[Freedombox-discuss] Should the box do DANE for PGP?
- Subject: [Freedombox-discuss] Should the box do DANE for PGP?
- From: email@example.com (Sunil Mohan Adapa)
- Date: Tue, 13 Sep 2016 23:02:38 +0530
- Message-id: <firstname.lastname@example.org>
- In-reply-to: <CACXcFmnaOOvqcZJ6oeBniCont3N9zCksy1kzVYS2qY_s==03Sg@mail.gmail.com>
- References: <CACXcFmnaOOvqcZJ6oeBniCont3N9zCksy1kzVYS2qY_s==03Sg@mail.gmail.com>
On 08/06/2016 01:19 AM, Sandy Harris wrote:
> The draft for authenticating PGP keys via DANE (DNS Authentication of
> Named Entities) has just become an RFC. Unfortunately it took three
> years and it is tagged as "experimental" rather than "standards
> track", but at least it is now available.
> This would let far more Box users send & receive PGP-encrypted
> messages, so I'd say it is obviously a Good Thing, worth adding to Box.
> On the down side, it is not entirely secure without DNS-sec. Nor are
> FreeS/WAN descendants which rely on DNS for authentication in IPsec.
> Do we have any plan for the infrastructure to do DNS-sec on the Box?
Thank you for your invaluable inputs to the project from time to time.
I have explored enabling DNSSEC on FreedomBox. It appears that for
FreedomBox's use case, dnssec-trigger and unbound are a good choice. If I
understand correctly, they are already enabled by default on a Fedora
installation. Enabling DNSSEC and using them with network manager
should be relatively straightforward too.
In the recent hack call we had some agreement that unbound is not a bad
choice for an authoritative server as well.
Once this is in, we can start to look at DANE and other good things that
come with DNSSEC.
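As an added illustration of the mechanism the thread is discussing (not code from the FreedomBox project or from either poster): the DANE-for-OpenPGP RFC publishes a key under an owner name derived from the e-mail address, and a client must only trust the answer when the validating resolver (unbound in the plan above) marks it as DNSSEC-authenticated. The block below derives that owner name (SHA-256 of the local part truncated to 28 octets, as 56 hex characters, under `_openpgpkey.<domain>`), builds the zone-file line for a constructed placeholder key blob, and refuses to hand back a key from an unauthenticated answer. Hashing the local part exactly as given, with no case folding, is an assumption made here; the domain is lowercased because DNS names are case-insensitive.

```python
# Added example: OPENPGPKEY owner-name derivation and a DNSSEC-gated lookup policy.
# Not FreedomBox code; the key blob below is a constructed placeholder, not a real key.
import base64
import hashlib
from typing import Optional

OPENPGPKEY_LABEL = "_openpgpkey"


def local_part_digest(local_part: str) -> str:
    """SHA-256 over the UTF-8 local part, truncated to 28 octets = 56 hex chars."""
    return hashlib.sha256(local_part.encode("utf-8")).hexdigest()[:56]


def openpgpkey_owner_name(email: str) -> str:
    """Owner name of the OPENPGPKEY record for an e-mail address."""
    local_part, _, domain = email.rpartition("@")
    if not local_part or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    # Assumption: the local part is hashed verbatim (no case folding);
    # the domain is lowercased because DNS owner names are case-insensitive.
    return f"{local_part_digest(local_part)}.{OPENPGPKEY_LABEL}.{domain.lower()}"


def openpgpkey_zone_record(email: str, key_blob: bytes, ttl: int = 3600) -> str:
    """Zone-file line: the RDATA is the binary transferable public key, shown as base64."""
    rdata = base64.b64encode(key_blob).decode("ascii")
    return f"{openpgpkey_owner_name(email)}. {ttl} IN OPENPGPKEY {rdata}"


def key_from_answer(rdata_b64: str, authenticated: bool) -> Optional[bytes]:
    """Return the key only if the validating resolver set the AD flag on the answer.

    Without DNSSEC validation an OPENPGPKEY answer is just unauthenticated data,
    which is the caveat raised in the thread; such answers are discarded here.
    """
    if not authenticated:
        return None
    return base64.b64decode(rdata_b64)


# Constructed stand-in for a binary OpenPGP public-key packet (not a usable key).
CONSTRUCTED_KEY_BLOB = b"\x98\x0dPLACEHOLDER-NOT-A-REAL-KEY"

if __name__ == "__main__":
    print(openpgpkey_owner_name("hugh@Example.COM"))
    print(openpgpkey_zone_record("hugh@example.com", CONSTRUCTED_KEY_BLOB))
    print(key_from_answer("AAEC", authenticated=False))  # None: not DNSSEC-validated
    print(key_from_answer("AAEC", authenticated=True))   # b'\x00\x01\x02'
```

The `authenticated` argument stands for the AD bit a local validating resolver returns; a client that talks to an upstream resolver over an unauthenticated path cannot trust that bit, which is why the plan above puts the validator (unbound with dnssec-trigger) on the box itself.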