posted by NCommander on Thursday August 25 2016, @01:00PM
from the you-can-haz-RRSIG dept.

In the ongoing battle of site improvements and shoring up security, I finally managed to scratch a long-standing itch and signed the soylentnews.org domain. As of right now, our chain is fully validated and pushed to all our end-points.

Right now, I'm getting ready to dig in with TheMightyBuzzard to work on improving XSS protection for the site, and starting to lay out new site features (which will be in a future post). As with any meta post, I'll be reading your comments below.

~ NCommander

  • (Score: 1) by Mike (823) on Friday August 26 2016, @04:05PM (#393539)

    Did you look at dnssec-tools?... https://www.dnssec-tools.org/

    In particular, rollerd handles automated key rollovers. It'll roll zone signing keys without needing input. Key signing key rollovers still need some manual handling as you have to get the dsset to your register then run a short command. IIRC, depending on key/signature lifetime you may still need to script resigning zones periodically, but that's fairly simple (e.g. a cron job of 'rollctrl -signzone zone-name').

  • (Score: 2) by NCommander (2) <michael@casadevall.pro> on Sunday August 28 2016, @08:20PM (#394320)

    Belated reply; that won't work with inline signing in BIND, and rechecking the config, BIND actually does roll the ZSK automatically (which I thought it did: https://deepthought.isc.org/article/AA-00711/0/In-line-Signing-With-NSEC3-in-BIND-9.9-A-Walk-through.html). We don't bother rolling over the KSK; I'll probably do it once in a while by hand.

    I uploaded both the KSK and ZSK to the register when I signed the zone, which in hindsight was a mistake (though not a fatal one: as long as the KSK validates the chain of trust, DNSSEC will accept it. Lingering keys are supported to allow rollover in the light of propagation delays; what you're supposed to do is add the new key, then resign so any clients that have a mix of old and new can still validate a chain of trust).

    --
    Still always moving
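Both comments above turn on the same handoff: the DS record for the key-signing key has to reach the registrar (Mike's "get the dsset to your register") and has to match a DNSKEY the zone actually publishes, which is also why uploading DS records for both the KSK and the ZSK, as NCommander describes, works but leaves entries that go stale on the next rollover. The Python below is an added example and is not code from SoylentNews, dnssec-tools or BIND. It computes the key tag (RFC 4034 Appendix B) and the DS digest (RFC 4509 for SHA-256) from DNSKEY data, parses the presentation formats a dsset file uses, and reports DS entries at the registrar that no longer match any key in the zone. The function names are our own and the key bytes are constructed for the example, not real zone keys.

```python
"""Compute DS records from DNSKEY data and audit a registrar's DS set against
the keys a zone publishes.  Added example: the function names are our own and
the key material in audit_example() is constructed, not a real zone's keys."""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(owner: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels, root byte."""
    labels = [lab for lab in owner.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA = 16-bit flags, protocol (always 3), algorithm, public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B.1 key tag: 16-bit sum over the RDATA with carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = H(owner name in wire form || DNSKEY RDATA), upper-case hex."""
    h = DIGEST_ALGS[digest_type]()
    h.update(wire_name(owner) + rdata)
    return h.hexdigest().upper()


def make_ds(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """Return the DS tuple (key tag, algorithm, digest type, digest) for one DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type)


def parse_ds(line: str):
    """Parse a presentation-format DS line, e.g. one from a dsset-<zone> file."""
    fields = line.split(";")[0].split()
    i = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    return tag, alg, dtype, "".join(fields[i + 4:]).upper()


def parse_dnskey(line: str):
    """Parse a presentation-format DNSKEY line into (flags, protocol, algorithm, pubkey)."""
    fields = line.split(";")[0].split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    b64 = "".join(fields[i + 4:]).replace("(", "").replace(")", "")
    return flags, proto, alg, base64.b64decode(b64)


def check_ds_set(owner, ds_records, dnskeys):
    """Match each DS against the zone's DNSKEYs (flags, protocol, algorithm, pubkey).
    Returns (matched, stale); a stale DS matches no published key, so a resolver
    that relies on it cannot build a chain of trust once the old key is gone."""
    matched, stale = [], []
    for ds in ds_records:
        tag, alg, dtype, digest = ds
        hit = False
        for flags, proto, key_alg, pub in dnskeys:
            rd = dnskey_rdata(flags, proto, key_alg, pub)
            if key_alg == alg and key_tag(rd) == tag and ds_digest(owner, rd, dtype) == digest.upper():
                hit = True
                break
        (matched if hit else stale).append(ds)
    return matched, stale


def audit_example():
    """Constructed scenario: a KSK rollover left the old KSK's DS at the registrar."""
    zone = "example.org."
    ksk_new = (257, 3, 8, bytes(range(1, 65)))       # constructed key bytes, flags 257 = KSK
    zsk = (256, 3, 8, bytes(range(65, 129)))         # flags 256 = ZSK
    ksk_old = (257, 3, 8, bytes(range(129, 193)))    # rolled out, no longer in the zone
    published = [ksk_new, zsk]
    at_registrar = [make_ds(zone, *ksk_new), make_ds(zone, *zsk), make_ds(zone, *ksk_old)]
    return check_ds_set(zone, at_registrar, published)


if __name__ == "__main__":
    matched, stale = audit_example()
    for ds in matched:
        print("ok    DS %d %d %d %s" % ds)
    for ds in stale:
        print("STALE DS %d %d %d %s  (matches no DNSKEY in zone)" % ds)
```

To run this against a real zone, feed `parse_dnskey` the DNSKEY lines from the signed zone and `parse_ds` the lines the registrar shows (or the dsset file the signer wrote), then hand both lists to `check_ds_set`; anything in `stale` should be removed at the registrar only after the corresponding key has been retired from the zone and the DS TTL has expired, which is the ordering the rollover discussion above is about.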