Centroid.EU Blog

DNSSEC web validation tools

Here is some validation tools that I have found:

• checks your resolver
• checks your dnssec on a domain
• visually maps your dnssec
• tests dnssec'ed website this didn't pass for me, working on that though.

Purchased Reggae

Yesterday I purchased the Faithful Riddim of various artists. I liked the "topic of the day" song by I Octane on youtube which made me get this. Also got "Trod on" by Devano single. Too bad Devano hasn't got an album on iTunes.

Delphinusdnsd does TLSA RR and thus DANE

I hammered the support out this morning within 1.5 hours, probably a record for me. But I based it off SSHFP RR's support which has only 1 8 bit integer less in the answer, so it was fairly easy to convert.

I have asked Luke Antins if I can pay him a bit more for the TLSA support in his dns-zone ruby gem. If he is willing to do it, I'll be able to play with DANE as I haven't been able to sign the TLSA yet and thus that part is not tested yet.

These are interesting days for sure.

Happy Anniversary Delphinusdnsd!

Even though I checked in the sources on November 29th, 2005 I must have been writing on Delphinusdnsd before that, so November is anniversary month! Guess what this daemon of mine is 10 years old! It does DNSSEC now too! So in my experience it takes a part-timer 10 man-years to reach DNSSEC. And I had a lot of spare time when I wasn't programming on this server. I have recieved lots of support mainly out of eastern Europe for this server. I don't quite know why that is, but thanks to you for using my server, and for inquiring about it and a big thanks to those that sent patches. Thanks also goes to #unixhelp for hearing my worries, visions and dreams about this DNS server. Thanks for putting up with me! The first non-beta version of this server will likely be released around new years 2016. I'm just doing tests right now with swshell.de comparing it to BIND and keeping and eye out for faults. So what is next with this server? I plan on doing DANE support for it but then I think I'm gonna focus on bug fixing, dunno. There is always room for some newbie to come along to write on this. An easy task would be HINFO support. Cheers!

swshell.de is DNSSEC enabled now

Since yesterday swshell.de is DNSSEC enabled. I finished the zone signing utility for delphinusdnsd which is called dd-convert.rb. That utility leans on BIND tools. One day perhaps I'll make my own. I have checked with the DNSSEC debugger and everything seems to be in the green, but I have to figure out what I did first to do so and play a little with tools. Also delphinusdnsd would need a good debugging now so that it gives quality answers.

Donated to OpenBSDFoundation

I have given the OpenBSD foundation 41.81 EUR which was in my paypal account. I usually donate directly to deraadt but I wanted to rid the money I had in my paypal account so it goes to the foundation this time.

pledge(2) Don't do this!

pledge(2) in OpenBSD is a whitelist of system calls that a programmer pledges / promises his program will conform to. If they lie the kernel will kill the program. If you look at this from an attacker perspective you'll have to restrict bytecode or whatever your edge is to the pledged spectrum of syscalls.

I'll give you another example. If you have an anti-virus mechanism that scans emails or programs it may not need to talk Internet protocols and thus if someone manages to buffer overflow the scan process and have it open a socket back to the attacker aka a bindshell, pledge will stop the socket call before the kernel opens it. It's ingenious and it gets better. As you know your program you can pledge several times to restrict more and more of it over the course of the program flow.

In private conversation I offered Theo de Raadt, the principal programmer around pledge, an awk program that rudamentally scans C sources to determine a base pledge in a program. What I got back was a response I didn't expect. So I'm giving out a warning to people to NOT DO AS I had done. I still think I'm not going to be the only one who writes such a program since my gift to deraadt was not done publically.

You see in computer science you study the code, then you UNDERSTAND the code and then you can add to it. What I did was pseudo-science, since I didn't need to understand the code. Understanding is a big problem with code in general as everyone has their own style within the allowed programming idioms of C. Not understanding code means you can't contribute to it. I personally did not understand BIND code so I decided to write my own nameserver, the result was something I understood because I wrote it without wasting my time going into libraries that criss-crossed all over the source tree. However my code grew past 10,000 lines and it's easy to lose track of some areas.

My memory is not the best I think it's short span so I try to work with tools that easen this. However let's get back to science. As shown by the commits of top the programmers who pledged it not only screwed up once but twice and failed to understand top. So now we're accusing each other of pseudo-science and not understanding the code right. Let's put that away, as it's counter-productive. However I'd like to warn people of suggesting to OpenBSD what I had done. So know your code, apply pledge and stay safe.

For me pledge doesn't work as shm*(4) routines don't have a pledge keyword, so I'll have to wait. Anyone else wanting to pledge a program linked against db4 will have to do the same.

And lastly I'll say I was a bit hurt by deraadt's words, but I'm not gonna repeat them in public. I'll still stay loyal to OpenBSD despite this.

Outlook Delphinusdnsd 1.0.0 not before XMAS

I'm getting stalled with development of delphinusdnsd and distracted. I should have been coding on this yesterday to make use of my full vacation for this but I decided to soak up lazyness instead. It's ok though, there is no way I can do this in two weeks, if I do then there would be little testing if any.

AVM FritzBox Router losing ARP packets

After a 2 month long debug session with my gear I finally produced a workaround with codeblue to _fix_ the situation.

The problem: between my routers gamma and uranus (both OpenBSD) arp gets lost either on the FritzBox or a FritzRepeater from the same manufacturer (AVM).

The solution check if a threshold of arp cache timeout has been reached and populate the arpcache manually with an injected arp packet.

Here is the scripts I've written. On uranus:

#!/bin/sh

# this script checks if ARP was lost between gamma and uranus via AVM AP
# if so it will mail me and send a gratuitious arp to restore the arp cache
# on gamma it will do it twice to escape stupid filtering on AVM fritzbox.

sleep 10

CACHE=`ssh watcharp@192.168.179.1 /usr/sbin/arp -na |\
 awk '/192.168.179.10/ { a = split($4, b, "m"); print b[1];}'`

if [ $CACHE -lt 15 ]; then
        echo "cache is at $CACHE going to set arp manually" | \
        mail -s "arp timeout" emailat@centroid.eu

        /usr/local/bin/cb  -a is-at -s192.168.179.10 -d192.168.179.1
        
        sleep 20

        /usr/local/bin/cb  -a is-at -s192.168.179.10 -d192.168.179.1
        
fi

exit 0

#!/bin/sh

/usr/local/bin/cb -l re1 -a who-has -s00:0d:b9:XX:XX:XX,192.168.179.1 \
	-dff:ff:ff:ff:ff:ff,192.168.179.10  

Open Sourced CodeBlue version 1

After 14 years of having this program (mostly) for myself, I think it's worth it to Open Source it. Successes of Code Blue are

• proving a bug in someones program
• proving a bug in the OpenBSD kernel which caused a crash after a CBv1 typo
• proving that ARP packets get lost on AVM routers (recently)