red hat development model
play

Red Hat Development Model Community driven foster relationships - PowerPoint PPT Presentation

May 13, 2023 •285 likes •413 views

OS integrating of DNSSEC Paul Wouters Senior software engineer, Red Hat October 17, 2012 1 Paul Wouters <pwouters@redhat.com> Red Hat Development Model Community driven foster relationships with upstream Fedora Linux -

  1. OS integrating of DNSSEC Paul Wouters Senior software engineer, Red Hat October 17, 2012 1 Paul Wouters <pwouters@redhat.com>

  2. Red Hat Development Model ● Community driven – foster relationships with upstream ● Fedora Linux - Freedom, Friends, Features, First ● Innovation mayhem (i.e. glibc, systemd, selinux) ● Red Hat Enterprise Linux ● Enterprise quality product ● Strong security – Common Criteria, FIPS-140 ● Long term support ● DNSSEC fits in this model ● Deploy in Fedora first ● Carefully merge into RHEL later 2 Paul Wouters <pwouters@redhat.com>

  3. The basis: Fedora and EPEL packages ● Multitude of DNSSEC packages ● resolvers: bind, unbound, libval ● authoritative: bind, nsd, pdns ● signers: bind, opendnssec ● tools: validns, dnssec-tools, dnssec-check, dnssec-system-tray, mozilla-extval, dnssec-nodes ● dnssec-trigger ● hash-slinger (formerly sshfp, now with tlsa support) ● openswan with dnssec support ● All the tools are there to build signers, resolvers, validators 3 Paul Wouters <pwouters@redhat.com>

  4. Fedora infrastructure ● First to enable DNSSEC (and DLV) per default when installing a resolving name server ● First to ship DNSSEC keys before a signed root using dnssec-conf (discovered “rollover-or-die” bug in bind) ● fedoraproject.org first signed Oct 3 2009 (DLV, no DS) ● Publishes TLSA records for fedoraproject.org ● Hotspot detection and login page at: http://fedoraproject.org/static/hotspot.txt http://hotspot-nocache.fedoraproject.org/ ● Runs open DNS resolvers on TCP (port 80 and 443) 4 Paul Wouters <pwouters@redhat.com>

  5. DNSSEC experience: #1 Captive Portals ● dnssec-trigger + unbound = okay (but not great) ● Try cache, then full resolver, then TCP 80, then TLS ● Need better integration with Network-Manager ● Monitor and act on Web and DNS hijacking together ● dnssec-trigger needs to reconfigure unbound for more aggressive retries, shorter negative caching ● unbound needs support for querying DNSSEC chains ● 1 query per HTTP/TLS connection does not work ● Excellent co-operation with NLnetlabs 5 Paul Wouters <pwouters@redhat.com>

  6. DNSSEC experience: #2 VPN using Openswan ● Openswan reconfigures unbound ● IPsec XAUTH parameters received contain domain name (“redhat.com”) and nameservers (“1.2.3.4”) ● When the VPN is established it runs unbound-control to configure forwarder, flush cache for “redhat.com” and flush request list. ● When VPN disconnects it runs unbound-control to remove forwarder, flush cache for “redhat.com” and request list ● Works very well, except when VPN silently times out (happens when using OTK, i.e. SecureID) ● Openswan patch: use libunbound not gethostbyname() 6 Paul Wouters <pwouters@redhat.com>

  7. DNSSEC experience: #3 Split DNS ● Simple split DNS (eg VPN) works ● More complicated when external and internal zones are signed – “DNS lying” is required due to DNSSEC ● Running your own resolver means using public view ● internal.redhat.com does not exist in public view ● Patched unbound to support distributing trust anchors (i.e. via puppet) ● /etc/unbound/keys.d/internal.redhat.com.key ● /etc/unbound/conf.d/internal.redhat.com.conf ● /etc/unbound/local.d/nasa-override.conf ● We need more experience with complicated DNS splits 7 Paul Wouters <pwouters@redhat.com>

