Yes, way to go - install a named caching name server on your workstation, and use the libnss-lwres stub resolver ("hosts: files lwres" in /etc/nsswitch.conf) to bypass any problems with your libc resolver. You can then make ssh not ask questions about new host key fingerprints by turning on ValidateHostKeysDNS yes and setting up DNSSEC signed SSHFP records (after disabling ecdsa host keys....)

On 28/05/12 20:55, Craig Whitmore wrote:

> It's a chicken-and-egg problem.
> 1. Why should I sign my domain if no one will be able to validate it?
> 2. Why should I enable a validating nameserver? It will cause more troubles, and no one will use it because there are few signed domains.

The short answer is to learn! In the same way you, Craig, have been exploring DNSSEC, signing your domains, and likely running a validating nameserver on your workstation.

http://www.imperialviolet.org/2011/06/16/dnssecchrome.html

Cheers!

In the last few months, every time we had a meeting with an ISP, we mentioned: "We are going to sign the second level domains, we are implementing DNSSEC, you should try to run your own validating nameserver, even for a small controlled population". If Comcast could do it, why not a smaller ISP in NZ?

From an end-user perspective, you can try dnssec-trigger, or the browser-specific plug-ins that validate answers (such as http://www.dnssec-validator.cz/).

I'm wondering at this point how much help NZRS could provide towards that objective. Do geeks in NZ need more reading material? More testing environments? More meetings?

Cheers,
Craig Geek
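As an added example (not code from the thread or from any of its posters), here is the record-generation step the first reply describes: an SSHFP record is the hash of a host's raw public key blob, published under the host's name and DNSSEC-signed, so that an OpenSSH client with `VerifyHostKeyDNS yes` (the option the reply calls ValidateHostKeysDNS) accepts a validated answer without prompting. The script builds such records with coreutils only, giving the same lines `ssh-keygen -r <host>` prints, and shows how to tell from a `dig` header whether the resolver actually validated the answer (the `ad` flag), which is what separates "no question asked" from "ssh still prompts". The host name, the key blob and the dig header lines are constructed samples, not real data.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds SSHFP records (RFC 4255;
# Ed25519 algorithm number from RFC 7479, SHA-256 fingerprint type from
# RFC 6594) from OpenSSH public-key lines using only coreutils, and checks
# a dig header for the "ad" (authenticated data) flag. The host name, key
# blob and dig header lines below are constructed samples.

# Map an OpenSSH key type to its SSHFP algorithm number.
sshfp_algo() {
  case "$1" in
    ssh-rsa) echo 1 ;;
    ssh-dss) echo 2 ;;
    ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) echo 3 ;;
    ssh-ed25519) echo 4 ;;
    *) return 1 ;;
  esac
}

# Hex digest of stdin for SSHFP fingerprint type $1 (1 = SHA-1, 2 = SHA-256).
# Prefers GNU sha*sum, falls back to the Perl shasum found on macOS/BSD.
digest_hex() {
  if [ "$1" = 1 ]; then tool=sha1sum; alt="shasum -a 1"
  elif [ "$1" = 2 ]; then tool=sha256sum; alt="shasum -a 256"
  else return 1
  fi
  { if command -v "$tool" >/dev/null 2>&1; then "$tool"; else $alt; fi; } | cut -d' ' -f1
}

# One SSHFP RR in zone-file form: "<owner> IN SSHFP <algo> <fptype> <hex>".
# $1 = owner name, $2 = fingerprint type, $3 = "keytype base64blob [comment]".
# The fingerprint covers the raw key blob (base64-decoded), not the text line.
sshfp_record() {
  owner=$1; fptype=$2
  keytype=$(printf '%s\n' "$3" | cut -d' ' -f1)
  blob=$(printf '%s\n' "$3" | cut -d' ' -f2)
  algo=$(sshfp_algo "$keytype") || return 1
  hex=$(printf '%s' "$blob" | base64 -d | digest_hex "$fptype")
  [ -n "$hex" ] || return 1
  printf '%s IN SSHFP %s %s %s\n' "$owner" "$algo" "$fptype" "$hex"
}

# True when a dig response header carries the "ad" flag, i.e. the resolver
# validated the answer with DNSSEC. Feed it the ";; flags:" line from
# `dig +dnssec <host> SSHFP`. Without "ad", VerifyHostKeyDNS cannot trust
# the record and ssh falls back to asking about the fingerprint.
has_ad_flag() {
  printf '%s\n' "$1" | grep -Eq '^;; flags:( [a-z]{2})* ad[ ;]'
}

# Constructed sample data (not a real key, not a real DNS answer).
SAMPLE_BLOB=$(printf 'constructed sample key blob, not a real key' | base64 | tr -d '\n')
SAMPLE_KEY="ssh-ed25519 $SAMPLE_BLOB root@host.example.net.nz"
DIG_VALIDATED=';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
DIG_UNVALIDATED=';; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

# Zone fragment: publish both fingerprint types, as ssh-keygen -r does.
for fptype in 1 2; do
  sshfp_record host.example.net.nz "$fptype" "$SAMPLE_KEY"
done

# Client side: with a validating resolver this accepts the host key silently.
printf '\n# ~/.ssh/config\nHost *.example.net.nz\n    VerifyHostKeyDNS yes\n'

if has_ad_flag "$DIG_VALIDATED"; then echo 'resolver validated: ad flag present'; fi
if has_ad_flag "$DIG_UNVALIDATED"; then :; else echo 'no ad flag: ssh would still prompt'; fi
```

The records only help once the zone is signed and the client's resolver validates: the `ad` check is the quickest way to confirm the second half before blaming the first. Because the fingerprint is taken over the decoded key blob, a record built this way matches what the ssh client computes from the key it receives in the handshake, which is why the two can be compared at all.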