From Fedora Project Wiki
No edit summary
No edit summary
Line 3: Line 3:


== Summary ==
== Summary ==
DNSSEC (DNS SECurity) is mechanism which can prove integrity and autenticity of DNS data. It became important after new DNS poisonning attacks which were found recently. The most widely used servers should be DNSSEC aware by default (bind, nsd, unbound)
DNSSEC (DNS SECurity) is mechanism which can prove integrity and autenticity of DNS data. It became important after new DNS poisonning attacks which were found recently. The most widely used servers should be DNSSEC aware by default (bind, unbound)


== Owner ==
== Owner ==
Line 13: Line 13:
== Current status ==
== Current status ==
* Targeted release: [[Releases/{{FedoraVersion||next}} | {{FedoraVersion|long|next}} ]]  
* Targeted release: [[Releases/{{FedoraVersion||next}} | {{FedoraVersion|long|next}} ]]  
* Last updated: (DATE)
* Last updated: 2008-12-02
* Percentage of completion: XX%
* Percentage of completion: 10%


<!-- CHANGE THE "FedoraVersion" TEMPLATES ABOVE TO PLAIN NUMBERS WHEN YOU COMPLETE YOUR PAGE. -->
== Detailed Description ==
Important servers already support DNSSEC. Main problem is key distribution.


== Detailed Description ==
Those problems has to be solved:
<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
* supply initial set of DNSSEC keys
* allow to use ISC DLV registry
* support for automated updates of DNSSEC trust anchors


== Benefit to Fedora ==
== Benefit to Fedora ==
<!-- What is the benefit to the platform?  If this is a major capability update, what has changed?  If this is a new feature, what capabilities does it bring? Why will Fedora become a better distribution or project because of this feature?-->
Our servers will be "invulnerable" against cache poisonning, spoofing and other known DNS attacks


== Scope ==
== Scope ==
<!-- What work do the developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
- create and add package which will supply initial set of DNSSEC keys
- enable DNSSEC in bind and unbound default configurations and include supplied DNSSEC keys
- add "autotrust" tool which is implementation of RFC 5011 - Automated Updates of DNS Security (DNSSEC) Trust Anchors
- create commandline tool which will easily enable/disable DNSSEC and which allows to switch between DLV and supplied DNSSEC keys (= trust anchors)


== How To Test ==
== How To Test ==
<!-- This does not need to be a full-fledged document.  Describe the dimensions of tests that this feature is expected to pass when it is done.  If it needs to be tested with different hardware or software configurations, indicate them.  The QA team will turn this information into a more complete test plan.  The more specific you can be, the better the final test plan will be.
Check that DNSSEC aware servers work fine
 
Remember that you are writing this test plan for interested testers to use to check out your feature - documenting what you do for testing is OK, but it's much better to document what *I* can do to test your feature.
 
A good Test Plan should answer these four questions:
 
0. What special hardware / data / etc. is needed (if any)?
1. How do I prepare my system to test this feature? What packages
need to be installed, config files edited, etc.?
2. What specific actions do I perform to check that the feature is
working like it's supposed to?
3. What are the expected results of those actions?
 
-->


== User Experience ==
== User Experience ==
<!-- If this feature is noticeable by its target audience, how will their experiences change as a result?  Describe what they will see or notice. -->
Easy setup and maintenance of DNSSEC aware resolver


== Dependencies ==
== Dependencies ==
<!-- What other packages (RPMs) depend on this package?  Are there changes outside the developers' control on which completion of this feature depends?  In other words, completion of another feature owned by someone else and might cause you to not be able to finish on time or that you would need to coordinate?  Other upstream projects like the kernel (if this is not a kernel feature)? -->
None


== Contingency Plan ==
== Contingency Plan ==
<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "None necessary, revert to previous release behaviour."  Or it might not.  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy.  -->
Disable DNSSEC by default


== Documentation ==
== Documentation ==

Revision as of 12:00, 2 December 2008

Feature Name

DNSSEC - Secure our DNS servers

Summary

DNSSEC (DNS SECurity) is mechanism which can prove integrity and autenticity of DNS data. It became important after new DNS poisonning attacks which were found recently. The most widely used servers should be DNSSEC aware by default (bind, unbound)

Owner

  • email: <your email address so we can contact you, invite you to meetings, etc.>

Current status

  • Targeted release: Fedora 42
  • Last updated: 2008-12-02
  • Percentage of completion: 10%

Detailed Description

Important servers already support DNSSEC. Main problem is key distribution.

Those problems has to be solved:

  • supply initial set of DNSSEC keys
  • allow to use ISC DLV registry
  • support for automated updates of DNSSEC trust anchors

Benefit to Fedora

Our servers will be "invulnerable" against cache poisonning, spoofing and other known DNS attacks

Scope

- create and add package which will supply initial set of DNSSEC keys - enable DNSSEC in bind and unbound default configurations and include supplied DNSSEC keys - add "autotrust" tool which is implementation of RFC 5011 - Automated Updates of DNS Security (DNSSEC) Trust Anchors - create commandline tool which will easily enable/disable DNSSEC and which allows to switch between DLV and supplied DNSSEC keys (= trust anchors)

How To Test

Check that DNSSEC aware servers work fine

User Experience

Easy setup and maintenance of DNSSEC aware resolver

Dependencies

None

Contingency Plan

Disable DNSSEC by default

Documentation

Release Notes

Comments and Discussion