Vantages: Trust-Anchor Learning and Verification Tutorial
Internet Research Lab, Colorado State



Vantaged tutorial

This tutorial shows how to set up the DNSKEY learning and verification application in your vantaged daemon, how to configure it to learn keys automatically, and how to add your own keys.
Note: everything below assumes that you already have Vantages installed on your machine.



Setting up vantaged.conf:

First, make sure vantaged (the Vantages daemon) is not running. On Linux the easiest way to do this is to run the vantaged.sh.linux script that came with the software; the syntax is
          vantaged.sh.linux stop

Now let's edit the vantaged.conf file.
Uncomment the option 'dnskey_app_enabled = yes' if it is commented out. In an unaltered conf file this option should be on or near line 52.
If dnskey_app_enabled is set to 'no', change it to 'yes'. This enables the trust-anchor application of vantaged.

We also need a location for the trust-anchor file. The option for that is ta_file = ... (located around line 64);
uncomment this option and set it to a suitable location.

Setting up the auto-learning feature:
In the vantaged.conf file the following options need to be uncommented and set.
The options starting with dnskey_pcap_... are the ones we need to edit; there should be three of them, located around lines 84 to 99.

The options are:

  • dnskey_pcap_enable: This needs to be uncommented and set to yes for automatic learning of zones.

  • dnskey_pcap_dev: This option needs to be uncommented and set if the above is set to yes.
    The value you set for this key should be the interface on which vantaged overhears DNS queries to learn zones (such as the interface that your recursive resolver listens on). On Linux this will very often be:
              dnskey_pcap_dev = eth0

    On systems like FreeBSD, you may have to use ifconfig to see what the name of your interface is.
  • dnskey_pcap_program: This variable gives vantaged a libpcap "program" (filter expression) to run.
    libpcap will capture all the traffic that matches the "program".
    The example in the sample config file should suffice for almost all users:
              dnskey_pcap_program = udp port 53


Set the above three options for your system.
Now start up the vantaged daemon!
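Before starting the daemon it is worth confirming that the options from the steps above are actually set and consistent. The script below is an added example, not part of the Vantages distribution; it assumes only that vantaged.conf is a plain "key = value" file in which a leading "#" comments a line out (which is what the "uncomment" steps above imply). It reads the file, reports any option that is still commented out or missing, and checks that the ta_file directory is writable and that the capture interface exists.

```sh
#!/bin/sh
# Added example, not part of the Vantages distribution: check that the
# vantaged.conf options this tutorial enables are set consistently before
# starting the daemon. Assumption: vantaged.conf is a plain "key = value"
# file in which a leading "#" comments a line out (hence the tutorial's
# "uncomment" steps); that is all the parser below relies on.

# Print the value of KEY from CONF, skipping commented-out lines; empty if unset.
conf_get() {
    conf="$1"; key="$2"
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$conf" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# Return 0 if the settings are consistent for automatic key learning,
# 1 otherwise; each problem found is reported on stderr.
check_conf() {
    conf="$1"; status=0
    app=$(conf_get "$conf" dnskey_app_enabled)
    if [ "$app" != "yes" ]; then
        echo "dnskey_app_enabled must be yes (found '${app:-unset}')" >&2; status=1
    fi
    ta=$(conf_get "$conf" ta_file)
    if [ -z "$ta" ]; then
        echo "ta_file is not set" >&2; status=1
    elif [ ! -d "$(dirname "$ta")" ] || [ ! -w "$(dirname "$ta")" ]; then
        echo "directory for ta_file '$ta' is missing or not writable" >&2; status=1
    fi
    if [ "$(conf_get "$conf" dnskey_pcap_enable)" = "yes" ]; then
        dev=$(conf_get "$conf" dnskey_pcap_dev)
        if [ -z "$dev" ]; then
            echo "dnskey_pcap_dev must be set when dnskey_pcap_enable = yes" >&2; status=1
        elif [ -d /sys/class/net ] && [ ! -e "/sys/class/net/$dev" ]; then
            # Linux only: the interface vantaged should listen on must exist
            echo "interface '$dev' does not exist on this host" >&2; status=1
        fi
        if [ -z "$(conf_get "$conf" dnskey_pcap_program)" ]; then
            echo "dnskey_pcap_program must be set when dnskey_pcap_enable = yes" >&2; status=1
        fi
    fi
    return $status
}

# Demonstration on a constructed vantaged.conf in a temporary directory.
# "lo" is used so the demo runs anywhere; on a real host use the interface
# your resolver listens on (the tutorial's example is eth0).
tmp=$(mktemp -d)
cat > "$tmp/vantaged.conf" <<EOF
# dnskey_app_enabled = yes
ta_file = $tmp/trust-anchors.conf
dnskey_pcap_enable = yes
dnskey_pcap_dev = lo
dnskey_pcap_program = udp port 53
EOF
echo "with dnskey_app_enabled still commented out:"
check_conf "$tmp/vantaged.conf" || echo "  -> not ready; fix the settings reported above"

sed 's/^# dnskey_app_enabled/dnskey_app_enabled/' "$tmp/vantaged.conf" > "$tmp/fixed.conf"
echo "after uncommenting it:"
check_conf "$tmp/fixed.conf" && echo "  -> vantaged.conf looks ready; start the daemon"
rm -rf "$tmp"
```

Run it as `check_conf /path/to/vantaged.conf` (after sourcing the file) or adapt the demonstration section to point at your real configuration; a non-zero exit status means at least one of the options from this section still needs attention.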



Admin Website Interface

Now let's start using the web front end of vantaged.
Open a web browser and point it at the system that is running vantaged.
For this example I'll be using localhost (127.0.0.1), so I'll point my browser to
      127.0.0.1:9080/dnskey-admin
In general you enter something like the following into your browser:
     [yourbox]:9080/dnskey-admin
When you do this you should see the main dnskey-admin website, which looks like the screen shot to the right.

Note: If you don't want just anyone accessing your dnskey-admin page, uncomment the following option in the vantaged.conf file.
dnskey_admin_pass should point to an htdigest file for password protecting the dnskey-admin web front end. Note: an htdigest file can be generated with Apache's command-line tool:
     htdigest
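Apache's tool is invoked as `htdigest -c <file> <realm> <user>` (drop `-c` when adding to an existing file). The script below is an added example, not part of Vantages or Apache, for machines where that tool is not installed: it writes and verifies entries in the standard htdigest format, where each line is `user:realm:MD5(user:realm:password)`. The realm name "vantages" and the account in the demonstration are constructed values, not ones taken from the Vantages documentation.

```sh
#!/bin/sh
# Added example, not part of Vantages or Apache: build and verify entries in
# the htdigest file that the dnskey_admin_pass option points to, without
# needing Apache's htdigest binary installed.
# Assumption: the file uses the standard htdigest format, one
# "user:realm:MD5(user:realm:password)" line per account. "vantages" is a
# constructed realm name, not one from the Vantages documentation.

# MD5 hex digest of stdin; uses md5sum where present, otherwise openssl.
md5_hex() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum | cut -d' ' -f1
    else
        openssl dgst -md5 | sed 's/.*= //'
    fi
}

# Print one htdigest line for USER in REALM with PASSWORD.
htdigest_line() {
    user="$1"; realm="$2"; password="$3"
    hash=$(printf '%s:%s:%s' "$user" "$realm" "$password" | md5_hex)
    printf '%s:%s:%s\n' "$user" "$realm" "$hash"
}

# Return 0 if FILE contains a line for USER/REALM whose hash matches PASSWORD.
htdigest_verify() {
    file="$1"; user="$2"; realm="$3"; password="$4"
    expected=$(htdigest_line "$user" "$realm" "$password")
    grep -qxF "$expected" "$file"
}

# Demonstration with a constructed account in a temporary file.
demo_file=$(mktemp)
htdigest_line admin vantages 'correct horse battery staple' > "$demo_file"
htdigest_verify "$demo_file" admin vantages 'correct horse battery staple' && echo "password accepted"
htdigest_verify "$demo_file" admin vantages 'wrong' || echo "wrong password rejected"
rm -f "$demo_file"
```

To protect the admin page, write the output of `htdigest_line` to the file named by dnskey_admin_pass and make that file readable only by the user vantaged runs as; the digest is an unsalted MD5, so the file itself must be kept out of reach of other users on the machine.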

Submitting New Data: to manually add a zone for monitoring, use this link on the administrative page. The three main fields you should fill out are:
  • Name of zone: reminder, you need a '.' at the end of the zone name (example: somezone.edu.).

  • URL of zone: This field needs the following format. You can add zones to be polled over DNS or web pages that host DNSKEYs. For DNS queries, use a URL of the form (type 48 is the DNSKEY record type):
        dnssec:[zonename]?type=48

  • Scraper ID: This is a drop-down box of scraper IDs; pick the one most applicable.
    As you can see in the image below, I chose DNSSEC because I issued my query over DNS. If you specified a web link (such as SecSpider's web page), then you should use one of the built-in perl parsers, or specify your own perl script in the text area.
When you're done, click the "Insert" button at the bottom of the screen.
Your submit form should look something like this.



Building a Trust-Anchor file

From the main page click the link that reads "Trust-Anchor Config".
At this point you should see a page with two options that read
  • Unbound file (unbound is very resilient and able to support more types of DNSKEYs)
  • BIND file (most versions of bind do not function well with newer key algorithms).
and a "Set" button.

Pick the TA file format that will work best for you and click "Set";
a new trust-anchor file should be created in the location specified by your vantaged.conf.
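Before handing the generated file to a validator it is useful to see what it actually anchors: which zones have a key-signing key (DNSKEY flags 257, i.e. the SEP bit set) and which algorithm numbers appear, since the BIND caveat above is about newer algorithms. The script below is an added example, not Vantages code, and it assumes the file holds DNSKEY records in DNS presentation format (`zone. [TTL] IN DNSKEY flags protocol algorithm key`), which is what Unbound's trust-anchor-file option reads; if your generated file uses a different layout, adapt the awk field handling. The key material in the demonstration is dummy text, not real keys.

```sh
#!/bin/sh
# Added example, not part of Vantages: summarise the DNSKEY records in a
# generated trust-anchor file so you can see which zones have a key-signing
# key (flags 257, the SEP bit set) and which algorithms are in use.
# Assumption: the file holds DNSKEY records in DNS presentation format
# ("zone. [TTL] IN DNSKEY flags protocol algorithm key"), as Unbound's
# trust-anchor-file option reads; lines starting with ";" are comments.

# Print "zone flags role algorithm" for every DNSKEY record in FILE.
summarize_dnskeys() {
    awk '
        /^[ \t]*;/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "DNSKEY") {
                    # fields after the DNSKEY token: flags, protocol, algorithm, key
                    flags = $(i + 1); alg = $(i + 3)
                    role = (flags == 257) ? "KSK" : ((flags == 256) ? "ZSK" : "other")
                    print $1, flags, role, alg
                    break
                }
            }
        }' "$1"
}

# Count how many KSK anchors FILE holds for ZONE (0 means a validator
# would have nothing to anchor that zone with).
ksk_count() {
    summarize_dnskeys "$1" | awk -v z="$2" '$1 == z && $3 == "KSK" { n++ } END { print n + 0 }'
}

# Demonstration on a constructed file; the key material is dummy base64,
# not a real key.
demo=$(mktemp)
cat > "$demo" <<'EOF'
; constructed sample trust-anchor file
example.test.   3600 IN DNSKEY 257 3 8  AwEAAdummyKSKmaterial==
example.test.   3600 IN DNSKEY 256 3 8  AwEAAdummyZSKmaterial==
other.test.     3600 IN DNSKEY 257 3 13 dummyECDSAmaterial==
EOF
summarize_dnskeys "$demo"
echo "KSKs for example.test.: $(ksk_count "$demo" example.test.)"
rm -f "$demo"
```

Point `summarize_dnskeys` at the path you set in ta_file; a zone that shows only ZSK or "other" entries, or an algorithm number your validator does not support, is worth checking before you rely on that file.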


Adding friends

Adding friends is quite simple. If you have their GPG public key, all you have to do is click the "Friends" link from the dnskey-admin home page
and fill in the two fields:
  • Friend's Name: This should be an identifying name, like Bob
  • Friend's URL: this is the URL for your friend's Vantages site
    http://[bob's domain:Bob's port]/dnskey

  • Finally, paste the GPG public key into the text box given and click the "Add" button.


Once you have added a friend, your screen should look like this.




(Contact us at tools@netsec.colostate.edu)