-
nuegia.net
please don't use cloudflare.
-
nuegia.net
luca, ipv6 shouldn't be considered extra, rather bare minimum for any new network
-
nuegia.net
there aren't any more ipv4 addresses to go around and that resource was depleted a decade ago.
-
nuegia.net
even if your ISP doesn't support it you can get it via transition technologies
-
nuegia.net
however if your isp doesn't have IPv6 and you call their NOG and they say they have no ETA for IPv6 that's a huge red flag to switch ISPs
-
nuegia.net
regarding DNSSEC and tld support is there a list of TLDs which do or don't implement DNSSEC yet?
-
nuegia.net
it's good to know openfire doesn't implement DANE
-
nuegia.net
I would be willing to implement TLSA records for DANE as soon as everyone here says their server implements it.
-
nuegia.net
I do want to get away from certificate authorities as soon as practicable. Especially considering that nation-state level attack on jabber.ru not too long ago intercepting their IP
-
unix.dog
you can at least already put a TLSA record for your existing certificate from a CA
-
nuegia.net
regarding DNSSEC, I think my registrars support it, I just don't have it on for some domains because they required me to turn it off to be able to use third party authoritative servers
-
unix.dog
if you specify it by public key in the TLSA record then it should be another layer to prevent MITMs along with a CAA record
-
unix.dog
since you own the public-private keypair
-
nuegia.net
if anybody has a good guide to getting DNSSEC running with your own authoritative servers I would implement it, though it has to work with a hidden master and public secondaries. I don't want to expose my master server directly to the internet.
-
nuegia.net
there is one more barrier for me in that i'm waiting for my ISP to figure out how to stop dropping port 53
-
nuegia.net
which shouldn't be too much longer
-
unix.dog
with BIND there are some tools to sign a zone and then you just have to give some records to the registrar so it can delegate signing to your key
-
unix.dog
and since the signatures are just DNS records they should duplicate to backups fine
-
sezuan
snip
-
jonas’
nuegia.net, powerdns makes dnssec really easy with online signing, and it does support sending signed records over AXFR, so it should fulfill your requirements
-
nuegia.net
yeah, i was looking at that. can you tell me more about it?
-
jonas’
I suggest reading the documentation, because I don't have a lot of time to do pdns support right now and also this isn't the pdns support room :-)
-
jonas’
but basically you create a zone, set it to be dnssec-signed, and then pdns does the legwork.
-
jonas’
you still have to put the DS records somewhere at your registrar of course.
-
luca
> luca, ipv6 shouldn't be considered extra, rather bare minimum for any new network
IPv6 is extra. You can have a network working with IPv4 just fine right now. Sure, ideally everyone would have IPv6, but it's not always as easy as flipping a config value
-
jonas’
unfortunately, all of that is true, as much as I hate it to be true.
-
nuegia.net
no it's not. maybe if your isp is one of the incumbent providers who hoarded address space, but if you're not serviced by a megacarrier you're SOL if you want a fully working internet connection
-
nuegia.net
what smaller ISPs are doing is natting that nat
-
nuegia.net
to the point publicly facing interfaces have private addresses
-
nuegia.net
this breaks a lot of stuff
-
nuegia.net
this is not what the internet is
-
nuegia.net
the only thing this is suitable for is browsing facebook and consuming netflix, but not if you rely on realtime media calls.
-
nuegia.net
stop lying to yourselves
-
nuegia.net
and even then those customers can't use a lot of services, and if they can they have to regularly go through captcha hell because entire CITIES are running off a single publicly reachable legacy address
-
jonas’
I know the trade-offs and the difficulties, and there are still very relevant services you cannot reach over IPv6, while all the IPv4-hacks have decently-working workarounds (TURN for instance).
-
nuegia.net
Hell, I am literally paying for a VPS in a datacenter just to run a router with a wireguard tunnel to be reachable on the internet
-
nuegia.net
stop spreading misinformation that IPv4-only is OK
-
jonas’
nobody said that
-
nuegia.net
it's not and it's harming people. People in more rural areas especially
-
jonas’
what was said is that you "_can_ have a network working with IPv4 just fine"
-
nuegia.net
my problem is with your definition of 'working'.
