29 Apr
2011
29 Apr
'11
14:41
https://bugzilla.novell.com/show_bug.cgi?id=690867
https://bugzilla.novell.com/show_bug.cgi?id=690867#c0
Summary: Consider to DNSSEC sign the opensuse.org domain
Classification: openSUSE
Product: openSUSE.org
Version: unspecified
Platform: Other
OS/Version: Other
Status: NEW
Severity: Enhancement
Priority: P5 - None
Component: Infrastructure
AssignedTo: mrueckert(a)novell.com
ReportedBy: burnus(a)gmx.de
QAContact: lrupp(a)novell.com
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:2.0)
Gecko/20100101 Firefox/4.0
Currently, the opensuse.org domain is not secured using DNSSEC:
http://dnsviz.net/d/opensuse.org/dnssec/
It would be useful, if it could be signed. Other domains are already signed
such as:
- Fedora: http://dnsviz.net/d/fedoraproject.org/dnssec/
- Mozilla: http://dnsviz.net/d/wiki.mozilla.org/dnssec/
(Side remark: In Firefox, the plugin http://www.dnssec-validator.cz/ can be
used to see the DNSSEC status.)
Reproducible: Always
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
15 May
15 May
15:52
New subject: [Bug 690867] Consider to DNSSEC sign the opensuse.org domain
https://bugzilla.novell.com/show_bug.cgi?id=690867
https://bugzilla.novell.com/show_bug.cgi?id=690867#c4
Lars Vogdt <lrupp(a)novell.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Priority|P5 - None |P3 - Medium
Status|NEW |ASSIGNED
Platform|Other |All
Found By|--- |Community User
--- Comment #4 from Lars Vogdt <lrupp(a)novell.com> 2011-05-15 14:52:48 UTC ---
Thanks for bringing this up!
Increasing Prio to P3 as this is really an important topic. But we might need
some time for coordination with our provider and for setting things up
properly. We will come back to this bug once we made some progress.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
31 Aug
31 Aug
08:53
New subject: [Bug 690867] Consider to DNSSEC sign the opensuse.org domain
https://bugzilla.novell.com/show_bug.cgi?id=690867
https://bugzilla.novell.com/show_bug.cgi?id=690867#c6
--- Comment #6 from Tobias Burnus <burnus(a)gmx.de> 2011-08-31 07:53:27 UTC ---
Do you have already an update?
As follow up, you could consider validating the TLS certificates via DNSSEC.
Cf. http://tools.ietf.org/html/draft-ietf-dane-protocol and, e.g.,
https://wiki.mozilla.org/Security/DNSSEC-TLS-details#Background . The
usefulness has been proven by the recent DigiNotar and Comodo incidents.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
11 Jan
11 Jan
21:55
New subject: [Bug 690867] Consider to DNSSEC sign the opensuse.org domain
https://bugzilla.novell.com/show_bug.cgi?id=690867
https://bugzilla.novell.com/show_bug.cgi?id=690867#c9
Lars Vogdt <lrupp(a)suse.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |estellnb(a)elstel.org
--- Comment #9 from Lars Vogdt <lrupp(a)suse.com> 2014-01-11 22:55:29 CET ---
*** Bug 858407 has been marked as a duplicate of this bug. ***
http://bugzilla.novell.com/show_bug.cgi?id=858407
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
21:57
New subject: [Bug 690867] Consider to DNSSEC sign the opensuse.org domain
https://bugzilla.novell.com/show_bug.cgi?id=690867
https://bugzilla.novell.com/show_bug.cgi?id=690867#c10
Lars Vogdt <lrupp(a)suse.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |NEEDINFO
InfoProvider| |venu(a)novell.com
--- Comment #10 from Lars Vogdt <lrupp(a)suse.com> 2014-01-11 22:57:38 CET ---
Venu, can you please have a look?
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
12 Jan
12 Jan
05:00
New subject: [Bug 690867] Consider to DNSSEC sign the opensuse.org domain
https://bugzilla.novell.com/show_bug.cgi?id=690867
https://bugzilla.novell.com/show_bug.cgi?id=690867#c11
Christian Deckelmann <deckel(a)novell.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEEDINFO |NEW
InfoProvider|venu(a)novell.com |
--- Comment #11 from Christian Deckelmann <deckel(a)novell.com> 2014-01-12 05:00:42
UTC ---
IB (the DNS management solution) can do DNSSEC.
