The first three sections in the README.Debian file of the software I just installed read This is not for the kids!, Size matters and User Manual — slightly obsolete. Should I be worried? Possibly. Am I worried? No. After two days at CC15 you’re keen to experiment.
The future lay sparkling ahead, and we thought we would know each other forever.
I’ve just read a great tip on Firefox performance by Nick Anderson that I wanted to share with you: Newer versions of Firefox store all its data in so-called SQLite databases. SQLite is an ACID compliant relational database engine that consists of one flat file and is meant for storing data of single-user applications. The problem with these SQLite database files is that they get cluttered over time. Luckily, there’s a statement to clean up an SQLite database: The VACUUM statement. Just close all Firefox instances, backup your profile and run the following shell code:
for i in ~/.mozilla/firefox/*/*.sqlite; do sqlite3 $i VACUUM;done;Voilà. Depending on how long you use your profile, the performance increase will be really significant. And don’t think of filing a bug report. There are already plenty of it.
Update: Jeremy Orem recently posted on how you can clean your SQLite databases without shutting down the browser:
Components.classes["@mozilla.org/browser/nav-history-service;1"].getService(Components.interfaces.nsPIPlacesDatabase).DBConnection.executeSimpleSQL("VACUUM")The user interface may freeze for a second while the vacuuming takes place.
Almost exactly a year ago, I quoted a Microsoft press release. It said that Microsoft would provide support for ODF, an open standard for files containing office documents, with its Service Pack 2 update of its Microsoft Office 2007 product. The Service Pack is now available for download and ODF is fully supported. This is great news! [via City of Largo]
Sometimes you need to store binary data inside a MySQL database. While there are various field types for binary data in MySQL, its handling of binary data has a share of different problems. As far as I know you might hit some bugs, if you’re using non-standard connection encodings or character sets. Also, binary data is a hell to escape properly. For example, if you store S????'x7?ma?X?UHMh? inside the MySQL database you might end up with ?????r??v ???????v later under certain conditions. This is not really ideal, to say the least.
The best thing to do is to convert the binary data to a string-based representation, e.g. a hexadecimal form or use a two-way encryption method like Base64. In fact, I recommend to use Base64. The drawback is, that a Base64 representation uses around 35% more space than the original binary representation. For example, in PHP you would do something like this:
// Encode binary data$binary = base64_encode($binary); // Decode binary data$binary = base64_decode($binary);Update: Changed the example data slightly to accommodate some screen readers, that require a valid feed. Thank you Jan for pointing this out.
I just got my first biometric passport. It was a bit of a problem to collect the registered mail from the post office without a valid passport. If you need a passport, you have to open the letter, because my passport is in there. finally convinced the postie and she handed it to me anyway.
This passport contains sensitive electronic technology and should be handled with the same care as other electronic devices. To ensure that it functions properly, please do not bend, perforate or subject to extreme temperatures or excessive moisture.
Now let’s hope that I never forget to handle my new sensitive passport with great care. It wouldn’t surprise me if I misplaced it on the heater in the bathroom one day… Also, I should not dump it down into a river like I once did with one of my other electronic devices. Or spill cold orange juice and hot coffee all over it like I once did with one of Muelli‘s sensitive electronic devices. Just to be sure, I ordered a protective cover for it.
This post is the second part of a workshop on the PowerDNS DNS server. In the first part of this workshop, we set up the PowerDNS server and it’s MySQL database backend. In this part of the workshop, I will show you how to add some domain data to your database and how to synchronize this data to other PowerDNS servers automatically by using the so-called supermaster concept of PowerDNS. I will also show you how to enable AXFR transfers to ensure compatibility with remote Bind slave servers.
For the rest of this workshop it is assumed that you’ve got two PowerDNS installations on two separate physical hosts with the IP addresses 192.168.0.1 and 192.168.1.2, respectively. The first server has the host name dns.example.net and the second server has the host name dns2.example.net.
You probably want one DNS server to act as the master server and a number of additional servers to act as slaves. PowerDNS supports multiple master servers for one domain and it can be slave and master at the same time.
