2020-01-24 Longest matching IPv6 address selection biting me 1 day ago
Trying to get devuan updates, I see:

    Err:5 http://nl.mirror.devuan.org/merged ascii Release 404 Not Found [IP: 2001:878:346::116 80]
    Err:6 http://nl.mirror.devuan.org/merged ascii-security Release 404 Not Found [IP: 2001:878:346::116 80]
    Err:7 http://nl.mirror.devuan.org/merged ascii-updates Release 404 Not Found [IP: 2001:878:346::116 80]

While nl.mirror.devuan.org has no shortage of IPv6 and IPv4 addresses:

    ;; ANSWER SECTION:
    nl.mirror.devuan.org. 78083 IN CNAME deb.devuan.org.
    deb.devuan.org. 78083 IN CNAME deb.roundr.devuan.org.
    deb.roundr.devuan.org. 845 IN AAAA 2001:638:a000:1021:21::1
    deb.roundr.devuan.org. 845 IN AAAA 2a01:4f8:140:1102:2b76:955d:b48f:bdf3
    deb.roundr.devuan.org. 845 IN AAAA 2001:878:346::116
    deb.roundr.devuan.org. 845 IN AAAA 2a01:4f8:162:7293::14
    deb.roundr.devuan.org. 845 IN AAAA 2800:a8:c001::a
    deb.roundr.devuan.org. 845 IN AAAA 2a01:4f9:2a:fa9::2
    deb.roundr.devuan.org. 845 IN AAAA 2001:590:3803::31:151
    deb.roundr.devuan.org. 845 IN AAAA 2001:4ca0:4300::1:19
    deb.roundr.devuan.org. 845 IN AAAA 2a02:2a38:1:400:422a:422a:422a:422a
    deb.roundr.devuan.org. 845 IN AAAA 2a0a:e5c0:2:2:400:c8ff:fe68:bef3

    ;; ANSWER SECTION:
    nl.mirror.devuan.org. 78063 IN CNAME deb.devuan.org.
    deb.devuan.org. 78063 IN CNAME deb.roundr.devuan.org.
    deb.roundr.devuan.org. 824 IN A 188.8.131.52
    deb.roundr.devuan.org. 824 IN A 184.108.40.206
    deb.roundr.devuan.org. 824 IN A 220.127.116.11
    deb.roundr.devuan.org. 824 IN A 18.104.22.168
    deb.roundr.devuan.org. 824 IN A 22.214.171.124
    deb.roundr.devuan.org. 824 IN A 126.96.36.199
    deb.roundr.devuan.org. 824 IN A 188.8.131.52
    deb.roundr.devuan.org. 824 IN A 184.108.40.206
    deb.roundr.devuan.org. 824 IN A 220.127.116.11
    deb.roundr.devuan.org. 824 IN A 18.104.22.168
    deb.roundr.devuan.org. 824 IN A 22.214.171.124

I always get the error for 2001:878:346::116 when connecting. This site seems to have a problem with the devuan mirror at the moment, so I'd like to use another one, but apt keeps going back to the same source.
This has to do with IPv6 address destination selection (RFC 3484 / RFC 6724). A good explanation at IPv6 Destination Address Selection – what, why, how - Karl Auer with:

    Rule 9, “use longest matching prefix”, will prefer the candidate destination address that shares the greatest number of contiguous leading bits with the source address that would be chosen for it. Such an address is likely to be topologically closer to the source address.

Indeed that address is close to my home network addresses:

    2001:0878:0346:0000:0000:0000:0000:0116
    2001:0980:14ca:0001::/64

So the "roundr" round robin isn't very round for IPv6 users. Workaround: reject the address that is giving me problems:

    # ip -6 route add unreachable 2001:878:346::116
    # apt update
    Get:1 http://nl.mirror.devuan.org/merged ascii InRelease [25.6 kB]
    Get:2 http://nl.mirror.devuan.org/merged ascii-security InRelease [25.6 kB]
    Get:3 http://nl.mirror.devuan.org/merged ascii-updates InRelease [25.6 kB]
    Get:5 http://nl.mirror.devuan.org/merged ascii-security/main Sources [185 kB]
    Hit:4 http://packages.roundr.devuan.org/merged ascii InRelease
    Get:6 http://nl.mirror.devuan.org/merged ascii-security/main amd64 Packages [480 kB]
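Rule 9 applied to the AAAA set from this entry, as an added example that is not part of the original post. It looks at Rule 9 only (rules 1 to 8 of RFC 6724 are left out) and assumes a source address inside the home prefix 2001:980:14ca:1::/64; the interface ID is constructed.

```python
import ipaddress

# AAAA records for deb.roundr.devuan.org, in the order listed in the post.
CANDIDATES = [
    "2001:638:a000:1021:21::1",
    "2a01:4f8:140:1102:2b76:955d:b48f:bdf3",
    "2001:878:346::116",
    "2a01:4f8:162:7293::14",
    "2800:a8:c001::a",
    "2a01:4f9:2a:fa9::2",
    "2001:590:3803::31:151",
    "2001:4ca0:4300::1:19",
    "2a02:2a38:1:400:422a:422a:422a:422a",
    "2a0a:e5c0:2:2:400:c8ff:fe68:bef3",
]

# Assumption: a host in the home network 2001:980:14ca:1::/64
# (the interface ID ::10 is constructed for this example).
SOURCE = ipaddress.IPv6Interface("2001:980:14ca:1::10/64")


def common_prefix_len(src, dst):
    """CommonPrefixLen(S, D) as in RFC 6724 section 2.2: number of matching
    leading bits, capped at the prefix length of the source address."""
    diff = int(src.ip) ^ int(ipaddress.IPv6Address(dst))
    matching = 128 - diff.bit_length()   # diff == 0 means all 128 bits match
    return min(matching, src.network.prefixlen)


def rank_by_rule9(src, candidates):
    """Order destinations longest match first. sorted() is stable, so ties
    keep the order in which the resolver returned them."""
    scored = [(common_prefix_len(src, c), c) for c in candidates]
    return sorted(scored, key=lambda pair: -pair[0])


def first_usable(src, candidates, blocked=()):
    """Destination that ends up being used once blocked addresses are
    skipped, which is the effect of the 'unreachable' route workaround."""
    blocked = {ipaddress.IPv6Address(b) for b in blocked}
    for _, cand in rank_by_rule9(src, candidates):
        if ipaddress.IPv6Address(cand) not in blocked:
            return cand
    return None


if __name__ == "__main__":
    for bits, cand in rank_by_rule9(SOURCE, CANDIDATES):
        print(f"{bits:3d} matching bits  {cand}")
    print("after workaround:",
          first_usable(SOURCE, CANDIDATES, blocked=["2001:878:346::116"]))
```

The failing mirror shares 23 leading bits with the source, three more than any other candidate, so it sorts first no matter how the DNS round robin shuffles the answer.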
2020-01-21 Suricata and ppp: restart of suricata needed after ppp down/up 4 days ago
Suricata is running and detecting attacks, but it was causing a 100% cpu load after a restart of the ppp connection (the DSL here uses PPP over Ethernet). The errors point at the problem starting when the ppp connection restarts:

    21/1/2020 -- 00:59:36 - <Error> - [ERRCODE: SC_ERR_AFP_READ(191)] - Error reading data from iface 'ppp0': (100u) Network is down
    21/1/2020 -- 00:59:37 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't set fanout mode, error Invalid argument

Which also starts to fill the system log with:

    Jan 21 00:59:42 xxxxxxxx kernel: [11347441.726755] device ppp0 left promiscuous mode
    Jan 21 01:00:13 xxxxxxxx kernel: [11347472.055712] device ppp0 entered promiscuous mode
    Jan 21 01:00:13 xxxxxxxx kernel: [11347472.071533] device ppp0 left promiscuous mode
    Jan 21 01:00:13 xxxxxxxx kernel: [11347472.091653] device ppp0 entered promiscuous mode

The interesting part is that this causes higher power usage about five and a half hours later. Solution: restart suricata in an /etc/ppp/ip-up.d/ script.
2020-01-13 I participated in the UBA PSK63 prefix contest 1 week ago
Like in previous years I participated in the UBA PSK63 Prefix Contest in the weekend. Overall it was a nice contest, with 111 contacts in total which makes this a good contest score. I started in the 20 meter band on Saturday, moved to the 40 meter band after propagation died down due to the sun going down. On Sunday morning I started on the 40 meter band but soon gave up, there was a lot of interference on that band. I switched to 20 meters and made some more contacts. In the end: 38 contacts in the 20 meter band and 73 in the 40 meter band.
2020-01-08 Changed to a new alerting option for radio amateurs 2 weeks ago
I turned on the remote radio today and saw in the DX cluster that the ZC4UW dxpedition was still active although 7 January was the last day. The signals were never good enough to make the contact, but this made me rethink the DX alerting options I have. I used 'DX Alert' on Android before, but this program had some difficulties and I can't find it anymore on the Google Play store which suggests it's really going out of support. The new suggestion is HamAlert which processes data from the DX Cluster network, PSKreporter, Reverse Beacon network and Sotawatch, allows the user to set triggers and reports via push notification to an Android phone or iPhone when the HamAlert Android app or equivalent iPhone app is installed. I created an account, installed the app and set up my first triggers: countries in and around Europe I don't yet have confirmed in bands/modes that I can use. It's a lot easier in HamAlert to set these up compared to DX Alert because it can all be done on the HamAlert website and can be customized more easily. Update 2020-01-12: First score: I activated the alerts today because I had some time to get on the radio between other things. I saw alerts for E44RU which is in Palestine on a non-standard FT8 frequency. I spun the dial, adjusted a bit and made the contact. And that's a new country for me.
2020-01-06 I participated in the ARRL RTTY Roundup 2020 2 weeks ago
This weekend was the ARRL RTTY Roundup edition 2020 and I participated. Late Saturday evening I saw a few US stations come up on 40 meters. Sunday afternoon I made a lot of contacts to mostly European stations on 20 meters. In the evening after dark the contacts from Europe seemed to stop after the first 24 hours were over but when I checked again late in the evening more US and some Canadian stations were decoded on my end and I worked them. In the end 110 contacts, a nice score for this contest. Claimed score: 110 qso points * 33 multipliers = 3630. The one that got away: I saw a station from California calling and giving state 'CA' in contacts, but he never heard me. That's the first time I heard or saw anything from one of the western US states.
2020-01-06 Security tools can help practise morse 2 weeks ago
Today I needed blocks of random letters to practise sending morse. What better tool to create those blocks than good old pwgen with the right settings:

    $ pwgen -0 -A 5 12
    ahhud eizaa kuoku ahyoo aequi epiis eiwei eimap sohsh papai ikeit ouchoA

And the trick for generating groups of five digits is a bit longer:

    $ pwgen -r abcdefghijklmnopqrstuvwxyz -A 5 12
    97228 85996 98876 38451 06091 98556 53369 73632 29509 29032 89601 16078

Use better parameters with pwgen to generate actual passwords.
2020-01-03 No longer amazon.com associate on The Virtual Bookcase 3 weeks ago
I received a message from amazon that The Virtual Bookcase no longer qualifies as an amazon.com associate. That was no big surprise as I haven't done a lot of maintenance on the site and haven't added a lot of content in the last years. The only serious maintenance was for the migration to the new web server where php 7.0 is the standard version. I wish to some day migrate to perl but haven't found time yet. So I removed all amazon affiliate links I could find. This also means I can't use the amazon.com API anymore.
2020-01-01 Closing 2019 in amateur radio, time to plot the number of contacts and look back 3 weeks ago
Time for a new plot of the number of radio contacts. Months with contests are quite visible. After the peak in number of contacts in July there was first a holiday and after that no big peaks in number of contacts. December 2019 jumps out a bit again due to the FT8 roundup on 8/9 December in which I made 66 contacts and later in the month the tropospheric ducting allowing contacts over interesting distances in the 70 centimeter and 2 meter band added to a sprint at the end. In 2019 I made a few more contacts than in the previous record year 2017. Looking back at my amateur radio resolutions for 2019 I think most came true. If I look at them one by one:
- Keep learning morse! - I'm still working on my morse, but there is measurable improvement. I have learned the full set for the Belgian CW exam and I'm working on accuracy and speed.
- Get more countries on more HF bands in the log - More countries and more slots on HF are in the log. I also use the club station to achieve that goal. The ARRL DXCC Award shows that I'm getting somewhere.
- Moonbounce on 2 meter - I've listened on the right frequencies to the moon on 2 meter. Nothing heard.
- Those digimode contests, and maybe a few phone contests - I participated in two phone contests and a number of digimode contests. No serious improvement in scores.
- Operate HF outside - I operated HF outside. Not as much as I would like.
- At least one satellite contact - Multiple satellite contacts have been made!
Now I have to think about 2020, but the year is still young.
2019-12-29 New countries.. on the 70 centimeter band 3 weeks ago
I saw reports of special propagation on the 2 meter band and even on 70 centimeters today. Normally I can get something further than line of sight on 2 meter and line of sight is the hard limit on 70 centimeter. But with some propagation types it's different and signals can get further. So I tried FT8 on both bands and got Belgium, France, Germany and England in the log on 70cm and new callsigns on both bands. Denmark still got away, I had an almost-contact with a Danish station on 70 centimeters but it stopped after the initial exchange. This is all with the vertical antenna on the roof. I wonder what a beam or big wheel antenna for 70cm or 2 meter could do. At the same time I spun the dial on the remote HF radio so I also got some calls in the log on 20 meters. Update: Current distance record on the 70 cm band is 803 kilometers to F8DBF in France and the first contact with Denmark has been made.
2019-12-27 First radio contacts with the radio and antenna setup at a remote location 4 weeks ago
The main unit of the Kenwood TS-480SAT radio is now at a different location and the front panel is at home. With an OpenVPN connection between them so it's not exposed to the big bad internet. And it's working! I currently have access to a 10/15/17/20 meter antenna and I have already heard stations I wouldn't dream of receiving at home. And the first country in SSB in the log that I only had in digital modes before: Ceuta and Melilla, the Spanish enclaves in Africa. Lag is minimal, audio is less delayed than listening to the utwente websdr to the same signal. Control works fine, so I can control the radio like I'm sitting behind it, including menu settings. Comparing received signals on the local radio with the attic dipole and the remote radio is hell and heaven: local noise is S9+ and the remote location has almost no local noise (while still being in an urban environment) so I can hear even weak stations fine. I leave the noise blanker off most of the time because it's not needed to hear signals fine. Not making loads and loads of contacts yet, propagation isn't cooperating very well and there aren't many people calling CQ. But when a somewhat special station calls CQ there are a lot of answers so there are numerous amateurs active. Or I guess they go to their set when they see an interesting callsign on the DX-cluster. I also got morse keying by paddle working beforehand. Hearing the sidetone from the radio with just a bit of lag got annoying fast when doing morse at a bit of speed so the sidetone is now from the control unit and the sidetone in the radio is silent. It's still set to the same audio frequency as the sidetone in the control unit to allow for finding the zero beat frequency.
2019-12-24 First tries with DNSSEC on subzones: no success 1 month ago
I tried adding subzones with DNSSEC by adding the DS record to the parent zone, but in both tries I got errors from DNSViz. Different errors even: in one case the signature on the DS record was seen as invalid and in another case there was no signature at all. The errors are reproducible, even after waiting for caches to empty.
2019-12-19 Removing an RRTYPE for a DNS name causes an expired RRSIG for that record 1 month ago
I kept seeing warnings about an expired signature when running named-checkzone or dnssec-signzone and it took some searching before I found the reason. Recently I removed the records with type SPF from my zones since the recommended approach is to use TXT records with SPF data. The RRSIG records for the SPF records were left in the signed zonefile, but not updated so they expired and started to give warnings. The SPF records were for names that had other data too which seems to trigger this. Removing a record completely (no RRTYPEs left for the name) removes all signatures. The things in DNSSEC I haven't tested yet are a signed subzone, a ZSK rollover and a KSK rollover. Those will eventually happen too.
2019-12-14 Moved the first domain registration to TransIP 1 month ago
The machine ns3.idefix.net moved so I had to do the whole update dance with the glue records again. Since the IPv6 glue records 'vanished' when I added DNSSEC to idefix.net I decided to move idefix.net to a different registrar where IPv6 glue records and DNSSEC are normal and don't require an extra support call. Since I have an account with TransIP anyway for the stack storage service I just had to add (and pay for) domain services. Interesting bit is that TransIP says I have to pay again next year. According to the registry the domain is registered until 11 August 2024 at the moment. Adding DNSSEC gave problems at first, the format they expect is from the public part of the key signing key, which is a different format from the dsset-idefix.net. file which gets generated by dnssec-signzone. After some tries and searching I found the right source and format. The error message was about the Key Tag which was confusing as that is a number where there isn't much to go wrong.
2019-12-12 Adding the first TLSA records for secured services 1 month ago
Now I have DNSSEC running ok on my domains I can start looking at security innovations that rely on DNSSEC. The first one is DANE for the mailserver, in which the public key signature is published in a DNS record secured with DNSSEC to give a separate path to verify the public key during the SMTP session. The public key of the mailserver is also signed by LetsEncrypt as described in Automating Let's Encrypt certificates further and Automating Let's Encrypt certificates with DNS-01 protocol so there are two completely independent paths to verify the identity of the mail server. To find the public key of the mailserver for a given domain:

    $ dig +short idefix.net mx
    10 postbox.idefix.net.
    $ dig +short _25._tcp.postbox.idefix.net tlsa
    3 1 2 2B55764A99A47AEC5B66D8EB4E741F2646BF6352CABC9BE3F37D2F42 0BD7EF56B5BE3058E7B10964BA963777364443057E45599E07A82375 7A812F1A7014356A

I found the tlsa tool from package hash-slinger by Paul Wouters to create these records. This can be both from the protocol which has certain risks (if that connection is intercepted) or from the public key file. Or via the web tool Generate TLSA Record by Shumon Huque. TLSA records are generically linked to a TCP or UDP port. The next step will probably be to start adding records for other public services with TLS like https. There was a time that some people were convinced DANE was going to replace certificate authorities for https, but at this moment it is very limited. I have added TLSA records for https (tcp/443) for camp-wireless.com and www.camp-wireless.com for now and I'm testing with these. For now one of my favourite checkers isn't convinced. This does increase the chances for things to go wrong.
With the tlsa program it is possible to verify records too, so I can use this to verify TLSA records.

    $ tlsa --verify -6 --starttls smtp --port 25 postbox.idefix.net
    SUCCESS (Usage 3 [DANE-EE]): Certificate offered by the server matches the TLSA record (2001:980:14ca:1::23)

Although this certificate is a valid LetsEncrypt certificate, DNS-based Authentication of Named Entities (DANE) does not support usage 1 (check the certificate public key and verify certificate chain to a known root) for SMTP with STARTTLS, so it is usage 3 (just check the certificate public key). The tlsa program does not check this specifically, but the web checker at DANE TLSA Server checker found the issue, so I corrected that. I use selector 1 to just check the public key because the complete certificate changes with every LetsEncrypt renewal. My choice for mtype 2 (sha512) is just a wish for a strong hashing algorithm. This also makes the link between service configuration and DNS contents a lot stronger. Maybe this needs secure automated updates.
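A small pre-publication check for the usage mistake described in this entry, as an added example that is not part of the original post and not taken from the tlsa tool or the web checker. The function names are hypothetical; the record is the one shown in the dig output of this entry.

```python
# Digest length in bytes per matching type (RFC 6698): 0 = full data (any
# length), 1 = SHA-256, 2 = SHA-512.
DIGEST_LEN = {0: None, 1: 32, 2: 64}
USAGE_NAMES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}

# TLSA rdata for _25._tcp.postbox.idefix.net as printed by dig in the post.
POST_RECORD = ("3 1 2 2B55764A99A47AEC5B66D8EB4E741F2646BF6352CABC9BE3F37D2F42 "
               "0BD7EF56B5BE3058E7B10964BA963777364443057E45599E07A82375 "
               "7A812F1A7014356A")


def parse_tlsa(rdata):
    """Parse TLSA presentation format. dig splits the hex field with spaces,
    so everything after the third field is joined before decoding."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("expected: usage selector mtype hexdata")
    usage, selector, mtype = (int(f) for f in fields[:3])
    data = bytes.fromhex("".join(fields[3:]))
    return usage, selector, mtype, data


def lint_tlsa(rdata, smtp=False):
    """Return a list of problems; an empty list means nothing was found.
    With smtp=True, usages 0 and 1 are reported, since DANE for SMTP with
    STARTTLS only uses 2 (DANE-TA) and 3 (DANE-EE)."""
    try:
        usage, selector, mtype, data = parse_tlsa(rdata)
    except ValueError as exc:
        return [f"unparseable record: {exc}"]
    problems = []
    if usage not in USAGE_NAMES:
        problems.append(f"unknown usage {usage}")
    elif smtp and usage in (0, 1):
        problems.append(f"usage {usage} ({USAGE_NAMES[usage]}) is not "
                        "supported for SMTP with STARTTLS, use 2 or 3")
    if selector not in (0, 1):
        problems.append(f"unknown selector {selector}")
    if mtype not in DIGEST_LEN:
        problems.append(f"unknown matching type {mtype}")
    elif DIGEST_LEN[mtype] is not None and len(data) != DIGEST_LEN[mtype]:
        problems.append(f"matching type {mtype} needs {DIGEST_LEN[mtype]} "
                        f"bytes, record has {len(data)}")
    return problems


if __name__ == "__main__":
    print(lint_tlsa(POST_RECORD, smtp=True))                        # clean
    print(lint_tlsa(POST_RECORD.replace("3 1 2", "1 1 2", 1), smtp=True))
```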
2019-12-08 Out of IPv4 addresses, way past time to start using IPv6 1 month ago
2019-12-06 Received ISS SSTV again 1 month ago
This week I had an opportunity to receive ISS SSTV pictures. The Russians on the ISS were transmitting SSTV images as part of the Inter-MAI-75 project. The pass had a partial first image, a nice decode of one full image and the start of a third image. Even the good receives are a bit noisy/unsharp, I'm not sure whether that's an artifact of the PD120 mode or some local noise ending up in the image. This is one of the rare occasions where living close to Russia is a good thing: the Russians time the passes to optimize reception in Russia.
2019-12-02 Remembering the IBM PC RT.. and its power usage 1 month ago
For a number of years between 1993 and 1997 I not only had a BBS running at home but also an IBM RT 6150 computer. It was a big tower I got for free including the system floppy disks. I had to reinstall it because I had no idea of the root password and the only contact at the previous owners wasn't willing to give it up. So I swapped 1.2 megabyte 5.25 inch floppies for a while until I had a complete running system with AIX complete with graphical environment and a working TCP/IP stack. The IBM RT 6150 I had came with 3 built-in harddisks (full-height). As far as I remember those were 70 megabyte each. Eventually I had enough AIX installed to also have a working compiler. One downside of this system was the power usage. It used quite a lot of electricity. The rest of BBS Koos z'n Doos also used a lot of power. When I moved out of my parents' house in a December month the effect on the electricity bill was remarkable. Next December my parents got a call about what changed because the electricity bill had halved. And I did put 'computers' on the form for the new electricity contract but that same December I received a bill because the electricity for that house was double what the electricity company expected.
2019-12-01 Better audio for learning morse 1 month ago
I installed xcwcp from the unixcw packages on a different system and noticed it did not use PulseAudio. It said it could not find PulseAudio and skipped to ALSA. The downside of ALSA in xcwcp is that it pushes audio 10 characters ahead, with PulseAudio the buffer is smaller. Some searching using strace found that xcwcp tries to open libpulse-simple.so which wasn't found on that system. It is available on my laptop, as part of:

    $ dpkg -S /usr/lib/x86_64-linux-gnu/libpulse-simple.so
    libpulse-dev:amd64: /usr/lib/x86_64-linux-gnu/libpulse-simple.so

while the files linked to a part of the runtime package:

    $ dpkg -S /usr/lib/x86_64-linux-gnu/libpulse-simple.so.0
    libpulse0:amd64: /usr/lib/x86_64-linux-gnu/libpulse-simple.so.0
    $ dpkg -S /usr/lib/x86_64-linux-gnu/libpulse-simple.so.0.1.1
    libpulse0:amd64: /usr/lib/x86_64-linux-gnu/libpulse-simple.so.0.1.1

But I don't have package libpulse-dev on that other system. Solution: make the symlink by hand in /usr/lib/x86_64-linux-gnu with:

    user@system:/usr/lib/x86_64-linux-gnu$ sudo ln -sf libpulse-simple.so.0 libpulse-simple.so

And I reported it as a bug for ubuntu: Bug #1854630: xcwcp doesn't use pulseaudio but given the list of bugs in Ubuntu I reported or commented on before with a lot of 'undecided' and not a lot of progress I'm not sure anything will happen. Back to practising morse after this diversion!
2019-11-24 Morse with the Kenwood TS-480 and remoterig 2 months ago
The next thing I want to get working is morse with the remoterig and the Kenwood TS-480. The good thing is that the remoterig has a built-in morse keyer to overcome jitter problems. And that keyer has the option to make a winkeyer usb interface available. I did some minor testing with the winkeydaemon driver together with the paddle and it works. So I can use both the keyer from the computer and the paddle at the same time, just like with the nanokeyer and the FT-857 radio. There is one strange thing though: this keyer responds somewhat differently from the nanokeyer when I do a fast dah-dit. I expect the dit to follow after the dah even when I already stopped touching the left paddle (dit) before the dah ends.