
SoylentNews is people

posted by NCommander on Thursday August 25 2016, @01:00PM
from the you-can-haz-RRSIG dept.

In the ongoing battle of site improvements and shoring up security, I finally managed to scratch a long-standing itch and signed the soylentnews.org domain. As of right now, our chain is fully validated and pushed to all our end-points.

Right now, I'm getting ready to dig in with TheMightyBuzzard to work on improving XSS protection for the site, and starting to lay out new site features (which will be in a future post). As with any meta post, I'll be reading your comments below.

~ NCommander

  • (Score: 3, Interesting) by ledow (5567) on Thursday August 25 2016, @04:40PM (#393094)

    Someone please tell The Register. On much less funding you've done ten times more "IT stuff" than they have. No IPv6, no SSL/TLS, no DNSSEC, and their authors still use ancient home webmail services rather than just a damn email forward.

    How do you take a geek/IT site seriously if they can't even do the things they keep telling us all off for not doing?

    P.S. my personal domain has most of the above, except DNSSEC because it's a pain in the butt.

  • (Score: 2) by NCommander (2) <michael@casadevall.pro> on Thursday August 25 2016, @06:53PM (#393134)

    DNSSEC isn't bad if you're using your own BIND master. Just make a signing key and turn on inline signing. Problem solved.

    Just make sure you generate RSASHA256 keys vs. the default of SHA1 ones.

    --
    Still always moving
    • (Score: 2) by ledow (5567) on Thursday August 25 2016, @07:39PM (#393157)

      But if you're not using your own BIND master, it's an absolute pain in the butt.

      I find it disappointing that most domain hosts don't even offer it as an option at all. It's the sort of thing they should be managing for most people.

      • (Score: 2) by NCommander (2) <michael@casadevall.pro> on Thursday August 25 2016, @09:06PM (#393187)

        To an extent, I do get why it's not common. Key management in DNSSEC is not trivial, and you don't want your signing keys controlled by a third party if it can be avoided. There's plenty of misinformation around; for example, most guides state that SHA1 is the only supported signing algorithm. It isn't; most of the roots are signed SHA256, for instance.

        On the webUI front, Linode doesn't support it directly, but you can replicate RRSIG to their zone by AXFR. As there is no standardized interface to upload the KSK/ZSK, it becomes something of a PITA. It's also possible to put a DNSSEC frontend in front of your servers which will sign the zone in-transit if you can do online key signing. That way, you can just set the front-end as authoritative, and point your NS records at that.

        Cloudflare at the very least did it right and signed all the domains under their control (which was only possible since they're also a registrar, I think).

        --
        Still always moving
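The two NCommander comments above make one practical point: a signed zone is only as good as its key algorithms, and the default SHA1-based keys should be replaced with RSASHA256 or stronger. The following is an added example, not code from the thread or from SoylentNews, that audits a zone's DNSKEY RRset for exactly that; it assumes input in the presentation format `dig DNSKEY <zone>` prints, and the sample records and key material are constructed placeholders.

```python
# Added example: flag SHA1-based DNSKEY algorithms in a zone's DNSKEY RRset.
# Input is DNSKEY presentation format: owner ttl class DNSKEY flags proto alg key
from dataclasses import dataclass

# IANA DNSSEC algorithm numbers (subset). Second field: True if SHA1-based.
ALGORITHMS = {
    5: ("RSASHA1", True),
    7: ("RSASHA1-NSEC3-SHA1", True),
    8: ("RSASHA256", False),
    10: ("RSASHA512", False),
    13: ("ECDSAP256SHA256", False),
    14: ("ECDSAP384SHA384", False),
    15: ("ED25519", False),
    16: ("ED448", False),
}

@dataclass
class DnsKey:
    owner: str
    role: str        # "KSK" (flags 257, SEP bit set) or "ZSK" (flags 256)
    algorithm: str
    weak: bool

def parse_dnskey(line: str) -> DnsKey:
    """Parse one DNSKEY record and classify its role and algorithm."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, protocol, alg = (int(f) for f in fields[idx + 1:idx + 4])
    if protocol != 3:                      # RFC 4034: protocol is always 3
        raise ValueError(f"protocol must be 3, got {protocol}")
    if flags & 0x0001:                     # Secure Entry Point bit -> KSK
        role = "KSK"
    elif flags & 0x0100:                   # Zone Key bit only -> ZSK
        role = "ZSK"
    else:
        raise ValueError(f"unexpected DNSKEY flags {flags}")
    name, weak = ALGORITHMS.get(alg, (f"unknown({alg})", True))
    return DnsKey(fields[0], role, name, weak)

def audit(zone_text: str) -> list:
    """One finding per SHA1-based or unknown key; an empty list means clean."""
    findings = []
    for line in zone_text.splitlines():
        if " DNSKEY " in line:
            key = parse_dnskey(line)
            if key.weak:
                findings.append(f"{key.owner} {key.role} uses {key.algorithm}; "
                                "regenerate with RSASHA256 or stronger")
    return findings

# Constructed sample: KSK already RSASHA256, ZSK still on the old RSASHA1 default.
SAMPLE = """example.org. 3600 IN DNSKEY 257 3 8 AwEAAc3rQ...==
example.org. 3600 IN DNSKEY 256 3 5 AwEAAbQ7L...=="""
```

Running `audit(SAMPLE)` reports the ZSK only; run the same check against the output of `dig DNSKEY` for a zone you operate to confirm a rollover actually retired the SHA1 key.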
  • (Score: 3, Funny) by NCommander (2) <michael@casadevall.pro> on Thursday August 25 2016, @06:59PM (#393141)

    Oh, on the topic of webmail, we actually use Squirrelmail still here since the staff have a preference for it, complete with frames! If The Register want to hire me for freelance work, well, point them at my email :)

    (and honestly, I get a huge amount of kicks out of replying to people saying "When will soylentnews.org support X", and linking an article from months ago that we have X (such as every IPv6 post we have here ...))

    --
    Still always moving