72 results for “pemensik”
-
@bagder I think #HappyEyeballs in curl should be mentioned. Very useful when IPv6 connectivity is lacking. HTTPS DNS record support is not in Wget, is it?
-
@michal I was irritated by the talk about #dnsmasq. Yes, Simon Kelley runs it on his old-school server. He is no youngster either. That it runs without the services of any corporation, including ours, is unusual these days. But it is not the case that he does it entirely alone. I have my own commits in Dnsmasq without having write access. There is a whole range of contributors; I am not the only one. And there are more of us who know and follow that code. That is shown, for example, by the dispute over a recently assigned CVE from people at Oracle. The conclusion was simply wrong.
-
@arichtman well yes. Then the problem is caused by the ndots:5 option in resolv.conf. Is it recommended by the Kubernetes documentation? Also, the .local domain is reserved for #mdns, including subdomains. It asks for more issues this way.
-
#avahi has one important limitation on multicast resolution. It expects that a host has only one important address per AF. At least that is what the simple protocol used by nss-mdns offers. It cannot send multiple addresses for a single name. That is often wrong. Is there a potential contributor able to design a fix for that? #mdns
-
@bagder quite interesting details about QUIC support. It affects DNS over QUIC as well, not only HTTP/3. At least unbound and bind9 are compiled with OpenSSL on Fedora. Unbound has recently added server support via #ngtcp2. But it gets weird and inappropriate, linking two different crypto stacks into a single binary. The reason is similar to curl: normal TLS from OpenSSL, QUIC via GnuTLS. If it should be enabled, then this way...
-
@jinna until you use some form of encrypted DNS, your ISP can read everything, no matter which server you choose. Use #DoT or #DoH or #DoQ. But in the free world you should order a new ISP contract, if possible. They may still know something, but at least they should not be able to tamper with responses. You also want #ECH enabled in your browser.
-
@letoams Similarly, one may publish #SSHFP records of #gitlab users. Both gitlab.isc.org and gitlab.nic.cz are on DNSSEC signed domains. Gitlab knows the SSH keys of its users, which are very often used. They could export them for outside verification; just some way of mapping an SSH key to a username is required. We have that concept for OPENPGPKEY and SMIMEA records. Would a new draft for SSHFP make sense too? Should it include the public key directly in a DNSKEY/KEY record?
-
@soatok @letoams For example, mastodns.net is a Fedi server on a #DNSSEC signed zone, with only algorithms 13 or 8 used. I see no weakness if they allowed publishing of keys, RFC 7929 style. But with #SSHFP RR digests, to prove my identity for git SSH-signed software, just like you have proposed. Just choose your TLD well and that's it. An append-only log is important to prove that no other CA made a cert for my name. But we have just one parent domain key in #DNS. Give it a chance, it is not so bad. 😀
-
@letoams @soatok Hmm, perhaps we could map SSH key identity to people in a very similar way to the OPENPGPKEY record in #DANE, but with #SSHFP instead. We could reuse the algorithm for owner name creation, just use a different record. But it does not match how I use my SSH keys. I have one per machine, not one per person. I think I do them the way I should, right?
-
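The mapping discussed in the three posts above, as an added illustration that is not the author's code and not any published standard: SSHFP RDATA (RFC 4255, SHA-256 over the OpenSSH public key blob) combined with the RFC 7929 owner-name hashing of a local-part. The `_sshfp` label and the Ed25519 key bytes are constructed placeholders for this example.

```python
import base64
import hashlib
import struct

# Algorithm and fingerprint-type numbers from RFC 4255 and the IANA SSHFP registry.
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
SSHFP_FPTYPE_SHA256 = 2


def sshfp_from_pubkey(authorized_key_line: str) -> str:
    """Build SSHFP presentation-format RDATA ('4 2 <hex>') from an OpenSSH public key line."""
    key_type, b64_blob = authorized_key_line.split()[:2]
    blob = base64.b64decode(b64_blob)
    # The wire blob starts with a length-prefixed key type string; it must agree with the text column.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len].decode() != key_type:
        raise ValueError("key type mismatch between text column and key blob")
    # The SSHFP fingerprint is the hash of the whole key blob (what ssh-keygen -r publishes).
    fingerprint = hashlib.sha256(blob).hexdigest()
    return f"{SSHFP_ALGORITHMS[key_type]} {SSHFP_FPTYPE_SHA256} {fingerprint}"


def sshfp_matches(authorized_key_line: str, rdata: str) -> bool:
    """Verifier side: does an offered public key match a (DNSSEC-validated) SSHFP record?"""
    return sshfp_from_pubkey(authorized_key_line) == rdata


def owner_name(local_part: str, domain: str, label: str = "_sshfp") -> str:
    """RFC 7929 owner-name construction reused for a hypothetical _sshfp label:
    SHA-256 of the local-part (UTF-8, taken as-is), truncated to 28 octets, lowercase hex."""
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}.{label}.{domain.rstrip('.')}."


def constructed_ed25519_line(seed: int = 7) -> str:
    """Constructed sample key (NOT a real key): 32 arbitrary bytes wrapped in an ssh-ed25519 blob."""
    raw = bytes((seed * i) % 256 for i in range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " alice@laptop"


if __name__ == "__main__":
    line = constructed_ed25519_line()
    print(owner_name("alice", "example.com"), "IN SSHFP", sshfp_from_pubkey(line))
```

A real deployment would publish one such record per key the user holds, which is exactly the one-key-per-machine point raised in the last post.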
I thought systemd-resolved was slowly improving. Well, I tested a fresh @fedora 41 with DNSSEC=yes on https://rootcanary.org/test.html. Too much red, too many failures. Not ready for SHA1 disabling in the same release. They should finally mark their #dnssec #validator as experimental. It clearly is not of #production #quality.
But it improved in other areas.
-
I had a presentation about registering #hostname on #ipv6, when #SLAAC is used. Is there any attempt to register name to local #dns server, when I am on IPv6 only network? I think dynamic update over TCP would be similar to #dhcp based registration Dnsmasq does automatically. Is there any system attempting it already?
-
@fedora @centos @almalinux @rockylinux The great thing is that F41 finally stopped blocking #dnssec validators. We had validation of gpg keys in dnf3. It finally works in a default installation, but it is not in #dnf5 anymore.
-
The Post-Quantum #poq #dnssec presentation at #ripe89 was great. But I do not understand the proposed Merkle Tree solution well. It is not clear how exactly the signature records should look. What structure would a validator need to create? Obviously it significantly reduces the size of common records. It does not reduce the DNSKEYs themselves, which is understandable. In the meantime, we should fix issues with broken middleboxes anyway. https://ripe89.ripe.net/archives/video/1436/
-
@nlnetlabs @fedora The first discovery is that we do not even have the #ngtcp2 library in Fedora yet. The openssl-quic man page says it can already provide a client connection API, but a server API is not yet available via #OpenSSL releases. There is an openssl+quic fork, which is unlikely to ever be in Fedora. We could end up with unbound linked to OpenSSL, but libngtcp2 linked to GnuTLS. Definitely not as straightforward as I had expected.
-
@letoams we have made the #unresolved package to clean up the mess, and even prevent the return of resolved. Yes, as soon as dnsconfd is mature enough, I plan to propose it as the default solution for Fedora and RHEL.
-
@letoams try installing the #unresolved package. It has a subpackage that does not let systemd-resolved in. I admit I have not tried it directly from anaconda.
-
@[email protected] @[email protected] @mypdns @Alonely0 @floppy_bv no, I mean #IXFR. That is incremental zone transfer. #Bind9 can do it; not sure #Unbound has that too. It allows receiving just the changes compared to the previous version, but needs a journal containing each change to be stored at both the primary and the secondary server. Using AXFR is similar to downloading a hosts file over HTTP. I think PiHole uses its own modified dnsmasq build, which provides web UI integration.