cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
- From: Wytze van der Raay <wytze AT deboca.net>
- To: Philipp Guehring <philipp AT cacert.org>
- Cc: CAcert System Administrators <cacert-sysadm AT lists.cacert.org>, Greg Stark <gstark AT electrorent.com>
- Subject: Re: [Cacert-sysadm] [Fwd: Re: DNS Security Issue]
- Date: Mon, 09 Mar 2009 08:33:45 +0100
- List-archive: <http://lists.cacert.org/pipermail/cacert-sysadm>
- List-id: CAcert System Admins discussion list <cacert-sysadm.lists.cacert.org>
On 03/08/2009 11:29 PM, Philipp Guehring wrote:
>>> There is certainly no lack of expertise here with operating a DNS service.
>>> As for security reasons: I don't know why CAcert is not running its own
>>> DNS service. There may be historical reasons which I don't know about.
>>> If we are to run our own DNS, I would consider this to be part of the
>>> critical services, together with web, database and signing.
>>> It would not immediately require a separate physical or logical server,
>>> but could be handled by the current web/db server.
>
> I don't think that it's a good idea to add unnecessary services on our
> critical servers, since they impose additional security risks.
That's true in the sense that anything extra can only increase, not decrease,
the risks. However, the added risk of running a security-aware up-to-date
version of nsd compared to already running outdated versions of Apache and
PHP4 seems a rather futile argument against it.
> If we really want to operate our own DNS service, we should do that on
> servers that do not cause additional security risks for our core
> infrastructure.
The DNS service will be *part of* the core infrastructure, but I agree
that using a separate server would be preferable. And in fact that is
what we are looking into now.
Best regards,
-- wytze
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature