XMPP Service Operators - 2024-07-09


  1. nuegia.net

    please don't use cloudflare.

  2. nuegia.net

    luca, ipv6 shouldn't be considered extra, rather bare minimum for any new network

  3. nuegia.net

    there aren't any more ipv4 addresses to go around and that resource was depleted a decade ago.

  4. nuegia.net

    even if your ISP doesn't support it you can get it via transition technologies

  5. nuegia.net

    however if your isp doesn't have IPv6 and you call their NOG and they say they have no ETA for IPv6 that's a huge red flag to switch ISPs

  6. nuegia.net

    regarding DNSSEC and tld support is there a list of TLDs which do or don't implement DNSSEC yet?

  7. nuegia.net

    it's good to know openfire doesn't implement DANE

  8. nuegia.net

    I would be willing to implement TLSA records for DANE as soon as everyone here says their server implements it.

  9. nuegia.net

    I do want to get away from certificate authorities as soon as practicable. Especially considering that nationstate level attack on jabber.ru not too long ago intercepting their IP

  10. unix.dog

    you can at least already put a TLSA record for your existing certificate from a CA

  11. nuegia.net

    regarding DNSSEC, I think my registrars support it I just don't have it on for some domains because they required me to turn it off to be able to use third party authoritative servers

  12. unix.dog

    if you specify it by public key in the TLSA record then it should be another layer to prevent MITMs along with a CAA record

  13. unix.dog

    since you own the public-private keypair

  14. nuegia.net

    if anybody has a good guide to getting DNSSEC running with your own authoritative servers I would implement it, though it has to work with a hidden master and public secondaries. I don't want to expose my master server directly to the internet.

  15. nuegia.net

    there is one more barrier for me in that i'm waiting for my ISP to figure out how to stop dropping port 53

  16. nuegia.net

    which shouldn't be too much longer

  17. unix.dog

    with BIND there are some tools to sign a zone and then you just have to give some records to the registrar so it can delegate signing to your key

  18. unix.dog

    and since the signatures are just DNS records they should duplicate to backups fine

  19. sezuan

    Tlsa letsencrypt

  20. sezuan

    snip

  21. jonas’

    nuegia.net, powerdns makes dnssec really easy with online signing, and it does support sending signed records over AXFR, so it should fulfill your requirements

  22. nuegia.net

    yeah, i was looking at that. can you tell me more about it?

  23. jonas’

    I suggest reading the documentation, because I don't have a lot of time to do pdns support right now and also this isn't the pdns support room :-)

  24. jonas’

    but basically you create a zone, set it to be dnssec-signed, and then pdns does the legwork.

  25. jonas’

    you still have to put the DS records somewhere at your registrar of course.

  26. luca

    > luca, ipv6 shouldn't be considered extra, rather bare minimum for any new network

    IPv6 is extra. You can have a network working with IPv4 just fine right now. Sure ideally everyone would have IPv6, but it's not always as easy as flipping a config value

  27. jonas’

    unfortunately, all of that is true, as much as I hate it to be true.

  28. nuegia.net

    no it's not. maybe if your isp is one of the incumbent providers who hoarded address space but if you're not serviced by a megacarrier you're SOL if you want a fully working internet connection

  29. nuegia.net

    what smaller ISPs are doing is natting that nat

  30. nuegia.net

    to the point publicly facing interfaces have private addresses

  31. nuegia.net

    this breaks a lot of stuff

  32. nuegia.net

    this is not what the internet is

  33. nuegia.net

    the only thing this is suitable for is browsing facebook and consuming netflix, but not if you rely on realtime media calls.

  34. nuegia.net

    stop lying to yourselves

  35. jonas’

    I know the trade-offs and the difficulties, and there are still very relevant services you cannot reach over IPv4, while all the IPv4-hacks have decently-working workarounds (TURN for instance).

  36. nuegia.net

    and even then those customers can't use a lot of services, and if they can they have to regularly go through captcha hell because entire CITIES are running off a single publicly reachable legacy address

  37. jonas’

    I know the trade-offs and the difficulties, and there are still very relevant services you cannot reach over IPv6, while all the IPv4-hacks have decently-working workarounds (TURN for instance).

  38. nuegia.net

    Hell, I am literally paying for a VPS in a datacenter just to run a router with a wireguard tunnel to be reachable on the internet

  39. nuegia.net

    stop spreading misinformation that IPv4-only is OK

  40. jonas’

    nobody said that

  41. nuegia.net

    it's not and it's harming people. People in more rural areas especially

  42. jonas’

    what was said is that you "_can_ have a network working with IPv4 just fine"

  43. nuegia.net

    my problem is with your definition of 'working'.

