Securing DNS traffic with DNSSEC in Red Hat 9?
Hi to the Red Hat community,
I would like to find information, please, about Red Hat 9 that would, essentially, cover the same topics as the ones covered here in the Red Hat 7 security guide.
So far, I could check:
- this post on the Red Hat Sysadmin blog about Unbound;
- different Red Hat 9 guides such as here;
- the Red Hat 8 and 9 Release notes, in search of deprecated packages, to find out about 'dnssec-trigger', as it is available in Fedora but I can't find it in Red Hat 9.
Many thanks in advance,
Alexandre
Responses
Hi Alexandre,
The RHEL 7 docs are feature-based comprehensive guides. At the time of the RHEL 8 Alpha release, we started from scratch with a completely different approach. We identify real-world user stories (topics), we prioritize them based on the feedback from customers, and we are covering them. As such, the RHEL 8 (and 9) docs cannot be complete, and it cannot be our goal. Until your post, we haven't received any feedback that would include some demand for DNSSEC topics.
However, I did some research:
- The dnssec-trigger package has been removed from RHEL 9 as documented in Considerations of adopting RHEL 9 [1]
- RHEL 9 provides the bind-dnssec-utils [2] and opendnssec [3] packages
- The Bind 9 project documentation [4] and the OpenDNSSEC documentation [5] provide guidance for configuring DNSSEC
Hope that the aforementioned helps at least a bit.
Kind regards, --Mirek
[3] https://access.redhat.com/downloads/content/opendnssec/2.1.8-4.el9/x86_64/fd431d51/package
Hi Alexandre,
I'm glad that my findings helped. If we see that more customers are struggling with deploying and configuring DNSSEC on RHEL, we will cover this topic in the RHEL 8 and 9 product documentation (the Securing networks document most probably) for sure.
Have a nice weekend, --Mirek
The drill command was moved, along with more useful DNS utilities, from the main ldns package into the ldns-utils package before RHEL 8 was forked from Fedora. That would be the reason why it is not mentioned explicitly in the RHEL documentation. It was part of the ldns package in RHEL 7, but it has been separate since the beginning of RHEL 8. The ldns package contains just the ldns library build, which is required only by the opendnssec package.
There was a change in RHEL 9.1, which moved ldns-utils and some ldns bindings for other languages into the Content Ready Builder (CRB) repository. After the CRB repository is enabled, they should be available. Unfortunately, it seems a similar change does not exist for RHEL 8. I doubt, however, that it was ever shipped in an official RHEL 8 repository. We have internal builds of it, but they are not accessible to our customers. If you want to use anything from ldns-utils, please request moving them to some public repository by a customer request. It would take some time; it is too late for RHEL 8.8.
Most of the actions could be solved with the dig or delv commands from bind-utils. Those are excellent tools and are similar to the ldns drill utility. Part of the unbound package is also the unbound-host command, which might help too.
You can rebuild your own ldns with all subpackages yourself. It may work a bit better.
$ dnf install rpm-build
$ dnf download --source ldns
$ dnf builddep --enablerepo='*CRB' ldns*.src.rpm
$ rpmbuild --rebuild ldns*.src.rpm
This should create a set of packages for you from our current sources. One of them would also be ldns-utils.
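The reply above suggests dig and delv from bind-utils in place of drill. As an added example (not part of the thread and not Red Hat's code), this shell function reads dig +dnssec output and reports whether the resolver validated the answer; the function name dnssec_status and the sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the header of `dig +dnssec` output read on stdin.
#   secure   - NOERROR and the resolver set the AD (authenticated data) flag
#   insecure - NOERROR without AD (unsigned zone or non-validating resolver)
#   servfail - SERVFAIL; a validating resolver returns this for bogus data,
#              but also for other failures (compare with a +cd query)
#   unknown  - any other status, or no header found
# The AD flag is only as trustworthy as the path to the resolver that set it.
dnssec_status() {
    awk '
        /->>HEADER<<-/ && match($0, /status: [A-Z]+/) {
            status = substr($0, RSTART + 8, RLENGTH - 8)
        }
        /^;; flags:/ {
            split($0, part, ";")            # part[3] = " flags: qr rd ra ad"
            n = split(part[3], flag, " ")   # flag[1] = "flags:", then the flags
            for (i = 2; i <= n; i++) if (flag[i] == "ad") ad = 1
        }
        END {
            if (status == "NOERROR") print (ad ? "secure" : "insecure")
            else if (status == "SERVFAIL") print "servfail"
            else print "unknown"
        }'
}

# Constructed sample headers (written for this example, not captured output).
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

for sample in "$SAMPLE_SECURE" "$SAMPLE_INSECURE" "$SAMPLE_SERVFAIL"; do
    printf '%s\n' "$sample" | dnssec_status
done

# Live use (needs network): dig +dnssec example.com A | dnssec_status
```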