DNSSEC support for FreeIPA

Summary

FreeIPA with integrated DNS server will support serving of DNSSEC secured zones and automatic DNSSEC key maintenance.

This first version will have only the very basic functionality with limited user interface and limited resiliency. Next versions (to be delivered in Fedora 22 time frame) will improve resiliency and user interface significantly.

Owner

• Name: Petr Špaček
• Email: pspacek@redhat.com
• Release notes owner: <To be assigned by docs team>

Current status

• Targeted release: Fedora 21 This feature was re-targeted to Fedora 21!
• Last updated: 2014-03-20
• Tracker bug: #998522

Detailed Description

DNS server integrated to FreeIPA in Fedora 20 is not able to serve signed DNS zones. New version of FreeIPA and bind-dyndb-ldap adds support for DNSSEC. Zone maintenance (like perioding zone re-signing etc.) will be handled automatically, so the administrative overhead should be minimal.

Benefit to Fedora

Environments with FreeIPA server with integrated DNS will be resilient against DNS spoofing attacks if DNSSEC support if enabled on servers and clients.

Scope

This change requires major rewrite of bind-dyndb-ldap package, some isolated changes in packages freeipa* and it's integration with OpenDNSSEC for key rotation.

• Other developers: FreeIPA team has to prepare user interface for this feature. (not a System Wide Change)

• Release engineering: N/A (not a System Wide Change)

• Policies and guidelines: N/A (not a System Wide Change)

Upgrade/compatibility impact

DNS zones created with an older version of FreeIPA/bind-dyndb-ldap will continue to work. User has to explicitly enable DNSSEC for each DNS zone.

How To Test

0. What special hardware / data / etc. is needed (if any)?

• None.

1. How do I prepare my system to test this change? What packages need to be installed, config files edited, etc.?

• Necessary utilities will be part of freeipa-admintools packages.
• Use FreeIPA's user interface to create a DNS zone (e.g. example.test.).
• Then you need to put DS records to parent DNS zone (e.g. test.).

2. What specific actions do I perform to check that the change is working like it's supposed to?

• Now all standard DNSSEC utilities can be used for signature validation. E.g. http://backreference.org/2010/11/17/dnssec-verification-with-dig/
• An alternative is to use the drill utility (from package ldns) to check that signed DNS zones have correct signatures.

3. What are the expected results of those actions?

• E.g. command drill -S example.test. should produce message ;; Chase successful.
• Signatures are maintained after changes done via FreeIPA CLI (ipa dnsrecord-mod command) or FreeIPA WebUI.

User Experience

FreeIPA's user interface will be extended. There will be a new option to enable/disable DNSSEC for particular DNS zone.

Note that user interface will be very limited in this first version. More advanced user interface will be provided in Fedora 22 time frame.

Dependencies

FreeIPA packages have to be updated to provide user interface for DNSSEC key management etc. Required changes should be relatively small and isolated. Feature owner is member of FreeIPA team so coordination should be relatively simple.

Contingency Plan

• Contingency mechanism: Do not expose new feature in FreeIPA's user interface (i.e. revert patches for user interface)
• Contingency deadline: N/A (not a System Wide Change)
• Blocks release? No

Documentation

• Design document for DNSSEC support in bind-dyndb-ldap. The document references discussions, standards etc.

Release Notes

To be completed by the Change Freeze!