A many-splendored infrasec disaster. Count all the ways DNSSEC sabotaged this infra team.
DNSSEC quietly changes the behavior of resolvers even before we get to signature checking — they stop honoring CNAMEs at zone apexes. Even before you push the DS record that “links” your zone to the USG’s PKI. Of course! Who would think otherwise.
Does that DS record get cached by resolvers or not? Who knows! Nobody uses DNSSEC, so if you’re Slack, you have the fun project of being one of the first serious sites with a modern DNS configuration to actually turn it on. Whee!
What would a 1990s crypto protocol be without several different types of keys each with different key storage? You thought the KSKs and ZSKs were both recoverable, so you could re-sign after pulling your DS? Nah.
My favorite bit here is the hour(s) during which the Slack DNS team is trying to figure out whether pushing a new DS to link Slack.com back to the USG PKI will mitigate the disaster or prolong it. NOBODY KNOWS.
Oh, and apparently Slack is the first company ever to attempt DNSSEC on AWS with wildcard records, which we surmise from the fact that wildcard records break when DNSSEC is enabled at AWS.
A day-long outage, and why? Because a USG FedRAMP document suggests it’s required. Meanwhile here’s what Cloud.gov has to say about DNSSEC (tl;dr: don’t): cloud.gov/docs/complianc…
Coda: they still haven’t re-enabled DNSSEC.
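The thread turns on one mechanism: the DS record in the parent zone is a hash of the child's key-signing key (KSK) DNSKEY, so the DS only "links" the zone while that exact KSK is still in the zone. The script below is an added example, not code from the thread, from Slack or from AWS. It builds a DS from a DNSKEY the way RFC 4034 describes (key tag over the RDATA, digest over canonical owner name plus RDATA) and then checks whether a DS still matches any DNSKEY in the zone's key set. The zone name `example.com` and all key bytes are constructed placeholders; nothing here is Slack's real key material.

```python
"""
Added example: reproduce the DS <-> DNSKEY link offline and check it.

A DS record is hash(canonical owner name || DNSKEY RDATA) plus the key tag and
algorithm of that DNSKEY (RFC 4034 s.5.1.4, key tag in Appendix B). Before
pushing or pulling a DS, a defender can confirm that the DS matches a DNSKEY
that is actually still present (and still signable) in the child zone.
All key bytes below are constructed placeholders, not real keys.
"""
import hashlib
import struct

# DS digest types (RFC 4034 for SHA-1, RFC 4509 for SHA-256)
DIGEST_SHA1 = 1
DIGEST_SHA256 = 2
HASHES = {DIGEST_SHA1: hashlib.sha1, DIGEST_SHA256: hashlib.sha256}

KSK_FLAGS = 257  # Zone Key + Secure Entry Point bits set
ZSK_FLAGS = 256  # Zone Key bit only


def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire format: lowercase, length-prefixed labels,
    terminated by the zero-length root label (RFC 4034 s.6.2)."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    wire = b"".join(struct.pack("B", len(lbl)) + lbl.encode("ascii") for lbl in labels)
    return wire + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA layout: flags(2) | protocol(1, always 3) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag over the full DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int = DIGEST_SHA256) -> dict:
    """Build the DS record the parent zone should publish for this DNSKEY."""
    digest = HASHES[digest_type](canonical_name(owner) + rdata).hexdigest()
    return {
        "key_tag": key_tag(rdata),
        "algorithm": rdata[3],      # byte 3 of the RDATA is the algorithm number
        "digest_type": digest_type,
        "digest": digest,
    }


def ds_matches_zone(owner: str, ds: dict, dnskeys: list) -> bool:
    """True if the DS matches some DNSKEY in the child's current key set.
    Key tag and algorithm are cheap pre-filters; the digest is the real test."""
    for rdata in dnskeys:
        if rdata[3] != ds["algorithm"] or key_tag(rdata) != ds["key_tag"]:
            continue
        if ds_from_dnskey(owner, rdata, ds["digest_type"])["digest"] == ds["digest"]:
            return True
    return False


def demo() -> tuple:
    """Constructed scenario: DS published for the KSK, then the KSK is lost.
    Algorithm 13 is ECDSAP256SHA256; the key bytes are placeholders."""
    ksk = dnskey_rdata(KSK_FLAGS, 13, bytes(range(64)))
    zsk = dnskey_rdata(ZSK_FLAGS, 13, bytes(range(64, 128)))
    ds = ds_from_dnskey("example.com.", ksk)
    still_linked = ds_matches_zone("example.com", ds, [ksk, zsk])   # True
    after_ksk_loss = ds_matches_zone("example.com", ds, [zsk])      # False: ZSK cannot satisfy the DS
    return still_linked, after_ksk_loss


if __name__ == "__main__":
    print(demo())
```

The second result is the failure mode the thread describes: once the KSK the DS points at is unrecoverable, no amount of re-signing with the ZSK reconnects the zone to the parent, and the only options are a new DS (a parent-side change with its own propagation and caching delay) or removing the DS entirely.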