NSEC3 - A shadowy flight into the dangerous world of a record who does not exist.
Denial of Existence, a young loner on a crusade to champion the cause of the innocent, the helpless, the non-existent, in a world of records who operate above the law.
Inspired by NLnet Labs and PowerDNS, I figured I couldn’t stay behind, so here is how to add new RRs to Go DNS.
A small note before I delve into the details: I haven’t optimized Go DNS for adding new types, as this is a relatively infrequent event. There are a few items that need to be added before Go DNS understands the new RR type.
RR interface;
Let’s take the new DANE (RFC6698) as an example. The record is called TLSA, and looks like:
Replying to @Nijmeegsebus
but you now have an EMPTY bottle, don’t you? Just saying...
Fri Nov 30 13:46:18 +0000 2012
RT @PowerDNS_Bert: DNS-OARC is good, please consider this job! http://lnkd.in/sGxGuW
Fri Nov 30 20:17:47 +0000 2012
Can drop7 get a table interface! Please
This is an official announcement from SIDN also published here.
In the course of Sunday 28 October, an error occurred during the publication of a new ZSK (with key tag 20331). Because of the error, the new ZSK was not published in the DNS when it should have been. However, the software used by SIDN (OpenDNSSEC) continued to work on the basis that the ZSK had been published successfully.
Replying to @gitaar
yeah, but xlstproc doesn’t do 2 on Linux AFAIK
Wed Oct 31 07:03:22 +0000 2012
Who is Kroah-Hartman? https://lwn.net/Articles/522088/
Wed Oct 31 11:37:36 +0000 2012
Replying to @jpmens
and with those words hell froze over. #hotel #wifi
Wed Oct 31 16:08:12 +0000 2012
Ubuntu’s mainline kernels don’t install anymore... Who should I tell this? 3.6.4 and 3.6.5 fail on quantal
RT @Omdenken: Those who believe in telekinetics, raise my hand. (Kurt Vonnegut)
Indeed a really nice font and fully open source. Using it now at 11pt. See:
I’m a huge fan of syntax highlighting in my editor Vim. One thing I started to
miss was that user-defined types miss out on the highlighting, because Vim does
not know about them. Wouldn’t it be cool to have some sort of automatic support that
detects your types and adds them to the correct highlighting group? I call
this “dynamic syntax highlighting”.
As a proof-of-concept I took the tagbar
plugin, and modified it a little to take
advantage of the language detection (specifically the types). The modified code
can be found in my fork on github.
When editing zone files with vim I always get annoyed by the fact that the syntax highlighting did not understand newer types ’n stuff. I never did anything about it until now.
Download this vim syntax file and drop it
in ~/.vim/syntax. It adds newer (DNSSEC) types and base64 highlighting. Base64 only works
when there are no embedded spaces (patch welcome to fix that btw!)
Replying to @jessemcnelis
ah thanks I was only using cpuprof, but indeed there is also memprof.
Fri Aug 31 05:35:59 +0000 2012
Mail subject: “DS lunch”, huh Delegation Signer lunch?? Alas, turned out to be something completely different
Fri Aug 31 07:01:57 +0000 2012
Replying to @ecnivnl
Thought we had fixed this when we upgraded the crawler. You probably only have an algo 8 key? (perfectly ok)
If you do DNS for too long everything looks like 53.
In this “trace” I’m showing the logging of fksd when I add a
zone, try to list it as a non-existent user miekg (which fails), add the user
miekg and list it again. Users are identified by the key in the TSIG record, their
password is the shared secret.
The “config files” from nsupdate can be found in the github repo
of fksd.
The nsupdate commands are preceded with a %, extra comments are preceded with #:
I’m writing a nameserver called fksd (Funkensturm daemon), which is
currently in a prototype stage (but the code is available at
github).
In this server I’m pursuing some interesting directions in nameserver development, such as the dynamic configuration as provided by BIND10.
BIND10 uses http(s), but I think using DNS packets is more in line with a nameserver, so I opted for that route.
With fksd you can use packets (which will be TSIG signed in the
future tomorrow) to configure the server. The only configuration possible at the
moment is adding a zone. Such a packet needs to have a TXT record like
the following in its AUTHORITY SECTION:
Android Jelly bean on my aging Xoom. Indeed nice and fast
Tue Jul 31 16:00:22 +0000 2012
Either my server crashed or something else happened... 7000 km from home
Puppetd (ruby) was going nuts.
Jul 1 01:59:59 elektron kernel: [183728.001601] Clock: inserting leap second 23:59:60 UTC
Results in:
I’ve created a small wrapper for libunbound for use in Go.
The code can be found at github. It depends on my Go DNS library which can be found here.
Official announcement on the Unbound-users@ list.
To give you a little taste of how it looks, I’ve (re)created tutorials 2 to 6 in Go. Tutorial 2 looks like this, for instance:
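package main

// https://www.unbound.net/documentation/libunbound-tutorial-2.html

import (
	"fmt"
	"os"

	// Full import paths of the Go DNS library and the libunbound wrapper.
	"github.com/miekg/dns"
	"github.com/miekg/unbound"
)

func main() {
	// Create a resolver context and release it on exit.
	u := unbound.New()
	defer u.Destroy()

	// Use the forwarders from resolv.conf.
	if err := u.ResolvConf("/etc/resolv.conf"); err != nil {
		fmt.Printf("error %s\n", err.Error())
		os.Exit(1)
	}

	// Also answer from the local hosts file.
	if err := u.Hosts("/etc/hosts"); err != nil {
		fmt.Printf("error %s\n", err.Error())
		os.Exit(1)
	}

	// Look up the A record and print the complete result structure.
	r, err := u.Resolve("www.nlnetlabs.nl.", dns.TypeA, dns.ClassINET)
	if err != nil {
		fmt.Printf("error %s\n", err.Error())
		os.Exit(1)
	}
	fmt.Printf("%+v\n", r)
}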
Replying to @nlmarkscholten
you do have the IPs of the nameservers; with a TCP(!) DNSKEY query you are already a long way there. See also: http://drskey.sidnlabs.nl/
Sat Jun 30 08:11:25 +0000 2012
back to go’old XFCE 4.10. GNOME3 is more slick, but at least this just works (and fast!)
Sat Jun 30 08:12:23 +0000 2012
Replying to @nlmarkscholten
key2ds? It’s in ldns, Perl’s net:dns and a few other libs, I think :-)
This is a post that details on how to sync a subversion repository to git repository on github.com, and how to keep it in sync.
The following sites were instrumental in getting this to work:
There are a number of steps to take. From a bird’s eye view:
git svn to clone the svn repo to a git repo;
git repo;
https://svn.example.net/example;
git-svn is installed;
ssh is installed.
Clone the repository
I wanted to look at the increase in ntp traffic now that I’ve
joined the pool.ntp.org ranks. Unfortunately munin didn’t
have a watch-port-x-and-draw-something-plugin. So I wrote my
own based upon the ip_ plugin.
The plugin monitors both v6, v4, tcp and udp and plots them together, as send and received. Just symlink the port number to the plugin:
ip_port_123 -> ip_port_
For it to work, you do need some iptables rules, so yes, this
plugin only works in Linux. See the
munin plugin
for the documentation.
Now that the API seems to stabilize it is time to update these items.
We want to create a little program that prints out the MX records of domains, like so:
% mx miek.nl
miek.nl. 86400 IN MX 10 elektron.atoom.net.
Or
% mx microsoft.com
microsoft.com. 3600 IN MX 10 mail.messaging.microsoft.com.
We are using my Go DNS package.
First the normal header of a Go program, with a bunch of imports. We
need the dns package:
For some reason I was experiencing wifi disconnects with the ath9k wifi
driver under Linux (Ubuntu 12.04). After reading numerous blogs and bug
reports (disable ipv6, use hwcrypto=0, etc.), I suspected it was the
power management that was somehow disabling the driver, in turn leading
to a disconnect. This will probably be fixed in newer kernels (Ubuntu 12.04
ships 3.2.x).
For now I took a shortcut and disabled the power management
on the wlan0 interface. For this to work I created a (super)small
script: /etc/network/if-up.d/wifipower:
Maybe I’ll try to send it in as an individual submission.

Network Working Group                                          R. Gieben
Internet-Draft                                                      SIDN
Intended status: Informational                                April 2012
Expires: October 3, 2012

             Creating Internet Drafts and RFCs using Pandoc
                  draft-gieben-creating-rfcs-pandoc-00
Abstract
This memo presents a technique for using Pandoc syntax as a source
format for documents in the Internet-Drafts (I-Ds) and Request for
Comments (RFC) series.
Using Pandoc syntax this way minimizes the need to directly edit the
raw XML, but it does not completely make the XML invisible.
Status of this Memo
This document is an Internet-Draft and is NOT offered in accordance
with Section 10 of RFC 2026, and the author does not provide the IETF
with any rights other than to publish as an Internet-Draft.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 3, 2012.
Gieben Expires October 3, 2012 [Page 1]
Internet-Draft Pandoc for RFC creation April 2012
Table of Contents
1. Introduction
2. Using Pandoc for RFC creation
3. Syntax
3.1. References
4. Security Considerations
5. IANA Considerations
6. Acknowledgements
7. Normative References
Author's Address
1. Introduction
This memo presents a technique for using Pandoc [1] syntax as a
source format for documents in the Internet-Drafts (I-Ds) and Request
for Comments (RFC) series.
Pandoc is an "almost plain text" format, which is inspired by
Markdown Syntax [2] and therefore particularly well suited for editing
RFC-like documents.
The power of Pandoc also comes from the fact that it can be
translated to numerous output formats, including, but not limited to:
HTML, Markdown and "docbook" XML.
In this case the Pandoc sources are converted to "docbook" XML. This
XML is then converted again, using an XSLT stylesheet, to XML
suitable as input for "xml2rfc" [RFC2629]. The conversions are
collectively called Pandoc2rfc [pandoc2rfc].
Pandoc2rfc is in some way amusing, as we start off with (almost)
plain text, use elaborate XML and end up with plain text again, as
shown in Figure 1.
Attempt to justify Pandoc2rfc.
   +-------------------+   Pandoc   +---------+
   | ALMOST PLAIN TEXT |   ------>  | DOCBOOK |
   +-------------------+            +---------+
                 |                       |
   non-existent  |                       | XSLT (transform.xsl)
    quicker way  |                       |
                 v                       v
         +------------+    xml2rfc  +---------+
         | PLAIN TEXT |  <--------  | XML2RFC |
         +------------+             +---------+
Figure 1
For the conversion to work the following tools and files need to be
installed:
o xml2rfc [3];
o xsltproc [4] (or any other XSLT (v1) processor);
o Pandoc [1];
o transform.xsl [5].
2. Using Pandoc for RFC creation
As said in the introduction the use of Pandoc does not eliminate the
need to setup some files in XML. Particularly the "<front>" matter
of "xml2rfc" can not be codified in Pandoc, so a template like this
is still needed:
A minimal template.xml.
<?xml version='1.0' ?>
<!DOCTYPE rfc SYSTEM 'rfc2629.dtd'>
<rfc ipr='trust200902' docName='draft-gieben-pandoc-rfcs-01'>
  <front>
    <title>Creating Internet Drafts and RFCs using Pandoc</title>
    <abstract>
      <?rfc include="abstract.xml"?>
    </abstract>
    <author initials="R." surname="Gieben"
            fullname="R. (Miek) Gieben">
      <organization>SIDN</organization>
    </author>
  </front>
  <middle>
    <?rfc include="middle.xml"?>
  </middle>
  <back>
    <references title="Normative References">
      <?rfc include="reference.RFC.2629.xml"?>
    </references>
    <?rfc include="back.xml"?>
  </back>
</rfc>
Figure 2
The template shown in Figure 2 includes 3 (not counting the
reference) XML files:
1. abstract.xml;
2. middle.xml;
3. back.xml.
To create the complete document you will need to edit three Pandoc
files and the template, (".pdc" is the extension for Pandoc files):
1. abstract.pdc;
2. middle.pdc;
3. back.pdc;
4. template.xml (probably a fairly static file once setup).
To convert, for instance, the "middle.pdc" file to XML the following
command is executed on a Unix-like system:
pandoc -t docbook -s middle.pdc|xsltproc transform.xsl - > middle.xml
This is also done for "abstract.pdc" and "back.pdc". After which
"xml2rfc" is called:
xml2rfc template.xml draft.txt
Which creates the final output. Of course this process can be
automated using a tool like "make".
When using Pandoc2rfc consider adding the following sentence to an
Acknowledgements section:
This document was prepared using Pandoc2rfc.
3. Syntax
Almost all features of "xml2rfc" are supported. A notable exception
is the "crefs" tag, but HTML comments are allowed within Pandoc
sources so they may be used as a substitute.
Sections are started by using a header [README#headers].
Paragraphs are separated by an empty line. Hanging paragraphs are
entered by using a definition list [README#deflists].
Footnotes are not supported. Pandoc2rfc (ab)uses the footnote syntax
to support indices. Block quotes are not directly supported in
"xml2rfc" so they get translated to a hanging paragraph.
A good number of different type of lists are supported, they are
translated according to the following table.
List conversions from Pandoc to "xml2rfc".
+-----------------+------------------------------+
| Pandoc          | Converts to                  |
+-----------------+------------------------------+
| "* First item"  | "<list style="symbol">"      |
| "1. First item" | "<list style="numbers">"     |
| "#. First item" | "<list style="empty">"       |
| "a. First item" | "<list style="letters">"     |
| "A. First item" | "<list style="format %C.">"  |
| "i. First item" | "<list style="format %i.">"  |
| "I. First item" | "<list style="format (%d)">" |
+-----------------+------------------------------+
Table 1
A figure or artwork is created with a paragraph that is indented with
four spaces [README#codeblocks]. A figure caption is always
translated to a "<preamble>". A figure caption is created by using
this text as the last line in the artwork: "Figure: ...caption
text..."
The different tables [README#tables] Pandoc supports are all mapped
to "<texttable>". A table caption is always translated to a
"<postamble>". A table caption is added by using "Table: ...caption
text..." after a table.
The caption is _always_ translated to a "<preamble>". The
"<postamble>" tag isn't supported. If a table has a caption, it will
*also* get a reference. See Section 3.1 for the details.
As footnotes are not supported in RFCs the syntax in Pandoc is used
to support an index. Footnotes in Pandoc (and thus an index in the
RFC) are entered in two steps, you have a marker in the text, and
later you give actual footnote text. Like this:
[^1]
[^1]: footnote text
This text translates to: "<iref item="footnote text"/>". It points
to the page where the footnote marker was placed. Sub items are also
supported. Use an exclamation mark ("!") to separate them: "[^1]:
item!sub item".
3.1. References
References to sections are created automatically by Pandoc and the
normal Pandoc rules are followed.
Reference conversions from Pandoc to "xml2rfc".
+-----------------+-------------------------------+----------+
| Pandoc          | Converts to                   | Type     |
+-----------------+-------------------------------+----------+
| "[Click](URL)"  | "<eref target="URL">Click..." | External |
| "[See](#local)" | "<xref target="local">See..." | Internal |
| "[](#RFC2119)"  | "<xref target="RFC2119"/>"    | Citation |
+-----------------+-------------------------------+----------+
Table 2
Internal references will add "Section:", "Table:" or "Figure:"
depending on where it points to (this is the default behavior of
"xml2rfc"). For the citations to work the reference anchor must be
known (i.e. the RFC reference.xml must be included in the template).
References to tables and figures are not handled by Pandoc, this
behavior is implemented in the XSLT stylesheets, therefore the rules
are slightly different (and less flexible). A figure and table only
get a reference when they have a caption. If a figure has a caption
it is also centered on the page.
The reference anchor attribute will be: "fig:" + "first 10
(normalized) characters from the caption" for figures and "tab:" +
"first 10 (normalized) characters from the caption" for tables.
Normalized is:
o Take the first 10 characters of the caption (i.e. this is the text
_after_ the string "Figure:" or "Table:");
o Spaces are translated to a minus "-";
o Uppercase letters translated to lowercase.
For example a figure with a caption "Figure: A minimal template" will
get the anchor "fig:a-minimal-"
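The anchor rule above, as an added Go example (not part of the memo or of Pandoc2rfc's XSLT): it derives the anchor for a caption line and reports captions that end up with the same anchor because they share their first 10 characters. Stripping the blank after "Figure:" or "Table:" is an assumption, made so that the memo's own example yields "fig:a-minimal-"; every caption except that one is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// anchorFor derives the reference anchor for a caption line such as
// "Figure: A minimal template", following the three normalization steps.
// Assumption: the blank after the "Figure:"/"Table:" keyword is dropped.
func anchorFor(captionLine string) (string, error) {
	var prefix, text string
	switch {
	case strings.HasPrefix(captionLine, "Figure:"):
		prefix, text = "fig:", strings.TrimPrefix(captionLine, "Figure:")
	case strings.HasPrefix(captionLine, "Table:"):
		prefix, text = "tab:", strings.TrimPrefix(captionLine, "Table:")
	default:
		return "", fmt.Errorf("no caption keyword in %q", captionLine)
	}
	r := []rune(strings.TrimSpace(text))
	if len(r) > 10 {
		r = r[:10] // first 10 characters of the caption
	}
	s := strings.ReplaceAll(string(r), " ", "-") // spaces become a minus
	return prefix + strings.ToLower(s), nil      // uppercase becomes lowercase
}

// collisions groups caption lines by anchor and keeps only the anchors
// that more than one caption maps to.
func collisions(captionLines []string) map[string][]string {
	byAnchor := map[string][]string{}
	for _, c := range captionLines {
		a, err := anchorFor(c)
		if err != nil {
			continue // not a caption line
		}
		byAnchor[a] = append(byAnchor[a], c)
	}
	for a, cs := range byAnchor {
		if len(cs) < 2 {
			delete(byAnchor, a)
		}
	}
	return byAnchor
}

func main() {
	// Constructed sample captions; only the first one comes from the memo.
	caps := []string{
		"Figure: A minimal template",
		"Figure: A minimal Makefile",
		"Table: List conversions",
		"Figure: Flow",
	}
	for _, c := range caps {
		a, _ := anchorFor(c)
		fmt.Printf("%-28s -> %s\n", c, a)
	}
	for a, cs := range collisions(caps) {
		fmt.Printf("duplicate anchor %s: %q\n", a, cs)
	}
}
```

Captions that differ only after the tenth character share one anchor, so giving each caption a distinct opening keeps the generated references unambiguous.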
4. Security Considerations
This memo raises no security issues.
5. IANA Considerations
This memo has no actions for IANA.
6. Acknowledgements
The following people have helped to make Pandoc2rfc what it is today:
Benno Overeinder, Erlend Hamnaberg, Matthijs Mekking, and Trygve
Laugstoel.
This document was prepared using Pandoc2rfc.
7. Normative References
[README#codeblocks]
MacFarlane, J., "PANDOC Documentation", 2006,
<http://johnmacfarlane.net/pandoc/README.html#indented-code-blocks>.
[README#deflists]
MacFarlane, J., "PANDOC Documentation", 2006,
<http://johnmacfarlane.net/pandoc/README.html#definition-lists>.
[README#headers]
MacFarlane, J., "PANDOC Documentation", 2006,
<http://johnmacfarlane.net/pandoc/README.html#headers>.
[README#tables]
MacFarlane, J., "PANDOC Documentation", 2006,
<http://johnmacfarlane.net/pandoc/README.html#tables>.
[RFC2629] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629,
June 1999.
[pandoc2rfc]
Gieben, R., "Pandoc2rfc", 2012,
<http://github.com/miekg/pandoc2rfc>.
[1] <http://johnmacfarlane.net/pandoc/>
[2] <http://daringfireball.net/projects/markdown/>
[3] <http://xml.resource.org/>
[4] <http://xmlsoft.org/xslt/xsltproc2.html>
[5] <https://raw.github.com/miekg/pandoc2rfc/master/transform.xsl>
Author's Address
R. (Miek) Gieben
SIDN
Meander 501
Arnhem, 6825 MD
NL
Phone:
Email: miek@miek.nl
URI:
Replying to @silentlennie and @dakami
The equivalent of HSTS in DNS is the DS at the parent. If it’s there you *expect* DNSKEYs and RRSIGs as a resolver
Thu May 31 11:23:42 +0000 2012
Replying to @dakami and @silentlennie
yeah, but dns is of course a slightly diff. proto than http(s)
Thu May 31 12:41:00 +0000 2012
RT @nlmarkscholten: Recommended RT @SIDN You can watch the webinar ‘Do’s and don’ts of DNSSEC for .nl registrars’ again via http://t.co/Jv ...
Replying to @jessemcnelis
ah ok. Silly that go vet complains about it then
Mon Apr 30 08:35:10 +0000 2012
What is the LOC record a bitch!
Mon Apr 30 12:09:26 +0000 2012
Replying to @_cyclops_
that too. Implementing experimental records *sigh*
Mon Apr 30 12:15:43 +0000 2012
Replying to @rogpeppe
how do you encode for that? One long tag-string or multiple tags?
Mon Apr 30 12:34:34 +0000 2012
#xfce #4.10 #ubuntu No packages yet: https://launchpad.net/~xubuntu-dev/+archive/xfce-4.10
RT @jasparov: And so Nijmegen keeps ‘scoring’ @fabfrank1508: This is how they stand at all parking meters in #Nijmegenparkeren. Disgrace http://t. ...
Sat Mar 31 16:33:48 +0000 2012
Replying to @stonehead
sorry? What kind of resolutions...?
Sat Mar 31 16:34:39 +0000 2012
Paradigit’s site, paradigit.nl, still down...
“One Key to rule them all,
one Key to find them,
one Key to bring them all
and in the Resolver bind them."
- Modified from Lord of the Rings.
Yes, this quote is mine. And I think this Internet Protocol Journal has its first use.
See this code in github,
where I’ve implemented zipping DNS messages.
A modified q prints the compression rate at the first line. It only shows
how much compression you would get when you compress the answer.
For compression we use DEFLATE as described in RFC 1951. A typical example:
q @open.nlnetlabs.nl MX miek.nl
;; Uncompressed/Compressed 253/142 (1.781690)
;; bla bla bla bla
That’s not bad: a compression factor of almost 1.8! Some more examples:
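The measurement can be reproduced offline with Go's standard library. This is an added example, not the code from the github repository mentioned above: it deflates a constructed MX response (hand-built wire format, names and hosts are sample values) and prints the same ratio line. The size cap in `inflate` is an assumption about what a receiver of such zipped messages would want, since a DNS message can never exceed 65535 octets.

```go
package main

import (
	"bytes"
	"compress/flate"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"strings"
)

const maxDNSMsg = 65535 // largest DNS message (16-bit length prefix over TCP)

// packName encodes a domain name as plain labels, without DNS name compression.
func packName(name string) []byte {
	var b []byte
	for _, l := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		b = append(append(b, byte(len(l))), l...)
	}
	return append(b, 0)
}

// sampleMX builds a constructed MX response in wire format (sample input only).
func sampleMX(owner string, hosts []string) []byte {
	msg := make([]byte, 12)
	binary.BigEndian.PutUint16(msg[0:], 0x1234)                // ID
	binary.BigEndian.PutUint16(msg[2:], 0x8180)                // QR, RD, RA set
	binary.BigEndian.PutUint16(msg[4:], 1)                     // QDCOUNT
	binary.BigEndian.PutUint16(msg[6:], uint16(len(hosts)))    // ANCOUNT
	msg = append(append(msg, packName(owner)...), 0, 15, 0, 1) // question: MX, IN
	for i, h := range hosts {
		rdata := append([]byte{0, byte(10 * (i + 1))}, packName(h)...) // preference, exchange
		msg = append(append(msg, packName(owner)...), 0, 15, 0, 1, 0, 1, 0x51, 0x80) // MX IN TTL 86400
		msg = append(append(msg, byte(len(rdata)>>8), byte(len(rdata))), rdata...)
	}
	return msg
}

// deflate compresses msg with DEFLATE (RFC 1951).
func deflate(msg []byte) []byte {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression) // valid level: no error
	w.Write(msg)                                         // bytes.Buffer writes do not fail
	w.Close()
	return buf.Bytes()
}

// inflate decompresses z but refuses output larger than any DNS message can be.
func inflate(z []byte) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(z))
	defer r.Close()
	out, err := io.ReadAll(io.LimitReader(r, maxDNSMsg+1))
	if err == nil && len(out) > maxDNSMsg {
		err = errors.New("inflated data exceeds maximum DNS message size")
	}
	return out, err
}

func main() {
	msg := sampleMX("miek.nl.", []string{"mx1.example.net.", "mx2.example.net.", "mx3.example.net."})
	z := deflate(msg)
	fmt.Printf(";; Uncompressed/Compressed %d/%d (%f)\n", len(msg), len(z), float64(len(msg))/float64(len(z)))
}
```

The sample message repeats the owner name in every record instead of using DNS name compression, which is where most of the DEFLATE gain comes from here.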