Friday, August 13, 2010

Configure TSIG between DNS master and slave

Generating SIG(0) Keys

SIG(0) keys are generated with the following command:

$ dnssec-keygen -a <algorithm> -b <bits> -n HOST <name>

<algorithm> is the desired algorithm of the key and can be any of the following values: RSAMD5, RSASHA1, DSA. We recommend that you use RSAMD5.

<bits> is the desired size in bits of the key; the valid range depends on the algorithm:

* RSAMD5: 512 to 4096 (recommended size 1024)
* RSASHA1: 512 to 4096 (recommended size 1024)
* DSA: 512 to 1024 (must be divisible by 64, recommended size 1024)

<name> is the name of the key. Since it must be published in the zone file, it should be a subname of the zone it is published in. It is recommended that the key name be the fully qualified domain name of the host so that the update-policy self rule works correctly (see Section 6.2.22.4 of the BIND ARM for more information on update-policy).

The key will be stored in the file K<name>+<algorithm>+<id>.private

<id> is an identity tag used to differentiate between different keys under the same name.

There will also be a corresponding K<name>+<algorithm>+<id>.key file that contains a DNS KEY resource record formatted for inclusion in the zone file.

One possible problem that can be encountered with dnssec-keygen is that it might use up all the entropy in /dev/random before it is done generating the key. This will make dnssec-keygen appear to hang, when in fact it is simply waiting for more entropy. One solution to this is to use the -r parameter, which allows you to specify another random device, such as /dev/urandom.

Configuring the DNS Server

Configuring the server also depends on which type of key you choose.

TSIG Keys

The /etc/named.conf file must be edited to configure the server for dynamic update.

The first step is to configure the server to use the key. This is accomplished with the following lines in the /etc/named.conf file:

key <name> {
algorithm HMAC-MD5;
secret "<secret>";
};

<name> is the name of the key chosen when the key was generated (see the previous step, Generating TSIG keys).

<secret> is the string after the Key: line in the generated key file (see the previous step, Generating TSIG keys).

SIG(0) Keys

Only the zone file must be edited to configure the server for dynamic update with SIG(0). No changes are needed in /etc/named.conf, as the client's public key (not its private key) is placed in the zone file.

The first step is to add the generated key, using the K<name>+<algorithm>+<id>.key file, to the zone file. This generated key file contains a properly formatted resource record that can simply be copied and pasted into the zone file.

If you are using DNSSEC signed zones, then the next step is to re-sign your zone.

Allowing Updates

The final step is to configure the zone to allow updates using the key. The following statements should be added to the zone options block in /etc/named.conf. The simplest configuration is to add:

update-policy {
grant <keyname> name <hostname> A TXT;
};

e.g.

zone "example.com" {
type master;
file "master/example.com";

update-policy {
grant foo.example.com. name foo.example.com. A TXT;
};
};

Complex example with a number of hosts allowed to update only their own A+TXT records and one master key allowed to update anything:

update-policy {
grant host1.example.com. name host1.example.com. A TXT;
grant host2.example.com. name host2.example.com. A TXT;
grant host3.example.com. name host3.example.com. A TXT;
grant host4.example.com. name host4.example.com. A TXT;
grant bofh.example.com. subdomain example.com. ANY;
};

Simple example where every key can update the A+TXT records of its matching hostname:

update-policy {
grant * self * A TXT;
};

Note: update-policy is described further in Section 6.2.22.4 of the BIND ARM.

The allow-update statement can also be used; it allows the key to modify any data in the zone. Using the more fine-grained access control of update-policy is recommended.

allow-update {
key <keyname>;
};

<keyname> is the name of the key chosen when the key was generated (see the previous step on generating keys).
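As an added illustration (not part of the original howto), the following Python script reads a dnssec-keygen .private file as described above, checks that its Key: line holds a well-formed secret, and emits the named.conf key statement together with a single-host update-policy grant of the form shown earlier. The file name, secret and function names are constructed for this example.

```python
import base64
import re

# Constructed sample .private file for an HMAC-MD5 TSIG key. The secret is made up;
# a real one comes from: dnssec-keygen -a HMAC-MD5 -b 512 -n HOST foo.example.com.
SAMPLE_FILENAME = "Kfoo.example.com.+157+12345.private"
SAMPLE_CONTENTS = """\
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: Y29uc3RydWN0ZWQta2V5IQ==
"""
# BIND's private algorithm numbers for HMAC (TSIG) keys; 157 is the page's HMAC-MD5.
TSIG_ALGORITHMS = {157: "HMAC-MD5", 161: "HMAC-SHA1", 163: "HMAC-SHA256"}
# Key files are named K<name>+<algorithm>+<id>.private
FILENAME_RE = re.compile(r"^K(?P<name>[^+]+)\+(?P<alg>\d{3})\+(?P<id>\d{5})\.private$")


def parse_private_key(filename, contents):
    """Return the key name, algorithm number and base64 secret from a .private file."""
    m = FILENAME_RE.match(filename)
    if not m:
        raise ValueError("not a K<name>+<algorithm>+<id>.private file name: " + filename)
    alg = int(m.group("alg"))
    if alg not in TSIG_ALGORITHMS:
        raise ValueError("algorithm %d is not an HMAC (TSIG) algorithm" % alg)
    fields = {}
    for line in contents.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            fields[label.strip()] = value.strip()
    secret = fields.get("Key", "")
    # A truncated or garbled secret makes every signed update fail to verify,
    # so reject anything that is not well-formed base64 of at least 128 bits.
    if not secret or len(base64.b64decode(secret, validate=True)) < 16:
        raise ValueError("Key: line missing or shorter than 128 bits")
    return {"name": m.group("name"), "algorithm": alg, "secret": secret}


def key_statement(key):
    """named.conf 'key' block for the parsed key (placed outside any zone block)."""
    return 'key %s {\n\talgorithm %s;\n\tsecret "%s";\n};' % (
        key["name"], TSIG_ALGORITHMS[key["algorithm"]], key["secret"])


def update_policy_statement(key, rrtypes=("A", "TXT")):
    """'update-policy' block letting the key change only its own host's records."""
    name = key["name"]
    if not name.endswith("."):
        # grant rules compare absolute names, so a relative key name would never match
        raise ValueError("key name must be a fully qualified domain name")
    return "update-policy {\n\tgrant %s name %s %s;\n};" % (name, name, " ".join(rrtypes))
```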

http://www.ops.ietf.org/dns/dynupd/secure-ddns-howto.html

Wednesday, July 14, 2010

Reset mysql root password - in LAMP / XAMPP

Once I forgot the mysql root password of my laptop computer, which has Fedora 10 and also XAMPP running on it.

When I searched the Web there were so many solutions and none of them worked for me. However, I could get an understanding of the issue....

With that, I worked out the following way to get rid of the issue:

1. Stop mysqld
2. Start /opt/lampp/sbin/mysqld --skip-grant-tables --user=nobody
3. Open a new terminal and type: mysql -u root
4. Execute the following commands in order:
shell> mysql
mysql> UPDATE mysql.user SET Password=PASSWORD('MyNewPass') WHERE User='root';
mysql> FLUSH PRIVILEGES;
mysql> exit

Now it's done.

You may think that you can use phpMyAdmin after step 2 to reset the root password. But it was not working for me, though I have phpMyAdmin. So I worked it out at the mysql prompt.

After this everything was working well...

But I was not sure about one thing: I could not stop / restart the mysql service as usual...
So what I did is, I restarted the machine... So simple, huh!... but this is not possible on production servers....

Does anyone know the solution for this?

Enjoy!....

Wednesday, June 30, 2010

Launch of .ලංකා and .இலங்கை domains

On the 28th of June 2010, the .ලංකා and .இලங்கை domains were formally opened for registration. Now anyone who has a .lk domain can request the .ලංකා and .இலங்கை domains for free.

This launch was held at the Mount Lavinia hotel and many people from around the world participated in it, including an ICANN board member.

This is a historic event, because the .lk domain was added to the root servers on 15th June 1990. Until that date Sri Lanka was identified by the two letters .lk. But from 28th June 2010 onwards the country can be indexed using .ලංකා and .இலங்கை.

Another notable point is that these are the two domains which are going to be added to the root servers in the South Asian region, and .இலங்கை is the first Tamil domain which is going to be added.

Though only people in Sri Lanka can access these Sinhala and Tamil domains now, from August onwards everyone in the world should be able to type a URL in Sinhala or Tamil and reach the respective web sites.

Currently there are a few IDNs assigned to government sites, e.g.
http://தளம்.பாராளுமன்றம்.இலங்கை
http://වෙබ්.පාර්ලිමේන්තුව.ලංකා

I am very happy that I also could take part in these developments and this event.

Visit www.nic.lk to register and also visit www.idns.lk to get more information about this.

Tuesday, June 29, 2010

Niue - A country - Population is 1000

I had a chance to attend the APTLD (Asia Pacific Top Level Domain) meeting which was held at the Mount Lavinia hotel on 27-28 June 2010. Many people from the Asia Pacific region who maintain domain registries also came to that meeting.
I met a person called Stafford Guest. His native country is Niue!

Niue! It was the first time I had heard that name. This is an island located near New Zealand. Though it got its independence in 1974, it is still getting symbiotic support from New Zealand.

The interesting things to note are:
- The population of the country is 1000!
- The total internet bandwidth the country has is 4 Mbps :-) I have more than that on my PC
- There is only one hotel
- It can only be reached by flights, and those operate once a week. Therefore if you would like to attend a meeting somewhere else you may need to leave at least 8 days before.....
- No cinema...
- No big shopping malls....

Hard to believe, isn't it!

I was really surprised when he told me all this!

But you know, it looks so beautiful. Nice beaches (though rough)... Full of coconut trees (I saw some pictures on Google Images)

I also found that Niue means "Behold! Coconut"

Monday, May 10, 2010

bdb_db_open: Warning - No DB_CONFIG file found in directory /var/lib/openldap-data: (2) Expect poor performance

"bdb_db_open: Warning - No DB_CONFIG file found in directory /var/lib/openldap-data: (2) Expect poor performance for suffix XXXXXXXX"

When I worked on OpenLDAP on the Fedora 10 platform I got the above error.

Solution:

cp /usr/share/doc/openldap-servers-2.4.XX/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/DB_CONFIG
service ldap restart

This worked for me. Hope it will for you too. Good luck.

To view the solutions for other platforms visit: http://readthefuckingmanual.net/error/1256/