Ticket #1314 (new enhancement)

Opened 11 years ago

Last modified 11 years ago

debathena-dns-config should provide a DNSSEC-validating resolver

Reported by: achernya Owned by:
Priority: high Milestone: Current Semester
Component: paranoia Keywords:
Cc: Fixed in version:
Upstream bug:

Description

MIT's current nameservers do not do any DNSSEC validation, and even if they did, MIT's network is sufficiently wide-area that it would be unwise to trust their responses. Instead, we should ship a DNSSEC-aware caching resolver, such as bind9 or unbound. dnsmasq is not sufficient as it does not have any code to do the validation.

This will provide benefits to any and all applications that are using DNS by stripping records with invalid signatures from all deployments that have DNSSEC keys. No further application support is needed, and it will even provide benefit to Hesiod.

A version of bind9 with DNSSEC-validation is currently running on linerva-dev, with manual modifications based on the version of debathena-dns-config that was shipped for Squeeze.

It looks like unbound will do DNSSEC out-of-the-box when I tried it on my Wheezy VM.

Note that this conflicts with #1131.
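As an added example, not part of this ticket or of debathena-dns-config: the check you would run against the resolver described above to confirm it is actually validating. A validating resolver sets the "ad" (Authenticated Data) flag on answers from signed zones and returns SERVFAIL for a zone whose signatures are bogus, while the same query with checking disabled (+cd) still gets NOERROR. The dig header lines embedded below are constructed, not real captures, and dnssec-failed.org is assumed to still be the public test zone with deliberately broken signatures.

```shell
#!/bin/sh
# Example check for a DNSSEC-validating resolver (added here; not the
# ticket's or debathena's code). Parses dig output for the "ad" flag and the
# RCODE, and offers live checks that only run when dig is present.

# Return 0 if the dig output on stdin carries the "ad" flag, 1 otherwise.
# The header line looks like: ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, ..."
has_ad_flag() {
    grep -E '^;; flags: ([a-z]+ )*ad[ ;]' >/dev/null
}

# Print the RCODE word (NOERROR, SERVFAIL, ...) from dig output on stdin.
# The header line looks like: ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345"
rcode_of() {
    sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Live check: query a resolver for a name in a signed zone (debian.org is
# assumed to be signed) and classify it as validating / not-validating / unknown.
classify_resolver() {
    resolver=$1
    name=${2:-debian.org}
    command -v dig >/dev/null 2>&1 || { echo unknown; return 2; }
    out=$(dig +dnssec +time=3 +tries=1 @"$resolver" "$name" A 2>/dev/null) \
        || { echo unknown; return 2; }
    if printf '%s\n' "$out" | has_ad_flag; then
        echo validating
        return 0
    fi
    echo not-validating
    return 1
}

# Live check: a validating resolver must SERVFAIL a deliberately broken zone
# (dnssec-failed.org assumed) but answer NOERROR when checking is disabled (+cd).
rejects_bogus() {
    resolver=$1
    name=${2:-dnssec-failed.org}
    command -v dig >/dev/null 2>&1 || return 2
    plain=$(dig +time=3 +tries=1 @"$resolver" "$name" A 2>/dev/null | rcode_of)
    nocheck=$(dig +cd +time=3 +tries=1 @"$resolver" "$name" A 2>/dev/null | rcode_of)
    [ "$plain" = SERVFAIL ] && [ "$nocheck" = NOERROR ]
}

# Constructed dig headers (not real captures) to exercise the parsers offline.
VALIDATED_HDR=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
UNVALIDATED_HDR=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
BOGUS_HDR=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12347
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Usage: sh check_resolver.sh 127.0.0.1
# Runs the live checks only when a resolver address is given on the command line.
if [ $# -gt 0 ]; then
    classify_resolver "$1"
    if rejects_bogus "$1"; then
        echo "rejects bogus signatures: yes"
    else
        echo "rejects bogus signatures: no"
    fi
fi
```

A resolver that answers a signed zone without "ad" (the stock dnsmasq forwarder case) or that returns NOERROR for the broken zone is not doing the validation the ticket asks for; note that dnsmasq or a stub forwarding to a validating upstream can pass the "ad" test while still trusting the upstream's answers over the network, which is exactly the situation the description says is not acceptable.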

Change History

comment:1 Changed 11 years ago by jdreed

So, bind9 and resolvconf didn't play nice before, which is why we wanted to kill it off. If there is a compelling reason to keep it, I'll consider it, but I do not really want to make our lives more difficult. Also consider that dns-config is only in workstation and higher. The goal with #1131 was "make the network configuration for -workstation the same as stock Ubuntu." I'm not hearing a compelling reason for a drastically different network configuration for -workstation users. (I think am hearing a compelling reason why this should be some sort of server configuration or best practice, but that is not the same thing.) In short, "Why is the default Ubuntu DNS configuration good enough for stock users, and -standard, -login, and -login-graphical, but not -workstation?" (I am deliberately excluding cluster -- we fully own cluster, it's easier to do exceptions and deal with screw cases.)

comment:2 Changed 11 years ago by achernya

The world I envision involves Network deploying DNSSEC, and therefore debathena-login (and higher) would deploy some sort of DNSSEC-verifying resolver. ghudson pointed out on Zephyr that Fedora chose unbound for this purpose. Presumably debathena-clients can be the only metapackage to not include this, because whoever is installing it is probably of a sufficiently pointy hat to decide if they want DNSSEC or not.

comment:3 Changed 11 years ago by andersk

comment:4 Changed 11 years ago by jdreed

What Anders said. I'm particularly hesitant to roll our own thing if Ubuntu is going to deal in 13.{04,10}.
