Deploy360 20 February 2012

Fedora Project Requesting Testers of DNSSEC-Trigger

By Dan YorkDirector, Internet Technology

FedoraProjectWant to help out a Linux project with DNSSEC? In a recent message to the Fedora Project developers list, Paul Wouters from Red Hat asked for people to help test the recent addition of DNSSEC-Trigger to the “rawhide” distribution of Fedora. As he says in the email:

In our efforts to push DNSSEC to the enduser, we have packaged our
initial DNSSEC reconfiguration utility.

Basically, this makes it possible to use DNSSEC on your laptop, while
moving between networks of which some are “friendly” man in the middle
attacks on DNS via hotspots and sign-ons. Some steps are still awaiting
further network-manager integration. We hope to be able to hide almost
everything from the user, but the network manager integration is not yet
complete. But we would really like get more feedback on how well it
works in various alien and broken networks out there (especially wifi
and 3G/LTE).

First, it’s awesome to see DNSSEC-Trigger get added into a Linux distribution. Kudos to Paul and the Fedora Project team for taking that step.

Second, if you are a Fedora user, or would like to help out with this effort to promote DNSSEC usage, please do read Paul’s email message and see if you can help out with the testing.

Note that while Paul mentions the Firefox add-on to support DNSSEC there is also a similar extension to add DNSSEC support to Google Chrome.

It’s great, too, to see what they have planned for future work on Fedora:

Planned for the near future:
- Less user interaction, more network manager integration
- automatic hot spot detection
- network manager vpn plugin support for DNS forward-zone
- phasing out the applet in favour of native network-manager support
- validate TLS certificates via DNSSEC (IETF DANE support)

And I did very much enjoy how Paul ended the message:

That’s it, go break your DNS and let us know how it went!

Again, it’s excellent to see this effort and I look forward to hearing how the testing goes and seeing this further expansion of DNSSEC capabilities in Fedora.

P.S. And yes, I’m thinking about where I might have a spare box where I could install Fedora specifically to play with this…

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Improving Technical Security 15 March 2019

DNS Privacy Frequently Asked Questions (FAQ)

We previously posted about how the DNS does not inherently employ any mechanisms to provide confidentiality for DNS transactions,...

Improving Technical Security 14 March 2019

Introduction to DNS Privacy

Almost every time we use an Internet application, it starts with a DNS (Domain Name System) transaction to map...

Improving Technical Security 13 March 2019

IPv6 Security for IPv4 Engineers

It is often argued that IPv4 practices should be forgotten when deploying IPv6, as after all IPv6 is a...