| ↑back Search ←Prev date Next date→ Show only urls | (Click on time to select a line by its url) |
| Who | What | When |
|---|---|---|
| *** | legyndir has joined #arpnetworks | [00:03] |
| ............ (idle for 58mn) | ||
| LT has joined #arpnetworks | [01:01] | |
| ............................................ (idle for 3h36mn) | ||
| bardo has joined #arpnetworks | [04:37] | |
| .... (idle for 18mn) | ||
| legyndir has quit IRC (Ping timeout: 245 seconds) | [04:55] | |
| .............................. (idle for 2h26mn) | ||
| jpalmer | just submitted my first pull request against puppet. It's minor, but for the people who use SRV records, it makes things a fair bit easier.
and.. wrong channel. | [07:21] |
| qbit | hola
console.cust.arpnetworks.com = e2:64:38:88:83:58:56:09:71:a8:0f:fd:6d:e2:e7:36, correct? | [07:25] |
| brycec, one help plz? | [07:35] | |
| LT | 2048 e2:64:38:88:83:58:56:09:71:a8:0f:fd:6d:e2:e7:36 console.cust.arpnetworks.com,2607:f2f8:0:102::5 (RSA) | [07:35] |
| qbit | :D
nice | [07:35] |
| brycec | hm?
qbit: I assume your question has been answered | [07:40] |
| qbit | brycec: you should totally add the fp's to BryceBot | [07:40] |
| brycec | At the very least, up_the_irons should put up sshfp records if he hasn't already | [07:44] |
| jpalmer | brycec: I have an apple radar incident about OSX failing to do sshfp records since july 2012, and it's still an issue in mavericks.
(I update it with every new OS patch/minor/major version change.) lol | [07:54] |
| brycec | heh
Whether or not the client-side observes it, at the very least one could point qbit to "dig +SSHFP console.cust.arpnetworks.com" :p I never expect the a random person's client (okay, qbit isn't random) to be configured for sshfp checking. But at least the authoritative record would be there. s/dig ./dig -t / | [07:56] |
| BryceBot | <brycec> Whether or not the client-side observes it, at the very least one could point qbit to "dig -t SSHFP console.cust.arpnetworks.com" :p | [07:58] |
| brycec | (or whatever the exact syntax is) | [07:58] |
| qbit | or that -o thinger to ssh that makes it check | [08:00] |
| dne | or host keys could be signed, and the CA certificate published on the website | [08:01] |
| ...... (idle for 27mn) | ||
| mhoran | I'd say an HTTPS endpoing with the fingerprint on a web page is probably the easiest/most trustworthy option. SSHFP can still be spoofed without DNSSEC on the zone, and up_the_irons already has an SSL certificate for HTTPS. | [08:28] |
| brycec | If we're concerned about spoofing, who's to say that arpnetworks.com isn't hijacked complete with an ssl cert from a shady CA? | [08:30] |
| .... (idle for 17mn) | ||
| mhoran | Well, I guess we're all screwed. | [08:47] |
| twobithacker | DNSSEC would be the more standard way of making the data reliable
OpenSSH will trust an SSHFP if the DNS lookup has the AD bit set | [08:48] |
| mhoran | Why do we trust DNSSEC over the CA chain? | [08:50] |
| plett | Because there are lots of CAs of questionable quality | [08:52] |
| mhoran | I suspect there are also registrars of questionable quality.
I think quality is the wrong word, but I get what you're saying. | [08:53] |
| plett | And we can trace DNSSEC trust back to the named people who all handle a part of the root key instead of having to rely on your browser vendor not including the CA belonging to the Chinese Government | [08:54] |
| LT | I guess the difference is the domain owner has a choice of registrar, whereas any CA can sign for any domain | [08:54] |
| mhoran | I don't understand how registrars work well enough to know the answer -- but couldn't a registrar just inject a rogue record into the root DNS and take over a domain?
I guess I don't see how that's different from the CA problem. | [08:56] |
| plett | No, the root zone just says that .com is served by these nameservers and that those nameservers will sign responses with these public keys
(for example) It's then down to the .com nameservers to say that arpnetworks.com is delegated to a different set of nameservers and that they will sign responses with a different set of keys | [08:58] |
| *** | LT has quit IRC (Quit: Leaving) | [09:04] |
| ..... (idle for 21mn) | ||
| brycec | In theory, couldn't a Bad Registrar (notably, the one holding arpnetworks.com) just reassign the authoritative namerservers to its own, hijacking DNS and everything else? Where does the DNSSEC magic fix come into play? | [09:25] |
| mhoran | Yeah, that's what I thought.
Just like a rogue CA. Though harder to detect I'd say. | [09:33] |
| ..... (idle for 22mn) | ||
| brycec | At the root level, you have multiple servers that should all have the same root signing key, so any alteration should be easily detected
but it's the middleman that I'd worry about (Granted I'm far from being a dnssec expert) | [09:56] |
| mhoran | Yeah.
Also, the entire infrastructure is still controlled by corporations. So we're screwed. | [09:57] |
| brycec | Wasn't there an alternate DNS system devised built on p2p?
