[Bug 690867] New: Consider to DNSSEC sign the opensuse.org domain
https://bugzilla.novell.com/show_bug.cgi?id=690867
https://bugzilla.novell.com/show_bug.cgi?id=690867#c0

Summary: Consider to DNSSEC sign the opensuse.org domain
Classification: openSUSE
Product: openSUSE.org
Version: unspecified
Platform: Other
OS/Version: Other
Status: NEW
Severity: Enhancement
Priority: P5 - None
Component: Infrastructure
AssignedTo: mrueckert@novell.com
ReportedBy: burnus@gmx.de
QAContact: lrupp@novell.com
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:2.0) Gecko/20100101 Firefox/4.0

Currently, the opensuse.org domain is not secured using DNSSEC:
http://dnsviz.net/d/opensuse.org/dnssec/

It would be useful if it could be signed. Other domains are already signed, such as:
- Fedora: http://dnsviz.net/d/fedoraproject.org/dnssec/
- Mozilla: http://dnsviz.net/d/wiki.mozilla.org/dnssec/

(Side remark: In Firefox, the plugin http://www.dnssec-validator.cz/ can be used to see the DNSSEC status.)

Reproducible: Always

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=690867#c4

Lars Vogdt <lrupp@novell.com> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
           Priority|P5 - None   |P3 - Medium
             Status|NEW         |ASSIGNED
           Platform|Other       |All
           Found By|---         |Community User

--- Comment #4 from Lars Vogdt <lrupp@novell.com> 2011-05-15 14:52:48 UTC ---
Thanks for bringing this up! Increasing the priority to P3, as this is really an important topic. But we might need some time for coordination with our provider and for setting things up properly. We will come back to this bug once we have made some progress.
https://bugzilla.novell.com/show_bug.cgi?id=690867#c6

--- Comment #6 from Tobias Burnus <burnus@gmx.de> 2011-08-31 07:53:27 UTC ---
Do you already have an update?

As a follow-up, you could consider validating the TLS certificates via DNSSEC. Cf. http://tools.ietf.org/html/draft-ietf-dane-protocol and, e.g., https://wiki.mozilla.org/Security/DNSSEC-TLS-details#Background . The usefulness has been proven by the recent DigiNotar and Comodo incidents.
https://bugzilla.novell.com/show_bug.cgi?id=690867#c9

Lars Vogdt <lrupp@suse.com> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
                 CC|            |estellnb@elstel.org

--- Comment #9 from Lars Vogdt <lrupp@suse.com> 2014-01-11 22:55:29 CET ---
*** Bug 858407 has been marked as a duplicate of this bug. ***
http://bugzilla.novell.com/show_bug.cgi?id=858407
https://bugzilla.novell.com/show_bug.cgi?id=690867#c10

Lars Vogdt <lrupp@suse.com> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
             Status|NEW         |NEEDINFO
       InfoProvider|            |venu@novell.com

--- Comment #10 from Lars Vogdt <lrupp@suse.com> 2014-01-11 22:57:38 CET ---
Venu, can you please have a look?
https://bugzilla.novell.com/show_bug.cgi?id=690867#c11

Christian Deckelmann <deckel@novell.com> changed:

           What    |Removed         |Added
----------------------------------------------------------------------------
             Status|NEEDINFO        |NEW
       InfoProvider|venu@novell.com |

--- Comment #11 from Christian Deckelmann <deckel@novell.com> 2014-01-12 05:00:42 UTC ---
IB (the DNS management solution) can do DNSSEC. It needs to be verified whether the three external (and registered) DNS servers can handle DNSSEC-signed zones. As they are running BIND, I don't think this is an issue.
https://bugzilla.novell.com/show_bug.cgi?id=690867#c12

--- Comment #12 from Elmar Stellnberger <estellnb@elstel.org> 2014-07-31 11:30:54 UTC ---
What about this issue? I believe we should not only support DNSSEC for opensuse.org but, even more importantly, for download.opensuse.org (horrifyingly, it currently does not even support https). How else will someone know that he gets a pristine openSUSE if he has no possibility to fetch the public GPG key for all the repos in an authenticated way?
https://bugzilla.novell.com/show_bug.cgi?id=690867#c13

--- Comment #13 from Marcus Rückert <mrueckert@suse.com> 2014-07-31 13:18:15 UTC ---
curl https://api.opensuse.org/public/source/<project name>/_pubkey
https://bugzilla.novell.com/show_bug.cgi?id=690867#c14

--- Comment #14 from Elmar Stellnberger <estellnb@elstel.org> 2014-07-31 16:51:45 UTC ---
Hmm, that requires some login data. I have planned to program a repository downloader for yum & YaST repositories for offline use. It would need to fetch these keys anonymously but with a high degree of authenticity (at best with DNSSEC). Marcus Meissner has offered to make at least the repomd.xml.key / repomd.xml available via https to the public (Bug 889754), which will already solve a lot of problems.
https://bugzilla.novell.com/show_bug.cgi?id=690867#c15

--- Comment #15 from Marcus Rückert <mrueckert@suse.com> 2014-07-31 22:10:27 UTC ---
1. Yes, it might be. But doing that for a machine that has 400-1000 r/s requires some proper planning.
2. You are wrong on the claim that it will require a password. Did you even try it?
https://bugzilla.novell.com/show_bug.cgi?id=690867#c16

--- Comment #16 from Elmar Stellnberger <estellnb@elstel.org> 2014-08-01 08:28:06 UTC ---
Indeed, that works given the right URL (but not with my web browser):

curl https://api.opensuse.org/public/source/X11/_pubkey

However, is there a common way to determine that _pubkey URL given a repository path under http://download.opensuse.org/repositories/ (there are sub-repos like home:estellnb:elstel and so on)? How to fetch the key for http://download.opensuse.org/distribution/13.1/repo/oss/?

Secondly, I would also welcome the repository description itself, i.e. repomd.xml, being downloadable directly via SSL, because the SSL certificate provides another security layer in addition to the GPG key.
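The question in comment #16, deriving the `_pubkey` URL from a download.opensuse.org repository path, worked through as an added example; this is not code from the bug thread or from openSUSE's own tooling. It assumes the published layout in which each ':' of an OBS project name is followed by '/' in the URL path (project home:estellnb:elstel is served under home:/estellnb:/elstel/), and it deliberately returns None for anything outside /repositories/, so distribution repositories such as distribution/13.1/repo/oss/ are not mapped to a project here.

```python
"""Map a download.opensuse.org repository URL to its OBS project and _pubkey URL.

Added example, not part of the bug thread or of openSUSE's tooling.
Assumption: under /repositories/ a project "a:b:c" is published at
"a:/b:/c/<repo>/...", i.e. every ':' in the project name is followed by '/'.
Paths outside /repositories/ (e.g. /distribution/...) are not mapped.
"""
from urllib.parse import urlsplit

API_PUBKEY = "https://api.opensuse.org/public/source/{project}/_pubkey"
REPO_PREFIX = "/repositories/"


def project_from_repo_url(url: str):
    """Return the OBS project name for a /repositories/ URL, or None.

    Only the path is inspected, so http:// and https:// forms are treated alike.
    A path that ends while the project name is still open ("home:/user:/")
    is ambiguous and yields None rather than a truncated project name.
    """
    path = urlsplit(url).path
    if not path.startswith(REPO_PREFIX):
        return None
    parts = []
    complete = False
    for seg in path[len(REPO_PREFIX):].split("/"):
        if not seg:
            continue
        if seg.endswith(":"):
            parts.append(seg[:-1])      # more of the project name follows
        else:
            parts.append(seg)           # last component; the rest is repo/arch/file
            complete = True
            break
    if not parts or not complete:
        return None
    return ":".join(parts)


def pubkey_url(repo_url: str):
    """API URL that serves the signing key of the project publishing repo_url, or None."""
    project = project_from_repo_url(repo_url)
    if project is None:
        return None
    return API_PUBKEY.format(project=project)


if __name__ == "__main__":
    for u in (
        "http://download.opensuse.org/repositories/home:/estellnb:/elstel/openSUSE_13.1/",
        "http://download.opensuse.org/repositories/X11/openSUSE_13.1/x86_64/",
        "http://download.opensuse.org/distribution/13.1/repo/oss/",
    ):
        print(u, "->", pubkey_url(u))
```

The key fetched this way is only as trustworthy as the TLS connection to api.opensuse.org; pinning the key's fingerprint in the downloader, or publishing it in a DNSSEC-signed zone, is what closes the gap the thread is about.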
http://bugzilla.novell.com/show_bug.cgi?id=690867#c17

--- Comment #17 from Elmar Stellnberger <estellnb@elstel.org> ---
Hi, would anyone indeed mind implementing this? DANE is of high value, and with proper DANE support I would consider switching back to openSUSE! There has also been a recent discussion about it on debian-security (see debcheckroot/atea at https://lists.debian.org/debian-security/2020/03/threads.html).
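The DANE follow-up raised in comments #6 and #17, as an added example that is not code from the thread or from the openSUSE project: building, parsing and checking TLSA records as specified in RFC 6698. The DER blob in the block is a constructed placeholder, not a real key; in practice the SubjectPublicKeyInfo is taken from the server's certificate, for example with `openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER`. The host name is just an illustration of the owner-name rule.

```python
"""Build, parse and check DANE TLSA records (RFC 6698).

Added example, not part of the bug thread or of any openSUSE tooling.
The caller supplies the DER bytes the selector refers to: the full
certificate for selector 0, the SubjectPublicKeyInfo for selector 1.
SAMPLE_SPKI below is a constructed placeholder, not a real public key.
"""
import hashlib
import hmac
import struct

# Certificate usage (RFC 6698 section 2.1.1)
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
# Selector (2.1.2): full certificate or SubjectPublicKeyInfo
SEL_CERT, SEL_SPKI = 0, 1
# Matching type (2.1.3): exact match, SHA-256 or SHA-512 of the selected data
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

SAMPLE_SPKI = bytes(range(64))   # constructed placeholder, not a real SPKI


def tlsa_owner(host: str, port: int = 443, proto: str = "tcp") -> str:
    """Owner name of the TLSA RRset: _port._proto.host (section 3)."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def association_data(der: bytes, mtype: int) -> bytes:
    """Certificate association data for the given matching type."""
    if mtype == MATCH_FULL:
        return der
    if mtype == MATCH_SHA256:
        return hashlib.sha256(der).digest()
    if mtype == MATCH_SHA512:
        return hashlib.sha512(der).digest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_rdata(der: bytes, usage: int = DANE_EE, selector: int = SEL_SPKI,
               mtype: int = MATCH_SHA256) -> bytes:
    """Wire-format RDATA: three one-octet fields followed by the association data."""
    for v in (usage, selector, mtype):
        if not 0 <= v <= 255:
            raise ValueError("TLSA field out of range")
    return struct.pack("!BBB", usage, selector, mtype) + association_data(der, mtype)


def parse_tlsa_rdata(rdata: bytes):
    """Split RDATA into (usage, selector, mtype, data), rejecting malformed lengths."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA too short")
    usage, selector, mtype = struct.unpack("!BBB", rdata[:3])
    data = rdata[3:]
    expected = {MATCH_SHA256: 32, MATCH_SHA512: 64}.get(mtype)
    if expected is not None and len(data) != expected:
        raise ValueError("association data length does not match matching type")
    return usage, selector, mtype, data


def tlsa_presentation(owner: str, rdata: bytes, ttl: int = 3600) -> str:
    """Zone-file line for the record, hex of the association data as in the RFC examples."""
    usage, selector, mtype, data = parse_tlsa_rdata(rdata)
    return f"{owner} {ttl} IN TLSA {usage} {selector} {mtype} {data.hex()}"


def matches(rdata: bytes, der: bytes) -> bool:
    """True if the presented DER (cert or SPKI, per the record's selector) satisfies the record.

    This is the association check only. For usage 3 (DANE-EE) it is the whole
    test; usages 0 and 1 additionally require normal PKIX validation, and any
    TLSA lookup is only meaningful when the answer was DNSSEC-validated.
    """
    _usage, _selector, mtype, data = parse_tlsa_rdata(rdata)
    return hmac.compare_digest(data, association_data(der, mtype))


if __name__ == "__main__":
    owner = tlsa_owner("download.opensuse.org")
    rd = tlsa_rdata(SAMPLE_SPKI)
    print(tlsa_presentation(owner, rd))
    print("matches:", matches(rd, SAMPLE_SPKI))
```

A record of the form `3 1 1 <sha256>` (DANE-EE, SPKI, SHA-256) is the common choice because it survives certificate renewals that keep the same key pair; the record must be re-published whenever the key changes, ideally before the new certificate goes live.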