Daniel Roesen Posted December 27, 2020 at 08:24 PM Posted December 27, 2020 at 08:24 PM Hi, vatsim.net's DNSSEC setup is incomplete, and thus effectively nonexistent: vatsim.net is missing the DS signature record in the .net TLD zone, so no verifiable signature chain exists: https://dnssec-analyzer.verisignlabs.com/data.vatsim.net https://dnsviz.net/d/data.vatsim.net/dnssec/ Result is that noone can properly verify vatsim.net FQDNs and resolvers fall back to unverified responses. Also, some logs of resolvers get spammed with: Dec 20 14:07:29 infra1 named[1415]: validating my.vatsim.net/A: no valid signature found Dec 20 14:07:29 infra1 named[1415]: validating my.vatsim.net/AAAA: no valid signature found Dec 20 14:07:29 infra1 named[1415]: validating auth.vatsim.net/AAAA: no valid signature found Dec 20 14:07:29 infra1 named[1415]: validating auth.vatsim.net/A: no valid signature found Dec 20 14:07:32 infra1 named[1415]: validating stats.vatsim.net/A: no valid signature found Dec 20 14:07:32 infra1 named[1415]: validating stats.vatsim.net/AAAA: no valid signature found Dec 20 14:08:07 infra1 named[1415]: validating status.vatsim.net/A: no valid signature found Dec 20 14:08:07 infra1 named[1415]: validating status.vatsim.net/AAAA: no valid signature found Dec 20 14:08:41 infra1 named[1415]: validating metar.vatsim.net/A: no valid signature found Dec 20 14:08:41 infra1 named[1415]: validating metar.vatsim.net/AAAA: no valid signature found etc. (This is how I came to that issue...) Best regards, Daniel Link to comment Share on other sites More sharing options...
Nick Harasym Posted December 27, 2020 at 09:59 PM Posted December 27, 2020 at 09:59 PM I'll look at getting this enabled. Nick Harasym VATSIM Senior Developer Team Lead, Infrastructure [email protected] Link to comment Share on other sites More sharing options...
Daniel Roesen Posted May 24, 2021 at 01:19 PM Author Posted May 24, 2021 at 01:19 PM Half a year later, this problem still persists... Link to comment Share on other sites More sharing options...
Nick Harasym Posted May 24, 2021 at 06:58 PM Posted May 24, 2021 at 06:58 PM Filling up your disk with logs eh? Logrotate can help with that. I've talked to the powers at be here and its just not high on the list of things to do. I'll follow up. Nick Harasym Senior Network Infrastructure Engineer [email protected] www.vatsim.net Link to comment Share on other sites More sharing options...
Daniel Roesen Posted May 24, 2021 at 09:51 PM Author Posted May 24, 2021 at 09:51 PM 2 hours ago, Nick Harasym said: Filling up your disk with logs eh? Logrotate can help with that. This is just an annoyance resulting from the broken DNSSEC setup of vatsim.net, but thanks for the sarcasm. I totally dig that arrogance. And sorry caring about the security of vatsim.net, I won't bother anymore. Link to comment Share on other sites More sharing options...
Alistair Thomson Posted May 24, 2021 at 10:07 PM Posted May 24, 2021 at 10:07 PM (edited) On 5/24/2021 at 5:51 PM, Daniel Roesen said: On 5/24/2021 at 2:58 PM, Nick Harasym said: Filling up your disk with logs eh? Logrotate can help with that. This is just an annoyance resulting from the broken DNSSEC setup of vatsim.net, but thanks for the sarcasm. I totally dig that arrogance. And sorry caring about the security of vatsim.net, I won't bother anymore. You get used to it after a while. Don't worry about it, just accept that this is the way it is. Sarcasm aside (and maybe it wasn't sarcasm) you have to accept that the VATSIM tech department is ridiculously overloaded, and they can't do what ten people tell them to do, so they do what's most urgent. Edited May 28, 2021 at 06:36 PM by Alistair Thomson Abrasion reduction :) Alistair Thomson === Definition: a gentleman is a flying instructor in a Piper Cherokee who can change tanks without getting his face slapped. Link to comment Share on other sites More sharing options...
Nick Harasym Posted May 26, 2021 at 12:04 AM Posted May 26, 2021 at 12:04 AM On 5/24/2021 at 2:51 PM, Daniel Roesen said: This is just an annoyance resulting from the broken DNSSEC setup of vatsim.net, but thanks for the sarcasm. I totally dig that arrogance. And sorry caring about the security of vatsim.net, I won't bother anymore. I didn't intend to upset people. Sometimes I like to be abrasive. This is being looked into. I've set a reminder to follow up on it later so that it isn't dropped. Nick Harasym Senior Network Infrastructure Engineer [email protected] www.vatsim.net Link to comment Share on other sites More sharing options...
Recommended Posts