Persistent Synaptic Touchpad settings in Ubuntu 12.10+

I was wondering how to make my touchpad settings permanent in Ubuntu. I could find a few pointers on the net, like:
    http://tombuntu.com/index.php/2011/11/06/persistent-touchpad-configuration-in-ubuntu-11-10/
    http://ubuntuforums.org/archive/index.php/t-1538147.html
But sometimes it makes sense to look at your own system’s documentation:
    % cd /usr/share/X11/xorg.conf.d
    % head 50-synaptics.conf
    # Example xorg.conf.d snippet that assigns the touchpad driver
    # to all touchpads. See xorg.conf.d(5) for more information on
    # InputClass.
    # DO NOT EDIT THIS FILE, your distribution will likely overwrite
    # it when updating.

Printing MX records with Go DNS, take 3

I’m starting to get really happy about the Go DNS API, so invasive API changes are less and less likely. We want to create a little program that prints out the MX records of domains, like so:
    % mx miek.nl
    miek.nl. 86400 IN MX 10 elektron.atoom.net.
Or
    % mx microsoft.com
    microsoft.com. 3600 IN MX 10 mail.messaging.microsoft.com.
We are using my Go DNS package. First the normal header of a Go program, with a bunch of imports.

NSEC3

NSEC3 - A shadowy flight into the dangerous world of a record who does not exist. Denial of Existence, a young loner on a crusade to champion the cause of the innocent, the helpless, the non-existent, in a world of records who operate above the law.

.NL DNSSEC error on 28th of October 2012

This is an official announcement from SIDN also published here.
Summary
In the course of Sunday 28 October, an error occurred during the publication of a new ZSK (with key tag 20331). Because of the error, the new ZSK was not published in the DNS when it should have been. However, the software used by SIDN (OpenDNSSEC) continued to work on the basis that the ZSK had been published successfully.

Updated DNS syntax file for VIM

When editing zone files with vim I always get annoyed by the fact that the syntax highlighting did not understand newer types ‘n stuff. I never did anything about it until now. Download this vim syntax file and drop it in ~/.vim/syntax. It adds newer (DNSSEC) types and base64 highlighting. Base64 only works when there are no embedded spaces (patch welcome to fix that btw!)

Munin port traffic plugin

I wanted to look at the increase in ntp traffic now that I’ve joined the pool.ntp.org ranks. Unfortunately munin didn’t have a watch-port-x-and-draw-something-plugin. So I wrote my own based upon the ip_ plugin. The plugin monitors both v6, v4, tcp and udp and plots them together, as send and received. Just symlink the port number to the plugin:
    ip_port_123 -> ip_port_
For it to work, you do need some iptables rules, so yes, this plugin only works in Linux.

ath9k under Linux

For some reason I was experiencing wifi disconnects with the ath9k wifi driver under Linux (Ubuntu 12.04). After reading numerous blogs and bug reports (disable ipv6, use hwcrypto=0, etc.), I suspected it was the power management that was somehow disabling the driver, in turn leading to a disconnect. This will probably be fixed in newer kernels (Ubuntu 12.04 ships 3.2.x). For now I took a shortcut and disabled the power management on the wlan0 interface.

Lord of the DNSSEC

“One Key to rule them all, one Key to find them, one Key to bring them all and in the Resolver bind them." Modified from Lord of the Rings. Yes, this quote is mine. And I think this Internet Protocol Journal has its first use.

Why not ZIP the damn thing

See this code in github, where I’ve implemented zipping DNS messages. A modified q prints the compression rate at the first line. It only shows how much compression you would get when you compress the answer. For compression we use DEFLATE as described in RFC 1951. A typical example:
    q @open.nlnetlabs.nl MX miek.nl
    ;; Uncompressed/Compressed 253/142 (1.781690)
    ;; bla bla bla bla
That’s not bad a compression factor of almost 1.

DNSSEC message checking

When using dig to debug DNS/DNSSEC errors, you (I have the need, I’m assuming you have it too) often want to know: Are the signatures in the message correct? Does the NSEC3 authenticated denial of existence proof look OK? (this is a work-in-progress) With dig this is next to impossible, because we humans can not validate RSA signatures, nor hash names for NSEC3 validation. This is why I added a little feature to q, the query-tool found in godns.

NSEC3 white paper v2

(This is an English translation of this blog article over at sidnlabs.nl) After the publication of the SIDN NSEC3 white paper we received feedback from a number of people. The most constructive feedback was from Karst Koymans of the University of Amsterdam. This, together with the other feedback has led to a version 2 of the white paper. This version has the following differences with respect to version 1: A number of corrections; The NSEC3 example now returns three NSEC3 records instead of two; Two figures are added; Empty non-terminals are explained (a little).

NSEC4

(This is an English translation of this Dutch blog article) By writing the NSEC3 whitepaper, we gained a lot of insight into how “authenticated denial of existence” works. But some new questions popped up: Is NSEC3 the most efficient way to do (hashed) authenticated denial of existence? Are there ways to optimize the NSEC3 record that asserts or denies the wildcard? Can’t we use Opt-Out for unhashed names too? Answering these questions led to the birth of NSEC4, which is documented in this internet draft.

Convert vim colors to gvim colors

I’ve tweaked my vim color scheme quite a bit and tried to keep the colors of gvim (which I use less often) in sync. This keeping in sync hasn’t worked out, so I wrote this little script to convert the vim colors to the gvim ones: Download the makegvim script, and use it like:
    $ ./makegvim < ~/.vim/colors/<yourfile> > /tmp/x
    $ mv /tmp/x ~/.vim/colors/<yourfile>
And now the colors of gvim should be identical to those of vim.

Cherry-picking remote branches

I’ve created a little tool (actually an XSLT file) that helps to write RFCs. Browsing my github repo I found two different forks. And browsing those forks, I saw some commits I wanted to have. But how do you merge a commit from a forked git repository? Turns out it is not that difficult. The commit I want has the hash 5a11e88ddbef4ce7513aae93bdcd377449f45efb. The steps: Create a remote branch:

NSEC3 Whitepaper

(This is an English translation of this blog article over at sidnlabs.nl) In theory DNSSEC isn’t really that complicated, but in practice some parts can be pretty intimidating. One such part is “Authenticated denial of existence”. In short this is communicating, with certainty, to a resolver that a name does not exist in the DNS. The DNSSEC specification uses two records (and thus actually two different methods) for this purpose:

Xoria256m color scheme

I recently came across solarized. I started to use it immediately for vim and mutt, but after a few days the low contrast of the color scheme started to annoy me. Oh and btw, I’m red/green color blind. I went searching and found “xoria256” a color scheme suited for 256 color terminal and a dark background. There is even an Ubuntu/Debian package for it: vim-scripts. Unlike solarized it doesn’t come with a custom palette, just use Tango in gnome-terminal (or whatever your favorite is).

Opposite of J

In VIM you can use the command J to join two lines:
    hello    -> J -> hello goodday
    goodday
Where the cursor is positioned somewhere on the ‘hello’ line. But I often find myself wanting to use the opposite, I want ‘hello’ to be put after ‘goodday’. The cursor is now positioned on the ‘goodday’ line.
    hello
    goodday  -> K -> goodday hello
The following mapping does that:

Project page for Learning Go

I added a shiny project page for the “Learning Go” book I’m writing. Errata, new releases and other stuff will get a place there. For good measure I even added a “Donate” button - we’ll see how that plays out.

OpenSSH and Kerberos

[Personal note to self:] I’m assuming LDAP and Kerberos are completely set up and configured and working. You get your TGT after a kinit, etc. And then you want to utilize Kerberos to password-less login using ssh. I have a client machine foton.atoom.net, from this machine you want to login to the server. The server is elektron.atoom.net. On the client, the command hostname -f should return the FQDN of your host, in my case:

Axfr to Git

The problem: you want to keep a historical reference of zone changes. This little script helps you do that, it: AXFRs the zone you want; Cleans the zone a bit, sorts it and feeds it through named-compilezone to make it look “nice”; Puts it in a git repository; Checks it in with a date tag (date -u '+%Y-%m-%d_%H%M%S'). You do need to define the directory where the git repository is located in the script ($gitdir).

