DNSSEC in Fedora-11: Enable or Disable?

Hi people,

Adam Tkac and I maintain the two recursive nameservers in Fedora. We need
to decide before the beta freeze whether we want recursing caching
nameservers to enable or disable DNSSEC by default.

For some details on how this is implemented, please see:
http://fedoraproject.org/wiki/Features/DNSSEC

There are two questions:

For Fedora-11:

1) Should we enable DNSSEC when a recursing nameserver is installed?
2) If we do, should we enable DLV support?
   (The only real DLV being http://dlv.isc.org/)

DNSSEC software has been run for a long time. It is mature, stable and
runs in production on many systems, including Fedora. What's been slow
has been the signing of the root and TLD deployments. This however,
is quickly gaining speed. A few days ago .gov was signed into production.
With the root not signed, key management is the hardest part of DNSSEC,
but we now have the required packages in Fedora to distribute and update
these.

Pros:
- It adds much needed security to DNS
- Newly installed resolvers would use DNSSEC out of the box with all
  known DNSSEC keys preconfigured. These closely resemble the current
  ICANN/IANA Trust Anchor Repository at https://itar.iana.org/
- TLD Key management is taken care of (via autotrust and dnssec-conf)
- DLV will allow every DNS administrator to start taking advantage of
  DNSSEC - even within unsigned TLDs such as .com and .org.
- Everyone can start using SSHFP records with their ssh client.
- Fedora contains all the tools to create and serve signed zones already.
  (bind, bind-utils, ldns)
- Fedora contains two DNSSEC capable resolvers (bind and unbound) and
  libraries to add DNSSEC to applications (bind or unbound-libs)
- Trivial to enable/disable dnssec-configure (and soon system-config-dnssec)
- Bind and Unbound are both very stable DNSSEC capable resolvers.
- Fedora shows it is a front runner when it comes to deploying new
  technology :)
- It will make many TLDs, DNSSEC people, and the .gov people very happy.

Cons:
- It's perhaps technically too late for feature freeze. Though we are not
  talking about putting new code in, just flipping a switch. So we could
  do this in time for beta freeze.
- Support for using DNSSEC forwarders for end users via NetworkManager is
  not yet done (though support for on-the-fly reconfiguring forwarders
  was added to unbound in preparation for this already). So using DNSSEC
  via a resolv.conf using localhost for desktops/laptop clients is not
  ready yet.
- DNSSEC requires EDNS0 and stupid firewall administrators might be blocking
  TCP port 53 and UDP packets > 512 bytes, possibly causing DNS problems if
  these are located in front of DNSSEC capable resolvers.
- Some NAT router brands drop DNS packets with DNSSEC options enabled. If
  using a cheap NAT router as forwarder for your DNSSEC enabled Fedora
  machine, DNS connectivity might cause intermittent problems.

Both Adam and I think we are ready to enable DNSSEC by default for
those Fedora installs that install a recursive nameserver.

The DLV has not been very active yet. Likely it contains many keys that
DNS administrators once submitted but then forgot about. Those people
would lose their domains when DLV is used, and could wrongly blame
Fedora for that. I would recommend leaving the DLV disabled for now.

Though in the future, I would like to see all Fedora installs use a
local DNSSEC nameserver using the DNS servers presented by
NetworkManager as forwarders, I would not recommend doing that at this point.

Please, let me know what you think. Feel free to ask any questions. I
would like to hear what people think, and then we can make a collective
decision on how to proceed.

Paul

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
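As an added example (not from the post above, nor from the bind or unbound projects), the Python below shows what "DNSSEC requires EDNS0" means on the wire: it builds a query carrying an EDNS0 OPT record with the DO bit, and reads from a reply the three things to check when a firewall or NAT router is suspected of mangling DNSSEC traffic: the AD flag (validated), the TC flag (truncated, so the resolver must retry over TCP port 53) and whether the OPT record came back at all. The reply bytes and the name example.gov are constructed for the demonstration.

```python
import struct

# DNS header flag bits (RFC 1035) and the EDNS0 DO bit (RFC 4035, section 3.2.1)
QR, TC, RD, RA, AD = 0x8000, 0x0200, 0x0100, 0x0080, 0x0020
OPT_TYPE, DO_BIT = 41, 0x8000

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".") if name.rstrip(".") else []
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_dnssec_query(name, qtype=1, txid=0x1234, bufsize=4096):
    """RD query plus an EDNS0 OPT pseudo-record announcing the UDP payload
    size we accept (> 512 bytes) and the DO bit, which asks for RRSIG data."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 1)   # qd=1, ar=1 (the OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE 41, CLASS = UDP size, TTL = ext-rcode/version/flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, bufsize, DO_BIT, 0)
    return header + question + opt

def skip_name(pkt, pos):
    """Advance past a domain name, including a two-byte compression pointer."""
    while True:
        length = pkt[pos]
        if length & 0xC0 == 0xC0:
            return pos + 2
        if length == 0:
            return pos + 1
        pos += 1 + length

def inspect_response(pkt):
    """Report AD (validated), TC (truncated, retry over TCP) and whether an OPT
    record survived the path; a middlebox stripping EDNS0 breaks DNSSEC lookups."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(pkt, pos) + 4            # QTYPE + QCLASS
    edns, do = False, False
    for _ in range(an + ns + ar):
        pos = skip_name(pkt, pos)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", pkt[pos:pos + 10])
        if rtype == OPT_TYPE:
            edns, do = True, bool(ttl & DO_BIT)
        pos += 10 + rdlen
    return {"ad": bool(flags & AD), "tc": bool(flags & TC), "edns": edns, "do": do}

# Constructed reply (not a capture): validated A answer for example.gov plus an OPT record
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0x1234, QR | RD | RA | AD, 1, 1, 0, 1)
                + encode_name("example.gov") + struct.pack("!HH", 1, 1)
                + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1])
                + b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, DO_BIT, 0))
```

A reply with tc set and no OPT record, against a query like the one built here, is the signature of a path that drops EDNS0 or large UDP answers.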
