
November 17 2014

21:35
Lollipop battery saver - reduced animations
13:49
[Bug watch] Erlang and SHA256 SSL certificates

September 30 2014

18:17
Intel. Srsly.

September 01 2014

13:29
Your ticket system needs more monitoring

June 06 2014

16:25
Suddenly sheep

May 28 2014

09:21
Amazon and Hachette

April 07 2014

12:58
Zooming.

March 22 2014

01:35
Authenticating sudo with the SSH agent

March 20 2014

towo
10:44
0160 4e21

March 18 2014

23:04
Let's Titanrage

March 10 2014

17:04
Carefree endangerment

March 04 2014

09:35
Especially bad driving down the middle
01:38
Why get off the road?

February 22 2014

13:54

Amazon leads to spending, spending leads to gratification

Just saying.

[+] Processing    last30 	(  25 orders)... 	   1518.56 EUR
[+] Processing  months-6 	(  86 orders)... 	   3450.13 EUR
[+] Processing year-2014 	(  28 orders)... 	   1674.55 EUR
[+] Processing year-2013 	( 138 orders)... 	   3840.49 EUR
[+] Processing year-2012 	(  96 orders)... 	   1302.12 EUR
[+] Processing year-2011 	(  62 orders)... 	   2868.70 EUR
[+] Processing year-2010 	(  31 orders)... 	    890.68 EUR
[+] Processing year-2009 	(  23 orders)... 	   1030.52 EUR
[+] Processing year-2008 	(  16 orders)... 	    913.45 EUR
[+] Processing year-2007 	(   6 orders)... 	    456.43 EUR
[+] Processing year-2006 	(   2 orders)... 	     30.95 EUR
[+] Processing year-2005 	(   8 orders)... 	    152.38 EUR
[+] Processing year-2004 	(   9 orders)... 	    257.50 EUR
[+] Grand total (years only) 	( 419 orders)... 	  13417.77 EUR

Curious how you rate? Take a look at trehn's gist.


February 21 2014

16:06

Allowing your users to manage their DNS zone

You've been in this situation before. You're hosting a couple of friends (or outright customers), giving them virtual machines on that blade server you're most likely renting from a hosting provider. You've got everything mostly set up right, even wrangled libvirt so that your users can connect remotely to restart and VNC their own machine (article on this is pending).

But then there's the issue of letting people update the DNS. Giving them access to a zone file sort of works, but then you either have to let them onto the machine running the DNS server, or rig up some fuzzy, failure-prone system to transfer the zone files to where they're actually useful. Neither is ideal.

So here’s how to do it right — by using TSIG keys and nsupdate. I assume you’re clever enough to replace obvious placeholder variables. If you aren’t, you shouldn’t be fiddling with this anyway.

The goal will be that users can rather simply use nsupdate on their end without ever having to hassle the DNS admin to enter a host into the zone file for them.

Generating TSIG keys

This is a simple process; you need dnssec-keygen, which ships with bind9utils, for example; you can install that without installing bind itself. Then, for each user $username you want to hand a key to, run:

# dnssec-keygen -r /dev/urandom -a HMAC-SHA256 -b 256 -n HOST $username

Simple as that. The original TSIG spec (RFC 2845) only defined HMAC-MD5, which is why older write-ups use -a HMAC-MD5 -b 512, but RFC 4635 added HMAC-SHA1 through HMAC-SHA512, BIND has accepted them since 9.5, and nsupdate signs with whatever the key file says, so there is no reason to start a new key on MD5. Pick a key length equal to the digest size (256 bits for SHA-256).

You'll end up with two files, K${username}.+163+${somenumber}.{key,private}, where 163 is the algorithm number for HMAC-SHA256 (HMAC-MD5 keys get 157). Don't let the names fool you: there is no public key here. TSIG is a symmetric MAC, so both files contain the same shared secret, the .key file as a KEY resource record and the .private file as a Key: line, and whoever holds either of them can sign updates. Treat both files as secrets.

Server configuration

ISC BIND
Define or modify the following sections in your named configuration:
  1. Define the key
    key "$username." {
      algorithm hmac-sha256;
      secret "$(the base64 blob, i.e. the last field of the KEY record in the .key file)";
    };
    
  2. Allow the key to update the zone
    zone "some.zone.tld" {
            [...]
            allow-update { key "$username."; };
    };
    
One caveat the one-key-per-user setup needs: allow-update is all or nothing. A key listed there may add, change or delete any record in the zone, your other users' hosts and the zone's own NS and SOA records included. If each user is supposed to stay within their own names, replace allow-update with an update-policy statement (the two are mutually exclusive within a zone) whose grant rule names the key as the identity and uses the name or subdomain nametype to limit what it may touch; the BIND ARM documents the grammar. The algorithm named in the key statement has to match what the client signs with, which nsupdate takes from the key file.
    
PowerDNS
TSIG support is officially experimental in PDNS; I'm only copypasting the instructions here, I haven't checked them for correctness. All input examples manipulate the SQL backend.
  1. Set experimental-rfc2136=yes. If you do not change allow-2136-from, any IP may send dynamic updates; as with the BIND setup, "may send" only means the packet gets looked at, it still has to carry a valid TSIG signature to be accepted.
  2. Push the TSIG key into your configuration (the secret is the same base64 blob as for BIND):
    > insert into tsigkeys (name, algorithm, secret) \
      values ('$username', 'hmac-sha256', '$(base64 secret)');
    
  3. Allow updates by the key to the zone:
    > select id from domains where name='some.zone.tld';
    X
    > insert into domainmetadata (domain_id, kind, content) \
      values (X, 'TSIG-ALLOW-2136', '$username');
    
  4. Optionally, limit updates to a specific IP 1.2.3.4, X as above:
    > insert into domainmetadata (domain_id, kind, content) \
      values (X, 'ALLOW-2136-FROM', '1.2.3.4/32');
    
The names above are those of the 3.x releases before 3.4. From 3.4 on the feature left experimental status and the settings were renamed: experimental-rfc2136 became dnsupdate, allow-2136-from became allow-dnsupdate-from, and the metadata kinds became TSIG-ALLOW-DNSUPDATE and ALLOW-DNSUPDATE-FROM. Note that TSIG-ALLOW-2136 grants the key the whole zone, exactly like BIND's allow-update; these PowerDNS versions have no equivalent of BIND's per-name grants.
    
djbdns
You’re probably getting ready to berate me anyway, elitist schmuck. Do it yourself.
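Here is an added example, my code rather than the post's, BIND's or PowerDNS's, that ties the key generation and both server sections together in Python. It parses the pair of files dnssec-keygen writes (a constructed pair for a user alice, with a made-up base64 secret), checks that both carry the same shared secret, and renders the named.conf statements and the PowerDNS SQL for that key. The BIND output deliberately uses update-policy with a per-name grant instead of allow-update, so the key can only touch one host name; the zone file path, the host name and the domain id 42 are placeholders.

```python
import base64
import os

# TSIG algorithm numbers as dnssec-keygen puts them into the file name and the .private file.
ALGORITHM_NUMBERS = {157: "hmac-md5", 161: "hmac-sha1", 162: "hmac-sha224",
                     163: "hmac-sha256", 164: "hmac-sha384", 165: "hmac-sha512"}

# Constructed stand-ins for Kalice.+163+NNNNN.private and .key as written by
# `dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST alice`. The base64 blob is made up.
PRIVATE_FILE = """\
Private-key-format: v1.3
Algorithm: 163 (HMAC_SHA256)
Key: 8NJZ0vHHv8XhVDkxBa4rZaeSkQ/0ZxwqyA6h2mdxKAs=
Bits: AAA=
Created: 20140221160600
Publish: 20140221160600
Activate: 20140221160600
"""
KEY_FILE = "alice. IN KEY 512 3 163 8NJZ0vHHv8XhVDkxBa4rZaeSkQ/0ZxwqyA6h2mdxKAs=\n"


def parse_private(text):
    """(algorithm name, base64 secret) from a dnssec-keygen .private file."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return ALGORITHM_NUMBERS[int(fields["Algorithm"].split()[0])], fields["Key"]


def parse_key_rr(text):
    """(owner name, algorithm name, base64 secret) from the KEY record in the .key file."""
    owner, _class, _type, _flags, _protocol, number, secret = text.split()
    return owner.lower(), ALGORITHM_NUMBERS[int(number)], secret


def new_secret(bits=256):
    """What dnssec-keygen does for you: `bits` random bits, base64 encoded."""
    return base64.b64encode(os.urandom(bits // 8)).decode("ascii")


def named_conf(keyname, algorithm, secret, zone, hostname):
    """BIND: the key statement and a zone that lets this key touch only `hostname`.
    update-policy replaces allow-update (they are mutually exclusive); a bare
    allow-update { key ...; } would let the key rewrite every record in the zone."""
    zonefile = "/etc/bind/db." + zone.rstrip(".")  # placeholder path
    return (f'key "{keyname}" {{\n'
            f'    algorithm {algorithm};\n'
            f'    secret "{secret}";\n'
            f'}};\n\n'
            f'zone "{zone}" {{\n'
            f'    type master;\n'
            f'    file "{zonefile}";\n'
            f'    update-policy {{ grant "{keyname}" name {hostname} A AAAA; }};\n'
            f'}};\n')


def pdns_sql(keyname, algorithm, secret, domain_id):
    """PowerDNS SQL backend: same blob, same algorithm name, keyed by the zone's domains.id."""
    name = keyname.rstrip(".")
    return (f"INSERT INTO tsigkeys (name, algorithm, secret) VALUES ('{name}', '{algorithm}', '{secret}');\n"
            f"INSERT INTO domainmetadata (domain_id, kind, content) VALUES ({domain_id}, 'TSIG-ALLOW-2136', '{name}');\n")


def provision(private_text, key_text, zone, hostname, domain_id):
    """Cross-check the two files, then render both server configurations."""
    alg_p, secret_p = parse_private(private_text)
    owner, alg_k, secret_k = parse_key_rr(key_text)
    # No public/private pair here: both files must carry the identical shared secret.
    if (alg_p, secret_p) != (alg_k, secret_k):
        raise ValueError("the .key and .private files do not describe the same TSIG key")
    if len(base64.b64decode(secret_p)) * 8 < 128:
        raise ValueError("TSIG secret is shorter than 128 bits")
    return {"keyname": owner, "algorithm": alg_p,
            "bind": named_conf(owner, alg_p, secret_p, zone, hostname),
            "pdns": pdns_sql(owner, alg_p, secret_p, domain_id)}


if __name__ == "__main__":
    out = provision(PRIVATE_FILE, KEY_FILE, "some.zone.tld", "host.some.zone.tld.", 42)
    print(out["bind"] + out["pdns"])
```

The cross-check in provision is the point of the exercise: the only thing that differs between the .key and .private files is the framing, and the only thing that differs between the BIND and PowerDNS configuration is where that same blob is written to.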

Client usage

Hand the key to your user. There is no public half to keep back, TSIG is a symmetric HMAC, so what they get is the secret itself: either the dnssec-keygen pair (nsupdate -k takes the path of the .private file) or, simpler, a single file containing the same key statement you put into named.conf, which nsupdate -k has accepted since BIND 9.7 and which ddns-confgen writes for you. Deliver it over something authenticated (scp, the VM's console) and tell them not to pass it on the nsupdate command line with -y, where it ends up in the process list and the shell history.

Using nsupdate on a client is a rather simple (if not entirely trivial) affair. This is an example session:

nsupdate -k $privatekeyfile
> server dns.your.domain.tld
> zone some.zone.tld.
> update add host.some.zone.tld. 86400 A 5.6.7.8
> show
> send

This will add host.some.zone.tld as an A record with IP 5.6.7.8 to some.zone.tld.; show prints the assembled update, send signs it with the key and ships it. You get the drift. The syntax is as you'd expect, and is very well documented in nsupdate(1). Two error answers are worth recognising: NOTAUTH means the server did not accept the signature (wrong key name, wrong secret, or clocks more than the fudge window, 300 seconds by default, apart), REFUSED means the signature was fine but the zone's policy does not let that key make that change.

You could also think about handing out pre-written files to your users, or a little script to do it for you, or handing out puppet manifests to get new machines to add themselves to your DNS.
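To show what the server actually verifies when an update like the one in the session above arrives, here is an added example (my code, not the post's and not BIND's) that builds that UPDATE message, signs it and checks it with TSIG in plain Python, following RFC 2845 with the SHA-256 variant from RFC 4635. The key name alice., the secret and the timestamps are constructed for the demo. It then runs through the ways a server turns a request away: a tampered record and a wrong secret fail the MAC (BADSIG), an unknown key name is BADKEY, a signature outside the fudge window is BADTIME, and an unsigned update is left to the zone's policy (REFUSED).

```python
import hashlib
import hmac
import struct
import time

TSIG_TYPE, CLASS_IN, CLASS_ANY, TYPE_A, TYPE_SOA, OPCODE_UPDATE = 250, 1, 255, 1, 6, 5
# Algorithm names as they travel on the wire (RFC 2845, RFC 4635) and the hash behind each.
ALGORITHMS = {"hmac-md5.sig-alg.reg.int.": hashlib.md5, "hmac-sha256.": hashlib.sha256}
# Constructed demo key: a TSIG key is one shared secret that both client and server hold.
KEY_NAME, ALG = "alice.", "hmac-sha256."
SECRET = hashlib.sha256(b"constructed demo secret, not a real key").digest()
SERVER_KEYS = {KEY_NAME: (ALG, SECRET)}  # the server side of `key "alice." { ... }`


def encode_name(name):
    """Canonical (lowercase, uncompressed) wire form of a DNS name."""
    labels = [lab for lab in name.rstrip(".").lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def read_name(buf, off):
    """Inverse of encode_name; returns (name, offset after the name). No compression pointers."""
    labels = []
    while buf[off] != 0:
        n = buf[off]
        if n & 0xC0:
            raise ValueError("compressed names are not used in these messages")
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def build_update(zone, host, ipv4, ttl=86400, msg_id=0):
    """Unsigned RFC 2136 UPDATE for 'update add host ttl A ipv4' in zone, as nsupdate sends it."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 1, 0)  # zo=1 pr=0 up=1 ad=0
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    return header + zone_section + encode_name(host) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + rdata


def tsig_variables(keyname, alg, signed_time, fudge, error=0, other=b""):
    """The TSIG fields the MAC covers, in the order of RFC 2845 section 3.4.2."""
    return (encode_name(keyname) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(alg)
            + struct.pack("!HIHHH", signed_time >> 32, signed_time & 0xFFFFFFFF, fudge, error, len(other)) + other)


def tsig_sign(msg, keyname, alg, secret, now=None, fudge=300):
    """Client side: MAC over the whole message plus the TSIG variables, appended as the last RR."""
    now = int(time.time()) if now is None else now
    mac = hmac.new(secret, msg + tsig_variables(keyname, alg, now, fudge), ALGORITHMS[alg]).digest()
    rdata = (encode_name(alg) + struct.pack("!HIHH", now >> 32, now & 0xFFFFFFFF, fudge, len(mac)) + mac
             + struct.pack("!HHH", struct.unpack("!H", msg[:2])[0], 0, 0))  # original ID, error, other len
    tsig_rr = encode_name(keyname) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + tsig_rr


def tsig_verify(signed, keys, now=None):
    """Server side. Returns NOERROR or the name of the error the server would answer with."""
    now = int(time.time()) if now is None else now
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    off, tsig_start = 12, None
    for _ in range(qd):
        off = read_name(signed, off)[1] + 4  # skip QNAME, QTYPE, QCLASS
    for i in range(an + ns + ar):
        start = off
        name, off = read_name(signed, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", signed[off:off + 10])
        off += 10
        if rtype == TSIG_TYPE:
            if i != an + ns + ar - 1:
                return "FORMERR"  # the TSIG RR must be the last record in the message
            tsig_start, tsig_name, rdata = start, name.lower(), signed[off:off + rdlen]
        off += rdlen
    if tsig_start is None:
        return "REFUSED"  # no signature at all: the zone's update policy, not TSIG, turns it away
    if off != len(signed):
        return "FORMERR"  # trailing garbage
    alg, p = read_name(rdata, 0)
    time_hi, time_lo, fudge, mac_size = struct.unpack("!HIHH", rdata[p:p + 10])
    mac, p = rdata[p + 10:p + 10 + mac_size], p + 10 + mac_size
    orig_id, error, other_len = struct.unpack("!HHH", rdata[p:p + 6])
    other = rdata[p + 6:p + 6 + other_len]
    if tsig_name not in keys or keys[tsig_name][0] != alg.lower():
        return "BADKEY"
    # Rebuild exactly what the client signed: its message ID, ARCOUNT without the TSIG RR, no TSIG RR.
    unsigned = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", ar - 1) + signed[12:tsig_start]
    signed_time = (time_hi << 32) | time_lo
    expected = hmac.new(keys[tsig_name][1], unsigned + tsig_variables(tsig_name, alg, signed_time, fudge, error, other),
                        ALGORITHMS[alg.lower()]).digest()
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"
    if abs(now - signed_time) > fudge:
        return "BADTIME"  # outside the replay window (nsupdate's default fudge is 300 s)
    return "NOERROR"


def demo(now=1392990000):
    """Sign 'update add host.some.zone.tld. 86400 A 5.6.7.8' and show what the server checks."""
    msg = build_update("some.zone.tld.", "host.some.zone.tld.", "5.6.7.8", msg_id=0x1234)
    signed = tsig_sign(msg, KEY_NAME, ALG, SECRET, now=now)
    i = msg.index(b"\x05\x06\x07\x08")  # where the A record's address sits; flip its last octet
    tampered = signed[:i] + b"\x05\x06\x07\x09" + signed[i + 4:]
    return {"valid": tsig_verify(signed, SERVER_KEYS, now=now + 10),
            "tampered": tsig_verify(tampered, SERVER_KEYS, now=now + 10),
            "wrong_secret": tsig_verify(signed, {KEY_NAME: (ALG, b"x" * 32)}, now=now + 10),
            "unknown_key": tsig_verify(signed, {}, now=now + 10),
            "stale": tsig_verify(signed, SERVER_KEYS, now=now + 600),
            "unsigned": tsig_verify(msg, SERVER_KEYS, now=now)}


if __name__ == "__main__":
    print(demo())
```

demo() returns one status per case. Two things the nsupdate session hides are visible here: the MAC covers the record data, so the tampered case fails even though the key is right, and the time-signed field plus fudge is the only replay protection TSIG has, so a client whose clock is off by more than five minutes gets BADTIME rather than a policy error.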

Have fun.



February 19 2014

15:08
Mercedes drivers and their interpretation of a lane

February 07 2014

00:34
The super toilet

January 10 2014

01:10
Sitting by the Hearthstone #1

January 09 2014

17:47
Convenient side effects

December 28 2013

22:56
Seidenstraße Operations @30c3