Microchip® CryptoAuthentication Device
-
Netgate's blog Microchip CryptoAuthentication Device
Before implementing security dongles, what about activating DNSSEC on all Netgate's DNS resources ?
If we trust our resolver, build in the sofware we downloaded from a source we trust like pfSense from here, our firewall will get trusted IPs, which helps in getting in trusted software without "no" user side hassle, free of cost, easy to control.I'm using DNSSECon many of my sites now for over 2 years. It pretty close to fully transparent for all visitors - as far as I know.
I'm pretty sure Netgate is capable of handling DNNSEC - if @jimp is capable of scripting with acme/LetEnscrypt, the KSK/ZSK key rotating will not be hard for him.
-
Have to say I agree company about security isn't using dnssec for their dns.. Which is really low hanging fruit to pick too..
dnssec is not that hard ;) It really is a shame that all domains are not doing it - the hardest part is registrar that actually supports it... Even though my understanding is its a requirement to be an actual accredited registrar..
I know when I fired up a domain to play with dnssec back in 2015, they had .xyz on sale and said they supported dnssec - yet took some emails to their support to actually get their implementation on their website to work.. And I looked around at the time namecheap didn't even support... From what I recall..
While its only a domain I use for my personal stuff, and use it for mostly testing - its not that hard to add stuff or maintain sign off on your records... I have a cron job that runs, and script I run when I add new records or edit them, etc.