Search domains in our environment (Proposal)

Jeffrey Ollie jeff at
Thu Dec 20 14:12:02 UTC 2007

On 12/19/07, Mike McGrath <mmcgrath at> wrote:
> I forgot to mention one other concern.  A MitM attack or DNS poisoning.
> This possibility does exist, but exists in our environment as is
> anyway.  This is something we should look at mitigating but other than
> running a DNS server at every site, I'm not totally sure how to fix it.
> I consider all of our donations as partnerships.  After all, they have
> local access to the box.  At the same time though it is something we
> should count as a risk and mitigate as much as possible.

I believe that DNSSEC is supposed to be the solution to the MitM/DNS
poisoning problem.  It's been a while since I messed with it, but with
DNSSEC your DNS entries get signed with a public key and then properly
configured systems will check the signatures on all lookups involving
fedora*.org.  Having this as a part of the standard setup in Fedora's
BIND package would be awesomely cool because then every Fedora machine
would be protected against someone spoofing their DNS and possibly
causing problems.

I've been meaning to set this up for my personal domain so I could
work on the details over the holiday break...
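To make the "properly configured systems will check the signatures" part concrete, here is an added example that is not code from this thread: a validating resolver reports a successful DNSSEC check by setting the AD (authenticated data) flag, which `dig` prints on its `flags:` line. The two captured answers below are constructed samples in `dig +dnssec` style (`www.example.org` stands in for a fedora*.org name, and the RRSIG body is a placeholder), and the functions only inspect that text, so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original thread): decide from a resolver's
# answer whether the DNSSEC signatures were actually validated.
# Both transcripts are constructed samples, not real dig output.

# Answer from a validating resolver: note "ad" among the flags.
VALIDATED_ANSWER=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
www.example.org.  300 IN A     192.0.2.10
www.example.org.  300 IN RRSIG A 7 3 300 (placeholder-signature-fields)'

# Answer from a resolver that does not validate: same A record, no "ad".
UNVALIDATED_ANSWER=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4343
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
www.example.org.  300 IN A     192.0.2.10'

# dnssec_validated ANSWER_TEXT
# Returns 0 when the "flags:" header line carries "ad", 1 otherwise.
# Only the flags line is consulted, so "ad" appearing inside a record
# name or elsewhere in the answer cannot produce a false positive.
dnssec_validated() {
    flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    case " $flags " in
        *" ad "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# has_rrsig ANSWER_TEXT
# Returns 0 when the answer contains an RRSIG record. Seeing one only
# shows the zone is signed; it does not show that anyone checked it.
has_rrsig() {
    printf '%s\n' "$1" | grep -q ' IN RRSIG '
}
```

The AD flag is set by the resolver, so it is only meaningful when the path between the host and that resolver cannot be tampered with; that is why validation on the host itself, or on a resolver at each site as the quoted message suggests, is what closes the spoofing gap rather than trusting a flag from an upstream server.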


