Re-organize many pages

----

-services.md: Buzzster Cerificate Authority.md

-Buzzster Cerificate Authority.md: Buzzster Trust Services.md

-Buzzster Trust Services.md: Buzzster-Trust-Services.md

- * [Universal Network Requirements](/howto/networksettings)

- * [DNS](/services/DNS)

- * [IX Collection](/services/IX-Collection)

- * [Repository Mirrors](/services/Repository-Mirrors)

- * [Certificate Authority](/services/Certificate-Authority)

- * [Registry](/services/Registry)

- * [Interconnections](/internal/Interconnections)

-* can be accessed via [NNTP](/services/News) as well. The group is alt.net.dn42.users

-Channel #dn42 in [hackint](http://www.hackint.eu/)

-

-See [IRC](/services/IRC) too.

-Happy Routing!

-Some people runs [Tahoe LAFS](/services/Tahoe-LAFS) nodes to provide a secure decentralized crypted file storage but in dn42.

-Any idea, apart from pr0n? Multicasting video flux?

-

-

- - multicast routing (well, it doesn't work in dn42 either)

- - We need to branch out to events etc... have talks, streams and increase our media presence.

-

-**This page lists the external Overlay Networks DN42 is connected to**

-

-| Network | IPv4 address space | IPv6 address space | TLDs | Remarks |

-|:-------------------------------------------------------|:-------------------|:-------------------|:-----|:--------|

-| [NeoNetwork](https://github.com/NeoCloud/NeoNetwork) | `10.127.0.0/16` | `fd10:127::/32` | `.neo` | |

-| [ICVPN](https://github.com/freifunk/icvpn) | `10.0.0.0/8` | `fd00::/8` | see [ICVPN-Meta](https://github.com/freifunk/icvpn-meta/) |InterCity VPN - many [freifunk](https://freifunk.net) communities interconnect here |

-| [ChaosVPN](https://wiki.hamburg.ccc.de/ChaosVPN) | `10.4.0.0/16`<br>`10.32.0.0/16`<br>`10.100.0.0/14`<br>`10.104.0.0/14`<br>`172.31.0.0/16` | - | `.hack` | Few active hosts |

-| [CRXN](https://crxn.de/docs/) | - | `fd00::/8` | `.crxn` | |

-You are asked to show some creativity in terms of network usage and content. ;)

-

-Signed by the main DN42 CA (established 2016):

-* xuu is maintaining a [certificate authority](/services/Certificate-Authority) for internal services.

-* Burble maintains an [ACME server](https://burble.dn42/services/acme/) (with accompanying CA), compatible with any LetsEncrypt client like Certbot, Dehydrated or Caddy.

-* Kioubit maintains a [certificate authority](https://dn42.g-load.eu/about/certificate-authority/) with certificates obtainable via a simple script or completely [using only the browser](https://dn42.g-load.eu/about/certificate-authority/oneclick/).

-### IX Services

-

-See [IX Collection](/services/IX-Collection/).

-

-| irc.hackint.dn42 | Yes | DN42 |

-| irc.hackint.hack/dn42 | Yes | ChaosVPN |

-See [Repository Mirrors](/services/Repository-Mirrors).

-There is a list of E-Mail providers [here](/services/E-Mail-Providers)

-# Network / Port scans

-

-A network scan involves examining hosts in a network. The general aim is to find information such as open ports, software versions, and vulnerabilities. Depending on how the scan is performed, many packets are sent to the individual hosts at short intervals.

-

-## Rules

-

-There are no technically enforceable rules for port scanning (i.e., rules that apply only to port scanning; general restriction rules such as rate limits can of course be set), but that does not mean that you should just go ahead and do it - depending on how it is done, it can be perceived as very intrusive. Therefore, the following rules of politeness have become established over time:

-

-1. Announce the network scan in advance on the mailing list.

-2. Provide the option to opt out.

-

-## Opt out

-

-Unfortunately, there is currently no standard way to signal that a network should not be scanned. Several proposals have been discussed in the past - communication via BGP, via the registry, or via the mailing list.

-

-Another option would be to signal opt-outs via the wiki:

-

-| Maintainer | Network | Opt-out? |

-| --- | --- | --- |

-| `EXAMPLE-MNT` | 172.0.0.1/24 | Yes |

-[Tor](https://torproject.org/) ([dn42 mirror](http://tor.e-utp.dn42/)) is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security.

-# Welcome to perchnet (AS4242422825)

-

-## Introduction

-perchnet is a network on dn42. The goal of perchnet is to facilitate learning about and experimentation with various networking technologies, and linking up multiple sites in the "hybrid" and "multivendor" cloud computing configurations.

-

-

-

-## Background

-perchnet is still being designed and deployed. Presently we consist of two physical nodes at _bri_'s residence in New York City that provide a core router and various services, and we're in the process of onboarding a virtual server graciously donated by [Evolution Host](https://evolution-host.com).

-

-_bri_ enjoys hacking together complex systems out of weird, secondhand, obsolete hardware. As such, their on-site residence nodes are:

-

-- macpro "home private cloud"

- - Heavily upgraded Apple "Mac Pro (early 2009)" (MacPro4,1)

- - Customized firmware

- - Proxmox 7 "testing"

- - 2x Xeon X5675 (12 cores / 24 threads)

- - 128 GB DDR3

- - 512 GB NVMe SSD

- - 2 TB NVMe SSD

- - 2 TB SATA SSD

- - 2x 120 GB SATA SSD

- - 2 TB SATA HDD

- - 1 TB SATA HDD

- - Radeon RX580

-- minipve "home virtual router"

- - Apple "Mac Mini (2014)"

- - Proxmox 7

- - Intel Core i5-4278U (2 cores / 4 threads)

- - 16 GB DDR4

- - 128 GB SSD

- - 1 TB HDD

-

-Routing software in use currently primarily consists of a custom build of VyOS 1.4-rolling and OpenWRT.

-

-

-Note: "perchnet" is officially spelled in all lowercase, but due to constraints it may be written as all uppercase ("PERCHNET") instead. "Perchnet" is not to be used whenever possible. This is all due to an odd idiocyncractic quirk of the network administrator, and should probably not be questioned for the sake of maintaining one's sanity. Nobody will be chastised for using title case, but it will make _bri_ frown.

-# Playground

-

-test what will happen

-DN42 ACME CA

-==================

-

-Certificates can be automatically generated with the [ACME-CA](https://burble.dn42/services/acme/) using [acme.sh](https://github.com/acmesh-official/acme.sh) or [lego](https://github.com/go-acme/lego) or [Caddy](https://caddyserver.com/). More information can be found on [https://burble.dn42/services/acme/](https://burble.dn42/services/acme/)

-

-DN42 Self-Serve CA

-==================

-

-This client is used for automating the process of requesting TLS certificates. (Available via: [dn42](https://ca.dn42/ca-client), [iana](https://ca.dn42.us/ca-client), [git]([email protected]:dn42/ca-client))

-

-

-## VALIDATION PROCESS

-

-The process validates ownership by verifying control of both a users MNT object in the registry and the authoritative DNS server.

-The following steps take place in creating a signed certificate.

-

-*User Flow*

-

-1. User generates a 2048+ bit rsa key and CSR for their MNT object.

-2. User generates a sha256 hash of the rsa public key (commonly known as a [public keypin][keypin]) and adds it as a remark in their MNT

-3. User submits the csr to the CA to validate and sign.

-4. CA checks for the keypin in their MNT object (if it does not find it in the local copy of the [monotone repo][ca-mtn] it will check against io.nixnodes.dn42)

-5. (optional) CA revokes prior certificate as superseded.

-6. CA signs and returns the user certificate.

-

-*Server Flow*

-

-1. User generates a 2048+ bit rsa key and CSR for the dns CN. Also including any SAN domains.

-2. User generates a sha256 hash of the rsa public key (commonly known as a [public keypin][keypin]) and adds it as a txt record in their DNS.

-3. User uses the user certificate to authenticate and submits the csr to the CA to validate and sign.

-4. CA checks for the user keypin in their MNT object (if it does not find it in the local copy of the [monotone repo][ca-mtn] it will check against io.nixnodes.dn42)

-5. CA checks the dns records for the CN and each SAN for the tls keypin.

-6. (optional) CA revokes prior certificate as superseded.

-7. CA signs and returns the tls certificate.

-

-*User Renewals*

-

-User certificates are signed for 180 days. To renew follow the steps above starting from number 3.

