Volume 23, Number 3 - March 2007
Next Meeting: Daylight Saving Time Postmortem
The Usual Suspects
Thursday, March 15, 7:00 PM
The CACTUS Newsletter is a monthly publication, distributed to our members and other interested people. Visit the CACTUS Newsletter on the web at http://www.cactus.org/CACTUS/Newsletter/. There you will find archives of back issues, as well as instructions on how to subscribe to the e-mail distribution. We welcome newsletter submissions by our members. Please contact newsletter [at] cactus <dot> org for more information.
Bring your leftover equipment from the gratuitous Daylight Saving Time change--generators, spare fuel, ammunition, etc. We'll discuss why the doom is still pending.
The next CACTUS meeting will be held on Thursday, March 15, 2007 at 7:00 PM (doors open at 6:30 PM for pizza and informal discussion), at Mangia Pizza at the corner of Burnet Rd./Mopac service road and Gracy Farms Ln. (See end of newsletter for directions to the facility).
Complaining about increasingly bad performance of FreeBSD 6.2, Gil Kloepfer exclaimed that he was having an "I hate BSD" moment. There are currently four flavours of BSD: FreeBSD, OpenBSD, NetBSD and Dragonfly.
The food order was delayed, because the restaurant's computers were down. The membership was pretty sure which operating system was to blame. Several offered to reinstall their computers.
Membership chair Mark Scarborough noted that James Johnson had rejoined CACTUS. There were two additional new memberships.
Program chair Brad Knowles offered a menu of presentations: IMAP, Sendmail or DNS. The majority selected DNS. Brad brought not only a video projector, but an extension cord.
While Brad was setting up, Gil was explaining how one could buy a flux capacitor. If you already own a Delorean automobile, it's free. Just go to:
http://delorean.com/dmcstore/onlinestore-search.asp
Then enter the part number: 18851985.
Brad Knowles was ready by the time that we realized that no one present owned a Delorean, and we were doomed to remain in the present.
Brad's presentation was a comparison of Domain Name System (DNS) server software. He had previously presented it at LISA in 2002 and at Réseaux IP Européens (RIPE). Brad compared the following versions:
A number of others were not considered: QuickDNS, MaraDNS, Pdnsd, Posadis, MyDNS, LDAPDNS, UltraDNS, Cisco Network Registrar and Incognito DNS Commander.
To perform a survey of the top level domains (TLD), Brad originally thought he would synthesize it. He discovered he could obtain a copy of it. Using old hardware in his basement, he configured these DNS servers and put them through their paces.
In the course of his investigation, he discovered that UUNET's DNS servers were configured to be open and recursive, which made them vulnerable to cache pollution or poisoning. After he published this, UUNET corrected the problem. Because a poisoned cache hands out forged answers to everyone who uses the server, open recursive servers also expose their users to phishing or spear-phishing.
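The open-recursion problem Brad ran into is easy to check for on your own servers: send a query for a name the server is not authoritative for and look at the header bits of the reply. The script below is an added example, not part of the newsletter or of Brad's comparison; it builds a query, parses the wire-format DNS header, and classifies the reply. The replies it inspects are constructed byte strings (the name, transaction id and address are made up), so it runs offline, but classify_response() works just as well on a reply read from a UDP socket.

```python
"""
Added example (not from the newsletter or from the DNS comparison):
classify a DNS reply as open-recursive, refused or authoritative
from its header fields alone. All packets here are constructed.
"""
import struct
from typing import Optional

# DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035 section 4.1.1)
HEADER = struct.Struct("!HHHHHH")

QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
RCODE_REFUSED = 5


def build_query(txid: int, name: str, qtype: int = 1, rd: bool = True) -> bytes:
    """Minimal query: one question, type A / class IN by default, RD set."""
    header = HEADER.pack(txid, RD if rd else 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header into named fields."""
    if len(msg) < HEADER.size:
        raise ValueError("message shorter than a DNS header")
    txid, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {
        "id": txid,
        "qr": bool(flags & QR), "aa": bool(flags & AA), "tc": bool(flags & TC),
        "rd": bool(flags & RD), "ra": bool(flags & RA),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify_response(query: bytes, response: bytes) -> str:
    """Given the query we sent (for a name the server does not host), label the reply."""
    q, r = parse_header(query), parse_header(response)
    if r["id"] != q["id"]:
        return "mismatched-id"        # not a reply to our query; ignore it
    if not r["qr"]:
        return "not-a-response"
    if r["rcode"] == RCODE_REFUSED:
        return "refused"              # what an authoritative-only server should do
    if r["ra"] and r["ancount"] > 0 and not r["aa"]:
        return "open-recursive"       # it went and fetched data it is not authoritative for
    if r["aa"]:
        return "authoritative"
    return "other"


def make_response(query: bytes, flags: int, address: Optional[str]) -> bytes:
    """Constructed reply: echo the question, optionally append one A record."""
    txid = HEADER.unpack_from(query)[0]
    question = query[HEADER.size:]
    answer, ancount = b"", 0
    if address is not None:
        rdata = bytes(int(octet) for octet in address.split("."))
        # name is a compression pointer to offset 12 (the question name)
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
        ancount = 1
    return HEADER.pack(txid, flags, 1, ancount, 0, 0) + question + answer


def demo() -> dict:
    """Three constructed replies to the same query, one per behaviour."""
    q = build_query(0x1234, "www.example.net.")  # constructed name and id
    replies = {
        "open": make_response(q, QR | RD | RA, "192.0.2.10"),   # recursed, not AA
        "refused": make_response(q, QR | RD | RCODE_REFUSED, None),
        "authoritative": make_response(q, QR | AA | RD, "192.0.2.10"),
    }
    return {label: classify_response(q, reply) for label, reply in replies.items()}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:14s} -> {verdict}")
```

The RA bit alone is not proof: some servers advertise recursion but refuse it to outside clients, which is why the check also requires a non-authoritative answer to actually come back. A server that answers "refused" for names outside its zones is behaving the way Brad's fix for UUNET would have made theirs behave.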
Brad used the TLD data and the .tv zone, which was the largest zone (about 20 MB) that he could get. By listing the responses of the various servers to particular requests, Brad was able to identify which server software many of the top-level domains were using. For instance, he identified that BIND 8 was used by the root and by arpa, com, edu, gov, mil and org.
Brad explained how to obtain and build all of these DNS servers. He went into detail about how he measured the performance. He also gave a general description of the tested servers.
ISC's BIND is the gold standard. BIND 8 is legacy/spaghetti code, with some security risk, and doesn't support IPv6, but it's a little faster than BIND 9. BIND 9 supports multi-processors, has enhanced protocol support and improved standards conformance.
Bernstein's djbdns is actually two pieces: dnscache and tinydns. It violates RFCs. By default, it does not support zone transfers, does not provide referrals, and does not support TCP. It also truncates responses illegally. It has limited hardware support, and the author does not seem intent on supporting new DNS features. It does address the security issues in BIND 8.
Name Server Daemon (NSD) is an authoritative-only, high-performance, simple open-source name server. It was developed under the auspices of NLnet Labs. It's for the experienced DNS administrator; not much hand-holding is provided. It precomputes all possible questions and answers for the zone it serves and generates an indexed database to provide the mapping. This makes it very fast for an authoritative-only server.
Nominum provides two pieces: Foundation Authoritative Name Server (ANS) and Caching Name Server (CNS). These are carrier class products. Paul Mockapetris invented DNS in 1983, and now serves as chief scientist for Nominum. They're fast and easy to use.
The PowerDNS nameserver is a modern, advanced and high-performance authoritative-only name server. It was written from scratch and conforms to all relevant DNS standards. It can interface with almost any database, and it's now open source. Commercial support and consulting are available. PowerDNS also sells domain and web hosting. Their documentation needs work.
Brad displayed performance graphs for authoritative name server and caching performance for each of the servers examined.
A couple of members indicated that while they had worked with DNS for years, much of the presentation went over their heads. This report does not begin to scratch the surface.
The complete presentation is available at:
http://www.shub-internet.org/brad/papers/dnscomparison
Thanks to Mangia Pizza for the hospitality, and Brad Knowles for the excellent presentation.
Some of you may not have noticed, but Linux.cactus.org has a new IP address. Outserv.net, who graciously hosts some of our machines at their facility, has changed upstream Internet providers. Our packets are no longer being handled by TexLink, but are now traveling down a much fatter pipe provided by Time Warner Cable Commercial Services. This turned out to be a moderately big deal because Linux.cactus.org is the primary name server for our domain. It took a couple hours to iron out all the wrinkles, but everything has been working fine since then. Many thanks to Dave Maynard and the folks at Outserv for making this transition as painless as possible.
Other changes are going to be happening soon as well. After much delay and discussion, Unix shell account services and mail services on Linux.cactus.org and Bubba.cactus.org are going to be moved. Both of these machines are running obsolete Linux versions and need to be upgraded. Plus, our mail server configuration hasn't been updated in years and just isn't coping well with the fact that 99% of the mail messages it receives are spam.
I've got the newest machine, Outserv.cactus.org, already configured with Postfix, Procmail, and Dovecot. The new machine will become the primary mail exchanger for cactus.org on April 19th. POP and IMAP services will be available at pop-server.cactus.org and imap-server.cactus.org, and both services will be protected with SSL so there won't be any issue with cleartext passwords going over the Internet. There are some additional details to nail down before then, but you'll be able to see all that on our Cactus Wiki page:
https://outserv.cactus.org/mediawiki/
Operating System upgrades on Bubba.cactus.org and Linux.cactus.org will begin after the May 17th meeting, so all the home directories on both of those systems will have to be moved to Outserv.cactus.org before that can begin.
If you've got any questions, suggestions, or a burning desire to help, please come to the next meeting so you can put your two cents in.
There are two interesting bills filed with the Texas Legislature this session that should be of interest to CACTUS members. Texas bill SB-446, for instance, mandates that each electronic document created by a state agency must be in an open XML file format that is:
To borrow a phrase from our Honorable Governor Rick Perry, this bill says "Adios, MoFo" to proprietary file formats.
Another bill has been filed in the Texas House that addresses electronic voting issues. Texas bill HB-3119 tries to address three concerns:
You can track the progress of these bills on the Texas Legislature's web site:
I'd encourage everyone to read these bills and contact your representatives to let them know what you think.
CACTUS would like to thank David Crow, John Kingman, and Gil Kloepfer for renewing their memberships.
Special thanks to Ray Solanik for his continued sponsorship of CACTUS!
To renew your membership, please send check or money order payable to CACTUS ($30/yr for regular membership and $100/yr for corporate sponsorship):
CACTUS
PO BOX 9786
Austin, TX 78766-9786
You can also pay in person at the general meetings. Please direct any inquiries or address changes to membership [at] cactus <dot> org.
CACTUS meets on the third Thursday of each month at the Mangia Pizza (Gracy Farms location):
Mangia Pizza - Gracy Farms
12001 Burnet Road at Gracy Farms Ln.
Austin, TX 78758
(512) 832-5550
http://www.mangiapizza.com/33/Gracy_Farms.html
This location is approximately 2 miles north of our previous meeting location at ARL. Note that the Mapquest map on Mangia's web site is slightly wrong.
Mangia Pizza is on the north-east corner of the Mopac service road and Gracy Farms Ln.
Note: If you pass Mangia Pizza, there is a U-turn on the left just a little past the store cluster. Follow the directions for Mopac coming from the north.