  44. luca

    Do you know where I can read more about IPv4 only services impacting people in the real world? This is the first i've heard of this

  45. nuegia.net

    would you call paying for a telephone service that can only make outgoing calls 'working'? If not then you can't really call not having a publicly routable address working.

  46. nuegia.net

    luca, not off the top of my head but i'll look tomorrow

  47. ernst.on.tour

    Internet isn't bare IPv4 *or* IPv6. You need both versions to give a working service to your customers. In Germany IPv6 is mostly spoken by mobile providers and cable, but IPv4 by DSL. You need DSL or Fibre with full Dualstack not DualStack-Lite to offer your service.

  48. jonas’

    [citation needed]

  49. nuegia.net

    ernst.on.tour, not necessarily anymore. there's transition technologies built into ipv6

  50. jonas’

    ernst.on.tour, I'm on VDSL with IPv6, and have been since 2015 or so.

  51. jonas’

    ernst.on.tour, I'm on VDSL with IPv6+IPv4 real dual stack, and have been since 2015 or so.

  52. nuegia.net

    there's a whole /96 set aside for nat64 so that ipv4 remains accessible to ipv6 only networks.

  53. ernst.on.tour

    Some VDSL-Providers offer IPv4 + v6, but not all. Plain DSL ("up to 16") is IPv4

  54. nuegia.net

    dualstack is only a stepping stone to ipv6-only. to really start enjoying the benefits of ipv6 though you have to finish your transition

  55. nuegia.net

    ernst.on.tour, I suspect the reasoning for that is because those networks are considered abandoned. the operators who run them are probably going to run the dslam until it blows up or the copper installed back in the 1950s fully corrodes away.

  56. jonas’

    that sounds about right.

  57. nuegia.net

    ie, not something you want to base new infrastructure off of

  58. MSavoritias (fae,ve)

    for context one of the biggest if not the biggest providers in finland also doesn't have ipv6 support at all

  59. MSavoritias (fae,ve)

    :/

  60. MSavoritias (fae,ve)

    and they have fiber

  61. jonas’

    but then again, IPv6 in the home network isn't just fairy dust either.

  62. jonas’

    my local services are all v4-only because writing firewall rules for home IPv6, where the prefix may change sometimes, is impossible.

  63. nuegia.net

    no it's not. firstly your prefix should constantly be changing that's on your isp they screwed up deployment. I suspect they brought in ipv4 assumptions and applied those to their ipv6 deployment. secondly you should be able to work around this with a zone based firewall.

  64. nuegia.net

    no it's not. firstly your prefix shouldn't constantly be changing that's on your isp they screwed up deployment. I suspect they brought in ipv4 assumptions and applied those to their ipv6 deployment. secondly you should be able to work around this with a zone based firewall.

  65. ernst.on.tour

    jonas’: How will you access IPv6-only services? Your ISP has to translate your v4 inside a v6

  66. nuegia.net

    ernst.on.tour, deploy ipv6

  67. nuegia.net

    there's not enough address space in v4 to fit v6 inside.

  68. jonas’

    nuegia.net, it is changing, deal with that.

  69. jonas’

    at the very least when losing power and reconnecting

  70. jonas’

    and having to rearchitect firewall rules in that case is Not Fun

  71. nuegia.net

    does your mac address change when you lose power too?

  72. jonas’

    ernst.on.tour, I have IPv6 at home, but it's not used for local services (such as the samba server or mpd)

  73. jonas’

    only for outbound traffic

  74. ernst.on.tour

    nuegia.net: ??? Deploy which v6? Jonas didn't get a v6, therefore his provider "must" offer nat64.

  75. jonas’

    NAT64 is for accessing IPv4 from IPv6, not the other way around.

  76. jonas-l

    > Some VDSL-Providers offer IPv4 + v6, but not all. Plain DSL ("up to 16") is IPv4
    > ernst.on.tour, I suspect the reasoning for that is because those networks are considered abandoned. the operators who run them are probably going to run the dslam until it blows up or the copper installed back in the 1950s fully corrodes away.

    1. up to 16 MBit offers contain dual stack in Germany since many years (this speed is not offered to new customers anymore)
    2. in Germany the 16 MBit customers are migrated to VDSL with traffic shaping but the line cards support traditional DSL too

  77. nuegia.net

    ernst.on.tour, I don't understand your question. nat64 can be implemented at the provider or the customer level.

