
cacert-sysadm - Re: [Cacert-sysadm] [Fwd: Re: DNS Security Issue]

cacert-sysadm AT lists.cacert.org

Subject: CAcert System Admins discussion list

  • From: Evaldo Gardenali <evaldo AT gardenali.biz>
  • To: teus AT theunis.org
  • Cc: CAcert System Administrators <cacert-sysadm AT lists.cacert.org>, Greg Stark <gstark AT electrorent.com>
  • Subject: Re: [Cacert-sysadm] [Fwd: Re: DNS Security Issue]
  • Date: Wed, 04 Mar 2009 13:51:42 -0300
  • List-archive: <http://lists.cacert.org/pipermail/cacert-sysadm>
  • List-id: CAcert System Admins discussion list <cacert-sysadm.lists.cacert.org>

Go ahead!

Teus Hagen wrote:
FYI

I think the crit. system admin can go ahead. Give board a week to use
possible veto right.

teus

------------------------------------------------------------------------

Subject: Re: DNS Security Issue
From: Teus Hagen <teus AT theunis.org>
Date: Tue, 03 Mar 2009 12:21:45 +0100
To: "'CAcert Board'" <cacert-board AT lists.cacert.org>
CC: Wytze van der Raay <wytze AT cacert.org>, Philipp Gühring <philipp AT cacert.org>, Mendel Mobach <mendel AT mobach.nl>


Proposal initiated by Greg is: CAcert should look into running own DNS
service.
Crit tech team says: We can and if needed we should run this.
Tech team suggests to run DNSsec as soon as possible.

Board to agree with this?
My input: yes and certainly DNSsec falls into the category where CAcert
should be in front.

So two (board has seven members) feedbacks are there now from the board
which say: OK
If no vetoes are sent from board members this week I would say go ahead.

Can crit. team look into this and take the lead? If board decisions are
needed on this issue please forward that to the board.

teus

On 03/03/2009 10:23 AM, Wytze van der Raay wrote:

Teus Hagen wrote:
Better to forward this question to the tech. team?

On 03/03/2009 02:50 AM, Greg Stark wrote:
Philipp, Guillaume, Evaldo, & Teus,
Is there a technical (lack of expertise) or security reason we do not
operate our own DNS service?  If there are none, then I would recommend that
we do so.

There is certainly no lack of expertise here with operating a DNS service.
As for security reasons: I don't know why CAcert is not running its own
DNS service. There may be historical reasons which I don't know about.
If we are to run our own DNS, I would consider this to be part of the
critical services, together with web, database and signing.
It would not immediately require a separate physical or logical server,
but could be handled by the current web/db server. Of course for future
expansion, splitting it off to a separate server would be easy.
In the future, we should also be running DNSSEC for CACert.org
(which adds some key management work and adds some load due to the
underlying cryptography). .ORG is introducing DNSSEC right now, and
general availability for .org zones is scheduled for next year (2010).

Best regards,
-- wytze
------------------------------------------------------------------------
