address of the page currently displayed in your browser window. The result of this check is displayed using colour keys and information texts in the page’s address bar.

Address bar with DNSSEC Validator

The colour of the key in the URL bar signals whether the domain name is secured by DNSSEC, and whether the DNSSEC signatures are valid and the domain name can be trusted. The following situations can occur, and the key looks as follows:

Animated key
The domain name DNSSEC status resolution is pending.

Grey key
The domain name is insecure due to no DNSSEC signature.

Green key
The domain name is secured using DNSSEC technology and the integrity of the DNS response has not been breached during transmission. The browser uses IP addresses that have been validated by DNSSEC Validator using DNSSEC technology and are trusted.

Orange key
The domain name is secured with DNSSEC technology, but the DNS resolver in use cannot verify the validity of the signatures.

Red key
WARNING! The domain name is secured by DNSSEC technology, but the IP addresses to which your browser is connecting have been changed, or the DNSSEC signature is invalid. The IP address could have been changed in transit to your computer by an unknown attacker, or it may be a conflict in the local settings on your computer.

Detailed security information can be obtained by clicking the key. If no key is displayed at all, the domain name is not secured using DNSSEC technology; unfortunately, this is the case for the majority of domain names. If it is important to you that the DNS integrity of a domain name you use is guaranteed (for important websites such as banks, news, government administration, etc.), write to the operator of the website and suggest that they secure their domain name using DNSSEC technology.


Other browsers

Besides the extension for Firefox, we also offer similar plug-ins for Google Chrome and Internet Explorer. These are currently at an alpha stage of development.


Frequently Asked Questions

What is DNS?

DNS (Domain Name System) works like a telephone directory, but for Internet IP addresses. It allows a symbolic name, the domain name, to be assigned to a numerical IP address; the user remembers the name easily and can even guess it intuitively when typing it into the web browser (“I know this Czech company is called XY, so I’ll type www.XY.cz into the browser.”). The browser, like a telephone user, looks in the “directory”, finds the correct entry and automatically connects to the IP address corresponding to the domain name, and the website is displayed to the user. You can find more information about DNS on the website About domains and DNS.

What is DNSSEC?

DNSSEC is an extension of the Domain Name System (DNS) which increases its security. DNSSEC gives users the assurance that the information obtained from the DNS has been provided by the correct source, is complete, and that its integrity has not been breached during transmission. DNSSEC thus ensures the credibility of the data obtained from the DNS. You can find more information about DNSSEC technology on the website How does DNSSEC work?

What should I do if my DNS servers do not support DNSSEC?

If your ISP does not operate DNS servers that support DNSSEC technology, you have several options to remedy this:

  1. Write to your ISP asking them to start operating DNSSEC technology on their DNS servers. You can attach a link to detailed instructions for the main platforms to your email.

  2. If you have the option of changing your system settings, you can use Open DNSSEC Validating Resolvers operated by the CZ.NIC Association for your whole system.

  3. If you do not have the option of changing your system settings, you can change only the settings of DNSSEC Validator itself. Open the Tools menu and select the Add-ons menu item. Select DNSSEC Validator from the list of add-ons and click the Settings button. In the settings you can change the DNS resolvers that DNSSEC Validator uses from the system resolvers to the CZ.NIC ODVRs (Open DNSSEC Validating Resolvers). Alternatively, you can use the ODVRs operated by DNS-OARC or by Comcast.

  4. A further option is to run a DNSSEC validating resolver on your local computer. This choice is intended for more experienced system administrators; we recommend that regular users use the CZ.NIC resolvers. If you use your own DNSSEC validating resolver, you can also change the IP addresses used by DNSSEC Validator in the add-on settings.

Where can I check whether the add-on is working properly?

If you have DNSSEC validating DNS resolvers set, you can verify on the website www.dnssec.cz that the domain name www.dnssec.cz is signed with a valid signature: a green key should be displayed. If you enter the address www.rhybar.cz into your browser, a red key should be displayed, because the domain name www.rhybar.cz is signed with an invalid signature. The orange key can be tested, for example, on the website www.napul.cz.

Does the add-on protect DNS resolving against MITM attacks?

It depends on your configuration. DNSSEC Validator relies on the Authenticated Data (AD) bit received from the validating resolver you are using. If the connection between your computer and the resolver is secured (IPsec, ...), or the resolver is running locally on your computer, then you are safe and DNS records cannot be spoofed.
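The following is an added example, not code from the DNSSEC Validator add-on, showing at the DNS wire level what the key colours in the Help section and the AD-bit reliance in this answer mean in practice: a query is sent with the EDNS0 DO (DNSSEC OK) bit, and the resolver's answer is inspected for the AD (Authenticated Data) bit, the RCODE and the presence of RRSIG records. The mapping from answer to key colour is an interpretation of the help text above, not the add-on's own logic, and the sample responses are constructed, not captured traffic. Because the AD bit is a single header flag set by the resolver, anything that can alter packets between your computer and the resolver can set or clear it, which is why this answer ties safety to a protected path or a local resolver.

```python
"""Wire-level illustration of DO/AD handling behind the four key colours.
Added example, not the add-on's code; colour mapping is an assumption."""
import socket
import struct

RCODE_SERVFAIL = 2
TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
CLASS_IN = 1
FLAG_AD = 0x0020    # AD bit in the header flags word (bit 5)
EDNS_DO = 0x8000    # DO bit in the OPT record's 32-bit TTL field


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, txid=0x1234):
    """RD query plus an OPT RR (UDP size 4096, DO set) so the resolver returns
    RRSIGs and, if it validates, the AD bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt


def skip_name(wire, off):
    """Offset just past the name at off; a 0xC0 compression pointer ends it."""
    while True:
        length = wire[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_response(wire):
    """Return (rcode, ad_set, answer_rr_types) from a response message."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", wire, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(wire, off) + 4          # QTYPE + QCLASS
    types = []
    for _ in range(an):
        off = skip_name(wire, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", wire, off)
        off += 10 + rdlen
        types.append(rtype)
    return flags & 0x000F, bool(flags & FLAG_AD), types


def key_colour(rcode, ad_set, answer_types):
    """Assumed mapping: SERVFAIL -> red (validation failed), AD set -> green
    (validated), RRSIG but no AD -> orange (signed, not validated), else grey."""
    if rcode == RCODE_SERVFAIL:
        return "red"
    if ad_set:
        return "green"
    if TYPE_RRSIG in answer_types:
        return "orange"
    return "grey"


def classify_wire(wire):
    return key_colour(*parse_response(wire))


def classify_live(name, resolver_ip, timeout=3.0):
    """Query a resolver of your choice over UDP and classify its answer.
    The AD bit is only meaningful if the path to that resolver is protected
    or the resolver is local, as the FAQ answer above states."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        wire, _ = s.recvfrom(4096)
    return classify_wire(wire)


def _constructed_response(flags, answers, name="www.example.test"):
    """Constructed response; answer owner names use a compression pointer
    (0xC00C) back to the question name at offset 12."""
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    body = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    for rtype, rdata in answers:
        body += b"\xC0\x0C" + struct.pack("!HHIH", rtype, CLASS_IN, 300, len(rdata)) + rdata
    return header + body


A_RDATA = bytes([192, 0, 2, 10])        # constructed TEST-NET-2 address
RRSIG_RDATA = b"\x00" * 18              # placeholder rdata, not a real signature
SAMPLES = {                             # QR|RD|RA = 0x8180; AD adds 0x20; RCODE 2 = SERVFAIL
    "green": _constructed_response(0x81A0, [(TYPE_A, A_RDATA), (TYPE_RRSIG, RRSIG_RDATA)]),
    "orange": _constructed_response(0x8180, [(TYPE_A, A_RDATA), (TYPE_RRSIG, RRSIG_RDATA)]),
    "grey": _constructed_response(0x8180, [(TYPE_A, A_RDATA)]),
    "red": _constructed_response(0x8182, []),
}

if __name__ == "__main__":
    for expected, wire in SAMPLES.items():
        print(expected, "->", classify_wire(wire))
```

`classify_live("www.dnssec.cz", "<your resolver IP>")` runs the same logic against a real resolver; with a validating resolver and a protected path you should see the same green, red and orange results the test domains in the previous answer describe.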

Where can I configure Trust Anchors (trusted keys)?

Since DNSSEC Validator does not perform Chain of Trust (CoT) validation itself and relies on the resolver's AD bit, you need to manage all keys directly in the resolver's configuration.

Where can I find more information about the add-on?

More information, especially technical details, can be found on the CZ.NIC Labs project page. It contains detailed information on how to configure the add-on, a link to the source code, user support, etc.