The Swede in the middle of Silicon Valley

Friday, December 19, 2008

Leaving the US for xmas

It's that time of the year again, xmas. Since my family lives back in Sweden I'm somewhat obligated to go there; (un)luckily enough I have a 10 hour layover in Chicago, so I'll be able to kill some time going downtown with a friend of mine. Should be fun.

Sunday, December 14, 2008

The phone-call of change

Meetings and phone-calls, small ideas that turn into a revolution.

I got a phone-call last Friday, and it will indeed turn things into a revolution.

Stay tuned...

Friday, November 21, 2008

The stupidity of spending money

Since I started getting a decent salary I've turned a blind eye to price tags and a deaf ear to what customer reps are saying, i.e. I never ask or check what something costs.

So tomorrow I'm going to a wedding; a friend of mine is getting married. Since this week has been pretty stressful I didn't get around to it until today. Getting into the store, the reps are friendly as always, show me different options and I select something I think looks good.

After the fitting I go out to the cashier to pay, and as a small surprise the cashier says: that's $1299. Ugh, my credit card has a limit of $700 and my debit card is limited to something similar, so I end up buying a gift card to split the cost on. But oh yeah, that hurt, really bad, especially since I wear suits like once a year. Based on this I owe it to myself to wear it every freaking day.

Yes, I'm stupid and I'll try to start looking at the price tags; for now it's shop-stop for the rest of the year (I've already bought my family's xmas presents).

*sigh*

Sunday, November 2, 2008

Dear Santa Jobs

The other day my colleagues and I were discussing what the next step for the iPhone could be. One of them proposed that it could make sense to integrate the mini-DisplayPort and use the phone as a portable computer. This idea tingled me a lot. If I could carry my actual computer in my pocket, dock it and be ready to run with my data and apps, it would be golden. What might make more sense is to put some of the capabilities in the dock, say the core OS, but let the iPhone do the actual CPU work.

Looking at the technical aspect of this, there might be some possibilities using the Intel Atom CPU, which supports clock frequencies of 800 MHz to 1.87 GHz. The current CPU in the iPhone is an ARM 1176 620@412 MHz. If the iPhone were to use the Atom CPU it could run at a slower clock rate in "phone mode" and faster in "computer mode". Graphics may be a more valid concern; I have some doubts that the PowerVR GPU would be able to handle the 1920x1200 pixels of an Apple Cinema Display.

So please Apple and Mr. Santa Jobs get to work. I bet this would tingle more people than me!

Monday, October 27, 2008

Network and multimedia updates

DRAFT

So I figured it was time for some updates on my home network/multimedia setup since I moved 2 weeks back. As we're now 4 people on the network rather than 1, I've made some slight changes.

Network
The network is controlled by 2 units, my Linux server and an Apple Time Capsule. The Linux server hosts DNS, DHCP, UPnP, NTP, Samba, AFP, NFS, OpenVPN etc.; it also acts as router/gateway/firewall.

The Time Capsule acts as an 802.11n AP and as a switch for the multimedia equipment that requires more bandwidth than ~150 Mbit or that doesn't support wifi.

An issue we stumbled upon when moving in was that nothing in the house was pre-wired. To wire our equipment we would have had to drill etc. To make this easier I started playing with the idea of using wireless bridges, so I picked up an Airport Extreme, giving me an 802.11n wireless bridge and an Ethernet port to connect a switch to. Since my roommates didn't want to spend the $99 we took some old Linksys units we had lying around and flashed them with dd-wrt, which gave us the same functionality. The result: wired connections in every room without any physical labor.

As you may have seen, Boxee was recently released for the AppleTV; it has built-in support for UPnP, supports way more codecs than my PS3 and uses less power. After flashing the ATV with atvusb-creator we were up and running. This didn't really eliminate the need for the iTunes streaming servers I have, since I'm still getting legal content from the iTunes store, but at least I can save some on my power bill by not having to use my PS3 to watch downloaded content.
As far as music goes things are pretty much the same. One nice addition was the Airport Express, which supports AirTunes, allowing me to stream music over the air from any room.



Thursday, September 18, 2008

Updated media setup and streaming

Due to various reasons I've started to extend my multimedia setup at home. Mostly for convenience but also to get a good reason to do some hacking after hours.

As posted earlier here's the physical setup of my multimedia center.


So this is all old news, so let's get to the new stuff. I recently purchased a new server for home to do some hacking on, try out new stuff etc. Until now I haven't really had a good way of distributing media across my devices. For example, if I wanted to watch a divx movie on my projector I either had to run a 25ft cable from my Mac Mini or put the movie on an external hard drive and plug it into my PS3. Sure, this isn't all that much work, but it's still a pain as it could be easier.

The PS3 has a nice feature in that it supports UPnP (Universal Plug and Play), which allows network devices to stream media over a standardized protocol to devices that support it, in this case my PS3. I did some experimenting with this when I initially got my PS3 but it wasn't all that successful.

Today I stumbled upon a new daemon called MediaTomb that works with the PS3's UPnP setup pretty much out of the box (one line of config had to be added). MediaTomb also has a nice feature in that it scans configured folders at a set interval to identify new media content. Other daemons such as Deluge don't, so you have to do it manually each time you want to stream new content.

Now, thanks to a script my colleague and I developed, I start a download, the content is unpacked and placed in an appropriate folder, MediaTomb scans the folder and voila, the media is accessible on my PS3 with only one mouse click at my computer.

The second problem I've been working on this week is getting access to my music library from work. Surely my iPhone is an awesome music player, but I can't drain its battery all day long, and quite honestly iTunes does a better job.

Due to this I started thinking of a networked solution that would let me achieve this goal. First off was me.com, aka .Mac, whose Back to My Mac function allows me to access my disk remotely from any Mac enabled with my .Mac account. I immediately ran into problems with this as it required my firewall to be opened up on the fly; this was solved using the upnpd daemon in Fedora, but I honestly don't want to leave the security of my network to code I haven't investigated and won't investigate further. Secondly, this wasn't all that effective: as I played songs in iTunes I saw delays of up to 30 seconds when changing songs, which is quite painful. Back to My Mac wouldn't let me see mounted shares either.

I figured I had to take another approach, so I decided to install an OpenVPN server at home. As I'm using OS X I was a bit reluctant about this idea, since OpenVPN historically hasn't worked all that well with OS X; luckily most issues have been worked out and it's running smoothly nowadays.

Once I had my OpenVPN connection established I started sharing my content folders using Samba. The reason I chose Samba was easy: it simply works in any OS. Once the share was mounted I started syncing my media in iTunes. The initial sync took a while, but no longer than I expected it to. Once up and running, the song switch was cut from 30 seconds to 2-5 depending on the size of the song. While playing without changing songs manually there was no lag, as iTunes seems to cache the data.

This setup would not have worked prior to iTunes 8, as version 7 had issues with media stored on a network device, labeling all content as unavailable until the user double-clicked every single file. This issue was resolved as of version 8.

The last approach, which I haven't had time to investigate further yet, is running a daap daemon on my server and sharing music as if the server were an iTunes server. The con with this is that you can only share music, nothing else, and it only works with iTunes.

UPDATE: The daap server seems to handle the latency a lot better than the Samba share. Changing songs is instantaneous, but then again, it's music only, so I think I'll stick with Samba.

UPDATE2: Turns out that Samba works really badly with OS X, so I tried NFS and AFP as well. AFP ended up being the best choice as far as OS X clients go; however, I decided to keep NFS and Samba around for non-OS X clients.

So that's it. Below is a diagram of the new setup; if there are any questions feel free to post in the comment section.


A note: as far as the daap connection between my Mac Mini and Apple TV goes, it's all fine and dandy with both music and video. Whichever way Apple has solved it, they've done a good job. My shows are downloaded automatically, stored on my NAS and streamed by my Mac Mini to my Apple TV.

Friday, September 5, 2008

The Panic Button

*ring*....*ring*...*ring*
- "Hello?"

It's 4am and, like too many other nights, something is down.

- "Our call-centers seem to be having issues, can you have a look at them?"
- "Sure..."

I log in and the more I start looking the more things keep crashing, suddenly I crash. I press the PANIC button.

3.59am: I wake up sweaty and scared to death.

I need some vacation....

"For liability reasons, now that I work for Sun: no, our call-centers weren't down; as a matter of fact nothing was down. I just had a nightmare about work and it was awfully realistic."

Saturday, July 19, 2008

New multimedia installation

So I made the decision to buy a Playstation 3, unfortunately my existing multimedia setup at home didn't cut it so I had to buy a new speaker system as well. After looking around and talking to friends I decided on the Logitech Z-5500 system.

Since I'm starting to get a significant amount of systems at home I decided to put together a diagram for the connections.

I'll post further updates as I receive my equipment.

Sunday, July 6, 2008

Appetizer #2

Scallops with shrimp-omelet and spinach stew.

Saturday, June 21, 2008

Appetizer

Egg with caviar and shrimp.



Monday, June 16, 2008

Diskless linux boot

DRAFT!

Prep DHCP

# yum install dhcp

# emacs /etc/dhcpd.conf

allow bootp;
allow booting;

ddns-update-style interim;
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.10 192.168.0.254;
default-lease-time 3600;
max-lease-time 4800;
option routers 192.168.0.1;
option domain-name-servers 192.168.0.1;
option subnet-mask 255.255.255.0;

filename "pxelinux.0";
next-server 192.168.0.1;
}

Prep TFTP
# yum install tftp-server dhcp syslinux
# emacs /etc/xinetd.d/tftp
disable = no

# mkdir /tftpboot/pxelinux.cfg
# cp /usr/lib/syslinux/pxelinux.0 /tftpboot/

# cd /tftpboot/pxelinux.cfg
# emacs 01-ff-ff-ff-ff-ff-ff
prompt 0
default linux
timeout 1000

label linux
kernel vmlinuz-.nfsboot.
append init=/sbin/init root=/dev/nfs nfsroot=192.168.0.1:/nfsroot/slave1 ip=192.168.0.254:192.168.0.1:192.168.0.1:255.255.255.0 noapic acpi=off

(The config file name is 01- followed by the client's MAC address in lowercase hex, dash separated. nfsroot= takes server:path, and the client's own address goes in ip=client:server:gateway:netmask, matching the NFS export below; the original draft had these two options mixed into one.)


Install CHROOT environment

# mkdir -p /nfsroot/slave1
# emacs installslave.sh

#!/bin/sh
# Bootstrap a minimal Fedora root filesystem for the diskless client under $MYCHROOT.
MYCHROOT=/nfsroot/slave1

mkdir -p $MYCHROOT/etc $MYCHROOT/dev $MYCHROOT/proc $MYCHROOT/sys
mkdir -p $MYCHROOT/var/cache/yum/fedora $MYCHROOT/var/cache/yum/updates

# Reuse the host's mirror lists so yum inside the chroot doesn't have to fetch them.
cp /var/cache/yum/fedora/mirrorlist.txt $MYCHROOT/var/cache/yum/fedora/
cp /var/cache/yum/updates/mirrorlist.txt $MYCHROOT/var/cache/yum/updates/

cp -r /etc/yum* $MYCHROOT/etc
touch $MYCHROOT/etc/fstab

# Minimal device node needed during package installation.
mknod $MYCHROOT/dev/null c 1 3
chmod 666 $MYCHROOT/dev/null

mount --bind /proc $MYCHROOT/proc
mount --bind /sys $MYCHROOT/sys

yum --installroot=$MYCHROOT groupinstall "Base"

umount $MYCHROOT/proc
umount $MYCHROOT/sys

# sh installslave.sh

NFS
# emacs /etc/exports
/nfsroot/slave1 192.168.0.254(rw,no_all_squash,no_root_squash)

Build kernel
$ su -c 'yum install yum-utils rpmdevtools'
$ rpmdev-setuptree
$ yumdownloader --source kernel
$ su -c 'yum-builddep kernel-.src.rpm'
$ rpm -Uvh kernel-.src.rpm
$ cd ~/rpmbuild/SPECS
$ rpmbuild -bp --target=`uname -m` kernel.spec
$ cd ~/rpmbuild/BUILD/kernel-/linux-./
$ cp configs/ .config
$ make oldconfig
$ make menuconfig
$ cp .config ~/rpmbuild/SOURCES/config-
$ cd ~/rpmbuild/SPECS
$ emacs kernel.spec
%define buildid .nfsboot

$ rpmbuild -bb --with baseonly --without debuginfo --target=`uname -m` kernel.spec
$ cp ~/rpmbuild/RPMS//kernel-..rpm /nfsroot/slave1
# chroot /nfsroot/slave1
# rpm -ivh ~/rpmbuild/RPMS//kernel-..rpm
# exit
# cp /nfsroot/slave1/boot/vmlinuz-.nfsboot. /tftpboot


# emacs /nfsroot/slave1/etc/rc.local
/bin/mount 192.168.0.1:/nfsroot/slave1 /

pwconv

http://www.digitalpeer.com/id/linuxnfs
http://fedoraproject.org/wiki/Docs/CustomKernel

Thursday, June 12, 2008

Wednesday, June 4, 2008

Automatic update of DNS with Time Capsule and BIND dyndns

I doubt that anyone has the same setup as I have, but anyhow here's a script I made to update the DNS record of my home server:

To get a sense of what the script is doing let me explain my setup.

I have a hosted server where I host all my domains. One of the records is pointing at my home server. As this server is on a consumer Internet connection it tends to change IP every now and then, which can be a pain in the neck when you need to access it from a remote location and don't know the IP.

So what this script is doing is:
- Pulls IP information from my Time Capsule (which is also my router).
- Compares the IP information with a file containing the last known IP; if this file doesn't exist it is created once the updates are finished.
- Provided that the IP pulled from the Time Capsule doesn't match the last known IP, the script logs into my DNS server and executes a script that updates the record pointing at my home server.
- Once an update is finished it sends an email to AT&T, which is converted to an SMS with me as the recipient.

This runs with cron every minute.

#!/usr/bin/perl
use strict;
use warnings;

my $oldip_file = "/root/oldip";

# Ask the Time Capsule (192.168.1.1) for the first entry in its IP address table.
# The output looks like: IP-MIB::ipAdEntIfIndex.1.2.3.4 = INTEGER: 2
open(SNMP, "/usr/bin/snmpgetnext -cpublic -v1 192.168.1.1 IP-MIB::ipAdEntIfIndex |")
    or die "cannot run snmpgetnext: $!";
my $data = "";
while (<SNMP>) {
    $data = $_;
}
close SNMP;

# The address is the four dot-separated fields following the OID name.
my @ip = split(/\.|\s/, $data);
my $ip = join(".", @ip[1 .. 4]);
# Refuse anything that isn't a plain dotted quad before it reaches a shell command.
die "unexpected snmp output: $data" unless $ip =~ /^\d{1,3}(\.\d{1,3}){3}$/;

# Last known IP, if the file exists yet (an empty string forces an update on the first run).
my $oldip = "";
if (open(my $fh, "<", $oldip_file)) {
    $oldip = <$fh>;
    close $fh;
    $oldip = "" unless defined $oldip;
    chomp $oldip;
}

if ($ip ne $oldip) {
    # Update the record on the DNS server (host name elided in the post).
    system("ssh", "-i", "/root/.ssh/id_rsa.dnsadmin", "dnsadmin\@****",
           "/home/dnsadmin/scripts/update.sh $ip");
    # Send an SMS through AT&T's email-to-SMS gateway (number elided in the post).
    if (open(my $mail, "|-", "sendmail", "408*******\@txt.att.net")) {
        print $mail "**** has a new IP $ip\n";
        close $mail;
    }

    open(my $out, ">", $oldip_file) or die "cannot write $oldip_file: $!";
    print $out $ip;
    close $out;
}


If blogspot has mangled the <SNMP> filehandle above into "< SNMP >" (it thinks this is an HTML tag and won't let me post it otherwise), remove the spaces before using the script.

Saturday, May 3, 2008

BIND: Semi-dual master


Lately I've tried to figure out a couple of ways to have a redundant master setup of BIND. BIND itself doesn't have any features to support this, which has been bothering me, as it would be useful to fail over to a secondary master.

After numerous discussions on the bind-users list I've reached a conclusion on how I would do it, described in the picture to the right.

BIND slaves are able to notify other slaves when changes occur. To utilize this I would have one primary master and a secondary master which acts as a slave towards the primary. Neither of these servers would allow queries from clients, but they would feed the slave servers acting as DNS servers for clients on the network.

Unfortunately this doesn't solve the entire problem, as a slave zone doesn't accept options such as allow-update or update-policy. The best way to solve this is most likely going to be some kind of script syncing the primary's config to a standby file at the secondary.

I'll be working on this solution the coming weeks and post further info I gather along the way.

Friday, March 14, 2008

Sometimes you just want to kill yourself

Yes, sometimes you want to kill yourself and take others with you in the fall.

Since I came home today I've spent a great deal of time trying to get Samba, OpenLDAP and BIND to cooperate as an Active Directory server. Historically I've dealt a great deal with Active Directory servers and I like the idea behind it, but I've never liked the implementation.

Anyhow, as I was reading up on how AD works and how to implement it I just realized minute by minute what a horrible LDAP implementation AD is. Surely I knew this before I started off but can someone really make LDAP _this_ bad?

Anyhow, 5 hours into it I gave up, I would describe the experience as trying to touch your toes with your hands when standing up. I bet there's someone who can do it but it's simply not normal!

To move on I was going to implement IPsec (the horrible VPN protocol) on the same server, but no-no, you can't run IPsec off one single interface, it has to be two. Intelligent ideas such as bridging are something completely unknown to IPsec.

So to sum up:
I'm not running any Windows computers so I really don't have a need for AD, I just wanted to see how it could be done.
IPsec: I was planning to run this along with OpenVPN, but why bother, OpenVPN is sure as hell a much better choice in all categories.

Conclusion: Proprietary and old network standards can go to hell. Long live open source and innovation!

Tuesday, March 4, 2008

So what's happened to me due to the acquisition

As you may know, Sun Microsystems has acquired MySQL as of Q1 this year. The first things that came to my mind because of this were: Do I have a job? Do I get to stay in the US? If not, can I work in Sweden?

So last week I received an offer letter from Sun: I get to stay 9 months and get a decent raise on top of it.

So where does this leave me? Surely I might be out of a job in 9 months, or I may find something within or outside Sun. Overall I think it's exciting to be part of a merger of two open source companies, but I'm sad about losing the general MySQL spirit that has been with us for so long. Hopefully we'll be able to affect Sun with our spirit and create something great together.

3 firstnames?

I've had a couple of interesting days lately dealing with different governmental departments.

Somehow I managed to find out that I was supposed to inform the Swedish national registration that I've emigrated to the USA, so I ended up sending them an email informing them about this.

A couple of weeks later I received a snail-mail stating that the process was finished, but I noticed something that I found odd. The section stating my first, middle and last name didn't have any fields for my middle names; they were all written as first names. Seems odd, right? So I decided to check this up, and after a couple of emails back and forth the national registration verified that I don't have any middle names, I just have first names, and 3 of them!

Now this was getting complicated, as the name I use is Jonathan, but this is actually my third first name, so on all my documents it says "name1 name2 Jonathan Petersson". Overall this has worked out fine since I came to the US, both with immigration, social security, banks etc.; I was simply Jonathan. But the DMV didn't agree at all: my name was clearly my first first name.

Based on this I now have to go through a horde of paperwork, AGAIN! Renew my social security, notify all agencies, get new contracts and so on just because I was using my de facto firstname.

Luckily enough Sun (yeah, Sun bought MySQL if you didn't know) has a splendid immigration department and it seems like they will be able to solve all the issues for me.

So overall, don't think your name is X, it might be Y, it took me 20 years to get to know about it.

Saturday, March 1, 2008

Saturday, February 2, 2008

How to enable BIND with DNSSEC and Secure Dynamic Update using SIG(0)

For the last couple of days I've been struggling to figure out how to get DNSSEC with SDU (Secure Dynamic Updates) to work using SIG(0) keys. I was almost at the point of giving up when a colleague of mine proposed trying it out on RHEL 5.1 and filing a bug report with Red Hat, and so I did, only to be surprised that it worked perfectly fine.

Since I've spent so much time on this I decided to blog about how to do it. I hope someone gets some use out of this post.

First off please notice that this configuration was made using:

Red Hat Enterprise Linux Server release 5.1 (Tikanga)
Linux dl360-g5-i.mysql.com 2.6.18-53.1.6.el5 #1 SMP Wed Jan 16 03:56:43 EST 2008 i686 i686 i386 GNU/Linux
bind-chroot-9.3.3-10.el5



I can not guarantee that it will work with whatever setup you're using!

The tools used to enable DNSSEC and SDU are:

  • dnssec-keygen
  • dnssec-signzone
  • nsupdate
First off, we need to configure named.conf. Here's an example configuration:

options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";

    version "secret";

    querylog yes;

    allow-transfer { 127.0.0.1; };

    key-directory "/etc/keys";
};

logging {
    channel my_security_channel {
        file "/var/logs/named_log.txt" versions 20 size 40m;
        print-time yes;
        severity debug 2;
    };

    channel my_dynamic_channel {
        file "/var/logs/dynamic_log.txt" versions 2 size 40m;
        print-time yes;
        severity debug 65535;
    };

    // both channels receive everything not matched by a more specific category
    category default { my_security_channel; my_dynamic_channel; };

    category client { my_dynamic_channel; };
    category config { my_dynamic_channel; };
    category database { my_dynamic_channel; };
    category delegation-only { my_dynamic_channel; };
    category dispatch { my_dynamic_channel; };
    category dnssec { my_dynamic_channel; };
    category general { my_dynamic_channel; };
    category lame-servers { my_dynamic_channel; };
    category network { my_dynamic_channel; };
    category notify { my_dynamic_channel; };
    category queries { my_dynamic_channel; };
    category resolver { my_dynamic_channel; };
    category security { my_dynamic_channel; };
    category unmatched { my_dynamic_channel; };
    category update { my_dynamic_channel; };
    category update-security { my_dynamic_channel; };
    category xfer-in { my_dynamic_channel; };
    category xfer-out { my_dynamic_channel; };
};

view "internal" {
    match-clients { 127.0.0.1; };

    recursion yes;
    allow-recursion { localhost; };

    zone "example.com" IN {
        type master;
        file "data/example.com.db.signed";
        update-policy {
            grant example.com subdomain example.com. any;
        };
    };
};

include "/etc/rndc.key";


This configuration is pretty straightforward and doesn't have too many elements to it, but to a new user some of them may be unfamiliar.

version "secret";
First off we want to make sure that a potential intruder isn't aware of which version of BIND we're using. If an intruder knows the flaws in a certain version of BIND, we're taking the risk of being exploited.

key-directory "/etc/keys"
BIND needs to be aware of your private keys when doing updates; otherwise the changes you make will not be signed and you'll have to manually re-sign the zone, which defeats the purpose of dynamic updates.

logging
When dealing with DNSSEC it's important to know what's going on. In the example configuration pretty much all logging is enabled to give us a wide picture of the connections and data transfers passing to and from the server. Not all of it is necessary, but logs are always more useful than one thinks.

view "internal"
This element isn't really necessary in this simple setup, but if you have a DNS server that hosts different zones for different networks (external/internal) it is crucial for not leaking your internal zones. It also makes sure the right clients get the right data.

recursion yes;
Recursion allows clients to resolve domains and hosts that your server isn't authoritative for. This isn't necessary in this example but can be useful.

allow-recursion { localhost; };
This is yet another element which isn't necessary in this setup, but it's important to know that you don't want recursion enabled for anyone but trusted sources. Your DNS server should only answer for your own domains unless it's internal or intended to serve recursive queries.

file "data/example.com.db.signed"
Usually you would probably use something like example.com.db, but when signing the zone file the output gets a .signed suffix. There is, however, a flag in dnssec-signzone letting you decide the output file name, so it's really up to you whether you want to use the .signed suffix or not.

update-policy
To do dynamic updates we need permission to do so. The grant statement tells BIND what each key is allowed to change. There are multiple options for this, but for now we want this key to be able to change anything in the zone.

Now that we have a configured named.conf we want to create a couple of directories for the files to be placed in. In this example we're using the chrooted package from Red Hat; notice that your setup might be different.

First off we want to create directories for the keys and log files:
mkdir /var/named/chroot/var/logs
mkdir /var/named/chroot/etc/keys
Followed by that are a couple of symlinks to make our life easier when accessing files:
ln -s /var/named/chroot/etc/named.conf /etc/named.conf
ln -s /var/named/chroot/etc/keys /etc/keys
We also need to make sure that BIND has full permission on the folders, otherwise it won't be able to pick up the necessary keys:
chown -R named:named /var/named/chroot/var/logs
chown -R named:named /var/named/chroot/etc/keys
Now that we have all of the directories available we need to create a zone file. Go to /var/named/chroot/var/named/data and open up your favorite editor. When you're in the editor you want to put in the following conf:
$ORIGIN .
$TTL 3600 ; 1 hour
example.com IN SOA ns1.example.com. hostmaster.example.com. (
        2008020201 ; serial
        7200       ; refresh
        3600       ; retry
        604800     ; expire
        3600       ; minimum
        )
        NS ns1.example.com.
$ORIGIN example.com.
ns1 A 127.0.0.1
Remember that your settings may vary.

As we're finished with the zone file we need to create a couple of keys, one for DNSSEC and one for SDU. The reason we have two different keys is that DNSSEC uses DNSKEY records while SDU uses KEY records. This also adds an additional layer of security by separating signing from updating.

To create the keys go to your key folder /etc/keys and execute the following commands:
dnssec-keygen -a rsasha1 -b 1024 -n zone example.com
dnssec-keygen -k -a rsasha1 -b 1024 -n zone example.com
The first command generates the key you need to sign your zone, while the second generates the key for the updates. When finished you'll have four files: a Kexample.com.+005+12345.private and a matching .key file for each of the two keys, where 12345 stands for the key id dnssec-keygen assigned.

What we need to do now is to add our DNSKEY and KEY to our zone file, you can either copy and paste the content in the .key files or execute the following command:
cat /etc/keys/Kexample.com.*.key >> /var/named/chroot/var/named/data/example.com.db
You'll now have two entries at the bottom of the zone file looking similar to this:
example.com. IN KEY 256 3 5 AwEAAcldVDO9D1NM7zVCOt2hrXoKJw8Vd2O37N5ykJcK2ODgDlCnXo6R lt/HjzIPZq4A04a0X/9AJVpDk8sZQP4kkbcv4WkXpmKSFJyhIW3B7b+k ouWnyPkym0EEFrSmIaKKQw4asMaH2Ei\
WBpOEWPeFWRtD2lX8YZRVm1tE Si8GH/oT
example.com. IN DNSKEY 256 3 5 AwEAActFWDC3bvmy6U5URVjz+EzmP/vbkUu8c0SUPpce3mv11DptfEo9 +BiY3A0NUPNfLXgIH1h75A6ZUPDBGApU54NsYJNo9bBPlcvWj7MA0VX6 wdPODqUNhuRfVrA8a3nuUC0PzSN1\
wC+sl396P91sWq9lYbYLjujm/nEg tREih0EB
We're now ready to sign our zone.

Go to your data directory /var/named/chroot/var/named/data/. It's now important that you sign with the correct key: compare the content of both .key files and note the name of the one containing the DNSKEY record; that is the key we're going to use to sign our zone.
To sign the zone execute the following command:
dnssec-signzone -t -g -o example.com example.com.db /etc/keys/Kexample.com.+005+12345.private
This should give you an output that's similar to this:
example.com.db.signed
Signatures generated: 21
Signatures retained: 0
Signatures dropped: 0
Signatures successfully verified: 0
Signatures unsuccessfully verified: 0
Runtime in seconds: 0.114
Signatures per second: 182.734
If you get the error message dnssec-signzone: cannot load dnskey /etc/keys/Kexample.com.+005+26385.private: bad key type
you tried to use the wrong key (the KEY pair meant for updates instead of the DNSKEY pair).

After running the command you'll have 3 new files in the data directory:
  • example.com.db.signed
  • dsset-example.com
  • keyset-example.com

The one that's of interest for us is the example.com.db.signed file which should look similar to this:
$ORIGIN .
$TTL 3600 ; 1 hour
example.com IN SOA ns1.example.com. hostmaster.example.com. (
2008020202 ; serial
7200 ; refresh (2 hours)
3600 ; retry (1 hour)
604800 ; expire (1 week)
3600 ; minimum (1 hour)
)
RRSIG SOA 5 2 3600 20080304065047 (
20080203055047 51525 example.com.
TZNrgK8y35vEcDrB4pMVvf0+nV5HRcL+9gQvfxrlPV6F
rt9+8WjSQTug63G3YdpEWIPXB1hZvgovpWRrK6MsImex
Vvx8US59jJLjjQowG7DiD2XYcfg23ufgHfpNv71X0QuM
ZkyntzvGOL7wn+SgbJDglersJkbKJzFv5FJrBks= )
NS ns1.example.com.
RRSIG NS 5 2 3600 20080304054131 (
20080203054131 51525 example.com.
hTQF3MyTnlvfkvSCtUAvQltzyIo5vvo3K33cDzD+Ahc2
z9hBelkGLZu6XO0B3bvWLbzKzCFkUVjjMDtWPMnd3Srx
RGqspo1HGqvU0gT6W6OTXeevgKbcHZ0Ctt6gDF03EgEI
qmAlWlpRhWMCdgJ7XhM41fvsSE7LdiKsiX3XrE8= )
KEY 256 3 5 (
AwEAAcldVDO9D1NM7zVCOt2hrXoKJw8Vd2O37N5ykJcK
2ODgDlCnXo6Rlt/HjzIPZq4A04a0X/9AJVpDk8sZQP4k
kbcv4WkXpmKSFJyhIW3B7b+kouWnyPkym0EEFrSmIaKK
Qw4asMaH2EiWBpOEWPeFWRtD2lX8YZRVm1tESi8GH/oT
) ; key id = 17781
RRSIG KEY 5 2 3600 20080304054131 (
20080203054131 51525 example.com.
YpfIG5nM45Ty3HSpD0sGbeM84WhNCtVP9wayQPt9F6zd
6Tdu+NanfoAdiQ0oIDTd5nLToTk81sihcNClvAHPwpff
VtkQ2g+vEjJuPEL53vN6WL81Fh//a+6P8O410wxNGajC
rrYt5WI2bId8SJ+Sw0kzBgzxRoH+7F1+/O3zL2o= )
NSEC ns1.example.com. NS SOA KEY RRSIG NSEC DNSKEY
RRSIG NSEC 5 2 3600 20080304054131 (
20080203054131 51525 example.com.
rcQlAb+bS62KuNA4EpFFKpbmy+bFxw3sSZO+unB4CmM1
5PycFPbFm4m2+OQLoy20IM85ugszUsReOfCtEe/JEe6Q
eEQGm/JmFnQJ2mf5yYn4cN+DId8+FVwG6kvIcjCjmNbC
pz7NWYdM1lbeBFASIXF+es9rSg4kjSmJmS2f5Pg= )
DNSKEY 256 3 5 (
AwEAActFWDC3bvmy6U5URVjz+EzmP/vbkUu8c0SUPpce
3mv11DptfEo9+BiY3A0NUPNfLXgIH1h75A6ZUPDBGApU
54NsYJNo9bBPlcvWj7MA0VX6wdPODqUNhuRfVrA8a3nu
UC0PzSN1wC+sl396P91sWq9lYbYLjujm/nEgtREih0EB
) ; key id = 51525
RRSIG DNSKEY 5 2 3600 20080304054131 (
20080203054131 51525 example.com.
mkegJTmyMG6uEC9DkG7KUExvHOj3q2iDgaEmw7o9RB1s
ETUvwd8uteCH13TvBZ3EXMxdpEFaE4EhccYIArUlqarA
z1kzeCyslyIGS4TwsZTR94/cQY8F6Yv8cv8u+ISxSoO+
hZCLXOrQ9wyMhx82smT/NycwvLzHxtgikvWLWw4= )
$ORIGIN example.com.
ns1 A 127.0.0.1
RRSIG A 5 3 3600 20080304054131 (
20080203054131 51525 example.com.
BzvAbDGuu4rEE6kDjXehVIULkGajBJXF/B6D27k9DWIH
9MJ/vi9frE/E4jLz/frY3rHdDgtolGX05SphuEsFdmMo
G1a1yQIvfJVHY5L0Xc03qMquhsXVd5yJS5DwyxEZuxqZ
DMgeLjp0bm9M1FabOhpIcm4gQqu5JTxHo/5CEtw= )
NSEC testing A RRSIG NSEC
RRSIG NSEC 5 3 3600 20080304065047 (
20080203055047 51525 example.com.
tNNunF81mxfWJaUYtwtAkirNaV7J9cUKni7pZTL2FAMi
kmQDnTKQUP5a4nogDT9zB0gRxr0pL1lpVC3vSV7tJAl7
t7/R9DE6wO7I3VA08wTyKc2k9rS0xA06C4SPwWJGHZXl
nxxck4gAunaum+FXlqnY9YILnCbapWlCQGTkCa8= )
testing CNAME example.com.
RRSIG CNAME 5 3 3600 20080304065047 (
20080203055047 51525 example.com.
RknsWLMnxfD1ixiNezyHNLRSK/GKf19N9EXvQopa7pji
ziyqf3uYWKrJtnGQoe8vdpy8GbTrWw5ZzdxlYVe66cGC
q+saQEc9KdTOo6kDCH7WrXnY9Tko6+tPTZqM61XvyLQa
BqZKKi6bkktJv6orhbyx4KuyFdVTL/wW4h3HpUs= )
NSEC example.com. CNAME RRSIG NSEC
RRSIG NSEC 5 3 3600 20080304065047 (
20080203055047 51525 example.com.
GtV/5WFPMph2EVoPNe/fbhOxZG8sANoAw4GayI1esMqV
qTshx4yWlJt02TTtNc4AsAjk6NBi7ctQWXgtHitDeAzJ
pRhImA9RRY082WkG2GCCVCf4a/ldcf4SQt6E3C6wj+5P
iI+Uz4BjAAEHxfT7mB19m1YLo7MVhxlKe6QFW1c= )

Our zone is now signed and we can start BIND.
/etc/init.d/named start
If the startup script complains about anything, have a look at the permissions and the config file.

As we're up and running we're now ready to run a Secure Dynamic Update. For this we'll be using nsupdate: -k points it at the private half of the SIG(0) key (the matching KEY record is published at the zone apex, which is how named verifies the signature), -v sends the update over TCP and -d prints the messages sent and the replies received.

To add a new A record execute the following:
nsupdate -d -v -k /etc/keys/Kexample.com.+005+12345.private
server 127.0.0.1
zone example.com
update add testing.example.com. 3600 A 127.0.0.1
show
send
show
Provided that you have the permissions and configuration right you should see something like this (this particular capture is from a run that added a CNAME for testing2.example.com instead of the A record above; the shape of the exchange is the same):
Creating key...
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags: ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
testing2.example.com. 3600 IN CNAME example.com.

Sending update to 127.0.0.1#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 61419
;; flags: ; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;example.com. IN SOA
;; UPDATE SECTION:
testing2.example.com. 3600 IN CNAME example.com.
;; SIG0 PSEUDOSECTION:
. 0 ANY SIG 0 5 0 0 20080203081438 20080203080438 17781 example.com. aa+FdvAx/qpSSHEO2SHFeG+dSWgJ3L81UfLOeyxA2QkxEJV6pHrCL34k eBs2W/Ay7KPL7UMd/OAyVo1tjotbeNFkbO8O/+/sBltNttHOOYg6W4Cf gvOX3z/OwGqVQiu2OluRGsu7tN3LEl4IlgJMChIg1yJ+xl7bSaoa8QQI OmU=

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 61419
;; flags: qr ra ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags: ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0

You've now added the A record dynamically to your zone! The first "Outgoing update query" is what the show command printed before send (hence all counts are 0); the second is the message that went on the wire, signed with SIG(0) by key 17781, and the reply with status NOERROR is the server accepting it. A REFUSED here means the key is not permitted by the zone's allow-update or update-policy.
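The exchange above is easy to misread, so here is an added example (my code, not from the original post) that parses the output of nsupdate -d and reports whether the message that actually went on the wire carried a SIG(0) signature and whether the server accepted it. The samples inside are constructed, modelled on the run above but for the A record of testing.example.com, with the base64 signature shortened. The REFUSED variant is what a key the zone does not trust produces; the unsigned variant deliberately keeps the NOERROR reply, because an unsigned update that comes back accepted means allow-update is wide open.

```python
"""Check `nsupdate -d` output for a signed, accepted update.

Added example, not code from the original post: it parses the text nsupdate
prints with -d, finds the message that went on the wire (the one with ZONE: 1),
confirms it carried a SIG(0) signature and checks that the reply is NOERROR with
a matching message id. The samples are constructed, modelled on the post's run.
"""
import re
from datetime import datetime

HEADER_RE = re.compile(r";; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
COUNTS_RE = re.compile(r"ZONE: (\d+), PREREQ: (\d+), UPDATE: (\d+), ADDITIONAL: (\d+)")
SECTION_RE = re.compile(r";; (\w+) (?:PSEUDO)?SECTION:")
# SIG(0) RDATA: type-covered(0) alg labels orig-ttl expiration inception key-tag signer signature
SIG0_RE = re.compile(r"^\. 0 ANY SIG 0 (\d+) \d+ \d+ (\d{14}) (\d{14}) (\d+) (\S+) \S")
TIME_FMT = "%Y%m%d%H%M%S"

SAMPLE_OK = """Creating key...
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags: ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
testing.example.com. 3600 IN A 127.0.0.1

Sending update to 127.0.0.1#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 61419
;; flags: ; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;example.com. IN SOA
;; UPDATE SECTION:
testing.example.com. 3600 IN A 127.0.0.1
;; SIG0 PSEUDOSECTION:
. 0 ANY SIG 0 5 0 0 20080203081438 20080203080438 17781 example.com. aa+FdvAx/qpSSHEO2SHFeG+dSWgJ3L81UfLOeyxA2QkxEJV6pHrCL34k OmU=

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 61419
;; flags: qr ra ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags: ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
"""
# Constructed failure modes: the server rejects the key (REFUSED), and a run
# without -k whose unsigned update is nevertheless accepted (a misconfiguration).
SAMPLE_REFUSED = SAMPLE_OK.replace("status: NOERROR, id: 61419\n;; flags: qr ra",
                                   "status: REFUSED, id: 61419\n;; flags: qr ra")
SAMPLE_UNSIGNED = re.sub(r";; SIG0 PSEUDOSECTION:\n\. 0 ANY SIG .*\n", "",
                         SAMPLE_OK).replace("ADDITIONAL: 1", "ADDITIONAL: 0")


def parse_messages(text):
    """Split the debug output into messages: header fields, flags, section counts, section lines."""
    messages, current = [], None
    for line in text.splitlines():
        if line in ("Outgoing update query:", "Reply from update query:"):
            current = {"kind": line.split()[0].lower(), "flags": [], "counts": {},
                       "sections": {}, "section": None}
            messages.append(current)
            continue
        if current is None or line.startswith("Sending update to"):
            current = None  # text between messages belongs to no section
            continue
        m = HEADER_RE.search(line)
        if m:
            current.update(opcode=m.group(1), status=m.group(2), id=int(m.group(3)))
            continue
        if line.startswith(";; flags:"):
            flags, _, rest = line[len(";; flags:"):].partition(";")
            current["flags"] = flags.split()
            c = COUNTS_RE.search(rest)
            if c:
                current["counts"] = dict(zip(("zone", "prereq", "update", "additional"),
                                             map(int, c.groups())))
            continue
        s = SECTION_RE.match(line)
        if s:
            current["section"] = s.group(1)
            current["sections"][s.group(1)] = []
        elif current["section"] and line.strip():
            current["sections"][current["section"]].append(line)
    return messages


def sig0_window_seconds(inception, expiration):
    """Validity window of the SIG(0), in seconds (nsupdate signs with a short window)."""
    return int((datetime.strptime(expiration, TIME_FMT)
                - datetime.strptime(inception, TIME_FMT)).total_seconds())


def check_update(text):
    """Verdict: was the wire message SIG(0)-signed, and did the server accept it?"""
    msgs = parse_messages(text)
    # `show` prints a message with ZONE: 0; the one actually sent carries the zone section.
    sent = next((m for m in msgs if m["kind"] == "outgoing" and m["counts"].get("zone")), None)
    reply = next((m for m in msgs if m["kind"] == "reply"), None)
    verdict = {"signed": False, "algorithm": None, "key_tag": None, "signer": None,
               "sig_window_seconds": None, "status": None, "id_match": False, "accepted": False}
    if sent is None or reply is None:
        return verdict
    for line in sent["sections"].get("SIG0", []):
        m = SIG0_RE.match(line)
        if m:
            alg, exp, inc, tag, signer = m.groups()
            verdict.update(signed=True, algorithm=int(alg), key_tag=int(tag), signer=signer,
                           sig_window_seconds=sig0_window_seconds(inc, exp))
    verdict["status"] = reply.get("status")
    verdict["id_match"] = reply.get("id") == sent.get("id")
    verdict["accepted"] = (verdict["signed"] and verdict["id_match"]
                           and verdict["status"] == "NOERROR" and "qr" in reply["flags"])
    return verdict
```

Feed check_update the combined output of nsupdate -d and look at accepted; when it is False, the keys signed, status and id_match tell you which side failed (no -k, a key the zone does not trust, or a reply that does not belong to your query).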

If you have a look in the log-file /var/named/chroot/var/logs/dynamic_log.txt you should see something similar to this. The excerpt below is the zone transfer from the verification step further down, so it also shows what the zone looks like after the update. Two things are worth noticing: named logs the AXFR request as "not signed" and approves it anyway, so restrict allow-transfer before this server faces anything but localhost; and the RRSIGs on the new testing.example.com records, on the NSEC records of testing and of its predecessor ns1, and on the SOA carry a later inception time (20080203071335) than the rest of the zone (20080203054131). named re-signed them itself when it applied the update, and bumped the serial to 2008020206.

03-Feb-2008 09:13:39.364 client 127.0.0.1#48060: TCP request
03-Feb-2008 09:13:39.364 client 127.0.0.1#48060: view internal: using view 'internal'
03-Feb-2008 09:13:39.364 client 127.0.0.1#48060: view internal: request is not signed
03-Feb-2008 09:13:39.364 client 127.0.0.1#48060: view internal: recursion available
03-Feb-2008 09:13:39.364 client 127.0.0.1#48060: view internal: query
03-Feb-2008 09:13:39.364 client 127.0.0.1#48060: view internal: AXFR request
03-Feb-2008 09:13:39.364 client 127.0.0.1#48060: view internal: transfer of 'example.com/IN': AXFR question section OK
03-Feb-2008 09:13:39.364 client 127.0.0.1#48060: view internal: transfer of 'example.com/IN': AXFR authority section OK
03-Feb-2008 09:13:39.364 client 127.0.0.1#48060: view internal: zone transfer 'example.com/AXFR/IN' approved
03-Feb-2008 09:13:39.364 client 127.0.0.1#48060: view internal: ns_client_attach: ref = 1
03-Feb-2008 09:13:39.364 client 127.0.0.1#48060: view internal: transfer of 'example.com/IN': AXFR started
03-Feb-2008 09:13:39.364 example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2008020206 7200 3600 604800 3600
03-Feb-2008 09:13:39.364 example.com. 3600 IN RRSIG SOA 5 2 3600 20080304081335 20080203071335 51525 example.com. ars67v4wWyWVuf/HPPfScgSUvGi7lX+qq0+nzMq8+uoeSUBkg4d8OHn6 FZ39YVVie4CQ/aV8J4aanwnrPnbuHeDEODuYr4btXpZRsF4WtsCfesyH ZhzqzKw04GS90/NNlAIedT+r0ZsCkkLR8kon4LecEyo8qPqbO3aUuX2I FgY=
03-Feb-2008 09:13:39.364 example.com. 3600 IN NS ns1.example.com.
03-Feb-2008 09:13:39.364 example.com. 3600 IN RRSIG NS 5 2 3600 20080304054131 20080203054131 51525 example.com. hTQF3MyTnlvfkvSCtUAvQltzyIo5vvo3K33cDzD+Ahc2z9hBelkGLZu6 XO0B3bvWLbzKzCFkUVjjMDtWPMnd3SrxRGqspo1HGqvU0gT6W6OTXeev gKbcHZ0Ctt6gDF03EgEIqmAlWlpRhWMCdgJ7XhM41fvsSE7LdiKsiX3X rE8=
03-Feb-2008 09:13:39.365 example.com. 3600 IN KEY 256 3 5 AwEAAcldVDO9D1NM7zVCOt2hrXoKJw8Vd2O37N5ykJcK2ODgDlCnXo6R lt/HjzIPZq4A04a0X/9AJVpDk8sZQP4kkbcv4WkXpmKSFJyhIW3B7b+k ouWnyPkym0EEFrSmIaKKQw4asMaH2EiWBpOEWPeFWRtD2lX8YZRVm1tE Si8GH/oT
03-Feb-2008 09:13:39.365 example.com. 3600 IN RRSIG KEY 5 2 3600 20080304054131 20080203054131 51525 example.com. YpfIG5nM45Ty3HSpD0sGbeM84WhNCtVP9wayQPt9F6zd6Tdu+NanfoAd iQ0oIDTd5nLToTk81sihcNClvAHPwpffVtkQ2g+vEjJuPEL53vN6WL81 Fh//a+6P8O410wxNGajCrrYt5WI2bId8SJ+Sw0kzBgzxRoH+7F1+/O3z L2o=
03-Feb-2008 09:13:39.365 example.com. 3600 IN NSEC ns1.example.com. NS SOA KEY RRSIG NSEC DNSKEY
03-Feb-2008 09:13:39.365 example.com. 3600 IN RRSIG NSEC 5 2 3600 20080304054131 20080203054131 51525 example.com. rcQlAb+bS62KuNA4EpFFKpbmy+bFxw3sSZO+unB4CmM15PycFPbFm4m2 +OQLoy20IM85ugszUsReOfCtEe/JEe6QeEQGm/JmFnQJ2mf5yYn4cN+D Id8+FVwG6kvIcjCjmNbCpz7NWYdM1lbeBFASIXF+es9rSg4kjSmJmS2f 5Pg=
03-Feb-2008 09:13:39.365 example.com. 3600 IN DNSKEY 256 3 5 AwEAActFWDC3bvmy6U5URVjz+EzmP/vbkUu8c0SUPpce3mv11DptfEo9 +BiY3A0NUPNfLXgIH1h75A6ZUPDBGApU54NsYJNo9bBPlcvWj7MA0VX6 wdPODqUNhuRfVrA8a3nuUC0PzSN1wC+sl396P91sWq9lYbYLjujm/nEg tREih0EB
03-Feb-2008 09:13:39.365 example.com. 3600 IN RRSIG DNSKEY 5 2 3600 20080304054131 20080203054131 51525 example.com. mkegJTmyMG6uEC9DkG7KUExvHOj3q2iDgaEmw7o9RB1sETUvwd8uteCH 13TvBZ3EXMxdpEFaE4EhccYIArUlqarAz1kzeCyslyIGS4TwsZTR94/c QY8F6Yv8cv8u+ISxSoO+hZCLXOrQ9wyMhx82smT/NycwvLzHxtgikvWL Ww4=
03-Feb-2008 09:13:39.365 ns1.example.com. 3600 IN A 127.0.0.1
03-Feb-2008 09:13:39.365 ns1.example.com. 3600 IN RRSIG A 5 3 3600 20080304054131 20080203054131 51525 example.com. BzvAbDGuu4rEE6kDjXehVIULkGajBJXF/B6D27k9DWIH9MJ/vi9frE/E 4jLz/frY3rHdDgtolGX05SphuEsFdmMoG1a1yQIvfJVHY5L0Xc03qMqu hsXVd5yJS5DwyxEZuxqZDMgeLjp0bm9M1FabOhpIcm4gQqu5JTxHo/5C Etw=
03-Feb-2008 09:13:39.365 ns1.example.com. 3600 IN NSEC testing.example.com. A RRSIG NSEC
03-Feb-2008 09:13:39.365 ns1.example.com. 3600 IN RRSIG NSEC 5 3 3600 20080304081335 20080203071335 51525 example.com. q4HaSLSsYfO2SMw/MVnfiZsgxQ1PHCzHIaWmZGsZ4MkRwEYYPZN3ID1c kisMR2DUU+/5tzrJnflipOfyXTU0ecHGbIpiI8buuM/zqgHgEAxSFDJG TkA06pkqsXCfllDwh7ClLMaK/SeBdudvB2wXHNtUFfXNmmve+SHGsTE6 G+Q=
03-Feb-2008 09:13:39.365 testing.example.com. 3600 IN RRSIG NSEC 5 3 3600 20080304081335 20080203071335 51525 example.com. hVCltJNA9X2/dD77uwLzWrpmVYYvNEAkdTU4qVQL2+8ZHxt553DA3eFk DF5qd74L+rs2piDgVZ7L0qYzzPGO8pZAyw9HyGKF0adi40NdhVhPegy3 Tax1ThTcayuNTPE/t7nSwgfWKEDdSQVBjIZ4GFQKYIigAIGyKnmWKe2v 0JM=
03-Feb-2008 09:13:39.365 testing.example.com. 3600 IN NSEC example.com. A RRSIG NSEC
03-Feb-2008 09:13:39.365 testing.example.com. 3600 IN RRSIG A 5 3 3600 20080304081335 20080203071335 51525 example.com. FZi8W+FsfUjSur8HfMVjrn6hJEOL0ewZoKuwBJ9QAlsqLwYs0TRA3HGU nSN6pXypaw0d0udBo+0IQq/lW4C3FScDpNwCZqWlSmjMEpR/C7d7uPNh jUARGcq9pXdSaJ439QtSARLXNL/8tVZjCUglwYAX8/4bbPvjNOIPrOi1 NHs=
03-Feb-2008 09:13:39.365 testing.example.com. 3600 IN A 127.0.0.1
03-Feb-2008 09:13:39.365 example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2008020206 7200 3600 604800 3600
03-Feb-2008 09:13:39.365 client 127.0.0.1#48060: view internal: transfer of 'example.com/IN': sending TCP message of 2109 bytes
03-Feb-2008 09:13:39.365 client 127.0.0.1#48060: view internal: transfer of 'example.com/IN': AXFR ended
03-Feb-2008 09:13:39.365 client 127.0.0.1#48060: view internal: next
03-Feb-2008 09:13:39.365 client 127.0.0.1#48060: view internal: ns_client_detach: ref = 0
03-Feb-2008 09:13:39.365 client 127.0.0.1#48060: view internal: endrequest
03-Feb-2008 09:13:39.365 client 127.0.0.1#48060: read


To verify that your record has been added, do a zone transfer and grep for your entry:

host -t axfr example.com localhost | grep testing

testing.example.com. 3600 IN RRSIG NSEC 5 3 3600 20080304081335 20080203071335 51525 example.com. hVCltJNA9X2/dD77uwLzWrpmVYYvNEAkdTU4qVQL2+8ZHxt553DA3eFk DF5qd74L+rs2piDgVZ7L0qYzzPGO8pZAyw9HyGKF0adi40NdhVhPegy3 Tax1ThTcayuNTPE/t7nSwgfWKEDdSQVBjIZ4GFQKYIigAIGyKnmWKe2v 0JM=
testing.example.com. 3600 IN NSEC example.com. A RRSIG NSEC
testing.example.com. 3600 IN RRSIG A 5 3 3600 20080304081335 20080203071335 51525 example.com. FZi8W+FsfUjSur8HfMVjrn6hJEOL0ewZoKuwBJ9QAlsqLwYs0TRA3HGU nSN6pXypaw0d0udBo+0IQq/lW4C3FScDpNwCZqWlSmjMEpR/C7d7uPNh jUARGcq9pXdSaJ439QtSARLXNL/8tVZjCUglwYAX8/4bbPvjNOIPrOi1 NHs=
testing.example.com. 3600 IN A 127.0.0.1
The new A record is there, together with its RRSIG and its own NSEC record linking it into the chain (ns1 points to testing, testing points back to the apex). You now have a functioning DNSSEC and Secure Dynamic Update (SDU) setup.
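Grepping for one name only tells you that record is present. What you actually want to know after a dynamic update is whether the whole zone is still consistently signed, so here is an added example (my code, not from the original post) that audits a plain-text zone transfer: every RRset must carry an RRSIG, the signatures must be inside their validity window, the RRSIG label count must match the owner name, and the NSEC chain must still close on the apex. It also lists the RRsets whose inception is newer than the original signing run, which is how you can see what named re-signed. The sample transfer is constructed from the records shown above, with the base64 data shortened.

```python
"""Audit an AXFR of a signed zone after a dynamic update.

Added example, not code from the original post. It reads the text a zone
transfer prints (`host -t axfr` / `dig axfr`) and checks RRSIG coverage,
validity windows, RRSIG label counts and NSEC chain closure. The sample
transfer is constructed from the post's own records, signatures shortened.
"""
from collections import defaultdict
from datetime import datetime, timezone

TIME_FMT = "%Y%m%d%H%M%S"

SAMPLE_AXFR = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2008020206 7200 3600 604800 3600
example.com. 3600 IN RRSIG SOA 5 2 3600 20080304081335 20080203071335 51525 example.com. ars67v4w...
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN RRSIG NS 5 2 3600 20080304054131 20080203054131 51525 example.com. hTQF3MyT...
example.com. 3600 IN KEY 256 3 5 AwEAAcldVDO9...
example.com. 3600 IN RRSIG KEY 5 2 3600 20080304054131 20080203054131 51525 example.com. YpfIG5nM...
example.com. 3600 IN NSEC ns1.example.com. NS SOA KEY RRSIG NSEC DNSKEY
example.com. 3600 IN RRSIG NSEC 5 2 3600 20080304054131 20080203054131 51525 example.com. rcQlAb+b...
example.com. 3600 IN DNSKEY 256 3 5 AwEAActFWDC3...
example.com. 3600 IN RRSIG DNSKEY 5 2 3600 20080304054131 20080203054131 51525 example.com. mkegJTmy...
ns1.example.com. 3600 IN A 127.0.0.1
ns1.example.com. 3600 IN RRSIG A 5 3 3600 20080304054131 20080203054131 51525 example.com. BzvAbDGu...
ns1.example.com. 3600 IN NSEC testing.example.com. A RRSIG NSEC
ns1.example.com. 3600 IN RRSIG NSEC 5 3 3600 20080304081335 20080203071335 51525 example.com. q4HaSLSs...
testing.example.com. 3600 IN RRSIG NSEC 5 3 3600 20080304081335 20080203071335 51525 example.com. hVCltJNA...
testing.example.com. 3600 IN NSEC example.com. A RRSIG NSEC
testing.example.com. 3600 IN RRSIG A 5 3 3600 20080304081335 20080203071335 51525 example.com. FZi8W+Fs...
testing.example.com. 3600 IN A 127.0.0.1
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2008020206 7200 3600 604800 3600
"""


def utc(stamp):
    """Parse an RRSIG-style YYYYMMDDHHMMSS timestamp as an aware UTC datetime."""
    return datetime.strptime(stamp, TIME_FMT).replace(tzinfo=timezone.utc)


def parse_axfr(text):
    """RRsets keyed by (owner, type); RRSIGs parsed and keyed by the (owner, type) they cover."""
    rrsets, sigs = defaultdict(list), defaultdict(list)
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            continue
        owner, rtype, rdata = f[0], f[3], f[4:]
        if rtype == "RRSIG":
            covered, alg, labels, _ttl, exp, inc, tag, signer = rdata[:8]
            sigs[(owner, covered)].append({"alg": int(alg), "labels": int(labels),
                                           "key_tag": int(tag), "signer": signer,
                                           "inception": utc(inc), "expiration": utc(exp)})
        elif " ".join(rdata) not in rrsets[(owner, rtype)]:  # the SOA appears twice in an AXFR
            rrsets[(owner, rtype)].append(" ".join(rdata))
    return rrsets, sigs


def owner_labels(owner):
    """Label count as RFC 4034 defines it for RRSIG: root and a leading wildcard do not count."""
    return len([l for l in owner.rstrip(".").split(".") if l and l != "*"])


def nsec_chain_closed(rrsets, apex):
    """Follow NSEC next-name pointers from the apex; the chain must visit every NSEC and return."""
    nxt = {owner: rdata[0].split()[0] for (owner, t), rdata in rrsets.items() if t == "NSEC"}
    seen, name = set(), apex
    while name not in seen:
        seen.add(name)
        if name not in nxt:
            return False
        name = nxt[name]
    return name == apex and seen == set(nxt)


def audit(text, now, apex="example.com."):
    """Report unsigned RRsets, out-of-window or mislabelled RRSIGs, and what named re-signed."""
    rrsets, sigs = parse_axfr(text)
    report = {"unsigned": [], "bad_window": [], "bad_labels": [], "resigned": [], "key_tags": set()}
    first_signing = min((s["inception"] for sl in sigs.values() for s in sl), default=None)
    for key in sorted(rrsets):
        if key not in sigs:
            report["unsigned"].append(key)
            continue
        for s in sigs[key]:
            report["key_tags"].add(s["key_tag"])
            if not s["inception"] <= now <= s["expiration"]:
                report["bad_window"].append(key)
            if s["labels"] != owner_labels(key[0]):
                report["bad_labels"].append(key)
            # Inception later than the original signing run: named re-signed this RRset on update.
            if first_signing and s["inception"] > first_signing and key not in report["resigned"]:
                report["resigned"].append(key)
    report["nsec_chain_closed"] = nsec_chain_closed(rrsets, apex)
    return report
```

Run audit() over the real transfer output with the current time as now; an empty unsigned list, an empty bad_window list and nsec_chain_closed True are the conditions under which a validating resolver will accept the zone, and the resigned list should contain exactly the names you touched plus the SOA and the neighbouring NSEC records.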