Mon, 15 Nov 2010
DNSSEC Problems
In July, I wrote about DNSSEC tools. Our zone is still not signed, but at that time I at least enabled DNSSEC validation on our recursive servers, asked the maintainer of the muni.cz domain about the DNSSEC enrollment process, and suggested we should discuss it further.
I got no reply for several weeks, and then he suddenly replied: "I have signed the muni.cz domain". The evening before this e-mail, our recursive servers stopped resolving even names from our own subdomain, fi.muni.cz. It was a major service disruption (the whole IS MU cluster disintegrated, etc.). I was on holiday, so my colleagues just switched off DNSSEC processing altogether. I did not have time to look into this problem until last week. I tried to re-enable DNSSEC, and the same problem appeared: part of the DNS queries just got dropped. Digging into this further (thanks, Dan!), I discovered that one of the three authoritative DNS servers for muni.cz (ns.ces.net) has DNSSEC disabled. So 1/3 of the queries were answered without signatures, and those answers got dropped by validating resolvers.
The moral of the story is:
- Virtually nobody uses DNSSEC for validation. Otherwise there would have been complaints about everything under muni.cz being occasionally unreachable since August, and counting.
- DNSSEC is very volatile and has too many subtle ways to fail. For example, expired signatures are not visible without a complicated monitoring tool until it is too late. Or the above problem with the non-DNSSEC authoritative nameserver is not visible when your resolvers use the other two authoritative nameservers as recursive nameservers. Etc.
Do you use validating resolvers, my dear lazyweb? And are all your zones signed?
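One check that would have exposed the unsigned authoritative server above: ask each authoritative nameserver directly, with the EDNS0 DO bit set, and see whether its answer carries an RRSIG, which is what a validating resolver needs. This is an added example and not code from the original post; the stdlib-only wire encoding, the probe() helper and the fi.muni.cz sample response are constructed for it (192.0.2.1 is a documentation address).

```python
import socket
import struct
TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
DO_BIT = 0x8000  # EDNS0 "DNSSEC OK" flag, carried in the OPT record's TTL field

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"

def build_query(name, qtype=TYPE_A, txid=0x1234):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_BIT, 0)  # root owner, 4096 payload, DO, no rdata
    return header + question + opt

def skip_name(data, off):
    # Advance past a wire-format name; a compression pointer (top two bits set) ends it in 2 bytes
    while data[off] and data[off] & 0xC0 != 0xC0:
        off += 1 + data[off]
    return off + (2 if data[off] & 0xC0 == 0xC0 else 1)

def answer_types(data):  # -> (rcode, [RR types in the answer section])
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    off, types = 12, []
    for _ in range(qd):
        off = skip_name(data, off) + 4  # skip QTYPE + QCLASS
    for _ in range(an):
        off = skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return flags & 0xF, types

def is_signed_answer(data):
    # NOERROR data without RRSIGs is exactly what a validating resolver rejects
    rcode, types = answer_types(data)
    return rcode == 0 and TYPE_RRSIG in types

def probe(server, name, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return is_signed_answer(data)

def sample_response(signed):
    # Constructed fi.muni.cz/A answer (not captured traffic); owner names point back to the question
    rr = lambda t, rd: b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, len(rd)) + rd
    answers = rr(TYPE_A, bytes([192, 0, 2, 1])) + (rr(TYPE_RRSIG, b"\x00" * 20) if signed else b"")
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 2 if signed else 1, 0, 0)
    return header + encode_name("fi.muni.cz") + struct.pack("!HH", TYPE_A, 1) + answers
```

Running probe() against every NS of a zone, not just the one your resolvers happen to prefer, is the point: a single unsigned server shows up as a False among Trues long before users report random failures.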
Fri, 05 Nov 2010
C++ Frequently Questioned Answers
As many of you probably know, I am not very fond of C++. Recently I came across an excellent set of texts which explicitly name many faults of this language. Let me point you to a great means of procrastination, the document C++ Frequently Questioned Answers. It tries to provide alternative answers to questions from the C++ FAQ, describing how faulty the design of C++ is. It is quite a long text, so if you are in a hurry, the main points are summarized in Defective C++.
It is not a very happy read, especially if you have already used C++ for some bigger project. I wonder how e.g. KDE can survive using C++. For what kinds of projects would you use C++? I think plain old C is better for the system and performance-critical stuff, with some interpreted language like Perl or Python for everything else.
Tue, 02 Nov 2010
Fedora 14
I have been using Fedora 14 on my laptop since Friday and on both my work and home workstations since yesterday, and so far I have not run into any serious problem.
The only nontrivial problem was to upgrade from the experimental version of TeXlive (maintained by Jindřich Nový, thanks!) to packages of the same version built for F14 (on one of the computers I simply did "rpm -e --nodeps `rpm -qa | grep texlive | fgrep .f12.`", then installed the texlive-f14-release package with Jindřich's repository info, and finally re-installed TeXlive from this repository).
It is a shame that systemd has made it into F14 as a preview only. It looks like a cool piece of technology, at least for the desktop use.
Recently there has been exactly zero development in the area of multiseat, but for me it remains in the "mostly working" state (using xdm instead of gdm, using system-wide PulseAudio, manually binding keyboards and mice to the appropriate seats in xorg.conf, and automatic mounting of pluggable disks on one seat only because of lacking ConsoleKit support), which is acceptable for me.
Anyway, keep up the good work, Fedora team! So far this is the best release in several years (if not the best ever).