[Bug 690867] New: Consider to DNSSEC sign the opensuse.org domain

List overview All Threads
Download

newer

older

[Bug 1167465] New: GCC 10:...

[Bug 1139948] New: LVM LV cannot...

bugzilla_noreply＠novell.com

29 Apr 2011 29 Apr '11

13:41

https://bugzilla.novell.com/show_bug.cgi?id=690867

https://bugzilla.novell.com/show_bug.cgi?id=690867#c0

Summary: Consider to DNSSEC sign the opensuse.org domain Classification: openSUSE Product: openSUSE.org Version: unspecified Platform: Other OS/Version: Other Status: NEW Severity: Enhancement Priority: P5 - None Component: Infrastructure AssignedTo: mrueckert@novell.com ReportedBy: burnus@gmx.de QAContact: lrupp@novell.com Found By: --- Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:2.0) Gecko/20100101 Firefox/4.0

Currently, the opensuse.org domain is not secured using DNSSEC: http://dnsviz.net/d/opensuse.org/dnssec/

It would be useful, if it could be signed. Other domains are already signed such as: - Fedora: http://dnsviz.net/d/fedoraproject.org/dnssec/ - Mozilla: http://dnsviz.net/d/wiki.mozilla.org/dnssec/

(Side remark: In Firefox, the plugin http://www.dnssec-validator.cz/ can be used to see the DNSSEC status.)

Reproducible: Always

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

Show replies by date

bugzilla_noreply＠novell.com

15 May 15 May

14:52

New subject: [Bug 690867] Consider to DNSSEC sign the opensuse.org domain

https://bugzilla.novell.com/show_bug.cgi?id=690867

https://bugzilla.novell.com/show_bug.cgi?id=690867#c4

Lars Vogdt lrupp@novell.com changed:

--- Comment #4 from Lars Vogdt lrupp@novell.com 2011-05-15 14:52:48 UTC --- Thanks for bringing this up!

Increasing Prio to P3 as this is really an important topic. But we might need some time for coordination with our provider and for setting things up properly. We will come back to this bug once we made some progress.

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

31 Aug 31 Aug

07:53

New subject: [Bug 690867] Consider to DNSSEC sign the opensuse.org domain

https://bugzilla.novell.com/show_bug.cgi?id=690867

https://bugzilla.novell.com/show_bug.cgi?id=690867#c6

--- Comment #6 from Tobias Burnus burnus@gmx.de 2011-08-31 07:53:27 UTC --- Do you have already an update?

As follow up, you could consider validating the TLS certificates via DNSSEC. Cf. http://tools.ietf.org/html/draft-ietf-dane-protocol and, e.g., https://wiki.mozilla.org/Security/DNSSEC-TLS-details#Background . The usefulness has been proven by the recent DigiNotar and Comodo incidents.

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

11 Jan 11 Jan

21:55

New subject: [Bug 690867] Consider to DNSSEC sign the opensuse.org domain

https://bugzilla.novell.com/show_bug.cgi?id=690867

https://bugzilla.novell.com/show_bug.cgi?id=690867#c9

Lars Vogdt lrupp@suse.com changed:

What |Removed |Added ---------------------------------------------------------------------------- CC| |estellnb@elstel.org

--- Comment #9 from Lars Vogdt lrupp@suse.com 2014-01-11 22:55:29 CET --- *** Bug 858407 has been marked as a duplicate of this bug. *** http://bugzilla.novell.com/show_bug.cgi?id=858407

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

21:57

New subject: [Bug 690867] Consider to DNSSEC sign the opensuse.org domain

https://bugzilla.novell.com/show_bug.cgi?id=690867

https://bugzilla.novell.com/show_bug.cgi?id=690867#c10

Lars Vogdt lrupp@suse.com changed:

--- Comment #10 from Lars Vogdt lrupp@suse.com 2014-01-11 22:57:38 CET --- Venu, can you please have a look?

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

12 Jan 12 Jan

05:00

New subject: [Bug 690867] Consider to DNSSEC sign the opensuse.org domain

https://bugzilla.novell.com/show_bug.cgi?id=690867

https://bugzilla.novell.com/show_bug.cgi?id=690867#c11

Christian Deckelmann deckel@novell.com changed:

--- Comment #11 from Christian Deckelmann deckel@novell.com 2014-01-12 05:00:42 UTC --- IB (the DNS management solution) can do DNSSEC. It needs to be verigifed wether the three external (and registered DNS servers) can handle DNSSEC signed zones. As they are running bind, I don´t think this is an issue.

