From Fedora Project Wiki
Revision as of 12:02, 2 December 2008

Feature Name

DNSSEC - Secure our DNS servers

Summary

DNSSEC (DNS SECurity) is a mechanism which can prove the integrity and authenticity of DNS data. It became important after the new DNS poisoning attacks which were found recently. The most widely used servers (bind, unbound) should be DNSSEC-aware by default.

Owner

Current status

  • Targeted release: Fedora 42
  • Last updated: 2008-12-02
  • Percentage of completion: 10%

Detailed Description

Important servers already support DNSSEC. The main problem is key distribution.

These problems have to be solved:

  • supply an initial set of DNSSEC keys
  • allow use of the ISC DLV registry
  • support automated updates of DNSSEC trust anchors

Benefit to Fedora

Our servers will be "invulnerable" against cache poisoning, spoofing and other known DNS attacks.

Scope

  • create and add a package which will supply an initial set of DNSSEC keys
  • enable DNSSEC in the bind and unbound default configurations and include the supplied DNSSEC keys
  • add the "autotrust" tool, which is an implementation of RFC 5011 - Automated Updates of DNS Security (DNSSEC) Trust Anchors
  • create a command-line tool which will easily enable/disable DNSSEC and which allows switching between DLV and the supplied DNSSEC keys (= trust anchors)
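
The trust-anchor life cycle that RFC 5011 defines, and that a tool such as "autotrust" has to track, is sketched below as an added example; it is not autotrust's code and not part of the original page. Assumptions: the class and method names are hypothetical, the hold-down is fixed at 30 days (the RFC's TTL-based extension is ignored), and the caller has already validated each DNSKEY RRset signature.

```python
from datetime import timedelta

HOLD_DOWN = timedelta(days=30)  # RFC 5011 add/remove hold-down (TTL extension ignored here)
REVOKE_FLAG = 0x0080            # REVOKE bit in the DNSKEY flags field (RFC 5011)


class TrustAnchor:
    """Tracks one key at a trust point through the RFC 5011 states (hypothetical helper)."""

    def __init__(self, label):
        self.label = label
        self.state = "Start"
        self.timer = None  # start of the hold-down currently running, if any

    def observe(self, now, present, flags=0x0101):
        """Feed one observation of a validly signed DNSKEY RRset; return the new state.

        present: whether this key appears in the RRset.
        flags:   DNSKEY flags of the key as seen (0x0101 = ordinary KSK).
        """
        revoked = present and bool(flags & REVOKE_FLAG)
        s = self.state
        if s == "Start" and present and not revoked:
            self.state, self.timer = "AddPend", now      # NewKey: start add hold-down
        elif s == "AddPend":
            # KeyRem resets acceptance. A revoked pending key is not in the RFC's
            # state table; treating it like removal is an assumption of this sketch.
            if not present or revoked:
                self.state, self.timer = "Start", None
            elif now - self.timer >= HOLD_DOWN:
                self.state, self.timer = "Valid", None   # AddTime: key becomes a trust anchor
        elif s == "Valid":
            if revoked:
                self.state, self.timer = "Revoked", now  # RevBit: start remove hold-down
            elif not present:
                self.state = "Missing"                   # KeyRem: abnormal, still trusted
        elif s == "Missing":
            if revoked:
                self.state, self.timer = "Revoked", now  # RevBit
            elif present:
                self.state = "Valid"                     # KeyPres
        elif s == "Revoked" and now - self.timer >= HOLD_DOWN:
            self.state = "Removed"                       # RemTime
        return self.state

    def trusted(self):
        """Only Valid and Missing keys may be used as trust anchors."""
        return self.state in ("Valid", "Missing")
```

The add hold-down is the security-relevant part: a key that shows up only briefly in a signed RRset, for example after a zone-signing key compromise, never reaches Valid because its disappearance resets the timer.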

How To Test

Check that DNSSEC-aware servers work fine.

User Experience

Easy setup and maintenance of a DNSSEC-aware resolver.

Dependencies

None

Contingency Plan

Disable DNSSEC by default

Documentation

Release Notes

Comments and Discussion