China: Internet connection or phone number only in exchange for a face scan

In China, from December, phone numbers and Internet connections are to be available only with identity verification via facial recognition. A corresponding regulation was recently issued and is also to apply to connections that are already registered.


State surveillance threatens religious freedom

Christians living in states under totalitarian rule are coming under ever greater pressure. According to the current World Watch List of the Christian aid organization Open Doors, the situation for Christians has deteriorated further in China and Turkey, for example.


DNSSEC with bind 9(.11) on debian 10(.1)

Since I needed hours to configure DNSSEC (because of one little failure), I made a little write-up here (in short).

 

Configuration


# vi /etc/bind/named.conf.local
add the following to the zone block of your domain:
file "/var/lib/bind/example.com.zone.signed";
key-directory "/var/lib/bind/";
auto-dnssec maintain;
inline-signing yes;

# vi /etc/bind/named.conf.options
add
dnssec-enable yes;
dnssec-validation auto;
dnssec-lookaside auto;

The keys


# cd /var/lib/bind/
(because the directory must be writable by bind and /etc/bind/ shouldn't be)

create the zone signing key (zsk)
# dnssec-keygen -a RSASHA256 -b 2048 example.com
create the key signing key (ksk)
# dnssec-keygen -a RSASHA256 -b 4096 -f KSK example.com

change permissions and the owner
(all keys must be readable by bind)
# chmod 644 Kexample.com*.key
# chmod 600 Kexample.com*.private
# chown bind Kexample.com*

you now have 4 key files: a public/private pair each for the zsk and the ksk. you have to add the public keys, which contain the DNSKEY records, to the zone file. the following will do this:
# for key in Kexample.com*.key
do
echo "\$INCLUDE $key" >> example.com.zone
done

Signing


sign the zone
# dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o example.com -t example.com.zone

Restart


# /etc/init.d/bind9 restart

Testing


# dig DNSKEY example.com. @localhost +multiline
if everything went right you should see the two keys. if not, you have done something wrong.

some good DNSSEC testing sites:
https://dnssec-analyzer.verisignlabs.com/
http://dnsviz.net/
https://mxtoolbox.com/DNSKey.aspx

Registrar


when we ran the dnssec-signzone command, a file named dsset-example.com. (with a trailing dot) was created in addition to the .signed zone file; it contains the DS records.
# cat dsset-example.com.
go to the registrar of your domain and enter those DS records
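
To check that the DS records you enter at the registrar really belong to your KSK, you can recompute them from the public key file. The following Python script is an added example, not part of the original write-up; the function names and the sample key (a constructed 4-byte placeholder, not a real RSA key) are assumptions.

```python
import base64, hashlib, struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types (RFC 4034, RFC 4509)

# Constructed sample in the one-line format of a Kexample.com*.key file.
SAMPLE_KEY = "example.com. IN DNSKEY 257 3 8 AQIDBA=="

def name_to_wire(name):
    """Owner name in canonical (lowercase) DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_rr(line, rrtype):
    """Return (owner, fields after the type) of a one-line zone-file record."""
    tokens = line.split(";")[0].split()  # drop trailing comment
    i = tokens.index(rrtype)
    return tokens[0], tokens[i + 1:]

def key_tag(rdata):
    """Key tag as defined in RFC 4034, Appendix B (not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def ds_from_dnskey(line, digest_type=2):
    """Compute (key_tag, algorithm, digest_type, hex digest) for a DNSKEY line."""
    owner, f = parse_rr(line, "DNSKEY")
    flags, proto, alg = int(f[0]), int(f[1]), int(f[2])
    rdata = struct.pack("!HBB", flags, proto, alg) + base64.b64decode("".join(f[3:]))
    # DS digest = hash(owner name in wire format | DNSKEY RDATA)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), alg, digest_type, digest

def ds_matches(dnskey_line, ds_line):
    """True if a DS line (as found in dsset-example.com.) belongs to the DNSKEY."""
    _, f = parse_rr(ds_line, "DS")
    tag, alg, dtype = int(f[0]), int(f[1]), int(f[2])
    if dtype not in DIGESTS:
        return False  # digest type not handled by this example
    return ds_from_dnskey(dnskey_line, dtype) == (tag, alg, dtype, "".join(f[3:]).upper())

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_from_dnskey(SAMPLE_KEY)
    print("example.com. IN DS", tag, alg, dtype, digest)
```

Feed it the line from the KSK's .key file (flags 257) and each line of dsset-example.com.; a DS line that does not match should not be submitted to the registrar.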

Update zone files

    1. make changes to the example.com.zone file
    2. # rndc freeze example.com
    3. delete all example.com.zone.signed* files (i have not found another way)
    4. re-sign the zone
      # dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o example.com -t example.com.zone
    5. # rndc reload example.com
    6. # rndc thaw example.com

Subdomains


…are automatically signed with your domain

Troubleshooting


if you get an error like:
No response was received until the UDP payload size was decreased, indicating that the server might be attempting to send a payload that exceeds the path maximum transmission unit (PMTU) size.
on dnsviz.net, and you have a firewall like pfsense in front of the dns server, try to disable scrubbing:
Disable Firewall Scrub (Disables the PF scrubbing option which can sometimes interfere with NFS traffic.)
another solution, with pfsense, is here: https://melkfl.es/article/2018/07/edns/
another option, as a last resort, is to reduce the UDP packet size in bind's named.conf.options
# vi /etc/bind/named.conf.options
add
edns-udp-size 512;
max-udp-size 512;

If you like this write-up or I missed something, please let me know.


Bill Gates wants to cool the planet with geoengineering

Now Bill Gates wants to cool the planet with geoengineering, more precisely with chalk powder. Lots of chalk powder. Experts say the nonsense could have catastrophic consequences.


Source: recentr.com
