Re: Panic on ZFS startup after crash

[Pawel Jakub Dawidek]

On Mon, Jul 21, 2008 at 06:18:10PM -0300, Nenhum_de_Nos wrote:
  The ZFS code in 7.0 is the same as in HEAD, so no worries.
 
 I'm trying zfs myself in a small enviroment at home, but for that I do
 follow 7-STABLE. there's no need to do that, as based in the above
 statement ?

There might be some small differences, but the patches I provide here
will apply to 7.0-RELEASE, 7-STABLE and 8-CURRENT.

-- 
Pawel Jakub Dawidek   http://www.wheel.pl
[EMAIL PROTECTED]   http://www.FreeBSD.org
FreeBSD committer Am I Evil? Yes, I Am!


pgpXtFi29GDZt.pgp
Description: PGP signature

Re: ACPI regression on recent 7.0-STABLE: HPET stops working

[Oleg V. Nauman]

Quoting John Baldwin [EMAIL PROTECTED]:


On Monday 21 July 2008 06:07:52 am Oleg V. Nauman wrote:

Quoting Oleg V. Nauman [EMAIL PROTECTED]:

 Quoting Jeremy Chadwick [EMAIL PROTECTED]:

 On Sat, Jul 19, 2008 at 10:03:15AM +0300, Oleg V. Nauman wrote:
 It seems to be something was changed with ACPI support on 7.0-STABLE so
 my next system upgrade ended with ACPI HPET not working anymore on my
 ASUS A9Rp laptop.

 Here is the part of /var/log/dmesg.today dated July 13:

 FreeBSD 7.0-STABLE #65: Tue Jul  8 22:05:07 EEST 2008
[EMAIL PROTECTED]:/usr/src/sys/i386/compile/oleg2
 [..]
 acpi0: A M I OEMRSDT on motherboard
 acpi0: Overriding SCI Interrupt from IRQ 9 to IRQ 21
 acpi0: [ITHREAD]
 acpi0: Power Button (fixed)
 acpi0: reservation of 0, a (3) failed
 acpi0: reservation of 10, 77f0 (3) failed
 Timecounter ACPI-safe frequency 3579545 Hz quality 850
 acpi_timer0: 32-bit timer at 3.579545MHz port 0x808-0x80b on acpi0
 acpi_ec0: Embedded Controller: GPE 0x18 port 0x62,0x66 on acpi0
 acpi_hpet0: High Precision Event Timer iomem
 0xfed0-0xfed003ff on acpi0
 Timecounter HPET frequency 14318180 Hz quality 900

 Here is the fresh dmesg output info:

 FreeBSD 7.0-STABLE #66: Tue Jul 15 22:11:27 EEST 2008
[EMAIL PROTECTED]:/usr/src/sys/i386/compile/oleg2
 [..]
 acpi0: A M I OEMRSDT on motherboard
 acpi0: Overriding SCI Interrupt from IRQ 9 to IRQ 21
 acpi0: [ITHREAD]
 acpi0: Power Button (fixed)
 acpi0: reservation of 0, a (3) failed
 acpi0: reservation of 10, 77f0 (3) failed
 Timecounter ACPI-safe frequency 3579545 Hz quality 850
 acpi_timer0: 32-bit timer at 3.579545MHz port 0x808-0x80b on acpi0
 [..]
 acpi_hpet0: High Precision Event Timer iomem
 0xfed0-0xfed003ff on acpi0
 device_attach: acpi_hpet0 attach returned 12

 And the part of actual sysctl kern.timecounter output:

 kern.timecounter.choice: TSC(800) ACPI-safe(850) i8254(0)

dummy(-100)

 kern.timecounter.hardware: ACPI-safe

 Seems okay here:

 FreeBSD icarus.home.lan 7.0-STABLE FreeBSD 7.0-STABLE #0: Sat Jul
 12  10:53:08 PDT 2008
 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/PDSMI_PLUS_amd64  amd64

 acpi_timer0: 24-bit timer at 3.579545MHz port 0x1008-0x100b on acpi0
 acpi_hpet0: High Precision Event Timer iomem
 0xfed0-0xfed003ff on acpi0
 Timecounter i8254 frequency 1193182 Hz quality 0
 Timecounter ACPI-fast frequency 3579545 Hz quality 1000
 Timecounter HPET frequency 14318180 Hz quality 900
 Timecounters tick every 1.000 msec

 kern.timecounter.choice: TSC(-100) HPET(900) ACPI-fast(1000)
 i8254(0) dummy(-100)
 kern.timecounter.hardware: ACPI-fast

 You sure you haven't upgraded your BIOS or something and forgot to
 re-enable HPET?

  No it was not upgraded.. Have no option to enable/disable HPET through
 BIOS settings though

  I was unclear a bit or so. There are no ACPI related settings in my
laptop's BIOS.

  Well.. Backout 1.243.2.3 revision of /usr/src/sys/dev/acpica/acpi.c
(committed to RELENG_7 at July 10 by jhb) fixes this issue for me:

acpi_hpet0: High Precision Event Timer iomem 0xfed0-0xfed003ff on

acpi0

Timecounter HPET frequency 14318180 Hz quality 900

kern.timecounter.choice: TSC(800) HPET(900) ACPI-safe(850) i8254(0)
dummy(-100)
kern.timecounter.hardware: HPET

  Hopefully it helps to understand what is went wrong there.


Ok, so the attempt to allocate the resource is failing for some reason.  Can
you get output from 'devinfo -r' and 'devinfo -u'?


 Of course..

The kernel with 1.243.2.2 revision of /usr/src/sys/dev/acpica/acpi.c  
(so HPET working for me):


 devinfo -r output:

nexus0
  apic0
  ram0
  I/O memory addresses:
  0x0-0x9efff
  0x10-0x77fc
  npx0
  acpi0
  Interrupt request lines:
  21
  I/O ports:
  0x10-0x1f
  0x22-0x3f
  0x63
  0x65
  0x67-0x6f
  0x72-0x7f
  0x80
  0x84-0x86
  0x88
  0x8c-0x8e
  0x90-0x9f
  0xa2-0xbf
  0xe0-0xef
  0x250-0x25f
  0x40b
  0x480-0x4bf
  0x4d0-0x4d1
  0x4d6
  0x500-0x53f
  0x800-0x89f
  0x900-0x90f
  0x910-0x91f
  0xc00-0xc01
  0xc14
  0xc50-0xc51
  0xc52
  0xc6c
  0xc6f
  0xcd4-0xcd5
  0xcd6-0xcd7
  0xcd8-0xcdf
  0x4000-0x4004
  0x4005-0x40ff
  I/O memory addresses:
  0xc-0xc
  0xe-0xf
  0xe000-0xefff
  0xfec0-0xfec00fff
  0xfee0-0xfee00fff
  0xfff8-0x
cpu0
ACPI I/O ports:
0x814
0x815
  coretemp0
  p4tcc0
  cpufreq0
pcib0
  pci0
hostb0
pcib1
  pci1
vgapci0
I/O ports:
0x9800-0x98ff
I/O memory addresses:
0xc000-0xcfff
0xfe1f-0xfe1f
  

sleeping without queue ?

[Mikhail Teterin]

Hello!

My attempt to build openoffice.org-3 seems to be hanging. Pressing 
Ctrl-T produces:


   load: 0.11  cmd: tcsh 79759 [sleeping without queue] 0.00u 0.00s 0% 0k

(tcsh is used by OOo's build-script). What is this sleeping without 
queue state, and why is process in it for so long?


This is an 4-CPU amd64 system with 4Gb of RAM. Only 16% of the swap is 
currently in use and the box seems to be perfectly fine otherwise. 
Uptime is 55 days, two different X-sessions are functional... The kernel 
is FreeBSD 7.0-STABLE #0: Sat Mar  8 16:02:37.


Thanks!

   -mi
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: sleeping without queue ?

[Kris Kennaway]

Mikhail Teterin wrote:

Hello!

My attempt to build openoffice.org-3 seems to be hanging. Pressing 
Ctrl-T produces:


   load: 0.11  cmd: tcsh 79759 [sleeping without queue] 0.00u 0.00s 0% 0k

(tcsh is used by OOo's build-script). What is this sleeping without 
queue state, and why is process in it for so long?


This is an 4-CPU amd64 system with 4Gb of RAM. Only 16% of the swap is 
currently in use and the box seems to be perfectly fine otherwise. 
Uptime is 55 days, two different X-sessions are functional... The kernel 
is FreeBSD 7.0-STABLE #0: Sat Mar  8 16:02:37.


Thanks!


What is the process backtrace?

Kris
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: FreeBSD 7.1 and BIND exploit

[Oliver Fromme]

Brett Glass wrote:
  At 02:24 PM 7/21/2008, Kevin Oberman wrote:
  
   Don't forget that ANY server that caches data, including an end system
   running a caching only server is vulnerable.
 
  Actually, there is an exception to this. A forward only
  cache/resolver is only as vulnerable as its forwarder(s). This is a
  workaround for the vulnerability for folks who have systems that they
  cannot easily upgrade: point at a trusted forwarder that's patched.
 
  We're also looking at using dnscache from the djbdns package.

I'm curious, is djbdns exploitable, too?  Does it randomize
the source ports of UDP queries?

  Of course, all solutions that randomize ports are really just
  security by obscurity, because by shuffling ports you're hiding the
  way to poison your cache... a little.

True, but there is currently no better solution, AFAIK.
The problem is inherent in the way DNS queries work.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH  Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606,  Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht Mün-
chen, HRB 125758,  Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD-Dienstleistungen, -Produkte und mehr:  http://www.secnetix.de/bsd

That's what I love about GUIs: They make simple tasks easier,
and complex tasks impossible.
-- John William Chambless
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: FreeBSD 7.1 and BIND exploit

[cpghost]

On Tue, Jul 22, 2008 at 05:52:42PM +0200, Oliver Fromme wrote:
 I'm curious, is djbdns exploitable, too?  Does it randomize
 the source ports of UDP queries?

Apparently, djbdns had randomization of the source ports a long
time ago...

  Of course, all solutions that randomize ports are really just
  security by obscurity, because by shuffling ports you're hiding the
  way to poison your cache... a little.
 
 True, but there is currently no better solution, AFAIK.
 The problem is inherent in the way DNS queries work.

Yes indeed. If I understand all this correctly, it's because the
transaction ID that has to be sent back is only 2 bytes long, and if
the query port doesn't change as well with every query, that can be
cracked in milliseconds: sending 65536 DNS queries to a constant port
is just way too easy! The namespace is way too small, and there's no
way to fix this by switching to, say, 4 bytes or even more for the
transaction ID without breaking existing resolvers; actually without
breaking the protocol itself.

 Best regards
Oliver

cpghost.

-- 
Cordula's Web. http://www.cordula.ws/
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: sleeping without queue ?

[Mikhail Teterin]

Kris Kennaway написав(ла):

Mikhail Teterin wrote:

Hello!

My attempt to build openoffice.org-3 seems to be hanging. Pressing 
Ctrl-T produces:


   load: 0.11  cmd: tcsh 79759 [sleeping without queue] 0.00u 0.00s 
0% 0k


(tcsh is used by OOo's build-script). What is this sleeping without 
queue state, and why is process in it for so long?


This is an 4-CPU amd64 system with 4Gb of RAM. Only 16% of the swap 
is currently in use and the box seems to be perfectly fine otherwise. 
Uptime is 55 days, two different X-sessions are functional... The 
kernel is FreeBSD 7.0-STABLE #0: Sat Mar  8 16:02:37.


Thanks!


What is the process backtrace?

Hard to say... The process ID 79759. According to ps(1), that PID exists:
79759  p6  DE+0:00,00 /bin/tcsh -fc 
/meow/ports/editors/openoffice.org-3/work/BEB300_m3/solver/300/unxfbsdx.pro/bin/makedepend 
@/tmp/mk2WUYYi  ../../../unxfbsdx.pro/misc/s_addincol.dpcc

According to gdb, it does not:
gdb 79759
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain 
conditions.

Type show copying to see the conditions.
There is absolutely no warranty for GDB.  Type show warranty for details.
This GDB was configured as amd64-marcel-freebsd...79759: No such file 
or directory.


Interestingly, the file mentioned in the command-line -- the 
s_addincol.dpcc -- does not exist anywhere under 
/meow/ports/editors/openoffice.org-3/work


   -mi
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

unable to use gmirror on supermicro 5015b-mt

[ian j hart]

These are new boxes.
http://www.supermicro.com/products/system/1U/5015/SYS-5015B-MT.cfm

core 2 Q6600 CPU
8Gb 667 RAM

Boxes were memtested from Fri-Mon okay. 6.3-RELEASE (amd64) installs fine. 
Build cycle okay. Running (no load) for a week or so.

However, when I try to configure gmirror they hang on boot.

After some fiddling it appears issuing
#kldload geom_mirror
hangs the boxes very hard. Ping response stops (after 3), no CAD response, 
CDROM draw doesn't open!

This may well be a foolish thing to do but another (different) amd64 box 
doesn't hang. I don't believe this to be amd64 specific, I suspect that 
there's something strange about this hardware.

There are very many BIOS options and I feel like I've tried them all without 
getting anywhere.

I'm on holiday this week and I've borrowed a box to test. Any suggestions 
would be welcome. I'll (re)try anything but I need help to stay focused.

Before you ask, no I cannot try 7.0-RELEASE, but that's a whole other thread 
(which may bear fruit more quickly).

