[Freedombox-discuss] Should the box do DANE for PGP?
Sunil Mohan Adapa
sunil at medhas.org
Tue Sep 13 17:32:38 UTC 2016
On 08/06/2016 01:19 AM, Sandy Harris wrote:
> The draft for authenticating PGP keys via DANE (DNS Authentication of
> Named Entities) has just become an RFC. Unfortunately it took three
> years and it is tagged as "experimental" rather than "standards
> track", but at least it is now available.
> https://tools.ietf.org/html/rfc7929
>
> This would let far more Box users send & receive PGP-encrypted
> messages, so I'd say it is obviously a Good Thing, worth adding to Box
> software.
>
> On the down side, it is not entirely secure without DNS-sec. Nor are
> FreeS/WAN descendants which rely on DNS for authentication in IPsec.
> Do we have any plan for the infrastructure to do DNS-sec on the Box?
Hello,
Thank you for your invaluable inputs to the project from time to time.
I have explored enabling DNSSEC on FreedomBox. It appears that for
FreedomBox's use case, dnssec-trigger and unbound are good choice. If I
understand correctly, they are already enabled by default on a Fedora
installation. Enabling DNSSEC and using them with network manager
should be relatively straight forward too.
In the recent hack call we some agreement that unbound is not a bad
choice for authoritative server as well.
Once this is in, we can start to look at DANE and other good things that
come with DNSSEC.
--
Sunil
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20160913/46317bc9/attachment.sig>
More information about the Freedombox-discuss
mailing list