DNSSEC + unbound local DNS

I’ve been playing with dnssec-trigger, a neat little utility from NLnet Labs. It sets up a local instance of Unbound (a caching recursive DNS resolver) alongside a daemon which listens for network configuration changes and reconfigures your system’s DNS settings on the fly, to ensure you’re always using DNSSEC-secured resolvers (while still taking advantage of the locally configured recursive resolvers assigned by DHCP).

I think that’s pretty cool 🙂

Only pitfall so far is that it doesn’t play nicely with VPN for accessing work. I think I can probably work around that by setting up a stub resolver configuration in Unbound though.

Further info:

http://jpmens.net/2011/10/21/automating-unbound-for-dnssec-on-your-workstation/
http://jpmens.net/2011/11/05/dnssec-trigger-on-mac-os-x/

It works nicely with the DNSSEC Validator Firefox addon (by CZ.NIC Labs).

Makes me really want to get my domain DNSSEC enabled now!

SixOrNot 0.7.0


It’s been a long time coming, but I finally finished off a new release. There’s actually an 0.7.1 which fixes a few additional bugs but that’s awaiting review.

So what’s new? Most visibly the UI has been replaced with a new panel-based design. This allows more information to be shown. This is needed because the addon now shows you not only the IPv6 status of the main domain you’re visiting, but also the status for all the domains contacted during the loading of the page. This is particularly useful for highlighting when a site’s CDN (content delivery network) isn’t IPv6 enabled despite the site itself claiming to be!

Another major change is that SixOrNot now takes advantage of changes to the Firefox API which allow you to find the actual IP address used to connect to a remote site. When the addon was first conceived this was not possible and I had to take the approach of using DNS lookups along with local address information to guess at the transport being used. This wasn’t 100% reliable however, and in dual-stack environments was only a best-guess as to the actual state. Now SixOrNot tells you the actual address you’re connecting to.

Of course it still shows the DNS information, and so can still show you when a site could potentially be contacted using IPv6. As far as I’m aware it’s the only addon which does this combined approach.

Under the hood I’ve completely re-engineered the way the addon works. Previously a polling loop was used (a hangover from the old code, which was lifted from the Flagfox addon and has now been completely re-written); now the architecture is entirely event-driven. This makes the addon much more efficient and reduces memory/CPU usage.

The code has also been heavily re-factored and re-organised. This aids maintainability and provides a good basis for new features. On that subject I’m planning on adding back the local IP address information (along with an optional lookup of your external IP address(es)). The documentation also needs a major overhaul, and a proper website is on my todo list as well.

You can download SixOrNot from the Mozilla addons website here:

https://addons.mozilla.org/en-US/firefox/addon/sixornot/

The source code is available on Github:

https://github.com/tbentropy/sixornot

SCCM 2012 PowerShell automation library

So my latest project is to build a library to permit automated configuration of SCCM 2012. Currently this is in release candidate form, though a final release date is expected at MMS later this year. So far despite rumours there is no firm information about whether native PowerShell support (e.g. SCCM-specific cmdlets) will be provided by Microsoft.

We need this right now at work to start building test environments so I have a copy of the RC2 beta installed, a copy of the /\/\o\/\/ PowerShell WMI Explorer and a certain grim determination to produce a damn fine PowerShell library.

So far I’ve finished Boundaries and BoundaryGroups, currently working on Discovery Methods (via an interesting diversion into the world of CIM_DATETIME strings and SMS Schedules…)

I’ll be posting more as I build it. Code will be pushed to github:

https://github.com/tbentropy/SCCM2012PowerShell

SCCM scripted install note: Webdav prerequisite

http://technet.microsoft.com/en-us/library/cc431377.aspx

Installing SCCM 2007 on Server 2008 or Server 2008 R2 has a number of prerequisites related to IIS, namely:

– Remote Differential Compression
– IIS 7.0 for 2008, IIS 7.5 for 2008 R2
– BITS Server Extensions/Background Intelligent Transfer Services (BITS), Remote Differential Compression, WebDAV Publishing (2008 R2 only), ASP.NET, Windows Authentication
– On 2008, webdav needs to be installed manually

Most of these can be easily taken care of by installing the correct roles/role services on the platforms in question. This is easy to do on 2008/2008R2 using servermanagercmd.exe, e.g.:


servermanagercmd.exe -install BITS Web-Asp-Net

Once you have IIS installed (and on 2008, have manually installed webdav) you need to configure webdav. This can be done using the following scripted commands via the appcmd.exe utility which comes with IIS7.


%WinDir%\System32\InetSrv\appcmd.exe set config "Default Web Site" /section:system.webServer/webdav/authoring /enabled:true /commit:apphost
%WinDir%\System32\InetSrv\appcmd.exe set config "Default Web Site" /section:system.webServer/webdav/authoringRules /+[users='*',path='*',access='Read'] /commit:apphost
%WinDir%\System32\InetSrv\appcmd.exe set config "Default Web Site" /section:system.webServer/webdav/authoring /fileSystem.allowHiddenFiles:true /commit:apphost
%WinDir%\System32\InetSrv\appcmd.exe set config "Default Web Site" /section:system.webServer/webdav/authoring /properties.allowAnonymousPropfind:true /commit:apphost
%WinDir%\System32\InetSrv\appcmd.exe set config "Default Web Site" /section:system.webServer/webdav/authoring /properties.allowInfinitePropfindDepth:true /commit:apphost
%WinDir%\System32\InetSrv\appcmd.exe set config "Default Web Site" /section:system.webServer/webdav/authoring /properties.allowCustomProperties:false /commit:apphost
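As an added check (example code, not from the original post or from Microsoft), the following PowerShell script reads the WebDAV authoring settings back from IIS and compares them with the values the appcmd commands above set, then lists the authoring rules so you can confirm that the only rule present is the Read rule the prerequisite calls for. It assumes the IIS WebAdministration PowerShell module (shipped with IIS 7.5 on Server 2008 R2; on Server 2008 with IIS 7.0 the equivalent snap-in is loaded with Add-PSSnapin WebAdministration), and that Get-WebConfigurationProperty returns boolean attributes wrapped in an object with a Value property, which the helper below unwraps.

```powershell
# Added example, not from the original post: verify the WebDAV authoring
# configuration on "Default Web Site" against the appcmd commands above.
# Assumes the WebAdministration module (IIS 7.5). On IIS 7.0 use:
#   Add-PSSnapin WebAdministration
Import-Module WebAdministration

$sitePath = 'IIS:\Sites\Default Web Site'
$section  = 'system.webServer/webdav/authoring'

# Expected values, exactly as set by the appcmd commands above. The key is
# "<child element>|<attribute>" relative to the authoring section; an empty
# child element means an attribute of the authoring element itself.
$expected = @{
    '|enabled'                              = $true
    'fileSystem|allowHiddenFiles'           = $true
    'properties|allowAnonymousPropfind'     = $true
    'properties|allowInfinitePropfindDepth' = $true
    'properties|allowCustomProperties'      = $false
}

function Get-AuthoringValue {
    param([string]$Child, [string]$Attribute)
    $filter = if ($Child) { "$section/$Child" } else { $section }
    $v = Get-WebConfigurationProperty -PSPath $sitePath -Filter $filter -Name $Attribute
    # Boolean attributes come back as a ConfigurationAttribute object; unwrap
    # it to the raw value so it can be compared (assumption, see lead-in).
    if ($v -ne $null -and $v.PSObject.Properties['Value']) { $v = $v.Value }
    return $v
}

$problems = 0
foreach ($key in ($expected.Keys | Sort-Object)) {
    $child, $attr = $key -split '\|'
    $label  = if ($child) { "$child.$attr" } else { $attr }
    $actual = Get-AuthoringValue -Child $child -Attribute $attr
    # Convert.ToBoolean handles both real booleans and "true"/"false" strings.
    if ([System.Convert]::ToBoolean($actual) -eq $expected[$key]) {
        Write-Host ("OK       {0,-40} = {1}" -f $label, $actual)
    } else {
        Write-Warning ("MISMATCH {0} = {1} (expected {2})" -f $label, $actual, $expected[$key])
        $problems++
    }
}

# Authoring rules: the prerequisite needs one Read rule for all users, so any
# rule granting Write or Source access over WebDAV is more than SCCM asks for.
$rules = @(Get-WebConfiguration -PSPath $sitePath -Filter 'system.webServer/webdav/authoringRules/add')
if ($rules.Count -eq 0) {
    Write-Warning 'No WebDAV authoring rules found (the Read rule for users=* is missing).'
    $problems++
}
foreach ($r in $rules) {
    $desc = "users='{0}' roles='{1}' path='{2}' access='{3}'" -f $r.users, $r.roles, $r.path, $r.access
    if ("$($r.access)" -match 'Write|Source') {
        Write-Warning "Authoring rule grants more than Read: $desc"
        $problems++
    } else {
        Write-Host "OK       authoring rule $desc"
    }
}

if ($problems -eq 0) { Write-Host 'WebDAV prerequisite configuration matches.' }
else { Write-Warning "$problems problem(s) found." }
```

Run it from an elevated PowerShell prompt on the site server after the appcmd commands. Anonymous PROPFIND and hidden-file access are what the SCCM client needs from the distribution point, so the script treats those as expected; what it does flag is any authoring rule broader than Read, which is the setting that would turn the WebDAV share into something writable by whoever the rule names.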

This performs the same actions as the instructions in the TechNet article linked above.

Fileserver upgrades

The PSU on my fileserver (singularity) broke recently, and I decided to take the opportunity to upgrade it a bit.

New hardware:

Asus M4A88T-M motherboard
AMD Sempron 145 2.8GHz
4GB ECC DDR3 memory

This isn’t a massive upgrade over the old system, however it does give me ECC memory capability (the motherboard and CPU both support it; a nice feature of AMD kit is that even their bottom-of-the-line parts do) as well as a better-supported chipset for FreeBSD (the old motherboard used an nVidia chipset which never really worked well).

Here’s the dmesg for the new system:


Copyright (c) 1992-2011 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 8.2-RELEASE #0: Thu Feb 17 02:41:51 UTC 2011
root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: AMD Sempron(tm) 145 Processor (2812.64-MHz K8-class CPU)
Origin = "AuthenticAMD" Id = 0x100f63 Family = 10 Model = 6 Stepping = 3
Features=0x78bfbff
Features2=0x802009
AMD Features=0xee500800
AMD Features2=0x37fd
TSC: P-state invariant
real memory = 4294967296 (4096 MB)
avail memory = 3841773568 (3663 MB)
ACPI APIC Table:
ACPI Warning: Optional field Pm2ControlBlock has zero address or length: 0x0000000000000000/0x1 (20101013/tbfadt-655)
ioapic0 irqs 0-23 on motherboard
kbd1 at kbdmux0
acpi0: on motherboard
acpi0: [ITHREAD]
acpi0: Power Button (fixed)
acpi0: reservation of fee00000, 1000 (3) failed
acpi0: reservation of ffb80000, 80000 (3) failed
acpi0: reservation of fec10000, 20 (3) failed
acpi0: reservation of fed40000, 5000 (3) failed
acpi0: reservation of 100000, cfe00000 (3) failed
acpi0: reservation of 0, a0000 (3) failed
Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
acpi_timer0: port 0x808-0x80b on acpi0
cpu0: on acpi0
acpi_hpet0: iomem 0xfed00000-0xfed003ff on acpi0
Timecounter "HPET" frequency 14318180 Hz quality 900
pcib0: port 0xcf8-0xcff on acpi0
pci0: on pcib0
pcib1: at device 1.0 on pci0
pci1: on pcib1
vgapci0: port 0xd000-0xd0ff mem 0xd0000000-0xdfffffff,0xfeaf0000-0xfeafffff,0xfe900000-0xfe9fffff irq 18 at device 5.0 on pci1
pci1: at device 5.1 (no driver attached)
pcib2: irq 18 at device 2.0 on pci0
pci2: on pcib2
pcib3: at device 0.0 on pci2
pci3: on pcib3
arcmsr0: <Areca SATA Host Adapter RAID Controller
> mem 0xfebfb000-0xfebfbfff,0xfd800000-0xfdbfffff irq 16 at device 14.0 on pci3
ARECA RAID ADAPTER0: Driver Version 1.20.00.19 2010-11-11
ARECA RAID ADAPTER0: FIRMWARE VERSION V1.48 2009-12-31
arcmsr0: [ITHREAD]
pcib4: at device 0.2 on pci2
pci4: on pcib4
pcib5: irq 18 at device 10.0 on pci0
pci5: on pcib5
re0: port 0xe800-0xe8ff mem 0xfdfff000-0xfdffffff,0xfdff8000-0xfdffbfff irq 18 at device 0.0 on pci5
re0: Using 1 MSI messages
re0: Chip rev. 0x2c000000
re0: MAC rev. 0x00000000
miibus0: on re0
rgephy0: PHY 1 on miibus0
rgephy0: 10baseT, 10baseT-FDX, 10baseT-FDX-flow, 100baseTX, 100baseTX-FDX, 100baseTX-FDX-flow, 1000baseT, 1000baseT-master, 1000baseT-FDX, 1000baseT-FDX-master, 1000baseT-FDX-flow, 1000baseT-FDX-flow-master, auto, auto-flow
re0: Ethernet address: 14:da:e9:b7:f1:a9
re0: [FILTER]
atapci0: port 0xc000-0xc007,0xb000-0xb003,0xa000-0xa007,0x9000-0x9003,0x8000-0x800f mem 0xfe8ffc00-0xfe8fffff irq 22 at device 17.0 on pci0
atapci0: [ITHREAD]
atapci0: AHCI v1.10 controller with 4 3Gbps ports, PM supported
ata2: on atapci0
ata2: [ITHREAD]
ata3: on atapci0
ata3: [ITHREAD]
ata4: on atapci0
ata4: [ITHREAD]
ata5: on atapci0
ata5: [ITHREAD]
ohci0: mem 0xfe8fe000-0xfe8fefff irq 16 at device 18.0 on pci0
ohci0: [ITHREAD]
usbus0: on ohci0
ohci1: mem 0xfe8fd000-0xfe8fdfff irq 16 at device 18.1 on pci0
ohci1: [ITHREAD]
usbus1: on ohci1
ehci0: mem 0xfe8ff800-0xfe8ff8ff irq 17 at device 18.2 on pci0
ehci0: [ITHREAD]
usbus2: EHCI version 1.0
usbus2: on ehci0
ohci2: mem 0xfe8fc000-0xfe8fcfff irq 18 at device 19.0 on pci0
ohci2: [ITHREAD]
usbus3: on ohci2
ohci3: mem 0xfe8fb000-0xfe8fbfff irq 18 at device 19.1 on pci0
ohci3: [ITHREAD]
usbus4: on ohci3
ehci1: mem 0xfe8ff400-0xfe8ff4ff irq 19 at device 19.2 on pci0
ehci1: [ITHREAD]
usbus5: EHCI version 1.0
usbus5: on ehci1
pci0: at device 20.0 (no driver attached)
atapci1: port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xff00-0xff0f at device 20.1 on pci0
ata0: on atapci1
ata0: [ITHREAD]
ata1: on atapci1
ata1: [ITHREAD]
isab0: at device 20.3 on pci0
isa0: on isab0
pcib6: at device 20.4 on pci0
pci6: on pcib6
ohci4: mem 0xfe8fa000-0xfe8fafff irq 18 at device 20.5 on pci0
ohci4: [ITHREAD]
usbus6: on ohci4
acpi_button0: on acpi0
atrtc0: port 0x70-0x71 irq 8 on acpi0
ppc0: port 0x378-0x37f irq 7 on acpi0
ppc0: Generic chipset (NIBBLE-only) in COMPATIBLE mode
ppc0: [ITHREAD]
ppbus0: on ppc0
plip0: on ppbus0
plip0: [ITHREAD]
lpt0: on ppbus0
lpt0: [ITHREAD]
lpt0: Interrupt-driven port
ppi0: on ppbus0
acpi_hpet1: iomem 0xfed00000-0xfed003ff on acpi0
device_attach: acpi_hpet1 attach returned 12
uart0: port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
uart0: [FILTER]
orm0: at iomem 0xc0000-0xcefff on isa0
sc0: at flags 0x100 on isa0
sc0: VGA
vga0: at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
atkbdc0: at port 0x60,0x64 on isa0
atkbd0: irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
atkbd0: [ITHREAD]
acpi_throttle0: on cpu0
hwpstate0: on cpu0
Timecounter "TSC" frequency 2812644637 Hz quality 800
Timecounters tick every 1.000 msec
usbus0: 12Mbps Full Speed USB v1.0
usbus1: 12Mbps Full Speed USB v1.0
usbus2: 480Mbps High Speed USB v2.0
usbus3: 12Mbps Full Speed USB v1.0
usbus4: 12Mbps Full Speed USB v1.0
usbus5: 480Mbps High Speed USB v2.0
usbus6: 12Mbps Full Speed USB v1.0
ugen0.1: at usbus0
uhub0: on usbus0
ugen1.1: at usbus1
uhub1: on usbus1
ugen2.1: at usbus2
uhub2: on usbus2
ugen3.1: at usbus3
uhub3: on usbus3
ugen4.1: at usbus4
uhub4: on usbus4
ugen5.1: at usbus5
uhub5: on usbus5
ugen6.1: at usbus6
uhub6: on usbus6
ad0: 152627MB at ata0-master UDMA100
uhub6: 2 ports with 2 removable, self powered
uhub0: 3 ports with 3 removable, self powered
uhub1: 3 ports with 3 removable, self powered
uhub3: 3 ports with 3 removable, self powered
uhub4: 3 ports with 3 removable, self powered
uhub2: 6 ports with 6 removable, self powered
uhub5: 6 ports with 6 removable, self powered
pass1 at arcmsr0 bus 0 scbus0 target 16 lun 0
pass1: Fixed Processor SCSI-0 device
da0 at arcmsr0 bus 0 scbus0 target 0 lun 0
da0: Fixed Direct Access SCSI-5 device
da0: 166.666MB/s transfers (83.333MHz, offset 32, 16bit)
da0: Command Queueing enabled
da0: 5722045MB (11718749184 512 byte sectors: 255H 63S/T 729458C)
ugen1.2: at usbus1
ukbd0: on usbus1
kbd2 at ukbd0
uhid0: on usbus1
Trying to mount root from ufs:/dev/ad0s1a
re0: link state changed to DOWN
re0: link state changed to UP
acpi_aiboost0: on acpi0
acpi_hpet1: iomem 0xfed00000-0xfed003ff on acpi0
device_attach: acpi_hpet1 attach returned 12

The system uses an Areca 1210 hardware RAID card (highly recommended) attached to four 2TB Western Digital disks to provide the primary storage array. The next step is to copy the system from the current 160GB IDE drive over to an old 320GB SATA drive I have (the previous motherboard only had 4 SATA ports, all of which were used for the backup drive array).

PowerShell remoting and certificates

Trying to use PowerShell remoting to connect to a server, I see:


[servername] Connecting to remote server failed with the following error message : The WinRM client received an HTTP server error status (500), but the remote service did not include any other information about the cause of the failure. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
    + FullyQualifiedErrorId : PSSessionOpenFailed

Mysterious. Checking the event logs on the remote machine reveals:


A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10001.

So it’s trying to read from a certificate and failing. The certificate in question is stored under:


C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

(Found by searching for the above error message).

It looks like the certificates have rolled over, so the old certificate which winrm has a reference to is no longer valid. I’m not actually even making use of certificate-based authentication so the easiest solution is to remove the CertificateThumbprint parameter from winrm configuration:


winrm set winrm/config/service @{CertificateThumbprint=""}

Make sure you don’t run that from a PowerShell prompt though: PowerShell interprets the @{} hashtable syntax itself before winrm ever sees it, so winrm complains about an invalid command line even though it isn’t. Run it from a cmd.exe prompt instead…

And the working winrm configuration:


C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys>winrm get winrm/config
Config
    MaxEnvelopeSizekb = 800
    MaxTimeoutms = 600000
    MaxBatchItems = 20
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = true
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts = *
    Service
        RootSDDL =
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 200
        EnumerationTimeoutms = 600000
        MaxConnections = 15
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = true
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = true
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 180000
        MaxConcurrentUsers = 5
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 15
        MaxMemoryPerShellMB = 150
        MaxShellsPerUser = 5

This does I think mean that HTTPS transport for Winrm/remoting is disabled, but that’s not important in my environment. A better fix would be to switch it to use the most recent machine certificate, or even better to use a certificate created for this exact purpose (and then update it when it expires…)
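As an added example (not from the original post and not a Microsoft tool), the following PowerShell script checks whether the thumbprint the WinRM service is configured with still corresponds to a usable certificate in the machine store, which is the mismatch behind the 0x8009030d error above, and can point the service at the newest suitable machine certificate instead of just clearing the value. It assumes an elevated prompt on the affected server with the WinRM service running (the WSMan: drive needs both), that Set-Item on WSMan:\localhost\Service\CertificateThumbprint accepts the new thumbprint, and the selection criteria (private key present, currently valid, Server Authentication EKU, issued to this host) are my own choice rather than anything WinRM enforces.

```powershell
# Added example, not from the original post. Save as e.g. Check-WinRMCert.ps1
# and run from an elevated PowerShell prompt; nothing changes unless -Apply.
param([switch]$Apply)

$now        = Get-Date
$fqdn       = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$store      = @(Get-ChildItem Cert:\LocalMachine\My)
$configured = (Get-Item WSMan:\localhost\Service\CertificateThumbprint).Value

# 1. Does the configured thumbprint still point at a usable certificate?
if ([string]::IsNullOrEmpty($configured)) {
    Write-Host 'WinRM service has no CertificateThumbprint configured.'
} else {
    $cur = $store | Where-Object { $_.Thumbprint -eq $configured }
    if (-not $cur) {
        Write-Warning "Configured thumbprint $configured is not in LocalMachine\My (stale reference)."
    } elseif (-not $cur.HasPrivateKey) {
        Write-Warning "Configured certificate $configured has no private key."
    } elseif ($cur.NotAfter -lt $now) {
        Write-Warning "Configured certificate $configured expired on $($cur.NotAfter)."
    } else {
        Write-Host "Configured certificate $configured is usable until $($cur.NotAfter)."
        return
    }
}

# 2. Candidate replacements: private key present, currently valid, Server
#    Authentication EKU (1.3.6.1.5.5.7.3.1) and issued to this machine, either
#    in the subject CN or as a DNS subject alternative name. Newest first.
$candidates = $store | Where-Object {
    $_.HasPrivateKey -and $_.NotBefore -lt $now -and $_.NotAfter -gt $now -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' }) -and
    ($_.Subject -like "*CN=$fqdn*" -or $_.Subject -like "*CN=$env:COMPUTERNAME*" -or
     (($_.DnsNameList | ForEach-Object { $_.Unicode }) -contains $fqdn))
} | Sort-Object NotAfter -Descending

if (-not $candidates) {
    Write-Warning 'No suitable replacement certificate found.'
    Write-Host 'To drop the stale reference instead (what the post does), quote the argument so PowerShell leaves @{} alone:'
    Write-Host "    winrm set winrm/config/service '@{CertificateThumbprint=`"`"}'"
    return
}

$best = @($candidates)[0]
Write-Host "Newest suitable certificate: $($best.Thumbprint)  $($best.Subject)  expires $($best.NotAfter)"
if ($Apply) {
    Set-Item WSMan:\localhost\Service\CertificateThumbprint -Value $best.Thumbprint
    Write-Host 'WinRM service CertificateThumbprint updated; restart the WinRM service (Restart-Service WinRM) to pick it up.'
} else {
    Write-Host 'Re-run with -Apply to point the WinRM service at it.'
}
```

Running it without -Apply is a safe way to find out whether a remoting failure on a given host is this particular stale-thumbprint problem before touching anything. Separately from the certificate question, the configuration dump above also shows AllowUnencrypted = true on the service side and TrustedHosts = * on the client; neither causes the error in this post, but both are worth tightening on any host that is reachable from beyond a lab network.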

Time Machine

I decided to set up Time Machine backups for my new Macbook Air using my FreeBSD based file server. This server was already configured to serve files over AFP and Samba and I had multicast DNS set up on it. The Time Machine setup was really an incremental improvement of the existing functionality.

There are a lot of guides around describing this kind of setup and a lot of them are out of date (not applicable to OSX 10.7). I found that using the latest version of Netatalk and Avahi along with a little bit of bait-and-switch for the disk image itself gave a satisfactory outcome.

Note: This guide assumes you are running OSX 10.7 and using a FreeBSD 8.2 server.

First thing to do was to update my FreeBSD ports collection and then do a full port upgrade. This took quite a long time (I am a bit lax about keeping ports up to date on this machine).

The relevant commands:

# portsnap fetch extract update
# portmanager -u

If you don’t have portmanager installed:

# cd /usr/ports/ports-mgmt/portmanager && make install clean

Wait a long time; the build occasionally stops to ask for configuration options at unpredictable points, so you can’t just leave it running unattended. Oh and try and make sure you avoid anything which selects an optional dependency on gtk or X11 to avoid pulling in the entire universe…

At this point I found some conflicts and had to remove some of the conflicting ports manually using pkg_delete, these were:

# pkg_delete ghostscript8-nox11-8.71_8

# pkg_delete howl-1.0.0_1
# pkg_delete bash3-3.2.51

This is probably very specific to the state of my ports collection however!

When ports are up-to-date the versions of Netatalk and Avahi ought to be at least:

avahi-app-0.6.29

netatalk-2.2.0_3,1
nss_mdns-0.10_2
samba35-3.5.11

Netatalk 2.2 in particular is needed to support some of the functionality Time Machine requires.

Configure /usr/local/etc/AppleVolumes.default:

/ "" options:noadouble,tm allow:,

e.g.

/store "store" options:noadouble,tm allow:bob,luke

(The “tm” option indicates to OSX that this is a valid Time Machine backup share so it’ll appear in the Time Machine list without having to use the infamous “defaults write com.apple.systempreferences TMShowUnsupportedNetworkVolumes 1” hack.)

Configure /usr/local/etc/avahi/avahi-daemon.conf

-- use-ipv6=no

++ use-ipv6=yes

Create /usr/local/etc/avahi/services/afpd.service with contents:

<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
  <name replace-wildcards="yes">%h</name>
  <service>
    <type>_device-info._tcp</type>
    <port>0</port>
    <txt-record>model=Xserve</txt-record>
  </service>
</service-group>

(This will mean the file share shows up with a nice Xserve icon in the Finder and elsewhere. You don’t need to explicitly set up Avahi to advertise AFP, since Netatalk 2.2 can register with Avahi automatically. Make sure you build Netatalk with Avahi support (and likewise Samba); if it wasn’t, switch to the port directory in question and run make config to change it.)

You’re pretty much done for server configuration at this point. Restart all the applicable services:

# /usr/local/etc/rc.d/dbus restart && /usr/local/etc/rc.d/avahi-daemon restart && /usr/local/etc/rc.d/netatalk restart

On the client side, enable Time Machine and select your file store under “Select Disk”. By default it’ll create a sparsebundle as big as the containing volume (being sparse, it only takes up space as you start backing up to it), but you will want some control over how big it can grow. For example my Mac only has 120GB of disk space, so I don’t want the backup set to grow beyond 300GB (which still leaves room to keep some history of files). There isn’t an easy way to specify how big the disk image may grow via the UI, so this requires a bit of trickery. Likewise, if you want to enable encryption for your backup you also need to perform some magic.

Say your Mac is called neutrino, like mine, Time Machine will create a sparsebundle disk image at the root of your file share called “neutrino.sparsebundle”. This will by default be unencrypted and as big as the file store. After this is created Time Machine will start to back up to it. Interrupt the backup at this point (make sure the image has been created and that it’s at the “backing up” stage) and disable Time Machine.

Rename “neutrino.sparsebundle” to “neutrino-old.sparsebundle”. Open the disk image in Disk Utility. Create a new sparsebundle in Disk Utility with the settings:

Name: Time Machine Backups

Size:

Format: Mac OS Extended (Case-sensitive, Journaled)

Encryption: 128-bit AES encryption (optional, but why would you want an unencrypted backup?!)

Partitions: Single Partition – Apple Partition Map (default)

Image Format: sparse bundle disk image

Save it as “neutrino.sparsebundle” under the root of your Time Machine file share.

Next step is the clever bit. Make sure you have both old and new sparsebundles mounted in Disk Utility and then restore the “Time Machine Backups” volume from the old one onto the new one, replacing the existing (empty) volume.

When this process completes, delete the old sparsebundle and unmount the new one. Time Machine can then be re-enabled and will use the new encrypted, size-limited sparsebundle for backups in future.

You may find you need to use the MAC address trick to get Time Machine to recognise that your sparsebundle is the correct one. If after the steps above it still tries to create a new bundle when performing the backup rename the “neutrino.sparsebundle” file to “neutrinoYOURMACADDR.sparsebundle”. So for example if the MAC address of en0 on your machine happens to be: 00:11:22:33:44:55 then you’d rename the file to: “neutrino001122334455.sparsebundle”. Time Machine ought to rename this to just “neutrino.sparsebundle” when it runs the first time.

It would sure be nice if Apple allowed us to configure these kind of things in a less arcane way, but it works nicely once it’s set up.

Useful links:

http://www.freebsd.org/doc/handbook/portsnap.html

http://www.cyberciti.biz/tips/howto-keep-freebsd-system-upto-date.html

http://blog.stfu.se/?p=24

http://www.fmepnet.org/time_machine.html

http://www.moeding.net/archives/23-Using-FreeBSD-as-Time-Machine-server.html

http://thomas.pelletier.im/2010/01/time-machine-freebsd-and-afp-are-on-a-little-boat/

http://www.bootc.net/archives/2010/11/07/apple-time-machine-and-netatalk/

http://www.trollop.org/2011/07/23/os-x-10-7-lion-time-machine-netatalk-2-2/

http://www.dreness.com/blog/?p=48

http://www.simonwheatley.co.uk/2008/04/06/avahi-finder-icons/

http://forums.macrumors.com/showthread.php?t=434960

http://hints.macworld.com/article.php?story=20071108020121567