DRAFT - DNS Admin Guide
Jun Kuriyama
kuriyama at imgsrc.co.jp
Tue Jun 24 17:54:11 PDT 2003
# Though writing a guideline is a good thing, we have not reached the
# point of writing such a long article. We are at the discussion stage,
# which needs simpler text...
At Tue, 24 Jun 2003 13:33:37 -0400,
Ken Smith wrote:
> There are several more or less distinct groups whose function at least
> partially involves DNS. The groups are:
>
> 1) WWW site administrators
> 2) cvsup site administrators
> 3) FTP mirror site administrators
> 4) email system administrators (support for @freebsd.org email)
> 5) operations support administrators (provide machine(s) for
> release builds, ports builds, etc).
In the discussion at hubs@, we should concentrate on (1), (2) and (3).
(4) and (5) are operated in another area.
> Proposed Layout
> ---------------
>
> We propose identifying one [ed: two?] person who is the "Coordinator"
> of each group listed above. By default this will be the only person
> who can request DNS updates. To make things simpler for the dnsadm@
> staff there will be no explicit rules on what sorts of updates any
> individual Coordinator is allowed to request - it will be assumed each
> Coordinator knows enough about DNS to make only the requests
> appropriate to their group's needs and can be trusted to not act
> maliciously. These Coordinators may appoint other people who are
> allowed to request DNS changes but should do so conservatively.
> Keeping things simple is important. For example if the Mirror System
> is so large that the Mirror Site Coordinator feels the need to
> delegate administration of European sites s/he can request a second
> person be allowed to request DNS changes. Again, unless it becomes
> necessary, no explicit rules will be set for who is allowed to request
> specific types of changes under the assumption the people granted
> permission to make update requests know what they are doing.
>
> [ed: I can't decide if requiring PGP signatures is overkill...]
> People identified as Coordinators need to have usernames in
> freebsd.org. Messages requesting changes should be PGP signed and, if
> possible, from their @freebsd.org email address. Messages requesting
> updates should be sent to "dnsadm at freebsd.org", no matter what piece
> of the FreeBSD namespace the update is being requested for (see below).
I like Kris's suggestion, but I don't think we need a bottleneck such
as the coordinator described above.
The idea in my mind is to create a "name vs email" table to identify
who is authoritative for each DNS name. Like:

    ftp-master.FreeBSD.org    peter at FreeBSD.org
                              kuriyama at FreeBSD.org
    cvsup-master.FreeBSD.org  kuriyama at FreeBSD.org
    ftp.FreeBSD.org           foo at example.net
                              bar at example.com
    ftp2.FreeBSD.org          blah at example.org
and create a collection of PGP public keys for the above contacts.
If we can prepare this table, dnsadm@ can easily identify whether a
signed request is authorized or not.
Ah yes, we need a coordinator to collect this information in a secure
and authorized way...
--
Jun Kuriyama <kuriyama at imgsrc.co.jp> // IMG SRC, Inc.
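The check sketched in the mail above (a "name vs email" table plus a keyring of the contacts' PGP keys, used by dnsadm@ to decide whether a signed request is authorized) as an added example; this is not code from the freebsd-hubs thread or from the FreeBSD project. It assumes the PGP signature itself has already been verified by an external tool such as gpg, which reports the fingerprint of the signing key; the code then binds authorization to that key rather than to the From: address, which a sender can forge. The table, the fingerprints in the keyring and the request line format (`add|change|delete <name> <type> <data>`) are all constructed for the example.

```python
"""Authorization check for DNS change requests against a "name vs email" table.

Added example, not code from the freebsd-hubs thread. Assumes an external
PGP verification step (e.g. gpg) has already validated the signature and
returned the signing key's fingerprint; only the authorization decision is
implemented here. All sample data below is constructed.
"""
from collections import defaultdict

# Constructed table in the layout sketched in the mail: a line that starts
# with a hostname gives its first contact; lines that start with whitespace
# add further contacts for the same hostname.
TABLE_TEXT = """\
ftp-master.FreeBSD.org    peter@FreeBSD.org
                          kuriyama@FreeBSD.org
cvsup-master.FreeBSD.org  kuriyama@FreeBSD.org
ftp.FreeBSD.org           foo@example.net
                          bar@example.com
ftp2.FreeBSD.org          blah@example.org
"""

# Constructed keyring: fingerprint of a verified PGP key -> contact address.
# These fingerprints are placeholders, not real keys.
KEYRING = {
    "0123456789ABCDEF0123456789ABCDEF01234567": "peter@FreeBSD.org",
    "89ABCDEF0123456789ABCDEF0123456789ABCDEF": "kuriyama@FreeBSD.org",
    "FEDCBA9876543210FEDCBA9876543210FEDCBA98": "blah@example.org",
}


def parse_table(text):
    """Return {hostname (lower-case, no trailing dot): set of contact addresses}."""
    contacts = defaultdict(set)
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            # continuation line: one more contact for the previous hostname
            if current is None:
                raise ValueError("continuation line before any hostname: %r" % raw)
            contacts[current].add(raw.strip().lower())
        else:
            parts = raw.split()
            if len(parts) != 2:
                raise ValueError("expected '<hostname> <contact>': %r" % raw)
            current = parts[0].lower().rstrip(".")
            contacts[current].add(parts[1].lower())
    return dict(contacts)


def names_in_request(request_lines):
    """Collect the owner names a request wants to add, change or delete."""
    names = set()
    for line in request_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("add", "change", "delete"):
            raise ValueError("unparseable request line: %r" % line)
        names.add(parts[1].lower().rstrip("."))
    return names


def authorize(table, keyring, signing_fingerprint, request_lines):
    """Decide whether a verified signer may make every change in the request.

    Returns (ok, reasons). ok is True only if the key is in the keyring and its
    owner is a listed contact for every name touched; names that have no entry
    in the table are refused (fail closed).
    """
    fpr = signing_fingerprint.replace(" ", "").upper()
    signer = keyring.get(fpr)
    if signer is None:
        return (False, ["signing key %s is not in the dnsadm keyring" % fpr])
    signer = signer.lower()
    reasons = []
    for name in sorted(names_in_request(request_lines)):
        allowed = table.get(name)
        if allowed is None:
            reasons.append("%s: no contact on record" % name)
        elif signer not in allowed:
            reasons.append("%s: %s is not a listed contact" % (name, signer))
    return (not reasons, reasons)


if __name__ == "__main__":
    table = parse_table(TABLE_TEXT)
    request = ["change ftp-master.FreeBSD.org A 192.0.2.1",
               "add ftp.FreeBSD.org A 192.0.2.3"]
    ok, why = authorize(table, KEYRING,
                        "89ABCDEF0123456789ABCDEF0123456789ABCDEF", request)
    print("authorized" if ok else "refused: " + "; ".join(why))
```

The request is evaluated as a whole: if the signer is a contact for some of the names but not all, the entire request is refused rather than partially applied, and an unknown key or an unlisted name is refused even when the From: address looks right.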