DNSSEC in Fedora-11: Enable or Disable?

Paul Wouters paul at xelerance.com
Thu Mar 5 04:20:30 UTC 2009


Hi people,

Adam Tkac and I maintain the two recursive nameservers in Fedora. We need
to decide before the beta freeze whether we want recursing caching
nameservers to enable or disable DNSSEC per default.

For some details on how this is implemented, please see:
http://fedoraproject.org/wiki/Features/DNSSEC

There are two questions:

For Fedora-11:

1) Should we enable DNSSEC when a recursing nameserver is installed?
2) If we do, should we enable DLV support?
    (The only real DLV being http://dlv.isc.org/)

DNSSEC software has been run for a long time. It is mature, stable and
runs in production on many systems, including Fedora. What's been slow
has been the signing of the root and TLD deployments. This, however,
is quickly gaining speed. A few days ago .gov was signed into production.
With the root not signed, key management is the hardest part of DNSSEC,
but we now have the required packages in Fedora to distribute and update
these.

Pros:
- It adds much needed security to DNS
- Newly installed resolvers would use DNSSEC out of the box with all
   known DNSSEC keys preconfigured. These closely resemble the current
   ICANN/IANA Trust Anchor Repository at https://itar.iana.org/
- TLD Key management is taken care of (via autotrust and dnssec-conf)
- DLV will allow every DNS administrator to start taking advantage of
   DNSSEC - even within unsigned TLDs such as .com and .org.
- Everyone can start using SSHFP records with their ssh client.
- Fedora contains all the tools to create and serve signed zones already.
   (bind, bind-utils, ldns)
- Fedora contains two DNSSEC capable resolvers (bind and unbound) and
   libraries to add DNSSEC to applications (bind or unbound-libs)
- Trivial to enable/disable dnssec-configure (and soon system-config-dnssec)
- Bind and Unbound are both very stable DNSSEC capable resolvers.
- Fedora shows it is a front runner when it comes to deploying new
   technology :)
- It will make many TLDs, DNSSEC people, and the .gov people very happy.

Cons:
- It's perhaps technically too late for feature freeze. Though we are not
   talking about putting new code in, just flipping a switch. So we could
   do this in time for beta freeze.
- Support for using DNSSEC forwarders for end users via NetworkManager is
   not yet done (though support for on-the-fly reconfiguring forwarders
   was added to unbound in preparation for this already). So using DNSSEC
   via a resolv.conf using localhost for desktops/laptop clients is not
   ready yet.
- DNSSEC requires EDNS0 and stupid firewall administrators might be blocking
   TCP port 53 and UDP packets > 512 bytes, possibly causing DNS problems if
   these are located in front of DNSSEC capable resolvers.
- Some NAT router brands drop DNS packets with DNSSEC options enabled. If
   using a cheap NAT router as forwarder for your DNSSEC enabled Fedora
   machine, DNS connectivity might cause intermittent problems.

Both Adam and I think we are ready to enable DNSSEC per default for
those Fedora installs that install a recursive nameserver.

The DLV has not been very active yet. Likely it contains many keys that
DNS administrators once submitted but then forgot about. Those people
would lose their domains when DLV is used, and could wrongly blame
Fedora for that. I would recommend leaving the DLV disabled for now.

Though in the future, I would like to see all Fedora installs use a
local DNSSEC nameserver using the DNS servers presented by NetworkManager
as forwarders, I would not recommend doing that at this point.

Please, let me know what you think. Feel free to ask any questions. I
would like to hear what people think, and then we can make a collective
decision on how to proceed.

Paul
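The "DNSSEC requires EDNS0" con above is worth seeing on the wire. The following Python is an added example, not part of Paul's mail or of the Fedora bind/unbound packages: it builds a query carrying the EDNS0 OPT pseudo-RR (advertised UDP payload size plus the DO bit that asks for RRSIGs) and then classifies constructed replies the way an operator would when diagnosing the firewall and NAT-router problems the mail lists (dropped OPT, truncation forcing a TCP fallback). All byte strings are built in the file; nothing touches the network, and the 4096-byte payload size and the example name are assumed values.

```python
"""Added example (not from the original mail): what EDNS0/DO looks like in a
DNS query, and how a resolver's reply reveals a middlebox between you and it.
Every message here is constructed locally; no packets are sent."""
import struct

OPT_TYPE = 41            # EDNS0 OPT pseudo-RR type code (RFC 6891)
DO_BIT = 0x00008000      # "DNSSEC OK" bit in the OPT TTL field (RFC 4035)
TC_BIT = 0x0200          # TrunCation flag in the DNS header (RFC 1035)
CLASSIC_LIMIT = 512      # UDP limit that applies when no OPT RR is present
EDNS_PAYLOAD = 4096      # assumed buffer size a DNSSEC resolver advertises


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels plus the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234,
                edns: bool = True, payload: int = EDNS_PAYLOAD) -> bytes:
    """Recursive query; with edns=True an OPT RR advertises `payload` bytes of
    UDP buffer and sets DO so the resolver includes DNSSEC records."""
    arcount = 1 if edns else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # RD set
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)         # QTYPE, IN
    if edns:
        # OPT: empty owner name, TYPE=41, CLASS=UDP payload size,
        # TTL=ext-rcode|version|flags (DO), RDLENGTH=0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, payload, DO_BIT, 0)
    return msg


def skip_name(msg: bytes, off: int) -> int:
    """Offset just past the name starting at `off`; handles compression pointers."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:       # two-byte pointer terminates the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def find_opt(msg: bytes):
    """Walk all sections; return (payload_size, do_set) from the OPT RR, or None."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                      # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass, bool(ttl & DO_BIT)
        off += 10 + rdlen
    return None


def build_response(query: bytes, tc: bool = False, edns_payload=None) -> bytes:
    """Constructed resolver reply: echoes the question, optionally sets TC,
    optionally carries its own OPT RR. Used here to simulate what comes back."""
    txid = struct.unpack("!H", query[:2])[0]
    qend = skip_name(query, 12) + 4
    flags = 0x8180 | (TC_BIT if tc else 0)                 # QR, RD, RA (+TC)
    arcount = 1 if edns_payload is not None else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount) + query[12:qend]
    if edns_payload is not None:
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_payload, DO_BIT, 0)
    return msg


def classify(query: bytes, response) -> str:
    """Map a reply (or its absence) to the path problems the mail describes."""
    if response is None:
        return "no reply: EDNS0/DO query dropped, suspect a NAT router or firewall filtering OPT"
    flags = struct.unpack("!H", response[2:4])[0]
    if flags & TC_BIT:
        return "truncated: answer exceeds the UDP limit, client must retry over TCP port 53"
    opt = find_opt(response)
    if opt is None:
        return "reply without OPT: EDNS0 stripped in transit, no DNSSEC data can be returned"
    size, do = opt
    if size <= CLASSIC_LIMIT or not do:
        return f"EDNS0 present but payload={size} DO={do}: expect frequent TCP fallbacks"
    return f"ok: EDNS0 payload {size} bytes with DO set"


if __name__ == "__main__":
    q = build_query("example.gov")                         # assumed name
    print(find_opt(q))                                     # (4096, True)
    for reply in (None, build_response(q, tc=True), build_response(q),
                  build_response(q, edns_payload=EDNS_PAYLOAD)):
        print(classify(q, reply))
```

The diagnostic order matters: truncation is checked before the OPT record because a TC reply is a normal signal to retry over TCP, whereas a reply with no OPT at all means something on the path rewrote or replaced the message, which is the failure a filtering NAT router produces.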
More information about the fedora-devel-list mailing list