cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
List archive
- From: Wytze van der Raay <wytze AT deboca.net>
- To: CAcert System Administrators <cacert-sysadm AT lists.cacert.org>
- Subject: Re: [Cacert-sysadm] [Fwd: Re: DNS Security Issue]
- Date: Fri, 06 Mar 2009 13:06:26 +0100
- List-archive: <http://lists.cacert.org/pipermail/cacert-sysadm>
- List-id: CAcert System Admins discussion list <cacert-sysadm.lists.cacert.org>
On 03/03/2009 12:34 PM, Teus Hagen wrote:
> I think the crit. system admin can go ahead. Give board a week to use
> possible veto right.
So tentatively going ahead at this moment:
Two important questions to be resolved for CAcert's own DNS service:
1. Who is currently administrating the zone?
I've obtained the current zone information with an AXFR from one
of the current DNS servers (just one of the four configured ones
allowed me to do so ...). We need a central location (in SVN or so)
where the required zone info is maintained. This could be under
control of the critical sysadmin team, but it could also be another
team. Propagating changes from the "master" copy to the actual
running server should be under control of the critical sysadmin team.
2. Who should we approach for running a secondary service for the
CAcert.org zone?
For proper DNS service, we need at least one, and preferably two,
DNS servers on a different network than CAcert's to run secondary
name service for CAcert.org. These servers will obtain the zone file
through standard AXFR/IXFR protocol (protected by TSIG), but
obviously they need to be considered trustworthy enough by CAcert
to do so (in a distant future when the whole world runs DNSSEC,
the trustworthiness would be less important since the digital
signatures in the zone file would prove the authenticity, but as
said that's distant ...).
Regards,
-- wytze
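
How TSIG authenticates the AXFR request mentioned in the message above, as an added example that is not part of the original e-mail or of CAcert's configuration: a simplified request MAC in the style of RFC 8945 with HMAC-SHA256. The key name, secret, zone and timestamp are constructed placeholders, and the helper names are hypothetical.

```python
import hashlib
import hmac
import struct

def wire_name(name):
    """Encode a domain name in lowercase DNS wire format."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def axfr_query(zone, msg_id=0x1234):
    """Build a bare AXFR question (QTYPE 252, class IN), before any TSIG RR."""
    header = struct.pack("!6H", msg_id, 0, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", 252, 1)

def tsig_mac(secret, message, key_name, time_signed, fudge):
    """HMAC-SHA256 over the request followed by the TSIG variables."""
    variables = (wire_name(key_name)
                 + struct.pack("!HI", 255, 0)         # CLASS ANY, TTL 0
                 + wire_name("hmac-sha256")           # algorithm name
                 + time_signed.to_bytes(6, "big")     # 48-bit time signed
                 + struct.pack("!3H", fudge, 0, 0))   # fudge, error, other len
    return hmac.new(secret, message + variables, hashlib.sha256).digest()

def tsig_verify(secret, message, key_name, time_signed, fudge, mac, now):
    """Receiver-side check: MAC first, then the clock window."""
    expected = tsig_mac(secret, message, key_name, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"      # wrong key or altered request
    if abs(now - time_signed) > fudge:
        return "BADTIME"     # stale or replayed request
    return "NOERROR"

# Constructed sample values (assumptions, not a real key or zone).
SECRET = b"constructed-demo-secret-32-bytes"
KEY_NAME = "xfer-key.example.org."
SIGNED_AT = 1236340000

if __name__ == "__main__":
    query = axfr_query("example.org")
    mac = tsig_mac(SECRET, query, KEY_NAME, SIGNED_AT, 300)
    for label, args in [
        ("secondary with shared key", (SECRET, query, SIGNED_AT + 10)),
        ("client without the key", (b"guess", query, SIGNED_AT + 10)),
        ("replay after the fudge window", (SECRET, query, SIGNED_AT + 301)),
    ]:
        key, msg, now = args
        print(label, "->", tsig_verify(key, msg, KEY_NAME, SIGNED_AT, 300, mac, now))
```

A real implementation carries the MAC in a TSIG record appended to the additional section; the MAC only authenticates the transfer, so the secondary holding the shared key still has to be trusted with the zone data.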