dnssec
joeyh at
Added DNSSEC support to propellor and enabled it for joeyh.name. Seems to be working ok, but I think I'll wait a while before converting my other domains.
It took 122 lines of code to add this to propellor, so not exactly trivial. I did like the bit where I was able to add periodic resigning of the zone (to prevent zone-walking attacks) with just 1 more line of code:
forceZoneSigned domain zonefile `period` recurrance
Not that I actually care about zone-walking attacks for my domains; all their DNS configuration is public in propellor's config.hs anyway..
Olivier Mehani, Raúl Benencia, Evan Prodromou likes this.
Also added SSHFP support to propellor. Works beautifully -- configure ssh pubkey in one place and it's both deployed to the host's /etc/ssh and to the dns server's SSHFP records.
ssh can be configured to automatically accept SSHFP keys secured with DNSSEC -- no more "host key changed" messages.
Olivier Mehani likes this.
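To make the SSHFP mechanism concrete, here is an added example (mine, not propellor's code or anything from joeyh's config): it derives the SSHFP RDATA from an OpenSSH public key line exactly as ssh-keygen -r does (SHA-1 and SHA-256 of the raw key blob, RFC 4255 / RFC 6594), and models the VerifyHostKeyDNS decision on the client: a matching record is only trusted outright when the DNS answer was DNSSEC-validated; otherwise ssh falls back to its usual host-key prompt. The key, the host name host.example.invalid and the records are constructed inline so it runs offline.

```python
import base64
import hashlib
import struct

# SSHFP RDATA algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_FPTYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def read_ssh_string(blob, offset=0):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack(">I", blob[offset:offset + 4])
    return blob[offset + 4:offset + 4 + n], offset + 4 + n


def parse_pubkey_line(line):
    """Split an OpenSSH public key line ("<type> <base64> [comment]") into
    (key type, raw key blob). The blob is what SSHFP fingerprints are taken over."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    embedded, _ = read_ssh_string(blob)
    if embedded != keytype.encode("ascii"):
        raise ValueError("key type field and blob disagree")
    if keytype not in SSHFP_ALGORITHMS:
        raise ValueError("no SSHFP algorithm number for " + keytype)
    return keytype, blob


def sshfp_records(hostname, pubkey_line, ttl=28800):
    """Build the SSHFP RRs (SHA-1 and SHA-256) for one host key as
    (owner, ttl, algorithm, fptype, uppercase hex fingerprint) tuples."""
    keytype, blob = parse_pubkey_line(pubkey_line)
    alg = SSHFP_ALGORITHMS[keytype]
    return [
        (hostname, ttl, alg, fptype, h(blob).hexdigest().upper())
        for fptype, h in sorted(SSHFP_FPTYPES.items())
    ]


def format_zone(records):
    """Render the records as zone-file lines (same content ssh-keygen -r prints)."""
    return "\n".join(
        f"{owner}. {ttl} IN SSHFP {alg} {fptype} {fp}"
        for owner, ttl, alg, fptype, fp in records
    )


def check_host_key(offered_pubkey_line, records, dnssec_validated):
    """Model the VerifyHostKeyDNS decision for the host key a server offered:
    'trusted'          - a record matches and the answer was DNSSEC-validated
    'matched-insecure' - a record matches but the answer was not validated
                         (ssh then falls back to its normal host-key prompt)
    'no-match'         - no published record matches this key."""
    keytype, blob = parse_pubkey_line(offered_pubkey_line)
    alg = SSHFP_ALGORITHMS[keytype]
    for _owner, _ttl, r_alg, r_fptype, r_fp in records:
        if r_alg != alg or r_fptype not in SSHFP_FPTYPES:
            continue
        if SSHFP_FPTYPES[r_fptype](blob).hexdigest().upper() == r_fp.upper():
            return "trusted" if dnssec_validated else "matched-insecure"
    return "no-match"


def constructed_ed25519_pubkey():
    """NOT a real key: a syntactically valid ssh-ed25519 public key line whose
    32 bytes of key material are a fixed pattern, so the example runs offline."""
    keytype = b"ssh-ed25519"
    material = bytes(range(32))
    blob = (struct.pack(">I", len(keytype)) + keytype
            + struct.pack(">I", len(material)) + material)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example.invalid"


if __name__ == "__main__":
    key = constructed_ed25519_pubkey()
    recs = sshfp_records("host.example.invalid", key)
    print(format_zone(recs))
    print(check_host_key(key, recs, dnssec_validated=True))
    print(check_host_key(key, recs, dnssec_validated=False))
```

On a real host the equivalent records come from `ssh-keygen -r host.example -f /etc/ssh/ssh_host_ed25519_key.pub`, and the client side is `VerifyHostKeyDNS yes` in ssh_config. The 'trusted' branch only happens when the stub resolver reports the answer as validated (AD flag), so the client needs a validating resolver it trusts on the path; without DNSSEC, anyone who can spoof DNS could just publish SSHFP records for their own key, which is why ssh will not auto-accept an unvalidated match.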
Good grief! Remember when DNS zone files used to be human readable?
                        28800   SSHFP   1 1 ( 8A3EB3D9F4CB786F55558A0EA3BAFF3D873E
                                              A3A2 )
                        28800   SSHFP   2 1 ( B3CD5BCD0375FD2C73EBBDA2A0E10DF77190
                                              78F8 )
                        28800   RRSIG   SSHFP 8 3 28800 20150204003423 (
                                        20150105003423 54618 joeyh.name.
                                        ReXDKsAVfYlUUQLnnymbKPlfgnpl/YvpZ2o+
                                        XUR26Z08Y8C6Nk2T50oatrqQ8sMaUWv4VOic
                                        onZMIdmrpjsB1ce2TNHVn0qQ3tGA8owNTb6d
                                        euyzqIFy9CKAqvp2enTkd8fxdibvDdrn/X7E
                                        L/h7AvAn/u35yTBtvkwsm+KJovlR3UeVoSak
                                        JGBCdd9TJErm2d2Ylq/NImL/IP6yPaYpCD+G
                                        pV2QTtbi6ig0vhNkvWoAHGHzDPtILHQncNJ/
                                        93VkWuZIsDFbwLCqiEr0xzLCzDOcx0jGi1fZ
                                        wI/e70lmUVP9nf9fJfcciGMJlQ5gRjoF9/el
                                        dPFakAacuzFm53Cilg== )
K2023PR4NPTQ6N9NFIQVIECJVM1TTFU7.joeyh.name. 28800 IN NSEC3 1 1 10 CFC2CABC10F038A5 ND61A8FETLC9T0M0PBS33PF27M9GQM8K A SSHFP RRSIG
                        28800   RRSIG   NSEC3 8 3 28800 20150204003423 (
                                        20150105003423 54618 joeyh.name.
                                        MDqXKaVVXAGbuNfibixYg1RRI/84kTpnKnnD
                                        3FTJCLBc8g4RGHTE/2wnHI8/o/QOpxNsmAIF
                                        3nKG3zmkNYi63lBygQEKaSsjyOsM8RlabLAQ
                                        Hakh/J+qtx46ILaL/pEnCESiQit51nFrlIfT
                                        kFaf7I4+x9cqVzCYcmBuZ9MMY+PDxx3vIpzh
                                        38p50HZXmhv5ptaBOhDoE2egTRipTL8IoEQY
                                        Zgubv2REnE+ptJJSP+47+4szYd7B+SG1WhXY
                                        l08EqvZb/oR1z+d1GkFZfFo6WIb4XYlt3mjI
                                        8QaQ1yXCMhRtV3RgRFUp1fEUyG1ZdP4ve6PU
                                        nHDyLAeCegIMG3sQ2Q== )
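The unreadable part of that dump is the NSEC3 chain, which is also what the periodic re-signing in the first post is about. As an added example (mine, not propellor's or joeyh's code), the following implements the RFC 5155 hashed-owner computation behind names like K2023PR4NPTQ6N9NFIQVIECJVM1TTFU7.joeyh.name. and shows why NSEC3 alone only slows zone walking: with the zone's published parameters (here 1 1 10 CFC2CABC10F038A5 = SHA-1, opt-out flag set, 10 extra iterations, the 8-byte salt shown above) an attacker can hash a wordlist offline and match it against the owner names they collect. The zone example.invalid and its hostnames are constructed; the demo assumes each re-sign uses a fresh salt, which the post does not state about forceZoneSigned, so it is an assumption, not a description of propellor's behaviour.

```python
import hashlib

# base32 with the "extended hex" alphabet (RFC 4648 section 7); NSEC3 uses it so
# hashed owner names sort in the same order as the raw digest bytes.
BASE32HEX_ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUV"


def name_to_wire(name):
    """Canonical wire form of a DNS name: lowercased labels, each length-prefixed,
    terminated by the zero-length root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def base32hex(data):
    """Unpadded base32hex; a 20-byte SHA-1 digest encodes to exactly 32 characters."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(BASE32HEX_ALPHABET[int(bits[i:i + 5], 2)]
                   for i in range(0, len(bits), 5))


def nsec3_hash(name, salt_hex, iterations, hash_alg=1):
    """RFC 5155 section 5: IH(salt, x, 0) = H(x || salt),
    IH(salt, x, k) = H(IH(salt, x, k-1) || salt); the record's iteration count
    is the number of *extra* rounds on top of the first hash."""
    if hash_alg != 1:
        raise ValueError("NSEC3 only defines hash algorithm 1 (SHA-1)")
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def hashed_owner(name, zone, salt_hex, iterations):
    """Owner name of the NSEC3 RR that covers `name` in `zone`."""
    return f"{nsec3_hash(name, salt_hex, iterations)}.{zone.rstrip('.')}."


def precompute_table(candidates, zone, salt_hex, iterations):
    """Attacker side: hash a wordlist of guessed hostnames under the zone's
    current NSEC3PARAM, mapping hashed owner -> guessed name."""
    return {
        nsec3_hash(f"{c}.{zone}", salt_hex, iterations): f"{c}.{zone.rstrip('.')}."
        for c in candidates
    }


def recover_names(table, observed_hashes):
    """Guessed names whose hash shows up among NSEC3 owner names seen in the zone."""
    return sorted(table[h.upper()] for h in observed_hashes if h.upper() in table)


if __name__ == "__main__":
    # Parameters copied from the NSEC3 record above; zone and names are constructed.
    salt, iters, zone = "CFC2CABC10F038A5", 10, "example.invalid"
    real_hosts = ["www", "mail", "kite"]
    seen = [nsec3_hash(f"{h}.{zone}", salt, iters) for h in real_hosts]
    table = precompute_table(["www", "mail", "ftp", "kite", "git"], zone, salt, iters)
    print("recovered with current salt:", recover_names(table, seen))
    # Re-sign with a fresh salt: every hashed owner changes and the old table is useless.
    seen_after = [nsec3_hash(f"{h}.{zone}", "0123456789ABCDEF", iters) for h in real_hosts]
    print("recovered after re-salting:", recover_names(table, seen_after))
```

Re-signing therefore helps only if it changes the NSEC3 parameters (in practice the salt): with a fixed salt the attacker hashes the wordlist once and keeps reusing it, and the iteration count only raises the per-guess cost for them and for every validating resolver alike.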