/home/lord

Lock your /etc/resolv.conf in OpenWRT

Sat, 07 Apr 2018 18:41:29 +0200

OpenWRT hate me and I hate it too !

Yes it’s a weird intro but it’s true. Each time i need to edit any setting on their web interface i start cleaning the flat or find something else to do. I’m used to managing classic Linux systems via SSH but I can’t find anything in their system.

Even defining you DNS resolver is hard on their system.

Ma Internet connection is provided thanks to DHCP which means i get the IP settings AND a DNS resolver.

Except, I don’t need this service from my ISP as I already have my own resolver. And this funny OpenWRT doesn’t try to ease my pain.

So I SSH into the router and try the famous chattr +i /etc/resolv.conf.

chattr: Operation not supported while reading flags on /etc/resolv.conf

O___o Dafuck !

Hoo it’s a symbolic link to /tmp/etc/resolv.conf . Well … why not ?

So I try to chattr +i this file.

It fails too with the same error.

GRRRRRRRR I HATE NOT BEING ABLE TO DO WHAT I WANT ON MY DEVICES !

Breathe

rm /tmp/etc/resolv.conf

rm /etc/resolv.conf

Breathe again

crontab -e

* * * * * printf "#SET VIA CRONTAB\nnameserver 10.2.0.1\nnameserver 10.2.0.2\n" > /etc/resolv.conf

We wait one minute.

If the file is right :

chattr +i /etc/resolv.conf

Here it is !

No more trouble.

As usual I fight against stranges choices from this linux distro but at least it’s a Linux so you can fiddle with this !

This technique is « ceinture + bretelles » ( belt + braces ) but now I’m sure not to use my ISP’s resolvers.

Web ≠ Internet

Thu, 29 Mar 2018 22:29:14 +0200

There are some things bothering me.

For some it’s the Interpunct (there is a global french crisis about it in France), for others it’s la digitalisation (in France the translation for digital it numérique which comes from numbers (0 and 1) but many use the world digital which in French is an adjective meaning “about fingers” like fingerprints are empreintes (prints) digitales), others despise blockchan leading to disrputions but my Nemesis is using « Web » and « Internet » exchangeably.

Web ≠ Internet

You know why it pisses me off ?

Because those are two different things !

Internet is a network of networks

Internet is an amalgation of many networks talking the same language interconnected. One giant worldwide network talking IP which means Internet Protocol.

The web is a protocol to transfers data

The Web or World Wide Web is a system to share data (most of the time in only one-way) some Hypertext documents. Hypertext is a systèm to link many documents to each others only with some text

This ← this is an hypertext link. It will let you read another document at another adress without you needing to finish to read this actual document. We could call Gamebooks Hypertext books as you won’t read them linearly but follows link.

Anyway, I digress.

Those two can work independantly

Internet was created in 1983 with the adoption of IP (but it existed for at least two decades).

The web was created in early 90s so wayyyyyyy later !

Before the web, people were already sending mails. It’s the oldest social network still in use !

It’s possible to do Web without Internet : you can setup a webserver without connecting it to the Internet. That’s not rare at all actually as many Intranets works this way and many IoT provide web Interfaces without accessing the Net.

You can use the Internet without using the web. When you open a webpage, before using the web, you’ll use the DNS (from 1983 too, before the web itself). If you are using emails, you’ll probably won’t use the web. If you are chatting in IRC you’ll use the Internet but not the web. When you are playing an online video game, you’ll use the Internet, not the web.

Web ≠ Internet

Even if those last years, lots of people are trying to push everything in HTTP (the web protocol, Hyper Text Transport Protocol), you should not exchange those two terms.

AV1 is released !

Wed, 28 Mar 2018 15:48:38 +0200

You may not be waiting for it but it’s coming. AV1 is a brand new video codec. One more but this one is made by AOMedia and that’s what matters.

AOMedia : Alliance for Open Media

AOMedia is a new consortium quite which aims to provide the world with a royalty-free codec. It may looks strange but nearly every major video codec came from a single actor : the MPEG-LA which specialized in selling licences for all its codecs. AOMedia regroups many big companies and foundations tired of feeding the MPEG-LA.

There is Google, VideoLan, Nvidia, Netflix, Mozilla, Xiph, Facebook, Cisco, Arm, AMD, Microsoft, Intel and many more.

AV1

It’s a new video codec which merges many different tries.

Xiph and Mozilla were working on Daala.

Cisco on Thor.

Google whith VP10 (sorry it’s a VP9 link but trust me they were working on VP10).

They choosed to all work together to replace their need for H265 and bring a new alternative. This codec can be used freely and safely without infringing patents anywhere in the word.

If all goes well, it will spread quite fast (will all those supporters it should be easy). Performances are announced to be at least as good as H265 and maybe better. It will probably become the next codec on web videos in a future html5 revision to replace vp8 and vp9 in webm.

The source code can be found here. Gstreamer 1.4 already provides an experimental support and VLC3 too.

I’m excited to try it to see if it’s usable without hardware (en|de)coder.

Sisyphus the spam mover

Tue, 20 Mar 2018 15:33:09 +0100

I already talked about my mail stack. Some months ago i added a new antispam to it.

Firstç there is Postscreen in frontline (almost in before Postfix) which rejects something like 80% of spam before using any resources.
Then I use Rspamd which works after Postfix and before Dovecot which also removes all the remaining spam.
Last there is Sisyphus which works after Dovecot, directly on the maildir.

Yes, it’s clearly overkill. I know, i already chanted Postscreen and Rspamd (sorry, only in french) and now I announce a use a third one…

Why three antispam ?

Well, Postscreen removes the dumb spam. All non targeted mails from bad spammers using bad scripts but consisting of most of the flood. With it, you lighten the load on your mail stack by sparring yourself cpu/ram/disk. You’ll drop spam before entering your stack. It’s the bare minimum to install. Rspamd could replace it but it would require more resources.

Then Rspamd is the real antispam. It’s way smarter than Postscreen and Sisyphus and could be enough. It uses lots of rules with mostly good defaults But I don’t want to spend time tweaking it. I hate mails. Even after lowering the required score to be rejected i keep getting spam in my inbox. I have one or two spam reaching my inbox and 0 false positive. I could add rules, or refine existing ones to crush those last two spams a week but it’s too much work.

Then i discovered Sisyphus ! It’s very lightweight, nothing to configure. Nothing to change in Postfix/Rspamd/Dovecot/Rainloop. And it succeeds to remove those last two fucking spams. It can even be used on the client side directly in your local maildir. I wasn’t looking for a new antispam but it fits my new needs.

Sisyphus watizit ?

It’s not a full-featured antispam with a large ruleset and all. It’s just a small Go program which reads your spam and your ham and analyzes all the words to feed a bayesian filter. When you throw a mail to the spam folder it will learn. If you move a mail from it, it will learn too.

You don’t need to configure anything.

