Hackathon at TNW-2014

At NLnet Labs we believe that DNSSEC allows for security innovations that will change the global security and privacy landscape.



By Wouter Wijngaards and Olaf Kolkman

Context

Innovations like DANE, a technology that allows people to use the global DNS to bootstrap an encrypted channel, are only the start of currently unimaginable technical innovation.

The deployment of DNSSEC is a typical collective action problem and we are trying to make a difference by providing the tools that help to reduce costs or bring value for those who want to provision, provide, and use secured DNS data.

The GETDNS API plays in that space. It is an attempt to provide applications a tool to get DNSSEC information that will aid the improvement of security and privacy.

The GETDNS API

The GETDNS API is an API description designed by application developers for accessing DNS asynchronously with DNSSEC and DANE functionality. The GETDNS API is implemented in a collaborative effort by Verisign and NLnet Labs in the getdns library.

The TNW 2014 conference in Amsterdam, the Netherlands, hosted a Hack Battle this year. Participants made ‘hacks’ (apps or tools) using the provided APIs and their own tools, and competed in this contest. The contest ran for 36 hours and, with 146 participants, produced a number of contest entries. Verisign Labs and NLnet Labs promoted the use of the GETDNS.API library for DNSSEC, security, privacy and DANE implementation. This library, and thus the API, was available to the participants. In the contest, the C API, the node.js API and the python API were available.

Four entries were made using the GETDNS.API; those participants received GetDNS T-shirts. The other teams in the Hack Battle can be viewed here.

The presentations of the teams are on video, youtube link.

verify’EM

By Ruslan Mavlyutov, Arvind Narayanan and Bhavna Soman.

This entry created a plugin for Thunderbird, in python, that checks the DNSSEC credentials of the DKIM record associated with an email. The user can see the status of the email.

This entry won the prize given by NLnet Labs (Raspberry Pi™ kits)!

hackerleague link

Bootstrapping Trust with DANE

By Sathya Gunasekaran and Iain Learmonth.

This entry adds DNSSEC-secured OTR-key lookups to the python-based gajim XMPP client. This project allows people who use OTR in their jabber client to check if the fingerprint of a key matches the fingerprints published in the DNS. They built a python library that uses getdnsapi to fetch OTR, openPGP and S/MIME fingerprints.

This team was interviewed by the Dutch Tweakers website, video link.

Github python dnskeys library link.

Github gajim branch.

DANE Doctor

By Hynek Schlawack and Richard Wall.

This entry is a website for debugging DANE. It shows diagnostics and highlights errors.

They also integrated the python bindings for getdns with the asynchronous python framework Twisted. They hope to be able to contribute this as a DANE-enabled TLS client API to the Twisted framework.

Github link.

DNSSEC name and shame!

By Tom Cuddy and Joel Purra.

This entry wants to highlight which contest sponsors do the right thing to protect DNS data and shame the ones that do it wrong.

This team won the prize given by PayPal, because of the importance of protecting DNS data.

Github link and website link.


The GETDNS API specification is edited by Paul Hoffman. Verisign Labs and NLnet Labs are cooperating on the implementation of the API using code and expertise from the Unbound and ldns projects. The getdnsapi implementation website, twitter.