-

-*Server renewals*

-

-Server certificates are signed for 45 days. To renew follow the steps above starting from number 3.

-

-[keypin]: <https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning>

-[ca-mtn]: <https://ca.dn42/reg/mntner/>

-

-*Certificate Revocations*

-

-1. User uses the user certificate to authenticate and submits the serial and revoke reason to CA.

-2. CA checks user keypin in their MNT object (if it does not find it in the local copy of the [monotone repo][ca-mtn] it will check against io.nixnodes.dn42)

-3. CA checks that owner in certificate matches.

-4. CA revokes certificate and updates revocation list.

-

-## INSTALL

-

-get the script here:

-

-```sh

-curl https://ca.dn42/ca.dn42 > ca.dn42; chmod +x ca.dn42

-```

-

-available via git: [email protected]:dn42/ca-client

-

-

-## KNOWN ISSUES

-

-### openssl prior to 1.0.2 returns "SSL certificate problem: permitted subtree violation"

-

-The way openssl validated name constraints prevented it from accepting dns names that started with a dot.

-Because the name constraint is "DNS:.dn42" it fails to validate.

-

-[Read more on this mailing list thread][libssl-1]

-

-

-[libssl-1]: <https://groups.google.com/forum/#!topic/mailing.openssl.dev/drG3U-S4iaE>

-

-

-### X.509 nameConstraints on certificates not supported on OS X

-

-Browsers and clients that rely on Apple's [Secure Transport][osx-1] library does not support X.509's nameConstraints.

-

-Read more on this [stack exchange post][osx-2]

-

-

-[osx-1]: <https://developer.apple.com/library/mac/documentation/Security/Reference/secureTransportRef/>

-[osx-2]: <http://security.stackexchange.com/a/97133>

-

-

-## How to Run

-

-```

-Usage: # OWNER is your MNT handle.

- ./ca.dn42 user-gen OWNER EMAIL # Output to OWNER.csr and OWNER.key

- ./ca.dn42 user-sig OWNER # Output to OWNER.crt and OWNER.p12

- ./ca.dn42 tls-gen DNS OWNER EMAIL [SAN] # Output to OWNER_DNS.csr and OWNER.key

- ./ca.dn42 tls-sig DNS OWNER # Output to OWNER_DNS.crt and OWNER_DNS.p12

- ./ca.dn42 revoke OWNER CERTFILE [REASON]

-

-

-Revoke Reasons: unspecified, keyCompromise, affiliationChanged,

- superseded, cessationOfOperation, certificateHold, removeFromCRL

-

-Environtment Options:

- DN42CA_PKCS12 = 1 # Generate pkcs12 file for certificate.

-```

-

-## Example

-

-Generate the user key

-

-```sh

-$ ./ca.dn42 user-gen XUU-MNT [email protected]

-Generating a 2048 bit RSA private key

-...............................+++

-.........................+++

-writing new private key to 'XUU-MNT.key'

------

-=

-= You need to have this pin added to your mnt object before proceeding to the next step.

-=

-|MNT Key Pin| remarks: pin-sha256:HdqCid0sedWXX3Q0uG98rYjJyTNOzaT13WfWpr1GvIw=

-```

-

-### Sign the user key

-

-```sh

-$ ./ca.dn42 user-sign XUU-MNT [email protected]

-== USER CERT ==

- C:XD

- O:dn42

- OU:dn42 Certificate Authority

- CN:XUU-MNT

- emailAddress:[email protected]

- owner:XUU-MNT

- pin-sha256:HdqCid0sedWXX3Q0uG98rYjJyTNOzaT13WfWpr1GvIw=

-OK https://ca.dn42/crt/XUU-MNT.crt

-Enter Export Password:

-Verifying - Enter Export Password:

-```

-

-### Generate the server key

-

-```sh

-$ ./ca.dn42 tls-gen ca.dn42 XUU-MNT [email protected] DNS:ca.dn42

-

-Generating a 2048 bit RSA private key

-...........................................+++

-.......................+++

-writing new private key to 'XUU-MNT_ca.dn42.key'

------

-writing RSA key

-=

-= |DNS Key Pin| You need to have this pin added to your dns records before proceeding to the next step.

-=

-_dn42_tlsverify.ca.dn42. IN TXT XUU-MNT:pin-sha256:Qu/X5GNqOo05TdL7oexkamE34OUuDE60T+f0xc60UPQ=

-```

-

-After you set this TXT-Record for your domain, you can verify it with the following command (by replacing the domain with your own):

-

-```sh

-$ dig +short TXT _dn42_tlsverify.ca.dn42.

-"XUU-MNT:pin-sha256:Qu/X5GNqOo05TdL7oexkamE34OUuDE60T+f0xc60UPQ="

-```

-

-### Sign the server key

-

-```sh

-$ ./ca.dn42 tls-sign ca.dn42 XUU-MNT

-== USER CERT ==

- C:XD

- O:dn42

- OU:dn42 Certificate Authority

- CN:XUU-MNT

- emailAddress:[email protected]

- owner:XUU-MNT

- pin-sha256:HdqCid0sedWXX3Q0uG98rYjJyTNOzaT13WfWpr1GvIw=

-== DNS CSR ==

- C:XD

- O:dn42

- OU:dn42 Certificate Authority

- CN:ca.dn42

- emailAddress:[email protected]

- owner:XUU-MNT

- pin-sha256:Qu/X5GNqOo05TdL7oexkamE34OUuDE60T+f0xc60UPQ=

-== DNS Tests ==

- CN Record: ca.dn42 PASSED

- SAN Record: ca.dn42 PASSED

-OK https://ca.dn42/crt/XUU-MNT_ca.dn42.crt

-Enter Export Password: ****

-Verifying - Enter Export Password: ****

-```

-

-The generated certificate will be valid for 3 months, to renew it simply run ```./ca.dn42 tls-sign ca.dn42 XUU-MNT``` again. This could be also automated in cron:

-

-```sh

-0 0 1 * * /etc/ssl/dn42/ca.dn42 tls-sign wiki.dn42 MIC92-MNT

-```

-

-or with a systemd timer:

-

-```conf

-# update-dn42-ca.timer

-[Timer]

-OnBootSec=1h

-OnUnitActiveSec=1w

-Persistent=yes

-

-[Install]

-WantedBy=timers.target

-```

-

-```conf

-[Service]

-Type=oneshot

-WorkingDirectory=/etc/ssl/dn42

-ExecStart=/etc/ssl/dn42/ca.dn42 tls-sign wiki.dn42 MIC92-MNT

-# accept multiple ExecStart lines for other certificates

-# ExecStart=/etc/ssl/dn42/ca.dn42 tls-sign foobar.dn42 MIC92-MNT

-ExecStart=/usr/bin/nginx -s reload

-```

-

-### Revoke a certificate.

-

-```sh

-$ ./ca.dn42 revoke XUU-MNT XUU-MNT.crt

-== USER CERT ==

- C:XD

- O:dn42

- OU:dn42 Certificate Authority

- CN:XUU-MNT

- emailAddress:[email protected]

- owner:XUU-MNT

- pin-sha256:HdqCid0sedWXX3Q0uG98rYjJyTNOzaT13WfWpr1GvIw=

-== REVOKE CERT ==

-OK

-```

-

-### Certificate transparency

-All issued certificates will be logged to [xuu's mattermost instance](https://teams.dn42/dn42/channels/tls-certificates).

-# SSL Certificate Authority

-

-internal.dn42 is signed by an internally maintained CA that is only allowed to sign *.dn42 domains.

-If you would like to have a certificate signed by this CA there is [an automated process to do so](/services/Automatic-CA). The CA is maintained by [email protected].

-

-If you are required to specify a license to clarify redistribution, then it [can be considered](https://groups.io/g/dn42/message/844) as [CC0](https://creativecommons.org/public-domain/cc0/).

