DNSSEC in Fedora-11: Enable or Disable?
Chuck Anderson
cra at WPI.EDU
Thu Mar 5 05:08:34 UTC 2009
On Wed, Mar 04, 2009 at 11:20:30PM -0500, Paul Wouters wrote:
> 1) Should we enable DNSSEC when a recursing nameserver is installed?
> 2) If we do, should we enable DLV support?
> (The only real DLV being http://dlv.isc.org/)
> Both Adam and I think we are ready to enable DNSSEC per default for
> those Fedora installs that install a recursive nameserver.
>
> The DLV has not been very active yet. Likely it contains many keys that
> DNS administrators once submitted but then forgot about. Those people
> would lose their domains when DLV is used, and could wrongly blame
> Fedora for that. I would recommend leaving the DLV disabled for now.
>
> Though in the future, I would like to see all Fedora installs use a
> local DNSSEC nameserver using the DNS servers presented by Network
> Manager as forwarders, I would not recommend doing that at this point.
>
> Please, let me know what you think. Feel free to ask any questions. I
> would like to hear what people think, and then we can make a collective
> decision on how to proceed.
I'm not that knowledgeable with DNSSEC, so I defer to your best
judgement, but it sounds like you've done a good job, covered all the
bases, documented this well, and I think the world needs a push
towards DNSSEC, so I say go for it! I agree that the exposure is
limited right now since this will not be used as the default local
caching resolver.

You've gotten me all excited now so I'll have to go test this feature
right away.