Hi people,

Adam Tkac and I maintain the two recursive nameservers in Fedora. We need to decide before the beta freeze whether we want recursing caching nameservers to enable or disable DNSSEC by default. For some details on how this is implemented, please see:

http://fedoraproject.org/wiki/Features/DNSSEC

There are two questions. For Fedora 11:

1) Should we enable DNSSEC when a recursing nameserver is installed?
2) If we do, should we enable DLV support? (The only real DLV being http://dlv.isc.org/)

DNSSEC software has been run for a long time. It is mature, stable and runs in production on many systems, including Fedora. What has been slow is the signing of the root and TLD deployments. This, however, is quickly gaining speed. A few days ago .gov was signed into production. With the root not signed, key management is the hardest part of DNSSEC, but we now have the required packages in Fedora to distribute and update these.

Pros:

- It adds much needed security to DNS.
- Newly installed resolvers would use DNSSEC out of the box with all known DNSSEC keys preconfigured. These closely resemble the current ICANN/IANA Trust Anchor Repository at https://itar.iana.org/
- TLD key management is taken care of (via autotrust and dnssec-conf).
- DLV will allow every DNS administrator to start taking advantage of DNSSEC, even within unsigned TLDs such as .com and .org.
- Everyone can start using SSHFP records with their ssh client.
- Fedora already contains all the tools to create and serve signed zones (bind, bind-utils, ldns).
- Fedora contains two DNSSEC-capable resolvers (bind and unbound) and libraries to add DNSSEC to applications (bind or unbound-libs).
- Trivial to enable/disable with dnssec-configure (and soon system-config-dnssec).
- Bind and Unbound are both very stable DNSSEC-capable resolvers.
- Fedora shows it is a front runner when it comes to deploying new technology :)
- It will make many TLDs, DNSSEC people, and the .gov people very happy.

Cons:

- It's perhaps technically too late for feature freeze, though we are not talking about putting new code in, just flipping a switch. So we could do this in time for beta freeze.
- Support for using DNSSEC forwarders for end users via NetworkManager is not yet done (though support for on-the-fly reconfiguring of forwarders was added to unbound in preparation for this already). So using DNSSEC via a resolv.conf pointing at localhost for desktop/laptop clients is not ready yet.
- DNSSEC requires EDNS0, and stupid firewall administrators might be blocking TCP port 53 and UDP packets > 512 bytes, possibly causing DNS problems if these are located in front of DNSSEC-capable resolvers.
- Some NAT router brands drop DNS packets with DNSSEC options enabled. If using a cheap NAT router as forwarder for your DNSSEC-enabled Fedora machine, DNS connectivity might have intermittent problems.

Both Adam and I think we are ready to enable DNSSEC by default for those Fedora installs that install a recursive nameserver.

The DLV has not been very active yet. Likely it contains many keys that DNS administrators once submitted but then forgot about. Those people would lose their domains when DLV is used, and could wrongly blame Fedora for that. I would recommend leaving the DLV disabled for now.

Though in the future I would like to see all Fedora installs use a local DNSSEC nameserver using the DNS servers presented by NetworkManager as forwarders, I would not recommend doing that at this point.

Please let me know what you think. Feel free to ask any questions. I would like to hear what people think, and then we can make a collective decision on how to proceed.

Paul

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
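The "Cons" above describe the failure modes an administrator hits after flipping the switch: a firewall dropping UDP replies larger than 512 bytes or TCP/53, or a NAT box stripping EDNS0. The following is an added example (not code from the post, nor from bind or unbound) showing what those failures look like on the wire. It builds the EDNS0 query with the DO bit that a DNSSEC-aware resolver sends, and decodes the reply: the TC flag means the answer did not fit the advertised UDP size and must be retried over TCP/53; a missing OPT RR means something in the path discarded EDNS0; the AD flag means the validating resolver vouched for the data. The resolver address, the query name and the sample reply are constructed for the example; `probe()` needs a live resolver and is only used when the script is run directly.

```python
"""EDNS0/DNSSEC path check: build a DO-bit query, decode resolver flags.

Added example, not code from the Fedora post or from bind/unbound.
The probe target, query name and sample reply are constructed."""
import socket
import struct

DO_BIT = 0x8000      # EDNS0 "DNSSEC OK" flag, top bit of the OPT RR TTL field
TYPE_OPT = 41        # OPT pseudo-RR type used for EDNS0


def encode_name(name):
    """Wire-encode a hostname as length-prefixed labels plus the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, txid=0x1234, udp_size=4096, do=True):
    """Standard RD query with one question and an OPT RR advertising
    udp_size bytes of UDP payload and, optionally, the DO bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt_ttl = DO_BIT if do else 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, opt_ttl, 0)
    return header + question + opt


def skip_name(data, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        ln = data[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + ln


def parse_response(data):
    """Decode header flags and the OPT RR (if present) of a raw DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    info = {
        "id": txid,
        "tc": bool(flags & 0x0200),   # truncated: client must retry over TCP
        "ad": bool(flags & 0x0020),   # authenticated data: validation succeeded
        "rcode": flags & 0x000F,
        "answers": an,
        "opt": None,
    }
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        if rtype == TYPE_OPT:                    # CLASS carries the UDP size
            info["opt"] = {"udp_size": rclass, "do": bool(ttl & DO_BIT)}
        off += 10 + rdlen
    return info


def assess(info):
    """Classify what the path did with our DNSSEC-enabled query."""
    if info["tc"]:
        return "truncated: retry over TCP/53 (blocked TCP breaks DNSSEC here)"
    if info["opt"] is None:
        return "no OPT RR returned: EDNS0 stripped or unsupported upstream"
    if info["ad"]:
        return "validated: resolver returned AD"
    return "edns ok, no AD: zone unsigned, trust anchor missing, or validation off"


def probe(resolver_ip, name="example.com.", timeout=3.0):
    """Live UDP probe against a resolver (network required; not run offline)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


def constructed_response(query, ad=True, tc=False, include_opt=True):
    """Fake resolver reply: echoes the query's question, adds one A record
    (qname via compression pointer) and optionally an OPT RR. Constructed
    for this example, not captured traffic."""
    txid = struct.unpack("!H", query[:2])[0]
    qend = skip_name(query, 12) + 4
    flags = 0x8180 | (0x0200 if tc else 0) | (0x0020 if ad else 0)  # QR, RD, RA
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 1 if include_opt else 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    opt = (b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_BIT, 0)) if include_opt else b""
    return header + query[12:qend] + answer + opt


if __name__ == "__main__":
    q = build_query("example.com.")
    for kwargs in ({}, {"tc": True}, {"include_opt": False}, {"ad": False}):
        print(assess(parse_response(constructed_response(q, **kwargs))))
```

Run directly it walks through the four constructed outcomes; pointed at a local bind or unbound with `probe("127.0.0.1")` it reports which of the "Cons" actually applies on that machine. The `udp_size` of 4096 is deliberately above the 512-byte limit the post mentions, so a path that only passes classic DNS shows up as truncation or a dropped reply rather than silently working.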