doc/designs: add encrypted DNS design documents #7384

Open
wants to merge 1 commit into
base: master

f-trivino
Contributor

Add design page for Encrypted DNS traffic support.

Related: https://pagure.io/freeipa/issue/9605

doc/designs/edns.md (outdated)

Most changes involve configuration updates. New installation options for encrypted DNS ensure the deployment and activation of DNS services to encrypt all outbound traffic.

Address of our unbound server has to be set in /etc/resolv.conf. /etc/resolv.conf nameserver 127.0.0.1
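
Review bot: "encrypt all outbound traffic" in the first paragraph claims more than an encrypted DNS design delivers; scope it to "all outbound DNS traffic" so readers do not take it as a statement about every connection the server makes. In the resolv.conf paragraph, "our unbound server" should also say that it is the Unbound instance deployed on the same host, which is what the 127.0.0.1 nameserver entry implies.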
Contributor

@antoniotorresm antoniotorresm Jun 13, 2024

We will be using 127.0.0.53 or 127.0.0.55 (depends on whether we disable systemd-resolved completely or not).

Contributor Author

I think we should deploy the simplest configuration. I would opt for Unbound and BIND instead of systemd-resolved, Unbound, and BIND. Then, I would use 127.0.0.53 because it runs on port 53, avoiding conflicts with systemd-resolved if it is enabled later by mistake or manually.

doc/designs/edns.md (outdated)

### Configuration

Any configuration options? Any commands to enable/disable the feature or turn on/off its parts?
Contributor

Installers will deploy a valid configuration, but it can be easily edited at: /etc/unbound/conf.d/zzz-ipa.conf

Contributor Author

added

doc/designs/edns.md (outdated)
@f-trivino f-trivino force-pushed the edns-design branch 2 times, most recently from 5c13758 to f8e090e Compare June 25, 2024 17:04
Add design page for Encrypted DNS traffic support.

Related: https://pagure.io/freeipa/issue/9605
Signed-off-by: Francisco Trivino <[email protected]>
@f-trivino f-trivino added the needs review Pull Request is waiting for a review label Jul 3, 2024
2 participants