[00:03] *** legyndir has joined #arpnetworks
[01:01] *** LT has joined #arpnetworks
[04:37] *** bardo has joined #arpnetworks
[04:55] *** legyndir has quit IRC (Ping timeout: 245 seconds)
[07:21] just submitted my first pull request against puppet. It's minor, but for the people who use SRV records, it makes things a fair bit easier.
[07:21] and.. wrong channel.
[07:25] hola
[07:25] console.cust.arpnetworks.com = e2:64:38:88:83:58:56:09:71:a8:0f:fd:6d:e2:e7:36, correct?
[07:35] brycec, one help plz?
[07:35] 2048 e2:64:38:88:83:58:56:09:71:a8:0f:fd:6d:e2:e7:36 console.cust.arpnetworks.com,2607:f2f8:0:102::5 (RSA)
[07:35] :D
[07:35] nice
[07:40] hm?
[07:40] qbit: I assume your question has been answered
[07:40] brycec: you should totally add the fp's to BryceBot
[07:44] At the very least, up_the_irons should put up sshfp records if he hasn't already
[07:54] brycec: I have an apple radar incident about OSX failing to do sshfp records since july 2012, and it's still an issue in mavericks.
[07:55] (I update it with every new OS patch/minor/major version change.) lol
[07:56] heh
[07:56] Whether or not the client-side observes it, at the very least one could point qbit to "dig +SSHFP console.cust.arpnetworks.com" :p
[07:57] I never expect a random person's client (okay, qbit isn't random) to be configured for sshfp checking. But at least the authoritative record would be there.
[07:58] s/dig ./dig -t /
[07:58] Whether or not the client-side observes it, at the very least one could point qbit to "dig -t SSHFP console.cust.arpnetworks.com" :p
[07:58] (or whatever the exact syntax is)
[08:00] or that -o thinger to ssh that makes it check
[08:01] or host keys could be signed, and the CA certificate published on the website
[08:28] I'd say an HTTPS endpoint with the fingerprint on a web page is probably the easiest/most trustworthy option. SSHFP can still be spoofed without DNSSEC on the zone, and up_the_irons already has an SSL certificate for HTTPS.
[08:30] If we're concerned about spoofing, who's to say that arpnetworks.com isn't hijacked complete with an ssl cert from a shady CA?
[08:47] Well, I guess we're all screwed.
[08:48] DNSSEC would be the more standard way of making the data reliable
[08:49] OpenSSH will trust an SSHFP if the DNS lookup has the AD bit set
[08:50] Why do we trust DNSSEC over the CA chain?
[08:52] Because there are lots of CAs of questionable quality
[08:53] I suspect there are also registrars of questionable quality.
[08:53] I think quality is the wrong word, but I get what you're saying.
[08:54] And we can trace DNSSEC trust back to the named people who all handle a part of the root key instead of having to rely on your browser vendor not including the CA belonging to the Chinese Government
[08:54] I guess the difference is the domain owner has a choice of registrar, whereas any CA can sign for any domain
[08:56] I don't understand how registrars work well enough to know the answer -- but couldn't a registrar just inject a rogue record into the root DNS and take over a domain?
[08:56] I guess I don't see how that's different from the CA problem.
[08:58] No, the root zone just says that .com is served by these nameservers and that those nameservers will sign responses with these public keys
[08:58] (for example)
[08:59] It's then down to the .com nameservers to say that arpnetworks.com is delegated to a different set of nameservers and that they will sign responses with a different set of keys
[09:04] *** LT has quit IRC (Quit: Leaving)
[09:25] In theory, couldn't a Bad Registrar (notably, the one holding arpnetworks.com) just reassign the authoritative nameservers to its own, hijacking DNS and everything else? Where does the DNSSEC magic fix come into play?
[09:33] Yeah, that's what I thought.
[09:34] Just like a rogue CA.
[09:34] Though harder to detect I'd say.
[09:56] At the root level, you have multiple servers that should all have the same root signing key, so any alteration should be easily detected
[09:57] but it's the middleman that I'd worry about
[09:57] (Granted I'm far from being a dnssec expert)
[09:57] Yeah.
[09:57] Also, the entire infrastructure is still controlled by corporations. So we're screwed.
[09:58] Wasn't there an alternate DNS system devised built on p2p?
[09:58] Not that I'd ever expect such a thing to become mainstream
[09:59] Sounds familiar.
[09:59] djb probably wrote it.
[10:12] *** fink has joined #arpnetworks
[10:40] testing out 10.1 in a virtualbox, before trying on arpnetworks
[10:40] zfs on root wooo
[11:18] *** bardo has quit IRC (Ping timeout: 250 seconds)
[12:59] that was in freebsd 10 at least?
