Be careful with isc-bind 9.13.1

  • named can no longer use the EDNS CLIENT-SUBNET option for view selection. In its existing form, the authoritative ECS feature was not fully RFC-compliant, and could not realistically have been deployed in production for an authoritative server; its only practical use was for testing and experimentation. In the interest of code simplification, this feature has now been removed. The ECS option is still supported in dig and mdig via the +subnet argument, and can be parsed and logged when received by named, but it is no longer used for ACL processing. The geoip-use-ecs option is now obsolete; a warning will be logged if it is used in named.conf. ecs tags in an ACL definition are also obsolete, and will cause the configuration to fail to load if they are used. [GL #32]

If you have a load balancer such as dnsdist in front of your authoritative DNS server and you use "useClientSubnet=true" in its configuration, the views in BIND become useless.

So one possible way to get similar behaviour is to use dnsdist and implement the BIND views in dnsdist itself, using a configuration like this
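
The configuration itself is not reproduced on this page. As an added example (not the author's own setup), view-style selection can be expressed in dnsdist by routing on the client source network to one pool per former view. All addresses, pool and server names, and the layout of one BIND listener per view (picked on the BIND side with match-destinations) are assumptions.

```lua
-- Added example, not the author's configuration.
-- Every address and name below is a constructed placeholder.

-- Public listeners of the front end (documentation address ranges).
setLocal("192.0.2.53:53")
addLocal("[2001:db8::53]:53")

-- dnsdist's default ACL only admits private ranges; an authoritative
-- front end has to accept queries from everywhere.
setACL({"0.0.0.0/0", "::/0"})

-- One pool per former BIND view. Each backend address is assumed to be
-- a separate BIND listener whose view is selected by destination
-- address (match-destinations), so no ECS handling is needed in named.
-- useClientSubnet is deliberately left unset on both servers.
newServer({address="127.0.0.2:53", name="bind-internal", pool="internal"})
newServer({address="127.0.0.3:53", name="bind-external", pool="external"})

-- Networks that used to be listed in the internal view's match-clients.
local internalNets = newNMG()
internalNets:addMask("10.0.0.0/8")
internalNets:addMask("198.51.100.0/24")
internalNets:addMask("2001:db8:1::/48")

-- Rules are evaluated in order and PoolAction ends processing for the
-- query: internal sources go to the internal pool, everything else
-- falls through to the catch-all rule for the external pool.
addAction(NetmaskGroupRule(internalNets), PoolAction("internal"))
addAction(AllRule(), PoolAction("external"))
```

Selection here depends on the source address that dnsdist itself observes, not on an ECS option carried inside the query, so nothing the client places in the packet payload can pick the view.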

Problem with transmission and IPv6

The problem with net-p2p/transmission-daemon and IPv6 is that the transmission developers are … not willing to implement such functionality, as can be seen in: https://trac.transmissionbt.com/ticket/4197

So users who need IPv6 on the system but do NOT want transmission to use it are left on their own.

So you can use this quick patch:

cd /usr/ports/net-p2p/transmission-daemon ;
make extract ;
cd work/transmission-2.93/libtransmission/ ;
vi net.c

@@ -598,7 +598,7 @@
{
int addrlen = 16;
const int rc = tr_globalAddress( AF_INET6,
ipv6, &addrlen );
– have_ipv6 = ( rc >= 0 ) && ( addrlen == 16 );
+ have_ipv6 = 0; /** NO, we do not have IPv6 **/
last_time = now;
}
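
Review bot: On the replaced line, `have_ipv6 = 0;` hard-codes the result while the `tr_globalAddress( AF_INET6, ... )` call in the context lines above is left in place, so `rc` becomes an unused variable and the address lookup still runs for nothing. Either remove the call together with the test, or keep the original expression and AND it with a build-time or runtime switch, so that the override is explicit and can be turned off without editing net.c again. The `/** ... **/` comment would also be more useful if it said why IPv6 is forced off.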

cd ../../../ ; make deinstall install package clean ;
service transmission restart

 

Enjoy your non-IPv6-enabled daemon on an IPv6/IPv4 dual-stack system!

DualStack/tcp46 web and mail server

You can verify it with these commands:

dig www.ostreff.info AAAA

traceroute6 www.ostreff.info

curl -6 www.ostreff.info

IPv6 Certification Badge for jostreff

 

It’s funny to see that in the IPv6 world my site is 6 hops away. In IPv4 it’s 7 hops away.

 

Jordan-Ostreffs-MBP:~ jostreff$ traceroute6 www.ostreff.info
traceroute6 to jsp.ostreff.info (2001:470:1f0a:1830::2) from 2001:470:1f15:1303:31ca:10e:17ec:fdd8, 64 hops max, 12 byte packets
1 2001:470:1f15:1303:ba8d:12ff:fe5b:1ff0 1.168 ms 1.502 ms 0.762 ms
2 jostreff-1.tunnel.tserv11.ams1.ipv6.he.net 37.673 ms 36.499 ms 36.333 ms
3 10ge11-20.core1.ams1.he.net 35.521 ms 33.730 ms 51.334 ms
4 100ge5-1.core1.fra1.he.net 44.787 ms 37.329 ms 41.756 ms
5 tserv1.fra1.he.net 42.740 ms 42.329 ms 43.809 ms
6 jostreff-2-pt.tunnel.tserv6.fra1.ipv6.he.net 75.220 ms 72.095 ms 72.247 ms

Jordan-Ostreffs-MBP:~ jostreff$ traceroute www.ostreff.info
traceroute to jsp.ostreff.info (84.54.160.14), 64 hops max, 52 byte packets
1 10.0.1.1 (10.0.1.1) 1.455 ms 0.874 ms 0.847 ms
2 82-137-110-2.ip.btc-net.bg (82.137.110.2) 2.043 ms 1.629 ms 1.429 ms
3 83-228-105-49.ip.btc-net.bg (83.228.105.49) 7.621 ms 8.028 ms 7.951 ms
4 83-228-105-50.ip.btc-net.bg (83.228.105.50) 13.347 ms 11.934 ms 10.202 ms
5 * * *
6 classic.classic-bg.net (84.54.160.14) 13.115 ms 9.090 ms 8.943 ms
7 classic.classic-bg.net (84.54.160.14) 9.356 ms 9.351 ms 9.125 ms

Next task: to build a dual-stack tcp46 mail system.

Already passed as well: IPv6-enabled mail system.

DualStack ipv46 home network achieved

IPv6 Certification Badge for jostreff

~ jostreff$ ping6 google.com
PING6(56=40+8+8 bytes) 2001:470:1f15:1303:e813:c674:204e:ff54 --> 2a00:1450:4017:809::200e
16 bytes from 2a00:1450:4017:809::200e, icmp_seq=0 hlim=53 time=73.786 ms
16 bytes from 2a00:1450:4017:809::200e, icmp_seq=1 hlim=53 time=76.331 ms
16 bytes from 2a00:1450:4017:809::200e, icmp_seq=2 hlim=53 time=76.304 ms
^C
--- google.com ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 73.786/75.474/76.331/1.193 ms

 

Next task: to make https://www.ostreff.info live in the IPv6 world!

Suppress warning messages using mysql from within Terminal, but password written in shell script

Here’s how I got my bash script for my daily mysqldump database backups to work more securely.
1. First use mysql_config_editor (comes with mysql 5.6+) to set up the encrypted password file. Suppose your username is "db_user". Running from the shell prompt:

mysql_config_editor set --login-path=local --host=localhost --user=db_user --password

It prompts for the password. Once you enter it, the user/pass are saved encrypted. Of course, change "system_username" to your username on the server.

2. Change your shell script from this:

mysqldump -u db_user -pInsecurePassword my_database | gzip > db_backup.tar.gz

to this:

mysqldump --login-path=local my_database | gzip > db_backup.tar.gz

No more exposed passwords.