Debian to start deploying DNSSEC

Debian to start deploying DNSSEC

Posted Feb 16, 2010 9:12 UTC (Tue) by rahulsundaram (subscriber, #21946)
Parent article: Debian to start deploying DNSSEC

It's been the default since Fedora 11

http://fedoraproject.org/wiki/Features/DNSSEC

A bit more complication but hopefully solves some issues



Debian to start deploying DNSSEC

Posted Feb 16, 2010 9:42 UTC (Tue) by jo42 (subscriber, #59640)

No, this announcement is not about shipping DNSSEC-capable software, as the page you've referenced describes, but using DNSSEC for Debian itself, i.e. signing the DNS zone debian.org and so on.

Debian to start deploying DNSSEC

Posted Feb 16, 2010 9:58 UTC (Tue) by rahulsundaram (subscriber, #21946)

I understand that fine and I was merely pointing out that since Fedora uses it by default these days there have been some concerns over the additional complexity it brings

Debian to start deploying DNSSEC

Posted Feb 16, 2010 16:06 UTC (Tue) by rahulsundaram (subscriber, #21946)

Also Fedora's infrastructure lead pointed out that Fedora has deployed it on its own servers for a few months now

dig +dnssec +multiline -t key fedoraproject.org @ns1.fedoraproject.org

Debian to start deploying DNSSEC

Posted Feb 18, 2010 11:40 UTC (Thu) by akumria (subscriber, #7773)

As useful as that is, without a DS (delegated signer) record in .org (which is also signed) the fedoraproject is just an island of security.

Unless DLV (Delegation lookaside validation) is enabled in Fedora for fedoraproject.org no one is going to be benefiting.
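
Added example, not part of the comment above or of any project's code: a sketch of how a DS record in the parent zone ties a child's DNSKEY into the chain of trust (RFC 4034 wire format, key tag and SHA-256 digest), and what a validator sees when the parent publishes no DS. The zone name child.example. and the key bytes are constructed placeholders, and only digest type 2 is handled.

```python
import hashlib
import struct

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA wire format (RFC 4034, section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(owner: str, rdata: bytes) -> tuple:
    """DS = (key tag, algorithm, digest type 2, SHA-256(owner name | DNSKEY RDATA))."""
    digest = hashlib.sha256(wire_name(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], 2, digest)

def classify(owner: str, child_keys: list, parent_ds: list) -> str:
    """How a validator that starts from the parent zone sees the child zone."""
    if not parent_ds:
        # Signed, but nothing in the parent vouches for it: it validates only
        # with a locally configured trust anchor or a lookaside (DLV) entry.
        return "island"
    for rdata in child_keys:
        if make_ds(owner, rdata) in parent_ds:
            return "chained"
    return "bogus"  # the parent publishes DS records, but none match a child key

# Constructed sample keys: flags 257 (KSK), protocol 3, algorithm 8, dummy key bytes.
KSK = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")
OTHER = dnskey_rdata(257, 3, 8, b"\x05\x06\x07\x08")

if __name__ == "__main__":
    zone = "child.example."
    print(classify(zone, [KSK], []))
    print(classify(zone, [KSK], [make_ds(zone, KSK)]))
    print(classify(zone, [KSK], [make_ds(zone, OTHER)]))
```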

can't get signed by org yet

Posted Feb 19, 2010 15:21 UTC (Fri) by tialaramex (subscriber, #21167)

The org registry is not as yet (unless I'm out of date) offering to sign records of arbitrary members. When it does, either it will sign everything (in which case Fedora need take no special action) or it will advertise that this is available as a new service and some sysadmin at the Fedora project needs to get in touch. But right now it's "friends and family" testing only, if you didn't get an invite, they're not interested.

SEC spider shows the Fedora Project's DNSSEC records as live and not a testbed service, so evidently they're not as completely under the radar as you imagined.
