FreeBSD Developer Summit – BSDCan 2014 – DNS WG

The DNS Working Group at the FreeBSD Developer Summit at BSDCan this year was off to a good start by noticing that DNSSEC validation could not work on the University of Ottawa’s wireless network. The university’s resolvers added additional records to the root zone, thus failing validation at the root. This led to some discussion on how to provide a user-friendly way to explain this in an understandable way to the user and give the user a choice between turning off validation or finding another network. This is certainly going to be a major problem when turning on validation by default, as broken resolvers are very common at hotels, coffee shops, etc.

On a more positive note, all the FreeBSD project’s zones are DNSSEC signed and all project-owned servers have SSHFP records in the zone. Dog food was eaten.

Dag-Erling Smørgrav started off by giving an overview of the current state of affairs. ldns and unbound are imported into base in HEAD and 10.x. unbound is meant to act as a local resolver only and as it is not linked to libevent, it will not scale to anything else. For a network-wide resolver or any other configuration, it is recommended to install unbound from ports. DES further went into some of the implementation details on how the base unbound is installed to make sure it does not conflict with an unbound installed from ports.

DES explained some issues he encountered with local and RFC1918 zones which are filtered by default by unbound. Others reported no issues with the right configuration options, so more investigation is needed.

Some people reported having difficulty getting patches accepted upstream by NLNetLabs, which gave some cause for concern as we clearly want a good and active working relationship with our DNS vendor. Others reported no problem working with NLNetLabs, quite the opposite: they are very interested to see the work going on in operating systems, so we’ll just need to build upon that relationship and make sure to invite them to the next WG meeting. Patches that are currently being worked on (DES has some code cleanups, Björn a DNS64 feature) should be submitted through the “normal” submission and review process with NLNetLabs, and we’ll see how that goes.

Erwin Lansing started the brainstorm session on future work. Some command line tools would be nice to have; drill does most things one wants, but people are too used to writing dig, and dig has many more options. Peter Wemm would like to see contrib scripts like ldns-dane, which are just really easy to use. The control socket should be a unix socket; there’s a patch floating around that should be submitted upstream.

The “Starbucks” problem came up again, with a proposal to turn on val-permissive-mode by default. Another solution may be by looking at how unbound-trigger does its magic.
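As an added illustration, not taken from the WG notes or from any FreeBSD or NLNetLabs code, the two unbound.conf settings discussed above (val-permissive-mode for the “Starbucks” problem, and the RFC1918 reverse zones that DES found filtered by default) side by side; it assumes a current unbound, and the zone names are placeholders:

```conf
server:
    # Default: strict validation. Answers that fail DNSSEC validation are
    # dropped and the client gets SERVFAIL, which is what breaks on a
    # captive-portal or record-injecting resolver ("Starbucks" problem).
    val-permissive-mode: no

    # Proposed default from the WG: keep validating, but hand bogus answers
    # to the client anyway. The AD bit is never set on such answers, so an
    # application that checks AD can still tell validated from unvalidated
    # data; an application that does not check AD silently loses protection.
    # val-permissive-mode: yes

    # Reverse zones for RFC1918 space are served empty (AS112-style) by
    # default. "nodefault" turns that off for a zone so queries go upstream,
    # and domain-insecure stops the chain of trust from marking the local,
    # unsigned zone as bogus.
    local-zone: "10.in-addr.arpa." nodefault
    domain-insecure: "10.in-addr.arpa."

    # Same treatment for an unsigned local forward zone (placeholder name).
    domain-insecure: "corp.example."
```

With permissive mode the resolver still logs validation failures, so the choice is really about whether the user is told by the application (AD bit) or by the resolver (SERVFAIL).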

After a coffee break, Peter Losher, ISC, went over some of the recent changes at ISC. BIND10 development has been handed over to a new project and ISC will concentrate on BIND9 and a stand-alone project for the DHCP component. BIND 9.10 was recently released and plans are in place for 9.11. ISC is open to suggestions and feature requests.

Peter brought up the topic of clientID, for which an IETF draft (draft-edns0-client-subnet) is available. This would help clients find the nearest CDN node, etc. ISC wants this to be an opt-out in operating systems, as it will peel off a layer of anonymisation, and it should be controllable by the user.

Next up was Michael Bentkofsky, Verisign, who, while not involved in the project himself, gave an introduction to the getDNS API, which is a replacement for getaddrinfo and allows the stub resolver to get validation information down at the client level. It’s available in ports. The discussion went into more of a brainstorm on how applications should get DNS and DNSSEC information and who gets to make decisions about its security. There should be a clear separation between policy and mechanism, where application programmers should not have to worry about this; it should be a system policy. There should be a higher level API where an application can basically ask the operating system for a “connection” and the operating system takes care of everything behind the scenes (DNS, DNSSEC, SSL, DANE, etc.) and just returns a socket, with some information on how the connection was established and which security mechanisms were used. In FreeBSD, it would make sense to let the Casper daemon hand out the different sub-tasks to ensure all lookups, cryptography, etc. are properly compartmentalised. One potential problem with passing on additional information is that all DNS lookups currently go through nsswitch, which would need to grow knowledge about that data as well. Are people still using other mechanisms for hostname lookups besides the hosts file and DNS? We can probably just remove nsswitch from the hostname lookups.

The session ended with some aims for the 11.0 release. We’ll need to have a wider discussion about the aforementioned removal of nsswitch out of the hostname lookups. We’ll also need a better understanding of what API capabilities applications may need. Can Casper provide all these? Can it run unbound behind the scenes to do all the DNS “stuff” for it? Can we capsicumize unbound and will that be accepted upstream? Enough food for thought and even more for writing code.

Thanks again to DK Hostmaster for sponsoring my trip to BSDCan this year, and see you at the DNS WG meet up at EuroBSDCon in Sofia in September.

ICANN49, Singapore

For those who haven’t noticed in any of the other media, I attended the ICANN49 conference in Singapore last week. We live in interesting times, with the NTIA announcement taking the spotlight, but lots of developments in (DNS) security and DNSSEC in particular. For now though, here’s some pictures.


New PGP key

As my old PGP key has passed its 15th birthday, and cryptology has improved in the meantime, it is about time to roll my key.

The old key is:
pub 1024D/0xAB2F5A5B15256990 1998-07-03
Key fingerprint = FB58 9797 299A F18E 2D3E 73D6 AB2F 5A5B 1525 6990

And the new key:
pub 2048R/0x517BE614A5C1EEC7 2013-09-24 [expires: 2018-09-23]
Key fingerprint = 6AFC 44AA 53E9 82A4 4BC7 1DB7 517B E614 A5C1 EEC7

The new key is signed with the old key, so make sure to check the signatures when importing the new key. The old key will be valid for a while, but I would prefer to use the new key.

Vendor Summit at EuroBSDCon 2013

For the third year in a row, we’ll be organizing a Vendor Summit during the Developer Summit prior to the EuroBSDCon conference, this year in Malta on September 26 and 27. In previous years, we’ve had a number of presentations by companies, like NETASQ, pfSense and Netflix, on how they successfully built their products and services on top of FreeBSD, and how contributing code back to the community actually can save them money in the long term by reducing internal maintenance costs.

This year, I’d like to change the focus more towards an open discussion between vendors and other large consumers, not only so you can learn from each other, but also so the FreeBSD community can learn more about how their product is used. We’ve long heard that binary packages were the Achilles heel of FreeBSD. Are we on the right track with PKGNG? Java support is another issue, but is there anything else you are missing that maybe some other company already has a solution for and could contribute, but hadn’t thought anyone else was looking for? Or maybe you have a problem that’s too big for one company to fix, but can be fixed if some of you together fund a project to do so. The FreeBSD Foundation might be able to help.

This is an invitation-only event, please contact me at erwin@freebsdfoundation.org if you would like to attend. If you have anything to present or any topic you would like to discuss, please contact me as well. This will be an informal event, but we welcome a few short presentations.

Ports and Packages Summit at EuroBSDCon 2013

The FreeBSD project has provided pre-built ready-to-install binary packages for many years on a best-effort basis. While these packages do work in a large number of cases, there are too many inconsistencies and failure combinations, from the unpredictable update frequency to dependency handling across upgrades, for them to be used on a wider scale. After many months of work, we’re nearing a paradigm shift in both the format of the packages, and the building and distribution of the packages with the new PKGNG tools.

At the upcoming Developer Summit at the EuroBSDCon conference in Malta on September 26 and 27, there will be another Ports and Packages Summit, which will center on a round-table brainstorm that begins with a summary of the tremendous progress made in the last 12 months, and closes with a discussion of the roadmap on how to improve binary package creation, distribution, installation and upgrading. Please contact me if you have any topics you’d like to present or discuss. It will be an informal gathering, no formal slides or presentations are required.

As always, the DevSummit is an invitation-only event, so also contact me at erwin@FreeBSD.org if you want to participate.

Cloud services

After reading Jens Rohde’s post listing all his social media and other cloud activities, I thought I’d list mine as well.

  • WordPress (self-hosted) for blog and website, and some pictures as well.
  • Apache::Gallery (self-hosted) for all kinds of pictures, though not as much recently as I’d like to.
  • Twitter: yes, I’m there (and still don’t like them for punishing me with a 6 character minimum username as a first mover).
  • Facebook: yup, there as well, but don’t expect me to read it, it’s mostly a passive account.
  • Pocket: formerly Read-It-Later, the previous name describes it pretty well; really nice iPad app.
  • Newsblur: RSS feeds after Google shut down Reader. Great iPhone/iPad apps. I looked into tt-rss several times to host myself; the last time I looked, it did have a really nice web interface and iPhone web app, but neither of those worked great on the larger touch screen of an iPad. A lot of development has happened since, so this may have changed.

Let me end with a shout out to Sparkleshare. Not so much social, but added as a bonus item. While I do use Dropbox as well, mostly for sharing between computers and iPhone/iPad, Sparkleshare is built around git and is independent of where it is hosted. If you want to use a more “cloudy” service, like github, it’s supported, but you can also set up your own server and no longer be bound by space limits (except for the harddisks you buy) or depend on a 3rd party provider with a random server in a random datacenter in some random country governed by a very long EULA, which makes it a lot more secure for your personal, financial, or otherwise sensitive documents. Unfortunately, there are no phone or tablet apps. For those without an always-on server somewhere, BitTorrent Sync, just released in alpha, might be a better alternative.

Until the cows come home


Which I’m sure they won’t be for a long time after being released into the fields for the first time after a long winter.

Welcome to Japan (while still in mainland China)


Luxury hotel amenities


Casablanca by night (fall)
