path: root/e-post/doman.mdwn
Diffstat (limited to 'e-post/doman.mdwn')
-rw-r--r--  e-post/doman.mdwn  66
1 files changed, 62 insertions, 4 deletions
diff --git a/e-post/doman.mdwn b/e-post/doman.mdwn
index b7b8543..c20a76c 100644
--- a/e-post/doman.mdwn
+++ b/e-post/doman.mdwn
@@ -69,6 +69,24 @@ Om man är flera som är medlemmar, kan man få olika adresser från samma domä
Ja, det finns ingenting som hindrar det. Dock kan vi ha max en person som står som ägare per domännamn. Alla ändringar av eventuella alias måste göras av dess ägare.
+Vad menas med att DNS är Internets svagaste länk?
+----------------
+
+Ofta påpekas att DNS brister i datasäkerhet. Detta diskuteras av
+många, och bl. a. rekommenderar Rasmus Fleisher i Nyhetsmagasinet ETC,
+2 jul, en essä av Robert W Gehl, [The internet's weakest
+link](https://thereboot.com/the-internets-weakest-link-dns-and-the-risks-of-consolidation/),
+*The Reboot*, 2021. Han hänvisar till Zookos triangel, vilken innebär
+att man måste kompromissa mellan Internets tre ideal: (a) säkerhet,
+(b) decentralisering och (c) begriplighet. Bara två kan prioriteras,
+men då på bekostnad av det tredje.
+
+DNS är exponerat för stater att blockera trafik och tillåter
+operatörer att spionera på kunderna surfvanor. Gehl varnar dock för
+att åtgärder mot detta riskerar ett centraliserande av DNS till
+informationsjättarna.
+
+
Tekniska frågor (på engelska)
=============================
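Review bot: the paragraph starting "Han hänvisar till Zookos triangel" presents the triangle as a trade-off between "Internets tre ideal" in general, but Zooko's triangle is a claim about naming systems (a name can have at most two of: secure, decentralized, human-meaningful), and the essay's argument depends on which two DNS keeps and which one it gives up; the paragraph should state that explicitly, since the following paragraph (blocking, surveillance, consolidation) only makes sense against that background. Smaller points in the same hunk: "kunderna surfvanor" should read "kundernas surfvanor"; the ETC citation gives a day ("2 jul") but no year, unlike the Gehl reference which has one; and the hunk ends with two blank `+` lines where the rest of the page separates sections with one.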
@@ -175,6 +193,47 @@ prefer to have a dedicated key pair for your domain.
public part, as well as the signing domain identifier and selector used
in the `DKIM-Signature` header field.)
+How do I set up my own DKIM keys for my custom domain?
+----------------------------------------------------------
+The [Wikipedia page](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) has a nice
+introduction to DKIM.
+
+Begin by contacting the Fripost admins
+([admin@fripost.org](mailto:admin@fripost.org)) with the request to create
+a DKIM key for your custom domain. This DKIM key can be associated with
+your whole domain or an individual email address. Await a response from
+the admins (remember they do it on their spare time!). Their response will
+contain an identifier and the text (public key) that you need to enable DKIM
+validation. To enable the DKIM validation with the public key received you
+have to login to your DNS-management system and add a new TXT record
+with the subdomain `[identifier]._domainkey.[your domain]`. The record should
+look like the following except your key after the `p=` part.
+```
+v=DKIM1; k=rsa; t=s; s=email; p=MIIB...AQAB
+```
+*Note* that in most DNS-management systems you should only use the
+subdomain (not the whole domain name) when you're creating a new TXT
+record. For example: `sub.example.org` only need
+`[identifier]._domainkey.sub`.
+
+How do I set up my own DMARC for my custom domain?
+----------------------------------------------------------------------
+The [Wikipedia page](https://en.wikipedia.org/wiki/DMARC) has a nice
+introduction to DMARC.
+
+Begin by logging into your DNS-management system and add a TXT
+record for `_dmarc.[your domain]`. The record should look something like
+the following.
+```
+v=DMARC1;p=none;sp=none;
+```
+You can tweak the `p=none` and `sp=none` parts to more restrictive
+configurations such as `reject` or `quarantine`.
+
+*Note* that in most DNS-management systems you should only use the
+subdomain (not the whole domain name) when you're creating a new TXT
+record. For example: `sub.example.org` only need `_dmarc.sub`.
+
Should I publish a SPF (Sender Policy Framework) record for my domain?
----------------------------------------------------------------------
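Review bot: the DMARC example `v=DMARC1;p=none;sp=none;` has no `rua=` tag, so the `p=none` monitoring policy it recommends as a starting point produces no aggregate reports and the domain owner gets no data on which to base the move to `quarantine` or `reject` that the next sentence suggests; suggest `v=DMARC1; p=none; rua=mailto:dmarc-reports@example.org` (reporting address is the reader's own) and one sentence saying that DMARC only passes when SPF or DKIM passes with a domain aligned to the `From:` header, so the DKIM section above and the SPF section below are prerequisites rather than alternatives. In the DKIM section, publishing the TXT record lets receivers verify signatures that Fripost produces, so "enable DKIM validation" reads as if the reader turns something on; "enable receivers to verify Fripost's DKIM signatures for your domain" is more accurate. Style: "on their spare time" should be "in their spare time", and "`sub.example.org` only need" should be "only needs" (twice).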
@@ -216,10 +275,9 @@ Here `example.org` is merely copying Fripost's policy.
Here the policy says that mails `@example.org` should PASS if they're
being accepted by Fripost's policy, that is if the sender host is
`outgoing.fripost.org` and FAIL otherwise (where Fripost's policy would
-return NEUTRAL). Note however that DNS is spoofable, and as
-unfortunately Fripost doesn't use DNSSEC at the moment, an attacker
-could for instance poison the DNS cache and fake the reply for
-`outgoing.fripost.org`'s TXT record.
+return NEUTRAL). Note however that DNS is spoofable, and if the
+`example.org` zone isn't authenticated then an attacker could poison the
+DNS cache resulting in a malicious SPF policy.
example.org IN TXT "v=spf1 a include:outgoing.fripost.org -all"
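Review bot: the replacement wording narrows the caveat to the wrong zone. The policy `v=spf1 a include:outgoing.fripost.org -all` is evaluated by following `include:` into Fripost's zone (the TXT record of `outgoing.fripost.org`) and `a` into `example.org`'s own records, so a forged reply for the included record, exactly the case the removed lines described, still yields a bogus result even when `example.org` itself is DNSSEC-signed; and a poisoned include does not merely produce "a malicious SPF policy", it can turn the `-all` FAIL for an attacker's host into PASS. Suggest: "unless every zone consulted during evaluation, `example.org` as well as the `include:` target `outgoing.fripost.org`, is DNSSEC-signed and the receiving MTA queries a validating resolver, an attacker who poisons that resolver's cache can substitute an SPF policy of their choosing." If the motivation for the edit is that `fripost.org` is now signed, the text should say so rather than drop the include target from the caveat.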