Centroid.EU Blog

(this blog is mostly encrypted - adults only)
  



Delphinusdnsd performed two KSK rollovers over 30 hours

January 11th, 2019

I finally had the code right, but one KSK rollover was botched. This was due to following the wrong instructions in RFC 6781 section 4.1.2; I should have looked at the Errata for this RFC. The result of the botched KSK roll of the zone dtschland.eu is that if you obtain the DS record for it from the eu. nameservers, it will not validate, because the old DNSKEY has already been rolled out of the dtschland.eu. zone.

The rollover should keep the old, rolled-out key around for 86400 seconds, as is being done for the freifunk-schweinfurt.de zone. Here is the listing of the DNSKEY key tags of that zone:

beta$ dig @omega.virgostar.net dnskey freifunk-schweinfurt.de +dnssec |\
	 grep RRSIG | awk '{print $11}'
40824
59532
56933
These are the key tags of the keys that are currently active. After tomorrow at 18:00, the 59532 key can be safely removed.

I'm going to be working on all my DNSSEC'ed zones to roll the ZSK and KSK over the next few weeks. I have services on some domain names, so this process must work. I must work out any kinks before I make any such changes. Someone told me that RFC 7583 is important to read. I have also written up the process for rolling a KSK with delphinusdnsd in the delphinusdns.org handbook.
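The dig | grep | awk pipeline above only shows which key tags appear in RRSIGs. During a rollover the two things worth checking before removing a key are (a) which published DNSKEYs still sign the DNSKEY RRset and which are only published (the one kept around for the TTL), and (b) whether the DS at the parent still points at a DNSKEY that exists in the zone, which is exactly the check that would have caught the dtschland.eu botch. The following is an added example, not delphinusdnsd code or the blog's own tooling: it computes key tags per RFC 4034 Appendix B from dig presentation-format output and cross-references them against the RRSIGs and the parent's DS. The zone example.net., the 4-byte "public keys" and the signature and digest fields are constructed stand-ins, not real key material.

```python
"""Added example (not delphinusdnsd code): state of a DNSSEC key rollover
from 'dig ... +dnssec' presentation-format output."""
import base64

# Constructed sample "dig dnskey example.net +dnssec" answer, one record per
# line. Public keys are 4-byte synthetic stand-ins, signatures are placeholders.
SAMPLE_DNSKEY_ANSWER = """\
example.net. 86400 IN DNSKEY 257 3 13 AQIDBA==
example.net. 86400 IN DNSKEY 256 3 13 BQYHCA==
example.net. 86400 IN DNSKEY 256 3 13 CQoLDA==
example.net. 86400 IN RRSIG DNSKEY 13 2 86400 20190120180000 20190110180000 2068 example.net. c2lnbmF0dXJlLXBsYWNlaG9sZGVy
example.net. 86400 IN RRSIG DNSKEY 13 2 86400 20190120180000 20190110180000 4123 example.net. c2lnbmF0dXJlLXBsYWNlaG9sZGVy
"""

# Constructed DS answer as the parent zone would serve it; digest is a placeholder.
SAMPLE_DS_ANSWER = "example.net. 86400 IN DS 2068 13 2 " + "00" * 32 + "\n"


def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the wire-format DNSKEY RDATA."""
    if algorithm == 1:
        raise ValueError("algorithm 1 (RSA/MD5) has its own key tag rule; not handled")
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b   # even offsets are high bytes
    ac += (ac >> 16) & 0xFFFF                  # fold the carry back in
    return ac & 0xFFFF


def parse_dnskey_answer(text):
    """Return ({key tag: info}, {key tags named in RRSIG DNSKEY records})."""
    published, signing = {}, set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 8 and f[3] == "DNSKEY":
            flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
            pubkey = base64.b64decode("".join(f[7:]))   # key may be split in fields
            tag = key_tag(flags, proto, alg, pubkey)
            role = "KSK" if flags & 1 else "ZSK"        # SEP bit marks the KSK
            published[tag] = {"role": role, "algorithm": alg, "ttl": int(f[1])}
        elif len(f) >= 12 and f[3] == "RRSIG" and f[4] == "DNSKEY":
            signing.add(int(f[10]))   # same field awk's $11 prints in the post
    return published, signing


def parse_ds_tags(text):
    """Key tags referenced by DS records in a dig answer."""
    return {int(l.split()[4]) for l in text.splitlines() if len(l.split()) >= 8 and l.split()[3] == "DS"}


def rollover_report(dnskey_answer, ds_answer):
    """Classify each published key and flag the two dangerous inconsistencies."""
    published, signing = parse_dnskey_answer(dnskey_answer)
    ds_tags = parse_ds_tags(ds_answer)
    keys = {}
    for tag, info in published.items():
        # "published-only" is the retired key that must stay for at least the
        # DNSKEY TTL (86400 s in the sample) before it can be deleted.
        keys[tag] = (info["role"], "active" if tag in signing else "published-only")
    return {
        "keys": keys,
        # signatures made by a key no longer in the zone: validation breaks
        "dangling_rrsig": signing - set(published),
        # parent DS pointing at a DNSKEY that was removed: the dtschland.eu failure
        "ds_without_dnskey": ds_tags - set(published),
    }


if __name__ == "__main__":
    rep = rollover_report(SAMPLE_DNSKEY_ANSWER, SAMPLE_DS_ANSWER)
    for tag, (role, state) in sorted(rep["keys"].items()):
        print("%5d %s %s" % (tag, role, state))
    print("dangling RRSIG key tags:", rep["dangling_rrsig"] or "none")
    print("DS without matching DNSKEY:", rep["ds_without_dnskey"] or "none")
```

Run it against real output by replacing the two constants with the text of `dig @ns dnskey zone +dnssec` and `dig @parent-ns ds zone`; an empty `ds_without_dnskey` set is the precondition for deleting an old KSK, and a key reported as published-only is the one still inside its 86400-second grace period.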


More XSS vulns

January 11th, 2019

I have been informed that there are more XSS vulns on my blog. This one was not as easy to solve as the last time I fixed XSS vulns; I actually had to write a bit of code. While working on this "double-sanitizing" I noticed that HTML code injection, not just XSS, was possible through the search system.

I have an open source blog, which means you can see the changes. Here is the code history with comments. Enjoy, and sorry if you were vulnerable to an XSS attack.


The endless debate around Computer-System security

January 6th, 2019

Recently in conversation it dawned on me that we're really stuck in a lake full of shit, and our boat is sinking. Let me explain. The person I talked to said that to drive a car he doesn't have to know in detail how the car functions; he gets behind the wheel and drives. A computer should be the same: you don't care about anti-virus or security knowledge, you just get on and surf. He expects the government to do something about security. I don't share that viewpoint, because the government would be invasively monitoring us all for the sake of security. It adds up to surveillance.

Similarly, on infrastructure, we mentioned that power plants should not be on the Internet. But in today's world power plants have to be turned on and off depending on demand, and this needs to be signaled. So then I said, why can't power plants be on their own "internet" (small i) but not on the big Internet (big I)? This is a costly solution, but also a safe one. Because when the power is off because of hackers, we will wish it were so. Again the argument was that the government should protect these companies and they should not care a damn about security themselves. The reality is that they have an IT department that is supposed to take care of this; they are power plants and have lots of money.

The BSI (Bundesamt fuer Sicherheit am Internet?) can only do certification programmes and guidelines; anything beyond that is again intrusive to everyone's privacy and would mean mass monitoring. Should the BSI have the control that the BND currently enjoys at the Frankfurt IX? With firewalls all along the way managed by them (perhaps with the help of an artificial intelligence)? I say no. We must keep this centralized component out of our Internet. Everyone has a responsibility to have an IT contact who gets paid full time to look over their networks. It's the decentralized approach and is supposed to minimize mass surveillance. What do you think? Why don't you discuss this with your peers? We talked about a "family IT person" who looks after the family's computers; is this good or bad? Everyone wants to squeeze money, but security forces us to squeeze more than our wallets: we actually have to think to defend ourselves _and_ make decisions. We should not let the government make these decisions for us! Government is a control freak and will make it the worst-case scenario for us all.


Ambitious goal: have KSK's rotated by first week in February

January 5th, 2019

I have reviewed my code in dddctl.c of delphinusdnsd and determined it to be mostly good. Next week I'll start coding on this again. I want to rotate the KSK keys of my DNSSEC zones by the first week in February. I'm very much looking forward to that day, as it marks an important step in delphinusdnsd's development. Basically one could make keys back in 2015, but by now they are 4 years old and weakened by time. When I have done this work, I can look further toward other TODOs that I had planned.

Other things the project needs include a clean-up of the website. The handbook is somewhat outdated and still uses dd-convert.c. This needs to be updated to use dddctl.c. It will be easy though.


New redundant setup

January 4th, 2019

As you know my switch is very loud. Until I can fix it I have set up a redundant setup here at home, using trunk(4) and OSPF (ospfd). I'm going to try to cover the configs here.

The hallway router's OSPF config looks like this:

router-id 0.0.0.2
redistribute default
redistribute 0.0.0.0/0

area 0.0.0.0 {
        interface trunk0 {
                auth-type simple
                auth-key $password
        }

        interface gif0 {
                metric 100
                auth-type simple
                auth-key $password
        }

}
The Office's OSPF setup looks like this:
router-id 0.0.0.3
fib-update yes
redistribute 192.168.35.0/24
redistribute 192.168.2.0/24
redistribute 192.168.177.3

area 0.0.0.0 {
        interface ix1 {
                auth-type simple
                auth-key $password
        }

        interface gif0 {
                metric 100
                router-priority 5
                auth-type simple
                auth-key $password
        }
}
This causes gif0 to take over when ix1 (the switch) is not available, and reverts back to the switch when it turns on. I have a timer on the switch on a 12-hour cycle. Lastly, the living room is not served by OSPF. It is just a trunk interface and looks like this:
uranus$ more /etc/hostname.trunk0
trunkport em0
trunkport em5
trunkproto failover
inet 192.168.177.40 255.255.255.0 192.168.177.255
inet6 autoconf
up
Trunk notices the link going from active to inactive and fails over from trunkport em0 to trunkport em5 (which is connected directly to the router). It all seems to work out. There is a caveat. When ssh'ed from the office to the Internet and OSPF returns to the switch in the morning, the session expires because it came from the wifi interface's endpoint. Also, when it's evening and the switch turns off, one has to clear the ARP cache in the office, because it still thinks 192.168.177.3 (my DNS server) is on the local link. Once it is cleared it routes via wifi.
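One security note on the two ospfd configs above: `auth-type simple` puts the password in cleartext into every OSPF packet on the link, so anyone on the segment (including a wifi neighbour on the gif0 path) can read it and then inject routes. ospfd.conf(5) also offers `auth-type crypt`, which authenticates packets with a keyed MD5 digest instead of sending the secret. This is an added fragment, not from the post; it shows the office router's ix1 stanza rewritten that way, and the same key-id and key must be configured on every router on that interface's segment.

```conf
area 0.0.0.0 {
        interface ix1 {
                auth-type crypt
                auth-md 1 "$password"
                auth-md-keyid 1
        }
}
```

The same change applies to the trunk0 and gif0 stanzas; keep a second `auth-md` key-id configured during a key change so the adjacency does not drop while you roll the key.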


Donated 15 EUR to F3Netze

January 3rd, 2019

I have donated to the offspring from Freifunk Franken. I don't use Freifunk anymore personally but I think it's a great concept, within reason. I left Freifunk because I did not have enough time at the time, and I still don't have enough time :-).


My switch at home is too loud

January 1st, 2019

The 10 GbE switch is too loud. I'm going to work today to set a timer on it so that it turns off at 8PM and turns on at 8AM. Also I'm going to set up a wireless alternative path from office to Internet (and from living room to Internet). This requires trunk(4) and bridge(4) modifications in OpenBSD. In theory it should work, but we'll see about that really.


My self-education schedule for 2019

January 1st, 2019

I'm learning Microsoft Windows (Server and Active Directory). My schedule looks like this:

Saturday->Monday	family + reading books
Tuesday + Thursday	Windows Administration (34 days or 272 hours)
Wednesday + Friday	Delphinusdnsd + Windows Programming (34 days or 272 hours)

Start: January 7th, 2019
Duration: 17 weeks
End:  May 3rd, 2019
I'm going to have a very ghetto basics course that I'm developing as I go. I'm using literature to guide me. Also I'm looking at jobs on the side, but I'm not going to apply for a Windows job until May 3rd as I'd really like to learn more about this system first. If a good UNIX job comes along I'll apply to it likely before May 3rd. I'm very excited about this all and I'm glad I have the opportunity to do this. Here is a list of books I purchased last year that I will receive today.
Mastering Active Directory - Francis, Dishan
Gruppenrichtlinien in Windows Server und Windows 10 - Holger Voges et al.
Windows Server 2019: Praxiseinstieg - Joerg Schieb
I'm sure I'll find valuable things in these books. I'm also going to start another course in June if no job is found by then; it'll likely run until October. In it I believe I want to learn reverse engineering tools on Windows. Not sure if I'll get there yet. As I said, I'm very excited.


2019, Something great is about to happen...

January 1st, 2019

I'm sitting on 1000 EUR of donation money for OpenBSD. I will begin paying out half of that shortly. By the end of May I should have paid the full amount, minus the small donation I gave to Gilles Chehade of OpenSMTPD in late 2018 (unless something unexpected happens and I have to use it for something else). Either way it all makes it into the OpenBSD eco-system. I'm very proud of this, and I'm making sure that my investments in Microsoft will never surpass the investment for OpenBSD.


Happy New Year 2019

December 31st, 2018

As I write this the earth has already rolled into 2019. Currently the east coast of Australia is celebrating New Year's. It will be New Year's here in about 10 hours. I'm likely going to have a quiet New Year's. I'm at my parents' but going to bed at 8PM or so. Whether I'll get woken at midnight will depend on whether other people decide to have fireworks this year or not. So happy new year 2019. One year away from 2020! May peace be unto thee.




Powered by BCHS