From lgj at usenix.org Fri May 6 14:22:36 2011
From: lgj at usenix.org (Lionel Garth Jones)
Date: Fri, 6 May 2011 14:22:36 -0700
Subject: Making It Easier to Submit Papers to USENIX LISA '11
Message-ID: <76CDE35C-8721-4F9D-BFB3-D3230FA948B9@usenix.org>

We want YOU to submit a paper this year to the LISA conference. Really. Yes, you!

Whether you are an academic developing new algorithms that improve system administration, a leader of an open source project that sysadmins find valuable, or a practitioner in industry who has written new software to improve productivity, we believe there's a paper inside all of you that wants to get out! (LISA '11 is December 4-9, 2011, in Boston.)

LISA is also a great venue for student papers: it is a friendly audience and we have a "Best Student Paper" award that pays cash.

LISA '11 is doing three big things this year to make it easier to submit a paper:

1. We provide mentoring.

Submitting a paper to a conference can be intimidating, a lot of work, and stressful. To make the process easier, the members of the LISA Program Committee (PC) are available to provide mentoring. You can bounce ideas off of us by email or phone, we'll proofread your drafts, and we'll try to answer any questions about the conference or submission process. Just write "assign me a mentor" in email to the conference co-chairs at lisa11chairs at usenix.org.

Mentors can help turn your accepted abstract into a "print ready" final draft. We'll also work with you over video chat to rehearse and strengthen your presentation for the conference.

2. You don't have to submit a full paper.

It can be heartbreaking to write a complete paper only to learn it wasn't accepted for this year's conference. Papers are 8 to 18 pages; that's a lot of writing. In recent years about 20 of the approximately 80 submitted papers were accepted. While you may submit a complete paper, we will also accept an "extended abstract" of 4-8 pages. You only write the full paper by the publication deadline if your abstract is accepted.

In an extended abstract, you document the meat of your paper. You want to make sure you don't leave out important points such as what you have achieved along with how you achieved it. Phrases like "the full paper will reveal the new algorithm" don't allow the PC to evaluate your efforts. Working with a mentor can help you through this process to ensure you submit the best abstract possible.

3. You don't have to be a scientist.

"But I haven't invented anything!" Refereed papers describe work that advances the art or practice of system administration and are held to high research standards. However, LISA has an additional category called "Practice and Experience Reports" (PER) that describe a substantial system administration project whose story reveals lessons worth sharing. In other words, you did something awesome and want to tell the world about it so they can learn from your mistakes. (Did I say mistakes? I meant "learn from your awesomeness.") Actually, failures are often worth documenting as we learn the most!

A PER is judged on the basis of whether it addresses a pressing or rising need in the industry and the usefulness of the lessons learned. If accepted, a final draft of the full report (4-10 pages) is due by the publication deadline, just like refereed papers.

The first paper I presented at a LISA conference would have been a PER, if the category had existed then. That was 1997! My paper wasn't rocket science (or even computer science), but we were able to explain some valuable insights into what to do (but mostly what not to do).

We're also looking for proposals for general talks, special Q&A talks called "The Guru Is In," and posters.

http://www.usenix.org/lisa11/cfpb

Conclusion

Every PC member is currently reaching out to friends, calling universities, and visiting user groups to encourage people to submit papers.
We'd love for you to announce the Call for Participation at your local user group meetings (and we'll give you a little gift if you do). Let us know if you're interested in getting more involved by participating on a future PC.

LISA '11 is making an extra big effort to seek out new papers and new authors. We're doing outreach, we're making the submission process easier, and we're providing mentoring. So, if you have never submitted an abstract to LISA, maybe this is your year. Contact us if you are on the fence. Maybe we can answer your questions and concerns to put you on the path to becoming a successful author.

The submission deadline is June 9, 2011. That may seem far in the future but it creeps up on us very fast. Start brainstorming your paper now and we look forward to receiving your submission soon!

Tom Limoncelli
LISA '11 Program Co-Chair
lisa11chairs at usenix.org

Key dates:

-- Submission deadline: June 9, 2011, 11:59 p.m. PDT: Extended abstracts, papers, experience reports, and proposals for invited talks, workshops, and tutorials
-- Notification to all submitters: July 11, 2011
-- Publication deadline: September 15, 2011: Final papers and reports due
-- Poster proposals due: November 11, 2011

----------------------------------------------

From rick at linuxmafia.com Tue May 17 00:28:06 2011
From: rick at linuxmafia.com (Rick Moen)
Date: Tue, 17 May 2011 00:28:06 -0700
Subject: Reminder: BayLISA meeting: THURSDAY May 19, 7:30pm, DTrace and OpenSolaris
Message-ID: <20110517072806.GA6130@linuxmafia.com>

BayLISA General Meeting: Thursday, May 19, at 7:30pm at LinkedIn (2029 Stierlin Ct, Mountain View)

The topic is "DTrace: Dynamic Tracing in Oracle Solaris, Mac OS X, and FreeBSD". Brendan Gregg, author of the book of the same name, will talk to us about the software and his book. We should have a couple of copies of the book in paper form to give away, courtesy of Pearson North America (publishers of the book).

We are also planning to discuss the state of OpenSolaris and Illumos.

See details and please RSVP at http://meetup.com/BayLISA/ .

Feel free to bring resumes, business cards, and job postings to share, as well as your suggestions for future speakers and topics.

Also, there will be a meeting of the Board of Directors at 6pm. Board members are expected to attend; any other BayLISA members are invited to attend as well.

Best Regards,
Rick Moen
for the BayLISA Board of Directors

From rnovak at indyramp.com Wed May 18 19:39:23 2011
From: rnovak at indyramp.com (Robert Novak)
Date: Wed, 18 May 2011 19:39:23 -0700 (PDT)
Subject: April 2011 meeting videos posted now!
Message-ID:

Hi all,

Back in the olden days, BayLISA had a lending library of VHS tapes, as a benefit of membership in the organization. And as cool as I feel having a working VHS recorder (that can in theory dub to DVD), we're moving into the 21st century with digital recording and online access. And we'll be working toward more benefit to BayLISA members in this area as well.

The first successful recordings were made in April, with Phil Hollenback and Jordan Sissel. For a limited time they will be publicly available at Vimeo.

http://vimeo.com/baylisa

By the end of the year (probably sooner) we will have early access to the meeting videos restored, as a member benefit. If you'd like to vote for this benefit and help support BayLISA, I'd encourage you to check out:

http://www.baylisa.org/members/join.shtml

and join the organization. It's $45/year, $15 if you're a student, and we'll be releasing some new member discounts in the next month as well.

As always, we welcome your feedback about meetings, benefits, and so forth. You can contact me directly, or drop a note to blw at baylisa.org.

Thanks, and hope to see you all tomorrow night.
Robert Novak
BayLISA Secretary/Cheerleader

From lgj at usenix.org Thu May 19 12:00:54 2011
From: lgj at usenix.org (Lionel Garth Jones)
Date: Thu, 19 May 2011 12:00:54 -0700
Subject: 2011 USENIX Federated Conferences Week Events and Reminders
Message-ID: <75E9FFA5-7EF4-47C3-8B2A-0450545416E6@usenix.org>

You were recently invited to the 2011 USENIX Federated Conferences Week taking place June 14-17, 2011, in Portland, OR. The Early Bird Registration Deadline is approaching. Register online by May 23, 2011, for the greatest possible discount.

http://www.usenix.org/fcw11/progb

Planning to stay in the conference hotel? Rooms are going fast. Book your room today!

http://www.usenix.org/events/fcw11/hotel.html

The USENIX Federated Conferences Week offers a unique opportunity to gain insight into a variety of hot topics, while the joint lunches, breaks, and evening events provide cross-topic networking possibilities.

Create Your Own Conference Experience

USENIX is making it easier than ever to customize a program to meet your needs. Your daily registration gets you into all the events happening that day: tutorials, talks, workshops--you name it. Plus, registration packages offer expanded discounts. The more days you attend, the more you save!

USENIX Federated Conferences Week includes:

- HotCloud '11: 3rd USENIX Workshop on Hot Topics in Cloud Computing
  Tuesday-Wednesday, June 14-15, 2011
  http://www.usenix.org/events/hotcloud11
  HotCloud '11 will discuss challenges in the design, implementation, and deployment of cloud computing. It will be a forum for academics and practitioners to share their experiences and identify emerging trends.

- HotStorage '11: 3rd USENIX Workshop on Hot Topics in Storage and File Systems
  Tuesday, June 14, 2011
  http://www.usenix.org/events/hotstorage11
  HotStorage '11 will discuss the new opportunities presented by the increase in the volume and variety of digital data, "big data," the proliferation of consumer-electronics storage devices, and more.

- WIOV '11: 3rd Workshop on I/O Virtualization
  Tuesday, June 14, 2011
  http://www.usenix.org/events/wiov11
  The focus of WIOV '11 is on the interplay of I/O with virtualization and cloud technologies. Our goal is to provide a forum to discuss the impact and challenges of I/O virtualization along multiple dimensions.

- Tutorial: Securing Linux Servers
  Tuesday, June 14, 2011
  http://www.usenix.org/events/fcw11/training/tutonefile.html#t1
  This class for Linux sysadmins and security managers shows you how to maintain a strong security posture by minimizing risks through careful configuration and proper use of Linux tools and services.

- USENIX ATC '11: 2011 USENIX Annual Technical Conference
  Wednesday-Friday, June 15-17, 2011
  http://www.usenix.org/events/atc11
  USENIX ATC '11 offers you cutting-edge systems research and insights into a variety of topics--virtualization, cloud computing, storage, security, distributed systems, personal devices, scheduling, and more.

- WebApps '11: 2nd USENIX Conference on Web Application Development
  Wednesday-Thursday, June 15-16, 2011
  http://www.usenix.org/events/webapps11
  WebApps '11 is designed to bring together experts in all aspects of developing and deploying Web applications. The program includes refereed papers, posters, invited talks, and a panel.

- Tutorial: SELinux (Security-Enhanced Linux)
  Wednesday, June 15, 2011
  http://www.usenix.org/events/fcw11/training/tutonefile.html#w1
  Learn to work with SELinux: how to determine if SELinux is blocking an application and how to adjust policy to move beyond problems. This class is intended for Linux sysadmins and security managers.

- Tutorial: VMware vCloud Overview and Design Considerations
  Wednesday, June 15, 2011
  http://www.usenix.org/events/fcw11/training/tutonefile.html#w2
  Sysadmins and architects, get the knowledge you need to deploy a VMware cloud for use as an enterprise private cloud by learning how to implement and manage VMware vCloud technologies.

- Tutorial: Linux Performance Tuning
  Thursday, June 16, 2011
  http://www.usenix.org/events/fcw11/training/tutonefile.html#r1
  Intended for intermediate and advanced sysadmins, this class will cover the tools that can be used to monitor and analyze a Linux system, plus key tuning parameters to optimize Linux for server applications.

- Tutorial: SANS Security 464: Hacker Detection for Systems Administrators
  Thursday-Friday, June 16-17, 2011
  http://www.usenix.org/events/fcw11/training/tutonefile.html#r2
  This 2-day course is designed to help sysadmins better understand what is required by security teams and auditors and to turn them into the human sensors for malicious activity.

- Tutorial: Introduction to Automating System Administration with Cfengine 3
  Friday, June 17, 2011
  http://www.usenix.org/events/fcw11/training/tutonefile.html#f1
  This is your opportunity to get a thorough grounding in automated system administration and configuration using Cfengine v3, and the ability to implement configuration policies on your systems.

Whether you are interested in the latest systems computing breakthroughs or want to get the low-down on Web application development, this week in June will have everything you need to stay ahead of the curve.

See you in Portland!

P.S. Connect with other attendees, check out additional discounts, and help spread the word!
Facebook: http://www.facebook.com/event.php?eid=176554335729285
Twitter: http://twitter.com/usenix #FCW11
Additional Discounts: http://www.usenix.org/events/fcw11/discounts.html
Help Promote: http://www.usenix.org/events/fcw11/promote.html

From rick at linuxmafia.com Fri May 20 22:44:21 2011
From: rick at linuxmafia.com (Rick Moen)
Date: Fri, 20 May 2011 22:44:21 -0700
Subject: Checking on DNS secondaries
Message-ID: <20110521054421.GP14633@linuxmafia.com>

What do folks use to check up on DNS secondaries?

My nameserver does master nameservice for a user group's domain (scruz.org).
A few days ago, I discovered that _all four_ secondaries had flaked out: Two reIPed and didn't tell me, one shut off scruz.org service and didn't tell me, one ceased all DNS service and didn't tell me. I found and fixed the problems, but monitoring also seemed called for.

Output follows of my quick hack, an e-mailed report from a cronjob in /etc/cron.weekly/, followed by the cron script itself. However, does anyone use something better?

----- Forwarded message from root -----

Date: Fri, 20 May 2011 22:28:06 -0700
From: root
To: rick at linuxmafia.com
Subject: Domain scruz.org SOA check

As of 2011-05-20, there are supposed to be six authoritative nameservers:

ns1.scruz.org. 198.144.195.186, aka ns1.linuxmafia.com. (Rick Moen)
ns1.svlug.org. 64.62.190.98 (Rick Moen)
ns6.scruz.org. 38.102.132.186, aka ns1.phosphor.net. (Eric Cain)
ns7.scruz.org. 209.237.247.49, aka ns.portalpotty.net. (Max Baker)
ns8.scruz.org. 209.133.21.10, aka ns1.got.net. (got.net NOC)
ns9.scruz.org. 207.111.232.23 aka ns2.got.net. (got.net NOC)

If any is missing from reports below, or produces odd data, something is wrong.

Zonefile S/Ns:

2011051900 on ns1.scruz.org.
2011051900 on ns1.svlug.org.
2011051900 on ns6.scruz.org.
2011051900 on ns7.scruz.org.
2011051900 on ns8.scruz.org.
2011051900 on ns9.scruz.org.

Authoritative nameservers from whois:

 NS1.SCRUZ.ORG
 NS1.SVLUG.ORG
 NS7.SCRUZ.ORG
 NS6.SCRUZ.ORG
 NS8.SCRUZ.ORG
 NS9.SCRUZ.ORG

Parent-zone NS records and matching A records (glue):

; <<>> DiG 9.4.2 <<>> -t ns scruz.org. @d0.org.afilias-nst.org. +nocmd +noquestion +nostats +nocomments
;; global options: printcmd
scruz.org. 86400 IN NS ns7.scruz.org.
scruz.org. 86400 IN NS ns1.svlug.org.
scruz.org. 86400 IN NS ns8.scruz.org.
scruz.org. 86400 IN NS ns9.scruz.org.
scruz.org. 86400 IN NS ns1.scruz.org.
scruz.org. 86400 IN NS ns6.scruz.org.
ns1.scruz.org. 86400 IN A 198.144.195.186
ns1.svlug.org. 86400 IN A 64.62.190.98
ns6.scruz.org. 86400 IN A 38.102.132.186
ns7.scruz.org. 86400 IN A 209.237.247.49
ns8.scruz.org. 86400 IN A 209.133.21.10
ns9.scruz.org. 86400 IN A 207.111.232.23

In-domain NS records and matching A records:

; <<>> DiG 9.4.2 <<>> -t ns scruz.org. @ns7.scruz.org. +nocmd +noquestion +nostats +nocomments
;; global options: printcmd
scruz.org. 86400 IN NS ns1.svlug.org.
scruz.org. 86400 IN NS ns6.scruz.org.
scruz.org. 86400 IN NS ns7.scruz.org.
scruz.org. 86400 IN NS ns8.scruz.org.
scruz.org. 86400 IN NS ns9.scruz.org.
scruz.org. 86400 IN NS ns1.scruz.org.
ns1.scruz.org. 86400 IN A 198.144.195.186
ns6.scruz.org. 86400 IN A 38.102.132.186
ns7.scruz.org. 86400 IN A 209.237.247.49
ns8.scruz.org. 86400 IN A 209.133.21.10
ns9.scruz.org. 86400 IN A 207.111.232.23

----- End forwarded message -----

#!/bin/sh
# smaug  Cron script to sanity-check domain scruz.org's SOA records at
#        all of its authoritative nameservers, as a quick and
#        dirty way of making sure (1) they're all online and
#        (2) they're all serving up the same data (or at least
#        data with the same zonefile serial number).
#
#        The script queries all six nameservers for their current
#        SOA value (for scruz.org), and then uses awk to parse
#        out of that verbose record just the S/N field, which is
#        field #3.  The point is that you can visually spot offline
#        or aberrant nameservers by their S/Ns being (respectively)
#        missing or an out-of-step value.
#
#        For good measure, we also report authoritative servers from
#        whois, NS-type records + their glue A records at the zone's
#        parent, then NS-type records + matching A records in the
#        zone itself.
#
# Written by Rick Moen (rick at linuxmafia.com)
# $Id: cron.weekly,v 1.04 2011/05/20 21:47:05 rick
# Copyright (C) Rick Moen, 2011.  Do anything you want with this work.

set -o errexit  #aka "set -e": exit if any line returns non-true value
set -o nounset  #aka "set -u": exit upon finding an uninitialised variable

# Bail out quietly if any tool the report depends on is absent.
test -x /usr/bin/mail || exit 0
test -x /usr/bin/whois || exit 0
test -x /usr/bin/awk || exit 0
test -x /bin/grep || exit 0
test -x /usr/bin/dig || exit 0

{
echo "As of 2011-05-20, there are supposed to be six authoritative nameservers:"
echo ""
echo "ns1.scruz.org. 198.144.195.186, aka ns1.linuxmafia.com. (Rick Moen)"
echo "ns1.svlug.org. 64.62.190.98 (Rick Moen)"
echo "ns6.scruz.org. 38.102.132.186, aka ns1.phosphor.net. (Eric Cain)"
echo "ns7.scruz.org. 209.237.247.49, aka ns.portalpotty.net. (Max Baker)"
echo "ns8.scruz.org. 209.133.21.10, aka ns1.got.net. (got.net NOC)"
echo "ns9.scruz.org. 207.111.232.23 aka ns2.got.net. (got.net NOC)"
echo ""
echo "If any is missing from reports below, or produces odd data, something is wrong."
echo ""
echo "Zonefile S/Ns:"
echo ""
# "dig +short" on an SOA prints: mname rname serial refresh retry expire minimum
# so the serial is awk field 3.
dig -t soa scruz.org. @NS1.SCRUZ.ORG. +short | awk '{ print $3 " on ns1.scruz.org." }'
dig -t soa scruz.org. @NS1.SVLUG.ORG. +short | awk '{ print $3 " on ns1.svlug.org." }'
dig -t soa scruz.org. @NS6.SCRUZ.ORG. +short | awk '{ print $3 " on ns6.scruz.org." }'
dig -t soa scruz.org. @NS7.SCRUZ.ORG. +short | awk '{ print $3 " on ns7.scruz.org." }'
dig -t soa scruz.org. @NS8.SCRUZ.ORG. +short | awk '{ print $3 " on ns8.scruz.org." }'
dig -t soa scruz.org. @NS9.SCRUZ.ORG. +short | awk '{ print $3 " on ns9.scruz.org." }'
echo ""
echo "Authoritative nameservers from whois:"
echo ""
whois scruz.org | grep 'Name Server' | awk -F: '{ print $2 }' | head -n 7
echo ""
echo "Parent-zone NS records and matching A records (glue):"
echo ""
# Ask one of the org. TLD servers for the delegation and its glue.
dig -t ns scruz.org. @$(dig -t ns org. +short | head -n 1) +nocmd +noquestion +nostats +nocomments
echo ""
echo "In-domain NS records and matching A records:"
echo ""
# Ask one of the zone's own nameservers for the in-zone NS set.
dig -t ns scruz.org. @$(dig -t ns scruz.org. +short | head -n 1) +nocmd +noquestion +nostats +nocomments
} | mail -s "Domain scruz.org SOA check" rick at linuxmafia.com

From louisk at cryptomonkeys.org Sat May 21 10:10:05 2011
From: louisk at cryptomonkeys.org (Louis Kowolowski)
Date: Sat, 21 May 2011 10:10:05 -0700
Subject: Checking on DNS secondaries
In-Reply-To: <20110521054421.GP14633@linuxmafia.com>
References: <20110521054421.GP14633@linuxmafia.com>
Message-ID:

On May 20, 2011, at 10:44 PM, Rick Moen wrote:

> What do folks use to check up on DNS secondaries?
>
> My nameserver does master nameservice for a user group's domain (scruz.org).
> A few days ago, I discovered that _all four_ secondaries had flaked out:
> Two reIPed and didn't tell me, one shut off scruz.org service and didn't
> tell me, one ceased all DNS service and didn't tell me. I found and fixed
> the problems, but monitoring also seemed called for.
>
> Output follows of my quick hack, an e-mailed report from a cronjob in
> /etc/cron.weekly/, followed by the cron script itself. However, does
> anyone use something better?
>

I would think there would be at least 1 log watching script/pkg available for Linux that would be able to roll this up in a daily or weekly general status email. Something that would show you zone transfer errors. Doing a quick google for 'logwatch zone transfer error' indicates that logwatch would likely do what you need.
--
Louis Kowolowski
louisk at cryptomonkeys.org
Cryptomonkeys: http://www.cryptomonkeys.org/~louisk

Making life more interesting for people since 1977

From rick at linuxmafia.com Sat May 21 12:55:59 2011
From: rick at linuxmafia.com (Rick Moen)
Date: Sat, 21 May 2011 12:55:59 -0700
Subject: Checking on DNS secondaries
In-Reply-To:
References: <20110521054421.GP14633@linuxmafia.com>
Message-ID: <20110521195559.GW14633@linuxmafia.com>

Quoting Louis Kowolowski (louisk at cryptomonkeys.org):

> I would think there would be at least 1 log watching script/pkg
> available for Linux that would be able to roll this up in a daily or
> weekly general status email. Something that would show you zone
> transfer errors. Doing a quick google for 'logwatch zone transfer
> error' indicates that logwatch would likely do what you need.

Logcheck's the first thing I thought of. It catches two failure modes, one if run by admin of a domain's DNS master (primary), one if run by the domain of a DNS slave (secondary) -- in each case, attempted but failed zone transfer. Unfortunately, it fails to catch any _other_ of the common screwups.

Thus, run on the master, logcheck can report any IP trying to pull down AXFR/IXFR who's not on the allowed-transfer ACL, and thus getting refused. This is arguably sometimes useful (if not overwhelmed by meaningless entries about attempts from random unrelated IPs), but completely fails to tell you 'Hey, secondary nameserver IP NN.NN.NN.NN for domain foo has stopped querying entirely' or 'secondary nameserver IP NN.NN.NN.NN for domain foo is serving the wrong zonefile S/N'. The secondary could be pulling down AXFR/IXFR properly but failing to serve the zone. Logcheck's reporting of failed AXFR/IXFR tells you nothing about that. So, monitoring the secondary should logically include making sure the secondary is _serving the desired data_; hence my hacked cronjob's resort to 'dig -t soa'.

Run on the slave (secondary) end, logcheck can notify the admin when the local nameserver gets refused on any outgoing AXFR/IXFR request, which would be certainly very useful if the master removes you from the allowed-transfer ACL and fails to tell you. I'm unsure whether it would give you useful data if the master reIPs and fails to tell you or shuts down and fails to tell you.

The master might have removed your secondary from the authoritative list and failed to tell you, making my secondary a 'lame nameserver'. I've had this happen repeatedly: I set up secondary service for a friend's domain, and a year or two later check and find that my service has been silently dropped from the domain's authoritative list, i.e., my nameserver has for years been serving up the domain pointlessly. I bring this to the friend's attention, and he/she says 'Oh, I guess I forgot to tell you.' Logcheck doesn't report that at all.

I'm surprised that I'm not hearing about people's solutions. It's not like these are new problems. My main idea is: 'management by exception' is a big mistake where DNS screwups are concerned, else you can suddenly find yourself missing all four DNS secondaries as I was with scruz.org, where the problem doubtless crept up gradually over several years and could have been noticed programmatically. I'm tired of hearing 'Oh, I guess I forgot to tell you' and want cron (or something) to notice for me.

Separately, I helped a friend work out a nice perl cronjob for checking on pending domain expirations, to get warned of them in plenty of time and not have to rely on autorenew working. See: http://linuxmafia.com/~rick/preventing-expiration.html

From robert.lanning at gmail.com Sat May 21 12:49:25 2011
From: robert.lanning at gmail.com (Robert Hajime Lanning)
Date: Sat, 21 May 2011 12:49:25 -0700
Subject: Checking on DNS secondaries
Message-ID:

ps. I run my lanning.cc email server from home on my comcast business cablemodem.
and I get this "(reason: 550 5.0.0 ...
comcastbusiness.net needs a working abuse contact to send mail)"
for both baylisa and svlug.

On 05/20/11 22:44, Rick Moen wrote:

> What do folks use to check up on DNS secondaries?
>
> My nameserver does master nameservice for a user group's domain (scruz.org).
> A few days ago, I discovered that _all four_ secondaries had flaked out:
> Two reIPed and didn't tell me, one shut off scruz.org service and didn't
> tell me, one ceased all DNS service and didn't tell me. I found and fixed
> the problems, but monitoring also seemed called for.
>
> Output follows of my quick hack, an e-mailed report from a cronjob in
> /etc/cron.weekly/, followed by the cron script itself. However, does
> anyone use something better?

I run the script below (that I originally created to monitor slave replication.) It can be run via cron to give you a daily/weekly report.
http://lanning.cc/pub/dnscheckserial

And this was to check DNS GTM consistency:
http://lanning.cc/pub/dnscheck

--
And, did Galoka think the Ulus were too ugly to save?
                                                    -Centauri

From david at catwhisker.org Sat May 21 19:35:17 2011
From: david at catwhisker.org (David Wolfskill)
Date: Sat, 21 May 2011 19:35:17 -0700
Subject: Checking on DNS secondaries
In-Reply-To: <20110521054421.GP14633@linuxmafia.com>
References: <20110521054421.GP14633@linuxmafia.com>
Message-ID: <20110522023517.GF3946@albert.catwhisker.org>

On Fri, May 20, 2011 at 10:44:21PM -0700, Rick Moen wrote:

> What do folks use to check up on DNS secondaries?
>
> My nameserver does master nameservice for a user group's domain (scruz.org).
> A few days ago, I discovered that _all four_ secondaries had flaked out:
> Two reIPed and didn't tell me, one shut off scruz.org service and didn't
> tell me, one ceased all DNS service and didn't tell me. I found and fixed
> the problems, but monitoring also seemed called for.
> ....

You may find the information at of interest -- in particular, mentions (in part) "... We are missing the IP:s of five servers: ns9.scruz.org, ns6.scruz.org, ns8.scruz.org, ns7.scruz.org and ns1.scruz.org."

Peace,
david
--
David H. Wolfskill david at catwhisker.org
Depriving a girl or boy of an opportunity for education is evil.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.

From rick at linuxmafia.com Sat May 21 22:16:57 2011
From: rick at linuxmafia.com (Rick Moen)
Date: Sat, 21 May 2011 22:16:57 -0700
Subject: Checking on DNS secondaries
In-Reply-To: <20110522023517.GF3946@albert.catwhisker.org>
References: <20110521054421.GP14633@linuxmafia.com> <20110522023517.GF3946@albert.catwhisker.org>
Message-ID: <20110522051656.GK4536@linuxmafia.com>

Quoting David Wolfskill (david at catwhisker.org):

> You may find the information at
> of interest -- in particular,
> mentions (in part)
> "... We are missing the IP:s of five servers: ns9.scruz.org,
> ns6.scruz.org, ns8.scruz.org, ns7.scruz.org and ns1.scruz.org."

Very odd: I respect that site highly (especially since it has nice things to say about linuxmafia.com ;-> ), but I cannot replicate that result.

IPs in the parent-zone glue records:

$ dig -t ns scruz.org. @$(dig -t ns scruz.org. +short | head -n 1) +nocmd +noquestion +nostats +noanswer
; <<>> DiG 9.6.0-APPLE-P2 <<>> -t ns scruz.org. @ns1.svlug.org. +nocmd +noquestion +nostats +noanswer
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62209
;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 5
;; WARNING: recursion requested but not available

;; ADDITIONAL SECTION:
ns1.scruz.org. 86400 IN A 198.144.195.186
ns6.scruz.org. 86400 IN A 38.102.132.186
ns7.scruz.org. 86400 IN A 209.237.247.49
ns8.scruz.org. 86400 IN A 209.133.21.10
ns9.scruz.org. 86400 IN A 207.111.232.23
$

IPs in the in-domain records:

$ dig -t ns scruz.org. @ns1.scruz.org. +nocmd +noquestion +nostats +noanswer
; <<>> DiG 9.6.0-APPLE-P2 <<>> -t ns scruz.org. @ns1.scruz.org. +nocmd +noquestion +nostats +noanswer
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18908
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 6

;; ADDITIONAL SECTION:
ns1.scruz.org. 86400 IN A 198.144.195.186
ns1.svlug.org. 86400 IN A 64.62.190.98
ns6.scruz.org. 86400 IN A 38.102.132.186
ns7.scruz.org. 86400 IN A 209.237.247.49
ns8.scruz.org. 86400 IN A 209.133.21.10
ns9.scruz.org. 86400 IN A 207.111.232.23
$

It's a bit weird that the parent org. zone isn't supplying a glue record for ns1.svlug.org., though. I'll have to look into that.

From jlewinson at earthlink.net Sun May 22 12:15:06 2011
From: jlewinson at earthlink.net (Jim Lewinson)
Date: Sun, 22 May 2011 12:15:06 -0700
Subject: Checking on DNS secondaries
In-Reply-To: <20110521195559.GW14633@linuxmafia.com>
References: <20110521054421.GP14633@linuxmafia.com> <20110521195559.GW14633@linuxmafia.com>
Message-ID: <4DD960BA.8070506@earthlink.net>

I played with something similar recently, and actually ended up throwing in the +norecurse option on dig. That way, if the "secondary" didn't have the zone locally, you'd be able to tell because eventually any cached entries would time out and the response would disappear.

Jim

From rjwitte at rjwitte.com Sun May 22 13:21:41 2011
From: rjwitte at rjwitte.com (Russ Witte)
Date: Sun, 22 May 2011 13:21:41 -0700
Subject: Checking on DNS secondaries
In-Reply-To: <4DD960BA.8070506@earthlink.net>
References: <20110521054421.GP14633@linuxmafia.com> <20110521195559.GW14633@linuxmafia.com> <4DD960BA.8070506@earthlink.net>
Message-ID: <25FE8DD9-9B72-4848-8ED1-512B4F88836C@rjwitte.com>

I'm not at a computer right now and am being a bit lazy ... But is there any way to incorporate dnswalk into your testing?
I frequently find my mistakes there... Russ Witte On May 22, 2011, at 12:15 PM, Jim Lewinson wrote: > I played with something similar recently, and actually ended up throwing in the > +norecurse option on dig. That way, if the "secondary" didn't have the zone locally, you'd > be able to tell because eventually any cached entries would timeout and the response would > disappear. > > Jim > > From rick at linuxmafia.com Sun May 22 21:09:12 2011 From: rick at linuxmafia.com (Rick Moen) Date: Sun, 22 May 2011 21:09:12 -0700 Subject: Checking on DNS secondaries In-Reply-To: <4DD960BA.8070506@earthlink.net> References: <20110521054421.GP14633@linuxmafia.com> <20110521195559.GW14633@linuxmafia.com> <4DD960BA.8070506@earthlink.net> Message-ID: <20110523040912.GN4536@linuxmafia.com> Quoting Jim Lewinson (jlewinson at earthlink.net): > I played with something similar recently, and actually ended up > throwing in the +norecurse option on dig. That way, if the > "secondary" didn't have the zone locally, you'd be able to tell > because eventually any cached entries would timeout and the response > would disappear. That's a really good point. Thanks. From rick at linuxmafia.com Sun May 22 21:40:54 2011 From: rick at linuxmafia.com (Rick Moen) Date: Sun, 22 May 2011 21:40:54 -0700 Subject: Checking on DNS secondaries In-Reply-To: <25FE8DD9-9B72-4848-8ED1-512B4F88836C@rjwitte.com> References: <20110521054421.GP14633@linuxmafia.com> <20110521195559.GW14633@linuxmafia.com> <4DD960BA.8070506@earthlink.net> <25FE8DD9-9B72-4848-8ED1-512B4F88836C@rjwitte.com> Message-ID: <20110523044054.GO4536@linuxmafia.com> Quoting Russ Witte (rjwitte at rjwitte.com): > I'm not at computer right now and am being a bit lazy ... But is there > anyway to incorporate dnswalk into your testing? I frequently find my > mistakes there... dnswalk is certainly useful for checking for common errors of particular entries in zonefiles that can be fetched to the local host via AXFR zone transfer. 
However, I can't see any use for it whatsoever in checking up on DNS
slaves (secondaries).

From rnovak at indyramp.com  Mon May 23 02:24:22 2011
From: rnovak at indyramp.com (Robert Novak)
Date: Mon, 23 May 2011 02:24:22 -0700 (PDT)
Subject: Dynamic Tracing presentation now up on Vimeo
Message-ID: 

Hi all,

We're way ahead of last month's schedule for video posting... I've got
the first hour and a half of Brendan Gregg's presentation on Dynamic
Tracing converted and posted on Vimeo. Also, Brendan has posted his
slides from the presentation--see below for details (also linked on the
Vimeo page).

I'll apologize for the noisiness of my keyboard from live-tweeting... and
I hope the five or six folks with noisy cell phones will also apologize.
But all things considered, I think it's a good recording.

This video is available to the public free of charge. As I mentioned at
the meeting, we will be moving back to an early-access-for-members model
in a couple of months. If you'd like to support these efforts and our
other works, and get benefits including early access to videos and
various discounts, please consider becoming a member of BayLISA or having
your company become a supporting member.

Thanks,

Robert Novak
BayLISA Secretary/Cheerleader/Videographer

----------

Click this link to watch your video:
http://vimeo.com/24027602

Brendan Gregg of Joyent spoke at BayLISA on May 19, 2011, about dynamic
tracing, and the DTrace implementation for Solaris, FreeBSD, and Mac OS X.
Slides from his presentation are available at
http://dtrace.org/blogs/brendan/files/2011/05/BayLISA_DTrace.pdf

BayLISA is a non-profit organization for the benefit of San Francisco/
Silicon Valley system administration professionals. Since 1992 we have
provided a venue for tech professionals and organizations to meet,
network, and learn about new technology as well as new uses of old
technology.
For more information about BayLISA's activities, and to become a member,
visit baylisa.org

From rick at linuxmafia.com  Mon May 23 09:34:55 2011
From: rick at linuxmafia.com (Rick Moen)
Date: Mon, 23 May 2011 09:34:55 -0700
Subject: Checking on DNS secondaries
In-Reply-To: 
References: 
Message-ID: <20110523163455.GQ4536@linuxmafia.com>

Quoting Robert Hajime Lanning (robert.lanning at gmail.com):

> ps. I run my lanning.cc email server from home on my comcast business
> cablemodem.
> and I get this "(reason: 550 5.0.0 ...
> comcastbusiness.net needs a working abuse contact to send mail)"
> for both baylisa and svlug.

I'll see if I can whitelist your address at the SVLUG mailing list host:
That sounds like it must be part of Marc Merlin's antispam setup, and
I'm sorry about the Comcast-induced collateral damage.  As I'm sure you
appreciate, refusing mail to sites that ignore the RFC mandates for
postmaster[1] and abuse [2] cuts out an overwhelming percentage of
spambot mail at SMTP time.  The pity of it is, Comcast must have gone
out of their way to disable that function, as MTAs have
default-supported incoming mail to both postmaster@ and abuse@ for some
time, now.

(I assume you're talking about sending address lanning at lanning.cc .
If not, please advise.  I have, I believe, now exempted that sender from
callback checks.)

> I run the script below (that I originally created to monitor slave
> replication.)  It can be run via cron to give you a daily/weekly report.
> http://lanning.cc/pub/dnscheckserial
>
> And this was to check DNS GTM consistency:
> http://lanning.cc/pub/dnscheck

Nice work, Robert.  FYI, the latter script breaks if the FQDN used as
argument is an unqualified second-level domain.  E.g., it yields
false-positive 'NXDOMAIN' results on linuxmafia.com, but correct-IP ones
if one uses the equivalent FQDN www.linuxmafia.com.

You will probably find that your script breaks if it encounters some of
the 'dig' results other than success or NXDOMAIN.
In particular, I noticed that, if the tested nameserver is returning
'status: REFUSED' in the options section, then any dig query with the
'+short' flag returns a null result (with, IIRC, value = 9).

[1] http://www.rfc-ignorant.org/rfcs/rfc5321.php
[2] http://www.rfc-ignorant.org/policy-abuse.php

From rick at linuxmafia.com  Mon May 23 09:52:13 2011
From: rick at linuxmafia.com (Rick Moen)
Date: Mon, 23 May 2011 09:52:13 -0700
Subject: Checking on DNS secondaries
In-Reply-To: <20110523163455.GQ4536@linuxmafia.com>
References: <20110523163455.GQ4536@linuxmafia.com>
Message-ID: <20110523165213.GR4536@linuxmafia.com>

I wrote:

> You will probably find that your script breaks if it encounters some of
> the 'dig' results other than success or NXDOMAIN.  In particular, I
> noticed that, if the tested nameserver is returning 'status: REFUSED' in
> the options section, then any dig query with the '+short' flag returns a
> null result (with, IIRC, value = 9).
                           ^^^^^

Sloppy typing.  I meant 'return value', i.e., contents of '$?'.

The initial version of my weekly checking script omitted the entire line
for any nameserver returning 'status: REFUSED', because including the
'+short' flag for dig resulted in null output.

From lanning at lanning.cc  Mon May 23 12:15:49 2011
From: lanning at lanning.cc (Robert Hajime Lanning)
Date: Mon, 23 May 2011 12:15:49 -0700
Subject: Checking on DNS secondaries
In-Reply-To: <20110523163455.GQ4536@linuxmafia.com>
References: <20110523163455.GQ4536@linuxmafia.com>
Message-ID: <4DDAB265.2070202@lanning.cc>

On 05/23/11 09:34, Rick Moen wrote:
> I'll see if I can whitelist your address at the SVLUG mailing list host:
> That sounds like it must be part of Marc Merlin's antispam setup, and
> I'm sorry about the Comcast-induced collateral damage.  As I'm sure you
> appreciate, refusing mail to sites that ignore the RFC mandates for
> postmaster[1] and abuse [2] cuts out an overwhelming percentage of
> spambot mail at SMTP time.
> The pity of it is, Comcast must have gone
> out of their way to disable that function, as MTAs have
> default-supported incoming mail to both postmaster@ and abuse@ for some
> time, now.
>
> (I assume you're talking about sending address lanning at lanning.cc .
> If not, please advise.  I have, I believe, now exempted that sender from
> callback checks.)

Yes "lanning at lanning.cc". Thanks.

>> I run the script below (that I originally created to monitor slave
>> replication.)  It can be run via cron to give you a daily/weekly report.
>> http://lanning.cc/pub/dnscheckserial
>>
>> And this was to check DNS GTM consistency:
>> http://lanning.cc/pub/dnscheck
>
> Nice work, Robert.  FYI, the latter script breaks if the FQDN used as
> argument is an unqualified second-level domain.  E.g., it yields
> false-positive 'NXDOMAIN' results on linuxmafia.com, but correct-IP ones
> if one uses the equivalent FQDN www.linuxmafia.com.
>
> You will probably find that your script breaks if it encounters some of
> the 'dig' results other than success or NXDOMAIN.  In particular, I
> noticed that, if the tested nameserver is returning 'status: REFUSED' in
> the options section, then any dig query with the '+short' flag returns a
> null result (with, IIRC, value = 9).
>

hrm... I will have to look into these other failure modes.

-- 
END OF LINE
--MCP

From lgj at usenix.org  Tue May 24 16:32:49 2011
From: lgj at usenix.org (Lionel Garth Jones)
Date: Tue, 24 May 2011 16:32:49 -0700
Subject: USENIX Training Program at Federated Conferences Week
Message-ID: 

The USENIX Federated Conferences Week offers a unique opportunity to
take part in the highly regarded USENIX Training Program at a deeply
discounted rate. Full-day classes start at only $450 and the multi-day
discount packages mean the more you attend, the more you save!

As always, USENIX training classes survey the topic, then dive into the
specifics of what to do and how to do it.
Instructors are well-known experts in their fields, selected for their
ability to teach complex subjects.

http://www.usenix.org/events/fcw11/training/

Attend training at 2011 USENIX Federated Conferences Week and take
valuable skills back to your company or organization. Classes include:

- Securing Linux Servers
  Rik Farrow, Security Consultant
  Tuesday, June 14, 2011
  http://www.usenix.org/events/fcw11/training/tutonefile.html#t1
  This class for Linux sysadmins and security managers shows you how to
  maintain a strong security posture by minimizing risks through careful
  configuration and proper use of Linux tools and services.

- SELinux (Security-Enhanced Linux)
  Rik Farrow, Security Consultant
  Wednesday, June 15, 2011
  http://www.usenix.org/events/fcw11/training/tutonefile.html#w1
  Learn to work with SELinux: how to determine if SELinux is blocking an
  application and how to adjust policy to move beyond problems. This
  class is intended for Linux sysadmins and security managers.

- VMware vCloud Overview and Design Considerations
  Wednesday, June 15, 2011
  John Arrasjid and Ben Lin, VMware
  http://www.usenix.org/events/fcw11/training/tutonefile.html#w2
  Sysadmins and architects, get the knowledge you need to deploy a VMware
  cloud for use as an enterprise private cloud by learning how to
  implement and manage VMware vCloud technologies.

- Linux Performance Tuning
  Theodore Ts'o, Google
  Thursday, June 16, 2011
  http://www.usenix.org/events/fcw11/training/tutonefile.html#r1
  Intended for intermediate and advanced sysadmins, this class will cover
  the tools that can be used to monitor and analyze a Linux system, plus
  key tuning parameters to optimize Linux for server applications.
- SANS Security 464: Hacker Detection for Systems Administrators
  James Shewmaker, SANS
  Thursday-Friday, June 16-17, 2011
  http://www.usenix.org/events/fcw11/training/tutonefile.html#r2
  This 2-day course is designed to help sysadmins better understand what
  is required by security teams and auditors and to turn them into human
  sensors for malicious activity.

- Introduction to Automating System Administration with Cfengine 3
  Aleksey Tsalolikhin, Cfengine Enthusiast
  Friday, June 17, 2011
  http://www.usenix.org/events/fcw11/training/tutonefile.html#f1
  This is your opportunity to get a thorough grounding in automated
  system administration and configuration using Cfengine v3, and the
  ability to implement configuration policies on your systems.

Plus, USENIX is making it easier than ever to customize a program to
meet your needs. Your daily registration gets you into all the events
happening that day: tutorials, talks, workshops--you name it.

The Early Bird Registration Deadline has been extended to May 31, 2011!
Register today!
http://www.usenix.org/events/fcw11/registration/

Finally, connect with other attendees, check out additional discounts,
and help spread the word!

Facebook: http://www.facebook.com/event.php?eid=176554335729285
Twitter: http://twitter.com/usenix #FCW11
Additional Discounts: http://www.usenix.org/events/fcw11/discounts.html
Help Promote: http://www.usenix.org/events/fcw11/promote.html

From rnovak at indyramp.com  Wed May 25 14:10:26 2011
From: rnovak at indyramp.com (Robert Novak)
Date: Wed, 25 May 2011 14:10:26 -0700 (PDT)
Subject: Meeting idea: Wrangling an environment into puppet/chef/cfengine etc
Message-ID: 

Hi folks,

Had a suggestion I thought I would ping you folks about.

Have any of you recently (in the last year) pounded your production
infrastructure into shape with a centralized configuration management
system like puppet, chef, cfengine, bcfg2, or something else?
Would you be willing to talk for 10 minutes at a BayLISA meeting about
your experience? This would probably be July or later, so don't panic
about Velocity or FCW.

If you're interested in participating in this sort of topic, please
contact me directly offlist. And of course, if you have
suggestions/volunteers for speakers or topics for upcoming meetings, feel
free to let me know. Our pipeline looks good through the July meeting but
the following months are currently cloudy (with no chance of meatballs).

Thanks,

Robert Novak
BayLISA Secretary/Cheerleader
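The "Checking on DNS secondaries" thread above converges on three checks: query each server with +norecurse so a cached answer cannot pass for a local copy of the zone (Jim Lewinson's point), do not rely on dig's +short output, which is empty when the server answers 'status: REFUSED' (Rick Moen's point), and compare SOA serials across the master and every secondary (what Robert Lanning's dnscheckserial does). The following is an added example in Python that puts those checks together; it is not dnscheckserial, dnscheck, or any other code posted in the thread. It goes one step beyond the thread by comparing serials with RFC 1982 serial arithmetic, so a serial that has wrapped past 2^32 is not reported as stale. The zone example.net and its nameservers ns1 through ns5 are hypothetical, and fake_dig() produces constructed dig-style transcripts so that the parser and the classification run offline; query() is the only function that actually invokes dig.

```python
"""Check DNS secondaries from dig's full output.  Added example, not code from the
thread: each server is asked for the zone's SOA with +norecurse (a box that merely
cached the zone cannot then pose as a secondary) and the verdict comes from dig's
header, not from +short, which prints nothing at all on a REFUSED answer."""
import re
import subprocess
from collections import namedtuple

HEADER_RE = re.compile(r"->>HEADER<<- opcode: \w+, status: (\w+), id: \d+")
FLAGS_RE = re.compile(r";; flags:([a-z ]*);")
# status: NOERROR, REFUSED, SERVFAIL, ... or NORESPONSE; answers: (name, ttl, class, type, rdata)
DigResult = namedtuple("DigResult", "status flags answers", defaults=(frozenset(), ()))

def parse_dig(output):
    """Turn dig's default output into a DigResult; no header line means no reply."""
    m = HEADER_RE.search(output)
    if not m:
        return DigResult("NORESPONSE")
    fm = FLAGS_RE.search(output)
    flags = frozenset(fm.group(1).split()) if fm else frozenset()
    answers, in_answer = [], False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif not line.strip() or line.startswith(";"):
            in_answer = False
        elif in_answer:
            parts = line.split(None, 4)           # name ttl class type rdata
            if len(parts) == 5:
                answers.append(tuple(parts))
    return DigResult(m.group(1), flags, tuple(answers))

def soa_serial(result):
    for _name, _ttl, _cls, rtype, rdata in result.answers:
        if rtype == "SOA":                        # rdata: mname rname serial refresh retry expire min
            return int(rdata.split()[2])
    return None

def serial_lt(a, b):
    """RFC 1982 comparison, so a serial that wrapped past 2^32 is not reported as stale."""
    return (a < b and b - a < 2**31) or (a > b and a - b > 2**31)

def query(zone, server):
    """Run dig against one server; the only function here that touches the network."""
    cmd = ["dig", "+norecurse", "+tries=1", "+time=3", "-t", "soa", zone, "@" + server]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return DigResult("NORESPONSE")
    return parse_dig(proc.stdout)

def verdict(result, master_serial):
    """Classify one server's answer; anything but OK is a line for the report."""
    if result.status == "NORESPONSE":
        return "DEAD"
    if result.status != "NOERROR":
        return result.status             # REFUSED: zone not configured; SERVFAIL: expired copy
    if "aa" not in result.flags:
        return "NOT_AUTHORITATIVE"       # answered from cache, not from a local copy of the zone
    serial = soa_serial(result)
    if serial is None:
        return "NO_SOA"
    if master_serial is None:
        return "UNVERIFIED"              # master unreachable, nothing to compare against
    if serial_lt(serial, master_serial):
        return "STALE"                   # transfers lagging: NOTIFY, allow-transfer, refresh?
    if serial_lt(master_serial, serial):
        return "AHEAD"                   # edited on the wrong box, or the master's serial was reset
    return "OK"

def check_zone(results, master):
    """results maps server name -> DigResult; the master's serial is the reference."""
    mres = results[master]
    master_serial = soa_serial(mres) if mres.status == "NOERROR" else None
    return {server: verdict(res, master_serial) for server, res in results.items()}

def fake_dig(status, flags, serial=None):
    """Constructed dig-style transcript for offline runs; not captured output."""
    if status == "TIMEOUT":
        return ";; connection timed out; no servers could be reached\n"
    answer = ("\n;; ANSWER SECTION:\nexample.net. 3600 IN SOA ns1.example.net. "
              f"hostmaster.example.net. {serial} 3600 900 604800 86400\n") if serial else ""
    return (f";; ->>HEADER<<- opcode: QUERY, status: {status}, id: 4242\n"
            f";; flags: {flags}; QUERY: 1, ANSWER: {1 if serial else 0}, AUTHORITY: 0, ADDITIONAL: 0\n"
            f"{answer}\n;; Query time: 5 msec\n")

def demo_report():
    """Report over constructed answers; example.net and its nameservers are hypothetical."""
    results = {
        "ns1.example.net": parse_dig(fake_dig("NOERROR", "qr aa", 2011052201)),     # master
        "ns2.example.net": parse_dig(fake_dig("NOERROR", "qr aa", 2011052105)),     # lagging transfer
        "ns3.example.net": parse_dig(fake_dig("REFUSED", "qr rd")),                 # zone not configured
        "ns4.example.net": parse_dig(fake_dig("NOERROR", "qr rd ra", 2011052201)),  # cached copy only
        "ns5.example.net": parse_dig(fake_dig("TIMEOUT", "")),                      # no reply at all
    }
    return check_zone(results, "ns1.example.net")

if __name__ == "__main__":
    for server, state in demo_report().items():
        print(server.ljust(20), state)
```

For a real zone, build the results dict from live queries, e.g. check_zone({s: query(zone, s) for s in servers}, master), and run it from cron the way dnscheckserial is run. Every non-OK verdict is worth a line in the report: REFUSED and DEAD are the cases a +short-based script silently drops, NOT_AUTHORITATIVE is the cached-answer case that +norecurse eventually exposes, and STALE is the one a serial-only comparison was written to catch.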