Project: RHEL, issue RHEL-67912

Support for DNS over TLS (DoT) in RHEL IdM


    • ipa-4.12.2-15.el10
    • None
    • 2
    • rhel-idm-ipa
    • ssg_idm
    • 24
    • 26
    • 5
    • QE ack, Dev ack
    • False
    • False
    • Yes
    • 2024-Q4-Bravo-S7, 2025-Q1-Alpha-S3
    • Technology Preview
      .DNS over TLS (DoT) in IdM deployments is available as a Technology Preview

      Encrypted DNS using DNS over TLS (DoT) is now available as a Technology Preview in Identity Management (IdM) deployments. You can now encrypt all DNS queries and responses between DNS clients and IdM DNS servers.

      To start using this functionality, install the `ipa-server-encrypted-dns` package on IdM servers and replicas, and the `ipa-client-encrypted-dns` package on IdM clients. Administrators can enable DoT during the installation by using the `--dns-over-tls` option.

      IdM configures Unbound as a local caching resolver and BIND to receive DoT requests. This functionality is available through the command-line interface (CLI) and non-interactive installations of IdM.

      The following options were added to installation utilities for IdM servers, replicas, clients, and the integrated DNS service:

      * `--dot-forwarder` to specify an upstream DoT-enabled DNS server.
      * `--dns-over-tls-key` and `--dns-over-tls-cert` to configure DoT certificates.
      * `--dns-policy` to set a DNS security policy to either allow fallback to unencrypted DNS or enforce strict DoT usage.

      By default, IdM uses the `relaxed` DNS policy, which allows fallback to unencrypted DNS. You can enforce encrypted-only communication by using the new `--dns-policy` option with the `enforced` setting.

      You can also enable DoT on an existing IdM deployment by reconfiguring the integrated DNS service with `ipa-dns-install` and the new DoT options.

      See link:https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10/html/installing_identity_management/securing-dns-with-dot-in-idm[Securing DNS with DoT in IdM] for more details.
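The release note above names two values for `--dns-policy` but does not spell out what they mean on the wire. The following is an added example, not IdM, Unbound or BIND code: a small resolver that sends an RFC 7858 DNS-over-TLS query (two-octet length prefix over TLS to TCP/853), parses the A records in the reply, and applies the policy on failure: `relaxed` falls back to plaintext UDP/53, `enforced` raises instead of leaking the query. The hostname `ipa.example.test`, the address `192.0.2.10` and the fake transports are constructed so the module runs offline; `dot_transport` and `do53_transport` are the real-socket variants, and the `cafile` argument is assumed to point at the CA that issued the DoT server certificate.

```python
import random
import socket
import ssl
import struct

DOT_PORT = 853                    # DNS over TLS (RFC 7858)
DO53_PORT = 53                    # classic unencrypted DNS
SAMPLE_NAME = "ipa.example.test"  # constructed hostname for the offline demo
SAMPLE_ADDR = "192.0.2.10"        # constructed documentation-range address

class EncryptedDnsRequired(RuntimeError):
    """Policy is `enforced` and the encrypted path is unavailable: fail closed."""

def build_query(name, qtype=1):
    """Minimal RFC 1035 wire-format query: type A by default, class IN, RD set."""
    header = struct.pack("!HHHHHH", random.randrange(0x10000), 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame_dot(msg):
    """DoT reuses DNS-over-TCP framing: a two-octet big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                        # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (off if end is None else end)

def parse_a_records(resp):
    """Return the IPv4 addresses found in the answer section of a response."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):                              # skip the question section
        _, off = _read_name(resp, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return addrs

def dot_transport(server, tls_name, cafile=None):
    """Real DoT sender: TLS to server:853, certificate verified against cafile (assumed CA path)."""
    ctx = ssl.create_default_context(cafile=cafile)
    def send(msg):
        with socket.create_connection((server, DOT_PORT), timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname=tls_name) as tls:
            tls.sendall(frame_dot(msg))
            reader = tls.makefile("rb")
            (length,) = struct.unpack("!H", reader.read(2))
            return reader.read(length)
    return send

def do53_transport(server):
    """Real plaintext sender over UDP/53; only reached when policy allows fallback."""
    def send(msg):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
            udp.settimeout(5)
            udp.sendto(msg, (server, DO53_PORT))
            return udp.recv(4096)
    return send

def resolve(name, policy, dot_send, do53_send):
    """Query over DoT first; fall back to plaintext only under `relaxed`."""
    if policy not in ("relaxed", "enforced"):
        raise ValueError(f"unknown DNS policy {policy!r}")
    query = build_query(name)
    try:
        return "dot", parse_a_records(dot_send(query))
    except OSError as exc:                           # ssl.SSLError is an OSError too
        if policy == "enforced":
            raise EncryptedDnsRequired(f"DoT failed and policy is enforced: {exc}") from exc
        return "do53", parse_a_records(do53_send(query))

# Constructed transports so the module runs offline (no real IdM server involved).
def constructed_answer(query):
    """Fake server: echoes the question and answers SAMPLE_ADDR with a 300 s TTL."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(SAMPLE_ADDR)
    return header + query[12:] + rr

def fake_dot_down(query):
    raise ConnectionRefusedError("TCP/853 unreachable (simulated)")
```

Running `resolve(SAMPLE_NAME, "relaxed", fake_dot_down, constructed_answer)` returns the answer via `"do53"`, while the same call with `"enforced"` raises `EncryptedDnsRequired`, which is the fail-closed behaviour the enforced policy exists to provide. Against a real deployment, pass `dot_transport(server_ip, server_tls_name, cafile)` and `do53_transport(server_ip)` instead; the transports are separated from the policy logic precisely so that the fallback decision is testable without a network.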
    • Done
    • None

      Goal

      • As an administrator, I want support for DNS over TLS (DoT) in RHEL IdM so that all DNS traffic within modern deployments can be authenticated, authorized, and encrypted, ensuring secure communication in a Zero-Trust environment.

      Acceptance criteria

      A list of verification conditions, successful functional tests, or expected outcomes in order to declare this story/task successfully completed.

      • Verify administrators can enable and configure DNS over TLS (DoT) for DNS zones managed by RHEL IdM.
      • Verify encrypted DNS traffic (via DoT) is logged appropriately, with no sensitive data being exposed.
      • Verify that when encrypted DNS is enforced, RHEL IdM blocks unencrypted DNS queries within the internal network.
      • Verify IdM provides a fallback mechanism to log and alert administrators when encrypted DNS traffic fails to establish.
      • Verify the system supports backward compatibility with deployments that do not use DoT.
      • Verify DNS traffic encryption settings are integrated into the IdM framework, allowing configuration via CLI.

              Francisco Trivino Garcia (ftrivino@redhat.com)
              Francisco Trivino Garcia (ftrivino@redhat.com)
              Florence Renaud
              Varun Mylaraiah
              Dominika Borges