
posted by NCommander on Thursday August 25 2016, @01:00PM
from the you-can-haz-RRSIG dept.

In the ongoing battle of site improvements and shoring up security, I finally managed to scratch a long-standing itch and DNSSEC-signed the soylentnews.org domain. As of right now, the chain of trust validates end to end and the signed zone has been pushed to all our end-points.

Right now, I'm getting ready to dig in with TheMightyBuzzard to work on improving XSS protection for the site, and starting to lay out new site features (which will be in a future post). As with any meta post, I'll be reading your comments below.

~ NCommander

  • (Score: 2) by VLM on Thursday August 25 2016, @02:24PM

    by VLM (445) on Thursday August 25 2016, @02:24PM (#393015)

    So, after a ridiculous collection of village people stopped singing YMCA and finally got down to work, the VIP hobbit picked up the ring, then they walked a hell of a long way, and threw the ring in the volcano, and all's well that ends well. (Sorry if that's a spoiler to some of you?)

    Anyway just saying stories of epic sysadmin battle are best told in detail. And how did you slay the demon of expiring RRSIGs? I hope it's not something really boring like "redo 'em by hand every 30 days". I mean that works and success has a glory all its own regardless of technique, but there should be at least some cool battle stories and side quests along the path...

  • (Score: 2) by Azuma Hazuki on Thursday August 25 2016, @04:19PM

    by Azuma Hazuki (5086) on Thursday August 25 2016, @04:19PM (#393083) Journal

    By hand? No, a tiny shell script with a generous sprinkling of rand(); works for that. Sysadmins, remember? We have tools for that sort of thing =P

    --
    I am "that girl" your mother warned you about...
  • (Score: 2) by NCommander on Thursday August 25 2016, @07:06PM

    by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Thursday August 25 2016, @07:06PM (#393146) Homepage Journal

    Short version: BIND9 inline signing, and not bothering with key rotation (we're signed using SHA256).

    BIND will automatically regenerate the RRSIG records as needed and bump the serial on the fly to make it happen. Both the KSK and ZSK are SHA256 keys. I could script key replacement on the fly, but given that SHA256 + 2048 bytes is safe enough for the general web without constant rotation, it's something I'm not going to lose sleep over.

    NSEC3 resigning happens automatically by BIND, but I'm not really worried about zone enumeration either; our public facing services are public. Private stuff goes into the li694-22 pseudo-TLD we use (which also needs to be signed, but since it's a fake TLD, I'll have to do DNSSEC DLV to make that fly which is all sorts of 'fun'. I should probably do it though because we use Hesiod, and then locally validate DNSSEC chains).

    --
    Still always moving
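Added example (not the site's tooling, and not code from NCommander's setup): whether the RRSIGs are being refreshed by inline signing or by a cron job, the check a practitioner wants is an outside view that asks "is any signature in this zone expired, or about to expire?" The script below parses RRSIG records from a zone dump, one RR per line as `dig` prints them (a BIND zone file with multi-line `( ... )` records would need the lines joined first), and classifies each one against a supplied clock. The zone lines are constructed for the example; `example.org` and the signature blobs are placeholders.

```python
"""Flag expired or soon-to-expire RRSIGs in a zone dump.

Added example, not the site's own tooling. Input is one RR per line in
presentation format (what `dig @ns AXFR zone` or `dig +dnssec` prints).
"""
from datetime import datetime, timedelta, timezone

# Constructed sample records (example.org, dummy signatures); not real data.
SAMPLE_ZONE = """\
example.org. 3600 IN RRSIG SOA 8 2 3600 20160925120000 20160825120000 12345 example.org. AbCd==
example.org. 3600 IN RRSIG NS 8 2 3600 20160826000000 20160727000000 12345 example.org. AbCd==
www.example.org. 300 IN RRSIG A 8 3 300 20160820000000 20160721000000 12345 example.org. AbCd==
example.org. 3600 IN RRSIG TXT 8 2 3600 20160925120000 20160826120000 12345 example.org. AbCd==
www.example.org. 300 IN A 192.0.2.10
"""


def parse_sigtime(text):
    """RRSIG times are YYYYMMDDHHmmSS in UTC (RFC 4034 s3.2)."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(zone_text):
    """Pick RRSIG records out of a zone dump; every other RR type is skipped."""
    sigs = []
    for line in zone_text.splitlines():
        f = line.split()
        # owner ttl class RRSIG type alg labels origttl expiration inception keytag signer sig
        if len(f) < 13 or f[3] != "RRSIG":
            continue
        sigs.append({
            "owner": f[0],
            "type_covered": f[4],
            "algorithm": int(f[5]),
            "expiration": parse_sigtime(f[8]),
            "inception": parse_sigtime(f[9]),
            "key_tag": int(f[10]),
            "signer": f[11],
        })
    return sigs


def check_rrsigs(zone_text, now, warn_days=7):
    """Return [(owner, type_covered, status, expiration)] with status one of
    ok / expiring / expired / not-yet-valid. A signature validates only when
    inception <= now <= expiration; outside that window validating resolvers
    answer SERVFAIL for the covered RRset."""
    report = []
    for sig in parse_rrsigs(zone_text):
        if sig["inception"] > now:
            status = "not-yet-valid"   # clock skew, or a signature generated in the future
        elif sig["expiration"] < now:
            status = "expired"
        elif sig["expiration"] - now < timedelta(days=warn_days):
            status = "expiring"        # resigning should already have happened
        else:
            status = "ok"
        report.append((sig["owner"], sig["type_covered"], status,
                       sig["expiration"].strftime("%Y%m%d%H%M%S")))
    return report


def zone_needs_attention(report):
    """True if any RRSIG is outside, or about to leave, its validity window."""
    return any(status != "ok" for _, _, status, _ in report)


if __name__ == "__main__":
    for row in check_rrsigs(SAMPLE_ZONE, datetime.now(timezone.utc)):
        print("%-20s %-5s %-14s expires %s" % row)
```

Run it against a real dump (`dig @your-master soylentnews.org AXFR > zone.txt`, then feed the file to `check_rrsigs`) from a host that is not the signer, with the warning threshold set shorter than the resign interval BIND is configured for; an "expiring" result then means the automatic resigning is not actually happening.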
    • (Score: 1) by Mike on Friday August 26 2016, @04:05PM

      by Mike (823) on Friday August 26 2016, @04:05PM (#393539)

      Did you look at dnssec-tools?... https://www.dnssec-tools.org/ [dnssec-tools.org]

      In particular, rollerd handles automated key rollovers. It'll roll zone signing keys without needing input. Key signing key rollovers still need some manual handling as you have to get the dsset to your registrar then run a short command. IIRC, depending on key/signature life time you may still need to script resigning zones periodically, but that's fairly simple (e.g. a cron job of 'rollctrl -signzone zone-name').

      • (Score: 2) by NCommander on Sunday August 28 2016, @08:20PM

        by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Sunday August 28 2016, @08:20PM (#394320) Homepage Journal

        Belated reply; that won't work with inline signing in BIND, and rechecking the config, BIND actually does roll the ZSK automatically (which I thought it did: https://deepthought.isc.org/article/AA-00711/0/In-line-Signing-With-NSEC3-in-BIND-9.9-A-Walk-through.html). [isc.org] We don't bother rolling over the KSK; I'll probably do it once in awhile by hand.

        I uploaded both the KSK and ZSK to the registrar when I signed the zone which in hindsight was a mistake (though not a fatal one, as long as the KSK validates the chain of trust, DNSSEC will accept it. Lingering keys are supported to allow rollover in the light of propagation delays; what you're supposed to do is add the new key, then resign so any clients that have a mix of old and new can still validate a chain of trust).

        --
        Still always moving
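Added example (not NCommander's code or the site's own tooling) for the registrar step discussed above: the DS record a parent publishes is derived from the DNSKEY RR, and only the key with the SEP flag set (flags 257, the KSK) needs one; the ZSK (flags 256) is vouched for by the zone's own signed DNSKEY RRset, which is why it can roll without touching the registrar. The script computes the DS per RFC 4034 section 5.1.4 (key tag, algorithm, digest type, SHA-256 over the owner name in canonical wire form followed by the DNSKEY RDATA) and filters the key set down to the DS records that belong at the parent. The two DNSKEY records are constructed with a 4-byte dummy public key so the example is short; real RSA keys are hundreds of bytes.

```python
"""Compute DS records from DNSKEY RRs and pick out which ones belong at the parent.

Added example, not the site's own tooling. Only keys with the SEP flag set
(flags 257, the KSK) need a DS at the registrar.
"""
import base64
import hashlib
import struct

SEP_FLAG = 0x0001        # Secure Entry Point bit, set on KSKs
ZONE_KEY_FLAG = 0x0100   # must be set on any DNSKEY that signs zone data

# Constructed keys with a dummy 4-byte public key; not real key material.
SAMPLE_DNSKEYS = [
    "example.org. 3600 IN DNSKEY 256 3 8 AAECAw==",   # ZSK: no DS needed
    "example.org. 3600 IN DNSKEY 257 3 8 AAECAw==",   # KSK: DS goes to the registrar
]


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercased labels, uncompressed."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def parse_dnskey(rr):
    """Parse 'owner [ttl] [class] DNSKEY flags proto alg base64...' presentation form."""
    f = rr.split()
    i = f.index("DNSKEY")
    flags, proto, alg = int(f[i + 1]), int(f[i + 2]), int(f[i + 3])
    pubkey = base64.b64decode("".join(f[i + 4:]))  # key text may be split over several tokens
    return f[0], flags, proto, alg, pubkey


def dnskey_rdata(flags, proto, alg, pubkey):
    """DNSKEY RDATA wire form: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(rr):
    flags = parse_dnskey(rr)[1]
    return bool(flags & ZONE_KEY_FLAG) and bool(flags & SEP_FLAG)


def ds_record(rr, digest_type=2):
    """DS RDATA: key tag, algorithm, digest type, hash(owner wire form || DNSKEY RDATA)."""
    owner, flags, proto, alg, pubkey = parse_dnskey(rr)
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), alg, digest_type, digest)


def ds_records_to_publish(dnskey_rrs):
    """The DS set to hand to the registrar: one per KSK, none for ZSKs."""
    return [ds_record(rr) for rr in dnskey_rrs if is_ksk(rr)]


if __name__ == "__main__":
    for line in ds_records_to_publish(SAMPLE_DNSKEYS):
        print(line)
```

BIND ships `dnssec-dsfromkey` for the same computation; the value of doing it by hand once is seeing that the DS binds the owner name as well as the key bytes, so a DS copied between zones is useless. To check what is actually published, compare the output against `dig DS soylentnews.org +short` and confirm that every DS at the parent matches a key tag that currently appears in the zone's DNSKEY RRset with flags 257.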