I already dropped the RAM to 2Gb and disabled the memory remap in the BIOS.

dmesg after sig [AHCI disabled, SATA legacy mode]

Thanks

-- 
ian j hart

%dmesg
Copyright (c) 1992-2008 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 6.3-RELEASE #0: Wed Jan 16 01:43:02 UTC 2008
[EMAIL PROTECTED]:/usr/obj/usr/src/sys/SMP
ACPI APIC Table: PTLTD  APIC  
Timecounter i8254 frequency 1193182 Hz quality 0
CPU: Intel(R) Core(TM)2 Quad CPUQ6600  @ 2.40GHz (2394.02-MHz K8-class 
CPU)
  Origin = GenuineIntel  Id = 0x6fb  Stepping = 11
  
Features=0xbfebfbffFPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE
  Features2=0xe3bdSSE3,RSVD2,MON,DS_CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM
  AMD Features=0x20100800SYSCALL,NX,LM
  AMD Features2=0x1LAHF
  Cores per package: 4
real memory  = 2145845248 (2046 MB)
avail memory = 2059509760 (1964 MB)
FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
 cpu0 (BSP): APIC ID:  0
 cpu1 (AP): APIC ID:  1
 cpu2 (AP): APIC ID:  2
 cpu3 (AP): APIC ID:  3
ioapic0 Version 2.0 irqs 0-23 on motherboard
ioapic1 Version 2.0 irqs 24-47 on motherboard
kbd1 at kbdmux0
ath_hal: 0.9.20.3 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413)
hptrr: HPT RocketRAID controller driver v1.1 (Jan 16 2008 01:41:13)
acpi0: PTLTDXSDT on motherboard
acpi0: Power Button (fixed)
Timecounter ACPI-fast frequency 3579545 Hz quality 1000
acpi_timer0: 24-bit timer at 3.579545MHz port 0x1008-0x100b on acpi0
cpu0: ACPI CPU on acpi0
cpu1: ACPI CPU on acpi0
cpu2: ACPI CPU on acpi0
cpu3: ACPI CPU on acpi0
pcib0: ACPI Host-PCI bridge port 0xcf8-0xcff on acpi0
pci0: ACPI PCI bus on pcib0
pcib1: ACPI PCI-PCI bridge irq 16 at device 1.0 on pci0
pci1: ACPI PCI bus on pcib1
pcib2: ACPI PCI-PCI bridge at device 0.0 on pci1
pci2: ACPI PCI bus on pcib2
uhci0: UHCI (generic) USB controller port 0x1820-0x183f irq 16 at device 
26.0 on pci0
uhci0: [GIANT-LOCKED]
usb0: UHCI (generic) USB controller on uhci0
usb0: USB revision 1.0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1: UHCI (generic) USB controller port 0x1840-0x185f irq 17 at device 
26.1 on pci0
uhci1: [GIANT-LOCKED]
usb1: UHCI (generic) USB controller on uhci1
usb1: USB revision 1.0
uhub1: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2: UHCI (generic) USB controller port 0x1860-0x187f irq 18 at device 
26.2 on pci0
uhci2: [GIANT-LOCKED]
usb2: UHCI (generic) USB controller on uhci2
usb2: USB revision 1.0
uhub2: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
ehci0: EHCI (generic) USB 2.0 controller mem 0xd8601000-0xd86013ff irq 18 at 
device 26.7 on pci0
ehci0: [GIANT-LOCKED]
usb3: EHCI version 1.0
usb3: companion controllers, 2 ports each: usb0 usb1 usb2
usb3: EHCI (generic) USB 2.0 controller on ehci0
usb3: USB revision 2.0
uhub3: Intel EHCI root hub, class 9/0, rev 2.00/1.00, addr 1
uhub3: 6 ports with 6 removable, self powered
pcib3: ACPI PCI-PCI bridge irq 16 at device 28.0 on pci0
pci5: ACPI PCI bus on pcib3
pcib4: ACPI PCI-PCI bridge irq 16 at device 28.4 on pci0
pci13: ACPI PCI bus on pcib4
em0: Intel(R) PRO/1000 Network Connection Version - 6.7.2 port 0x2000-0x201f 
mem 0xd800-0xd801 irq 16 at device 0.0 on pci13
em0: Ethernet address: 00:30:48:64:22:fa
pcib5: ACPI PCI-PCI bridge irq 17 at device 28.5 on pci0
pci15: ACPI PCI bus on pcib5
em1: Intel(R) PRO/1000 Network Connection Version - 6.7.2 port 0x3000-0x301f 
mem 0xd820-0xd821 irq 17 at device 0.0 on pci15
em1: Ethernet address: 00:30:48:64:22:fb
uhci3: UHCI (generic) USB controller port 0x1880-0x189f irq 23 at device 
29.0 on pci0
uhci3: 

Re: Panic on ZFS startup after crash

[Nenhum_de_Nos]

On Tue, July 22, 2008 06:07, Pawel Jakub Dawidek wrote:
 On Mon, Jul 21, 2008 at 06:18:10PM -0300, Nenhum_de_Nos wrote:
  The ZFS code in 7.0 is the same as in HEAD, so no worries.

 I'm trying zfs myself in a small enviroment at home, but for that I do
 follow 7-STABLE. there's no need to do that, as based in the above
 statement ?

 There might be some small differences, but the patches I provide here
 will apply to 7.0-RELEASE, 7-STABLE and 8-CURRENT.

 --
 Pawel Jakub Dawidek   http://www.wheel.pl
 [EMAIL PROTECTED]   http://www.FreeBSD.org
 FreeBSD committer Am I Evil? Yes, I Am!

ok, but my main wonder was about to be using the most new but stable zfs
code :)

do I keep running stable ?

thanks,

matheus

-- 
We will call you cygnus,
The God of balance you shall be

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: sleeping without queue ?

[Jeremy Chadwick]

On Tue, Jul 22, 2008 at 12:13:25PM -0400, Mikhail Teterin wrote:
 Kris Kennaway ???(??):
 Mikhail Teterin wrote:
 Hello!

 My attempt to build openoffice.org-3 seems to be hanging. Pressing  
 Ctrl-T produces:

load: 0.11  cmd: tcsh 79759 [sleeping without queue] 0.00u 0.00s  
 0% 0k

 (tcsh is used by OOo's build-script). What is this sleeping without  
 queue state, and why is process in it for so long?

 This is an 4-CPU amd64 system with 4Gb of RAM. Only 16% of the swap  
 is currently in use and the box seems to be perfectly fine otherwise. 
 Uptime is 55 days, two different X-sessions are functional... The  
 kernel is FreeBSD 7.0-STABLE #0: Sat Mar  8 16:02:37.

 Thanks!

 What is the process backtrace?
 Hard to say... The process ID 79759. According to ps(1), that PID exists:
 79759  p6  DE+0:00,00 /bin/tcsh -fc  
 /meow/ports/editors/openoffice.org-3/work/BEB300_m3/solver/300/unxfbsdx.pro/bin/makedepend
  
 @/tmp/mk2WUYYi  ../../../unxfbsdx.pro/misc/s_addincol.dpcc
 According to gdb, it does not:
 gdb 79759
 GNU gdb 6.1.1 [FreeBSD]
 Copyright 2004 Free Software Foundation, Inc.
 GDB is free software, covered by the GNU General Public License, and you are
 welcome to change it and/or distribute copies of it under certain  
 conditions.
 Type show copying to see the conditions.
 There is absolutely no warranty for GDB.  Type show warranty for details.
 This GDB was configured as amd64-marcel-freebsd...79759: No such file  
 or directory.

Syntax appears wrong; gdb [program] 79759 would be what you want.

-- 
| Jeremy Chadwickjdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: FreeBSD 7.1 and BIND exploit

[Clifton Royston]

On Tue, Jul 22, 2008 at 05:52:42PM +0200, Oliver Fromme wrote:
 Brett Glass wrote:
   At 02:24 PM 7/21/2008, Kevin Oberman wrote:
   
Don't forget that ANY server that caches data, including an end system
running a caching only server is vulnerable.
  
   Actually, there is an exception to this. A forward only
   cache/resolver is only as vulnerable as its forwarder(s). This is a
   workaround for the vulnerability for folks who have systems that they
   cannot easily upgrade: point at a trusted forwarder that's patched.
  
   We're also looking at using dnscache from the djbdns package.
 
 I'm curious, is djbdns exploitable, too?  Does it randomize
 the source ports of UDP queries?

  AFAIK Dan Bernstein first spelled out the fundamental problems with
DNS response forgery in 2001.  He implemented dnscache to randomize
source ports and IDs from the beginning, via a cryptographic quality
RNG.  See for instance this page, much of it written in 2003:

  http://cr.yp.to/djbdns/forgery.html

  He rubs a lot of people the wrong way, but I think he has usually
proved to be right on security issues.

  I also think that modular design of security-sensitive tools is the
way to go, with his DNS tools as with Postfix.
  -- Clifton

-- 
Clifton Royston  --  [EMAIL PROTECTED] / [EMAIL PROTECTED]
   President  - I and I Computing * http://www.iandicomputing.com/
 Custom programming, network design, systems and network consulting services
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: sleeping without queue ?

[Mikhail Teterin]

Jeremy Chadwick написав(ла):

On Tue, Jul 22, 2008 at 12:13:25PM -0400, Mikhail Teterin wrote:
  

Kris Kennaway написав(ла):


Mikhail Teterin wrote:
  

Hello!

My attempt to build openoffice.org-3 seems to be hanging. Pressing  
Ctrl-T produces:


   load: 0.11  cmd: tcsh 79759 [sleeping without queue] 0.00u 0.00s  
0% 0k


(tcsh is used by OOo's build-script). What is this sleeping without  
queue state, and why is process in it for so long?


This is an 4-CPU amd64 system with 4Gb of RAM. Only 16% of the swap  
is currently in use and the box seems to be perfectly fine otherwise. 
Uptime is 55 days, two different X-sessions are functional... The  
kernel is FreeBSD 7.0-STABLE #0: Sat Mar  8 16:02:37.


What is the process backtrace?
  

Hard to say... The process ID 79759. According to ps(1), that PID exists:
79759  p6  DE+0:00,00 /bin/tcsh -fc  
/meow/ports/editors/openoffice.org-3/work/BEB300_m3/solver/300/unxfbsdx.pro/bin/makedepend 
@/tmp/mk2WUYYi  ../../../unxfbsdx.pro/misc/s_addincol.dpcc

According to gdb, it does not:
[...]

Syntax appears wrong; gdb [program] 79759 would be what you want.
  

Yes, indeed. The result is similar, though:

   % gdb /bin/tcsh 79759
   [...]
   Attaching to program: /bin/tcsh, process 79759
   ptrace: No such process.
   /meow/ports/79759: No such file or directory.

Thanks,

   -mi

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

unable to boot 7.0-RELEASE cdrom on supermicro 5015b-mt

[ian j hart]

Same hardware as my other thread.
http://www.supermicro.com/products/system/1U/5015/SYS-5015B-MT.cfm

[using 2Gb RAM and SATA in legacy mode]

I'd like to focus only on making the CDROM boot complete.

Summary: hangs just after the CPUs are launched.

6.2-RELEASE works okay, no AHCI support
6.3-RELEASE works okay
7.0-RELEASE hangs
7.0-STABLE-200806-SNAPSHOT  hangs
8.0-CURRENT-200806-SNAPSHOT hangs

I thought I could do a binary search using the current snapshot boot-only CDs 
but they only go back to March. Are there any older ones available?

Thanks

-- 
ian j hart
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: FreeBSD 7.1 and BIND exploit

[Doug Barton]

Clifton Royston wrote:

  I also think that modular design of security-sensitive tools is the
way to go, with his DNS tools as with Postfix.


Dan didn't write postfix, he wrote qmail.

If you're interested in a resolver-only solution (and that is not a 
bad way to go) then you should evaluate dns/unbound. It is a 
lightweight resolver-only server that has a good security model and 
already implements query port randomization. It also has the advantage 
of being maintained, and compliant to 21st Century DNS standards 
including DNSSEC (which, btw, is the real solution to the response 
forgery problem, it just can't be deployed universally before 8/5).


hth,

Doug

--

This .signature sanitized for your protection

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: unable to boot 7.0-RELEASE cdrom on supermicro 5015b-mt

[Jeremy Chadwick]

On Tue, Jul 22, 2008 at 05:27:52PM +0100, ian j hart wrote:
 Same hardware as my other thread.
 http://www.supermicro.com/products/system/1U/5015/SYS-5015B-MT.cfm
 
 [using 2Gb RAM and SATA in legacy mode]
 
 I'd like to focus only on making the CDROM boot complete.
 
 Summary: hangs just after the CPUs are launched.
 
 6.2-RELEASE   works okay, no AHCI support
 6.3-RELEASE   works okay
 7.0-RELEASE   hangs
 7.0-STABLE-200806-SNAPSHOThangs
 8.0-CURRENT-200806-SNAPSHOT   hangs
 
 I thought I could do a binary search using the current snapshot boot-only CDs 
 but they only go back to March. Are there any older ones available?

Have you tried disabling ACPI to see if it makes any sort of difference?

Also, AHCI should work just fine on those systems -- I know because I
have fairly extensive experience with Supermicro hardware, although what
you're using is newer than what I presently have.  I don't know why
you're setting Compatible/Legacy mode on your controller (you mention
doing this in your other thread as well).

Below is what we use on our systems; factory defaults, then make the
following changes.  (The G-LAN1 OPROM option you can do whatever you
want with -- it's specific to our environment).

* Main
* Date
 -- Set to GMT, not local time!!!
* Serial ATA
 -- SATA Controller Mode -- Enhanced
 -- SATA AHCI -- Enabled

* Advanced
* Boot Features
 -- Quiet Mode -- Disabled
 -- Enable Multimedia Timer -- Enabled
* PCI Configuration
 -- Onboard G-LAN1 OPROM -- Disabled
 -- Large Disk Access Mode -- Other
* Advanced Processor Options
 -- Intel(R) Virtualization Technology -- Enabled
 -- C1 Enhanced Mode -- Enabled

-- 
| Jeremy Chadwickjdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: FreeBSD 7.1 and BIND exploit

[Doug Barton]

cpghost wrote:
Yes indeed. If I understand all this correctly, it's because the 
transaction ID that has to be sent back is only 2 bytes long,


2 bits, 16 bytes.


and if the query port doesn't change as well with every query, that
can be cracked in milliseconds: sending 65536 DNS queries to a
constant port is just way too easy! The namespace is way too small,
and there's no way to fix this by switching to, say, 4 bytes or
even more for the transaction ID without breaking existing
resolvers; actually without breaking the protocol itself.


That's more or less accurate, yes.

Doug

--

This .signature sanitized for your protection

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: sleeping without queue ?

[Kris Kennaway]

Jeremy Chadwick wrote:

On Tue, Jul 22, 2008 at 12:13:25PM -0400, Mikhail Teterin wrote:

Kris Kennaway ???(??):

Mikhail Teterin wrote:

Hello!

My attempt to build openoffice.org-3 seems to be hanging. Pressing  
Ctrl-T produces:


   load: 0.11  cmd: tcsh 79759 [sleeping without queue] 0.00u 0.00s  
0% 0k


(tcsh is used by OOo's build-script). What is this sleeping without  
queue state, and why is process in it for so long?


This is an 4-CPU amd64 system with 4Gb of RAM. Only 16% of the swap  
is currently in use and the box seems to be perfectly fine otherwise. 
Uptime is 55 days, two different X-sessions are functional... The  
kernel is FreeBSD 7.0-STABLE #0: Sat Mar  8 16:02:37.


