Search domains in our environment (Proposal)

Mike McGrath mmcgrath at
Thu Dec 20 14:41:08 UTC 2007

Jeffrey Ollie wrote:
> On 12/19/07, Mike McGrath <mmcgrath at> wrote:
>> I forgot to mention one other concern.  A MitM attack or DNS poisoning.
>> This possibility does exist, but exists in our environment as is
>> anyway.  This is something we should look at mitigating but other than
>> running a DNS server at every site, I'm not totally sure how to fix it.
>> I consider all of our donations as partnerships.  After all, they have
>> local access to the box.  At the same time though it is something we
>> should count as a risk and mitigate as much as possible.
> I believe that DNSSEC is supposed to be the solution to the MitM/DNS
> poisoning problem.  It's been a while since I messed with it, but with
> DNSSEC your DNS entries get signed with a public key and then properly
> configured systems will check the signatures on all lookups involving
> fedora*.org.  Having this as a part of the standard setup in Fedora's
> BIND package would be awesomely cool because then every Fedora machine
> would be protected against someone spoofing their DNS and possibly
> causing problems.
> I've been meaning to set this up for my personal domain so I could
> work on the details over the holiday break...

If you find a solution that might work for us while you're setting it up 
let us know, its certainly an avenue worth looking at.


More information about the Fedora-infrastructure-list mailing list