From Fedora Project Wiki

Revision as of 19:22, 3 March 2009 by Atkac (talk | contribs)

Feature Name

DNSSEC - Enable DNSSEC and DLV security extensions for DNS


DNSSEC (DNS Security Extensions) is a mechanism that provides integrity and origin authentication of DNS data by signing it; it does not provide confidentiality. It became more important after the Kaminsky DNS cache-poisoning attack was found in early 2008. The most widely used name servers (BIND, unbound) support DNSSEC.


Current status

  • Targeted release: Fedora 11
  • Last updated: 2009-03-03
  • Percentage of completion: 90%

Detailed Description

The important name servers already support DNSSEC; the main problem is distributing the keys (trust anchors) that validation needs.

These problems have to be solved:

  • supply an initial set of DNSSEC keys, which is needed as long as the root zone is not signed (via the dnssec-conf package, ReviewRequest)
  • provide an easy way to enable/disable DNSSEC (via the dnssec-configure and system-config-dnssec tools)
  • allow use of the ISC DLV registry (via dnssec-configure from the dnssec-conf package)
  • support automated updates of DNSSEC trust anchors from DNS (via the autotrust package, which implements the RFC 5011 update mechanism), while still allowing updates via the dnssec-conf package

Benefit to Fedora

Our servers (and the clients that use them) will be protected against cache poisoning, Kaminsky-style attacks, spoofing and other known DNS forgery attacks, for every zone that is signed and reachable from a configured trust anchor (or via DLV). Unsigned zones get no protection, and a resolver without a usable trust anchor validates nothing.


Scope

  • create and add a package that supplies the initial set of DNSSEC keys (completed)
  • enable DNSSEC validation in the default bind and unbound configurations and include the supplied DNSSEC keys
  • add the "autotrust" tool, an implementation of RFC 5011 (Automated Updates of DNS Security (DNSSEC) Trust Anchors)
  • create a command-line tool that easily enables/disables DNSSEC and switches between DLV and the supplied DNSSEC keys (trust anchors)
  • create the system-config-dnssec tool to enable/disable the most important features (30% done)
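What the enable/disable switch and the DLV-versus-supplied-keys choice amount to in named.conf, as an added example written for this page (it is not the dnssec-configure tool and not code from the dnssec-conf package). bind_dnssec_fragment emits the BIND options for the "off", "keys" and "dlv" states so the weak and the hardened settings sit side by side; bind_validation_mode reads a fragment back and reports which state it is in, which is the check to run on an existing configuration. The two include paths are assumptions for illustration, not paths documented here, and the files they point at are expected to hold a trusted-keys { ... }; statement. Note that ISC shut the DLV registry down in 2017, so the "dlv" state is of historical interest only.

```shell
#!/bin/sh
# Added example, not the project's dnssec-configure: emit the named.conf
# lines for the three validation states and read a fragment back to tell
# which state it is in.
#   off  - no validation; a forged answer is cached and served as-is
#   keys - validate against the shipped trust anchors
#   dlv  - additionally use the ISC DLV registry (dlv.isc.org) for zones
#          that no shipped anchor covers
# Both paths are assumptions for illustration, not documented locations.
TRUST_ANCHORS=${TRUST_ANCHORS:-/etc/pki/dnssec-keys/trusted-keys.conf}
DLV_ANCHOR=${DLV_ANCHOR:-/etc/pki/dnssec-keys/dlv.isc.org.conf}

bind_dnssec_fragment() {
  case "$1" in
    off)
      printf 'options {\n\tdnssec-enable no;\n\tdnssec-validation no;\n};\n'
      ;;
    keys)
      printf 'options {\n\tdnssec-enable yes;\n\tdnssec-validation yes;\n};\n'
      # the included file holds trusted-keys { ... }; with the shipped anchors
      printf 'include "%s";\n' "$TRUST_ANCHORS"
      ;;
    dlv)
      printf 'options {\n\tdnssec-enable yes;\n\tdnssec-validation yes;\n'
      printf '\tdnssec-lookaside . trust-anchor dlv.isc.org.;\n};\n'
      # the included file holds trusted-keys { ... }; with the dlv.isc.org. key
      printf 'include "%s";\n' "$DLV_ANCHOR"
      ;;
    *)
      echo "usage: bind_dnssec_fragment off|keys|dlv" >&2
      return 2
      ;;
  esac
}

# Read a named.conf fragment on stdin and print off, keys or dlv.
# Lines starting with // or # are comments and are ignored.
bind_validation_mode() {
  conf=$(grep -Ev '^[[:space:]]*(//|#)' || true)
  if ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*dnssec-validation[[:space:]]+yes[[:space:]]*;'; then
    echo off
  elif printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*dnssec-lookaside[[:space:]]'; then
    echo dlv
  else
    echo keys
  fi
}

# Show all three fragments when run stand-alone.
for mode in off keys dlv; do
  printf '== %s ==\n' "$mode"
  bind_dnssec_fragment "$mode"
done
```

Pipe an existing fragment through bind_validation_mode (for example `bind_validation_mode < /etc/named.conf`) to see whether a host is actually validating; "off" on a resolver that is supposed to be hardened is the finding to chase.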

How To Test

Check that DNSSEC-aware servers work. Make sure /etc/resolv.conf points to a DNSSEC-validating name server (e.g. localhost). First query a name in a zone whose DNSSEC data is known to be broken (replace NAME with a name in a deliberately mis-signed test zone):

 dig +multiline +dnssec @yournameserverip NAME

This should produce a SERVFAIL answer: the resolver validated the data, found it bogus and refused to return it. Now run:

 dig +multiline +dnssec +cd @yournameserverip NAME

The +cd option sets the Checking Disabled bit, so the resolver skips validation and returns the forged/broken answer even though it is known to be bogus. Finally, query a name in a correctly signed zone:

 dig +multiline +dnssec NAME

This should produce an answer with the Authenticated Data bit ("ad") set in the flags line, meaning the resolver validated the data:

 ;; global options:  printcmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23220
 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
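The three checks above, scripted. This is an added example and not part of the feature page: classify_dig reads dig output on stdin and classifies it from the status and flags in the header, check_name runs the real query (it needs network access and dig), and the sample headers are constructed for offline use, not captured from a server. The outcome names (validated, bogus, unchecked, insecure) are this example's own labels.

```shell
#!/bin/sh
# Added example (not from the Fedora feature page): classify a dig response
# by its header so the manual checks can be scripted. Prints one word:
#   validated  - NOERROR/NXDOMAIN with the ad flag: data passed validation
#   bogus      - SERVFAIL: validation failed (re-run with +cd to confirm)
#   unchecked  - cd flag present: validation was skipped at our request
#   insecure   - no ad flag: unsigned zone or no trust anchor covers it
classify_dig() {
  out=$(cat)
  status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
  case "$status" in
    SERVFAIL) echo bogus ;;
    NOERROR|NXDOMAIN)
      # pad with spaces so "ad" cannot match inside "ra" or similar
      case " $flags " in
        *" cd "*) echo unchecked ;;
        *" ad "*) echo validated ;;
        *) echo insecure ;;
      esac ;;
    *) echo unknown ;;
  esac
}

# Run the real query against a resolver (needs network and dig).
# usage: check_name NAME [@resolver] [+cd]
check_name() {
  dig +dnssec "$@" | classify_dig
}

# Constructed sample headers for offline use; not captured from a real server.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23220
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'

# Classify the four samples when run stand-alone.
for s in "$SAMPLE_VALIDATED" "$SAMPLE_BOGUS" "$SAMPLE_CD" "$SAMPLE_INSECURE"; do
  printf '%s\n' "$s" | classify_dig
done
```

A SERVFAIL that turns into an answer when the same query is repeated with +cd is the signature of a validation failure rather than an unreachable server; an "insecure" result for a zone you expected to be signed usually means the resolver has no trust anchor covering it.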

User Experience

Easy setup and maintenance of a DNSSEC-aware resolver

Related Packages



Contingency Plan

Disable DNSSEC by default


Release Notes

BIND and unbound (recursive DNS servers) now have DNSSEC validation enabled in their default configuration. When a domain supplies DNSSEC data, that data is validated on the recursive server. If validation fails, the domain becomes unreachable for clients, because a failure indicates an attack (or, unfortunately, a misconfiguration by the zone's administrator). DNSSEC is a crucial part of, and the next step towards, making the Internet more secure for end users.

Comments and Discussion