[Freedombox-discuss] Should the box do DANE for PGP?

Paul Wouters pwouters at redhat.com
Tue Sep 13 21:42:27 UTC 2016


On 09/13/2016 01:32 PM, Sunil Mohan Adapa wrote:
> On 08/06/2016 01:19 AM, Sandy Harris wrote:

> Thank you for your invaluable inputs to the project from time to time.

Note I don't know too much about the FreedomBox. But I do recommend you
check out my latest Opportunistic IPsec presentation, which I gave at the
Linux Security Summit:

http://events.linuxfoundation.org/sites/events/files/slides/LinuxSecuritySummit-2016-OE-16x9.pdf

> I have explored enabling DNSSEC on FreedomBox.  It appears that for
> FreedomBox's use case, dnssec-trigger and unbound are good choice.

It is, but be careful if you ship GNOME3, as they are taking over the "hotspot
detection" function and clash with unbound+dnssec_trigger.


> If I
> understand correctly, they are already enabled by default on a Fedora
> installation.

Not exactly. All DNS servers enable DNSSEC when used, but unbound+dnssec_trigger
is not yet enabled by default. Planned for F25 is the gnome3+unbound combination
that takes some code from dnssec_trigger. It also depends on NetworkManager.


> Enabling DNSSEC and using them with network manager
> should be relatively straight forward too.

Yes, and the VPN services (libreswan IPsec, openvpn, etc) have support for
reconfiguring DNS for split-DNS.

> In the recent hack call we had some agreement that unbound is not a bad
> choice for authoritative server as well.
> 
> Once this is in, we can start to look at DANE and other good things that
> come with DNSSEC.

Note that unbound is NOT an authoritative server, but only a recursive/caching
server. While you can "hardcode" some responses, that is not the same as a
nameserver that loads zonefiles and is authoritative.


I think it would be great if you could enable Opportunistic IPsec using LetsEncrypt.
It requires only the LetsEncrypt CA certs installed on the client side, and a regular
LetsEncrypt install on the server side.

Paul
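
A worked example added here (it is not part of the original message, nor code from the FreedomBox, unbound or libreswan projects) to make two points in the thread concrete: what "DANE for PGP" actually publishes, and what "hardcoding" a response in unbound looks like as opposed to serving a signed zone. It derives the OPENPGPKEY owner name the way RFC 7929 specifies (SHA2-256 of the local-part, truncated to 28 octets, under `_openpgpkey.<domain>`), writes the record in the RFC 3597 generic `TYPE61 \# <len> <hex>` presentation form, and emits `local-zone`/`local-data` lines for a recursive unbound. The mailbox `hugh@example.com` and the three-byte "key" are constructed inputs (a real record carries a binary OpenPGP transferable public key); that unbound's `local-data` accepts the generic `TYPE/\#` syntax is an assumption, not something checked here.

```python
"""
Added example (not from the FreedomBox list or Paul Wouters): build the DNS
owner name and record that DANE for PGP (OPENPGPKEY, RFC 7929) would publish
for a mailbox, and the unbound local-data lines that would merely hardcode it.
Constructed input: the "public key" is a placeholder byte string, not a real
OpenPGP transferable public key.
"""
import hashlib
import re

OPENPGPKEY_RRTYPE = 61  # IANA type code for OPENPGPKEY (RFC 7929)


def openpgpkey_owner_name(email: str) -> str:
    """RFC 7929 section 2.1: SHA2-256 of the local-part (left of the last
    '@'), truncated to the first 28 octets, written as lowercase hex, then
    '._openpgpkey.' and the domain. The local-part is hashed exactly as
    given (RFC 7929 does not lower-case it); the domain part is
    case-insensitive in DNS, so it is lower-cased here for stable output."""
    local, _, domain = email.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not a mailbox: {email!r}")
    digest = hashlib.sha256(local.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain.lower().rstrip('.')}."


def openpgpkey_rr(email: str, pubkey: bytes, ttl: int = 3600) -> str:
    """Presentation-format RR in the RFC 3597 generic rdata syntax
    ('TYPE61 \\# <len> <hex>'), which every zone-file parser must accept
    even if it does not know the OPENPGPKEY mnemonic. The rdata is the
    binary OpenPGP transferable public key (RFC 4880)."""
    owner = openpgpkey_owner_name(email)
    return f"{owner} {ttl} IN TYPE{OPENPGPKEY_RRTYPE} \\# {len(pubkey)} {pubkey.hex()}"


def unbound_local_data(email: str, pubkey: bytes) -> list[str]:
    """unbound.conf lines that make a *recursive* unbound answer the query
    for this mailbox. Assumption (not verified here): unbound's local-data
    accepts the generic TYPE/\\# syntax. As noted in the thread, this only
    hardcodes an answer for that resolver's own clients; nothing is signed
    and no zone is served to the rest of the Internet."""
    _, _, domain = email.rpartition("@")
    zone = f"_openpgpkey.{domain.lower().rstrip('.')}."
    return [f'local-zone: "{zone}" static',
            f'local-data: "{openpgpkey_rr(email, pubkey)}"']


_OWNER_RE = re.compile(r"^[0-9a-f]{56}\._openpgpkey\.[a-z0-9.-]+\.$")


def is_openpgpkey_owner_name(name: str) -> bool:
    """Sanity check: a 28-octet hex label directly under _openpgpkey."""
    return bool(_OWNER_RE.match(name))


if __name__ == "__main__":
    # Constructed sample, not a real key.
    for line in unbound_local_data("hugh@example.com", b"\x99\x01\x02"):
        print(line)
```

Feeding these lines to a validating resolver's clients is useful for a local test, but a mail client doing DANE for PGP wants the RRset to arrive with the AD bit set from a signed zone; for that the `_openpgpkey` tree has to live in a zone that an authoritative server signs and serves, which is exactly the distinction the message draws.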