From Fedora Project Wiki
(Postponed to next Fedora)
(updated for Fedora 21)
Line 24: Line 24:
== Summary ==
== Summary ==
<!-- A sentence or two summarizing what this change is and what it will do. This information is used for the overall changeset summary page for each release. -->
<!-- A sentence or two summarizing what this change is and what it will do. This information is used for the overall changeset summary page for each release. -->
FreeIPA with integrated DNS server will support serving of DNSSEC secured zones.
FreeIPA with integrated DNS server will support serving of DNSSEC secured zones and automatic DNSSEC key maintenance.


== Owner ==
== Owner ==
Line 41: Line 41:
== Current status ==
== Current status ==
* Targeted release: [[Releases/21|Fedora 21]] '''This feature was re-targeted to Fedora 21!'''
* Targeted release: [[Releases/21|Fedora 21]] '''This feature was re-targeted to Fedora 21!'''
* Last updated: 2013-10-17
* Last updated: 2014-03-20
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page  
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page  
Bugzilla states meaning as usual:
Bugzilla states meaning as usual:
Line 51: Line 51:
-->
-->
* Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=998522 #998522]
* Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=998522 #998522]
* 2013-08-16: It is possible that user interface and encryption key rotation mechanism will not be finished in time for Fedora 20. In that case, the feature will stay hidden and disabled.
* 2013-10-17: Some time ago we decided to postpone this feature to Fedora 21.


== Detailed Description ==
== Detailed Description ==
<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
DNS server integrated to FreeIPA in Fedora 19 is not able to serve signed DNS zones. New version of FreeIPA and bind-dyndb-ldap adds support for DNSSEC. Zone maintenance (like perioding zone re-signing etc.) will be handled automatically, so the administrative overhead should be minimal.
DNS server integrated to FreeIPA in Fedora 20 is not able to serve signed DNS zones. New version of FreeIPA and bind-dyndb-ldap adds support for DNSSEC. Zone maintenance (like perioding zone re-signing etc.) will be handled automatically, so the administrative overhead should be minimal.


== Benefit to Fedora ==
== Benefit to Fedora ==
<!-- What is the benefit to the platform?  If this is a major capability update, what has changed?  If this is a new functionality, what capabilities does it bring? Why will Fedora become a better distribution or project because of this proposal?-->
<!-- What is the benefit to the platform?  If this is a major capability update, what has changed?  If this is a new functionality, what capabilities does it bring? Why will Fedora become a better distribution or project because of this proposal?-->
Environments with FreeIPA server with integrated DNS will be resilient against DNS spoofing attacks if DNSSEC support if enabled and configured.
Environments with FreeIPA server with integrated DNS will be resilient against DNS spoofing attacks if DNSSEC support if enabled on servers and clients.


== Scope ==
== Scope ==
<!-- What work do the developers have to accomplish to complete the change in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
<!-- What work do the developers have to accomplish to complete the change in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
This change will require major rewrite of [https://fedorahosted.org/bind-dyndb-ldap/ bind-dyndb-ldap] package and some isolated changes in packages [http://www.freeipa.org/ freeipa*].
This change requires major rewrite of [https://fedorahosted.org/bind-dyndb-ldap/ bind-dyndb-ldap] package, some isolated changes in packages [http://www.freeipa.org/ freeipa*] and it's integration with OpenDNSSEC for key rotation.


* Other developers: FreeIPA team has to prepare user interface for this feature. (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Other developers: FreeIPA team has to prepare user interface for this feature. (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
Line 79: Line 77:


<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
DNS zones created with older version of FreeIPA/bind-dyndb-ldap will continue to work. User has to generate/provide DNSSEC encryption keys for each zone before enabling this feature.
DNS zones created with an older version of FreeIPA/bind-dyndb-ldap will continue to work. User has to explicitly enable DNSSEC for each DNS zone.


== How To Test ==
== How To Test ==
Line 87: Line 85:


A good "how to test" should answer these four questions:
A good "how to test" should answer these four questions:
-->


0. What special hardware / data / etc. is needed (if any)?
0. What special hardware / data / etc. is needed (if any)?
- None.  
* None.  
   
   
1. How do I prepare my system to test this change? What packages
1. How do I prepare my system to test this change? What packages
need to be installed, config files edited, etc.?
need to be installed, config files edited, etc.?
- Necessary utilities will be part of bind-utils and freeipa-admintools packages.
* Necessary utilities will be part of <code>freeipa-admintools</code> packages.
* Use FreeIPA's user interface to create a DNS zone (e.g. <code>example.test.</code>).
* Then you need to put DS records to '''parent''' DNS zone (e.g. <code>test.</code>).


2. What specific actions do I perform to check that the change is
2. What specific actions do I perform to check that the change is
working like it's supposed to?
working like it's supposed to?
TBD
* Now all standard DNSSEC utilities can be used for signature validation. E.g. http://backreference.org/2010/11/17/dnssec-verification-with-dig/
* An alternative is to use the <code>drill</code> utility (from package <code>ldns</code>) that signed DNS zones have correct signatures.


