I've been waiting for #FreeBSD packaged base for two decades so I could get rid of sendmail and now pkgbase is finally here but sendmail was already removed in 14
If you don't (regularly!) donate to Mozilla to support the development of Firefox you have zero right to complain about them adding AI and other stuff.
How in the hell are they supposed to fund their operation? Developing a browser is not cheap. They _have_ to try dumb shit like VPNs and AI and whatnot just to survive!
@feld like .02% of a core, nothing noticeable on my systems at least. But sure, I agree it would be great if node_exporter just included this stuff. gstat_exporter will be there until it does.
I will tag v1.0.0 of gstat_exporter soon if no issues appear with the changes I've made over the last couple of days. If you use it please test! Thanks :)
@feld maybe you want an NS record, I want a CNAME. Making a delegation and separate zone for every challenge sounds very ineffective to me, but whatever works for you.
A CNAME does exactly what is needed, and as a bonus it can carry the name being challenged in the CNAME target (below the challenge zone), so:
@feld I agree that DNS-01 should be pushed, and pinned. ACME tools should check for CAA records and recommend they be added.
But IMO you should never let any tool on an internet-facing server edit your zone directly, or an attacker compromising the server can also edit your zone.
Instead you should make CNAMEs for the _acme-challenge records to a dedicated subzone which is used exclusively for ACME challenges. This has all the advantages of DNS-01, but doesn't hand over control of your zone :)
@feld I believe LE currently does DNS checks from multiple AWS regions + from their own servers. So they likely would have gotten inconsistent answers and bailed out at that point. I don't know about ZeroSSL.
The attackers likely had to try issuing multiple times to get lucky and have all the lookups hit the "bad" server.
No guarantees here, but I would much, much rather have had CAA account pinning in place than not during this attack.
@feld that is what the account pinning prevents. The attacker doesn't control the private keys for the ACME account pinned in the CAA record. ZeroSSL would refuse to issue because the attacker is using a different account.
I was investigating an MITM today where the attacker was using a real LetsEncrypt certificate. This was possible because an NS record domain expired and was re-registered by the attacker.
A few weeks ago there was also the jabber.ru MITM issue where a valid LE cert had also been issued.
Both of these attacks could have been avoided by using CAA account pinning.
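The two mechanisms discussed in the posts above, the CNAME delegation of _acme-challenge names into a dedicated ACME subzone and CAA account pinning, as an added example (not code from the posts or from gstat_exporter). It evaluates CAA "issue" records with the RFC 8657 accounturi and validationmethods parameters the way a CA would, so you can see why a certificate request from an attacker's ACME account is refused even when the attacker controls DNS answers. All names under example.com and the account URIs are constructed placeholders.

```python
"""Evaluate RFC 8657 CAA pinning and build the _acme-challenge CNAME layout.

Added example; the zone names and account IDs are constructed placeholders.
"""
import re

# Constructed CAA records for www.example.com: only the pinned Let's Encrypt
# account may obtain certificates, and only via DNS-01.
PINNED_ACCOUNT = "https://acme-v02.api.letsencrypt.org/acme/acct/EXAMPLE-ID"
CAA_RECORDS = [
    '0 issue "letsencrypt.org; accounturi=' + PINNED_ACCOUNT
    + '; validationmethods=dns-01"',
]


def parse_issue(record):
    """Split a CAA 'issue' record into (issuer domain, parameter dict)."""
    m = re.match(r'^\d+\s+issue\s+"([^"]*)"$', record.strip())
    if not m:
        raise ValueError(f"not a CAA issue record: {record!r}")
    parts = [p.strip() for p in m.group(1).split(";")]
    params = {}
    for p in parts[1:]:
        if "=" in p:
            key, value = p.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return parts[0].lower(), params


def caa_allows(records, ca_domain, account_uri, method):
    """True if at least one 'issue' record permits this CA, account and method.

    A record without parameters permits any account and method for its CA;
    accounturi must match exactly; validationmethods is an allow-list.
    """
    for record in records:
        issuer, params = parse_issue(record)
        if issuer != ca_domain.lower():
            continue  # record is for another CA (or "" = no CA at all)
        if "accounturi" in params and params["accounturi"] != account_uri:
            continue  # different ACME account: pinning blocks the request
        if "validationmethods" in params:
            allowed = {v.strip() for v in params["validationmethods"].split(",")}
            if method not in allowed:
                continue
        return True
    return False


def challenge_cname(name, acme_zone):
    """CNAME that points _acme-challenge.<name> into the dedicated ACME subzone,
    carrying <name> in the target so the subzone stays self-describing."""
    return f"_acme-challenge.{name}.", f"{name}.{acme_zone}."
```

The ACME client on the internet-facing host then only needs update rights on the acme.example.com subzone, never on the parent zone.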