Date: Wed, 25 Jun 2003 09:54:07 +0900
From: Jun Kuriyama <kuriyama@imgsrc.co.jp>
To: freebsd-hubs@freebsd.org
Subject: Re: DRAFT - DNS Admin Guide
Message-ID: <7m7k7b564w.wl@black.imgsrc.co.jp>
In-Reply-To: <20030624173337.GD11784@electra.cse.Buffalo.EDU>
References: <20030624173337.GD11784@electra.cse.Buffalo.EDU>

# Though writing a guideline is a good thing, we have not reached the
# point of writing such a long article.  We are at the discussion stage,
# which needs simpler text...

At Tue, 24 Jun 2003 13:33:37 -0400,
Ken Smith wrote:
> There are several more or less distinct groups whose function at least
> partially involves DNS.  The groups are:
>
>     1) WWW site administrators
>     2) cvsup site administrators
>     3) FTP mirror site administrators
>     4) email system administrators (support for @freebsd.org email)
>     5) operations support administrators (provide machine(s) for
>        release builds, ports builds, etc).

In discussion at hubs@, we should concentrate on (1), (2) and (3).
(4) and (5) are operated in other areas.

> Proposed Layout
> ---------------
>
> We propose identifying one [ed: two?] person who is the "Coordinator"
> of each group listed above.  By default this will be the only person
> who can request DNS updates.  To make things simpler for the dnsadm@
> staff there will be no explicit rules on what sorts of updates any
> individual Coordinator is allowed to request - it will be assumed each
> Coordinator knows enough about DNS to make only the requests
> appropriate to their group's needs and can be trusted to not act
> maliciously.  These Coordinators may appoint other people who are
> allowed to request DNS changes but should do so conservatively.
> Keeping things simple is important.  For example if the Mirror System
> is so large that the Mirror Site Coordinator feels the need to
> delegate administration of European sites s/he can request a second
> person be allowed to request DNS changes.  Again, unless it becomes
> necessary, no explicit rules will be set for who is allowed to request
> specific types of changes under the assumption the people granted
> permission to make update requests know what they are doing.
>
> [ed: I can't decide if requiring PGP signatures is overkill...]
> People identified as Coordinators need to have usernames in
> freebsd.org.  Messages requesting changes should be PGP signed and, if
> possible, from their @freebsd.org email address.  Messages requesting
> updates should be sent to "dnsadm@freebsd.org", no matter what piece
> of the FreeBSD namespace the update is being requested for (see below).

I like Kris's suggestion, but I don't think we need a bottleneck such
as the coordinator above.

The idea in my mind is to create a "name vs email" table to identify who
is authoritative for this DNS name.  Like:

    ftp-master.FreeBSD.org      peter@FreeBSD.org kuriyama@FreeBSD.org
    cvsup-master.FreeBSD.org    kuriyama@FreeBSD.org
    ftp.FreeBSD.org             foo@example.net bar@example.com
    ftp2.FreeBSD.org            blah@example.org

and create a collection of PGP public keys of the above contacts.  If we
can prepare this table, dnsadm@ can easily identify whether a signed
request is authorized or not.

Ah yes, we need a coordinator to collect this information in a secure
and authorized way...

-- 
Jun Kuriyama <kuriyama@imgsrc.co.jp> // IMG SRC, Inc.
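
The check the message describes, sketched as an added example that is not part of the original e-mail or of any FreeBSD tooling: it keys authorization on the fingerprint of the key that made an already-verified signature and looks the owner up in the "name vs email" table. The function names, the keyring layout and the fingerprints are assumptions made for illustration.

```python
# Added example. The table rows come from the message; the key fingerprints
# are constructed placeholders, not real keys.
TABLE = """\
ftp-master.FreeBSD.org    peter@FreeBSD.org kuriyama@FreeBSD.org
cvsup-master.FreeBSD.org  kuriyama@FreeBSD.org
ftp.FreeBSD.org           foo@example.net bar@example.com
ftp2.FreeBSD.org          blah@example.org
"""
# Fingerprint -> contact address, as collected out of band by the coordinator.
KEYRING = {
    "A" * 40: "peter@freebsd.org",
    "B" * 40: "kuriyama@freebsd.org",
    "C" * 40: "foo@example.net",
}

def norm_name(name):
    """DNS names compare case-insensitively; drop the optional trailing dot."""
    return name.strip().rstrip(".").lower()

def parse_table(text):
    """Parse 'name contact [contact ...]' lines into {name: {contacts}}."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            contacts = table.setdefault(norm_name(fields[0]), set())
            contacts.update(addr.lower() for addr in fields[1:])
    return table

def authorize(table, keyring, signer_fpr, names):
    """Decide whether one signed request may change every name it lists.

    signer_fpr is the fingerprint of the key that produced a signature already
    verified as valid (e.g. by gpg), or None. The From: header is never
    consulted, since it is trivially forged.
    """
    if signer_fpr is None:
        return False, "no valid signature"
    owner = keyring.get(signer_fpr.replace(" ", "").upper())
    if owner is None:
        return False, "signing key not in keyring"
    if not names:
        return False, "request lists no names"
    denied = [n for n in names if owner not in table.get(norm_name(n), set())]
    if denied:
        return False, "not authoritative for: " + ", ".join(denied)
    return True, "authorized as " + owner
```

A request that names several records is refused as a whole if the signer is not listed for any one of them, so a contact for one mirror cannot slip in a change to another.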