Category: Linux

Fedora 21 To Have DNSSEC Validation Enabled By Default

By way of a recent tweet from Red Hat’s Paul Wouters we learned the great news that the next release (21) of the Fedora operating system will include a DNSSEC-validating DNS resolver enabled by default. According to the Fedora 21 release schedule, if all goes according to plan Fedora 21 should be generally available in October 2014. This will mark the first of the major Linux distributions that I am aware of that will offer the added security of DNSSEC validation by default. With Linux, you can of course always add a DNSSEC-validating DNS name server such as DNSSEC-Trigger, Unbound, dnsmasq or another DNSSEC-validating DNS server, but this move by the Fedora project will have the validation occurring by default.

From the Fedora 21 Proposed System Wide Change message:

There are growing instances of discussions and debates about the need for a  trusted DNSSEC validating local resolver running on 127.0.0.1:53. There are multiple reasons for having such a resolver, importantly security & usability. Security & protection of user’s privacy becomes paramount with the backdrop of the increasingly snooping governments and service providers world wide.

People use Fedora on portable/mobile devices which are connected to diverse networks as and when required. The automatic DNS configurations provided by these networks are never trustworthy for DNSSEC validation. As currently there is no way to establish such trust.

Apart from trust, these name servers are often known to be flaky and unreliable. Which only adds to the overall bad and at times even frustrating user experience. In such a situation, having a trusted local DNS resolver not only makes sense but is in fact badly needed. It has become a need of the hour. 

Going forward, as DNSSEC and IPv6 networks become more and more ubiquitous, having a trusted local DNS resolver will not only be imperative but be unavoidable. Because it will perform the most important operation of establishing trust between two parties.

All DNS literature strongly recommends it. And amongst all discussions and debates about issues involved in establishing such trust, it is unanimously agreed upon and accepted that having a trusted local DNS resolver is the best solution possible. It’ll simplify and facilitate lot of other design decisions and application development in future.

This is great news for those of us who want to see the security of the Internet strengthened through DNSSEC – and definitely in keeping with part of the plan for where we need to see DNSSEC validation.

Kudos to the team at Fedora who are making this happen and we look forward to seeing it come out in Fedora 21 later this year!

Weekend Project: Test Out New DNSSEC Support In Dnsmasq

If you run your own small network and are comfortable working with Linux, Android, *BSD, Solaris or Mac OS X, here’s a great way you could help advance DNSSEC: Simon Kelley is looking for people to test the new DNSSEC functionality he included in his latest development version of dnsmasq.

If you are not familiar with dnsmasq, it is a DNS forwarder and DHCP server that is already included in many versions of Linux, including Debian, Suse, Fedora, Gentoo and others. From the dnsmasq website:

Dnsmasq is a lightweight, easy to configure DNS forwarder and DHCP server. It is designed to provide DNS and, optionally, DHCP, to a small network. It can serve the names of local machines which are not in the global DNS. The DHCP server integrates with the DNS server and allows machines with DHCP-allocated addresses to appear in the DNS with names configured either in each host or in a central configuration file. Dnsmasq supports static and dynamic DHCP leases and BOOTP/TFTP/PXE for network booting of diskless machines.

Dnsmasq is targeted at home networks using NAT and connected to the internet via a modem, cable-modem or ADSL connection but would be a good choice for any smallish network (up to 1000 clients is known to work) where low resource use and ease of configuration are important.

If you have a bit of time and could help Simon out with some testing, he would greatly appreciate it – and if this can mean that we’ll be able to get DNSSEC validation happening out in so many more distributions of Linux that would be a great win for making the Internet more secure!

Please read Simon’s message and you may also want to scan the email thread to see if there are any more updates or issues found.

Kudos to Simon for making this happen – and also to Comcast for providing enough funding that Simon was able to work on this full-time for a bit to get it working.