We will now configure dns.example.net as the master and dns2.example.net as the slave. To do this, add master to the configuration file of the first server and slave to the configuration file of the second server.
In a traditional setup, you would configure a domain name both on the master and the slave server. Additionally, you would specify record data for the domain name on the master server. The slave would then query the master server and download the record data. Whenever you change the record data on the master server, it would notify the slave server and the slave server would refresh the record data by downloading the new record data from the master server. In fact, you can do this with PowerDNS and it will work just fine. But PowerDNS can do more: If you tell your slave(s), that your master is a so-called supermaster, you do not need to setup new domain names on the slave. All you need to do is to setup the new domain name and its record data on the master server. If the domain has a SOA record and your slave is listed as one of the authoritative name servers for the domain, the master will notify your slave of the new domain name. Your slave recognizes, that your master is a supermaster server and adds the domain name to its configuration automatically. It works like magic.
To tell your slave, that your master server is a supermaster server, execute the following SQL statement on your slave’s MySQL server.
INSERT INTO pdns.supermasters (`ip`, `nameserver`, `account`) VALUES ('192.168.0.1', 'dns2.example.net', 'test');This tells your slave, that your PowerDNS server with the IP address 192.168.0.1 is a supermaster server. As you will see later, PowerDNS supports the concept of accounts. These do not have any influence on the operation of PowerDNS. You can specify account information for each domain name, which might be useful, if you want to find all domain names of a certain customer. If PowerDNS sets up a new domain name of a supermaster, it uses account information specified in the supermasters table for that supermaster server. In our case, all domains of the supermaster server dns.example.net will be added with the account information test. Note, that the nameserver column of the supermasters table is not the host name of the supermaster server. It is the host name of the slave server. Before the slave adds a new domain name from our supermaster server, it checks that the host name you specify in the the nameserver column is listed as one of the authoritative DNS servers for that domain name. Thus, we need to add the name of our slave there.
To exchange domain name and record data, your PowerDNS servers will use a method that is called AXFR. For security reasons, AXFR is disabled by default. Edit the configuration files of your PowerDNS master server:
allow-axfr-ips=192.168.2.1disable-axfr=noThis will enable AXFR for the IP address of your slave server. Do not allow AXFR for any server. This would pose a security risk. If you’ve got multiple slave servers, add all the IP addresses of the slave servers separated by a comma. AXFR is compatible with other name server software (e.g. Bind).
PowerDNS should be in a state now, where it can start and connect to the MySQL database with no problems. For now, we will start PowerDNS in monitoring mode. That way we can follow everything that happens live on the console. To start up PowerDNS in monitoring mode, use the following command.
/etc/init.d/pdns monitorLater, you may want to run PowerDNS in the background. To do this just run the following command.
/etc/init.d/pdns startOnce you have started up both the master and the slave PowerDNS server we can start adding domain names.
To add a new domain name, you need to add a new entry to the domains table of your database. To do so, execute the following SQL query on the master server:
INSERT INTO `pdns.domains` (`id`, `name`, `type`, `account`) VALUES (1, 'example.com', 'MASTER', 'test');This will add the example.com domain name to the database. The type MASTER indicates, that our master server will be the master for this domain. The account name is optional, it is for your information only. It is important to note, that the id of our new domain name is 1. We’ll need this in a second.
Next, we need to add some records, i.e. some zone data, to the database for PowerDNS to serve. The records need to be added to the records table of the database. PowerDNS supports a number of different records. Depending on the type of the record, you need to provide different values for the type, content and prio columns. Check the PowerDNS documentation on supported record types and their storage to get an idea of what you need. For your convenience, I’ll give you a few examples of common record types.
The first thing you want to add is a SOA record. A typical SOA record would look like this:
INSERT INTO `pdns.records` (`domain_id`, `name`, `type`, `content`, `ttl`) VALUES (1, 'example.com','SOA', 'dns.example.net. hostmaster.example.net. 2009042301 10800 3600 604800 3600', 3600);Note the domain_id, which is set to the id value of our example.com domain. Then there is the fully qualified domain name, that this record is valid for. You are probably familiar with the values of the type, content and ttl columns. If not, check the documentation.