Thanks!

What is the process backtrace?

Hard to say... The process ID 79759. According to ps(1), that PID exists:
79759  p6  DE+0:00,00 /bin/tcsh -fc  
/meow/ports/editors/openoffice.org-3/work/BEB300_m3/solver/300/unxfbsdx.pro/bin/makedepend 
@/tmp/mk2WUYYi  ../../../unxfbsdx.pro/misc/s_addincol.dpcc

According to gdb, it does not:
gdb 79759
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain  
conditions.

Type show copying to see the conditions.
There is absolutely no warranty for GDB.  Type show warranty for details.
This GDB was configured as amd64-marcel-freebsd...79759: No such file  
or directory.


Syntax appears wrong; gdb [program] 79759 would be what you want.



Well, I mean kernel backtrace.

Kris
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: sleeping without queue ?

[Mikhail Teterin]

Kris Kennaway написав(ла):

Well, I mean kernel backtrace.

Can I obtain that remotely and without restarting/panicking the box? Thanks,

   -mi
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: sleeping without queue ?

[Kris Kennaway]

Mikhail Teterin wrote:

Kris Kennaway написав(ла):

Well, I mean kernel backtrace.
Can I obtain that remotely and without restarting/panicking the box? 
Thanks,


   -mi




kgdb on /dev/mem or procstat

Kris
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: FreeBSD 7.1 and BIND exploit

[Clifton Royston]

On Tue, Jul 22, 2008 at 09:37:14AM -0700, Doug Barton wrote:
 Clifton Royston wrote:
   I also think that modular design of security-sensitive tools is the
 way to go, with his DNS tools as with Postfix.
 
 Dan didn't write postfix, he wrote qmail.

  I know, but I think qmail sucks.  Wietse didn't write a DNS server
or I'd probably be using that. :-)

 If you're interested in a resolver-only solution (and that is not a 
 bad way to go) then you should evaluate dns/unbound. It is a 
 lightweight resolver-only server that has a good security model and 
 already implements query port randomization. It also has the advantage 
 of being maintained, and compliant to 21st Century DNS standards 
 including DNSSEC (which, btw, is the real solution to the response 
 forgery problem, it just can't be deployed universally before 8/5).

  Sounds interesting; is it a caching resolver? 

  I'm not totally convinced DNSSEC would solve everything (though it
would solve the current vulnerability) but I'm not sure I follow the
arguments pro and con.

  -- Clifton

-- 
Clifton Royston  --  [EMAIL PROTECTED] / [EMAIL PROTECTED]
   President  - I and I Computing * http://www.iandicomputing.com/
 Custom programming, network design, systems and network consulting services
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: FreeBSD 7.1 and BIND exploit

[Clifton Royston]

On Tue, Jul 22, 2008 at 09:39:20AM -0700, Doug Barton wrote:
 cpghost wrote:
 Yes indeed. If I understand all this correctly, it's because the 
 transaction ID that has to be sent back is only 2 bytes long,
 
 2 bits, 16 bytes.
 ^  Think you mean those the other way!

 and if the query port doesn't change as well with every query, that
 can be cracked in milliseconds: sending 65536 DNS queries to a
 constant port is just way too easy! The namespace is way too small,
 and there's no way to fix this by switching to, say, 4 bytes or
 even more for the transaction ID without breaking existing
 resolvers; actually without breaking the protocol itself.
 
 That's more or less accurate, yes.
 
 Doug

  I just saw mention in Infoworld - adequate details of the exploit
were guessed by another developer and then confirmed.  They're now
circulating, so I think we can expect engineered attacks soon.

All:
  Upgrade your servers today, do not wait.

  -- Clifton

-- 
Clifton Royston  --  [EMAIL PROTECTED] / [EMAIL PROTECTED]
   President  - I and I Computing * http://www.iandicomputing.com/
 Custom programming, network design, systems and network consulting services
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: sleeping without queue ?

[Mikhail Teterin]

Kris Kennaway написав(ла):

Mikhail Teterin wrote:

Kris Kennaway написав(ла):

Well, I mean kernel backtrace.
Can I obtain that remotely and without restarting/panicking the box? 
Thanks,

kgdb on /dev/mem or procstat

   [EMAIL PROTECTED]:~ (107) kgdb /boot/kernel/kernel /dev/mem
   [...]
   (kgdb) bt
   #0  0x in ?? ()
   Error accessing memory address 0x0: Bad address.

Even less luck with procstat:

   [EMAIL PROTECTED]:~ (108) locate procstat
   [EMAIL PROTECTED]:~ (109) procstat
   procstat: Невідома команда.
   [EMAIL PROTECTED]:~ (110) man procstat
   No manual entry for procstat

I'm sorry, but you'll need to be more specific. What should I type? Thanks,

 -mi
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: FreeBSD 7.1 and BIND exploit

[Doug Barton]

Clifton Royston wrote:

On Tue, Jul 22, 2008 at 09:39:20AM -0700, Doug Barton wrote:

cpghost wrote:
Yes indeed. If I understand all this correctly, it's because the 
transaction ID that has to be sent back is only 2 bytes long,

2 bits, 16 bytes.

 ^  Think you mean those the other way!


Oops, ELACKOFCAFFEINE


and if the query port doesn't change as well with every query, that
can be cracked in milliseconds: sending 65536 DNS queries to a
constant port is just way too easy! The namespace is way too small,
and there's no way to fix this by switching to, say, 4 bytes or
even more for the transaction ID without breaking existing
resolvers; actually without breaking the protocol itself.

That's more or less accurate, yes.

Doug


  I just saw mention in Infoworld - adequate details of the exploit
were guessed by another developer and then confirmed.  They're now
circulating, so I think we can expect engineered attacks soon.

All:
  Upgrade your servers today, do not wait.


Agreed on both counts.


--

This .signature sanitized for your protection

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: FreeBSD 7.1 and BIND exploit

[Matthew Seaman]

Doug Barton wrote:

Clifton Royston wrote:

  I also think that modular design of security-sensitive tools is the
way to go, with his DNS tools as with Postfix.


Dan didn't write postfix, he wrote qmail.

If you're interested in a resolver-only solution (and that is not a bad 
way to go) then you should evaluate dns/unbound. It is a lightweight 
resolver-only server that has a good security model and already 
implements query port randomization. It also has the advantage of being 
maintained, and compliant to 21st Century DNS standards including DNSSEC


Are there any plans to enable DNSSEC capability in the resolver built into 
FreeBSD?

(which, btw, is the real solution to the response forgery problem, it 
just can't be deployed universally before 8/5).


That big announcement Dan Kaminsky was going to make at the Blackhat
Conference in August?  Unfortunately the cat has already been let out
of the bag:

http://blog.invisibledenizen.org/2008/07/kaminskys-dns-issue-accidentally-leaked.html

There's no implementation of DNS that can be any /more/ proof against this
than BIND+latest patches because the problem is intrinsic to the design of 
the DNS protocol. You'ld better be patched up or using alternative DNS 
implementations equally secure already.  Even so that just increases the 
search space from about 16bits to about 30bits, which should make it not 
really feasible given current network and server capabilities.  


Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
 Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
 Kent, CT11 9PW



signature.asc
Description: OpenPGP digital signature

Re: FreeBSD 7.1 and BIND exploit

[Doug Barton]

Matthew Seaman wrote:

Are there any plans to enable DNSSEC capability in the resolver built 
into FreeBSD?


The server is already capable of it. I'm seriously considering 
enabling the define to make the CLI tools (dig/host/nslookup) capable 
as well (there is already an OPTION for this in ports).


The problem is that _using_ DNSSEC requires configuration changes in 
named.conf, and more importantly, configuration of trust anchors 
(even for the command line stuff) since the root is not signed. It's 
not hard to do that with the DLV system that ISC has in place, and I 
would be willing to create a conf file that shows how to do that for 
users to include if they choose to. I am not comfortable enabling it 
by default (not yet anyway), it's too big of a POLA issue.


Doug

--

This .signature sanitized for your protection

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: FreeBSD 7.1 and BIND exploit

[Paul Schmehl]

--On Tuesday, July 22, 2008 09:37:14 -0700 Doug Barton [EMAIL PROTECTED] 
wrote:



Clifton Royston wrote:

  I also think that modular design of security-sensitive tools is the
way to go, with his DNS tools as with Postfix.


Dan didn't write postfix, he wrote qmail.


I think his point was that djbdns is modular just like Postfix is modular - not 
that Dan wrote both.  I'm pretty sure everyone on the planet knows that Weitse 
wrote/maintains Postfix.


If djbdns was as easy to setup as Postfix is, I'd use it too.



If you're interested in a resolver-only solution (and that is not a bad way
to go) then you should evaluate dns/unbound. It is a lightweight
resolver-only server that has a good security model and already implements
query port randomization. It also has the advantage of being maintained, and
compliant to 21st Century DNS standards including DNSSEC (which, btw, is the
real solution to the response forgery problem, it just can't be deployed
universally before 8/5).



What happens on 8/5?

--
Paul Schmehl
As if it wasn't already obvious,
my opinions are my own and not
those of my employer.

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: unable to boot 7.0-RELEASE cdrom on supermicro 5015b-mt

[ian j hart]

On Tuesday 22 July 2008 17:37:24 Jeremy Chadwick wrote:
 On Tue, Jul 22, 2008 at 05:27:52PM +0100, ian j hart wrote:
  Same hardware as my other thread.
  http://www.supermicro.com/products/system/1U/5015/SYS-5015B-MT.cfm
 
  [using 2Gb RAM and SATA in legacy mode]
 
  I'd like to focus only on making the CDROM boot complete.
 
  Summary: hangs just after the CPUs are launched.
 
  6.2-RELEASE works okay, no AHCI support
  6.3-RELEASE works okay
  7.0-RELEASE hangs
  7.0-STABLE-200806-SNAPSHOT  hangs
  8.0-CURRENT-200806-SNAPSHOT hangs
 
  I thought I could do a binary search using the current snapshot boot-only
  CDs but they only go back to March. Are there any older ones available?

 Have you tried disabling ACPI to see if it makes any sort of difference?

Yes, but I'm happy to re-try.

Which method is best? Or is it 1 + 2 or 3?

1) BIOS
2) Beastie menu option
3) loader prompt set hint


 Also, AHCI should work just fine on those systems -- I know because I
 have fairly extensive experience with Supermicro hardware, although what
 you're using is newer than what I presently have.  I don't know why
 you're setting Compatible/Legacy mode on your controller (you mention
 doing this in your other thread as well).

Because I don't know what's wrong yet and AHCI support is newer than SATA 
support and this is a newish board? [At least 6.2 doesn't seem to support it 
and it has an AHCI legacy option!]

I'd be happy to swap this over. Slight problem; the drives get renumbered, so 
I'd rather not swap back and forth.


 Below is what we use on our systems; factory defaults, then make the
 following changes.  (The G-LAN1 OPROM option you can do whatever you
 want with -- it's specific to our environment).

 * Main
 * Date
  -- Set to GMT, not local time!!!
 * Serial ATA
  -- SATA Controller Mode -- Enhanced
  -- SATA AHCI -- Enabled

 * Advanced
 * Boot Features
  -- Quiet Mode -- Disabled
  -- Enable Multimedia Timer -- Enabled
 * PCI Configuration
  -- Onboard G-LAN1 OPROM -- Disabled
  -- Large Disk Access Mode -- Other
 * Advanced Processor Options
  -- Intel(R) Virtualization Technology -- Enabled
  -- C1 Enhanced Mode -- Enabled

I've got as close as I can to this.

This board also has an AHCI legacy option [disabled] which hides ports 5 and 
6. I also disabled quickboot and POST errors. I assume multimedia timer is 
the same as HPET. Doesn't seem to be any disk translation option. I took the 
fans off 'flat out'.

Thanks for your help.

-- 
ian j hart
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: FreeBSD 7.1 and BIND exploit

[Paul Schmehl]

--On Tuesday, July 22, 2008 10:27:42 -0700 Doug Barton [EMAIL PROTECTED] 
wrote:



Matthew Seaman wrote:


Are there any plans to enable DNSSEC capability in the resolver built
into FreeBSD?


The server is already capable of it. I'm seriously considering enabling the
define to make the CLI tools (dig/host/nslookup) capable as well (there is
already an OPTION for this in ports).

The problem is that _using_ DNSSEC requires configuration changes in
named.conf, and more importantly, configuration of trust anchors (even for
the command line stuff) since the root is not signed. It's not hard to do
that with the DLV system that ISC has in place, and I would be willing to
create a conf file that shows how to do that for users to include if they
choose to. I am not comfortable enabling it by default (not yet anyway), it's
too big of a POLA issue.



I just played around with it recently.  It's not that easy to understand 
initially *and* the trust anchors thing is a royal PITA.


Once you implement DNSSEC you *must* generate keys every 30 days.  So, I think, 
if you're going to enable it by default, there needs to be a script in periodic 
that will do all the magic to change keys every 30 days.  Maybe put vars in 
/etc/rc.conf to override the default key lengths and other portions of the 
commands that could change per installation.


If I were to implement it, I'd write a shell script to turn the keys over and 
cron it because doing it manually every 30 days ain't gonna happen.  Too many 
ways to forget to do it.  (I did the same for the root servers so that named.ca 
gets updated automagically every month.)


But until root is signed, it's not worth it for those of us who don't have 
dedicated staff doing dns only.


--
Paul Schmehl
As if it wasn't already obvious,
my opinions are my own and not
those of my employer.

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: FreeBSD 7.1 and BIND exploit

[sthaug]

 If you're interested in a resolver-only solution (and that is not a 
 bad way to go) then you should evaluate dns/unbound. It is a 
 lightweight resolver-only server that has a good security model and 
 already implements query port randomization. It also has the advantage 
 of being maintained, and compliant to 21st Century DNS standards 
 including DNSSEC (which, btw, is the real solution to the response 
 forgery problem, it just can't be deployed universally before 8/5).

I've been trying out unbound-1.0.1 on a 7.0-STABLE box (2.67 GHz i86,
uniprocessor, 32 bit mode, 2 GB memory).

Don't know what I'm doing wrong so far - but I've been unable to scale
Unbound to more than a couple of hundred q/s.  Any more than that and
I get serious (several hundred ms) delays on lots of queries, including
stuff which is known to be in the cache.

I'll be doing some more Unbound tests the next few days. For now, both
CNS and PowerDNS handle our load (around 2.5K q/s) fine.

