I've left out as much explanation of what's going on as possible. If you have questions about how DNSSEC works or what any of these commands are doing in detail, there are copious amounts of data on the Internet. Also, I'm using flat files, and the keys are just getting dumped in the same "master" directory as the zone file. This works for very simple setups, but I would not recommend organizing a large site this way.
Before starting, make sure your TLD and registrar support DNSSEC. If they don't support it, this is all for naught.
Create the "Key Signing Key"; this should be a reasonably good key, and it doesn't get used or transmitted much.
# dnssec-keygen -f KSK -a ECDSAP384SHA384 -b 4096 -n ZONE example.com
Generating key pair........+++ ...............................+++
Kexample.com.+014+51367
Create the "Zone Signing Key"; this one signs all the records in the zone. If you are concerned about security you should change this key regularly.
# dnssec-keygen -a ECDSAP384SHA384 -b 4096 -n ZONE example.com
Generating key pair......++++++++ ......++++++++
Kexample.com.+014+09261
You should now have four new files: two public and two private keys.
I recommend renaming the generated files to include which kind of keys they are.
# mv Kexample.com.+014+51367.key Kexample.com.+014+51367.ksk.key
# mv Kexample.com.+014+51367.private Kexample.com.+014+51367.ksk.private
# mv Kexample.com.+014+09261.key Kexample.com.+014+09261.zsk.key
# mv Kexample.com.+014+09261.private Kexample.com.+014+09261.zsk.private
Include the created public keys in your existing zone file, something like this:
$TTL 2h
@       IN SOA ns1.example.com. root.example.com. (
                1       ; serial
                3h      ; refresh
                10m     ; retry
                3w      ; expiry
                2h )    ; minimum
        IN NS   ns1
        IN NS   ns2
        IN A    192.168.2.1
        IN AAAA fe80::21e:67ff:feec:3c92
ns1     IN A    192.168.2.2
ns1     IN AAAA fe80::fd7d:2db0:e6c1:4e59
ns2     IN A    192.168.2.3
ns2     IN AAAA fe80::250:56ff:feba:21a9
$INCLUDE Kexample.com.+014+51367.ksk.key
$INCLUDE Kexample.com.+014+09261.zsk.key
; vim: sw=4 et
Sign your zone file. This generates a new "signed" version. Keep the unsigned version, update it whenever necessary, and repeat the signing process to generate a new signed version.
# dnssec-signzone -o example.com example.com.zone Kexample.com.+014+51367.ksk.key Kexample.com.+014+09261.zsk.key
Verifying the zone using the following algorithms: ECDSAP384SHA384.
Zone fully signed:
Algorithm: ECDSAP384SHA384: KSKs: 1 active, 0 stand-by, 0 revoked
                            ZSKs: 1 active, 0 stand-by, 0 revoked
example.com.zone.signed
Make sure you pass the arguments in this exact order.
Edit your 'named.conf' (or wherever the zone is specified) and make sure you are pulling from the "signed" file and not the original. Something like:
zone "example.com" {
    type master;
    file "master/example.com.zone.signed";
};
The world needs to know your KSK's fingerprint (the DS record your parent zone publishes); otherwise any server could be serving "trusted" signed DNS records.
# dnssec-dsfromkey -a SHA-384 -f example.com.zone.signed example.com
example.com. IN DS 17677 14 4 531F4B4324399490BEBC45EBA9624967C8AB8650481E53AB53CA982D7B4ADC710DFE6FD4873BCDE965ED67540C85EB18
Your registrar will have a page where you can "upload" this information. There are 4 key pieces of information in that output: the Key Tag is the 5-digit number, "17677" in this example; the Algorithm is the next number, "14"; the Digest Type is the next number, "4"; finally, the Digest is the long hex string at the end.
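The four DS values above are derived from the KSK's DNSKEY record (RFC 4034: key tag over the RDATA, digest over owner name plus RDATA). As an added example, not from the original post, this Python script recomputes them, so you can check that the DS your registrar actually published matches your key. The DNSKEY below is a constructed dummy with a 4-byte "public key", not a real ECDSA key.

```python
import base64
import hashlib
import struct

# DS digest types (RFC 4034, RFC 4509, RFC 6605); the post uses type 4 = SHA-384.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def owner_wire(name):
    """Canonical wire form of the owner name: lower-cased, length-prefixed labels, root terminator."""
    labels = [l.lower().encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner, dnskey_line, digest_type=4):
    """Compute (key tag, algorithm, digest type, digest) for a presentation-format DNSKEY RR."""
    fields = dnskey_line.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    digest = DIGEST_ALGS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest

def parse_ds(ds_line):
    """Split a DS RR as printed by dnssec-dsfromkey into the four values a registrar asks for."""
    fields = ds_line.split()
    i = fields.index("DS")
    tag, algorithm, digest_type = (int(x) for x in fields[i + 1:i + 4])
    return tag, algorithm, digest_type, "".join(fields[i + 4:]).upper()

def ds_matches_key(ds_line, owner, dnskey_line):
    """True when the published DS really points at this KSK (recompute and compare)."""
    published = parse_ds(ds_line)
    return ds_from_dnskey(owner, dnskey_line, published[2]) == published

# Constructed sample KSK: flags 257 (KSK), protocol 3, algorithm 14, dummy key bytes 01 02 03 04.
# A real ECDSAP384SHA384 key is 96 bytes, but the DS arithmetic is identical.
SAMPLE_DNSKEY = "example.com. IN DNSKEY 257 3 14 AQIDBA=="

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_from_dnskey("example.com", SAMPLE_DNSKEY)
    print(f"example.com. IN DS {tag} {alg} {dtype} {digest}")
```

Feed it your own DNSKEY line (from the .ksk.key file) and the DS line your registrar shows to confirm they agree.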
Keep in mind that it might take a few hours before you can verify your configuration. If it's still failing after a day, contact your registrar's support to see what is holding up the process. For a basic verification that signed records are accessible:
# dig +dnssec +short example.com
192.0.2.1
192.168.2.1
A 14 2 7200 20170302174936 20170131174936 21675 example.com. JPDk2tgoldOY/alcJko+91LCzxSHd5wNu2wn4Ds2rS7GaHoRITgK+yEZ 35hfnb5pi+AVIv63o5GuqHcFgjvQvTTM+SJXsWui3Maltn88hgKfBYS4 VNfXwdJodhYeHgRh
For a complete verification at every level, you first need a copy of the root keys (this fetches them over plain, unauthenticated DNS, so compare them with the root trust anchor IANA publishes before relying on them):
# dig . DNSKEY | grep -Ev '^($|;)' > root.keys
You will also need a copy of 'dig' built with the '-DDIG_SIGCHASE' option. Most *nix systems should have that already built in. (Newer BIND releases have dropped +sigchase in favour of 'delv'.) You can then run:
# dig +dnssec +sigchase +topdown +trusted-key=root.keys example.com
<-- Snipped output: there's a lot of diagnostic details in here -->
;; The Answer:
example.com.            6981    IN      A       192.168.2.1
;; FINISH : we have validate the DNSSEC chain of trust: SUCCESS
;; cleanandgo
We got the correct answer and a successful validation of the chain of "trust"; it's working.
If you don't have 'dig' available, you can use Sandia National Laboratories' online DNSViz tool to verify a variety of DNS functionality, including DNSSEC. It tends to be a bit slow, so have patience with it.
Original Source: https://stoneyforest.net/~chris/blog/freebsd/dns/dnssec-zone.html
This has been modified.
How NOT to sync the time on your box
The following commands will completely wipe out the selected disk without warning, so make sure you select the proper disk!
Get the ISO file of your desired version of Windows (7, 8, 10, Server, etc.).
diskpart
list disk
select disk $NumberOfTheUsbStick
list disk
clean
create partition primary
select partition 1
active
format fs=ntfs quick label="Windows Setup"
exit
F:
cd boot
bootsect /nt60 E:
xcopy F:\*.* E:\ /E /H /F
tail -f /var/log/messages | awk '/printer on fire/ {
    # the awk program is single-quoted, so the mail text must not contain an apostrophe
    system("date; doSomething & echo -e \"I have done something about it.\" | EMAIL=\"FromName <FromUser@example.com>\" mutt -s \"Printer on fire!\" \"ToName <ToUser@example.com>\"; wait;")
}'
Get all groups (SIDs and sAMAccountName) of the current user using PowerShell, without needing the ActiveDirectory module or some other foo.
$AdUser = [System.Security.Principal.WindowsIdentity]::GetCurrent();
$SidList = $AdUser.Groups | ForEach-Object { $_.Value };
# Use the first label of the computer's DNS domain name as the "DOMAIN\" prefix to filter on.
$DomainName = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name;
$DomainName = $DomainName.Split('.')[0].ToLower();
$GroupSids = @();
$GroupAccountNames = @();
foreach ($GroupSid in $SidList) {
    try {
        # Resolve the SID to "DOMAIN\Group"; SIDs that cannot be resolved (e.g. logon SIDs) throw and are skipped.
        $Name = (New-Object System.Security.Principal.SecurityIdentifier($GroupSid)).Translate([System.Security.Principal.NTAccount]).ToString().ToLower();
    } catch {
        continue;
    }
    # Keep only this domain's groups and cut off the "DOMAIN\" prefix.
    # (Substring, not TrimStart: TrimStart strips a set of characters, not a prefix, and eats the group name.)
    if ($Name.StartsWith("$DomainName\")) {
        $GroupAccountNames += $Name.Substring($DomainName.Length + 1);
        $GroupSids += $GroupSid;
    }
}
If you want to query a user other than the current one, replace the first two lines with the following (a UserPrincipal has no Groups property, so the SIDs come from GetAuthorizationGroups()):
Add-Type -AssemblyName System.DirectoryServices.AccountManagement;
$Context = [System.DirectoryServices.AccountManagement.ContextType]::Domain;
$AdUser = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($Context, "Compilenix");
$SidList = $AdUser.GetAuthorizationGroups() | ForEach-Object { $_.Sid.Value };
Note: To find out which identity formats FindByIdentity accepts, see the MSDN documentation.
Here are some little C# snippets / utils I've created.
Compton not only looks nice and just works, I also got rid of my everyday screen tearing. :)
~/.xinitrc
# -b forks compton into the background; do not exec it here, or the session line below never runs
compton -b --vsync opengl-swc --backend glx --blur-background-frame --config ~/.config/compton.conf
exec $Your_Session
~/.config/compton.conf
shadow = true;                  # Enabled client-side shadows on windows.
no-dock-shadow = true;          # Avoid drawing shadows on dock/panel windows.
no-dnd-shadow = true;           # Don't draw shadows on DND windows.
clear-shadow = true;            # Zero the part of the shadow's mask behind the window (experimental).
shadow-radius = 15;             # The blur radius for shadows. (default 12)
shadow-offset-x = -20;          # The left offset for shadows. (default -15)
shadow-offset-y = -20;          # The top offset for shadows. (default -15)
shadow-opacity = 1.0;           # The translucency for shadows. (default .75)
# shadow-red = 0.0;             # Red color value of shadow. (0.0 - 1.0, defaults to 0)
# shadow-green = 0.0;           # Green color value of shadow. (0.0 - 1.0, defaults to 0)
# shadow-blue = 0.0;            # Blue color value of shadow. (0.0 - 1.0, defaults to 0)
shadow-exclude = [
    "! name~=''",
    "name = 'Notification'",
    "name = 'Plank'",
    "name = 'Docky'",
    "name = 'Kupfer'",
    "name = 'xfce4-notifyd'",
    "name *= 'VLC'",
    "name *= 'compton'",
    "name *= 'Chromium'",
    "name *= 'Chrome'",
    "name *= 'Firefox'",
    "class_g = 'Conky'",
    "class_g = 'Kupfer'",
    "class_g = 'Synapse'",
    "class_g ?= 'Notify-osd'",
    "class_g ?= 'Cairo-dock'",
    "class_g ?= 'Xfce4-notifyd'",
    "class_g ?= 'Xfce4-power-manager'"
];
shadow-ignore-shaped = true;

# Opacity
menu-opacity = 1.0;             # The opacity for menus. (default 1.0)
inactive-opacity = 1.0;         # Opacity of inactive windows. (0.1 - 1.0)
frame-opacity = 1.0;            # Opacity of window titlebars and borders. (0.1 - 1.0)
inactive-opacity-override = true; # Inactive opacity set by 'inactive-opacity' overrides value of _NET_WM_OPACITY.

# Fading
fading = true;                  # Fade windows during opacity changes.
fade-delta = 4;                 # The time between steps in a fade in milliseconds. (default 10).
fade-in-step = 0.03;            # Opacity change between steps while fading in. (default 0.028).
fade-out-step = 0.03;           # Opacity change between steps while fading out. (default 0.03).
no-fading-openclose = false;    # Fade windows in/out when opening/closing.

# Other
# inactive-dim = 0.5;           # Dim inactive windows. (0.0 - 1.0, defaults to 0).
mark-wmwin-focused = true;      # Try to detect WM windows and mark them as active.
mark-ovredir-focused = true;
detect-rounded-corners = true;

# Window type settings
wintypes:
{
    tooltip = { fade = false; shadow = false; opacity = 0.75; };
};
Perhaps you're a special creative snowflake... Well guess what? You're not that special. -- someone
Quickly adding and activating a (thick provisioned) swapfile on your Linux system.
Nevertheless, I suggest doing this only if you don't have a better solution.
# size in Megabytes
size=512
dd if=/dev/zero of=/var/swap.bin bs=1M count=$size
chmod 0600 /var/swap.bin   # lock the file down before anything is paged into it; swap contents must not be world-readable
mkswap -L swap_${size} /var/swap.bin
echo -e "/var/swap.bin\tnone\tswap\tsw\t0 0" >> /etc/fstab
swapon -a
https://stackoverflow.com/questions/1705008/simple-proof-that-guid-is-not-unique
Sometimes, too long is too long.
-- Joe Crowe
Why is IEnumerable slow and List fast?
This is because of deferred execution: the enumeration is produced by evaluating the sequence of filters for each item, every time it is enumerated. When you do a ToList, however, the sequence is "materialized" in memory, so all the evaluations are performed exactly once.
How to fix the non-working VMware vSphere Web Client Integration Plugin in Firefox.
Open a new Firefox tab and navigate to: about:config
Read the warning message and accept it.
Now search for: security.ssl3.dhe
and set both settings it finds to false by double-clicking them. Note that this disables the DHE cipher suites for every site Firefox visits, not only the vSphere client.
This should help... Happy working :-)
Opsi - Autoreport Client IP to opsiconfd
/etc/opsi/opsiconfd.conf
[session]
# default: update ip = no
update ip = yes
and restart the service
service opsiconfd restart
This assumes you already have a Debian-based Linux installed, like Debian 8 or Ubuntu Server 14.04 LTS.
apt-get install wget lsof host python-mechanize p7zip-full cabextract samba samba-common smbclient cifs-utils
Add the OPSI package repo and its PGP key, update apt and install the opsi packages. Check whether there is a repo matching your Linux distro version: download.opensuse.org/repositories/...
echo "deb http://download.opensuse.org/repositories/home:/uibmz:/opsi:/opsi40/Debian_8.0 ./" | tee -a /etc/apt/sources.list.d/opsi40.list
# this key authenticates every package installed from the repo; fetch it over https if the mirror offers it
wget -O - http://download.opensuse.org/repositories/home:/uibmz:/opsi:/opsi40/Debian_8.0/Release.key | apt-key add -
apt-get update
apt-get install opsi-atftpd opsi-depotserver opsi-configed
Add a new (or existing) system user, set up the group memberships and set the passwords.
opsi-admin -d task setPcpatchPassword
useradd -m -s /bin/bash adminuser
passwd adminuser
smbpasswd -a adminuser
adduser adminuser opsiadmin
adduser adminuser pcpatch
Configure your DHCP server to tell clients where to get the PXE images from; in this case a Windows DHCP server.
On a Windows DHCP server these are options 66 and 67 ("Boot Server Host Name" and "Bootfile Name"):
At this point you are pretty much done. Run this if you want to install the default opsi packages from UIB:
opsi-product-updater -i -vv
I've written some OPSI packages too; if you want to check them out, head over to my Download area or the OPSI wiki:
LogonUI.exe Error
I've encountered a problem with the following combination:
- Microsoft Windows 8.1
- Windows Update KB2919355
- VMware Tools 9.4.15.2827462
- VMware Horizon View Client Agent 6.0.2.2331487 (customized setup)
- Adding all optional features
Now to the trouble I had and how I solved it.
The initial situation was:
Installed:
- Microsoft Windows 8.1
- VMware Tools 9.4.15.2827462
To be installed:
- Windows 8.1 Update for x64-based Systems (KB2919355)
- VMware Horizon View Client Agent 6.0.2.2331487 (customized setup)
Result:
LogonUI.exe - Application Error
The Instruction at 0x629744 referenced memory at 0x5eefc000. The memory could not be written.
Click on OK to terminate the program
Solved by removing the Horizon View Agent feature "PCoIP-Smartcard". It may be required to also remove one or more of the Windows Updates listed here:
- Windows 8.1 Update for x64-based Systems (KB2919355)
- Security Update for Windows 7 for x64-based Systems (KB3035131)
- There were more, but I don't remember.
sure why not...
And it does exactly what it's supposed to do!
My nginx SSL and http header config snippet
The more_set_headers directives need the ngx_headers_more module. Note that browsers have since dropped support for the Public-Key-Pins header, so that line is kept for reference only.
server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;

    ssl_certificate /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
    ssl_trusted_certificate /etc/nginx/ssl/fullchain.pem;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_protocols TLSv1.2;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
    proxy_ssl_session_reuse off;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    ssl_stapling on;
    ssl_stapling_verify on;

    more_set_headers "Strict-Transport-Security: max-age=15768000; includeSubDomains; preload";
    more_set_headers 'Public-Key-Pins: pin-sha256="+oXoiEF2sFHvQGpvaTU/4m0DKMnWBQoIHh7gNyZWun8="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis="; pin-sha256="pM+iwkeddeZ4Dye7uu1YlGs0hj7w6QL06qDO7DcwGII="; max-age=7776000; includeSubDomains';
    more_set_headers "Content-Security-Policy: default-src 'self' data: 'unsafe-inline' 'unsafe-eval' *.compilenix.org compilenix.org dharma.no-trust.org *.googleapis.com *.gstatic.com *.gravatar.com code.jquery.com; frame-ancestors 'self' ; form-action 'self' ; upgrade-insecure-requests; block-all-mixed-content; reflected-xss block; referrer no-referrer;";
    more_set_headers "X-Frame-Options: SAMEORIGIN";
    more_set_headers 'X-XSS-Protection: 1; mode=block';
    more_set_headers "X-Content-Type-Options: nosniff";
}
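The Content-Security-Policy above is the header that does the most work here, and its weak points are easy to miss in a one-line value. As an added example (my code, not the author's config), this small Python reviewer parses a CSP value into directives and flags the source expressions and obsolete directives a security review would point at, run on the header from this snippet; the weak-source and obsolete-directive lists are my own reading of the CSP specs.

```python
# Added example, not part of the original config: parse a CSP header value and report
# what a reviewer would flag. The two lists below are assumptions drawn from the CSP specs.
OBSOLETE_DIRECTIVES = {"reflected-xss", "referrer", "block-all-mixed-content"}
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "data:", "*", "http:", "https:"}

def parse_csp(value):
    """Split a CSP header value into {directive: [sources]}; directive names are lower-cased."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # a repeated directive is ignored, as in browsers
    return policy

def review_csp(value):
    """Return human-readable findings for a policy (empty list means nothing was flagged)."""
    policy = parse_csp(value)
    findings = [f"{name}: obsolete directive, ignored by current browsers"
                for name in sorted(OBSOLETE_DIRECTIVES.intersection(policy))]
    # Scripts fall back to default-src when script-src is absent, so weak sources there matter most.
    governing = "script-src" if "script-src" in policy else "default-src"
    for src in policy.get(governing, []):
        if src in WEAK_SOURCES:
            findings.append(f"{governing}: {src} lets inline or arbitrary script run")
        elif src.startswith("*."):
            findings.append(f"{governing}: wildcard {src} trusts every host under that domain")
    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors: missing, framing control relies on X-Frame-Options alone")
    return findings

# Constructed sample: the header value from the nginx snippet above, copied verbatim.
SAMPLE = ("default-src 'self' data: 'unsafe-inline' 'unsafe-eval' *.compilenix.org compilenix.org "
          "dharma.no-trust.org *.googleapis.com *.gstatic.com *.gravatar.com code.jquery.com; "
          "frame-ancestors 'self' ; form-action 'self' ; upgrade-insecure-requests; "
          "block-all-mixed-content; reflected-xss block; referrer no-referrer;")

if __name__ == "__main__":
    for finding in review_csp(SAMPLE):
        print(finding)
```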
Ref: