DNSSEC support for FreeIPA
FreeIPA with integrated DNS server will support serving of DNSSEC secured zones and automatic DNSSEC key maintenance.
This first version will have only the very basic functionality with limited user interface and limited resiliency. Next versions (to be delivered in Fedora 22 time frame) will improve resiliency and user interface significantly.
- Name: Petr Špaček
- Email: email@example.com
- Release notes owner: <To be assigned by docs team>
- Targeted release: Fedora 21 This feature was re-targeted to Fedora 21!
- Last updated: 2014-03-20
- Tracker bug: #998522
DNS server integrated to FreeIPA in Fedora 20 is not able to serve signed DNS zones. New version of FreeIPA and bind-dyndb-ldap adds support for DNSSEC. Zone maintenance (like perioding zone re-signing etc.) will be handled automatically, so the administrative overhead should be minimal.
Benefit to Fedora
Environments with FreeIPA server with integrated DNS will be resilient against DNS spoofing attacks if DNSSEC support if enabled on servers and clients.
This change requires major rewrite of bind-dyndb-ldap package, some isolated changes in packages freeipa* and it's integration with OpenDNSSEC for key rotation.
- Other developers: FreeIPA team has to prepare user interface for this feature. (not a System Wide Change)
- Release engineering: N/A (not a System Wide Change)
- Policies and guidelines: N/A (not a System Wide Change)
DNS zones created with an older version of FreeIPA/bind-dyndb-ldap will continue to work. User has to explicitly enable DNSSEC for each DNS zone.
How To Test
0. What special hardware / data / etc. is needed (if any)?
1. How do I prepare my system to test this change? What packages need to be installed, config files edited, etc.?
- Necessary utilities will be part of
- Use FreeIPA's user interface to create a DNS zone (e.g.
- Then you need to put DS records to parent DNS zone (e.g.
2. What specific actions do I perform to check that the change is working like it's supposed to?
- Now all standard DNSSEC utilities can be used for signature validation. E.g. http://backreference.org/2010/11/17/dnssec-verification-with-dig/
- An alternative is to use the
drillutility (from package
ldns) to check that signed DNS zones have correct signatures.
3. What are the expected results of those actions?
- E.g. command
drill -S example.test.should produce message
;; Chase successful.
- Signatures are maintained after changes done via FreeIPA CLI (
ipa dnsrecord-modcommand) or FreeIPA WebUI.
FreeIPA's user interface will be extended. There will be a new option to enable/disable DNSSEC for particular DNS zone.
Note that user interface will be very limited in this first version. More advanced user interface will be provided in Fedora 22 time frame.
FreeIPA packages have to be updated to provide user interface for DNSSEC key management etc. Required changes should be relatively small and isolated. Feature owner is member of FreeIPA team so coordination should be relatively simple.
- Contingency mechanism: Do not expose new feature in FreeIPA's user interface (i.e. revert patches for user interface)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? No
- Design document for DNSSEC support in bind-dyndb-ldap. The document references discussions, standards etc.
To be completed by the Change Freeze!