Enabling DNSSEC on Debian and Ubuntu (with systemd-resolved)

Using systemd-resolved opens up some options that may be easier to configure than in the past.

Enabling DNSSEC:

  • systemd-resolve --status
    • look for “DNSSEC setting: no”
  • sudo mkdir -p /etc/systemd/resolved.conf.d
  • sudo nano /etc/systemd/resolved.conf.d/dnssec.conf
    • enter:
      • [Resolve]
        DNSSEC=true
  • sudo systemctl restart systemd-resolved
  • systemd-resolve --status
    • look for “DNSSEC setting: yes”

Some Ubuntu 18.04 problems fixed today

I’ve drafted but not published a long list of problems I’ve experienced with Ubuntu 18.04. In short, it’s been one of the worst desktop releases of Ubuntu I’ve used. My experience on servers has been fine. Anyway, I haven’t looked into the details of these patches, but:

  • libwebkit2gtk-4.0-37:amd64 (2.22.6-0ubuntu0.18.04.1)
  • libjavascriptcoregtk-4.0-18:amd64 (2.22.6-0ubuntu0.18.04.1)

These package releases seem to have fixed some of my issues that have been present since May 2018. In particular Liferea has been broken on my desktop for that long. Better late than never I guess.

Shopping for a wired router

I’ve often run a wired router at the front of my network (well, immediately behind the modem). The only other topology has been a Linux server at the front of the network. Then I like a network behind that where a wireless router can live. I keep my wireless router turned off when not in use, which is an uncommon setup it seems. Anyway, for 1 network I’m managing I’m considering replacing the Linux system with a wired router. Wired routers are not super popular for SOHO use, as most people seem to prefer a wireless router that does everything. Because there is not a huge market, options can be limited. Here are some products I’ve investigated.

Securing NTP Servers

I rarely run ntpd to serve NTP to other hosts; I run it because it corrects the clock better than a plain NTP/SNTP client does. So I don’t want the daemon listening on a wildcard address, even though a firewall is certainly in place. I prefer the service to not be listening at all, or to listen only on the loopback interface. Here is how to configure that in ntpd and chrony.

ntpd

interface ignore wildcard

chrony

bindaddress 127.0.0.1
port 0
bindcmdaddress 127.0.0.1
cmdport 0

How can I make chronyd more secure?
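Two checks for the settings above, as an added example that is not part of the original post: one reads `systemd-resolve --status` output for the "DNSSEC setting" line the DNSSEC section tells you to look for, the other reads `ss -Hlun` output to confirm that no NTP (123) or chrony command (323) UDP socket is bound to a wildcard address after the ntpd/chrony directives are applied. Both functions take the command output on stdin, and the sample lines in the block are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): checks that the two settings
# above actually took effect. Each function reads command output on stdin,
# so it works on captured text as well as on the live commands.

# Prints the global "DNSSEC setting" value from `systemd-resolve --status`
# (or `resolvectl status`) output; prints nothing if the line is absent.
dnssec_setting() {
  awk -F': *' '/DNSSEC setting:/ { print $2; exit }'
}

# Succeeds only for "DNSSEC setting: yes", the state the post looks for.
dnssec_enabled() {
  [ "$(dnssec_setting)" = "yes" ]
}

# Reads `ss -Hlun` output (UDP listeners, no header) and prints every socket
# on the NTP port (123) or chrony command port (323) bound to a wildcard
# address. Returns 1 if any exist, 0 if all are loopback-only or absent,
# which is what the ntpd/chrony directives above should produce.
ntp_wildcard_listeners() {
  awk '{
    la = $4                                  # "Local Address:Port" column
    n = split(la, parts, ":")
    port = parts[n]
    addr = substr(la, 1, length(la) - length(port) - 1)
    if (port != "123" && port != "323") next
    if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") {
      print la
      found = 1
    }
  } END { exit (found ? 1 : 0) }'
}

# Stand-alone demo on constructed `ss -Hlun` lines (not real host output).
# On a live host run: ss -Hlun | ntp_wildcard_listeners
SAMPLE_SS='UNCONN 0 0 0.0.0.0:123 0.0.0.0:*
UNCONN 0 0 127.0.0.1:323 0.0.0.0:*'
if ! printf '%s\n' "$SAMPLE_SS" | ntp_wildcard_listeners; then
  echo "the sockets above are bound to a wildcard address"
fi
```

With `cmdport 0`, chronyc can still talk to chronyd over the Unix domain socket it uses by default, so the UDP check above is all that is needed to confirm the command port is closed.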

NTP Servers

There are many NTP server implementations now. Here are some:

  • ntpd
  • chrony
  • ntpsec
  • openntpd
  • sntp clients
    • systemd-timesyncd
    • sntp
  • also:

Resources:

I plan to give chrony a try.