[Systems] DNSSEC, SOA (was: Re: [Systems-logs] [DNS] Sugar Labs DNS zone data branch, master, updated. 120de113578fbcae14b8363dcd07d3f07abc2655)

Bernie Innocenti bernie at codewiz.org
Sun Sep 5 19:16:13 EDT 2010


On Sun, 05-09-2010 at 12:06 +0200, Sascha Silbe wrote:
> I've seen you're putting the post-processed (i.e. signed) zones in git
> (for codewiz.org). If we have the keys in git (and thus on lightwave)
> anyway, how about we do the signing automatically on lightwave and
> only store the source files in git?

This was *especially* intended to avoid storing the private keys on
lightwave or in git.

This way, while multiple people can have access to the same DNS
configuration files, only I could make changes to codewiz.org and only
the Sugar Labs hostmasters could make changes to sugarlabs.org. Not even
the master DNS would have to be trusted.

Of course this sort of security relies on DNSSEC being widely deployed,
which won't be true for a few more years.


> And since we don't seem to be switching to tinydns format, what do you
> think about automatically creating the SOA to avoid the need for bumping
> the serial number (which we all keep forgetting to do)?

This is a good idea: we could have a little script that automates the
entire procedure:

 * update SOA
 * sign the zone
 * commit changes
 * push changes

-- 
   // Bernie Innocenti - http://codewiz.org/
 \X/  Sugar Labs       - http://sugarlabs.org/
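The four steps Bernie lists, written out as an added example in POSIX shell (this is not code from the thread or from Sugar Labs' own tooling). It assumes a BIND-style zone file whose SOA serial is the first field of a line carrying a "; serial" comment, the YYYYMMDDnn serial convention, and that the zone name, zone path and key directory passed to `release` are the operator's own; `next_serial`, `bump_serial` and `release` are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the thread: automate "update SOA, sign the
# zone, commit, push" for a BIND-style zone file. It is meant to run on the
# key holder's own machine, so the private keys never reach the shared
# server or the git repository. Assumed zone layout: the SOA serial is the
# first field of a line carrying a "; serial" comment, in YYYYMMDDnn form.

# Print the serial that follows $1 (current serial) on day $2 (YYYYMMDD):
# the first change of a day yields YYYYMMDD01, later changes add one, and a
# serial already ahead of today's date keeps counting up so the value stays
# strictly increasing (that ordering is all secondaries compare, RFC 1982).
next_serial() {
    base=$(( $2 * 100 ))
    if [ "$1" -lt "$base" ]; then
        echo $(( base + 1 ))
    else
        echo $(( $1 + 1 ))
    fi
}

# Rewrite the serial in zone file $1 for day $2 and print the new value.
bump_serial() {
    cur=$(awk '/; *serial/ && $1 ~ /^[0-9]+$/ { print $1; exit }' "$1")
    [ -n "$cur" ] || { echo "$1: no '; serial' line found" >&2; return 1; }
    new=$(next_serial "$cur" "$2")
    awk -v o="$cur" -v n="$new" \
        '!done && /; *serial/ && $1 == o { sub(o, n); done = 1 } { print }' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    echo "$new"
}

# Whole procedure for zone $1 kept in file $2, with DNSSEC keys in directory
# $3 (keep that directory outside the checkout). dnssec-signzone writes
# $2.signed; both the unsigned source and the signed zone are committed.
release() {
    serial=$(bump_serial "$2" "$(date +%Y%m%d)") || return 1
    dnssec-signzone -K "$3" -o "$1" "$2" || return 1
    git add "$2" "$2.signed" &&
    git commit -m "$1: bump serial to $serial and re-sign" &&
    git push
}

# Usage, after sourcing this file (paths are placeholders):
#   release sugarlabs.org zones/sugarlabs.org "$HOME/dnssec-keys/sugarlabs.org"
```

Recent dnssec-signzone can also renumber the serial of the signed output itself (`-N increment`), but that leaves the unsigned source in git behind, which is why the script bumps the source file first.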