By default DNSSEC is enabled with automatic keys
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
MAAS | Opinion | Wishlist | Unassigned |
bind9 (Ubuntu) | Won't Fix | Medium | Unassigned |
Bug Description
The default setting for DNSSEC in MaaS is to enable it with automatic keys - I'd argue that it will break DNS for more setups than it fixes. If you have ingress and egress filtering (a very common situation in corporate environments) and don't have DNSSEC on your upstream servers (more common than you'd ideally want), you need to explicitly disable this setting.
I would suggest a better default would be to disable DNSSEC - anyone who has set it up will know, and can flip the setting over to what they need. Current statistics from http://
This testing was done with MaaS 1.8 from the stable PPA, and the latest Trusty.
$ lsb_release -d
Description: Ubuntu 14.04.3 LTS
$ dpkg-query -W maas
maas 1.8.2+bzr4041-
Please let us know if you have any further questions.
summary: Changing MaaS default behaviour for DNSSEC → DNSSEC should be disabled in MAAS by default
Changed in bind9 (Ubuntu):
importance: Undecided → Medium
I can't dispute the data, but I disagree with the suggested fix.
Reasoning:
(1) MAAS "takes over" existing BIND configuration files in order to provide DNS.
(2) If a user was running BIND on the machine that is becoming the region controller, (or running a previous version of MAAS) they may expect DNSSEC to work properly. (as per the BIND default)
(3) Due to (1) and (2), if we disable DNSSEC by default, then a properly configured upstream DNSSEC will *SILENTLY BREAK* when installing MAAS.
So we have two options:
Option A: Keep existing behavior, which properly migrates BIND's default values for DNSSEC configuration to MAAS.
Option B: Change existing behavior as suggested, which will silently break DNSSEC configurations upon installation of MAAS, and open a potential attack vector for security-conscious organizations running MAAS.
Perhaps a compromise solution would be for a future version of MAAS to include a guided install process, which could detect this situation and ask the user what to do.
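The two positions above (the reporter's "upstream without DNSSEC plus egress filtering breaks resolution" and the second comment's "disabling validation silently removes protection") can be settled per deployment with a quick probe of the upstream. The POSIX shell script below is an added example, not code from the bug report, from MAAS or from bind9: it classifies what an upstream resolver sends back for a DNSSEC query and maps that onto the dnssec-validation line that belongs in named.conf.options. The function names, the four classification labels, and the choice of the root SOA as a known-signed probe name are this example's own assumptions; the only facts it relies on are the ones stated on this page, that "auto" is the BIND default MAAS keeps, and that a validator which never sees RRSIGs cannot validate.

```shell
#!/bin/sh
# Added example, not code from the bug report, MAAS or bind9.
# Decide what BIND's dnssec-validation option should be for one upstream
# resolver by looking at what that resolver sends back for a DNSSEC query.
# Function names, labels and the probe query are this example's own choices.

# classify_dnssec_reply REPLY_TEXT
# REPLY_TEXT is the output of: dig +dnssec +multi <name> @<upstream>
# Prints one of:
#   validating  - AD flag set and RRSIGs present: upstream validates itself
#   passthrough - RRSIGs present, no AD: upstream hands DNSSEC data through
#                 unvalidated, so a local validator (auto) can still work
#   stripped    - an answer with no RRSIG: the upstream or a middlebox drops
#                 DNSSEC records; a local validator will fail on signed names
#   blocked     - no usable answer (timeout, SERVFAIL, REFUSED), the pattern
#                 seen when egress filtering kills EDNS/large UDP replies
classify_dnssec_reply() {
    reply=$1
    case "$reply" in
        *"connection timed out"*|*"status: SERVFAIL"*|*"status: REFUSED"*)
            echo blocked
            return 0 ;;
    esac
    if ! printf '%s\n' "$reply" | grep -q 'status: NOERROR'; then
        echo blocked
        return 0
    fi
    if printf '%s\n' "$reply" | grep -q '[[:space:]]RRSIG[[:space:]]'; then
        # the flags line looks like: ";; flags: qr rd ra ad; QUERY: 1, ..."
        if printf '%s\n' "$reply" | grep -q '^;; flags:.*[[:space:]]ad[[:space:];]'; then
            echo validating
        else
            echo passthrough
        fi
    else
        echo stripped
    fi
}

# recommend_dnssec_option CLASSIFICATION
# Maps the classification onto the line for named.conf.options. "auto" is
# the BIND default that MAAS keeps (per the bug discussion); it only works
# when RRSIGs actually reach the validator.
recommend_dnssec_option() {
    case "$1" in
        validating|passthrough) echo 'dnssec-validation auto;' ;;
        stripped|blocked)       echo 'dnssec-validation no;' ;;
        *) echo "unknown classification: $1" >&2; return 1 ;;
    esac
}

# probe_upstream UPSTREAM_IP
# Live check: asks the upstream for the root SOA (assumed signed, so RRSIGs
# are expected) with the DO bit set, then classifies the reply.
probe_upstream() {
    if ! command -v dig >/dev/null 2>&1; then
        echo 'dig not found (install dnsutils)' >&2
        return 2
    fi
    classify_dnssec_reply "$(dig +dnssec +multi +time=3 +tries=1 SOA . @"$1" 2>&1)"
}

# Usage: sh check_upstream_dnssec.sh 10.0.0.53
if [ $# -gt 0 ]; then
    status=$(probe_upstream "$1") || exit $?
    echo "upstream $1: $status -> $(recommend_dnssec_option "$status")"
fi
```

A result of stripped or blocked is exactly the situation the reporter describes, where the auto default turns every signed name into SERVFAIL and the setting has to be flipped to no; passthrough or validating means disabling validation would only discard the protection the second comment wants to preserve. Run it against each forwarder MAAS will use, not just one, since a single filtered path is enough to break resolution.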