
Add DNSSEC notes etc.

Håvard O. Nordstrand 4 years ago
parent
commit
e4bd41912f

+ 1 - 1
config/game-server/minecraft-bukkit.md

@@ -22,7 +22,7 @@ This page is intended for the Bukkit server software or any of its derivatives,
 ## Server Managers
 
 - [Pterodactyl](https://pterodactyl.io/):
-    - See [Linux Server Applications: Pterodactyl](../../linux-server/applications/#pterodactyl)).
+    - See [Linux Server Applications: Pterodactyl](/config/linux-server/applications/#pterodactyl)).
     - Open-source.
     - Free to use.
     - Modern.
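Review bot: the Pterodactyl link still carries a doubled closing parenthesis, `See [Linux Server Applications: Pterodactyl](/config/linux-server/applications/#pterodactyl)).`, which renders as a stray `)` after the link; since this line is being rewritten anyway, drop the extra one so it ends `#pterodactyl).`.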

+ 1 - 1
config/general/computer-testing.md

@@ -59,6 +59,6 @@ fio --name=random-write --ioengine=posixaio --rw=randwrite --bs=1m --size=16G --
 ### smartmontools (Linux)
 
 - For health testing.
-- See [smartmontools](../../linux-general/applications/#smartmontools).
+- See [smartmontools](/config/linux-general/applications/#smartmontools).
 
 {% include footer.md %}

+ 8 - 4
config/linux-server/debian.md

@@ -24,7 +24,7 @@ Using **Debian 10 (Buster)**.
 - Use separate password for root and your personal admin user.
 - System disk partitioning:
     - (Recommended for "simple" systems) Manually partition: One partition using all space, mounted as EXT4 at `/`.
-    - (Recommended for "complex" systems) Manually partition, see [system storage](../storage/#system-storage).
+    - (Recommended for "complex" systems) Manually partition, see [system storage](/config/linux-server/storage/#system-storage).
     - Swap can be set up later as a file or LVM volume.
     - When using LVM: Create the partition for the volume group, configure LVM (separate menu), configure the LVM volumes (filesystem and mount).
 - At the software selection menu, select only "SSH server" and "standard system utilities".
@@ -117,8 +117,12 @@ If you didn't already configure this during the installation. Typically the case
     1. Monitor disk: `smartctl -s on <dev>`.
 1. Setup lm_sensors to monitor sensors:
     1. Install: `apt install lm-sensors`
-    1. Run `sensors` to make sure it runs without errors.
-    1. For further configuration (more sensors) and more info, see [Linux Server Applications: lm_sensors](../applications/#lm_sensors).
+    1. Run `sensors` to make sure it runs without errors and shows some (default-ish) sensors.
+    1. For further configuration (more sensors) and more info, see [Linux Server Applications: lm_sensors](/config/linux-server/applications/#lm_sensors).
+1. Check the performance governor and other frequency settings:
+    1. Install `linux-cpupower`.
+    1. Run `cpupower frequency-info` to show the boost state (should be on) (Intel) and current performance governor (should be "ondemand" or "performance").
+    1. Fix it something is wrong: Google it.
 1. (Optional) Mask `ctrl-alt-del.target` to disable CTRL+ALT+DEL reboot at the login screen.
 
 #### QEMU Virtual Host
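Review bot: typo in the new step `1. Fix it something is wrong: Google it.`, which should read `Fix it if something is wrong`. In the same block, `1. Install `linux-cpupower`.` gives no command while the lm_sensors step just above spells out `apt install lm-sensors`; for consistency write `apt install linux-cpupower`. The boost-state check is marked "(Intel)" only, so it would help to say whether the step applies to AMD hosts as well or what to expect there.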
@@ -209,7 +213,7 @@ Everything here is optional.
         - Check: `swapon --show`
     1. Add it to fstab using this line: `/swapfile swap swap defaults 0 0`
         - Check: `mount -a`
-- Setup Postfix mail relay: See [Linux Server Applications: Postfix](../applications/#postfix).
+- Setup Postfix mail relay: See [Linux Server Applications: Postfix](/config/linux-server/applications/#postfix).
 - Prevent root local login:
     - Alternatively, keep it enabled with a strong password as a local backdoor for recovery or similar.
     - Add a personal user first.

+ 2 - 2
config/linux-server/storage.md

@@ -27,7 +27,7 @@ Using **Debian**, unless otherwise stated.
 - Addressing modes: Cylinder, head and sector (CHS) (old and HDD-based) and logical block addressing (LBA) (new and hardware agnostic).
 - After receiving a new drive or after transporting an existing drive, you should run a SMART conveyance test,
   which is similar to a short test but targeted at this scenario.
-  See [smartmontools](../../linux-general/applications/#smartmontools).
+  See [smartmontools](/config/linux-server/applications/#smartmontools).
 - Alignment and block sizes:
     - Using a logical block size smaller than the physical one or misaligning logical and physical blocks will cause reduced performance, mainly for small writes.
     - Main variants:
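Review bot: the rewritten smartmontools link now points to `/config/linux-server/applications/#smartmontools`, but the equivalent change in `config/general/computer-testing.md` in this same commit points to `/config/linux-general/applications/#smartmontools`, and the old relative path here was `../../linux-general/applications/#smartmontools`. So this hunk changes the target page, not just the path style. Confirm which page actually carries the smartmontools section and use the same absolute target in both files; the `### SMART` hunk further down in this file has the same discrepancy.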
@@ -106,7 +106,7 @@ Attributes 1 (Raw Read Error Rate) and 7 (Seek Error Rate) can be a bit misleadi
 
 ### SMART
 
-See [smartmontools](../../linux-general/applications/#smartmontools).
+See [smartmontools](/config/linux-server/applications/#smartmontools).
 
 For HDDs, the following attributes should stay near 0 and should not be rising. If they are, it may indicate the drive is about to commit seppuku.
 

+ 3 - 3
config/network/cisco-hardware.md

@@ -11,9 +11,9 @@ Hardware and special configuration for Cisco equipment.
 ### Related Pages
 {:.no_toc}
 
-- [Cisco IOS General](../cisco-ios-general/)
-- [Cisco IOS Routers](../cisco-ios-routers/)
-- [Cisco IOS Switches](../cisco-ios-switches/)
+- [Cisco IOS General](/config/network/cisco-ios-general/)
+- [Cisco IOS Routers](/config/network/cisco-ios-routers/)
+- [Cisco IOS Switches](/config/network/cisco-ios-switches/)
 
 ## ASR General
 

+ 3 - 3
config/network/cisco-ios-general.md

@@ -11,9 +11,9 @@ Software configuration for Cisco switches and routers running IOS or derivatives
 ### Related Pages
 {:.no_toc}
 
-- [Cisco Hardware](../cisco-hardware/)
-- [Cisco IOS Routers](../cisco-ios-routers/)
-- [Cisco IOS Switches](../cisco-ios-switches/)
+- [Cisco Hardware](/config/network/cisco-hardware/)
+- [Cisco IOS Routers]/config/network/cisco-ios-routers/)
+- [Cisco IOS Switches](/config/network/cisco-ios-switches/)
 
 ## Resources
 

+ 3 - 3
config/network/cisco-ios-routers.md

@@ -11,9 +11,9 @@ Software configuration for Cisco routers running IOS or derivatives.
 ### Related Pages
 {:.no_toc}
 
-- [Cisco Hardware](../cisco-hardware/)
-- [Cisco IOS General](../cisco-ios-general/)
-- [Cisco IOS Switches](../cisco-ios-switches/)
+- [Cisco Hardware](/config/network/cisco-hardware/)
+- [Cisco IOS General](/config/network/cisco-ios-general/)
+- [Cisco IOS Switches](/config/network/cisco-ios-switches/)
 
 ### Using
 {:.no_toc}

+ 3 - 3
config/network/cisco-ios-switches.md

@@ -11,9 +11,9 @@ Software configuration for Cisco switches running IOS or derivatives.
 ### Related Pages
 {:.no_toc}
 
-- [Cisco Hardware](../cisco-hardware/)
-- [Cisco IOS General](../cisco-ios-general/)
-- [Cisco IOS Routers](../cisco-ios-routers/)
+- [Cisco Hardware](/config/network/cisco-hardware/)
+- [Cisco IOS General](/config/network/cisco-ios-general/)
+- [Cisco IOS Routers](/config/network/cisco-ios-routers/)
 
 ### Using
 {:.no_toc}

+ 2 - 2
config/network/juniper-hardware.md

@@ -9,8 +9,8 @@ breadcrumbs:
 ### Related Pages
 {:.no_toc}
 
-- [Juniper Junos General](../juniper-junos-general/)
-- [Juniper Junos Switches](../juniper-junos-switches/)
+- [Juniper Junos General](/config/network/juniper-junos-general/)
+- [Juniper Junos Switches](/config/network/juniper-junos-switches/)
 
 ## EX3300
 

+ 2 - 2
config/network/juniper-junos-general.md

@@ -11,8 +11,8 @@ breadcrumbs:
 ### Related Pages
 {:.no_toc}
 
-- [Juniper Hardware](../juniper-hardware/)
-- [Juniper Junos Switches](../juniper-junos-switches/)
+- [Juniper Hardware](/config/network/juniper-hardware/)
+- [Juniper Junos Switches](/config/network/juniper-junos-switches/)
 
 ## Info
 

+ 2 - 2
config/network/juniper-junos-switches.md

@@ -11,8 +11,8 @@ breadcrumbs:
 ### Related Pages
 {:.no_toc}
 
-- [Juniper Hardware](../juniper-hardware/)
-- [Juniper Junos General](../juniper-junos-general/)
+- [Juniper Hardware](/config/network/juniper-hardware/)
+- [Juniper Junos General](/config/network/juniper-junos-general/)
 
 ### Using
 {:.no_toc}

+ 1 - 1
config/network/ubiquiti-unifi-aps.md

@@ -9,7 +9,7 @@ breadcrumbs:
 ### Related Pages
 {:.no_toc}
 
-- [Ubiquiti UniFi Controllers](../ubiquiti-unifi-controllers/)
+- [Ubiquiti UniFi Controllers](/config/network/ubiquiti-unifi-controllers/)
 
 ### Using
 {:.no_toc}

+ 2 - 2
config/network/ubiquiti-unifi-controllers.md

@@ -9,7 +9,7 @@ breadcrumbs:
 ### Related Pages
 {:.no_toc}
 
-- [Ubiquiti UniFi Access Points](../ubiquiti-unifi-aps/)
+- [Ubiquiti UniFi Access Points](/config/network/ubiquiti-unifi-aps/)
 
 ## Cloud Key
 
@@ -26,7 +26,7 @@ UniFi 5 is the latest version and does only officially support Debian 9 (Stretch
 Official installation instructions: [UniFi: How to Install & Upgrade the UniFi Network Controller Software](https://help.ubnt.com/hc/en-us/articles/360012282453-UniFi-How-to-Install-Upgrade-the-UniFi-Network-Controller-Software)
 
 1. Install Debian 9 (later versions don't have the required versions of Java etc.).
-1. Configure it: See [Debian Server](../server/../debian/) (for Debian 10).
+1. Configure it: See [Debian Server](/config/linux-server/debian/) (for Debian 10).
 1. Allow the following incoming ports (see [UniFi - Ports Used](https://help.ubnt.com/hc/en-us/articles/218506997-UniFi-Ports-Used)):
     - TCP 8080: Device-controller communication (for devices)
     - TCP 8443: GUI/API (for admins)

+ 2 - 2
config/virt-cont/proxmox-ve.md

@@ -29,7 +29,7 @@ Using **Proxmox VE 6**.
 
 ### Initial Configuration
 
-Follow the instructions for [Debian server basic setup](../debian/#initial-setup), but with the following exceptions and extra steps:
+Follow the instructions for [Debian](/config/linux-server/debian/), but with the following changes:
 
 1. Before installing updates, setup the PVE repos (assuming no subscription):
     1. Comment out all content from `/etc/apt/sources.list.d/pve-enterprise.list` to disable the enterprise repo.
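Review bot: the link rewrite drops the `#initial-setup` anchor and shortens the text from "Debian server basic setup" to just "Debian", so readers land at the top of the Debian page rather than at the specific section the exceptions listed below are relative to. If that anchor still exists on the target page, keep it: `[Debian server basic setup](/config/linux-server/debian/#initial-setup)`.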
@@ -318,7 +318,7 @@ Check the host system logs. It may for instance be due to hardware changes or st
 
 ## Ceph
 
-See [Storage: Ceph](../storage/#ceph) for general notes.
+See [Storage: Ceph](/config/linux-server/storage/#ceph) for general notes.
 The notes below are PVE-specific.
 
 ### Notes

+ 32 - 0
it/services/dns.md

@@ -6,6 +6,10 @@ breadcrumbs:
 ---
 {% include header.md %}
 
+## Basics
+
+Everyone knows this, no point reiterating.
+
 ## Special TLDs
 
 - `.localhost`: For statically defined domain names pointing to localhost. (RFC 2606)
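Review bot: the new `## Basics` section contains only `Everyone knows this, no point reiterating.`, which adds a heading to the table of contents with nothing under it. Either drop the section or give it one or two lines that actually orient the reader (for example the recursive-versus-authoritative split, since the DNSSEC section below relies on that distinction).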
@@ -13,4 +17,32 @@ breadcrumbs:
 - `.test`: For testing. (RFC 2606)
 - `.invalid`: For domain names that should never be valid. (RFC 2626)
 
+## DNSSEC
+
+- Domain Name System Security Extensions (DNSSEC).
+- DNSSEC is an extension of DNS for providing CA-style authentication for RRs by cryptographically signing them, thus eliminating DNS poisoning.
+- As well as providing authentication and integrity to existing records, it can prove non-existance of non-existing records.
+- IANA is the CA for DNSSEC with a single trusted root key.
+- Host systems and recursive DNS servers may be configured to validate received RRs for DNSSEC-enabled domains.
+- The set of all RRs of the same type for a domain is called an "RRset".
+- The presence if a DS record for a child zone signals that the child zone is DNSSEC-enabled.
+- The NSEC RR may be used to search for all subdomains and which RRs exist for them (aka "zone walking"), so _secret_ subdomains are no longer possible, although NSEC3 _partially_ prevents this. See "DNSSEC white lies" as well for more info.
+- A zone's RRsets may be signed in live mode, where the DNSKEY private key is present on the authorative DNS server(s), or in offline mode, where the zone's RRsets are signed in advance and the private key is somewhere safe.
+- Due to the size of DNSSEC record types, it makes the DNS server more vulnerable to amplification attacks.
+
+### New Record Types
+
+- DS (delegation signer):
+    - Fir bridging the trust from parent zone to child zone.
+    - Contains the key tag and hash digest of the DNSKEY of the current zone, as well as the DNSKEY algorithm and hash digest algorithm.
+    - Created by the current zone and added to the parent zone where it's signed by the parent.
+- DNSKEY:
+    - The public key used to verify RRSIGs.
+    - Takes the role "key signing key" (KSK), which signs the DNSKEY RRset (including itself), and/or "zone signing key" (ZSK), which signs all other RRsets.
+- RRSIG (resource record signature):
+    - Signature for an RRset.
+- NSEC (next secure record):
+    - For returning a signed/authenticated response for non-existing RRs, thus proving its non-existance.
+    - NSEC3 and NSEC3PARAM (NSEC v3, NSEC v3 parameters) do the same thing.
+
 {% include footer.md %}
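Review bot: several wording and accuracy points in the DNSSEC section. Typos: "non-existance" (twice) should be "non-existence", "The presence if a DS record" should be "presence of", "Fir bridging" should be "For bridging", and "authorative" should be "authoritative". The claim "thus eliminating DNS poisoning" overstates it: DNSSEC lets a validating resolver detect and reject forged RRsets, but it does nothing for clients behind a non-validating resolver and provides no confidentiality; "allowing validating resolvers to detect forged responses" would be accurate. "IANA is the CA for DNSSEC" mixes models: there is no X.509-style CA, trust is a chain of DS and DNSKEY records anchored at the root zone's KSK, which IANA/ICANN manages and validators hold as their trust anchor. In the DS bullet, "hash digest of the DNSKEY of the current zone" is more precisely the digest of the child zone's KSK, and the bullet switches between "current zone" and "child zone" for the same thing. The NSEC bullet says NSEC3PARAM does "the same thing" as NSEC3; NSEC3PARAM lives at the zone apex and only carries the hashing parameters (algorithm, iterations, salt) the authoritative server uses, it is not itself a denial-of-existence proof. On the amplification bullet, the risk is that larger signed responses make the server a more effective reflector toward spoofed third-party source addresses; a pointer to response rate limiting and to not running the authoritative server as an open recursor would make the note actionable. Unrelated context line, but while here: `.invalid ... (RFC 2626)` should be RFC 2606, the same RFC cited for `.localhost` and `.test`.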