How to use it ?

First, your mails must be stored in a Maildir but we are in 2018, nobody uses anything else (well, except Thunderbird). Then you install Sisyphus as you install everything else. In my case git clone then make build and it’s ok (thanks Go).

Well you still need to tell Sisyphus where is your maildir. export SISYPHUS_DIRS=“/home/lord/Maildir”

And now launch it sisyphu run& .

It’s done.

You’ll now see your mail moving by themselves to your junk folder.

Sisyphus needs some time to learn your mails

You can run sisyphus stats to see if it is working right or not. It will build its database alone like a grown-up (notice that the db is very small).

I may remove Rspamd in the future if it works well enough. I’ll see. After more than 3 months running it’s getting quite accurate.

GLSA from Gentoo

Tue, 06 Mar 2018 23:02:14 +0100

I realized I never talk about Gentoo on my blog. It’s by far the best Linux distribution.

Instead of trolling, Gentoo is good because (but not limited to) you can quickly check if your system is vulnerable to a known security breach.

GLSA

Gentoo isn’t a giant distro with lots of devs but is still pretty well staffed. There are multiple dev teams with different focus with one dedicated to security. This team publish security reports called GLSA wich stands for Gentoo Linux Security Advisories.

These are regularly published and lets you being informed about new breaches in multiple softwares provided throught portage. To read them their are multiple ways. I follow their RSS feed with Nib.

GLSA-Check

But to be sure i use glsa-check which is a small tool in gentoolkit (a set of tools to use in Gentoo).

A little glsa-check -l (one a day) will list all the known vulnerabilities affecting your system. If it find anything, you can also get more info thanks to glsa-check -d XXXXX-XX. You’ll know when this vulnerability was discovered, which packages are affected in which version, what’s the impact and how to fix it.

Then you can directly glsa-check -f XXXXX-XX to fix the vulnerability by itself. It will often just upgrade a package or two to the right version.

This small tool isn’t very popular but it is very efficient and fast. It won’t replace a sane updating policy but it will let you get enough information on a running system. Keep on emerge -uDnav @world regularly.

By the way, if you want to add another interesting feed to you rss aggregator, Debian publish their DSA.

Reverse proxy, 6 months later

Thu, 01 Mar 2018 10:55:02 +0100

Last september i wrote about setting up an nginx micro-cache in reverse proxy, so here i a little feedback.

Since then i didn’t changed the settings excepting the caching duration which i increased to 10 minutes.

On the maintenance side, nothing to do. Everything works fine on its own. Sometime I want to clear the cache manually to try some edits without waiting cache expiration. In those case a little rm /var/www/lecache/* and it’s done.

I didn’t mentionned it in the first post but the cache is on a tmpfs (so in RAM) instead of the disk. It’s a bit faster and it spares the NAND from the host. I allocated only 100MB which is more than enough in my case to host my entire blog (i only need 12Mo for now).

Little reminder on how it works

The client (you the reader) requests a webpage.

The reverse proxy receive the request and consults its cache. If thea page isn’t there or is outdated, it reaches the upstream to get the page.

The proxy receives the page from the upstream and transmits it to the client and stores it in its cache.

While the cache doesn’t expire, the reverse proxy won’t contact the upstream server.

How do I collect stats from my site ?

You may have noticed my site is quite … minimalist. It displays well in console web browsers so i hope it also works well with screen readers. Excepting some rare blogposts with images, a page only need 3 requests to render properlx : one for the webpage, one for the CSS and a last one for the optionnal favicon.

Iç don’t use javascript nor fake 1px images to track visitors.

I only read the logs from the webserver. I use GoAccess which gives a beautifull TUI with some stats. It’s way more basic than Google Analytics or Piwik but I don’t need more.

It’s just a personnal blog. I only write for my own pleasure even if it’s pleasing to learn that people read it.

Reverse proxy impact on the upstream server

My upstream server is a small Atom D510 from 2011 which could take the load without troubles.

The reverse proxy is a smaller machine. It’s a LXC container on a Turris Omnia.

To see the impact of the reverse proxy, the easiest way is to compare the nginx logs from the upstream and proxy servers.

I see clear difference (it’s even clearer since I changed from 1s to 10minutes).

During “little days” the difference is quite small but during “big days” the proxy provides more or less two third of the traffic without reaching the upstream.

I now can stop the upstream server while the website keeps being served by the turris (the spof is now the turris).

Numbaz !

Here is February :

	Upstream	Proxy
Total requests	56389	131813
Unique Visitors	12848	19894
Log Size	9.93MB	22.61MB
Bandwidth	4.35GiB	7.55GiB

We all depend on registrars and registries

Wed, 21 Feb 2018 14:02:59 +0100

Purism just suffered from a massive dns outage. All their websites were down.

What caused this ? It appears their domain name was unreachable. After looking for a bug in their DNS servers, their was nothing to be found.

The registrar

It came from their registrar. The registrar is the entity from which you rent your domain name (no you don’t buy a domain name). They phoned to the hotline but apparently nothing were wrong on their side. They tried to reach their .sm specialist which was unavailable until the morning.

So they waited.

On the morning, the specialist checked everything and found nothing.

We need to go Deeper !

The registry

Deeper their is the registry which sells licences to registrar to rent domain name from their TLD (top level domain, the right part of a domain name).

Bad luck .sm comes from the San Marino in Europe.

So they waited, again, while everything was off.

Purism bypassed their registrar and directly contacted the .sm registry.

The registrar didn’t payed the registration fee.

Hahahahaha, i’d love seeing the faces of Purism’s technicians when they learned that their registrar was faulty.

So, everything get fixed, everything now works fine.

Conclusion ?

** Choosing a registrar can have direct consequences on the availability of your infrastructure.**

You may have RAID, VM with high availability, a multi-homed network, in multiple datacenters, your domain name and your registrar will ever be your SPOF (single point of failure).

Purism choose to take another domain name in another registrar on another TLD but that’s not a perfect solution : if your clients don’t try to reach you by your backup domain name… you have no backup.

** Choosing a registry can have direct consequences on the availability of your infrastructure.**

Like you registrar, your registry (it means the TLD you choose) is crucial. Choosing a TLD for its œsthetics can be a future outage.

Even if you host your own DNS servers with fine management, you can still suffer from an outage of your underlying layers.

International Fixed Calendar or CAL13

Tue, 20 Feb 2018 11:24:31 +0100

International Fixed Calendar or CAL13 is a different calendar system than ours.

It uses 7 days a week.

With 4 weeks a month.

So each month last 28 days.

And there is 13 months a year.

Just add a white day each year as a day off to get your 365 days a year.

What does it looks like ?

Here is your monthly calendar which works for every months.

Lun	Mar	Mer	Jeu	Ven	Sam	Dim
1	2	3	4	5	6	7
8	9	10	11	12	13	14
15	16	17	18	19	20	21
22	23	24	25	26	27	28

There are multiple propositions for where to place the thirteen month ? and which day should start a week ?.

The most popular is to name the month Sol and to place it between June and July. The beginning of the week could be Sunday or Monday.

Advantages

You’ll know which day is the 24 of any month.
Each month last the same duration, no more long months and short months.
One extra day off !
No more Friday the thirteen !
Being synchronized with the moon.
Being synchronized with the average menstrual cycle.

Origins

Many people tried to ditch the Gregorian calendar.

The first person was Hugh Jones in 1745. Then Auguste Comte also proposed to adopt the Positivist Calendar in 1849. A bit closer was Moses B. Costworth in the 1900s.

Why no one use it ?

The actual system is good enough not to inflict ourselves an incredible amount of work to adopt it. There is a lot of inertia to fight in order to change as usual. It’s the same old story as the US adoption of the metrics system.

The Kodak Company relied on this calendar between 1928 and 1989… it probably was a tremendous hassle to work with the two systems in parallel.

On top of the difficulty to use a new system, it would be even harder for historians to play with a new calendar to synchronize old dates to new ones.

What if instead of using a wrong starting reference (no Jesus wasn’t born on the first of January 0 (nor the 25 of December -1)) we used a new reference ? The Holocene Calendar chooses to start in -10 000 with the start of the human civilisation.

Meta-news about the blog

Sun, 11 Feb 2018 10:34:48 +0100

Two months after introducing fast-posts here a small report.

Rythm

I think i reached a nice regular rythm to publish new articles. It’s not a difficulty anymore. It’s now easier and more natural to write content. It’s a even a real pleasure to write.

Creating a distinction between traditionnal posts and fast-posts was a good decision which let me being more spontaneous.

Layout

I tweaked a bit the site layout.

First, i added the last edition date (if there is one). It’s manual for now but i may change that later by using the file git metadata.

I then corrected fast-posts colors in list pages. For those who haven’t noticed yet (mainly the rss readers), fast-posts have a blueish tint. This slight blue wasn’t applied in lists.

Lists ? It was half broken but I repaired page lists. When you click in articles tags (like “meta”, “hugo”, “blog”, “git” on the top), you go to a page which lists every articles from this category. You may not know it but it was broken but it’s better now. I tweaked my hand-crafted hugo theme (it’s probably not the best place to change it but you know…). One day I’ll publish the theme somewhere.

As I repaired categories, I added a lot of tags to existing articles.

CSS

Let’s talk about the æsthetics changes in CSS.

Stylized a little bit the last edition date in articles.

I also changed the <hr> style which where awful to now reach the meh-level.

I indented list items which where a bit too much on the left.

I centered images.

And also added some style to <table> which you’ll see in a future article.

How do i do it ?

I always have one or two articles waiting before releasing them.

I put them off for some days before returning to it. This increase the quality of articles.

Before, i wrote article and released them without waiting. Hours/days after being published, i often had to add/remove things from the articles. By letting them sit on my cold computer for some days and then re-reading them before releasing, i can change them, see typos and all. This way all articles have a second pass before being published.

Having always some articles close to be published i can maintain a good publishing rythm. It’s a small tip which increase quality without any downside.

Which tools to publish ?

How it’s done ?

cd ~/www - That’s where i keep the sources files
hugo new posts/xx-titre-du-post.md - to create the file with metadata
amp - to start amp and write text
hugo server –navigateToChanged -F -D –disableFastRender - to be able to browse edits in realtime.
git add content/posts/xx-titre-du-post.md - to add the new file to the git repo
git commit !$ -m “[BLOG] ajout article xx titre du post” - to commit files and add a comment to the repo
git push - to save the repo and publish on the website.

What if you built your blog ?

Multi keyboard layouts in Xorg

Wed, 31 Jan 2018 21:18:40 +0100

I really like keyboards. I often plug multiple keyboards on my computer… at the same time. It’s a bit pointless but I like fiddling with keyboards. My main keyboard is in a slightly tweaked bépo (a dvorak-style french layout) while most of the others are in azerty and even some in qwerty. So I configured Xorg to provide these features :

My main board must provide bépo, azerty and qwerty
Other keyboards must provide azerty, bépo, qwerty
Right Ctrl must be the Compose key
Ctrl-Alt-Backspace must kill the Xorg session
Left-Shift + Right-Shift must cycle the layouts

So all of this can be configured in /etc/X11/xorg.conf . Some linux distros replaced this file with a folder containing multiple files to split the xorg.conf, find the one containing input devices.

Section "InputClass"
    Identifier "evdev keyboard catchall"
    MatchIsKeyboard "on"
    MatchDevicePath "/dev/input/event*"
    Driver "evdev"
    Option "XkbLayout"      "fr,fr,us"
    Option "XkbVariant"     "oss,bepo, "
    Option "XkbOptions"     "compose:rctrl,terminate:ctrl_alt_bksp,grp:caps_toggle"
EndSection

Section "InputClass"
    Identifier "Custom Keyboard"
    MatchIsKeyboard "on"
    MatchDevicePath "/dev/input/event*"
    MatchVendor "Lord_Corp"
    Driver "evdev"
    Option "XkbLayout"      "fr,fr,us"
    Option "XkbVariant"     "bepo,oss, "
    Option "XkbOptions"     "compose:rctrl,terminate:ctrl_alt_bksp,grp:caps_toggle"
EndSection

As simple as that

How does it work ?

So Xorg works with some “drivers” where one is evdev which must find all the input devices and configure them. It works by scanning /dev/input/ and reading each file corresponding to every input devices found by the kernel.

Depending on the type of a device (mouse/keyboard/tactile board/…) it will apply a different configuration. It does this thanks to catchall rules.

Evdev is generous as it lets you apply specific configuration to specific a device by selecting it with additional match. In my case, i pick the Vendor field (provided by the device) matching Lord_Corp.

Where do I find matching criteria ?

Easy: xinput –list –long

Filmmenu, a little script to launch movies

Sat, 27 Jan 2018 12:57:33 +0100

Here is a quick blogpost to show you filmmenu. I use a NAS at home with many hard drives and many partitions. I don’t have a RAID (no need) so my files are scattered in all partitions.

All my datas are well sorted except for movies which are in multiple partitions. So when I’m looking for a specific movie, I never know where to look at. So I wrote this think :

#! /bin/sh
DB="/var/db/filmmenu"
if [ $(mountpoint -q /mnt/bender) ]
then
        timeout 3 i3-nagbar -m "/mnt/bender n'est pas mount ! Un ptit coup de sshfs au préalable"
        exit
fi
if [ -r $DB ]
then
        if [  $(date -r "$DB" +%s) -lt $(date +%s --date '45 days ago') ]
        then
                timeout 4 i3-nagbar -t warning -m "DB de plus de 45 jours, update !"
        fi
                exec mpv "$(cat "$DB" | dmenu -i -l 10 -lh 40 -fn 'Droid Sans Mono-15')"
  exit
else
        printf "Création de la DB\n"
        timeout 3 i3-nagbar -t warning -m "Création de $DB, on vous prévient quand c'est fini"
        find /mnt/bender/stockage/*/films/ > "$DB"
        timeout 3 i3-nagbar -t warning -m "$DB créé, c'est tout bon. Vous pouvez relancer la commande"
fi

I launch it with Alt è in i3. Here what it does :

Mountpoint checks that the NAS is mounted on the right place. If it’s not it spits an i3-nagbar which is a small utility from i3 displaying a bar with a configured message.

