It's the time of the your were I need to study for my upcoming exams. After I've noticed, that I am doing complete bullshit like 20 - 5 = 5, I decided to do something to relax. I'm pretty good in relaxing in front of my computer, and here I am and also something useful - oh my pizza arrived, brb. During the last week, my IP address changed and I where unable to access my NAS from outside. This was part one on my todo list, the second and final part was to figure out why Ubuntu doesn't ask for two passwords for my two encrypted partitions.

When you call a server your own, where you have full control of the Bind configuration and wanted to have your own dynamic DNS for your home IP address, this is might for your interest.

The easiest way is:

# dnssec-keygen -a <alg> <name>
# e.g.:
$ dnssec-keygen -a HMAC-MD5 home.foo-bar.com

Two file will be genereted, a

K<name>+<alg>+<id>.key

and

K<name>+<alg>+<id>.private

Open one of these files or use cat to get the output. If you opened the file .key, you take the last column, the string often ends with ==, if you opened the file .private you copy the string for Key:.

EXAMPLE0SEcr3tString00==

or your named.conf.local, or where ever you keep track of your different zones. I'll demonstrate with a small example what changes you should make. At first define the key, your client uses to authenticate:

key "home.foo-bar.com" {
    algorithm hmac-md5;
    secret "EXAMPLE0SEcr3tString00==";
};

After that you need to update the zone configuration for foo-bar.com. For example the section looks something like this:

zone "foo-bar.com" {
    type master;
    file "db.foo-bar.com";
    allow-transfer {
        10.0.1.1;
        common-allow-transfer;
    };
};

You need to insert an update-policy¹⁾.

zone "foo-bar.com" {
    type master;
    file "db.foo-bar.com";
    allow-transfer {
        10.0.1.1;
        common-allow-transfer;
    };
    update-policy {
        grant home.foo-bar.com name home.foo-bar.com. A;
    };

};

As a short conclusion for the update-policy syntax, the first parameter grant allows use to update, if the rest of the rule matches. The second parameter is our key we defined above, the third is a matching rule. I'm using the full domain name to check, You should have a look at the Bind documentation to see the other options. name is followed by the matching name and the last one is the type, 'A', 'CNAME', or 'TXT'²⁾.

After everything is setup you need to reload your Bind DNS server.

$ rndc reload

Your Bind is now configured.

I came up with the idea using my DNS server to manage my dynamic address, while scrolling through the OpenWRT Kamikaze package list, and so I gave it a try.

Edit your /etc/ipupdate.conf:

server "ns.foo-bar-com"
{
    zone "foo-bar.com"
    {
        hosts "home"
        keyname "home.foo-bar.com"
        keydata "EXAMPLE0SEcr3tString00=="
    }
}

Now, execute ipupdate

$ ipudate
getconfig: loading '/etc/ipupdate.conf'
Detected IP: 10.00.100.200

You also should see a success message. Sorry but I haven't copied it, but you'll recognize, when it is successful. Otherwise you'll see some errors. If you check in your Bind directory, (e.g.: /var/cache/bind) you should see a file named home.foo-bar.com.jnl. After 15 minutes the changes will be merged with your db.foo-bar.com zone file.

You can start ipupdate as daemon.

$ ipupdate start

If also installed a cronjob to check every 24h, if an update is needed.

59 23 * * * /usr/sbin/ipupdate

I've updated to Xubuntu 9.04 recently and using encrypted LVM to secure my stuff. After I've set up a second partition encrypted with cryptsetup and hooked it up in my LVM. Ubuntu didn't ask for two passwords during boot. I can remember using Debian using with two encrypted partitions and putting the entries into your /etc/crypttab and updating the initrd's was enough to get asked twice during boot. Ubuntu seems to fail at this point. In this chapter I'll want to show you how I've solved this problem, for now. This solution isn't automated, yet, and using update-initramfs overwrites the changes.

With Ubuntu it unlocks my root partition and trying to bring up all volumes of my volume group. At this point boot will fail, because one of the volumes is encrypted separately. After a minute,Ubuntu will drop you to a fail-over console. At the (initramfs) prompt I needed to unlock my second partition and hit Ctrl+D to resume to normal boot.

Extract the initrd of your current kernel:

$ mkdir /tmp/initrd-$(uname -r)
$ cd /tmp/initrd-$(uname -r)
$ gzip -dc /boot/initrd.img-$(uname -r) | cpio -id

Open the file conf/conf.d/cryptroot and add a separate line with your second device. You should know your UUIDs for this. Here is mine, after I've edited it.

target=sdc1_crypt,source=/dev/disk/by-uuid/56fc9490-4afd-484f-9574-640bec210fe1,key=none,lvm=goat-root
target=sdd1_crypt,source=/dev/disk/by-uuid/f6b68c07-ad87-46a6-8602-94889c1233b8,key=none,lvm=goat-home
target=sdc1_crypt,source=/dev/disk/by-uuid/56fc9490-4afd-484f-9574-640bec210fe1,key=none,lvm=goat-swap_1

I've added the line starting with sdd1_crypt.

To complete the setup we need to pack the initrd back together. Make a backup of your old initrd.img first!

$ cd /tmp/initrd-$(uname -r)
$ find ./ | cpio -H newc -o | gzip -c > initrd.img-$(uname -r)
$ cp initrd.img-$(uname -r) /boot/

You now should be asked twice for a password, or more, if you have more devices added.