Centroid.EU Blog
(this blog is mostly encrypted - adults only)
November 13th, 2015
Here are some validation tools that I have found:
0 comments
Purchased Reggae
November 13th, 2015
Yesterday I purchased the Faithful Riddim by various artists. I liked the
"topic of the day" song by I Octane on YouTube, which made me get this. Also
got the single "Trod on" by Devano. Too bad Devano hasn't got an album on iTunes.
0 comments
Delphinusdnsd does TLSA RR and thus DANE
November 10th, 2015
I hammered the support out this morning within 1.5 hours, probably a record
for me. But I based it off the SSHFP RR support, which has only one 8-bit
integer less in the answer, so it was fairly easy to convert.
I have asked Luke Antins if I can pay him a bit more for the TLSA support
in his dns-zone ruby gem. If he is willing to do it, I'll be able to play
with DANE as I haven't been able to sign the TLSA yet and thus that part is
not tested yet.
These are interesting days for sure.
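The SSHFP/TLSA similarity mentioned above, as an added example (not delphinusdnsd code): one routine turns zone-file text into wire RDATA for either record, and only the count of leading 8-bit fields differs. The function name `pack_rdata` and the assumption that the hex data is written without embedded spaces are mine.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>

#define SSHFP_FIELDS 2	/* algorithm, fingerprint type (RFC 4255) */
#define TLSA_FIELDS  3	/* usage, selector, matching type (RFC 6698) */

static int hexval(int c)
{
	if (c >= '0' && c <= '9')
		return c - '0';
	c = tolower(c);
	if (c >= 'a' && c <= 'f')
		return c - 'a' + 10;
	return -1;
}

/*
 * Convert "3 1 1 <hex>" (TLSA) or "1 2 <hex>" (SSHFP) to wire RDATA.
 * Returns the RDATA length, or -1 on malformed input or a short buffer.
 */
int pack_rdata(const char *text, int nfields, uint8_t *out, size_t outlen)
{
	size_t n = 0;
	char *end;
	int i, hi, lo;

	for (i = 0; i < nfields; i++) {		/* the 8-bit integers */
		unsigned long v = strtoul(text, &end, 10);
		if (end == text || v > 255 || n >= outlen)
			return -1;
		out[n++] = (uint8_t)v;
		text = end;
	}
	while (*text == ' ' || *text == '\t')
		text++;
	if (*text == '\0')
		return -1;			/* fingerprint/cert data missing */
	while (*text != '\0') {			/* two hex digits per byte */
		if ((hi = hexval((unsigned char)text[0])) < 0 ||
		    (lo = hexval((unsigned char)text[1])) < 0 || n >= outlen)
			return -1;
		out[n++] = (uint8_t)(hi << 4 | lo);
		text += 2;
	}
	return (int)n;
}
```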
0 comments
Happy Anniversary Delphinusdnsd!
November 8th, 2015
Even though I checked in the sources on November 29th, 2005 I must have been
writing on Delphinusdnsd before that, so November is anniversary month!
Guess what, this daemon of mine is 10 years old! It does DNSSEC now too!
So in my experience it takes a part-timer 10 man-years to reach DNSSEC. And
I had a lot of spare time when I wasn't programming on this server. I have
received lots of support mainly out of eastern Europe for this server. I
don't quite know why that is, but thanks to you for using my server, and for
inquiring about it and a big thanks to those that sent patches. Thanks also
goes to #unixhelp for hearing my worries, visions and dreams about this DNS
server. Thanks for putting up with me! The first non-beta version of this
server will likely be released around New Year's 2016. I'm just doing tests
right now with swshell.de, comparing it to BIND and keeping an eye out for
faults. So what is next with this server? I plan on doing DANE support
for it but then I think I'm gonna focus on bug fixing, dunno. There is
always room for some newbie to come along to write on this. An easy task
would be HINFO support. Cheers!
0 comments
swshell.de is DNSSEC enabled now
November 8th, 2015
Since yesterday swshell.de is DNSSEC enabled. I finished the zone signing
utility for delphinusdnsd which is called dd-convert.rb. That utility leans
on BIND tools. One day perhaps I'll make my own. I have checked with the
DNSSEC debugger and everything seems to be in the green, but I have to figure
out what I did
first to do so and play a little with tools. Also delphinusdnsd would need
a good debugging now so that it gives quality answers.
0 comments
Donated to OpenBSDFoundation
November 4th, 2015
I have given the OpenBSD Foundation 41.81 EUR which was in my PayPal account.
I usually donate directly to deraadt but I wanted to get rid of the money I had
in my PayPal account so it goes to the foundation this time.
0 comments
pledge(2) Don't do this!
October 31st, 2015
pledge(2) in OpenBSD is a whitelist of system calls that a programmer pledges
/ promises his program will conform to. If the program breaks that promise, the
kernel will kill it. If you look at this from an attacker's perspective, you'll
have to restrict bytecode, or whatever your edge is, to the pledged spectrum of
syscalls. I'll give you another example. If you have an anti-virus mechanism
that scans emails or programs, it may not need to talk Internet protocols.
Thus, if someone manages to buffer overflow the scan process and have it open
a socket back to the attacker, aka a bindshell, pledge will stop the socket
call before the kernel opens it. It's ingenious and it gets better. Since you
know your program, you can pledge several times to restrict more and more of
it over the course of the program flow.
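The scanner scenario above with two pledge stages, as an added example that is not from the original post or from OpenBSD: `scan_file` and `count_sig` are hypothetical names, and the stub `pledge()` is an assumption that only lets the code build on systems other than OpenBSD, where nothing is enforced.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Assumption: no-op stand-in so this builds elsewhere; it enforces nothing. */
static int pledge(const char *promises, const char *execpromises)
{
	(void)promises;
	(void)execpromises;
	return 0;
}
#endif

/* Toy scanner: count occurrences of sig in buf. */
size_t count_sig(const unsigned char *buf, size_t len, const char *sig)
{
	size_t i, hits = 0, siglen = strlen(sig);

	if (siglen == 0 || len < siglen)
		return 0;
	for (i = 0; i + siglen <= len; i++)
		if (memcmp(buf + i, sig, siglen) == 0)
			hits++;
	return hits;
}

/* Scan the first 4 KB of path; returns the hit count or -1 on error. */
long scan_file(const char *path, const char *sig)
{
	unsigned char buf[4096];
	size_t n;
	FILE *fp;

	/* Stage 1: stdio plus read-only file access, no sockets at all. */
	if (pledge("stdio rpath", NULL) == -1)
		return -1;
	if ((fp = fopen(path, "rb")) == NULL)
		return -1;
	/* Stage 2: the input is open, so give up opening files too. */
	if (pledge("stdio", NULL) == -1) {
		fclose(fp);
		return -1;
	}
	/* Untrusted bytes are read only from here on; on OpenBSD a
	 * socket(2) or open(2) made by hijacked code now kills the process. */
	n = fread(buf, 1, sizeof(buf), fp);
	fclose(fp);
	return (long)count_sig(buf, n, sig);
}
```

Because a process cannot pledge its way back up, `scan_file` works once per process on OpenBSD; a second call fails at stage 1.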
In private conversation I offered Theo de Raadt, the principal programmer around
pledge, an awk program that rudimentarily scans C sources to determine a base
pledge in a program. What I got back was a response I didn't expect. So I'm
giving out a warning to people to NOT DO AS I had done. I still think I'm not
going to be the only one who writes such a program since my gift to deraadt
was not done publicly.
You see in computer science you study the code, then you UNDERSTAND the code
and then you can add to it. What I did was pseudo-science, since I didn't
need to understand the code. Understanding is a big problem with code in
general as everyone has their own style within the allowed programming idioms
of C. Not understanding code means you can't contribute to it. I personally
did not understand BIND code so I decided to write my own nameserver, the
result was something I understood because I wrote it without wasting my time
going into libraries that criss-crossed all over the source tree. However
my code grew past 10,000 lines and it's easy to lose track of some areas.
My memory is not the best, I think it's short-span, so I try to work with tools
that ease this. However, let's get back to science. As shown by the
commits of top, the programmers who pledged it not only screwed up once but
twice and failed to understand top. So now we're accusing each other of
pseudo-science and not understanding the code right. Let's put that away,
as it's counter-productive. However I'd like to warn people against suggesting
to OpenBSD what I had done. So know your code, apply pledge and stay safe.
For me pledge doesn't work as shm*(4) routines don't have a pledge keyword,
so I'll have to wait. Anyone else wanting to pledge a program linked against
db4 will have to do the same.
And lastly I'll say I was a bit hurt by deraadt's words, but I'm not gonna
repeat them in public. I'll still stay loyal to OpenBSD despite this.
0 comments
Outlook Delphinusdnsd 1.0.0 not before XMAS
October 27th, 2015
I'm getting stalled with development of delphinusdnsd and distracted. I should
have been coding on this yesterday to make use of my full vacation for this but
I decided to soak up laziness instead. It's ok though, there is no way I can
do this in two weeks, if I do then there would be little testing if any.
0 comments
AVM FritzBox Router losing ARP packets
October 26th, 2015
After a 2 month long debug session with my gear I finally produced a workaround
with codeblue to _fix_ the situation.
The problem: between my routers gamma and uranus (both OpenBSD) arp
gets lost either on the FritzBox or a FritzRepeater from the same manufacturer
(AVM).
The solution: check if a threshold of arp cache timeout has been reached
and populate the arpcache manually with an injected arp packet.
Here are the scripts I've written. On uranus:
#!/bin/sh
# this script checks if ARP was lost between gamma and uranus via AVM AP
# if so it will mail me and send a gratuitous arp to restore the arp cache
# on gamma it will do it twice to escape stupid filtering on AVM fritzbox.
sleep 10
# minutes left before gamma expires its ARP entry for uranus; match the host
# column exactly so that e.g. 192.168.179.100 is not picked up as well
CACHE=$(ssh watcharp@192.168.179.1 /usr/sbin/arp -na | \
    awk '$1 == "192.168.179.10" { split($4, b, "m"); print b[1] }')
# skip the test when nothing came back (ssh failed or no entry for uranus)
if [ -n "$CACHE" ] && [ "$CACHE" -lt 15 ]; then
    echo "cache is at $CACHE going to set arp manually" | \
        mail -s "arp timeout" emailat@centroid.eu
    /usr/local/bin/cb -a is-at -s192.168.179.10 -d192.168.179.1
    sleep 20
    /usr/local/bin/cb -a is-at -s192.168.179.10 -d192.168.179.1
fi
exit 0
And then on gamma:
#!/bin/sh
/usr/local/bin/cb -l re1 -a who-has -s00:0d:b9:XX:XX:XX,192.168.179.1 \
-dff:ff:ff:ff:ff:ff,192.168.179.10
With these scripts I am willing to bet my problems go away.
0 comments
Open Sourced CodeBlue version 1
October 24th, 2015
After 14 years of having this program (mostly) for myself, I think it's worth
it to Open Source it. Successes of Code Blue are:
- proving a bug in someone's program
- proving a bug in the OpenBSD kernel which caused a crash after a CBv1 typo
- proving that ARP packets get lost on AVM routers (recently)
There were many other cases that I used codeblue for good. It's not an evil
program. Sources are here. Codeblue was based on gppf in idea but not in code.
0 comments