| 15 May 2025 |
 @emma:rory.gay | at most in 90 days | 18:04:43 |
 dgrig | When my homeserver died I was back and federating within 12 hours or so. It would have been the same case if the domain was taken over.
The spec mentions this https://spec.matrix.org/v1.14/server-server-api/#security-considerations
| 18:05:46 |
 @saiko:knifepoint.net | ah cool, good to know! | 18:05:53 |
| @saiko:knifepoint.net | so the domain isn’t “bricked” if you lose the key, that would suck | 18:06:22 |
| dgrig | My understanding is that keys are trusted immediately on Synapse | 18:10:45 |
 f0x | huh.. that seems.. bad | 18:23:22 |
| dgrig | Given the various issues with dnssec or hpkp, it's somewhat reasonable that we're at this state currently. It's not ideal though indeed | 18:34:43 |
| 16 May 2025 |
 @aloisw:julia0815.de | DNSSEC will also not help you for the "domain takeover" case at all. | 07:08:36 |
| dgrig | My comment about dnssec and hpkp was an example on how losing keys can have serious impact on a service that we've seen people aren't prepared for in the real world. | 07:15:21 |
| @aloisw:julia0815.de | Key pinning for sure, but I somehow fail to see what the failure mode for DNSSEC here should be. You can just publish new keys and things should work again at most a TTL later. | 07:24:25 |
| @aloisw:julia0815.de | On the other hand of course there is always going to be a trade-off between not being vulnerable to domain takeover and allowing recovery for lost keys. | 07:28:21 |
| @aloisw:julia0815.de | (Or, for that matter, to allow a legitimate new owner of the domain to use it for their purposes.) | 07:29:06 |
| dgrig | ack, dnssec might have not been the best example, but I think it still illustrates the point that systems that require key management are more complex. I don't have numbers for this, but I would love knowing how many homeservers would have issues federating if keys took longer to be trusted again (i.e. how many people recreate their HS without a backup of the keys). | 07:39:41 |
|  mk360 joined the room. | 12:14:00 |
| mk360 | how do i enable chaotic-nyx flake in nixos | 12:14:59 |
| mk360 | i need the cachyos kernel in my system | 12:15:11 |
 K900 | This is the wrong room for this | 12:15:41 |
| K900 | Also please don't use riced kernels, they don't actually help | 12:15:48 |
| mk360 | how so | 12:15:58 |
| mk360 | this one has lto optimization | 12:16:03 |
| mk360 | i need that | 12:16:05 |
| K900 | Can you explain to me, in three sentences or less, what "lto optimization" is and why it matters to you? | 12:16:41 |
| K900 | Except "the internet said it makes more fast" | 12:16:49 |
| mk360 | i guess so whatever | 12:17:41 |
| mk360 | anyways how do i get nvidia drivers unstable in nixos | 14:04:08 |
| K900 | This is the wrong room for this | 14:12:44 |
| K900 | You want #Nix / NixOS | 14:12:47 |
| K900 | If you need an invite to that, you can ask here | 14:12:53 |
| mk360 | I am asking for an invite | 14:16:23 |
| K900 | Sent | 14:17:22 |
