[Systems] DNSSEC

Bernie Innocenti bernie at codewiz.org
Sat Oct 9 13:40:21 EDT 2010


On Sat, 2010-10-09 at 17:42 +0200, Sascha Silbe wrote:
> Yay!
> The only drawback is that now we all need a copy of the secret keys on
> all machines we're modifying DNS data from..

Well, it's more granular than this: the codewiz.org keys need to be
only on my laptop, the ole.org keys belong only to Chris Rowe, the
paraguayeduca.org key belongs to their sysadmin...

...and sugarlabs.org? Well, there are just 3 admins listed in the wiki,
but Raul and Steven also have access. I think I'll lazily hand the key
to whoever needs to make changes. Note that DNSSEC keys can be *easily*
rolled over or replaced.

The situation is no worse than it is today, where everyone can change
everything.


> Personally I'd just make sure the DNS server (i.e. BIND) is
> a) running as non-root (except during init, for binding to port 53) and
> b) inside a chroot

Ok, this is already the case (both non-root and chroot).


> and set up both permissions and file location of the secret keys in a
> way that prevents BIND (and other services) from accessing them, but
> allows the post-receive hook (that runs under the user account of whoever
> pushed) to use them.

I'm ok with this plan if you can think of a scheme to keep everyone from
seeing all the keys... and implement it too :-)


> I somehow doubt all our desktops combined are less vulnerable than
> lightwave running just a few high-value services.

I agree, but if our desktops get compromised, lightwave is compromised
as well: our ssh keys are also there. Yes, ssh keys ought to be
encrypted, but we could encrypt the DNSSEC keys too.

There's no limit to paranoia, but the hard truth remains that any server
is only as secure as its sysadmin's laptop. The good news is that,
contrary to common wisdom, Linux clients are usually a lot more secure
than Linux servers: their attack surface approaches zero, they're
usually kept up to date by their owners and they spend most of the time
behind NAT gateways.

-- 
   // Bernie Innocenti - http://codewiz.org/
 \X/  Sugar Labs       - http://sugarlabs.org/
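As an added example (not code from this thread, from Sugar Labs, or from BIND), here is a POSIX shell audit for the scheme Sascha describes: the zone-signing keys live in a directory that the name server's account cannot read, while members of an admin group (the people whose post-receive hook pushes zone changes) can. The service user name, the admin group name, the key directory and the `K*.private` file naming are assumptions passed in by the caller; the script only reports, it changes nothing.

```shell
#!/bin/sh
# Added example: audit DNSSEC private-key file permissions so that the
# name-server account (e.g. "named"/"bind") cannot read them while the
# admin group that runs the post-receive hook still can.
# Assumptions (not from the thread): key files are named K*.private as
# dnssec-keygen produces them; POSIX find(1) and id(1) are available.

# _flag LABEL DIR FIND-TESTS...
# Print every *.private file under DIR matching FIND-TESTS, prefixed with
# LABEL. Returns 1 if anything matched, 0 otherwise.
_flag() {
    label=$1; dir=$2; shift 2
    hits=$(find "$dir" -type f -name '*.private' "$@" -print 2>/dev/null || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits" | while IFS= read -r f; do
        printf '%s: %s\n' "$label" "$f"
    done
    return 1
}

# check_key_perms KEYDIR SERVICE_USER ADMIN_GROUP
# Exit status 0 when every private key in KEYDIR is
#   - not owned by SERVICE_USER (owner can always read its own file),
#   - not world-readable,
#   - if group-readable, owned by ADMIN_GROUP and no other group.
# Offending files are listed on stdout, one per line.
check_key_perms() {
    keydir=$1; svc=$2; grp=$3
    rc=0
    # find(1) errors out on an unknown user name, so only test ownership
    # when the service account actually exists on this host.
    if id "$svc" >/dev/null 2>&1; then
        _flag "owned by service user $svc" "$keydir" -user "$svc" || rc=1
    fi
    _flag "world-readable" "$keydir" -perm -o+r || rc=1
    _flag "group-readable outside $grp" "$keydir" -perm -g+r ! -group "$grp" || rc=1
    return $rc
}

# Usage (hypothetical paths and names):
#   sh check_keys.sh /etc/bind/keys named dnsadmins
if [ "$#" -eq 3 ]; then
    check_key_perms "$1" "$2" "$3"
fi
```

Run it from the same post-receive hook before signing, or from cron on the server: a non-zero exit tells you that a key has drifted into a mode the chrooted, non-root BIND process (or anyone else on the box) could read, which is the condition the thread wants to rule out. Ownership by the service user is checked separately because a 0600 file owned by `named` is still fully readable by `named`.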