Slides – Adding DNSSEC to Fedora and Red Hat Linux

What is the status of DNSSEC being added to Fedora and Red Hat Linux?  What changes have already been made?  What changes will occur in the future?  What tools are available to help?

At the recent ICANN45 DNSSEC Deployment Workshop, Paul Wouters from Red Hat spoke about integrating DNSSEC into Linux. Paul’s slides are available for download and a video of the entire workshop is available from the main page.

In the presentation, Paul talks about the difference between Fedora and Red Hat Linux and then dives into what needed to be modified to support DNSSEC. He provides some insight into their experiences using DNSSEC in different configurations and with different tools.

Paul also spoke about support for the DANE protocol to use DNSSEC to validate SSL/TLS certificates and in particular his TLSA Validator add-on for the Firefox browser and his “hash-slinger” tool that generates TLSA records.  Both tools are available at his site at:

http://people.redhat.com/pwouters/

It was a great presentation to hear, and Paul is very active within the DNSSEC community working on tools such as these to help get DNSSEC further deployed. It is well worth some time checking out his tools.

Fedora Project Requesting Testers of DNSSEC-Trigger

Want to help out a Linux project with DNSSEC? In a recent message to the Fedora Project developers list, Paul Wouters from Red Hat asked for people to help test the recent addition of DNSSEC-Trigger to the “rawhide” distribution of Fedora. As he says in the email:

In our efforts to push DNSSEC to the enduser, we have packaged our
initial DNSSEC reconfiguration utility.

Basically, this makes it possible to use DNSSEC on your laptop, while
moving between networks of which some are “friendly” man in the middle
attacks on DNS via hotspots and sign-ons. Some steps are still awaiting
further network-manager integration. We hope to be able to hide almost
everything from the user, but the network manager integration is not yet
complete. But we would really like to get more feedback on how well it
works in various alien and broken networks out there (especially wifi
and 3G/LTE).

First, it’s awesome to see DNSSEC-Trigger get added into a Linux distribution. Kudos to Paul and the Fedora Project team for taking that step.

Second, if you are a Fedora user, or would like to help out with this effort to promote DNSSEC usage, please do read Paul’s email message and see if you can help out with the testing.

Note that while Paul mentions the Firefox add-on to support DNSSEC there is also a similar extension to add DNSSEC support to Google Chrome.

It’s great, too, to see what they have planned for future work on Fedora:

Planned for the near future:
- Less user interaction, more network manager integration
- automatic hot spot detection
- network manager vpn plugin support for DNS forward-zone
- phasing out the applet in favour of native network-manager support
- validate TLS certificates via DNSSEC (IETF DANE support)

And I did very much enjoy how Paul ended the message:

That’s it, go break your DNS and let us know how it went!

Again, it’s excellent to see this effort and I look forward to hearing how the testing goes and seeing this further expansion of DNSSEC capabilities in Fedora.

P.S. And yes, I’m thinking about where I might have a spare box where I could install Fedora specifically to play with this…

Slides: The Status of IPv6 and Open Source/Free Operating systems

What is the status of IPv6 support in free / open source operating systems? Recently Olle Johansson gave a presentation in Sweden where he provided, in his own words:

A status report from a brief test of IPv6 support (including DHCPv6 and SLAAC) in OpenBSD, FreeBSD, Debian, Ubuntu, Fedora compared with Windows 7 and OS/X

His testing focused on trying to answer these questions:

  • Can I install a desktop operating system over IPv6?
  • Can I add and install packages over IPv6?
  • Can I configure it with combinations of Router Solicitations/Advertisements and DHCPv6?

Basically, his goal was to see – how ready are we to run IPv6 single-stack?

Olle was quite up front, too, in saying that he was doing this testing as a beginner with the operating systems because he believes it should be that easy to deploy.  While his conclusions are that there is still a good bit of work to do, his testing at least provides some pointers for where work needs to be done within the operating systems.

