11-21-2009, 04:05 AM
Mike McGrath

DNSSEC and Geodns

On Fri, 20 Nov 2009, Jeffrey Ollie wrote:

> On Fri, Nov 20, 2009 at 10:30 PM, Mike McGrath <mmcgrath@redhat.com> wrote:
> > On Fri, 20 Nov 2009, Jeffrey Ollie wrote:
> >
> >> On Fri, Nov 20, 2009 at 10:09 PM, Mike McGrath <mmcgrath@redhat.com> wrote:
> >> >
> >> > So, for example 'fedoraproject.org' wouldn't be signed, but
> >> > 'us.fedoraproject.org' would be? I *think* that's possible but I haven't
> >> > gotten it to work. If I can get that to work though I guess that makes
> >> > sense because A) it'd work for now and B) I'm sure over time pdns's dnssec
> >> > will continue to mature.
> >>
> >> No, that wouldn't really work, because then you couldn't trust lookups
> >> from the fedoraproject.org zone, which would include delegations to
> >> the subdomains, the main website itself, MX records, etc.
> >>
> >
> > But if fedoraproject.org pointed to some place that wasn't signed or was
> > signed incorrectly, wouldn't that fail?
>
> fedoraproject.org can't be a CNAME because it has other records like
> MX, NS, SOA, etc. We'd have to switch to using
> 'www.fedoraproject.org' which could be a CNAME into an unsigned
> subzone.
>
> But then you'd still have the problem of relying on an unsigned zone
> serving up DNS data, eventually no one is going to trust it.
>

At this very moment, what is dnssec buying us?

-Mike

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
 
11-21-2009, 04:24 AM
Nigel Jones

DNSSEC and Geodns

At the moment? Nothing.

On 21/11/2009, Mike McGrath <mmcgrath@redhat.com> wrote:
> On Fri, 20 Nov 2009, Jeffrey Ollie wrote:
>
>> On Fri, Nov 20, 2009 at 10:30 PM, Mike McGrath <mmcgrath@redhat.com>
>> wrote:
>> > On Fri, 20 Nov 2009, Jeffrey Ollie wrote:
>> >
>> >> On Fri, Nov 20, 2009 at 10:09 PM, Mike McGrath <mmcgrath@redhat.com>
>> >> wrote:
>> >> >
>> >> > So, for example 'fedoraproject.org' wouldn't be signed, but
>> >> > 'us.fedoraproject.org' would be? I *think* that's possible but I
>> >> > haven't
>> >> > gotten it to work. If I can get that to work though I guess that
>> >> > makes
>> >> > sense because A) it'd work for now and B) I'm sure over time pdns's
>> >> > dnssec
>> >> > will continue to mature.
>> >>
>> >> No, that wouldn't really work, because then you couldn't trust lookups
>> >> from the fedoraproject.org zone, which would include delegations to
>> >> the subdomains, the main website itself, MX records, etc.
>> >>
>> >
>> > But if fedoraproject.org pointed to some place that wasn't signed or was
>> > signed incorrectly, wouldn't that fail?
>>
>> fedoraproject.org can't be a CNAME because it has other records like
>> MX, NS, SOA, etc. We'd have to switch to using
>> 'www.fedoraproject.org' which could be a CNAME into an unsigned
>> subzone.
>>
>> But then you'd still have the problem of relying on an unsigned zone
>> serving up DNS data, eventually no one is going to trust it.
>>
>
> At this very moment, what is dnssec buying us?
>
> -Mike

--
Sent from my mobile device

-- Nigel Jones

 
11-21-2009, 04:27 AM
Nigel Jones

DNSSEC and Geodns

Actually it does buy us some trust but as the roots aren't signed it's
fairly moot.

On 21/11/2009, Nigel Jones <dev@nigelj.com> wrote:
> At the moment? Nothing.
>
> On 21/11/2009, Mike McGrath <mmcgrath@redhat.com> wrote:
>> On Fri, 20 Nov 2009, Jeffrey Ollie wrote:
>>
>>> On Fri, Nov 20, 2009 at 10:30 PM, Mike McGrath <mmcgrath@redhat.com>
>>> wrote:
>>> > On Fri, 20 Nov 2009, Jeffrey Ollie wrote:
>>> >
>>> >> On Fri, Nov 20, 2009 at 10:09 PM, Mike McGrath <mmcgrath@redhat.com>
>>> >> wrote:
>>> >> >
>>> >> > So, for example 'fedoraproject.org' wouldn't be signed, but
>>> >> > 'us.fedoraproject.org' would be? I *think* that's possible but I
>>> >> > haven't
>>> >> > gotten it to work. If I can get that to work though I guess that
>>> >> > makes
>>> >> > sense because A) it'd work for now and B) I'm sure over time pdns's
>>> >> > dnssec
>>> >> > will continue to mature.
>>> >>
>>> >> No, that wouldn't really work, because then you couldn't trust
>>> >> lookups
>>> >> from the fedoraproject.org zone, which would include delegations to
>>> >> the subdomains, the main website itself, MX records, etc.
>>> >>
>>> >
>>> > But if fedoraproject.org pointed to some place that wasn't signed or
>>> > was
>>> > signed incorrectly, wouldn't that fail?
>>>
>>> fedoraproject.org can't be a CNAME because it has other records like
>>> MX, NS, SOA, etc. We'd have to switch to using
>>> 'www.fedoraproject.org' which could be a CNAME into an unsigned
>>> subzone.
>>>
>>> But then you'd still have the problem of relying on an unsigned zone
>>> serving up DNS data, eventually no one is going to trust it.
>>>
>>
>> At this very moment, what is dnssec buying us?
>>
>> -Mike
>
> --
> Sent from my mobile device
>
> -- Nigel Jones
>

--
Sent from my mobile device

-- Nigel Jones
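
The trust argument in this thread (a signed subzone under an unsigned parent, an unsigned root, and a CNAME from a signed zone into an unsigned subzone) can be modelled in a few lines. This is an added example, not part of the original messages or of any project's code; the function names `status` and `answer_status`, the `geo.fedoraproject.org.` subzone and all zone data are constructed assumptions, and the model only distinguishes secure from insecure, which is coarser than a real validator.

```python
# Added example: simplified DNSSEC chain-of-trust model (secure vs. insecure only).
# All zone data below is constructed for illustration; it is not real DNS data.

def labels_up(name):
    """Yield name and each ancestor up to the root: a.b. -> a.b., b., ."""
    name = name.lower().rstrip(".") + "."
    while name != ".":
        yield name
        name = name.split(".", 1)[1] or "."
    yield "."

def status(name, zones, anchors):
    """'secure' if an unbroken signed chain links a trust anchor to name's zone."""
    path = [z for z in labels_up(name) if z in zones]  # enclosing zones, closest first
    for i, zone in enumerate(path):
        if zone in anchors:
            # The anchored zone must be signed, and every zone below it must be
            # signed and have a DS record published by its parent.
            chain_ok = zones[zone]["signed"] and all(
                zones[z]["signed"] and zones[z]["ds"] for z in path[:i])
            return "secure" if chain_ok else "insecure"
    return "insecure"  # no trust anchor at or above this name

def answer_status(name, cnames, zones, anchors):
    """Follow CNAMEs; the final answer is only as trustworthy as its weakest link."""
    seen = set()
    while name not in seen:
        seen.add(name)
        if status(name, zones, anchors) != "secure":
            return "insecure"
        if name not in cnames:
            return "secure"
        name = cnames[name]
    return "insecure"  # CNAME loop

def z(signed, ds):
    return {"signed": signed, "ds": ds}

# Constructed case 1: only the subzone is signed; root and apex are not.
SPLIT = {".": z(False, False), "org.": z(False, False),
         "fedoraproject.org.": z(False, False),
         "us.fedoraproject.org.": z(True, False)}

# Constructed case 2: everything signed from the root down, except one subzone.
FULL = {".": z(True, False), "org.": z(True, True),
        "fedoraproject.org.": z(True, True),
        "us.fedoraproject.org.": z(True, True),
        "geo.fedoraproject.org.": z(False, False)}
CNAMES = {"www.fedoraproject.org.": "www.geo.fedoraproject.org."}
```

In the `SPLIT` case a resolver gains nothing unless it is configured with a trust anchor for the subzone itself, and even then records at the apex (MX, NS, delegations) stay unvalidated; in the `FULL` case the CNAME into the unsigned subzone makes the final answer insecure even though the `www` record is signed.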

 
