(Add tracker bug) |
(→Current status: postponed to Fedora 21) |
||
| Line 40: | Line 40: | ||
== Current status == | == Current status == | ||
* Targeted release: [[Releases/ | * Targeted release: [[Releases/21|Fedora 21]] '''This feature was re-targeted to Fedora 21!''' | ||
* Last updated: 2013- | * Last updated: 2013-10-17 | ||
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page | <!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page | ||
Bugzilla states meaning as usual: | Bugzilla states meaning as usual: | ||
| Line 52: | Line 52: | ||
* Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=998522 #998522] | * Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=998522 #998522] | ||
* 2013-08-16: It is possible that user interface and encryption key rotation mechanism will not be finished in time for Fedora 20. In that case, the feature will stay hidden and disabled. | * 2013-08-16: It is possible that user interface and encryption key rotation mechanism will not be finished in time for Fedora 20. In that case, the feature will stay hidden and disabled. | ||
* 2013-10-17: Some time ago we decided to postpone this feature to Fedora 21. | |||
== Detailed Description == | == Detailed Description == | ||
Revision as of 09:57, 17 October 2013
DNSSEC support for FreeIPA
Summary
FreeIPA with integrated DNS server will support serving of DNSSEC secured zones.
Owner
- Name: Petr Špaček
- Email: pspacek@redhat.com
- Release notes owner: <To be assigned by docs team>
Current status
- Targeted release: Fedora 21 This feature was re-targeted to Fedora 21!
- Last updated: 2013-10-17
- Tracker bug: #998522
- 2013-08-16: It is possible that user interface and encryption key rotation mechanism will not be finished in time for Fedora 20. In that case, the feature will stay hidden and disabled.
- 2013-10-17: Some time ago we decided to postpone this feature to Fedora 21.
Detailed Description
DNS server integrated to FreeIPA in Fedora 19 is not able to serve signed DNS zones. New version of FreeIPA and bind-dyndb-ldap adds support for DNSSEC. Zone maintenance (like perioding zone re-signing etc.) will be handled automatically, so the administrative overhead should be minimal.
Benefit to Fedora
Environments with FreeIPA server with integrated DNS will be resilient against DNS spoofing attacks if DNSSEC support if enabled and configured.
Scope
This change will require major rewrite of bind-dyndb-ldap package and some isolated changes in packages freeipa*.
- Other developers: FreeIPA team has to prepare user interface for this feature. (not a System Wide Change)
- Release engineering: N/A (not a System Wide Change)
- Policies and guidelines: N/A (not a System Wide Change)
Upgrade/compatibility impact
DNS zones created with older version of FreeIPA/bind-dyndb-ldap will continue to work. User has to generate/provide DNSSEC encryption keys for each zone before enabling this feature.
How To Test
- Use FreeIPA's user interface to create a DNS zone (e.g.
example.test.). - Generate new DNSSEC keys for the DNS zone.
- User has to put DS records to parent DNS zone (e.g.
test.). - Now all standard DNSSEC utilities can be used for signature validation. E.g. http://backreference.org/2010/11/17/dnssec-verification-with-dig/
User Experience
FreeIPA's user interface will be extended. New options will offer DNSSEC key management for each DNS zone.
Dependencies
FreeIPA packages have to be updated to provide user interface for DNSSEC key management etc. Required changes should be relatively small and isolated. Feature owner is member of FreeIPA team so coordination should be relatively simple.
Contingency Plan
- Contingency mechanism: Do not expose new feature in FreeIPA's user interface (i.e. revert patches for user interface)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? No
Documentation
- Design was discussed on freeipa-devel mailing list: See first, second, third and fourth part of the discussion.
- Design document for bind-dyndb-ldap refactoring (the necessary refactoring is the most difficult part of implementation)
- Design document for DNSSEC support in bind-dyndb-ldap (still not ready)
Release Notes
To be completed by the Change Freeze!