Steinar Haug, Nethelp consulting, [EMAIL PROTECTED]

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: FreeBSD 7.1 and BIND exploit

[Matthew Seaman]

Doug Barton wrote:

Matthew Seaman wrote:

Are there any plans to enable DNSSEC capability in the resolver built 
into FreeBSD?


The server is already capable of it. I'm seriously considering enabling 
the define to make the CLI tools (dig/host/nslookup) capable as well 
(there is already an OPTION for this in ports).


Forgive me for being obtuse.  What I meant was the capability to enable 
checking signatures on DNS RRs as a routine effect of getnameinfo() etc.
by modifying resolver(3) routines or similar locally, without needing a
DNSSEC enabled recursive resolver listed in resolv.conf?  I've a feeling
the answer is no, but I haven't been able to find anything definitive.

Which I suppose simply means that if you're in the habit of, for example, 
taking your laptop into the coffee shop and getting on line there then you 
need to run your own instance of named on your laptop rather than blindly 
trusting whatever servers the coffee shop provides via their DHCP.


The problem is that _using_ DNSSEC requires configuration changes in 
named.conf, and more importantly, configuration of trust anchors (even 
for the command line stuff) since the root is not signed. It's not hard 
to do that with the DLV system that ISC has in place, and I would be 
willing to create a conf file that shows how to do that for users to 
include if they choose to. I am not comfortable enabling it by default 
(not yet anyway), it's too big of a POLA issue.


I sense a business opportunity in providing DLV there.  I'm wondering why
the likes of Verisign (including Thawte and Geotrust), Comodo group and 
GoDaddy aren't circling like vultures over a dead wildebeest.  Perhaps they 
are.


Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
 Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
 Kent, CT11 9PW



signature.asc
Description: OpenPGP digital signature

Re: sleeping without queue ?

[Mikhail Teterin]

Kostik Belousov написав(ла):

Did you switched to the process before doing backtrace (using the proc pid
command)?

Ok, thanks. Did not know about this one. Here:
...
(kgdb) proc 79759
(kgdb) bt
#0  sched_switch (td=0xff01286dc000, newtd=0xff00010ce000, 
flags=2) at /var/src/sys/kern/sched_4bsd.c:928

#1  0x in ?? ()
#2  0x802f1108 in mi_switch (flags=678281216, newtd=0x2) at 
/var/src/sys/kern/kern_synch.c:442
#3  0x80318513 in sleepq_check_timeout () at 
/var/src/sys/kern/subr_sleepqueue.c:519
#4  0x80318c85 in sleepq_timedwait (wchan=0x80688408) at 
/var/src/sys/kern/subr_sleepqueue.c:597
#5  0x802f16a2 in _sleep (ident=0x80688408, lock=0x0, 
priority=0, wmesg=0x804f3059 vmo_de, timo=1) at 
/var/src/sys/kern/kern_synch.c:224
#6  0x8043036b in vm_object_deallocate 
(object=0xff0053024a90) at /var/src/sys/vm/vm_object.c:509
#7  0x8042920e in vm_map_delete (map=0xff0015ba4b60, 
start=18446742979242478224, end=140737488355328) at 
/var/src/sys/vm/vm_map.c:2315
#8  0x804293df in vm_map_remove (map=0xff0015ba4b60, 
start=0, end=140737488355328) at /var/src/sys/vm/vm_map.c:2423
#9  0x8042b813 in vmspace_exit (td=0xff01286dc000) at 
/var/src/sys/vm/vm_map.c:324
#10 0x802c8cff in exit1 (td=0xff01286dc000, rv=0) at 
/var/src/sys/kern/kern_exit.c:294

#11 0x802ca08e in sys_exit (td=Variable td is not available.
) at /var/src/sys/kern/kern_exit.c:98
#12 0x8045a700 in syscall (frame=0xb0d89c70) at 
/var/src/sys/amd64/amd64/trap.c:852
#13 0x8043f38b in Xfast_syscall () at 
/var/src/sys/amd64/amd64/exception.S:290

#14 0x00080095f34c in ?? ()
Previous frame inner to this frame (corrupt stack?)


What is the exact version of the system ? Note that procstat
appeared in the late RELENG_7.

FreeBSD 7.0-STABLE #0: Sat Mar  8 16:02:37 EST 2008


Also, show the output of ps axl pid.

 UID   PID  PPID CPU PRI NI   VSZ   RSS MWCHAN STAT  TT   TIME COMMAND
   0 79759 79758   0  96  0 016 -  DE+   p60:00,00 
/bin/tcsh -fc 
/meow/ports/editors/openoffice.org-3/work/BEB300_m3/solver/300/unxfbsdx.pro/bin/ma


Yours,

   -mi
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: sleeping without queue ?

[Kostik Belousov]

On Tue, Jul 22, 2008 at 03:26:29PM -0400, Mikhail Teterin wrote:
 Kostik Belousov написав(ла):
 Did you switched to the process before doing backtrace (using the proc 
 pid
 command)?
 Ok, thanks. Did not know about this one. Here:
 ...
 (kgdb) proc 79759
 (kgdb) bt
 #0  sched_switch (td=0xff01286dc000, newtd=0xff00010ce000, 
 flags=2) at /var/src/sys/kern/sched_4bsd.c:928
 #1  0x in ?? ()
 #2  0x802f1108 in mi_switch (flags=678281216, newtd=0x2) at 
 /var/src/sys/kern/kern_synch.c:442
 #3  0x80318513 in sleepq_check_timeout () at 
 /var/src/sys/kern/subr_sleepqueue.c:519
 #4  0x80318c85 in sleepq_timedwait (wchan=0x80688408) at 
 /var/src/sys/kern/subr_sleepqueue.c:597
 #5  0x802f16a2 in _sleep (ident=0x80688408, lock=0x0, 
 priority=0, wmesg=0x804f3059 vmo_de, timo=1) at 
 /var/src/sys/kern/kern_synch.c:224
 #6  0x8043036b in vm_object_deallocate 
 (object=0xff0053024a90) at /var/src/sys/vm/vm_object.c:509
From this frame, please, print the object (like p *object) and
likewise, print the object that is at the head of the object-shadow_head
list.

Another question is what scheduler do you use ?

 #7  0x8042920e in vm_map_delete (map=0xff0015ba4b60, 
 start=18446742979242478224, end=140737488355328) at 
 /var/src/sys/vm/vm_map.c:2315
 #8  0x804293df in vm_map_remove (map=0xff0015ba4b60, 
 start=0, end=140737488355328) at /var/src/sys/vm/vm_map.c:2423
 #9  0x8042b813 in vmspace_exit (td=0xff01286dc000) at 
 /var/src/sys/vm/vm_map.c:324
 #10 0x802c8cff in exit1 (td=0xff01286dc000, rv=0) at 
 /var/src/sys/kern/kern_exit.c:294
 #11 0x802ca08e in sys_exit (td=Variable td is not available.
 ) at /var/src/sys/kern/kern_exit.c:98
 #12 0x8045a700 in syscall (frame=0xb0d89c70) at 
 /var/src/sys/amd64/amd64/trap.c:852
 #13 0x8043f38b in Xfast_syscall () at 
 /var/src/sys/amd64/amd64/exception.S:290
 #14 0x00080095f34c in ?? ()
 Previous frame inner to this frame (corrupt stack?)
 
 What is the exact version of the system ? Note that procstat
 appeared in the late RELENG_7.
 FreeBSD 7.0-STABLE #0: Sat Mar  8 16:02:37 EST 2008
 
 Also, show the output of ps axl pid.
  UID   PID  PPID CPU PRI NI   VSZ   RSS MWCHAN STAT  TT   TIME COMMAND
0 79759 79758   0  96  0 016 -  DE+   p60:00,00 
 /bin/tcsh -fc 
 /meow/ports/editors/openoffice.org-3/work/BEB300_m3/solver/300/unxfbsdx.pro/bin/ma

It makes sense to show the whole ps axl output.
 
 Yours,
 
-mi


pgpAvegd51ob6.pgp
Description: PGP signature

Re: sleeping without queue ?

[Kostik Belousov]

On Tue, Jul 22, 2008 at 01:09:28PM -0400, Mikhail Teterin wrote:
 Kris Kennaway написав(ла):
 Mikhail Teterin wrote:
 Kris Kennaway написав(ла):
 Well, I mean kernel backtrace.
 Can I obtain that remotely and without restarting/panicking the box? 
 Thanks,
 kgdb on /dev/mem or procstat
[EMAIL PROTECTED]:~ (107) kgdb /boot/kernel/kernel /dev/mem
[...]
(kgdb) bt
#0  0x in ?? ()
Error accessing memory address 0x0: Bad address.
 
 Even less luck with procstat:
 
[EMAIL PROTECTED]:~ (108) locate procstat
[EMAIL PROTECTED]:~ (109) procstat
procstat: Нев?дома команда.
[EMAIL PROTECTED]:~ (110) man procstat
No manual entry for procstat
 
 I'm sorry, but you'll need to be more specific. What should I type? Thanks,

Did you switched to the process before doing backtrace (using the proc pid
command) ? What is the exact version of the system ? Note that procstat
appeared in the late RELENG_7.

Also, show the output of ps axl pid.


pgpHpbt1prlWo.pgp
Description: PGP signature

Re: sleeping without queue ?

[Mikhail Teterin]

Kostik Belousov написав(ла):

On Tue, Jul 22, 2008 at 03:26:29PM -0400, Mikhail Teterin wrote:

Kostik Belousov написав(ла):
Did you switched to the process before doing backtrace (using the proc 
pid

command)?

Ok, thanks. Did not know about this one. Here:
...
(kgdb) proc 79759
(kgdb) bt
#0  sched_switch (td=0xff01286dc000, newtd=0xff00010ce000, 
flags=2) at /var/src/sys/kern/sched_4bsd.c:928

#1  0x in ?? ()
#2  0x802f1108 in mi_switch (flags=678281216, newtd=0x2) at 
/var/src/sys/kern/kern_synch.c:442
#3  0x80318513 in sleepq_check_timeout () at 
/var/src/sys/kern/subr_sleepqueue.c:519
#4  0x80318c85 in sleepq_timedwait (wchan=0x80688408) at 
/var/src/sys/kern/subr_sleepqueue.c:597
#5  0x802f16a2 in _sleep (ident=0x80688408, lock=0x0, 
priority=0, wmesg=0x804f3059 vmo_de, timo=1) at 
/var/src/sys/kern/kern_synch.c:224
#6  0x8043036b in vm_object_deallocate 
(object=0xff0053024a90) at /var/src/sys/vm/vm_object.c:509

From this frame, please, print the object (like p *object) and
likewise, print the object that is at the head of the object-shadow_head
list.

kgdb /usr/obj/var/src/sys/SILVER-SMP/kernel.debug /dev/mem
[GDB will not be able to debug user-mode threads: 
/usr/lib/libthread_db.so: Undefined symbol ps_pglobal_lookup]

GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain 
conditions.

Type show copying to see the conditions.
There is absolutely no warranty for GDB.  Type show warranty for details.
This GDB was configured as amd64-marcel-freebsd.
There is no member named pathname.
Reading symbols from /opt/modules/fuse.ko...done.
Loaded symbols for /opt/modules/fuse.ko
Reading symbols from /opt/modules/rtc.ko...done.
Loaded symbols for /opt/modules/rtc.ko
Reading symbols from /boot/kernel/snd_ich.ko...Reading symbols from 
/boot/kernel/snd_ich.ko.symbols...done.

done.
Loaded symbols for /boot/kernel/snd_ich.ko
Reading symbols from /boot/kernel/msdosfs.ko...Reading symbols from 
/boot/kernel/msdosfs.ko.symbols...done.

done.
Loaded symbols for /boot/kernel/msdosfs.ko
#0  0x in ?? ()
(kgdb) frame 6
Error accessing memory address 0x0: Bad address.
(kgdb) pid 79759
Undefined command: pid.  Try help.
(kgdb) proc 79759
(kgdb) frame 6
#6  0x8043036b in vm_object_deallocate 
(object=0xff0053024a90) at /var/src/sys/vm/vm_object.c:509

509 pause(vmo_de, 1);
(kgdb) p *object
$1 = {mtx = {lock_object = {lo_name = 0x804f21c4 vm object, 
lo_type = 0x804f3018 standard object, lo_flags = 21168128, 
lo_witness_data = {
   lod_list = {stqe_next = 0x0}, lod_witness = 0x0}}, mtx_lock = 4, 
mtx_recurse = 0}, object_list = {tqe_next = 0xff0005018a90,
   tqe_prev = 0xff00539a6850}, shadow_head = {lh_first = 
0xff005d3afa90}, shadow_list = {le_next = 0x0, le_prev = 
0xff005d2cd048}, memq = {
   tqh_first = 0xff007eb9fa58, tqh_last = 0xff007f864820}, root 
= 0xff007ee14d38, size = 427, generation = 66, ref_count = 2, 
shadow_count = 1,
 type = 0 '\0', flags = 256, pg_color = 0, paging_in_progress = 0, 
resident_page_count = 44, backing_object = 0x0, backing_object_offset = 
0, pager_object_list = {
   tqe_next = 0x0, tqe_prev = 0x0}, cache = 0x0, handle = 0x0, un_pager 
= {vnp = {vnp_size = 576646}, devp = {devp_pglist = {tqh_first = 0x8cc86,

   tqh_last = 0x0}}, swp = {swp_bcount = 576646}}}
(kgdb) p (object-shadow_head)
$2 = {lh_first = 0xff005d3afa90}
(kgdb) p *object-shadow_head.lh_first
$3 = {mtx = {lock_object = {lo_name = 0x804f21c4 vm object, 
lo_type = 0x804f3018 standard object, lo_flags = 21168128, 
lo_witness_data = {
   lod_list = {stqe_next = 0x0}, lod_witness = 0x0}}, mtx_lock = 4, 
mtx_recurse = 0}, object_list = {tqe_next = 0xff0066c32340,
   tqe_prev = 0xff012f673ac0}, shadow_head = {lh_first = 0x0}, 
shadow_list = {le_next = 0x0, le_prev = 0xff0053024ad0}, memq = {
   tqh_first = 0xff007779f9a0, tqh_last = 0xff0077c04140}, root 
= 0xff0077c04130, size = 387, generation = 3, ref_count = 1, 
shadow_count = 0,
 type = 0 '\0', flags = 8452, pg_color = 0, paging_in_progress = 0, 
resident_page_count = 2, backing_object = 0xff0053024a90, 
backing_object_offset = 163840,
 pager_object_list = {tqe_next = 0x0, tqe_prev = 0x0}, cache = 0x0, 
handle = 0x0, un_pager = {vnp = {vnp_size = 365278}, devp = {devp_pglist = {

   tqh_first = 0x592de, tqh_last = 0x0}}, swp = {swp_bcount = 365278}}}




Another question is what scheduler do you use ?

options SCHED_4BSD  # 4BSD scheduler
options PREEMPTION  # Enable kernel thread preemption


Also, show the output of ps axl pid.

