| 15 May 2025 |
 f0x | In reply to @dgrig:erethon.com
(This is a bit pedantic, but it's good that people are informed. Leaving rooms in matrix isn't enough from a moderation perspective. Because if they ever rejoin they'll have the power level they had when they left unless they were demoted. And if the domain ever expires, anyone can take over the domain and recreate any users.) no? federation relies on request signatures, and someone taking over the domain won't have access to your homeserver's key | 17:59:08 |
 @saiko:knifepoint.net | In reply to @f0x:pixie.town
no? federation relies on request signatures, and someone taking over the domain won't have access to your homeserver's key what happens if the key for a homeserver changes, for example in this case? | 18:03:22 |
 @emma:rory.gay | over time homeservers will accept the new key | 18:04:33 |
| @emma:rory.gay | at most in 90 days | 18:04:43 |
 dgrig | When my homeserver died I was back and federating within 12 hours or so. It would have been the same case if the domain was taken over.
The spec mentions this https://spec.matrix.org/v1.14/server-server-api/#security-considerations
| 18:05:46 |
| @saiko:knifepoint.net | ah cool, good to know! | 18:05:53 |
| @saiko:knifepoint.net | so the domain isn’t “bricked” if you lose the key, that would suck | 18:06:22 |
| dgrig | My understanding is that keys are trusted immediately on Synapse | 18:10:45 |
| f0x | huh.. that seems.. bad | 18:23:22 |
| dgrig | Given the various issues with dnssec or hpkp, it's somewhat reasonable that we're at this state currently. It's not ideal though indeed | 18:34:43 |
| 16 May 2025 |
 @aloisw:julia0815.de | DNSSEC will also not help you for the "domain takeover" case at all. | 07:08:36 |
| dgrig | My comment about dnssec and hpkp was an example on how losing keys can have serious impact on a service that we've seen people aren't prepared for in the real world. | 07:15:21 |
| @aloisw:julia0815.de | Key pinning for sure, but I somehow fail to see what the failure mode for DNSSEC here should be. You can just publish new keys and things should work again at most a TTL later. | 07:24:25 |
| @aloisw:julia0815.de | On the other hand of course there is always going to be a trade-off between not being vulnerable to domain takeover and allowing recovery for lost keys. | 07:28:21 |
| @aloisw:julia0815.de | (Or, for that matter, to allow a legitimate new owner of the domain to use it for their purposes.) | 07:29:06 |
| dgrig | ack, dnssec might have not been the best example, but I think it still illustrates the point that systems that require key management are more complex. I don't have numbers for this, but I would love knowing how many homeservers would have issues federating if keys took longer to be trusted again (i.e. how many people recreate their HS without a backup of the keys). | 07:39:41 |
|  mk360 joined the room. | 12:14:00 |
| mk360 | how do i enable chaotic-nyx flake in nixos | 12:14:59 |
| mk360 | i need the cachyos kernel in my system | 12:15:11 |
 K900 | This is the wrong room for this | 12:15:41 |
| K900 | Also please don't use riced kernels, they don't actually help | 12:15:48 |
| mk360 | how so | 12:15:58 |
| mk360 | this one has lto optimization | 12:16:03 |
| mk360 | i need that | 12:16:05 |
| K900 | Can you explain to me, in three sentences or less, what "lto optimization" is and why it matters to you? | 12:16:41 |
| K900 | Except "the internet said it makes more fast" | 12:16:49 |
| mk360 | i guess so whatever | 12:17:41 |
| mk360 | anyways how do i get nvidia drivers unstable in nixos | 14:04:08 |
| K900 | This is the wrong room for this | 14:12:44 |
| K900 | You want #Nix / NixOS | 14:12:47 |
