(Change announced on 2014-03-26) |
(Change accepted by FESCo on 2014-04-02 meeting) |
||
(One intermediate revision by the same user not shown) | |||
Line 140: | Line 140: | ||
'''To be completed by the Change Freeze!''' | '''To be completed by the Change Freeze!''' | ||
[[Category: | [[Category:ChangeAcceptedF21]] | ||
<!-- [[Category:ChangePageIncomplete]] --> | <!-- [[Category:ChangePageIncomplete]] --> | ||
<!-- When your change proposal page is completed and ready for review and announcement --> | <!-- When your change proposal page is completed and ready for review and announcement --> |
Latest revision as of 13:27, 3 April 2014
DNSSEC support for FreeIPA
Summary
FreeIPA with integrated DNS server will support serving of DNSSEC secured zones and automatic DNSSEC key maintenance.
This first version will have only the very basic functionality with limited user interface and limited resiliency. Next versions (to be delivered in Fedora 22 time frame) will improve resiliency and user interface significantly.
Owner
- Name: Petr Špaček
- Email: pspacek@redhat.com
- Release notes owner: <To be assigned by docs team>
Current status
- Targeted release: Fedora 21 This feature was re-targeted to Fedora 21!
- Last updated: 2014-03-20
- Tracker bug: #998522
Detailed Description
DNS server integrated to FreeIPA in Fedora 20 is not able to serve signed DNS zones. New version of FreeIPA and bind-dyndb-ldap adds support for DNSSEC. Zone maintenance (like perioding zone re-signing etc.) will be handled automatically, so the administrative overhead should be minimal.
Benefit to Fedora
Environments with FreeIPA server with integrated DNS will be resilient against DNS spoofing attacks if DNSSEC support if enabled on servers and clients.
Scope
This change requires major rewrite of bind-dyndb-ldap package, some isolated changes in packages freeipa* and it's integration with OpenDNSSEC for key rotation.
- Other developers: FreeIPA team has to prepare user interface for this feature. (not a System Wide Change)
- Release engineering: N/A (not a System Wide Change)
- Policies and guidelines: N/A (not a System Wide Change)
Upgrade/compatibility impact
DNS zones created with an older version of FreeIPA/bind-dyndb-ldap will continue to work. User has to explicitly enable DNSSEC for each DNS zone.
How To Test
0. What special hardware / data / etc. is needed (if any)?
- None.
1. How do I prepare my system to test this change? What packages need to be installed, config files edited, etc.?
- Necessary utilities will be part of
freeipa-admintools
packages. - Use FreeIPA's user interface to create a DNS zone (e.g.
example.test.
). - Then you need to put DS records to parent DNS zone (e.g.
test.
).
2. What specific actions do I perform to check that the change is working like it's supposed to?
- Now all standard DNSSEC utilities can be used for signature validation. E.g. http://backreference.org/2010/11/17/dnssec-verification-with-dig/
- An alternative is to use the
drill
utility (from packageldns
) to check that signed DNS zones have correct signatures.
3. What are the expected results of those actions?
- E.g. command
drill -S example.test.
should produce message;; Chase successful
. - Signatures are maintained after changes done via FreeIPA CLI (
ipa dnsrecord-mod
command) or FreeIPA WebUI.
User Experience
FreeIPA's user interface will be extended. There will be a new option to enable/disable DNSSEC for particular DNS zone.
Note that user interface will be very limited in this first version. More advanced user interface will be provided in Fedora 22 time frame.
Dependencies
FreeIPA packages have to be updated to provide user interface for DNSSEC key management etc. Required changes should be relatively small and isolated. Feature owner is member of FreeIPA team so coordination should be relatively simple.
Contingency Plan
- Contingency mechanism: Do not expose new feature in FreeIPA's user interface (i.e. revert patches for user interface)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? No
Documentation
- Design document for DNSSEC support in bind-dyndb-ldap. The document references discussions, standards etc.
Release Notes
To be completed by the Change Freeze!