XMPP Service Operators - 2022-07-17


  1. mjk

    nuegia.net: > is dnssec required for that? no, I was still going on about onion domains, not Tor in general. With onions, the domain name is the public key _and_ the address, so no PKI _and_ no DNS

  2. mjk

    nuegia.net: > is dnssec required for that? no, I was still going on about onion domains, not Tor in general. With onions, the domain name is the public key _and_ the address, so no PKI _and_ no DNS

  3. Menel

    > You have investigated the possibility of using DNS Security [RFC4033] and DNS-Based Authentication of Named Entities (DANE) [RFC6698] to solve the problem. However, your customers and your operations team have told you that it will be several years before they will be able to deploy DNSSEC and DANE for all of your customers (because of tooling updates, slow deployment of DNSSEC at some top-level domains, etc.)
    Nicely written, any progress there in >7 years? 😄

  4. moparisthebest

    mjk, not strictly true. It's true for a domain like @hidden.onion, but not for, say, @jabber.org that has hidden.onion in the SRV records. Also, even in the first case you still need a cert to do SASL EXTERNAL, though any cert should do.

  5. mjk

    moparisthebest, right

  6. mimi89999

    My registrar doesn't let me enable DNSSEC with external DNS servers. If I want DNSSEC, I must use their DNS servers 😞

  7. Zash

    Does it also cost 200% extra?

  8. mimi89999

    No. DNSSEC with their NS servers is default and free.

  9. Zash

    Wow, we're living in the future?

  10. mimi89999

    But they don't offer an API and records can only be changed from their web UI

  11. mimi89999

    That's why I switched to Cloudflare NS

  12. Zash

    I ended up switching to an obscure registrar and self-hosting the authoritative nameserver in order to use DNSSEC and use any record types I wanted without being limited to some web UI

  13. mimi89999

    I would have switched registrars, but I can't know if they support DNSSEC with *external* nameservers in advance.

  14. Zash

    Email and ask?

  15. Zash

    Also, email your TLD and ask if they support v

  16. Zash

    Also, email your TLD and ask if they support https://datatracker.ietf.org/doc/html/rfc8078

  17. moparisthebest

    > I ended up switching to an obscure registrar and self-hosting the authoritative nameserver in order to use DNSSEC and use any record types I wanted without being limited to some web UI
    Same, I use free secondaries though, my master is hidden

  18. moparisthebest

    mimi89999: gandi.net is who I use, they *only* support DNSSEC if you use external nameservers...

  19. mimi89999

    😂

  20. mathieui

    moparisthebest: err, no?

  21. mathieui

    iirc you can get DNSSEC with the internal stuff nowadays

  22. mathieui

    Or can you...

  23. moparisthebest

    It's very possible they changed it...

  24. mathieui

    I know that when I started using dnssec 10 years ago you could not except by setting up your own DNS infrastructure and uploading ksk/zsk there

  25. mathieui

    (There = at gandi)

  26. Zash

    My original registrar still doesn't let you enable dnssec with external hosting, but now you can bypass them with CDS / RFC 8078 (depending on TLD). Hmmm.

  27. moparisthebest

    mathieui: yea that's how it was last I looked too

  28. mathieui

    moparisthebest: it seems like it works with their "LiveDNS" service now, but not their legacy servers

  29. mathieui

    (On top of the external way which still works)

  30. moparisthebest

    Nice! Truly is the future