Re: pdns security update (was Re: NBN satelite setup)

2016-09-16 Thread Rick Moen via luv-main
Oh, meant to add:

> >  - powerdns is serious overkill for my needs (home server with only a
> >    few domains).
> 
> Yeah.  $WORK did a massive conversion of hundreds of domains from BIND9
> to PowerDNS Authoritative Server, and there were various problems along
> the way.  I'm not convinced it was a good idea, even for a large
> Internet firm that does that many domains.  Probably on balance (gains
> in performance and security), but with some reservations.

I recently stumbled upon a (new?) feature of BIND9's 'rndc' control
utility that reduces the relative attraction of PowerDNS:  ability to
add/remove zones without restarting BIND:

  Problem

  You want to add a new zone or delete an existing zone without restarting
  or reloading a name server.

  Solution

  Add a new zone statement to named.conf or delete an existing one, then
  run rndc reconfig (for BIND 9) or ndc reconfig (for BIND 8).

https://www.safaribooksonline.com/library/view/dns-bind/0596004109/ch05s07.html


At $WORK prior to the changeover to PowerDNS, we had greatly reduced the
risk inherent in restarting BIND9 by building into our rollout process
what they flattered me by naming the 'Rick test' using BIND9's
named-checkconf utility:

#Double-check BIND conffile.  The line continuations must sit outside the
#single quotes, otherwise egrep sees a literal backslash-newline in the
#pattern and rejects it with "Trailing backslash":
/usr/sbin/named-checkconf -z -t /var/named/chroot/ /etc/named.conf | \
egrep 'missing|not allowed|unknown|not at top of zone|'\
'appears to be an address|no current owner name|MAXTTL|file not found|'\
'may not be used with|outside epoch|in future|invalid|unsupported|no TTL|'\
'ignoring| TTL set to prior TTL' | sort -u
#Should return null.

This 'lints' the conffiles and all referenced zonefiles (-z), giving you
advance warning of problems that might either prevent BIND9 startup or
invalidate individual zones at load time.  This alone prevented a lot of
downtime.  And 'rndc reload [zone]' eliminated most restarts.
_However_, ability to add/remove zones without restarting BIND is huge,
and should eliminate almost all restarts.
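As an added example (not from the post, and not a BIND tool), here is the same lint wrapped so that 'rndc reconfig' only runs when named-checkconf comes back clean; the tool paths are variables so the script can be exercised with stand-ins, and the chroot and conffile paths are assumed to be the ones quoted above:

```shell
#!/bin/sh
# Added example: gate 'rndc reconfig' behind the named-checkconf lint so a
# broken conffile or zonefile never reaches the running BIND9.
# Assumptions: BIND9 with rndc already configured; paths as in the post.
NAMED_CHECKCONF=${NAMED_CHECKCONF:-/usr/sbin/named-checkconf}
RNDC=${RNDC:-/usr/sbin/rndc}
CHROOT=${CHROOT:-/var/named/chroot/}
CONF=${CONF:-/etc/named.conf}

# Messages that signal a conffile or zonefile problem (the list from the post).
BAD='missing|not allowed|unknown|not at top of zone|appears to be an address'
BAD="$BAD|no current owner name|MAXTTL|file not found|may not be used with"
BAD="$BAD|outside epoch|in future|invalid|unsupported|no TTL|ignoring"
BAD="$BAD| TTL set to prior TTL"

# Returns 0 when the lint is clean; otherwise prints the offending lines to
# stderr and returns 1.  stderr is folded in so a missing tool also fails.
bind_lint() {
    out=$("$NAMED_CHECKCONF" -z -t "$CHROOT" "$CONF" 2>&1 | grep -E "$BAD" | sort -u)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out" >&2
    return 1
}

# Lint first; only then let BIND pick up added/removed zones without a
# restart.  Usage after editing named.conf:  safe_reconfig
safe_reconfig() {
    bind_lint || return 1
    "$RNDC" reconfig
}
```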
___
luv-main mailing list
luv-main@luv.asn.au
https://lists.luv.asn.au/cgi-bin/mailman/listinfo/luv-main


Re: pdns security update (was Re: NBN satelite setup)

2016-09-16 Thread Rick Moen via luv-main
Quoting Craig Sanders (c...@taz.net.au):

> On Fri, Sep 16, 2016 at 01:12:07AM -0700, Rick Moen wrote:
> 
> > _But_ that is completely unrelated to pdnsd.
> 
> ah, my mistake.  i assumed he was talking about powerdns.

No worries.  ;->

> > http://linuxmafia.com/faq/Network_Other/dns-servers.html
> 
> good page that, i've read it before but not for some time. IMO a useful
> addition to it would be a list of authoritative servers that use bind9
> RFC-1034 zonefiles.

You know, they kind of _could_ have called that format the RFC-1034 file
format, as some RRs are described/defined there, but because all the key
ones are described/defined in accompanying RFC-1035, it's generally
called 'RFC-1035 format'.

Anyway, yes, good idea -- and I actually do document RFC 1035 support
where I know about it.

> apart from "it aint broke, why fix it?" laziness, one of the reasons i'm
> still using bind9 is because I don't want to rewrite my zone files in
> a new format (or even have to learn a new format), and I haven't been
> overly happy with the few alternatives I've tried that could use bind
> zonefiles.
> 
>  - powerdns is serious overkill for my needs (home server with only a
>    few domains).

Yeah.  $WORK did a massive conversion of hundreds of domains from BIND9
to PowerDNS Authoritative Server, and there were various problems along
the way.  I'm not convinced it was a good idea, even for a large
Internet firm that does that many domains.  Probably on balance (gains
in performance and security), but with some reservations.

>  - last time i looked at it (years ago, not long after it was released),
>    there were some incompatibilities between NSD's interpretation of
>    bind zonefiles and bind9's interpretation.

I believe you, but haven't seen this.  I've administered NSD on
ns1.svlug.org from NSD 2.x days onwards, and it's been really good.
I've not encountered any zonefile-parsing weirdness.  (I still run BIND9
on ns1.linuxmafia.com .)

Searching for data on this, I find some docs in their initial public
release candidate:
https://www.nlnetlabs.nl/downloads/nsd/OLD/nsd-1.0.0-rc2/REQUIREMENTS
'Section C. Technical Specifications has C.1. Zone file format and RR
records.'  It basically _claimed_ NSD would parse any valid RFC 1035
file containing only IN-class RRs.  FWIW, I've not seen NSD 2.x and
later's parser reject or get wrong anything from my own zones.

> Also, I didn't want to
> have to run two name servers (internet-facing authoritative and
> private LAN recursive) - although dnsproxy or similar could solve
> that problem now. it's probably worth another look.

I found about a year ago what struck me at the time as the ideal
solution to that problem but failed to add it to my linuxmafia.com
knowledgebase.  Maybe it was dnsproxy.  

Here's a creative solution from one of the NLnet Labs guys:
https://www.nlnetlabs.nl/pipermail/nsd-users/2014-August/001998.html

  It is possible, but not using the same address+port of course. One
  solution is to have NSD only listen on localhost while unbound listens
  on the external address. You can then use stub-zone configuration in
  unbound to make it use the localhost address for lookups in any zone you
  are serving from NSD.

  This is what I do for my home network, for a production setup I would
  rather keep authoritative and caching DNS services fully separated.

However, followup from a different poster stresses that this is
appropriate only for serving a private zone from NSD, as it wouldn't
have the AA bit set.  This is similar:
https://www.nlnetlabs.nl/pipermail/nsd-users/2014-August/002000.html

The ArchLinux wiki proposes a different solution:  Bind NSD to
127.0.0.1:53530, and bind Unbound to *:53 with the authoritative zones
declared as ones to refer to NSD using the 'local-zone' and 'stub-zone'
features:
https://wiki.archlinux.org/index.php/Nsd

The 'Dnsspoof' examples on
https://web.archive.org/web/20160329083109/https://calomel.org/unbound_dns.html
show some ways to leverage the DNS host being dual-homed (if it is).

Other solutions might beckon if the host is multihomed, e.g., bind NSD
to the public-facing real IP, and bind Unbound to the private RFC1918
address.

Personally, when I do my next server rebuild on ns1.linuxmafia.com 
(which is a totally public-facing 'bastion host', not dual-homed),
what I'll probably do is IP-alias a second public IP address onto the
public network port (its sole network port other than loopback), 
and bind NSD to one and Unbound to the other -- which has the benefit of
simplicity, letting me easily ACL the daemons individually, and keeping
their configurations totally separate.  Fortunately, I have spare IPs.

None of this tested by your present correspondent.  Yet.  ;->

>  - maradns provides a conversion tool for bind zonefiles, but doesn't use
>    them natively.  otherwise, i'd probably switch to it.   I've used it
>    several times on gateway boxes i've built for other people.

I like author Sam Trenholme quite 

Warzone 2100 on Debian

2016-09-16 Thread Russell Coker via luv-main
Debian has an older version of the game Warzone 2100, which among other things 
means that it misses the ability to use some data files developed for newer 
versions, the ability to have multiplayer games with Windows users (who 
download the latest version) and whatever features there are in the new 
version.

The DDs responsible for the package haven't had time to package the newer 
version.  NB this is no criticism of them, there are plenty of packages I 
haven't had time to maintain properly.

I've done some work on packaging the latest version.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814248

One issue is that I get the Qt related error described in the latest update to 
the above bug when I build the latest version.  This error happens after the 
main binary is compiled, it's in a test program.  Before you ask, I am not 
planning on removing tests from Debian packages.

The attachment to that update has my latest files for the Debian package.  If 
you download the attachment you can build warzone2100 on Debian/Unstable and 
most likely get the same Qt error I get.

When I run the binary produced I find that it has every object that is movable 
(units and walls) move to random angles in 3D.  Basically you have tanks 
breakdancing.  I don't even know where to start debugging this, I've never 
done graphics programming on anything more advanced than a Z80.

Would anyone like to help with this?

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/



Re: OT: trains & demand tariffs [Was: outage]

2016-09-16 Thread Anthony via luv-main
On Tue, Sep 13, 2016 at 12:23 PM, Russell Coker via luv-main <luv-main@luv.asn.au> wrote:

> Interesting.  I've been wondering how difficult it would be to use some IP
> enabled switches to control home energy use.  If you had a meter on the
> main power that reports the power use to a Linux system then you could
> have it turn off non-essential devices and make your PCs stop running
> BOINC if power use is too high.
>

Hrrmm.. Well, the smart meters in Victoria are supposed to use the "Zigbee
Power" version 1 protocol.

I know that for the distribution company within the area I reside (Jemena),
I need only log into their portal (which also allows me to browse my power
usage data online up to four hours ago at an hourly resolution or so, and
to download a CSV that has data going back to when the meter was
installed), specify the MAC address and installer code of the Zigbee device
I wish to pair with my meter, and then that device can receive information
from my smart meter.

This is primarily for "in home displays", but presumably there's gotta be a
device that's linux friendly out there that talks Zigbee Power v1?


Re: pdns security update (was Re: NBN satelite setup)

2016-09-16 Thread Craig Sanders via luv-main
On Fri, Sep 16, 2016 at 01:12:07AM -0700, Rick Moen wrote:

> _But_ that is completely unrelated to pdnsd.

ah, my mistake.  i assumed he was talking about powerdns.

> http://linuxmafia.com/faq/Network_Other/dns-servers.html

good page that, i've read it before but not for some time. IMO a useful
addition to it would be a list of authoritative servers that use bind9
RFC-1034 zonefiles.

apart from "it aint broke, why fix it?" laziness, one of the reasons i'm
still using bind9 is because I don't want to rewrite my zone files in
a new format (or even have to learn a new format), and I haven't been
overly happy with the few alternatives I've tried that could use bind
zonefiles.

 - powerdns is serious overkill for my needs (home server with only a
   few domains).

 - last time i looked at it (years ago, not long after it was released),
   there were some incompatibilities between NSD's interpretation of
   bind zonefiles and bind9's interpretation.  Also, I didn't want to
   have to run two name servers (internet-facing authoritative and
   private LAN recursive) - although dnsproxy or similar could solve
   that problem now. it's probably worth another look.

 - maradns provides a conversion tool for bind zonefiles, but doesn't use
   them natively.  otherwise, i'd probably switch to it.   I've used it
   several times on gateway boxes i've built for other people.


craig

--
craig sanders 


Re: TCP rate/congestion control

2016-09-16 Thread Julien Goodwin via luv-main
On 16/09/16 11:02, Toby Corkindale via luv-main wrote:
> I noticed that Windows 10 now uses CTCP as the default TCP
> congestion/rate control algorithm, but Linux still defaults to the old
> Cubic algorithm.
> 
> CTCP doesn't appear to be available on Ubuntu LTS at the moment, but
> there's a whole host of others to choose from.
> Has anyone here worked out which is the best one to use on typical
> consumer internet links in Australia?

Over and above the rate control algorithm Linux has a bunch of features
that make it work much better than a to-the-spec cubic implementation
(not surprising with a bunch of large content providers like $EMPLOYER
submitting their fixes upstream).

Things like TCP pacing and the work from the bufferbloat folk have
really improved things.

https://fasterdata.es.net/host-tuning/linux/fair-queuing-scheduler/


Re: pdns security update (was Re: NBN satelite setup)

2016-09-16 Thread Rick Moen via luv-main
Quoting Craig Sanders (c...@taz.net.au):

> On Wed, Sep 14, 2016 at 07:10:43AM +1000, zlin...@virginbroadband.com.au 
> wrote:
> > I am using pdnsd 
> 
> FYI, I saw this DSA come in a few days ago:
> 
> https://www.debian.org/security/2016/dsa-3664
> 
> Debian Security Advisory
> DSA-3664-1 pdns -- security update

Craig, PowerDNS Authoritative Server is sometimes called 'pdns', and
that is the name of the related Debian package.  (Complementary codebase
PowerDNS Recursor has Debian package pdns-recursor.)  _But_ that is
completely unrelated to pdnsd.

http://linuxmafia.com/faq/Network_Other/dns-servers.html#pdnsd
http://linuxmafia.com/faq/Network_Other/dns-servers.html#pdns
http://linuxmafia.com/faq/Network_Other/dns-servers.html#pdns-recursor



pdns security update (was Re: NBN satelite setup)

2016-09-16 Thread Craig Sanders via luv-main
On Wed, Sep 14, 2016 at 07:10:43AM +1000, zlin...@virginbroadband.com.au wrote:
> I am using pdnsd 

FYI, I saw this DSA come in a few days ago:

https://www.debian.org/security/2016/dsa-3664

Debian Security Advisory
DSA-3664-1 pdns -- security update

Date Reported: 10 Sep 2016
Affected Packages: pdns 
Vulnerable: Yes

Security database references:
In the Debian bugtracking system: Bug 830808.
In Mitre's CVE dictionary: CVE-2016-5426, CVE-2016-5427, CVE-2016-6172.

More information:

Multiple vulnerabilities have been discovered in pdns, an
authoritative DNS server. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2016-5426 / CVE-2016-5427

Florian Heinz and Martin Kluge reported that the PowerDNS
Authoritative Server accepts queries with a qname's length
larger than 255 bytes and does not properly handle dot inside
labels. A remote, unauthenticated attacker can take advantage of
these flaws to cause abnormal load on the PowerDNS backend by
sending specially crafted DNS queries, potentially leading to a
denial of service.  

CVE-2016-6172

It was reported that a malicious primary DNS server can crash a
secondary PowerDNS server due to improper restriction of zone
size limits. This update adds a feature to limit AXFR sizes in
response to this flaw.

For the stable distribution (jessie), these problems have been fixed
in version 3.4.1-4+deb8u6.

We recommend that you upgrade your pdns packages.


craig

--
craig sanders 