Building Back Better

Rebuilding all our virtual servers onto new hosting has been an educational experience, and as you might expect, very different to the first time round in 2009.

Here are a few things we changed:

  • Let’s Encrypt now exists, so all Internet-facing services are protected by SSL/TLS.
  • We took this a stage further and decided most web servers will cease to listen on port 80 and redirect. Recent changes to Chrome make it an ideal time to tighten this up.
  • DNSSEC is enabled on all our domains.
  • We’ve rolled out SPF in more places and we’re looking at DANE for e-mail.

One thing which I’m pleased to say didn’t change was IPv6: we had it working in 2009, and we have it working now.

Some of us have taken it a stage further and are running IPv6-only VMs with a bit of help from Cloudflare and Mythic Beasts’ proxy. I’m finding it pretty liberating only having to reason about a single stack, and if I were building a new “back end” network today, I’d give it serious consideration.