DNSSEC and Geodns
Jeffrey Ollie
jeff at ocjtech.us
Sat Nov 21 04:34:20 UTC 2009
On Fri, Nov 20, 2009 at 10:30 PM, Mike McGrath <mmcgrath at redhat.com> wrote:
> On Fri, 20 Nov 2009, Jeffrey Ollie wrote:
>
>> On Fri, Nov 20, 2009 at 10:09 PM, Mike McGrath <mmcgrath at redhat.com> wrote:
>> >
>> > So, for example 'fedoraproject.org' wouldn't be signed, but
>> > 'us.fedoraproject.org' would be? I *think* that's possible but I haven't
>> > gotten it to work. If I can get that to work though I guess that makes
>> > sense because A) it'd work for now and B) I'm sure over time pdns's dnssec
>> > will continue to mature.
>>
>> No, that wouldn't really work, because then you couldn't trust lookups
>> from the fedoraproject.org zone, which would include delegations to
>> the subdomains, the main website itself, MX records, etc.
>>
>
> But if fedoraproject.org pointed to some place that wasn't signed or was
> signed incorrectly, wouldn't that fail?
fedoraproject.org can't be a CNAME because it has other records like
MX, NS, SOA, etc. We'd have to switch to using
'www.fedoraproject.org' which could be a CNAME into an unsigned
subzone.
But then you'd still have the problem of relying on an unsigned zone
serving up DNS data; eventually no one is going to trust it.
--
Jeff Ollie
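The two constraints Jeff describes (a CNAME cannot coexist with the SOA/NS/MX records a zone apex must carry, and following a CNAME out of a signed zone into an unsigned one leaves the final answer unauthenticated) as a small model in Python. This is an added example, not code from the thread, from PowerDNS or from Fedora infrastructure; the zone contents, the `Zone` class and the helper functions are constructed for illustration, and the trust-anchor set stands in for a DS record that would normally be published in the parent zone.

```python
"""Toy model of the two DNS constraints raised in the thread (added example).

1. A CNAME cannot share an owner name with other record types (RFC 1034
   section 3.6.2, RFC 2181 section 10.1), so an apex carrying SOA, NS and
   MX records cannot be a CNAME.
2. A validating resolver that follows a CNAME out of a signed zone into an
   unsigned zone cannot authenticate the final answer, and a signed child
   under an unsigned parent has no chain of trust either.
Zone data below is constructed; no real DNS queries are made.
"""
from dataclasses import dataclass, field


@dataclass
class Zone:
    """Constructed zone: owner name -> {rrtype: rdata}, plus the names of
    child zones this zone publishes a DS record for (secure delegation)."""
    name: str
    signed: bool
    records: dict
    ds_for: set = field(default_factory=set)


def cname_conflicts(records):
    """Owner names at which a CNAME coexists with other record types."""
    return [owner for owner, rrsets in records.items()
            if "CNAME" in rrsets and len(rrsets) > 1]


def find_zone(zones, name, exclude=None):
    """Longest-suffix match: the zone authoritative for `name`."""
    best = None
    for zone in zones:
        if zone is exclude:
            continue
        if name == zone.name or name.endswith("." + zone.name):
            if best is None or len(zone.name) > len(best.name):
                best = zone
    return best


def zone_is_trusted(zones, zone, trust_anchors):
    """A zone is trusted if it is signed and is either a configured trust
    anchor or securely delegated (DS record) from a trusted parent."""
    if not zone.signed:
        return False
    if zone.name in trust_anchors:
        return True
    parent = find_zone(zones, zone.name, exclude=zone)
    return (parent is not None
            and zone.name in parent.ds_for
            and zone_is_trusted(zones, parent, trust_anchors))


def validation_status(zones, name, rrtype, trust_anchors):
    """Resolve name/rrtype, chasing CNAMEs across zones, and report
    ("secure" | "insecure" | "nxdomain", final_name). Once any zone on the
    path is untrusted, the final answer can only be insecure."""
    status, seen = "secure", set()
    while name not in seen:
        seen.add(name)
        zone = find_zone(zones, name)
        if zone is None:
            return "nxdomain", name
        if not zone_is_trusted(zones, zone, trust_anchors):
            status = "insecure"
        rrsets = zone.records.get(name, {})
        if rrtype in rrsets or "CNAME" not in rrsets:
            return status, name
        name = rrsets["CNAME"]  # follow the CNAME, possibly into another zone
    raise ValueError("CNAME loop at " + name)


def apex_cname_attempt():
    """'fedoraproject.org as a CNAME' conflicts with the apex SOA/NS/MX."""
    apex = {"fedoraproject.org": {"SOA": "ns1 hostmaster 1 ...",
                                  "NS": "ns1.fedoraproject.org.",
                                  "MX": "10 mail.fedoraproject.org.",
                                  "CNAME": "www.us.fedoraproject.org."}}
    return cname_conflicts(apex)


def signed_parent_unsigned_child():
    """Signed apex, with www CNAMEd into an unsigned subzone (constructed)."""
    zones = [
        Zone("fedoraproject.org", signed=True, records={
            "fedoraproject.org": {"SOA": "...", "NS": "ns1.fedoraproject.org.",
                                  "MX": "10 mail.fedoraproject.org."},
            "www.fedoraproject.org": {"CNAME": "www.us.fedoraproject.org"},
            "us.fedoraproject.org": {"NS": "ns1.us.fedoraproject.org."},
        }),
        Zone("us.fedoraproject.org", signed=False, records={
            "www.us.fedoraproject.org": {"A": "192.0.2.10"},  # constructed
        }),
    ]
    anchors = {"fedoraproject.org"}  # stand-in for a DS published in .org
    return {"MX": validation_status(zones, "fedoraproject.org", "MX", anchors),
            "www": validation_status(zones, "www.fedoraproject.org", "A", anchors)}


def unsigned_parent_signed_child():
    """Unsigned apex with a signed us.fedoraproject.org subzone (constructed)."""
    zones = [
        Zone("fedoraproject.org", signed=False, records={
            "fedoraproject.org": {"SOA": "...", "NS": "ns1.fedoraproject.org."},
            "us.fedoraproject.org": {"NS": "ns1.us.fedoraproject.org."},
        }, ds_for={"us.fedoraproject.org"}),  # DS in an unsigned parent proves nothing
        Zone("us.fedoraproject.org", signed=True, records={
            "www.us.fedoraproject.org": {"A": "192.0.2.10"},  # constructed
        }),
    ]
    return validation_status(zones, "www.us.fedoraproject.org", "A",
                             trust_anchors={"fedoraproject.org"})


if __name__ == "__main__":
    print("apex CNAME conflicts:", apex_cname_attempt())
    print("signed parent, unsigned child:", signed_parent_unsigned_child())
    print("unsigned parent, signed child:", unsigned_parent_signed_child())
```

The apex MX lookup validates as secure in the signed-parent layout, while the `www` lookup ends up insecure as soon as the CNAME crosses into the unsigned subzone; with the layout reversed, the signed subzone is an island with no authenticated path to it, so its answers are also insecure.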