Next, let’s add a few name servers. It is important that your master and all your slaves are listed here, of course.
INSERT INTO `pdns.records` (`domain_id`, `name`, `type`, `content`, `ttl`) VALUES (1, 'example.com','NS', 'dns.example.net', 3600);INSERT INTO `pdns.records` (`domain_id`, `name`, `type`, `content`, `ttl`) VALUES (1, 'example.com','NS', 'dns2.example.net', 3600);You probably want some A records:
INSERT INTO `pdns.records` (`domain_id`, `name`, `type`, `content`, `ttl`) VALUES (1, 'example.com','A', '192.168.0.3', 3600);INSERT INTO `pdns.records` (`domain_id`, `name`, `type`, `content`, `ttl`) VALUES (1, 'sales.example.com','A', '192.168.0.4', 3600);INSERT INTO `pdns.records` (`domain_id`, `name`, `type`, `content`, `ttl`) VALUES (1, '*.example.com','A', '192.168.0.2', 3600);The first of these records is for the example.com domain name. The second is for a subdomain, i.e. sales.example.com. The third A record is special. It is a wildcard record. It matches any subdomain, that is not already specified, i.e. everything except example.com and sales.example.com.
Let’s finish by adding some MX records:
INSERT INTO `pdns.records` (`domain_id`, `name`, `type`, `content`, `ttl`, `prio`) VALUES (1, 'example.com', 'MX','mail.example.net', 3600, 10);INSERT INTO `pdns.records` (`domain_id`, `name`, `type`, `content`, `ttl`, `prio`) VALUES (1, 'example.com', 'MX','mailbackup.example.net', 3600, 20);Within a short time you will see the following information showing up in the log file of your slave server. Don’t be impatient, it takes some time. You should see something within a minute, though.
Feb 07 21:43:26 Received NOTIFY for example.com from 192.168.0.1 for which we are not authoritativeFeb 07 21:43:26 Created new slave zone 'example.com' from supermaster 192.168.0.1, queued axfrFeb 07 21:43:27 gmysql Connection succesfulFeb 07 21:43:27 No serial for 'example.com' found - zone is missing?Feb 07 21:43:27 AXFR started for 'example.com', transaction startedFeb 07 21:43:27 AXFR done for 'example.com', zone committedAnd the equivalent on the master server:
Feb 7 21:43:20 1 domain for which we are master needs notificationsFeb 7 21:43:20 Queued notification of domain 'example.com' to 192.168.1.2Feb 7 21:43:21 AXFR of domain 'example.com' initiated by 192.168.1.2Feb 7 21:43:21 Removed from notification list: 'example.com' to 192.168.1.2 (was acknowledged)Feb 7 21:43:21 gmysql Connection succesfulFeb 7 21:43:23 No master domains need notificationsThis looks like a successful AXFR of the example.com domain name. Let’s see, if the domain was really added to the MySQL database on the slave server:
mysql> SELECT * FROM pdns.domains WHERE name='example.com';+----+--------------+---------------+------------+-------+-----------------+---------+| id | name | master | last_check | type | notified_serial | account |+----+--------------+---------------+------------+-------+-----------------+---------+| 1 | example.com | 192.168.0.2 | 1234039407 | SLAVE | NULL | test | +----+--------------+---------------+------------+-------+-----------------+---------+1 row in set (0.00 sec)Quite cool, isn’t it? You can also query the records table. All your records will be there. Every time you add a new record and raise the serial number, PowerDNS will notify your slave and the record data will be updated automatically.
Sometimes, you might want to add a slave domain to one of your servers manually. Suppose your master server acts as a slave server for the domain example.org. Say, the master server of the example.org domain is a remote Bind server with the IP address 192.168.2.34. First, make sure that AXFR with that server is allowed (see above). Then, execute the following SQL query on your server.
