Jeffrey Ollie wrote:
On 12/19/07, Mike McGrath <mmcgrath@xxxxxxxxxx> wrote:
I forgot to mention one other concern. A MitM attack or DNS poisoning.
This possibility does exist, but exists in our environment as is
anyway. This is something we should look at mitigating but other than
running a DNS server at every site, I'm not totally sure how to fix it.
I consider all of our donations as partnerships. After all, they have
local access to the box. At the same time though it is something we
should count as a risk and mitigate as much as possible.
I believe that DNSSEC is supposed to be the solution to the MitM/DNS
poisoning problem. It's been a while since I messed with it, but with
DNSSEC your DNS entries get signed with a public key and then properly
configured systems will check the signatures on all lookups involving
fedora*.org. Having this as a part of the standard setup in Fedora's
BIND package would be awesomely cool because then every Fedora machine
would be protected against someone spoofing their DNS and possibly
causing problems.
I've been meaning to set this up for my personal domain so I could
work on the details over the holiday break...
Also it appears that Paul Wouters is giving a session at FUDCon called
"Integrating DNSSEC -- Proposal and demonstration of DNSSEC aware
software."
-Mike
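The signing-and-checking step Jeffrey describes rests on a chain of trust: the parent zone publishes a DS record that is a hash over the child's DNSKEY, and a validating resolver recomputes that hash before it trusts any signature made with the key. The following is an added example, not code from the list thread or from Fedora's BIND package; it implements the DS digest and key tag computations from RFC 4034 with the Python standard library only, and the DNSKEY public key bytes and owner name are constructed placeholders, not a real key.

```python
import hashlib
import hmac

# Owner name in DNS wire format; canonical form is lowercase (RFC 4034 section 6.2).
def name_to_wire(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

# DNSKEY RDATA: flags (2 bytes) | protocol (always 3) | algorithm (1) | public key.
def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + pubkey

# Key tag (RFC 4034 Appendix B): 16-bit checksum over the RDATA that DS and
# RRSIG records use to say which DNSKEY they refer to.
def key_tag(rdata: bytes) -> int:
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

# DS digest types we accept; SHA-1 (type 1) is listed only so old DS records parse.
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}

# DS digest (RFC 4034 section 5.1.4): hash(owner name in wire format | DNSKEY RDATA).
def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    h = hashlib.new(DIGEST_ALGS[digest_type])
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()

def make_ds(owner: str, rdata: bytes, digest_type: int = 2):
    """Parent side: the DS record tuple (key tag, algorithm, digest type, digest)."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))

def ds_matches(ds, owner: str, rdata: bytes) -> bool:
    """Validator side: does this DS from the parent vouch for the child's DNSKEY?"""
    tag, alg, dtype, digest = ds
    if dtype not in DIGEST_ALGS or alg != rdata[3] or tag != key_tag(rdata):
        return False
    return hmac.compare_digest(digest.upper(), ds_digest(owner, rdata, dtype))

# Constructed sample: a KSK (flags 257 = ZONE|SEP), algorithm 13, with a 4-byte
# placeholder public key; the owner name is illustrative only.
SAMPLE_OWNER = "FedoraProject.org."
SAMPLE_KEY = dnskey_rdata(257, 13, b"\x01\x02\x03\x04")

if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, SAMPLE_KEY)
    print("DS published by parent:", ds)
    print("genuine key accepted:", ds_matches(ds, SAMPLE_OWNER, SAMPLE_KEY))
    print("tampered key accepted:", ds_matches(ds, SAMPLE_OWNER, SAMPLE_KEY[:-1] + b"\xff"))
```

A spoofed answer that swaps in an attacker's DNSKEY fails the DS check, which is why the resolver's trust anchor (the root DS or DNSKEY) is the one value that has to be configured out of band.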
_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list