Deploy360 2 May 2014

Fedora 21 To Have DNSSEC Validation Enabled By Default

By Dan York, Director of Web Strategy

By way of a recent tweet from Red Hat’s Paul Wouters we learned the great news that the next release (21) of the Fedora operating system will include a DNSSEC-validating DNS resolver enabled by default. According to the Fedora 21 release schedule, if all goes according to plan Fedora 21 should be generally available in October 2014. This will mark the first of the major Linux distributions that I am aware of that will offer the added security of DNSSEC validation by default. With Linux, you can of course always add a DNSSEC-validating DNS name server such as DNSSEC-Trigger, Unbound, dnsmasq or another DNSSEC-validating DNS server, but this move by the Fedora project will have the validation occurring by default.

From the Fedora 21 Proposed System Wide Change message:

There are growing instances of discussions and debates about the need for a trusted DNSSEC validating local resolver running on There are multiple reasons for having such a resolver, importantly security & usability. Security & protection of user’s privacy becomes paramount with the backdrop of the increasingly snooping governments and service providers world wide.

People use Fedora on portable/mobile devices which are connected to diverse networks as and when required. The automatic DNS configurations provided by these networks are never trustworthy for DNSSEC validation. As currently there is no way to establish such trust.

Apart from trust, these name servers are often known to be flaky and unreliable. Which only adds to the overall bad and at times even frustrating user experience. In such a situation, having a trusted local DNS resolver not only makes sense but is in fact badly needed. It has become a need of the hour. 

Going forward, as DNSSEC and IPv6 networks become more and more ubiquitous, having a trusted local DNS resolver will not only be imperative but be unavoidable. Because it will perform the most important operation of establishing trust between two parties.

All DNS literature strongly recommends it. And amongst all discussions and debates about issues involved in establishing such trust, it is unanimously agreed upon and accepted that having a trusted local DNS resolver is the best solution possible. It’ll simplify and facilitate a lot of other design decisions and application development in future.

This is great news for those of us who want to see the security of the Internet strengthened through DNSSEC – and definitely in keeping with part of the plan for where we need to see DNSSEC validation.

Kudos to the team at Fedora who are making this happen and we look forward to seeing it come out in Fedora 21 later this year!


Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
