David North

I’ve been aware for some time that my DNS isn’t quite as securely configured as I’d like. http://crashrecovery.org/named/ looks pretty good, but the two main issues bugging me were:

1. Anyone could do a ‘dig @ns.dnorth.net dnorth.net AXFR’ to retrieve a listing of all my DNS records - not great from a security point of view. This is a capability that should only be turned on for secondary DNS servers which need to fetch from the master.
2. The server would perform arbitrary lookups [for any domain] on request. This means it’s operating in ‘recursive mode’, which is a Bad Thing for various reasons.

The solutions were:

1. Add “allow-transfer { “slaves”; };” (without the double quotes) to the section of the configuration beginning “zone ‘dnorth.net’”. Then add a section defining the “slaves” access control list to be the local server, plus the secondaries: “acl slaves { 127.0.0.1; 123.45.67.89; }” replacing 123.45.67.89 by the IP address(es) of your secondary nameserver(s).
2. Add “recursion: no;” to the “options” section of the configuration.

Then restart the BIND9 service - on Debian, this is “/etc/init.d/bind9 restart”.

I did a lightning talk to CompSoc last night on whether 64bit is ready for use on the desktop - if you’re bored, you can download the slides and the second of my famous sketch and scanned graphs.

gq has been a necessary evil in my life for some time now. I need a graphical LDAP client for use on the CompSoc systems, but gq (to be fair, the versions of gq packaged for Ubuntu) seems to be very buggy, segfaulting all over the place if you try to do anything other than browse with it.

Last week, after upgrading to a 64bit version of Ubuntu for the first time, I finally ditched gq, after running into identical symptoms to this Debian bug.

The good news is that there’s an alternative that actually works: it’s called Luma.

Have fun.

The epic tale of how my new mail setup was born

My personal email has been on a rough ride over the years: from a reasonably nice (Microsoft based!) school email setup in 1999, which sadly got removed when Windows 98 was introduced, I went through three Hotmail accounts. I had a brief flirtation with GMail, but not being all that keen on the means of delivering advertising, I ended up back on Hotmail.

Registering dnorth.net last year at least ensured my email address would no longer change, but the technical capabilities of the two mail servers holding the mail still left much to be desired: flaky, unreliable spam scoring, no facilities for server-side filtering/sorting, sheer lack of customisability…

Last week, I finally did something about it. At my disposal was my VPS, running Debian Linux 4 (’etch’). On the wishlist were:

• Accurate server-side spam scoring with SMTP-time rejection of the most obvious spam
• Sender verification
• Sieve filters for server-side sorting into folders
• All mail stored on the server and accessible over secure IMAP

Thankfully, none of the above is too difficult: some pretty good instructions are Out There for most of it. The ones I used were:

• Exim4 on Debian with SpamAssassin, ClamAV, Virtual Domain Alias Files and Message Size Limits per Domain
• Exim + Sieve + Avelsieve Howto
• Handling mail for multiple virtual domains with exim4

Please remember, I am not responsible for the content of external sites (e.g., the links above), nor can I accept any responsibility for the consequences of acting on the points below…

I ran into a couple of issues:

• Permissions on the .sievesource files generated by AvelSieve - I needed to chmod g+w on /var/lib/squirrelmail/data and chown it to www-data:www-data in order to reach a state where Exim could read the file, and Avelsieve could write it.
• Exim4’s native sieve implementation only has the core features in it, not the extensions defined in RFC 3431. I dodged the issue by matching the number of *s in the X-Spam-Score header using string matching, rather than numeric checks on the X-Spam-Score.

All in all, though, it’s working a treat. Email perfection at last!

Twelve months ago, I installed Linux (Kubuntu) on my laptop.

Twelve minutes ago, I got the wireless card working with my WPA-PSK home network.

A combination of the progress made on drivers over the last year, and finding which of the squillions of instruction sets out there Actually Worked has finally got things going - rather than recount it all here, I’ll point owners of the HP Pavilion dv5157eu to this page, and advise everyone else as to how I found it: do a Google search for some combination of ‘ubuntu’, ‘wireless’ and your laptop’s exact model number.

Edit: My wireless happiness sadly didn’t survive a hibernate or a reboot. Turns out the line of the page which says do ’sudo echo ndiswrapper > /etc/module’ actually means, as far as I can tell, that you should do:

sudo -s
echo ndiswrapper >> /etc/modules

As ever, follow my advice at your own risk.

