#arpnetworks 2014-11-14,Fri

↑back Search ←Prev date Next date→ Show only urls(Click on time to select a line by its url)

WhoWhatWhen
***legyndir has joined #arpnetworks [00:03]
............ (idle for 58mn)
LT has joined #arpnetworks [01:01]
............................................ (idle for 3h36mn)
bardo has joined #arpnetworks [04:37]
.... (idle for 18mn)
legyndir has quit IRC (Ping timeout: 245 seconds) [04:55]
.............................. (idle for 2h26mn)
jpalmerjust submitted my first pull request against puppet. It's minor, but for the people who use SRV records, it makes things a fair bit easier.
and.. wrong channel.
[07:21]
qbithola
console.cust.arpnetworks.com = e2:64:38:88:83:58:56:09:71:a8:0f:fd:6d:e2:e7:36, correct?
[07:25]
brycec, one help plz? [07:35]
LT2048 e2:64:38:88:83:58:56:09:71:a8:0f:fd:6d:e2:e7:36 console.cust.arpnetworks.com,2607:f2f8:0:102::5 (RSA) [07:35]
qbit:D
nice
[07:35]
brycechm?
qbit: I assume your question has been answered
[07:40]
qbitbrycec: you should totally add the fp's to BryceBot [07:40]
brycecAt the very least, up_the_irons should put up sshfp records if he hasn't already [07:44]
jpalmerbrycec: I have an apple radar incident about OSX failing to do sshfp records since july 2012, and it's still an issue in mavericks.
(I update it with every new OS patch/minor/major version change.) lol
[07:54]
brycecheh
Whether or not the client-side observes it, at the very least one could point qbit to "dig +SSHFP console.cust.arpnetworks.com" :p
I never expect the a random person's client (okay, qbit isn't random) to be configured for sshfp checking. But at least the authoritative record would be there.
s/dig ./dig -t /
[07:56]
BryceBot<brycec> Whether or not the client-side observes it, at the very least one could point qbit to "dig -t SSHFP console.cust.arpnetworks.com" :p [07:58]
brycec(or whatever the exact syntax is) [07:58]
qbitor that -o thinger to ssh that makes it check [08:00]
dneor host keys could be signed, and the CA certificate published on the website [08:01]
...... (idle for 27mn)
mhoranI'd say an HTTPS endpoing with the fingerprint on a web page is probably the easiest/most trustworthy option. SSHFP can still be spoofed without DNSSEC on the zone, and up_the_irons already has an SSL certificate for HTTPS. [08:28]
brycecIf we're concerned about spoofing, who's to say that arpnetworks.com isn't hijacked complete with an ssl cert from a shady CA? [08:30]
.... (idle for 17mn)
mhoranWell, I guess we're all screwed. [08:47]
twobithackerDNSSEC would be the more standard way of making the data reliable
OpenSSH will trust an SSHFP if the DNS lookup has the AD bit set
[08:48]
mhoranWhy do we trust DNSSEC over the CA chain? [08:50]
plettBecause there are lots of CAs of questionable quality [08:52]
mhoranI suspect there are also registrars of questionable quality.
I think quality is the wrong word, but I get what you're saying.
[08:53]
plettAnd we can trace DNSSEC trust back to the named people who all handle a part of the root key instead of having to rely on your browser vendor not including the CA belonging to the Chinese Government [08:54]
LTI guess the difference is the domain owner has a choice of registrar, whereas any CA can sign for any domain [08:54]
mhoranI don't understand how registrars work well enough to know the answer -- but couldn't a registrar just inject a rogue record into the root DNS and take over a domain?
I guess I don't see how that's different from the CA problem.
[08:56]
plettNo, the root zone just says that .com is served by these nameservers and that those nameservers will sign responses with these public keys
(for example)
It's then down to the .com nameservers to say that arpnetworks.com is delegated to a different set of nameservers and that they will sign responses with a different set of keys
[08:58]
***LT has quit IRC (Quit: Leaving) [09:04]
..... (idle for 21mn)
brycecIn theory, couldn't a Bad Registrar (notably, the one holding arpnetworks.com) just reassign the authoritative namerservers to its own, hijacking DNS and everything else? Where does the DNSSEC magic fix come into play? [09:25]
mhoranYeah, that's what I thought.
Just like a rogue CA.
Though harder to detect I'd say.
[09:33]
..... (idle for 22mn)
brycecAt the root level, you have multiple servers that should all have the same root signing key, so any alteration should be easily detected
but it's the middleman that I'd worry about
(Granted I'm far from being a dnssec expert)
[09:56]
mhoranYeah.
Also, the entire infrastructure is still controlled by corporations. So we're screwed.
[09:57]
brycecWasn't there an alternate DNS system devised built on p2p?
Not that I'd ever expect such a thing to become mainstream
[09:58]
mhoranSounds familiar.
djb probably wrote it.
[09:59]
***fink has joined #arpnetworks [10:12]
...... (idle for 28mn)
finktesting out 10.1 in a virtualbox, before trying on arpnetworks
zfs on root wooo
[10:40]
........ (idle for 38mn)
