How do I enable DNSSec on OSX? (Or DNSCurve)

security network dns encryption osx-server

I want to support encrypted IPSec communications, and DANE certs in DNS. Notably, DNSSSec is a prerequisite is IPSec (secure IP addresses from DNS)

How can I configure my OS X computer to use DNSSec when available, and to refuse incorrect responses.

I understand that DNSSec is best done on a server, and have your workstation point to THAT, however, this also applies to OS X Server.


Solution 1:

You should install unbound and have that be your dns resolver on Mac OS X. Unbound supports DNSSEC. Next, you need whatever apps you want to use, to be aware of and respect the results of the DNSSEC validation that unbound does. As an example, SSH can use DNSSEC along with SSHFP to validate the fingerprint of the server that you are connecting to.

Here is a blog post that details how to install unbound. https://spatof.org/blog/2013/8/unbound-on-osx/

As to having IPSec using DANE, I believe that is still something that it being worked out. https://datatracker.ietf.org/doc/html/draft-osterweil-dane-ipsec-02

Related

How do I depend on a specific version of a homebrew formula
Simultaneous left and right click with trackpad
WhatsApp Web in Fluid throws JavaScript exception
Shuffle by album on iOS-devices?
iCloud Photo Library not fully syncing on iOS
Cannot turn on Bluetooth - Exhausted all options [duplicate]
How to register AppleScript as default web browser in Yosemite?
How to disable calling back from notification when iPhone is locked?
Preview print dialog defaults to Scale to Fit or Print Entire Image
Safari cannot be forced to quit
Set custom date format on iOS
does WiFi Assist of iOS 9 work when cellular data is turned off?