This is mostly for my future reference, for when this happens the next time. I hope it saves me 10-15 minutes of pondering. EDIT 2025-11-20: Since I wrote this post, the locations for various scripts and files has changed. That was my doing; I’m the port maintainer for dns/dns-blackhole. I noticed this problem a few days ago. I was clicking on links in an email from Disney. The hostname didn’t resolve. I passed […]
Can’t get to some Disney links Read More »
What are the chances that three different hosts, in thee different datacenters all display these messages within seconds of each other? The uptimes: [dvl@r720-02:~] $ uptime 1:42PM up 62 days, 15:01, 2 users, load averages: 0.04, 0.12, 0.18 [13:42 tallboy dvl ~] % uptime 1:42PM up 62 days, 15:37, 2 users, load averages: 0.17, 0.37, 0.34 [13:42 zuul dan ~] % uptime 1:42PM up 62 days, 14:56, 2 users, load averages: 0.24, 0.25,
PF states limit reached – on three different host at nearly the same time Read More »
bind916 will be EOL in a few months (April 2024). In this post, I’m going to copy an existing jail (running bind916) and configure it to run the new bind. If all goes well, the new jail will replace the old jail. This has an added benefit of effectively renaming the old jail (toiler) to dns2 (my other dns server at home is called dns1). Given the jail runs both dhcpd and named,
Copying an existing jail to try bind918 Read More »
On Wednesday Oct 6th, I was greeted by these log messages: This is the output from the cronjob run by the acme user in my jail called certs. This is the daily run to renew any certificates which are soon to expire. This is the job in question: [19:36 certs dan ~] % sudo crontab -l -u acme 44 16 * * * /usr/local/sbin/acme.sh –cron –home /var/db/acme/.acme.sh > /dev/null [19:44 certs dan ~]
Use of K* file pairs for HMAC is deprecated – acme.sh Read More »
A while back, the https://www.freebsddiary.org/topics.php#opteron – the colo facility was purchased and the new owners are not interested in donating services to open source projects. That host also acted as a DNS host for all my domain. I pressed a small VPS into service. It handled the query services fine, but updates were sluggish. It took a few hours for it to catch up to Let’s Encrypt renewals. To be fair, this $5
nsupdate – update failed: REFUSED Read More »
To be fair, the name servers weren’t offline, just the two zone files I amended. The effect: none of my services at home were available to anything at home. The other day, I was working on some procedures for adding a jail to a host and then a jail within that jail. I wanted to document the procedure to make it easier to implement when the time comes. The first step, create the
How I took my name servers offline by adding a new hostname Read More »
Today I faced the first implications of deciding to tightly restrict the use of nsupdate keys for modifying TXT records for dns-01 challenges with Let’s Encrypt. Context This section should be on news.freshports.org and you can skip it to get to the real stuff. Today I’m working on a mostly automated FreshPorts node deployment. A FreshPorts node consists of: host server – A FreeBSD host which contains the other nodes database – holds
Today I faced the first consequences of my TXT & Let’s Encrypt strict policy Read More »
In the interests of maintaining Michael W Lucas in the lifestyle to which he has become accustomed, I am creating this blog post. Although Mr Lucas was the first to post, he is not solely to blame for my burdensome workload. Jan-Piet Mens and Evan Hunt also have much to answer for. Their misdeeds include mentioning newer BIND tools which necessitated an update to an older blog post. The worst of them all,
Creating a very specific TXT only nsupdate connection for Let’s Encrypt Read More »
The dev.freshports.org website is hosted on server in my basement. For you, that IP addresses resolves to a publicly available IP address. For me, that IP address resolves to an RFC 1918 address: $ host dev.freshports.org dev.freshports.org has address 10.55.0.24 Sometimes this is referred to as split dns, also known as split-horizon DNS, split-view DNS, split-brain DNS, or a fricking stupid thing to do). How? I have a DNS zone file at home
Using split DNS for websites hosted locally Read More »
I encountered, and later solved, a DNS issue on a FreeBSD jail. The jail is my web proxy, of sorts. I have one public IP address, which is dynamic (not relevant, but mentioned only in passing) so all incoming web traffic goes to a single internal RFC-1918 IP address. From there, nginx does reverse proxies out to the various hosts: devgit.freshports.org dev.freshports.org test.freshports.org stage.freshports.org There are more, but you get the idea. Each
hostmask on an ip address can affect jail DNS Read More »