It needs to be verigifed wether the three external (and registered DNS servers)
can handle DNSSEC signed zones. As they are running bind, I don´t think this is
an issue.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
31 Jul
31 Jul
12:30
New subject: [Bug 690867] Consider to DNSSEC sign the opensuse.org domain
https://bugzilla.novell.com/show_bug.cgi?id=690867
https://bugzilla.novell.com/show_bug.cgi?id=690867#c12
--- Comment #12 from Elmar Stellnberger <estellnb(a)elstel.org> 2014-07-31 11:30:54
UTC ---
What about this issue? I believe we should not only support DNSSEC for
opensuse.org but even more important for download.opensuse.org (horrifyingly it
does currently not even support https). How else will someone know that he gets
a pristine openSUSE if he has no possiblilty to authenticatedly fetch the
public gpg-key for all the repos?
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
14:18
New subject: [Bug 690867] Consider to DNSSEC sign the opensuse.org domain
https://bugzilla.novell.com/show_bug.cgi?id=690867
https://bugzilla.novell.com/show_bug.cgi?id=690867#c13
--- Comment #13 from Marcus Rückert <mrueckert(a)suse.com> 2014-07-31 13:18:15 UTC
---
curl https://api.opensuse.org/public/source/<project name>/_pubkey
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
17:51
New subject: [Bug 690867] Consider to DNSSEC sign the opensuse.org domain
https://bugzilla.novell.com/show_bug.cgi?id=690867
https://bugzilla.novell.com/show_bug.cgi?id=690867#c14
--- Comment #14 from Elmar Stellnberger <estellnb(a)elstel.org> 2014-07-31 16:51:45
UTC ---
Hmm, that requires some login data. I have planned to program some repository
downloader for yum & yast repositories for offline use. It would need to fetch
these keys anonymously but with a high degree of authenticity (at best with
DNSSEC). Marcus Meissner has offered me to make at least the repomd.xml.key /
repomd.xml available via https to the public (Bug 889754) which will already
solve a lot of problems.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
23:10
New subject: [Bug 690867] Consider to DNSSEC sign the opensuse.org domain
https://bugzilla.novell.com/show_bug.cgi?id=690867
https://bugzilla.novell.com/show_bug.cgi?id=690867#c15
--- Comment #15 from Marcus Rückert <mrueckert(a)suse.com> 2014-07-31 22:10:27 UTC
---
1. yes it might be. but doing that for a machine that has 400-1000r/s requires
some proper planning
2. you are wrong on the claim it will require a password. did you even try it?
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
1 Aug
1 Aug
09:28
New subject: [Bug 690867] Consider to DNSSEC sign the opensuse.org domain
https://bugzilla.novell.com/show_bug.cgi?id=690867
https://bugzilla.novell.com/show_bug.cgi?id=690867#c16
--- Comment #16 from Elmar Stellnberger <estellnb(a)elstel.org> 2014-08-01 08:28:06
UTC ---
In deed that works given the right url (but not with my web browser):
curl https://api.opensuse.org/public/source/X11/_pubkey
However is there a common way to determine that _pubkey-URL given a repository
path under http://download.opensuse.org/repositories/ (there are sub-repos like
home:estellnb:elstel and so on)?
How to fetch the key for
http://download.opensuse.org/distribution/13.1/repo/oss/?
Secondly I would also welcome the repository description itself i.e. repomd.xml
to be downloadable directly via SSL because the SSL certificate provides
another security layer in addition to the gpg key.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
28 Mar
28 Mar
17:47
New subject: [Bug 690867] Consider to DNSSEC sign the opensuse.org domain
http://bugzilla.novell.com/show_bug.cgi?id=690867
http://bugzilla.novell.com/show_bug.cgi?id=690867#c17
--- Comment #17 from Elmar Stellnberger <estellnb(a)elstel.org> ---
Hi, would anyone in deed mind to implement this? DANE is of high value and
with proper DANE support I would consider switching back to openSUSE! There has
also been a recent discussion about it on debian-security (see
debcheckroot/atea at
https://lists.debian.org/debian-security/2020/03/threads.html).
--
You are receiving this mail because:
You are on the CC list for the bug.
540
days inactive
3796
days old
11 comments
1 participants
participants (1)
-
bugzilla_noreply@novell.com