On 29/05/12 08:36, Sebastian Castro wrote:
On 28/05/12 20:55, Craig Whitmore wrote:
It's a chicken-and-egg problem.

1. Why should I sign my domain if no one will be able to validate it?
2. Why should I enable a validating nameserver? It will cause more
troubles, and no one will use it because there are few signed domains

The short answer is to learn! In the same way you Craig have been
exploring DNSSEC, and signing your domains, and likely running a
validating nameserver on your workstation.
Yes, way to go - install named caching name server on your work station, and use libnss-lwres stub resolver ("hosts files lwres" in /etc/nsswitch.conf) to bypass any problems with your libc resolver.  You can then make ssh not ask questions about new host key fingerprints by turning on ValidateHostKeysDNS yes and setting up DNSSEC signed SSHFP records (after disabling ecdsa host keys....)

Another trick is to set up IPSEC to use DNSSEC signed public key certificates and do away with the need for CRL lists on your VPN servers!  Works for racoon as far as I know...

And then get latest Google Chrome with the new HTTPS pubkey in DNSSEC thingy. Have a look at
http://www.imperialviolet.org/2011/06/16/dnssecchrome.html
Cheers!

Matthew Grant
In the last few months, every time we had a meeting with an ISP, we
mentioned: "We are going to sign the second level domains, we are
implementing DNSSEC, you should try to run your own validating
nameserver, even for a small controlled population". If Comcast could do
it, why not a smaller ISP in NZ?

From an end-user perspective, you can try dnssec-trigger, or the
browser-specific plug-ins that validate answers (such as
http://www.dnssec-validator.cz/)

I'm wondering at this point how much help could NZRS provide towards
that objective. Do geeks in NZ need more reading material? More testing
environments? More meetings?

Cheers,

Craig
Geek

_______________________________________________
NZNOG mailing list
NZNOG@list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog



--
Regards,
Matthew Grant | Systems Engineer
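As an added example (not part of the thread), here is how an SSHFP record is derived from an OpenSSH host key, as used by the SSHFP-over-DNSSEC setup Matthew describes: the record is the algorithm code point, the fingerprint type, and a hash over the raw key blob. The Ed25519 key below is constructed in the script (not a real host key), and the record is only as trustworthy as the DNSSEC validation of the answer that carried it.

```python
import base64
import hashlib
import hmac
import struct

# Code points from RFC 4255 / RFC 6594 / RFC 7479.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_rdata(pubkey_line: str, fptype: int = 2) -> str:
    """Return SSHFP rdata ("alg fptype hex") for one OpenSSH public key line."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    # The wire blob starts with its own key-type string; it must match the label.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != keytype:
        raise ValueError("key type label does not match key blob")
    alg = SSHFP_ALGORITHM[keytype]          # KeyError for unknown key types
    digest = SSHFP_FPTYPE[fptype](blob).hexdigest()
    return f"{alg} {fptype} {digest}"


def sshfp_matches(pubkey_line: str, rdata: str) -> bool:
    """True if the host key agrees with one SSHFP record (alg, type and digest)."""
    alg, fptype, fp = rdata.split()
    try:
        expected = sshfp_rdata(pubkey_line, int(fptype))
    except (KeyError, ValueError):
        return False                        # unknown algorithm or fingerprint type
    return hmac.compare_digest(expected.lower(), f"{alg} {fptype} {fp}".lower())


def constructed_ed25519_line() -> str:
    """Constructed sample key (NOT a real host key): 32 predictable key bytes."""
    raw = bytes(range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    key = constructed_ed25519_line()
    print("IN SSHFP", sshfp_rdata(key))    # what you would publish, then DNSSEC-sign
```

The output for a real key should equal what `ssh-keygen -r <hostname>` emits for that key; ssh only skips the fingerprint prompt when the resolver returned the record as DNSSEC-validated.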