-

-The CA certificate ([dn42](https://ca.dn42/crt/root-ca.crt), [iana](https://ca.dn42.us/crt/root-ca.crt)):

-

-```

-Certificate:

- Data:

- Version: 3 (0x2)

- Serial Number: 137808117760 (0x2016010000)

- Signature Algorithm: sha256WithRSAEncryption

- Issuer: C=XD, O=dn42, OU=dn42 Certificate Authority, CN=dn42 Root Authority CA

- Validity

- Not Before: Jan 16 00:12:04 2016 GMT

- Not After : Dec 31 23:59:59 2030 GMT

- Subject: C=XD, O=dn42, OU=dn42 Certificate Authority, CN=dn42 Root Authority CA

- Subject Public Key Info:

- Public Key Algorithm: rsaEncryption

- Public-Key: (2048 bit)

- Modulus:

- 00:c1:19:10:de:01:86:11:f1:82:0c:b0:d4:e5:ff:

- 9a:c8:e3:aa:f4:00:08:82:c0:cf:7f:05:7a:21:97:

- c1:b5:8b:a3:d1:54:ee:fa:04:0f:77:d5:5c:98:4b:

- d9:88:18:c1:17:10:92:e5:24:fa:ef:61:eb:5d:7b:

- 11:e5:be:ba:89:f2:60:c9:3b:82:05:3a:74:54:60:

- 23:66:1a:d8:cd:28:7b:f1:ea:55:25:9a:8c:04:a0:

- ff:9d:48:54:4c:9d:bc:2d:a0:df:71:ae:64:47:0d:

- e7:75:05:f4:c5:02:2a:d2:0c:be:a3:63:54:62:2b:

- ad:29:eb:6a:08:a4:5e:a8:eb:f1:52:14:4e:d1:5d:

- 41:2f:d3:19:ba:e4:82:36:7a:d1:a3:f2:84:f6:07:

- b2:f6:0c:30:db:db:76:ee:e9:14:05:c7:8f:75:b7:

- 3f:d5:d5:35:56:d0:92:44:df:26:1e:00:fa:ae:cb:

- 7a:c9:50:67:5d:69:f8:f9:fd:25:a7:1d:db:40:b1:

- 42:bc:45:57:e1:c9:1c:42:ba:69:80:1e:ea:25:99:

- 12:9f:6f:23:a3:d2:2e:4a:cd:15:e4:7c:49:f9:d1:

- c0:f0:19:0c:15:50:ce:a6:51:bb:aa:16:b2:82:ec:

- f4:61:44:8c:1c:dd:65:60:04:77:b0:4d:99:67:17:

- fb:09

- Exponent: 65537 (0x10001)

- X509v3 extensions:

- X509v3 Key Usage: critical

- Certificate Sign, CRL Sign

- X509v3 Basic Constraints: critical

- CA:TRUE

- X509v3 Subject Key Identifier:

- 54:76:88:B2:C0:B5:30:D0:FC:4F:C9:6D:3B:F9:8C:55:11:AC:15:15

- X509v3 Authority Key Identifier:

- keyid:54:76:88:B2:C0:B5:30:D0:FC:4F:C9:6D:3B:F9:8C:55:11:AC:15:15

-

- X509v3 Name Constraints:

- Permitted:

- DNS:.dn42

- IP:172.20.0.0/255.252.0.0

- IP:FD42:0:0:0:0:0:0:0/FFFF:0:0:0:0:0:0:0

-

- Signature Algorithm: sha256WithRSAEncryption

- 5c:a4:3b:41:a0:81:69:e2:71:99:4d:75:4b:5a:20:0d:2a:d9:

- ec:ea:bc:8d:4f:b0:6c:f3:2e:41:1a:a0:75:f3:de:7e:3a:e0:

- a7:b9:db:cd:f5:16:e4:6a:cb:e7:cc:2a:8f:ee:7f:14:0a:a5:

- b5:f9:66:48:81:e5:68:1e:0c:a6:a3:3c:a7:2b:e3:95:cf:e3:

- 63:15:0d:16:09:63:d9:66:31:3b:42:2e:7c:1a:e5:28:8e:5e:

- 3d:9e:28:99:48:e9:47:86:11:e2:04:29:60:2b:96:95:99:ae:

- 3f:ab:ff:3f:45:ab:7e:07:45:4e:4d:0b:18:40:3d:3b:02:9c:

- 4e:a9:0f:a5:c2:3f:4a:30:77:ae:66:5c:b3:8d:b2:41:6b:e2:

- 98:01:7d:e0:6b:52:70:4d:3d:b8:a9:48:f5:02:d2:d9:40:66:

- b6:5e:44:25:11:55:ac:31:02:d7:67:72:6a:6a:bc:74:34:5f:

- 75:dc:9a:4f:83:28:40:e0:2a:dc:3f:41:43:5a:47:07:2b:b7:

- a7:3f:d0:15:a2:42:d7:30:22:f2:f6:e4:b4:f6:3b:38:ca:6b:

- 4c:e7:3c:a4:70:cb:de:af:0a:14:ff:23:25:ca:04:cd:9e:49:

- c3:4b:e4:0a:b5:0b:84:b5:ef:b4:5b:63:07:47:63:cd:5c:50:

- 0b:42:0a:a9

------BEGIN CERTIFICATE-----

-MIID8DCCAtigAwIBAgIFIBYBAAAwDQYJKoZIhvcNAQELBQAwYjELMAkGA1UEBhMC

-WEQxDTALBgNVBAoMBGRuNDIxIzAhBgNVBAsMGmRuNDIgQ2VydGlmaWNhdGUgQXV0

-aG9yaXR5MR8wHQYDVQQDDBZkbjQyIFJvb3QgQXV0aG9yaXR5IENBMCAXDTE2MDEx

-NjAwMTIwNFoYDzIwMzAxMjMxMjM1OTU5WjBiMQswCQYDVQQGEwJYRDENMAsGA1UE

-CgwEZG40MjEjMCEGA1UECwwaZG40MiBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAd

-BgNVBAMMFmRuNDIgUm9vdCBBdXRob3JpdHkgQ0EwggEiMA0GCSqGSIb3DQEBAQUA

-A4IBDwAwggEKAoIBAQDBGRDeAYYR8YIMsNTl/5rI46r0AAiCwM9/BXohl8G1i6PR

-VO76BA931VyYS9mIGMEXEJLlJPrvYetdexHlvrqJ8mDJO4IFOnRUYCNmGtjNKHvx

-6lUlmowEoP+dSFRMnbwtoN9xrmRHDed1BfTFAirSDL6jY1RiK60p62oIpF6o6/FS

-FE7RXUEv0xm65II2etGj8oT2B7L2DDDb23bu6RQFx491tz/V1TVW0JJE3yYeAPqu

-y3rJUGddafj5/SWnHdtAsUK8RVfhyRxCummAHuolmRKfbyOj0i5KzRXkfEn50cDw

-GQwVUM6mUbuqFrKC7PRhRIwc3WVgBHewTZlnF/sJAgMBAAGjgaowgacwDgYDVR0P

-AQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFFR2iLLAtTDQ/E/J

-bTv5jFURrBUVMB8GA1UdIwQYMBaAFFR2iLLAtTDQ/E/JbTv5jFURrBUVMEQGA1Ud

-HgQ9MDugOTAHggUuZG40MjAKhwisFAAA//wAADAihyD9QgAAAAAAAAAAAAAAAAAA

-//8AAAAAAAAAAAAAAAAAADANBgkqhkiG9w0BAQsFAAOCAQEAXKQ7QaCBaeJxmU11

-S1ogDSrZ7Oq8jU+wbPMuQRqgdfPefjrgp7nbzfUW5GrL58wqj+5/FAqltflmSIHl

-aB4MpqM8pyvjlc/jYxUNFglj2WYxO0IufBrlKI5ePZ4omUjpR4YR4gQpYCuWlZmu

-P6v/P0WrfgdFTk0LGEA9OwKcTqkPpcI/SjB3rmZcs42yQWvimAF94GtScE09uKlI

-9QLS2UBmtl5EJRFVrDEC12dyamq8dDRfddyaT4MoQOAq3D9BQ1pHByu3pz/QFaJC

-1zAi8vbktPY7OMprTOc8pHDL3q8KFP8jJcoEzZ5Jw0vkCrULhLXvtFtjB0djzVxQ

-C0IKqQ==

------END CERTIFICATE-----

-```

-

-

-## Testing constraints

-

-The name constraints can be verified for example by using openssl:

-```sh

-openssl x509 -in dn42.crt -text -noout

-```

-which will show among other things:

-```

- X509v3 Name Constraints:

- Permitted:

- DNS:.dn42

-```

-

-## Importing the certificate

-

-- cacert have a comprehensive FAQ on how to import your own root certificates in [browsers](http://wiki.cacert.org/FAQ/BrowserClients) and [other software](http://wiki.cacert.org/FAQ/ImportRootCert)

-

-### Archlinux

-

-Install `ca-certificates-dn42` from [AUR](https://aur.archlinux.org/packages/ca-certificates-dn42/)

-

-### Debian/Ubuntu

-

-#### Unofficial Debian Package

-

-```bash

-wget https://ca.dn42.us/ca-dn42_20161122.0_all.deb

-# If you're on a dn42-only network:

-# wget --no-check-certificate https://ca.dn42/ca-dn42_20161122.0_all.deb

-sudo dpkg -i ca-dn42_20161122.0_all.deb

-sudo dpkg-reconfigure ca-certificates

-```

-

-You will be asked which certificates you would like to enabled. By default, the dn42 root certifcate (dn42/root-ca.crt) is not enabled, be sure to enable it. This package is waiting for inclusion in Debian (Debian bug [#845351](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845351)).

-

-#### Manual Installation

-

-```bash

-$ mkdir /usr/share/ca-certificates/extra

-$ cat > /usr/share/ca-certificates/extra/dn42.crt <<EOF

------BEGIN CERTIFICATE-----

-MIID8DCCAtigAwIBAgIFIBYBAAAwDQYJKoZIhvcNAQELBQAwYjELMAkGA1UEBhMC

-WEQxDTALBgNVBAoMBGRuNDIxIzAhBgNVBAsMGmRuNDIgQ2VydGlmaWNhdGUgQXV0

-aG9yaXR5MR8wHQYDVQQDDBZkbjQyIFJvb3QgQXV0aG9yaXR5IENBMCAXDTE2MDEx

-NjAwMTIwNFoYDzIwMzAxMjMxMjM1OTU5WjBiMQswCQYDVQQGEwJYRDENMAsGA1UE

-CgwEZG40MjEjMCEGA1UECwwaZG40MiBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAd

-BgNVBAMMFmRuNDIgUm9vdCBBdXRob3JpdHkgQ0EwggEiMA0GCSqGSIb3DQEBAQUA

-A4IBDwAwggEKAoIBAQDBGRDeAYYR8YIMsNTl/5rI46r0AAiCwM9/BXohl8G1i6PR

-VO76BA931VyYS9mIGMEXEJLlJPrvYetdexHlvrqJ8mDJO4IFOnRUYCNmGtjNKHvx

-6lUlmowEoP+dSFRMnbwtoN9xrmRHDed1BfTFAirSDL6jY1RiK60p62oIpF6o6/FS

-FE7RXUEv0xm65II2etGj8oT2B7L2DDDb23bu6RQFx491tz/V1TVW0JJE3yYeAPqu

-y3rJUGddafj5/SWnHdtAsUK8RVfhyRxCummAHuolmRKfbyOj0i5KzRXkfEn50cDw

-GQwVUM6mUbuqFrKC7PRhRIwc3WVgBHewTZlnF/sJAgMBAAGjgaowgacwDgYDVR0P

-AQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFFR2iLLAtTDQ/E/J

-bTv5jFURrBUVMB8GA1UdIwQYMBaAFFR2iLLAtTDQ/E/JbTv5jFURrBUVMEQGA1Ud

-HgQ9MDugOTAHggUuZG40MjAKhwisFAAA//wAADAihyD9QgAAAAAAAAAAAAAAAAAA

-//8AAAAAAAAAAAAAAAAAADANBgkqhkiG9w0BAQsFAAOCAQEAXKQ7QaCBaeJxmU11

-S1ogDSrZ7Oq8jU+wbPMuQRqgdfPefjrgp7nbzfUW5GrL58wqj+5/FAqltflmSIHl

-aB4MpqM8pyvjlc/jYxUNFglj2WYxO0IufBrlKI5ePZ4omUjpR4YR4gQpYCuWlZmu

-P6v/P0WrfgdFTk0LGEA9OwKcTqkPpcI/SjB3rmZcs42yQWvimAF94GtScE09uKlI

-9QLS2UBmtl5EJRFVrDEC12dyamq8dDRfddyaT4MoQOAq3D9BQ1pHByu3pz/QFaJC

-1zAi8vbktPY7OMprTOc8pHDL3q8KFP8jJcoEzZ5Jw0vkCrULhLXvtFtjB0djzVxQ

-C0IKqQ==

------END CERTIFICATE-----

-EOF

-$ echo "extra/dn42.crt" >> /etc/ca-certificates.conf

-$ update-ca-certificates

-```

-

-### AlmaLinux/RockyLinux/Probably anything RHEL

-

-```bash

-$ /etc/pki/ca-trust/source/anchors/dn42.crt <<EOF

------BEGIN CERTIFICATE-----

-...

------END CERTIFICATE-----

-EOF

-$ update-ca-trust

-```

-

-## PKI Store

-

-All issued keys and crl information are posted at: <https://ca.dn42/>

-# DN42 DNS

-

-This page covers guidance and examples on using DNS within DN42.

-

-## Quick Start

-

-It is recommended to run your own DNS resolver as this provides you with the most security and privacy.

-However, to get started, or if running your own resolver isn't desirable an anycast service

-is available. The anycast service supports DNSSEC and will resolve public DNS names together with all the

-relevant DN42 and affiliated networks' names.

-

-### Using the DNS Anycast Service

-

-The DNS anycast service is provided by multiple operators, with each operator contributing to one of the two separate

-anycast services. By configuring both services, users get additional resiliency from having two, independent, resolvers.

-

-| Name | IPv4 | IPv6 |

-|---|---|---|

-| a0.recursive-servers.dn42 | 172.20.0.53 | fd42:d42:d42:54::1 |

-| a3.recursive-servers.dn42 | 172.23.0.53 | fd42:d42:d42:53::1 |

-

-To configure the service, ping both sets of addresses then set your primary nameserver to the lowest latency

-service and configure the other service as the secondary or backup nameserver.

-

-Example resolv.conf, preferring a0.recursive-servers.dn42 and IPv4:

-

-```conf

-nameserver 172.20.0.53

-nameserver 172.23.0.53

-nameserver fd42:d42:d42:54::1

-nameserver fd42:d42:d42:53::1

-search dn42

-```

-

-Example resolv.conf, preferring a3.recursive-servers.dn42 and IPv6:

-

-```conf

-nameserver fd42:d42:d42:53::1

-nameserver fd42:d42:d42:54::1

-nameserver 172.23.0.53

-nameserver 172.20.0.53

-option inet6 # Linux/glibc

-family inet6 inet4 # BSD

-search dn42

-```

-

-## Advanced Configuration

-

-There are multiple top level domains (TLDs) associated with DN42, its affiliated networks and for reverse DNS that must

-be configured in order to run your own resolver. The registry is the authoritative source of active TLDs, but see also

-this page [dns/External-DNS](/services/dns/External-DNS) in the wiki.

-

-### Split horizon DNS

-

-In this configuration, you run your own, caching resolver but forward DN42 related queries (with recursion bit set)

-to the anycast service. Example configurations for different recursor implementations are included in the [dns/Configuration](/services/dns/Configuration) page.

-

-### Full recursion

-

-Authoritative DNS for DN42 is provided by the *.delegation-servers.dn42 servers, see the DNS architecture here

-[New DNS](/services/New-DNS) Delegations servers have full support for DNSSEC. Example configuration unbound implementations are included in the [dns/Configuration](/services/dns/Configuration#resolver-setup) page.

-

-## Additional client configuration

-

-- **Firefox**: Set `browser.fixup.domainsuffixwhitelist.dn42` to `true` in `about:config` to prevent Firefox from confusing dn42 domains with search queries.

-

-## Further Information

-

-* [dns/Configuration](/services/dns/Configuration) - Forwarder/Resolver configuration examples

-* [New DNS](/services/New-DNS) - current architecture

-* [dns/External-DNS](/services/dns/External-DNS) - external DNS zones from interconnected networks

-* [Old Hierarchical DNS](/services/Old-Hierarchical-DNS) - deprecated

-* [Original DNS (deprecated)](/services/Original-DNS-(deprecated)) - deprecated

-If you have an E-Mail service and would like to test it's functionality, send an email to [[email protected]](mailto:[email protected]). You will get a response usually within a few hours.

-

-**X Mail by Bingxin.**

-* X Mail <https://mail.x.dn42>

- * Free, easy to sign up, and unlimited internal email system.

- * Use the /email command on Telegram @baka_lg_bot to register an account.

- * Or, Register at <https://mail.x.dn42/email/>

- * Having issues with registration? Send an email to [[email protected]](mailto:[email protected]) or [[email protected]](mailto:[email protected]) for assistance.

-

-**bMail by Buzzster.**

-* bMail <https://mail.bmail.dn42>

- * Free, easy and unlimited internal email system.

- * Register at <https://accounts.buzzster.dn42/register>

-

-**Free E-Mail Addresses for DN42 Users.**

-* DN42 Mail, <https://dmail.dn42>

- * Free, easy to sign up, unlimited internal emailing. Hosted by zane_reick

- * Register at <https://dmail.dn42/register/register.php>

-

-### Simplelogin server:

-* a selfhosted [Simplelogin](https://simplelogin.io/) server for dn42.cc

-* create aliases that forward to your real e-mail

-* signup at <https://simplelogin.dn42/auth/register> with a clearnet e-mail address (dn42 mail addresses are for some reason not supported by simplelogin)

- * also available via <https://sl.dn42.cc/> (except signup)

-* for "lifetime premium" (more than 5 aliases + custom domains), if you want aliases for \<anything>@\<your_mntner>.dn42.cc or experience deliverability problems please send a mail to [[email protected]](mailto:[email protected]) or [[email protected]](mailto:[email protected])

-In the real world two organizations have to lay cables to one another when they want to peer. This is why IXPs (Internet Exchange Points) or IXes (Internet Exchanges) for short exist. Instead of laying cables to one another, organizations lay cables to an exchange instead. This allows them to peer with hundreds of other companies.

-

-Even though DN42 has 'cheap' tunnels like Wireguard, as it is a simulation of the internet it makes sense to have exchanges as a learning exercise.

-

-IXP frnte operated by LGP Corp: [IXP frnte](/services/IXP-frnte)

-

----

-

-A few people have provided exchanges previously on DN42, however they created single

-points of failure and are no longer operating

-

-* Amsterdam (OpenVPN) - NL Zuid (marlinc) - <https://nl-zuid.dn42/>

-* Los Angeles (OpenVPN) - tombii - <https://nl-zuid.dn42/>

-* New York (OpenVPN) - tombii - <https://nl-zuid.dn42/>

-* Falkenstein/Hetzner (OpenVPN) - GRMML (Nurtic-Vibe) - <https://nl-zuid.dn42/>

-* India (OpenVPN) - Technopoint - apply via email to [[email protected]](mailto:[email protected]) (reply within 24hours)

-

-The NL-Zuid website is also available from the public internet: <https://nl-zuid.nl>

-

-Its generally recommended to only announce prefixes from your own network and that of your transit customers.

-We provide some anycast services over IPv6.

-

-## Anycast address space

-

-**fd42:d42:d42::/48** is reserved for anycast services.

-

-Each anycast service runs on a dedicated /64 in this range. This way, nobody needs to update filters.

-

-Remember, if you announce an anycast /64, then you need to provide **all** services within this /64. It's probably simpler to only provide one service for each /64.

-

-## Anycast services

-

-| **Name** | **Service address** | **Protocol/port** | **Comment** |

-| ---------------------- | ------------------------- | ----------------- | ----------------------------- |

-| Recursive DNS resolver | `fd42:d42:d42:54::1/64` | UDP/53 | `.` and `dn42.` [Providers](/services/dns/Providing-Anycast-DNS#Persons-providing-anycast-DNS-for-IPv6) |

-| Whois Database | `fd42:d42:d42:43::1/64` | TCP/43 | |

-| TOR SOCKS5 Proxy | `fd42:d42:d42:9050::1/64` | TCP/9050 | |

-| internal Wiki | `fd42:d42:d42:80::1/64` | TCP/80, TCP/443 | |

-| myip.dn42 | `fd42:d42:d42:81::1/64` | TCP/80 | |

-

-

-

-### Future services

-

-- streaming

-- other kind of DNS (authoritative-only, recursive for `dn42` only)

-# replirc

-

-replirc does not have a channel about dn42 but it is connected to dn42 at the address [irc.replirc.dn42](ircs://irc.replirc.dn42:6697). It is also accessible via Tor, Yggdrasil or the internet.

-

-|Name|Wiki Page|Related Link(s)|

-|:---|:---|:---|

-|IXP-frnte|[IXP-frnte](/services/IXP-frnte)|N/A|

-|mcast-ix|[mcast-ix](/services/mcast-ix)|N/A|

-|SERNET-IX|[SERNET-IX](/services/SERNET-IX)|[https://blog.sherpherd.net/ix.html](https://blog.sherpherd.net/ix.html)|

-|SerinaIX||<https://ix.dn42.serinanya.cn/>|

-|Nedifinita IX||https://ix.nedifinita.com/|

-The IXP frnte

-=============

-

-An IXP is a collection point for Internet providers. This can be physical or virtual. In a physical IXP, several Internet providers place servers in a data center and connect them to each other.

-

-In a virtual IXP, the servers are not "real". They are not physically connected with cables, but for example via a VPN.

-

-In dn42 almost all connections are virtual. One builds on the Internet and creates virtual links between the single nodes. In IXP frnte, all providers have virtual machines, which are connected to each other. Due to the large number of providers in IXP, it is possible to reach them easily and with low latency. However, the large number also leads to the fact that no direct peerings are established within an IXP, instead route servers are used. This receives and coordinates all routes of the providers and sends out appropriate routes. This way, many indirect peerings can be established.

-

-Current participants

---------------------

-

-| Name | AS | Route server | IRC |

-| --- | --- | --- | --- |

-| Bandura's network | 4242422923 | 4242421081 | mark22k |

-

-History and origin

-------------------

-

-In dn42 and in the Anonet there was the UCIS IXP for a long time. However, this is no longer actively operated.

-

-Members of the LGP Corp have now created a new IXP in dn42. This is the IXP frnte. It is located in France near Nantes and has two separate internet connections. This article describes how to enter the IXP and set up peering with the current route server.

-

-Join the IXP

-------------

-

-### 1\. Request the infrastructure

-

-LGP Corp provides virtual machines free of charge to any AS operator or anyone who wants to experiment with networks. There are no costs! The VM's can be configured and linked together as desired. The VM's can be connected to each other via a VLAN. Furthermore, an internet connection is available with two ISPs, depending on your choice. The virtual machine gets a public IPv6 and if necessary IPv4 over NAT to be able to access important resources like GitHub.

-It is best to create a diagram of your network and send it to the LGP Corp.

-The LGP Corp or the responsible admin for the IXP can be reached in **IRC** on hackint.org under **toinux**. Send the diagram to them and discuss further details.

-Furthermore, all virtual machines are put into a common VLAN. This causes that one can reach all providers at the IXP without problems.

-

-### 2\. Proxmox Login and VM Setup

-

-After that you will receive your access data for the Proxmox portal from the LGP Corp. Under which you can set up your VM's. The portal can be reached under [**https://pve.home.lgp-corp.fr/**](https://pve.home.lgp-corp.fr/). Select "Proxmox VE authentication server" as "Realm". It also offers a VNC monitor to work directly on the server. For the setup under SSH an IPv6 connectivity to the internet is required. If you only have an IPv4, you can get an IPv6 for free from Hurricane Electric at [https://tunnelbroker.net/](https://tunnelbroker.net/).

-

-### 3\. Configure VLAN

-

-An internal IPv6 Range has been requested for the IXP: `fde0:93fa:7a0:2::/64` ([fde0:93fa:7a0:2::/64 on explorer](https://explorer.dn42.dev/#/inet6num/fde0:93fa:7a0:2::_64))

-

-The following is the assignment policy:

-`fde0:93fa:7a0:2:0:<asn32|high16|hex>:<asn32|low16|hex>:1/64`

-For example, if you have the ASN 4242421080, you get the range `fde0:93fa:7a0:2:0:fcde:3558:1/64`

-It should be noted that only the last block may be changed. So you get a practical IPv6 range of `fde0:93fa:7a0:2:0:fcde:3558:/112`.

-A Ruby script to calculate the IPv6 can be found on [ixp\_frnte\_dn42\_prefix.rb on GitHub Gist](https://gist.github.com/marek22k/494cf9c4d269867f23f2c3577e1780ef).

-

-An example configuration for Debian based Linux distributions would be:

-

-```sh

-iface ensXX inet6 static

- address fde0:93fa:7a0:2:0:fcde:3558:1/64

-```

-

-Here `ensXX` is the dn42 VLAN interface. This can be determined by comparing the MAC address of the interface with the MAC address of the dn42 VLAN in Proxmox. The MAC address can be determined on Linux with `ip l`:

-

-```sh

-ensXX: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu

- 1500 qdisc pfifo_fast state UP mode DEFAULT group

- default qlen 1000

- link/ether MAC brd ff:ff:ff:ff:ff:ff

-```

-

-`MAC` would be the MAC address. After that you can activate the interface with ifup or a reboot of the VM.

-Of course there are other configuration possibilities. This is only an example for Debian-based Linux distributions.

-

-### 4\. Connect to the Route Server

-

-There can be several Route Servers (RS) on one IXP. However, on the IXP frnte there is currently only one, which is operated by jlu5 (operator of the highdef network).

-IPv6: fde0:93fa:7a0:2:0:fcde:3559:1

-ASN: 4242421081

-

-You can now enter this configuration into your routing daemon and it will connect to the RS. You should keep in mind that the RS itself does not forward any traffic, but is only responsible for the coordination. Therefore the AS path must not necessarily start with the AS of the RS.

-

-An example configuration for bird2 would be the following:

-

-```conf

-protocol bgp ixp_rs from dnpeers {

- neighbor fde0:93fa:7a0:2:0:fcde:3559:1 as 4242421081;

-

- enable extended messages on;

- direct;

- enforce first as off;

-

- ipv4 {

- extended next hop;

- };

-}

-```

-

-**What does this configuration do?**

-

-First we create a new BGP session (`protocol bgp`). This is based on the dnpeers template which can be found in the standard Bird2 configuration in the [wiki](/howto/Bird2). We name this session "ixp\_rs". However, this is only an internal name and can be replaced with another one.

-

-After that we determine with whom we want to have the session. This would be the RS. Therefore we put IPv6 address and ASN there.

-

-Furthermore, we allow larger BGP messages. Thus, instead of 4096 bytes, a whole 65535 bytes are transmitted in one message. This is especially useful because an RS has to announce a lot of routes.

-

-With `direct` we indicate that the RS is directly connected to our server and no routing via third parties has to be performed. In our case, the RS is connected to us via the dn42 VLAN.

-

-The next line has the effect that the ASN of the RS does not necessarily have to be the next hop for routing. This is important because we do not route the traffic via the RS, but via the respective peers. These have an ASN that differs from the ASN of the RS.

-

-Since the dn42 VLAN _only_ supports IPv6, any IPv4 traffic must also go over IPv6. If you do not have or do not want to use IPv4, you can ignore this part of the configuration.

-

-Finally we save the bird2 configuration and load the new configuration with `birdc configure`.

-

-### 5\. Check if it works

-

-There are now a few things to check:

-Once you can see if the BGP session is esablished. In Bird you can do this with `birdc show protocols all ixp_rs`.

-Furthermore, you can display different routes (in case of bird with `birdc show route for [ip address]`) or perform a traceroute.

-One can also try to ping the IP of some at the IXP. From the latency you can also see if everything is working:

-

-* Bandura's pingable:

- * `172.22.149.224`

- * `fd04:234e:fc31::`

-After frequent issues with the [Old Hierarchical DNS](/services/Old-Hierarchical-DNS) system in early 2018, work has started to build a new and more reliable DNS system. The main goals are:

-* Reliability and Consistency to avoid debugging very obscure issues that are also hard to reproduce.

-* Low maintenance burden on operators.

-* Proper DNSSEC support for everything.

-

-# End Users

-It is **strongly recommended** to run your own resolver for security and privacy reasons. Setting it up and maintaining it should be easy, see [services/dns/Configuration](/services/dns/Configuration).

-

-If running your own resolver is not possible or desirable, you can choose one or more instances from [dns/recursive-servers.dn42 in the registry](https://git.dn42.dev/dn42/registry/src/master/data/dns/recursive-servers.dn42). Please make sure you fully understand the consequences and fully trust these operators.

-

-You can also use the globally anycasted a.recursive-servers.dn42 but you won't have any control over which instance you get. This is a **very bad idea** from a security standpoint.

-

-# Instances

-The new DNS system has two different components:

-* *.recursive-servers.dn42 and local resolvers responsible for handling queries from clients, validating DNSSEC and directing the queries at clearnet/dn42/ICVPN.

-* *.delegation-servers.dn42 and *.master.delegation-servers.dn42 are a normal master-slave setup for providing the few official infrastructural zones.

-

-## *.recursive-servers.dn42

-These are simple resolvers capable of resolving dn42 domains. Every operator gets a single letter name pointing to addresses assigned from their own address space and is strongly encouraged to use anycasting across multiple nodes to improve reliability. There is also the global anycast a.recursive-servers.dn42 which includes some/all other instances. Whether an *.recursive-servers.dn42 can resolve clearnet queries or not is decided by its operator but all a.recursive-servers.dn42 instances MUST resolve clearnet queries correctly. It is explicitly not supported to use clearnet nservers for dn42 zones and dn42 nservers for clearnet zones.

-

-## *.delegation-servers.dn42

-These are simple authoritative servers for the dn42 zone, rDNS and a few DNS infrastructure zones. Every operator gets a single letter name pointing to addresses assigned from their own address space and is strongly encouraged to use anycasting across multiple nodes to improve reliability. There is no anycast instance because that would make debugging much harder and *.recursive-servers.dn42 instances should do loadbalancing/failover across all instances listed in the registry.

-

-## *.master.delegation-servers.dn42

-These instances do not serve any clients. They poll the registry regularly and rebuild and resign (DNSSEC) the zones as needed. If any zone changes, all *.delegation-servers.dn42 instances are notified ([RFC1996](https://tools.ietf.org/html/rfc1996)) which then load the new zone data over AXFR ([RFC5936](https://tools.ietf.org/html/rfc5936)). The pool of masters is intentionally kept very small because of its much higher coordination needs and also the lacking support of a multi-master mode in many authoritative server implementations. The masters are only reachable over dedicated IPv6 assignments which are set up in a way that any master operator can hijack the address of a problematic master without having to wait for its operator to fix something.

-

-# Running your own instances

-* If you want to run your own instances, make sure you are subscribed to the [mailinglist](/contact). It is also strongly recommended to join #dn42-dns@hackint. All changes are announced to the mailinglist but IRC makes debugging sessions much easier.

-* Choose the implementation(s) you want to use. It should support at least AXFR+NOTIFY (*.delegation-servers.dn42) or DNSSEC (*.recursive-servers.dn42).

-* Check if [TODO](/TODO) already has configuration snippets for your implementation.

- * If yes, download it from there and include it in the main configuration.

- * If not, then join us in #dn42-dns@hackint so we can add it together.

-* Verify that everything works:

- * For *.delegation-servers.dn42: Do an AXFR against all zones and compare with the result of an existing instance. The result should be identical.

- * For *.recursive-servers.dn42: Query clearnet, dn42 and ICVPN domains including rDNS. Make sure that both signed and unsigned domains work properly.

-* (Optional) Choose your single letter name and ask in #dn42-dns@hackint to get it added to the registry. Once added to the list, you must implement changes announced to the mailinglist within a week (faster is obviously better) or you might get removed again. We try to keep maintenance work as low as possible but we can't do it without the cooperation of all operators!

-

-# [Monitoring](https://grafana.burble.com/d/E4iCaHoWk/dn42-dns-status?orgId=1&refresh=1m)

-burble is providing monitoring for the new DNS system. It does simple checks on all instances every minute and also logs all changes into #dn42-dns@hackint.

-

-Also, gatuno provides another simple [dns checker for all the top level domains](http://gatuno.dn42/dns/) in the registry. If you want to check whatever a domain is resolving or not, this tool may be useful. The tool gets in sync with the registry every 12 hours. You can schedule checks for any domain.

-

-# DNSSEC

-There are currently two KSKs managed by BURBLE-MNT and JRB0001-MNT. They are used once per quarter to sign the DNSKEY RRset. Each master operator has one ZSK which is used to sign the zones (except for the DNSKEY RRset). This setup leads to bigger responses but allows each KSK holder to solve emergencies independently. The signatures of the DNSKEY RRset are valid until the end of the first month of the next quarter to give enough time for coordinating the next signing. All other signatures are valid for 3 days and replaced at least once per day.

-

-The set of valid KSKs can be found in the registry.

-

-# See also

-

-* [DNS Quick Start](/services/DNS)

-* [Old Hierarchical DNS](/services/Old-Hierarchical-DNS)

-* [Original DNS (deprecated)](/services/Original-DNS-(deprecated))

-This information is now **deprecated**. Please check [New DNS](/services/New-DNS) for the current architecture.

-

-***

-

-DNS in the global internet is designed as a tree starting from "." and traveling outward in layers. Currently in DN42 dns is flat. This leads to issues when trying to debug problems and makes it difficult to delegate to subnets smaller than /24. Another problem that arises is having the root dns setup as an anycast. If one of the anycast roots is having problems it creates inconsistent errors for some users. This has led to the problem of when a user has a poorly configured anycast available to create their own root anycast.

-

-The purpose of this project is to create a system of high quality dns roots. With them in place, an anycast resolver would only need to be a simple caching resolver that uses the roots to query.

-

-## Hierarchy in DN42

-

- - . (dot)

- - arpa

- - in-addr

- - 172

- - 20

- - 22

- - 23

- - 31

- - dn42

- - \<dn42 domain names>

- - hack

- - ffhh

- - \<Future Top Level Domains?>

- - \<ano, bit or other organisation TLDs?>

- - \<ICANN TLDs>

-

-Note: With this system it could be possible to merge the IANA root file.. but it would be beyond the scope of this project.

-

-## Servers

-

-For all of these servers they have a specific IP assigned, only respond to their authoritative zones, and do not allow recursion.

-

-**\<name>.root-servers.dn42** - This server is authoritative for "." (root zone). Is authorative for ICANN root as well. "172.in-addr.arpa" is delegated to ICANN, except rfc1918 zones which are delegated to dn42. The rest of rfc1918 as well as rfc4193 address space is delegated to dn42.

-

-**\<name>.zone-servers.dn42** - This server is authoritative for "dn42", "hack", .. This would be where the records for all forward dns nameservers would be. Similar to our current root setup.

-

-**\<name>.in-addr-servers.arpa** - This server is authoritative for "arpa", "in-addr", and each of the 172 zones for dn42 ip space. For non dn42 ip space NS records to the respective darknet would need to be registered.

-

-**\<name>.dn42-servers.arpa** - This server is authoritative for RFC 2317 delegations. For any inetnum object smaller than /24 and whos parent has no nameserver records, a C class parent zone is created (all its subnetworks are delegated to appropriate nameservers with CNAME)

-

-Real-time server monitor is available at <http://nixnodes.net/dn42/dnsview>

-

-## Setup

-

-Contact one of the root-servers.dn42 operators if you wish to set up a root/zone/dn42 server.

-

-You may want to set up a resolver, see link below or use 172.23.0.53 directly.

-

-Techical information available [here](https://nixnodes.net/wiki/n/DN42_DNS)

-# Original DNS (deprecated)

-This information is now **deprecated**. Please check [New DNS](/services/New-DNS) for the current architecture.

-

-***

-

-*(tl;dr)* We have a TLD for dn42, which is `.dn42`. The anycast resolver for `.dn42` runs on `172.20.0.53` and `fd42:d42:d42:54::1`.

-

-**DNS is built from the [whois database](/services/Whois). Please edit your DNS records there.**

-

-## Using the DNS service

-

-Below are several ways to use the `dn42` DNS service, from easiest to more challenging. The recommended method is the second one.

-

-### Using the anycast resolver directly

-

-Please be aware that this method sends **all** your DNS queries (e.g. `google.com`) to a random DNS server inside dn42. The server could fake the result and point you towards the russian mafia. They probably won't, but think about what you are doing. At the end of the day, your ISP could be evil as well, so it always boils down to a question of trust.

-

-To do this, just use `172.20.0.53` or `fd42:d42:d42:54::1` as your resolver, for instance in `/etc/resolv.conf`.

-

-### Forwarding `.dn42` queries to the anycast resolver

-

-If you run your own resolver (`unbound`, `dnsmasq`, `bind`), you can configure it to forward dn42 queries to the anycast DNS resolver. See [DNS forwarder configuration](/services/dns/Configuration).

-

-### Recursive resolver

-

-You may also want to configure your resolver to recursively resolve dn42 domains. For this, you need to find authoritative DNS servers for the `dn42` zone (and for the reverse zones). See [services/dns/Recursive DNS resolver](/services/dns/Recursive-DNS-resolver).

-

-### Building the dn42 zones from the registry

-

-Finally, you may want to host your own authoritative DNS server for the `dn42` zone and the reverse zones. The zone files are built from the monotone repository: scripts are provided in the repository itself.

-

-## Register a `.dn42` domain name

-

-The root zone for `dn42.` is built from the [whois registry](/services/Whois). If you want to register a domain name, you need to add it to the registry (of course, you also need one or two authoritative nameservers).

-

-## DNS services for other networks

-

-Other networks are interconnected with dn42 (ChaosVPN, Freifunk, etc). Some of them also provide DNS service, you can configure your resolver to use it. See [External DNS](/services/dns/External-DNS).

-

-## Providing DNS services

-

-See [Providing Anycast DNS](/services/dns/Providing-Anycast-DNS).

-

-## [Old Hierarchical DNS](/services/Old-Hierarchical-DNS)

-

-This is a new effort to build a DNS system that mirrors how DNS was designed to work in clearnet.

-# Registry cleanup process

-This process is used to remove inactive objects based on MRT data and the git commit history.

-The process is to be executed on a regular basis (yearly).

-

-A maintainer is classified as "inactive" if the following conditions have been fulfilled:

-1. All of the ASNs the maintainer has been directly or indirectly associated with (in any way and by following all references, whether through mnt-by, admin-c, tech-c, etc. or through an ORG) have not been observed originating any prefix in the global routing table at any point within the last three years. (Determined by analyzing the daily MRT RIB dumps provided by the DN42 Global Route collector.)

-2. The maintainer has not edited any of the ASNs they are associated with in the registry within the last three years. (Determined by analyzing the git commit history.)

-

-Maintainers that are not affiliated with an ASN (whether directly or indirectly or through other maintainers) are also considered inactive regardless of whether they fulfill the above conditions.

-

-## Process

-

-Using **registry_wizard (written for v0.4.12)**:

-

-1. Download the MRT files from the Global Route Collector (GRC):

-`wget -r -np -nH --cut-dirs=1 -A "*.mrt.bz2" --reject "*:*" http://collector.dn42/`

-2. Generate a list of active ASNs based on MRT data:

-`./registry_wizard /path/to/registry mrt_activity parse /path/to/mrt/files --cutoff-time <value> --list > active_list.txt`

-3. Based on the list of active ASNs and through referencing the registry git commit log, generate a list of inactive ASNs:

-`./registry_wizard /path/to/registry mrt_activity active_asn_to_inactive --list_file /path/to/active_list.txt --cutoff-time <value> > inactive_list.txt`

-4. Generate the removal commands to remove inactive objects based on the previous list:

-`./registry_wizard /path/to/registry remove aut-num --list_file /path/to/inactive_list.txt --enable_subgraph_check`

-

-ASNs can be excluded from removal by removing them from the list produced in step 3.

-

-Manual review of a few resources (primarily those affiliated with "DN42-MNT") will be required as they cannot be removed in an automated way (for example, resources associated with an inactive maintainer that used to host the DN42 anycast DNS will be affiliated with DN42-MNT and will require manual removal).

-To identify the exact conflicts leading to the manual review requirement the following command can be used:

-`./registry_wizard /path/to/registry graph path mntner YAMAKAYA-MNT mntner DN42-MNT` (To list conflicts between YAMAKAYA-MNT and DN42-MNT)

-# Repository Mirrors

-

-There are some mirrors available in DN42. All mirrors are subdomains of "mirror.dn42". DNS Round-Robin is set up for Load Balancing.

