[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[Freedombox-discuss] Should the box do DANE for PGP?

On 08/06/2016 01:19 AM, Sandy Harris wrote:
> The draft for authenticating PGP keys via DANE (DNS Authentication of
> Named Entities) has just become an RFC. Unfortunately it took three
> years and it is tagged as "experimental" rather than "standards
> track", but at least it is now available.
> https://tools.ietf.org/html/rfc7929
> This would let far more Box users send & receive PGP-encrypted
> messages, so I'd say it is obviously a Good Thing, worth adding to Box
> software.
> On the down side, it is not entirely secure without DNS-sec. Nor are
> FreeS/WAN descendants which rely on DNS for authentication in IPsec.
> Do we have any plan for the infrastructure to do DNS-sec on the Box?


Thank you for your invaluable inputs to the project from time to time.

I have explored enabling DNSSEC on FreedomBox.  It appears that for
FreedomBox's use case, dnssec-trigger and unbound are good choice.  If I
understand correctly, they are already enabled by default on a Fedora
installation.  Enabling DNSSEC and using them with network manager
should be relatively straight forward too.

In the recent hack call we some agreement that unbound is not a bad
choice for authoritative server as well.

Once this is in, we can start to look at DANE and other good things that
come with DNSSEC.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20160913/46317bc9/attachment.sig>

Reply to: