dns-traefik-sync/SECURITY.md
root 473855e59a
Some checks are pending
build / build (push) Waiting to run
docs: README, changelog, contributing, security, deployment, operations, CI
2026-05-24 18:21:04 +01:00

871 B

Security

Reporting

Raise a private issue in Forgejo or contact the repo owner directly.

Credentials

  • Never commit keytabs, .ccache files, or .env files - all are in .gitignore
  • The keytab must be stored as a Docker secret only
  • The service account (dns-updater) should have no other privileges beyond DnsAdmins
  • Rotate the keytab periodically - see docs/operations.md

Threat model

Threat Mitigation
Keytab compromise Scoped to DnsAdmins only; rotate via samba-tool user setpassword
Container escape Runs as nobody; no capabilities; no host mounts beyond the secret
DNS spoofing GSS-TSIG: updates are Kerberos-signed and verified by the KDC
Unauthorised DNS writes Only the dns-updater principal can authenticate with this keytab
Traefik API abuse API is read-only; no writes to Traefik from this service