How To Add DNSSEC Support To Google Chrome

DNSSEC provides a method to authenticate that you are in fact communicating with the site you think you are. It uses a “chain of trust” and digital signatures to check the validity of the information your computer receives from DNS.

But how can you as an end-user see whether the DNS information is correct?

If you are looking for information about how to secure TLS using the DANE protocol, please visit our DANE resource page.

If you are a user of the Google Chrome browser, the good news is that the team at CZ.NIC Labs have released a “DNSSEC Validator” extension for Chrome that is similar to the existing add-on for Firefox and available at:

https://chrome.google.com/webstore/search/dnssec

You can also visit the Czech page at: https://labs.nic.cz/en/dnssec-chrome.html

After installation of the extension into Google Chrome, you’ll now see a green “key” icon whenever you browse to a website with DNSSEC enabled, such as www.internetsociety.org and this Deploy360 site:

DNSSEC icon Chrome

Note that, unlike the Firefox add-on, the key icon shows up on the right side of the address bar in Chrome. (The correct way of displaying this icon – or even whether to display any icon – is part of a larger discussion about what the best user experience is for DNSSEC.)

Installing the Add-on

Installation is very easy. You simply click the appropriate link for your operating system on the DNSSEC Validator Extension web page and the extension will start downloading. After you confirm that you want to install the extension, Chrome will go ahead with the installation:

CZ NIC Labs  DNSSEC Validator extension for Google Chrome

After the installation is done you should be good to go. You do not need to restart Chrome.

In the best case, you should now just be able to go to a site like http://www.internetsociety.org/deploy360/ and see a nice green key in your address bar:

DNSSEC icon Chrome

If so, congratulations! You can now start browsing the web and Chrome will show you the DNSSEC status of any sites you visit.

If you don’t see a green key icon, read on…

Using a DNSSEC-aware DNS Resolver

Many of you may instead see a key icon with a question mark, and if you click on that icon, you’ll see this message:

Chrome dnssec error

The issue here is that your local DNS resolver does not support DNSSEC. When your browser wants to connect to a website, it uses your local DNS resolver to retrieve the information. However, that DNS resolver needs to understand DNSSEC in order to pass back to the browser the information needed for this Add-on to work.

You have a couple of options here. If you are more technically-inclined, you might want to consider installing a new local DNS resolver such as DNSSEC-Trigger to use on your system.

However, if you just want this Extension to start working without having to install additional software, the folks at CZ.NIC Labs nicely provided a way to tell the Chrome Extension to use another DNS resolver.

In Chrome, go to the Windows menu and choose Extensions. You’ll then see a list of extensions you have installed, including the DNSSEC Validator:

Chrome dnssec validator extension

If you click on the “Options” link, you will see a window indicating that you are using your system settings:

Chrome dnssec validator options 1

You can then choose the second choice of using CZ.NIC’s DNSSEC validating resolvers or the third choice of using OARC’s validating resolvers. After making this choice, you should now be able to refresh the window that had the Deploy360 site in it and you should now see the green key icon:

DNSSEC icon Chrome

Congratulations! You can now browse the web and see any sites that are DNSSEC-enabled. (And, unfortunately, see all the sites that are not DNSSEC-enabled.)

Note that the third Preferences choice of “Custom” is what you would use if you wanted to point to another DNSSEC-aware resolver, including one that you might install on your own system.

Other Address Bar Icons

Now ideally you’ll just be browsing around the web seeing these “green key” icons indicating that domains are properly secured – or seeing the icon with the red circle indicating that the site does not use DNSSEC. Note, too, that you can click on the green key icon in your address bar to get more information:

DNSSEC Validation Success

However, you may also see a number of other icons indicating various states of DNSSEC status. The DNSSEC-Validator page for Firefox shows the list of possible states – and these appear to be similar in the Chrome extension:

DNSSEC Validation Icon States

Obviously the icon you do NOT want to see is the red key indicating that there is a problem. But that, again, is really the point of DNSSEC – protecting you from attackers who might hijack a site’s DNS entries to point you to a malicious site of their own.

You can test this yourself by connecting to http://www.rhybar.cz/, a site that CZ.NIC Labs has set up deliberately with a broken DNSSEC signature:

Dnssec failed icon

Comcast has also set up a test site to test DNSSEC failure at http://www.dnssec-failed.org/.

Please see our other list of DNSSEC test sites at:

http://www.internetsociety.org/deploy360/resources/dnssec-test-sites/
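
To check outside the browser whether a resolver really validates, here is an added example (not code from CZ.NIC Labs or from this site): a validating resolver sets the AD flag on answers for correctly signed names and returns SERVFAIL for a deliberately broken one such as www.rhybar.cz. The sample headers are constructed, and the function names and the `resolver_ip` parameter are assumptions of this sketch.

```python
import socket
import struct

QR, AD, RCODE_MASK, SERVFAIL = 0x8000, 0x0020, 0x000F, 2

def build_query(name, txid, qtype=1):
    """DNS query (A record by default) with RD and AD set and EDNS0 DO=1."""
    header = struct.pack("!6H", txid, 0x0100 | AD, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    # OPT pseudo-record: root owner, TYPE 41, CLASS = UDP payload size,
    # TTL field carries the DO ("DNSSEC OK") bit as 0x8000, empty RDATA.
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x8000, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def classify(response, txid):
    """Read only the 12-byte header: AD flag and RCODE decide the verdict."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid or not (flags & QR):
        raise ValueError("not a response to our query")
    if (flags & RCODE_MASK) == SERVFAIL:
        return "bogus-or-error"  # validators answer SERVFAIL on bad signatures
    return "secure" if flags & AD else "insecure-or-unvalidated"

def resolver_validates(signed_resp, broken_resp, txid):
    """True only if a signed name is 'secure' AND a broken one is refused."""
    return (classify(signed_resp, txid) == "secure"
            and classify(broken_resp, txid) == "bogus-or-error")

def ask(resolver_ip, name, txid, timeout=3.0):
    """Send one UDP query to the resolver under test (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver_ip, 53))
        return s.recv(4096)

# Constructed sample headers (flags only, no records), not captured traffic.
TXID = 0x1234
def sample(flags):
    return struct.pack("!6H", TXID, flags, 1, 0, 0, 0)

VALIDATING = (sample(0x81A0), sample(0x8182))      # AD set / SERVFAIL
NON_VALIDATING = (sample(0x8180), sample(0x8180))  # no AD, broken name resolves

if __name__ == "__main__":
    print(resolver_validates(*VALIDATING, TXID))      # True
    print(resolver_validates(*NON_VALIDATING, TXID))  # False
```

SERVFAIL can also come from unrelated resolver failures, which is why the check pairs the broken test name with a correctly signed one instead of relying on either result alone.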

Getting More Information

This DNSSEC-Validator Extension for Chrome is a product of CZ.NIC Labs and they maintain this page about the extension:

https://labs.nic.cz/en/dnssec-chrome.html

There is a mailing list for those wanting to ask questions or report bugs and feature requests. For those wanting the actual source code there is a git repository from which you can pull the source code.

Kudos to the CZ.NIC Labs team for creating this add-on and making it so easy to use DNSSEC with both Mozilla Firefox and now Google Chrome.

NOTE: If you know of similar DNSSEC functionality either directly in other web browsers or available as an add-on/plugin/extension, please contact us as we would like to create similar tutorial documents for those browsers/add-ons. Thank you!

P.S. To get started with DNSSEC we encourage you to visit our Start Here page to find resources tailored to your type of organization or role.

January 18th, 2012 | Posted in DNSSEC, Tools | 8 Comments

8 Responses to How To Add DNSSEC Support To Google Chrome

  1. […] at CZ.NIC Labs have launched a DNSSEC validation extension for Internet Explorer similar to the Google Chrome DNSSEC extension and Mozilla Firefox DNSSEC Add-on they have previously released.  Details can be found at: […]

  2. […] At this time there are DNSSEC extensions for Firefox and Internet Explorer. There’s also a Chrome DNSSEC extension, which helps make it clearer when you’re visiting a site that’s been authenticated by […]

  3. Mitch B. says:

    the URL does not work now, should change to https://chrome.google.com/webstore/search/dnssec

  4. I am unable to install current chrome extension under Mac, the extension crashes all the time….

    I think that I am not the only one that has experienced this (a simple google search will tell you).

    As far as I know, Chrome developers are not keen on DNSSEC, so our last option is to get this extension working.

    Please don’t forget Mac users, and I hope a working DNSSEC plugin will soon be available for us….

  5. […] Chrome does not use DANE but uses an add-on [9] for support. Mozilla Firefox also uses an add-on [10] to check the existence and validity of […]

