- Welcome to Yggdrasil Community.
Recent posts
#21
Разное / Re: Yggdrasil и httpS ресурсы ...
Last post by Revertron - December 29, 2023, 01:39:14 AMСмотрите, есть "основная" система DNS, и несколько "альтернативных".
Для основной системы в любой сети - в клирнете и Иггдрасиль вы можете получить сертификаты от "общепризнанных" CA, типа Let's Encrypt.
Если вы хотите использовать альтернативные системы DNS, то будьте готовы к тому, что Let's Encrypt для них не сможет выдавать сертификаты, и вам придётся страдать. Ну или заставлять страдать ваших пользователей.
Для основной системы в любой сети - в клирнете и Иггдрасиль вы можете получить сертификаты от "общепризнанных" CA, типа Let's Encrypt.
Если вы хотите использовать альтернативные системы DNS, то будьте готовы к тому, что Let's Encrypt для них не сможет выдавать сертификаты, и вам придётся страдать. Ну или заставлять страдать ваших пользователей.
#22
Разное / Re: Yggdrasil и httpS ресурсы ...
Last post by Meettya - December 28, 2023, 06:57:42 PMQuote from: Revertron on December 28, 2023, 01:27:55 PMДаже если у вас домен используется только в Yggdrasil, то можно подтверждать выдачу сертификатов по DNS.Я почитал https://howto.yggno.de/yggdrasil:matrix_server , получается что единственный вариант регистрировать внутри сети домен на ygg и тогда получится схема с выдачей на ygg.at, так?
А остальные лучше не использовать, типа .mob или .mirror ? Или они будут резолвится в clearnet через общедоступные DNS ?
В общем немного не понимаю, если есть возможность - можете пояснить или направить?
Да и выпускать руками не хотелось бы, они же там на 2-3 месяца даются, я на своем пучке сервисов это через Caddy делаю автоматом, одной головной болью меньше.
А в целом сеть - интересная задумка, в свете текущего и прогнозов. Для вариантов "ничего плохого не делаю, примус починяю"
#23
Разное / Re: Yggdrasil и httpS ресурсы ...
Last post by Revertron - December 28, 2023, 01:27:55 PMЕсли пользоваться доменами из клирнета, то никаких проблем нет.
Даже если у вас домен используется только в Yggdrasil, то можно подтверждать выдачу сертификатов по DNS.
Даже если у вас домен используется только в Yggdrasil, то можно подтверждать выдачу сертификатов по DNS.
#24
Разное / Yggdrasil и httpS ресурсы - ес...
Last post by Meettya - December 28, 2023, 06:15:13 AMА подскажите, пожалуйста, какие есть надежды на какую-то поддержку https в сети?
Понятно, что внутри сети траффик шифруется, но как быть с браузерами?
Положим, библиотека crypto не будет работать на http сервере (localhost и всякие 127 там хардкодом в исключениях), да и много чего еще.
Может там есть какой-то план прикрутить сертификаты прямо в сети? Без этого нормально отзеркалить свои сервисы в сетку не получится, а было бы неплохо.
Понятно, что внутри сети траффик шифруется, но как быть с браузерами?
Положим, библиотека crypto не будет работать на http сервере (localhost и всякие 127 там хардкодом в исключениях), да и много чего еще.
Может там есть какой-то план прикрутить сертификаты прямо в сети? Без этого нормально отзеркалить свои сервисы в сетку не получится, а было бы неплохо.
#25
Server software in Yggdrasil / Re: Tailscale
Last post by Revertron - December 08, 2023, 06:47:52 PMI've used Yggdrasil over Wireguard for some time.
There is a script to install WG, routing for Ygg, and create client configs: https://up.revertron.com/wg-ygg-install.sh
There is a script to install WG, routing for Ygg, and create client configs: https://up.revertron.com/wg-ygg-install.sh
#26
Server software in Yggdrasil / Tailscale
Last post by Blade - December 08, 2023, 12:15:31 PMJust wonder
#27
Yggdrasil Discussion / Re: What is your practical use...
Last post by Revertron - September 06, 2023, 05:00:15 PMThere is an alternative DNS solution - ALFIS.
It is a micro-blockchain, that you can run even on your router, that will provide you with trusted DNS responses.
It is a micro-blockchain, that you can run even on your router, that will provide you with trusted DNS responses.
#28
Server software in Yggdrasil / Re: What would in-network emai...
Last post by sdgathman - September 06, 2023, 04:16:09 PMSee https://fedoramagazine.org/decentralize-common-fedora-apps-cjdns/ for examples with linphone and opensmtpd. It uses Cjdns - but yggdrasil works the same.
