On 08/06/2016 01:19 AM, Sandy Harris wrote:
> The draft for authenticating PGP keys via DANE (DNS Authentication of
> Named Entities) has just become an RFC. Unfortunately it took three
> years and it is tagged as "experimental" rather than "standards
> track", but at least it is now available.
> https://tools.ietf.org/html/rfc7929
>
> This would let far more Box users send & receive PGP-encrypted
> messages, so I'd say it is obviously a Good Thing, worth adding to Box
> software.
>
> On the down side, it is not entirely secure without DNS-sec. Nor are
> FreeS/WAN descendants which rely on DNS for authentication in IPsec.
> Do we have any plan for the infrastructure to do DNS-sec on the Box?

Hello,

Thank you for your invaluable inputs to the project from time to time.

I have explored enabling DNSSEC on FreedomBox. It appears that for FreedomBox's use case, dnssec-trigger and unbound are a good choice. If I understand correctly, they are already enabled by default on a Fedora installation. Enabling DNSSEC and using them with network manager should be relatively straightforward too. In the recent hack call we had some agreement that unbound is not a bad choice for an authoritative server as well.

Once this is in, we can start to look at DANE and other good things that come with DNSSEC.

--
Sunil

_______________________________________________
Freedombox-discuss mailing list
Freedombox-discuss@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss