Now secured with DNSSEC

In the last few days, all my web services has been secured with DNSSEC. I have use DNSPod for some time and is pretty satisfied with their service, but after some incidents of fail to resolve on foreign places, I decided to change my DNS service. So my DNS service has been changed, and also secured with DNSSEC.

DNSSEC is a chain of trust service which authorization each DNS reply using asymmetric encryption. It starts from the top-level CA, which is “.”, and then some gTLD, like “org.”, and then the register’s domain. It’s a signing only method, so the DNS request is not encrypted and can be cached. The weakest point is that your domain registrar have total control over the DNSSEC key, so that if your domain registrar wanted to change it to another thing, it will be done. Also, the encrypt key of “.” and “org.” is both 1024 bit RSA, so there may be some possibility to break it using really big supercomputer within expire time.(there is about 1.47% possibility that you can break an 1024bit RSA key using Tianhe-2 under 6 month)

It’s a good way to prevent DNS poisoning. With DNSSEC, most respectable mail service(Google) will not be fooled by easy tricks to send the email to some MIMA server. Also, if the client’s DNS service is secured under DNSSEC, the client will not be fooled to another site.

However, there is little ISP that do right DNSSEC check inside China. One famous DNS provider inside china, 114DNS, has exactly zero aware of DNSSEC. And if the DNS record is signed with the wrong key, the 114DNS will not care and just return the malicious result.

So I set up three DNS servers to do the right DNSSEC check. One for my personal network(mail/VPCC/wiki/gitlab/backup/LDAP/WebDAV…) and another for my personal VPN. The two DNS servers using another DNS server as cache.  Now the weakest spot is that before I start my VPN the DNS is poisoned. However, as my VPN is secured using another set of RSA keys, and I never visit anywhere without my VPN on, it should be fine.

With DNSSEC, I can now have my keys published using DNS. Now my GPG key for can be auto-fetched if the DNS search is enabled. The weak point is that DNS search function is not capable of verifying DNSSEC at peer, but rely on the remote resolver. RFC4035 seems to be suggesting any client with the ability to check DNSSEC to check DNSSEC by itself. I believe gnupg is a client both can have the ability to check DNSSEC and should have checked DNSSEC. Without that function, anyone can just modify the udp package between the resolver and the client to give the client any key the attacker thinks as good. A temporary solution would be set up a DNSSEC capable resolver at localhost and dig from 127.0.0.1:53.

Whatever, having it is better than having nothing. But still, if you want to send me encrypt emails, see about page on this blog and using keys there, or make sure you are doing DNSSEC check at localhost…

Now lab to 6.5

After alert some files in gitlab, the upgrade process become not such an easy and happy job. Every new version come out, dozens of files need to merge manually to upgrade gitlab successfully. So, after hours of mental struggle, I finally decide to upgrade it. To be honest, the process is not as terrible as I thought it would be. But still, DOZENS of files to edit…… Fuck ruby!..

And now the update process has been finished. All things seem to be good. If anything went south, please email me~

SQL’s not end

Today, in a distributed cloud environment, there is no good DB that can have both ACID and SQL support, at the same time keep the performance up. Though in some case it is true, it can’t be applied to all DBMSes. Berkeley DB, a famous Key/value based nosql DB, support most SQL statement as well as XML/XQuery, it also support Java object API.

noSQL means not only SQL, not means NO SQL. Mongo and its followers have set up a bad example for followers. a noSQL DBMS should not use SQL as it’s base query language, but it should can support SQL as a higher layer query language, just like what foundationDB tried to do. Of course, the problem is ACID, which is a rather difficult problem for a sharding DB,who becomes more and more common as the cloud computing is conquering the server world. SQL language itself is not difficult to carry out, ACID is.

But ACID is a must-have feature in many apps, not only bankers needs ACID, all app developer who want to make a simple but strong app must have transitions as one of their tools. No one can stand an app that only act normally when user got the luck. Those who want to throw away ACID can’t walk long as this is not possible for many things.

There are many ways to overcome ACID implement problem. In cloud, locking is an unacceptable way, unless there is some way to lock at a very small, accurate scale, which is not a easy job for 100+ sharding servers. Log and check is another way, which is easier than accurate locks, though it’s not an as easy and comfortable way as a single DBMS in an old good big lock, and will cause exe time limit in some implement. But it’s possible, and that’s enough.

If ACID is possible in a cloud environment, SQL will be, too. But it may exist as a layer top on ACID system based on some simpler API. Whatever, SQL will not be ended by noSQL and cloud, it will still be used in many places for whoever wants to keep data update easy(or even possible). Maybe one day there will be only copy and not reference in DB world, but I think the day has not come yet.