[Freedombox-discuss] Should the box do DANE for PGP?
On 09/13/2016 01:32 PM, Sunil Mohan Adapa wrote:
> On 08/06/2016 01:19 AM, Sandy Harris wrote:
> Thank you for your invaluable inputs to the project from time to time.
Note I don't know too much about the FreedomBox. But I do recommend you
check out my latest Opportunistic IPsec presentation I gave at the
Linux Security Summit:
> I have explored enabling DNSSEC on FreedomBox. It appears that for
> FreedomBox's use case, dnssec-trigger and unbound are good choice.
It is, but be careful if you ship GNOME3, as they are taking over the "hotspot
detection" function and clash with unbound+dnssec_trigger.
> understand correctly, they are already enabled by default on a Fedora
Not exactly. All DNS servers enable DNSSEC when used, but unbound+dnssec_trigger
is not yet enabled per default. Planned for F25 is the gnome3+unbound combination
that takes some code from dnssec_trigger. It also depends on NetworkManager.
> Enabling DNSSEC and using them with network manager
> should be relatively straight forward too.
Yes, and the VPN services (libreswan IPsec, openvpn, etc) have support for
reconfiguring DNS for split-DNS.
> In the recent hack call we some agreement that unbound is not a bad
> choice for authoritative server as well.
> Once this is in, we can start to look at DANE and other good things that
> come with DNSSEC.
Note that unbound is NOT an authoritative server, but only a recursive/caching
server. While you can "hardcode" some responses, that is not the same as a
nameserver that loads zonefiles and is authoritative.
I think it would be great if you could enable Opportunistic IPsec using LetsEncrypt.
It requires only the LetsEncrypt CA certs installed on the client side, and a regular
LetsEncrypt install on the server side.