I am using IPv6 and it is great, I am using it as the only available Protocol on my Servers.
But the V6 Infrastructure still has a few problems, that do manifest as soon v6 is used as primary protocol.
So far what I discovered:
- IPv6 root nameservers do not resolve These nameservers do forward your DNS Request, but if the targeted DNS Server does not have IPv6 it could not reached. Which means it cant even answer some V6 enabled domains, I worked around this problem by asking the IPv4 nameservers over their NAT64 address counterparts.
- DNS blocklists are not NAT64 aware For time and stability reasons I solved this by giving my primary mailservers an additional v4 Address with NAT. (that DNSBL translator stuff I tried to make, at my last post does not work well yet)
- Apps tent to get IPv6-IPv4 fallback wrong Just recently an app is trying IPv4 Address, which fails, but does not try the IPv6 Addr wich would work fine, only solution here is to write as many bugreports as you can.
I wrote a small piece of code today, addressing the problem that DNS Blocklists are not working for Mailservers in a NAT64 enviromnent.
$ host -t A 9.0.a.d.a.e.b.a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.9.f.f.126.96.36.199.dnsbl.fnordpol.de 127.0.0.1
Using domain server:
9.0.a.d.a.e.b.a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.9.f.f.188.8.131.52.dnsbl.fnordpol.de has address 127.0.0.2
this is currently working on my development laptop. It is a small python script which thinks that all it gets is a NAT64 prefixed IPv4 so it builds an ipv4 query out of the V6 address and forwards that thing to the real blocklist provider.
It surely needs some refinement, to make it operative.
I am using puppet to manage my containers. This might have some disadvantages in form of speed but the advantage is that it is
only the puppet service that needs to be secured, not an lxd or some other service. So what…
lets see how that works, the following hiera stencil defines me a virtual machine, this time without an
ip addess, but it can come with one at all:
# this is the tun tap device
lxc.cgroup.devices.allow = c 10:200 rwm
lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file 0 0
as soon as I enable
the machinery starts its work: it checks for any lxc maintainace scripts and a logindefs class to set subuids, as soon as all prereqs are there it
- creates a user
- creates subuid and subgid ranges in lxc configuration
- creates network permissions
- installs a local debian os template with puppet node
- configures puppet and hostname
- modifies permissions so that no one exept root and the vm user can access vm data
- configures container backup via duplicity
- starts the container
It may not that easy to actualy move containers, but creation really is that easy… it also has a mode where it can automatically migrate a priviledged container into an unpriviledged one…
by the way, one short notice, if one sees manuals pointing that you should write: your-username veth lxcbr0 10 I am not really happy with that example, because I cant think of any user who needs more than 1 simultaniously connected ethernet devices for his unpriviledged containers. so you may want to write 1 here. because if you really want to seperate your containers you might consider having one user that holds exactly one container, running with one specific range of subuids.
I started to change the rear member of my defender, unfortunately i discovered later in that repair, that my extensions are gone as well, so i ordered long extensions and will go for another try next week…
So I hope it will not overcrowd my blog and I also hope that my readers are aware that not every link they click on is actually good for them. 😉
A few years ago I decided to stop using wordpress and to start using blogofile, a static website and blog generator. It was mainly the spam maintanance in my wordpress instance which forced me to do that.
Unfortunately as of today it seems that I have to fork a complete virtual environment for blogofile which breaks down whenever I try to write a post due to system upgrades.
So I decided to switch back to wordpress and here I am.
I hope that I can provide you with stuff more frequently, in the future. So don’t forget to add be to your rss feed, and also to follow me on Twitter and Youtube.
I just brought my first ever NAT64 up and running!
64 bytes from 64:ff9b::808:808: icmp_seq=501 ttl=57 time=1.42 ms
64 bytes from 64:ff9b::808:808: icmp_seq=502 ttl=57 time=1.48 ms
64 bytes from 64:ff9b::808:808: icmp_seq=503 ttl=57 time=1.50 ms
64 bytes from 64:ff9b::808:808: icmp_seq=504 ttl=57 time=1.43 ms
64 bytes from 64:ff9b::808:808: icmp_seq=505 ttl=57 time=1.36 ms
64 bytes from 64:ff9b::808:808: icmp_seq=506 ttl=57 time=1.51 ms
64 bytes from 64:ff9b::808:808: icmp_seq=507 ttl=57 time=1.55 ms
64 bytes from 64:ff9b::808:808: icmp_seq=508 ttl=57 time=1.45 ms
64 bytes from 64:ff9b::808:808: icmp_seq=509 ttl=57 time=1.53 ms
64 bytes from 64:ff9b::808:808: icmp_seq=510 ttl=57 time=1.35 ms
64 bytes from 64:ff9b::808:808: icmp_seq=511 ttl=57 time=1.35 ms
64 bytes from 64:ff9b::808:808: icmp_seq=512 ttl=57 time=1.37 ms
64 bytes from 64:ff9b::808:808: icmp_seq=513 ttl=57 time=1.56 ms
it can ping googles nameserver now.
V6 only infrastructure is coming.
Two days ago I cleaned up my key management.
I created new gnupg keys and I figured out that gnupg is able to
deal with many more things than I thought of today.
You can use the Keys in you GPG storage to authenticate your ssh logins.
You can use the Keys for signing and ancrypting with both PGP and S/MIME
The GPG Agent keeps your keys painlessly locked away when you are not
using them for a while, but I do not have to enter my passphrase every
minute just to check my mail.
There is only one Option that I really miss: I want to authenticate
against Facebook, Google and others via using GnuPG, it is the
obvious next step. That means a Webbrowser who is aware of Gnupg and
a multipart signed mime post request. There are rumors that browsers
already have such a thing, but I was not able to find anything on the
So my private keys are now saver than before.
But lets start from scratch:
- everyone uses electronic signatures, on webpages and for your eBanking
- most people do know nothing about electronic signatures
- not knowing is is dangerous
If you don’t know anything about Public Key and Signatures you definately
An electronic signature is the other way round, you
encrypt private and decrypt public.
How easy is that? The only big issue is, that you have to keep your keys save.
So far, cu next time. Oh by the way, my new GnuPG Key is:
- ID: 5F94E76B Keygrip: 977A0623F543190A41D7DE2A0D297B023E9868DD
Note the Fatique crack.
I am heading off with a car now.
Here a late picture of the CW fieldday in Bruck/Leitha where the participants of the course in which
we learned CW made a fieldday in the end of July where we started using our new skills.