joeyh

dnssec

joeyh at

Added DNSSEC support to propellor and enabled it for joeyh.name. Seems to be working ok, but I think I'll wait a while before converting my other domains.

It took 122 lines of code to add this to propellor, so not exactly trivial. I did like the bit where I was able to add periodic resigning of the zone (to prevent zone-walking attacks) with just 1 more line of code:

forceZoneSigned domain zonefile `period` recurrance

Not that I actually care about zone-walking attacks for my domains; all their DNS configuration is public in propellor's config.hs anyway..

Olivier Mehani, Raúl Benencia, Evan Prodromou likes this.

Also added SSHFP support to propellor. Works beautifully -- configure ssh pubkey in one place and it's both deployed to the host's /etc/ssh and to the dns server's SSHFP records.

ssh can be configured to automatically accept SSHFP keys secured with DNSSEC -- no more "host key changed" messages.

joeyh at 2015-01-04T23:57:15Z

Olivier Mehani likes this.
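The "configure ssh pubkey in one place" step above is mechanical: an SSHFP record is just the key's algorithm number, a fingerprint type, and the hash of the raw (base64-decoded) key blob, so the same public key file can be deployed to /etc/ssh and turned into zone records (RFC 4255, with SHA-256 fingerprints from RFC 6594 and Ed25519 from RFC 7479). The following is an added example and is not propellor's code or joeyh's; it assumes a constructed ssh-ed25519 key line and the owner name host.example.net., neither of which appears in the post.

```python
"""Derive SSHFP resource records from OpenSSH host public keys.

Added example (not propellor's code). SSHFP RDATA is
<algorithm> <fp-type> <fingerprint>, where the fingerprint is a hash of the
raw key blob that ssh-keygen writes in base64 after the key type.
"""
import base64
import hashlib
import struct
from dataclasses import dataclass

# IANA SSHFP algorithm numbers, keyed by OpenSSH key type string.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# IANA SSHFP fingerprint types and the hash each one names.
FP_SHA1 = 1
FP_SHA256 = 2
_HASHES = {FP_SHA1: hashlib.sha1, FP_SHA256: hashlib.sha256}


@dataclass(frozen=True)
class SSHFPRecord:
    algorithm: int
    fp_type: int
    fingerprint: str  # lowercase hex, as it appears in the zone file

    def rdata(self) -> str:
        return f"{self.algorithm} {self.fp_type} {self.fingerprint}"


def parse_openssh_pubkey(line: str):
    """Return (keytype, blob) from an OpenSSH '<type> <base64> [comment]' line.

    The blob begins with a length-prefixed copy of the key type; if it does
    not match the text field, the line has been mangled or edited by hand.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, blob = fields[0], base64.b64decode(fields[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + n].decode("ascii")
    if embedded != keytype:
        raise ValueError(f"key type mismatch: {keytype!r} vs blob {embedded!r}")
    if keytype not in SSHFP_ALGORITHM:
        raise ValueError(f"no SSHFP algorithm number for {keytype!r}")
    return keytype, blob


def sshfp_records(pubkey_line: str, fp_types=(FP_SHA1, FP_SHA256)):
    """One SSHFPRecord per fingerprint type for the given public key line."""
    keytype, blob = parse_openssh_pubkey(pubkey_line)
    alg = SSHFP_ALGORITHM[keytype]
    return [SSHFPRecord(alg, t, _HASHES[t](blob).hexdigest()) for t in fp_types]


def zone_lines(owner: str, ttl: int, pubkey_lines):
    """Render zone-file lines for a host from its list of public key lines."""
    out = []
    for line in pubkey_lines:
        for rec in sshfp_records(line):
            out.append(f"{owner} {ttl} IN SSHFP {rec.rdata()}")
    return out


def verify_sshfp(pubkey_line: str, rec: SSHFPRecord) -> bool:
    """The client-side check: recompute the fingerprint of the host key the
    server presented and compare it with the (DNSSEC-validated) record."""
    keytype, blob = parse_openssh_pubkey(pubkey_line)
    if SSHFP_ALGORITHM[keytype] != rec.algorithm or rec.fp_type not in _HASHES:
        return False
    return _HASHES[rec.fp_type](blob).hexdigest() == rec.fingerprint


def sample_ed25519_pubkey() -> str:
    """CONSTRUCTED sample: a syntactically valid ssh-ed25519 public key line
    whose 32 bytes of key material are just 0x01..0x20 (not a real key)."""
    keytype = b"ssh-ed25519"
    material = bytes(range(1, 33))
    blob = (struct.pack(">I", len(keytype)) + keytype
            + struct.pack(">I", len(material)) + material)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " root@constructed-host"


if __name__ == "__main__":
    # Hypothetical owner name; the post only names joeyh.name itself.
    for zl in zone_lines("host.example.net.", 28800, [sample_ed25519_pubkey()]):
        print(zl)
```

The records quoted in the next comment use algorithm 1 (RSA) and 2 (DSA) with fingerprint type 1 (SHA-1); publishing type 2 (SHA-256) alongside costs one extra record per key. On the client, `VerifyHostKeyDNS yes` in ssh_config (or `ssh -o VerifyHostKeyDNS=yes`) makes OpenSSH perform the comparison that `verify_sshfp` models, and it only trusts the answer when the resolver reports it as DNSSEC-validated.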

Good grief! Remember when DNS zone files used to be human readable?

                        28800   SSHFP   1 1 (
                                        8A3EB3D9F4CB786F55558A0EA3BAFF3D873E
                                        A3A2 )
                        28800   SSHFP   2 1 (
                                        B3CD5BCD0375FD2C73EBBDA2A0E10DF77190
                                        78F8 )
                        28800   RRSIG   SSHFP 8 3 28800 20150204003423 (
                                        20150105003423 54618 joeyh.name.
                                        ReXDKsAVfYlUUQLnnymbKPlfgnpl/YvpZ2o+
                                        XUR26Z08Y8C6Nk2T50oatrqQ8sMaUWv4VOic
                                        onZMIdmrpjsB1ce2TNHVn0qQ3tGA8owNTb6d
                                        euyzqIFy9CKAqvp2enTkd8fxdibvDdrn/X7E
                                        L/h7AvAn/u35yTBtvkwsm+KJovlR3UeVoSak
                                        JGBCdd9TJErm2d2Ylq/NImL/IP6yPaYpCD+G
                                        pV2QTtbi6ig0vhNkvWoAHGHzDPtILHQncNJ/
                                        93VkWuZIsDFbwLCqiEr0xzLCzDOcx0jGi1fZ
                                        wI/e70lmUVP9nf9fJfcciGMJlQ5gRjoF9/el
                                        dPFakAacuzFm53Cilg== )
K2023PR4NPTQ6N9NFIQVIECJVM1TTFU7.joeyh.name. 28800 IN NSEC3 1 1 10 CFC2CABC10F038A5 ND61A8FETLC9T0M0PBS33PF27M9GQM8K A SSHFP RRSIG
                        28800   RRSIG   NSEC3 8 3 28800 20150204003423 (
                                        20150105003423 54618 joeyh.name.
                                        MDqXKaVVXAGbuNfibixYg1RRI/84kTpnKnnD
                                        3FTJCLBc8g4RGHTE/2wnHI8/o/QOpxNsmAIF
                                        3nKG3zmkNYi63lBygQEKaSsjyOsM8RlabLAQ
                                        Hakh/J+qtx46ILaL/pEnCESiQit51nFrlIfT
                                        kFaf7I4+x9cqVzCYcmBuZ9MMY+PDxx3vIpzh
                                        38p50HZXmhv5ptaBOhDoE2egTRipTL8IoEQY
                                        Zgubv2REnE+ptJJSP+47+4szYd7B+SG1WhXY
                                        l08EqvZb/oR1z+d1GkFZfFo6WIb4XYlt3mjI
                                        8QaQ1yXCMhRtV3RgRFUp1fEUyG1ZdP4ve6PU
                                        nHDyLAeCegIMG3sQ2Q== )

joeyh at 2015-01-05T01:39:11Z