For a general description of the features made available in
Bloodhound and for screenshots describing these features,
please see this
Bloodhound adds local DNSSEC validation support. This means
that DNSSEC validation status information for all names
looked up while loading a web page is determined within the
browser itself (as opposed to on a validating recursive name
server elsewhere on the network). This provides more
assurance that the DNSSEC responses were not tampered with
between the points where they were validated and where they
were used. Enabling local validation is especially useful in
the context of protocols such as DANE, where
information validated using DNSSEC is used as a trust anchor
bootstrapping mechanism within other protocols.
Since DNSSEC adds some overhead in the number of additional
lookups that must be performed in order to validate DNS
responses, Bloodhound uses the asynchronous lookup capability
in dnsval to speed up this operation. With this feature
Bloodhound is able to perform a number of lookup operations in
parallel without the need to spawn additional threads.
By default, Bloodhound will use a pre-configured validation
policy, but you may override it by defining your own validator
configuration in /usr/local/opt/etc/dnssec-tools/dnsval.conf.
For instance, the in-built validator configuration file does
not have DLV enabled, so you could enable DLV configuration in
your custom validator configuration file as described here.
By default, Bloodhound will look at the /etc/resolv.conf file
for recursive name server information. If name servers in
/etc/resolv.conf are not DNSSEC-capable, Bloodhound will try
to work around the problem by doing iterative queries from
Root to fetch the right set of data. However, depending on the
specific failure and how broken the environment is, this
fallback technique may or may not work. You can define a new
resolv.conf file in
/usr/local/opt/etc/dnssec-tools/resolv.conf to have Bloodhound
use a different recursive name server if necessary. If you
define an "empty" resolv.conf file (size = 0) in
/usr/local/opt/etc/dnssec-tools/resolv.conf Bloodhound will
use the iterative lookup process for all query resolutions,
caching results internally where necessary.
The DNSSEC-Status extension for Bloodhound (also available
from the download
page) will listen for DNSSEC-related events generated by
Bloodhound and will provide appropriate messages to the user
when it detects validation errors. For further information
please see this
The DANE implementation originally started out as an
extension to Matt McCutchen's patch
but has changed significantly since then.
DANE support in Bloodhound is enabled through the DNSSEC-Tools dnsval package, specifically the libval and libsres libraries. DANE support is still under development and should be considered experimental for now.
For a list of DANE test sites please see this page from the Deploy360 effort. Note that the DANE TLSA record for some of these websites can only be validated using DLV, so ensure that DLV is enabled in your validator configuration file as described here.
This work was funded in part by the U.S. Department of
Homeland Security/Science & Technology (S&T).
Please read the COPYING file distributed with the
dnssec-tools package for copyright and general disclaimer
Bloodhound is an experimental piece of software. It is being
provided to the community in order to encourage further
discussion on the need for DNSSEC validation within
applications, demonstrate innovative ways to use DNSSEC (such
as within the DANE protocol), and ways to communicate DNSSEC
related errors to the user.
Bloodhound is a re-branded and patched version of the Mozilla
Firefox browser. That is, it contains changes to the
Firefox code-base that result in new code paths, and
consequently increases the potential for new bugs. While we
will try and make periodic updates to Bloodhound available, it
is important to note that the version of Bloodhound made
available on our website may not always be in sync with the
latest patched version of Firefox. Please visit the Mozilla website if you are
looking for the latest version of Firefox.