From Fedora Project Wiki

Latest revision as of 22:33, 15 September 2010

Can you coordinate with other dns server packages in fedora to support this if they support dnssec? In particular: pdns and maradns are both packaged.

How does this affect dnsmasq? Does it handle dnssec ok? libvirt makes heavy use of it.

- User:kevin

dnsmasq forwards all the dnssec data, but it does not support verifying it. Afaik it is also not possible to enable dnssec for hostnames that are configured in /etc/hosts or in the dnsmasq config file. --Till 10:33, 11 December 2008 (UTC)

I think that "invulnerable" is a little too strong and that it should say something like "greatly hardened"

- User:Ausil

Is it already planned to get (part of) Fedora Infrastructure to use DNSSEC? This would be a nice thing to do. :-) --Till 00:24, 17 December 2008 (UTC)

It would certainly be nice to have the Fedora domains DNSSEC signed. There's a tool called zkt http://www.hznet.de/dns/zkt/ that's useful for maintaining DNSSEC signed domains. JeffOllie

There are tools in fedora to do this. The dnssec-tools package contains the "donuts" daemon. There is also an effort on its for for an opensource dnssec signer application at opendnssec.org. Though with Bind 9.6.x with automated ZoneSigning, there is not too much work that still needs to be done manually more than once a year (eg similar to SSL). PaulWouters.


Fedora 9 and Fedora 10

I have a Fedora 9 server running named (bind) with DNSSEC enabled for both Internet and my local DNS names for Fedora 10 clients. I've been running this way for a month now with no ill side effects. Is there anything I can do for this feature, or must I be running rawhide? :( --Mooninite 04:57, 26 February 2009 (UTC)

After the beta, we will port things back to F-10 and F-9 (but with defaults disabled). For now, to get all the keys and DLV on your resolving nameservers, run:

yum install dnssec-conf
dnssec-configure --dnssec=on --dlv=on
service named restart    # or: service unbound restart

--PaulWouters
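
One way to check the result of the steps above, and to spot the forward-without-verify behaviour described for dnsmasq earlier on this page (an added example, not part of the original discussion or of Fedora's tooling): the function classifies the text output of `dig +dnssec NAME` by its status, its `ad` flag and the presence of RRSIG records. The sample output, `example.com`, `192.0.2.10` and the signature text are constructed.

```shell
#!/bin/sh
# Classify `dig +dnssec NAME` output read on stdin:
#   validated              resolver set the AD (Authenticated Data) flag
#   forwarded-unvalidated  RRSIG records returned, but AD is not set
#   insecure               no AD flag and no RRSIG records
#   servfail               lookup failed; a validating resolver also answers
#                          this way for data that fails validation
classify_dig() {
    awk '
        /^;; ->>HEADER<<-/ {
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {
            line = $0; sub(/^;; flags:/, "", line); sub(/;.*/, "", line)
            n = split(line, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        /^[^;]/ && $4 == "RRSIG" { rrsig = 1 }
        END {
            if (status == "SERVFAIL") print "servfail"
            else if (status != "NOERROR") print "other"
            else if (ad) print "validated"
            else if (rrsig) print "forwarded-unvalidated"
            else print "insecure"
        }'
}

# Constructed sample output (placeholders, not captured from a real server).
sample() {   # $1 = header flags, $2 = status
    cat <<EOF
;; ->>HEADER<<- opcode: QUERY, status: $2, id: 4242
;; flags: $1; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.  3600 IN A     192.0.2.10
example.com.  3600 IN RRSIG A 8 2 3600 20300101000000 20291201000000 12345 example.com. constructedSignature==
EOF
}

sample "qr rd ra ad" NOERROR | classify_dig   # validating resolver
sample "qr rd ra"    NOERROR | classify_dig   # DNSSEC data passed through only
```

The `ad` flag is only meaningful when the path to the resolver is trusted, for example a resolver on localhost.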

Fedora 11

I'm confused. Feature says 100% and target release F12, but this feature is on by default in F11 and only vaguely mentioned in the release notes. RHBZ #504596 also confirms it's there. So I guess it just didn't make it into the docs team in time? -- Dale 19:53, 17 June 2009 (UTC)