Archive for September, 2007

I’m it!

2007-09-27

Peter tagged me! I'm like the schoolboy who, while lining up in the
playground to play one game, is suddenly rushed upon and touched in a
fleeting moment to the cheer of "tag" as the ascendant races off. I
liked playing tag, though I always preferred
"Stuck in the mud" (apparently known as Freeze Tag in some places).

So, five things you may not already know about me….

  1. Thinking that I may have had a very minor dairy intolerance, I gave
    up eating dairy produce in my early twenties. Obviously this
    means no milk, cheese or chocolate. But that's only the half of
    it. Whey solids and powder are found in an amazing host of foods
    like biscuits, cakes and crackers. And all those really nice
    things like cakes (did I say that already), custard, pastries,
    and a whole lot more.... I'm not sure the diet had much
    effect on my asthma, but I sure did put on the pounds
    once I came off it (I have subsequently lost that weight,
    with help from the Hacker's Diet and my bicycles). I was certainly
    glad to no longer be having water on my morning cereal.

  2. This may not be so surprising to those paying close attention to
    my blog... OK, so it's a surprise to you all! I used to be a
    cleaner at Express Dairies.
    It helped me save up for the
    road "racing" bicycle that I still ride to this day.
    My section included a small hall with a free milk dispenser
    which was always in a real slimy and smelly state come the
    evening (people,
    be considerate with your unwanted beverages). I still remember
    with joy the first time I used the floor polishing machine. It
    whizzed around, taking me with it and wrapping me up
    in the power cord. It took a few goes to tame it, but it was
    always fun.

  3. Somewhat like
    Clingan,
    at school I was interested in long-distance running. I used to
    take part in the cross-country race each year and on
    sports day entered the 1500m and 5km races. Though I never took
    it seriously, I just seemed to have a lot of stamina. These
    days I really don't enjoy running and much prefer to be on my
    bike, where my stamina still sees me through.

  4. I was in a secondary school (high-school) production of "My Fair
    Lady". I was in the chorus and had several non-speaking parts,
    including a chimney sweep and a ballroom dancer. I enjoyed every
    moment of it, especially learning the waltz (shame I don't
    remember it now). I dare say it's those memories that make me
    encourage my girls in the thespian joys that
    they have taken up. Mind, they can sing, unlike myself.

  5. On the theme of musicals, my all-time favorite is the film "The
    Slipper and the Rose", starring Richard Chamberlain and Gemma
    Craven. It is in my opinion the best adaptation of the
    Cinderella story. My favorite bit is when the fairy godmother, played
    by Annette Crosbie, exclaims "I know, I'll borrow time!" (or something to
    that effect), which
    for me explained why the magic had to be withdrawn at midnight.
    So why don't the slippers disappear? Well, that magic clearly wasn't
    borrowed 😉

So, Jonathan, you're it!

Stace

Running BIND server ‘named’ as a different user on Solaris 10

2007-09-18

The named process is started by root and so inherits root's privileges, which were traditionally needed to bind the DNS port (53). BIND administrators know that named accepts a -u username option, which causes the process to switch to that user after opening its privileged sockets; the idea being that should the service be compromised, the effective user is not all-powerful.

In the Solaris 10 Operating Environment the process privilege model, privileges(5), allows more fine-grained control. Coupled with the Service Management Facility, smf(5), a service can be started with fewer privileges and with an alternative user and group identity from the outset. Under the Solaris 10 OE named can therefore be configured to start with an alternative user identity, making the -u option superfluous.

To have the BIND server named start with an alternative user
identity and group under the Solaris 10 OE complete the following
steps:

1. Grant the user the solaris.smf.manage.bind authorization

# usermod -A solaris.smf.manage.bind dnsadmin
# tail -1 /etc/user_attr
dnsadmin::::type=normal;auths=solaris.smf.manage.bind
#

Without this authorization named is unable to manage its own SMF
instance: after an rndc stop or halt, SMF sees the process exit and
automatically restarts it, and syslog records "error: smf_disable_instance() failed for svc:/network/dns/server:default : insufficient privileges for action". Note that usermod -A sets the user's complete authorization list rather than appending to it, so if the user already holds other authorizations, list them along with solaris.smf.manage.bind.

2. Set the start method's user and group

The start property group holds the method context for the service's start method; start/user and start/group are the credentials the process is started with. Set them with svccfg, then refresh the instance so the change is picked up before restarting:

# svccfg
svc:> select svc:/network/dns/server:default
svc:/network/dns/server:default> setprop start/user = dnsadmin
svc:/network/dns/server:default> setprop start/group = dnsadmin
svc:/network/dns/server:default> exit
# svcadm refresh svc:/network/dns/server:default
# svcadm restart svc:/network/dns/server:default

Before the restart, check that the start method's privilege set still lets a non-root process bind port 53: svcprop -p start svc:/network/dns/server:default should show a privileges value that includes net_privaddr. Without it named, now running as dnsadmin rather than root, cannot listen on the privileged port.

3. Specify an alternative location for the pid-file

As only root has write access to create the default
pid-file, /var/run/named.pid, named must be configured to
use an alternative path that the new user can write. For example:

# mkdir /var/named/tmp
# chown dnsadmin /var/named/tmp
# head /etc/named.conf
options {
        directory "/var/named";
        pid-file "/var/named/tmp/named.pid";
};

zone "0.0.127.in-addr.arpa" in {
        type master;
        file "db.127.0.0";
};
#
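The three steps above as one re-runnable script, added here as an example and not taken from the original post or from Sun's BIND packaging. It assumes (hypothetically) that a user and group both called dnsadmin already exist, that /var/named is the BIND working directory, and that the "apply" path is run as root on Solaris 10 under ksh; the two text-only helpers (user_attr_has_auth and named_options_block) run on any POSIX shell and are what a test can exercise without Solaris.

```shell
#!/usr/bin/ksh
# Added example (not the original post's code): run named as an
# unprivileged user under Solaris 10 SMF. Assumed, hypothetical values:
# user/group "dnsadmin" exist, /var/named is BIND's working directory,
# and "apply" is executed as root.

FMRI=svc:/network/dns/server:default
DNS_USER=${DNS_USER:-dnsadmin}
DNS_GROUP=${DNS_GROUP:-dnsadmin}
NAMED_DIR=/var/named
PID_DIR=$NAMED_DIR/tmp

# Step 1 helper: does one user_attr(4) line carry a given authorization?
# The attribute field is "key=value;key=value" and auths= is comma-separated.
user_attr_has_auth() {
    attr_line=$1
    wanted=$2
    auths=$(printf '%s\n' "$attr_line" | sed -n 's/.*auths=\([^;]*\).*/\1/p')
    case ";$(printf '%s' "$auths" | tr ',' ';');" in
        *";$wanted;"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 1: grant solaris.smf.manage.bind. usermod -A replaces the user's
# whole authorization list, so existing authorizations are carried over.
grant_smf_auth() {
    line=$(grep "^$DNS_USER:" /etc/user_attr)
    if user_attr_has_auth "$line" solaris.smf.manage.bind; then
        echo "$DNS_USER already holds solaris.smf.manage.bind"
        return 0
    fi
    existing=$(printf '%s\n' "$line" | sed -n 's/.*auths=\([^;]*\).*/\1/p')
    usermod -A "${existing:+$existing,}solaris.smf.manage.bind" "$DNS_USER"
}

# Step 2: set the start method's credentials and refresh the instance.
set_smf_credentials() {
    svccfg -s "$FMRI" setprop start/user = astring: "$DNS_USER"
    svccfg -s "$FMRI" setprop start/group = astring: "$DNS_GROUP"
    svcadm refresh "$FMRI"
}

# Check: a non-root start/user can only bind port 53 if the method
# context grants net_privaddr; otherwise named fails to listen on restart.
start_method_has_privaddr() {
    svcprop -p start/privileges "$FMRI" 2>/dev/null | grep net_privaddr >/dev/null 2>&1
}

# Step 3 helper: the named.conf options block with a pid-file path the
# unprivileged user can create.
named_options_block() {
    printf 'options {\n\tdirectory "%s";\n\tpid-file "%s";\n};\n' "$1" "$2"
}

# Step 3: create the pid-file directory and print the options block for
# pasting into named.conf (the script does not edit named.conf itself).
prepare_pid_dir() {
    mkdir -p "$PID_DIR"
    chown "$DNS_USER:$DNS_GROUP" "$PID_DIR"
    chmod 755 "$PID_DIR"
    named_options_block "$NAMED_DIR" "$PID_DIR/named.pid"
}

apply_all() {
    grant_smf_auth
    set_smf_credentials
    if ! start_method_has_privaddr; then
        echo "warning: start method lacks net_privaddr; named cannot bind port 53 as $DNS_USER" >&2
    fi
    prepare_pid_dir
    echo "now restart with: svcadm restart $FMRI"
}

case ${1:-} in
    apply) apply_all ;;
esac
```

Run it as root with the single argument apply; with no argument it only defines the functions, so it can be sourced to check a user_attr line or generate the options block on any machine. The net_privaddr check is deliberately a warning rather than a fix: which privileges the start method should carry is a decision for whoever owns the manifest, not something the script should widen on its own.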


Updated 25 Feb 2009 with instructions on how to grant the user the authorization.

BIND 9.3.4-P1 available with Solaris 10

2007-09-10

An upgrade to BIND 9.3.4-P1 is available for Solaris 10 Operating
Environment by installing patch 119783-05 for SPARC or 119784-05 for
x86 architectures.

BIND 9.3.4 provides a number of new features over BIND 8, which was
supplied with the Solaris 8 and 9 Operating Environments. Additionally, BIND
9.3.4 provides a number of compatibility features not available in
BIND 9.2.4 (the FCS version of BIND in the Solaris 10 OE). For details of
all the changes refer to the migration notes.

Summary of differences between BIND 9.3 and BIND 9.2

BIND 9.3 has a number of new features over 9.2 including:

  • DNSSEC is now Delegation Signer (DS) based: RFC4033, RFC4034 and
    RFC4035. This collection of RFCs is otherwise known as DNSSEC-bis.

  • DNSSEC Look-aside Validation (DLV) (experimental), RFC4431.

  • check-names is now implemented.

  • rrset-order is more complete.

  • IPv4/IPv6 transition support, “dual-stack-servers”.

  • IXFR deltas can now be generated when loading master files,
    “ixfr-from-differences”.

  • It is now possible to specify the size of a journal,
    “max-journal-size”.

  • It is now possible to define a named set of master servers
    to be used in masters clause, “masters”.

  • The advertised EDNS UDP size can now be set,
    “edns-udp-size”.

  • New Name Server SMF properties. With the introduction of BIND
    9.3.4, new Name Server smf(5) properties provide an SMF-compliant
    method for setting BIND 9.3.4 command-line options. Changing the
    "start method" property of the BIND 9 service is no longer
    recommended.

For further information refer to the migration notes, as above.