Hello World.

Using Certbot without root privileges

This post will briefly describe my setup for Let’s Encrypt. I use the official client Certbot, formerly known as letsencrypt, but I don’t use any of its webserver autoconfiguration features and don’t run it as root. The domain validation always uses the webroot method. Some tiny details are specific to Debian, but should be fairly easy to adapt to other distributions.

Read more…

Some notes on collectd and PostgreSQL

collectd comes with a PostgreSQL plugin, which is one of these so-called generic plugins, i.e. it won’t do anything useful unless you explicitly configure it. But it can actually do some pretty nice things with almost no configuration. But don’t expect anything too fancy in this post, it is more like a “you should take a look at this if you are using PostgreSQL and collectd anyways” kind of post.

Read more…

Refreshing GPG keys on Arch Linux with GnuPG 2.1, parcimonie.sh and a tinfoil hat

Neal Walfield gave a talk at 32C3 called “An Advanced Introduction to GnuPG” (slides, there is no recording as it was held in one of the smaller workshop rooms) which gave some insights on the data formats used by GnuPG, its architecture and showed some good practices. One of these practices is to use a tool called parcimonie instead of gpg --refresh-keys to fetch updated keys from the key servers.

parcimonie is a daemon that sleeps most of the time but every now and then picks a random key from you GnuPG keyring and refreshes this key over Tor. The idea is not to leak your whole address book every time you refresh these keys in bulk, but to fetch a single key at a time over a fresh Tor circuit in order not to leak any information.

Read more…

Setting up OpenDNSSEC on Debian sid

As the previous post described how to do fancy DNS setups with BIND and OpenDNSSEC, this post will cover the missing part: setting up OpenDNSSEC. I’ll describe how to install OpenDNSSEC (1: in combination with SoftHSM2 (2.0.0-2) on Debian sid (as of today, 2016-01-03). It’s more like a reference for my future self, but I think it’s worth sharing.

Read more…

BIND with dynamic zone updates and OpenDNSSEC

Usually I prefer the more lightweight Knot or NSD daemons for running authoritative nameservers, but you can do pretty cool things with BIND as it has much more features.

In this post I will cover how to allow dynamic updates to a DNS zone in BIND, then sign that zone using OpenDNSSEC, transfer it back to BIND where it gets served to clients and secondary nameservers asking for zone transfers. I will not cover how to set up OpenDNSSEC, you need to have that already running.

In case you are asking why I am not just using the built-in DNSSEC signing features of BIND: that should work too, but I already have OpenDNSSEC up and running and I had some spare time. Apart from that, does BIND support fully automatic key rollover in the meantime? OpenDNSSEC does.

Read more…

Hello World

Welcome to my next blog, you probably don’t remember the previous iterations, but I already had a few attempts at blogging some years ago.

Recently I found myself in some situations where I wanted to publish something, so I’m trying again. New posts will only appear sporadically, so please don’t be disappointed.

As I know this blog would die rather quickly if I had to keep Wordpress or something similar up-to-date, I’m giving Nikola a try, let’s see.