pmeerw's blog

Sat, 13 Jan 2024

Windows 10 update KB5034441 fails to install - 0x80070643

This will probably the only post I do for Windows ever, happened to do support for a PC over Christman holiday season.

Thing is, security update KB5034441 fails to install with code 0x80070643. Of course, there can be multiple reason, but this Golen article (German) was spot on: the Windows recovery partition needs to be increased.

It refers to a Microsoft support page which has instructions for the command-line how to shrink the system partition and grow the recovery partition. Very nice incarnations :-)

A appreciate the user friendlyness of tools I've never heard of: reagentc, diskpart. After that (no reboot necessary), the update completes installation within seconds, very nice!

posted at: 13:07 | path: /configuration | permanent link

Mon, 02 Oct 2023

Null MX

For servers that do not accept mail, there's "null MX". See RFC 7505.

posted at: 22:09 | path: /configuration | permanent link

Tue, 16 May 2023

DNS, minimal ANY queries

RFC 8482 deprecates DNS ANY queries. These were mostly used for debugging, i.e. retrieving all information for a domain. DNS server now just respond with HINFO "RFC8482" "" in the CPU and OS field of the HINFO response to indicate that information has been suppressed.

See also Cloudflare blog on this topic.

And the (hard to come by) configuration for bind9 is (tada!):

minimal-any yes;
Use dig +tcp to get a full response (see here).

posted at: 10:24 | path: /configuration | permanent link

Sat, 17 Dec 2022

Using DNS to securely publish SSH key fingerprints

Another nice article showing off DNSSEC strength...

Generate SSHFP DNS records for by host (

$ ssh-keygen -r @
@ IN SSHFP 1 1 3b00267ed86c211026e6d8b8eb5d9a7d9e51cf7d
@ IN SSHFP 1 2 189d464e8a13d2df66d882afdcb4220fb281ba1f19eda96aa35bf1a50188b0a7
@ IN SSHFP 2 1 adb06e3c4de279d2338bbec35a9a64c8661fb431
@ IN SSHFP 2 2 50e72d460ea86ad416b74b71f9b0c948bf42004ebf730290eff9d43fea9545a6
@ IN SSHFP 3 1 aaa45514f6bd534448ab7f09842fe1e13c269142
@ IN SSHFP 3 2 cc68f391aea002966cc3d7e84ce41dc73d4cfb6c2381e5b665f26603f8317dd3
@ IN SSHFP 4 1 7482ed5e3e6621978bd0bbd61f6b9740dcef252c
@ IN SSHFP 4 2 eb77b6f29bee067d6524459e4cfc696881bd70908d514be682cb068746729594

SSH can silently connect to an SSH server (without asking to verify the host fingerprint!) if VerifyHostKeyDNS is enabled: ssh -o VerifyHostKeyDNS=yes

posted at: 22:58 | path: /configuration | permanent link

PGP Key Distribution via DNSSEC: OPENPGPKEY

RFC7929 describes a way to put OpenPGP public keys into DNS using DANE. Here's an article which I shamelessly condense here...

There is a DNS resource record that stores the complete public key. I'm using ECC to bring down key size. It looks like this: IN OPENPGPKEY (
The name part is the SHA-256 hash of "pmeerw". You can use the command openpgpkey --create to create the record (install the Debian/Ubuntu hash-slinger package).

Try to query a PGP public key!

posted at: 22:49 | path: /configuration | permanent link

Made with PyBlosxom