  78. ernst.on.tour

    nuegia.net: Please implement it for my grandma or for the schoolfriends of my son/daughter, because their provider didn't do it.

  79. nuegia.net

    jonas’, does your mac address change on reset?

  80. jonas’

    nuegia.net, why does that matter?

  81. jonas’

    (and it might, #privacyExtensions)

  82. nuegia.net

    it could be why your addresses keep changing

  83. jonas’

    I said prefix

  84. MSavoritias (fae,ve)

    isn't mac addresses meaningless with ipv6 anyway?

  85. jonas’

    I know the difference :)

  86. MSavoritias (fae,ve)

    so the question about mac is moot

  87. nuegia.net

    MSavoritias (fae,ve), no

  88. MSavoritias (fae,ve)

    but ipv6 was supposed to replace the hack that mac addresses are

  89. nuegia.net

    jonas’, oh

  90. MSavoritias (fae,ve)

    idk if that has changed recently tho. i heard there is nat too in ipv6 now for some reason

  91. nuegia.net

    MSavoritias (fae,ve), i don't know where you're getting that

  92. nuegia.net

    MSavoritias (fae,ve), to provide compatibility with ipv

  93. nuegia.net

    4

  94. nuegia.net

    https://www.jool.mx/en/run-nat64.html

  95. MSavoritias (fae,ve)

    anyway i guess a bit offtopic

  96. nuegia.net

    > Tue Jul 9 01:43:47 2024 - jonas’: I said prefix

    sorry, idk then i think it's on your isp's end

  97. nuegia.net

    it sounds bizarre

  98. Guus

    Why must the tone here be so combative? It takes away from any sensible discussion that's to be had on otherwise interesting subjects.

  99. nuegia.net

    Hey Guus, I agree. I sensed it too. If there's anything I could have done better please tell me via private message.

  100. jonas-l

    > > Tue Jul 9 01:43:47 2024 - jonas’: I said prefix
    > sorry, idk then i think it's on your isp's end

    The providers rotate the ipv6 prefixes like ipv4 addresses for consumers; if you pay more then you can get a static one

  101. luca

    On an unrelated topic, has anyone managed to set up the frontend https://prose.org/ on an existing XMPP server?

  102. luca

    I've given it a shot myself, but got some crypting error, so I wanted to ask first if it's possible or if I _have_ to use their fork of prosody

  103. MattJ

    You should probably be asking them

  104. luca

    They don't have an XMPP room as far as I can tell :P

  105. Kris

    They have and I got it working with my ejabberd server

  106. MattJ

    That still doesn't make this the right place :)

  107. luca

    Ok, thanks Kris!

  108. ukko

    another openssh rce https://lwn.net/Articles/981287/#Comments https://lwn.net/ml/all/20240708162106.GA4920@openwall.com/

  109. jonas’

    only on RHEL and only in the unprivileged child, FWIW

  110. jonas’

    see also https://security-tracker.debian.org/tracker/CVE-2024-6409

  111. moparisthebest

    > I would be willing to implement TLSA records for DANE as soon as everyone here says their server implements it.

    nuegia.net: why wait? You can do it now and get immediate benefits without waiting for anything or losing any compatibility

  112. unix.dog

    ^ beyond figuring out how to enable DNSSEC with your authoritative nameservers

  113. moparisthebest

    Mainly saying waiting for everyone else is silly and not needed, it's not breaking in any way, so just do it. If everyone waits for everyone else it'll never happen. (:

  114. nuegia.net

    I don't really think it's worth the effort until servers start actually implementing it and will use it.

  115. nuegia.net

    once a majority of servers implement it, then i'll do it.

  116. nuegia.net

    otherwise what benefits are there?

  117. moparisthebest

    nuegia.net: more security when connecting between servers who have implemented it, with no downsides

  118. moparisthebest

    Also more security for clients connecting to your server

  119. Polarian

    _if the client supports DANE_

  120. Polarian

    which iirc, very few do

  121. Polarian

    I believe cheogram does and monocles does... I am not sure about blabber/conversations and I don't know if gajim or dino does... I am going to go with they don't

  122. unix.dog

    does ejabberd support DANE by default? I haven't seen the option

  123. moparisthebest

    Again whether ejabberd supports validating DANE when connecting with other servers has nothing to do with the fact you can add TLSA records for your ejabberd servers for other clients and servers to use connecting to it

  124. unix.dog

    yeah but I am curious because I do want to enable it

  125. moparisthebest

    A quick search doesn't find anything, ask in ejabberd room I guess