Then we test if the database exists and if it’s not older than 45 days. If it’s not we create the file with a basic find redirected to a file (the database).

We then give the file to dmenu which prompts the user to select which movie to watch. Then mpv gets the movie path and plays it.

Quick & Easy

Mozilla starts restricting new Firefox features to HTTPS-served pages

Wed, 17 Jan 2018 13:00:08 +0100

In its quest to a safer web, Mozilla just announced they are going to restrict new firefox features to webpages served through HTTPS.

Even if i’m completely convinced that HTTPS should be used everywhere i reckon that it can’t be done in all cases.

Sometimes it’s not possible to deploy HTTPS. Here is some examples which come to my mind : - If the webserver isn’t connected to the Internet, it’s getting complicated to get a valid cert (it’s a completely legitimate use case to deploy a webserver without Internet access). - If the webclient can’t keep the timedate while off it can be complicated to validate a cert too (many devices don’t have a realtime clock like all the raspberries). - When you are using a machine with an outdated openssl not too old but old enough to not being compatible with modern crypto…

That’s for all these reasons that contrary to many common guidelines, I don’t redirect unencrypted trafic to HTTPS. It’s a choice i let to my visitors. If they wan’t secure content they can have it, if they don’t I won’t force them.

Well, I hope Mozilla won’t extend this restriction to their older features.

The death of Vimperator : how does an opensource software die ?

Wed, 10 Jan 2018 11:51:39 +0100

It’s over for Vimperator. While Firefox dropped its old API, Vimperator couldn’t survive. I don’t know why but it’s with a pinch in the heart that I see the closing of the github issue which could have saved it.

There is nothing new. We knew it for more than a year but today is the day. Just with the little red icon notifying the end. The repo will still be there with the code and all to be archived. A testimony of a finished era.

But don’t be too sad, it’s legacy will remain strong. There is a small community of addons mimicking vimperator which rise from its hashes. Qutebrowser also is gaining some users. So all is not lost. Vimperator is now a fertilizer for a lot of new opensource projects so it’s a good news !

Monoculture disaster in the CPU world in early 2018

Tue, 02 Jan 2018 22:05:14 +0100

Monocultures proved multiple times they were risky not only in the IT world. When you plant only one type of vegetables, you risk losing everything when an insect or a disease chooses you. Today, time has come for Intel CPUs to suffer.

Intel’s monopoly

Intel is a leader in CPU for many decades and sometimes it becomes a monopoly. It’s like this for at least ten years. AMD is just recovering thanks to its new Zen architecture after ten years of despair. Intel is alone in the server world (Xeon are everywhere) and only some left overs is shared to AMD in the laptop/desktop world. We can also notice that those last 7 years, CPU’s performances stalled a bit. My current computer hasn’t changed for six years and is still competitive today (but it’s another story). The actual monopoly is a strong monoculture of Intel CPUs in the amd64 world.

So what ?

Well, a security breach has been found. We still don’t know everything as there is an embargo for now to let some time to the devs to publish patches. Apparently every Intel systems are affected (from the last 10 years).

This breach comes from a bug in the hardware architecture of the cpu. There is a patch for the linux kernel but it comes with a major drawback. There is a 5 to 50% performance loss on some syscalls

We also now know that AMD isn’t affected thanks to a second patch.

Official logo of the Meltdown attack

Is it serious SERIOUS or just serious ?

It is SERIOUS. This breach is exploitable on many levels. Virtualized systems are impacted. Apparently it can even be used through specially crafted javascript.

So, even a personal machine could be affected through a web page. Every VM hoster is probably patching as soon as possible.

We don’t know for now every details but as usual we don’t know if it’s already used in the wild.

Official logo of the Meltdown attack

What to do ?

Patch as soon as your OS release the update.

And for the next time, buy some AMD system to lessen the Intel monopoly. The new Zen architecture is performing more or less the same as Intel and you can have more cores for the same price.

A bit more reading :

PS :

We have a lot more information. First there is 2 breaches. One called Spectre and another one Meltdown and there is now an official website which confirms more or less everything we suspected. It’s still unclear if AMD and/or ARM is affected or not.

PS2 :

05/01/2018 : We now know that this breach can be exploited from javascript. Web browsers need to be patched. You could disable javascript while waiting for a patch. You’ll see that the web from 2018 is quite fast without js.

Last 2017 Firefox' Drama

Sun, 17 Dec 2017 10:43:22 +0100

Mozilla had a great year. Since Chrome’s first release and its gigantic marketing (remember those video ads, giants billboards in all inhabited place, and all those links on Google’s websites…), Firefox’s market shares slowly diminished. But Mozilla is awakening and many of its efforts starts to show off.

Now Mozilla release “oxidized” Firefox (it means they are implementing more and more code written in Rust (rust… oxide… it’s not my idea, it’s semi-official)) and rebuild all its infrastructure with some trade offs. The biggest one is the end of all the ancients addon’s API and the adoption of a new one : webextension. It’s a big loss but it’s for better stability and security. Many users felt betrayed and choose to change their browser (mainly to adopt browsers with the same new addons api than firefox (ironic)), me included. But finally the ultimate drama of 2017 is elsewhere.

SpyGlass

Mozilla pushed to all Firefoxes a small unactivated addon. But if you accidentally go to about:config and change the right setting, to the right value, you could have activated this addon which adds headers and other references to Mr Robot. Such a drama !

Seriously, if you are panicking because an unwanted addon has been auto installed but not activated without your consent you should stand back a little. You just have a self-updating browser (in most cases), which can add code you (probably) can’t see (whereas you can see a new installed addon), which add code you can’t remove (whereas you can remove an addon) and which is limited (whereas actual code can access your filesystem, network and hardware).

Moreover, if your reaction is to adopt a closed-source browser (most other browsers), you expose yourself to the exact same thing but without all the advantages from an addon (security, restricted access, removability, discoverability) and you can add all the bad stuff that comes with closed-sources software…

I reckon Mozilla’s attitude is pretty bad. No communication at all, it looks like an ad and/or hacking attempt. But it’s far from all the closed-source problems.

Mozilla started communicating about it in its knowledge pase.

AMD Graphic Drivers 2017

Thu, 14 Dec 2017 17:02:52 +0100

In 2007, AMD adopted a new strategy about their graphics drivers after their ATI acquisition. They decided to help opensource graphics drivers developers by releasing a lot of documentation.

