I added a shiny project page for the “Learning Go” book I’m writing.

Errata, new releases and other stuff will get a place there.

For good measure I even added a “Donate” button - we’ll see how to that plays out.

Online signing is cool, but slow. Caching queries in a reverse proxy is nice, but useless for something like NSD. But what if you want to do online signing in a fast way?

Enter: proxy chaining.

I already showed FunkenSign (example code is quite old though) and yesterday FunkenShield.

What if you combine the two? That gives the best of both worlds:

• Online signing;
• Caching;
• And it adheres to the true Unix philosophy: do one thing, and do one thing well.

So lets get some figures again.

Have a slow nameserver and want to spice things up? How about a reverse DNS proxy? For lack of a cool name I chose the name FunkenShield. It’s (of course) in the early stages, but it works quite nicely already.

This is done with the framework of FunkenSturm. Which is part of GoDNS.

How it works:

You place FunkenShield in front of your nameserver and it will cache the binary packets coming from your server in a local cache.

From 3000 to 27000+ qps http://www.miek.nl/blog/archives/2011/07/31/reverse_dns_proxy/index.html #Golang #DNS #ReverseProxy

Sun Jul 31 14:21:41 +0000 2011

Replying to @bketelsen

not sure what you mean...godns implements dns. So everything you can do with the dns you can access via godns \(if implemented\)

Sun Jul 31 14:56:40 +0000 2011

Replying to @bketelsen

that’s easy. But how do you take into account client caching? You can also use bind and dynamic updates.

Sun Jul 31 15:07:32 +0000 2011

[Personal note to self:]

I’m assuming LDAP en Kerberos completely setup and configured and working. You get your TGT after a kinit, etc. And then you want to utilize Kerberos to password-less login using ssh.

I have a client machine foton.atoom.net, from this machine you want to login to the server. The server is elektron.atoom.net.

On the client the command, hostname -f should return the fqdn of your host, in my case:

Very well written email message from Geoff Teale on the golang mailing list on programmers and progamming languages (thread).

To summarise a long presentation I gave to non-programmers:

• There are 12 million programmers in the world
• The majority of those programmers are scarcely qualified
• Most technology decisions are made by a combination of following the crowd and a false understanding of risk.
• The high cost and failure rate in software development is no coincidence.

Remember the Stevie Wonder rule - “When you believe in something you don’t understand then you suffer”. In this case that means “Perhaps making programming language decisions based on what 12 million powerless idiots are doing isn’t the golden road to glory and great hacks.”

I’m finally back to coding Go DNS and making it work with the latest Go releases. Also the API has changed quite significantly since the last time I blogged about it.

So this I will detail key2ds which is small utility that queries a zone and print any DNSKEY records as DS records on the fly, to show the new API and some sample usage.

% ./key2ds sidn.nl
sidn.nl.    0   IN  DS  42033 8 1 343F74674D36C9B5BE2CEB2C401AC4EDEB2A05B2
sidn.nl.    0   IN  DS  42033 8 2 BF985EC0738FACC89EE0B12FBD9261827C59191D9EA6A9BDFF55F9BDF3DBBFF3
sidn.nl.    0   IN  DS  39274 8 1 E79E031DFDE8E68EF1E2C6CA0943C2CC0DED1889
sidn.nl.    0   IN  DS  39274 8 2 8E8A8CFB40FD0C30BFA82E53752E1C257DAFB7B6206D12B9EDA43AF3EAB2157D

This util uses synchronous queries. I will explain the main-function:

RT @danielaukes: Mag ik zeggen dat ik dat gentechvrijegemeente geneuzel in nijmegen grote onzin vind?

Thu Jun 30 07:15:33 +0000 2011

For those wanting/asking: I can not send out google+ invites

Thu Jun 30 08:05:45 +0000 2011

Learning Go \(http://miek\.nl/files/go/\) is book of the week at root.cz: http://www.root.cz/knihy/learning-go/ #nice :-)

Thu Jun 30 08:17:58 +0000 2011

Replying to @Emiel2punt0

Dank je

Thu Jun 30 08:23:36 +0000 2011

Replying to @hj8rs

ah, ff proberen

@PowerDNS_Bert Thank you for: http://powerdnssec.org/downloads/packages/ !

Tue May 31 07:09:39 +0000 2011

Useless renaming of variables: CUR="${PWD}" #actual #code #bash

Tue May 31 10:35:17 +0000 2011

svn should support the -a flag \(as a noop\)

Tue May 31 12:23:04 +0000 2011

Whenever I see a screenshot of Ubuntu 10.10 I can’t help to think: Remember those go’old days?

Tue May 31 12:51:11 +0000 2011

Replying to @sspans

Dat moet helemaal een mooie tijd zijn geweest!

The problem: you want to keep a historical reference of zone changes. This little script helps you do that, it:

1. AXFRs the zone you want;
2. Cleans the zone a bit, sorts it and feeds it through named-compilezone to make it look “nice”;
3. Puts it in a git repository;
4. Checks it in with a date tag (date -u '+%Y-%m-%d_%H%M%S').

You do need to define the directory where the git repository is located in the script ($gitdir).

Lovely time in Rome. Tomorrow back to NL

Sat Apr 30 10:38:46 +0000 2011

• Zeitgeist integration;
• Focus follows mouse working. As in ‘alt-tab’ obeys this too. See bug 597190;
• Easier workspace switching;
• Themes;
• Much smaller window titlebars;
• An easier way to find your windows, maybe a windowlist in the panel.

