
cacert-sysadm - Re: [Cacert-sysadm] [Fwd: Re: DNS Security Issue]

cacert-sysadm AT lists.cacert.org

Subject: CAcert System Admins discussion list

  • From: Wytze van der Raay <wytze AT deboca.net>
  • To: Philipp Guehring <philipp AT cacert.org>
  • Cc: CAcert System Administrators <cacert-sysadm AT lists.cacert.org>, Greg Stark <gstark AT electrorent.com>
  • Subject: Re: [Cacert-sysadm] [Fwd: Re: DNS Security Issue]
  • Date: Mon, 09 Mar 2009 08:33:45 +0100
  • List-archive: <http://lists.cacert.org/pipermail/cacert-sysadm>
  • List-id: CAcert System Admins discussion list <cacert-sysadm.lists.cacert.org>

On 03/08/2009 11:29 PM, Philipp Guehring wrote:
>>> There is certainly no lack of expertise here with operating a DNS service.
>>> As for security reasons: I don't know why CAcert is not running its own
>>> DNS service. There may be historical reasons which I don't know about.
>>> If we are to run our own DNS, I would consider this to be part of the
>>> critical services, together with web, database and signing.
>>> It would not immediately require a separate physical or logical server,
>>> but could be handled by the current web/db server. 
>
> I don't think that it's a good idea to add unnecessary services on our
> critical servers, since they impose additional security risks.

That's true in the sense that anything extra can only increase, not decrease,
the risks. However, the added risk of running a security-aware, up-to-date
version of nsd compared to already running outdated versions of Apache and
PHP4 seems a rather futile argument against it.

> If we really want to operate our own DNS service, we should do that on
> servers that do not cause additional security risks for our core
> infrastructure.

The DNS service will be *part of* the core infrastructure, but I agree
that using a separate server would be preferable. And in fact that is
what we are looking into now.

Best regards,
-- wytze

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature



