[Systems] DNSSEC

Sascha Silbe sascha-ml-reply-to-2010-3 at silbe.org
Sat Oct 9 11:42:22 EDT 2010


Excerpts from Bernie Innocenti's message of Sat Oct 09 14:17:55 +0200 2010:

> I finally implemented zone signing for sugarlabs.org and sugarlabs.net.

Yay!
The only drawback is that now we all need a copy of the secret keys on
all machines we're modifying DNS data from...

Personally I'd just make sure the DNS server (i.e. BIND) is
a) running as non-root (except during init, for binding to port 53) and
b) inside a chroot
and set up both permissions and file location of the secret keys in a
way that prevents BIND (and other services) from accessing them, but
allows the post-receive hook (that runs under the user account of whoever
pushed) to use them.

I somehow doubt all our desktops combined are less vulnerable than
lightwave running just a few high-value services.

Sascha

--
http://sascha.silbe.org/
http://www.infra-silbe.de/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: not available
URL: <http://lists.sugarlabs.org/private/systems/attachments/20101009/7e26591a/attachment.pgp>


More information about the Systems mailing list