From Fedora Project Wiki
No edit summary
No edit summary
Line 2: Line 2:


== Summary ==
== Summary ==
DNS Root zone is going to be signed on July 15, 2010. Fedora will bring benefit of this important feature to the end users and their workstations thus all DNS traffic will be secured by DNSSEC.
The DNS Root zone was signed about 6 months ago and there are more than 20 TLDs signed via DNSSEC. Fedora will bring benefit of this important feature to the end users and their workstations.


== Owner ==
== Owner ==
Line 15: Line 15:
== Current status ==
== Current status ==
* Targeted release: [[Releases/15 | Fedora 15]]
* Targeted release: [[Releases/15 | Fedora 15]]
* Last updated: 2010-07-13
* Last updated: 2011-Jan-25
* Percentage of completion: 15%
* Percentage of completion: 40%


== Detailed Description ==
== Detailed Description ==
All major DNS servers in Fedora run with DNSSEC validation enabled by default since Fedora 11 so we have a lot of experience from server environment. When a DNS server is installed on the workstation, NetworkManager will expose new checkbox, called DNSSEC, and if user checks it, NM will start the server and update /etc/resolv.conf. After that all DNS traffic will go through DNSSEC-validating resolver.
All major DNS servers in Fedora run with DNSSEC validation enabled by default since Fedora 11 so we have a lot of experience from server environment. When a DNS server is installed on the workstation, NetworkManager will the DNS server and update /etc/resolv.conf. After that all DNS traffic will go through DNSSEC-validating resolver.


This DNSSEC-aware environment needs only two keys, for the root zone and the ISC DLV register. Both domain administrators follow RFC 5011 so keys will be updated automatically.
This DNSSEC-aware environment needs only two keys, for the root zone and the ISC DLV register. Both domain administrators follow RFC 5011 so keys will be updated automatically.
Line 29: Line 29:
* by default, DNS server should use only servers whose are available via DHCP. This information can be easily obtained via libnmserver library from NetworkManager. This library has already passed the review process.
* by default, DNS server should use only servers whose are available via DHCP. This information can be easily obtained via libnmserver library from NetworkManager. This library has already passed the review process.


* Add new checkbox to NetworkManager which will enable/disable DNSSEC validation (this hasn't been consulted with NM developers, yet)
* NetworkManager already contains the plugin which can start the BIND DNS server and use it as a local resolver. This plugin needs to be improved a little.


== How To Test ==
== How To Test ==
* install NetworkManager and bind packages
* install NetworkManager and bind packages
* check the "dnssec" checkbox and verify /etc/resolv.conf points to localhost and named daemon runs fine
* check that DNS responses are validated (via dig utility)
* check that DNS responses are validated (via dig utility)


== User Experience ==
== User Experience ==
Although this change won't be visible to common users (except the "DNSSEC" checkbox), users will be secured from various DNS spoofing and DNS cache-poisonning attacks.
Although this change won't be visible to common users, users will be secured from various DNS spoofing and DNS cache-poisoning attacks.


== Dependencies ==
== Dependencies ==
* bind - small patch (integration with the libnmserver library) is ready and tested but not submitted to upstream, yet
* bind - small patch (integration with the libnmserver library) is ready and tested but not submitted to upstream, yet
* NetworkManager - nothing has been done, yet. New checkbox must be developed and added
* NetworkManager - little improvements for the bind plugin


== Contingency Plan ==
== Contingency Plan ==
Drop related patches from bind and NetworkManager. After that both will have same functionality as in F14.
Disable the BIND plugin by default and behavior will be same as in F14.


== Documentation ==
== Documentation ==
There is no related documentation except this page and libnmserver (https://fedorahosted.org/libnmserver) page.
* libnmserver (https://fedorahosted.org/libnmserver)
* NetworkManager (http://projects.gnome.org/NetworkManager)


== Release Notes ==
== Release Notes ==
NetworkManager got new functionality which allows to secure DNS traffic via DNSSEC technology. NetworkManager uses the BIND nameserver as a DNSSEC resolver. All received DNS responses are proved to be correct. If particular domain is signed and failed to validate then resolver returns SERFVAIL instead of invalidated response, which means something is wrong.
NetworkManager now uses the BIND nameserver as a DNSSEC resolver. All received DNS responses are proved to be correct. If particular domain is signed and failed to validate then resolver returns SERFVAIL instead of invalidated response, which means something is wrong.


== Comments and Discussion ==
== Comments and Discussion ==

Revision as of 12:35, 25 January 2011

DNSSEC on workstations

Summary

The DNS Root zone was signed about 6 months ago and there are more than 20 TLDs signed via DNSSEC. Fedora will bring benefit of this important feature to the end users and their workstations.

Owner

  • Email: atkac at redhat dot com

Current status

  • Targeted release: Fedora 15
  • Last updated: 2011-Jan-25
  • Percentage of completion: 40%

Detailed Description

All major DNS servers in Fedora run with DNSSEC validation enabled by default since Fedora 11 so we have a lot of experience from server environment. When a DNS server is installed on the workstation, NetworkManager will the DNS server and update /etc/resolv.conf. After that all DNS traffic will go through DNSSEC-validating resolver.

This DNSSEC-aware environment needs only two keys, for the root zone and the ISC DLV register. Both domain administrators follow RFC 5011 so keys will be updated automatically.

Benefit to Fedora

All DNS traffic will be secured by DNSSEC

Scope

  • by default, DNS server should use only servers whose are available via DHCP. This information can be easily obtained via libnmserver library from NetworkManager. This library has already passed the review process.
  • NetworkManager already contains the plugin which can start the BIND DNS server and use it as a local resolver. This plugin needs to be improved a little.

How To Test

  • install NetworkManager and bind packages
  • check that DNS responses are validated (via dig utility)

User Experience

Although this change won't be visible to common users, users will be secured from various DNS spoofing and DNS cache-poisoning attacks.

Dependencies

  • bind - small patch (integration with the libnmserver library) is ready and tested but not submitted to upstream, yet
  • NetworkManager - little improvements for the bind plugin

Contingency Plan

Disable the BIND plugin by default and behavior will be same as in F14.

Documentation

Release Notes

NetworkManager now uses the BIND nameserver as a DNSSEC resolver. All received DNS responses are proved to be correct. If particular domain is signed and failed to validate then resolver returns SERFVAIL instead of invalidated response, which means something is wrong.

Comments and Discussion