 UID   PID  PPID CPU PRI NI   VSZ   RSS MWCHAN STAT  TT   TIME COMMAND
  

6.3-RELEASE-p3 recurring panics on multiple SM PDSMi+

[Royce Williams]

We have 10 SuperMicro PDSMi+ 5015M-MTs that are panic'ing every few
days.  This started shortly after upgrade from 6.2-RELEASE to
6.3-RELEASE with freebsd-update.

Other than switching to a debugging kernel, a little sysctl tuning,
and patching with freebsd-update, they are stock.  The debugging
kernel was built from source that is also being patched with
freebsd-update.

These systems are running postfix and Courier imapd for an ISP with a
userbase on the order of 10^4 users.  They use gmirror, but the
mailstore is over NFS.  That NFS server is under pretty high load.
All of the servers with this app and load pattern are panic'ing.

I have little experience with kernel debugging, but the box in
question is out of our farm and available for testing, and I am
motivated to cooperate. :-)

The full debugging kernel options I used are:

include SMP
options KDB
options KDB_TRACE
options DDB
options BREAK_TO_DEBUGGER
options WITNESS
options WITNESS_SKIPSPIN


db trace
Tracing pid 71182 tid 100325 td 0xcc08b180
kdb_enter(c095f294) at kdb_enter+0x2b
panic(c09768ad,1000,1400,c145bc88,1000,...) at panic+0x127
kmem_malloc(c14680c0,1000,102,eba6a8cc,c07e3fa5,...) at kmem_malloc+0x89
page_alloc(c1453780,1000,eba6a8bf,102,c06b8a84,...) at page_alloc+0x1a
slab_zalloc(c1453780,102,c14537e0,c1453780,c1460d5c,...) at
slab_zalloc+0xa1
uma_zone_slab(c1453780,2) at uma_zone_slab+0xf0
uma_zalloc_bucket(c1453780,2) at uma_zalloc_bucket+0x11c
uma_zalloc_arg(c1453780,0,2) at uma_zalloc_arg+0x24c
cache_enter(cd02c220,c9e62880,eba6a9fc) at cache_enter+0xa6
nfs_readdirplusrpc(cd02c220,eba6aa60,cc0ab880) at nfs_readdirplusrpc+0x6a6
nfs_doio(cd02c220,dce59668,cc0ab880,cc08b180,dce59668,...) at
nfs_doio+0x20f
nfs_bioread(cd02c220,eba6acb0,0,cc0ab880) at nfs_bioread+0xa64
nfs_readdir(eba6ac90) at nfs_readdir+0xe6
VOP_READDIR_APV(c09ebbc0,eba6ac90) at VOP_READDIR_APV+0x38
getdirentries(cc08b180,eba6ad04) at getdirentries+0x146
syscall(3b,3b,3b,9085f00,9085f00,...) at syscall+0x22f
Xint0x80_syscall() at Xint0x80_syscall+0x1f
--- syscall (196, FreeBSD ELF32, getdirentries), eip = 0xb825a79b, esp
= 0xbfbfa1fc, ebp = 0xbfbfa228 ---



Royce

-- 
Royce D. Williams   - http://royce.ws/
  I don't like that man. I must get to know him better. - A. Lincoln

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: FreeBSD 7.1 and BIND exploit

[Kevin Oberman]

 Date: Tue, 22 Jul 2008 12:52:15 -0500
 From: Paul Schmehl [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]
 
 --On Tuesday, July 22, 2008 10:27:42 -0700 Doug Barton [EMAIL PROTECTED] 
 wrote:
 
  Matthew Seaman wrote:
 
  Are there any plans to enable DNSSEC capability in the resolver built
  into FreeBSD?
 
  The server is already capable of it. I'm seriously considering enabling the
  define to make the CLI tools (dig/host/nslookup) capable as well (there is
  already an OPTION for this in ports).
 
  The problem is that _using_ DNSSEC requires configuration changes in
  named.conf, and more importantly, configuration of trust anchors (even for
  the command line stuff) since the root is not signed. It's not hard to do
  that with the DLV system that ISC has in place, and I would be willing to
  create a conf file that shows how to do that for users to include if they
  choose to. I am not comfortable enabling it by default (not yet anyway), 
  it's
  too big of a POLA issue.
 
 
 I just played around with it recently.  It's not that easy to understand 
 initially *and* the trust anchors thing is a royal PITA.

No one is likely to argue with that statement!

 Once you implement DNSSEC you *must* generate keys every 30 days.  So,
 I think, if you're going to enable it by default, there needs to be a
 script in periodic that will do all the magic to change keys every 30
 days.  Maybe put vars in /etc/rc.conf to override the default key
 lengths and other portions of the commands that could change per
 installation.

No, you don't HAVE to generate keys every 30 days, but you should if you
want real security. Still, for a while, until the infrastructure is
complete enough to make DNSSEC really of value to the end user, just
getting signed domains with keys published in an easily accessed place
is at least getting things started and getting the infrastructure
moving.

Rolling keys is a rather tricky operation where mistakes, once DNSSEC
makes it to the end user, would be disastrous, so it would require a
couple of scripts, one to set a new key and another to remove the old
one. You need both key present for a period of time.

 If I were to implement it, I'd write a shell script to turn the keys
 over and cron it because doing it manually every 30 days ain't gonna
 happen.  Too many ways to forget to do it.  (I did the same for the
 root servers so that named.ca gets updated automagically every month.)

And that is FAR less important than the signatures. (named.ca could be
updated once a year and be just fine.)

 But until root is signed, it's not worth it for those of us who don't
 have dedicated staff doing dns only.

Work continues on getting the root signed, but it .com and .net that
present the really big problems. The root delay is mostly political, not
technical. .com and .net are both.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: [EMAIL PROTECTED]   Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751


pgpvlKF3Qz7qt.pgp
Description: PGP signature

Re: 6.3-RELEASE-p3 recurring panics on multiple SM PDSMi+

[Kris Kennaway]

Royce Williams wrote:


db trace
Tracing pid 71182 tid 100325 td 0xcc08b180
kdb_enter(c095f294) at kdb_enter+0x2b
panic(c09768ad,1000,1400,c145bc88,1000,...) at panic+0x127
kmem_malloc(c14680c0,1000,102,eba6a8cc,c07e3fa5,...) at kmem_malloc+0x89


You forgot to include the panic, but this is probably the kmem_map too 
small panic.  It says that your kernel ran out of memory, and the 
solution is to fix that situation by giving more memory to the kernel. 
Increase the vm.kmem_size tunable until your system stops running out of 
memory on your workload.


Kris

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: FreeBSD 7.1 and BIND exploit

[Paul Schmehl]

--On Tuesday, July 22, 2008 13:07:20 -0700 Kevin Oberman [EMAIL PROTECTED] 
wrote:



Once you implement DNSSEC you *must* generate keys every 30 days.  So,
I think, if you're going to enable it by default, there needs to be a
script in periodic that will do all the magic to change keys every 30
days.  Maybe put vars in /etc/rc.conf to override the default key
lengths and other portions of the commands that could change per
installation.


No, you don't HAVE to generate keys every 30 days, but you should if you
want real security.


For me that means must.  :-)

Someone needs to write a really good tutorial on dnssec.  The bits and pieces 
are scattered about the web, but explanations of now to publish your keys, to 
whom they need to be published and what is involved in the ongoing maintenance 
are lacking.  Especially a clear explanation of what is required to run both 
keyed and legacy dns at the same time.



Still, for a while, until the infrastructure is
complete enough to make DNSSEC really of value to the end user, just
getting signed domains with keys published in an easily accessed place
is at least getting things started and getting the infrastructure
moving.



Where do you publish the keys?


Rolling keys is a rather tricky operation where mistakes, once DNSSEC
makes it to the end user, would be disastrous, so it would require a
couple of scripts, one to set a new key and another to remove the old
one. You need both key present for a period of time.



I'd not read that.  Can you explain?  I thought you simply overwrote the 
existing keys with the new ones (in the zone file.)  In fact I was thinking 
that an $INCLUDE would make a great deal more sense.  I didn't realize you had 
to retain the old keys for a while.  That complicates matters significantly.


BTW, I think without those scripts (or at least examples) you'll find adoption 
will be a great deal slower.  Many people that need to run dns are far from 
experts and often intimidated by its complexity - especially the complexity of 
dnssec.


--
Paul Schmehl
As if it wasn't already obvious,
my opinions are my own and not
those of my employer.

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: ACPI regression on recent 7.0-STABLE: HPET stops working

[John Baldwin]

On Tuesday 22 July 2008 04:37:51 am Oleg V. Nauman wrote:
 Quoting John Baldwin [EMAIL PROTECTED]:
 
  On Monday 21 July 2008 06:07:52 am Oleg V. Nauman wrote:
  Quoting Oleg V. Nauman [EMAIL PROTECTED]:
 
   Quoting Jeremy Chadwick [EMAIL PROTECTED]:
  
   On Sat, Jul 19, 2008 at 10:03:15AM +0300, Oleg V. Nauman wrote:
   It seems to be something was changed with ACPI support on 7.0-STABLE 
so
   my next system upgrade ended with ACPI HPET not working anymore on my
   ASUS A9Rp laptop.
  
   Here is the part of /var/log/dmesg.today dated July 13:
  
   FreeBSD 7.0-STABLE #65: Tue Jul  8 22:05:07 EEST 2008
  [EMAIL PROTECTED]:/usr/src/sys/i386/compile/oleg2
   [..]
   acpi0: A M I OEMRSDT on motherboard
   acpi0: Overriding SCI Interrupt from IRQ 9 to IRQ 21
   acpi0: [ITHREAD]
   acpi0: Power Button (fixed)
   acpi0: reservation of 0, a (3) failed
   acpi0: reservation of 10, 77f0 (3) failed
   Timecounter ACPI-safe frequency 3579545 Hz quality 850
   acpi_timer0: 32-bit timer at 3.579545MHz port 0x808-0x80b on acpi0
   acpi_ec0: Embedded Controller: GPE 0x18 port 0x62,0x66 on acpi0
   acpi_hpet0: High Precision Event Timer iomem
   0xfed0-0xfed003ff on acpi0
   Timecounter HPET frequency 14318180 Hz quality 900
  
   Here is the fresh dmesg output info:
  
   FreeBSD 7.0-STABLE #66: Tue Jul 15 22:11:27 EEST 2008
  [EMAIL PROTECTED]:/usr/src/sys/i386/compile/oleg2
   [..]
   acpi0: A M I OEMRSDT on motherboard
   acpi0: Overriding SCI Interrupt from IRQ 9 to IRQ 21
   acpi0: [ITHREAD]
   acpi0: Power Button (fixed)
   acpi0: reservation of 0, a (3) failed
   acpi0: reservation of 10, 77f0 (3) failed
   Timecounter ACPI-safe frequency 3579545 Hz quality 850
   acpi_timer0: 32-bit timer at 3.579545MHz port 0x808-0x80b on acpi0
   [..]
   acpi_hpet0: High Precision Event Timer iomem
   0xfed0-0xfed003ff on acpi0
   device_attach: acpi_hpet0 attach returned 12
  
   And the part of actual sysctl kern.timecounter output:
  
   kern.timecounter.choice: TSC(800) ACPI-safe(850) i8254(0)
  dummy(-100)
   kern.timecounter.hardware: ACPI-safe
  
   Seems okay here:
  
   FreeBSD icarus.home.lan 7.0-STABLE FreeBSD 7.0-STABLE #0: Sat Jul
   12  10:53:08 PDT 2008
   [EMAIL PROTECTED]:/usr/obj/usr/src/sys/PDSMI_PLUS_amd64  amd64
  
   acpi_timer0: 24-bit timer at 3.579545MHz port 0x1008-0x100b on acpi0
   acpi_hpet0: High Precision Event Timer iomem
   0xfed0-0xfed003ff on acpi0
   Timecounter i8254 frequency 1193182 Hz quality 0
   Timecounter ACPI-fast frequency 3579545 Hz quality 1000
   Timecounter HPET frequency 14318180 Hz quality 900
   Timecounters tick every 1.000 msec
  
   kern.timecounter.choice: TSC(-100) HPET(900) ACPI-fast(1000)
   i8254(0) dummy(-100)
   kern.timecounter.hardware: ACPI-fast
  
   You sure you haven't upgraded your BIOS or something and forgot to
   re-enable HPET?
  
No it was not upgraded.. Have no option to enable/disable HPET through
   BIOS settings though
 
I was unclear a bit or so. There are no ACPI related settings in my
  laptop's BIOS.
 
Well.. Backout 1.243.2.3 revision of /usr/src/sys/dev/acpica/acpi.c
  (committed to RELENG_7 at July 10 by jhb) fixes this issue for me:
 
  acpi_hpet0: High Precision Event Timer iomem 0xfed0-0xfed003ff on
  acpi0
  Timecounter HPET frequency 14318180 Hz quality 900
 
  kern.timecounter.choice: TSC(800) HPET(900) ACPI-safe(850) i8254(0)
  dummy(-100)
  kern.timecounter.hardware: HPET
 
Hopefully it helps to understand what is went wrong there.
 
  Ok, so the attempt to allocate the resource is failing for some reason.  
Can
  you get output from 'devinfo -r' and 'devinfo -u'?
 
 ...

 Will not provide with full listings but just a diff comparing two  
 states (this good one with HPET working and bad w/o it):
 
 rainhaven# diff devinfo.r.good devinfo.r.bad
 177,179d176
  acpi_hpet0
  I/O memory addresses:
  0xfed0-0xfed003ff
 
 rainhaven# diff devinfo.u.good devinfo.u.bad
 128c128
  0xfed0-0xfed003ff (acpi_hpet0)
 ---
  0xfed0-0xfed003ff (ichsmb0)
 
   So kernel with 1.243.2.3 revision of /usr/src/sys/dev/acpica/acpi.c  
 allocates the region required to ichsmb0 instead HPET (it not helps to  
 ichsmb0 because it never was working on my laptop but it is another  
 story I think).
 
 Thank you for looking into.

