From: bo0od
Subject: bug#47823: Hardenize Guix website TLS/DNS
Date: Tue, 25 May 2021 16:37:47 +0000

https://github.com/systemd/systemd/issues/9867

This ticket shows clearly that the operators of gnu.org didn't fix their bad DNSSEC configuration despite it being pointed out to them.

https://danwin1210.me e.g. This domain uses DNSSEC, where is the problem connecting to it?

Julien Lepiller:
> No, resolved is on the client side. This means that they managed to set up dnssec, but some clients who use systemd (most Linux users) can't connect to gnu.org domains anymore. I don't think this is acceptable :)
>
> On 25 May 2021 08:51:29 GMT-04:00, bo0od <bo0od@riseup.net> wrote:
>> Then don't use systemd to do that. There are many other methods/tools to achieve having it.
>>
>> Marius Bakke:
>>> Julien Lepiller <julien@lepiller.eu> writes:
>>>> On 16 April 2021 12:15:25 GMT-04:00, Leo Famulari <leo@famulari.name> wrote:
>>>>> On Fri, Apr 16, 2021 at 11:00:05AM +0000, bo0od wrote:
>>>>>> Scanning Guix website gave many missing security features which modern security needs them to be available:
>>>>>>
>>>>>> * TLS and DNS:
>>>>>>
>>>>>> looking at:
>>>>>>
>>>>>> https://www.hardenize.com/report/guix.gnu.org/1618568751
>>>>>> https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org
>>>>>
>>>>> Thanks!
>>>>>
>>>>>> - DNS: DNSSEC support missing (important)
>>>>>
>>>>> Hm, is it important? My impression is that it's an idea whose time has passed without significant adoption. But maybe we could enable it if the costs are not too great.
>>>>
>>>> gnu.org does not have dnssec, so we'd need them to work on that first.
>>>
>>> gnu.org used to have DNSSEC, but disabled it because it gave NXDOMAIN on machines with systemd-resolved:
>>>
>>> https://github.com/systemd/systemd/issues/9867