[bind10-dev] bindctl not checking server certificate chain by default
Michal 'vorner' Vaner
michal.vaner at nic.cz
Fri Oct 19 14:26:19 UTC 2012
Hello
On Fri, Oct 19, 2012 at 04:06:51PM +0200, Jelte Jansen wrote:
> - thirdly, we could default to not running at all until the
> administrator points to a valid certificate.
I think this is bad. We need people to try bind10 out. If I get annoyed too much
too early in the beginning, I throw the software out and try an alternative. We
want the thing to at least talk to the user, not bother him by some
certificates. I think we could start asking for certificates once you connect
over network, but if you try to connect to localhost, I don't think it is
needed (the man-in-the-middle attack is not that probable). Or we might want to
connect by a file socket instead of network socket, which would mean the
attacker would need a write permission to some place common users don't usually
have.
With regards
--
BOFH Excuse #430:
Mouse has out-of-cheese-error
Michal 'vorner' Vaner
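
The policy suggested in the message above (require certificate verification only when the connection leaves the local host), sketched as an added example; this is not bind10 or bindctl code, and the function names, the port number and the `ca_file` parameter are hypothetical.

```python
import ipaddress
import socket
import ssl

# Constructed sample port for the example; not taken from the message.
SAMPLE_PORT = 8080


def resolves_only_to_loopback(host, port=SAMPLE_PORT):
    """Return True only if every address the name resolves to is loopback.

    Checking the resolved addresses, not the string "localhost", matters:
    a hosts-file or resolver entry can map that name to a remote address.
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return False  # Unresolvable: treat as non-local, so verification stays on.
    # sockaddr[0] is the address; strip an IPv6 zone id such as "%eth0".
    addrs = {info[4][0].split("%")[0] for info in infos}
    return bool(addrs) and all(ipaddress.ip_address(a).is_loopback for a in addrs)


def client_context(host, ca_file=None):
    """Build the TLS client context for the given target host.

    Loopback target: no chain or hostname check, so the tool works
    out of the box on the same machine.
    Anything else: full chain and hostname verification, against ca_file
    if given, otherwise against the system trust store.
    """
    if resolves_only_to_loopback(host):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False  # Must be cleared before setting CERT_NONE.
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    return ssl.create_default_context(cafile=ca_file)


if __name__ == "__main__":
    # 192.0.2.10 is from the documentation range (TEST-NET-1), constructed input.
    for target in ("127.0.0.1", "192.0.2.10"):
        ctx = client_context(target)
        print(target, ctx.verify_mode.name, "check_hostname=%s" % ctx.check_hostname)
```
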