named

PF states limit reached – on three different hosts at nearly the same time

What are the chances that three different hosts, in three different datacenters, all display these messages within seconds of each other? The uptimes:

[dvl@r720-02:~] $ uptime
1:42PM up 62 days, 15:01, 2 users, load averages: 0.04, 0.12, 0.18
[13:42 tallboy dvl ~] % uptime
1:42PM up 62 days, 15:37, 2 users, load averages: 0.17, 0.37, 0.34
[13:42 zuul dan ~] % uptime
1:42PM up 62 days, 14:56, 2 users, load averages: 0.24, 0.25, […]


Copying an existing jail to try bind918

bind916 will be EOL in a few months (April 2024). In this post, I’m going to copy an existing jail (running bind916) and configure it to run the new bind. If all goes well, the new jail will replace the old jail. This has an added benefit of effectively renaming the old jail (toiler) to dns2 (my other dns server at home is called dns1). Given the jail runs both dhcpd and named,


Use of K* file pairs for HMAC is deprecated – acme.sh

On Wednesday Oct 6th, I was greeted by these log messages: This is the output from the cronjob run by the acme user in my jail called certs. This is the daily run to renew any certificates which are soon to expire. This is the job in question:

[19:36 certs dan ~] % sudo crontab -l -u acme
44 16 * * * /usr/local/sbin/acme.sh --cron --home /var/db/acme/.acme.sh > /dev/null
[19:44 certs dan ~]


nsupdate – update failed: REFUSED

A while back, the https://www.freebsddiary.org/topics.php#opteron – the colo facility was purchased and the new owners are not interested in donating services to open source projects. That host also acted as a DNS host for all my domains. I pressed a small VPS into service. It handled the query services fine, but updates were sluggish. It took a few hours for it to catch up to Let’s Encrypt renewals. To be fair, this $5


How I took my name servers offline by adding a new hostname

To be fair, the name servers weren’t offline, just the two zone files I amended. The effect: none of my services at home were available to anything at home. The other day, I was working on some procedures for adding a jail to a host and then a jail within that jail. I wanted to document the procedure to make it easier to implement when the time comes. The first step, create the


Today I faced the first consequences of my TXT & Let’s Encrypt strict policy

Today I faced the first implications of deciding to tightly restrict the use of nsupdate keys for modifying TXT records for dns-01 challenges with Let’s Encrypt.

Context

This section should be on news.freshports.org and you can skip it to get to the real stuff. Today I’m working on a mostly automated FreshPorts node deployment. A FreshPorts node consists of:

host server – A FreeBSD host which contains the other nodes
database – holds


Creating a very specific TXT only nsupdate connection for Let’s Encrypt

In the interests of maintaining Michael W Lucas in the lifestyle to which he has become accustomed, I am creating this blog post. Although Mr Lucas was the first to post, he is not solely to blame for my burdensome workload. Jan-Piet Mens and Evan Hunt also have much to answer for. Their misdeeds include mentioning newer BIND tools which necessitated an update to an older blog post. The worst of them all,


Using split DNS for websites hosted locally

The dev.freshports.org website is hosted on a server in my basement. For you, that hostname resolves to a publicly available IP address. For me, it resolves to an RFC 1918 address:

$ host dev.freshports.org
dev.freshports.org has address 10.55.0.24

Sometimes this is referred to as split DNS (also known as split-horizon DNS, split-view DNS, split-brain DNS, or a fricking stupid thing to do). How? I have a DNS zone file at home


hostmask on an ip address can affect jail DNS

I encountered, and later solved, a DNS issue on a FreeBSD jail. The jail is my web proxy, of sorts. I have one public IP address, which is dynamic (not relevant, but mentioned only in passing), so all incoming web traffic goes to a single internal RFC-1918 IP address. From there, nginx reverse proxies out to the various hosts:

devgit.freshports.org
dev.freshports.org
test.freshports.org
stage.freshports.org

There are more, but you get the idea. Each


Reviewing /var/log/pflog contents

I use pf as my packet filter. Everything blocked gets logged to /var/log/pflog. Late last week, I noticed my rules were allowing everything in on one interface. I changed that. Overnight I see that my Let’s Encrypt certificate renewals failed. Nagios also tells me that the DNS servers are not in sync. I suspect firewall rules.

Reviewing pflog

It is because I use:

block log all

in /etc/pf.conf and

pflog_enable="YES"

in /etc/rc.conf that I

