Open Source …

sucks. Two weeks ago I asked about IPv6 support on the check_mk mailing list. So far no reaction from the developers. And it’s not the first time I asked and I’m not the only one to ask.

is great. A couple of weeks ago I encountered a problem with powerdns. I asked on the powerdns IRC channel and had a fixed version about an hour later, and I learned something about DNS while reading the discussion. Thanks!

quux.de and DNSSEC

After being paid for implementing DNS(SEC) for a customer it was time to implement DNSSEC for my own domains as well.
So quux.de and some of my other domains have been DNSSEC signed for about a week now. So far I haven’t heard of any problems.

If you are using Bind on Debian the following links will be quite helpful:

https://wiki.debian.org/DNSSEC

http://www.howtoforge.com/configuring-dnssec-on-bind9-9.7.3-on-debian-squeeze-ubuntu-11.10

DANE is next on the todo list

check_mk and IPv6

I really like using the check_mk agent. The problem is that I have several IPv6-only hosts and the check_mk developers have been ignoring IPv6 for quite some time (see my mail from May 2012).

Recovering from a cold I played around and found a temporary (as in “until the next update”) solution:

As the agent is run via xinetd this part is quite simple: just add flags = ipv6 to the xinetd config starting the agent and restart xinetd.

The part querying the agent is a little more complex. Stefan Neufeind published a patch on the check_mk mailing list, which still works.

The next problem is that check_mk calls check_icmp and check_icmp does not support IPv6.

As a quick and dirty solution I replaced check_icmp in the check-mk-ping command inside check_mk_templates.cfg with check_ping:


define command {
    command_name check-mk-ping
    command_line /usr/lib/nagios/plugins/check_ping -H $HOSTADDRESS$ -w 120,90% -c 150,95%
}

The warning and critical values in the above example still require some tuning on my side.

“I’ve read your profile with great interest…”

“… and I’d like to talk to you about a very interesting project!”

Yes, you may have a very interesting project to offer
No, – you haven’t read my profile, or what is so hard to understand about “I’m currently not looking for any projects”?

Social networks. Sometimes it’s better to not use them.

Dual-stack

Dual-stacking your servers and services is more than just running another protocol.

Having two protocols means having more work to do and also that more things can go wrong (or be missed while configuring). While troubleshooting you have to think of both protocols (most of the time) and you also have to monitor both protocols.

So my advice: Single Stack where you can, DualStack where you must. Prefer IPv6 over v4 where you can. And test, test, test before doing so.

Give your admins / developers / help-desk the possibility to check and test all: IPv4, IPv6 and Dual-Stack.

Why?

Two questions I’ve been asking myself in the last couple of days:

– Why do people still believe that they can put a Linux server onto the internet and never ever have to take care of updates?

– Why do people still believe that DNS only uses TCP for zone transfers?

IPv6 addresses

While looking at these slides by Fernando Gont and Jen Linkova, I decided to look at the Alexa top 1 Million myself[1].

Using host I got the AAAA records for the domains and used a small Perl script to analyze the data. I got a total of 70750 AAAA records, not all of them global unicast.

70502 GLOBAL-UNICAST
94 IPV4MAP
50 LOOPBACK
49 LINK-LOCAL-UNICAST
30 RESERVED
19 IPV4COMP
5 UNSPECIFIED
1 UNIQUE-LOCAL-UNICAST

If you are interested, I’m going to repeat this monthly.

[1] Alexa data file was from July 28th, it took a couple of days to do all the name lookups.
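
The classification step described above, as an added Python example; it is not the Perl script from the post, which is not shown. The category names come from the table above, while the prefix-to-category mapping (RFC 4291 / RFC 4193), the MULTICAST label and the sample `host` output are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumed mapping (RFC 4291 / RFC 4193); most specific prefixes first.
PREFIXES = [(ipaddress.IPv6Network(p), label) for p, label in [
    ("::/128", "UNSPECIFIED"),
    ("::1/128", "LOOPBACK"),
    ("::ffff:0:0/96", "IPV4MAP"),
    ("::/96", "IPV4COMP"),
    ("fe80::/10", "LINK-LOCAL-UNICAST"),
    ("fc00::/7", "UNIQUE-LOCAL-UNICAST"),
    ("ff00::/8", "MULTICAST"),  # not a category in the table above
    ("2000::/3", "GLOBAL-UNICAST"),
]]
HOST_LINE = re.compile(r"^(\S+) has IPv6 address (\S+)$")

def classify(text):
    """Return the category of one IPv6 address; RESERVED if no prefix matches."""
    addr = ipaddress.IPv6Address(text)
    for net, label in PREFIXES:
        if addr in net:
            return label
    return "RESERVED"

def parse_host_output(output):
    """Yield (name, address, category) for every AAAA line of `host` output."""
    for line in output.splitlines():
        m = HOST_LINE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), classify(m.group(2))

def summarize(output):
    """Count AAAA records per category."""
    return Counter(cat for _, _, cat in parse_host_output(output))

def non_global(output):
    """AAAA records that do not point at a global unicast address."""
    return [r for r in parse_host_output(output) if r[2] != "GLOBAL-UNICAST"]

# Constructed sample (documentation names and prefixes), not Alexa data.
SAMPLE = """\
a.example has IPv6 address 2001:db8::10
b.example has IPv6 address 2001:db8:1::20
c.example has IPv6 address ::1
d.example has IPv6 address ::ffff:192.0.2.1
e.example has IPv6 address fe80::1
f.example has IPv6 address ::
g.example has IPv6 address ::192.0.2.7
h.example has IPv6 address fd00::5
i.example has no AAAA record
"""
```

`summarize(SAMPLE)` gives the per-category counts and `non_global(SAMPLE)` lists the records worth a second look, such as a public name whose AAAA record is `::1`.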

Dual-Stack Monitoring

I recently got one of those shiny new domains under one of those new TLDs (has something to do with my first and last name ;-).

I added the BIND configuration by copying another zone file and then replaced the relevant parts. I also created a new Apache vhost, restarted both services and tested from my computer. Everything worked.

Well not everything. I only tested using IPv6 and not v4. I had a wrong IPv4 address in my zone file. :-(

If you run dual-stacked services always test and monitor both protocols. If you’re using Icinga / Nagios take a look at check_v46.

If you have both A and AAAA records for the host you are monitoring, check_v46 will run a plugin for both address types:


root@mon:/usr/lib/nagios/plugins# ./check_v46 ./check_http -H blog.quux.de
OK: IPv6/blog.quux.de OK, IPv4/blog.quux.de OK | ipv6_a1_time=4.708759s;;;0.000000 ipv6_a1_size=26086B;;;0 ipv4_a1_time=2.244641s;;;0.000000 ipv4_a1_size=26061B;;;0
Status details:
IPv6/blog.quux.de:
HTTP OK: HTTP/1.1 200 OK - 26086 bytes in 4.709 second response time
IPv4/blog.quux.de:
HTTP OK: HTTP/1.1 200 OK - 26061 bytes in 2.245 second response time

If you have only an A or only an AAAA record, there will be only one check:


root@mon:/usr/lib/nagios/plugins# ./check_v46 ./check_http -H www.wordpress.org
OK: IPv4/www.wordpress.org OK | ipv4_a1_time=0.383439s;;;0.000000 ipv4_a1_size=275B;;;0
Status details:
IPv4/www.wordpress.org:
HTTP OK: HTTP/1.1 301 Moved Permanently - 275 bytes in 0.383 second response time
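
The per-family idea behind this post, as an added Python example; it is not check_v46's code. It probes every A and AAAA address separately, so a wrong IPv4 address in the zone file fails even when IPv6 works. It goes one step beyond the behaviour shown above by also failing when a family listed in `require` has no record at all. The function names and the `require` parameter are assumptions of this sketch.

```python
import socket

FAMILIES = (("IPv6", socket.AF_INET6), ("IPv4", socket.AF_INET))

def resolve(host, family):
    """Addresses of one family for host, [] when there is no such record."""
    try:
        infos = socket.getaddrinfo(host, None, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def tcp_ok(addr, port, timeout=5.0):
    """True when a TCP connection to this exact address succeeds."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_dual_stack(host, port, require=("IPv6", "IPv4"),
                     resolver=resolve, prober=tcp_ok):
    """Probe each address of each family; return (nagios_code, message)."""
    parts, failed = [], False
    for name, family in FAMILIES:
        addrs = resolver(host, family)
        if not addrs and name in require:
            parts.append(f"{name}/{host} NO RECORD")
            failed = True
        for addr in addrs:
            ok = prober(addr, port)
            parts.append(f"{name}/{addr} {'OK' if ok else 'FAILED'}")
            failed = failed or not ok
    if not parts:  # nothing resolved and nothing was required
        return 3, f"UNKNOWN: no addresses found for {host}"
    code = 2 if failed else 0
    return code, ("CRITICAL: " if failed else "OK: ") + ", ".join(parts)

if __name__ == "__main__":
    import sys
    code, message = check_dual_stack(sys.argv[1], int(sys.argv[2]))
    print(message)
    sys.exit(code)
```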