Olle’s nicely made his slides available for us to see in SlideShare:

Fun Tool to Run a Linux Computer IN Your Browser Using JavaScript

Here’s a fun little JavaScript experiment… go to:

http://bellard.org/jslinux/

Watch the boot sequence… and… ta da… you’ve got a Linux root prompt! Use basic Linux commands, edit files with vi, compile apps in C using “tcc”.

Fabrice Bellard explains why he wrote this JavaScript PC emulator.

My immediate thought was how this could be used for teaching people Linux. Regardless of what it is used for or whether it’s just a fun experiment, it’s very cool to see that JavaScript engines in the latest browsers can support this type of more complex activity. Kudos to Fabrice Bellard for writing this!


And So The Groklaw Era Draws To A Close May 16, 2011…

And so must all good things come to an end… Pamela Jones announced over the weekend that she would be ending new posts to Groklaw on May 16, 2011, the eighth anniversary of the site.

For those of us who spent a good bit of time in the Linux world, Groklaw became a critical resource to stay up on the latest follies in the ongoing SCO lawsuit. “PJ”, as Pamela Jones preferred to be called, and the community of passionate helpers she soon attracted were there to rapidly research and debunk any claims that SCO put forward.

SCO has faded to pretty much irrelevance in 2011… but 8 years ago their lawsuit was extremely serious and a cause for great concern for anyone working with Linux. At the time of the initial lawsuit, I was a product manager at Mitel for a Linux-based product, so the whole issue was very definitely something I paid attention to… and Groklaw was definitely on my frequent reading list.

[NOTE: If you have never heard of Groklaw, I would start with the mission statement and the various links off that page.]

And now PJ writes:

In a simple sentence, the reason is this: the crisis SCO initiated over Linux is over, and Linux won. SCO as we knew it is no more.

There will be other battles, and there already are, because the same people that propped SCO up are still going to try to destroy Linux, but the battlefield has shifted, and I don’t feel Groklaw is needed in the new battlefield the way it was in the SCO v. Linux wars.

Remember that when I started Groklaw, I had no intention to create something as huge as Groklaw became. I really was just trying to learn how to blog. When all of you showed up, I saw what we could accomplish together, and we did. But to do it, I had to set aside a lot of things that are important to me too. I’d like to go back to being nobody, just living a normal life again.

I kept going all these years because when SCO attacked in the media and in the courtrooms, there was nobody to do what we did. Only the community could have answered SCO, technically, because you guys lived the history of UNIX and Linux and you knew what they were saying was not true. So we spoke up and explained over and over until everyone understood.

And she ends with:

I always told you that I didn’t do Groklaw for money or for fame or as a career move. I did it to be effective. That’s all I wanted. And I told you that when it was over, I’d go back to my normal pre-Groklaw life. And now you know by this decision that I told you the truth.

No matter what happens next, I know that we changed the course of history. How many people get to say that? I never expected it, frankly, and I am grinning just thinking about how much fun we’ve had doing it. Our work will be available for historians permanently, so the impact we had isn’t over today, and someday we’ll tell our grandkids that we were part of this, part of Groklaw. We are in the history books. Our work will continue as long as anyone cares about this unique time period in the history of computer software, a history that we are a part of forever. And that is a long, long time.

Thanks to you, PJ, for all the insane amount of work that you and your community did and continued to do. We all out in the larger community owe you all an incredible amount of gratitude and thanks… you helped shine the light into dark corners and helped provide a means to focus the energy and passion of the greater community. Without all that Groklaw did, the SCO follies might have gone much differently.

And kudos to you, PJ, for what I’m sure is an incredibly hard decision to put a period at the end of the sentence and end the era of Groklaw. It’s super easy to simply let a project continue… there is a certain inertia that is hard to fight… and so projects and organizations continue to go on and on, even when their reason for being is no longer there.

Thank you for all you and your community did – and best wishes for whatever comes next!

P.S. Her full blog post is very much worth a read… as well as the many comments.