Re: Does DNS need TCP?
Nicolai wrote:

> On Sun, Sep 20, 2020 at 12:43:41AM -0400, Predrag Punosevac wrote:
> > For a number of years I had in my /var/unbound/etc/unbound.conf line
> >
> > do-tcp: no
> >
> > To make things worse I was blocking TCP port 53.
>
> Just curious, why did you do that?

When I started using Unbound on OpenBSD it was not part of the base. There was no such thing as a default unbound.conf file. I vividly remember reading the NLnet Labs documentation for three full days before deciding on my defaults. Even once Unbound became part of the base (IIRC 5.7), the defaults were not carved in stone. They changed quite a bit over time.

As for the port blocking, unfortunately I am old enough to remember this post

http://cr.yp.to/djbdns/tcp.html#why

and the remark that TCP is only needed for records larger than 512 bytes.

"You want to publish record sets larger than 512 bytes. (This is almost always a mistake.)"

I had no need for TCP port 53 to be open. Until a month and a half ago things worked as expected, and I have more important things to do than to fix things which don't appear to be broken.

The following

https://www.openbsd.org/faq/pf/

is also evolving. It has been almost 15 years since OpenBSD became my daily driver and I would swear (but I am not going to look through the Internet Archive) that there was a time when UDP port 53 was the only open domain service in the minimal working example.

> On my authoritative servers roughly 1 in 1000 queries are over TCP, even
> though no answers are over 512 bytes. Like most people, I don't use
> DNSSEC, and unlike most people, I do use DNSCurve.

I try to stay away from universal quantification (a professional deformation). I do use DNSSEC, more or less since it became available. I used it before the time it became the default in the unbound.conf file of OpenBSD. That is an example of an OpenBSD unbound.conf default which actually changed not so long ago.

> I've seen "in the wild" authoritative servers that always set TC=1 but
> that's exceedingly rare and a bad idea for general use.
>
> If you block 53/udp then your life will change for the worse a LOT
> faster than if you merely block 53/tcp, but both are used, and both
> should be allowed. Blocking either will lead to downtime.
>
> If you don't understand the defaults then leave them be. Put your
> energy into fixing things that are visibly broken.

That is exactly the reason that I kept 53/tcp closed past its useful shelf life. I actually have more interesting things to do than fixing stuff which is only marginally important for my life.

> Just a related PSA: please don't block ICMP either. It's important,
> necessary, and good.

I am not blocking it and I have never blocked it, although I do have some restrictions in place since I read the first edition of The Book of PF. As you know, the book is overdue for a 4th edition. As you see, the only constant in life is change.

Cheers,
Predrag

> Nicolai
Re: Does DNS need TCP?
On Sun, Sep 20, 2020 at 12:43:41AM -0400, Predrag Punosevac wrote:
> For a number of years I had in my /var/unbound/etc/unbound.conf line
>
> do-tcp: no
>
> To make things worse I was blocking TCP port 53.

Just curious, why did you do that?

On my authoritative servers roughly 1 in 1000 queries are over TCP, even though no answers are over 512 bytes. Like most people, I don't use DNSSEC, and unlike most people, I do use DNSCurve.

I've seen "in the wild" authoritative servers that always set TC=1 but that's exceedingly rare and a bad idea for general use.

If you block 53/udp then your life will change for the worse a LOT faster than if you merely block 53/tcp, but both are used, and both should be allowed. Blocking either will lead to downtime.

If you don't understand the defaults then leave them be. Put your energy into fixing things that are visibly broken.

Just a related PSA: please don't block ICMP either. It's important, necessary, and good.

Nicolai
What do I do when ifconfig hangs?
I have 6.7 installed with the latest patches. It has been running for about a week without a reboot and then suddenly I was not able to ping the internet. I tried executing

sh /etc/netstart run0

It hung. I then tried to kill the ifconfig process (kill -9 pid) and then the system hung. It was unreachable from my other computer and keystrokes did not appear to do anything.

Following is the output of dmesg related to run0 upon reboot:

run0 at uhub0 port 2 configuration 1 interface 0 "Ralink 802.11 n WLAN" rev 2.00/1.01 addr 2
run0: MAC/BBP RT3572 (rev 0x0223), RF RT3052 (MIMO 2T2R), address f0:79:59:74:85:ed
Re: Primepower 250 vs Sunfire v215
On Sun, Sep 20, 2020 at 08:00:45PM +0300, Kihaguru Gathura wrote:
> > The Primepower is bigger and needs more power but if you find a box with
> > good CPUs and memory it should run faster than a V215
>
> How did the performance of the PrimePower 250 SCSI drives compare to Sun
> Fire V215 SAS drives?

Any spinning rust is slow compared to SSD disks. I run my Fire V215 with an NVMe disk for the busy partitions (but boot from the SAS drives). This is not really possible with the PrimePower 250 (hard to find any kind of SSD for that system).

-- 
:wq Claudio
Re: Primepower 250 vs Sunfire v215
> The Primepower is bigger and needs more power but if you find a box with
> good CPUs and memory it should run faster than a V215

How did the performance of the PrimePower 250 SCSI drives compare to Sun Fire V215 SAS drives?

Thanks and regards,
Kihaguru
Re: home printer
On Thu, Sep 17, 2020 at 03:07:19PM -0700, Sean Kamath wrote:
> > On Sep 17, 2020, at 09:48, Ingo Schwarze wrote:
> > That answer [HP] used to be spot on until about the year 2000.
>
> I concur. I used to work at a printer company that competed directly with
> them.

Was that Imagen, by any chance?

Anyway, I concur too. I have a mid-1990's HP6MP with 75,000 pages on its ticker (would be more but it was in storage for several years) and it still prints beautifully. The manual for it proudly talks about their BBS and how to set your comm software to 8-N-1; their internet site (FTP only) is mentioned (by IP address) almost as an afterthought.
Re: Primepower 250 vs Sunfire v215
On Sun, Sep 20, 2020 at 09:02:55AM +0300, Kihaguru Gathura wrote:
> Hi,
>
> For those who have experience with older Sparc machines, which hardware
> offers better reliability/stability?
>
> Fujitsu Primepower 250 or Sun fire V215.

Depends mostly on how well they were handled. Also if they are equipped with all the PSUs. I used both for a long time, neither caused me issues.

The Primepower is bigger and needs more power but if you find a box with good CPUs and memory it should run faster than a V215. On the other hand the V215 has PCIe slots and so NVMe disks are an option.

-- 
:wq Claudio
Re: /etc/netstart fails on first attempt, works on second
On Sat, 2020-09-19 at 17:36 +0200, Unicorn wrote:
> On Sat, 2020-09-19 at 14:18 +0100, Tom Smyth wrote:
> > Hi Unicorn,
> >
> > what do you have in your em0 config
> > /etc/hostname.em0
>
> Hi, the contents are just this, to reduce the possibility of errors on
> my part for now:
>
> dhcp
> inet6 autoconf
>
> > are you in control of the KVM infrastructure? can you get a
> > vio nic instead of an Intel 1000 nic, it will generally perform
> > better (according to my humble testing)
> >
> > Hope this helps
> >
> > Tom Smyth
>
> Thanks for the advice! I am not in control of the KVM infrastructure
> but the support has previously been nice enough to change the storage
> driver for me as it was also causing issues with OpenBSD (it was
> virtio-scsi that was causing issues iirc).
> I will ask them to change to virtio for networking and report back
> once it's done.
>
> Best,
> Unicorn

Indeed, switching to Virtio (and renaming /etc/hostname.em0 to /etc/hostname.vio0) solved my issue, it now works correctly at boot.

Thank you for your help!

Best,
Unicorn
Re: Is altroot a sysupgrade foe?
On Sun, Sep 20, 2020 at 01:19:17AM -0400, Predrag Punosevac wrote:
> Hi Misc,
>
> For a number of years I had a very simple scheme to backup my OpenBSD
> infrastructure servers running critical network services for our small
> university lab. Namely, I would put in a low profile usb flash drive and
> use the /altroot facility in the daily(8) scripts to backup the root partition
> to it as described in the FAQ
>
> https://www.openbsd.org/faq/faq14.html#altroot
>
> I started doing that many years ago, before sysupgrade was available. It
> worked like a charm. Once sysupgrade became available I noticed that it
> would get confused by an extra disk in the server. My "solution" was to
> remove the usb drive before running sysupgrade and that worked OK until
> Covid 19, when physical access to my servers became more challenging.
>
> I had a quick look at the sysupgrade.sh script
>
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/sysupgrade/sysupgrade.sh?rev=1.40=text/x-cvsweb-markup
>
> and I have to admit that it is not clear to me how the target disk for
> the installation is picked. I completely understand that sysupgrade is
> designed not to be configurable in order to be foolproof.

http://cvsweb.openbsd.org/src/distrib/miniroot/install.sub?rev=1.1154=text/x-cvsweb-markup

Specifically check_unattendedupgrade(). The installer tries to guess what a root disk is (get_dkdevs_root -> is_rootdisk). Your altroot disk will naturally look like a root disk, that's the whole point of the facility after all. The installer will pick the first disk that looks like a root disk. If there is no auto_upgrade.conf present it will stop.

I'm surprised that your usb stick shows up as the first disk in the installer but computers are weird I guess.

I have a diff that might improve on this and that might make 6.8.

-- 
I'm not entirely sure you are real.
Re: Does DNS need TCP?
On Sun, Sep 20, 2020 at 12:43:41AM -0400, Predrag Punosevac wrote:
> Hi Misc,
>
> I have been doubling as a system admin for our small university research
> group for a number of years now but every now and then I get reminded of
> my own ignorance. One of those moments happened a month and a half ago
> when pkg management tools stopped working on all my FreeBSD file servers
> and jail hosts. After wasting an hour, I got to the bottom of my
> problem. Namely, my caching DNS Unbound resolvers (obviously running on
> OpenBSD) which also serve my LAN and DMZ authoritatively could no longer
> resolve
>
> pkg.freebsd.org.
>
> After wasting another hour it became clear that authoritative DNS for
> pkg.freebsd.org no longer was serving using the UDP protocol and was
> expecting my DNS resolver to use TCP instead of UDP for name queries.
> For a number of years I had in my /var/unbound/etc/unbound.conf line
>
> do-tcp: no
>
> even though I was aware that OpenBSD 6.7 is shipped with
>
> do-tcp: yes
>
> To make things worse I was blocking TCP port 53.
>
> I am not much of a DNS expert but I was under the impression that TCP was
> only used for publishing record sets larger than 512 bytes. However, it
> appears that I am mistaken.
>
> https://serverfault.com/questions/181956/is-it-true-that-a-nameserver-have-to-answer-queries-over-tcp
>
> That is not just a random garbage thread. The person whose answer was
> accepted claims to be the author of RFC 5966. There is another
> interesting post getting a lot of thumbs down which is bringing back some
> of the old fights started by Daniel Bernstein.
>
> There is a second less illuminating thread
>
> https://serverfault.com/questions/404840/when-do-dns-queries-use-tcp-instead-of-udp
>
> According to the above threads it appears that DNSSEC validation requires
> TCP port 53 and do-tcp: yes to work properly.
>
> Could a kind soul who runs DNS for a living point me to the documentation
> which I can use to educate myself.
https://tools.ietf.org/html/rfc7766 says it all.

The TCP requirement is related to DNSSEC because DNSSEC makes the DNS replies bigger, but the custom of dumping more and more into TXT records is another reason. The recommendation to use a UDP buffer size of 1232 to avoid big UDP packets and thus IP fragmentation also makes TCP fallback needed more often. See https://dnsflagday.net/2020/

For all practical purposes, setting up DNS without TCP is broken.

-Otto
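Nicolai's remark about servers that answer with TC=1, and Otto's pointer to RFC 7766 and the 1232-byte EDNS buffer, both come down to the same client-side mechanism: the resolver asks over UDP, and a reply with the TC bit set means "repeat the query over TCP". The following is an added example, not code from this thread and not Unbound's own code. It implements that fallback in Python against a constructed authoritative server so it runs offline; the name pkg.example., the address 198.51.100.10 and the helper names are illustrative, the wire formats follow RFC 1035, and 1232 is the dnsflagday.net/2020 value Otto mentions.

```python
import secrets
import struct

EDNS_UDP_BUFSIZE = 1232  # UDP payload size recommended by dnsflagday.net/2020

def encode_name(name):
    """Encode a dotted name as DNS labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=1, txid=None, edns_bufsize=EDNS_UDP_BUFSIZE):
    """Wire-format query with RD=1 and an EDNS0 OPT record advertising edns_bufsize."""
    if txid is None:
        txid = secrets.randbits(16)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1 (OPT)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT RR: root name, TYPE=41, CLASS carries the requestor's UDP payload size, TTL=0, RDLENGTH=0
    opt = b"\x00" + struct.pack(">HHIH", 41, edns_bufsize, 0, 0)
    return header + question + opt

def parse_header(msg):
    """Decode the 12-byte header; TC (0x0200) means 'the answer did not fit in UDP'."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def question_len(msg):
    """Length of a single, uncompressed question section starting at offset 12."""
    i = 12
    while msg[i] != 0:
        i += msg[i] + 1
    return i + 1 + 4 - 12

def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length (RFC 1035 section 4.2.2)."""
    return struct.pack(">H", len(msg)) + msg

def tcp_unframe(data):
    (n,) = struct.unpack(">H", data[:2])
    if len(data) < 2 + n:
        raise ValueError("incomplete TCP DNS frame")
    return data[2:2 + n]

def resolve(name, send_udp, send_tcp, allow_tcp=True):
    """Query over UDP first; on TC=1 retry over TCP. allow_tcp=False mimics Unbound's 'do-tcp: no'.
    send_udp/send_tcp take query bytes and return response bytes, or None when nothing comes back."""
    query = build_query(name)
    txid = parse_header(query)["id"]
    resp = send_udp(query)
    if resp is None:
        raise RuntimeError("no UDP answer")
    hdr = parse_header(resp)
    if hdr["id"] != txid or not hdr["qr"]:
        raise RuntimeError("response does not match query")
    if not hdr["tc"]:
        return resp, "udp"
    if not allow_tcp:
        raise RuntimeError("truncated answer (TC=1) and TCP disabled: resolution fails")
    resp = send_tcp(query)
    if resp is None:
        raise RuntimeError("TCP retry got no answer (53/tcp filtered?)")
    hdr = parse_header(resp)
    if hdr["id"] != txid or not hdr["qr"] or hdr["tc"]:
        raise RuntimeError("bad TCP response")
    return resp, "tcp"

def try_resolve(name, send_udp, send_tcp, allow_tcp=True):
    """resolve(), but return the transport used or a 'failed: ...' string instead of raising."""
    try:
        return resolve(name, send_udp, send_tcp, allow_tcp)[1]
    except RuntimeError as e:
        return "failed: " + str(e)

def make_constructed_server(answer_ip, udp_truncates):
    """Constructed authoritative server (not a real one) so the example runs offline. With
    udp_truncates=True its UDP reply carries TC=1 and no answer section, like a server whose
    full response does not fit in the advertised UDP payload; over TCP it answers in full."""
    def serve(query, over_tcp):
        txid = parse_header(query)["id"]
        question = query[12:12 + question_len(query)]
        rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4)  # pointer to QNAME, A, IN, TTL, RDLENGTH
        rr += bytes(int(o) for o in answer_ip.split("."))
        if udp_truncates and not over_tcp:
            return struct.pack(">HHHHHH", txid, 0x8000 | 0x0400 | 0x0200, 1, 0, 0, 0) + question
        return struct.pack(">HHHHHH", txid, 0x8000 | 0x0400, 1, 1, 0, 0) + question + rr
    return serve

def udp_transport(server):
    return lambda q: server(q, over_tcp=False)

def tcp_transport(server, port_open=True):
    """port_open=False models a firewall dropping 53/tcp: the connection never completes."""
    def send(q):
        if not port_open:
            return None
        reply = tcp_frame(server(tcp_unframe(tcp_frame(q)), over_tcp=True))
        return tcp_unframe(reply)
    return send
```

With a server that truncates over UDP, try_resolve() returns "tcp" when 53/tcp is reachable; with port_open=False (the pf rule Predrag had) or allow_tcp=False (his do-tcp: no) the same query fails outright, which is the symptom he described. For real use, replace the two transports with a UDP socket that sends the query and receives into a 1232-byte buffer, and a TCP socket that writes tcp_frame(query) and reads the length-prefixed reply.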
Primepower 250 vs Sunfire v215
Hi,

For those who have experience with older Sparc machines, which hardware offers better reliability/stability?

Fujitsu Primepower 250 or Sun fire V215.

Kind regards
Kihaguru.