[Freeipa-devel] [PATCH] [WIP] DNSSEC support - preview

Simo Sorce ssorce at redhat.com
Thu Oct 16 19:32:49 UTC 2014


On Thu, 16 Oct 2014 20:39:05 +0200
Martin Kosek <mkosek at redhat.com> wrote:

> On 10/16/2014 08:01 PM, Petr Spacek wrote:
> ....
> >> 1)
> >>
> >> I'm not sure if failing on DNSSEC-disabled forwarders by default
> >> is a good idea. Perhaps there could be some auto-detection code?
> >> Something along the lines of:
> >>
> >>     if forwarders_support_dnssec:
> >>         if not options.no_dnssec_validation:
> >>             enable_dnssec_in_ipa()
> >>     else:
> >>         print "WARNING: DNSSEC will not be enabled"
> >
> > We have discussed this with Martin
> 
> ... Martin Basti/Martin2... Given there are more Martins in the team,
> you should be more specific :-)
> 
> > and the intent is to tell people that their
> > infrastructure is broken and has to be fixed - sooner is better.
> >
> > There is an option --no-dnssec-validation for people who like broken
> > infrastructure.
> 
> "Broken infrastructure" is a rather strong word for the situation when
> just DNSSEC is not configured (it may work for the customer
> otherwise). "Infrastructure does not follow the most up to date
> standards" may be more precise.
> 
> From my POV, this may be too strict. People may already use
> ipa-server-install in their scripts, and it suddenly requiring a new
> option may be seen as breakage.
> 
> So maybe it would be better to just print a big fat warning including a
> [yes|no] question to continue during ipa-server-install, and just
> print a warning in unattended mode (and disable DNSSEC validation).
> 
> We can always be more strict in next release. CCing Simo and Rob in
> case they have different opinions.

My opinion is that DNSSEC is too new to make it required by default in
any way.

For the first release it should be completely optional and opt in. Once
we sort out the initial hurdles we can slowly add warnings and what not
and at some point in the future switch the defaults and start
complaining.

We have to assume that most forwarders will be broken, so perhaps the
correct course of action if someone decides to try DNSSEC and the
forwarders do not support it is to give a fat warning and disable
DNSSEC for non-managed zones.

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York
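
The snippet below is an added illustration, not code from this thread or from FreeIPA, of what the `forwarders_support_dnssec` check in Petr's pseudocode and the warn/ask/disable behaviour Martin proposes could look like. It assumes (my assumption, not stated in the thread) that the probe sends a query with the EDNS0 DO bit for a name the installer knows is signed, and counts the forwarder as DNSSEC-capable only when the reply is NOERROR with the AD flag set. Function names and the sample replies are constructed for the example.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD from RFC 4035)
QR = 0x8000          # message is a response
RD = 0x0100          # recursion desired
AD = 0x0020          # authentic data: the resolver validated the answer
RCODE_MASK = 0x000F
EDNS_DO = 0x8000     # DO bit, high bit of the OPT RR flags (RFC 3225)


def build_dnssec_probe(qname, txid):
    """Wire-format A/IN query for qname with an EDNS0 OPT RR carrying DO=1.

    Sending this to a forwarder for a name that is known to be signed is one
    way to implement forwarders_support_dnssec (hypothetical helper name).
    """
    # header: id, flags (RD only), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (OPT RR)
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 1)
    question = b""
    for label in qname.rstrip(".").split("."):
        question += struct.pack("B", len(label)) + label.encode("ascii")
    question += b"\x00" + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size 4096,
    # "TTL" field = ext-rcode(0) | version(0) | flags(DO), RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)
    return header + question + opt


def response_validates(wire):
    """True only if the reply is NOERROR and has AD set, i.e. the forwarder
    validated the answer itself rather than merely relaying RRSIGs."""
    if len(wire) < 12:
        return False
    flags = struct.unpack("!H", wire[2:4])[0]
    if not flags & QR:
        return False
    if (flags & RCODE_MASK) != 0:
        return False
    return bool(flags & AD)


def decide_dnssec_policy(forwarders_validate, no_dnssec_validation, unattended, ask):
    """Installer decision combining the thread's pseudocode with the proposed
    fallback: warn, ask interactively, silently disable when unattended.

    Returns ("validate" | "disabled" | "abort", list_of_warnings).
    """
    warnings = []
    if no_dnssec_validation:
        return "disabled", warnings
    if forwarders_validate:
        return "validate", warnings
    warnings.append("WARNING: DNS forwarders do not support DNSSEC; "
                    "DNSSEC validation will not be enabled")
    if unattended:
        return "disabled", warnings
    if ask("Continue without DNSSEC validation? [yes/no] "):
        return "disabled", warnings
    return "abort", warnings


# Constructed sample replies (12-byte headers only; bodies are not needed here):
SAMPLE_VALIDATING = bytes.fromhex("123481a0000100020000" "0001")  # QR RD RA AD, NOERROR
SAMPLE_NO_AD = bytes.fromhex("123481800001000100000001")          # QR RD RA, AD clear
SAMPLE_SERVFAIL = bytes.fromhex("123481820001000000000000")       # RCODE=2 (SERVFAIL)

if __name__ == "__main__":
    probe = build_dnssec_probe("example.com", 0x1234)
    print("probe bytes:", probe.hex())
    for name, reply in (("validating", SAMPLE_VALIDATING),
                        ("no-AD", SAMPLE_NO_AD),
                        ("servfail", SAMPLE_SERVFAIL)):
        ok = response_validates(reply)
        decision, warns = decide_dnssec_policy(ok, False, True, lambda _p: True)
        print(name, "->", decision, warns)
```

A real probe would of course send `build_dnssec_probe()` over UDP to each configured forwarder and pass the reply to `response_validates()`; the decision function is kept separate so the same policy can be unit-tested without network access.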