Search domains in our environment (Proposal)
mmcgrath at redhat.com
Thu Dec 20 16:40:39 UTC 2007
Jeffrey Ollie wrote:
> On 12/19/07, Mike McGrath <mmcgrath at redhat.com> wrote:
>> I forgot to mention one other concern. A MitM attack or DNS poisoning.
>> This possibility does exist, but exists in our environment as is
>> anyway. This is something we should look at mitigating but other than
>> running a DNS server at every site, I'm not totally sure how to fix it.
>> I consider all of our donations as partnerships. After all, they have
>> local access to the box. At the same time though it is something we
>> should count as a risk and mitigate as much as possible.
> I believe that DNSSEC is supposed to be the solution to the MitM/DNS
> poisoning problem. It's been a while since I messed with it, but with
> DNSSEC your DNS entries get signed with a public key and then properly
> configured systems will check the signatures on all lookups involving
> fedora*.org. Having this as a part of the standard setup in Fedora's
> BIND package would be awesomely cool because then every Fedora machine
> would be protected against someone spoofing their DNS and possibly
> causing problems.
> I've been meaning to set this up for my personal domain so I could
> work on the details over the holiday break...
Also it appears that Paul Wouters is giving a session at FUDCon called
"Integrating DNSSEC -- Proposal and demonstration of DNSSEC aware