Talk:Features/DNSSEC

From FedoraProject

(Difference between revisions)
Jump to: navigation, search
m (notes on dnssec software)
(Fedora 9 and Fedora 10)
Line 21: Line 21:
  
 
I have a Fedora 9 server running named  (bind) with DNSSEC enabled for both Internet and my local DNS names for Fedora 10 clients. I've been running this way for a month now with no ill side effects. Is there anything I can do for this feature, or must I be running rawhide? :( --[[User:Mooninite|Mooninite]] 04:57, 26 February 2009 (UTC)
 
I have a Fedora 9 server running named  (bind) with DNSSEC enabled for both Internet and my local DNS names for Fedora 10 clients. I've been running this way for a month now with no ill side effects. Is there anything I can do for this feature, or must I be running rawhide? :( --[[User:Mooninite|Mooninite]] 04:57, 26 February 2009 (UTC)
 +
 +
After the beta, we will port things back to F-10 and F-9 (but with defaults disabled). For now, to get all the keys and DLV on your resolving nameservers, run:
 +
 +
yum install dnssec-conf
 +
dnssec-configure --dnssec=on --dlv=on
 +
service restart bind (or unbound)
 +
--[[User:pwouters|PaulWouters]]

Revision as of 19:47, 17 March 2009

Can you coordinate with other dns server packages in fedora to support this if they support dnssec? In particular: pdns and maradns are both packaged.

How does this affect dnsmasq? Does it handle dnssec ok? libvirt makes heavy use of it.

- User:kevin

dnsmasq forwards all the dnssec data, but it does not support to verify it. Afaik it is also not possible to enable dnssec for hostnames that are configured in /etc/hosts or in the dnsmasq config file. --Till 10:33, 11 December 2008 (UTC)

I think that "invulnerable" is a little too strong and that it should say something like "greatly hardened"

- User:Ausil

Is it already planned to get (part of) Fedora Infrastructure to use DNSSEC? This would be a nice thing to do. :-) --Till 00:24, 17 December 2008 (UTC)

It would certainly be nice to have the Fedora domains DNSSEC signed. There's a tool called zkt http://www.hznet.de/dns/zkt/ that's useful for maintaining DNSSEC signed domains. JeffOllie

There are tools in fedora to do this. The dnssec-tools package contains the "donuts" deamon. There is also an effort on its for for an opensource dnssec signer application at opendnssec.org Though with Bind 9.6.x with automated ZoneSigning, there is not too much work that still needs to be done manually more then once a year (eg similar to SSL). PaulWouters.

Fedora 9 and Fedora 10

I have a Fedora 9 server running named (bind) with DNSSEC enabled for both Internet and my local DNS names for Fedora 10 clients. I've been running this way for a month now with no ill side effects. Is there anything I can do for this feature, or must I be running rawhide? :( --Mooninite 04:57, 26 February 2009 (UTC)

After the beta, we will port things back to F-10 and F-9 (but with defaults disabled). For now, to get all the keys and DLV on your resolving nameservers, run:

yum install dnssec-conf dnssec-configure --dnssec=on --dlv=on service restart bind (or unbound) --PaulWouters