-
luca
Do you know where I can read more about IPv4 only services impacting people in the real world? This is the first i've heard of this
-
nuegia.net
would you call paying for a telephone service that can only make outgoing calls 'working'? If not, then you can't really call not having a publicly routable address working.
-
nuegia.net
luca, not off the top of my head but i'll look tomorrow
-
ernst.on.tour
Internet isn't bare IPv4 *or* IPv6. You need both versions to give a working service to your customers. In Germany IPv6 is mostly spoken by mobile providers and cable, but IPv4 by DSL. You need DSL or Fibre with full Dualstack, not DualStack-Lite, to offer your service.
-
jonas’
[citation needed]
-
nuegia.net
ernst.on.tour, not necessarily anymore. there's transition technologies built into ipv6
-
jonas’
ernst.on.tour, I'm on VDSL with IPv6+IPv4 real dual stack, and have been since 2015 or so.
-
nuegia.net
there's a whole /96 set aside for nat64 so that ipv4 remains accessible to ipv6-only networks.
-
ernst.on.tour
Some VDSL-Providers offer IPv4 + v6, but not all. Plain DSL ("up to 16") is IPv4
-
nuegia.net
dualstack is only a stepping stone to ipv6-only. to really start enjoying the benefits of ipv6 though you have to finish your transition
-
nuegia.net
ernst.on.tour, I suspect the reasoning for that is because those networks are considered abandoned. the operators who run them are probably going to run the dslam until it blows up or the copper installed back in the 1950s fully corrodes away.
-
jonas’
that sounds about right.
-
nuegia.net
ie, not something you want to base new infrastructure off of
-
MSavoritias (fae,ve)
for context one of the biggest if not the biggest providers in finland also doesn't have ipv6 support at all
-
MSavoritias (fae,ve)
:/
-
MSavoritias (fae,ve)
and they have fiber
-
jonas’
but then again, IPv6 in the home network isn't just fairy dust either.
-
jonas’
my local services are all v4-only because writing firewall rules for home IPv6, where the prefix may change sometimes, is impossible.
-
nuegia.net
no it's not. firstly your prefix shouldn't constantly be changing, that's on your isp, they screwed up deployment. I suspect they brought in ipv4 assumptions and applied those to their ipv6 deployment. secondly you should be able to work around this with a zone based firewall.
-
ernst.on.tour
jonas’: How will you access IPv6-only services? Your ISP has to translate your v4 inside a v6
-
nuegia.net
ernst.on.tour, deploy ipv6
-
nuegia.net
there's not enough address space in v4 to fit v6 inside.
-
jonas’
nuegia.net, it is changing, deal with that.
-
jonas’
at the very least when losing power and reconnecting
-
jonas’
and having to rearchitect firewall rules in that case is Not Fun
-
nuegia.net
does your mac address change when you lose power too?
-
jonas’
ernst.on.tour, I have IPv6 at home, but it's not used for local services (such as the samba server or mpd)
-
jonas’
only for outbound traffic
-
ernst.on.tour
nuegia.net: ??? Deploy which v6? Jonas didn't get a v6, therefore his provider "must" offer nat64.
-
jonas’
NAT64 is for accessing IPv4 from IPv6, not the other way around.
-
jonas-l
> Some VDSL-Providers offer IPv4 + v6, but not all. Plain DSL ("up to 16") is IPv4
> ernst.on.tour, I suspect the reasoning for that is because those networks are considered abandoned. the operators who run them are probably going to run the dslam until it blows up or the copper installed back in the 1950s fully corrodes away.
1. up to 16 MBit offers have included dual stack in Germany for many years (this speed is not offered to new customers anymore)
2. in Germany the 16 MBit customers are migrated to VDSL with traffic shaping, but the line cards support traditional DSL too
-
nuegia.net
ernst.on.tour, I don't understand your question. nat64 can be implemented at the provider or the customer level.
-
ernst.on.tour
nuegia.net: Please implement it for my grandma or for the schoolfriends of my son/daughter, because their provider didn't do it.
