(remove discussion, wrong page) |
|||
| (3 intermediate revisions by 3 users not shown) | |||
| Line 17: | Line 17: | ||
There are tools in fedora to do this. The dnssec-tools package contains the "donuts" deamon. There is also an effort on its for for an opensource dnssec signer application at [http://www.opendnssec.org/ opendnssec.org] | There are tools in fedora to do this. The dnssec-tools package contains the "donuts" deamon. There is also an effort on its for for an opensource dnssec signer application at [http://www.opendnssec.org/ opendnssec.org] | ||
Though with Bind 9.6.x with automated ZoneSigning, there is not too much work that still needs to be done manually more then once a year (eg similar to SSL). [[User:pwouters|PaulWouters]]. | Though with Bind 9.6.x with automated ZoneSigning, there is not too much work that still needs to be done manually more then once a year (eg similar to SSL). [[User:pwouters|PaulWouters]]. | ||
== Fedora 9 and Fedora 10 == | == Fedora 9 and Fedora 10 == | ||
| Line 24: | Line 25: | ||
After the beta, we will port things back to F-10 and F-9 (but with defaults disabled). For now, to get all the keys and DLV on your resolving nameservers, run: | After the beta, we will port things back to F-10 and F-9 (but with defaults disabled). For now, to get all the keys and DLV on your resolving nameservers, run: | ||
<pre> | |||
yum install dnssec-conf | yum install dnssec-conf | ||
dnssec-configure --dnssec=on --dlv=on | dnssec-configure --dnssec=on --dlv=on | ||
service restart bind (or unbound) | service restart bind (or unbound) | ||
</pre> | |||
--[[User:pwouters|PaulWouters]] | --[[User:pwouters|PaulWouters]] | ||
== Fedora 11 == | |||
I'm confused. Feature says 100% and target release F12, but this feature is on by default in F11 and only [http://docs.fedoraproject.org/release-notes/f11/en-US/sect-Release_Notes-Security.html vaguely mentioned] in the release notes. {{bz|504596}} also confirms it's there. So I guess it just didn't make it into the docs team in time? -- [[User:Dale|Dale]] 19:53, 17 June 2009 (UTC) | |||
Latest revision as of 22:33, 15 September 2010
Can you coordinate with other dns server packages in fedora to support this if they support dnssec? In particular: pdns and maradns are both packaged.
How does this affect dnsmasq? Does it handle dnssec ok? libvirt makes heavy use of it.
- dnsmasq forwards all the dnssec data, but it does not support to verify it. Afaik it is also not possible to enable dnssec for hostnames that are configured in /etc/hosts or in the dnsmasq config file. --Till 10:33, 11 December 2008 (UTC)
I think that "invulnerable" is a little too strong and that it should say something like "greatly hardened"
Is it already planned to get (part of) Fedora Infrastructure to use DNSSEC? This would be a nice thing to do. :-) --Till 00:24, 17 December 2008 (UTC)
It would certainly be nice to have the Fedora domains DNSSEC signed. There's a tool called zkt http://www.hznet.de/dns/zkt/ that's useful for maintaining DNSSEC signed domains. JeffOllie
There are tools in fedora to do this. The dnssec-tools package contains the "donuts" deamon. There is also an effort on its for for an opensource dnssec signer application at opendnssec.org Though with Bind 9.6.x with automated ZoneSigning, there is not too much work that still needs to be done manually more then once a year (eg similar to SSL). PaulWouters.
Fedora 9 and Fedora 10
I have a Fedora 9 server running named (bind) with DNSSEC enabled for both Internet and my local DNS names for Fedora 10 clients. I've been running this way for a month now with no ill side effects. Is there anything I can do for this feature, or must I be running rawhide? :( --Mooninite 04:57, 26 February 2009 (UTC)
After the beta, we will port things back to F-10 and F-9 (but with defaults disabled). For now, to get all the keys and DLV on your resolving nameservers, run:
yum install dnssec-conf dnssec-configure --dnssec=on --dlv=on service restart bind (or unbound)
Fedora 11
I'm confused. Feature says 100% and target release F12, but this feature is on by default in F11 and only vaguely mentioned in the release notes. RHBZ #504596 also confirms it's there. So I guess it just didn't make it into the docs team in time? -- Dale 19:53, 17 June 2009 (UTC)