

Trust anchor

All my domains are under the control of stargrave.org’s nameservers. DNSSEC inherently sucks, at least because it is a global-scale PKI, so it is not secure against a government-level adversary. That is why my nameservers use DNSCurve technology. All my TLS certificates use DANE, so their subject public key hashes are stored inside DNS TLSA records. However, all those certificates are also signed by my own ca.cypherpunks.ru and cagost.cypherpunks.ru CAs.

My authoritative DNSCurve nameservers are listed below in a PGP-signed message. Of course, the trust anchor is my PGP key.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

uz5nulnd504gp3s7sdmdl5l2gxc762hpw926t90k39ltxp67flbccn
uz544mqwggqbf3z4utlhfqn45vpbpq78nc63hpg5u2ut29stkt0pkr
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEIpNVsPbb+nIRVbvGHh7ERWs1C6UFAmI8yxoACgkQHh7ERWs1
C6VesA/8CGuX4oDajykMZRG4aI4T6Z474V4/n6DV3A4q0N9YruFdvrqOR/FnNQws
ov9AhhO+DXsT9q6bAkkXcBgVCioqFxhRCfzQ7UcPXrtkiqHtLlcXd391N6Xpo1jC
woa9SbL8bz7ZFIyClAWhnaInUWjMjX1BGMWoKX4KERceXzPuh1qrSoOqMnf2FGTp
wAaCoO4aaTg9wwbFpth4Lr5EgKr09+pNI1vseKBqbCjjXD8UzBripP/7Ca8I1P3h
9xMSNYKv7ZYV5KET2WIFEBGmTk7Dw/xrF5Rgwfnru7Xbn5F73Vv3qjbca+SVVswa
jTdkgNldE/CU4/KOR7NJSHVMDOkq0edjVIoJ+49LRk6X1kEFl9H06Ng70PnIkefi
LC86XHWLdCxy9mtCd+DYfvAFS2kzCl5zB5+IFdBu6ipPBTcw3fNByMjBQMhuz+WB
TaistkNvi99KUHHj7Hu6an1UicwdCGQ3M0pqQ4guMrQ/GkywLqxDxccC2V3v+LOz
GIjNE5pCZ9ETHgOwOtiB1UUjydL446eopbpkPByMR7PbKd/Tdk8LaixFcpZz69Ka
Cr7iOowB7/jyuWVBWMbYepDUl575Xcxvp9foRjNfJMLlKqJb4X6mlXpNv5tkLkcg
Rf9Rkpf6yUoiL4UrOomqx3hpZ6F53kWNqngA9FzV7gfqn9eza1Y=
=6qvm
-----END PGP SIGNATURE-----

Also, nearly all my domains have a y. prefix, leading to a Yggdrasil-accessible address.
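
An added example, not code from this site or from the DNSCurve project: each name in the signed message above follows the DNSCurve convention of the prefix uz5 followed by 51 base-32 digits that encode the server's 255-bit Curve25519 public key in little-endian order. The Python below extracts that key from a label so it can be compared with the key a resolver pins; the function names are illustrative, and it assumes the labels were copied from the message after its PGP signature was verified.

```python
# Added example: decode DNSCurve nameserver labels into Curve25519 public keys.
ALPHABET = "0123456789bcdfghjklmnpqrstuvwxyz"  # DNSCurve base-32 digits
MAGIC = "uz5"        # marks a label that carries a DNSCurve public key
KEY_CHARS = 51       # 51 digits * 5 bits = 255 bits


def b32_to_int(text):
    """Little-endian base-32: the first character holds the lowest 5 bits."""
    n = 0
    for i, ch in enumerate(text):
        digit = ALPHABET.find(ch)
        if digit < 0:
            raise ValueError(f"{ch!r} is not a DNSCurve base-32 digit")
        n |= digit << (5 * i)
    return n


def int_to_b32(n, length):
    """Inverse of b32_to_int for a fixed number of digits."""
    return "".join(ALPHABET[(n >> (5 * i)) & 31] for i in range(length))


def label_to_key(label):
    """Return the 32-byte public key carried by a uz5... label."""
    label = label.strip().lower().split(".")[0]  # accept a full host name too
    if not label.startswith(MAGIC) or len(label) != len(MAGIC) + KEY_CHARS:
        raise ValueError("not a DNSCurve key label")
    return b32_to_int(label[len(MAGIC):]).to_bytes(32, "little")


def key_to_label(key):
    """Re-encode a 32-byte key; used to confirm the decoding round-trips."""
    n = int.from_bytes(key, "little")
    if len(key) != 32 or n >> 255:
        raise ValueError("expected a 32-byte key with the top bit clear")
    return MAGIC + int_to_b32(n, KEY_CHARS)


# The two labels from the signed message on this page.
SIGNED_LABELS = [
    "uz5nulnd504gp3s7sdmdl5l2gxc762hpw926t90k39ltxp67flbccn",
    "uz544mqwggqbf3z4utlhfqn45vpbpq78nc63hpg5u2ut29stkt0pkr",
]

if __name__ == "__main__":
    for label in SIGNED_LABELS:
        print(label, "->", label_to_key(label).hex())
```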