On 12/19/07, Mike McGrath <mmcgrath@xxxxxxxxxx> wrote:
>
> I forgot to mention one other concern. A MitM attack or DNS poisoning.
> This possibility does exist, but exists in our environment as is
> anyway. This is something we should look at mitigating but other than
> running a DNS server at every site, I'm not totally sure how to fix it.
> I consider all of our donations as partnerships. After all, they have
> local access to the box. At the same time though it is something we
> should count as a risk and mitigate as much as possible.

I believe that DNSSEC is supposed to be the solution to the MitM/DNS poisoning problem. It's been a while since I messed with it, but with DNSSEC your DNS entries get signed with a public key and then properly configured systems will check the signatures on all lookups involving fedora*.org.

Having this as a part of the standard setup in Fedora's BIND package would be awesomely cool because then every Fedora machine would be protected against someone spoofing their DNS and possibly causing problems.

I've been meaning to set this up for my personal domain so I could work on the details over the holiday break...

Jeff

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
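An added example, not part of the original message: how a client can ask a validating resolver for DNSSEC-checked data and read the outcome from the reply header, which is the signature check on lookups that the reply above refers to. The name `example.org`, the transaction ID, the function names and the sample reply headers are constructed for illustration.

```python
import struct

# DNS header flag masks (RFC 1035, RFC 4035)
QR, RD, AD, RCODE_MASK = 0x8000, 0x0100, 0x0020, 0x000F
SERVFAIL = 2

def encode_name(name):
    """Encode a domain name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, txid, qtype=1):
    """Query with RD and AD set, plus an EDNS0 OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", txid, RD | AD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, class = UDP payload size, TTL field holds DO (0x8000)
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + question + opt

def classify(response, txid):
    """Map a resolver's reply header to a DNSSEC validation outcome."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid or not flags & QR:
        return "mismatch"          # not the reply to our query: discard it
    rcode = flags & RCODE_MASK
    if rcode == SERVFAIL:
        return "bogus-or-failure"  # validating resolvers answer SERVFAIL when signatures fail
    if rcode == 0 and flags & AD:
        return "authenticated"     # resolver validated the signature chain
    return "unvalidated"           # unsigned zone or non-validating resolver

def _reply(txid, flags):
    """Constructed sample reply header (no records), for illustration only."""
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)

if __name__ == "__main__":
    print(build_query("example.org", 0x1234).hex())
    for f in (0x81A0, 0x8180, 0x8182):
        print(hex(f), classify(_reply(0x1234, f), 0x1234))
```

The AD bit is the resolver's assertion, so it only means something when the path to that resolver is itself trusted, for example a validating resolver on the same host.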