We need your help for a safer and a more security compliant internet, please vote!

Imtek

Things like IPv6, DNSSEC, SSL, DANE, DMARC, SPF and DKIM are increasingly getting more important for you as an entrepreneur/end user in terms of security on the internet.

Help all DirectAdmin end-users by voting to have these features enabled by default in DirectAdmin!


Thank you in advance!
 
you as an entrepreneur
Well I am not an entrepreneur. Just a Regular ole admin.

I think the "on by default" is what throws some people. All of these items are doable now in the system. The admin just needs to do them. I have most of them on on my systems.

Default needs to follow the 80/20 rule. If 80% of the world needs or requires these then they should be default. Like SSL is the standard so it should be defaulted in all of the configs, but it's not :unsure:. I don't live in the Netherlands but it's the only country I ever see anyone from ask for this. Which to me says it's not 80% of places. Which is why there aren't a lot of votes. Again I don't think they are bad things to turn on. I would turn on TLSA, DKIM, and DMARC as default.

Historically here the ask has always been we need an option to do X. I totally agree these items make things safer. The issue is DA is used all over the world. Certain countries have different requirements and needs. The other thing is a lot of these options are not widely adopted.. I mean IPv6 right...
 
@Imtek As CAA records are already possible to make in DNS manager, what do you mean by this being disabled by default?

I myself wouldn't turn things like DNSSEC and DMARC on by default, for example.
Reason is that DMARC depends on SPF and DKIM being set up correctly, which not everybody can do. Sometimes on forwards, due to DMARC, things get into the spam folder, which is not the wanted behaviour.
Also users don't always know how to implement DNSSEC into their system. Not every registrar supports that, and those who do don't always support it on every TLD, so for now it does not need to be enabled by default imho.

HSTS is a good idea.

So I upvoted DKIM, TLSA (in directadmin.conf on by default) and HSTS.
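
The forwarding problem described in the post above, as an added example that is not part of the original thread: a simplified DMARC evaluation showing why a forwarded message fails when only SPF is in place and passes when an aligned DKIM signature survives the forward. The domains are constructed, and treating the last two labels as the organizational domain is an assumption (real receivers use the Public Suffix List).

```python
from dataclasses import dataclass

@dataclass
class Auth:
    spf_pass: bool     # SPF verdict for the envelope sender (MAIL FROM) domain
    spf_domain: str    # domain that SPF was evaluated against
    dkim_pass: bool    # True if a DKIM signature verified
    dkim_domain: str   # d= domain of that signature ("" if unsigned)

def org_domain(domain):
    # Assumption: organizational domain = last two labels.
    # Real receivers consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain):
    # Relaxed alignment: organizational domains must match.
    return bool(auth_domain) and org_domain(auth_domain) == org_domain(from_domain)

def dmarc(from_domain, auth, policy):
    """Return 'pass', or the action the published policy requests on failure."""
    spf_ok = auth.spf_pass and aligned(auth.spf_domain, from_domain)
    dkim_ok = auth.dkim_pass and aligned(auth.dkim_domain, from_domain)
    if spf_ok or dkim_ok:          # one aligned pass is enough
        return "pass"
    return policy                  # 'none', 'quarantine' or 'reject'

def scenarios(policy="quarantine"):
    # Constructed cases for mail with From: user@example.com
    cases = {
        # Sent directly from a host listed in example.com's SPF record.
        "direct, SPF only": Auth(True, "example.com", False, ""),
        # Forwarder keeps the envelope sender; its IP is not in the SPF record.
        "forwarded, SPF only": Auth(False, "example.com", False, ""),
        # Forwarder rewrites the envelope sender: SPF passes but is unaligned.
        "forwarded, rewritten sender": Auth(True, "forwarder.example.net", False, ""),
        # Same forward, but the unmodified message carries an aligned DKIM signature.
        "forwarded, DKIM signed": Auth(False, "example.com", True, "mail.example.com"),
    }
    return {name: dmarc("example.com", a, policy) for name, a in cases.items()}

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:30} -> {result}")
```

With a `quarantine` policy, both SPF-only forwards end up in the spam folder while the DKIM-signed forward passes, which is the case for having DKIM working before DMARC is enforced.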
 
@bdacus01

Most of the features are there, but not on by default, they are implemented but not available to the public if they are not enabled by default or offered to the end user as a possibility.

It would help the adoption of these standards, these standards are not only applicable to the Netherlands but the internet as a whole.

Of course some standards will not be adopted directly or used in some countries. It is true that we are one of the countries that is more active in the implementation of these standards due to government funding and/or non-profits that are active in the promotion of these standards, like platform internet standardisation (internet.nl).
 
@Richard G

The implementation of DNSSEC, DANE and are very environment configurations related to registrars and automation of it, but if you manually sign your zones with DNSSEC it is still possible.

So why not have it enabled? I understand that the end effect of it when you misconfigure it may cause problems, but that is even possible with a thing like DNS records being removed from a domain that are required to make a domain resolvable.
 
they are implemented but not available to the public
That is only because the admin hasn't turned them on.. Not because they are not defaulted on.
the internet as a whole.
That's not really true though. There is no Internet police or law that states everyone must have these things.. That's the rub.. we just should self police and do what's right defaulted or not.

None of these things are bad and should they be adopted. As a US admin I have and encourage others to turn these things on.

It is like wishing everyone was not on CentOS 5 or 6. As well as no PHP 5 existed in the world...
 
I honestly think what DirectAdmin needs the most right now is a 'Tweak Settings' equivalent. There are so many options that can be added and most people are unaware of them. Whether a prompt is given during installation where all these options can be enabled or a menu option.

This would reduce many queries about these topics.
 
I understand that the end effect of it when you misconfigure it may cause problems
DNS does not get wrong that fast. And easier to fix. If not, then people should not even start with DNSSEC.
But mostly like I said, registrars don't even have their things in order for DNSSEC and especially DANE. So at least for this reason already there I don't see any reason to enable it by default. It would only create more support issues and things. While there is not yet a strict need for DNSSEC and DANE.
Nowadays there is also another thing, let me look it up....ah yeah... a BIMI record. It's nice but all parties involved should make use of it and SPF is not even used and checked by everybody.
So your statement about the internet as a whole doesn't work. Even Microsoft is not using certain protections, at least not long ago I could send a mail from my ISP with the from of [email protected] and still being delivered in the inbox of big ISPs.

Too many users don't even know and if they see it in their DNS manager, they are going to fuzz with it, so that's why I don't vote to have DNSSEC and DANE on by default.
It might be changed later on, I just don't see any benefit enabling it by default now. But everybody is free to vote how they want of course.

but if you manually sign your zones with DNSSEC it is still possible.
DNSSEC has to be enabled by both your server and the registrar to have verification in place. How is it still possible to enable your DNSSEC and it can not be verified? So how do you make that possible?
 