Mailinglist Archive: opensuse-features (411 mails)

< Previous Next >
[openFATE 310044] Validating DNSSEC support
Feature changed by: Petr Baudis (pbaudis)
Feature #310044, revision 4
Title: Validating DNSSEC support

openSUSE-11.3: Rejected by Stanislav Visnovsky (visnov)
reject reason: 11.3 out now.
Requester: Desirable

openSUSE-11.4: New
Requester: Important

openSUSE Distribution: Unconfirmed
Requester: Desirable

Requested by: Marcus Meissner (msmeissn)
Requested by: Tobias Burnus (burnus)
Technical Contact: (Novell)
Partner organization:

DNSSEC ( (Domain Name System
Security) is mechanism which provides integrity and authenticity of DNS
data. It became more important after new Kaminsky DNS poisoning attacks
were found in early 2008. The domain-name organizations start to
support them for regular usage. Especially: ROOT (.)
( will be signed starting from July 15,
2010. ARPA is offers signing since 17 March 2010. And several country
TLD already use or have test-bed DNSSEC implementations (e.g. .cz, .se,
.ch, .de, .pm, .us, (soon:) .eu, .fr, etc.).
It should be thus possible to enable a validating DNSSEC lookup (cf.
also Fedora's DNSSEC implementation
( , which pre-dates the
DNS-ROOT signing and thus is a bit arkward). As DNSSEC is not widely
implemented and since issues like key rollover or lost interest occur,
the checking should be easily dis-/enable - and probably not be enabled
by default, yet. Another reason for not enabling it by default is that
some internet home gateways have caching PROXI DNS servers which cannot
handle UDP DNS for packages larger than 512 Bytes (cf. change from RFC
1035 to RFC 2671).

+ Discussion:
+ #1: Petr Baudis (pbaudis) (2011-01-13 20:12:27)
+ Note that I do not think this has anything to do with me; AIUI, this
+ would be implemented in bind, which would in turn serve as the
+ caching+verifying nameserver for localhost?

openSUSE Feature:

< Previous Next >
This Thread