Let me entertain you

with this Cisco field notice.

Certain types of snagless Ethernet cables have protective boots that extend too far forward and above the plastic latching tab.

When this type of cable is installed in Port 1 of any 48-port model of the Cisco Catalyst C3650 or C3850 Series switches, the boot might press and hold the Mode button, which invokes Express Setup and reboots the system.


Monitoring by customer is one way to monitor services. In some cases customers will start looking for similar service somewhere else, in some cases you are in trouble because you break your SLAs.

Ans do monitor all related services. One common example are SSL certificates. Here are three other examples:

1. When you are running an IRC Server and have your domain secured with DNSSEC monitor your server, your service and your DNSSEC signatures.

2. When you are running DNSSEC secured domains for a customer and are using an HSM (Hardware Security Module), monitor your servers, your services, your DNSSEC signatures and the rest of the infrastructure including the HSM.

3. If you are using DANE (for SMTP) and are communicating with other people using DANE your communication will fail when your DNSSEC signatures are expired. And when you fixed your setup do not wonder about all the mail you are getting. And on the other side you should monitor your log files.

And when you do monitor DNSSEC: When the signatures are expired it’s too late. You should get a warning

For 1 and 2: I’m using check_dnssec_expiration (https://github.com/MonitoringPlug/monitoringplug)

For 3: status=deferred (Server certificate not trusted) should be the correct term in you postfix log file.

Told you so

I’ve been saying it for years: “Even if you don’t implement IPv6 right away make sure that new hard- and software you are buying supports IPv6.”

In the last couple of month I hear lot of complaints: “We can’t do IPv6. We just bought $product last year and it does not support IPV6.”

IPv6 support for a given domain

Sometimes I like to know if a given domain uses IPv6 (and DNSSEC).

I finished a small shell script last week to automate this task.

jens@screen:~/check_dns.git$ ./check_dns.sh quux.de
Domain has DNSSEC
Host has at least one AAAA record
At least one nameserver has an AAAA record
At least one MX has an AAAA record

Maybe I’ll add some checks to see if those IPv6 addresses are really accessible.

Getting SNMP MIBs

I’m just working on a distributed Icinga2 setup (I’ll write more about it later this month). There is a lot SNMP monitoring involved an today I tried to get some MIBs

1. Why do I need an account (and probably a support contract) to download MIBs?
2. Naming an archive mib.zip is a stupid idea. I now have several files with the same name. All from different vendors.
3. Advertising SNMP and then only returning sysUptime, sysLocation, etc. is also ….