-

-## mirror.ano-org.dn42

-

-Proxy to multiple repositories:

-

-* <http://mirror.ano-org.dn42/debian>: deb.debian.org/debian

-* <http://mirror.ano-org.dn42/debsec>: security.debian.org/debian-security

-* <http://mirror.ano-org.dn42/ubuntu>: archive.ubuntu.com/ubuntu

-* <http://mirror.ano-org.dn42/ubsec>: security.ubuntu.com/ubuntu

-* <http://mirror.ano-org.dn42/proxmox>: download.proxmox.com/debian

-* <http://mirror.ano-org.dn42/grafana>: packages.grafana.com/oss/deb

-* <http://mirror.ano-org.dn42/rpi>: archive.raspberrypi.org/debian

-

-Other repos can be added on request, contact glueckself@hackint on IRC or send a mail to <[email protected]>

-

-## Ubuntu

-**<http://mirror.dn42/ubuntu>**

-

-Hosted by:

-* mephisto

-

-

-## mirror.yandex.ru proxy

-**<http://172.23.158.41/>**

-**<http://[fd91:9191:9191:3::1]/>**

-

-Hosted by:

-* ne-vlezay80

-

-## mirrors.nia.dn42 (IPv6 Only)

-

-[eweOS](https://os.ewe.moe/download):

-* <http://mirrors.nia.dn42/eweos/>: Official Mirror in DN42

-* <http://mirrors.nia.dn42/eweos-images/>: Official Mirror in DN42

-

-## mirror.z.dn42

-

-Not hosting repositories itself, it collects other mirrors

-

-* Dynamic page: **<http://mirror.z.dn42/>**

-* Static page: **<http://mirror.z.dn42/_/>**

-

-## mirrors.leziblog.dn42

-

-Notes:

-- Local repository, hosted by [LeZi](mailto:[email protected])

-- Synchronize with the upstream every day at 00:00 UTC.

-- Supports `https`, `rsync`

- - https: `https://mirrors.leziblog.dn42`

- - rsync: `rsync://rsync.mirrors.leziblog.dn42`

-

-Ubuntu:

-- <http://mirrors.leziblog.dn42/ubuntu/>: archive.ubuntu.com/ubuntu

-- <http://mirrors.leziblog.dn42/ubuntu-ports/>: ports.ubuntu.com

-

-OpenWrt:

-- <http://mirrors.leziblog.dn42/openwrt/>: downloads.openwrt.org

-

-Ubuntu-image:

-- 20.04.6

- - [magnet:?xt=urn:btih:83df9f532bed288518d884fe63363e8f5b2286e2](magnet:?xt=urn:btih:83df9f532bed288518d884fe63363e8f5b2286e2&dn=ubuntu-20.04.6-live-server-amd64&tr=udp%3A%2F%2Ftracker.leziblog.dn42%3A11451&tr=https%3A%2F%2Ftracker.leziblog.dn42%2Fannounce&tr=http%3A%2F%2Ftracker.leziblog.dn42%2Fannounce)

-- 22.04.5

- - [magnet:?xt=urn:btih:8df707795d20b9d8021241d56c6f8282929c8b8d](magnet:?xt=urn:btih:8df707795d20b9d8021241d56c6f8282929c8b8d&dn=ubuntu-22.04.5-live-server-amd64&tr=udp%3A%2F%2Ftracker.leziblog.dn42%3A11451&tr=https%3A%2F%2Ftracker.leziblog.dn42%2Fannounce&tr=http%3A%2F%2Ftracker.leziblog.dn42%2Fannounce)

-- 24.04.3

- - [magnet:?xt=urn:btih:5fd2dd3688fdb31fe554b15ed65228f3db29a9f9](magnet:?xt=urn:btih:5fd2dd3688fdb31fe554b15ed65228f3db29a9f9&dn=ubuntu-24.04.3-live-server-amd64&tr=udp%3A%2F%2Ftracker.leziblog.dn42%3A11451&tr=https%3A%2F%2Ftracker.leziblog.dn42%2Fannounce&tr=http%3A%2F%2Ftracker.leziblog.dn42%2Fannounce)

-There is a route beacon periodically advertising and withdrawing the prefixes `172.21.100.24/29` and `fd40:e3b7:1d77:1234::/64`. These are the only prefixes of as4242421933.

-The schedule is the following: the prefixes are announced in every even (cest) hour in between minutes 1-10, and withdrawn when the clock is outside of the above mentioned period.

-The main purpose of the whole experiment is to be able to spot the ghosting implementations.

-The current state could be monitored on the prometheus or nrpe endpoint at test.nop.dn42 or one can query the last recorded ghosting state by telnetting the same endpoint and issuing commands from the banner.

-Placeholder.

-# Statistics

-

-

-## IRC

-

-Channel statistics for #dn42@hackint are available at: <https://dev.0l.dn42/stats/>.

-

-## Scripts

-

-### Number of prefixes for collectd

-

-#### collectd.conf

-

-```conf

-LoadPlugin exec

-<Plugin exec>

- Exec nobody "/etc/collectd/bgp_prefixes-quagga.sh"

-</Plugin>

-```

-

-collectd refuses to exec scripts as root. On Debian vtysh is compiled with PAM support: adding nobody to the quaggavty group suffices.

-

-#### bgp_prefixes-quagga.sh

-

-```sh

-#!/bin/bash

-

-INTERVAL=10

-HOSTNAME=dn42.hq.c3d2.de

-

-while true; do

-n4=$(vtysh -d bgpd -c "show ip bgp"|grep Total|sed -e 's/Total number of prefixes //')

-n6=$(vtysh -d bgpd -c "show ipv6 bgp"|grep Total|sed -e 's/Total number of prefixes //')

-

-echo "PUTVAL $HOSTNAME/quagga-bgpd/routes-IPv4 interval=$INTERVAL N:$n4"

-echo "PUTVAL $HOSTNAME/quagga-bgpd/routes-IPv6 interval=$INTERVAL N:$n6"

-

-sleep $INTERVAL

-done

-```

-

-#### Number of prefixes per neighbour for bird

-

-```sh

-#!/bin/sh

-#

-# Collectd script for collecting the number of routes going through each

-# BGP neighour. Works for bird.

-#

-# See https://dn42.net/Services-Statistics

-

-INTERVAL=60

-HOSTNAME=mydn42router

-[ -n "$COLLECTD_HOSTNAME" ] && HOSTNAME="$COLLECTD_HOSTNAME"

-

-while true

-do

- birdc 'show protocols "*"' | grep ' BGP' | cut -d ' ' -f 1 | while read neighbour

- do

- nbroutes=$(birdc "show route protocol $neighbour primary count" | grep -v 'BIRD' | cut -d ' ' -f 1)

- echo "PUTVAL $HOSTNAME/bird-bgpd/routes-$neighbour interval=$INTERVAL N:$nbroutes"

- done

- # FIXME: we probably count non-BGP routes here

- totalroutes=$(birdc "show route primary count" | grep -v 'BIRD' | cut -d ' ' -f 1)

- echo "PUTVAL $HOSTNAME/bird-bgpd/routes-all interval=$INTERVAL N:$totalroutes"

- sleep $INTERVAL

-done

-```

-

-### munin plugin

-* add the following to /etc/munin/plugin-conf.d/munin-node

-

-```

-[quagga_bgp]

-user root

-```

-

-* place the script as quagga_bgp in /etc/munin/plugins

-

-```sh

-#!/bin/sh

-#

-#

-# Munin Plugin to show quagga bgp4 routes

-

-# Standard Config Section Begin ##

- if [ "$1" = "autoconf" ]; then

- echo yes

- exit 0

- fi

-

- if [ "$1" = "config" ]; then

-

- echo 'graph_title Quagga BGP4 Routes'

- echo 'graph_args --base 1000 -l 0'

- echo 'graph_scale yes'

- echo 'graph_vlabel Received routes via BGP4'

- echo 'graph_category Network'

- echo 'bgproutes.label Routes'

- echo 'graph_info Route information provided by quagga daemon via vtysh'

- exit 0

- fi

-# Standard Config Section End ####

-

-# Measure Section Begin ##########

- data=($(vtysh -c "show ip bgp"|grep Total|cut -d" " -f5))

-

- if [ "$data" = "" ]; then

- echo bgproutes.value 0

- else

- echo bgproutes.value $data

- fi

-# Measure Section ##########

-```

-* restart munin-node

-# Tahoe LAFS

-

-## The idea

-Tahoe-LAFS provides a distributed, reliable and crypted file system.

-

-## How?

-Some people run Tahoe-LAFS nodes, providing space. With clients files can be published and received to the cloud. Everything will be encrypted on client side and keep redundant in the cloud.

-

-## Benefit

-Default you need only 3 of 10 parts of a file to reconstruct it. So a downtime of a tahoe node doesn't means data loss.

-

-Because of the encryption an owner of a node don't know anything about the stored content.

-

-## Usage

-To provide storage to the cloud you have to run a node.