DNSSEC and Geodns

Nigel Jones dev at nigelj.com
Sat Nov 21 05:24:22 UTC 2009


At the moment? Nothing.

On 21/11/2009, Mike McGrath <mmcgrath at redhat.com> wrote:
> On Fri, 20 Nov 2009, Jeffrey Ollie wrote:
>
>> On Fri, Nov 20, 2009 at 10:30 PM, Mike McGrath <mmcgrath at redhat.com>
>> wrote:
>> > On Fri, 20 Nov 2009, Jeffrey Ollie wrote:
>> >
>> >> On Fri, Nov 20, 2009 at 10:09 PM, Mike McGrath <mmcgrath at redhat.com>
>> >> wrote:
>> >> >
>> >> > So, for example 'fedoraproject.org' wouldn't be signed, but
>> >> > 'us.fedoraproject.org' would be?  I *think* that's possible but I
>> >> > haven't
>> >> > gotten it to work.  If I can get that to work though I guess that
>> >> > makes
>> >> > sense because A) it'd work for now and B) I'm sure over time pdns's
>> >> > dnssec
>> >> > will continue to mature.
>> >>
>> >> No, that wouldn't really work, because then you couldn't trust lookups
>> >> from the fedoraproject.org zone, which would include delegations to
>> >> the subdomains, the main website itself, MX records, etc.
>> >>
>> >
>> > But if fedoraproject.org pointed to some place that wasn't signed or was
>> > signed incorrectly, wouldn't that fail?
>>
>> fedoraproject.org can't be a CNAME because it has other records like
>> MX, NS, SOA, etc.  We'd have to switch to using
>> 'www.fedoraproject.org' which could be a CNAME into an unsigned
>> subzone.
>>
>> But then you'd still have the problem of relying on an unsigned zone
>> serving up DNS data, eventually no one is going to trust it.
>>
>
> At this very moment, what is dnssec buying us?
>
> 	-Mike

-- 
Sent from my mobile device

-- Nigel Jones




More information about the Fedora-infrastructure-list mailing list