[Freeipa-devel] [WIP] DNSSEC check for DNS forwarders

Tomas Hozza thozza at redhat.com
Thu Oct 9 13:59:16 UTC 2014 

On 10/09/2014 10:50 AM, Petr Spacek wrote:
> Hello,
> 
> bad things will happen (i.e. external DNS resolution will not work) if
> configured DNS forwarders are not standard compliant, i.e. EDNS or DNSSEC
> support is not enabled.
> 
> For this reason I'm proposing to add explicit check to IPA installer and
> possibly even to dnsconfig-mod/dnszone-mod commands so forwarders are be tested
> before putting them in effect.
> 
> This check should detect failures soon and prevent surprises where IPA installs
> itself but DNS resolution doesn't work for some domains etc.
> 
> 
> Instructions for attached patch/script:
> # ./dnssec_test.py 127.127.127.127
> -> Will (likely) time-out, print a warning and return None
> - This should be a reason to abort installation because forwarder doesn't work
> at all.
> 
> # ./dnssec_test.py 10.1.2.3
> - Result depends on your local resolver.
> - In RH's network it will print a scary warning message and return False because
> internal forwarder doesn't support DNSSEC.
> - Should be a reason to abort installation. (This could be overridden by --force
> switch but then "dnssec-validation" option in /etc/named.conf has to be set to
> "no" otherwise IPA DNS will not work properly.)
> (I would rather force people to flip the switch in named.conf on forwarder so
> this could be a hidden option.)
> 
> # ./dnssec_test.py 199.7.83.42
> -> Should return True - forwarder works and DNSSEC is supported
> - Installation should continue.
> 
> Please voice your concerns ASAP.
> 

I must confirm that if using DNSSEC, it is essential to probe the
forwarder for proper DNSSEC support before using it. If the forwarder
is not able to provide all the necessary information, the validation
will not work.

This is basically the same we are already doing on the client side
where dnssec-trigger tries to determine if network-provided DNS
forwarders are DNSSEC enabled before configuring unbound server.

Therefore I agree with the idea, however it is up to IPA developers
how they end up implementing the probing.

Regards,
-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc.                               http://cz.redhat.com

More information about the Freeipa-devel mailing list