  8. TLSA Validator for Firefox 8 Paul Wouters <pwouters@redhat.com>

  9. Generating TLSA and SSHFP records is easy ● yum install hash-slinger ● tlsa –create www.example.com ● sshfp -a (known_hosts) ● sshfp -a -d -d nohats.ca -n ns0.nohats.ca (axfr+scan) 9 Paul Wouters <pwouters@redhat.com>

  10. DNSSEC: RHEL integration ● Wait on more experience and stability with Fedora ● As a server OS, captive portal not as important, but RHEL as desktop gaining traction and under increased security demands ● Only allowed crypto libraries: NSS, openssl, libgcrypt ● libunbound can now use NSS instead of openssl ● The unbound daemon still requires openssl ● OpenDNSSEC uses botan which is not certified ● Running in FIPS mode still causing problems ● MD5 not available (unbound, nsd,...) 10 Paul Wouters <pwouters@redhat.com>

  11. DNSSEC: TODO list ● Support in Anaconda / NetworkManager to run validating resolver on every install (for Fedora 19?) ● resolv.conf with only 127.0.0.1 makes everyone happy! ● Integration of dnssec-trigger and NetworkManager ● DNSSEC chain support for TCP queries (IETF work) ● Single storage of root and DLV keys ● applications cannot yet be guaranteed a local resolver ● Multiple formats, multiple locations ● Long term handling of shipping DNSSEC keys, especially the root key. Grab RHEL7 from a shelve in 2020 and turn it on, will DNS still work? ● 11 Paul Wouters <pwouters@redhat.com>

  12. Questions? Find the guy with the red hat after the panel discussion 12 Paul Wouters <pwouters@redhat.com>

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Development Model Organisms Model Organisms Used to study embryonic development Usually

Development Model Organisms Model Organisms Used to study embryonic development Usually

Development Model Organisms Model Organisms Used to study embryonic development Usually reproduce quickly and are easy to raise in a laboratory setting Classic model organisms include: Drosophila (fruit fly) C. elegans

598 views • 33 slides
CGE model development (2) CGE model development (2) CGE model development CGE model development

CGE model development (2) CGE model development (2) CGE model development CGE model development

CGE model development (2) CGE model development (2) CGE model development CGE model development based on U&amp;V matrix based on U&amp;V matrix Toshihiko MASUI Toshihiko MASUI National Institute for Environmental Studies National Institute

556 views • 19 slides
CGE model development (1) CGE model development (1) Concept of CGE model and Concept of CGE

CGE model development (1) CGE model development (1) Concept of CGE model and Concept of CGE

CGE model development (1) CGE model development (1) Concept of CGE model and Concept of CGE model and simple CGE model based on IO data simple CGE model based on IO data Toshihiko MASUI Toshihiko MASUI National Institute for Environmental

368 views • 21 slides
Model Status Update July 01, 2015 Agenda Purpose Model Development Update Model

Model Status Update July 01, 2015 Agenda Purpose Model Development Update Model

Model Status Update July 01, 2015 Agenda Purpose Model Development Update Model Calibration Status Next Steps Schedule Public Input Purpose Inform stakeholders on status of model development Provide more detailed

325 views • 30 slides
UWM Budget Model Development Update UNIVERSITY OF WISCONSINMILWAUKEE Budget Model Update

UWM Budget Model Development Update UNIVERSITY OF WISCONSINMILWAUKEE Budget Model Update

UWM Budget Model Development Update UNIVERSITY OF WISCONSINMILWAUKEE Budget Model Update Update Outline Overview of Current Budget Model Need and Development Project Plan Requirements &amp; Campus Input Review of New

361 views • 32 slides
Xen Development Roadmap Keir Fraser / Ian Pratt Outline Development model Removing

Xen Development Roadmap Keir Fraser / Ian Pratt Outline Development model Removing

Xen Development Roadmap Keir Fraser / Ian Pratt Outline Development model Removing Linux sparse tree Target systems ABI Stability Previous roadmap scorecard New Roadmap Development Model Aim: stabilize

679 views • 24 slides
Development of the Atomic Model 6 Major Contributors to the Atomic Model Theory 1. The Greeks

