Feature Name
DNSSEC - Secure our DNS servers
Summary
DNSSEC (DNS SECurity) is a mechanism which can prove the integrity and authenticity of DNS data. It became more important after new DNS poisoning attacks were found recently. The most widely used name servers (bind, unbound) should be DNSSEC aware by default.
Owner
- Name: Adam Tkac
- Name: Paul Wouters
Current status
- Targeted release: Fedora 42
- Last updated: 2008-12-02
- Percentage of completion: 80%
Detailed Description
Important servers already support DNSSEC. The main problem is key distribution.
These problems have to be solved:
- supply an initial set of DNSSEC keys, especially as long as the Root is not signed (via the dnssec-keys package)
- allow an easy way to enable/disable DNSSEC (via dnssec-configure and some system-config-dnssec tool)
- allow use of the ISC DLV registry (via dnssec-configure from the dnssec-keys package)
- support automated updates of DNSSEC trust anchors (via the autotrust package)
Benefit to Fedora
Our servers will be "invulnerable" against cache poisoning, spoofing and other known DNS attacks
Scope
- create and add a package which will supply an initial set of DNSSEC keys
- enable DNSSEC in the bind and unbound default configurations and include the supplied DNSSEC keys
- add the "autotrust" tool, which is an implementation of RFC 5011 - Automated Updates of DNS Security (DNSSEC) Trust Anchors
- create a command-line tool which easily enables/disables DNSSEC and allows switching between DLV and the supplied DNSSEC keys (= trust anchors)
How To Test
Check that DNSSEC-aware servers work correctly. Make sure /etc/resolv.conf points to a DNSSEC-enabled nameserver (e.g. localhost), then run:
dig +multiline +dnssec forged.test.xelerance.com @yournameserverip
This should produce a SERVFAIL answer. Run:
dig +multiline +dnssec +cd forged.test.xelerance.com @yournameserverip
This should return the forged/broken answer even though it is known to be forged, because +cd (checking disabled) tells the resolver to skip validation.
dig +multiline +dnssec dnssec.se
This should produce an answer with the Authenticated Data bit ("ad") set:
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23220
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
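The three checks above are easy to misread by eye, so here is an added example (not part of the feature page or of the bind/unbound/dnssec-keys packages) that parses dig's header and flags lines and classifies what they say about validation. The first sample is the dnssec.se header quoted above; the SERVFAIL and +cd samples are constructed to look like the forged-zone answers the page describes. The run_dig helper only wraps the dig options used on this page and needs the dig binary and network access; the samples let the parsing logic be exercised offline.

```python
import re
import shutil
import subprocess
from typing import FrozenSet, NamedTuple

# dig prints these two lines for every answer (same format as quoted on the page).
HEADER_RE = re.compile(r";; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r";; flags: ([a-z ]*);")


class DigResult(NamedTuple):
    status: str              # NOERROR, SERVFAIL, NXDOMAIN, ...
    flags: FrozenSet[str]    # qr, rd, ra, ad, cd, ...


def parse_dig(output: str) -> DigResult:
    """Extract status and header flags from dig's human-readable output.

    Works on real multi-line output and on output flattened onto one line,
    because both regexes search the whole text rather than single lines.
    """
    header = HEADER_RE.search(output)
    if header is None:
        raise ValueError("no ;; ->>HEADER<<- line found; is this dig output?")
    flags = FLAGS_RE.search(output)
    flag_set = frozenset(flags.group(1).split()) if flags else frozenset()
    return DigResult(status=header.group(2), flags=flag_set)


def classify(result: DigResult) -> str:
    """Map a dig result onto what it says about DNSSEC validation."""
    if result.status == "SERVFAIL":
        return "validation-failed"    # resolver refused to hand out bogus data
    if "cd" in result.flags:
        return "checking-disabled"    # +cd query: data returned without validation
    if "ad" in result.flags:
        return "validated"            # resolver proved the data authentic
    return "unvalidated"              # unsigned zone or non-validating resolver


def resolver_passes(forged: str, forged_cd: str, signed: str) -> bool:
    """Apply the page's three checks to three captured dig outputs."""
    return (classify(parse_dig(forged)) == "validation-failed"
            and classify(parse_dig(forged_cd)) == "checking-disabled"
            and classify(parse_dig(signed)) == "validated")


def run_dig(name: str, server: str = "", cd: bool = False) -> str:
    """Run dig with the options used on the page and return its raw output."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig is not installed")
    cmd = ["dig", "+multiline", "+dnssec"]
    if cd:
        cmd.append("+cd")
    cmd.append(name)
    if server:
        cmd.append("@" + server)
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


# Sample 1 is the dnssec.se header quoted on the page; samples 2 and 3 are
# constructed to resemble the forged-zone answers the page describes.
SAMPLE_VALIDATED = """;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23220
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
"""
SAMPLE_FORGED = """;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_FORGED_CD = """;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    for label, sample in [("signed zone", SAMPLE_VALIDATED),
                          ("forged zone", SAMPLE_FORGED),
                          ("forged zone, +cd", SAMPLE_FORGED_CD)]:
        print(f"{label:18} -> {classify(parse_dig(sample))}")
    print("resolver passes:",
          resolver_passes(SAMPLE_FORGED, SAMPLE_FORGED_CD, SAMPLE_VALIDATED))
```

To check a live resolver, feed run_dig("forged.test.xelerance.com", server, cd=False), the same with cd=True, and run_dig("dnssec.se", server) into resolver_passes; a resolver that returns "unvalidated" for dnssec.se is answering but not validating, which is the misconfiguration this feature is meant to remove.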
User Experience
Easy setup and maintenance of DNSSEC aware resolver
Related Packages
Dependencies
None
Contingency Plan
Disable DNSSEC by default
Documentation
Release Notes
BIND and unbound (recursive DNS servers) have DNSSEC validation enabled in their default configuration. When a domain supplies DNSSEC data, that data will be validated on the recursive server. If validation fails, that domain will be unreachable for clients, because a failure indicates an attack (or, unfortunately, an admin's misconfiguration). DNSSEC is a crucial part of, and the next step in, making the Internet more secure for end users.
Comments and Discussion