Due to the new go tool (long story), I’ve renamed godns to dns.
This means the github repo is also somewhere else.
godns installed itself as dns so code using it does not need to be changed.
http://tools.ietf.org down?
Tue Jan 31 09:09:58 +0000 2012
I don’t like the go build tool ‘go’ #WantMakefiles
Tue Jan 31 09:45:13 +0000 2012
Replying to @twitjeb
thanks. With shift-reloading that page. Also saw it is working again.
Tue Jan 31 09:55:21 +0000 2012
Always a keep way to check if your e-mail server setup is working. Incoming spam and PHP security alerts.
Tue Jan 31 10:00:47 +0000 2012
Replying to @SpamExperts and @ecnivnl
The tool for DNS fingerprinting is fpdns, which is Perl based.
In recent times development seems to have picked up, but a little competition never hurt
anyone, so I wrote fp in Go. Fp is also a fingerprint program for DNS servers. Its aim is to
be more readable than fpdns is (was?), and to make it easier to add new server types.
Help needed!
Do you have some old(er) nameserver lying around that can be queried? Does your (sick) mind
know of a few extra evil queries that can be sent to nameservers? If so, please contact
me: query@evilquery.nl. I want to get to a point where fp sends about 10 queries that
can be used to identify a server.
Get the latest version (called weekly) of Go:
Get Go: hg clone -u release https://go.googlecode.com/hg/ go
Note the directory you have downloaded it to and set
$GOROOT to it: export GOROOT=$PWD/go.
Add the GOROOT bin directory to your path: PATH=$PATH:$GOROOT/bin
Update Go to the latest weekly: cd $GOROOT; hg pull; hg update weekly
Compile Go: cd $GOROOT/src ; ./all.bash
Install missing commands (gcc, sed, bison, etc.) if needed.
The latest Go is now installed.
When using dig to debug DNS/DNSSEC errors, you (I have the need, I’m assuming you
have it too) often want to know:
With dig this is next to impossible, because we humans can not validate RSA signatures,
nor hash names for NSEC3 validation.
This is why I added a little feature to q, the query-tool found in godns.
The tool looks very much like dig or drill (from ldns).
(This is an English translation of this blog article over at sidnlabs.nl)
After the publication of the SIDN NSEC3 white paper we received feedback from a number of people. The most constructive feedback was from Karst Koymans of the University of Amsterdam. This, together with the other feedback, has led to a version 2 of the white paper.
This version has the following differences with respect to version 1:
Version 2 of the white paper can be found here. Or here locally.
(This is an English translation of this Dutch blog article)
By writing the NSEC3 whitepaper, we gained a lot of insight into how “authenticated denial of existence” works. But some new questions popped up:
Answering these questions led to the birth of NSEC4, which is documented in this internet draft.
This came up during a recent Pandoc
discussion.
The discussion was about outputting <sectN> section styling when creating DocBook XML. Currently
Pandoc outputs nested <section>s.
I argued you could easily change between the two formats and <section> is more flexible, so
just leave Pandoc as it is. But it allowed me to play with XSLT once more. With the following
results.
This XSLT translates <section> to <sectN> where N is 5. If the sections are nested deeper
it switches to <section>.
Replying to @stonehead
if the neighbours have put their paper outside, you should put yours outside too #simpel
Sat Dec 31 10:09:31 +0000 2011
A fun Dutch tradition. I think 2 dead (in The Hague of course), about 10 seriously injured. And riots everywhere #oudennieuw
Sat Dec 31 12:31:38 +0000 2011
Xslt, Go, Perl, Bash, C, Java #code2011
Sat Dec 31 14:03:56 +0000 2011
Twitter already over capacity??
I’ve tweaked my vim color scheme quite a bit and tried to keep the colors of gvim (which I use less often) in sync.
This keeping in sync hasn’t worked out, so I wrote this little script to convert the vim colors to the gvim ones:
Download the makegvim script, and use it like:
$ ./makegvim < ~/.vim/colors/<yourfile> > /tmp/x
$ mv /tmp/x ~/.vim/colors/<yourfile>
And now the colors of gvim should be identical to those of vim.
I’ve created a little tool (actually an XSLT file) that helps to write RFCs. Browsing my github repo I found two different forks. And browsing those forks, I saw some commits I wanted to have.
But how do you merge a commit from a forked git repository? Turns out it is not that difficult.
The commit I want has the hash 5a11e88ddbef4ce7513aae93bdcd377449f45efb.
The steps:
Create a remote branch:
git remote add hamnis https://github.com/hamnis/pandoc2rfc
Fetch the contents of it:
Replying to @geertjanweijman
There's some on Google+, but I still have to scrape it together
Wed Nov 30 11:59:46 +0000 2011
I can’t help but feel sorry for people who are stuck with using windows as their desktop env. #SucksToBeYou
Wed Nov 30 13:40:44 +0000 2011
Replying to @zmooc
like prostitutes?
Wed Nov 30 13:59:21 +0000 2011
Replying to @tomhendr
Unity victims :-) #like
Wed Nov 30 14:08:22 +0000 2011
Replying to @zmooc
Gnome
(This is an English translation of this blog article over at sidnlabs.nl)
In theory DNSSEC isn’t really that complicated, but in practice some parts can be pretty intimidating.
One such part is “Authenticated denial of existence”. In short this is communicating, with certainty, to a resolver that a name does not exist in the DNS.
The DNSSEC specification uses two records (and thus actually two different methods) for this purpose:
In this white paper (local copy) we explain how NSEC and NSEC3 work and what the main differences are. We also show the evolutionary path of NSEC to NSEC3.
#RIPE63 observation: mac laptops: nerds, linux laptops: ubernerds (I run linux :) ), windows laptops: newcomers
Mon Oct 31 08:12:41 +0000 2011
Replying to @Linprotwit
Yep :-) Happily nerding away, now at the RPKI routing workshop
Mon Oct 31 08:34:38 +0000 2011
Replying to @bortzmeyer
#RPKI I find DNSSEC easier
Mon Oct 31 08:43:28 +0000 2011
RT @112nijmegen: We now have 904 followers from #Nijmegen and surroundings! :) 96 more followers and then we'll raffle off a cinema voucher! RT to ...
Acer Android 3.2 update and Xoom Android 3.2.1 update #nice
Fri Sep 30 07:03:55 +0000 2011
Anybody tried gnome 3.2? Does it work better? Does ffm finally work?
This is a follow-up on this pandoc item in Dutch.
When writing RFC 4641 we directly wrote the XML. Needless to say it was kinda tedious even though the XML of xml2rfc is very “light”.
Nowadays I’m a fan of the markdown syntax and especially the syntax as supported (created?) by Pandoc.
So for my next RFC (if ever!) I decided I wanted to use Pandoc. As xml2rfc uses XML
I thought the easiest way would be to create docbook XML and transform that using
XSLT.
In the xoria256m post, I introduced my xoria256 like color scheme. Again, inspired by solarized, I extended this to other applications. So now I use this in the following apps:
See this file to setup the colors. Then in my prompt I have stuff like:
PS1=$'${vcs_info_msg_0_}$FG[067]%(1j.$myjobs% $FX[reset].$FX[reset])$FG[179]%#$FX[reset] '
RPS1="$RPSL%$MAXMID<...<$mypath$RPSR$FG[239]$FX[bold]$__ZH$FX[reset]${vcs_info_msg_1_}"
RPSR=$'$FX[reset]$FG[009]%(0?.$FG[reset]. $E)$FX[reset]'
For zsh I have two files that make up my prompt:
I recently came across solarized. I started to use it immediately for vim and mutt, but after a few days the low contrast of the color scheme started to annoy me. Oh and btw, I’m red/green color blind.
I went searching and found “xoria256” a color scheme suited for 256 color
terminal and a dark background. There is even a Ubuntu/Debian package
for it: vim-scripts. Unlike solarized it doesn’t come with a custom palette, just
use Tango in gnome-terminal (or whatever your favorite is).
Cacert might as well close its doors too. SSL certs are dead. Long live #dane
Wed Aug 31 07:05:29 +0000 2011
What!? Was DigiNotar cracked by the DataCrime virus? #1989 #datwarennogeenstijden
Wed Aug 31 07:08:52 +0000 2011
Replying to @hj8rs
even the ietf cannot handle ssl it seems. #fail #ssl #ietf
Wed Aug 31 07:18:40 +0000 2011
RT @DEVOPS_BORAT: If forget root password, not need of boot in single user mode. Is sufficient of install Joomla and get root access imm ...
Thanks to a patch from Thomas Kappler I can now offer two types of PDFs, one for A4 pages and one for E-readers, like the kindle.
The E-reader variant is suffixed with -kindle:
In VIM you can use the command J to join two lines:
hello -> J -> hello goodday
goodday
Where the cursor is positioned somewhere on the ‘hello’ line.
But I often find myself wanting to use the opposite, I want ‘hello’ to be put after ‘goodday’. The cursor is now positioned on the ‘goodday’ line.
hello
goodday -> K -> goodday hello
The following mapping does that:
After several years I decided to use a different color scheme for VIM.
Also I’m going to force myself to use VIM’s folding abilities and use
make from within VIM.
For good measure I also want to use Omni-completion when writing Go code:
Btw, this screenshot also shows the solarized (dark) colorscheme.
Google for solarized. In my .vimrc:
let g:solarized_termcolors=256
colorscheme solarized
Use :make inside the editor and jump through the errors with:
I added a shiny project page for the “Learning Go” book I’m writing.
Errata, new releases and other stuff will get a place there.
For good measure I even added a “Donate” button - we’ll see how that plays out.
Online signing is cool, but slow. Caching queries in a reverse proxy is nice, but useless for something like NSD. But what if you want to do online signing in a fast way?
Enter: proxy chaining.
I already showed FunkenSign (example code is quite old though) and yesterday FunkenShield.
What if you combine the two? That gives the best of both worlds:
So let’s get some figures again.
Have a slow nameserver and want to spice things up? How about a reverse DNS proxy? For lack of a cool name I chose the name FunkenShield. It’s (of course) in the early stages, but it works quite nicely already.
This is done with the framework of FunkenSturm. Which is part of GoDNS.
You place FunkenShield in front of your nameserver and it will cache the binary packets coming from your server in a local cache.
From 3000 to 27000+ qps http://www.miek.nl/blog/archives/2011/07/31/reverse_dns_proxy/index.html #Golang #DNS #ReverseProxy
Sun Jul 31 14:21:41 +0000 2011
Replying to @bketelsen
not sure what you mean...godns implements dns. So everything you can do with the dns you can access via godns (if implemented)
Sun Jul 31 14:56:40 +0000 2011
Replying to @bketelsen
that’s easy. But how do you take into account client caching? You can also use bind and dynamic updates.
[Personal note to self:]
I’m assuming LDAP and Kerberos are completely set up, configured and working. You
get your TGT after a kinit, etc.
And then you want to utilize Kerberos to password-less login using ssh.
I have a client machine foton.atoom.net, from this machine you want to login
to the server.
The server is elektron.atoom.net.
On the client the command, hostname -f should return the fqdn of your host, in
my case:
Very well written email message from Geoff Teale on the golang mailing list on programmers and programming languages (thread).
To summarise a long presentation I gave to non-programmers:
- There are 12 million programmers in the world
- The majority of those programmers are scarcely qualified
- Most technology decisions are made by a combination of following the crowd and a false understanding of risk.
- The high cost and failure rate in software development is no coincidence.
Remember the Stevie Wonder rule - “When you believe in something you don’t understand then you suffer”. In this case that means “Perhaps making programming language decisions based on what 12 million powerless idiots are doing isn’t the golden road to glory and great hacks.”
I’m finally back to coding Go DNS and making it work with the latest Go releases. Also the API has changed quite significantly since the last time I blogged about it.
So here I will detail key2ds, which is a small utility that queries a zone and prints any DNSKEY records as DS records on the fly, to show the new API and some sample usage.
% ./key2ds sidn.nl
sidn.nl. 0 IN DS 42033 8 1 343F74674D36C9B5BE2CEB2C401AC4EDEB2A05B2
sidn.nl. 0 IN DS 42033 8 2 BF985EC0738FACC89EE0B12FBD9261827C59191D9EA6A9BDFF55F9BDF3DBBFF3
sidn.nl. 0 IN DS 39274 8 1 E79E031DFDE8E68EF1E2C6CA0943C2CC0DED1889
sidn.nl. 0 IN DS 39274 8 2 8E8A8CFB40FD0C30BFA82E53752E1C257DAFB7B6206D12B9EDA43AF3EAB2157D
This util uses synchronous queries. I will explain the main-function:
RT @danielaukes: May I say that I find that GMO-free-municipality drivel in Nijmegen utter nonsense?
Thu Jun 30 07:15:33 +0000 2011
For those wanting/asking: I can not send out google+ invites
Thu Jun 30 08:05:45 +0000 2011
Learning Go (http://miek.nl/files/go/) is book of the week at root.cz: http://www.root.cz/knihy/learning-go/ #nice :-)
Thu Jun 30 08:17:58 +0000 2011
Replying to @Emiel2punt0
Thank you
Thu Jun 30 08:23:36 +0000 2011
Replying to @hj8rs
ah, let me give it a try