Development of the Atomic Model 6 Major Contributors to the Atomic Model Theory 1. The Greeks

Development of the Atomic Model 6 Major Contributors to the Atomic Model Theory 1. The Greeks 2. Dalton 3. Thomsons Plum Pudding 4. Rutherfords Gold -Foil Experiment 5. Bohrs Planetary Model 6. Chadwicks Quantum Mechanical The

206 views • 10 slides
Development of the Atomic Model 6 Major Contributors to the Atomic Model Theory 1. The Greeks

Development of the Atomic Model 6 Major Contributors to the Atomic Model Theory 1. The Greeks

Development of the Atomic Model 6 Major Contributors to the Atomic Model Theory 1. The Greeks 2. Dalton 3. Thomsons Plum Pudding 4. Rutherfords Gold -Foil Experiment 5. Bohrs Planetary Model 6. Chadwicks Quantum Mechanical The

219 views • 9 slides
Merced Water Resources Model (MercedWRM) Application to GSP Development May 29,2018 Meeting

Merced Water Resources Model (MercedWRM) Application to GSP Development May 29,2018 Meeting

Merced Water Resources Model (MercedWRM) Application to GSP Development May 29,2018 Meeting Agenda Introductions Review of Model Input Data Review of Model Calibration Review of Model Baseline Discussion on Model Applications

963 views • 51 slides
Development of the Danish LRAIC model for fixed networks Presentation of the 1st draft model

Development of the Danish LRAIC model for fixed networks Presentation of the 1st draft model

Development of the Danish LRAIC model for fixed networks Presentation of the 1st draft model February 2020 This document was prepared by Axon Consulting for the use of the client to whom it is addressed. No part of it may be copied or made

719 views • 59 slides
Development of the Danish LRAIC model for fixed networks Presentation of the 2nd draft model May

Development of the Danish LRAIC model for fixed networks Presentation of the 2nd draft model May

Development of the Danish LRAIC model for fixed networks Presentation of the 2nd draft model May 2020 This document was prepared by Axon Consulting for the use of the client to whom it is addressed. No part of it may be copied or made available

474 views • 31 slides
Towards A District Development Model National Technical Planning Forum CONTENT 1. Background

Towards A District Development Model National Technical Planning Forum CONTENT 1. Background

Towards A District Development Model National Technical Planning Forum CONTENT 1. Background 2. Problem Statement 3. Main Objectives of the Model 4. Principles Underpinning the New District Coordination Model 5. Visualizing the Model

1.03k views • 53 slides
NEW MODEL DEVELOPMENT Yuzuru Matsuoka Kyoto University CONTENTS 1. Roadmap of the AIM family

NEW MODEL DEVELOPMENT Yuzuru Matsuoka Kyoto University CONTENTS 1. Roadmap of the AIM family

NEW MODEL DEVELOPMENT The Seventh AIM International Workshop Program NIES, Tsukuba, Japan, 15-17 March 2002 NEW MODEL DEVELOPMENT Yuzuru Matsuoka Kyoto University CONTENTS 1. Roadmap of the AIM family AIM/Emission AIM/Impact Other AIM

463 views • 35 slides
Lecture 4 Model Selection &amp; Development Joe Zuntz Evidence Model Selection Given

Lecture 4 Model Selection &amp; Development Joe Zuntz Evidence Model Selection Given

Lecture 4 Model Selection &amp; Development Joe Zuntz Evidence Model Selection Given two models, how can we compare them? Simplest approach = compare ML Does not include uncertainty or Occams Razor Recall that all our

668 views • 37 slides
The Multilevel Change Model James H. Steiger Department of Psychology and Human Development

The Multilevel Change Model James H. Steiger Department of Psychology and Human Development

Introduction The General Polynomial Growth Model A Linear Growth Model An Example Early Childhood Intervention Multilevel Modeling Results Plotting Model Trends Examining Model Assumptions The Multilevel Change Model James H. Steiger

555 views • 41 slides
R vs. SAS in model based drug development Michael OKelly Quintiles Centre for Statistics in

