Skip to Content.
Sympa Menu

cacert-sysadm - Re: [Cacert-sysadm] [Fwd: Re: DNS Security Issue]

cacert-sysadm AT lists.cacert.org

Subject: CAcert System Admins discussion list

List archive

Re: [Cacert-sysadm] [Fwd: Re: DNS Security Issue]


Chronological Thread 
  • From: "Ian G (Audit)" <iang AT cacert.org>
  • To: CAcert System Administrators <cacert-sysadm AT lists.cacert.org>
  • Cc: Philipp Guehring <philipp AT cacert.org>, Greg Stark <gstark AT electrorent.com>
  • Subject: Re: [Cacert-sysadm] [Fwd: Re: DNS Security Issue]
  • Date: Mon, 09 Mar 2009 12:29:49 +0100
  • Authentication-results: lists.cacert.org; dkim=neutral header.i= AT cacert.org; dkim-asp=none
  • List-archive: <http://lists.cacert.org/pipermail/cacert-sysadm>
  • List-id: CAcert System Admins discussion list <cacert-sysadm.lists.cacert.org>

On 8/3/09 23:29, Philipp Guehring wrote:
Hi,

There is certainly no lack of expertise here with operating a DNS service.
As for security reasons: I don't know why CAcert is not running its own
DNS service. There may be historical reasons which I don't know about.
If we are to run our own DNS, I would consider this to be part of the
critical services, together with web, database and signing.
It would not immediately require a separate physical or logical server,
but could be handled by the current web/db server.
I don't think that it's a good idea to add unnecessary services on our
critical servers, since they impose additional security risks.
If we really want to operate our own DNS service, we should do that on
servers that do not cause additional security risks for our core
infrastructure.


Wytze and I talked about the issue on Friday / Saturday, and the result was the below text in the SP. Now, looking at the SP text again with a few extra nights of sleep, there is some duplication and some cleanup required. But the essence is there: basically, the team leader may decide to put the DNS into the hands of others, or may not.

But whoever/wherever/however it is, it has to be documented, transparent and up to some standard. So, when I visit in early May, I'll be looking for that documentation. Right now the wiki has nothing on DNS (and the SP points at the wiki) so it would fall back to Wytze to run the DNS at a minimum. If he decides to run it elsewhere, I will be holding him to some doco and some standards, in a procedure doc.

As an aside, this applies to all outsourcing.

iang



https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html
===================
4.1.1.4. Outsourcing

Systems administration team leader may outsource non-critical components such as DNS servers. Outsourcing should be to Members who are Assurers, who have the appropriate technical knowledge, and are in good contact with team leader.
===================
9.6. Outsourcing

CAcert may at its option outsource critical components to other organisations, however this must not be a barrier to security. Outsourced arrangements must be transparent.

Any outsourcing arrangements must be documented. All arrangements must be:

    * subject to audit,
    * under this Policy and the Security Manual,
    * under Arbitration and DRP,
* with organisations that are Members of CAcert as organisational Members, and
    * under the spirit of the Principles of CAcert

Specifically, all involved personnel must be CAcert Assurers. Contracts should be written with the above in mind.
===================

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature




Archive powered by MHonArc 2.6.16.

Top of Page