
SoylentNews is people

posted by NCommander on Thursday August 25 2016, @01:00PM
from the you-can-haz-RRSIG dept.

In the ongoing battle of site improvements and shoring up security, I finally managed to scratch a long-standing itch and signed the soylentnews.org domain. As of right now, our chain is fully validated and pushed to all our end-points.

Right now, I'm getting ready to dig in with TheMightyBuzzard to work on improving XSS protection for the site, and starting to lay out new site features (which will be in a future post). As with any meta post, I'll be reading your comments below.

~ NCommander

  • (Score: 2) by NCommander on Thursday August 25 2016, @06:53PM

    by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Thursday August 25 2016, @06:53PM (#393134) Homepage Journal

    DNSSEC isn't bad if you're using your own BIND master. Just make a signing key and turn on inline signing. Problem solved.

    Just make sure you generate RSASHA256 keys vs. the default of SHA1 ones.

    --
    Still always moving
  • (Score: 2) by ledow on Thursday August 25 2016, @07:39PM

    by ledow (5567) on Thursday August 25 2016, @07:39PM (#393157) Homepage

    But if you're not using your own BIND master, it's an absolute pain in the butt.

    I find it disappointing that most domain hosts don't even offer it as an option at all. It's the sort of thing they should be managing for most people.

    • (Score: 2) by NCommander on Thursday August 25 2016, @09:06PM

      by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Thursday August 25 2016, @09:06PM (#393187) Homepage Journal

      To an extent, I do get why it's not common. Key management in DNSSEC is not trivial, and you don't want your signing keys controlled by a third party if it can be avoided. There's plenty of misinformation around; for example, most guides state that SHA1 is the only supported signing algorithm. It isn't; most of the roots are signed SHA256 for instance.

      On the webUI front, Linode doesn't support it directly, but you can replicate RRSIG to their zone by AXFR. As there is no standardized interface to upload the KSK/ZSK, it becomes something of a PITA. It's also possible to put a DNSSEC frontend in front of your servers which will sign the zone in-transit if you can do online key signing. That way, you can just set the front-end as authoritative, and point your NS records at that.

      Cloudflare at the very least did it right and signed all the domains under their control (which was only possible since they're also a registrar I think).

      --
      Still always moving
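As an added example (not code from either comment above, nor from SoylentNews), here is a small stdlib-only Python inspector for the DNSKEY records that both of NCommander's comments turn on: it classifies each key as KSK or ZSK from its flags, computes the RFC 4034 key tag and the SHA-256 DS digest that goes to the parent zone, and flags keys generated with the SHA-1 based algorithms instead of RSASHA256. The sample records and their key material are constructed placeholders, not real keys.

```python
import base64
import hashlib
from typing import NamedTuple

# IANA DNSSEC algorithm numbers (subset); 5 and 7 are the SHA-1 based defaults older guides suggest.
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
              10: "RSASHA512", 13: "ECDSAP256SHA256", 15: "ED25519"}
SHA1_BASED = {5, 7}

class DnskeyInfo(NamedTuple):
    owner: str
    flags: int
    algorithm: int
    key_tag: int
    ds_sha256: str  # digest for a type-2 (SHA-256) DS record at the parent
    @property
    def role(self) -> str:
        # Flags 257 (SEP bit set) mark the KSK; 256 marks a ZSK.
        return "KSK" if self.flags & 1 else "ZSK"
    @property
    def weak(self) -> bool:
        return self.algorithm in SHA1_BASED
    def ds_record(self) -> str:
        return f"{self.owner} IN DS {self.key_tag} {self.algorithm} 2 {self.ds_sha256}"

def wire_name(name: str) -> bytes:
    # Canonical wire form: length-prefixed lowercase labels ending in the root label.
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata: bytes) -> int:
    # RFC 4034 Appendix B checksum over the DNSKEY RDATA (flags|proto|alg|key).
    ac = sum((b << 8) if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def inspect_dnskey(line: str) -> DnskeyInfo:
    # Presentation format: owner [ttl] [class] DNSKEY flags protocol algorithm key...
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    digest = hashlib.sha256(wire_name(fields[0]) + rdata).hexdigest().upper()
    return DnskeyInfo(fields[0], flags, alg, key_tag(rdata), digest)

# Constructed sample records; the base64 is placeholder bytes, not a real RSA key.
SAMPLE_KSK = "example.org. 3600 IN DNSKEY 257 3 8 AQIDBA=="
SAMPLE_ZSK = "example.org. 3600 IN DNSKEY 256 3 5 AQIDBA=="
```

Run it over the DNSKEY RRset `dig +dnssec DNSKEY yourzone` returns: any key reported as weak is one to regenerate with `-a RSASHA256` before publishing the DS at the parent.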