Hmm, so ichsmb0 doesn't show up at all in your earlier dmesg.   Try this 
change, it restores the probe orders to be more of what they used to be and 
just gives CPUs a really high probe order so that they should be after other 
devices.

Index: acpi.c
===
RCS file: /usr/cvs/src/sys/dev/acpica/acpi.c,v
retrieving revision 1.248
diff -u -r1.248 acpi.c
--- acpi.c  7 Apr 2008 18:35:11 -   1.248
+++ acpi.c  22 Jul 2008 19:12:56 -
@@ -1531,8 +1531,7 @@
  * 1. I/O port and memory system resource holders
  * 2. Embedded controllers (to 

Re: 6.3-RELEASE-p3 recurring panics on multiple SM PDSMi+

[Royce Williams]

Kris Kennaway wrote, on 7/22/2008 12:12 PM:
 Royce Williams wrote:
 
 db trace
 Tracing pid 71182 tid 100325 td 0xcc08b180
 kdb_enter(c095f294) at kdb_enter+0x2b
 panic(c09768ad,1000,1400,c145bc88,1000,...) at panic+0x127
 kmem_malloc(c14680c0,1000,102,eba6a8cc,c07e3fa5,...) at kmem_malloc+0x89
 
 You forgot to include the panic

Is there is a way to get the panic after dropping into the debugger?
This serial console setup has no scrollback, so I couldn't see the
preceding text.

 but this is probably the kmem_map too small panic.  

Ah, I see this now, at faq/book.html#KMEM-MAP-TOO-SMALL:

Compile your own kernel, and add the VM_KMEM_SIZE_MAX to your kernel
configuration file, increasing the maximum size to 400 MB (options
VM_KMEM_SIZE_MAX=419430400). 400 MB appears to be sufficient for
machines with up to 6 GB of memory.


 It says that your kernel ran out of memory, and the
 solution is to fix that situation by giving more memory to the kernel.
 Increase the vm.kmem_size tunable until your system stops running out of
 memory on your workload.

Comparing the FAQ, kern_malloc.c and your mentioning it as tunable,
please clarify: is the Right Thing to do to use vm.kmem_size, or
vm.kmem_size_max?

I tried vm.kmem_size_max, which yields:

# sysctl -a | grep kmem
vm.kmem_size: 419430400
vm.kmem_size_max: 419430400
vm.kmem_size_scale: 3


Should I contribute some additional language to the FAQ, saying that
the vm.kmem_size[_max] tunable can be used without recompiling the kernel?

Royce


-- 
Royce D. Williams   - http://royce.ws/
Reproof should not exhaust its power upon petty failings. - S. Johnson
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: ACPI regression on recent 7.0-STABLE: HPET stops working

[Dimitry Andric]

On 2008-07-22 00:00, John Baldwin wrote:
 On Monday 21 July 2008 06:07:52 am Oleg V. Nauman wrote:
   Well.. Backout 1.243.2.3 revision of /usr/src/sys/dev/acpica/acpi.c  
 (committed to RELENG_7 at July 10 by jhb) fixes this issue for me:

 acpi_hpet0: High Precision Event Timer iomem 0xfed0-0xfed003ff on 
 acpi0
 Timecounter HPET frequency 14318180 Hz quality 900

 kern.timecounter.choice: TSC(800) HPET(900) ACPI-safe(850) i8254(0)  
 dummy(-100)
 kern.timecounter.hardware: HPET

   Hopefully it helps to understand what is went wrong there.
 
 Ok, so the attempt to allocate the resource is failing for some reason.  Can 
 you get output from 'devinfo -r' and 'devinfo -u'?

FWIW, I've tried acpi.c revs 1.243.2.1 through 1.243.2.3, and all give
the same result:

acpi_hpet0: High Precision Event Timer iomem 0xfe80-0xfe8003ff on acpi0
device_attach: acpi_hpet0 attach returned 12

E.g. it looks like bus_alloc_resource_any() in acpi_hpet_attach()
fails, but no idea why?  Anyway, devinfo -r and -u give:

nexus0
  apic0
  ram0
  I/O memory addresses:
  0x0-0x9efff
  0x10-0x1eed
  npx0
  acpi0
  Interrupt request lines:
  9
  I/O ports:
  0x10-0x1f
  0x22-0x3f
  0x44-0x5f
  0x62-0x63
  0x65-0x6f
  0x74-0x7f
  0x91-0x93
  0xa2-0xbf
  0xe0-0xef
  0x290-0x297
  0x400-0x47f
  0x4d0-0x4d1
  0x500-0x50f
  0x800-0x805
  I/O memory addresses:
  0xf-0xf
  0x1eee-0x1eef
  0xfe80-0xfe8000ff
  0xfea0-0xfea000ff
  0xfec0-0xfecf
  0xfee0-0xfeef
  0xfff8-0xfffe
  0x-0x
cpu0
ACPI I/O ports:
0x414
0x415
  acpi_perf0
  est0
  p4tcc0
  cpufreq0
acpi_button0
acpi_sysresource0
pcib0
  pci0
hostb0
I/O memory addresses:
0xe800-0xefff
hostb1
hostb2
hostb3
hostb4
hostb5
pcib1
  pci1
vgapci0
I/O memory addresses:
0xf400-0xf7ff
0xfb00-0xfbff
re0
Interrupt request lines:
18
I/O ports:
0xf000-0xf0ff
I/O memory addresses:
0xfdfff000-0xfdfff0ff
  miibus0
rgephy0
re1
Interrupt request lines:
19
I/O ports:
0xf200-0xf2ff
I/O memory addresses:
0xfdffe000-0xfdffe0ff
  miibus1
rgephy1
atapci0
Interrupt request lines:
20
I/O ports:
0xf400-0xf4ff
0xfb00-0xfb0f
0xfc00-0xfc03
0xfd00-0xfd07
0xfe00-0xfe03
0xff00-0xff07
  ata2
ad4
  subdisk4
  ata3
ad6
  subdisk6
atapci1
I/O ports:
0x170-0x177
0x1f0-0x1f7
0x376
0x3f6
0xfa00-0xfa0f
  ata0
  Interrupt request lines:
  14
  ata1
  Interrupt request lines:
  15
uhci0
Interrupt request lines:
21
I/O ports:
0xf900-0xf91f
  usb0
uhub0
uhci1
I/O ports:
0xf800-0xf81f
  usb1
uhub1
uhci2
I/O ports:
0xf700-0xf71f
  usb2
uhub2
uhci3
I/O ports:
0xf600-0xf61f
  usb3
uhub3
ehci0
I/O memory addresses:
0xfdffd000-0xfdffd0ff
  usb4
uhub4
isab0
  isa0
atkbdc0
I/O ports:
0x60
0x64
  atkbd0
  Interrupt request lines:
  1
sc0
vga0
I/O ports:
0x3c0-0x3df
I/O memory addresses:
0xa-0xb
orm0
I/O memory addresses:
0xc-0xcf7ff
pmtimer0
acpi_sysresource1
acpi_sysresource2
pci_link0
pci_link1
pci_link2
pci_link3
pci_link4
pci_link5
pci_link6
pci_link7
pci_link8
pci_link9
pci_link10
pci_link11
acpi_sysresource3
atpic0
atdma0
attimer0
attimer1
npxisa0
uart0
Interrupt request lines:
4
I/O ports:
0x3f8-0x3ff
uart1
Interrupt request lines:
3
I/O ports:
   

Re: FreeBSD 7.1 and BIND exploit

[Kevin Oberman]

 Date: Tue, 22 Jul 2008 15:30:53 -0500
 From: Paul Schmehl [EMAIL PROTECTED]
 
 --On Tuesday, July 22, 2008 13:07:20 -0700 Kevin Oberman [EMAIL PROTECTED] 
 wrote:
 
  Once you implement DNSSEC you *must* generate keys every 30 days.  So,
  I think, if you're going to enable it by default, there needs to be a
  script in periodic that will do all the magic to change keys every 30
  days.  Maybe put vars in /etc/rc.conf to override the default key
  lengths and other portions of the commands that could change per
  installation.
 
  No, you don't HAVE to generate keys every 30 days, but you should if you
  want real security.
 
 For me that means must.  :-)
 
 Someone needs to write a really good tutorial on dnssec.  The bits and
 pieces are scattered about the web, but explanations of now to publish
 your keys, to whom they need to be published and what is involved in
 the ongoing maintenance are lacking.  Especially a clear explanation
 of what is required to run both keyed and legacy dns at the same
 time.

I can't imagine why anyone would want to run both. Resolvers which don't
know how to check signatures simple don't do so and everything still
works.

A pretty good, though somewhat outdated tutorial can be found in NIST
SP800-81. It's pretty readable and tells you how to generate keys and
sign a zone properly.
http://csrc.nist.gov/publications/nistpubs/800-81/SP800-81.pdf

  Still, for a while, until the infrastructure is
  complete enough to make DNSSEC really of value to the end user, just
  getting signed domains with keys published in an easily accessed place
  is at least getting things started and getting the infrastructure
  moving.
 
 
 Where do you publish the keys?

I have not done so at this time. We have a DNS system that does not
quite support DNSSEC, although that should be resolved shortly.
NIST simply puts theirs on a web page. This is not a good long-term
answer, but is adequate for growing the infrastructure and letting
people play with it.

DNSSEC really needs to be ready now, but it's simply not, so we need to
get some sort of start and more experience in using it. I have a test
server that is signed and that I am playing with and I hope that I will
be able to sign our production zones in the next few months.

Our plan is to buy a network appliance to do the key generation, signing
and key rolls.

  Rolling keys is a rather tricky operation where mistakes, once DNSSEC
  makes it to the end user, would be disastrous, so it would require a
  couple of scripts, one to set a new key and another to remove the old
  one. You need both key present for a period of time.
 
 
 I'd not read that.  Can you explain?  I thought you simply overwrote
 the existing keys with the new ones (in the zone file.)  In fact I was
 thinking that an $INCLUDE would make a great deal more sense.  I
 didn't realize you had to retain the old keys for a while.  That
 complicates matters significantly.

Since data in cached, you can't simply replace the key and not have
failures when the cached old keys are used to try to verify newly received
data.

You need to have the old key remain valid for the length of your longest
TTL.

Note: I am not a DNSSEC expert at all. I have been playing with it for
over a year, but have been unable to actually use it in production
because of our DNS management software which does not support
DNSSEC. Hopefully everything I said is correct, but it would be best to
verify things before basing much on it.

 BTW, I think without those scripts (or at least examples) you'll find
 adoption will be a great deal slower.  Many people that need to run
 dns are far from experts and often intimidated by its complexity -
 especially the complexity of dnssec.

I completely agree that you are right. DNSSEC is not trivial to manage
and, while managing it does not require any detailed knowledge of how it
works, it does take careful planning and some education for those who
will be working with it.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: [EMAIL PROTECTED]   Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751


pgpttofZiTPsb.pgp
Description: PGP signature

Re: 6.3-RELEASE-p3 recurring panics on multiple SM PDSMi+

[Kris Kennaway]

Royce Williams wrote:

Kris Kennaway wrote, on 7/22/2008 12:12 PM:

Royce Williams wrote:


db trace
Tracing pid 71182 tid 100325 td 0xcc08b180
kdb_enter(c095f294) at kdb_enter+0x2b
panic(c09768ad,1000,1400,c145bc88,1000,...) at panic+0x127
kmem_malloc(c14680c0,1000,102,eba6a8cc,c07e3fa5,...) at kmem_malloc+0x89

You forgot to include the panic


Is there is a way to get the panic after dropping into the debugger?
This serial console setup has no scrollback, so I couldn't see the
preceding text.


You can either show msgbuf, or x/x panicstr and then x/s 0x 
where that is the hex value from the previous step.  The latter only 
diplays the format string and not the arguments, but on i386 you can 
read them off from the panic() line in the stack trace.  Actually on 
i386 the panicstr is the first argument (0xc09768ad here).


but this is probably the kmem_map too small panic.  


Ah, I see this now, at faq/book.html#KMEM-MAP-TOO-SMALL:

Compile your own kernel, and add the VM_KMEM_SIZE_MAX to your kernel
configuration file, increasing the maximum size to 400 MB (options
VM_KMEM_SIZE_MAX=419430400). 400 MB appears to be sufficient for
machines with up to 6 GB of memory.



It says that your kernel ran out of memory, and the
solution is to fix that situation by giving more memory to the kernel.
Increase the vm.kmem_size tunable until your system stops running out of
memory on your workload.


Comparing the FAQ, kern_malloc.c and your mentioning it as tunable,
please clarify: is the Right Thing to do to use vm.kmem_size, or
vm.kmem_size_max?


kmem_size_max is used for automatically tuning based on RAM size.  To 
increase the actual value explicitly you just need to tune vm.kmem_size.



I tried vm.kmem_size_max, which yields:

# sysctl -a | grep kmem
vm.kmem_size: 419430400
vm.kmem_size_max: 419430400
vm.kmem_size_scale: 3


Should I contribute some additional language to the FAQ, saying that
the vm.kmem_size[_max] tunable can be used without recompiling the kernel?


Yes, that would be fantastic!  I would also note that the loader tunable 
is usually more convenient since it doesn't require a kernel recompile, 
and probably reword the claim about 400MB: the memory needed depends 
very much on the workload you are giving your kernel, so the best advice 
is to increase the value until you determine empirically how much you 
need (i.e. the memory exhaustion stops).


You can also use 400M notation for loader tunables which is often more 
convenient.


Thanks,
Kris

Kris
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: unable to boot 7.0-RELEASE cdrom on supermicro 5015b-mt

[Jeremy Chadwick]

On Tue, Jul 22, 2008 at 06:47:34PM +0100, ian j hart wrote:
 On Tuesday 22 July 2008 17:37:24 Jeremy Chadwick wrote:
  On Tue, Jul 22, 2008 at 05:27:52PM +0100, ian j hart wrote:
   Same hardware as my other thread.
   http://www.supermicro.com/products/system/1U/5015/SYS-5015B-MT.cfm
  
   [using 2Gb RAM and SATA in legacy mode]
  
   I'd like to focus only on making the CDROM boot complete.
  
   Summary: hangs just after the CPUs are launched.
  
   6.2-RELEASE   works okay, no AHCI support
   6.3-RELEASE   works okay
   7.0-RELEASE   hangs
   7.0-STABLE-200806-SNAPSHOThangs
   8.0-CURRENT-200806-SNAPSHOT   hangs
  
   I thought I could do a binary search using the current snapshot boot-only
   CDs but they only go back to March. Are there any older ones available?
 
