What would you like to be added:
Integration of AWS Secrets Manager for DNSSEC key management within the CoreDNS DNSSEC plugin. This feature should enable the DNSSEC plugin to retrieve cryptographic keys directly from AWS Secrets Manager, moving away from the dependency on locally stored key files.
Why is this needed:
The current implementation of the DNSSEC plugin in CoreDNS requires cryptographic keys to be stored in local files. This approach can inadvertently lead to insecure practices, such as embedding keys in container images or including them in version control systems, to simplify deployment processes. Such practices expose keys to higher risks of unauthorized access and potential leakage.
Integrating AWS Secrets Manager can mitigate these risks by providing a secure and centralized key management solution, which offers:
- Secure Storage and Access: Keys are stored securely in the cloud with encryption at rest and are accessed over encrypted channels, minimizing the risk of exposure during storage and transmission.
- Elimination of Insecure Practices: By fetching keys directly from a managed service, there's no need to store keys within the application's operational environment or codebase. This reduces the temptation to use insecure shortcuts in key management during deployment.
- Best Practices: Using a managed service like AWS Secrets Manager helps in adhering to security best practices.
This enhancement could improve the security of CoreDNS deployments by providing a more secure method to manage cryptographic keys, aligning with best practices for secure software deployment.