#29
Yggdrasil Discussion / Re: What is your practical use...
Last post by sdgathman - September 06, 2023, 04:12:15 PMBesides authorized services, Cjdns and yggdrasil allow common applications to be fully decentralized.
DNS is federated, but was centralized via ICANN (who can spoof/cancel domains at will). Not everyone is up to running their own nameserver and making DNS federated again. (However, see https://www.opennic.org for an alternate centralized root zone.)
TLS depends on a shadowy cabal that determines what CAs are trusted. All mainstream browsers either trust a CA fully, or not at all. (Need browser extensions to "veto" CAs using information in the cert. E.g. trust this CA only for .GEEK tld.) This allows the cabal to man in the middle TLS connections.
By using raw Yggdrasil/Cjdns ips, you get the equivalent of TLS connections without the risk of getting fooled by ICANN or TLS cabal. Opensmtpd works well for fully decentralized email in this manner. SIP phones like Linphone can call a raw ip6 - and these work just as well as phone numbers in the address book.
XMPP and Matrix want a domain - so you can either go with federated DNS and TLS, or just add the hostnames to /etc/hosts with ygg/cjd IP.
DNS is federated, but was centralized via ICANN (who can spoof/cancel domains at will). Not everyone is up to running their own nameserver and making DNS federated again. (However, see https://www.opennic.org for an alternate centralized root zone.)
TLS depends on a shadowy cabal that determines what CAs are trusted. All mainstream browsers either trust a CA fully, or not at all. (Need browser extensions to "veto" CAs using information in the cert. E.g. trust this CA only for .GEEK tld.) This allows the cabal to man in the middle TLS connections.
By using raw Yggdrasil/Cjdns ips, you get the equivalent of TLS connections without the risk of getting fooled by ICANN or TLS cabal. Opensmtpd works well for fully decentralized email in this manner. SIP phones like Linphone can call a raw ip6 - and these work just as well as phone numbers in the address book.
XMPP and Matrix want a domain - so you can either go with federated DNS and TLS, or just add the hostnames to /etc/hosts with ygg/cjd IP.
#30
Yggdrasil Discussion / Re: What is your practical use...
Last post by sdgathman - September 06, 2023, 03:49:48 PMYggdrasil does relay when you have 2 or more peers (otherwise there is no point).
My practical use is an an alternative to Cjdns that uses TCP instead of UDP (which evades different kinds of attempts to block vpns).
What did I use Cjdns for? The e2e encryption and IP authentication provide a simplified alternative to private certificate authority schemes with signed certs used by large corporations. For any service, I just list all the Cjdns/ygg ips authorized to use it. (E.g. using ipset.) An example would be nameservers. Recursive nameservers are hard to make public without getting DoSed.
Obviously, this doesn't scale - those lists of IPs become like /etc/hosts. This is why Big Corps use a private CA. The central authority also obviates the need for lists of ips on each service - the signed certs list what services they are authorized to access.
A key principle to take away is the distinction between authentication (not an imposter) and authorization (are you authorized to use this service).
You could scale the lists of IPs by providing a well known service that returns whether an IP is authorized for a service (or just return a list of authorized services which can be cached).
As for VPN use, yggdrasil fools firewalls that try to block vpns (by blocking UDP traffic), but allow websites (with possible blacklist). On the other hand, Cjdns connects from behind firewalls that block web traffic, but allow UDP sessions on random ports.
My practical use is an an alternative to Cjdns that uses TCP instead of UDP (which evades different kinds of attempts to block vpns).
What did I use Cjdns for? The e2e encryption and IP authentication provide a simplified alternative to private certificate authority schemes with signed certs used by large corporations. For any service, I just list all the Cjdns/ygg ips authorized to use it. (E.g. using ipset.) An example would be nameservers. Recursive nameservers are hard to make public without getting DoSed.
Obviously, this doesn't scale - those lists of IPs become like /etc/hosts. This is why Big Corps use a private CA. The central authority also obviates the need for lists of ips on each service - the signed certs list what services they are authorized to access.
A key principle to take away is the distinction between authentication (not an imposter) and authorization (are you authorized to use this service).
You could scale the lists of IPs by providing a well known service that returns whether an IP is authorized for a service (or just return a list of authorized services which can be cached).
As for VPN use, yggdrasil fools firewalls that try to block vpns (by blocking UDP traffic), but allow websites (with possible blacklist). On the other hand, Cjdns connects from behind firewalls that block web traffic, but allow UDP sessions on random ports.