make configuring DNSSEC validation easier

Bug #782614 reported by Anand Kumria
This bug affects 3 people
Affects: bind9 (Ubuntu)
Status: Confirmed
Importance: Low
Assigned to: Unassigned
Milestone: (none)

Bug Description

Binary package hint: bind9

As noted here:

http://wiki.debian.org/DNSSEC#BIND9

There are some configuration changes required to enable DNSSEC validation.

I think it would be nicer if things could be made easier.

Create an empty file /etc/bind/named.conf.keys

Include the file in /etc/bind/named.conf

Include a commented out entry in /etc/bind/named.conf.options of:

     // dnssec-validation yes;

within the options section.

This would make the steps listed there even simpler.

Tags: patch
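
An added example, not part of the bug report or the bind9 package: a small Python audit that reports whether a configuration matches the layout proposed above, treating a commented-out dnssec-validation line as not set. The sample file contents are constructed and the function names are hypothetical; it assumes the options block is the only top-level block in named.conf.options.

```python
import re

# Constructed sample files, modelled on the layout the report proposes.
SAMPLE_NAMED_CONF = '''
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.keys";   // proposed new include
'''
SAMPLE_OPTIONS_SHIPPED = '''
options {
    directory "/var/cache/bind";
    // dnssec-validation yes;
};
'''
SAMPLE_OPTIONS_ENABLED = '''
options {
    directory "/var/cache/bind";
    dnssec-validation yes;  # uncommented by the administrator
};
'''

_TOKEN = re.compile(r'"[^"\n]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def strip_comments(text):
    """Drop /* */, // and # comments, leaving quoted strings untouched."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else '', text)

def includes(named_conf):
    """Return the set of paths pulled in by active include statements."""
    return set(re.findall(r'\binclude\s+"([^"]+)"\s*;', strip_comments(named_conf)))

def dnssec_validation(options_conf):
    """Return the active dnssec-validation value, or None if absent or commented out."""
    clean = strip_comments(options_conf)
    block = re.search(r'\boptions\s*\{(.*)\}\s*;', clean, re.S)
    if block is None:
        return None
    setting = re.search(r'\bdnssec-validation\s+(\S+?)\s*;', block.group(1))
    return setting.group(1) if setting else None

def audit(named_conf, options_conf, keys_path="/etc/bind/named.conf.keys"):
    """Summarise the two checks the report's steps imply."""
    return {
        "keys_file_included": keys_path in includes(named_conf),
        "dnssec_validation": dnssec_validation(options_conf),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_NAMED_CONF, SAMPLE_OPTIONS_SHIPPED))
    print(audit(SAMPLE_NAMED_CONF, SAMPLE_OPTIONS_ENABLED))
```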
Chuck Short (zulcss) wrote :

Thanks for the bug report, which version is this with?

Regards
chuck

Changed in bind9 (Ubuntu):
importance: Undecided → Low
status: New → Incomplete
Anand Kumria (wildfire) wrote :

All versions of BIND that Ubuntu has ever published could do with improvements in making DNSSEC easier.

However, as noted in the linked instructions, the specific suggestions apply to Bind 9.7+

Which, according to http://packages.ubuntu.com/search?keywords=bind9 is Ubuntu 10.04 (Lucid) and later.

Thanks,
Anand

Anand Kumria (wildfire)
Changed in bind9 (Ubuntu):
status: Incomplete → New
Neal McBurnett (nealmcb)
Changed in bind9 (Ubuntu):
status: New → Confirmed
Anand Kumria (wildfire) wrote :

DNSSEC will place an additional burden on the network and, in particular, the infrastructure based DNS servers.

The rationale to have the root key defined here but not used is that it will use some of the existing DNS infrastructure (via use of RFC5011) and allow server operators to gauge load.

I would recommend that Ubuntu 11.10 ships with DNSSEC available (i.e. root key but disabled) and Ubuntu 12.04 ships with DNSSEC enabled (i.e. root key and enabled by default), so that server operators are not overwhelmed.

Anand Kumria (wildfire) wrote :

Note, I just checked Fedora 15 and the root key is set up similarly and is *enabled* by default as well.

So you might just want to do so within Ubuntu as well.

Anand Kumria (wildfire) wrote :

Just a note on this 3-year-old bug.

The gauge on the root servers has been gauged - DNSSEC was turned on many years ago.

You can enable and turn this on by default and the traffic will be negligible.

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "0001-Add-a-named.conf.keys-file-for-storing-various-keys.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch