dns-traefik-sync/SECURITY.md

22 lines
871 B
Markdown

# Security
## Reporting
Raise a private issue in Forgejo or contact the repo owner directly.
## Credentials
- Never commit keytabs, .ccache files, or .env files - all are in .gitignore
- The keytab must be stored as a Docker secret only
- The service account (dns-updater) should have no other privileges beyond DnsAdmins
- Rotate the keytab periodically - see docs/operations.md
## Threat model
| Threat | Mitigation |
|---|---|
| Keytab compromise | Scoped to DnsAdmins only; rotate via samba-tool user setpassword |
| Container escape | Runs as nobody; no capabilities; no host mounts beyond the secret |
| DNS spoofing | GSS-TSIG: updates are Kerberos-signed and verified by the KDC |
| Unauthorised DNS writes | Only the dns-updater principal can authenticate with this keytab |
| Traefik API abuse | API is read-only; no writes to Traefik from this service |