By way of a recent tweet from Red Hat’s Paul Wouters we learned the great news that the next release (21) of the Fedora operating system will include a DNSSEC-validating DNS resolver enabled by default. According the Fedora 21 release schedule, if all goes according to plan Fedora 21 should be generally available in October 2014. This will mark the first of the major Linux distributions that I am aware of that will offer the added security of DNSSEC validation by default. With Linux, you can of course always add a DNSSEC-validating DNS name server such as DNSSEC-Trigger, Unbound, dnsmasq or another DNSSEC-validating DNS server, but this move by the Fedora project will have the validation occurring by default.
From the Fedora 21 Proposed System Wide Change message:
There are growing instances of discussions and debates about the need for a trusted DNSSEC validating local resolver running on 127.0.0.1:53. There are multiple reasons for having such a resolver, importantly security & usability. Security & protection of user’s privacy becomes paramount with the backdrop of the increasingly snooping governments and service providers world wide.
People use Fedora on portable/mobile devices which are connected to diverse networks as and when required. The automatic DNS configurations provided by these networks are never trustworthy for DNSSEC validation. As currently there is no way to establish such trust.
Apart from trust, these name servers are often known to be flaky and unreliable. Which only adds to the overall bad and at times even frustrating user experience. In such a situation, having a trusted local DNS resolver not only makes sense but is in fact badly needed. It has become a need of the hour.
Going forward, as DNSSEC and IPv6 networks become more and more ubiquitous, having a trusted local DNS resolver will not only be imperative but be unavoidable. Because it will perform the most important operation of establishing trust between two parties.
All DNS literature strongly recommends it. And amongst all discussions and debates about issues involved in establishing such trust, it is unanimously agreed upon and accepted that having a trusted local DNS resolver is the best solution possible. It’ll simplify and facilitate lot of other design decisions and application development in future.
This is great news for those of us who want to see the security of the Internet strengthened through DNSSEC – and definitely in keeping with part of the plan for where we need to see DNSSEC validation.
Kudos to the team at Fedora who are making this happen and we look forward to seeing it come out in Fedora 21 later this year!