[Dnssec-trigger] Extracting hot-spot detection and servers probing code into a library

Paul Wouters pwouters at redhat.com
Wed May 14 14:19:57 UTC 2014


On 05/14/2014 10:09 AM, Petr Spacek wrote:

>> This can be used for a new test for https://bugzilla.redhat.com/show_bug.cgi?id=1096240
> 
> I think we should:
> - Make test names/records configurable in the library.
> - Deploy own Fedora-sub-tree dedicated to DNS-tests. It can be something like dnstest.fedoraproject.org. and put all necessary records there.
> 
> This allows every distributor to build the library with its own set of names. This avoids a single point of failure (from the perspective of all library users)
> and removes dependency on external entity.

I do not agree. The tests are carefully selected to

1) be run against very stable zones (hence TLD sized zones)

2) not have a privacy impact (hence TLD sized zones)

3) not have all eggs in one basket

fedoraproject.org has already proven to be too unstable when they changed CA provider without updating their TLSA record after Heartbleed.

Having different tests also means all different library users have their own bugs, their own false positives, and no one gets the advantage of new test cases
found in the wild, some of which might be difficult to reproduce in other zones.

Paul
