How To Add DNSSEC Support To Google Chrome
DNSSEC provides a method to authenticate that you are in fact communicating with the site you think you are. It uses a “chain of trust” and digital signatures to check the validity of the information your computer receives from DNS.
But how can you as an end-user see whether the DNS information is correct?
If you are a user of the Google Chrome browser, the good news is that the team at CZ.NIC Labs have released a “DNSSEC Validator” extension for Chrome that is similar to the existing add-on for Firefox and available at:
You can also visit the Czech page at: https://labs.nic.cz/en/dnssec-chrome.html
After installation of the extension into Google Chrome, you’ll now see a green “key” icon whenever you browse to a website with DNSSEC enabled, such as www.internetsociety.org and this Deploy360 site:
Note that in a difference from the Firefox add-on, the key icon shows up on the right side of the address bar in Chrome. (The correct way of displaying this icon – or even whether to display any icon – is part of a larger discussion about what the best user experience is for DNSSEC.)
Installing the Add-on
Installation is very easy. You simply click the appropriate link for your operating system on the DNSSEC Validator Extension web page and the extension will start downloading. After you confirm that you want to install the extension, Chrome will go ahead with the installation:
After the installation is done you should be good to go. You do not need to restart Chrome.
In the best case, you should now just be able to go to a site like http://www.internetsociety.org/deploy360/ and see a nice green key in your address bar:
If, so, congratulations! You can now start browsing the web and Chrome will show you the DNSSEC status of any sites you visit.
If you don’t see a green key icon, read on…
Using a DNSSEC-aware DNS Resolver
Many of you may be seeing instead a key icon with a question mark and if you click on that icon, you’ll see this message:
The issue here is that your local DNS resolver does not support DNSSEC. When your browser wants to connect to a website, it uses your local DNS resolver to retrieve the information. However, that DNS resolver needs to understand DNSSEC in order to pass back to the browser the information needed for this Add-on to work.
You have a couple of options here. If you are more technically-inclined, you might want to consider installing a new local DNS resolver such as DNSSEC-Trigger to use on your system.
However, if you just want this Extension to start working without having to install additional software, the folks at CZnic Labs nicely provided a way to tell the Chrome Extension to use another DNS resolver.
In Chrome, go to the Windows menu and choose Extensions. You’ll then see a list of extensions you have installed, including the DNSSEC Validator:
If you click on the “Options” link, you will see a window indicating that you are using your system settings:
You can then choose the second choice of using CZ.NIC’s DNSSEC validating resolvers or the third choice of using OARC’s validating resolvers. After making this choice, you should now be able to refresh the window that had the Deploy360 site in it and you should now see the green key icon:
Congratulations! You can now browse the web and see any sites that are DNSSEC-enabled. (And, unfortunately, see all the sites that are not DNSSEC-enabled.)
Note that the third Preferences choice of “Custom” is what you would use if you wanted to point to another DNSSEC-aware resolver, including one that you might install on your own system
Other Address Bar Icons
Now ideally you’ll just be browsing around the web seeing these “green key” icons indicating that domains are properly secured – or seeing the icon with the red circle indicating that the site does not use DNSSEC. Note, too, that you can click on the green key icon in your address bar to get more information:
However, you may also see a number of other icons indicating various states of DNSSEC status. The DNSSEC-Validator page for Firefox shows the list of possible states – and these appear to be similar in the Chrome extension:
Obviously the icon you do NOT want to see is the red key indicating that there is a problem. But that, again, is really the point of DNSSEC – protecting you from attackers who might hijack a site’s DNS entries to point you to a malicious site of their own.
You can test this yourself by connecting to http://www.rhybar.cz/, a site that CZ.NIC Labs has set up deliberately with a broken DNSSEC signature:
Comcast has also set up a test site to test DNSSEC failure at http://www.dnssec-failed.org/.
Please see our other list of DNSSEC test sites at:
Getting More Information
This DNSSEC-Validator Extension for Chrome is a product of CZ.NIC Labs and they maintain this page about the extension:
There is a mailing list for those wanting to ask questions or report bugs and feature requests. For those wanting the actual source code there is a git repository from which you can pull the source code.
Kudos to the CZ.NIC Labs team for creating this add-on and making it so easy to use DNSSEC with now both Mozilla Firefox and Google Chrome.
NOTE: If you know of similar DNSSEC functionality either directly in other web browsers or available as an add-on/plugin/extension, please contact us as we would like to create similar tutorial documents for those browsers/add-ons. Thank you!
P.S. To get started with DNSSEC we encourage you to visit our Start Here page to find resources tailored to your type of organization or role.