• Mine seems to have the decent Synaptics touchpad - read The Register’s review for the warning about the other one.
• You really need to use headphones with it if apps you’re listening to don’t have a very good sound level - inevitably in a device this size, the speakers aren’t great, especially at full volume.

How the Linux install on it goes is something I shall let y’all know shortly…

1. Anyone could do a ‘dig @ns.dnorth.net dnorth.net AXFR’ to retrieve a listing of all my DNS records - not great from a security point of view. This is a capability that should only be turned on for secondary DNS servers which need to fetch from the master.
2. The server would perform arbitrary lookups [for any domain] on request. This means it’s operating in ‘recursive mode’, which is a Bad Thing for various reasons.

The solutions were:

1. Add “allow-transfer { “slaves”; };” (without the double quotes) to the section of the configuration beginning “zone ‘dnorth.net’”. Then add a section defining the “slaves” access control list to be the local server, plus the secondaries: “acl slaves { 127.0.0.1; 123.45.67.89; }” replacing 123.45.67.89 by the IP address(es) of your secondary nameserver(s).
2. Add “recursion: no;” to the “options” section of the configuration.

Then restart the BIND9 service - on Debian, this is “/etc/init.d/bind9 restart”.

Health warning: Don’t do (2) above if you rely on your server to do its own DNS resolution - follow the crashrecovery tutorial above instead.

Last week, after upgrading to a 64bit version of Ubuntu for the first time, I finally ditched gq, after running into identical symptoms to this Debian bug.

The good news is that there’s an alternative that actually works: it’s called Luma.

Have fun.

My personal email has been on a rough ride over the years: from a reasonably nice (Microsoft based!) school email setup in 1999, which sadly got removed when Windows 98 was introduced, I went through three Hotmail accounts. I had a brief flirtation with GMail, but not being all that keen on the means of delivering advertising, I ended up back on Hotmail.

Registering dnorth.net last year at least ensured my email address would no longer change, but the technical capabilities of the two mail servers holding the mail still left much to be desired: flaky, unreliable spam scoring, no facilities for server-side filtering/sorting, sheer lack of customisability…

Last week, I finally did something about it. At my disposal was my VPS, running Debian Linux 4 (’etch’). On the wishlist were:

• Accurate server-side spam scoring with SMTP-time rejection of the most obvious spam
• Sender verification
• Sieve filters for server-side sorting into folders
• All mail stored on the server and accessible over secure IMAP

Thankfully, none of the above is too difficult: some pretty good instructions are Out There for most of it. The ones I used were:

• Exim4 on Debian with SpamAssassin, ClamAV, Virtual Domain Alias Files and Message Size Limits per Domain
• Exim + Sieve + Avelsieve Howto
• Handling mail for multiple virtual domains with exim4

Please remember, I am not responsible for the content of external sites (e.g., the links above), nor can I accept any responsibility for the consequences of acting on the points below…

I ran into a couple of issues:

• Permissions on the .sievesource files generated by AvelSieve - I needed to chmod g+w on /var/lib/squirrelmail/data and chown it to www-data:www-data in order to reach a state where Exim could read the file, and Avelsieve could write it.
• Exim4’s native sieve implementation only has the core features in it, not the extensions defined in RFC 3431. I dodged the issue by matching the number of *s in the X-Spam-Score header using string matching, rather than numeric checks on the X-Spam-Score.

All in all, though, it’s working a treat. Email perfection at last!

Twelve minutes ago, I got the wireless card working with my WPA-PSK home network.

A combination of the progress made on drivers over the last year, and finding which of the squillions of instruction sets out there Actually Worked has finally got things going - rather than recount it all here, I’ll point owners of the HP Pavilion dv5157eu to this page, and advise everyone else as to how I found it: do a Google search for some combination of ‘ubuntu’, ‘wireless’ and your laptop’s exact model number.

Edit: My wireless happiness sadly didn’t survive a hibernate or a reboot. Turns out the line of the page which says do ’sudo echo ndiswrapper > /etc/module’ actually means, as far as I can tell, that you should do:

sudo -s
echo ndiswrapper >> /etc/modules

As ever, follow my advice at your own risk.

So, full term ended yesterday, and I had to get over to Cambridge for a dinner. The X5 bus proved reasonable, both in terms of cost (£15 open return) and time, though the long stop to change drivers in Bedford lengthened an already long enough journey.

After a very pleasant afternoon being shown round Cambridge, I’ll have to begrudgingly admit to being impressed by it. King’s College Chapel, in particular, was spectacular. Even the weather wasn’t bad.

The train journey home from Oxford was tolerable, though prolonged by a needless half hour stop in Birmingham - it wasn’t so much the stop that annoyed me, but the fact that nobody bothered to tell us about it.

Yesterday only served to reaffirm my belief that public transport is mediocre at best, and ghastly at worst. Our rulers will have to try harder if they want to convince me not to use the driving licence lurking in my wallet, as soon as I can afford to…

The answer turns out to be that hitting scroll lock locks the terminal so that the arrow keys scroll it rather than cycling through previous commands, and this also prevents key presses updating the display. My Yakuake hotkey is F12, which is next to scroll lock on my laptop.

So now you know.

Here’s how I implemented this for my Debian server, with Bind9 handling my DNS:

1. Generate the DNS records by typing this at a shell prompt on the system whose fingerprints you want to publish (make sure you include the trailing dot after the hostname):

   ssh-keygen -r thehostname.thedomain.wherever.
   Enter file in which the key is (/home/david/.ssh/id_rsa): /etc/ssh/ssh_host_dsa_key.pub
   
   ssh-keygen -r thehostname.thedomain.wherever.
   Enter file in which the key is (/home/david/.ssh/id_rsa): /etc/ssh/ssh_host_rsa_key.pub

2. The above will print two records, each a line beginning “thehost.thedomain.wherever IN SSHFP”. Paste them into the Bind9 zone file on the primary DNS server for the relevant domain/subdomain, each on a new line.
3. Reload Bind9 service on the DNS server by typing

   sudo /etc/init.d/bind9 reload

Before:

$ ssh jasper.dnorth.net
The authenticity of host 'jasper.dnorth.net (67.207.132.102)' can't be established.
RSA key fingerprint is 40:0d:3b:42:ff:4a:86:31:66:1b:9f:43:9d:f7:69:79.
Are you sure you want to continue connecting (yes/no)?

After:

$ ssh jasper.dnorth.net -o VerifyHostKeyDNS=yes
The authenticity of host 'jasper.dnorth.net (67.207.132.102)' can't be established.
RSA key fingerprint is 40:0d:3b:42:ff:4a:86:31:66:1b:9f:43:9d:f7:69:79.
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?

Note that you have to force the OpenSSH client to check for the key in DNS with the -o VerifyHostKeyDNS=yes option, which you can of course put in your ~/.ssh/config file too - see “man 5 ssh_config” for more.

Note also that PuTTY has yet to implement the RFC, as per this page, and I agree with their doubts over whether it’s worth any immediate attention. Still, it’s quite nice to have around as an extra layer of reassurance.

In other news, I appear to have reached the end of another Oxford term with my sanity intact. The first six weeks were great, it just got a bit wearing for the last two. Some of the non-academic stuff, sadly, is going to have to take a back seat after Christmas, but ah well.