Trend-Watcher

On Death and Rollovers

Fri, 12 Feb 2010 14:29:48 +0100

I just posted this to the unbound-users list In Geoff Huston's recent ISP Column "Roll Over and Die?" , Roy Arends made a thorough analysis of the behavior of Unbound in the face of increased traffic towards authoritative servers after a failed key-rollover. Key of Roy's analysis is the observation that Unbound holds back after finding a bogus DNSKEY but does that on a per query instead of a per zone basis. The default value of 60 seconds causes UNBOUND to restrain itself. However, since its a per-message cache, it only restrains itself for that qname/qclass/qtype tuple. Hence, if a different query is asked, UNBOUND needs to validate the response, sees a bogus DNSKEY in the cache and starts to re-fetch the dnskey keyset. In other words, a lame root key will cause DNSKEY queries for every unique query seen per 60 second window. We will address this using a caching mechanism that will treat DNSSEC validation failures on a zone wide basis instead of treating them as intermittent RR-set failures. That should reduce the traffic to authoritative servers significantly. The reason why this particular problem is interesting is that, as developers, we are constantly trying to make the tradeoff between the ability to recover from failure and the costs that those recovery mechanism impose on third parties. Failure to validate a signature can have many reasons, varying from misconfiguration or synchronization failure at the authoritative side, to on-path failure or attack, to misconfiguration a the receiving side. In this case we have not been conservative enough when making the trade-offs. The fact that these sort of issues are identified are a healthy sign of what is still early deployment and we are eager to learn from these experiences. We use two resources for gathering experience that can help us making implementation choices: the IETF DNSOP working group and OARC . OARC is an organization where data is collected and shared so that impact of certain implementation behavior is quantified. We would like to ask people to contribute measurement data and share experiences. Back to the particular issue of stale keys. The column points out that there are mechanisms to prevent stale keys being retained after a key rollover: the mechanism described in RFC5011. As of version 1.4.0 Unbound has native support for maintaining the trust-anchor for key-rollovers based on RFC5011. We have also made "autotrust" available for cases where trust-anchors need to be maintained and Unbound is not used. In the particular case described in the columnm, RFC5011 methodology might not have worked; an old OS distribution carrying a stale key that is several generations old cannot be tracked using RFC5011 techniques. Wijngaards and Kolkman have been working on a proposal to fix that particular issue: " DNSSEC Trust Anchor History Service

Beef Wellington

Sun, 27 Dec 2009 15:40:34 +0100

Beef Wellington is a dish made with a fine piece Tenderloin ('Ossehaas' in Dutch). It is a good piece of meat for days with festivities because part of the preparation can be done in the morning (they take about 30 min) and part of the preparation can be done approximately one hour before the dish is to be served. Since it needs to sit in the oven for about 30 min+ 5-10 min resting time. You have a time slot to prepare for your vegetables. Early in the day. Clarify butter. Starts off by preparing 'Duxelles'. A dry mixture of finely chopped shallots and mushroom. 500 gr finely chopped mushrooms 3-4 shallots finely chopped shallots 4 tablespoons of Madeira (you can use Port wine too) 4 tablespoons of cream Fry the shallots and mushrooms in the clarified butter until all moisture has evaporated from the mix. Then add the Madeira and the cream. Keep steering until the mix occurs dry. If the mix is to wet it will interact badly with the dough in bad ways later. Next step is to brown the beef (a Tenderloin of 1-1.5 kg). As always with beef use a heavy pan (high heat capacity), make sure you use plenty of fat (also heat capacity) and keep moving the meet around while browning it. In about 5 minutes your beef will be golden brow. Let it rest for at least 10 min (but you can allow it to cool down until the afternoon). Timewarp About 1 hour before serving you will need to finish the Duxelles by mixing it with about 125 gr of Pate de Foix Gras d'Oi. Then take your beef and cover the lot with the Duxelles. Now take sufficient leaves of prefab (ouch) puff pastry and stick them together with egg-whites. You should have sufficient area to cover the whole beef. Put the Beef on top of the pastry and close the pastry. Put the lot on a piece of baking paper with the puff pastry seams down. Cut a few figures and put on top. Cover with egg-yoke in order to achieve a nice color. Bake in the oven for about 30 minutes and let rest for another 10 minutes.

