How can I propose a Fedora Change, like encrypted DNS by default starting from live boot?

Thanks
I really want to ask you if i am allowed i want a small change to be implemented in f37
If it is possible to provide a encrypted dns in fedora by default.for out of the box security.

Everyone is allowed to request features, but the question really is who is going to do the necessary work. With Change proposals, the owners set out a plan of how they’re going to implement the change, for example.

So, you’re free to propose this, but you’ll need to either work on it yourself or at least find/convince people to work on it.

2 Likes

If i could i could have done that.

The process for submitting a Change proposal is in the Program Management documentation. If you have questions, feel free to email me or stop by the office hours that I hold weekly on Wednesdays at 9AM and 4PM Eastern (currently 1300 and 2000 UTC) in #fedora-meeting-1.

As Ankur said, you can’t submit a Change proposal as a feature request. If you don’t have the ability or interest to implement it yourself, you can post on the devel mailing list to seek collaborators.

1 Like

Yeh, a lot of us are in the same boat. The next best thing, when we’re unable to do things ourselves, is to convince people who can to spend their time working on it—and convincing people that our ideas are good enough so they spend their limited free time on it is usually the hardest bit in a volunteer community :slight_smile:

I understand that but i think it is easy and can be implemented if any one is interested please do it. If possible
Out of the box encrypted dns provide some shot of security

Here is a read
So i think it shoud be there in the os.

1 Like

I think more people will see it on the -devel list.

Additionally, if you know what component needs tweaking, then it’s even better to contact the maintainers of that package/spin/whatever and see what they say. Youcould even start by filing a bug against a package if this is something package specific.

While I applaud the desire to have this as a feature, this is not an ‘easy’ thing to implement. At the moment there are no discovery mechanisms which can be used to discover encrypted DNS resolvers (the IETF ADD working group is working on specs for that, but they are a long way from being deployment ready), so that means the user would have to supply the information necessary to make use of encrypted resolvers.

Next, there are at least three types of ‘encrypted DNS’ out there in the wild: DNS-over-HTTPS (DoH), DNS-over-TLS (DoT) and DNS-over-QUIC (DoQ). Work would need to be done to determine which packages in Fedora can even make use of these protocols, and then the results of that analysis would allow the implementers to decide which ones can be made available to the users of the Fedora systems.

Finally, unlike ‘regular’ DNS, encrypted DNS involves a trust relationship: the user of an encrypted DNS resolver must be able to validate that the resolver is the one they intended to use, and not a compromised or intermediate one. This requires the user to provide a name for the resolver (not just an IP address), so that the certificate provided by the resolver can be validated using the normal TLS validation processes.

All of these aspects of the problem, and likely many more, would be uncovered in the process of writing and discussing a Change proposal.

2 Likes

Yes sure i do that my self with systemd resolved.conf if you open that you could see there are 3 option to choose from we just need to unhash it by default and
Dnsovertls=true
That is all feature is already there just need tweek.
Sure there are other way to implement but i find it easy.
If anything wrong here apology for that.

It’s often the case that there are complicates beyond turning on a setting. Actually, I think, usually the case. We have lots of real users out in the world, and some of these things aren’t widely tested. We’ve done several DNS security-related improvements over the past decade and a lot of them have been kind of rough in actually landing.

That said, in this case… we actually do have a related change targetted at Fedora Linux 37:

https://fedoraproject.org/wiki/Changes/DNS_Over_TLS

1 Like

That is good but in most case it is not default but it is a nice change i would request it to be default i have seen this change in 35 36 also.
But i could not understand if it already implemented or not. Can you give me a better view what is this and will it be implemented in f37.

1 Like

While discussing this in another venue some additional concerns were raised about having Encrypted DNS enabled by default. One is that the system’s clock has to be reasonably close to correct, which can cause a chicken-and-egg issue if getting the clock correct requires using DNS to reach out to NTP servers :slight_smile:

Setting “DNSoverTLS=yes” in /etc/systemd/resolved.conf is not sufficient to actually ensure that encrypted DNS is used.

1 Like

True it need to be implemented correctly.
And i dont know about the issue in ntp server setting time could be a issue in edns.
I think i have to read about when i get some free time.

One major problem with using pki during install is that pki certificates typically expire. (Are only valid during a specific time window.)

A particular install media may be needed years after original release. And new/refurbished hardware very rarely has an accurate clock.

You can set the clock via ntp, but not if DNS is broken because certs don’t validate.

This chicken and Egg collision is a large reason why repos use plain http and gpg for package signing instead of relying on https.

I guess we could also hard code ntp servers by ip address, but I don’t like that idea.