A few years later they helped more by dedicating some of their devs to the opensource driver.

Again, they later adopted a new architecture where their proprietary driver and the opensource one share the same kernel module to mutualize devs efforts.

What did they just do ? They opensourced their Vulkan implementation. There is now two opensource implementations available for radeon users. The historic one in mesa whose performance are still far from optimal but fully functional. The new one from AMD burrow a lot of code with their Window’s vulkan implementation.

They also released a new installer which let user choose which parts they want to install : you can mix proprietary and libre. What to expect more ? (nVidia ? Would you do the same ?)

And in Gentoo ?

I recently replaced my old radeon 6950 with a radeon rx580. To do this i edited /etc/portage/make.conf to change the right variable VIDEO_CARDS=“amdgpu radeonsi” , then emerge -uDnav @world the last thing to do is putting the new firmware in /lib/firmware and edit /usr/src/linux/.config to add it :

CONFIG_EXTRA_FIRMWARE="amdgpu/polaris10_ce_2.bin amdgpu/polaris10_ce.bin \
amdgpu/polaris10_k_smc.bin amdgpu/polaris10_mc.bin amdgpu/polaris10_me_2.bin \
amdgpu/polaris10_me.bin amdgpu/polaris10_mec2_2.bin amdgpu/polaris10_mec_2.bin \
amdgpu/polaris10_mec2.bin amdgpu/polaris10_mec.bin amdgpu/polaris10_pfp_2.bin \
amdgpu/polaris10_pfp.bin amdgpu/polaris10_rlc.bin amdgpu/polaris10_sdma1.bin \
amdgpu/polaris10_sdma.bin amdgpu/polaris10_smc.bin amdgpu/polaris10_smc_sk.bin \ 
amdgpu/polaris10_uvd.bin amdgpu/polaris10_vce.bin"

And voilà ! A kernel compilation and a reboot later and it’s ok…

Fast-Posts

Wed, 13 Dec 2017 22:35:07 +0100

Here is a new section on my web site. Fast posts. I post more and more on my site. I try to produce content of better quality. Articles become longer and need more work.

You probably notice that i greatly increased the release rythm. At first it was tedious but it comes more naturally now. I find it quite appealing writing on my site. I’d like publishing more regularly but if i stick to big complexes articles I won’t be able to sustain this effort for long. So I decided to open a new section dedicated to shorter articles. I’ll probably react to news headlines.

For now I’m not sure how to differentiate the content on the site. I tweaked the theme i use and probably continue in the following weeks. I hope my english writing skills will improve. I do my best but even in the French version there are a lot of spelling mistakes.

My software wishlist : Vol1

Wed, 22 Nov 2017 15:08:53 +0100

Here’s my 2017 letter to Santa Code. I don’t think all my wishes will be answered but we never know…

||| : Le magic pipe

You know what really grinds my gear ? I frequently open many terminal emulators. Often i connect to various remote boxes. Sometimes with multiple jumps. Even sometime on machines without Internet access (containers and VM accessed from the hypevisor).

Well. You just want to transfer a file between two of your terms… it’s only spaced by some pixels on your screen but they can’t connect each other !

GRRRRRRRRRRR

Close your eyes.

Breathe slowly.

Hold back your tears.

Open a new tmux session.

Curse yourself.

Reconnect to your machines.

Struggle with tmux to write the scrollback buffer while praying it’s big enough to fit everything you need.

You see the mess. What I propose is : cat my file ||| in one term and in another one ||| > my file. It looks unrealistic, I know. But frankly : who wouldn’t want this ? I could be done on tmux’s layer or below, directly on the terminal’s level (with a daemon or something else).

OpenSSH Escape Sequence to initialize file transfert

As seen above i often connect to multiple remote machines with SSH. You are deep in you filesystem tree and you need to transfer a file. I keeps bugging me to have to open a new term to launch a SCP command.

My simple solution would be to create a new escape sequence in OpenSSH (you know ? Commands beggining with ~. to disconnect or ~? to see all commands available). For now, you can create a new tunnel or close one but that’s more or less all you can do.

Adding ~u and ~d for example to upload or download a file in the actual connexion (it’s permitted by the protocol itself). This feature exist in some obscure ssh client elsewhere but who doesn’t use openSSH ?

Learn to the linux kernel to scan devices before mounting a Raid BTRFS

I’m now a happy user of a RAID6 BTRFS (I am the DANGER, I am the one who loose all its data) but i had to create an initramfs to be able to mount the root filesystem. To mount a multi devices btrfs you must scan all the devices before doing it (btrfs device scan) and then you can mount your fs. The linux kernel could do it by itself but no :-(

Qutebrowser

Wed, 08 Nov 2017 16:03:10 +0100

It’s been some months now that i migrated to Qutebrowser. It’s a small web browser not so popular which differentiate itself not by it’s engine (but in fact yes a bit !) but thanks to it’s user interface. It’s clearly not intuitive but it’s blazingly fast and efficient !

Web engineS

Qute can use many engines. First there is the good old webkit in it’s Qt flavor. But this one is on the road to deprecation Then you can use webkit-ng which is the direct successor. More or less the same thing… Finally you can choose qt-webengine.

You may not know this one but in fact it’s Blink the google made chrome webengine but in a qt flavor. That’s the one i choose.

The User Interface

The main advantage of QuteBrowser (or just Qute or QB) is it’s interface. It’s inspired by famous firefox’s addons : Pentadactyl and Vimperator. The idea is to ditch most of the visible interface and to rely on keybindings and commands from vim. You can now throw your mouse away and sit confortably with your keyboard !

All your interactions will use the keyboard. The only remaining graphic interface is the status bar on the bottom where you have the actual URL, the scrolling percentage, and the tabs.

Qutebrowser's interface showing the french version of my blog

As you can see, it’s quite minimalist.

All your interactions will be the same as in vim. You’ll use the famous hjkl (i don’t use them as my keyboard layout doesn’t match at all) to move yourself. The G and gg to go directly to the beginning/end of the page.

One crucial thing is f which will let you hint all the links. It will add a small label on every links you’ll have to type to open the corresponding link. In my case, i changed the mode to number (:set hints.mode number). I now just type f then i enter some letters of the link’s text and if there is only one match it’s done. If there is more than one, i just type the number of the label and it’s good.

Hint mode

After i typed home

It may seems slow and counter-intuitive at first but after a couple hours you’ll never go back. It’s way faster than the traditionnal system especially if you are already a vimist.

Using it

Text edition

Like vim, Qute is modal. By default you are in normal mode. If you go to a text field (with f or by clicking), qute will automatically switch to – INSERT MODE – but sometimes it doesn’t (thanks js) so you must manually press i. If you are on a page using hotkeys, you’ll have to manually go to this mode too.

It’s nice and all but you edit something longer than usual like a wiki page or a mail will you really write it on your browser ? Nahhh. You’ll use vim ! In a text field press ^e and your favorite (vim of course (or maybe emacs (really ? nano ?!))) will spawn. Once saved and closed all your text will appear in qute by magic ! (To change the editor :set editor.command ‘[“alacritty”, “-e”, “vim”, “{}”]’ ).

Thee status bar

Like in vim, you can launch commands with : . For example : :set content.javascript.enabled false or i don’t know :view-source … There is a good autocompletion system.

It’s also here that you’ll type your searches and url. You can launch :open your search or :open lord.re or just type o then your url. If you want to edit the current url it’s O.

Search engines

By default, if you type a string of text which isn’t an url it will search your string in your default search engine.

But you can add other search enginges which you can choose by typing their character. For example i use a lot :open w linux to open the wikipedia page for linux. And also :open y slayer to open the youtube’s results for slayer. To configure Qute like this just :set url.searchengines ‘{“DEFAULT”: “https://duckduckgo.com/?q={}", “w”: “https://fr.wikipedia.org/w/index.php?search={}", “y”: “https://www.youtube.com/results?search_query={}"}'

Settings

As we’ve see in the articles, you can edit settings with :set your.setting . It’s really fast but sometimes you won’t find what you want. To see every settings available you can open qute://settings.

Tabs

Tabs are called buffers (as in vim). As already explained in 2012, i don’t use tabs but only rely on windows. I manage them with my window manager. Qute is well thought and provide you a nice way to enable this with :set tabs.tabs_are_windows which is the most explicit settings of all :-)

Conclusion

It’s a really good web browser wich can replace vimperator without too much troubles. Some features aren’s already here but they will come and now you can do 90% of what you did in vimperator. It’s a young browser made by a young coder. It’s community is growing slowly and its irc channel is very welcoming and active.

Future evolutions are quite promising. The main dev wants to add a way to have per-domain settings. The ultimate goal is to be able to replicate uMatrix which is the only addon i miss from Firefox.

The official github repo
The official website

Tips concerning videos

I don’t like watching videos inside the web browser but i’m a big watcher of tv replays from arte or youtube videos and sometimes twitch’s streams. What i do is open the web page then ask MPV to open the page to play the video with m.

I also added an hint mode to open the page with MPV instead of qute with Fm.

:set bindings.commands ‘{“normal”: {“F”: null, “Fm”: “hint links spawn –detach mpv {hint-url}”, “m”: “spawn –detach mpv {url}”}}’

Ultimate DNS guide v1

Fri, 27 Oct 2017 13:05:06 +0200

I’m revamping my DNS stack. For the two of you won’t don’t know what DNS is, it’s the reference directory of the Internet. It’s oversimplifying to say it like that. If fact DNS is a replicated, delegated big database. Translating an hostname to an IP is only of its purpose. Let’s go for the 2017 DNS Mega guide !

If you are the lonely regular english reader of my blog you’ll see that there will be some redundant information from some previous blog posts but that’s I want this article to be quite exhaustive.

Where does it come ?

Historically, when you tried to reach a remote host on the Internet, you had to know it’s IP adress. As the network grew it quicly became tedious to know all the adresses. So they used a text file containing the list of all the machines (the famous hosts file). Syncing it was complex and it was a manual task of sending floppies with the file. And then : BIM ! DNS was born. A new distributed/replicated/delegated mondial database !

DNS is organized as a tree where each branch is/can be delegated. As an example www.lord.re actually is www.lord.re. (notice the dot in the end). It’s a path which must be read from right to left.

First we have the root . on the far right. It’s managed by the ICANN.
The comes .re which is the TLD (Top Level Domain, aka domain name extension), which isn’t managed by ICANN but delegated to AFNIC (which manage all french domains like .re (which is from La Réunion a french island in the Pacific Ocean).
Then we find .lord which isn’t managed by AFNIC but by me (as I rent the domain to a registrar).
Finally www which targets my server which I also manage but i could have delegated to someone else.

Now we will go deeper in the technical side of it. We will setup an authoritative DNS server on my -your- domain.

Take yourself a domain name and launch your server

First you won’t buy a domain name but you’ll rent it for one to ten years to a registrar (an authorized seller). Most of registrars can host your domain name but frankly… it’s way funnier to do it ourselves !

In your registrar you’ll have to fill the Glue records. It’s what links your domain name server to the parent’t zone. So you’ll have to give the IP adress and hostname of your DNS server. In my case zapp.lord.re is the server and its adress is 62.210.201.160 . Once done, you’ll mostly won’t have any more contacts with your registrar (except for dnssec and renewing).

Now installing your DNS server… DIY. In my case I didn’t choose the venerable Bind but the almighty Knot which i find way better. Setting it up is easier than Bind especially with DNSSEC. Knot is developped by Nic.cz which is the entity managing all .cz domains. They also developped Bird which is a routing open source software. They also build Turris routers like the Omnia i’m using right now. They build lot of opensource softwares and many infrastuctures tools. They are pushing DNSSEC adoption with their browser extension to check DANE signatures from websites you are browsing.

Confing Knot DNS

Once knot is installed you’ll have to create the config file. The file is quite logic and straight forward. I’ll put almost all of it there :

server:
    user: knot:knot
    listen: [ "0.0.0.0@53", "::@53" ]
log:
  - target: /var/log/knot.log
    any : info
acl:
  - id: acl_localupdate
    address: 127.0.0.1
    action: update
control:
    listen: knot.sock
remote:
  - id: localupdate
    address: 127.0.0.1
template:
  - id: default
    storage: /var/lib/knot/zones
    acl: [ "acl_localupdate" ]
    kasp-db: /var/lib/knot/kasp
zone:
  - domain: lord.re.
    file: lord.re
    dnssec-signing: on
    dnssec-policy: default

Everything is well sorted. Now you’ll have to put your zones files in /var/lib/knot/zones. Knot will generate all the needed keys and will sign your zone by itself.

Gérer la redondance

Setup a secondary DNS server.

This will come later. Sorry ;-)

Publishing your DNSKEY or DS Record to your registrar

The last thing to do with your registrar is giving them your DS record or DNSKEY of your KSK. Written like this it looks very hard but it’s not. This is the last required step to complete the trust chain needed by DNSSEC. Depending of your registrar you’ll give them the DNSKEY or the DS Record.

To find your DS : keymgr lord.re list will show all your active keys. You must find the KSK et memorized its tag. Now keymgr lord.re ds 42754 (42754 is my ksk’s tag). The command will give you three records. It’s the three time the same but with different hash method. You’ll have to choose one (the bigger the better).
To get your DNSKEY it’s the nearly the same story : keymgr lord.re dnskey 42754 and there you go.

Each time you’ll rollover (change) your KSK (it’s recommanded to do it every year or two) you’ll have to do it again. In fact DNSSEC use two type of keys :

ZSK (Zone Signing Key) which are used to sign each record in your zone. This key is quite small (to stay fast) so it must be renewed every month or so.
KSK (Key Signing Key) is only used to sign the KSK. This key is way bigger than zsk so it can be used longer and can be published to you registrar to be in the parent’s zone.

Now you can close your registrar’s web interface and only get there to renew your domain in one year ;-)

What to put in your zone ?

We can put many things in it, let’s start with the most common one :

SOA : Start Of Authority is a mandatory record which gives some required information about the zone, who is the master server, which mail to contact, the serial and some timeout valuess. Here is mine :
```
lord.re.          3600    IN      SOA     zapp.lord.re. lord.lord.re. 2015033233 3600 7200 3600 180
```

The master server (or authoritative) is zapp.lord.re., the contact mail is lord.lord.re. (notice the strange syntax. The arobase is replaced by a dot (it’s easy to forge an invalid email adress)). Then come the serial 2015033233 which must be incremented each time you’ll edit your zone (you’ll forget and will encounter strange behaviors) then some expiry values.

MX : Mail eXchange gives server(s) to receive emails to your domain. You can have multiple servers give them different priorities. You can of course put servers from another domain than yours.
```
lord.re.                2600    IN      MX      10 zapp.lord.re.
```
Here we see that my mail server is zapp.lord.re and it’s assigned priority is 10.
NS : Name Server will give the different DNS servers which know your zone. The main practice is to give hostname to at least two servers and also to have the associated A records to these hostnames (like the glue records seen previously).
```
lord.re.                3600    IN      NS      zapp.lord.re.
```
The (lonely) nameserver for my zone is (once again) zapp.lord.re.
A and AAAA : They are the most famous records. They bind an hostname to an IPv4 (A) or IPv6 (AAAA) adress.
```
lord.re.                600     IN      A       92.167.84.9
```
Here we see that lord.re. can be found in 92.167.84.9.

With this you’ll have most of your required records. Later in this blog post we will see more exotics records.

Editing your zone

There are three ways to edit your zone.

The first is the dirtiest : editing the zone file with your editor and tell Knot to reload the zone from the file. Not a good way to do it. Moreover, you must increment your serial. The problem is that knot will not update this file by itself so if there is an edit, your file won’t be synced.
The second way is clean and standardized. I used it for years as i’ve already written in March 2015. It means using nsupdate (or it’s knot variant knsupdate). It’s clean, the syntax is understandable but i can’t remember it. Each time i have to reread my article.
The third is more recent and is knot-specific : using knotc to do all the edits.

1 : Barbaric edits

You open the file /var/lib/knot/zones/lord.re with your favorite editor and you edit it. You take care of the syntax and don’t forget to increment the serial. Then you test the file with knotc zone-check lord.re and then you reload with knotc zone-reload lord.re. Job’s Done.

2 : Interactive (k)nsupdate

You launch knsupdate which will result in an interactive shell.

    server 127.0.0.1 (you could edit a remote server by specifying its adress here)
    zone lord.re.
    update add|del lechamps 600 A 1.2.3.4 (choose if you want to add or delete a record)
    send

Done. It’s fast and easy. You can also put all the commands in a text file and give it to nsupdate directly which is a good way to script it (but the third method is better to script).

3 : The Knot’s way

You’ll do everything in your shell with knotc :

    knotc zone-begin lord.re
    knotc zone-(un)set lord.re. truc.lord.re. 600 A 1.2.3.4 (you can specify multiple commands like this one)
    knotc zone-diff lord.re. (this is facultative but you'll get a little summary of the expected result)
    knotc zone-commit lord.re.

and there you go. No need to reload or increment serial.

How to send DNS requests ?

You’ll need to know a bit of a new tool : dig (or kdig it’s knot’s variant). It’s a bit verbose but easy to use and understand. Here’s the output of dig lord.re :

; <<>> DiG 9.11.2 <<>> lord.re
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13708
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;lord.re.                       IN      A
;; ANSWER SECTION:
lord.re.                600     IN      A       92.167.84.9
;; Query time: 13 msec
;; SERVER: 10.0.0.254#53(10.0.0.254)
;; WHEN: Wed Oct 11 19:03:54 CEST 2017
;; MSG SIZE  rcvd: 52

So what’s interesting in all this ? Hmmm… status: NOERROR first. It means that there was no error (don’t thank me, it’s all for you). You will encounter other responses like NXDOMAIN which means Non eXistant Domain (the same thing as error 404 from http) and sometime SERVFAIL which means an error from the server (bad configuration, bad zone or else (read your logs)).

Next you’ll check the flags. You’ll want the ad flag which indicate that the response is DNSSEC valid.

Then you have the QUESTION SECTION which shows what’s your request followed by the ANSWER SECTION which comes from the server. You also have the time it took to receive the answer and the adress of the server.

You can query a specific server by adding @8.8.8.8 for example. You can also specify which record you want to get and also if you want to have a trustable answer with dnssec. dig lord.re @8.8.8.8 +dnssec MX or dig @8.8.8.8 +dnssec lord.re MX (i find this order more logic).

With this small howto you should be able to do almost all queries to debug all your dns problems !

Other exotic uses of DNS

Most of the time we use dns as simple directory to translate hostnames to IP adresses. But there are other uses.

A frequent use is DNSBL systems : DNS Black List. It’s a way to query public (or paywalled) blacklists thanks to DNS requests. It’s quite popular among antispam systems. You just need to query a specifically designed dns server with the domain name of the sender mail server and the dns server will answer with predefined answers. For example where is mail.sender.spam.com ? and the dnsbl’s response will be 127.a.b.c where a, b and c corresponds to specific values indicating the spamminess level of the hostname. It’s a fast system very efficient. A good layer on your antispam.

Let’s see some cases we will use. With time, we added a lot of new record types in the DNS which some are now crucial.

When you connect to an SSH server, it will send its fingerprint. It’s the only way to be sure the server IS the server you want and not another one : if the fingerprints changed from a previous session you SSH client will print you it’s prettiest error message. But but but ! How to know if the first time you connect to the server that its fingerprint is the good one ? Well, just publish it in your DNS zone ?

Your SSH fingerprint can be put in an SSHFP record. To generate it, on your SSH server just send ssh-keygen -r lord.re.

lord.re IN SSHFP 1 1 1516af909e7de59af0e4b7cbaefb81c5ddf36b70
lord.re IN SSHFP 1 2 f144fd71beb47a02cc904e305cc35c6ffe034e67b92aa54d1e382c1c1900a104
lord.re IN SSHFP 2 1 83664295d1e46c80cc3ba7865294cbd1649f6350
lord.re IN SSHFP 2 2 c1c1de2b19e6d4e451a9057a3ccc40a53ca29b69c7e2dd006ff4e8884c062ee6
lord.re IN SSHFP 3 1 1929f7d32788a5884d862d2c28a226c73fd62944
lord.re IN SSHFP 3 2 990dfb4b2f3486fb6bf5e5e5a3dd02344da6f42ce5b02992385dfbde30c5d24d
lord.re IN SSHFP 4 1 493848772bcb5b6225424e58e5274984d825f01a
lord.re IN SSHFP 4 2 335d5e9ec2d901b7ffd693fe614f73e4ad0afa40c72d9867dadfd155016c0029

You have now a well formatted record to copy paste in your zone.

It’s a good new default for ssh clients to check these records. In /etc/ssh/ssh_config you should add VerifyHostKeyDns yes (or ask). With this in place you have greatly reduced the TOFU threat of SSH (Trust On First Use). You should really do it for all your SSH servers).

CAA

As previously seen, CAA records will avoid legit CA to sign a certificate for your domain if they are not the one you choose. I consider this new record almost mandatory now. It won’t protect you from a rogue CA but that’s not the same threat level. It can prevent another adminsys from using another CA behind your back. So here’s the only three lines you’ll need :

lord.re.                600     IN      CAA     0 iodef "mailto:lord-x509@lord.re"
lord.re.                600     IN      CAA     0 issue "letsencrypt.org"
lord.re.                600     IN      CAA     0 issuewild "letsencrypt.org"

The first line is the mail adress a CA will contact in case of an attempt to sign without consent. The second line designate the authorized CA for classic certs and the third for wildcard certificates.

TLSA

TLSA is a bit more complex. It’s part of the DANE standard (DNS Authentication of Named Entities) which lets you publish your cert (or its hash) of a TLS secured service. The ultimate goal of DANE is to get rid of CA and putting the trust chain in the DNS. Instead of relying on a third party to attest your certificate is trustable this role is now in your DNS server and DNSSEC. Bad news : nothing implements it. Only postfix and some plugins for your browser, that’s all. But you can have a CA and publish TLSA record. Braces and leather belt (french). You can use DANE/TLSA on any service relying on TLS : http, smtp, imap, irc, … anything.

We won’t work to much, we will do as everybody and use the popular well-made generator.

You fill the fields (3/1/1)
You paste your cert (not your private key !)
You put the port number of your service (443 for https for example)
the used protocol (tcp for https)
and you add your domain (lord.re or eventually www.lord.re)

Pouf ! The generate button will create your record. To be valid with DANE, your zone MUST bet served with DNSSEC (in my case lord.re can’t because of my registrar which can’t take a DS record -___- ).

Here is where the party is ! The email being one of the oldest Internet’s use, it grew with lots of new protocols and other fancy stuffs. Most of what we will see are attemps to bring new features to mail mostly on the security side : authentication for the most part. Let’s start slowly.

SPF

The easiest of the band. This record will define wich machines/IP are authorized to send mails from your domain. Most of the time, you’ll only expect to send mails from your MX machines.

There is an SPF record type but it’s now deprecated (too bad), in favor of a simple TXT.

lord.re.                600 IN  TXT "v=spf1 mx -all"

It means mx machines are allowed whereas all are disallowed to send mails. It’s just an information. When someone receive a mail they can look for this information.

DKIM

Domain Key Identified Mail is one step higher. It’s a cryptographic system to sign your outcoming mails and it’s headers. Receiving servers will check that you mail match the signature in your DNS’s zone. It’s a way to prevent another mail server to send mail from your domain. It’s also a way to assure the receiver that your mail hasn’t been modified by any intermediate server.

This time you’ll have to setup your mail stack to sign outgoing mails. There are may ways to do this and as it’s out of the scope of this article … well … you’ll have to duckduckgo it (I use rspamd to do it with postfix). You’ll get a public key that you have to publish in your zone in a TXT record :

default._domainkey.lord.re.     3600    IN      TXT     "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC06MC2/9/YtSn9BS09oMN26UdKO6DMGlCWYsodQ8P+t2CzsSzqUJxaszJmWZglqZyXRjaCMAFUoOF7GiyhXhqM4rSLGxaPHfrLK7f9YlJYAnqdhzEJdEjP8/vkJoMTJxINP9gEBi+wGSGEhoha514NHHtZ4g+QbJZliahwAjl0BQIDAQAB"

Now that you’ve set up SPF and DKIM, other mails servers won’t know what to do if your mails aren’t DKIM-valid or if SPF isn’t respected.

DMARC

Here is the way to tell other servers what to do if there is something wrong with SPF or DKIM. DMARC is the next step after SPF and DKIM. It’s still a TXT record :

_dmarc.lord.re.    600 IN TXT "v=DMARC1;p=none;pct=100;rua=mailto:lord-dmarc@lord.re;ruf=mailto:lord-dmarc@lord.re;sp=none;adkim=s;aspf=s"

It’s straight forward :

p=none is the policy others must adopt. With none they do what they want. If you are sure about your stack you can put quarantine or even stricter reject.
rua and ruf is an email adress to contact to report any problem
Last : adkim=s and aspf=s means that you want a strict check of SPF and DKIM. With this, your hostname must perfectly match (the r mode (for relaxed) lets you send with subdomains too).

My advice is to slow start with none and if everything works fine step up to quarantine and maybe later to reject. Don’t go too fast or all your mails will fall in spam boxes.

STS

This one is brand new. It’s not official yet but it’s promising even if it’s a bit hard to deploy it. You’ll need a web server where you’ll put a bit of json in the .well-known directory of your web root. Because of that i didn’t add it yet.

This new record is a way to inform other MTAs how to connect to your server : you can tell them to reject a plaintext connection. It’s a good way to protect your privacy.

The record looks like this _mta-sts.lord.re. IN TXT "v=STSv1; id=20160831085700Z;".

It contains an id of policy which MTAs will have to fetch from your web server. It could have been written directly in the dns record but… no they decided to go overkill.

OPENPGPKEY

I don’t use this one either (in fact i don’t use pgp for my mails). It’s a way to publish public keys in your DNS’s zone. From a certain point of view it can be considered better than relying on a Public Key Server. As I don’t use theme I’ll let you use this generator.

Mail summary

Now you protect yourself from server spoofing thanks to DKIM and SPF. You make sure no one edit your mails on the fly thanks to DKIM and DMARC. You force your mails to never travel on plaintext with STS (except on the emmiting and receiving ends). And you make sure that servers themselves can’t edit/read your mails thanks to PGP. You mail stack is now bulletproof !

Global thoughts ?

Hmmm yes. DNS now can hold many public informations where authenticity is critic. Editing DNS requests on the fly can become a severe attack to your privacy and have heavy consequences (ssh spoof, mail spoof, tls spoof…). Deploying DNSSEC is not an option anymore. Using a validating DNS recursor is also of the utmost importance. Deploying HTTP service without TLS became non-sense sinc Letsencrypt came. Deploying DNS without DNSSEC is now the same.