  Have you tried disabling ACPI to see if it makes any sort of difference?
 
 Yes, but I'm happy to re-try.
 
 Which method is best? Or is it 1 + 2 or 3?
 
 1) BIOS
 2) Beastie menu option
 3) loader prompt set hint

Item #2 is the easiest.  You should really be able to leave the BIOS
settings at their defaults (Factory Defaults) and have this system work
on FreeBSD.

Items #2 and #3 are the same.  The loader menu option for disabling ACPI
simply sets the hint.

  Also, AHCI should work just fine on those systems -- I know because I
  have fairly extensive experience with Supermicro hardware, although what
  you're using is newer than what I presently have.  I don't know why
  you're setting Compatible/Legacy mode on your controller (you mention
  doing this in your other thread as well).
 
 Because I don't know what's wrong yet and AHCI support is newer than SATA 
 support and this is a newish board? [At least 6.2 doesn't seem to support it 
 and it has an AHCI legacy option!]
 
 I'd be happy to swap this over. Slight problem; the drives get renumbered, so 
 I'd rather not swap back and forth.

You *absolutely* should have AHCI enabled.  There's a lot of reasons
why, too.  I highly recommend avoiding the SATA Compatible mode.

AHCI should work fine on FreeBSD 6.3 as well as 7.0 -- I know, because
we have many Supermicro boards running those versions which do have AHCI
enabled.  Please use it, and stick with it.

Here's added proof that AHCI works fine on 6.3:

$ dmesg -a | grep -i ahci
atapci1: Intel AHCI controller port 
0x30e8-0x30ef,0x30dc-0x30df,0x30e0-0x30e7,0x30d8-0x30db,0x30b0-0x30bf mem 
0xe400-0xe7ff irq 19 at device 31.2 on pci0
atapci1: AHCI Version 01.10 controller with 4 ports detected
$ uname -r -s
FreeBSD 6.3-PRERELEASE

The adX device renumbering is expected.  There are workarounds for this,
but I recommend you simply enable AHCI.  Do not keep toggling it on/off.

  Below is what we use on our systems; factory defaults, then make the
  following changes.  (The G-LAN1 OPROM option you can do whatever you
  want with -- it's specific to our environment).
 
  * Main
  * Date
   -- Set to GMT, not local time!!!
  * Serial ATA
   -- SATA Controller Mode -- Enhanced
   -- SATA AHCI -- Enabled
 
  * Advanced
  * Boot Features
   -- Quiet Mode -- Disabled
   -- Enable Multimedia Timer -- Enabled
  * PCI Configuration
   -- Onboard G-LAN1 OPROM -- Disabled
   -- Large Disk Access Mode -- Other
  * Advanced Processor Options
   -- Intel(R) Virtualization Technology -- Enabled
   -- C1 Enhanced Mode -- Enabled
 
 I've got as close as I can to this.
 
 This board also has an AHCI legacy option [disabled] which hides ports 5 and 
 6. I also disabled quickboot and POST errors. I assume multimedia timer is 
 the same as HPET. Doesn't seem to be any disk translation option. I took the 
 fans off 'flat out'.

Okay, I've had a chance to review the board manual that comes with the
X7SBi.  You should set the following:

Serial ATA: Enabled
Native Mode Operation: Serial ATA
SATA AHCI: Enabled
SATA AHCI Legacy: Disabled

The name SATA AHCI Legacy a horrible name for what it does.  The ICH9
itself has support for 6 SATA ports, but (if I remember correctly, based
on reading some Intel design documents) there are extra registers you
have to tweak to get those ports to work, and the OS has to be fully
aware of how to do that.  The BIOS option simply disables SATA ports 5
and 6 altogether; the underlying OS never sees them.  I'd recommend
keeping that setting Disabled (the default) unless you have disks on
those ports (I don't see how, since it's a 4-disk system!).

I don't think this option is what's causing you problems, though.

Multimedia Timer is indeed HPET.  Looks like they changed the name to
be more reflective of what it actually is.

The Large Disk Access mode does appear to be missing from that BIOS,
probably for a good reason.  I can enable/disable it on our boards with
no repercussions (the options are DOS and Other, which is why I
choose Other).  I'm not entirely sure what it does.

As for your problem...

If the 

Re: FreeBSD 7.1 and BIND exploit

[Mark Andrews]

 --On Tuesday, July 22, 2008 10:27:42 -0700 Doug Barton [EMAIL PROTECTED] 
 wrote:
 
  Matthew Seaman wrote:
 
  Are there any plans to enable DNSSEC capability in the resolver built
  into FreeBSD?
 
  The server is already capable of it. I'm seriously considering enabling the
  define to make the CLI tools (dig/host/nslookup) capable as well (there is
  already an OPTION for this in ports).
 
  The problem is that _using_ DNSSEC requires configuration changes in
  named.conf, and more importantly, configuration of trust anchors (even fo
 r
  the command line stuff) since the root is not signed. It's not hard to do
  that with the DLV system that ISC has in place, and I would be willing to
  create a conf file that shows how to do that for users to include if they
  choose to. I am not comfortable enabling it by default (not yet anyway), it
 's
  too big of a POLA issue.
 
 
 I just played around with it recently.  It's not that easy to understand 
 initially *and* the trust anchors thing is a royal PITA.
 
 Once you implement DNSSEC you *must* generate keys every 30 days.  So, I thin
 k, 
 if you're going to enable it by default, there needs to be a script in period
 ic 
 that will do all the magic to change keys every 30 days.  Maybe put vars in 
 /etc/rc.conf to override the default key lengths and other portions of the 
 commands that could change per installation.

WRONG.

You need to re-sign the zone an expire period before the
signatures expire.  You need to generate new keys periodically
but no where near every 30 days.

KSKs annually.   This is what the TLD's are doing and that is
a very conservative exposure period.  In practice it could be
multiple years between key rollovers.  The reason it is done
this frequently is so humans don't forget what they need to do.

ZSKs are generally weaker than KSKs but again they don't need
to be done monthly.

 If I were to implement it, I'd write a shell script to turn the keys over and
 cron it because doing it manually every 30 days ain't gonna happen.  Too many
 ways to forget to do it.  (I did the same for the root servers so that named.
 ca 
 gets updated automagically every month.)
 
 But until root is signed, it's not worth it for those of us who don't have 
 dedicated staff doing dns only.

There are solutions to the root not being signed.

If all the TLD were signed the trust anchor work load would
not be too great to managed by hand.

For those that want a single trust anchor solution there
is DLV.

Sign your zone.  Add it to a DLV.  Ask you parent to sign
their zone.  If you don't sign you parent has no insentive
to sign.  This can be driven bottom up.  That is one of the
reasons why DLV was invented to provide incentive for the
parent zones to sign.

Mark

 -- 
 Paul Schmehl
 As if it wasn't already obvious,
 my opinions are my own and not
 those of my employer.
 
 ___
 freebsd-stable@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-stable
 To unsubscribe, send any mail to [EMAIL PROTECTED]
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: FreeBSD 7.1 and BIND exploit

[Mark Andrews]

 This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
 --enig5488BAD5E4511AF4D0C2864A
 Content-Type: text/plain; charset=ISO-8859-1; format=flowed
 Content-Transfer-Encoding: quoted-printable
 
 Doug Barton wrote:
  Matthew Seaman wrote:
 =20
  Are there any plans to enable DNSSEC capability in the resolver built =
 
  into FreeBSD?
 =20
  The server is already capable of it. I'm seriously considering enabling=
 =20
  the define to make the CLI tools (dig/host/nslookup) capable as well=20
  (there is already an OPTION for this in ports).
 
 Forgive me for being obtuse.  What I meant was the capability to enable c=
 hecking signatures on DNS RRs as a routine effect of getnameinfo() etc.
 by modifying resolver(3) routines or similar locally, without needing a
 DNSSEC enabled recursive resolver listed in resolv.conf?  I've a feeling
 the answer is no, but I haven't been able to find anything definitive.
 
 Which I suppose simply means that if you're in the habit of, for example,=
 =20
 taking your laptop into the coffee shop and getting on line there then yo=
 u=20
 need to run your own instance of named on your laptop rather than blindly=
 =20
 trusting whatever servers the coffee shop provides via their DHCP.

Use a local (on machine) validating caching nameserver.
 
  The problem is that _using_ DNSSEC requires configuration changes in=20
  named.conf, and more importantly, configuration of trust anchors (eve=
 n=20
  for the command line stuff) since the root is not signed. It's not hard=
 =20
  to do that with the DLV system that ISC has in place, and I would be=20
  willing to create a conf file that shows how to do that for users to=20
  include if they choose to. I am not comfortable enabling it by default =
 
  (not yet anyway), it's too big of a POLA issue.
 
 I sense a business opportunity in providing DLV there.  I'm wondering why=
 
 the likes of Verisign (including Thawte and Geotrust), Comodo group and=20
 GoDaddy aren't circling like vultures over a dead wildebeest.  Perhaps th=
 ey=20
 are.

You only need one DLV.  ISC is offering the service for free.
Donations welcome as it does cost to run the service.

   Cheers,
 
   Matthew
 
 --=20
 Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
   Flat 3
 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
   Kent, CT11 9PW
 
 
 --enig5488BAD5E4511AF4D0C2864A
 Content-Type: application/pgp-signature; name=signature.asc
 Content-Description: OpenPGP digital signature
 Content-Disposition: attachment; filename=signature.asc
 
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v2.0.9 (FreeBSD)
 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
 
 iEYEAREIAAYFAkiGKPIACgkQ8Mjk52CukIxbWACfTVCDPVViUJ0NTd5GLMMVU8bD
 xXkAniwbkPNqgVZYLi4a/5aQHYFxBHSo
 =T6Z8
 -END PGP SIGNATURE-
 
 --enig5488BAD5E4511AF4D0C2864A--
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: FreeBSD 7.1 and BIND exploit

[Mark Andrews]

 On Tue, Jul 22, 2008 at 05:52:42PM +0200, Oliver Fromme wrote:
  Brett Glass wrote:
At 02:24 PM 7/21/2008, Kevin Oberman wrote:

 Don't forget that ANY server that caches data, including an end system
 running a caching only server is vulnerable.
   
Actually, there is an exception to this. A forward only
cache/resolver is only as vulnerable as its forwarder(s). This is a
workaround for the vulnerability for folks who have systems that they
cannot easily upgrade: point at a trusted forwarder that's patched.
   
We're also looking at using dnscache from the djbdns package.
  
  I'm curious, is djbdns exploitable, too?  Does it randomize
  the source ports of UDP queries?
 
   AFAIK Dan Bernstein first spelled out the fundamental problems with
 DNS response forgery in 2001.  He implemented dnscache to randomize
 source ports and IDs from the beginning, via a cryptographic quality
 RNG.  See for instance this page, much of it written in 2003:
 
   http://cr.yp.to/djbdns/forgery.html

And the IETF was working on a solution well before that.
One that addressed not only off path attacks but also
addressed on path attacks.   One that worked with kernels
that only supported limited numbers of file desriptors.
One that worked regardless on the number of concurrent
outstanding queries.

That solution is called DNSSEC.  We looked at what Dan did
and said it didn't go far enough and that it has implementation
issues at high query rates that can't be solved just by
throwing more cpu at the problem.  The problems are inherent
to how UDP works.
 
   He rubs a lot of people the wrong way, but I think he has usually
 proved to be right on security issues.

Dan is often right.  However a different, more encompassing,
solution was choosen.

   I also think that modular design of security-sensitive tools is the
 way to go, with his DNS tools as with Postfix.
   -- Clifton
 
 -- 
 Clifton Royston  --  [EMAIL PROTECTED] / [EMAIL PROTECTED]
President  - I and I Computing * http://www.iandicomputing.com/
  Custom programming, network design, systems and network consulting services
 ___
 freebsd-stable@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-stable
 To unsubscribe, send any mail to [EMAIL PROTECTED]
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: FreeBSD 7.1 and BIND exploit

[Jeremy Chadwick]

On Tue, Jul 22, 2008 at 12:52:15PM -0500, Paul Schmehl wrote:
 --On Tuesday, July 22, 2008 10:27:42 -0700 Doug Barton 
 [EMAIL PROTECTED] wrote:

 Matthew Seaman wrote:

 Are there any plans to enable DNSSEC capability in the resolver built
 into FreeBSD?

 The server is already capable of it. I'm seriously considering enabling the
 define to make the CLI tools (dig/host/nslookup) capable as well (there is
 already an OPTION for this in ports).

 The problem is that _using_ DNSSEC requires configuration changes in
 named.conf, and more importantly, configuration of trust anchors (even for
 the command line stuff) since the root is not signed. It's not hard to do
 that with the DLV system that ISC has in place, and I would be willing to
 create a conf file that shows how to do that for users to include if they
 choose to. I am not comfortable enabling it by default (not yet anyway), it's
 too big of a POLA issue.


 I just played around with it recently.  It's not that easy to understand  
 initially *and* the trust anchors thing is a royal PITA.

I completely agree on both points.  To give you some idea of how much of
an annoyance DNSSEC is, a friend of mine who used to work at Nominum
stated that one of their software engineers, when signing, on had a
clause appended to his employee agreement stating he would not be
required to work on DNSSEC code, due to the absurd complexity of it all.

For what it's worth, I went looking into DNSSEC last week, and after a
few hours of skimming then reading, I concluded it's over-engineered and
adds too much hassle for it to be considered a worthwhile upgrade.  In
no way am I putting down the need for security, but the added complexity
is what's going to turn people off to this, and because of such, very
likely ignore it.  You can call me ignorant/lazy -- I welcome such --
but I guarantee others feel the same way.

DNS, for most people, is expected to be a simple thing.  They like it
to be simple, and it's generally not rocket science.  People have come
to expect that, and while I think most are willing to accept change
(take TSIG for example), it has to be easy to set up, simple to
maintain, troubleshooting outlined step-by-step with easy-to-follow
output, and in the case of a hard failure, the documentation easy to
understand.

This is not the case with DNSSEC; I feel like I'm setting up a bloody
IPsec VPN.  IPsec: AH or ESP across tunnel/transport using AES or 3DES
with IKE/ISAKMP or static secrets, and don't forget GRE.  DNSSEC: trust
anchors with lookaside validation, SEP, DNSKEY, DLV, RRSIG, ZSK and its
phases, KSK and its phases, etc...

There's the how to make it work in 6 minutes PDF by the ISC, which
appears to have been made/used for/as presentation material -- meaning
you're missing the verbal explanations that go along with each item.
There's also inconsistencies in configuration syntax within the PDF,
making you wonder how much time someone put into it.