[13:43] hmm virtio on openbsd does seem to make tarball extractions quicker.
[13:50] yea, virtio is nice
[13:51] yeah i'm a bit late to the show i think :)
[14:01] i'm building a rpi + arduino powered fermenter controller for home brewing
[14:01] it's exciting
[14:02] cool
[14:02] do you drink a lot of beer?
[14:02] similar to this, but i'm not using anything but brewpi
[14:02] http://www.brewpi.com/
[14:02] i drink a fair amount; i'm planning on doing small batch stuff until i get the hang of it
[14:03] the temptation when brewing would be to drink more i imagine
[14:03] yields a more reasonable number of beers vs the more common fermenting size (5 gallon is more common - almost 20L)
[14:04] i'm gonna be doing gallon size, so it'll be ~8-9 bottles per batch
[14:04] 20 litres hah
[14:04] i drink like a litre of beer a week :)
[14:04] yeah, there are guys who do that and build keg rigs and stuff for storing/serving and stuff
[14:04] umm, on average, i'll have maybe 6 beers a week
[14:04] but beer is better in warmer weather
[14:04] sometimes more, sometimes less
[14:04] i find it sedating
[14:05] depends on the style
[14:05] we're not really using our chest freezer anymore, so i'm gonna convert it to a fermentation chamber
[14:05] i've been mostly having alcoholic ginger beer recently
[14:06] i was in colorado last week and did some brewery tours, so i had lots of tasters of stuff
[14:07] cool
[14:08] yeah, there's a silly number of good breweries up there
[14:08] glad i left when i did though. two days after i got home, daytime high temp in the city i was in hit -1F/-18C
[14:09] wtf
[14:09] i've never been anywhere near that cold
[14:09] it sucks
[14:09] hahahah
[14:09] it was like that when i was up in CO this time last year too
[14:10] and windy, oof
[14:10] i used to live somewhere colder than where i am now
[14:10] and in the morning the windscreen on the car would frost up
[14:10] on inside and out hah
[14:10] so i had a rag in my car to clean it
[14:10] then i moved, and i noticed i no longer needed a rag.
[14:11] yeah, haha
[14:11] but i didn't even realise except kind of in retrospect
[14:11] it gets cold enough here in the winter for that to happen, but our relative humidity is so low it's rarely an issue (the inside of the car part)
[14:11] the inside was thinner
[14:11] humidity here is being annoying
[14:12] although i think i understand humidity better now sort of
[14:13] when people say the weather is muggy it seems to be variable about how humid it actually is
[14:13] yeah
[14:13] and it tends to be when the humidity and temperature is up
[14:13] but like i feel 70% humidity lower temp on my reader thing more than 60% high temp
[14:13] but people are more likely to call the weather muggy on the latter
[14:14] i suppose if you can't see any rain and it feels damp?
[14:14] yeah
[14:14] southeastern US is like that
[14:14] super high humidity makes it feel like you're in a steam room
[14:16] this is relative humidity and i dunno how good the sensor is
[14:16] it's about 49% atm
[14:16] i have 3 of them, and this is the driest room though
[15:12] *** toeshred has quit IRC (Quit: WeeChat 1.0.1)
[15:16] *** toeshred has joined #arpnetworks
[17:09] *** mhoran has quit IRC (Quit: WeeChat 1.0.1)
[17:27] *** mhoran has joined #arpnetworks
[17:27] *** ChanServ sets mode: +o mhoran
[18:05] *** tehfink has joined #arpnetworks
[18:09] *** fink has quit IRC (Ping timeout: 272 seconds)
[18:09] *** tehfink is now known as fink
[19:02] what's this i hear about sshfp records?
[19:04] oh i think i get it (read more scrollback)
[19:06] it sounded kind of nifty
[19:07] It's a nice idea, for sure.
[19:07] Allows a company to advertise ssh fingerprints out-of-ssh's-band for clients to check, and ssh can do it on its own automatically
[19:07] We use it for an ssh-based tool we distribute
[19:08] well it seems non-ideal but better than nothing
[19:59] All depends upon your level of paranoia
[20:00] In a closed, internal environment where you control the DNS as well as everything in between [and assuming that $spies haven't hijacked your internal DNS, etc], then it can make deployments much simpler.
[20:06] *** fink has quit IRC (Quit: fink)
[21:36] well it's two step anyway
[21:36] you have to take over the dns, and take over the hosts
[21:37] actually if you spoof a host it could just let you straight in?
[23:00] smokeping is kind of weird, even when you view the graphs of hosts it does dns lookups on all the targets.
[23:00] i was wondering why speed was being variable in some places, and it was dns related.