can I remove `cloudron._domainkey`?

potemkin_ai

Can I remove cloudron._domainkey or change replace 'cloudron' with something else?

Don't want to expose the system I'm using via DNS name.

girish

@potemkin_ai the DNS entry is required for DKIM which is used to verify email signature when sending mails. If you don't need any of your apps sending email, you can delete the key. Otherwise, currently, it cannot be renamed but I guess you can raise a feature request to make it renameable.

potemkin_ai

@girish thank you. But why it has to have 'cloudron' prefix? It could be 'dkim._domainkey', isn't it?

If so, where do I raise a feature request? And what are the chances it will be implemented anytime soon?

nebulon

@girish correct me if I'm wrong, but I guess the cloudron tag is there to avoid potential overlap with existing DNS records. Adding cloudron makes it very unlikely that such a record already exists, which we would overwrite.

potemkin_ai

@nebulon thank you for the explanation!
If so, I guess it shall be indeed unique and to make sure it doesn't expose software running on the server - rename-able...

girish

@nebulon yes, pretty much. 'cloudron' is just a way to avoid conflicts with existing DNS keys.

@potemkin_ai Can you raise a feature request here - https://forum.cloudron.io/category/97/feature-requests ? Also, see https://forum.cloudron.io/topic/4655/change-to-the-dkim-record-hostname-in-recent-version-caused-by-new-feature-or-from-using-no-ip-domain-provider for a previous related discussion.

potemkin_ai

@girish thank you! Done.

murgero

@potemkin_ai There is no security risk by having the name "Cloudron" in a dns record - cloudron is pretty branded and emails, apps, etc all have cloudron somewhere on them. Not to mention the login screen which is accessible everywhere.

scooke

@murgero It may not be for risk-aversion, but more that the person is providing a service without telling the customers that it is Cloudron (I'm not judging here, just postulating). So if customers could see that it was a Cloudron, and how simple it is, hey... they might skip the provider and use Cloudron themselves!

potemkin_ai

@scooke negative; customers knowing how to query DNS to see DKIM and understand that ‘cloudron’ is not some other tech voodoo is not my client; and those who won’t, won’t bother either.

potemkin_ai

@murgero there is always a security risk; no software is safe from vulnerabilities, especially if security is not it’s primary focus (for example, like OpenBSD or qmail)

murgero

@potemkin_ai I would recommend you re-read my response to you my friend. I did not say there was "no security risk in Cloudron".

potemkin_ai

@murgero re-read, my response remains the same, sorry.

You know the way security scanners (or script-kiddies) works, it's to scan the network (Internet), get hosts and they software; if there is zero-day on CloudRon or other not disclosed vulnerability, apply it across the hosts.
Having DNS records showing that there is CloudRon here means you don't even need to scan for the ports, which just simplify things.

Hope that helps to understand my response here.