From Fedora Project Wiki
(→‎How To Test: extended with information about dnssec-trigger)
Line 85: Line 85:
  sudo systemctl start dnssec-triggerd.service
  sudo systemctl start dnssec-triggerd.service
* Now it should ''just work''. Please file a bug against [https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=dnssec-trigger dnssec-trigger component in Fedora] if it doesn't.
* Now it should ''just work''. Please file a bug against [https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=dnssec-trigger dnssec-trigger component in Fedora] if it doesn't.
* Validation failues should be recorded to the system log:
journalctl -f -l -u unbound.service
unbound[1062]: [1062:0] info: validation failure <www.dnssec-failed.org. A IN>: no keys have a DS with algorithm RSASHA1 from 192.168.2.1 for key dnssec-failed.org. while building chain of trust
* See dnssec-trigger documentation for more details: http://www.nlnetlabs.nl/projects/dnssec-trigger/
* See dnssec-trigger documentation for more details: http://www.nlnetlabs.nl/projects/dnssec-trigger/



Revision as of 10:30, 15 April 2014

Default Local DNS Resolver

Summary

To install a local DNS resolver trusted for the DNSSEC validation running on 127.0.0.1:53. This must be the only name server entry in /etc/resolv.conf.

The automatic name server entries received via dhcp/vpn/wireless configurations should be stored separately, as transitory name servers to be used by the trusted local resolver. In all cases, DNSSEC validation will be done locally.

Owner

  • Name: P J P
  • Email: P J P <pjp@fedoraproject.org>
  • Release notes owner:

Current status

  • Targeted release: Fedora 22
  • Last updated: 2014-04-11
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

There are growing instances of discussions and debates about the need for a trusted DNSSEC validating local resolver running on 127.0.0.1:53. There are multiple reasons for having such a resolver, importantly security & usability. Security & protection of user's privacy becomes paramount with the backdrop of the increasingly snooping governments and service providers world wide.

People use Fedora on portable/mobile devices which are connected to diverse networks as and when required. The automatic DNS configurations provided by these networks are never trustworthy for DNSSEC validation. As currently there is no way to establish such trust.

Apart from trust, these name servers are often known to be flaky and unreliable. Which only adds to the overall bad and at times even frustrating user experience. In such a situation, having a trusted local DNS resolver not only makes sense but is in fact badly needed. It has become a need of the hour. (See: [1], [2], [3])

Going forward, as DNSSEC and IPv6 networks become more and more ubiquitous, having a trusted local DNS resolver will not only be imperative but be unavoidable. Because it will perform the most important operation of establishing trust between two parties.

All DNS literature strongly recommends it. And amongst all discussions and debates about issues involved in establishing such trust, it is unanimously agreed upon and accepted that having a trusted local DNS resolver is the best solution possible. It'll simplify and facilitate lot of other design decisions and application development in future. (See: [1], [2], [3])

---
[1] https://www.ietf.org/mail-archive/web/dane/current/msg06469.html
[2] https://www.ietf.org/mail-archive/web/dane/current/msg06658.html
[3] https://lists.fedoraproject.org/pipermail/devel/2014-April/197755.html

Benefit to Fedora

What is the benefit to the platform?

Fedora distribution has been the industry leader when it comes to shipping the best and latest of the software to its users. In many cases Fedora has been the trend setter in accepting new technologies like Systemd. With the trusted local DNS resolver running on 127.0.0.1:53, Fedora will not only provide greater security and usability to its users, but will also take an important step towards the secure by default computing future. Wherein users do not have to worry about privacy, security and trust.

Scope

  • Proposal owners: Proposal owners shall have to
    • define the syntax and semantics for new configuration parameters/files.
    • persuade and coordinate with the other package owners to incorporate new changes/workflow in their applications.
  • Other developers: (especially NetworkManager and the likes)
    • would have to implement the new features/workflow for their applications adhering to the new configurations and assuming the availability of the trusted local DNS resolver.
    • NetworkManager already has features & capability to support local DNS resolvers. Though few details are still under development, but are expected to realize in near future. Please see -> https://lists.fedoraproject.org/pipermail/devel/2014-April/197848.html
  • Release engineering:
    • would have to ensure that trusted local DNS resolver is available throughout the installation stage and the same is installed on all installations including LiveCDs etc.
  • Policies and guidelines:
    • the chosen trusted DNS resolver package(ex dnsmasq or dnssec-trigger etc.) would have to ensure that their DNS resolver starts at boot time and works out of the box without any user intervention.
    • NetworkManager and others would have to be told to not tamper with the local nameserver entries in '/etc/resolv.conf' and save the dynamic nameserver entries in a separate configuration file.

Upgrade/compatibility impact

As long as the new packages, which do the Network and DNS configurations are installed and they know about the local DNS resolver; None of the other packages need any changes. Because they'll continue to access name servers in '/etc/resolv.conf'.

How To Test

Expectations

Everything should work as usual, out of the box. You should be (automatically) protected when visiting DNSSEC-secured DNS domains.

DNSSEC-secured DNS domains which fail data validation (e.g. because you are under DNS spoofing attack) should be unreachable.

Site http://www.dnssec-failed.org/ has intentionally invalid DNSSEC signatures to simulate an attack. The site should not be reachable if your configuration is correct.

Option 1 - Use experimental implementation available in Fedora 20

  • Install and enable dnssec-trigger daemon:
sudo yum install dnssec-trigger
sudo systemctl enable dnssec-triggerd.service
sudo systemctl start dnssec-triggerd.service
journalctl -f -l -u unbound.service
unbound[1062]: [1062:0] info: validation failure <www.dnssec-failed.org. A IN>: no keys have a DS with algorithm RSASHA1 from 192.168.2.1 for key dnssec-failed.org. while building chain of trust

Option 2 - Configure local resolver manually

  • Make sure local DNS resolver (e.g. unbound or BIND) is running on 127.0.0.1:53.
  • Make sure it is the only name server entry in /etc/resolv.conf.
  • Make sure that DNSSEC validation is enabled on your resolver.
  • Make sure that applications are able to resolve domain names with such setup. (Try browsing few sites on the Internet.)
  • Add domain specific name server entries (aka forwards) into local name server's configuration file and ensure that applications are able to resolve internal (company wide) domain names too. (Try connecting to company mail/IRC server.)
  • Make sure that NetworkManager/vpnc/dhcp etc. programs do NOT tamper with the primary name server entry in /etc/resolv.conf.

User Experience

It is not something user would notice really.

Dependencies

  • N/A

Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?)
    • At the minimum, if we only manage to install a local DNS resolver and enable it to run at boot up and configure it to be the primary name server in /etc/resolv.conf, we will be in the safe. Because other applications won't notice any change as long as they are able to resolve domain names.
    • If NetworkManager/dhcp/vpnc etc. are not able to incorporate new syntax/semantic changes, worst case, they'll continue to over-write the name server configuration in /etc/resolv.conf, even in that scenario, user/application won't notice any difference for they will continue to be able to resolve domain names and access internet.
    • Only drawback would be that it won't be as safe as using the trusted local resolver.
  • Contingency deadline: Beta freeze.
  • Blocks release? - No
  • Blocks product? product - No

Documentation

  • There is no documentation yet. I'll write one and link it here asap.

Release Notes