This feed contains various notes on stuff I'd like to be able to look up again eventually.
My first DNSSEC setups were using OpenDNSSEC, but at some point I preferred to migrate to DNSSEC-Tools.
Here's a hack (howto) to migrate the KSK keys to .krf format. The ZSK keys will be generated by the first zonesigner run.
    #!/bin/sh
    # Usage: <script> ZONE KEYID ALGORITHM

    ZONE="$1"
    KEY="$2"
    ALGO="$3"

    # Export the key from SoftHSM and convert it to BIND format
    cd keys
    sudo softhsm --export $ZONE.zsk --slot 0 --pin 1234 --id $KEY
    softhsm-keyconv --tobind --in $ZONE.zsk --name $ZONE. --algorithm $ALGO
    BINDKEY=$(ls K$ZONE*key)
    # Turn the DNSKEY flags from 256 (ZSK) into 257 (KSK)
    sed -i -e 's/256/257/' $BINDKEY
    BASEKEY=$(basename $BINDKEY .key)
    cd ..

    # Write the keyrec file with the imported key as current KSK
    cat > $ZONE.krf <<EOF
    zone "$ZONE"
            serial "2011112202"
            kskcur "$ZONE-signset-00001"
            signedzone "$ZONE.signed"
            kskcount "1"
            archivedir "/var/lib/dnssec-tools/archive"
            kskdirectory "/cb/ns.df7cb.de/keys"
            zskdirectory "/cb/ns.df7cb.de/keys"
            endtime "+2592000"
            lastset "$ZONE-signset-00004"
            zonefile "$ZONE"
            keyrec_type "zone"
            keyrec_signsecs "1321964086"
            keyrec_signdate "Tue Nov 22 12:14:46 2011"

    set "$ZONE-signset-00001"
            keys "$BASEKEY"
            set_type "kskcur"
            zonename "$ZONE"
            keyrec_setsecs "1321961247"
            keyrec_setdate "Tue Nov 22 11:27:27 2011"

    key "$BASEKEY"
            zonename "$ZONE"
            keyrec_type "kskcur"
            algorithm "$ALGO"
            random "/dev/urandom"
            keypath "/cb/ns.df7cb.de/keys/$BINDKEY"
            ksklength "2048"
            ksklife "15552000"
            revperiod "3888000"
            keyrec_gensecs "1321961248"
            keyrec_gendate "Tue Nov 22 11:27:28 2011"
    EOF

    # The first zonesigner run generates the ZSKs
    zonesigner -keydirectory keys -usensec3 -genzsk -verbose $ZONE
    rollinit $ZONE >> all.rollrec
    echo "/cb/ns.df7cb.de/$ZONE.signed $ZONE cb@df7cb.de" >> checkzones.txt
(The filenames at the end are those used by http://www.incertum.net/archives/11-DNSSEC-mit-Debiansqueeze-dnssec-tools,-bind9.html)
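The sed step in the script changes the DNSKEY flags field from 256 to 257, and the RFC 4034 key tag is computed over the whole DNSKEY RDATA, flags included, so the tag changes with that edit. The following is an added example, not part of the original note: it parses a BIND .key file, checks flags, protocol and algorithm, and computes the tag for both flag values so it can be compared with the DS record at the parent. The function names, the numeric `expected_alg` parameter and the sample key bytes are constructed for illustration.

```python
import base64
import struct

def parse_dnskey(text):
    """Return (owner, flags, protocol, algorithm, key bytes) from .key file text."""
    for line in text.splitlines():
        fields = line.split(";")[0].split()   # drop comments
        upper = [f.upper() for f in fields]
        if "DNSKEY" in upper:
            i = upper.index("DNSKEY")
            flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
            return fields[0], flags, proto, alg, base64.b64decode("".join(fields[i + 4:]))
    raise ValueError("no DNSKEY record found")

def key_tag(flags, proto, alg, pubkey):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def check_ksk(text, expected_alg):
    """Check an edited key file; return (tag as KSK, tag as ZSK, problems)."""
    owner, flags, proto, alg, pubkey = parse_dnskey(text)
    problems = []
    if flags != 257:
        problems.append(f"flags are {flags}, expected 257 (zone key + SEP)")
    if proto != 3:
        problems.append(f"protocol is {proto}, must be 3")
    if alg != expected_alg:
        problems.append(f"algorithm is {alg}, expected {expected_alg}")
    return key_tag(257, proto, alg, pubkey), key_tag(256, proto, alg, pubkey), problems

# Constructed sample: 32 arbitrary bytes stand in for a real public key.
SAMPLE_KEY = base64.b64encode(bytes(range(1, 33))).decode()
SAMPLE_FILE = f"; constructed sample\nexample.org. IN DNSKEY 257 3 8 {SAMPLE_KEY}\n"

if __name__ == "__main__":
    ksk_tag, zsk_tag, problems = check_ksk(SAMPLE_FILE, expected_alg=8)
    print(f"tag with flags 257: {ksk_tag}, with flags 256: {zsk_tag}")
    print("problems:", problems or "none")
```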
I need to look this up every time I need a backport (mostly PostgreSQL) at a customer site with limited networking:
$ lftp -c 'mget http://backports.debian.org/debian-backports/pool/main/p/postgresql-8.4/*_8.4.5-1~bpo50+1_amd64.deb'
Hopefully I can remember this in the future.
Setting up a 6to4 tunnel on freewrt:
    #!/bin/sh
    # http://tldp.org/HOWTO/Linux+IPv6-HOWTO/configuring-ipv6to4-tunnels.html

    # Tear down any existing tunnel
    ip -6 route flush dev tun6to4
    ip link set dev tun6to4 down
    ip tunnel del tun6to4
    sleep 2

    ttldefault=15
    # Derive the 6to4 prefix (2002:<IPv4 in hex>) from the address on ppp0
    ipv4=$(ip a show ppp0 | sed -ne 's/.*inet \([^ ]*\).*/\1/p')
    local6to4prefix=$(printf "2002:%02x%02x:%02x%02x" `echo $ipv4 | tr "." " "`)
    local6to4address="$local6to4prefix::1"

    # Create the tunnel and route IPv6 via the 6to4 anycast relay
    ip tunnel add tun6to4 mode sit ttl $ttldefault remote any local $ipv4
    ip link set dev tun6to4 up
    ip -6 addr add $local6to4address/16 dev tun6to4
    ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4

    # Put the prefix on the LAN interface and announce it via radvd
    ip -6 addr add $local6to4address/64 dev eth0.0
    ip -6 route add $local6to4address/64 dev eth0.0
    sed -i -e "s/prefix.*/prefix $local6to4prefix::\\/64/" /etc/radvd.conf
    /etc/init.d/S51radvd restart
Set dpkg options: -o DPkg::Options::=--force-confmiss
Turn off apt key verification: -o Apt::Get::AllowUnauthenticated=true
Setting up X.org on a Sony PCG C1VE on Debian/etch:
- dpkg-reconfigure xserver-xorg
  - ati
  - rest default
- edit xorg.conf:
  - Section "Monitor": ModeLine "1024x480" 65.00 1024 1032 1176 1344 480 488 494 560 -hsync -vsync
  - Section "Screen", SubSection "Display": Modes "1024x480" ...