Politics and Technology.

Thursday, March 26, 2009

nsupdate By Key From RHEL

We have a DNS zone here at DJ that's used for allowing nsupdates, typically in the case of applications with an HA capability between VLANS out on the WAN (when migrating the production IP is not an option).

While we have used ACLs for the allow-update stanza in bind's named.conf, I wanted to make the push towards key-based authentication. The following how-to is what I did to make that work.

First, generate the key. This will create two files, containing the same key, due to backwards compatibility issues with the library used to create the key. The options to pass to the "dnssec-keygen" tool (part of the bind RPM) are simple. The "-r /dev/urandom" bit below uses the pseudo-random driver to generate the key; something perfectly sufficient for this case IMHO. The name you use for the key is not important. Though it looks like an FQDN, it can be "fuzzydice" if you want it to be. The convention in all things BIND seems to be "something.yourdomain.com".

# dnssec-keygen -a HMAC-MD5 -b 512 -n HOST -r /dev/urandom some.meaningful.name.com
# ls *meaningful*
Ksome.meaningful.name.com.+157+01885.key Ksome.meaningful.name.com.+157+01885.private

I prefer to copy the key string from the ".private" key file as it doesn't have any spaces in the key string. Its contents would look like this.

Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: sKTsCBcE9PbjY8nG9izhfbASk5O1xI9L+O7R/tC3go+HVsneIOZuoEy9DH0dTILbjodRj9QZT6RPT3MwUHg8aw==

The next step is to allow this key's use by named. You will need to edit "named.conf" in at least one place, possibly two.

First, update your "allow-update" line in the zone entry. For example see below.

zone "ha.yourdomain.com" in {
type master;
file "db.ha.yourdomain.com";
forwarders {};
allow-update { key some.meaningful.name.com; };
};

You can mix ACLs, hosts, and keys on the same "allow-update".

allow-update { key some.meaningful.name.com; my_trusted_acl; };

Secondly, you need to include the key for named to pick up. This is typically done in one of two ways: directly in the "named.conf" file or in an included file. RHEL's named.conf, out of the box, should have the following line.

include "/etc/key.conf";

Ideally, this is where you put the key to avoid a messy "named.conf" but you could put the key directly in. Either way, your entry should look something like this.

key some.meaningful.name.com. {
algorithm hmac-md5;
secret "sKTsCBcE9PbjY8nG9izhfbASk5O1xI9L+O7R/tC3go+HVsneIOZuoEy9DH0dTILbjodRj9QZT6RPT3MwUHg8aw==";
};

Don't forget to reload named.

# rndc reload

Now that was the hard part. The easy part is to actually use the key. The "nsupdate" tool is well documented in RHEL's man page, so I'll just show an example case. What isn't so well documented is that you need BOTH ".key" and ".private" files even though you only refer to one on the command line. Keep both of those files in the same directory.

# nsupdate -k Ksome.meaningful.name.com.+157+01885.private
> server
> update delete virtualhost.ha.yourdomain.com. CNAME
> update add virtualhost.ha.yourdomain.com. 300 CNAME virtualhost.otherdc.yourdomain.com.
> send
> quit

You can script this action by putting the nsupdate commands in a "conf" file that is passed to "nsupdate" as an option.
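The script below is an added example, not code from the post, that automates the middle of the procedure above. It reads the secret and algorithm out of the dnssec-keygen ".private" file, checks that the secret really is the 512-bit key requested with "-b 512" (a quick way to catch a truncated or mis-pasted secret before named refuses the update), renders the "key" stanza for /etc/key.conf under the same name you put in "allow-update", and writes the nsupdate commands from the session above as a batch file that can be handed to "nsupdate -k Kfile.private batchfile". The sample ".private" contents reuse the key string printed in the post; ns1.yourdomain.com and the record names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Reads a dnssec-keygen
# ".private" file, checks the key size, and renders the named "key"
# stanza plus an nsupdate batch for the CNAME swap described above.
# Key material is the sample from the post; host names are constructed.
set -e

# Base64 secret from the "Key:" line of a dnssec-keygen .private file ($1).
tsig_secret() {
    awk '/^Key:/ { print $2; exit }' "$1"
}

# named's algorithm name from the "Algorithm: 157 (HMAC_MD5)" line ($1).
tsig_algorithm() {
    awk '/^Algorithm:/ { print tolower($3); exit }' "$1" | tr -d '()' | tr '_' '-'
}

# Key size in bits, derived from the base64 length and padding so the
# check works without depending on any particular base64(1) binary.
tsig_secret_bits() {
    s=$(tsig_secret "$1")
    case $s in
        *==) pad=2 ;;
        *=)  pad=1 ;;
        *)   pad=0 ;;
    esac
    echo $(( (${#s} * 3 / 4 - pad) * 8 ))
}

# Render the stanza for /etc/key.conf (or named.conf directly).
# $1 = key name as used in allow-update, $2 = .private file.
key_stanza() {
    printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' \
        "$1" "$(tsig_algorithm "$2")" "$(tsig_secret "$2")"
}

# Render an nsupdate batch file that repoints a CNAME.
# $1 = name server, $2 = zone, $3 = record name, $4 = new target, $5 = TTL.
cname_batch() {
    printf 'server %s\nzone %s\nupdate delete %s CNAME\nupdate add %s %s CNAME %s\nsend\n' \
        "$1" "$2" "$3" "$3" "$5" "$4"
}

# --- constructed sample input: the .private file from the post, written
# --- to a temp file so the functions above can be exercised offline.
SAMPLE_PRIVATE=$(mktemp)
trap 'rm -f "$SAMPLE_PRIVATE"' EXIT
cat > "$SAMPLE_PRIVATE" <<'EOF'
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: sKTsCBcE9PbjY8nG9izhfbASk5O1xI9L+O7R/tC3go+HVsneIOZuoEy9DH0dTILbjodRj9QZT6RPT3MwUHg8aw==
EOF

# Refuse to render a stanza if the key is not the size dnssec-keygen was asked for.
bits=$(tsig_secret_bits "$SAMPLE_PRIVATE")
[ "$bits" -eq 512 ] || { echo "unexpected key size: $bits bits" >&2; exit 1; }

echo "# key size: $bits bits"
key_stanza some.meaningful.name.com "$SAMPLE_PRIVATE"
echo "# nsupdate batch (redirect to a file and pass it to nsupdate -k):"
cname_batch ns1.yourdomain.com ha.yourdomain.com \
    virtualhost.ha.yourdomain.com. virtualhost.otherdc.yourdomain.com. 300
```

The batch output adds an explicit "zone" line, which nsupdate accepts and which keeps the update from being sent to the wrong zone when the record name is ambiguous; the "server" line stands in for whatever the post's session pointed at.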

Friday, March 20, 2009

When a $100 is not a $100

In today's WSJ, an editorial by Alan Blinder, a professor of economics and public affairs at Princeton University and a former vice chairman of the Federal Reserve Board, uses math with which any "man on the street" should be struck dumbfounded. My typical fair disclosure applies: I work for Dow Jones.

The crux of the article, "Why Obama Is No Socialist", is to argue that the president is merely left-leaning and not a socialist. I can see many ways to validly argue this point and am certain that many editorials have made rather convincing arguments to that effect. As I read the article, hoping to see thoughtful discourse, I stopped dead in my tracks. Whatever the point of Professor Blinder's article is, the tools used to strengthen his argument are clumsily used. The object of my derision is the following passage.

As the law now stands, when a family that does not itemize deductions on its tax return donates $100 to its favorite charity, the donation costs the family $100. But when an itemizing family in the 25% bracket donates $100, it costs them only $75 after tax. And when an itemizer in the 35% bracket donates $100, the after-tax cost is only $65. Thus the richer you are, the less it costs. Is it socialistic to say that seems a little backwards?

Somehow, only at Princeton University, is $100 not $100. If I am with this non-itemizing family, I spent $100 on the charity. If we did itemize our deduction, I still shelled out $100 on this charity. If I don't claim this donation, I'm out an extra amount: the taxes I would have owed on that $100.

So what the professor misses is that no matter who you are, you gave $100 to this charity. You have exactly $100 less in your pocket. Fortunately, you don't have to pay taxes on that $100, but you are still out $100. It didn't "cost" (does giving to charity "cost" you or does it relieve you?) me $65, $75, or $0. It cost me $100. The government is seeking additional money from me, taxing money I gave away to a charity and does not apply to my gross income, which is why you freaking claim the donation in the first place.

Even if you live in the bizarro math world of the Economics professor who failed Finance 101, his argument hinges on the first family NOT CLAIMING THE DONATION. This is not "apples to apples, oranges to oranges" comparison making.

To put it in a vernacular that the professor could appreciate, he assumed a can opener for one family, but not the others.

Go back and re-work your model, Professor.

I am so glad I went to RU and avoided this guy in the few econ courses I've taken.

Wednesday, March 11, 2009

Let's Buy Some Beer

Found this on digg.com today:

Suppose that every day, ten men go out for beer and the bill for all ten comes to $100. If they paid their bill the way we pay our taxes, it would go something like this:

The first four men (the poorest) would pay nothing.
The fifth would pay $1.
The sixth would pay $3.
The seventh would pay $7.
The eighth would pay $12.
The ninth would pay $18.
The tenth man (the richest) would pay $59.

So, that’s what they decided to do. The ten men drank in the bar every day and seemed quite happy with the arrangement, until one day, the owner threw them a curve. ‘Since you are all such good customers,’ he said, ‘I’m going to reduce the cost of your daily beer by $20. Drinks for the ten now cost just $80.’

The group still wanted to pay their bill the way we pay our taxes so the first four men were unaffected. They would still drink for free. But what about the other six men - the paying customers? How could they divide the $20 windfall so that everyone would get his ‘fair share?’ They realized that $20 divided by six is $3.33. But if they subtracted that from everybody’s share, then the fifth man and the sixth man would each end up being paid to drink his beer. So, the bar owner suggested that it would be fair to reduce each man’s bill by roughly the same amount, and he proceeded to work out the amounts each should pay.

And so:

The fifth man, like the first four, now paid nothing (100% savings).
The sixth now paid $2 instead of $3 (33% savings).
The seventh now paid $5 instead of $7 (28% savings).
The eighth now paid $9 instead of $12 (25% savings).
The ninth now paid $14 instead of $18 (22% savings).
The tenth now paid $49 instead of $59 (16% savings).
Each of the six was better off than before. And the first four continued to drink for free. But once outside the restaurant, the men began to compare their savings.

‘I only got a dollar out of the $20,’ declared the sixth man. He pointed to the tenth man, ‘but he got $10!’

‘Yeah, that’s right,’ exclaimed the fifth man. ‘I only saved a dollar, too. It’s unfair that he got ten times more than I!’

‘That’s true!!’ shouted the seventh man. ‘Why should he get $10 back when I got only two? The wealthy get all the breaks!’

‘Wait a minute,’ yelled the first four men in unison. ‘We didn’t get anything at all. The system exploits the poor!’

The nine men surrounded the tenth and beat him up.

The next night the tenth man didn’t show up for drinks, so the nine sat down and had beers without him. But when it came time to pay the bill, they discovered something important. They didn’t have enough money between all of them for even half of the bill!

And that, boys and girls, journalists and college professors, is how our tax system works. The people who pay the highest taxes get the most benefit from a tax reduction. Tax them too much, attack them for being wealthy, and they just may not show up anymore. In fact, they might start drinking overseas where the atmosphere is somewhat friendlier.

The meme above is falsely attributed to David R. Kamerschen, Ph.D., Professor of Economics, University of Georgia.

Monday, March 9, 2009

The Corner Turned, again

Well, it seems I spoke too soon. The US Treasuries 2 year spread has, over the last four weeks, headed north again, this morning sitting at around 77.25. This upward trend has accelerated over the past two weeks.

Gee, I wonder what happened over the past two weeks to spook the markets so?

The pace of recovery will be tempered by how much the government muddles the natural tendency of markets to self-adjust. The government should be more concerned with cushioning the blow that market variance has on individuals rather than quixotically attempting to control that variance.