the zoo’s Schroedinger’s cat mail server

oh yes they are

"It's behind you", "no it's not" makes this post sound like a pantomime: thanks to systemd (my blog) I have a postfix instance active (my blog) that postfix itself thinks is not active.

Schroedinger would be proud.

So I changed the bind address and server name to use the .lan tld, as .local and .corp are now paid tlds. Making no sense of up or down, an nmap scan says it is working.

I give up at this point and let this paradox be.

The next day I notice that the new zoo.lan is sending email when technically it is not running. I am baffled, and apart from the postfix instance changes noted I have not been changing its configuration.

Oh well, that's systemd for you.

rfc ignorant email servers and software things

I am constantly reminded of bad email servers, since I get a report each day detailing the unclued and dumb who think email is easy.

Your email server may kind of work, but it does have to worry about non-email things too, as they can wreak havoc. Somebody had all the right things, but the sending server screwed up the header, so our spam bot decided not to deliver the email. I had no issues with that.

The dmarc report sent (my blog) might say we got it, but it never hit a human.

Commercial list software is also odd with dmarc: two 'signed up marketing message' lists also added the dmarc reporting address to themselves.

Quite how the dmarc address got on the list is something I'd love to know.

Since our virus bot is working, unlike those email lists, and knows a bad header, I was happy to accept its judgement that the mail should not be seen by a human; dmarc is working correctly too.

So if you think your email is getting through and that it is 100% human signed up for, it may not be so; and if you wish to send email to the dmarc user, or reject dmarc mail because of the compressed file (aggregate reports arrive as zipped attachments), well, that's your choice.

You're still an idiot..
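What a dmarc aggregate report actually tells you is the receiver's authentication verdict for each source, not whether a person ever saw the mail; a disposition of "none" with dkim and spf passes just means the receiver accepted it as far as dmarc is concerned, and whatever its spam or virus filter did afterwards is not in the report. The following is an added example, not code from the original post: a parser over a constructed aggregate report in the RFC 7489 XML format (the reporter name, domains and addresses are hypothetical) that summarises messages per disposition and lists the sources that failed both dkim and spf.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed aggregate (rua) report in the RFC 7489 XML format. Sample data for this
# example only; the reporter, domains and addresses are hypothetical.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>bigmail.example</org_name>
    <email>dmarc-noreply@bigmail.example</email>
    <report_id>2017-08-17-zoo</report_id>
    <date_range><begin>1502928000</begin><end>1503014399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>zoo.example</domain>
    <adkim>r</adkim><aspf>r</aspf><p>reject</p><sp>reject</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.25</source_ip>
      <count>7</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>zoo.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>zoo.example</domain><selector>mail</selector><result>pass</result></dkim>
      <spf><domain>zoo.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.23</source_ip>
      <count>3</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>zoo.example</header_from></identifiers>
    <auth_results>
      <spf><domain>lists.example</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_report(xml_text):
    """Pull the fields worth looking at out of one aggregate report.

    Reports are third-party input that arrives by mail; for production use parse
    them with defusedxml rather than the stdlib parser used here for brevity.
    """
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            "dkim": evaluated.findtext("dkim"),
            "spf": evaluated.findtext("spf"),
            "header_from": rec.findtext("identifiers/header_from"),
        })
    return {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "rows": rows,
    }


def summarise(report):
    """Messages per disposition, plus the sources that failed both dkim and spf."""
    by_disposition = Counter()
    unaligned = []
    for row in report["rows"]:
        by_disposition[row["disposition"]] += row["count"]
        if row["dkim"] != "pass" and row["spf"] != "pass":
            unaligned.append((row["source_ip"], row["count"]))
    return {"by_disposition": dict(by_disposition), "unaligned_sources": unaligned}


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    summary = summarise(report)
    print(f"{report['reporter']} on {report['domain']} (p={report['policy']}):")
    for disposition, n in sorted(summary["by_disposition"].items()):
        print(f"  {disposition:>10}: {n} messages")
    for ip, n in summary["unaligned_sources"]:
        print(f"  unaligned source {ip}: {n} messages")
```

Run over a real report the "none" row is the one to read with care: it is the receiver saying it would have delivered, which is exactly the case the post describes where the message was later dropped for a broken header.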

Lets encrypt in the wild

So I have tlsa (my blog) entries for a letsencrypt (my blog) domain name here in the zoo. Since le certs magically renew (my blog) with at least a month left on them, it throws off my dnssec schedule all the time. The fact that my tlsa records might be off is liveable with.

Let's Encrypt appears to be one of the few cas with ethical owners: Symantec/StartCom and others have fallen by the wayside, with Comodo now owned by a firm that sells tls-breaking services to governments.

My calendar is kept busy getting updates; it's frustrating. I think I will sign the zone at some point in the future and then discover that the letsencrypt cert means it already needed it.

gay oxbridge spies perfect government employees!

The tls market appears to be collapsing, and none of it is the fault of customers. I can cron my way out of it, and as most people have never heard of tlsa, let alone check it, it is not the end of the world.

I can live with the tlsa out-of-sync issue, after all, if the only other choice I have is to buy tls from a firm that also breaks it if you're a government. An odd deal.

lets encrypt tls

Been using it for a while now, and now I am using dns entries to validate; the certbot software (my blog) is a lot better than it used to be, as it does not stacktrace every two seconds.

Having to do multihost is also possible, although tlsa records are something I have yet to automate in the zone files when the tls renewal happens.

Not that anybody checks those anyhow.

After the change of ownership of paid ssl providers to include a firm that hacks ssl/tls for governments, this is not me being cheap but ethical: how safe are those issued certificates (my blog) from the hacking firm also owned by the parent company?
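The tlsa drift in the "Lets encrypt in the wild" post and the "not yet automated" remark above are the same problem: the record has to be regenerated from the renewed certificate. Here is an added example of that step, not the blog's own tooling: given a certificate it computes the DANE-EE "3 1 1" record (usage 3, selector 1 for the SubjectPublicKeyInfo, matching type 1 for SHA-256) for the zone file, and checks a published record against the live key. The certificate path in the usage block is hypothetical and the openssl command-line tool is assumed to be installed; the matching-type handling also covers types 0 and 2 from RFC 6698.

```python
import hashlib
import subprocess

# DANE TLSA parameters for the record this setup wants: usage 3 (DANE-EE),
# selector 1 (SubjectPublicKeyInfo). Matching type 0 is the raw data, 1 is
# SHA-256 and 2 is SHA-512 (RFC 6698).
USAGE_DANE_EE = 3
SELECTOR_SPKI = 1
DIGESTS = {0: None, 1: "sha256", 2: "sha512"}


def spki_der_from_pem(cert_path):
    """Extract the DER SubjectPublicKeyInfo from a PEM certificate via the openssl CLI.

    Assumes openssl is installed; the certificate path used by the caller is hypothetical.
    """
    pubkey_pem = subprocess.run(
        ["openssl", "x509", "-in", cert_path, "-noout", "-pubkey"],
        check=True, capture_output=True).stdout
    return subprocess.run(
        ["openssl", "pkey", "-pubin", "-outform", "DER"],
        input=pubkey_pem, check=True, capture_output=True).stdout


def association_data(spki_der, matching_type=1):
    """Hex 'certificate association data' for the SPKI under the given matching type."""
    algo = DIGESTS[matching_type]
    if algo is None:
        return spki_der.hex()
    return hashlib.new(algo, spki_der).hexdigest()


def tlsa_rr(host, port, spki_der, protocol="tcp", ttl=3600, matching_type=1):
    """Zone-file line for a '3 1 <matching_type>' record covering host:port."""
    data = association_data(spki_der, matching_type)
    return (f"_{port}._{protocol}.{host}. {ttl} IN TLSA "
            f"{USAGE_DANE_EE} {SELECTOR_SPKI} {matching_type} {data}")


def tlsa_matches(rdata, spki_der):
    """Check published TLSA rdata ('usage selector mtype hex...') against a live SPKI.

    Only usage 3 / selector 1 records are understood; anything else, or a stale
    digest, is reported as no match so that it gets noticed rather than ignored.
    """
    fields = rdata.split()
    if len(fields) < 4:
        return False
    usage, selector, matching_type = (int(f) for f in fields[:3])
    # Presentation format may break the hex into space-separated chunks.
    published = "".join(fields[3:]).lower()
    if usage != USAGE_DANE_EE or selector != SELECTOR_SPKI or matching_type not in DIGESTS:
        return False
    return published == association_data(spki_der, matching_type)


if __name__ == "__main__":
    # Hypothetical path: certbot's renewed certificate for the zoo's mail host.
    spki = spki_der_from_pem("/etc/letsencrypt/live/mail2.zoo/cert.pem")
    print(tlsa_rr("mail2.zoo", 25, spki))
```

Two practical points follow from using selector 1: the record only changes when the key pair changes, so renewing with certbot's --reuse-key leaves a 3 1 1 record valid across renewals; and when the key does change, publish the new record alongside the old one, wait at least the record's TTL (and re-sign the zone, since this is a dnssec zone), and only then install the new certificate and drop the old record.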

curious caa records

The zoo has a tls supplier without caa support (my blog) for one domain (zoo4); it means no ca (as in ssl) can issue a certificate given its caa record.

While correct, it also means that the issuer of the current certificate cannot sell us a new one, but all of them will inform us that somebody tried to.

mafia run ssl

So if you are a tls issuer and cannot be bothered to support caa, like my zoo4 example, I do not think you will be selling us another.

I can change the caa record, but if you make it pointless why should I? Guess they don't care for money.

Makes life harder for us all, and the ssl mafia.. Renewal time shall be fun if they check the caa record..

Cleaning up challenges
Failed authorization procedure. mail2.zoo (dns-01): urn:acme:error:caa :: CAA record for mail2.zoo prevents issuance
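The certbot failure quoted above is what a ca's caa check produces. As an added example rather than certbot's or the zoo's code, here is that evaluation written out over a constructed set of caa records following RFC 8659: climb from the name to the first non-empty caa RRset, apply "issue" (or "issuewild" for wildcard names), treat an empty issuer (";") as "nobody", and refuse if an unknown property carries the critical flag. The zone names, the supplier's ca domain "paid-supplier.example" and the other owners are hypothetical; the mail2 name mirrors the case above, where the record names the paid supplier and so Let's Encrypt is refused.

```python
# Constructed caa RRsets: owner name -> list of (flags, tag, value). The owners and
# the ca domains are hypothetical stand-ins for the zoo4 domain and its supplier.
CAA_ZONE = {
    "zoo4.example.": [(0, "issue", "paid-supplier.example"),
                      (0, "iodef", "mailto:hostmaster@zoo4.example")],
    "locked.example.": [(0, "issue", ";")],                   # ";" means no ca at all
    "wild.example.": [(0, "issue", "paid-supplier.example"),
                      (0, "issuewild", "letsencrypt.org")],
    "future.example.": [(128, "newproperty", "whatever")],    # critical flag, unknown tag
    "reportonly.example.": [(0, "iodef", "mailto:caa@reportonly.example")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128


def relevant_rrset(zone, name):
    """RFC 8659 section 3: the first non-empty caa RRset at the name or any parent."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        rrset = zone.get(owner)
        if rrset:
            return owner, rrset
    return None, []


def issuance_allowed(zone, fqdn, ca_domain):
    """Decide, as a ca identified by ca_domain would, whether it may issue for fqdn.

    Returns (allowed, reason). Wildcard names use issuewild when present, else issue.
    """
    wildcard = fqdn.startswith("*.")
    owner, rrset = relevant_rrset(zone, fqdn[2:] if wildcard else fqdn)
    if not rrset:
        return True, "no caa records in the tree; issuance permitted"
    for flags, tag, _ in rrset:
        if flags & CRITICAL and tag.lower() not in KNOWN_TAGS:
            return False, f"critical property '{tag}' at {owner} is not understood"
    tags = {tag.lower() for _, tag, _ in rrset}
    prop = "issuewild" if wildcard and "issuewild" in tags else "issue"
    if prop not in tags:
        return True, f"no {prop} property at {owner}; issuance permitted"
    permitted = set()
    for _, tag, value in rrset:
        if tag.lower() == prop:
            issuer = value.split(";", 1)[0].strip().lower()  # drop any parameters
            if issuer:
                permitted.add(issuer)
    if ca_domain.lower() in permitted:
        return True, f"{prop} at {owner} names {ca_domain}"
    return False, (f"CAA record for {fqdn} prevents issuance by {ca_domain} "
                   f"({prop} at {owner} permits {sorted(permitted) or 'nobody'})")


if __name__ == "__main__":
    names = ("mail2.zoo4.example.", "locked.example.", "*.wild.example.",
             "future.example.", "nocaa.example.")
    for name in names:
        for ca in ("letsencrypt.org", "paid-supplier.example"):
            ok, why = issuance_allowed(CAA_ZONE, name, ca)
            print(f"{'ok  ' if ok else 'DENY'} {ca:22} {name:22} {why}")
```

One caveat to the post's worry about renewal: checking caa before issuance has been mandatory for publicly trusted cas under the CA/Browser Forum Baseline Requirements since September 2017, so a supplier that ignores the record is the one out of step, not the record.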

Security …

Wesley Perkins scumbag & Cheryl Jillions poor admin skills

Wesley Perkins aka Annabel

Bananas read about a Mr Wesley Perkins who is pictured to right who lives in essex who uses a number of aliases probably including a Tracey and a no doubt an Annabel. to mask it.   I have a gmail person (my blog) trying this who very well might be comrade Wesley.

What 'he' does is register/taste expired domain names and then charge extortionate prices, just like this lovely American (my blog) who worked for (my blog).

The error begins when people ignore the six or seven emails from their registrar and also do not pay the extortionate** redemption grace period fee while it is open. Domains used to have a three-month or longer period in the registry before being able to be bought once again.

So either these upset ex domain renters clearly are incompetence or dislike there registrar say godaddy. An example of a retard is Cheryl Jillions who lives somewhere in suffolk and either imports orphaned children into the uk from elsewhere (non eu) as adopting children here in the the uk is too hard requiring people to be the ethnic and pro islamic suicide bomber correct or provides training for fosterers.

‘Days’* apparently after the expiry a shit show began and Annabel made a fee request that resulted in perhaps the wrong attention.

The newspaper did not ask icann [very slow to act] or wipo (my blog) for comment and the msm assumes that no blame can be attributed to Cheryl Jillions who clearly shits golden eggs having done nothing wrong by ignoring lots of emails and stuff.  However it cost her more money than usual to return things to normal

Jilliions (not a form of expressing numbers after x digits) should be congratulated on alerting us to an Adam Dicker version two  but wins no plaudits for her shit admin skills of failure to choose a better registrar rather than one who decides its not yours but there’s if you do not pay.

Both persons have fault at their door, but this clearly is not reflected by the newspaper. It is a shame that is not stated. Sony, for instance, have also forgotten to renew domains (my blog) and did not have to deal with Perkins. So there is more to the story than stated.

One of them will not do that again i think.

* Ignoring the six-month, three-month, one-month, two-week and one-week renewal requests along with a few others…, plus the redemption grace period fee window [30 days], so that is a lie. ** Compared with the normal renewal fee.

opendnssec in debian stretch

It confuses me and I have no damn clue as to how to set it up. Supposedly it automates key rollover and zone re-signing, but quite how it works, and the less good versions in previous debian releases, mean the jump from 1.2 to 2 means your config files are rubbish, working or otherwise.

Commands have been changed (ods-ksmutil is deprecated in 2.x in favour of ods-enforcer):

ods-ksmutil setup
<13>Aug * 13:42:30 ods-ksmutil: The ODS-KSMUTIL command is DEPRECATED and should be replaced by ods-enforcer in the caller with pid 19568: bash
Unable to connect to engine. connect() failed: No such file or directory (“/run/opendnssec/enforcer.sock”)

Having looked at blogs and the documentation in the .deb, I was none the wiser even after gunzipping them, and it appears that with a version 5 algorithm it is painfully awful, or that was my attempt at setting it up from before (jessie) until I got bored.

opendnssec-enforcer
start-stop-daemon: warning: this system is not able to track process names

Sisyphus is still a role model

So I looked at non-debian documentation; opendnssec's was nice to read but fragmented.

It seems opendnssec/* is used by about three people in debian, who use the untested version, or else it is a compile-from-source job.

Tried and failed again with this software. I suppose it compiles and runs, and as far as debian is concerned it is a runner, even if it seems not to function.

dns zone testers

lets poison the gin

The zoo records stuff, and one day I got bored and decided to see who was testing our dns zone transfers.

We also record other 'odd' dns behaviour (my blog).

A few lookups later, this is the result for the zone testers (attempts per source, with the whois country, the apparent origin and the entity where known):

Attempts  Whois  Origin  Actual entity  IP
       1  DE     sc      Closco Ltd
       5  FR
       5  FR
       2  IE
       2  IE
      11  NL     gb
       6  SE
       7  US
       2  US
       2  US
      12  US
      16  US
      36  US
       1  VN


So I might be responsible for the Verisign ones, as they do scan our dnssec (my blog); the rest I leave to your guess.

Good to see crooked microsoft (my blog) doing something evil.

I don't mind being probed by academics, but the sc thing looks a lot like shodan (my blog).

It's not a large list, but interesting.

Dns protocol abusers by country

Got logs of bad dns senders/probers? The zoo does.

So who sends the most bad protocol traffic to the zoo? I set a cutoff of 90 errors and above found in our nameserver error file, sorted it and made it presentable.

You might have to open this post in a new browser tab due to the limitations of the css design, a problem I have when I use tables.

Otherwise I would bore you to death with grep/awk and python things most of you find boring.

Country          Errors (90+)  Share of all errors
Switzerland               146    0.32%
Pakistan                  160    0.35%
Brazil                    260    0.57%
Australia                 530    1.16%
Japan                     584    1.28%
South Korea               680    1.49%
Spain                     730    1.60%
France                    735    1.61%
China                    1124    2.47%
Russia                   1447    3.17%
Lithuania                1656    3.63%
United Kingdom           1938    4.25%
Romania                  3358    7.37%
Bulgaria                 3471    7.62%
Netherlands              4686   10.28%
Finland                  6440   14.13%
United States            7180   15.75%
Germany                 10453   22.93%
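
Here is the grep/awk/python part behind both the zone-transfer tester count above and this bad-traffic table, as an added example rather than the zoo's own script: it attributes BIND client errors to a source address, separates zone transfer attempts from other bad requests, and tallies per address and per country with the same kind of cutoff (90 on the page). The log lines are constructed in the BIND security/client log style for the example, and the address-to-country map stands in for a GeoIP lookup; a real run would read named's log file and a GeoIP database.

```python
import re
from collections import Counter, defaultdict

# Constructed BIND-style log lines (named's security/client categories). Sample data for
# this example, not lines from the zoo's own logs.
SAMPLE_LOG = """\
17-Aug-2017 09:01:10.001 security: info: client 203.0.113.5#54321 (zoo.example): zone transfer 'zoo.example/AXFR/IN' denied
17-Aug-2017 09:01:11.002 security: info: client 203.0.113.5#54322 (zoo.example): zone transfer 'zoo.example/AXFR/IN' denied
17-Aug-2017 09:02:30.003 security: info: client 198.51.100.9#40000 (www.example): query (cache) 'www.example/A/IN' denied
17-Aug-2017 09:03:01.004 general: info: zone zoo.example/IN: loaded serial 2017081701
17-Aug-2017 09:03:45.005 client: error: client 198.51.100.9#40001: request has invalid signature
17-Aug-2017 09:04:12.006 security: info: client @0x7f3a1c00 192.0.2.77#33333 (zoo.example): zone transfer 'zoo.example/AXFR/IN' denied
17-Aug-2017 09:05:00.007 client: error: client 192.0.2.78#33334: error sending response: host unreachable
"""

# Stand-in for a GeoIP lookup; constructed for the example.
COUNTRY_OF = {
    "203.0.113.5": "US",
    "198.51.100.9": "DE",
    "192.0.2.77": "SC",
    "192.0.2.78": "SC",
}

# Newer BIND versions log a "@0x..." client pointer before the address; v4 or v6, then #port.
CLIENT_RE = re.compile(r"client (?:@0x[0-9a-f]+ )?([0-9a-fA-F.:]+)#\d+")


def parse_line(line):
    """Return (ip, kind) for a client-attributed error line, else None."""
    m = CLIENT_RE.search(line)
    if not m:
        return None
    kind = "axfr" if "zone transfer" in line else "other"
    return m.group(1), kind


def tally(lines, country_of, cutoff=90):
    """Count errors per source address and per country, as the two tables on this page do.

    Returns the per-address counts by kind, the countries at or above the cutoff with
    their share of all errors, and the number of distinct addresses per country.
    """
    per_ip = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, kind = parsed
            per_ip[ip][kind] += 1
    per_country = Counter()
    addresses = defaultdict(set)
    for ip, kinds in per_ip.items():
        cc = country_of.get(ip, "None")  # unknown country reported as 'None', as on the page
        per_country[cc] += sum(kinds.values())
        addresses[cc].add(ip)
    total = sum(per_country.values())
    over = {cc: n for cc, n in per_country.items() if n >= cutoff}
    share = {cc: round(100.0 * n / total, 2) for cc, n in over.items()} if total else {}
    return {
        "addresses": {ip: dict(k) for ip, k in per_ip.items()},
        "countries": over,
        "share": share,
        "addresses_per_country": {cc: len(ips) for cc, ips in addresses.items()},
    }


if __name__ == "__main__":
    result = tally(SAMPLE_LOG.splitlines(), COUNTRY_OF, cutoff=2)
    for cc, n in sorted(result["countries"].items(), key=lambda kv: kv[1]):
        print(f"{cc:4} {n:6} {result['share'][cc]:6.2f}%")
    for ip, kinds in result["addresses"].items():
        if kinds.get("axfr"):
            print(f"zone transfer attempts from {ip}: {kinds['axfr']}")
```

The split into "axfr" and "other" is what makes the two tables comparable: a handful of AXFR attempts from one address is reconnaissance, while thousands of malformed or denied queries from a /24 is more likely a broken resolver or a scanner, which is the distinction the commentary below draws.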

bomb russia

Interesting results: those of you thinking it must be North Korea had better stop smoking that Hillary Clinton substance. The good news is the US was number 2 in sending shit requests. Germany appears to host shodan, which I have mentioned once or twice.

Being me, here is a summary of all countries; some, like Switzerland, like to have whole subnets scanning addresses. It gets logged whether one bad attempt is made or many; it does not care. I assume some of these need fixing rather than being probers. The figure is the number of distinct addresses per country code.

addresses  country
1 AE
1 BA
1 BD
1 BY
1 CO
1 CR
1 DO
1 DZ
1 EC
1 GI
1 HU
1 IE
1 JM
1 KZ
1 LU
1 MQ
1 TW
2 EG
2 EU
2 GP
2 GR
2 ID
2 LV
2 PK
2 VN
3 AT
3 FI
3 HR
4 PA
5 RS
5 TH
6 IL
6 KR
6 LT
6 MX
6 NO
6 SG
6 TR
7 AL
7 IN
8 CZ
9 AR
9 MA
9 MD
9 NZ
10 DK
10 IR
10 SE
11 AU
12 JP
12 SA
14 BE
15 PT
15 UA
16 IT
17 HK
18 BG
19 PL
27 None
28 RO
48 SC
53 CA
56 GB
63 DE
81 BR
98 ES
106 RU
112 NL
120 CN
146 CH
149 FR
759 US


So a count by addresses shows that the United States wins by a mile for ne'er-do-wells sending dns probes.

If you're looking for North Korea, then they are not listed once again.

I like doing stuff like this.

opendnssec daemon

opendnssec is a daemon that automatically signs dns zones with dnssec and manages the key rollovers.

the man who became a pig

It's a pig, but after some mass printing of pdfs and seemingly billions of google searches..

In /etc/softhsm you need to run some commands to initialise the token database, but in debian there is a typo (/var/car) so that will break everything.

I also added the opendnssec user and group in xml syntax in /etc/opendnssec/conf.xml.

However, I was still getting permission issues from the ods control program with softhsm.conf, so I edited the group file and gave softhsm and opendnssec rights to each other; that then seemed to pass opendnssec's tests.

I have one zoo set up, and opendnssec actually still did not do key rollover.

Once again it seems the stable version might compile but will not do what it is supposed to do. Maybe in another three years this thing might work, but I doubt it.