INSERT INTO `pdns.domains` (`id`, `name`, `master`, `type`, `account`) VALUES (2, 'example.org', '192.168.2.34', 'SLAVE', 'test');Voilà. That’s it. PowerDNS will take care of the rest.
Unfortunately, supermaster mode is not equivalent to database synchronization. Automatic set up of new domain names and record data works like a charm. What doesn’t work, though, is the automatic deletion of domain names. If you delete your domain name on the master server, you need to delete it on all slaves manually.
It’s sometimes necessary to disable your web browser’s cache, especially, if you’re doing web development. If you’re using a legacy Firefox build (e.g. Firefox prior to 3.5), you could use the excellent Web Developer Toolbar by Chris Pederik to do this (on the Disable menu, select Disable caching). But if you’re living on the cutting edge of things and use a nightly build or a beta build of the current Firefox 3.5 (code name: Shiretoko) like I do, you can’t use the extension, because it is not compatible with nightly builds or recent beta builds (as of this writing).
Thus, a quick and dirty approach: First, type about:config into the URL bar. You’ll see a warning, that advises you to be careful. Be careful. After carefully dismissing the warning, enter network.http.use-cache into the filter bar. You should now see the preference of the same name. Double click on the value to change its value. If the value is set to false, the cache is disabled. If the value is set to true, which is the default, the cache is enabled. Despite the name, caching of sites using the https protocol will be disabled, too. And don’t forget to re-enable the cache after you’re done with whatever you wanted to do.
I’ve got an AR5008 wireless network adapter from Atheros in my Thinkpad. Unfortunately, while the card has some nice capabilities per se, Linux driver support is not that good. I’ve experienced a number of different issues with it ever since. Numerous times in the past I’ve thought about getting rid of it and putting some random Intel card into my notebook, but I never came around to actually doing it so far. Also, things could be a lot worse. Apple shipped this card in one of their Mac books, so pressure on the Linux kernel developers was quite high. And support for the card really got better over time. Right now (with a current ath9k driver) almost everything works for me. The only thing that doesn’t work is WPA2 Enterprise. Unfortunately, WPA2 Enterprise is the only thing that I really need. The only wlan network that I’d like to connect to on a regular basis uses WPA2 Enterprise. But that’s another story.
Lately, I’ve experienced a strange issue for a number of times. I’ve not debugged it deep enough to file a bug or to know the cause of the problem, but I’ve been lucky enough to find a workaround. To illustrate the problem, let’s take a realistic, though almost totally hypothetical example: You just moved 900 km (600 miles) north of where you lived before. Unfortunately, your new internet provider needs decades to set up your new internet connection. You’re offline. You could use the university network, but that uses WPA2 Enterprise. You’re living on the 18th floor. Luckily, there is a nice cafe in the basement, that kindly distributes the radio waves of its WPA2 Personal wireless network all the way up to your apartment. Why not go in there for a coffee and ask for the key of the wifi network? M. calls this the fine art of social engineering. And it works. Unfortunately, the owners of the cafe are not dumb. They change the key from time to time. No problem for you. You have another coffee. You get the new key. You try to connect with the new key. NetworkManager tries to connect forever. In the log you see thousands of messages like this:
ath9k_config: Unable to set channelNetworkManager would ask you for the key of the network from time to time, but it will never connect successfully. You’re offline again. And this is reproducible. You connect for the first time: Success. The key’s changed. You try to log on with the new key: Miserable failure. Doh!
The workaround for this is easy: Just remove the ath9k driver module from the kernel and load it back into the kernel a second later:
sudo modprobe -r ath9ksudo modprobe ath9kAlthough it does feel more like Windows than like Linux, it works. Your connection will now succeed. This also helps for a number of other random problems with the ath9k driver, that you might experience. So just try it. As far as our example goes, you’d still need to drink a coffee from time to time to stay online, though.
