https://bugzilla.novell.com/show_bug.cgi?id=690867
https://bugzilla.novell.com/show_bug.cgi?id=690867#c0
Summary: Consider to DNSSEC sign the opensuse.org domain
Classification: openSUSE
Product: openSUSE.org
Version: unspecified
Platform: Other
OS/Version: Other
Status: NEW
Severity: Enhancement
Priority: P5 - None
Component: Infrastructure
AssignedTo: mrueckert@novell.com
ReportedBy: burnus@gmx.de
QAContact: lrupp@novell.com
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:2.0) Gecko/20100101 Firefox/4.0
Currently, the opensuse.org domain is not secured using DNSSEC: http://dnsviz.net/d/opensuse.org/dnssec/
It would be useful if it could be signed. Other domains are already signed, such as:
- Fedora: http://dnsviz.net/d/fedoraproject.org/dnssec/
- Mozilla: http://dnsviz.net/d/wiki.mozilla.org/dnssec/
(Side remark: In Firefox, the plugin http://www.dnssec-validator.cz/ can be used to see the DNSSEC status.)
Reproducible: Always
https://bugzilla.novell.com/show_bug.cgi?id=690867#c4
Lars Vogdt lrupp@novell.com changed:
What       |Removed    |Added
----------------------------------------------------------------------------
Priority   |P5 - None  |P3 - Medium
Status     |NEW        |ASSIGNED
Platform   |Other      |All
Found By   |---        |Community User

--- Comment #4 from Lars Vogdt lrupp@novell.com 2011-05-15 14:52:48 UTC ---
Thanks for bringing this up!
Increasing Prio to P3 as this is really an important topic. But we might need some time for coordination with our provider and for setting things up properly. We will come back to this bug once we have made some progress.
https://bugzilla.novell.com/show_bug.cgi?id=690867#c6
--- Comment #6 from Tobias Burnus burnus@gmx.de 2011-08-31 07:53:27 UTC ---
Do you already have an update?
As a follow-up, you could consider validating the TLS certificates via DNSSEC. Cf. http://tools.ietf.org/html/draft-ietf-dane-protocol and, e.g., https://wiki.mozilla.org/Security/DNSSEC-TLS-details#Background . The usefulness has been proven by the recent DigiNotar and Comodo incidents.
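The DANE check proposed in this comment, as an added example that is not part of the bug report: a TLSA (RFC 6698) matcher that derives a certificate's association data and tests it against a record, honouring the certificate usage field. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders rather than real DER, and the TLSA record is assumed to have been obtained through a DNSSEC-validating resolver.

```python
import hashlib
import hmac
import struct

# Constructed sample data (not real certificates): stand-ins for the DER bytes of an
# end-entity certificate, its SubjectPublicKeyInfo, and the issuing CA certificate.
EE_CERT = b"constructed-end-entity-certificate-der"
EE_SPKI = b"constructed-end-entity-spki-der"
CA_CERT = b"constructed-issuing-ca-certificate-der"
CA_SPKI = b"constructed-issuing-ca-spki-der"
CHAIN = [(EE_CERT, EE_SPKI), (CA_CERT, CA_SPKI)]  # end entity first, as sent in TLS


def parse_tlsa_rdata(rdata: bytes):
    """Split TLSA wire-format RDATA into (usage, selector, matching_type, data)."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA shorter than the three fixed octets")
    usage, selector, mtype = struct.unpack("!BBB", rdata[:3])
    return usage, selector, mtype, rdata[3:]


def association_data(cert_der: bytes, spki_der: bytes, selector: int, mtype: int) -> bytes:
    """Derive the association data a TLSA record must carry for this certificate.
    Selector 0 = full certificate, 1 = SubjectPublicKeyInfo;
    matching type 0 = exact bytes, 1 = SHA-256, 2 = SHA-512."""
    subject = {0: cert_der, 1: spki_der}[selector]
    if mtype == 0:
        return subject
    if mtype == 1:
        return hashlib.sha256(subject).digest()
    if mtype == 2:
        return hashlib.sha512(subject).digest()
    raise ValueError(f"unknown matching type {mtype}")


def build_tlsa_rdata(usage: int, selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Produce the RDATA an operator would publish for the given certificate."""
    return struct.pack("!BBB", usage, selector, mtype) + association_data(cert_der, spki_der, selector, mtype)


def tlsa_matches(rdata: bytes, chain) -> bool:
    """Check a DNSSEC-validated TLSA record against a presented chain of (cert_der, spki_der).
    Usages 1 (PKIX-EE) and 3 (DANE-EE) constrain the end-entity certificate only; usages 0
    (PKIX-TA) and 2 (DANE-TA) must match an issuer in the chain. The PKIX path validation
    that usages 0 and 1 additionally require is out of scope here."""
    usage, selector, mtype, data = parse_tlsa_rdata(rdata)
    if usage in (1, 3):
        candidates = chain[:1]
    elif usage in (0, 2):
        candidates = chain[1:]
    else:
        return False  # RFC 6698 treats records with unknown field values as unusable
    try:
        return any(hmac.compare_digest(association_data(c, s, selector, mtype), data)
                   for c, s in candidates)
    except (KeyError, ValueError):
        return False  # unknown selector or matching type: likewise unusable
```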
https://bugzilla.novell.com/show_bug.cgi?id=690867#c9
Lars Vogdt lrupp@suse.com changed:
What       |Removed    |Added
----------------------------------------------------------------------------
CC         |           |estellnb@elstel.org

--- Comment #9 from Lars Vogdt lrupp@suse.com 2014-01-11 22:55:29 CET ---
*** Bug 858407 has been marked as a duplicate of this bug. ***
http://bugzilla.novell.com/show_bug.cgi?id=858407
https://bugzilla.novell.com/show_bug.cgi?id=690867#c10
Lars Vogdt lrupp@suse.com changed:
What         |Removed    |Added
----------------------------------------------------------------------------
Status       |NEW        |NEEDINFO
InfoProvider |           |venu@novell.com

--- Comment #10 from Lars Vogdt lrupp@suse.com 2014-01-11 22:57:38 CET ---
Venu, can you please have a look?
https://bugzilla.novell.com/show_bug.cgi?id=690867#c11
Christian Deckelmann deckel@novell.com changed:
What         |Removed          |Added
----------------------------------------------------------------------------
Status       |NEEDINFO         |NEW
InfoProvider |venu@novell.com  |

--- Comment #11 from Christian Deckelmann deckel@novell.com 2014-01-12 05:00:42 UTC ---
IB (the DNS management solution) can do DNSSEC. It needs to be verified whether the three external (and registered) DNS servers can handle DNSSEC-signed zones. As they are running bind, I don't think this is an issue.
https://bugzilla.novell.com/show_bug.cgi?id=690867#c12
--- Comment #12 from Elmar Stellnberger estellnb@elstel.org 2014-07-31 11:30:54 UTC ---
What about this issue? I believe we should not only support DNSSEC for opensuse.org but, even more important, for download.opensuse.org (horrifyingly, it currently does not even support https). How else will someone know that he gets a pristine openSUSE if he has no possibility to authenticatedly fetch the public gpg-key for all the repos?
https://bugzilla.novell.com/show_bug.cgi?id=690867#c13
--- Comment #13 from Marcus Rückert mrueckert@suse.com 2014-07-31 13:18:15 UTC ---
curl https://api.opensuse.org/public/source/<project name>/_pubkey
https://bugzilla.novell.com/show_bug.cgi?id=690867#c14
--- Comment #14 from Elmar Stellnberger estellnb@elstel.org 2014-07-31 16:51:45 UTC ---
Hmm, that requires some login data. I have planned to program some repository downloader for yum & yast repositories for offline use. It would need to fetch these keys anonymously but with a high degree of authenticity (at best with DNSSEC). Marcus Meissner has offered to make at least the repomd.xml.key / repomd.xml available via https to the public (Bug 889754), which will already solve a lot of problems.
https://bugzilla.novell.com/show_bug.cgi?id=690867#c15
--- Comment #15 from Marcus Rückert mrueckert@suse.com 2014-07-31 22:10:27 UTC ---
1. Yes, it might be. But doing that for a machine that has 400-1000 r/s requires some proper planning.
2. You are wrong on the claim it will require a password. Did you even try it?
https://bugzilla.novell.com/show_bug.cgi?id=690867#c16
--- Comment #16 from Elmar Stellnberger estellnb@elstel.org 2014-08-01 08:28:06 UTC ---
Indeed, that works given the right URL (but not with my web browser):
curl https://api.opensuse.org/public/source/X11/_pubkey
However, is there a common way to determine that _pubkey URL given a repository path under http://download.opensuse.org/repositories/ (there are sub-repos like home:estellnb:elstel and so on)? How to fetch the key for http://download.opensuse.org/distribution/13.1/repo/oss/?
Secondly, I would also welcome the repository description itself, i.e. repomd.xml, to be downloadable directly via SSL, because the SSL certificate provides another security layer in addition to the gpg key.
http://bugzilla.novell.com/show_bug.cgi?id=690867#c17
--- Comment #17 from Elmar Stellnberger estellnb@elstel.org ---
Hi, would anyone indeed mind implementing this? DANE is of high value, and with proper DANE support I would consider switching back to openSUSE! There has also been a recent discussion about it on debian-security (see debcheckroot/atea at https://lists.debian.org/debian-security/2020/03/threads.html).