Musings on public transport, and a look round The Other University

So, full term ended yesterday, and I had to get over to Cambridge for a dinner. The X5 bus proved reasonable, both in terms of cost (£15 open return) and time, though the long stop to change drivers in Bedford lengthened an already long enough journey.

After a very pleasant afternoon being shown round Cambridge, I’ll have to begrudgingly admit to being impressed by it. King’s College Chapel, in particular, was spectacular. Even the weather wasn’t bad.

The train journey home from Oxford was tolerable, though prolonged by a needless half hour stop in Birmingham - it wasn’t so much the stop that annoyed me, but the fact that nobody bothered to tell us about it.

Yesterday only served to reaffirm my belief that public transport is mediocre at best, and ghastly at worst. Our rulers will have to try harder if they want to convince me not to use the driving licence lurking in my wallet, as soon as I can afford to…

A problem which has been bugging me for a while is my Konsole and Yakuake terminal sessions ceasing to respond to input for no apparent reason. The symptoms are always the same: the session seemingly stops responding to key presses, yet if I was running screen inside the session, reattaching it elsewhere reveals the characters from the missing key presses.

The answer turns out to be that hitting scroll lock locks the terminal so that the arrow keys scroll it rather than cycling through previous commands, and this also prevents key presses updating the display. My Yakuake hotkey is F12, which is next to scroll lock on my laptop.

So now you know.

See the relevant RFC for the background.

Here’s how I implemented this for my Debian server, with Bind9 handling my DNS:

1. Generate the DNS records by typing this at a shell prompt on the system whose fingerprints you want to publish (make sure you include the trailing dot after the hostname):

   ssh-keygen -r thehostname.thedomain.wherever.
   Enter file in which the key is (/home/david/.ssh/id_rsa): /etc/ssh/ssh_host_dsa_key.pub
   
   ssh-keygen -r thehostname.thedomain.wherever.
   Enter file in which the key is (/home/david/.ssh/id_rsa): /etc/ssh/ssh_host_rsa_key.pub

2. The above will print two records, each a line beginning “thehost.thedomain.wherever IN SSHFP”. Paste them into the Bind9 zone file on the primary DNS server for the relevant domain/subdomain, each on a new line.
3. Reload Bind9 service on the DNS server by typing

   sudo /etc/init.d/bind9 reload

Before:

$ ssh jasper.dnorth.net
The authenticity of host 'jasper.dnorth.net (67.207.132.102)' can't be established.
RSA key fingerprint is 40:0d:3b:42:ff:4a:86:31:66:1b:9f:43:9d:f7:69:79.
Are you sure you want to continue connecting (yes/no)?

After:

$ ssh jasper.dnorth.net -o VerifyHostKeyDNS=yes
The authenticity of host 'jasper.dnorth.net (67.207.132.102)' can't be established.
RSA key fingerprint is 40:0d:3b:42:ff:4a:86:31:66:1b:9f:43:9d:f7:69:79.
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?

Note that you have to force the OpenSSH client to check for the key in DNS with the -o VerifyHostKeyDNS=yes option, which you can of course put in your ~/.ssh/config file too - see “man 5 ssh_config” for more.

Note also that PuTTY has yet to implement the RFC, as per this page, and I agree with their doubts over whether it’s worth any immediate attention. Still, it’s quite nice to have around as an extra layer of reassurance.

Spam. It’s not going away, and nor is my increasing annoyance at some of the things we need to do to avoid it. Like making a separate email forwarder for every service I sign up to. Or, like CAPTCHAs. I can see exactly why we need them, but deciphering squiggly letters against a low-contrast background isn’t easy on the eyes. I was intrigued to see a possible alternative solution called Asirra, which Microsoft Research have come up with. Who knows, I might give it a try myself to keep the bots away from my comments section - although Bad Behavior seems to be doing a good job at the moment.

In other news, I appear to have reached the end of another Oxford term with my sanity intact. The first six weeks were great, it just got a bit wearing for the last two. Some of the non-academic stuff, sadly, is going to have to take a back seat after Christmas, but ah well.

Last week, I gave a Lightning talk to CompSoc on the subject “Linux vs. Windows- which is better?”. It seemed to go down fairly well (I wasn’t lynched outside afterwards…), and following a request from Will for the, er, “interesting” graph that was on one of my slides, here they are. There’s also a JPEG of the graph as I scanned it, and my speaker’s notes.