[Openstack-security] instance-data sinkholing
Florian Weimer
fw at deneb.enyo.de
Sun Jan 5 19:25:31 UTC 2014
* Thierry Carrez:
> Bryan D. Payne wrote:
>> Interesting. Sounds like a useful thing to continue. We should find
>> someone that can pick up this effort. Anyone out there able to help
>> with this?
>
> If all else fails, I could probably ask the Foundation if they would be
> OK to hold those domains -- although at this point they don't have (yet)
> a resource to actively exploit data coming from it.
>
> IIUC this is not OpenStack-specific but more EC2-metadata specific?

It's a bit complicated. I haven't tested if EC2 actually supports the
DNS-based approach; their documentation suggests using the hard-coded
169.254.169.254 instead. And you don't necessarily need code in the
hosting environment for that, you only need to configure a root zone
which has an A record a suitable delegation.