There also appears to be an assumption made throughout all of the
documentation that I've read: that your recursive and non-recursive DNS
servers are separate.  I'm still trying to understand why that
assumption is made; sure, the majority of the enterprise-class world
has segregated DNS servers (public authoritative vs. internal recursive
resolvers), but the runner-up would be administrators who simply run
BIND on their servers and use two simple configuration lines:

  acl trusted { my.net.block/cidr; 127.0.0.1; };
  options { 
allow-recursion { trusted; }
  };

If DNSSEC really requires that your recursive and non-recursive servers
be separate, then it will fail.

And I still cannot get over the fact that this HOWTO is 47 pages long:
http://www.nlnetlabs.nl/dnssec_howto/

Let's not forget this packet flow diagram, which is quite legible and
easy to understand:
http://www.nlnetlabs.nl/dnssec_howto/dnspktdemo.png

 Once you implement DNSSEC you *must* generate keys every 30 days.  So, I 
 think, if you're going to enable it by default, there needs to be a 
 script in periodic that will do all the magic to change keys every 30 
 days.  Maybe put vars in /etc/rc.conf to override the default key lengths 
 and other portions of the commands that could change per installation.

I believe you're talking about re-signing the zones.  The duration is
adjustable, but 30 days appears to be what the documentation and howto
site defaults to/recommends using:

http://www.isc.org/sw/bind/arm95/man.dnssec-signzone.html
http://www.nlnetlabs.nl/dnssec_howto/#x1-240002.4

 But until root is signed, it's not worth it for those of us who don't 
 have dedicated staff doing dns only.

Bingo.

-- 
| Jeremy Chadwickjdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |

___

Re: FreeBSD 7.1 and BIND exploit

[Alfred Perlstein]

Jeremy, I can't agree with you more, for some reason
crypto people seem to believe that in order to drive
a car you should have to know how to rebuild a carb.

Makes no sense.

The funny part is that your comparison with setting up
IPsec is the same thing that I compare these things to.

Back in 2003 I tried to set up a shared key IPSEC dhcp
at home, basically I'd just make a key and sneaker-net it
to the hosts that wanted to connect, after about 6 hours
I just gave up and used wep.

*sigh*

-Alfred

* Jeremy Chadwick [EMAIL PROTECTED] [080722 18:59] wrote:
 On Tue, Jul 22, 2008 at 12:52:15PM -0500, Paul Schmehl wrote:
  --On Tuesday, July 22, 2008 10:27:42 -0700 Doug Barton 
  [EMAIL PROTECTED] wrote:
 
  Matthew Seaman wrote:
 
  Are there any plans to enable DNSSEC capability in the resolver built
  into FreeBSD?
 
  The server is already capable of it. I'm seriously considering enabling the
  define to make the CLI tools (dig/host/nslookup) capable as well (there is
  already an OPTION for this in ports).
 
  The problem is that _using_ DNSSEC requires configuration changes in
  named.conf, and more importantly, configuration of trust anchors (even 
  for
  the command line stuff) since the root is not signed. It's not hard to do
  that with the DLV system that ISC has in place, and I would be willing to
  create a conf file that shows how to do that for users to include if they
  choose to. I am not comfortable enabling it by default (not yet anyway), 
  it's
  too big of a POLA issue.
 
 
  I just played around with it recently.  It's not that easy to understand  
  initially *and* the trust anchors thing is a royal PITA.
 
 I completely agree on both points.  To give you some idea of how much of
 an annoyance DNSSEC is, a friend of mine who used to work at Nominum
 stated that one of their software engineers, when signing, on had a
 clause appended to his employee agreement stating he would not be
 required to work on DNSSEC code, due to the absurd complexity of it all.
 
 For what it's worth, I went looking into DNSSEC last week, and after a
 few hours of skimming then reading, I concluded it's over-engineered and
 adds too much hassle for it to be considered a worthwhile upgrade.  In
 no way am I putting down the need for security, but the added complexity
 is what's going to turn people off to this, and because of such, very
 likely ignore it.  You can call me ignorant/lazy -- I welcome such --
 but I guarantee others feel the same way.
 
 DNS, for most people, is expected to be a simple thing.  They like it
 to be simple, and it's generally not rocket science.  People have come
 to expect that, and while I think most are willing to accept change
 (take TSIG for example), it has to be easy to set up, simple to
 maintain, troubleshooting outlined step-by-step with easy-to-follow
 output, and in the case of a hard failure, the documentation easy to
 understand.
 
 This is not the case with DNSSEC; I feel like I'm setting up a bloody
 IPsec VPN.  IPsec: AH or ESP across tunnel/transport using AES or 3DES
 with IKE/ISAKMP or static secrets, and don't forget GRE.  DNSSEC: trust
 anchors with lookaside validation, SEP, DNSKEY, DLV, RRSIG, ZSK and its
 phases, KSK and its phases, etc...
 
 There's the how to make it work in 6 minutes PDF by the ISC, which
 appears to have been made/used for/as presentation material -- meaning
 you're missing the verbal explanations that go along with each item.
 There's also inconsistencies in configuration syntax within the PDF,
 making you wonder how much time someone put into it.
 
 There also appears to be an assumption made throughout all of the
 documentation that I've read: that your recursive and non-recursive DNS
 servers are separate.  I'm still trying to understand why that
 assumption is made; sure, the majority of the enterprise-class world
 has segregated DNS servers (public authoritative vs. internal recursive
 resolvers), but the runner-up would be administrators who simply run
 BIND on their servers and use two simple configuration lines:
 
   acl trusted { my.net.block/cidr; 127.0.0.1; };
   options { 
 allow-recursion { trusted; }
   };
 
 If DNSSEC really requires that your recursive and non-recursive servers
 be separate, then it will fail.
 
 And I still cannot get over the fact that this HOWTO is 47 pages long:
 http://www.nlnetlabs.nl/dnssec_howto/
 
 Let's not forget this packet flow diagram, which is quite legible and
 easy to understand:
 http://www.nlnetlabs.nl/dnssec_howto/dnspktdemo.png
 
  Once you implement DNSSEC you *must* generate keys every 30 days.  So, I 
  think, if you're going to enable it by default, there needs to be a 
  script in periodic that will do all the magic to change keys every 30 
  days.  Maybe put vars in /etc/rc.conf to override the default key lengths 
  and other portions of the commands that could change per installation.
 
 I believe you're talking about re-signing the zones.  The duration is
 adjustable, 

Re: FreeBSD 7.1 and BIND exploit

[Paul Schmehl]

--On July 23, 2008 10:46:43 AM +1000 Mark Andrews [EMAIL PROTECTED] 
wrote:


I just played around with it recently.  It's not that easy to
understand  initially *and* the trust anchors thing is a royal PITA.

Once you implement DNSSEC you *must* generate keys every 30 days.  So,
I thin k,
if you're going to enable it by default, there needs to be a script in
period ic
that will do all the magic to change keys every 30 days.  Maybe put
vars in  /etc/rc.conf to override the default key lengths and other
portions of the  commands that could change per installation.


WRONG.

You need to re-sign the zone an expire period before the
signatures expire.  You need to generate new keys periodically
but no where near every 30 days.



OK.  I misspoke.  I got the 30 days from Andrew Clegg's presentation and 
confused keys with signatures.  But still, you have to resign *every* zone 
every 30 days.


Signatures have lifespans

“Born-on” date – 1 hour prior to running
dnssecsignzone

Expiration date – 30 days after running
dnssecsignzone

Expired signatures lead to zones that
will not validate!

I followed Clegg's presentation to try out dnssec.

Then there's this:

Any time you modify a zone – or at
least every 30 days (minus TTL) you
must re-run dnssecsignzone

If you don't
1) Zone data will be stale
2) Zone data will be GONE

So, for me, that's three zones I have to mess with every 30 days.  Then 
Clegg says the the ZSK keys should be changed every quarter and the KSK 
keys every year.  So I have to resign monthly, regen ZSK keys quarterly 
and regen KSK keys annually, and I have to do this without breaking any of 
my zones so that they stop resolving for periods long enough to clear out 
caches.


How is the average person supposed to understand this, much less do it 
correctly?  Don't misunderstand me, Mark, I'm all for security.  But this 
ain't easy, and the online information only confuses the issue.


Clegg also says this:

When finished:
2 ZSK files (.key and .private)
2 KSK files (.key and .private)
2 zonefiles (unsigned and .signed)

So, do I have to have two zone files or not?  As someone who is trying to 
understand this new technology, I have to tell you, the online 
documentation isn't written for non dns-gurus.


I'll be happy to sign my zones, but not until I understand how it works, 
what the ramifications are and what my maintenance responsibilities are.


Paul Schmehl
If it isn't already obvious,
my opinions are my own and not
those of my employer.

Re: 6.3-RELEASE-p3 recurring panics on multiple SM PDSMi+

[Clifton Royston]

On Tue, Jul 22, 2008 at 11:45:30AM -0800, Royce Williams wrote:
 We have 10 SuperMicro PDSMi+ 5015M-MTs that are panic'ing every few
 days.  This started shortly after upgrade from 6.2-RELEASE to
 6.3-RELEASE with freebsd-update.

  I was having similar problems on some servers using 6.2-psomething,
which also use an NFS server heavily (for shared configuration files),
until I started using the same vmem.kmem_size tunable Kris is
recommending.

  That seemed to solve the problem for me.  (I just slapped it up to
512M rather than try to binary search for some optimum value.)

  -- Clifton

-- 
Clifton Royston  --  [EMAIL PROTECTED] / [EMAIL PROTECTED]
   President  - I and I Computing * http://www.iandicomputing.com/
 Custom programming, network design, systems and network consulting services
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: 6.3-RELEASE-p3 recurring panics on multiple SM PDSMi+

[Jeremy Chadwick]

On Tue, Jul 22, 2008 at 11:45:30AM -0800, Royce Williams wrote:
 We have 10 SuperMicro PDSMi+ 5015M-MTs that are panic'ing every few
 days.  This started shortly after upgrade from 6.2-RELEASE to
 6.3-RELEASE with freebsd-update.

We use the same hardware (board and chassis), and have no such problems
running both RELENG_6 and RELENG_7.

I don't think your issue is specific to the board or chassis.  Kris's
explanation makes a lot more sense.  :-)

-- 
| Jeremy Chadwickjdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: FreeBSD 7.1 and BIND exploit

[Doug Barton]

Lots of good discussion on this thread, I'm going to cherry-pick some
things to respond to.

Kevin Oberman wrote:

And, if you are not sure how good a job it does (and I am not), you
 should use the OARC test to check how well it works: dig +short 
porttest.dns-oarc.net TXT


If the result is not GOOD, it's not good enough.

You can test a remote server by adding @remote-server to the dig
command. The server may be specified by name or IP address.


This is good, I would not specify a name server to test by hostname
though, you're hitting a chicken/egg problem if you do. There is also
https://www.dns-oarc.net/oarc/services/dnsentropy if your desktop is
behind the resolver you want to test.


Paul Schmehl wrote:
I just played around with it recently.  It's not that easy to 
understand initially *and* the trust anchors thing is a royal PITA.


The trust anchors thing is made mega easier if you use the DLV service
provided by ISC. If you want to configure specific trust anchors
yourself, you really need to know what you're doing first.


Once you implement DNSSEC you *must* generate keys every 30 days.


You are talking about signing a zone you are authoritative for. I am
talking about enabling DNSSEC for the named that comes with FreeBSD
and by default is configured as a resolver only.

So, I think, if you're going to enable it by default, there needs 
to be a script in periodic that will do all the magic to change 
keys every 30 days.


I would certainly never write, and I can't imagine that I would ever
approve such a script. There are too many moving parts to setting good
DNSSEC key policy for me to be comfortable with a cookie-cutter approach.


Jeremy Chadwick wrote:
For what it's worth, I went looking into DNSSEC last week, and 
after a few hours of skimming then reading, I concluded it's 
over-engineered and adds too much hassle for it to be considered a 
worthwhile upgrade.


I could certainly sympathize with an argument that parts of the DNSSEC
spec are over-engineered. The problem however is that the DNS, more
than any other Internet system that I can think of, has so many corner
cases that they almost seem to be the norm sometimes, and more than
any other service it has been engineered to accommodate them.
Personally I was in favor of the flag day approach to DNSSEC
deployment 7 years ago, and was told that's not how we do things in
DNS. The corner cases have gotten worse since then, not better.


DNS, for most people, is expected to be a simple thing.


And back in the good old days it could be. Those days are over.
(Arguably they ended in 1995, but I digress.)

There also appears to be an assumption made throughout all of the 
documentation that I've read: that your recursive and non-recursive

DNS servers are separate.  I'm still trying to understand why that
assumption is made;


Because we've been telling people to do that since, oh, say, the
'90's? There are very good reasons to do that, I'm not going to
belabor them here. The simplest way to understand the justification is
that by their very nature authoritative service operates in the
UNtrusted world, and you would like your name resolution to happen in
a more or less TRUSTED way. The two goals are antithetical.


Matthew Seaman wrote:

Forgive me for being obtuse.  What I meant was the capability to
enable checking signatures on DNS RRs as a routine effect of
getnameinfo() etc. by modifying resolver(3) routines or similar
locally, without needing a DNSSEC enabled recursive resolver listed
in resolv.conf?  I've a feeling the answer is no, but I haven't
been able to find anything definitive.


Ok, how is this: no. :)  But seriously folks, the problem here is that 
you're talking about 3 completely separate spheres of operation, which 
for 99.9% of Internet users are all operating under the control of 
different people. I'll take it as a given that the members of this 
list understand what authoritative name service is, and that in order 
for DNSSEC to work you have to sign the zone that is on the 
authoritative name server. Interestingly enough, that is the easy part.


The second sphere is the resolving name server (often erroneously 
referred to as a caching server) that goes out into the wide world and 
gathers answers to queries generated by users on its network.


The third sphere is the stub resolver located on your little 
computer. What you're asking is, can we have a stub resolver in 
FreeBSD that will do the DNSSEC thing regardless of what kind of 
resolving name server it's sitting behind? (Please note that I and 
others have made the argument for a long time now that there is 
actually a fourth sphere, the application itself. More people agree 
with that idea now than did in the past, but the question is still 
what to do about it.)


So, here is the problem (actually, problemS) with that. First, the 
authoritative server is just spitting out bits, it really has no 
knowledge of what it's sending (let's leave nasty stuff like