Talk:Features/DNSSEC

From FedoraProject

(Difference between revisions)
Jump to: navigation, search
(Fedora 9 and Fedora 10)
m (Fedora 9 and Fedora 10)
Line 24: Line 24:
 
After the beta, we will port things back to F-10 and F-9 (but with defaults disabled). For now, to get all the keys and DLV on your resolving nameservers, run:
 
After the beta, we will port things back to F-10 and F-9 (but with defaults disabled). For now, to get all the keys and DLV on your resolving nameservers, run:
  
 +
<pre>
 
yum install dnssec-conf
 
yum install dnssec-conf
 
dnssec-configure --dnssec=on --dlv=on
 
dnssec-configure --dnssec=on --dlv=on
 
service restart bind (or unbound)
 
service restart bind (or unbound)
 +
</pre>
 
--[[User:pwouters|PaulWouters]]
 
--[[User:pwouters|PaulWouters]]

Revision as of 19:49, 17 March 2009

Can you coordinate with other dns server packages in fedora to support this if they support dnssec? In particular: pdns and maradns are both packaged.

How does this affect dnsmasq? Does it handle dnssec ok? libvirt makes heavy use of it.

- User:kevin

dnsmasq forwards all the dnssec data, but it does not support to verify it. Afaik it is also not possible to enable dnssec for hostnames that are configured in /etc/hosts or in the dnsmasq config file. --Till 10:33, 11 December 2008 (UTC)

I think that "invulnerable" is a little too strong and that it should say something like "greatly hardened"

- User:Ausil

Is it already planned to get (part of) Fedora Infrastructure to use DNSSEC? This would be a nice thing to do. :-) --Till 00:24, 17 December 2008 (UTC)

It would certainly be nice to have the Fedora domains DNSSEC signed. There's a tool called zkt http://www.hznet.de/dns/zkt/ that's useful for maintaining DNSSEC signed domains. JeffOllie

There are tools in fedora to do this. The dnssec-tools package contains the "donuts" deamon. There is also an effort on its for for an opensource dnssec signer application at opendnssec.org Though with Bind 9.6.x with automated ZoneSigning, there is not too much work that still needs to be done manually more then once a year (eg similar to SSL). PaulWouters.

Fedora 9 and Fedora 10

I have a Fedora 9 server running named (bind) with DNSSEC enabled for both Internet and my local DNS names for Fedora 10 clients. I've been running this way for a month now with no ill side effects. Is there anything I can do for this feature, or must I be running rawhide? :( --Mooninite 04:57, 26 February 2009 (UTC)

After the beta, we will port things back to F-10 and F-9 (but with defaults disabled). For now, to get all the keys and DLV on your resolving nameservers, run:

yum install dnssec-conf
dnssec-configure --dnssec=on --dlv=on
service restart bind (or unbound)

--PaulWouters