-
mjk
nuegia.net: > is dnssec required for that? no, I was still going on about onion domains, not Tor in general. With onions, the domain name is the public key _and_ the address, so no PKI _and_ no DNS
-
Menel
> You have investigated the possibility of using DNS Security [RFC4033] and DNS-Based Authentication of Named Entities (DANE) [RFC6698] to solve the problem. However, your customers and your operations team have told you that it will be several years before they will be able to deploy DNSSEC and DANE for all of your customers (because of tooling updates, slow deployment of DNSSEC at some top-level domains, etc.) Nicely written, any progress there in >7 years? 😄
-
moparisthebest
mjk, not strictly true. It's true for a domain like @hidden.onion, but not for, say, @jabber.org that has hidden.onion in the SRV records. Also, even in the first case you still need a cert to do SASL EXTERNAL, though any cert should do
-
mjk
moparisthebest, right
-
mimi89999
My registrar doesn't let me enable DNSSEC with external DNS servers. If I want DNSSEC, I must use their DNS servers 😞
-
Zash
Does it also cost 200% extra?
-
mimi89999
No. DNSSEC with their NS servers is default and free.
-
Zash
Wow, we're living in the future?
-
mimi89999
But they don't offer an API and records can only be changed from their web UI
-
mimi89999
That's why I switched to Cloudflare NS
-
Zash
I ended up switching to an obscure registrar and self-hosting the authoritative nameserver in order to use DNSSEC and use any record types I wanted without being limited to some web UI
-
mimi89999
I would have switched registrars, but I can't know if they support DNSSEC with *external* nameservers in advance.
-
Zash
Email and ask?
-
Zash
Also, email your TLD and ask if they support https://datatracker.ietf.org/doc/html/rfc8078
-
moparisthebest
> I ended up switching to an obscure registrar and self-hosting the authoritative nameserver in order to use DNSSEC and use any record types I wanted without being limited to some web UI
Same, though I use free secondaries; my master is hidden
-
moparisthebest
mimi89999: gandi.net is who I use, they *only* support DNSSEC if you use external nameservers...
-
mimi89999
😂
-
mathieui
moparisthebest: err, no?
-
mathieui
iirc you can get DNSSEC with the internal stuff nowadays
-
mathieui
Or can you...
-
moparisthebest
It's very possible they changed it...
-
mathieui
I know that when I started using dnssec 10 years ago you could not except by setting up your own DNS infrastructure and uploading ksk/zsk there
-
mathieui
(There = at gandi)
-
Zash
My original registrar still doesn't let you enable dnssec with external hosting, but now you can bypass them with CDS / RFC 8078 (depending on TLD). Hmmm.
-
moparisthebest
mathieui: yea that's how it was last I looked too
-
mathieui
moparisthebest: it seems like it works with their "LiveDNS" service now, but not their legacy servers
-
mathieui
(On top of the external way which still works)
-
moparisthebest
Nice! Truly is the future