Categories
Deploy360 Domain Name System Security Extensions (DNSSEC)

Fedora 21 To Have DNSSEC Validation Enabled By Default

Fedora logoBy way of a recent tweet from Red Hat’s Paul Wouters we learned the great news that the next release (21) of the Fedora operating system will include a DNSSEC-validating DNS resolver enabled by default.  According the Fedora 21 release schedule, if all goes according to plan Fedora 21 should be generally available in October 2014.  This will mark the first of the major Linux distributions that I am aware of that will offer the added security of DNSSEC validation by default.  With Linux, you can of course always add a DNSSEC-validating DNS name server such as DNSSEC-Trigger, Unbound, dnsmasq or another DNSSEC-validating DNS server, but this move by the Fedora project will have the validation occurring by default.

From the Fedora 21 Proposed System Wide Change message:

There are growing instances of discussions and debates about the need for a  trusted DNSSEC validating local resolver running on 127.0.0.1:53. There are multiple reasons for having such a resolver, importantly security & usability. Security & protection of user’s privacy becomes paramount with the backdrop of the increasingly snooping governments and service providers world wide.

People use Fedora on portable/mobile devices which are connected to diverse networks as and when required. The automatic DNS configurations provided by these networks are never trustworthy for DNSSEC validation. As currently there is no way to establish such trust.

Apart from trust, these name servers are often known to be flaky and unreliable. Which only adds to the overall bad and at times even frustrating user experience. In such a situation, having a trusted local DNS resolver not only makes sense but is in fact badly needed. It has become a need of the hour. 

Going forward, as DNSSEC and IPv6 networks become more and more ubiquitous, having a trusted local DNS resolver will not only be imperative but be unavoidable. Because it will perform the most important operation of establishing trust between two parties.

All DNS literature strongly recommends it. And amongst all discussions and debates about issues involved in establishing such trust, it is unanimously agreed upon and accepted that having a trusted local DNS resolver is the best solution possible. It’ll simplify and facilitate lot of other design decisions and application development in future.

This is great news for those of us who want to see the security of the Internet strengthened through DNSSEC – and definitely in keeping with part of the plan for where we need to see DNSSEC validation.

Kudos to the team at Fedora who are making this happen and we look forward to seeing it come out in Fedora 21 later this year!

Categories
Deploy360 Domain Name System Security Extensions (DNSSEC)

Fedora Project Requesting Testers of DNSSEC-Trigger

FedoraProjectWant to help out a Linux project with DNSSEC? In a recent message to the Fedora Project developers list, Paul Wouters from Red Hat asked for people to help test the recent addition of DNSSEC-Trigger to the “rawhide” distribution of Fedora. As he says in the email:

In our efforts to push DNSSEC to the enduser, we have packaged our
initial DNSSEC reconfiguration utility.

Basically, this makes it possible to use DNSSEC on your laptop, while
moving between networks of which some are “friendly” man in the middle
attacks on DNS via hotspots and sign-ons. Some steps are still awaiting
further network-manager integration. We hope to be able to hide almost
everything from the user, but the network manager integration is not yet
complete. But we would really like get more feedback on how well it
works in various alien and broken networks out there (especially wifi
and 3G/LTE).

First, it’s awesome to see DNSSEC-Trigger get added into a Linux distribution. Kudos to Paul and the Fedora Project team for taking that step.

Second, if you are a Fedora user, or would like to help out with this effort to promote DNSSEC usage, please do read Paul’s email message and see if you can help out with the testing.

Note that while Paul mentions the Firefox add-on to support DNSSEC there is also a similar extension to add DNSSEC support to Google Chrome.

It’s great, too, to see what they have planned for future work on Fedora:

Planned for the near future:
- Less user interaction, more network manager integration
- automatic hot spot detection
- network manager vpn plugin support for DNS forward-zone
- phasing out the applet in favour of native network-manager support
- validate TLS certificates via DNSSEC (IETF DANE support)

And I did very much enjoy how Paul ended the message:

That’s it, go break your DNS and let us know how it went!

Again, it’s excellent to see this effort and I look forward to hearing how the testing goes and seeing this further expansion of DNSSEC capabilities in Fedora.

P.S. And yes, I’m thinking about where I might have a spare box where I could install Fedora specifically to play with this…

Categories
Deploy360 IPv6

Slides: The Status of IPv6 and Open Source/Free Operating systems

What is the status of IPv6 support in free / open source operating systems? Recently Olle Johansson gave a presentation in Sweden where he provided, in his own words:

A status report from a brief test of IPv6 support (including DHCPv6 and SLAAC) in OpenBSD, FreeBSD, Debian, Ubuntu, Fedora compared with Windows 7 and OS/X

His testing focused on trying to answer these questions:

  • Can I install a desktop operating system over IPv6?
  • Can I add and install packages over IPv6?
  • Can I configure it with combinations of Router Solicitations/Advertisements and DHCPv6?
Basically, his goal was to see – how ready are we to run IPv6 single-stack?

Olle was quite up front, too, in saying that he was doing this testing as a beginner with the operating systems because he believes it should be that easy to deploy.  While his conclusions are that there is still a good bit of work to do, his testing at least provides some pointers for where work needs to be done within the operating systems.

Olle’s nicely made his slides available for us to see in SlideShare:

Categories
IPv6

Slides: The Status of IPv6 and Open Source/Free Operating systems

What is the status of IPv6 support in free / open source operating systems? Recently Olle Johansson gave a presentation in Sweden where he provided, in his own words:

A status report from a brief test of IPv6 support (including DHCPv6 and SLAAC) in OpenBSD, FreeBSD, Debian, Ubuntu, Fedora compared with Windows 7 and OS/X

His testing focused on trying to answer these questions:

  • Can I install a desktop operating system over IPv6?
  • Can I add and install packages over IPv6?
  • Can I configure it with combinations of Router Solicitations/Advertisements and DHCPv6?
Basically, his goal was to see – how ready are we to run IPv6 single-stack?

Olle was quite up front, too, in saying that he was doing this testing as a beginner with the operating systems because he believes it should be that easy to deploy.  While his conclusions are that there is still a good bit of work to do, his testing at least provides some pointers for where work needs to be done within the operating systems.

Olle’s nicely made his slides available for us to see in SlideShare: