Re: DNS servers
I just wanna add my 2c's here. We're discussing the example

  cd /service/tinydns/root
  ./add-host lion.x.mil 1.2.3.4
  make

1) Why do you need to use /service?
2) What's wrong with inetd?
3) What prevents Debian from packaging djbdns under your licence?

I'm reluctant to use djbdns because of this thread and the fact that none of your software is packaged for Debian. Wouldn't it make sense to change the way your licence is worded?

[DISCLAIMER: I use bind8, I'm happy with bind8 and only host ~100 domains, I'm nobody special.]

-- 
Brad Lay ([EMAIL PROTECTED])
Systems Administrator
Samford Net
P) +61 7 3855 2233  F) +61 7 3289 5458  W) http://www.samford.net

You will contract a disease for which the cure is so expensive that you will die of poverty.

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Being new to Debian...
On Fri, 15 Nov 2002 15:22:27 -0600, Sonny Kupka [EMAIL PROTECTED] wrote:
> Being new to Debian distro, I was just wondering what people's thoughts were on running testing in an ISP environment on a main server..

Don't do this. testing is the worst choice when you have to worry about security.

Security-wise, stable is best (the security team taking care of it). unstable is next since the package maintainer can upload security updates. These security updates take at least three days until they migrate to testing, leaving you vulnerable in the meantime.

If you absolutely must have later versions of certain packages than in stable, take the unstable package and try building them on a stable system (effectively backporting them). Then track them yourself, security-wise.

Greetings
Marc

-- 
!! No courtesy copies, please !!
Marc Haber         | "Questions are the Beginning of Wisdom" | Mailadresse im Header
Karlsruhe, Germany | Lt. Worf, TNG "Rightful Heir"           | Fon: *49 721 966 32 15
Nordisch by Nature |                                         | Fax: *49 721 966 31 29
Re: Bind8 to Bind9
On Sat, 16 Nov 2002 15:19:02 -0500, Peter Billson [EMAIL PROTECTED] wrote:
> I am planning the move from Bind8 to Bind9 on woody and was wondering if anyone has any tips, gotchas or pointers I should know before the move.

Here is the script that I intend to use for bind8 to bind9 migration (moving from a normal bind8 to a chroot-non-root bind9 in the process). Use at your own risk, and keep a backup of your configuration.

#!/bin/bash
set -v
set -e
# build the chroot skeleton under /var/local/bind
cd /var/local/
mkdir bind
cd bind/
mkdir dev
cp -a /dev/random dev/
chmod 444 dev/random
mkdir -p usr/share/zoneinfo/Europe
cp -a /usr/share/zoneinfo/Europe/Berlin usr/share/zoneinfo/Europe/
mkdir -p var/cache/bind var/run/bind
# unprivileged user that named will run as
adduser --ingroup nogroup --uid 130 --disabled-password --gecos "bind,,," --shell /bin/false bind
chown bind:nogroup var/cache/bind var/run/bind
mkdir etc
cd etc/
ln -s /usr/share/zoneinfo/Europe/Berlin localtime
# move the existing bind8 configuration into the chroot
mv /etc/bind/ .
apt-get --download-only install bind9
dpkg --purge bind
apt-get install bind9
sleep 1
# stop the named that the package just started, point /etc/bind into the chroot
kill $(cat /var/run/named.pid)
rm -rf /etc/bind
ln -s /var/local/bind/etc/bind /etc/bind
# generate an rndc key and collect the named.conf fragment that rndc-confgen prints as comments
rndc-confgen > bind/rndc.conf
echo 'pid-file "/var/run/bind/named.pid";' > bind/rndc.addition
sed -n '/^# Use with the following/,/# End of named.conf/{/^# Use with the following/d;/# End of named.conf/d;s/^# //;p;}' bind/rndc.conf >> bind/rndc.addition
jed bind/named.conf bind/rndc.addition
rm bind/rndc.addition
# quoted heredoc: the $VARIABLES are meant for the init script, not for this one
cat > /etc/default/bind9 <<'EOF'
CHROOT=/var/local/bind
USER=bind
OPTS=""
[ -n "$USER" ] && OPTS="$OPTS -u $USER"
[ -n "$CHROOT" ] && OPTS="$OPTS -t $CHROOT"
EOF
cat > /etc/init.d/bind9 <<'EOF'
#!/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# for a chrooted server: -u nobody -t /var/lib/named
OPTS=""
test -f /etc/default/bind9 && . /etc/default/bind9
test -x /usr/sbin/named || exit 0
case "$1" in
  start)
    echo -n "Starting domain name service: named"
    start-stop-daemon --start --quiet \
      --pidfile /var/run/named.pid --exec /usr/sbin/named -- $OPTS
    echo "."
    ;;
  stop)
    echo -n "Stopping domain name service: named"
    /usr/sbin/rndc stop
    echo "."
    ;;
  reload)
    /usr/sbin/rndc reload
    ;;
  restart|force-reload)
    $0 stop
    sleep 2
    $0 start
    ;;
  *)
    echo "Usage: /etc/init.d/bind {start|stop|reload|restart|force-reload}" >&2
    exit 1
    ;;
esac
exit 0
EOF
/etc/init.d/bind9 start

The script will drop you into an editor, asking you to manually incorporate a pidfile line, and the rndc configuration into named.conf. Be aware that you will be without name service for the run time of the script.

Greetings
Marc

-- 
!! No courtesy copies, please !!
Marc Haber         | "Questions are the Beginning of Wisdom" | Mailadresse im Header
Karlsruhe, Germany | Lt. Worf, TNG "Rightful Heir"           | Fon: *49 721 966 32 15
Nordisch by Nature |                                         | Fax: *49 721 966 31 29
Re: Perl module for Apache configuration
Craig Sanders [EMAIL PROTECTED] writes:
> On Thu, Nov 21, 2002 at 10:34:20AM -0500, Gene Grimm wrote:
>> Are there any Perl modules that can help modify a configuration file for Apache?
> libapache-configfile-perl can parse apache config files. for writing them, you're on your own AFAIK (not very hard, it's plain text with a well-defined format, easy to generate).

BTW Apache::Admin::Config does the job with respect to the file indentation. It's not part of Debian but you can find the Debian package at: ftp://ftp.rhapsodyk.net/pub/devel/perl/Apache-Admin-Config/. This module is 1 year old, and it's ready for production use. Feedback is welcome.

-- 
Olivier Poitrey
Re: Being new to Debian...
On Fri, 2002-11-22 at 12:20, Marc Haber wrote:
> On Fri, 15 Nov 2002 15:22:27 -0600, Sonny Kupka [EMAIL PROTECTED] wrote:
>> Being new to Debian distro, I was just wondering what people's thoughts were on running testing in an ISP environment on a main server..
> Don't do this. testing is the worst choice when you have to worry about security.
> Security-wise, stable is best (the security team taking care of it). unstable is next since the package maintainer can upload security updates. These security updates take at least three days until they migrate to testing, leaving you vulnerable in the meantime.

That was true before woody became stable; the new policy is that when there is a security alert, the security team releases for potato, woody, sarge, and sid. You can check the latest DSAs. So, to be on the not-so-bleeding edge, you can use testing with security updates, and live happy :)
Re: DNS servers
Hi All,

I think this thread is becoming less a thread about which nameserver to use and more people defending the time, money and effort they have spent learning/writing the particular software package they use. Of course nobody is going to instantly change their software package and have to re-learn how it is implemented in the new one.

People should certainly be aware of what is available and feel free to try other pieces of software, but nobody is obligated to use one or the other. People must accept that different people have different needs (tastes even) and so may use something else. A comprehensive analysis of what is required in *your* organisation is needed, then pick software based on that. And if someone else likes something else, then fine, good for him/her. They may have different requirements.

To conclude, nobody is forcing anyone to use one software package or the other. Cool-headed analysis is required, not name calling.

Cheers,
Fred.

-- 
Fred Clausen - Systems Administrator
Unique Interactive, part of UBC Media Group plc
Winners of the 2002 CRCA NTL New Media Award
http://www.ubcmedia.com  http://www.uniqueinteractive.co.uk
T: +44 (0)20 7453 1677  F: +44 (0)20 7486 5081
Re: Being new to Debian...
Vasil Kolev wrote:
> On Fri, 2002-11-22 at 12:20, Marc Haber wrote:
>> On Fri, 15 Nov 2002 15:22:27 -0600, Sonny Kupka [EMAIL PROTECTED] wrote:
>>> Being new to Debian distro, I was just wondering what people's thoughts were on running testing in an ISP environment on a main server..
>> Don't do this. testing is the worst choice when you have to worry about security.
>> Security-wise, stable is best (the security team taking care of it). unstable is next since the package maintainer can upload security updates. These security updates take at least three days until they migrate to testing, leaving you vulnerable in the meantime.
> That was true before woody became stable; the new policy is that when there is a security alert, the security team releases for potato, woody, sarge, and sid. You can check the latest DSAs. So, to be on the not-so-bleeding edge, you can use testing with security updates, and live happy :)

Hello Marc, can you point us to a reference explaining this recent change of policy? I was under the impression that a stable's security is handled for maybe a month after it's replaced with a newer distribution, and never heard anything about a change. Thanks.

-- 
Robin Y. Millette (aka Lord D. Nattor)
http://rym.waglo.com
Re: how to upgrade dozens of debian servers
On Mon, 18 Nov 2002 11:28:14 -0800, Kirk Ismay [EMAIL PROTECTED] wrote:
> In a cron job I use the following to alert me when new packages are available for my systems:
>
>   # update Debian package list
>   0 2 * * * /usr/bin/apt-get -q update
>   # This produces a report of updated Debian packages
>   30 10 * * * /usr/bin/apt-get -s dist-upgrade | /bin/grep Inst
>
> This sends me an email for each system, so I know what needs an upgrade.

When you think about it, it's already in Debian. See the cron-apt package which does a pretty similar job.

Greetings
Marc

-- 
!! No courtesy copies, please !!
Marc Haber         | "Questions are the Beginning of Wisdom" | Mailadresse im Header
Karlsruhe, Germany | Lt. Worf, TNG "Rightful Heir"           | Fon: *49 721 966 32 15
Nordisch by Nature |                                         | Fax: *49 721 966 31 29
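The cron job above mails the raw `Inst` lines of an `apt-get -s dist-upgrade` simulation. As an added example (not code from the mail above nor from cron-apt), the script below turns that output into a short per-host report: it separates updates coming from the security archive from ordinary ones and flags packages the dist-upgrade would remove, which is the case you want to notice before letting anything run unattended. The line shapes `Inst pkg [old] (new origin [arch])` and `Remv pkg [old]` are assumed from apt-get's simulation output, and the sample output is constructed.

```python
"""Summarise 'apt-get -s dist-upgrade' simulation output into a report that
separates security updates from ordinary ones and flags removals.
Added example, not from the original mail or from cron-apt; the 'Inst' and
'Remv' line shapes are assumed from apt-get output, the sample is constructed."""

import re

# Constructed sample of what 'apt-get -s dist-upgrade' prints, including the
# progress and summary lines a real run emits before the Inst/Conf/Remv lines.
SAMPLE_SIMULATION = """\
Reading Package Lists...
Building Dependency Tree...
The following packages will be REMOVED:
  oldtool
The following NEW packages will be installed:
  libnewdep1
The following packages will be upgraded:
  apache libc6 openssl
3 packages upgraded, 1 newly installed, 1 to remove and 0 not upgraded.
Remv oldtool [0.9-1]
Inst libc6 [2.2.5-11.2] (2.2.5-11.5 Debian-Security:3.0/stable)
Inst openssl [0.9.6c-2.woody.2] (0.9.6c-2.woody.3 Debian-Security:3.0/stable)
Inst libnewdep1 (1.0-1 Debian:3.0/stable)
Inst apache [1.3.26-0woody1] (1.3.26-0woody3 Debian:3.0/stable [i386])
Conf libc6 (2.2.5-11.5 Debian-Security:3.0/stable)
"""

INST_RE = re.compile(
    r"^Inst (?P<pkg>\S+)"
    r"(?: \[(?P<old>[^\]]*)\])?"          # installed version; absent for new packages
    r" \((?P<new>[^\s)]+)"                # candidate version
    r"(?: (?P<origin>[^\s\[\]()]+))?"     # archive label, e.g. Debian-Security:3.0/stable
    r"(?: \[(?P<arch>[^\]]+)\])?\)"       # newer apt versions append the architecture
)
REMV_RE = re.compile(r"^Remv (?P<pkg>\S+) \[(?P<old>[^\]]*)\]")


def parse_simulation(text):
    """Return (installs, removals): installs as dicts with pkg/old/new/origin/arch,
    removals as (pkg, old_version) tuples. Conf and progress lines are ignored."""
    installs, removals = [], []
    for line in text.splitlines():
        m = INST_RE.match(line)
        if m:
            installs.append(m.groupdict())
            continue
        m = REMV_RE.match(line)
        if m:
            removals.append((m.group("pkg"), m.group("old")))
    return installs, removals


def is_security_update(entry):
    """Assumption: security uploads carry the Debian-Security archive label."""
    return (entry.get("origin") or "").startswith("Debian-Security")


def report(text, host="localhost"):
    """One summary line followed by one line per package, security updates first."""
    installs, removals = parse_simulation(text)
    security = [e for e in installs if is_security_update(e)]
    other = [e for e in installs if not is_security_update(e)]
    lines = [f"{host}: {len(security)} security update(s), {len(other)} other, "
             f"{len(removals)} removal(s)"]
    for e in security:
        lines.append(f"  SECURITY {e['pkg']} {e['old'] or '(new)'} -> {e['new']}")
    for e in other:
        lines.append(f"  update   {e['pkg']} {e['old'] or '(new)'} -> {e['new']}")
    for pkg, old in removals:
        lines.append(f"  REMOVE   {pkg} {old}  (dist-upgrade would remove this)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SIMULATION, host="mail1"))
```

Feed it the real simulation with something like `apt-get -s dist-upgrade | python3 report.py` after replacing the sample with `sys.stdin.read()`; the regex keeps working whether or not the apt version on the host prints the trailing architecture field.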
Re: DNS servers
Before I will start defending Craig, I would like to point out that the discussion is NOT just about taste. The boat left, and you weren't on it. It's about how the software is built up, what is put into the package, and why the hell people have to think that they are better than the rest by non-quoting, non-reading, and displaying these features in an obnoxious way by thinking they have a point.

We got 2 packs here, djbdns and bind. The first obnoxious part I'm referring to is the attitude of the maintainer, and the crew building the djbdns pack. The second part I find extremely irritating is the amount of people getting excited by words on their screen, telling them it's way better, fantastic to work with etc..etc.. And as you have seen I haven't even referred to any technical spec whatsoever which was/is in debate right now.

IMO this discussion went astray when the quoting started. If you start ripping pieces of text apart, and start quoting what you please, you have missed the context and the point.

With this said, I stand with Craig for the full 100%, and would love to see some improvements. I might not be the best sysadmin to go into a discussion on the specs, but I sure as hell know when people are screwing with each other. The reason I signed up for this was to enjoy the occasional flamewar, get a bit of info, and try to add a bit where I could.

Strange huh.. a friggin' rookie opening his mouth, asking politely to not piss each other off by manipulating words.

Mark

On Fri, Nov 22, 2002 at 02:14:17PM +, Fred Clausen wrote:
> Hi All,
>
> I think this thread is becoming less a thread about which nameserver to use and more people defending the time, money and effort they have spent learning/writing the particular software package they use. Of course nobody is going to instantly change their software package and have to re-learn how it is implemented in the new one.
>
> People should certainly be aware of what is available and feel free to try other pieces of software, but nobody is obligated to use one or the other. People must accept that different people have different needs (tastes even) and so may use something else. A comprehensive analysis of what is required in *your* organisation is needed, then pick software based on that. And if someone else likes something else, then fine, good for him/her. They may have different requirements.
>
> To conclude, nobody is forcing anyone to use one software package or the other. Cool-headed analysis is required, not name calling.
>
> Cheers,
> Fred.

-- 
Mark Lijftogt
http://sans.rondom.org
http://www.lijftogt.nl
Re: Being new to Debian...
On 22 Nov 2002 14:58:41 +0100, Vasil Kolev [EMAIL PROTECTED] wrote:
> That was true before woody became stable; the new policy is that when there is a security alert, the security team releases for potato, woody, sarge, and sid. You can check the latest DSAs. So, to be on the not-so-bleeding edge, you can use testing with security updates, and live happy :)

http://www.debian.org/security/faq#handling

Q: How is security handled for testing and unstable?

A: The short answer is: it's not. Testing and unstable are rapidly moving targets and the security team does not have the resources needed to properly support those. If you want to have a secure (and stable) server you are strongly encouraged to stay with stable. However, the security secretaries will try to fix problems in testing and unstable after they are fixed in the stable release.

The web page dates Nov 14, 2002.

Greetings
Marc

-- 
!! No courtesy copies, please !!
Marc Haber         | "Questions are the Beginning of Wisdom" | Mailadresse im Header
Karlsruhe, Germany | Lt. Worf, TNG "Rightful Heir"           | Fon: *49 721 966 32 15
Nordisch by Nature |                                         | Fax: *49 721 966 31 29
Re: DNS servers
Sanders writes:
> the alleged documentation for tinydns-data is atrocious too, it's ALL done by example, no syntax definition, no overview.

In fact, http://cr.yp.to/djbdns/tinydns-data.html contains the syntax definition, a bunch of examples, and a link to a tutorial page.

> [ the tinydns data syntax is ``bizarre and broken'' because ]
> the PTR record is automagically created when you create the A record

In fact, you're perfectly free to create just an A record (+fqdn:ip), just a PTR record (^blah.arpa:fqdn), just an MX record (@fqdn::mx), just an NS record (&fqdn::ns), just an SOA record (Z...), etc. You can play with TTLs, serial numbers, and so on, in as much detail as with BIND. Or you can work with slightly higher-level concepts such as hosts (=fqdn:ip, creating A+PTR), mail exchangers (@fqdn:ip, creating MX+A), and name servers (.fqdn:ip, creating SOA+NS+A)---concepts that BIND doesn't support because they can involve more than one zone.

> get this, it really takes the cake, either or both of the A & PTR records are completely ignored unless there are appropriately corresponding NS records somewhere in the file.

In fact, the text you're talking about---``Remember to specify name servers for some suffix of fqdn; otherwise tinydns will not respond to queries about fqdn''---refers to a basic part of the DNS architecture. The equivalent BIND rule is that every record needs to be in a zone.

> you can't find the A records for a given hostname just by searching for the = lines, you also have to parse every other line in case an A record is automagically defined elsewhere, e.g. in & or . or @ lines.

If you want a program to work with A records rather than higher-level concepts, you can use tinydns-get to do a particular address lookup, or you can use the following script to print out every address and name:

#!/bin/sh
# strip trailing blanks, then expand the lines that define A records:
# = and + lines directly, . & and @ lines through their x field
sed 's/[[:blank:]]*$//' /service/tinydns/root/data | awk -F: '
  function printx(type) {
    # a dotless x is short for x.type.fqdn; an empty x becomes type.fqdn
    if (!match($3,/\./)) $3 = $3 "." type "." substr($1,2)
    sub(/^\./,"",$3)
    print $2,$3
  }
  /^@/ { if ($2) printx("mx") }
  /^[\.&]/ { if ($2) printx("ns") }
  /^[=+]/ { if ($2) print $2,substr($1,2) }
'

This is another example of how easy it is to parse the tinydns configuration syntax. Can you show me a script for BIND that reliably does the same thing? Parse named.conf to figure out the active zone files; parse the zone files; don't forget to deal with $ORIGIN and $INCLUDE and $GENERATE ...

Of course, the above script can easily be modified to change a selected IP address, or to start your editor on the appropriate line in the data file, or to adjust TTLs, etc.

---D. J. Bernstein, Associate Professor, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago
Re: LDAP and email
My fellow admins and I have a decent working solution using Debian, exim, openldap, tied into pam with uw-imap and pop3, also all administered through apache w/ php. You are more than welcome to take a look at the current stable release (ugly but works) or our development stuff, doesn't work but the code is readable. We are currently administering email for 40+ domains on this and it works well and is fairly easy to implement on a Debian box.

Cheers,
Ehren
System Administrator
Echostar Solutions

[EMAIL PROTECTED] wrote:
> Has anyone LDAPized their email system, along with /etc/aliases? If so, can you give me a pointer how you did that?
> Thanks, Tim
Re: DNS servers
Hi,

On Thu, Nov 21, 2002 at 06:55:52PM +0100, Russell Coker wrote:
> On Thu, 21 Nov 2002 17:53, Toni Mueller wrote:
>> There is only one Unix way to use them (fortunately), and that's BIND.
> There is also nsd. I've spent about 10 minutes playing with nsd and it looks very promising, I've put in some bind zone files and they work.

It was ok - I didn't know about nsd.

> LDAP or SQL backed DNS isn't an option unless performance is not required. A LDAP or SQL query takes far longer than I want my DNS lookups to take.

Here I'd like to re-use the words of DJB: Profile, don't speculate. Apart from the fact that LDAP (and SQL) performance varies wildly across different servers - eg. Fefe once claimed that his LDAP server ran several orders of magnitude faster than OpenLDAP at a time, and in a special situation that was important for him - we already know about tinydns' ability to serve some 6000 requests per second on decent dual cpu PC hardware, and we also know that on average, the ldapdns by Mrs. Brisby runs twice as fast as tinydns using OpenLDAP. This software serves its data directly from the LDAP backend to the best of my knowledge - having no intermediate format was a design goal. How fast do you need to get?

> Of course that plan doesn't work so well if you are hired by a company that doesn't see the value of a lab and provides no decent resources for testing.

Hmmm... A company that has no idea of the value of a lab???

> There was one time I was setting up some fully loaded E4500 machines as LDAP servers and I had to use my Thinkpad for some tests because there was nothing else that I could use. A Thinkpad running Linux is not much good for testing the client and server sides of an operation that will be deployed on an E4500, but it was the best I had.

Ouch! Ok, define 'lab'... Having some spare equipment that can be used to set up experimental networks to check things out is not only a basic business requirement, but also (mostly) cheap.

Best,
--Toni++
load average question
Hi Gang:

A few weeks ago we talked about me moving a server from BSDi to Debian. As luck would have it that BSDi server gave out last Monday and I had to move fast to replace it. Knowing I can do a RH install in about 30 minutes I went the route of familiar territory and installed 7.2 with Sendmail/QPopper/Apache/OpenWebMail. I am paying for that now with a huge performance problem. I am seeing Load Averages spiking above 6 during the day. Hardware is a Dual P3-600 with a gig of ram on a IBM Netfinity Raid 5 controller.

The owner of the company wants to go back to BSD, but I want to pursue Debian. So the question is: is anyone running a similar set up with either Sendmail or Postfix servicing 2,000+ email accounts with any performance issues?

Thank you for your time.

-Scott

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.419 / Virus Database: 235 - Release Date: 11/13/2002
Re: DNS servers
[...]
TM ... When I turned
TM from BIND to djbdns, I discovered that I had several errors in
TM my name server setup, despite the fact that I thought I had
TM double-checked each time I messed with the server.
[...]

Just out of curiosity, what kind of errors were these?

[...]
TM Just the matter of handling the various dots right, and not
TM forgetting the serial number, makes for a lot of chances to
TM mess things up, especially if you're tired.

Of course, but don't be root when you are that tired. Don't even sudo. Surely djbdns can't help there to the extent you imply.

[...]
TM Like checking all the reverse-mapping hassle that's going on
TM on the Internet. Most people don't do it right, no? Doing it
TM right with BIND is work.
[...]

Doing it right usually entails reading RFC-2317 these days. You will find that many admins are illiterate when it comes to this, so they screw it up. This is not a config file format issue, IMHO.

TM Doing it right with djbdns comes for
TM free if someone likes to delegate the reverse mapping to you,
TM and/or accepts to pull it from you.
[...]

Ok, I admit I don't see how. I'll go read the site when I get a chance. I'd love to see the problem I allude to above solved for free. Or maybe you mean generating PTR records automatically when A records are defined, in which case I kinda regret wasting time on this.

cheers,
BM
ssh and pam_mkhomedir
Since I'm well on my way to being fully LDAP, I decided to try the pam_mkhomedir module with ssh on a machine that actually will allow a limited number of users shell access (controlled by the host attribute). Well, it doesn't work, I think because of the priv. separation that the Debian package defaults to. The only way is to have /home mode 777, or owned by sshd, neither of which I'm real keen on. Anyone else run into this, and actually found a way around it?

Tim

-- 
Tim Sailer (at home)                Coastal Internet, Inc.
Network and Systems Operations      PO Box 671
http://www.buoy.com                 Ridge, NY 11961
[EMAIL PROTECTED] [EMAIL PROTECTED]  (631)924-3728 (888) 924-3728
Re: DNS servers
On Fri, 22 Nov 2002 23:35, Toni Mueller wrote:
> Like checking all the reverse-mapping hassle that's going on on the Internet. Most people don't do it right, no? Doing it right with BIND is work. Doing it right with djbdns comes for free if someone likes to delegate the reverse mapping to you, and/or accepts to pull it from you.

For a large number of zones forward and reverse are handled by different servers and this won't solve the problem (only reduce its prevalence).

dlint is the way to solve the problem.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
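Two points in this thread are easier to see with code than with prose: Bernstein's claim that the tinydns data file is simple to parse because every A record is either written explicitly or produced by a fixed expansion rule (and that a record is only answered for when some suffix of its name has an NS line), and Russell's point that forward and reverse mappings drift apart, which dlint catches by querying the live servers. The script below is an added example, not code from djbdns, from Bernstein's mail or from dlint. It parses a constructed tinydns data file the way the awk script in Bernstein's mail does, but keeps the expanded records so it can also report which records tinydns would silently never serve and which A and PTR records disagree, offline, before the data is published. The expansion rules are taken from the tinydns-data documentation; the sample zone is made up for illustration and the script handles IPv4 and the common line types only.

```python
"""Parse a tinydns-data file, expand the higher-level line types (=, ., &, @)
into the A/PTR/NS/MX/SOA records they generate, list which records tinydns
will actually answer for (only names with an NS line for some suffix), and
cross-check forward (A) against reverse (PTR) mappings.
Added example, not code from djbdns or from anyone in the thread. The
expansion rules follow the tinydns-data documentation; the data file below
is constructed. IPv4 only; C, Z, ' and ':' lines are skipped."""

import ipaddress

SAMPLE_DATA = """\
# constructed sample data file, not a real zone
.example.com::a
&example.com::b
=a.ns.example.com:192.0.2.1
=b.ns.example.com:192.0.2.2
.2.0.192.in-addr.arpa:192.0.2.1:a.ns.example.com
=www.example.com:192.0.2.10
+www.example.com:192.0.2.11
=mail.example.com:192.0.2.20
@example.com::mail.example.com
^30.2.0.192.in-addr.arpa:old.example.com
=host.orphan.test:192.0.2.40
"""

def reverse_name(ip):
    """'192.0.2.10' -> '10.2.0.192.in-addr.arpa'."""
    return ipaddress.IPv4Address(ip).reverse_pointer

def qualify(x, kind, fqdn):
    """x field of '.', '&', '@' lines: a dotless x is short for x.<kind>.fqdn,
    an empty x becomes <kind>.fqdn (the same rule as printx in the awk script)."""
    if "." in x:
        return x
    return ".".join(part for part in (x, kind, fqdn) if part)

def parse_tinydns_data(text):
    """Return (name, type, value) tuples; names lowercased, no trailing dots."""
    records = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line[0] in "#-":          # comments and disabled lines
            continue
        kind, fields = line[0], line[1:].split(":")
        fields += [""] * (8 - len(fields))       # missing trailing fields read as ""
        fqdn, ip = fields[0].lower(), fields[1]
        if kind in ".&":                         # NS (plus SOA for '.') and glue A
            ns = qualify(fields[2].lower(), "ns", fqdn)
            records.append((fqdn, "NS", ns))
            if kind == ".":
                records.append((fqdn, "SOA", ns))
            if ip:
                records.append((ns, "A", ip))
        elif kind == "=" and ip:                 # host: A plus the matching PTR
            records.append((fqdn, "A", ip))
            records.append((reverse_name(ip), "PTR", fqdn))
        elif kind == "+" and ip:                 # A only, no PTR
            records.append((fqdn, "A", ip))
        elif kind == "@":                        # MX plus optional A for the exchanger
            mx = qualify(fields[2].lower(), "mx", fqdn)
            records.append((fqdn, "MX", mx))
            if ip:
                records.append((mx, "A", ip))
        elif kind == "^":                        # explicit PTR
            records.append((fqdn, "PTR", fields[1].lower()))
    return records

def address_list(records):
    """Every (ip, name) pair that has an A record: what the awk script prints."""
    return sorted({(value, name) for name, rtype, value in records if rtype == "A"})

def is_served(name, ns_suffixes):
    """tinydns only answers for names that have an NS line for some suffix."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in ns_suffixes for i in range(len(labels)))

def unserved_records(records):
    """Records present in the file that tinydns will never hand out."""
    ns_suffixes = {name for name, rtype, _ in records if rtype == "NS"}
    return [r for r in records if not is_served(r[0], ns_suffixes)]

def check_reverse(records):
    """(A without matching PTR, PTR without matching A) as sorted (name, reverse-name)
    pairs: the mismatches dlint finds by querying, found here offline in the file."""
    forward = {(name, reverse_name(ip)) for name, rtype, ip in records if rtype == "A"}
    reverse = {(target, rname) for rname, rtype, target in records if rtype == "PTR"}
    return sorted(forward - reverse), sorted(reverse - forward)

if __name__ == "__main__":
    recs = parse_tinydns_data(SAMPLE_DATA)
    for ip, name in address_list(recs):
        print(ip, name)
    print("never served (no NS for any suffix):", unserved_records(recs))
    print("A without PTR / PTR without A:", check_reverse(recs))
```

On the sample, the `+www.example.com` line shows up as an A record with no PTR, the stray `^30...` line as a PTR with no A, and `=host.orphan.test` as a record that is in the file but never answered because nothing delegates `orphan.test` or `test`. Run it against `/service/tinydns/root/data` before `make` to catch the first two before anyone else does; the third is exactly the "NS for some suffix" rule quoted above, and this check is only meaningful when the forward and reverse zones are both in the same data file, which is Russell's caveat.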
Re: load average question
On Fri, 22 Nov 2002 23:51, Scott St. John wrote:
> A few weeks ago we talked about me moving a server from BSDi to Debian. As luck would have it that BSDi server gave out last Monday and I had to move fast to replace it. Knowing I can do a RH install in about 30 minutes I went the route of familiar territory and installed 7.2 with Sendmail/QPopper/Apache/OpenWebMail. I am paying for that now with a huge performance problem. I am seeing Load Averages spiking above 6 during the day. Hardware is a Dual P3-600 with a gig of ram on a IBM Netfinity Raid 5 controller.
>
> The owner of the company wants to go back to BSD, but I want to pursue Debian. So the question is: is anyone running a similar set up with either Sendmail or Postfix servicing 2,000+ email accounts with any performance issues?

Apart from webmail that should be a trivial load. Webmail systems seem to take up lots of resources in my experience, is it an option to have a separate machine for webmail?

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page