***bardo has quit IRC (Ping timeout: 250 seconds) [11:18]
..................... (idle for 1h41mn)
mercutiotaht was in freebsd 10 at least? [12:59]
......... (idle for 44mn)
hmm virtio on openbsd does seem to make tarball extractions quicker. [13:43]
m0unds1yea, virtio is nice [13:50]
mercutioyeah i'ma bit late to the show i think :) [13:51]
m0unds1i'm building a rpi + arduino powered fermenter controller for home brewing
it's exciting
[14:01]
mercutiocool
do you dirnk a lot of beer?
[14:02]
m0unds1similar to this, but i'm not using anything but brewpi
http://www.brewpi.com/
i drink a fair amount; i'm planning on doing small batch stuff until i get the hang of it
[14:02]
mercutiothe temptation when brewijng would be to drink more i imagine [14:03]
m0unds1yields a more reasonable number of beers vs the more common fermenting size (5 gallon is more common - almost 20L)
i'm gonna be doing gallon size, so it'll be ~8-9 bottles per batch
[14:03]
mercutio20 litres hah
i drink like a litre of beer a week :)
[14:04]
m0unds1yeah, there are guys who do that and build keg rigs and stuff for storing/serving and stuff
umm, on average, i'll have maybe 6 beers a week
[14:04]
mercutiobut beer is better in warmer weather [14:04]
m0unds1sometimes more, sometimes less [14:04]
mercutioi find it sedating [14:04]
m0unds1depends on the style
we're not really using our chest freezer anymore, so i'm gonna convert it to a fermentation chamber
[14:05]
mercutioi've been mostly having alcoholic ginger beer recently [14:05]
m0unds1i was in colorado last week and did some brewery tours, so i had lots of tasters of stuff [14:06]
mercutiocool [14:07]
m0unds1yeah, there's a silly number of good breweries up there
glad i left when i did though. two days after i got home, daytime high temp in the city i was in hit -1F/-18C
[14:08]
mercutiowtf
i've never been anywhere near that cold
[14:09]
m0unds1it sucks
hahahah
it was like that when i was up in CO this time last year too
and windy, oof
[14:09]
mercutioi used to live somewhere colder than where i am now
and in the morning windscreen on car would frost up
on inside and out hah
so i had a rag in my car to clean it
then i moved, and i noticed i no longer needed a rag.
[14:10]
m0unds1yeah, haha [14:11]
mercutiobut i didn't even realise except kind of in retrospect [14:11]
m0unds1it gets cold enough here in the winter for that to happen, but our relative humidity is so low it's rarely an issue (the inside of the car part) [14:11]
mercutiothe inside was thinner
humidity here is being annoying
althouighi think i understand humidity better now sort of
when people say the weather is muggy it seems to be variable about how humid it acutally is
[14:11]
m0unds1yeah [14:13]
mercutioand it tends to be when the humdity and temperature is up
but like i feel 70% humidity lower temp on my reader thing more than 60% high temp
but people are more likely to call the weather muggy on the later
i suppose if you cant' see any rain and it feels damp?
[14:13]
m0unds1yeah
southeastern US is like that
super high humidity makes it feel like you're in a steam room
[14:14]
mercutiothis is relative humidity and i dunno how good the sensor is
it's about 49% atm
i have 3 of them, and this is the dryest room though
[14:16]
............ (idle for 56mn)
***toeshred has quit IRC (Quit: WeeChat 1.0.1)
toeshred has joined #arpnetworks
[15:12]
....................... (idle for 1h53mn)
mhoran has quit IRC (Quit: WeeChat 1.0.1) [17:09]
.... (idle for 18mn)
mhoran has joined #arpnetworks
ChanServ sets mode: +o mhoran
[17:27]
........ (idle for 38mn)
tehfink has joined #arpnetworks
fink has quit IRC (Ping timeout: 272 seconds)
tehfink is now known as fink
[18:05]
........... (idle for 53mn)
up_the_ironswhat's this i hear about sshfp records?
oh i think i get it (read more scrollback)
[19:02]
mercutioit sounded kind of nifty [19:06]
brycecIt's a nice idea, for sure. Allows a company to advertise ssh fingerprints out-of-ssh's-band for clients to check, and ssh can do it on its own automatically
We use it for an ssh-based tool we distribute
[19:07]
mercutiowell it seems non ideal but better than nothing [19:08]
........... (idle for 51mn)
brycecAll depends upon your level of paranoia
In a closed, internal environment where you control the DNS as well as everything in between [and assuming that $spies haven't hijacked your internal DNS, etc], then it can make deployments much simpler.
[19:59]
***fink has quit IRC (Quit: fink) [20:06]
................... (idle for 1h30mn)
mercutiowell it's two step anyway
you have to take over the dns, and take over the hosts
actually if you spoof a host it could just let you straight in?
[21:36]
................. (idle for 1h23mn)
smokeping is kind of weird, even when you view the graphs of hosts it does dns lookups on all the targets.
i was wondering why speed was being variable in some places, and it was dns related.
[23:00]

↑back Search ←Prev date Next date→ Show only urls(Click on time to select a line by its url)