Post AYFYIRAuFvCP5ltJOC by portaloffreedom@social.linux.pizza
 (DIR) Post #9jN3uSxeuMTmERl3nU by selea@social.linux.pizza
       2019-05-31T13:39:10Z
       
       0 likes, 4 repeats
       
       ICANN recently started to recommend all domains to deploy DNSSEC as a consequence after the first successful attack against a non-signed domain. Please enable DNSSEC on your domain in order to protect your users. #mastoadmin #dns #dnssec #infosec https://www.icann.org/news/announcement-2019-02-22-en
       
 (DIR) Post #9jNAWtC0QbWWJgAowy by sillystring@infosec.exchange
       2019-05-31T14:53:19Z
       
       0 likes, 0 repeats
       
       @selea Enable #DNSSEC. Please listen to this man.
       
 (DIR) Post #9jNAsfhDHydIpP9o1I by sillystring@infosec.exchange
       2019-05-31T14:57:16Z
       
       0 likes, 0 repeats
       
       @selea Enable #DNSSEC. Please listen to this man. #infoSec https://dnssec-analyzer.verisignlabs.com/
       
 (DIR) Post #9jNYofHHIfQlGweGVU by tursiops@tooting.ch
       2019-05-31T19:25:26Z
       
       0 likes, 0 repeats
       
       @selea already done since day 0
       
 (DIR) Post #9jNf3rEpiFQ6R68HZ2 by selea@social.linux.pizza
       2019-05-31T20:35:28Z
       
       0 likes, 0 repeats
       
       @tursiops Good :) Sadly just a small minority of instances has that enabled though :(
       
 (DIR) Post #9jSa4pcXBaDDjdXrhw by inditoot@inditoot.com
       2019-06-03T05:33:11Z
       
       0 likes, 0 repeats
       
       @selea Enabled from day one
       
 (DIR) Post #9jSa8mX0c4MpJRqPbs by inditoot@inditoot.com
       2019-06-03T05:33:54Z
       
       0 likes, 0 repeats
       
       @selea @tursiops Ask Gargron to add this in His Docs maybe that can increase its usage
       
 (DIR) Post #9jSsUyrtDxLB7WLWS0 by tursiops@tooting.ch
       2019-06-03T08:59:35Z
       
       0 likes, 0 repeats
       
       @inditoot @selea @Gargron asking him :)
       
 (DIR) Post #9jUhkuqXEbYC6I1oSO by wowaname@anime.website
       2019-06-04T06:08:15.192087Z
       
       0 likes, 0 repeats
       
       @selea i still hear a lot of mixed opinions about dnssec. ive considered it for a while but many people i talk to, many people i read online, they have said it's too complex and it relies on inferior crypto. please correct me if im wrong
       
 (DIR) Post #9jUhlFOEr0OTobx0lc by wowaname@anime.website
       2019-06-04T06:08:43.249681Z
       
       0 likes, 0 repeats
       
       @selea RTing to hopefully get more people involved in the discussion
       
 (DIR) Post #9jUneANTgsAFy4bNDc by Wolf480pl@niu.moe
       2019-06-04T07:14:39Z
       
       2 likes, 1 repeats
       
       @wowaname @selea Judging by [1], there are a lot of good ciphersuites supported. That default SHA1 is kinda a shame though. I wonder how well the newer ciphersuites are supported by implementations, and how widely they're deployed. But the good thing about DNSSEC (unlike CAs) is that you only need the path from the root to your domain to be secure, it doesn't matter if some random TLD that you don't use has weak keys or accidentally posts their private key on FB.
       [1]: https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions#Algorithms
       
 (DIR) Post #9jUoNAQSMIJf9FS9D6 by matrix@gameliberty.club
       2019-06-04T07:22:48Z
       
       0 likes, 0 repeats
       
       @selea My TLD sadly doesn't support it
       
 (DIR) Post #9jUoWZD9Zn5EcoiFuq by selea@social.linux.pizza
       2019-06-04T07:24:29Z
       
       0 likes, 0 repeats
       
       @matrix It actually does, but your registrar probably sucks
       
 (DIR) Post #9jUoXeEYO70uUYsots by selea@social.linux.pizza
       2019-06-04T07:24:42Z
       
       0 likes, 0 repeats
       
       @matrix Actually, gameliberty.club is DNSSEC signed already
       
 (DIR) Post #9jUsuVnGKlssnBH9xA by Wolf480pl@niu.moe
       2019-06-04T08:13:36Z
       
       1 likes, 1 repeats
       
       @wowaname @selea Hm... The ICANN article OP linked points to [krebs] which describes the attack in a vague way. It claims DNSSEC would've helped, but it didn't seem consistent with the described method of attack. So I checked [fireeye] which Krebs linked to, and AFAIK DNSSEC wouldn't prevent the attacks described there.
       [krebs]: https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/
       [fireeye]: https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html
       
 (DIR) Post #9jUtGQrVLlltrsiEk4 by Wolf480pl@niu.moe
       2019-06-04T08:17:34Z
       
       1 likes, 0 repeats
       
       @wowaname @selea Both techniques rely on the attacker having access to your domain registrar's admin panel, and changing the records the same way a legitimate user would do. The first one is about changing an A record. If the domain has DNSSEC enabled, the registrar will sign the new A record the same way it signed the old one, and any validating clients will think it's a legit record.
       
 (DIR) Post #9jUtOnyXIamDryzgG0 by Wolf480pl@niu.moe
       2019-06-04T08:19:04Z
       
       1 likes, 0 repeats
       
       @wowaname @selea The second technique is about changing the NS record, so that the zone is delegated to the attacker's server instead of the victim's server. But if you can change NS, you can also change DS, which holds the DNSSEC public key used to verify the delegated zone. So you can put your own key in the DS record, and sign the zone with your own key, and everyone will think it's legit.
       
 (DIR) Post #9jUtZiZRjXy8IDShdo by Wolf480pl@niu.moe
       2019-06-04T08:21:05Z
       
       1 likes, 0 repeats
       
       @wowaname @selea To sum up: if the attackers can log in as you to your registrar's admin panel, or pwn your registrar, or pwn the registry, then it's already too late.
       
 (DIR) Post #9jUvwP90KJuKby2Vd2 by wowaname@anime.website
       2019-06-04T08:47:31.804404Z
       
       0 likes, 0 repeats
       
       @Wolf480pl @selea so in essence, protect your account and nameserver, and choose a competent registrar? no need for dnssec?
       
 (DIR) Post #9jUwJqUAq1Bk4O7Qqu by matrix@gameliberty.club
       2019-06-04T08:51:51Z
       
       0 likes, 0 repeats
       
       @selea Hmm. That must be new or I must have overlooked something.
       
 (DIR) Post #9jUwSlutCA8oVNs4lk by Wolf480pl@niu.moe
       2019-06-04T08:53:23Z
       
       1 likes, 0 repeats
       
       @wowaname @selea at least against this attack. DNSSEC can protect you against downstream DNS hijacking, eg. by an evil ISP, a pwned smart TV doing ARP spoofing, a random raspi sneaked into your network closet, or any other case where the attacker is between you and the authoritative domain server. Saying "no need for DNSSEC" here is like saying "no need for HTTPS because they can pwn your webserver".
       
 (DIR) Post #9jUwVcmVcFbl2eJNmS by Wolf480pl@niu.moe
       2019-06-04T08:53:58Z
       
       1 likes, 0 repeats
       
       @wowaname @selea I'm actually curious how those attackers got access to the registrar in the first place.
       
 (DIR) Post #9jUweBjLYnabkbur4a by wowaname@anime.website
       2019-06-04T08:55:29.417494Z
       
       0 likes, 0 repeats
       
       @Wolf480pl @selea to be fair, tls incidentally provides a defence against dns attacks
       
 (DIR) Post #9jUwwf37IAk5tUyJM0 by Wolf480pl@niu.moe
       2019-06-04T08:58:48Z
       
       1 likes, 0 repeats
       
       @wowaname @selea Unless they get a cert from letsencrypt (which they did in this case).... But then, accessing your registrar panel through TLS protects the password to log in to that panel, and attackers not having that password prevents the dns attack from happening in the first place... unless they had other ways. Like, I'm really curious how the attackers got that access in the DNSpionage incident.
       
 (DIR) Post #9jUx20vTNltfBvwtX6 by wowaname@anime.website
       2019-06-04T08:59:50.499539Z
       
       0 likes, 0 repeats
       
       @Wolf480pl @selea
       > Unless they get a cert from letsencrypt (which they did in this case)....
       you misunderstand, im talking about the case where your isp or some other router closer to you is compromised, something that letsencrypt wouldnt see
       
 (DIR) Post #9jUxH91FZfrSdTrklU by wowaname@anime.website
       2019-06-04T09:02:34.391360Z
       
       0 likes, 0 repeats
       
       @Wolf480pl @selea regardless, dnssec looks straightforward to offer for my domain so i'll give clients the option to authenticate responses if they wish
       
 (DIR) Post #9jUxNfRRwOrsvjENgu by inditoot@inditoot.com
       2019-06-04T09:03:43Z
       
       0 likes, 0 repeats
       
       @matrix @selea Using cloudflare?
       
 (DIR) Post #9jUxp02vRTOGeVnEI4 by matrix@gameliberty.club
       2019-06-04T09:08:41Z
       
       0 likes, 0 repeats
       
       @inditoot Nope @selea
       
 (DIR) Post #9jUyOl2Yi9OqXNfk12 by Wolf480pl@niu.moe
       2019-06-04T09:15:08Z
       
       0 likes, 0 repeats
       
       @wowaname @selea oh, yeah, indeed. OTOH, I was hoping DNSSEC could help fix the multiple-SPOF problem of CAs. We can use TLSA records to publish TLS fingerprints in DNSSEC. Then you can check a TLS cert's validity through CAs, or through DNSSEC, or both.
       
 (DIR) Post #AYFWQDY8bA6RF5L79k by samuel@social.spejset.org
       2023-07-31T09:37:59Z
       
       0 likes, 0 repeats
       
       @selea Is there any good howto for that kind of thing?
       
 (DIR) Post #AYFWlHK7lItb1opMdE by portaloffreedom@social.linux.pizza
       2023-07-31T09:41:51Z
       
       0 likes, 0 repeats
       
       @selea should I worry even if I only deploy a couple of personal websites and a matrix server?
       
 (DIR) Post #AYFY7YScpLIcVFzQnI by selea@social.linux.pizza
       2023-07-31T09:57:07Z
       
       0 likes, 0 repeats
       
       @samuel The process looks a bit different depending on the registrar and DNS provider. I see that you use nja.la, so there _should_ be a setting for it there. Alternatively, check with their support :)
       
 (DIR) Post #AYFYERrtjgEO5I68y8 by selea@social.linux.pizza
       2023-07-31T09:58:22Z
       
       0 likes, 0 repeats
       
       @portaloffreedom well you can have SSHFP support and also TLSA support :)
       
 (DIR) Post #AYFYIRAuFvCP5ltJOC by portaloffreedom@social.linux.pizza
       2023-07-31T09:59:06Z
       
       0 likes, 0 repeats
       
       @selea now I have even more questions than before XD
       
 (DIR) Post #AYFYLB56Y1ZM30U4wq by aryak@social.projectsegfau.lt
       2023-07-31T09:50:16.146657Z
       
       0 likes, 0 repeats
       
       @selea ovh still doesn't let me add dnssec on .lt :(
       
 (DIR) Post #AYFYLBn3uajOFL3BSq by selea@social.linux.pizza
       2023-07-31T09:59:35Z
       
       0 likes, 0 repeats
       
       @aryak that's kinda sad
       
 (DIR) Post #AYFZ1LG961atmDko4W by selea@social.linux.pizza
       2023-07-31T10:07:09Z
       
       0 likes, 0 repeats
       
       @portaloffreedom Lets start with this one https://en.m.wikipedia.org/wiki/SSHFP_record :D
       
 (DIR) Post #AYFZ8OsY2OyD1s596G by portaloffreedom@social.linux.pizza
       2023-07-31T10:08:28Z
       
       0 likes, 0 repeats
       
       @selea basically, to remove that first moment of trust, when ssh says "it's the first time you connect to this. The public key is aaaaaaaaaaaaa. Do you trust it?"
       
 (DIR) Post #AYFZI36jpxdsP3JvF2 by selea@social.linux.pizza
       2023-07-31T10:10:12Z
       
       0 likes, 0 repeats
       
       @portaloffreedom Yep,
       
 (DIR) Post #AYFZJpIa9KTa9dhvyS by selea@social.linux.pizza
       2023-07-31T10:10:33Z
       
       0 likes, 0 repeats
       
       @portaloffreedom And it will refuse to connect if the keys differ
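
       The SSHFP mechanism discussed in the posts above, as an added example that is not part of the thread: it builds the SSHFP RDATA (algorithm, fingerprint type, SHA-256 of the raw key blob) for an OpenSSH public key line and emulates the client-side check that accepts a presented host key only when a published fingerprint matches. The host keys are constructed byte patterns, not real keys, and the hostname is a placeholder; in a real deployment `ssh-keygen -r <hostname>` produces the record and OpenSSH's `VerifyHostKeyDNS` only trusts it when the resolver returns it as DNSSEC-validated.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255 / RFC 6594 / RFC 7479) keyed by the OpenSSH key type.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
FPTYPE_SHA256 = 2  # fingerprint type 2 = SHA-256 (type 1 = SHA-1; do not publish new SHA-1 records)


def sshfp_rdata(authorized_key_line):
    """Return (algorithm, fptype, fingerprint_hex) for one OpenSSH public key line."""
    key_type, blob_b64 = authorized_key_line.split()[:2]
    blob = base64.b64decode(blob_b64)
    # The wire-format blob embeds its own type string; the fingerprint covers the whole blob.
    embedded_len = struct.unpack(">I", blob[:4])[0]
    embedded_type = blob[4:4 + embedded_len].decode()
    if embedded_type != key_type:
        raise ValueError("key type mismatch: %s vs %s" % (key_type, embedded_type))
    return (SSHFP_ALGORITHM[key_type], FPTYPE_SHA256, hashlib.sha256(blob).hexdigest())


def sshfp_record(hostname, authorized_key_line):
    """Render a zone-file line for the key (hostname is a placeholder in this example)."""
    alg, fptype, fp = sshfp_rdata(authorized_key_line)
    return "%s. IN SSHFP %d %d %s" % (hostname, alg, fptype, fp)


def host_key_matches(published_records, presented_key_line):
    """Emulate the client check: accept the presented key only if an SSHFP entry matches it."""
    return sshfp_rdata(presented_key_line) in published_records


def make_ed25519_pubkey_line(raw32):
    """Build an 'ssh-ed25519 <base64>' line from a constructed 32-byte value (NOT a real key)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


# Constructed sample host keys (not real keys): the legitimate one and a swapped one.
GOOD_KEY = make_ed25519_pubkey_line(bytes(range(32)))
SWAPPED_KEY = make_ed25519_pubkey_line(bytes(range(1, 33)))

if __name__ == "__main__":
    print(sshfp_record("host.example", GOOD_KEY))
    published = {sshfp_rdata(GOOD_KEY)}
    print("good key accepted:", host_key_matches(published, GOOD_KEY))      # True
    print("swapped key accepted:", host_key_matches(published, SWAPPED_KEY))  # False
```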
       
 (DIR) Post #AYFdoAVMGnVGQbPJGC by Suiseiseki@freesoftwareextremist.com
       2023-07-31T11:00:48.697376Z
       
       0 likes, 0 repeats
       
       @selea DNSSEC is well and good until you reach the stage where you have to get DNSSEC working on BIND.
       
 (DIR) Post #AYFe8XiperjYE8QP6u by selea@social.linux.pizza
       2023-07-31T11:04:31Z
       
       0 likes, 0 repeats
       
       @Suiseiseki It works well with bind9. However, powerDNS makes it much easier with all zsk and ksk rollovers done automatically
       
 (DIR) Post #AYFfCLYGwtYFasra64 by Suiseiseki@freesoftwareextremist.com
       2023-07-31T11:16:24.715660Z
       
       0 likes, 0 repeats
       
       @selea Once you go through the pain of getting it working, yes it works well, as I found out.
       
 (DIR) Post #AYFfH37QuRaFsCYGno by Suiseiseki@freesoftwareextremist.com
       2023-07-31T11:17:16.498755Z
       
       0 likes, 0 repeats
       
       @selea BIND does support automatic ZSK and KSK rollovers as well, but you need to set that manually.
       
 (DIR) Post #AYFjmkzwDXtwkuQ9nE by feld@bikeshed.party
       2023-07-31T12:07:26.943636Z
       
       0 likes, 0 repeats
       
       Don't enable DNSSEC if your zone has a record being used for NTP server purposes though :laugh: