-
Ellenor Bjornsdottir
no. that's DNS in general. Authoritative DNS is the source of truth for a name in the DNS. With '.' being a DNS name, there is obviously a bootstrapping problem.
-
Ellenor Bjornsdottir
but an auth DNS doesn't care, it just serves the names it knows
-
agh
sagaracharya, and the remainder of authoritative DNS is recursive resolution. Recursive is the method that your browser will go through to get the translation of example.org. into a number it can use. Recursive because it starts at the . (also known as root). The root server will only supply a resolution for the next name down or below ., in this case, org. So the resolution has to start from . and be resolved to org, i.e. .org. Another auth DNS host will respond with example, thus completing the resolution and returning the result.
-
agh
sagaracharya, generally, you run separate auth and recursive DNS hosts for isolation/separation.
-
agh
Good practice is also to hide the master auth DNS host (called hidden master), in a private network or via an air gap; this host then updates auth DNS hosts on the public net to serve the records.
-
moparisthebest
Fully agree with that, except you can't do air gap with DNSSEC, and everyone who can should do DNSSEC
-
Ellenor Bjornsdottir
how not? only denials become impossible air-gapped
-
moparisthebest
You have to resign regularly
-
moparisthebest
So I said impossible and more accurately it could be described as "you are gonna forget and hose your domain"
-
Ellenor Bjornsdottir
what? how often do you really need to re-sign
-
moparisthebest
RRSIGs expire after... I can't check but iirc about every 2 weeks?
-
agh
> Fully agree with that except can't do air gap with dnssec and everyone who can should do dnssec
Yes you can, OpenDNSSEC and OpenHSM even support and recommend that.
-
agh
Oh wait
-
agh
Sorry, you are right
-
agh
Wait, it has been too long since I set up DNS, and I think you can air gap DNSSEC signers, OpenDNSSEC being one of them
-
agh
> So I said impossible and more accurately it could be described as "you are gonna forget and hose your domain"
That I bet is exactly what happens 100% of the time
-
agh
1 year, and once or twice a month respectively
-
moparisthebest
It's like manually renewing LE certs but more often; I can't speak for everyone but I'd 100% break my domains
-
agh
> Rrsigs expire after... I can't check but iirc about every 2 weeks?
Yeah, from memory OpenDNSSEC does every 2 weeks; it transfers via XFR, disk, or whatever the admin configures.
-
moparisthebest
And threat model... If someone owns my hidden DNS master they already have everything else, so...
-
agh
> It's like manually renewing LE certs but more often, I can't speak for everyone but I'd 100% break my domains
It can be automated, believe me. I once automated the whole thing with Bind 10 years ago; it was a nightmare. I then moved to Unbound, NSD, and OpenDNSSEC. I had OpenDNSSEC at home; it would update the auth DNS on the remote server via XFR over SSH.
-
agh
> And threat model... If someone owns my hidden DNS master they already have everything else so...
You are not meant to inform your kids of your hidden master either
-
Quinn64
I'm glad Njalla supports DNSSEC now
-
Trung
Here's my opinion on the subject of domain names…
1. DNS resolves to an IP: "I know a guy who knows a guy … who might know what you are looking for."
2. DNSSEC resolves to an IP in the hope that it is the correct IP: "I know a guy who has a certificate who knows a guy that has a certificate who might know what you are looking for."
The problem is not the certificate. It's the *guy*. In both systems, you will need human input, which is the main source of bugs. With DNSSEC, you will need even more human input than with the normal DNS system. (1.) the guy does less work and so fewer errors. (2.) the guy has to do more work, hence is very likely to make more errors. So if the goal is a nice memorable domain name to promote your brand, just do normal DNS. Data encryption technology such as OMEMO and PGP will hopefully secure communication. If you are aiming for the absolute minimum of error, I would say use .onion or Tor. A few commands and every route will be based on pure math. If you want both, then do both DNS and Tor 😁.
