sascha-ml-reply-to-2010-3 at silbe.org
Sat Oct 9 11:42:22 EDT 2010
Excerpts from Bernie Innocenti's message of Sat Oct 09 14:17:55 +0200 2010:
> I finally implemented zone signing for sugarlabs.org and sugarlabs.net.
The only drawback is that now we all need a copy of the secret keys on
all machines we're modifying DNS data from...
Personally I'd just make sure the DNS server (i.e. BIND) is
a) running as non-root (except during init, for binding to port 53) and
b) inside a chroot
and set up both permissions and file location of the secret keys in a
way that prevents BIND (and other services) from accessing them, but
allows the post-receive hook (that runs under the user account of whoever
pushed) to use them.
I somehow doubt all our desktops combined are less vulnerable than
lightwave running just a few high-value services.
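The permission split Sascha proposes (BIND and other services locked out of the signing keys, the post-receive hook, running as whoever pushed, let in) is easy to get subtly wrong, for example by leaving a world-searchable directory or a group the daemon also belongs to. The following is an added example, not code from this thread or from Sugar Labs' infrastructure: a small model of Unix discretionary access control that audits a proposed key layout before it is applied to a real server. The directory /etc/bind/keys, the group dns-signers, the user names and the key file name are assumptions constructed for the example; only the zone name sugarlabs.org comes from the thread.

```python
"""Audit a DNSSEC key-file layout against the policy from the thread:
the DNS daemon and unrelated users must not read the keys, pushers must.
All users, groups, paths and modes below are constructed for this example."""
import stat
from dataclasses import dataclass

# Group ids used throughout (constructed).
GID_ROOT, GID_BIND, GID_DNS_SIGNERS, GID_USERS = 0, 53, 1001, 100


@dataclass(frozen=True)
class User:
    name: str
    uid: int
    gids: frozenset   # primary plus supplementary group ids


@dataclass(frozen=True)
class Node:
    """A file or directory: owner, group and permission bits only."""
    path: str
    uid: int
    gid: int
    mode: int         # e.g. 0o640


def _bits(user, node):
    """Select the rwx triplet that Unix DAC applies to this user/node pair."""
    if user.uid == node.uid:
        return (node.mode & stat.S_IRWXU) >> 6
    if node.gid in user.gids:
        return (node.mode & stat.S_IRWXG) >> 3
    return node.mode & stat.S_IRWXO


def can_read_path(user, parents, leaf):
    """True if `user` can open `leaf` for reading: every parent directory must
    grant search (x) and the file itself must grant read (r).
    root (uid 0) bypasses DAC, as it does on a real system."""
    if user.uid == 0:
        return True
    if any(not (_bits(user, d) & 0o1) for d in parents):
        return False
    return bool(_bits(user, leaf) & 0o4)


def audit_key_layout(parents, keys, daemon, signers, bystanders):
    """Return a list of policy violations (empty list means the layout is fine)."""
    problems = []
    for key in keys:
        if can_read_path(daemon, parents, key):
            problems.append(f"{daemon.name} can read {key.path}")
        for u in bystanders:
            if can_read_path(u, parents, key):
                problems.append(f"unrelated user {u.name} can read {key.path}")
        for u in signers:
            if not can_read_path(u, parents, key):
                problems.append(f"signer {u.name} cannot read {key.path}")
        if key.mode & stat.S_IROTH:
            problems.append(f"{key.path} is world-readable (mode {key.mode:o})")
    return problems


# Constructed principals: the daemon, one pusher, one unrelated account.
ROOT = User("root", 0, frozenset({GID_ROOT}))
BIND = User("bind", 53, frozenset({GID_BIND}))
SASCHA = User("sascha", 1000, frozenset({GID_USERS, GID_DNS_SIGNERS}))
GUEST = User("guest", 1002, frozenset({GID_USERS}))

# Hypothetical paths; the key file name follows the usual K<zone>+<alg>+<id> pattern.
ETC_BIND = Node("/etc/bind", 0, GID_BIND, 0o755)
KEY_PATH = "/etc/bind/keys/Ksugarlabs.org.+008+12345.private"


def good_layout():
    """Keys dir root:dns-signers 0750, key root:dns-signers 0640."""
    keys_dir = Node("/etc/bind/keys", 0, GID_DNS_SIGNERS, 0o750)
    keys = [Node(KEY_PATH, 0, GID_DNS_SIGNERS, 0o640)]
    return audit_key_layout([ETC_BIND, keys_dir], keys, BIND, [SASCHA], [GUEST])


def sloppy_layout():
    """Keys dir 0755 and key root:bind 0644: the daemon and everyone else can read it."""
    keys_dir = Node("/etc/bind/keys", 0, GID_BIND, 0o755)
    keys = [Node(KEY_PATH, 0, GID_BIND, 0o644)]
    return audit_key_layout([ETC_BIND, keys_dir], keys, BIND, [SASCHA], [GUEST])


if __name__ == "__main__":
    print("good layout:", good_layout() or "no problems")
    print("sloppy layout:", *sloppy_layout(), sep="\n  ")
```

The model covers file permissions only. The two other points in the message are outside it: BIND's brief root phase at startup is not stopped by any mode bits (root bypasses DAC, as the code reflects), and a chroot helps here only if the keys are kept outside the chroot tree altogether, so they are simply not visible to the daemon once it has dropped privileges.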