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

31 Jul 31 Jul

11:30

New subject: [Bug 690867] Consider to DNSSEC sign the opensuse.org domain

https://bugzilla.novell.com/show_bug.cgi?id=690867

https://bugzilla.novell.com/show_bug.cgi?id=690867#c12

--- Comment #12 from Elmar Stellnberger estellnb@elstel.org 2014-07-31 11:30:54 UTC --- What about this issue? I believe we should not only support DNSSEC for opensuse.org but even more important for download.opensuse.org (horrifyingly it does currently not even support https). How else will someone know that he gets a pristine openSUSE if he has no possiblilty to authenticatedly fetch the public gpg-key for all the repos?

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

13:18

New subject: [Bug 690867] Consider to DNSSEC sign the opensuse.org domain

https://bugzilla.novell.com/show_bug.cgi?id=690867

https://bugzilla.novell.com/show_bug.cgi?id=690867#c13

--- Comment #13 from Marcus Rückert mrueckert@suse.com 2014-07-31 13:18:15 UTC --- curl https://api.opensuse.org/public/source/<project name>/_pubkey

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

16:51

New subject: [Bug 690867] Consider to DNSSEC sign the opensuse.org domain

https://bugzilla.novell.com/show_bug.cgi?id=690867

https://bugzilla.novell.com/show_bug.cgi?id=690867#c14

--- Comment #14 from Elmar Stellnberger estellnb@elstel.org 2014-07-31 16:51:45 UTC --- Hmm, that requires some login data. I have planned to program some repository downloader for yum & yast repositories for offline use. It would need to fetch these keys anonymously but with a high degree of authenticity (at best with DNSSEC). Marcus Meissner has offered me to make at least the repomd.xml.key / repomd.xml available via https to the public (Bug 889754) which will already solve a lot of problems.

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

22:10

New subject: [Bug 690867] Consider to DNSSEC sign the opensuse.org domain

https://bugzilla.novell.com/show_bug.cgi?id=690867

https://bugzilla.novell.com/show_bug.cgi?id=690867#c15

--- Comment #15 from Marcus Rückert mrueckert@suse.com 2014-07-31 22:10:27 UTC --- 1. yes it might be. but doing that for a machine that has 400-1000r/s requires some proper planning 2. you are wrong on the claim it will require a password. did you even try it?

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

1 Aug 1 Aug

08:28

New subject: [Bug 690867] Consider to DNSSEC sign the opensuse.org domain

https://bugzilla.novell.com/show_bug.cgi?id=690867

https://bugzilla.novell.com/show_bug.cgi?id=690867#c16

--- Comment #16 from Elmar Stellnberger estellnb@elstel.org 2014-08-01 08:28:06 UTC --- In deed that works given the right url (but not with my web browser): curl https://api.opensuse.org/public/source/X11/_pubkey

However is there a common way to determine that _pubkey-URL given a repository path under http://download.opensuse.org/repositories/ (there are sub-repos like home:estellnb:elstel and so on)? How to fetch the key for http://download.opensuse.org/distribution/13.1/repo/oss/?

Secondly I would also welcome the repository description itself i.e. repomd.xml to be downloadable directly via SSL because the SSL certificate provides another security layer in addition to the gpg key.

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

28 Mar 28 Mar

17:47

New subject: [Bug 690867] Consider to DNSSEC sign the opensuse.org domain

http://bugzilla.novell.com/show_bug.cgi?id=690867 http://bugzilla.novell.com/show_bug.cgi?id=690867#c17

--- Comment #17 from Elmar Stellnberger estellnb@elstel.org --- Hi, would anyone in deed mind to implement this? DANE is of high value and with proper DANE support I would consider switching back to openSUSE! There has also been a recent discussion about it on debian-security (see debcheckroot/atea at https://lists.debian.org/debian-security/2020/03/threads.html).

-- You are receiving this mail because: You are on the CC list for the bug.

819

days inactive

4075

days old

bugs@lists.opensuse.org

11 comments

participants

tags (0)

participants (1)

bugzilla_noreply＠novell.com