On 29/05/12 08:36, Sebastian Castro wrote:
On 28/05/12 20:55, Craig Whitmore wrote:
It's a chicken-and-egg problem.
1. Why should I sign my domain if no one will be able to validate it?
2. Why should I enable a validating nameserver? It will cause more trouble, and no one will use it because there are few signed domains.
The short answer is to learn! In the same way you, Craig, have been exploring DNSSEC, signing your domains, and likely running a validating nameserver on your workstation. Yes, way to go - install the named caching name server on your workstation, and use the libnss-lwres stub resolver ("hosts files lwres" in /etc/nsswitch.conf) to bypass any problems with your libc resolver. You can then make ssh not ask questions about new host key fingerprints by turning on ValidateHostKeysDNS yes and setting up DNSSEC-signed SSHFP records (after disabling ecdsa host keys...).
Another trick is to set up IPSEC to use DNSSEC-signed public key certificates and do away with the need for CRL lists on your VPN servers! Works for racoon as far as I know... And then get the latest Google Chrome with the new HTTPS pubkey-in-DNSSEC thingy. Have a look at http://www.imperialviolet.org/2011/06/16/dnssecchrome.html
Cheers!
Matthew Grant
In the last few months, every time we had a meeting with an ISP, we mentioned: "We are going to sign the second level domains, we are implementing DNSSEC, you should try to run your own validating nameserver, even for a small controlled population". If Comcast could do it, why not a smaller ISP in NZ?
From an end-user perspective, you can try dnssec-trigger, or the browser-specific plug-ins that validate answers (such as http://www.dnssec-validator.cz/).
I'm wondering at this point how much help NZRS could provide towards that objective. Do geeks in NZ need more reading material? More testing environments? More meetings?
Cheers,
Craig Geek
_______________________________________________
NZNOG mailing list
NZNOG(a)list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog
--
Regards,
Matthew Grant | Systems Engineer
Phone: 0800 5000 24 | +64 3 962 9510
www.voyager.co.nz (Voice & Data) +64 9 444 4444
www.net24.co.nz (Hosting & Cloud) 0800 5000 24
www.1stdomains.co.nz (Domains & Email) +64 3 962 9520
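The SSHFP tip in Matthew's reply (publish DNSSEC-signed SSHFP records and let ssh check host keys against DNS; the ssh_config option is spelled VerifyHostKeyDNS) in working form, as an added example that is not from the thread or from any of the posters: it derives the SSHFP records for a host key and performs the fingerprint comparison the client makes. The sample key, the owner name host.example. and all function names are constructed for illustration.

```python
# Added example (not from the thread): build and check the SSHFP records
# that VerifyHostKeyDNS looks up, from an OpenSSH public host key line.
# Algorithm and fingerprint-type numbers follow RFC 4255, 6594 and 7479.
import base64, hashlib, struct

SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                   "ssh-ed25519": 4}
SSHFP_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}

def wire_string(b):
    return struct.pack(">I", len(b)) + b  # OpenSSH length-prefixed string

def parse_public_key(line):
    """Return (key_type, key_blob) from an authorized_keys-style line.
    The type is read from inside the blob so the text prefix cannot lie."""
    fields = line.split()
    blob = base64.b64decode(fields[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    inner_type = blob[4:4 + n].decode("ascii")
    if inner_type != fields[0]:
        raise ValueError("key type prefix does not match key blob")
    return inner_type, blob

def sshfp_records(owner, line, fptypes=(1, 2)):
    """Presentation-format records to publish (and DNSSEC-sign) in the zone."""
    key_type, blob = parse_public_key(line)
    alg = SSHFP_ALGORITHM[key_type]
    return ["%s IN SSHFP %d %d %s" % (owner, alg, fp, SSHFP_DIGEST[fp](blob).hexdigest())
            for fp in fptypes]

def matches_sshfp(line, rdata):
    """The comparison the ssh client makes; rdata is 'alg fptype hex'.
    It proves nothing unless the answer arrived DNSSEC-validated (AD bit)."""
    alg, fptype, fp_hex = rdata.split()
    key_type, blob = parse_public_key(line)
    digest = SSHFP_DIGEST.get(int(fptype))
    if digest is None or SSHFP_ALGORITHM[key_type] != int(alg):
        return False  # unknown fingerprint type or wrong algorithm: no match
    return digest(blob).hexdigest() == fp_hex.lower()

# Constructed sample host key (not a real host): Ed25519 type string plus
# 32 arbitrary bytes standing in for the public point, in OpenSSH wire format.
SAMPLE_KEY_LINE = "ssh-ed25519 %s constructed@example" % base64.b64encode(
    wire_string(b"ssh-ed25519") + wire_string(bytes(range(32)))).decode()

if __name__ == "__main__":
    for rr in sshfp_records("host.example.", SAMPLE_KEY_LINE):
        print(rr)
```

The same records come out of `ssh-keygen -r host.example. -f /etc/ssh/ssh_host_ed25519_key.pub`; the value of the check depends entirely on the zone being signed and the stub using a validating resolver, as the thread says.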