Changes/IPAv3DNSSEC

From FedoraProject

(Change Proposal ready for 2013-07-24 FESCo meeting (#1140))
(Change accepted by FESCo on 2014-04-02 meeting)
 
(13 intermediate revisions by 2 users not shown)
Line 24: Line 24:
 
== Summary ==
 
== Summary ==
 
<!-- A sentence or two summarizing what this change is and what it will do. This information is used for the overall changeset summary page for each release. -->
 
<!-- A sentence or two summarizing what this change is and what it will do. This information is used for the overall changeset summary page for each release. -->
FreeIPA with integrated DNS server will support serving of DNSSEC secured zones.
+
FreeIPA with integrated DNS server will support serving of DNSSEC secured zones and automatic DNSSEC key maintenance.
 +
 
 +
'''This first version will have only the very basic functionality with limited user interface and limited resiliency. Next versions (to be delivered in Fedora 22 time frame) will improve resiliency and user interface significantly.'''
  
 
== Owner ==
 
== Owner ==
Line 40: Line 42:
  
 
== Current status ==
 
== Current status ==
* Targeted release: [[Releases/20|Fedora 20]]  
+
* Targeted release: [[Releases/21|Fedora 21]] '''This feature was re-targeted to Fedora 21!'''
* Last updated: 2013-07-11
+
* Last updated: 2014-03-20
 
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page  
 
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page  
 
Bugzilla states meaning as usual:
 
Bugzilla states meaning as usual:
Line 50: Line 52:
 
CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development
 
CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development
 
-->
 
-->
* Tracker bug: <will be assigned by the Wrangler>
+
* Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=998522 #998522]
  
 
== Detailed Description ==
 
== Detailed Description ==
 
<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
 
<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
DNS server integrated to FreeIPA in Fedora 19 is not able to serve signed DNS zones. New version of FreeIPA and bind-dyndb-ldap adds support for DNSSEC. Zone maintenance (like perioding zone re-signing etc.) will be handled automatically, so the administrative overhead should be minimal.
+
DNS server integrated to FreeIPA in Fedora 20 is not able to serve signed DNS zones. New version of FreeIPA and bind-dyndb-ldap adds support for DNSSEC. Zone maintenance (like perioding zone re-signing etc.) will be handled automatically, so the administrative overhead should be minimal.
  
 
== Benefit to Fedora ==
 
== Benefit to Fedora ==
 
<!-- What is the benefit to the platform?  If this is a major capability update, what has changed?  If this is a new functionality, what capabilities does it bring? Why will Fedora become a better distribution or project because of this proposal?-->
 
<!-- What is the benefit to the platform?  If this is a major capability update, what has changed?  If this is a new functionality, what capabilities does it bring? Why will Fedora become a better distribution or project because of this proposal?-->
Environments with FreeIPA server with integrated DNS will be resilient against DNS spoofing attacks if DNSSEC support if enabled and configured.
+
Environments with FreeIPA server with integrated DNS will be resilient against DNS spoofing attacks if DNSSEC support if enabled on servers and clients.
  
 
== Scope ==
 
== Scope ==
 
<!-- What work do the developers have to accomplish to complete the change in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
 
<!-- What work do the developers have to accomplish to complete the change in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
This change will require major rewrite of [https://fedorahosted.org/bind-dyndb-ldap/ bind-dyndb-ldap] package and some isolated changes in packages [http://www.freeipa.org/ freeipa*].
+
This change requires major rewrite of [https://fedorahosted.org/bind-dyndb-ldap/ bind-dyndb-ldap] package, some isolated changes in packages [http://www.freeipa.org/ freeipa*] and it's integration with OpenDNSSEC for key rotation.
  
 
* Other developers: FreeIPA team has to prepare user interface for this feature. (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 
* Other developers: FreeIPA team has to prepare user interface for this feature. (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
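Review bot: three wording slips in the added text of this hunk: "if DNSSEC support if enabled on servers and clients" should read "is enabled", "perioding zone re-signing" should be "periodic zone re-signing", and "it's integration with OpenDNSSEC for key rotation" should be "its integration". The Benefit sentence would also be more accurate as "resilient against DNS spoofing attacks" only for validating clients, which the added "on servers and clients" already implies; just fix the "if/is".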
Line 77: Line 79:
  
 
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
DNS zones created with older version of FreeIPA/bind-dyndb-ldap will continue to work. User has to generate/provide DNSSEC encryption keys for each zone before enabling this feature.
+
DNS zones created with an older version of FreeIPA/bind-dyndb-ldap will continue to work. User has to explicitly enable DNSSEC for each DNS zone.
  
 
== How To Test ==
 
== How To Test ==
Line 85: Line 87:
  
 
A good "how to test" should answer these four questions:
 
A good "how to test" should answer these four questions:
 +
-->
  
 
0. What special hardware / data / etc. is needed (if any)?
 
0. What special hardware / data / etc. is needed (if any)?
- None.  
+
* None.  
 
   
 
   
 
1. How do I prepare my system to test this change? What packages
 
1. How do I prepare my system to test this change? What packages
 
need to be installed, config files edited, etc.?
 
need to be installed, config files edited, etc.?
- Necessary utilities will be part of bind-utils and freeipa-admintools packages.
+
* Necessary utilities will be part of <code>freeipa-admintools</code> packages.
 +
* Use FreeIPA's user interface to create a DNS zone (e.g. <code>example.test.</code>).
 +
* Then you need to put DS records to '''parent''' DNS zone (e.g. <code>test.</code>).
  
 
2. What specific actions do I perform to check that the change is
 
2. What specific actions do I perform to check that the change is
 
working like it's supposed to?
 
working like it's supposed to?
TBD
+
* Now all standard DNSSEC utilities can be used for signature validation. E.g. http://backreference.org/2010/11/17/dnssec-verification-with-dig/
 +
* An alternative is to use the <code>drill</code> utility (from package <code>ldns</code>) to check that signed DNS zones have correct signatures.
  
 
3. What are the expected results of those actions?
 
3. What are the expected results of those actions?
-->
+
* E.g. command <code>drill -S example.test.</code> should produce message <code>;; Chase successful</code>.
 
+
* Signatures are maintained after changes done via FreeIPA CLI (<code>ipa dnsrecord-mod</code> command) or FreeIPA WebUI.
<!-- REQUIRED FOR SYSTEM WIDE CHANGES
+
-->
+
# Use FreeIPA's user interface to create a DNS zone (e.g. <code>example.test.</code>).
+
# Generate new DNSSEC keys for the DNS zone.
+
# User has to put DS records to '''parent''' DNS zone (e.g. <code>test.</code>).
+
# Now all standard DNSSEC utilities can be used for signature validation. E.g. http://backreference.org/2010/11/17/dnssec-verification-with-dig/
+
  
 
== User Experience ==
 
== User Experience ==
 
<!-- If this change proposal is noticeable by its target audience, how will their experiences change as a result?  Describe what they will see or notice. -->
 
<!-- If this change proposal is noticeable by its target audience, how will their experiences change as a result?  Describe what they will see or notice. -->
 
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
FreeIPA's user interface will be extended. New options will offer DNSSEC key management for each DNS zone.
+
FreeIPA's user interface will be extended. There will be a new option to enable/disable DNSSEC for particular DNS zone.
 +
 
 +
'''Note that user interface will be very limited in this first version.''' More advanced user interface will be provided in Fedora 22 time frame.
  
 
== Dependencies ==
 
== Dependencies ==
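Review bot: the numbered list added at the end of this hunk ("# Use FreeIPA's user interface to create a DNS zone", "# Generate new DNSSEC keys for the DNS zone", "# User has to put DS records to parent DNS zone", "# Now all standard DNSSEC utilities can be used") repeats the bullets added under questions 1 and 2, and its "Generate new DNSSEC keys" step contradicts the Summary's "automatic DNSSEC key maintenance" and the new upgrade note that the user only has to explicitly enable DNSSEC per zone; keep one list and drop or reword the key-generation step. Under question 3, note that drill -S chases signatures up to a trust anchor, so ";; Chase successful" presupposes that the DS records have actually been published in the parent zone (test.) and that the tester's trust anchor (drill -k) covers that chain; otherwise the chase fails even though the zone itself is correctly signed.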
Line 128: Line 130:
 
== Documentation ==
 
== Documentation ==
 
<!-- Is there upstream documentation on this change, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->
 
<!-- Is there upstream documentation on this change, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->
* Design was discussed on [https://www.redhat.com/mailman/listinfo/freeipa-devel freeipa-devel mailing list]: See [https://www.redhat.com/archives/freeipa-devel/2013-May/msg00177.html first] and [https://www.redhat.com/archives/freeipa-devel/2013-June/msg00234.html second] part of the discussion.
+
* [https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Design document for DNSSEC support in bind-dyndb-ldap]. The document references discussions, standards etc.
* [https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/RBTDB Design document for bind-dyndb-ldap refactoring] (the necessary refactoring is the most difficult part of implementation)
+
* [https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Design document for DNSSEC support in bind-dyndb-ldap (still not ready)]
+
  
 
== Release Notes ==
 
== Release Notes ==
Line 140: Line 140:
 
'''To be completed by the Change Freeze!'''
 
'''To be completed by the Change Freeze!'''
  
[[Category:ChangeReadyForFesco]]
+
[[Category:ChangeAcceptedF21]]
 
<!-- [[Category:ChangePageIncomplete]] -->
 
<!-- [[Category:ChangePageIncomplete]] -->
 
<!-- When your change proposal page is completed and ready for review and announcement -->
 
<!-- When your change proposal page is completed and ready for review and announcement -->

Latest revision as of 13:27, 3 April 2014



DNSSEC support for FreeIPA

Summary

FreeIPA with integrated DNS server will support serving of DNSSEC secured zones and automatic DNSSEC key maintenance.

This first version will have only the very basic functionality with limited user interface and limited resiliency. Next versions (to be delivered in Fedora 22 time frame) will improve resiliency and user interface significantly.

Owner

  • Name: Petr Špaček
  • Email: pspacek@redhat.com
  • Release notes owner: <To be assigned by docs team>

Current status

  • Targeted release: Fedora 21 This feature was re-targeted to Fedora 21!
  • Last updated: 2014-03-20
  • Tracker bug: #998522

Detailed Description

The DNS server integrated into FreeIPA in Fedora 20 is not able to serve signed DNS zones. The new version of FreeIPA and bind-dyndb-ldap adds support for DNSSEC. Zone maintenance (such as periodic zone re-signing) will be handled automatically, so the administrative overhead should be minimal.

Benefit to Fedora

Environments with a FreeIPA server with integrated DNS will be resilient against DNS spoofing attacks if DNSSEC support is enabled on servers and clients.

Scope

This change requires a major rewrite of the bind-dyndb-ldap package, some isolated changes in the freeipa* packages, and its integration with OpenDNSSEC for key rotation.

  • Other developers: FreeIPA team has to prepare user interface for this feature. (not a System Wide Change)
  • Release engineering: N/A (not a System Wide Change)
  • Policies and guidelines: N/A (not a System Wide Change)

Upgrade/compatibility impact

DNS zones created with an older version of FreeIPA/bind-dyndb-ldap will continue to work. The user has to explicitly enable DNSSEC for each DNS zone.

How To Test

0. What special hardware / data / etc. is needed (if any)?

  • None.

1. How do I prepare my system to test this change? What packages need to be installed, config files edited, etc.?

  • The necessary utilities will be part of the freeipa-admintools package.
  • Use FreeIPA's user interface to create a DNS zone (e.g. example.test.).
  • Then you need to put DS records into the parent DNS zone (e.g. test.).

2. What specific actions do I perform to check that the change is working like it's supposed to?

3. What are the expected results of those actions?

  • E.g. the command drill -S example.test. should produce the message ;; Chase successful.
  • Signatures are maintained after changes made via the FreeIPA CLI (ipa dnsrecord-mod command) or the FreeIPA WebUI.
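A post-change check for the expected results above, added here as an example and not code from the Change page or from FreeIPA: it parses the text output of dig +dnssec (a constructed sample is embedded; the key tag and signature blob are placeholders) and reports why an answer would not validate, including a signature whose validity window has lapsed, which is what a failed automatic re-signing after ipa dnsrecord-mod looks like. The zone name, record type and reference time are parameters you supply.

```python
import re
from datetime import datetime

# Constructed sample of what `dig +dnssec A example.test.` prints for a signed
# zone (key tag 12345 and the signature blob are placeholders, not real data).
SAMPLE_DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.test.\t86400\tIN\tA\t192.0.2.10
example.test.\t86400\tIN\tRRSIG\tA 8 2 86400 20140420000000 20140321000000 12345 example.test. AbCdEf==
"""

# RRSIG presentation format: owner TTL IN RRSIG covered alg labels origttl
# expiration inception keytag signer signature (times are YYYYMMDDHHMMSS, UTC)
RRSIG_RE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expire>\d{14})\s+(?P<incept>\d{14})\s+\d+\s+(?P<signer>\S+)\s+\S+$"
)

def sigtime(s):
    """Parse an RRSIG timestamp (YYYYMMDDHHMMSS, UTC) into a datetime."""
    return datetime.strptime(s, "%Y%m%d%H%M%S")

def check_dnssec_answer(output, zone, rrtype, now):
    """Return the list of problems found in a dig +dnssec answer (empty = OK).

    `now` uses the same YYYYMMDDHHMMSS form as RRSIG times so the check is
    reproducible. Problems: the resolver did not set the AD flag, no RRSIG
    covers `rrtype`, the signer is not `zone`, or `now` lies outside the
    signature validity window (a stale RRSIG means re-signing has stopped)."""
    problems = []
    flags = re.search(r"^;; flags: ([^;]*);", output, re.M)
    if not flags or "ad" not in flags.group(1).split():
        problems.append("AD flag missing: resolver did not validate the answer")
    sigs = [m for m in map(RRSIG_RE.match, output.splitlines()) if m]
    covering = [m for m in sigs if m.group("covered") == rrtype]
    if not covering:
        problems.append("no RRSIG covering %s" % rrtype)
    for m in covering:
        if m.group("signer") != zone:
            problems.append("RRSIG signer %s is not %s" % (m.group("signer"), zone))
        if not sigtime(m.group("incept")) <= sigtime(now) <= sigtime(m.group("expire")):
            problems.append("RRSIG valid %s..%s, not at %s"
                            % (m.group("incept"), m.group("expire"), now))
    return problems
```

Run it against the captured output of dig +dnssec for each record type you changed; an empty list means the answer validated and the signature is current.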

User Experience

FreeIPA's user interface will be extended. There will be a new option to enable/disable DNSSEC for a particular DNS zone.

Note that the user interface will be very limited in this first version. A more advanced user interface will be provided in the Fedora 22 time frame.

Dependencies

FreeIPA packages have to be updated to provide a user interface for DNSSEC key management etc. The required changes should be relatively small and isolated. The feature owner is a member of the FreeIPA team, so coordination should be relatively simple.

Contingency Plan

  • Contingency mechanism: Do not expose new feature in FreeIPA's user interface (i.e. revert patches for user interface)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? No

Documentation

Release Notes

To be completed by the Change Freeze!