Why I don’t like projects written in ruby

From the manual:


curl http://........ | sudo bash

Sure. People doing that without checking also click on attachments ending in .exe under Windows.

But wait. I’m not finished. I downloaded the shell script, checked it was harmless. Just adding something to /etc/apt/apt.conf.d and running apt-get update. Well actually apt-get update &> /dev/null. Without checking the return value. Which is bad when it fails.

No IPv6 is better than broken IPv6

Some time ago I read this mail.

First things first: You can run but you cannot hide. IPv6 is here. You’ll have to work with it sooner or later (at least if you still want to work in IT in the next couple of years). About 20% of all users from Germany access Google via IPv6.

But: If you don’t take it seriously, don’t do it. Implementing dual-stacked services is more work.

Some advice:

1. Monitor your dual-stacked service and take care of it if something breaks.

2. Use IPv6 on your work computer. It’s a good way to learn, maybe the only way to notice if something is broken, and it enables you to troubleshoot problems.

3. Spread the knowledge. If you are the only person who knows and cares about IPv6, you have a problem.

IPv6 and OpenSource Projects

After reading about this mail on a mailing list I decided to see if you could build something small like Linux from Scratch (LfS) in an IPv6-only environment. The answer is: No.

LfS provides a list of files you’ll have to download to make the project work. Using some shell commands I came up with a list of 25 different hosts. Two of them were FTP, and only ftp.vim.org has an AAAA record; ftp.astron.com does not.

Out of the remaining 23 only these 7 answered HTTP requests via IPv6:

alpha.gnu.org HTTP OK: HTTP/1.1 200 OK
dev.gentoo.org HTTP OK: HTTP/1.1 302 Found
ftp.gnu.org HTTP OK: HTTP/1.1 200 OK
www.bzip.org HTTP OK: HTTP/1.1 200 OK
www.cpan.org HTTP OK: HTTP/1.1 200 OK
www.iana.org HTTP OK: HTTP/1.1 200 OK
www.kernel.org HTTP OK: HTTP/1.1 301 Moved Permanently

And here are the remaining 15:

anduin.linuxfromscratch.org Name or service not known
cpan.metacpan.org Name or service not known
download.savannah.gnu.org Name or service not known
downloads.sourceforge.net Name or service not known
launchpad.net Name or service not known
pkgconfig.freedesktop.org Name or service not known
pkg-shadow.alioth.debian.org Name or service not known
prdownloads.sourceforge.net Name or service not known
sourceforge.net Name or service not known
tukaani.org Name or service not known
www.greenwoodsoftware.com Name or service not known
www.infodrom.org Name or service not known
www.mpfr.org Name or service not known
www.multiprecision.org Name or service not known
www.zlib.net Name or service not known

Let me entertain you

with this Cisco field notice.

Certain types of snagless Ethernet cables have protective boots that extend too far forward and above the plastic latching tab.

When this type of cable is installed in Port 1 of any 48-port model of the Cisco Catalyst C3650 or C3850 Series switches, the boot might press and hold the Mode button, which invokes Express Setup and reboots the system.

Monitoring

Monitoring by customer is one way to monitor services. In some cases customers will start looking for a similar service somewhere else; in other cases you are in trouble because you break your SLAs.

And do monitor all related services. One common example is SSL certificates. Here are three other examples:

1. When you are running an IRC server and have your domain secured with DNSSEC, monitor your server, your service and your DNSSEC signatures.

2. When you are running DNSSEC-secured domains for a customer and are using an HSM (Hardware Security Module), monitor your servers, your services, your DNSSEC signatures and the rest of the infrastructure, including the HSM.

3. If you are using DANE (for SMTP) and are communicating with other people using DANE, your communication will fail when your DNSSEC signatures have expired. And once you have fixed your setup, do not be surprised by all the mail you are getting. And on the other side, you should monitor your log files.

And when you do monitor DNSSEC: When the signatures are expired it’s too late. You should get a warning

For 1 and 2: I’m using check_dnssec_expiration (https://github.com/MonitoringPlug/monitoringplug)

For 3: status=deferred (Server certificate not trusted) should be the correct term in your Postfix log file.
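
To illustrate the point about being warned before DNSSEC signatures expire, here is an added example (not part of the original post and not the code of check_dnssec_expiration) that grades RRSIG records the way a Nagios-style check would. The function names, the 7-day and 2-day thresholds and the sample records are assumptions constructed for this sketch.

```python
import re
from datetime import datetime, timezone

OK, WARNING, CRITICAL = 0, 1, 2  # Nagios-style plugin states

# RRSIG presentation format (RFC 4034): type covered, algorithm, labels,
# original TTL, expiration, inception, key tag, signer name, signature.
# dig prints both times as YYYYMMDDHHMMSS in UTC.
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expire>\d{14})\s+(?P<incept>\d{14})\s+(?P<keytag>\d+)\s+(?P<signer>\S+)")

def parse_time(stamp):
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_rrsigs(answer_text, now, warn_days=7, crit_days=2):
    """Return (status, messages); the worst signature decides the status."""
    status, messages = OK, []
    for line in answer_text.splitlines():
        m = RRSIG_RE.match(line.strip())
        if not m:
            continue
        left = (parse_time(m["expire"]) - now).total_seconds() / 86400
        if now < parse_time(m["incept"]):
            level, note = CRITICAL, "not yet valid"
        elif left <= 0:
            level, note = CRITICAL, "EXPIRED"
        elif left <= crit_days:
            level, note = CRITICAL, f"expires in {left:.1f} days"
        elif left <= warn_days:
            level, note = WARNING, f"expires in {left:.1f} days"
        else:
            level, note = OK, f"valid for {left:.1f} days"
        status = max(status, level)
        messages.append(f"{m['owner']} RRSIG({m['covered']}) keytag {m['keytag']}: {note}")
    if not messages:  # a signed zone that returns no RRSIGs is itself an alarm
        return CRITICAL, ["no RRSIG records found"]
    return status, messages

# Constructed sample in the format of a `dig +dnssec` answer section.
SAMPLE = """\
example.org. 3600 IN RRSIG SOA 13 2 3600 20240620000000 20240521000000 12345 example.org. c2lnMQ==
example.org. 3600 IN RRSIG MX 13 2 3600 20240605120000 20240506120000 12345 example.org. c2lnMg==
"""

if __name__ == "__main__":
    # Fixed, constructed "now"; a real plugin would use the current time
    # and exit with the returned status code.
    code, lines = check_rrsigs(SAMPLE, datetime(2024, 6, 1, tzinfo=timezone.utc))
    print(code, *lines, sep="\n")
```

The "not yet valid" branch catches clock skew and signatures published too early, which break validation just as an expired signature does.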