It’s called a resize grip, you can’t disable it (seems to be a common theme nowadays…) and it sucks.

Stay the FUCK out of my windows with this crap!

I’m (again) rewriting the API of godns. I’ve now taking a cue from the http package in Go, the result seems very nice. A reflector (returns your query in the answer) in Go becomes:

package main

import (
        "dns"
        "log"
)

func ReflectServer(w dns.ResponseWriter, req *dns.Msg) {
        m := new(dns.Msg)
        m.SetReply(req)

        m.Extra = make([]dns.RR, 1)
        m.Extra[0] = &dns.RR_TXT{Hdr: dns.RR_Header{Name: m.Question[0].Name, Rrtype: dns.TypeTXT, 
                Class: dns.ClassINET, Ttl: 0}, Txt: "Hello world"}
        buf, _ := m.Pack()
        w.Write(buf)
}

func main() {
        dns.HandleFunc(".", ReflectServer)
        err := dns.ListenAndServe(":8053", "udp", nil)
        if err != nil {
                log.Fatal("ListenAndServe: ", err.String())
        }
}

@ErikHensema Da’s allang niet meer waar, 1225 is het nwe minimum, maar 4k zou ook nog goed moeten gaan

Wed Mar 30 08:43:15 +0000 2011

http://webwereld.nl/achtergrond/106189/oude-netwerken-zien-dnssec-als-aanval.html #dnssec #dutch

Wed Mar 30 10:16:31 +0000 2011

Replying to @reseauxsansfil

zul je net zien :-)

Wed Mar 30 10:49:34 +0000 2011

Replying to @jeroenbulten

jep. Als het optreedt ben je er wel ff zoet mee om uit te zoeken wat er nu precies mis is...

I’ve tagged a new version of “Learning Go”, version 0.3. It’s more of a snapshot of the current development, than an actual “release” release.

There are lots of fixes, code updates and tweaks. Numerous people send in fixes. Thank you all for the contributions!

Get it:

• PDF download;
• Latest daily build.

Feedback is welcome.

To see the development version you can use:

• Gitweb repository;
• Daily builds.

Major stuff coming in 0.4:

Replying to @geertjanweijman

jep, hadden wel lichtjes bij ons, dus dat scheelde weer een bekeuring.

Mon Feb 28 10:32:48 +0000 2011

Just stepped in the time machine: reading about NSEC2 and DNSNR

Mon Feb 28 12:54:15 +0000 2011

This Internet-Draft will self destruct on November 30, 2004. #way #cooler

Mon Feb 28 12:55:07 +0000 2011

Released “Learning Go” version 0.3, http://www.miek.nl/s/59fd0dbd79/ #Golang

Mon Feb 28 20:16:58 +0000 2011

I need hardlink support in sftp and the newest ssh version provides this. But there are no packages for Ubuntu 10.10. Therefor I backported OpenSSH from Ubuntu 11.04 to 10.10. Here you can find these packages:

64 bit

• openssh-client_5.7p1-1ubuntu1_amd64.deb
• openssh-server_5.7p1-1ubuntu1_amd64.deb
• ssh-askpass-gnome_5.7p1-1ubuntu1_amd64.deb
• sshfs_2.2-1build1_amd64.deb

32 bit

• openssh-client_5.7p1-1ubuntu1_i386.deb
• openssh-server_5.7p1-1ubuntu1_i386.deb
• ssh-askpass-gnome_5.7p1-1ubuntu1_i386.deb
• sshfs_2.2-1build1_i386.deb

all

• ssh_5.7p1-1ubuntu1_all.deb
• ssh-krb5_5.7p1-1ubuntu1_all.deb

The minimum upgrade consists of installing openssh-client and openssh-server.

OpenSSH 5.7 adds hardlink support to the sftp protocol:

sftp(1)/sftp-server(8): add a protocol extension to support a hard link operation. It is available through the “ln” command in the client. The old “ln” behaviour of creating a symlink is available using its “-s” option or through the preexisting “symlink” command

This is awesome as I can use that to make rdup work (better) with sshfs.

I’ve created a patch to add hardlink support to sshfs. See below. I also created packages for ubuntu:

^[1]Homebrew signer/key management
^[2]OpenDNSSEC
^[3]OpenDNSSEC + BIND
^[4]Not deployed DNSSEC yet
^[5]WTF?

Good quote from @npua:

@miekg Extrapolation: If you don't hit an operational snag, 
DNSSEC will get you.

func match(m *dns.Msg, d int) (*dns.Msg, bool) {
        // Matching criteria
        switch d { 
        case IN: 
                // nothing
        case OUT:
                // nothing
        }   
        // Packet Mangling
        switch d { 
        case IN: 
                // nothing
        case OUT:
                if m.Question[0].Name == "www.example.org." {
                        // On the way out sign the packet
                        m = sign(m) // keys are global
                }   
        }   
        return m, true
}

// the only matching we do is on the RD bit
// for incoming packets.
func match(m *dns.Msg, d int) (*dns.Msg, bool) {
        // Matching criteria
        var ok bool
        switch d {
        case IN:
                // only delay pkts with RD bit 
                ok = m.MsgHdr.RecursionDesired == true
        case OUT:
                // nothing
        }

        // Packet Mangling
        switch d {
        case IN:
                // nothing
        case OUT:
                // nothing
        }
        return m, ok
}

func match(m *dns.Msg, d int) (*dns.Msg, bool)