RFC9460 is about "Service Binding and Parameter Specification via the DNS (SVCB and HTTPS Resource Records)". The idea is to signal to web browsers that the connection to the server shall be encrypted (similar to HSTS), as well as HTTP protocol preferences: HTTP/3 (QUIC), HTTP/2, fallback to HTTP/1.1. The protocol handshake can thus be performed quicker. The SVCB records allow configuration for load balancing, failover, encrypted ClientHello support, etc.

The proposed DNS record looks as follows:

example.com. IN HTTPS 1 . alpn="h3,h2" ipv4hint="23.209.46.91" ipv6hint="2600:1413:b000:13::b857:c185"

ALPN indicates for protocol preference and fallback. The IP hint may speed up connection performance. In particular when a different "target" is to be used (here it's just ".").

More here.

posted at: 16:20 | path: /configuration | permanent link

It's basically impossible to recover a MicroSD card stuck in a Lenovo X13 Gen1 (AMD) MicroSD card slot. Opening the case (removing the back cover) doesn't help either as the SD card slot is on other side of the system module.

Any ideas? In my opinion a total design failure. I otherwise like the machine.

posted at: 15:48 | path: /rant | permanent link

... from the command-line.

export STEAM_COMPAT_DATA_PATH=/data/SteamLibrary/steamapps/compatdata/123456
export STEAM_COMPAT_CLIENT_INSTALL_PATH=/home/user/.steam/debian-installation
python3 "/data/SteamLibrary/steamapps/common/Proton - Experimental/proton" waitforexitandrun some.exe

posted at: 09:52 | path: /programming | permanent link

Background: DNS resolution on Linux is controlled by /etc/resolv.conf, where up to three nameservers can be configured among other things (search list, timeout, attempts, etc.)

Nameservers are queried in order, the second nameserver is only asked if there is no response from the first. When there is an answer (even a negative one), further nameservers are not consulted. This can be changed with the rotate option. The man page has more info.

How does Docker configure the container's DNS?

At least for bridged container network configuration (default), Docker mounts some host files into the container:

$ mount
...
/dev/nvme0n1p3 on /etc/resolv.conf type ext4 (rw,relatime,errors=remount-ro)
/dev/nvme0n1p3 on /etc/hostname type ext4 (rw,relatime,errors=remount-ro)
/dev/nvme0n1p3 on /etc/hosts type ext4 (rw,relatime,errors=remount-ro)

Hence, resolv.conf that the resolver service of the host uses is used by the container. I.e. on a system with systemd's resolved, the nameservers used by resolved will be used by the container, and NOT the local resolver 172.0.0.53. I don't know why, I think this makes no sense and complicates configuration.

The problem

All nameservers in /etc/resolv.conf shall return the same information. However, this is not the case if local, private and public nameservers are used. Private domains (such as example.local) can only be resolved by the private nameserver. This is in principle possible to configure in resolved, but not easily passed on to the container. In case multiple nameservers are configured for the container and the first local, private nameserver is unreliable or too slow, the fallback nameserver will be queried. This leads to sporadic host name lookup failure for private hosts on a local domain.

nameserver 172.x.y.z # private, can resolve example.local
nameserver 1.1.1.1 # public

Oh no, Snap!

Ubuntu can package docker as a Snap, adding some more complication...

The dockerd config file (--config-file=/var/snap/docker/nnnn/config/daemon.json) for Snap luckily lives in var/snap/docker/current/config/ and is editable, hurray!

Configuration changes

Edit /var/snap/docker/current/config/daemon.json to override DNS configuration for all containers:

{
    "dns": ["172.x.y.z"]
}

Restart the docker container service:

sudo snap restart docker

posted at: 19:05 | path: /configuration | permanent link

A signed Windows executable allows windows to display the publisher name in the UAC dialog, except sometimes it doesn't work. Windows uses Authenticode to verify the integrity of a PE32 executable and provide authentication via code signing.

One way to learn more what UAC does w.r.t. crypto is to enable CAPI2 diagnostics , i.e. event logging.

Things to remember: the entire certificate chain up to but not including the root CA's certificate should be in the executable, i.e. all intermediate certificate. When certificate are missing, they might be retrieved by Certificate Authority Information Access (AIA), specified in RFC5280 via some HTTP URLs given in the certificates.

Different applications implement different verification policies: caching of certifiates, revocation list checks, etc. It's know clear what checks Windows, or the UAC dialog, or other application do to check the authenticity of an executable.

Tooling is difficult: again, it's not clear what the verification policy is. For example, Microsoft's signtool does not complain about missing intermediate certificates.

• The LIEF project has code to verify Authenticode in a platform independent way, and a nice Python tutorial about it. TrailOfBits has some more background.
• Other tools: PESignAnalyzer and AuthenticodeLint which can extract certificates from an executable and give some guidance.

Looking for some more mystery to research: Try page hashes!

posted at: 00:45 | path: /programming | permanent link