Security

This document outlines common risks and possible best practices specifically for the DNS charms. It focuses on configurations and protections available through the charms themselves.

The overall best practice is to keep your charms updated to the latest version available.
A good understanding of the DNS system is also helpful.

Configuration

The DNS charms have security-related configurations, and misconfiguring them can lead to vulnerabilities.

bind-operator

No security-related configurations available.

dns-policy

dns-policy uses a Django application under the hood for its API and web interface. As such, some of its configuration options correspond directly to Django settings.

  • debug: Puts the application in debug mode. Keep it disabled on any deployment that others can reach, as Django's debug error pages disclose internal details such as settings and stack traces.

  • allowed-hosts: Configures the hostnames through which the API and web interface of the application may be reached (Django's ALLOWED_HOSTS). List only the names actually in use rather than a wildcard.
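The following audit script is an added example, not part of the charm or its documentation. It reads the JSON that `juju config dns-policy --format=json` prints and flags the two settings listed above; it assumes the output is shaped as settings -> key -> value, and that allowed-hosts is a comma-separated host list in the style of Django's ALLOWED_HOSTS.

```python
"""Audit the security-related settings of a deployed dns-policy application.

Added example, not part of the charm or its documentation. It reads the JSON
that `juju config dns-policy --format=json` prints. Assumptions: the output is
shaped as settings -> key -> value, and allowed-hosts is a comma-separated
host list in the style of Django's ALLOWED_HOSTS.
"""
import json
import sys
from typing import List


def audit_dns_policy_config(config_json: str) -> List[str]:
    """Return human-readable findings; an empty list means both settings look sane."""
    settings = json.loads(config_json).get("settings", {})
    findings: List[str] = []

    debug = settings.get("debug", {}).get("value", False)
    # Booleans may come back as real booleans or as strings, depending on how they were set.
    if str(debug).lower() in ("true", "1", "yes"):
        findings.append("debug=true: Django's debug error pages disclose settings, "
                        "stack traces and SQL to anyone who triggers an error")

    raw_hosts = settings.get("allowed-hosts", {}).get("value") or ""
    hosts = [h.strip() for h in str(raw_hosts).split(",") if h.strip()]
    if not hosts:
        findings.append("allowed-hosts is empty: set it to the exact hostnames "
                        "the API and web interface are served under")
    if "*" in hosts:
        findings.append("allowed-hosts contains '*': the Host header is no longer "
                        "validated, which defeats Django's host header protection")
    return findings


# Constructed samples in the shape of `juju config --format=json` output.
WEAK_CONFIG = json.dumps({"application": "dns-policy", "settings": {
    "debug": {"value": True}, "allowed-hosts": {"value": "*"}}})
HARDENED_CONFIG = json.dumps({"application": "dns-policy", "settings": {
    "debug": {"value": False}, "allowed-hosts": {"value": "dns-policy.example.com"}}})

if __name__ == "__main__":
    # Usage: juju config dns-policy --format=json | python3 audit_dns_policy.py
    source = sys.stdin.read() if not sys.stdin.isatty() else WEAK_CONFIG
    for finding in audit_dns_policy_config(source):
        print("WARNING:", finding)
```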

dns-integrator

No security-related configurations available.

Data

Only dns-policy uses an external database to store its data, through the postgresql interface.

Back up PostgreSQL

Follow the instructions of the PostgreSQL charm:

If you plan to restore PostgreSQL in a different model or cluster, you will need to also back up the cluster passwords. See:

Restore PostgreSQL

Follow the instructions given by PostgreSQL:

Reviewers

dns-policy exposes a create-reviewer action for creating reviewers.
The action creates a user and prints that user's password in the terminal. Copy it to a safe location, as this is the only time it will be displayed.
Anyone who gains reviewer access to the policy application can accept and deny DNS record requests.

Upstream

The DNS charms depend on external software to work properly.
It is useful to be aware of the security recommendations of those upstream projects.

For details regarding upstream Bind configuration and broader security considerations, please refer to the official Bind documentation.

For details regarding upstream Django configuration and broader security considerations, please refer to the official Django documentation.