Categories
Announcements Q&A

Two Factor Auth Q and A

We’ve received a bunch of questions about YubiKey two factor authentication, so we’re going to summarize them here.

How can I add a YubiKey to my account?

Email support@rollernet.us with your account name and your 12 character key IDs. Online management is in development. Once keys are associated to your account you won’t be able to log in to the account control center without providing the OTP at login time.

Do you support multiple keys?

Yes. In the current test phase we’re only supporting two keys per account: primary and secondary. We plan to allow an arbitrary number of YubiKeys to be associated with an account and support both OTP and U2F.

How do I recover access if my key is lost?

We encourage a backup key (or two) for safekeeping in case the primary is lost, stolen, or damaged. Most people will carry their primary key with them on a daily basis. The backup key(s) should be kept in a safe, secure, or trusted location. We don’t like the idea of disabling the second factor to “recover” access because doing so defeats its purpose if it can be easily turned off.

Are you going to support Google Authenticator?

We’re also looking at support for Google Authenticator (TOTP) and Authy as other methods, but for now we’re focusing on YubiKey since we use them internally at our office.

Categories
Changes

Primary DNS: TLSA Record Support

Support for the TLSA record has been added to the Primary DNS service.

We’ve also streamlined the display for SSHFP records in this update.

Categories
Announcements Changes

Control Center Updates

We’ve made a few minor updates to the account control center in preparation for a major update to the account profile section, which will include a new way of selecting service levels for Mail and DNS accounts that we intend to be less confusing than the current method.

The main login screen has also changed slightly: there’s an additional field for a YubiKey OTP. This two factor authentication method is currently in early testing, so if you have a YubiKey and want to add it to your account, please contact us with your 12 character key ID and account name. Up to two keys are supported at this time. If you don’t have a YubiKey, leave this third field blank and the normal login process with password-only remains unchanged. Once you have a YubiKey associated to your account you must use it to log in.
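The login rule described above, written out as an added Python example (not RollerNet's code). It relies on the standard Yubico OTP layout of 44 modhex characters whose first 12 are the key ID; `check_second_factor`, the injected `verify_otp` callable (standing in for a call to an OTP validation service) and the sample values are hypothetical.

```python
import hmac
import re

# A standard Yubico OTP is 44 modhex characters; the first 12 are the key ID.
MODHEX_OTP = re.compile(r"^[cbdefghijklnrtuv]{44}$")
ID_LEN = 12

# Constructed sample values, not real key material.
SAMPLE_ID = "ccccccbcdefg"
SAMPLE_OTP = SAMPLE_ID + "h" * 32


def check_second_factor(registered_ids, otp_field, verify_otp):
    """Apply the login policy to the third (OTP) login field.

    registered_ids: key IDs on the account (none, primary, or primary+secondary).
    otp_field: raw text submitted in the OTP field.
    verify_otp: callable(otp) -> bool; assumed to ask a validation service
                whether the OTP is genuine and has not been used before.
    Returns (allowed, reason).
    """
    otp = otp_field.strip().lower()
    if not registered_ids:
        # No key on the account: password-only login is unchanged.
        # Assumption: a stray value in the OTP field is ignored here.
        return (True, "no key registered")
    if not otp:
        # A key is registered, so a blank field must not fall back
        # to password-only login.
        return (False, "otp required")
    if not MODHEX_OTP.match(otp):
        return (False, "malformed otp")
    public_id = otp[:ID_LEN].encode()
    # Check every registered ID with a constant-time comparison.
    matched = False
    for key_id in registered_ids:
        matched |= hmac.compare_digest(public_id, key_id.lower().encode())
    if not matched:
        # A valid OTP from someone else's key must not open this account.
        return (False, "key not registered to account")
    if not verify_otp(otp):
        return (False, "otp rejected")
    return (True, "otp accepted")
```

The key ID match alone proves nothing, since the ID is sent in the clear with every OTP; the decision still depends on `verify_otp` confirming the one-time part.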

Categories
Announcements

Advanced Business Broadband – Project Canceled

We regretfully must announce the cancellation of the Advanced Business Broadband service we previously mentioned.

In summary, we were working with Straight Path to lease spectrum which we would use to operate this service. It turned out that Straight Path was in trouble with the FCC and was fined $100M (yes, million) in early 2017. Straight Path never followed through with the lease to us in late 2016, which led us to the first announcement. In order to avoid fully paying the FCC fine they were given a few options, one of which was to sell their licenses. We have since learned that the buyer is AT&T. Update: Verizon outbid AT&T.

We are clearly disappointed with this outcome. This left us with no choice but to make assumptions based on what little information we have been able to obtain externally. Since it seems highly unlikely that Verizon is going to turn around and start leasing spectrum instead of using it for themselves, and given the lack of communication with Straight Path, this firmly places our plans into the “canceled” category.

UPDATE: We received notices from Verizon that the 39GHz leases we do have will be terminated in September 2018, so that’s the end of that.

Categories
Changes

Secondary DNS Minor Updates: auto-enable and NOTAUTH

We’ve made a couple minor updates to the Secondary DNS system.

  • If we see a successful transfer, the back end will automatically send an “enable” flag to the account control center. This addresses a possible condition where a zone can become disabled between update runs due to an error that was fixed before the next run.
  • Secondary DNS zones will be automatically disabled if a NOTAUTH (not authoritative) response is received from the configured master. This is similar to the existing behavior of disabling on a REFUSED response. Our system must assume that if the master is not authoritative for a zone, we must not try to be a secondary, and it wastes resources to keep trying.