-
Quinn64
Onion services are incredibly easy to set up. I can't think of any reason not to have one for users that want that extra bit of privacy and/or security
-
fatoumata
onions have many non-privacy benefits: https://matt.traudt.xyz/posts/2022-11-09-tor-is-not-just-for-anonymity/
-
sagaracharya
agh: So to resolve the address of any site, one needs recursive DNS
-
sagaracharya
And for having a DNS service like freedns.afraid.org, one needs authoritative DNS
-
sagaracharya
?
-
sagaracharya
> > And threat model... If someone owns my hidden DNS master they already have everything else so...
> You are not meant to inform your kids on your hidden master either
Lol :P
-
sagaracharya
Also, my network is IPv6 only. Does an authoritative server even make sense? Or is it network type independent?
-
agh
> agh: So to resolve address of any site, one needs recursive DNS
Yep.
-
agh
> Also, my network is ipv6 only. Does authoritative server even make sense? Or is it network type independent?
DNS is for assigned name and IP number translation, so it is for IPv6 too.
-
Ellenor Bjornsdottir
DNS can work over carrier pigeon
-
agh
So DNS is for numbers to names, and names to numbers, as well as other neat tricks
-
Ellenor Bjornsdottir
DNS is a key-to-value store
-
agh
A distributed key/value store
-
sagaracharya
> > Also, my network is ipv6 only. Does authoritative server even make sense? Or is it network type independent?
> DNS is for assigned name and IP number translation, so it for IPv6 too.
Yes, I mean if I want to make this DNS resolution service public, can it work with an IPv6-only
-
sagaracharya
network?
-
Menel
It can, but many won't be able to reach you
-
Menel
Better invest a few ¥¢€$ more and have IPv4 and IPv6. Servers are still expected to have IPv4
-
moparisthebest
11 years since https://en.wikipedia.org/wiki/World_IPv6_Day_and_World_IPv6_Launch_Day; my ISP was a top sponsor. Since then they've rolled out and pulled back IPv6 support twice, currently still without it
-
Menel
I've got the strangest thing... My home is currently DS-Lite, but I can't reach IPv6-only servers. I have to WireGuard to my dual-stack server and that one can reach everything.
-
Menel
I mean, I don't even have a real IPv4, only IPv6, but can't reach IPv6 networks?
-
Quinn64
My area barely has IPv6. AT&T provides it and that's it. All the other ISPs in my area, including one that provides fibre, don't support IPv6
-
Menel
The USA has so many IPv4 addresses in contrast to the rest of the world, I think it will stay IPv4 the longest. The other regions just can't do real IPv4 anymore. That's why they are on DS-Lite now.
-
moparisthebest
Menel: the funny/sad thing is, since there are only like 3 ISPs in all of the USA, it should be pretty easy
-
moparisthebest
Not like 500 different ISPs need to collaborate
-
moparisthebest
I have IPv6 through https://tunnelbroker.net/
-
Menel
Really sad, true. It would be so easy to have real dual-stack in the USA... But any effort at all is too much for these companies, I guess.
-
Menel
So, long story short: apparently a lot of the USA people won't be able to connect to your server, sagaracharya. If it is only for you, IPv6 only might be just the right thing
-
Quinn64
I run my server behind Njalla's VPN, which gives it an IPv6 address, similar to mopar's tunnelbroker. Running an Onion Service would also give users a way around that limitation
-
Trung
Switching from IPv4 to IPv6 all depends on ISPs. If they really wanted to switch, they would hand out both when you sign the contract with them for a static IP. But to them that doesn't sound like profit, really, so… but a marketing campaign for IPv6 is nice 😁 brand promotion everywhere, why not
-
sagaracharya
Hello, folks. I just now hosted a DNS recursor server
-
sagaracharya
How do I broadcast it to the public?
-
sagaracharya
So how will the world use my recursive DNS server?
-
jonas’
Oh, the bots will find it soon enough to abuse it in reflected DDoS
-
sagaracharya
Will the bots abuse it, or will you, in the name of bots?
-
jonas’
what do you mean?
-
nuegia.net
I'm getting spammed with false positives from o.j.n.
-
jonas’
nuegia.net: could you forward some to the mail address on the website?
-
jonas’
I can only take a look tomorrow
-
nuegia.net
ok