From Fedora Project Wiki

Revision as of 22:30, 15 September 2010 by Dcbw (talk | contribs)

Can you coordinate with other dns server packages in fedora to support this if they support dnssec? In particular: pdns and maradns are both packaged.

How does this affect dnsmasq? Does it handle dnssec ok? libvirt makes heavy use of it.

- User:kevin

dnsmasq forwards all the dnssec data, but it does not support to verify it. Afaik it is also not possible to enable dnssec for hostnames that are configured in /etc/hosts or in the dnsmasq config file. --Till 10:33, 11 December 2008 (UTC)

I think that "invulnerable" is a little too strong and that it should say something like "greatly hardened"

- User:Ausil

Is it already planned to get (part of) Fedora Infrastructure to use DNSSEC? This would be a nice thing to do. :-) --Till 00:24, 17 December 2008 (UTC)

It would certainly be nice to have the Fedora domains DNSSEC signed. There's a tool called zkt that's useful for maintaining DNSSEC signed domains. JeffOllie

There are tools in fedora to do this. The dnssec-tools package contains the "donuts" deamon. There is also an effort on its for for an opensource dnssec signer application at Though with Bind 9.6.x with automated ZoneSigning, there is not too much work that still needs to be done manually more then once a year (eg similar to SSL). PaulWouters.

- User:dcbw

I'd prefer to use dnsmasq if at all possible, by potentially fixing whatever issues it has with DNSSEC. While I know BIND can do DNSSEC out of the box it's quite heavy-weight for what we really want it for. dnsmasq is already deployed pretty much everywhere since it's capable and tiny.

That said, I'm adding caching nameserver support to NetworkManager right now on the cachingdns branch. dnsmasq support is already written, and I'm working on BIND support right now. I'd prefer if we could set the Fedora NetworkManager to use dnsmasq by default, and if users really want BIND for some reason they could enable that through /etc/NetworkManager/NetworkManager.conf.

I'm also highly allergic to Yet Another Checkbox. If we can avoid adding more UI for this (by turning DNSSEC on by default) then we should do so. However, we first need to determine the failure cases and just how bad they'd be before I'd entertain the idea of adding a UI on/off switch for it.

Fedora 9 and Fedora 10

I have a Fedora 9 server running named (bind) with DNSSEC enabled for both Internet and my local DNS names for Fedora 10 clients. I've been running this way for a month now with no ill side effects. Is there anything I can do for this feature, or must I be running rawhide? :( --Mooninite 04:57, 26 February 2009 (UTC)

After the beta, we will port things back to F-10 and F-9 (but with defaults disabled). For now, to get all the keys and DLV on your resolving nameservers, run:

yum install dnssec-conf
dnssec-configure --dnssec=on --dlv=on
service restart bind (or unbound)


Fedora 11

I'm confused. Feature says 100% and target release F12, but this feature is on by default in F11 and only vaguely mentioned in the release notes. RHBZ #504596 also confirms it's there. So I guess it just didn't make it into the docs team in time? -- Dale 19:53, 17 June 2009 (UTC)