Search domains in our environment (Proposal)
Mike McGrath
mmcgrath at redhat.com
Thu Dec 20 14:41:08 UTC 2007
Jeffrey Ollie wrote:
> On 12/19/07, Mike McGrath <mmcgrath at redhat.com> wrote:
>
>> I forgot to mention one other concern. A MitM attack or DNS poisoning.
>> This possibility does exist, but exists in our environment as is
>> anyway. This is something we should look at mitigating but other than
>> running a DNS server at every site, I'm not totally sure how to fix it.
>> I consider all of our donations as partnerships. After all, they have
>> local access to the box. At the same time though it is something we
>> should count as a risk and mitigate as much as possible.
>>
>
> I believe that DNSSEC is supposed to be the solution to the MitM/DNS
> poisoning problem. It's been a while since I messed with it, but with
> DNSSEC your DNS entries get signed with a public key and then properly
> configured systems will check the signatures on all lookups involving
> fedora*.org. Having this as a part of the standard setup in Fedora's
> BIND package would be awesomely cool because then every Fedora machine
> would be protected against someone spoofing their DNS and possibly
> causing problems.
>
> I've been meaning to set this up for my personal domain so I could
> work on the details over the holiday break...
>
If you find a solution that might work for us while you're setting it up,
let us know; it's certainly an avenue worth looking at.
-Mike
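
An added example, not part of the original thread: a client-side check of whether a DNS response carries DNSSEC signatures and whether the resolver marked it as validated (the AD header bit). The sample responses, the name `example.org` and the helper names are constructed for illustration, and the signature bytes are dummies.

```python
import struct

TYPE_A, TYPE_RRSIG = 1, 46
FLAG_AD = 0x0020  # Authentic Data: the resolver validated the DNSSEC chain

def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # a compression pointer ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def dnssec_status(msg):
    """Classify a response: 'validated', 'signed-unvalidated' or 'unsigned'.
    AD is only meaningful when the path to the resolver is itself trusted."""
    _id, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    has_rrsig = False
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        has_rrsig |= (rtype == TYPE_RRSIG)
    if flags & FLAG_AD:
        return "validated"
    return "signed-unvalidated" if has_rrsig else "unsigned"

def build_response(name, ad, with_rrsig):
    """Build a constructed sample response for the checks above."""
    qname = encode_name(name)
    flags = 0x8180 | (FLAG_AD if ad else 0)          # QR, RD, RA set
    msg = struct.pack("!6H", 0x1234, flags, 1, 2 if with_rrsig else 1, 0, 0)
    msg += qname + struct.pack("!HH", TYPE_A, 1)
    msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 10])
    if with_rrsig:  # RRSIG RDATA: fixed fields, signer name, dummy signature
        rdata = struct.pack("!HBBIIIH", TYPE_A, 8, 2, 300, 0, 0, 1) + qname + b"\x00" * 8
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(rdata)) + rdata
    return msg
```

A response that is signed but not flagged as validated means the signatures were delivered without anyone checking them, which gives no protection against a spoofed answer.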