rpms / dnssec-trigger

Clone
Source Code
GIT

Files

c4 c5 c5-plus c6 c6-plus c7 c8-beta el6 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 master
  1.   f20
  2.   dnssec-trigger-0.12-dnssec-conf.patch
Blob Blame History Raw 
diff --git a/dnssec.conf b/dnssec.conf
index 4d9dbfb..bf896d3 100644
--- a/dnssec.conf
+++ b/dnssec.conf
@@ -1,54 +1,115 @@
+# The options configured in this file are supported by dnssec-trigger-script
+# which is called due to various events in related services including
+# dnssec-trigger and NetworkManager. As a result, dnssec-trigger-script,
+# together with the dnssec-trigger daemon, reconfigures a running instance
+# of Unbound, your local validating resolver.
+#
+# Changes in this file are typically applied on the next network change. To
+# make them work immediately, restart the dnssec-trigger service. On many
+# systems this is achieved by the following command:
+#
+#     systemctl restart dnssec-triggerd
+#
+# To achieve a clean state of Unbound, you can just restart the unbound
+# service and dnssec-trigger gets restarted automatically. Note that some
+# other services like VPN clients may have reconfigured unbound at runtime
+# and thus may need to be restarted as well.
+#
+#     systemctl restart unbound
+#
+# In future some of the options may be interpretted by other services as well,
+# so be careful to restart all of them. One such service may be a future
+# version of NetworkManager.
+#
+#     systemctl restart NetworkManager
+#
+
 # validate_connection_provided_zones:
 # -----------------------------------
-# Setts if forward zones added into unbound by dnssec-trigger script
-# will be DNSSEC validated or NOT. Note that this setting is global
-# for all added forward zones..
-# Possible options are:
-#
-# validate_connection_provided_zones=yes - All connection provided zones
-#                                          configured as forward zones into
-#                                          unbound WILL BE DNSSEC validated
-#                                          (NOTE: If connection provided DNS
-#                                          servers are NOT DNSSEC capable, the
-#                                          resolving of provided zones will
-#                                          NOT work!)
-#
-# validate_connection_provided_zones=no - All connection provided zones
-#                                         configured as forward zones into
-#                                         unbound will NOT be DNSSEC validated
-#
-#
-# NOTICE: if you turn the validation OFF then all forward zones added by
-# dnssec-trigger script will NOT be DNSSEC validated. If you turn the
-# validation ON, only newly added forward zones will be DNSSEC validated.
-# Forward zones added before the change will still NOT be DNSSEC validated.
-# To force validation of previously added forward zone you need to restart
-# it. For VPNs this can be done by restart NetworkManager.
+# Ensures that foward zones provided by NetworkManager connections will be
+# validated by Unbound.
+#
+# Security notes:
+#
+#  - If this option is turned off, the network you're connecting to
+#    can provide you a list of spoofed domains e.g. via DHCP. Those domains
+#    are then configured as insecure forward zones in your local validating
+#    resolver, constituting a downgrade attack on DNSSEC validation.
+#
+#  - See also security notes on the `add_wifi_provided_zones` option.
+#
+# validate_connection_provided_zones=yes
+#
+#  - Connection provided zones will be configured in Unbound as secure forward
+#    zones, validated using DNSSEC.
+#
+#    If the DNS servers for such a connection are not capable of forwarding
+#    DNSSEC queries and responses or the local zone is required to be signed
+#    according to the global DNSSEC database, local resources will not be
+#    resolved correctly and will appear inaccessible.
+#
+#    Many networks use fake top level domains which fail DNSSEC validation
+#    as there is no way to validate them at all. Do not use this strict
+#    option if you want to access resources on such networks.
+#
+# validate_connection_provided_zones=no
+#
+#  - Connection provided zones will be configured in Unbound as insecure
+#    forward zones, not validated using DNSSEC. This allows you to access
+#    local resources on networks with non-compliant DNS servers as well
+#    as networks that hijack domains that are either not in the global DNS
+#    tree at all or are required to be signed.
+#
+#    Turning this option off has security implications, See the security
+#    notice above.
+#
 validate_connection_provided_zones=yes
 
 # add_wifi_provided_zones:
 # ------------------------
-# Setts if domains provided by WiFi connection are configured as forward zones
-# into unbound.
-# Possible options are:
-#
-# add_wifi_provided_zones=yes - Domains provided by ANY WiFi connection will
-#                               be configured as forward zones into unbound.
-#                               (NOTE: See the possible security implications
-#                               stated below!)
-#
-# add_wifi_provided_zones=no - Domains provided by ANY WiFi connection will
-#                              NOT be configured as forward zones into unbound.
-#                              (NOTE: Forward zones will be still configured
-#                              for any other type of connection!)
-#
-# NOTICE: Turning ON the addition of WiFi provided domains as forward zones
-# into unbound may have SECURITY implications such as:
-# - A WiFi access point can intentionally provide you a domain via DHCP for
-#   which it does not have authority and route all your DNS queries to its
-#   DNS servers.
-# - In addition to the previous point, if you have the DNSSEC validation
-#   of forward zones turned OFF, the WiFi provided DNS servers can spoof
-#   the IP address for domain names from the provided domain WITHOUT YOU
-#   KNOWING IT! 
+# Ensures that wifi provided zones are accepted by dnssec-trigger-script just
+# as any other connection provided zones. Wireless ethernet is special in
+# that you often connect to network with no authentication or authentication
+# based on a shared secret.
+#
+# Security notes:
+#
+#  - Anyone knowing such a shared secret can set up an access point for the
+#    network and provide you a spoofed domain list via DHCP. When this option
+#    is turned on, the spoofed domains are configured as forward zones in your
+#    local validating resolver.
+#
+#  - See also security notes on the `validate_connection_provided_zones` option.
+#
+# add_wifi_provided_zones=yes
+#
+#  - Domains provided by WiFi connections will be configured as forward zones
+#    in your local validating resolver. See the security notice above.
+#
+# add_wifi_provided_zones=no
+#
+#  - Domains provided by WiFi connection will be ignored.
+#
 add_wifi_provided_zones=no
+
+# set_search_domains:
+# -------------------
+# Enable or disable writing of search domains to `/etc/resolv.conf`.
+#
+# set_search_domains=yes - Search domains are written to `/etc/resolv.conf`.
+#
+# set_search_domains=no - Search domains are not written to `/etc/resolv.conf`.
+#
+set_search_domains=no
+
+# use_private_address_ranges:
+# ---------------------------
+# Enable or disable adding reverse name resolution zones derived from
+# private IP addresses as defined in RFC 1918 and RFC 4193.
+#
+# use_private_address_ranges=yes - Use standard private IP address ranges to build
+#                                  reverse name resolution zones using the global
+#                                  forwarders.
+#
+# use_private_address_ranges=no - Ignore standard IP address ranges.
+use_private_address_ranges=yes

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation