Go DNS (update)

miek
#golang  @programming 

I’m finally back to coding Go DNS and making it work with the latest Go releases. Also the API has changed quite significantly since the last time I blogged about it.

So this I will detail key2ds which is small utility that queries a zone and print any DNSKEY records as DS records on the fly, to show the new API and some sample usage.

% ./key2ds sidn.nl
sidn.nl.    0   IN  DS  42033 8 1 343F74674D36C9B5BE2CEB2C401AC4EDEB2A05B2
sidn.nl.    0   IN  DS  42033 8 2 BF985EC0738FACC89EE0B12FBD9261827C59191D9EA6A9BDFF55F9BDF3DBBFF3
sidn.nl.    0   IN  DS  39274 8 1 E79E031DFDE8E68EF1E2C6CA0943C2CC0DED1889
sidn.nl.    0   IN  DS  39274 8 2 8E8A8CFB40FD0C30BFA82E53752E1C257DAFB7B6206D12B9EDA43AF3EAB2157D

This util uses synchronous queries. I will explain the main-function:

Read more →

Tweets of June 30 2011

miek
#twitter  @twitter 

RT @danielaukes: Mag ik zeggen dat ik dat gentechvrijegemeente geneuzel in nijmegen grote onzin vind?

Thu Jun 30 07:15:33 +0000 2011

For those wanting/asking: I can not send out google+ invites

Thu Jun 30 08:05:45 +0000 2011

Learning Go \(http://miek\.nl/files/go/\) is book of the week at root.cz: http://www.root.cz/knihy/learning-go/ #nice :-)

Thu Jun 30 08:17:58 +0000 2011

Replying to @Emiel2punt0

Dank je

Thu Jun 30 08:23:36 +0000 2011

Replying to @hj8rs

ah, ff proberen

Read more →

Tweets of May 31 2011

miek
#twitter  @twitter 

@PowerDNS_Bert Thank you for: http://powerdnssec.org/downloads/packages/ !

Tue May 31 07:09:39 +0000 2011

Useless renaming of variables: CUR="${PWD}" #actual #code #bash

Tue May 31 10:35:17 +0000 2011

svn should support the -a flag \(as a noop\)

Tue May 31 12:23:04 +0000 2011

Whenever I see a screenshot of Ubuntu 10.10 I can’t help to think: Remember those go’old days?

Tue May 31 12:51:11 +0000 2011

Replying to @sspans

Dat moet helemaal een mooie tijd zijn geweest!

Read more →

Axfr to Git

miek
#  @dns 

The problem: you want to keep a historical reference of zone changes. This little script helps you do that, it:

  1. AXFRs the zone you want;
  2. Cleans the zone a bit, sorts it and feeds it through named-compilezone to make it look “nice”;
  3. Puts it in a git repository;
  4. Checks it in with a date tag (date -u '+%Y-%m-%d_%H%M%S').

You do need to define the directory where the git repository is located in the script ($gitdir).

Read more →

GNOME 3.2 Wishlist

miek
#  @linux 
  • Zeitgeist integration;
  • Focus follows mouse working. As in ‘alt-tab’ obeys this too. See bug 597190;
  • Easier workspace switching;
  • Themes;
  • Much smaller window titlebars;
  • An easier way to find your windows, maybe a windowlist in the panel.
Read more →

Stay out of my windows

miek
#  @linux 

It’s called a resize grip, you can’t disable it (seems to be a common theme nowadays…) and it sucks.

Stay the FUCK out of my windows with this crap!

Read more →

DNS reflector server in GO

miek
#golang  @programming 

I’m (again) rewriting the API of godns. I’ve now taking a cue from the http package in Go, the result seems very nice. A reflector (returns your query in the answer) in Go becomes:

package main

import (
        "dns"
        "log"
)

func ReflectServer(w dns.ResponseWriter, req *dns.Msg) {
        m := new(dns.Msg)
        m.SetReply(req)

        m.Extra = make([]dns.RR, 1)
        m.Extra[0] = &dns.RR_TXT{Hdr: dns.RR_Header{Name: m.Question[0].Name, Rrtype: dns.TypeTXT, 
                Class: dns.ClassINET, Ttl: 0}, Txt: "Hello world"}
        buf, _ := m.Pack()
        w.Write(buf)
}

func main() {
        dns.HandleFunc(".", ReflectServer)
        err := dns.ListenAndServe(":8053", "udp", nil)
        if err != nil {
                log.Fatal("ListenAndServe: ", err.String())
        }
}
Read more →

Tweets of March 30 2011

miek
#twitter  @twitter 

@ErikHensema Da’s allang niet meer waar, 1225 is het nwe minimum, maar 4k zou ook nog goed moeten gaan

Wed Mar 30 08:43:15 +0000 2011

http://webwereld.nl/achtergrond/106189/oude-netwerken-zien-dnssec-als-aanval.html #dnssec #dutch

Wed Mar 30 10:16:31 +0000 2011

Replying to @reseauxsansfil

zul je net zien :-)

Wed Mar 30 10:49:34 +0000 2011

Replying to @jeroenbulten

jep. Als het optreedt ben je er wel ff zoet mee om uit te zoeken wat er nu precies mis is...

Read more →

Learning Go - version 0.3

miek
#golang  @programming 

I’ve tagged a new version of “Learning Go”, version 0.3. It’s more of a snapshot of the current development, than an actual “release” release.

There are lots of fixes, code updates and tweaks. Numerous people send in fixes. Thank you all for the contributions!

Get it:

Feedback is welcome.

To see the development version you can use:

Major stuff coming in 0.4:

Read more →

Tweets of February 28 2011

miek
#twitter  @twitter 

Replying to @geertjanweijman

jep, hadden wel lichtjes bij ons, dus dat scheelde weer een bekeuring.

Mon Feb 28 10:32:48 +0000 2011

Just stepped in the time machine: reading about NSEC2 and DNSNR

Mon Feb 28 12:54:15 +0000 2011

This Internet-Draft will self destruct on November 30, 2004. #way #cooler

Mon Feb 28 12:55:07 +0000 2011

Released “Learning Go” version 0.3, http://www.miek.nl/s/59fd0dbd79/ #Golang

Mon Feb 28 20:16:58 +0000 2011

Read more →

OpenSSH 5.7 for Ubuntu 10.10

miek
#  @linux 

I need hardlink support in sftp and the newest ssh version provides this. But there are no packages for Ubuntu 10.10. Therefor I backported OpenSSH from Ubuntu 11.04 to 10.10. Here you can find these packages:

64 bit

32 bit

all

The minimum upgrade consists of installing openssh-client and openssh-server.

Read more →

Hardlink support in sshfs

miek
#  @linux 

OpenSSH 5.7 adds hardlink support to the sftp protocol:

sftp(1)/sftp-server(8): add a protocol extension to support a hard link operation. It is available through the “ln” command in the client. The old “ln” behaviour of creating a symlink is available using its “-s” option or through the preexisting “symlink” command

This is awesome as I can use that to make rdup work (better) with sshfs.

I’ve created a patch to add hardlink support to sshfs. See below. I also created packages for ubuntu:

Read more →

DNS and some ccTLDs

miek
#  @dns 
.be [1] .de [1][4] .nl [2] .uk [2] .se [2] .fr [3]
DNSSEC 2010-10-07:
Expired signatures.
Notice. 		Soon? Soon? 2010-09-13:
Signing failure due to failover.
Notice. 		Soon? 2011-02-12:
Invalid signature on NSEC3 disproofing DS.5
Notice. BIND Bug.
DNS Soon? 2010-05-12:
Partial zone published.
Notice. 		2008-05-28:
Partial zone published: missing glue.
Notice (Google Translate). 		Soon? 2009-10-13:
Corrupt zone published: .se appended twice.
Notice. 		Soon?

[1]Homebrew signer/key management
[2]OpenDNSSEC
[3]OpenDNSSEC + BIND
[4]Not deployed DNSSEC yet
[5]WTF?

Good quote from @npua:

@miekg Extrapolation: If you don't hit an operational snag, 
DNSSEC will get you.

Tweets of January 31 2011

miek
#twitter  @twitter 

Replying to @PowerDNS_Bert

overwhelm the resolver with nsec3s and then \(quote Duke Nukem\): “Let God sort them out.”

Mon Jan 31 08:56:47 +0000 2011

The 3 in NSEC3 represents the number of people that actually understand all the corner cases. #dnssec #nsec3

Mon Jan 31 09:00:45 +0000 2011

RT @bdekruijff: Can anyone at #samsung please fire the guy who concieved #kies!? What a worthless piece of crapware..

Mon Jan 31 20:29:21 +0000 2011

Funkensign

miek
#golang  @programming 

How about on-the-fly signing? In this example we add a signature to any packet dealing with www.example.org. Again it is a matter of defining the matching, action and setup functions.

Matching

We don’t have to match anything coming in, we only need to sign pkts on their way out. So the function becomes:

func match(m *dns.Msg, d int) (*dns.Msg, bool) {
        // Matching criteria
        switch d { 
        case IN: 
                // nothing
        case OUT:
                // nothing
        }   
        // Packet Mangling
        switch d { 
        case IN: 
                // nothing
        case OUT:
                if m.Question[0].Name == "www.example.org." {
                        // On the way out sign the packet
                        m = sign(m) // keys are global
                }   
        }   
        return m, true
}

As you can see, it calls the sign() function where the actual signing takes place. We just sign the first RR in the answer section — if there is one.

Funkensturm: delaying proxy example

miek
#golang  @programming 

Another application for Funkensturm is: delaying packets. Here we only delay packets with the recursion desired bit (RD) set, but it can be easily be changed to check for other properties of a packet, see godoc dns for all elements of DNS packets.

The configuration is similar as described here.

Matching pkts with RD bit set

The matching function becomes:

// the only matching we do is on the RD bit
// for incoming packets.
func match(m *dns.Msg, d int) (*dns.Msg, bool) {
        // Matching criteria
        var ok bool
        switch d {
        case IN:
                // only delay pkts with RD bit 
                ok = m.MsgHdr.RecursionDesired == true
        case OUT:
                // nothing
        }

        // Packet Mangling
        switch d {
        case IN:
                // nothing
        case OUT:
                // nothing
        }
        return m, ok
}

Action function

First a delay helper function. As shown here it returns true if the delay time isn’t reached, and false if a something should be delayed.

Funkensturm: transparent proxy example

miek
#golang  @programming 

A transparent proxy is a proxy that does nothing, but it serves as a nice introduction into Funkensturm.

See this post for an architectural overview of Funkensturm.

Currently a configuration is compiled into the Funkensturm binary. As such it must look like a normal Go program.

Matching function

The matching function checks a packet for features and can optionally modify it.

This is the prototype of a matching function:

func match(m *dns.Msg, d int) (*dns.Msg, bool)

It receives a *dns.Msg which is a packet in Go DNS and a direction d which can be IN (first incoming packet) or OUT when the packet is on its way back to the client. It returns a DNS packet and a boolean value signaling a match.

Funkensturm: a versatile DNS proxy

miek
#golang  @programming 

What’s a DNS proxy?

A proxy is something this sits between a client and a server and does something with the data flowing through it. So a DNS proxy does this for DNS packets.

How does Funkensturm work?

Funkensturm consists out of 3 configuration parts:

  1. A setup function for the initial setup.
  2. Match/Modify function(s) — This function checks the packet for configured properties. If there is match true is returned.
  3. Action function(s) — Taking the truth value from 2. (and the packet) as input, it does something with it.

With this setup you can change incoming packets before they are send through to the server. And you can change packet coming from the server that are send back to the client.

Bash Hate, Zsh Love

miek
#  @linux 

…Or why shell scripting is not really programming. Two scripts, one called bash-hate:

#!/bin/bash
count=0
cat /dev/null -  | while read line; do
    ((count++))
done
echo $count

and the other one zsh-love:

#!/bin/zsh
count=0
cat /dev/null -  | while read line; do
    ((count++))
done
echo $count

Then:

% cat testfile | ./bash-hate
0

% cat testfile | ./zsh-love
9

(Yes, I know about subshells. Just learn a real programming language.)

DNSSEC validation in Go for fun and profit

miek
#golang  @programming 

Doing cryptography is hard, luckily there are enough libraries out there that help you with it. OpenSSL is probably one of the best (known). Go has its own crypto library, which is written in pure Go.

Now with these aids crypto becomes doable for mere mortals, but all these libraries work with buffers which hold the data, the signature and sometimes the key also. Off-by-one errors in composing these buffers leads to a “Bogus signature” error (in DNSSEC). The problem here is that you don’t get any other clue on what went wrong. For me as a programmer an error such as “Shift buffer A one byte to the left and you’re OK”, would be much better. But due to the nature of crypto these kind of errors are not possible, nor desirable.

Go DNS and AXFR

miek
#golang  @programming 

I’ve implemented axfr in my Go DNS library in nice and Go-like way (at least that’s what I like to think). Starting an axfr results in a channel which can then be used with the range keyword to loop over it, until the entire axfr is received.

Using it

First the normal begin of a Go program:

package main
import (
    "fmt"
    "dns"           // DNS package
)

Then we start the main function in which we define a new resolver and a channel for receiving the axfr messages. The channels will send dns.xfr messages which is defined as:

Tweets of December 31 2010

miek
#twitter  @twitter 

Lekker dat schuifelen over de ijzel

Fri Dec 31 09:33:13 +0000 2010

@WebAudience die was makkelijk! #nsa maar wel leuk

Fri Dec 31 09:37:28 +0000 2010

RT @jeroenbulten: Yes. De validating resolver doet het. http://twitpic.com/3ljnmz

Fri Dec 31 11:55:42 +0000 2010

So I can pack/unpack uint8/16/32, string, hex, etc. Looking at TSIG RFC: time_signed: uint48, 48! *GRRRR* #godns

Fri Dec 31 15:14:38 +0000 2010

Staan hier 2 jongetjes vuurwerk af te steken en het wordt meteen al mistiger. Beloofd wat voor vanavond.

(Re)announcing GoDNS

miek
#golang  @programming 

[ post updated to reflect changes in the library ]

This library takes a new, innovative and enterprise ready approach sends and receives queries to and from the DNS.

The library was forked from the official DNS code in Go (in the net package). Since that time Go team has thrown out this code and started to use the system’s C library via a wrapper. I was however struck by the elegance of the code (esp. the pack and unpack functions), so I forked it and added new record types (AAAA, DS, RRSIG, etc.) and turned into a more general DNS API.