Posts Tagged ‘Ubuntu’
Ubuntu, systemd-resolved and DVE-2018-0001
I noticed that systemd is spamming syslog with:
Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.
DVE-2018-0001 is a workaround for some captive portals that respond to DNSSEC queries with NXDOMAIN. systemd-resolved in Ubuntu retries every one of these NXDOMAIN responses without EDNS0.
In practice this means one syslog entry every time a domain isn’t resolvable. This is surprising, so I dug further.
Ubuntu pulled in a PR to systemd implementing DVE-2018-0001 in systemd-resolved. It’s not configurable, except that it’s not attempted in DNSSEC strict mode.
As an aside, I feel like Ubuntu integrating unmerged upstream patches isn’t fair to systemd. I incorrectly assumed that it was systemd that was introducing these spammy log messages. Maybe they will eventually, but they haven’t yet.
I’m pretty sure it’s a terrible idea, but I enabled DNSSEC strict mode by setting DNSSEC=yes in /etc/systemd/resolved.conf. I’ll have to try to remember I did this in a few days when I can’t browse the web.
There’s a really good write-up at askubuntu.com of the underlying problem.
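A way to check which DNSSEC= value actually takes effect, since per the post only strict mode skips the DVE-2018-0001 retry. This is an added example, not code from the original post or from systemd; the function names, the drop-in file name and the sample file contents are assumptions made for illustration, and the parser is deliberately simplified.

```shell
#!/bin/sh
# Added example: report the effective DNSSEC= value from resolved.conf-style
# files read in the order given (later files and later lines override earlier).
# Simplified parser: [Resolve] section only, '#' and ';' comment lines skipped.
effective_dnssec() {
    awk '
        FNR == 1      { in_resolve = 0 }       # a new file starts outside any section
        /^[ \t]*[#;]/ { next }                 # comment line, e.g. "#DNSSEC=no"
        /^[ \t]*\[/   { in_resolve = ($0 ~ /^[ \t]*\[Resolve\][ \t]*$/); next }
        in_resolve && /^[ \t]*DNSSEC[ \t]*=/ {
            val = $0
            sub(/^[ \t]*DNSSEC[ \t]*=[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            mode = tolower(val)
        }
        END { print (mode == "" ? "unset" : mode) }
    ' "$@"
}

# Per the post, the DVE-2018-0001 retry is not attempted in DNSSEC strict mode.
# Returns 0 when strict mode is configured (DNSSEC= takes a boolean or
# "allow-downgrade"; the usual true spellings are accepted here).
is_strict_dnssec() {
    case "$(effective_dnssec "$@")" in
        yes|true|on|1) return 0 ;;
        *)             return 1 ;;
    esac
}

# Constructed sample files (not taken from a real system).
demo_dir=$(mktemp -d)
printf '[Resolve]\n#DNSSEC=no\nDNSSEC=allow-downgrade\n' > "$demo_dir/resolved.conf"
printf '[Resolve]\nDNSSEC = yes\n' > "$demo_dir/dnssec.conf"   # hypothetical drop-in

echo "main file only: $(effective_dnssec "$demo_dir/resolved.conf")"
echo "with drop-in:   $(effective_dnssec "$demo_dir/resolved.conf" "$demo_dir/dnssec.conf")"
if is_strict_dnssec "$demo_dir/resolved.conf" "$demo_dir/dnssec.conf"; then
    echo "strict mode: DVE-2018-0001 retry (and its log line) not expected"
fi
rm -rf "$demo_dir"
```

On a real machine, pass /etc/systemd/resolved.conf followed by any drop-in files in the order they are applied.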
Fix your drifting pointer in GNOME
Plagued with a drifting pointer? I sure am.
For me this happens when I accidentally zoom using an accessibility “feature” in GNOME. Actually, it’s in Compiz and ambushes me when I accidentally hit Super (Windows key) instead of Alt when resizing a window using the Alt+middle click+drag combination.
Compiz seems to be a little particular about getting the screen fully zoomed out again, but here’s a method that’s (so far) always reset the zoom without leaving me with a randomly drifting cursor.
To zoom out again, hold the Super key and scroll down using your scroll wheel. I’m sure there’s a better way, but I don’t know it. Disabling zoom hotkeys in gconf-editor didn’t seem to work for me. If you’ve figured this out, please leave a comment!
ecryptfs mount options
I was having trouble tracking down the ecryptfs mount options that can be used to stop the mount.ecryptfs helper utility from prompting quite so much. I tested this on Ubuntu 10.10. ecryptfs_verbosity claims to be the option that I really want to change, but I couldn’t get this one working.
You can add these options to your /etc/fstab. Their values are partially documented here: http://ecryptfs.sourceforge.net/README
Here’s what I added to my /etc/fstab to stop mount.ecryptfs from prompting for anything besides the password on Ubuntu 10.10:
/root/.crypto /root/crypto ecryptfs noauto,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n 0 0