GNOME 3.2 Wishlist

Zeitgeist integration; Focus follows mouse working. As in ‘alt-tab’ obeys this too. See bug 597190; Easier workspace switching; Themes; Much smaller window titlebars; An easier way to find your windows, maybe a windowlist in the panel.

Stay out of my windows

It’s called a resize grip, you can’t disable it (seems to be a common theme nowadays…) and it sucks. Stay the FUCK out of my windows with this crap!

OpenSSH 5.7 for Ubuntu 10.10

I need hardlink support in sftp and the newest ssh version provides this. But there are no packages for Ubuntu 10.10. Therefore I backported OpenSSH from Ubuntu 11.04 to 10.10. Here you can find these packages:
64 bit
    openssh-client_5.7p1-1ubuntu1_amd64.deb
    openssh-server_5.7p1-1ubuntu1_amd64.deb
    ssh-askpass-gnome_5.7p1-1ubuntu1_amd64.deb
    sshfs_2.2-1build1_amd64.deb
32 bit
    openssh-client_5.7p1-1ubuntu1_i386.deb
    openssh-server_5.7p1-1ubuntu1_i386.deb
    ssh-askpass-gnome_5.7p1-1ubuntu1_i386.deb
    sshfs_2.2-1build1_i386.deb
all
    ssh_5.7p1-1ubuntu1_all.deb
    ssh-krb5_5.7p1-1ubuntu1_all.deb
The minimum upgrade consists of installing openssh-client and openssh-server.

Hardlink support in sshfs

OpenSSH 5.7 adds hardlink support to the sftp protocol:
    sftp(1)/sftp-server(8): add a protocol extension to support a hard link operation. It is available through the “ln” command in the client. The old “ln” behaviour of creating a symlink is available using its “-s” option or through the preexisting “symlink” command
This is awesome as I can use that to make rdup work (better) with sshfs. I’ve created a patch to add hardlink support to sshfs.

DNS and some ccTLDs

DNSSEC
    .be [1]: 2010-10-07: Expired signatures. Notice.
    .de [1][4]: Soon?
    .nl [2]: Soon?
    .uk [2]: 2010-09-13: Signing failure due to failover. Notice.
    .se [2]: Soon?
    .fr [3]: 2011-02-12: Invalid signature on NSEC3 disproving DS.5 Notice. BIND Bug.
DNS
    .be [1]: Soon?
    .de [1][4]: 2010-05-12: Partial zone published. Notice.
    .nl [2]: 2008-05-28: Partial zone published: missing glue. Notice (Google Translate).
    .uk [2]: Soon?
    .se [2]: 2009-10-13: Corrupt zone published: .se appended twice. Notice.
    .fr [3]: Soon?

Bash Hate, Zsh Love

…Or why shell scripting is not really programming. Two scripts, one called bash-hate:
    #!/bin/bash
    count=0
    cat /dev/null - | while read line; do
        ((count++))
    done
    echo $count
and the other one zsh-love:
    #!/bin/zsh
    count=0
    cat /dev/null - | while read line; do
        ((count++))
    done
    echo $count
Then:
    % cat testfile | ./bash-hate
    0
    % cat testfile | ./zsh-love
    9
(Yes, I know about subshells. Just learn a real programming language.

DNSSEC enabled

And finally, after so many years miek.nl can be DNSSEC validated from the root down. Check it yourself.

A (writable) DNS filesystem

I’ve extended the DNS filesystem a bit and added the possibility to WRITE to it. This only works for zones which utilize dynamic updates. You can now mount the world and write to it! Also TSIG should be supported (but I have not tested it - as I’m lazy). For TSIG you need a file (named “dynupdate” here) with the following:
    # domain tsig-key name key
    miek.nl tsig-key awwLOTrFPge+rRKF2+DEiw==
Code is still contained in a single Perl file.

A DNS filesystem

This is the second time I’m writing this, but now it’s much better than the previous attempt. The idea is as follows, using Fuse and Perl this is an actual filesystem which maps the DNS to files and directories. You can now mount the world! :-) The following holds true for this filesystem: Uppercase named directories are zone-cuts, or; Uppercase named directories are labels; Lowercase named files are rrtypes (like txt, soa, etc.