stereochrome

Latest inklings

Flexbox Froggy

A possibly overly cute game for teaching CSS flexboxes.

Tip of the day: reversed git bisect

git bisect is great for finding where things went wrong, but not so great at finding where they went right, such as when a fix was introduced for an issue. This explains how to trick git bisect into letting you do just that.

Vertex

Vertex is a theme for GTK 3, GTK 2, Gnome-Shell and Cinnamon

And quite a pretty one at that.

Hi, NewsGator users (all two of you)!

The feed for this site seems to have been broken in NewsGator as they do some canonicalisation of URLs that doesn’t play well with the code for this site.

I’ve added a quick fix to the code to allow it to work again.

I’m not sure if the problem is on NewsGator’s end or mine, but I’ll investigate the relevant RFCs to see if I’m not canonicalising URLs properly on my end.

Installing FreeNAS on a HP MicroServer Gen8

This evening’s mini-project.

I’ve been told that there’s some awkwardness with it and UEFI, but this looks like it works with FreeNAS pretty much out of the box, which is nice!

Building and installing Tarsnap on Debian

Again, this is going on my RPi 3.

How to setup a DNS server with PowerDNS on Raspberry Pi

Because I’m considering making my RPi 3 a hidden master DNS server and possibly doing DNSSEC zone signing on it rather than out in the wild.

Properly Close a Frozen SSH Session

Huh. That’s interesting.

Stuff Goes Bad: Erlang in Anger

This book intends to be a little guide about how to be the Erlang medic in a time of war. It is first and foremost a collection of tips and tricks to help understand where failures come from, and a dictionary of different code snippets and practices that helped developers debug production systems that were built in Erlang.

From the author of Learn You Some Erlang For Great Good!, which I’m going back over again to refamiliarise myself with the language after… oh… quite a long time.

Go best practices, six years in (2016)

Tarte au citron: Lemon Tart Recipe

Napoleon

A less horrible format for Python docstrings in Sphinx.

Plain Text Accounting

Keeping track of this stuff is something I’ve meant to do for a very long time, but never have. It’s not so much that I have a tight budget that I need to stick to so much as it would be nice to have traceability.

Pagination Done the Right Way

Practical Unix Manpages

riot.js

Kind of like a lightweight React. Not sure if I’m sold on it, but I know a couple of personal projects where it might be worth trying out.

Real Crypto Has Broken Curves

The Matasano Crypto Challenges

Should do these. Probably won’t, but probably should.

vim-plug

A Vim plugin manager, like Pathogen or Vundle, but better!

I like the fact that it can do lazy loading and it can also automate a lot of nonsense surrounding updates.

All the Little Things by Sandi Metz

"I Contribute to the Windows Kernel. We Are Slower Than Other Operating Systems. Here Is Why."

Linux is a shitfest (from a BSD user’s perspective), but Windows is an even bigger shitfest, apparently.

The Hot News or 'After' Perfect in Irish English

Sorry for the downtime

You might’ve noticed this site was down.

What happened is that lir, the server it was running on, started experiencing drive issues. I’ve had to migrate as much as I can over to a VM in the meantime.

One pleasant upshot is that it’s allowing me to try out some stuff I hadn’t tried before. For instance, this site is now running on Nginx rather than Apache, and I’ve switched to using FreeBSD packages rather than ports. This latter change has its upsides and downsides, such as no longer running the site over HTTP/2, but overall is probably a positive.

The worst part so far was dealing with DNS as the VM formerly acted as a secondary nameserver running Knot DNS 1. In moving over, I switched from Knot DNS 1 to Knot DNS 2, which was painless enough in itself, but as I didn’t want the pain of setting up OpenDNSSEC again, I decided to use Knot DNS 2 to do zone signing… which led to a number of zonefiles being overwritten. Thankfully, I keep everything in a git repo, so recovering the originals was straightforward, and I’ve updated the two most important domains - stereochro.me and talideon.com - with new DS records. I’ve two .eu domains (which aren’t actively used, and are mainly testbeds) where I need to provide the updated DNSKEY records to the registry.

Last up will be setting up mail again. I’m moving from Postfix to OpenSMTPd.

This isn’t really how I’d wanted to spend Paddy’s Day, but it’s the first free day I’ve had to do all this stuff.

Bryan Cantrill on Jails and Solaris Zones

Fantastic talk!

Why is Vertical Rhythm an Important Typography Practice?

Please avoid "3 0 1" and "3 0 2" DANE TLSA records with LE certificates

Also, mistakes to avoid with DNSSEC and TLSA records.

Go channels are bad and you should feel bad

The title’s a bit inflammatory, but the article itself is good. The headings mostly give a good summary:

  • You probably won’t end up using just channels (due to dead goroutine leaks)
  • Channels are slower than implementing it yourself
  • Channels don’t compose well with other concurrency primitives
  • Callbacks are strictly more powerful and don’t require unnecessary goroutines
  • The channel API is inconsistent and just cray-cray

Also, linked half-duplex channels would help the garbage collector, and it would be nice to be able to select on condition variables.

Learn You an Agda and Achieve Enlightenment!

Also, here’s a one-page version.

Inside Libpostal - a fast, multilingual, international street address parser trained on OpenStreetMap data

libpostal is super, super impressive!

Simple job queue in Bash using a FIFO

Nice use of FIFOs and simple lock files in a shell.

A Git Horror Story: Repository Integrity With Signed Commits

tk.phpautodoc

tk.phpautodoc is a Sphinx extension to embed PHPDocs in a Sphinx document. It works like sphinx.ext.autodoc.

I’ve some legacy PHP stuff that needs documenting, and phpDocumentor is useless because it does only automated API documentation, and seems to be incapable of dealing with prose documentation, which, frankly, is a big bloody thing to omit from a documentation tool!

tk.phpautodoc looks like a reasonable way of doing what phpDocumentor can do, except with Sphinx.

RFC 7517: JSON Web Keys

How to C (as of 2016)

Corporations and OSS don't mix

Go read. It’s not just about the toxic relationship between business and FLOSS, but also about toxicity within FLOSS communities that exacerbates the problem.

mpv

A fork of mplayer2. Might be worth giving a look.

Hieroglyph

Hieroglyph is an extension for Sphinx which builds HTML slides from ReStructured Text documents.

Looks like it produces nice results.

How I manage domain zones signed with DNSSEC

Given I’m setting up a domain, I might as well document some of the process. These notes are rough, and I may have missed something. I’ll be going over the process to correct any issues. This doesn’t cover the process of setting up OpenDNSSEC and nsd initially.

Here’s the layout of /usr/local/etc/nsd on my server, lir:

-rw-r--r--  1 nsd   wheel  1544 31 Jul 12:10 nsd.conf
-rw-r--r--  1 root  wheel  8120 22 Sep 15:18 nsd.conf.sample
-rw-------  1 nsd   wheel  1277 30 Jan  2014 nsd_control.key
-rw-------  1 nsd   wheel   790 30 Jan  2014 nsd_control.pem
-rw-------  1 nsd   wheel  1277 30 Jan  2014 nsd_server.key
-rw-------  1 nsd   wheel   782 30 Jan  2014 nsd_server.pem
-rw-------  1 nsd   wheel   461  2 Apr  2015 secrets.conf
-rw-r--r--  1 nsd   wheel   247  1 Jul 13:56 slave-zones.conf
drwxr-xr-x  2 nsd   wheel  1536  6 Feb  2015 zones/
-rw-r--r--  1 nsd   wheel  1918  6 Feb  2015 zones.conf

I don’t keep everything in the one file. Rather, I separate out my zone list into zones.conf, any slave zones I’m hosting for others into slave-zones.conf, and I keep the zone transfer keys in secrets.conf.

To keep complexity down, I use patterns. This means that I can collect together all the settings for any set of zones into one place, which makes managing zones, if you’ve more than just a few, much easier. That’s one of the reasons why my zones.conf file is so small.

The zones directory mostly contains symlinks into two directories, /usr/local/var/opendnssec/signed and /usr/local/var/opendnssec/unsigned. The former contains files generated by OpenDNSSEC, and the latter is a git repo containing the unsigned zones. The latter also contains a file called rebuild.sh, which rebuilds the zones.conf list. Here’s what it looks like:

#!/bin/sh

ODS_ROOT=/usr/local/var/opendnssec
NSD_ZONES=/usr/local/etc/nsd/zones

get_zones () {
    # Unsigned zones have the lowest priority, so we link them first.
    find $ODS_ROOT/unsigned -depth 1 -type f \
        -and ! \( -name README.md -or -name .gitignore -or -name rebuild.sh \)
    # Then we link signed zones, which will overwrite the links for any
    # unsigned zones.
    find $ODS_ROOT/signed -depth 1 -type f
}

write_zone () {
    cat <<EOZ
zone:
    name: "$1"
    include-pattern: "master"
EOZ
}

get_zones | while read zone; do
    ln -s -f $zone $NSD_ZONES/$(basename $zone).zone
done

for zonefile in $NSD_ZONES/*; do
    if test -L $zonefile; then
        write_zone $(basename $zonefile .zone)
    fi
done > $NSD_ZONES/../zones.conf

The nice thing is that if there are two files with the same name in signed and unsigned, then the one in signed will trump the one in unsigned.

So, that’s the layout, now let’s configure a zone. I’m adding the zone cíat.eu, which is an IDN, so the file name is actually xn--cat-rma.eu. Adding the zone is as simple as this:

sudo ods-ksmutil zone add --zone xn--cat-rma.eu

That will add the file with that name in /usr/local/var/opendnssec/unsigned to the database and update the zonelist.xml file. Now run:

sudo ods-ksmutil update zonelist

This writes out the configuration for the signer daemon. When you list your keys, you should see that the KSK is in the publish state:

$ sudo ods-ksmutil key list --zone xn--cat-rma.eu
Keys:
Zone:                           Keytype:      State:    Date of next transition:
xn--cat-rma.eu                  KSK           publish   2015-10-21 04:10:44
xn--cat-rma.eu                  ZSK           active    2016-01-18 14:10:44

You can’t push the key or delegation signer (DS) record up to the registry just yet. Rather, you have to wait until the date given for the key before it’s safe to publish the key or DS record with the registry. In this case, we have to wait until ‘2015-10-21 04:10:44’ before the key or DS record can be published. This gives the signed zone time to propagate, so you won’t end up with the weird situation where a resolver sees from the parent that the zone should be signed, but the cached copy of the zone it holds hasn’t yet been signed.

Now, you can publish the zone. For this, I run my rebuild.sh script, which rebuilds my zones.conf file. You could do it manually, or use the script I gave above to automate the process. Once that’s done, nsd needs to be notified to reload the zone:

% sudo nsd-control reload xn--cat-rma.eu

The zone should now be published and start propagating.

When the state of the KSK transitions, you can then publish the DS record or public key with the registry to establish the chain of trust.

Setting up DNSSEC with EURid (for OpenDNSSEC users)

For most registries, setting up DNSSEC is straightforward: you configure the domain in OpenDNSSEC, wait while the updated zone propagates, and then when the domain’s state is ‘ready’, you export the delegation signer (DS) records:

% sudo ods-ksmutil key export --zone talideon.com --ds

Which will give you something like the following:

;ready KSK DS record (SHA1):
talideon.com.   3600    IN  DS  42 8 1 deadbeefdeadbeefdeadbeefdeadbeefdeadbeef

;ready KSK DS record (SHA256):
talideon.com.   3600    IN  DS  42 8 2 deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef

EURid, however, doesn’t support DS records, so instead you have to provide the public key associated with the domain in question. This is what ods-ksmutil key export prints out by default without the --ds flag:

% sudo ods-ksmutil key export --zone talideon.eu

Running that will give you something like the following:

;ready KSK DNSKEY record:
talideon.eu.    3600    IN  DNSKEY  257 3 8 PUBLICKEY===

In that, ‘257’ indicates that the public key is for the key-signing key (KSK); ‘3’ is the protocol; ‘8’ indicates the algorithm, which in this case is ‘RSA/SHA-256’; and the last field is the base64-encoded public key. You will need to provide this information to the registrar, and they will submit it to EURid. When the key has been submitted, get the keytag of the KSK:

% sudo ods-ksmutil key list --zone talideon.eu --verbose

Give OpenDNSSEC the ds-seen notification:

% sudo ods-ksmutil key ds-seen --zone talideon.eu --keytag 42

And you’re done.
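The keytag passed to ds-seen, and the DS records exported in the previous entry, are both derived from the KSK’s DNSKEY RDATA, so it is worth being able to recompute them independently and check what the parent zone actually publishes. The following Python script is an added example written for these notes, not code from OpenDNSSEC, nsd or EURid: it parses a DNSKEY record in the presentation format shown above, computes the RFC 4034 key tag, derives the DS record for digest types 1 (SHA-1) and 2 (SHA-256), and checks a DS line against a DNSKEY. The two sample records are constructed (the owner name is talideon.eu from this page, but the four-byte key blob, TTL and resulting tag are made up so the arithmetic is easy to follow; a real RSA/SHA-256 key blob is hundreds of bytes).

```python
"""Key tags and DS records for a DNSKEY (RFC 4034), plus a DS-vs-DNSKEY check.

Added example for these notes, not code from OpenDNSSEC, nsd or EURid.
The sample records below are constructed: the key blob is four bytes so the
numbers are easy to follow, where a real RSA/SHA-256 key is hundreds of bytes.
"""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed sample records (not real keys). Flags 257 = zone key + SEP bit,
# i.e. a KSK; flags 256 = zone key only, i.e. a ZSK. Protocol is always 3;
# algorithm 8 is RSA/SHA-256.
SAMPLE_KSK = "talideon.eu. 3600 IN DNSKEY 257 3 8 AQIDBA=="
SAMPLE_ZSK = "talideon.eu. 3600 IN DNSKEY 256 3 8 AQIDBQ=="


def _fields(line: str) -> list:
    """Split a presentation-format RR, dropping ';' comments and grouping parentheses."""
    return line.split(";")[0].replace("(", " ").replace(")", " ").split()


def wire_name(owner: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root byte."""
    name = owner.rstrip(".").lower()
    labels = name.split(".") if name else []
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def parse_dnskey(line: str):
    """Return (owner, rdata); rdata = flags(2) + protocol(1) + algorithm(1) + key blob."""
    f = _fields(line)
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    pubkey = base64.b64decode("".join(f[i + 4:]))
    return f[0], struct.pack("!HBB", flags, proto, alg) + pubkey


def is_ksk(rdata: bytes) -> bool:
    """True when both the zone-key bit (256) and the SEP bit (1) are set in the flags."""
    flags = struct.unpack("!H", rdata[:2])[0]
    return (flags & 0x0101) == 0x0101


def keytag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit sum over the RDATA with the carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(dnskey_line: str, digest_type: int = 2, ttl: int = 3600) -> str:
    """Build the DS RR the parent should publish: digest over wire-form owner + RDATA."""
    owner, rdata = parse_dnskey(dnskey_line)
    digest = DIGEST_ALGS[digest_type](wire_name(owner) + rdata).hexdigest()
    return f"{owner} {ttl} IN DS {keytag(rdata)} {rdata[3]} {digest_type} {digest}"


def ds_matches(ds_line: str, dnskey_line: str) -> bool:
    """Check a DS RR (for example, as served by the parent zone) against a DNSKEY RR."""
    f = _fields(ds_line)
    i = f.index("DS")
    tag, alg, dtype = (int(x) for x in f[i + 1:i + 4])
    digest = "".join(f[i + 4:]).lower()
    if dtype not in DIGEST_ALGS:
        return False
    owner, rdata = parse_dnskey(dnskey_line)
    if wire_name(f[0]) != wire_name(owner):
        return False
    expected = DIGEST_ALGS[dtype](wire_name(owner) + rdata).hexdigest()
    return tag == keytag(rdata) and alg == rdata[3] and digest == expected


if __name__ == "__main__":
    owner, rdata = parse_dnskey(SAMPLE_KSK)
    print("KSK:", is_ksk(rdata), "keytag:", keytag(rdata))
    for dtype in (1, 2):
        print(ds_record(SAMPLE_KSK, dtype))
    ds = ds_record(SAMPLE_KSK)
    print("DS matches KSK:", ds_matches(ds, SAMPLE_KSK))
    print("DS matches ZSK:", ds_matches(ds, SAMPLE_ZSK))
```

Feed it the real DNSKEY line from ods-ksmutil key export and compare the printed tag with what key list --verbose reports; once the registry has applied the key, the DS line returned by querying the parent zone should make ds_matches return True. If it doesn’t, the chain of trust is broken (wrong key submitted, or the change hasn’t been applied yet), and validating resolvers will start failing the zone as soon as they see the new DS. Note that the two constructed keys deliberately share a key tag: the tag only identifies candidate keys, and the digest is what actually ties a DS to a specific DNSKEY.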

OpenPGP Best Practices