[New: openFATE 310044] Validating DNSSEC support
Feature added by: Tobias Burnus (burnus)

Feature #310044, revision 1
Title: Validating DNSSEC support

openSUSE-11.3: Unconfirmed
  Priority
  Requester: Desirable

Requested by: Tobias Burnus (burnus)

Description:
DNSSEC (http://en.wikipedia.org/wiki/DNSSEC) (Domain Name System Security) is a mechanism which provides integrity and authenticity of DNS data. It became more important after new Kaminsky DNS poisoning attacks were found in early 2008.

The domain-name organizations are starting to support it for regular usage. Especially: ROOT (.) (http://www.root-dnssec.org/) will be signed starting from July 15, 2010. ARPA has offered signing since 17 March 2010. And several country TLDs already use or have test-bed DNSSEC implementations (e.g. .cz, .se, .ch, .de, .pm, .us, (soon:) .eu, .fr, etc.).

It should thus be possible to enable a validating DNSSEC lookup (cf. also Fedora's DNSSEC implementation (http://fedoraproject.org/wiki/Features/DNSSEC), which pre-dates the DNS-ROOT signing and thus is a bit awkward).

As DNSSEC is not widely implemented and since issues like key rollover or lost interest occur, the checking should be easy to dis-/enable - and probably not be enabled by default, yet. Another reason for not enabling it by default is that some internet home gateways have caching proxy DNS servers which cannot handle UDP DNS for packets larger than 512 bytes (cf. change from RFC 1035 to RFC 2671).

--
openSUSE Feature: https://features.opensuse.org/310044
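Added example (not part of the original feature request or of any openSUSE code): the 512-byte limit in the description matters because a DNSSEC-aware query carries an EDNS0 OPT record (RFC 2671) with the DO bit set and asks for larger UDP replies. The Python code below builds such a query and classifies a reply header; the function names, the 4096-byte buffer size and the sample reply headers are assumptions constructed for illustration.

```python
import struct

EDNS_UDP_SIZE = 4096   # assumed advertised buffer size (anything above 512 needs EDNS0)
DO_BIT = 0x8000        # "DNSSEC OK" flag inside the OPT record's TTL field (RFC 3225)
TC, AD, RCODE_MASK = 0x0200, 0x0020, 0x000F   # DNS header flag bits

def encode_name(name):
    """Encode a domain name as length-prefixed labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, qid=0x1234, edns=True):
    """Build an A query; with edns=True append an OPT RR that sets DO."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    if not edns:
        return header + question
    # OPT RR: root owner, TYPE 41, CLASS = UDP size, TTL = flags, RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHIH", 41, EDNS_UDP_SIZE, DO_BIT, 0)
    return header + question + opt

def classify_reply(msg):
    """Say what a reply header tells a client about the upstream resolver."""
    if len(msg) < 12:
        return "malformed"
    flags = struct.unpack("!H", msg[2:4])[0]
    rcode = flags & RCODE_MASK
    if rcode == 1:
        return "formerr: upstream may not understand EDNS0"
    if rcode == 2:
        return "servfail: lookup or validation failed"
    if flags & TC:
        return "truncated: reply did not fit, retry over TCP"
    if flags & AD:
        # Only meaningful if the path to the resolver is trusted (e.g. localhost).
        return "validated: resolver set AD"
    return "unvalidated: answer carries no DNSSEC assurance"

def reply_header(flags, qid=0x1234):
    """Constructed 12-byte reply header for the demo (no real traffic)."""
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)

if __name__ == "__main__":
    print(len(build_query("example.com", edns=False)), len(build_query("example.com")))
    for flags in (0x81A0, 0x8180, 0x8380, 0x8181, 0x8182):
        print(hex(flags), "->", classify_reply(reply_header(flags)))
```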
Feature changed by: Stanislav Visnovsky (visnov)

Feature #310044, revision 2
Title: Validating DNSSEC support

- openSUSE-11.3: Unconfirmed
+ openSUSE-11.3: Rejected by Stanislav Visnovsky (visnov)
+ reject reason: 11.3 out now.
  Priority
  Requester: Desirable

+ openSUSE Distribution: Unconfirmed
+ Priority
+ Requester: Desirable

Requested by: Tobias Burnus (burnus)
Partner organization: openSUSE.org

--
openSUSE Feature: https://features.opensuse.org/310044
Feature changed by: Marcus Meissner (msmeissn)

Feature #310044, revision 3
Title: Validating DNSSEC support

openSUSE-11.3: Rejected by Stanislav Visnovsky (visnov)
reject reason: 11.3 out now.
  Priority
  Requester: Desirable

+ openSUSE-11.4: New
+ Priority
+ Requester: Important

openSUSE Distribution: Unconfirmed
  Priority
  Requester: Desirable

+ Requested by: Marcus Meissner (msmeissn)
Requested by: Tobias Burnus (burnus)
+ Technical Contact: (Novell)
Partner organization: openSUSE.org

--
openSUSE Feature: https://features.opensuse.org/310044
Feature changed by: Petr Baudis (pbaudis)

Feature #310044, revision 4
Title: Validating DNSSEC support

openSUSE-11.3: Rejected by Stanislav Visnovsky (visnov)
reject reason: 11.3 out now.
  Priority
  Requester: Desirable

openSUSE-11.4: New
  Priority
  Requester: Important

openSUSE Distribution: Unconfirmed
  Priority
  Requester: Desirable

Requested by: Marcus Meissner (msmeissn)
Requested by: Tobias Burnus (burnus)
Technical Contact: (Novell)
Partner organization: openSUSE.org

+ Discussion:
+ #1: Petr Baudis (pbaudis) (2011-01-13 20:12:27)
+ Note that I do not think this has anything to do with me; AIUI, this
+ would be implemented in bind, which would in turn serve as the
+ caching+verifying nameserver for localhost?

--
openSUSE Feature: https://features.opensuse.org/310044
Feature changed by: Marcus Meissner (msmeissn)

Feature #310044, revision 5
Title: Validating DNSSEC support

openSUSE-11.3: Rejected by Stanislav Visnovsky (visnov)
reject reason: 11.3 out now.
  Priority
  Requester: Desirable

openSUSE-11.4: New
  Priority
  Requester: Important

openSUSE Distribution: Unconfirmed
  Priority
  Requester: Desirable

Requested by: Marcus Meissner (msmeissn)
Requested by: Tobias Burnus (burnus)
Technical Contact: (Novell)
Partner organization: openSUSE.org

Discussion:
+ #2: Marcus Meissner (msmeissn) (2011-01-26 13:53:06) (reply to #1)
+ Do we really want to have a heavy weight local resolvers for this?
+ If this could be done in the glibc resolver it would make it work for
+ all hosts without being heavy weight... hmm

--
openSUSE Feature: https://features.opensuse.org/310044
Feature changed by: Marcus Meissner (msmeissn)

Feature #310044, revision 7
Title: Validating DNSSEC support

openSUSE-11.3: Rejected by Stanislav Visnovsky (visnov)
reject reason: 11.3 out now.
  Priority
  Requester: Desirable

- openSUSE-11.4: New
+ openSUSE-11.4: Rejected by Marcus Meissner (msmeissn)
+ reject reason: wasnt done
  Priority
  Requester: Important

openSUSE Distribution: Unconfirmed
  Priority
  Requester: Desirable

Requested by: Marcus Meissner (msmeissn)
Requested by: Tobias Burnus (burnus)
Partner organization: openSUSE.org

--
openSUSE Feature: https://features.opensuse.org/310044