Class struggle (Klassenkampf)
I just got an email from Feargal Mac Conuladh, Vice President, Lenovo Services EMEA, who asked for feedback regarding Lenovo’s service. The service was powered by IBM and the quality was good overall. A few things would have improved my experience, though:
On the positive side, there were no weird questions from the call centre agent trying to diagnose, if my problem was really a problem. She just asked in which city I was at the moment and that was it, basically. Also, the technician replaced the faulty fan in no time. The response time was not very quick, but not bad either. It was okay per the terms of the SLA. Fast, competent, hassle-free customer service. Thumbs up, IBM!
Yesterday afternoon at 4 p.m. I finally phoned IBM regarding the broken fan in my ThinkPad. About an hour ago, a technician showed up and replaced the broken fan. Now I’ve got a silent office again.
Right now our DNS servers are used for a DNS root query amplification attack. The attack works like this: Mallory (the bad guy) is sending a lot of UDP queries for the root zone to a number of DNS servers. These queries are very short and don’t require a lot of bandwidth. In theory, the DNS server will respond with a very large response, because the response would contain the whole DNS root zone file. When sending the queries, Mallory will spoof the IP address of the source. He uses the IP of Alice (the good gal). The DNS server will send all the large root zone files back to Alice. Alice connection will be filled with root zone files from all over the world. This is a very nice attack vector, as it allows Mallory to send much more traffic to Alice then he can actually generate himself. Also, this does not really affect the DNS servers that are used by Mallory. If he does it the right way, it might even go unnoticed.
According to our DNS server log, these forged queries come in at a rate of about 20 Hz. Of course, our DNS server does not allow recursion from outside the trusted company network, so this is not really a problem either for us nor for Alice. Our DNS servers respond with a servfail. The log is full of these errors at the moment:
Not authoritative for '', sending servfail to 89.149.221.182 (recursion was desired)It is important to note that the IP address displayed in the log (which is in the middle of a subnet of a German provider based in Frankfurt/Main) is not Mallory, the attacker. It is Alice, the target of the attack.
While not as bad as a full root zone response, a servfail is still data. If we send enough data down the line to Alice, their service will go down. Also, our own log files will be full of error messages and they will grow big. We don’t want any of this, so what else can we do beyond disabling recursion for the outside world? Of course we could stop responding to those kind of requests entirely, playing stealth DNS. Unfortunately, this makes DNS cache poisoning easier, so we don’t want to do this. Instead, we use fail2ban to block an IP address temporarily after 10 failed queries for the root zone in a relatively short time frame. The following regular expressions will be fine for PowerDNS:
not authoritative for(.*)servfail(.*)<HOST>pdns\[.*\]: Not authoritative for '', sending servfail to <HOST>If you are administering your own DNS server, check your log files for these kind of attacks and implement appropriate measures to prevent them.
Recently, I ate in a restaurant car of ?eské dráhy, which is a Czech railway company. While I was eating my meal and thought, that the food quality was simply bad – even worse than the food quality in the restaurant cars of the German railway, the people at the table next to me talked about how the Czech railway company prepared the food by hand and how much better it was compared to the defrosted food served by the German railway. Strange. You can paint your own picture now, but I would avoid eating in Czech restaurant cars, if I were you. Kozel ?erný seems to be worth a try, though.
Exerpt from mail server statistics showing an increase in filtered mail and overall mail throughput versus a decrease of mails in the queue
On 1/21/09, ******* **** <*****@*****.***> wrote:>> Hi there,>>>> ******* **** here, just got subscribed to the mailing list.>> Great! :). We can start to discuss stuff you have in mind if you want ;)I herewith declare, that Einlieferungs-Paketzentrum (in English: incoming delivery parcel center) is the word of the day. You can see it live when tracking a parcel delivered by DHL. While other companies like UPS display real location names in their online tracking system (e.g. I can see, that my parcel was last seen in Berlin at 7 p.m.), DHL provides a service that is a bit more anonymous. They simply tell me, that my package was last seen in the incoming delivery parcel center at 19:00. If you want to send parcels anonymously, use DHL.
Today I finally managed to buy a BahnCard. It is issued by our national railway company and allows you to safe up to 100% of the price of a ticket. Of course I only bought BahnCard 50 for the 2nd class, which gives me a 50% discount on any 2nd class railway ticket for one year. The 100% card is too expensive. It doesn’t pay off for me.
At first, I intended to buy the card online, but it isn’t possible to get a student discount, if you buy online. So I stopped by the Reisezentrum (travel centre) on my way to the city for some Christmas shopping.
Unfortunately, I forgot to bring a photo. No problem, the officer said, but I need to take a photo of you now. This is part of our service, you don’t need to pay an extra fee for it, she added.
After she had taken a photo of me with a digital camera that seemed to be an old one from Medion, I told her that I really appreciated it and that I was surprised that they even offered such a service. Well, she said in a very official way, this is a special service of our Dienststelle (authority). We originally used Polaroid pictures. It isn’t offered all over Germany.
There are actually some branches of German railway that resist the overall tendency and seem to be commited to provide really great customer service. Still, the tone of the employee was very official. At all times, I didn’t have the impression that I bought a train ticket at a private company, but that I applied for some kind of formal document at a Bundesbehörde (federal authority). Also, I feel a bit like all those involuntary Jamba customers. I meant to buy a single BahnCard, but what I actually bought, was a subscription. I need to cancel 6 weeks in advance, if I don’t want to get (and pay for) a new one. It seems that Deutsche Bahn combines the worst of both worlds (private and public sector).
PS: I’m currently looking for partners at a new company. The company will be called Sunny Railway GbR. If you travel with German railway frequently, but a BahnCard 100 is still too expensive for you, contact me for more information.
Suppose you’ve got an Eumex telephone system. You’ve got a few extensions, which are configured as phone extensions in the dial plan. You’ve got an extension that is configured as a fax/modem extension in the dial plan. Now you plug a fax modem into the fax extension of your Eumex. You haven’t used the fax modem since the nineties and you are not sure it does work at all. To test your setup, you dial the number of one of your phone extensions. Now the phone extension rings and you know that everything is ok. Merely a matter of very few minutes. Right? Wrong! Eumex tries to be smart. It “knows” that you try to call a phone number from a fax number. And that must be a mistake of the user. Eumex will not let you do this. While Eumex “thinks” that it is not a problem to call the number of your own extension, Eumex “thinks” it is a serious problem, if you want to call a phone extension from a fax extension. It won’t let you. It will always give you a busy signal.
In my mind’s eye I see the numbers of users, who, years after installation, decided to get rid of their fax machine and plug in a phone instead. How much time will be burned until they notice why they can’t call other in-house extensions?
Good morning … from Hamburg. I’m feeling a bit like the protagonist of this Cluseo song at the moment. Anyway, if you’re awaiting email from me, you will probably receive my answer before Christmas. Just give me some time to struggle through the pile of mail. In not so related news, Hamburg is looking for a new data protection officer. When I first heard of this, I thought it would be a good idea, if M. applied for this position. I wish someone like him will be appointed. The geek shall inherit the earth. As current senator of justice, Till Steffen will conduct the interviews. If we’re all lucky, eventually, Hamburg will get a real, independent data protection officer, like the one in Schleswig-Holstein. You think that the independent doesn’t really make a difference? Probably not, but I’ve listened to both the former Hamburg officer and the independent Kiel officer talking about privacy and data protection. And it made a difference ;). If nothing else, it has a symbolic value at least.
It seems that German whistle-blowers recently discovered Wikileaks. While you have to take into account a confidential part of the Schäfer Bericht, most documents published by Wikileaks didn’t have a direct relation to Germany so far. But last week they published a document that is said to contain network blocks used by the German intelligence service Bundesnachrichtendienst and as of this morning there are a number of internal reports on failures in the nuclear power plant Krümmel. The Krümmel nuclear power plant is located at the Elbe river, just south-east of Hamburg, so this is especially interesting to me. I even sailed past a bank of fog caused by hot Krümmel cooling water a few years ago.