We were pleased to see an announcement from the IPFire open source firewall distribution indicating that DNSSEC validation had been added to their most recent “IPFire 2.15 – Core Update 80” yesterday. More intriguing to me, perhaps, was that the DNSSEC validation was added to the software distribution via a crowdfunding initiative for their “wishlist”. While I realize this is not unique among software products, it was great to see that some number of IPFire users felt DNSSEC was important enough to donate to prioritize this task. [Tip for IPFire: It would be nice to know how many users donated rather than just the total amount.]
I will admit I’d not heard of IPFire prior to seeing a tweet about the DNSSEC addition this morning, but in looking at their “About IPFire” page it seems to have the kind of services that I would want in a system like this. (I run a similar type of hardened Linux distribution on my own home server/gateway.)
This news about IPFire is important because DNSSEC validation at the edge of local networks is a critical step in the plan for where DNSSEC validation needs to happen. Ideally, of course, we’d get the validation happening in the device operating systems and even in applications, but validating at the edge of the local network does reduce the attack surface significantly! DNS responses are then verified at the gateway, leaving only the hop between a client and the local resolver unvalidated.
Kudos to the team at IPFire for doing this work – and for the IPFire users who crowdfunded it!
P.S. Do you know of another firewall software distribution that we should add to our list on the plan for DNSSEC validation? Please do let us know as we’d definitely like to expand the list we have there. And if you don’t know much about DNSSEC, check out our “Start Here” page to learn how to get started…