-
nuegia.net
jonas’, does your mac address change on reset?
-
jonas’
nuegia.net, why does that matter?
-
jonas’
(and it might, #privacyExtensions)
-
nuegia.net
it could be why your addresses keep changing
-
jonas’
I said prefix
-
MSavoritias (fae,ve)
aren't mac addresses meaningless with ipv6 anyway?
-
jonas’
I know the difference :)
-
MSavoritias (fae,ve)
so the question about mac is moot
-
nuegia.net
MSavoritias (fae,ve), no
-
MSavoritias (fae,ve)
but ipv6 was supposed to replace the hack that mac addresses are
-
nuegia.net
jonas’, oh
-
MSavoritias (fae,ve)
idk if that has changed recently tho. i heard there is nat too in ipv6 now for some reason
-
nuegia.net
MSavoritias (fae,ve), i don't know where you're getting that
-
nuegia.net
MSavoritias (fae,ve), to provide compatibility with ipv4
-
nuegia.net
https://www.jool.mx/en/run-nat64.html
-
MSavoritias (fae,ve)
anyway i guess a bit offtopic
-
nuegia.net
> Tue Jul 9 01:43:47 2024 - jonas’: I said prefix
sorry, idk then, i think it's on your isp's end
-
nuegia.net
it sounds bizarre
-
Guus
Why must the tone here be so combative? It takes away from any sensible discussion that's to be had on otherwise interesting subjects.
-
nuegia.net
Hey Guus, I agree. I sensed it too. If there's anything I could have done better please tell me via private message.
-
jonas-l
>> Tue Jul 9 01:43:47 2024 - jonas’: I said prefix
> sorry, idk then, i think it's on your isp's end
The providers rotate the ipv6 prefixes like ipv4 addresses for consumers; if you pay more then you can get a static one
-
luca
On an unrelated topic, has anyone managed to set up the frontend https://prose.org/ on an existing XMPP server?
-
luca
I've given it a shot myself, but got some crypting error, so I wanted to ask first if it's possible or if I _have_ to use their fork of prosody
-
MattJ
You should probably be asking them
-
luca
They don't have an XMPP room as far as I can tell :P
-
Kris
They have and I got it working with my ejabberd server
-
MattJ
That still doesn't make this the right place :)
-
luca
Ok, thanks Kris!
-
ukko
another openssh rce https://lwn.net/Articles/981287/#Comments https://lwn.net/ml/all/20240708162106.GA4920@openwall.com/
-
jonas’
only on RHEL and only in the unprivileged child, FWIW
-
jonas’
see also https://security-tracker.debian.org/tracker/CVE-2024-6409
-
moparisthebest
> I would be willing to implement TLSA records for DANE as soon as everyone here says their server implements it.
nuegia.net: why wait? You can do it now and get immediate benefits without waiting for anything or losing any compatibility
-
unix.dog
^ beyond figuring out how to enable DNSSEC with your authoritative nameservers
-
moparisthebest
Mainly saying waiting for everyone else is silly and not needed, it's not breaking in any way, so just do it. If everyone waits for everyone else it'll never happen. (:
-
nuegia.net
I don't really think it's worth the effort until servers start actually implementing it and will use it.
-
nuegia.net
once a majority of servers implement it, then i'll do it.
-
nuegia.net
otherwise what benefits are there?
-
moparisthebest
nuegia.net: more security when connecting between servers that have implemented it, with no downsides
-
moparisthebest
Also more security for clients connecting to your server
-
Polarian
_if the client supports DANE_
-
Polarian
which iirc, very few do
-
Polarian
I believe cheogram does and monocles does... I am not sure about blabber/conversations and I don't know if gajim or dino does... I am going to go with they don't
-
unix.dog
does ejabberd support DANE by default? I haven't seen the option
-
moparisthebest
Again, whether ejabberd supports validating DANE when connecting with other servers has nothing to do with the fact you can add TLSA records for your ejabberd servers for other clients and servers to use when connecting to it
-
unix.dog
yeah but I am curious because I do want to enable it
-
moparisthebest
A quick search doesn't find anything, ask in ejabberd room I guess