Bug 43293 - Support for DNSSEC
Support for DNSSEC
Status: NEW
Product: UCS
Classification: Unclassified
Component: DNS
UCS 4.4
Other Linux
: P5 enhancement (vote)
: ---
Assigned To: UCS maintainers
:
: 49572 (view as bug list)
Depends on: 18262 49572
Blocks:
  Show dependency treegraph
 
Reported: 2017-01-05 07:53 CET by Stefan Gohmann
Modified: 2023-05-23 16:32 CEST (History)
8 users (show)

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2015072921000483, 2018110121000351, 2018110621001136, 2019052821000811
Bug group (optional): Release Goal
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Gohmann univentionstaff 2017-01-05 07:53:50 CET
+++ This bug was initially created as a clone of Bug #18262 +++

In der gestrigen Schulung wurde nach Support für DNSSEC in univention-bind gefragt. Das sollten wir langfristig auch unterstützen.
Comment 1 Jens Thorp-Hansen univentionstaff 2017-01-05 08:08:05 CET
partner asked in the forums if the status changed (see linked ticket#)
Comment 2 Christina Scheinig univentionstaff 2018-11-02 15:48:08 CET
This is now requested again by a customer
Comment 3 Philipp Hahn univentionstaff 2018-11-02 15:56:06 CET
/etc/bind/named.conf.proxy:
  options {
    dnssec-enable yes;
  }

We neither have a UCRV to set this nor a generic mechanism to set arbitrary UCRVs.
Comment 5 Arvid Requate univentionstaff 2019-05-29 11:00:13 CEST
*** Bug 49572 has been marked as a duplicate of this bug. ***
Comment 6 Christian Völker univentionstaff 2019-05-29 14:28:44 CEST
As DNSSEC is becomming more and more important (see graphs for .ch here: https://www.nic.ch/de/statistics/dnssec/) and gets widely implemented (DENIC since 2010) it is an improvement to our product.

Further more, NOT offering DNSSEC in will be a disadvantage for us in relation to competitors.
Comment 7 Stefan Gohmann univentionstaff 2019-06-03 07:50:36 CEST
(In reply to Christian Völker from comment #6)
> As DNSSEC is becomming more and more important (see graphs for .ch here:
> https://www.nic.ch/de/statistics/dnssec/) and gets widely implemented (DENIC
> since 2010) it is an improvement to our product.
> 
> Further more, NOT offering DNSSEC in will be a disadvantage for us in
> relation to competitors.

You are right but it is still a feature request.
Comment 8 univention 2020-09-06 09:50:54 CEST
Art. 32 GDPR/DSGVO requires state of the art technology for the security of data processing. DNSSEC validation standards and necessary software are available for ten years now. The additional processing power for DNSSEC validation is insignificant.

I suggest to enable

/etc/bind/named.conf.proxy:
  options {
    dnssec-enable yes;
  }

by default.
Comment 10 Thomas Heinrichsdobler univentionstaff 2023-05-23 16:32:55 CEST
Another customer (SKB) inquired about DNSSEC support today.