cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
List archive
- From: Philipp Guehring <philipp AT cacert.org>
- To: Wytze van der Raay <wytze AT deboca.net>
- Cc: CAcert System Administrators <cacert-sysadm AT lists.cacert.org>
- Subject: Re: [Cacert-sysadm] [Fwd: Re: DNS Security Issue]
- Date: Sun, 08 Mar 2009 02:49:01 +0100
- Authentication-results: lists.cacert.org; dkim=neutral header.i= AT cacert.org; dkim-asp=none
- List-archive: <http://lists.cacert.org/pipermail/cacert-sysadm>
- List-id: CAcert System Admins discussion list <cacert-sysadm.lists.cacert.org>
Hi,
> So tentatively going ahead at this moment:
>
> Two important questions to be resolved for CAcert's own DNS service:
>
> 1. Who is currently administrating the zone?
>
Georg Markus Kainz (kainz AT coto.at) and me.
> I've obtained the current zone information with an AXFR from one
> of the current DNS servers (just one of the four configured ones
> allowed me to do so ...). We need a central location (in SVN or so)
> where the required zone info is maintained. This could be under
> control of the critical sysadmin team, but it could also be another
> team. Propagating changes from the "master" copy to the actual
> running server should be under control of the critical sysadmin team.
>
> 2. Who should we approach for running a secondary service for the
> CAcert.org zone?
>
Matthias Urlichs (smurf AT smurf.noris.de) is doing that already.
> For proper DNS service, we need at least one, and preferably two,
> DNS servers on a different network than CAcert's to run secondary
> name service for CAcert.org. These servers will obtain the zone file
> through standard AXFR/IXFR protocol (protected by TSIG), but
> obviously they need to be considered trustworthy enough by CAcert
> to do so
Yes, we have allowed AXFR access on all DNS servers for
netz.smurf.noris.de. Matthias's DNS servers are retrieving the zone
regularly, backing it up, and can offer the zone on the whole DNS
cluster there in case of a complete outage of our primary DNS cluster.
> (In a distant future when the whole world runs DNSSEC,
> the trustworthiness would be less important since the digital
> signatures in the zone file would prove the authenticity, but as
> said that's distant ...).
>
Yes, shortly after HTTP will be secured by HTTPS. ;-)
Best regards,
Philipp
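The thread proposes keeping the authoritative copy of the zone in a central location (SVN) and letting secondaries pull it over AXFR. One control the critical sysadmin team would want on top of that is a drift check: parse the master copy and the copy a server actually hands out over AXFR, and report records that differ. The script below is an added example written for this archive page; it is not CAcert's tooling and not from anyone in the thread. It assumes BIND-style zone text on both sides (the AXFR side in the format `dig AXFR` prints), supports only the common directives (`$TTL`, `$ORIGIN`, parenthesised SOA, relative names), and the zone data at the bottom is constructed with documentation names and addresses, not CAcert's real zone.

```python
"""Detect drift between the master copy of a zone (for example the one kept in
SVN) and the copy a name server actually serves (for example obtained with
`dig @server zone AXFR`).  Added example, not CAcert code; sample zone data is
constructed."""

# rdata positions that hold domain names and therefore need the same
# relative-to-absolute normalisation as owner names
NAME_RDATA_SLOTS = {'NS': [0], 'CNAME': [0], 'PTR': [0], 'MX': [1], 'SOA': [0, 1]}
CLASSES = {'IN', 'CH', 'HS'}


def _absolute(name, origin):
    """Turn '@' or a relative name into a lower-cased absolute name."""
    if name == '@':
        return origin
    name = name.lower()
    return name if name.endswith('.') else name + '.' + origin


def _logical_lines(text):
    """Yield (indented, tokens) per logical line: strips ';' comments and joins
    parenthesised multi-line records (typically the SOA)."""
    buf, indented = [], False
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].rstrip()
        if not line.strip():
            continue
        if not buf:                      # first physical line of this record
            indented = line[0].isspace()  # indented => owner inherited
        buf.append(line)
        joined = ' '.join(buf)
        if joined.count('(') > joined.count(')'):
            continue                     # still inside parentheses
        yield indented, joined.replace('(', ' ').replace(')', ' ').split()
        buf = []


def parse_zone(text, origin):
    """Parse zone text into a set of (owner, ttl, type, rdata) tuples with
    absolute lower-cased names and whitespace-normalised rdata.  TTLs must be
    plain integers ($TTL 3600, not 1h); $INCLUDE/$GENERATE are ignored."""
    origin = origin.lower().rstrip('.') + '.'
    default_ttl = None
    owner = origin
    records = set()
    for indented, tokens in _logical_lines(text):
        if tokens[0] == '$TTL':
            default_ttl = int(tokens[1])
            continue
        if tokens[0] == '$ORIGIN':
            origin = tokens[1].lower().rstrip('.') + '.'
            continue
        if tokens[0].startswith('$'):
            continue
        if not indented:
            owner = _absolute(tokens.pop(0), origin)
        ttl = default_ttl
        for _ in range(2):  # optional TTL and class, in either order
            if tokens and tokens[0].isdigit():
                ttl = int(tokens.pop(0))
            elif tokens and tokens[0].upper() in CLASSES:
                tokens.pop(0)
        rtype = tokens.pop(0).upper()
        rdata = tokens
        for i in NAME_RDATA_SLOTS.get(rtype, []):
            if i < len(rdata):
                rdata[i] = _absolute(rdata[i], origin)
        records.add((owner, ttl, rtype, ' '.join(rdata)))
    return records


def soa_serial(records):
    """Return the SOA serial from a parsed record set, or None."""
    for _owner, _ttl, rtype, rdata in records:
        if rtype == 'SOA':
            return int(rdata.split()[2])
    return None


def zone_drift(master_text, served_text, origin):
    """Compare master and served copies; 'missing' = in master but not served,
    'unexpected' = served but not in master (the interesting case for a
    compromised or stale server)."""
    master = parse_zone(master_text, origin)
    served = parse_zone(served_text, origin)
    return {
        'missing': sorted(master - served, key=str),
        'unexpected': sorted(served - master, key=str),
        'master_serial': soa_serial(master),
        'served_serial': soa_serial(served),
    }


# Constructed sample: the master copy as it might sit in SVN ...
MASTER_ZONE = """$TTL 3600
$ORIGIN example.test.
@       IN  SOA ns1 hostmaster (
            2009030701  ; serial
            7200 900 1209600 3600 )
        IN  NS  ns1
        IN  NS  ns2.secondary.test.
ns1     IN  A   192.0.2.1
www         A   192.0.2.10
"""

# ... and the same zone as a server handed it out over AXFR (dig prints the
# SOA twice and every name absolute).  The ftp record is the planted drift.
SERVED_ZONE = """example.test.\t3600\tIN\tSOA\tns1.example.test. hostmaster.example.test. 2009030701 7200 900 1209600 3600
example.test.\t3600\tIN\tNS\tns1.example.test.
example.test.\t3600\tIN\tNS\tns2.secondary.test.
ns1.example.test.\t3600\tIN\tA\t192.0.2.1
www.example.test.\t3600\tIN\tA\t192.0.2.10
ftp.example.test.\t3600\tIN\tA\t198.51.100.7
example.test.\t3600\tIN\tSOA\tns1.example.test. hostmaster.example.test. 2009030701 7200 900 1209600 3600
"""

if __name__ == '__main__':
    report = zone_drift(MASTER_ZONE, SERVED_ZONE, 'example.test')
    print('serial master/served:', report['master_serial'], report['served_serial'])
    for label in ('missing', 'unexpected'):
        for rec in report[label]:
            print(label.upper(), *rec)
```

Note that an unchanged SOA serial does not prove the served data matches the master, which is exactly why the comparison is done record by record rather than by serial alone: a server whose zone was edited in place, or that loaded a stale file, can serve a "current" serial with different contents.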
- [Cacert-sysadm] [Fwd: Re: DNS Security Issue], Teus Hagen, 03/03/2009
- Re: [Cacert-sysadm] [Fwd: Re: DNS Security Issue], Evaldo Gardenali, 03/04/2009
- Re: [Cacert-sysadm] [Fwd: Re: DNS Security Issue], Wytze van der Raay, 03/06/2009
- Re: [Cacert-sysadm] [Fwd: Re: DNS Security Issue], Ian G (Audit), 03/06/2009
- Re: [Cacert-sysadm] [Fwd: Re: DNS Security Issue], Philipp Guehring, 03/08/2009
- Re: [Cacert-sysadm] [Fwd: Re: DNS Security Issue], Philipp Guehring, 03/08/2009
- Re: [Cacert-sysadm] [Fwd: Re: DNS Security Issue], Wytze van der Raay, 03/09/2009
- Re: [Cacert-sysadm] [Fwd: Re: DNS Security Issue], Ian G (Audit), 03/09/2009