Fedora and DNSSEC, presented by Paul Wouters, Fedora Packager (PowerPoint presentation)



SLIDE 1

Fedora and DNSSEC

Presented by Paul Wouters
Fedora Packager, DNSSEC Advisor

Creative Commons Attribution 3.0 https://fedoraproject.org/

SLIDE 2

What is Fedora

Fedora is a fast, stable, and powerful operating system for everyday use built by a worldwide community of friends. It's completely free to use, share, and modify.

• Innovative, cutting edge, leading
• 25,000 packages, 250,000 contributors
• Forms the basis for Red Hat Enterprise Linux (RHEL) but also CentOS, OLPC, Moblin, etc.

SLIDE 3

DNSSEC packages in Fedora

• Servers: bind9, nsd, unbound, powerdns
• Tools: ldns, libunbound, dnssec-tools, sshfp, autotrust, bind-pkcs11, OpenCryptoki, perl-Net-DNS-SEC

Non-Fedora addons:
• Sun SCA 6000 HSM drivers for the Linux kernel
• Firefox DNSSEC extension from labs.nic.cz (Tools->Extensions)
• SPARTA patches for native DNSSEC in Firefox, Postfix, Sendmail, ejabberd, gaim, etc.

SLIDE 4

DNSSEC with Fedora

• March 2009: unbound and bind ship with TLD trust anchors and DNSSEC & DLV validation enabled by default (Fedora 11)
• February 2010: RIPE DDoS incident in some branches of Fedora due to stale RIPE trust anchors: resolvers still shipping the old RIPE keys could no longer validate after RIPE rolled them (AKA the "Rollover or die" incident)
• December 2010: Ship the DNSSEC root key for bind and unbound. Phased out all shipped TLD trust anchors and stopped using dnssec-conf. DLV still enabled.

SLIDE 5

DNSSEC with Fedora

Fedora domains signed with DNSSEC since March 12, 2010 (fedoraproject.org, fedorahosted.org, etc.)

• Signing using a custom script based on bind's dnssec-signzone; keys restricted to ops
• DNSSEC keys are published in the DLV
• DS record support from Fedora's domain registrar is expected soon
• Two authoritative name servers sign the zones, with different Bind Views for GeoIP
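The DS record the slide expects the registrar to accept, and the DLV record Fedora publishes in the meantime, are both derived from the zone's KSK DNSKEY. The following Python is an added example, not part of the slides and not Fedora's own signing script: it computes the RFC 4034 Appendix B key tag and the DS RDATA (SHA-1 or SHA-256 over the canonical owner name plus the DNSKEY RDATA, RFC 4034 section 5.1.4 and RFC 4509) from a DNSKEY, refusing ZSKs and the RSA/MD5 key-tag special case. The owner name fedoraproject.org. comes from the slide; the four-byte key is constructed filler so the key tag can be checked by hand, not a real key.

```python
# Added example, not from the slides or Fedora's signing scripts: derive the
# key tag and DS RDATA for a zone's KSK (RFC 4034 Appendix B and section 5.1.4).
import base64
import hashlib
import struct

DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # digest types, RFC 4034 / RFC 4509
FLAG_ZONE, FLAG_SEP = 0x0100, 0x0001


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack(">HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not valid for RSA/MD5)."""
    if rdata[3] == 1:
        raise ValueError("algorithm 1 (RSA/MD5) uses a different key tag rule")
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, uncompressed labels."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def is_ksk(flags: int) -> bool:
    """Only ZONE keys with the SEP bit set (flags 257) are meant for DS publication."""
    return flags & (FLAG_ZONE | FLAG_SEP) == (FLAG_ZONE | FLAG_SEP)


def ds_rdata(owner: str, flags: int, protocol: int, algorithm: int,
             pubkey: bytes, digest_type: int = 2) -> str:
    """DS presentation RDATA 'keytag algorithm digesttype HEXDIGEST'.
    A DLV record (RFC 4431) carries exactly the same RDATA."""
    if protocol != 3:
        raise ValueError("DNSKEY protocol must be 3")
    if not is_ksk(flags):
        raise ValueError("refusing to publish DS for a non-KSK (flags %d)" % flags)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DS_DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_from_presentation(owner: str, dnskey_text: str, digest_type: int = 2) -> str:
    """Accept the zone-file form '257 3 8 <base64>' the way dnssec-dsfromkey would."""
    flags, protocol, algorithm, b64 = dnskey_text.split(None, 3)
    pubkey = base64.b64decode("".join(b64.split()))
    return ds_rdata(owner, int(flags), int(protocol), int(algorithm), pubkey, digest_type)


if __name__ == "__main__":
    # Constructed 4-byte "key" so the key tag (2063) is checkable by hand; a real
    # RSA/SHA-256 (algorithm 8) key would be hundreds of bytes.
    owner = "fedoraproject.org."
    fake_key = b"\x01\x02\x03\x04"
    print(owner, "IN DS", ds_rdata(owner, 257, 3, 8, fake_key, 2))
    text = "257 3 8 " + base64.b64encode(fake_key).decode()
    print(owner, "IN DS", ds_from_presentation(owner, text, 1))
```

The KSK check matters operationally: the registrar's DS (or the DLV entry) must point at the key that signs the DNSKEY RRset, and publishing a DS for a ZSK that is rolled frequently is how a zone goes bogus on the next rollover, which is the same failure class as the stale-trust-anchor incident on the previous slide.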

SLIDE 6

DNSSEC developments

DNSSEC resolving for all Fedora installs:
• NetworkManager integration, compatible with virt-manager/KVM (currently dnsmasq)
• Should use the DHCP-obtained caching name server as forwarder (only unbound can do this, not bind)
• What to do when the ISP's DNS is broken?

TLSA / HASTLS support tool (IETF DANE):
• SSL certificate validation via DNSSEC (without CAs)

• opendnssec support (dependency packaging)
• Fix ssh client VerifyHostKeyDNS=ask
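Two of the items above rely on the same mechanism: the sshfp tool listed on the packages slide generates SSHFP records, and the ssh client's VerifyHostKeyDNS setting consumes them. The following Python is an added example, not from the slides, OpenSSH or the sshfp package: it builds SSHFP RDATA (RFC 4255 and RFC 6594 algorithm and fingerprint-type numbers, digest over the raw key blob) from an OpenSSH public key line, and replays the comparison a client makes against the SSHFP RRset, treating an answer the resolver did not validate as no match. The host key is constructed filler, not a real key, and the hostname host.example.org. is an assumption.

```python
# Added example (not from the slides, OpenSSH or the sshfp package): generate
# SSHFP records for a host key and replay the client-side SSHFP comparison.
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# Fingerprint types: 1 = SHA-1 (RFC 4255, legacy), 2 = SHA-256 (RFC 6594).
SSHFP_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey_line(line: str):
    """Split an OpenSSH public key line into (key type, raw key blob)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("malformed OpenSSH public key line")
    keytype, b64 = fields[0], fields[1]
    if keytype not in SSHFP_ALGORITHMS:
        raise ValueError("no SSHFP algorithm number for " + keytype)
    blob = base64.b64decode(b64, validate=True)
    # The blob starts with the key type as an SSH string; refuse keys whose
    # text label and encoded label disagree instead of fingerprinting them.
    inner_len = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + inner_len] != keytype.encode():
        raise ValueError("key type label does not match encoded blob")
    return keytype, blob


def sshfp_records(line: str, fptypes=(1, 2)):
    """SSHFP RDATA strings 'alg fptype hexdigest'; the digest covers the whole blob."""
    keytype, blob = parse_pubkey_line(line)
    alg = SSHFP_ALGORITHMS[keytype]
    return [f"{alg} {fp} {SSHFP_DIGESTS[fp](blob).hexdigest()}" for fp in fptypes]


def sshfp_matches(line: str, rrset, dnssec_secure: bool) -> bool:
    """Client-side check: the key offered in the SSH handshake matches if some
    SSHFP record has the same algorithm, fingerprint type and digest. The match
    only means anything when the resolver reported the RRset as validated
    (AD bit); an unvalidated record could have been spoofed, so it is ignored."""
    if not dnssec_secure:
        return False
    keytype, blob = parse_pubkey_line(line)
    alg = SSHFP_ALGORITHMS[keytype]
    for rdata in rrset:
        r_alg, r_fp, r_hex = rdata.split()
        if int(r_alg) != alg or int(r_fp) not in SSHFP_DIGESTS:
            continue
        if SSHFP_DIGESTS[int(r_fp)](blob).hexdigest() == r_hex.lower():
            return True
    return False


def make_ed25519_pubkey_line(raw32: bytes, comment: str = "host") -> str:
    """Syntactically valid OpenSSH ed25519 public key line from 32 key bytes
    (used here only to build constructed test data, not a real host key)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed host key (32 bytes of deterministic filler) and the SHA-256
# SSHFP record a zone would publish for it.
HOST_KEY_LINE = make_ed25519_pubkey_line(bytes(range(32)), "constructed")
ZONE_SSHFP = sshfp_records(HOST_KEY_LINE, fptypes=(2,))

if __name__ == "__main__":
    for rr in sshfp_records(HOST_KEY_LINE):
        print("host.example.org. IN SSHFP", rr)   # assumed hostname
    print("validated match:", sshfp_matches(HOST_KEY_LINE, ZONE_SSHFP, True))
    print("unvalidated answer:", sshfp_matches(HOST_KEY_LINE, ZONE_SSHFP, False))
```

The dnssec_secure flag stands in for the AD bit the client's resolver returns, which is why the "DNSSEC resolving for all Fedora installs" item above is a prerequisite for the SSHFP item: without a validating resolver on the host, an SSHFP record is unauthenticated data and could only ever justify a prompt, never an automatic accept.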

SLIDE 7

Questions?

Contact: Paul Wouters
pwouters@fedoraproject.org paul@xelerance.com

Creative Commons Attribution 3.0 https://fedoraproject.org/