just submitted my first pull request against puppet. It's minor, but for the people who use SRV records, it makes things a fair bit easier. and.. wrong channel. hola console.cust.arpnetworks.com = e2:64:38:88:83:58:56:09:71:a8:0f:fd:6d:e2:e7:36, correct? brycec, one help plz? 2048 e2:64:38:88:83:58:56:09:71:a8:0f:fd:6d:e2:e7:36 console.cust.arpnetworks.com,2607:f2f8:0:102::5 (RSA) :D nice hm? qbit: I assume your question has been answered brycec: you should totally add the fp's to BryceBot At the very least, up_the_irons should put up sshfp records if he hasn't already brycec: I have an apple radar incident about OSX failing to do sshfp records since july 2012, and it's still an issue in mavericks. (I update it with every new OS patch/minor/major version change.) lol heh Whether or not the client-side observes it, at the very least one could point qbit to "dig +SSHFP console.cust.arpnetworks.com" :p I never expect a random person's client (okay, qbit isn't random) to be configured for sshfp checking. But at least the authoritative record would be there. s/dig ./dig -t / Whether or not the client-side observes it, at the very least one could point qbit to "dig -t SSHFP console.cust.arpnetworks.com" :p (or whatever the exact syntax is) or that -o thinger to ssh that makes it check or host keys could be signed, and the CA certificate published on the website I'd say an HTTPS endpoint with the fingerprint on a web page is probably the easiest/most trustworthy option. SSHFP can still be spoofed without DNSSEC on the zone, and up_the_irons already has an SSL certificate for HTTPS. If we're concerned about spoofing, who's to say that arpnetworks.com isn't hijacked complete with an ssl cert from a shady CA? Well, I guess we're all screwed. DNSSEC would be the more standard way of making the data reliable OpenSSH will trust an SSHFP if the DNS lookup has the AD bit set Why do we trust DNSSEC over the CA chain?
Because there are lots of CAs of questionable quality I suspect there are also registrars of questionable quality. I think quality is the wrong word, but I get what you're saying. And we can trace DNSSEC trust back to the named people who all handle a part of the root key instead of having to rely on your browser vendor not including the CA belonging to the Chinese Government I guess the difference is the domain owner has a choice of registrar, whereas any CA can sign for any domain I don't understand how registrars work well enough to know the answer -- but couldn't a registrar just inject a rogue record into the root DNS and take over a domain? I guess I don't see how that's different from the CA problem. No, the root zone just says that .com is served by these nameservers and that those nameservers will sign responses with these public keys (for example) It's then down to the .com nameservers to say that arpnetworks.com is delegated to a different set of nameservers and that they will sign responses with a different set of keys In theory, couldn't a Bad Registrar (notably, the one holding arpnetworks.com) just reassign the authoritative nameservers to its own, hijacking DNS and everything else? Where does the DNSSEC magic fix come into play? Yeah, that's what I thought. Just like a rogue CA. Though harder to detect I'd say. At the root level, you have multiple servers that should all have the same root signing key, so any alteration should be easily detected but it's the middleman that I'd worry about (Granted I'm far from being a dnssec expert) Yeah. Also, the entire infrastructure is still controlled by corporations. So we're screwed. Wasn't there an alternate DNS system devised built on p2p? Not that I'd ever expect such a thing to become mainstream Sounds familiar. djb probably wrote it. testing out 10.1 in a virtualbox, before trying on arpnetworks zfs on root wooo that was in freebsd 10 at least?
hmm virtio on openbsd does seem to make tarball extractions quicker. yea, virtio is nice yeah i'm a bit late to the show i think :) i'm building a rpi + arduino powered fermenter controller for home brewing it's exciting cool do you drink a lot of beer? similar to this, but i'm not using anything but brewpi http://www.brewpi.com/ i drink a fair amount; i'm planning on doing small batch stuff until i get the hang of it the temptation when brewing would be to drink more i imagine yields a more reasonable number of beers vs the more common fermenting size (5 gallon is more common - almost 20L) i'm gonna be doing gallon size, so it'll be ~8-9 bottles per batch 20 litres hah i drink like a litre of beer a week :) yeah, there are guys who do that and build keg rigs and stuff for storing/serving and stuff umm, on average, i'll have maybe 6 beers a week but beer is better in warmer weather sometimes more, sometimes less i find it sedating depends on the style we're not really using our chest freezer anymore, so i'm gonna convert it to a fermentation chamber i've been mostly having alcoholic ginger beer recently i was in colorado last week and did some brewery tours, so i had lots of tasters of stuff cool yeah, there's a silly number of good breweries up there glad i left when i did though. two days after i got home, daytime high temp in the city i was in hit -1F/-18C wtf i've never been anywhere near that cold it sucks hahahah it was like that when i was up in CO this time last year too and windy, oof i used to live somewhere colder than where i am now and in the morning windscreen on car would frost up on inside and out hah so i had a rag in my car to clean it then i moved, and i noticed i no longer needed a rag.
yeah, haha but i didn't even realise except kind of in retrospect it gets cold enough here in the winter for that to happen, but our relative humidity is so low it's rarely an issue (the inside of the car part) the inside was thinner humidity here is being annoying although i think i understand humidity better now sort of when people say the weather is muggy it seems to be variable about how humid it actually is yeah and it tends to be when the humidity and temperature is up but like i feel 70% humidity lower temp on my reader thing more than 60% high temp but people are more likely to call the weather muggy on the latter i suppose if you can't see any rain and it feels damp? yeah southeastern US is like that super high humidity makes it feel like you're in a steam room this is relative humidity and i dunno how good the sensor is it's about 49% atm i have 3 of them, and this is the driest room though what's this i hear about sshfp records? oh i think i get it (read more scrollback) it sounded kind of nifty It's a nice idea, for sure. Allows a company to advertise ssh fingerprints out-of-ssh's-band for clients to check, and ssh can do it on its own automatically We use it for an ssh-based tool we distribute well it seems non ideal but better than nothing All depends upon your level of paranoia In a closed, internal environment where you control the DNS as well as everything in between [and assuming that $spies haven't hijacked your internal DNS, etc], then it can make deployments much simpler. well it's two step anyway you have to take over the dns, and take over the hosts actually if you spoof a host it could just let you straight in? smokeping is kind of weird, even when you view the graphs of hosts it does dns lookups on all the targets. i was wondering why speed was being variable in some places, and it was dns related.