***: LT has joined #arpnetworks
bardo has joined #arpnetworks
legyndir has quit IRC (Ping timeout: 245 seconds)
jpalmer: just submitted my first pull request against puppet. It's minor, but for the people who use SRV records, it makes things a fair bit easier.
and.. wrong channel.
qbit: hola
console.cust.arpnetworks.com = e2:64:38:88:83:58:56:09:71:a8:0f:fd:6d:e2:e7:36, correct?
brycec, one help plz?
LT: 2048 e2:64:38:88:83:58:56:09:71:a8:0f:fd:6d:e2:e7:36 console.cust.arpnetworks.com,2607:f2f8:0:102::5 (RSA)
qbit: :D
nice
brycec: hm?
qbit: I assume your question has been answered
qbit: brycec: you should totally add the fp's to BryceBot
brycec: At the very least, up_the_irons should put up sshfp records if he hasn't already
jpalmer: brycec: I have an apple radar incident about OSX failing to do sshfp records since july 2012, and it's still an issue in mavericks.
(I update it with every new OS patch/minor/major version change.)
lol
brycec: heh
Whether or not the client-side observes it, at the very least one could point qbit to "dig +SSHFP console.cust.arpnetworks.com" :p
I never expect the a random person's client (okay, qbit isn't random) to be configured for sshfp checking. But at least the authoritative record would be there.
s/dig ./dig -t /
BryceBot: <brycec> Whether or not the client-side observes it, at the very least one could point qbit to "dig -t SSHFP console.cust.arpnetworks.com" :p
brycec: (or whatever the exact syntax is)
qbit: or that -o thinger to ssh that makes it check
dne: or host keys could be signed, and the CA certificate published on the website
mhoran: I'd say an HTTPS endpoint with the fingerprint on a web page is probably the easiest/most trustworthy option. SSHFP can still be spoofed without DNSSEC on the zone, and up_the_irons already has an SSL certificate for HTTPS.
brycec: If we're concerned about spoofing, who's to say that arpnetworks.com isn't hijacked complete with an ssl cert from a shady CA?
mhoran: Well, I guess we're all screwed.
twobithacker: DNSSEC would be the more standard way of making the data reliable
OpenSSH will trust an SSHFP if the DNS lookup has the AD bit set
mhoran: Why do we trust DNSSEC over the CA chain?
plett: Because there are lots of CAs of questionable quality
mhoran: I suspect there are also registrars of questionable quality.
I think quality is the wrong word, but I get what you're saying.
plett: And we can trace DNSSEC trust back to the named people who all handle a part of the root key instead of having to rely on your browser vendor not including the CA belonging to the Chinese Government
LT: I guess the difference is the domain owner has a choice of registrar, whereas any CA can sign for any domain
mhoran: I don't understand how registrars work well enough to know the answer -- but couldn't a registrar just inject a rogue record into the root DNS and take over a domain?
I guess I don't see how that's different from the CA problem.
plett: No, the root zone just says that .com is served by these nameservers and that those nameservers will sign responses with these public keys
(for example)
It's then down to the .com nameservers to say that arpnetworks.com is delegated to a different set of nameservers and that they will sign responses with a different set of keys
***: LT has quit IRC (Quit: Leaving)
brycec: In theory, couldn't a Bad Registrar (notably, the one holding arpnetworks.com) just reassign the authoritative nameservers to its own, hijacking DNS and everything else? Where does the DNSSEC magic fix come into play?
mhoran: Yeah, that's what I thought.
Just like a rogue CA.
Though harder to detect I'd say.
brycec: At the root level, you have multiple servers that should all have the same root signing key, so any alteration should be easily detected
but it's the middleman that I'd worry about
(Granted I'm far from being a dnssec expert)
mhoran: Yeah.
Also, the entire infrastructure is still controlled by corporations. So we're screwed.
brycec: Wasn't there an alternate DNS system devised built on p2p?
Not that I'd ever expect such a thing to become mainstream
mhoran: Sounds familiar.
djb probably wrote it.