3. What are the expected results of those actions?
3. What are the expected results of those actions?
-->
* E.g. command <code>drill -S example.test.</code> should produce message <code>;; Chase successful</code>.
* Signatures are maintained after changes done via FreeIPA CLI (<code>ipa dnsrecord-mod</code> command) or FreeIPA WebUI.


<!-- REQUIRED FOR SYSTEM WIDE CHANGES
-->
# Use FreeIPA's user interface to create a DNS zone (e.g. <code>example.test.</code>).
# Generate new DNSSEC keys for the DNS zone.
# User has to put DS records to '''parent''' DNS zone (e.g. <code>test.</code>).
# Now all standard DNSSEC utilities can be used for signature validation. E.g. http://backreference.org/2010/11/17/dnssec-verification-with-dig/


== User Experience ==
== User Experience ==
<!-- If this change proposal is noticeable by its target audience, how will their experiences change as a result?  Describe what they will see or notice. -->
<!-- If this change proposal is noticeable by its target audience, how will their experiences change as a result?  Describe what they will see or notice. -->
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
FreeIPA's user interface will be extended. New options will offer DNSSEC key management for each DNS zone.
FreeIPA's user interface will be extended. New options will offer DNSSEC management for each DNS zone.


== Dependencies ==
== Dependencies ==
Line 130: Line 127:
== Documentation ==
== Documentation ==
<!-- Is there upstream documentation on this change, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->
<!-- Is there upstream documentation on this change, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->
* Design was discussed on [https://www.redhat.com/mailman/listinfo/freeipa-devel freeipa-devel mailing list]: See [https://www.redhat.com/archives/freeipa-devel/2013-May/msg00177.html first], [https://www.redhat.com/archives/freeipa-devel/2013-June/msg00234.html second], [https://www.redhat.com/archives/freeipa-devel/2013-July/msg00129.html third] and [https://www.redhat.com/archives/freeipa-devel/2013-August/msg00086.html fourth] part of the discussion.
* [https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Design document for DNSSEC support in bind-dyndb-ldap]. The document references discussions, standards etc.
* [https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/RBTDB Design document for bind-dyndb-ldap refactoring] (the necessary refactoring is the most difficult part of implementation)
* [https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Design document for DNSSEC support in bind-dyndb-ldap (still not ready)]


== Release Notes ==
== Release Notes ==

Revision as of 09:14, 20 March 2014


DNSSEC support for FreeIPA

Summary

FreeIPA with integrated DNS server will support serving of DNSSEC secured zones and automatic DNSSEC key maintenance.

Owner

  • Name: Petr Špaček
  • Email: pspacek@redhat.com
  • Release notes owner: <To be assigned by docs team>

Current status

  • Targeted release: Fedora 21 This feature was re-targeted to Fedora 21!
  • Last updated: 2014-03-20
  • Tracker bug: #998522

Detailed Description

DNS server integrated to FreeIPA in Fedora 20 is not able to serve signed DNS zones. New version of FreeIPA and bind-dyndb-ldap adds support for DNSSEC. Zone maintenance (like perioding zone re-signing etc.) will be handled automatically, so the administrative overhead should be minimal.

Benefit to Fedora

Environments with FreeIPA server with integrated DNS will be resilient against DNS spoofing attacks if DNSSEC support if enabled on servers and clients.

Scope

This change requires major rewrite of bind-dyndb-ldap package, some isolated changes in packages freeipa* and it's integration with OpenDNSSEC for key rotation.

  • Other developers: FreeIPA team has to prepare user interface for this feature. (not a System Wide Change)
  • Release engineering: N/A (not a System Wide Change)
  • Policies and guidelines: N/A (not a System Wide Change)

Upgrade/compatibility impact

DNS zones created with an older version of FreeIPA/bind-dyndb-ldap will continue to work. User has to explicitly enable DNSSEC for each DNS zone.

How To Test

0. What special hardware / data / etc. is needed (if any)?

  • None.

1. How do I prepare my system to test this change? What packages need to be installed, config files edited, etc.?

  • Necessary utilities will be part of freeipa-admintools packages.
  • Use FreeIPA's user interface to create a DNS zone (e.g. example.test.).
  • Then you need to put DS records to parent DNS zone (e.g. test.).

2. What specific actions do I perform to check that the change is working like it's supposed to?

3. What are the expected results of those actions?

  • E.g. command drill -S example.test. should produce message ;; Chase successful.
  • Signatures are maintained after changes done via FreeIPA CLI (ipa dnsrecord-mod command) or FreeIPA WebUI.


User Experience

FreeIPA's user interface will be extended. New options will offer DNSSEC management for each DNS zone.

Dependencies

FreeIPA packages have to be updated to provide user interface for DNSSEC key management etc. Required changes should be relatively small and isolated. Feature owner is member of FreeIPA team so coordination should be relatively simple.

Contingency Plan

  • Contingency mechanism: Do not expose new feature in FreeIPA's user interface (i.e. revert patches for user interface)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? No

Documentation

Release Notes

To be completed by the Change Freeze!