Ringo Kun

Mon, 21 Dec 2009 13:16:31 +0100

To be posted in the IETF Journal Although the result is seemingly trivial this cartoon was a bit of a challenge as I was trying to get a Manga look and feel. Both sketching and inking and the digital post-processing took some practicing and a few retries. The puny-code and the two big characters represent the word "Manga". The name of the protagonist in this cartoon 'Ringo Kun' is written in the head band. The name is a obscure reference... a bit of a bad joke actually.

Old documentation

Wed, 30 Sep 2009 23:39:17 +0200

In 1993 I had to serve and as my civil service I worked on the User Documentation for the Westerbork Synthesis Radio telescope. I found the material in a forgotten directory. I looked whether it was still available on the web but couldn't find it. For historic purposes and sentimental reasons: Part 0 THE WESTERBORK SYNTHESIS RADIO TELESCOPE USER DOCUMENTATION Part 1 PROPOSING FOR WSRT OBSERVING TIME Part 2 INTRODUCTION TO THE THEORY OF APERTURE SYNTHESIS Part 3 SPECIFIC ASPECTS OF THE WSRT Part 4 CALIBRATION AND REDUCTION OF WSRT DATA Part 5 VARIOUS Update 1 UPDATE All this material is hopelessly out of date. Check http://www.astron.nl/ for current information on the WSRT.

Net Neutrality

Tue, 22 Sep 2009 12:08:02 +0200

To be posted in the IETF Journal

woord van de dag

Fri, 03 Jul 2009 15:01:10 +0200

draalloos synoniem voor onverwijld (het woord van de week)

Limerick of the day

Wed, 01 Jul 2009 13:18:53 +0200

Waarschuwing Aan meisjes met kokette laarsjes voor een man die woont in De Baarsjes wees op je hoede voor die engerd z'n roede want hij steekt hem heel gaarne in aarsjes (S preek uit : k o -kette in plaats van ko-k e tte)

Marvelous Idea

Thu, 14 May 2009 23:46:10 +0200

To be posted in the IETF Journal

Welcome Wagon (Welcome to)

Fri, 16 Jan 2009 14:13:51 +0100

A few weeks ago I listened to "Welcome to the Welcome Wagon" on the excellent VPRO Luisterpaal (http://3voor12.vpro.nl/luisterpaal/). I ordered the CD and today it has been delivered by mail. The reason I happily pay a few extra bucks for a CD is that there is artwork included and in this case the artwork provides a little background about the work. This album was recorded and produced by Sufjan Steven and his musical touch stands out. What I did not know is that the music was composed and performed by Pastor Vito Aiuto and his Monique Aiuto. The music classifies itself as folk/gospel. I do not regularly look at music in the Gospel category. The reason is twofold. First the message does not appeal to me, and second, and more important, is that Gospel music is often stereotypical and not inspired. This album is different. Although it clearly has a religious message it is inspired, made with the appropriate lower belly feelings, and sometimes has a touch of humor. The album is cleanly produced, lighthearted but still has balls. Proof? At the moment I wrote this paragraph the tune "American Legion" is played, it brings tears to my eyes... While I do not believe in God there are emotions that one could classify as religious. Sometimes they are communicated through music. And while not true for all tracks this album contains such an examples. Read more about "Welcome to the Welcome Wagon" at Asthmatic Kitty Records .

Pillow Talk

Tue, 06 Jan 2009 20:59:32 +0100

B : I hate your guts D : Why? Do I remind you of yourself? B : Nah... you murdering sonofabitch. I only scare them, break their legs, and occasionally cause a cardiac arrest --frighten them to death-- while you continue to cross the line. D : Which line, your line? I never cross my line. Harry's code helps me to ... B : Henry's fucking code. You working on my nerves, damned. It never takes more than 20 seconds before you bring up Henry's code. Its a damned lame excuse for your nocturnal cutting-a-psychopath tours. D : And how are those different from your nocturnal scaring-a-psychopath tour? ... [silence] ... D : and his name is Harry, not Henry, you fuckface B : You sound like your sister now .. [silence] ... D : According to the code I should kill you B : And I should make you relive your worst nightmare a dozen times... That kind of terror worked with others. D : Not with me, not with me, thanks to Harry. B : Fuck Harry. D : Fuck you, Bruce B : Not today Dexter, sleep well. D : sleep well, sweet dreams