[bind10-dev] bindctl not checking server certificate chain by default
Francis Dupont
fdupont at isc.org
Fri Oct 19 15:53:53 UTC 2012
> On Fri, Oct 19, 2012 at 04:06:51PM +0200, Jelte Jansen wrote:
> > - thirdly, we could default to not running at all until the
> > administrator points to a valid certificate.
>
> I think this is bad. We need people to try bind10 out. If I get
> annoyed too much too early in the beginning, I throw the software
> out and try an alternative. We want the thing to at least talk to
> the user, not bother him by some certificates. I think we could
> start asking for certificates once you connect over network, but if
> you try to connect to localhost, I don't think it is needed (the
> man-in-the-middle attack is not that probable). Or we might want to
> connect by a file socket instead of network socket, which would
> mean the attacker would need a write permission to some place
> common users don't usually have.
=> I had the same problem to solve for the AFTR. I considered adding
SSL server support, but in fact it was both complex to code (and
I know well how to use crypto) and hairy on the client side.
So I decided to limit the control connection to the local host
(simply by binding server sockets to 127.0.0.1 and ::1) and to use
a tool like nc or ssh tunnelling for remote access, i.e., to ask
the tool which handles the remote access to manage the security too.
BTW I object to a "file socket" as the only way because it is not
available on all systems (e.g., Windows). Of course it can be an
alternative (the AFTR has it as an option and as far as I remember I
used it only for testing this particular feature :-).
Regards
Francis Dupont <fdupont at isc.org>
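The loopback-only control listener described above (bind to 127.0.0.1 and ::1, leave remote access to an ssh tunnel), as an added Python example that is not part of the thread or of the BIND 10 / AFTR code; the function names are mine, and the peer check is defence in depth on top of the bind addresses, including the IPv4-mapped IPv6 edge case:

```python
import ipaddress
import socket

# Constructed for this example: only loopback addresses are ever bound.
LOOPBACK_BINDS = [
    (socket.AF_INET, "127.0.0.1"),
    (socket.AF_INET6, "::1"),
]


def peer_ip(addr):
    """Return the peer IP from a socket address tuple, unwrapping an IPv4-mapped
    IPv6 address (::ffff:a.b.c.d) so it is judged as the IPv4 address it carries."""
    ip = ipaddress.ip_address(addr[0].split("%")[0])  # drop a scope id like %lo
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def is_loopback_peer(addr):
    """True only if the connecting peer is a loopback address; a daemon should
    refuse control commands from anything else even if the bind was correct."""
    return peer_ip(addr).is_loopback


def open_control_listeners(port=0):
    """Bind one listening socket per loopback address (hypothetical control port;
    port 0 lets the OS choose, handy for tests). A family the host lacks
    (e.g. no IPv6) is skipped, never replaced by a wildcard 0.0.0.0 bind."""
    listeners = []
    for family, host in LOOPBACK_BINDS:
        s = socket.socket(family, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        v6only = getattr(socket, "IPV6_V6ONLY", None)
        if family == socket.AF_INET6 and v6only is not None:
            # Keep the ::1 socket IPv6-only so it never also answers for IPv4.
            s.setsockopt(socket.IPPROTO_IPV6, v6only, 1)
        try:
            s.bind((host, port))
            s.listen(5)
        except OSError:
            s.close()
            continue
        listeners.append(s)
    return listeners


def serve_once(listener):
    """Accept one connection; return True only if it came from a loopback peer."""
    conn, addr = listener.accept()
    try:
        return is_loopback_peer(addr)
    finally:
        conn.close()
```

Remote administration then goes through the tunnel the author suggests, e.g. `ssh -L 5000:127.0.0.1:5000 host` and connecting to the forwarded local port, so authentication and encryption are ssh's job.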