| |||||||||||||
Debian to start deploying DNSSECDebian to start deploying DNSSECPosted Feb 16, 2010 9:58 UTC (Tue) by rahulsundaram (subscriber, #21946)In reply to: Debian to start deploying DNSSEC by jo42 Parent article: Debian to start deploying DNSSEC
I understand that fine and I was merely pointing out that since Fedora uses
it by default these days there has some concerns over the additional complexity it brings
(Log in to post comments)
Debian to start deploying DNSSEC Posted Feb 16, 2010 16:06 UTC (Tue) by rahulsundaram (subscriber, #21946) [Link]
Also Fedora's infrastructure lead pointed out that Fedora has been deployed
it on it's own servers for a few months now
dig +dnssec +multiline -t key fedoraproject.org @ns1.fedoraproject.org
Debian to start deploying DNSSEC Posted Feb 18, 2010 11:40 UTC (Thu) by akumria (subscriber, #7773) [Link]
As useful as that is, without a DS (delegated signer) record in .org (which is also signed) the fedoraproject is just an island of security.
Unless DLV (Delegation lookaside validation) is enabled in Fedora for fedoraproject.org no one is going to be benefiting.
can't get signed by org yet Posted Feb 19, 2010 15:21 UTC (Fri) by tialaramex (subscriber, #21167) [Link]
the org registry is not as yet (unless I'm out of date) offering to sign records of arbitrary members. When it does, either it will sign everything (in which case Fedora need take no special action) or it will advertise that this is available as a new service and some sysadmin at the Fedora project needs to get in touch. But right now it's "friends and family" testing only, if you didn't get an invite, they're not interested.
SEC spider shows the Fedora Project's DNSSEC records as live and not a testbed service, so evidently they're not as completely under the radar as you imagined.
|
|||||||||||||