Not that I'd ever expect such a thing to become mainstream | [09:58] |
| mhoran | Sounds familiar.
djb probably wrote it. | [09:59] |
| *** | fink has joined #arpnetworks | [10:12] |
| ...... (idle for 28mn) | ||
| fink | testing out 10.1 in a virtualbox, before trying on arpnetworks
zfs on root wooo | [10:40] |
| ........ (idle for 38mn) | ||
| *** | bardo has quit IRC (Ping timeout: 250 seconds) | [11:18] |
| ..................... (idle for 1h41mn) | ||
| mercutio | taht was in freebsd 10 at least? | [12:59] |
| ......... (idle for 44mn) | ||
| hmm virtio on openbsd does seem to make tarball extractions quicker. | [13:43] | |
| m0unds1 | yea, virtio is nice | [13:50] |
| mercutio | yeah i'ma bit late to the show i think :) | [13:51] |
| m0unds1 | i'm building a rpi + arduino powered fermenter controller for home brewing
it's exciting | [14:01] |
| mercutio | cool
do you dirnk a lot of beer? | [14:02] |
| m0unds1 | similar to this, but i'm not using anything but brewpi
http://www.brewpi.com/ i drink a fair amount; i'm planning on doing small batch stuff until i get the hang of it | [14:02] |
| mercutio | the temptation when brewijng would be to drink more i imagine | [14:03] |
| m0unds1 | yields a more reasonable number of beers vs the more common fermenting size (5 gallon is more common - almost 20L)
i'm gonna be doing gallon size, so it'll be ~8-9 bottles per batch | [14:03] |
| mercutio | 20 litres hah
i drink like a litre of beer a week :) | [14:04] |
| m0unds1 | yeah, there are guys who do that and build keg rigs and stuff for storing/serving and stuff
umm, on average, i'll have maybe 6 beers a week | [14:04] |
| mercutio | but beer is better in warmer weather | [14:04] |
| m0unds1 | sometimes more, sometimes less | [14:04] |
| mercutio | i find it sedating | [14:04] |
| m0unds1 | depends on the style
we're not really using our chest freezer anymore, so i'm gonna convert it to a fermentation chamber | [14:05] |
| mercutio | i've been mostly having alcoholic ginger beer recently | [14:05] |
| m0unds1 | i was in colorado last week and did some brewery tours, so i had lots of tasters of stuff | [14:06] |
| mercutio | cool | [14:07] |
| m0unds1 | yeah, there's a silly number of good breweries up there
glad i left when i did though. two days after i got home, daytime high temp in the city i was in hit -1F/-18C | [14:08] |
| mercutio | wtf
i've never been anywhere near that cold | [14:09] |
| m0unds1 | it sucks
hahahah it was like that when i was up in CO this time last year too and windy, oof | [14:09] |
| mercutio | i used to live somewhere colder than where i am now
and in the morning windscreen on car would frost up on inside and out hah so i had a rag in my car to clean it then i moved, and i noticed i no longer needed a rag. | [14:10] |
| m0unds1 | yeah, haha | [14:11] |
| mercutio | but i didn't even realise except kind of in retrospect | [14:11] |
| m0unds1 | it gets cold enough here in the winter for that to happen, but our relative humidity is so low it's rarely an issue (the inside of the car part) | [14:11] |
| mercutio | the inside was thinner
humidity here is being annoying althouighi think i understand humidity better now sort of when people say the weather is muggy it seems to be variable about how humid it acutally is | [14:11] |
| m0unds1 | yeah | [14:13] |
| mercutio | and it tends to be when the humdity and temperature is up
but like i feel 70% humidity lower temp on my reader thing more than 60% high temp but people are more likely to call the weather muggy on the later i suppose if you cant' see any rain and it feels damp? | [14:13] |
| m0unds1 | yeah
southeastern US is like that super high humidity makes it feel like you're in a steam room | [14:14] |
| mercutio | this is relative humidity and i dunno how good the sensor is
it's about 49% atm i have 3 of them, and this is the dryest room though | [14:16] |
| ............ (idle for 56mn) | ||
| *** | toeshred has quit IRC (Quit: WeeChat 1.0.1)
toeshred has joined #arpnetworks | [15:12] |
| ....................... (idle for 1h53mn) | ||
| mhoran has quit IRC (Quit: WeeChat 1.0.1) | [17:09] | |
| .... (idle for 18mn) | ||
| mhoran has joined #arpnetworks
ChanServ sets mode: +o mhoran | [17:27] | |
| ........ (idle for 38mn) | ||
| tehfink has joined #arpnetworks
fink has quit IRC (Ping timeout: 272 seconds) tehfink is now known as fink | [18:05] | |
| ........... (idle for 53mn) | ||
| up_the_irons | what's this i hear about sshfp records?
oh i think i get it (read more scrollback) | [19:02] |
| mercutio | it sounded kind of nifty | [19:06] |
| brycec | It's a nice idea, for sure. Allows a company to advertise ssh fingerprints out-of-ssh's-band for clients to check, and ssh can do it on its own automatically
We use it for an ssh-based tool we distribute | [19:07] |
| mercutio | well it seems non ideal but better than nothing | [19:08] |
| ........... (idle for 51mn) | ||
| brycec | All depends upon your level of paranoia
In a closed, internal environment where you control the DNS as well as everything in between [and assuming that $spies haven't hijacked your internal DNS, etc], then it can make deployments much simpler. | [19:59] |
| *** | fink has quit IRC (Quit: fink) | [20:06] |
| ................... (idle for 1h30mn) | ||
| mercutio | well it's two step anyway
you have to take over the dns, and take over the hosts actually if you spoof a host it could just let you straight in? | [21:36] |
| ................. (idle for 1h23mn) | ||
| smokeping is kind of weird, even when you view the graphs of hosts it does dns lookups on all the targets.
i was wondering why speed was being variable in some places, and it was dns related. | [23:00] | |
| ↑back Search ←Prev date Next date→ Show only urls | (Click on time to select a line by its url) |