← Back to context

Comment by icedchai

15 hours ago

I've been in IT 30+ years, been running DNS, web servers, etc. since at least 1994. I haven't bothered with DNSSEC due to perceived operational complexity. The penalty for a screw up, a total outage, just doesn't seem worth the security it provides.

7 comments

icedchai

Reply
gerdesj  12 hours ago

That was my experience too until I decided that just running email systems for 30 odd years when HN says that is unnatural piqued my weird or something!

I ran up three new VMs on three different sites. I linked all three systems via a private Wireguard mesh. MariaDB on each VM bound to the wg IP and stock replication from the "primary". PowerDNS runs across that lot. One of the VMs is not available from the internet and has no identity within the DNS. The idea is that if the Eye of Sauron bears down on me, I can bring another DNS server online quite quickly and fiddle the records to bring it online. It also serves as a third authority for replication.

I also deployed https://github.com/PowerDNS-Admin/PowerDNS-Admin which is getting on a bit and will be replaced eventually but works beautifully.

Now I have DNS with DNSSEC and dynamic DNS and all the rest. This is how you start signing a zone and PowerDNS will look after everything else:

  # pdnsutil secure-zone example.co.uk
  # pdnsutil zone set-nsec3 example.co.uk
  # pdnsutil zone rectify example.co.uk

Grab a test zone and work it all out first, it will cost you not a lot and then go for "production".

My home systems are DNSSEC signed.

qingcharles  12 hours ago

How simple sysadmin was in 1994 with no cryptography on any protocol. Everything could be easily MITM'd. Your credit card number would get jacked left and right in the 90s.

  • icedchai  9 hours ago

    Nobody was taking credit cards online then. Your telnet sessions were easily sniffed, however.

    • qingcharles  8 hours ago

      Not in '94, sure. But a couple of years later it was common and SSL was still uncommon, for a bunch of reasons, and also everyone was storing the card numbers in plaintext on their servers too.

      Telnet was sniffed. IRC was being sniffed and logged.

  • account42  2 hours ago

    And your mailman can also just open your letters. So what, it mostly doesn't happen in developed countries. Not everything needs an airtight technical solution, we have way less costly ways to deal with unwanted behavior.

  • gerdesj  12 hours ago

    Cool. Feel free to explain how to tighten things up.

    I've just given them part of a recipe for using DNSSEC. I suspect you are not actually human .. qingcharles.