Apparently last month the root servers were attacked. ICANN published a fact sheet about the attacks and root server attacks. Interesting reading.

At work, Mobistar delegated our reverse DNS to a zone with a slash in it. I didn’t even know this was legal in DNS but apparently it is, and BIND and PowerDNS serve it perfectly. I installed PowerAdmin to manage my PowerDNS records with a GUI (MySQL INSERT/UPDATE was becoming a bit tedious), but could not create a domain nor any entries below it (after creating the domain through MySQL), because it wouldn’t accept the / as a valid character. I cooked up a small patch (don’t know if it’s complete, I just know it works for me) which you can find here .

I just set up FreeNX on my Sarge machine and it works really nice! I was hoping it would be able to "receive" remote desktop (rdc) connections and channel it to an X server (to use standard Windows CE/TS thin clients with a Linux server). I found the .deb’s too late, and as such followed another howto for Ubuntu .

Here’s how I did it on Sarge:

apt-get install cdbs autotools-dev patchutils autoconf bzip2 zlib1g-dev libpng12-dev libjpeg-dev xlibs-dev libfreetype6-dev libmikmod2-dev libssl-dev libxaw7-dev automake1.9 automake1.4 expect tcl8.4 netcat ssh build-essential dpatch

Add the following to /etc/apt/sources.list: deb-src http://debian.tu-bs.de/project/kanotix/unstable/ sid nx

apt-get source nx freenx
cd nx-1.4.92+1.5.0

sed -i s/debhelper\ \(\>=\ 5.0.0\)/debhelper\ \(\>=\ 4.2.0\)/ debian/control
export DH_COMPAT=4
dpkg-buildpackage

cd ../freenx-0.4.4+0.4.5

sed -i s/debhelper\ \(\>=\ 5.0.0\)/debhelper\ \(\>=\ 4.2.0\)/ debian/control
sed -i s/openssh-server,\ openssh-client/ssh/ debian/control
dpkg-buildpackage

cd ..; dpkg -i *deb 

Edit /etc/nxserver/node.conf and add the following line:

COMMAND_XAUTH=/usr/bin/X11/xauth

If you want to use SSH authentication instead of FreeNX’s own passdb backend put the following lines in there as well:

ENABLE_PASSDB_AUTHENTICATION="0"
ENABLE_SSH_AUTHENTICATION="1" 

Fetch the 1.5 client for Windows (2.0 from Nomachine doesn’t work). Enter the correct details (enable "encrypt all data" if you want it to work through firewalls and NATs — that way you just have to open up SSH and be done with it). Enjoy!

Prepare for another blog storm… first a nice tip I found on this page …

Sometimes I use mutt to read my mail, which nicely autodecrypts and checks pgp/gpg signatures. But then I’d need to retrieve everybody’s public key, like the Ubuntu security etc (which I couldn’t find anywhere by the way), but no more! gnupg now automatically retrieves keys from the keyserver you specify just by adding keyserver-options “auto-key-retrieve” into ~/.gnupg/gpg.conf.

I don’t know if this makes it any less secure though… but WorksForMe(tm) 

I’ve been working on upgrading my mail gateway setup to something a little more decent, and as of tonight (in my new testsetup) I’ve implemented relay recipient maps in postfix. Should be way better the gateway mailqueue and also for the internet as a whole, since I won’t be generating any more blowback like I am doing now (when mailing to a nonexisting address, the gateway accepts the mail, tries to deliver, then creates a bounce message and tries to deliver that one, usually trying to email nonexisting users or innocent bystanders whose From: address was forged). Also implemented some SNMP polling for queue size, more to follow. Yay. 🙂

 PS: Thanks to DaViper for providing me with a virtual machine and a subnet to host my off-net DNS and Mailgateway on, much appreciated!

It seems DNS.be has made a bit of a booboo… They have billed all agents for march (instead of april), resulting in negative credit balances (somehow march is a month with way more registrations than april) for many agents. Affected are at least Openminds , Priorweb and Stone IS – probably more. If your .be registrations don’t work today and/or tomorrow, this is why.

 Of course, today being a public holiday doesn’t help things, as there will probably be noone there to fix the mistake before tomorrow. Unfortunately, business on the internet goes on, 24/7, and people will expect domain names to be registered…

Cool thing, which I missed when flying to Mexico last time… Internet on the plane. Using pretty funky networking techniques, and it’s fun to see how the data available on the internet (I could check it from my own BGP routers as well) can be used to see where planes are (not very accurate but still). Just a pity they had to waste a whole /24 per plane, and then not even use the IP addresses but NAT everyone… The registered block is a /16, so that’s enough for 256 planes; there may be more blocks, I didn’t check.

Just a note to myself (and perhaps even useful for others): Cisco phones (at least 7940/7960) can be rebooted by pressing * + 6 + Settings so you don’t have to go and yank out the power supply every time you want to reboot (telnet in and type reboot is also an option ofcourse, but requires you to know the ip address and the password).

 Also, the 7905G seems to be quite cheap and quite good! Seems to be priced at the same level as a budgetone thingy, so if I can choose between that or a nice cisco… I think I know! So if you have any 7905’s to spare… 😉

Since a little over a week our hobby network Phyxia got connected to the FreeBIX Internet Exchange . We seem to have some software issues which appear to be hardware issues sometimes, but overall everything is working nicely. We even got peering up with EDPnet ! Toys for the boys ! 😉

Sveasoft, maker of replacement firmware for the Linksys WRT54G, has been utilising GPL’d OpenWrt code in its releases without releasing source code. Sveasoft think this is OK because they’ve only released it to a few people – however the GPL says source code must always be given, no matter how small the distribution. I’m an avid user of the OpenWrt firmware and Free Software and cannot really condone what is going on here, parasiting (is that an English word?) on a nice free firmware, demanding money for it, not releasing the source, and denying doing anything wrong…