Friday, August 31, 2007

MaraDNS snap; POSIX thoughts

I have released a new snapshot of MaraDNS on the MaraDNS snapshot page today. This is a very minor set of improvements: I have added a couple of shell scripts in the tools/misc directory that make it easier for me to release new versions of MaraDNS. There's nothing here for end-users of MaraDNS.

Starting tomorrow, MaraDNS snapshots will be in this directory.

Looking at the POSIX specification, there's some cruft in there, notably the uucp program. UUCP was a way of transferring files between UNIX computers that was popular in the 1980s and lingered on through the 1990s. It was a way of getting email and USENET on a computer that would only be online for a short period of time. I remember around 1997, when NetCom (my first dot-com job) finally completely canceled UUCP access, since the UUCP programs we had were acting up and no one knew how to fix them.

Thursday, August 30, 2007

There's more to DNS than BIND and DjbDNS

Back in early 2001, there were only two DNS servers available: BIND and DjbDNS. Both DNS servers had problems: BIND constantly had security problems in it that gave attackers remote root access to systems. DjbDNS had a non-open source license and a disregard for standards that made using it problematic.

The feeling was that a new DNS server needed to be made. So I started developing MaraDNS. It was a lot of work; DNS is a non-trivial protocol.

Six years have passed since then and a number of DNS servers have come and gone. The ones that are still being actively maintained are my own MaraDNS, NSD, and PowerDNS. [1]

However, whenever a discussion about DNS servers comes up, we get the same BIND-vs-DjbDNS flame war rehashed over and over again. The flame wars are based on the following outdated bits of information:
  • BIND has privilege escalation security holes coming out every month (not true since BIND9 became viable in 2002 or 2003)
  • DjbDNS has no security holes (not true: DjbDNS has an unpatched remote denial of service security hole)
  • There are no free DNS servers besides BIND and DjbDNS (Not true; there are three other active open-source DNS servers)
Here is an example posting showing how people are still living in 2001 when it comes to DNS servers.

So, people, wake up and smell the coffee. There are no fewer than three other DNS servers being actively maintained. We are no longer in a BIND-and-DjbDNS world. BIND is no longer a remote root exploit waiting to happen.

- Sam

[1] There are some other DNS servers that are no longer actively maintained or on life support: pdnsd (the last update is from a year ago) and posadis (last update three years ago). There's also MyDNS (last update almost two years ago), which is a "one trick pony" DNS server for people who want to use a database to manage DNS records.

Wednesday, August 29, 2007

MaraDNS update: All versions

The good news is that it only took me about 15 minutes to find and reproduce the bug that was causing the improper resource record rotation. The bad news is that the bug that causes the rotation is one that enables a remote denial of service. Hence, I updated all three supported versions of MaraDNS (1.0, 1.2, and 1.3) last night to fix this bug.

Basically, someone can send a specially crafted DNS packet to the DNS server that will make an authoritative CNAME record not resolve. The workaround to disable this denial of service is to add the following line to the mararc file:

max_ar_chain = 2

The fix is to download MaraDNS 1.0.41/1.2.12.08/1.3.07.04 from the MaraDNS download page or to download MaraDNS 1.2.12.08 from the Sourceforge MaraDNS page.

All distributions are strongly encouraged to update to 1.2.12.08, or to 1.0.41 if still using the 1.0 branch of MaraDNS. Please remember, 1.0 users, that non-security bugfixes in MaraDNS 1.0 will no longer be applied after December 21 of this year.
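
The symptom above, an authoritative CNAME that no longer resolves, is something a monitoring script can test for. The following is an added example and not MaraDNS code: it parses the answer section of a DNS response (handling name compression) and reports whether the CNAME chain for the queried name ends at an A record. It assumes the failure shows up as a CNAME answer without its target's address; the sample packets are constructed, not captured traffic.

```python
# Added example (not MaraDNS code): parse the answer section of a DNS response
# and check that a CNAME chain ends at an A record.
import struct

def read_name(msg, off):
    """Decode a possibly compressed domain name; return (name, next_offset)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            end = end if jumped else off + 2
            jumped, off = True, struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_answers(msg):
    """Return (owner, type, rdata) for each RR in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):                          # skip the question(s)
        off = read_name(msg, off)[1] + 4
    answers = []
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        # CNAME rdata is a (possibly compressed) name; everything else stays raw
        rdata = read_name(msg, off)[0] if rtype == 5 else msg[off:off + rdlen]
        answers.append((owner, rtype, rdata))
        off += rdlen
    return answers

def cname_resolves(msg, qname):
    """True if following CNAMEs from qname reaches an A record in the answer."""
    answers = parse_answers(msg)
    name = qname.lower().rstrip(".")
    for _ in range(8):                                # bound the chain length
        if any(o == name and t == 1 for o, t, r in answers):
            return True
        targets = [r for o, t, r in answers if o == name and t == 5]
        if not targets:
            return False
        name = targets[0]
    return False

# Constructed response (not captured traffic): www.example.com CNAME
# host.example.com, followed by host.example.com A 192.0.2.1.
HEADER = b"\x12\x34\x84\x00\x00\x01\x00\x02\x00\x00\x00\x00"
QUESTION = b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"
CNAME_RR = b"\xc0\x0c\x00\x05\x00\x01\x00\x00\x0e\x10\x00\x07\x04host\xc0\x10"
A_RR = b"\x04host\xc0\x10\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01"
GOOD = HEADER + QUESTION + CNAME_RR + A_RR
# The same answer with ANCOUNT=1 and the A record dropped: the CNAME dangles.
BAD = HEADER[:7] + b"\x01" + HEADER[8:] + QUESTION + CNAME_RR
```

A cron job that sends the query with a stock resolver library and feeds the raw response to cname_resolves() would flag the regression before users notice it.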

I would like to thank Michael Krieger, whose bug report helped me find and fix this problem.

Tuesday, August 28, 2007

MaraDNS snapshot update

For people who have been looking at the August 2007 MaraDNS snapshot directory, I quietly uploaded a couple of updates this weekend. Both of these updates were minor typo-fix updates; I would like to thank Joerg Sonnenberger and Brandon Holbrook for their bug reports.

Today, the update is a little more major. I have made a script that runs all of the SQA regressions, as a single script. I have also updated the SQA tests to be easily pass/fail tested, so that the script can figure out if a given test has succeeded. While the script takes a couple of minutes to run, this allows me to easily run the script whenever I want to make sure a given release is ready to make public.

The only other TODO I have for the 1.3 branch before christening it stable is to find and fix the bug that causes improper RR rotation. Also, if anyone who uses pkgsrc wants to contribute some patches to make MaraDNS more pkgsrc-friendly, please do so. The people who whine and complain to me about MaraDNS not playing well with pkgsrc strangely become silent when I ask them for patches to actually fix the problem.

I'll probably also make sure the documentation is OK.

I may be able to declare MaraDNS stable on September 21, 2007, if everything continues to go well.

- Sam

Friday, August 24, 2007

Linux fanboys are annoying

You know, as a long-time Linux advocate, I find Linux fanboys to be very annoying. The thing that is most annoying about them is that they are loud-mouthed, deluded, and have an irrational hatred of Microsoft. Linux Weekly News has been somewhat immune from the invasion of the Linux fanboys until fairly recently, probably because you have to pay or (like myself) wait a week before reading their news. However, this is changing; here is an example of the fanboys being annoying on LWN. Here, the fanboys go on with their anti-Microsoft shilling in an article about the Python programming language, of all things, simply because the linked article had a Microsoft ad in it.

Ugh.

They also spread nonsense like OpenOffice being just as full-featured as Microsoft Office. It isn't. Let me give you just one example: Microsoft Office, since at least Office 2000, has an easy way for you to assign special symbols to keypress combinations. OpenOffice doesn't. This is a known bug. The reason why MS Office can have this feature and OO doesn't is because OO doesn't have the manpower to add features like this. This is because you didn't pay for the software, so there isn't enough money to pay developers to make the software as feature-full as MS Office is.

Another example: I have installed Firefox on countless Windows machines. It was clean; in particular, since I am bilingual, I like to have its built-in spellchecker switch between English and Spanish easily, depending on which language I'm writing in. All I had to do in Windows was add Spanish, and the list could be used quickly, since it only had English and Spanish. In Ubuntu, Firefox had dozens of languages in it. There was no way, in the package management system (Synaptic), to remove these languages. I finally had to go into /usr/lib/firefox/dictionaries and remove the dictionaries by hand.

Ugh again.

Now, Linux does have advantages over Windows. The price is better. The development and *NIX environment is a very productive environment for someone who knows UNIX's arcane commands. I really like the FVWM1 window manager, which was a fast and light window manager in 1995, and is today lightning-fast. But Linux isn't ready to be an end-user desktop. Not yet.

- Sam

Thursday, August 23, 2007

MaraDNS snapshot update

I have made some minor updates to the MaraDNS snapshot. I have verified that the example mararc file included in the zoneserver manpage works as advertised. I have also added a couple of other tests to the SQA process.

My next step is to automate the SQA process so that all one has to do, on a Linux system with valgrind, is run a single script, which will run each SQA test and tell you if you have passed or failed the SQA test, and stop testing if any of the tests fail.

I also want to move the documentation for many of the SQA tests from the single top-level README file into README files in the corresponding folders--the newer tests already have documentation in this form; the older tests do not.
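
A single-script runner of the kind described above (run each SQA test, report pass or fail, stop at the first failure, and note which test folders still lack a README), written here as an added example rather than MaraDNS's own script. It assumes each test lives in its own directory under sqa/regressions and is driven by an executable named "run" (a hypothetical name) that exits 0 on pass; the sample suite it builds for a dry run is constructed, not real MaraDNS tests.

```python
# Added example (not MaraDNS's own SQA script): run every regression test in
# turn, report PASS/FAIL from its exit status, and stop at the first failure.
# Assumes each sqa/regressions/<test>/ directory holds an executable named
# "run" (hypothetical name) and, ideally, a README describing the test.
import os
import shutil
import subprocess
import tempfile

def find_tests(root):
    """Sorted test directories under root that contain an executable 'run'."""
    return sorted(entry.path for entry in os.scandir(root) if entry.is_dir()
                  and os.access(os.path.join(entry.path, "run"), os.X_OK))

def run_one(test_dir):
    """Run a single test in its own directory; return (passed, combined output)."""
    proc = subprocess.run(["./run"], cwd=test_dir, capture_output=True, text=True)
    return proc.returncode == 0, proc.stdout + proc.stderr

def run_suite(root, require_valgrind=True):
    """Run all tests, stopping at the first failure.
    Returns (all_passed, [(name, passed), ...]) for the tests that ran."""
    if require_valgrind and shutil.which("valgrind") is None:
        raise RuntimeError("valgrind not found; the SQA tests depend on it")
    results = []
    for test_dir in find_tests(root):
        name = os.path.basename(test_dir)
        if not os.path.exists(os.path.join(test_dir, "README")):
            print(f"{name}: warning, no README documents this test")
        passed, output = run_one(test_dir)
        results.append((name, passed))
        print(f"{name}: {'PASS' if passed else 'FAIL'}")
        if not passed:
            print(output)
            return False, results
    return True, results

def make_sample_suite():
    """Build a constructed three-test suite (pass, fail, pass) in a temp dir."""
    root = tempfile.mkdtemp(prefix="sqa-")
    for name, status in (("01_pass", 0), ("02_fail", 1), ("03_never_run", 0)):
        test_dir = os.path.join(root, name)
        os.makedirs(test_dir)
        script = os.path.join(test_dir, "run")
        with open(script, "w") as fh:
            fh.write(f"#!/bin/sh\nexit {status}\n")
        os.chmod(script, 0o755)
    return root

if __name__ == "__main__":
    ok, _ = run_suite(make_sample_suite(), require_valgrind=False)
    raise SystemExit(0 if ok else 1)
```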

I also have a patch from Joerg Sonnenberger that I will apply to the 1.3 series of MaraDNS.

After that, I will work on the "records rotate when they shouldn't" bug; in particular, I will see if I can reproduce it.

- Sam

Monday, August 20, 2007

MaraDNS snapshot update

I uploaded another MaraDNS snapshot today. In this snapshot, there are no major changes (Read: No new bugs found and fixed. Maybe MaraDNS is becoming 100% bug-free). However, I have added a few more SQA tests, and have updated the zoneserver man page and fixed a couple of typos in the tutorial documentation. After making the release, I realized that the example mararc in the zoneserver man page is a little inaccurate. This will have to wait until my next snapshot of MaraDNS.

The snapshot is available on the MaraDNS webpage.

In related news, I am also updating MOAM-CD.

I have managed to squeeze out more unused stuff; I got rid of a lot of kernel modules that won't be used on a basic web terminal, such as bluetooth drivers, non-X video drivers and a number of filesystems like reiserfs. This cleanup saved about five megs of space. I also removed some Cyrillic fonts (This CD is only for English and Western European language speakers).

For some reason, the .jar files (which are just .zip files under another name) in Firefox's Chrome folder are really poorly compressed; I used advancedcomp to recompress these files, saving 2.8 megs of space there. I also removed the C development environment, saving about 10 megs of space.

Once compressed, the amount of space saved was, in total, some ten megs. Yes, I now have a usable web browsing system complete with Firefox 1.5 in only about 27 megs. Which gives me a lot more space for other stuff, and even allows the system to fit on one of those square 30 megger business card CDs.

I have also updated the variable-width font, and Firefox is updated to be current with Firefox 2.0.0.5's security fixes. The two 2.0.0.6 security updates are not critical; the one critical bugfix is caused by Microsoft Windows' broken security model, and doesn't impact Linux.

In addition, I have added the VIA chipset Unichrome driver. X's auto-probe script is smart enough that, as soon as this driver was compiled and placed in /lib/xorg/modules/drivers, it auto-probes for the chipset. I tested things on a computer that I know uses this chipset, and the driver works like a dream.

I should have a release of moam-cd-0.6 later on this week. I need to make the width of the space "character" a little wider at 14 points with the "Sandals" font, and should make the 12-point "A" a little narrower (not as important, and harder to fix; the space fix is a one-character change in the appropriate .bdf file).

Thursday, August 16, 2007

MaraDNS releases: 1.2.12.07 and 1.3.07.03

Today I have released not one, but two major releases of MaraDNS: 1.2.12.07, the latest bugfix update to the stable branch of MaraDNS, and 1.3.07.03, the latest bugfix, SQA, and documentation update to the beta-test branch of MaraDNS.

1.2.12.07 fixes a number of fairly important bugs which were fixed a while ago in 1.3:
  • Bugfix: If bind_star_handling was set to 2, MaraDNS would leak memory when the existence of another RR stopped resolution using a star record.
  • Bugfix: bind_star_handling, when set to 2, now appears to do the right thing.
  • Bugfix: Non-critical double-free() removed.
  • Bugfix: askmara no longer goes in to an infinite loop when it receives an invalid TXT record.
  • Bugfix: csv2 parser now makes sure that TXT chunks are no longer than 255 characters in all cases.
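
The last two fixes both come down to the TXT wire format, where each "character-string" is a one-byte length followed by that many bytes: a chunk longer than 255 bytes cannot be encoded, and a decoder that does not guarantee progress on a malformed record can spin forever. The following is an added example, not the csv2 parser's or askmara's code, showing correct chunking, encoding that rejects oversized chunks, and a decoder that always terminates.

```python
# Added example (not the csv2 parser's or askmara's code): the TXT record
# wire format, which is why a chunk longer than 255 bytes is a bug.  Each
# "character-string" is a one-byte length followed by that many bytes.
MAX_CHUNK = 255

def split_txt(text):
    """Split text (str or bytes) into chunks of at most 255 bytes each.
    A str is split on UTF-8 byte boundaries, so a multibyte character may
    straddle two chunks; resolvers concatenate chunks, so this is harmless."""
    data = text.encode("utf-8") if isinstance(text, str) else bytes(text)
    return [data[i:i + MAX_CHUNK] for i in range(0, len(data), MAX_CHUNK)] or [b""]

def encode_txt_chunks(chunks):
    """Build TXT RDATA from already-split chunks, rejecting any over 255 bytes
    (the length prefix is a single byte, so a longer chunk cannot be written)."""
    out = bytearray()
    for chunk in chunks:
        if len(chunk) > MAX_CHUNK:
            raise ValueError("TXT chunk longer than 255 bytes")
        out.append(len(chunk))
        out += chunk
    return bytes(out)

def encode_txt_rdata(text):
    """Convenience wrapper: split the text, then encode the chunks."""
    return encode_txt_chunks(split_txt(text))

def decode_txt_rdata(rdata):
    """Parse TXT RDATA back into chunks.  The offset always advances by at
    least one byte and a short final chunk raises, so malformed input cannot
    make this loop spin forever."""
    chunks, off = [], 0
    while off < len(rdata):
        n = rdata[off]
        off += 1
        if off + n > len(rdata):
            raise ValueError("truncated TXT character-string")
        chunks.append(bytes(rdata[off:off + n]))
        off += n
    return chunks
```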

1.3.07.03 has two bugfixes, five SQA tests added, and some other updates. Not noted in the changelog is that I have moved the udpsuccess() function call into its own file. The thinking is to make the main MaraDNS.c file smaller, to make things more tidy and to make re-compiles faster.

My next plan for MaraDNS has not changed: Find the bug that is causing inappropriate rotation of resource records. This one appears to affect 1.0, 1.2, and 1.3, so I would like to find it. If I can't find it, I will completely rewrite the relevant RR rotation code.

I hope to find this bug before 1.0 becomes security-only updates on December 21st.

It would seem that some versions of BSD use a system called pkgsrc that basically assumes you use autoconf for building your program, something MaraDNS does not do. This makes it difficult for pkgsrc packagers to package MaraDNS. I won't fix this in 1.2, but it may be something worth changing for 1.3 if the changes do not disrupt things too much.

Tuesday, August 14, 2007

MaraDNS snapshot update

I have made a minor update to the MaraDNS snapshot today: I fixed the recurse_delegation test to give accurate test results. Currently, both 1.2 and 1.3 always, when both subdelegating and acting as a recursive resolver, give out the delegation records when asked for a name in a subdelegated domain. This is OK in 1.2; one should not have the same DNS server both subdelegating domains and performing recursion. This is a bug in 1.3; 1.3 should let you choose what MaraDNS does in this circumstance.

I will fix the 1.3 bug later on this week, and should release 1.2.12.07 Friday.

MaraDNS snapshot download link

- Sam

Monday, August 13, 2007

New MaraDNS snapshot

I made a lot of progress with MaraDNS yesterday. I have done most of the SQA tests I set out to do. I have found and fixed one bug: csv2_default_zonefile did not work without other zone files in the 1.3 branch of MaraDNS.

I may have found another bug: It looks like there are problems with recurse_delegation in 1.3; I will have to do some 1.3 and 1.2 tests. If there is a problem in 1.2, I will hold off the 1.2 release until I find and fix the bug.

I am also starting to split off the huge MaraDNS.c file; the large udpsuccess() routine now has its own file. This way, the code should be a little easier to manage.

My short term plans for MaraDNS: Later on this week, or possibly early next week, release 1.2.12.07, which has a number of non-critical bugfixes compared to 1.2.12.06 released three months ago. I also plan on releasing 1.3.07.03 later on this week, possibly even on the same day as 1.2.12.07.

My medium term plans for MaraDNS: I plan on making the 1.3 branch stable on December 21, 2007. There is a long-term bug which has been reported to me twice: Sometimes records which should not rotate are rotated. The problem is probably either in udpsuccess() or udpany(); I will investigate this concern some more and hope to reproduce it. This code affects both 1.0 and apparently 1.2. If all else fails, I will completely rewrite the round robin rotation code for the 1.3.07 stable release of MaraDNS.

My long term plan is to write a stand-alone DNS recursor that will not use threads; there is a need for a truly open source small DNS recursor.

The snapshot can be downloaded here

Friday, August 10, 2007

Linux annoyance: /dev/hda now has large file problems

Ever since the creation of Linux in 1991, the way to mount IDE hard disks and CD-ROMs was to type in something like mount /dev/hda1 /mnt, or for an IDE CD-ROM drive, something like mount /dev/hdc /mnt. However, this no longer works that well with the kernel that comes with Ubuntu 7.04 (2.6.20-16-generic). If a DVD is larger than four gigabytes in size, the CD/DVD-ROM drive cannot access the files past the four gig limit. This was not a problem with older Linux kernels; the kernel developers broke something that had been working for years.

Instead, one has to get the udftools package via sudo apt-get install udftools, configure the file /etc/default/udftools to point to the CD/DVD-ROM device, and then mount the DVD as /dev/pktcdvd/0. Ugh. As an aside, there are online guides for making UDF packet-writing DVDs (DVD-RWs that you can write to as if they were a huge floppy disk) that give bad directions. Please read the directions in the file /usr/share/doc/udftools/README.Debian.gz for correctly formatting a packet DVD. I now have two coasters that used to be DVD-RW blanks because I did not follow these directions, but instead trusted inaccurate on-line directions. In particular, I didn't do the essential growisofs -Z /dev/hdc=/dev/zero step between formatting the DVD-RW and putting the UDF filesystem on the DVD-RW, since the on-line guide did not mention this step.

Also, when mounting a DVD-RW, you really want to mount it like mount -o noatime /dev/pktcdvd/0 /mnt since otherwise it will do very slow writes when all you want to do is read some files. Yes, I actually learned something useful from reading a Slashdot discussion. Naturally, Slashdot misattributed a quote to Linus, but hey at least the information in this thread is useful.

Thursday, August 9, 2007

MaraDNS snapshot update

Another MaraDNS snapshot update today.

There are two main updates: I have updated the sqa/regressions/truncation test to run both on MaraDNS 1.3 and on MaraDNS 1.2 (so I can verify that the test shows the presence of the bug in old 1.2 releases but the non-presence of the bug in 1.3). I have also made some minor touch-ups to the bind2csv2.py documentation.

It is available here.

Tuesday, August 7, 2007

MaraDNS snapshot updated

OK, after neglecting MaraDNS for over a month (I was on vacation and did not have a computer to do MaraDNS work on during the vacation), I have finally released another snapshot of MaraDNS. This is only a very minor change: I have added a readme file to the sqa/regressions directory describing the various regression tests.

The big change is behind the scenes; I have successfully moved the MaraDNS development environment to my new Dell laptop running Ubuntu. While I will still compile the Windows and CentOS binaries on my older Thinkpad, the majority of the development will now happen on the newer Dell.

I hope to have more significant updates to the 1.3 branch soon.

I also plan on releasing 1.2.12.07 in a week or two; there are a number of 1.3 bugfixes that I have already backported.

- Sam

Wednesday, August 1, 2007

Linux distribution choosing made easy

One common complaint people have about Linux is that there are too many distributions to choose from. In response to this complaint, here is a simple list telling you what Linux distribution you should use:
  • If your computer was made in the last three years, get Ubuntu
  • If your computer is between three and six years old, get Xubuntu
  • If your computer is anything older, and is a 486 or better with 16 or more megabytes of RAM, get DeLi Linux
  • If your computer is even older than that, choosing which Linux distribution to use should be the least of your worries. Computers that old are usually falling apart; it can be nigh-impossible to get an antique like that to power on, much less install Linux on

- Sam