R vs. SAS in model based drug development Michael OKelly Quintiles Centre for Statistics in

R vs. SAS in model based drug development Michael OKelly Quintiles Centre for Statistics in Drug Development UseR! 2009 Overview Introduction to model based drug development 1. An example 2. Current practice in the pharmaceutical

914 views • 30 slides
Introduction to Computer Security David Brumley dbrumley@cmu.edu Carnegie Mellon University

Introduction to Computer Security David Brumley dbrumley@cmu.edu Carnegie Mellon University

Introduction to Computer Security David Brumley dbrumley@cmu.edu Carnegie Mellon University Today: Overview Course Staff Trusting Trust Course Overview Example Applications Course Mechanics CMU CTF Team 2 You will find

1.37k views • 78 slides
AGM GM 20 2018 18 1. Welcome and apologies 2. 2017 AGM minutes Treasurers report 3. 4.

AGM GM 20 2018 18 1. Welcome and apologies 2. 2017 AGM minutes Treasurers report 3. 4.

June une 20 2018 18 SCIENNES PAR SCIENNES ARENT ENT CO COUN UNCIL CIL AGM GM 20 2018 18 1. Welcome and apologies 2. 2017 AGM minutes Treasurers report 3. 4. Group reports Head teachers report and school finances 5. 6.

363 views • 18 slides
May 29, 2015 The District is an Outstanding and Awarded Operator with an Excellent Compliance

May 29, 2015 The District is an Outstanding and Awarded Operator with an Excellent Compliance

May 29, 2015 The District is an Outstanding and Awarded Operator with an Excellent Compliance History The October 2012 Incident was a One-Time, Short-Duration Loss of Chlorination Event That Posed no Actual or Potential Harm Was

402 views • 19 slides
THE PENALTY BOX T HE L AW , R EQUIREMENTS A ND D EALING WITH T AXPAYERS THE PENALTY BOX T HE L AW

THE PENALTY BOX T HE L AW , R EQUIREMENTS A ND D EALING WITH T AXPAYERS THE PENALTY BOX T HE L AW

THE PENALTY BOX T HE L AW , R EQUIREMENTS A ND D EALING WITH T AXPAYERS THE PENALTY BOX T HE L AW , R EQUIREMENTS A ND D EALING WITH T AXPAYERS JEFFREY MAD DOG SCHARF &amp; GARY DR. HOOK SABEAN TAXING AUTHORITY CONSULTING SERVICES,

773 views • 62 slides
MaaS and the Effect of AVs on People, Place and Policy Daniel Peterson, PE, PTOE, PTP Autonomous

MaaS and the Effect of AVs on People, Place and Policy Daniel Peterson, PE, PTOE, PTP Autonomous

MaaS and the Effect of AVs on People, Place and Policy Daniel Peterson, PE, PTOE, PTP Autonomous Vehicles 2 | URTC Transportation Technology Symposium November 15, 2016 Mobility as a Service 3 | URTC Transportation Technology Symposium November

595 views • 20 slides
Renee MacDermott macdermottr@wantaghschools.org www.wantaghhorizons.weebly.com Twitter:

Renee MacDermott macdermottr@wantaghschools.org www.wantaghhorizons.weebly.com Twitter:

Renee MacDermott macdermottr@wantaghschools.org www.wantaghhorizons.weebly.com Twitter: @WantaghHorizons Hands-on Experiences in the Elementary Classroom Contact information for a littleBits representative... Allison Vannatta:

743 views • 35 slides
Watan ki Fikr

Watan ki Fikr

23 July 2017 Dr Syed Zafar Mahmood Convener Watan ki Fikr

743 views • 47 slides
OpenAFS development a.k.a. That thing lurking just over the hill is version 1.4 Derrick

OpenAFS development a.k.a. That thing lurking just over the hill is version 1.4 Derrick

OpenAFS development a.k.a. That thing lurking just over the hill is version 1.4 Derrick Brashear The OpenAFS project 26 March 2004 Weve come so far... Large file support now also in the server (currently namei only) HP-UX

435 views • 15 slides

More recommend