From Fedora Project Wiki
No edit summary
Line 75: Line 75:


== Documentation ==
== Documentation ==
<!-- Is there upstream documentation on this feature, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->
http://www.dnssec.net/
 


== Release Notes ==
== Release Notes ==
 
BIND and unbound (recursive DNS servers) have enabled DNSSEC validation in their default configuration. When domain supplies DNSSEC data then that data will be validated on recursive server. If validation fails then certain domain will be unreachable for clients because it indicates attack (or, unfortunately, admin's misconfiguration). DNSSEC is crucial part and next step to make Internet more secure for end users.
<!-- The Fedora Release Notes inform end-users about what is new in the release. Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ -->
<!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns.  If there are any such changes involved in this feature, indicate them here. You can also link to upstream documentation if it satisfies this need.  This information forms the basis of the release notes edited by the documentation team and shipped with the release. -->


== Comments and Discussion ==
== Comments and Discussion ==
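Review bot: The Release Notes paragraph gives users no way to tell an attack from an "admin's misconfiguration" once a domain becomes unreachable, and no way to recover. Suggest adding one sentence that points to the dig +cd check from How To Test and to the dnssec-configure tool for switching validation off. The Documentation entry is also only the general http://www.dnssec.net/ portal; a link that covers the dnssec-keys and autotrust packages named in the Scope would be more useful to other developers.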
Line 90: Line 87:
----
----


[[Category:FeaturePageIncomplete]]
[[Category:FeatureReadyForWrangler]]
<!-- When your feature page is completed and ready for review -->
<!-- When your feature page is completed and ready for review -->
<!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler -->
<!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler -->
<!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete-->
<!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete-->
<!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process -->
<!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process -->
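Review bot: Category:FeatureReadyForWrangler on the category line looks premature while the page still reports 80% completion and the Owner section is empty, and the edit itself carries no summary. Fill in the owner and state in the edit summary what was changed (documentation link, release notes text, category) before handing the page to the wrangler.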

Revision as of 11:46, 5 December 2008

Feature Name

DNSSEC - Secure our DNS servers

Summary

DNSSEC (DNS SECurity) is a mechanism which can prove the integrity and authenticity of DNS data. It became important after the new DNS poisoning attacks that were found recently. The most widely used servers (bind, unbound) should be DNSSEC-aware by default.

Owner

Current status

  • Targeted release: Fedora 42
  • Last updated: 2008-12-02
  • Percentage of completion: 80%

Detailed Description

Important servers already support DNSSEC. The main problem is key distribution.

The following problems have to be solved:

  • supply an initial set of DNSSEC keys, especially as long as the root is not signed (via the dnssec-keys package)
  • provide an easy way to enable/disable DNSSEC (via dnssec-configure and some system-config-dnssec tool)
  • allow use of the ISC DLV registry (via dnssec-configure from the dnssec-keys package)
  • support automated updates of DNSSEC trust anchors (via the autotrust package)

Benefit to Fedora

Our servers will be "invulnerable" against cache poisoning, spoofing and other known DNS attacks.

Scope

  • create and add a package which will supply an initial set of DNSSEC keys
  • enable DNSSEC in the bind and unbound default configurations and include the supplied DNSSEC keys
  • add the "autotrust" tool, which is an implementation of RFC 5011 - Automated Updates of DNS Security (DNSSEC) Trust Anchors
  • create a command-line tool which will easily enable/disable DNSSEC and which allows switching between DLV and the supplied DNSSEC keys (= trust anchors)

How To Test

Check that DNSSEC-aware servers work correctly. Make sure /etc/resolv.conf points to a DNSSEC-enabled nameserver (e.g. localhost), then run:

 dig +multiline +dnssec forged.test.xelerance.com @yournameserverip

This should produce a SERVFAIL answer. Run:

 dig +multiline +dnssec +cd forged.test.xelerance.com @yournameserverip

With +cd (checking disabled) the resolver skips validation, so this should produce the forged/broken answer even though it is known to be forged. Then run:

 dig +multiline +dnssec dnssec.se

This should produce an answer with the Authenticated Data bit ("ad") set:

 ;; global options:  printcmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23220
 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
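
The three checks above can be scripted so the result does not depend on reading dig headers by eye. The following is an added example, not part of the original feature page or of any Fedora package: the function names and the sample headers are constructed for illustration, and a live run assumes the test names given above still behave as described and that all three queries go to the same resolver.

```sh
#!/bin/sh
# Added example: classify a resolver from the headers of the three dig queries.

# Print the status field (NOERROR, SERVFAIL, ...) of dig output read from stdin.
dig_status() {
    sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Succeed only if the "ad" (Authenticated Data) flag is set in the flags line.
dig_has_ad() {
    sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1 | tr ' ' '\n' | grep -qx ad
}

# Args: dig output for (1) forged name, (2) forged name with +cd, (3) signed name.
# Prints "validating" or the first check that failed.
classify_resolver() {
    forged=$(printf '%s\n' "$1" | dig_status)
    forged_cd=$(printf '%s\n' "$2" | dig_status)
    signed=$(printf '%s\n' "$3" | dig_status)
    if [ "$forged" != "SERVFAIL" ]; then
        echo "not-validating: forged name returned ${forged:-no-status}"
    elif [ "$forged_cd" = "SERVFAIL" ]; then
        echo "inconclusive: forged name fails even with +cd"
    elif [ "$signed" != "NOERROR" ] || ! printf '%s\n' "$3" | dig_has_ad; then
        echo "no-ad-bit: signed name not reported as authenticated"
    else
        echo "validating"
    fi
}

# Run the three queries against resolver $1 (needs dig and network access).
run_live() {
    q1=$(dig +multiline +dnssec forged.test.xelerance.com "@$1")
    q2=$(dig +multiline +dnssec +cd forged.test.xelerance.com "@$1")
    q3=$(dig +multiline +dnssec dnssec.se "@$1")
    classify_resolver "$q1" "$q2" "$q3"
}

# Constructed sample headers (not captured from a real resolver).
SAMPLE_FAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1'

# With a resolver address as $1 run live; otherwise classify the samples.
if [ -n "${1:-}" ]; then
    run_live "$1"
else
    classify_resolver "$SAMPLE_FAIL" "$SAMPLE_CD" "$SAMPLE_AD"
fi
```

The "inconclusive" result separates a resolver that rejects the forged data from one that simply cannot reach the test zone, which a bare SERVFAIL on the first query does not show.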

User Experience

Easy setup and maintenance of a DNSSEC-aware resolver

Related Packages

ldns unbound bind nsd autotrust sshfp dnssec-keys system-config-dnssec

Dependencies

None

Contingency Plan

Disable DNSSEC by default

Documentation

http://www.dnssec.net/

Release Notes

BIND and unbound (recursive DNS servers) have DNSSEC validation enabled in their default configuration. When a domain supplies DNSSEC data, that data is validated on the recursive server. If validation fails, the domain will be unreachable for clients, because the failure indicates an attack (or, unfortunately, an admin's misconfiguration). DNSSEC is a crucial part of, and the next step towards, making the Internet more secure for end users.

Comments and Discussion