***: fink has joined #arpnetworks
fink: testing out 10.1 in a virtualbox, before trying on arpnetworks
zfs on root wooo
***: bardo has quit IRC (Ping timeout: 250 seconds)
mercutio: that was in freebsd 10 at least?
hmm virtio on openbsd does seem to make tarball extractions quicker.
m0unds1: yea, virtio is nice
mercutio: yeah i'm a bit late to the show i think :)
m0unds1: i'm building a rpi + arduino powered fermenter controller for home brewing
it's exciting
mercutio: cool
do you drink a lot of beer?
m0unds1: similar to this, but i'm not using anything but brewpi
http://www.brewpi.com/
i drink a fair amount; i'm planning on doing small batch stuff until i get the hang of it
mercutio: the temptation when brewing would be to drink more i imagine
m0unds1: yields a more reasonable number of beers vs the more common fermenting size (5 gallon is more common - almost 20L)
i'm gonna be doing gallon size, so it'll be ~8-9 bottles per batch
mercutio: 20 litres hah
i drink like a litre of beer a week :)
m0unds1: yeah, there are guys who do that and build keg rigs and stuff for storing/serving and stuff
umm, on average, i'll have maybe 6 beers a week
mercutio: but beer is better in warmer weather
m0unds1: sometimes more, sometimes less
mercutio: i find it sedating
m0unds1: depends on the style
we're not really using our chest freezer anymore, so i'm gonna convert it to a fermentation chamber
mercutio: i've been mostly having alcoholic ginger beer recently
m0unds1: i was in colorado last week and did some brewery tours, so i had lots of tasters of stuff
mercutio: cool
m0unds1: yeah, there's a silly number of good breweries up there
glad i left when i did though. two days after i got home, daytime high temp in the city i was in hit -1F/-18C
mercutio: wtf
i've never been anywhere near that cold
m0unds1: it sucks
hahahah
it was like that when i was up in CO this time last year too
and windy, oof
mercutio: i used to live somewhere colder than where i am now
and in the morning windscreen on car would frost up
on inside and out hah
so i had a rag in my car to clean it
then i moved, and i noticed i no longer needed a rag.
m0unds1: yeah, haha
mercutio: but i didn't even realise except kind of in retrospect
m0unds1: it gets cold enough here in the winter for that to happen, but our relative humidity is so low it's rarely an issue (the inside of the car part)
mercutio: the inside was thinner
humidity here is being annoying
although i think i understand humidity better now sort of
when people say the weather is muggy it seems to be variable about how humid it actually is
m0unds1: yeah
mercutio: and it tends to be when the humidity and temperature is up
but like i feel 70% humidity lower temp on my reader thing more than 60% high temp
but people are more likely to call the weather muggy on the latter
i suppose if you can't see any rain and it feels damp?
m0unds1: yeah
southeastern US is like that
super high humidity makes it feel like you're in a steam room
mercutio: this is relative humidity and i dunno how good the sensor is
it's about 49% atm
i have 3 of them, and this is the driest room though
***: toeshred has quit IRC (Quit: WeeChat 1.0.1)
toeshred has joined #arpnetworks
mhoran has quit IRC (Quit: WeeChat 1.0.1)
mhoran has joined #arpnetworks
ChanServ sets mode: +o mhoran
tehfink has joined #arpnetworks
fink has quit IRC (Ping timeout: 272 seconds)
tehfink is now known as fink
up_the_irons: what's this i hear about sshfp records?
oh i think i get it (read more scrollback)
mercutio: it sounded kind of nifty
brycec: It's a nice idea, for sure. Allows a company to advertise ssh fingerprints out-of-ssh's-band for clients to check, and ssh can do it on its own automatically
We use it for an ssh-based tool we distribute
mercutio: well it seems non ideal but better than nothing
brycec: All depends upon your level of paranoia
In a closed, internal environment where you control the DNS as well as everything in between [and assuming that $spies haven't hijacked your internal DNS, etc], then it can make deployments much simpler.
***: fink has quit IRC (Quit: fink)
mercutio: well it's two step anyway
you have to take over the dns, and take over the hosts
actually if you spoof a host it could just let you straight in?
smokeping is kind of weird, even when you view the graphs of hosts it does dns lookups on all the targets.
i was wondering why speed was being variable in some places, and it was dns related.