How to keep yourself busy with local inf…

How to keep yourself busy with local infrastructure, episode 100:

I keep all my local stuff (rfc1918) below a public facing tld, served by my local OpnSense. Think: “printer.lan.example.com”.

Not that big of an issue.

BUT: I also have a few public facing services below the same top level domain, e.g. “vault.example.com”.

Now I thought it would be a brilliant idea to finally enable DNSSEC for that domain.

Well, guess what broke after I created the DNSSEC records for the top level domain. 🤕

· 2022-11-08· #mastodon

/posts/mastodon/

Reaktionen

Antworten

@bascht 🙌🏼

Alright, let me tell you how this is now actually a good thing:I had a spare unused TLD lying around (don't ask) and just switched OpnSense to announce it as the new local domain. Now that I have a proper separation of outer and inner zones, I can start issuing proper TLS certificates for internal services. 💖

Since I already had a working Wireguard setup, this essentially means: All the benefits of Tailscale, without Tailscale. All local devices are discoverable and remotely reachable via their own DHCP hostnames + the tld. In case it's needed, I can use any old acme client and put a valid SSL certificate in front of them. I'm in awe.

Jetzt kommentieren

Ähnliche Beiträge