Hello all, I’m looking for a second set of eyes before I potentially screw up all my self hosted services. I’ll be the first to admit I’m not an IT expert and am getting a wee bit lost in all of the reading I’ve been doing so please go easy on me.

I’m currently working to get my domain (already registered) to be used for internal addresses as well as get a working SSL certificate. I am following wolfgangs instructions with the exception that I already have my domain registered with BlueHost. BlueHost does not appear to be directly supported by nginx and wants to charge me $90/year for an SSL certificate which is far more than I’m willing to pay for my little self-hosting hobby.

Fundamentally I believe I need to point my domain to new nameservers which provide support for ‘Let’s Encrypt’. If there were a vendor that offered that as a service I think I could leave the domain with bluehost and simply point the nameservers elsewhere. I “think” cloudflare offers this but its the only one and I’ve heard mixed things about using it from the standpoint of privacy. Does anyone have suggestions?

The other option I see, which seems more broadly supported, is to transfer my domain from bluehost to another vendor. Does anyone have suggestions? I’ve struggled to see the renewal costs when looking at these transfers.

Before fully borking my setup, would appreciate some input on if I’m on the right track or not. Thank you!

  • Possibly linux@lemmy.zip
    link
    fedilink
    English
    arrow-up
    1
    ·
    2 months ago

    DNS translates IPv4 addresses to IPv6 NAT64 addresses for networks that are IPv6 only

    I believe that DNSSEC breaks it since the IP addresses will be different.

    • dihutenosa@piefed.social
      link
      fedilink
      English
      arrow-up
      1
      ·
      2 months ago

      Oh, now I see. I guess then the DNS64 server needs to do the dnssec verification on behalf of the user, then drop the RRSIG records for the v4->v6 translated names.

      Oh, and now I realize I confused the direction. DNS64 makes v4 into v6.

      • Possibly linux@lemmy.zip
        link
        fedilink
        English
        arrow-up
        1
        ·
        2 months ago

        What is the security benefit of DNSSEC?

        It made more sense when everything was http now https is the norm is is less useful as far as I can tell.

        • dihutenosa@piefed.social
          link
          fedilink
          English
          arrow-up
          1
          ·
          2 months ago

          How could a hijacked DNS entry harm you?

          • redirect to ads/spam
          • downgrade to HTTP (no HSTS), then steal creds
          • MitM the TOFU of SSH
          • probably something more…

          You can leverage the trust in DNSSEC to distribute TLS and SSH fingerprints too, look up DANE.

          • Possibly linux@lemmy.zip
            link
            fedilink
            English
            arrow-up
            1
            ·
            2 months ago

            You can’t easy man in the middle authenticated protocols like SSH or HTTPS. If that was easy to do it would defeat the entire purpose of the TLS layer. Don’t take this the wrong way but this feels like a dated way of thinking. I think in the future it will way less of a problem since http and other unencrypted/unauthenticated protocols are on their death bed.

            I do appreciate the response but it is important to keep in mind tech changes rapidly. I personally don’t care for DNSSEC as it breaks the TCP/IP model. The layers should be independent to allow for maximum flexibility.

            • dihutenosa@piefed.social
              link
              fedilink
              English
              arrow-up
              1
              ·
              2 months ago

              I’m not sure if I agree.

              You can’t easy man in the middle authenticated protocols like SSH or HTTPS.

              Unless you own a CA, or are a powerful country able to coerce a CA, or mandate installing one into users’ PCs.

              As for SSH - you missed the “TOFU” bit, Trust On First Use. Do you verify your SSH host keys every time before connecting to a new server? The docs for GitHub doesn’t even mention it.

              unencrypted/unauthenticated protocols are on their death bed.

              I partially agree - encryption appears to be a solved problem today. Key distribution, however is not, it’s layers upon layers of half-solutions of wishful thinking, glued together with hope.

              The layers should be independent to allow for maximum flexibility.

              Depends on your threat model and priorities, right :) HPKP is helpful and does not require DNSSEC. DANE and CAA are helpful but require DNSSEC.