China: internet connection or phone number only with a face scan

From December, China intends to issue phone numbers and internet connections only after identity verification by facial recognition. A corresponding regulation was recently enacted and is to apply to already registered connections as well.

State surveillance threatens religious freedom

Christians living in totalitarian states are coming under increasing pressure. According to the current World Watch List of the Christian relief organization Open Doors, the situation for Christians in China and Turkey, among other countries, has deteriorated further.

DNSSEC with BIND 9(.11) on Debian 10(.1)

Since it took me hours to configure DNSSEC (because of one little mistake), I made a short write-up here.

Configuration

# vi /etc/bind/named.conf.local
add the following to the zone statement of your domain (the zone name and file name are placeholders here):
    file "/var/lib/bind/<zonefile>";
    key-directory "/var/lib/bind/";
    auto-dnssec maintain;
    inline-signing yes;

(auto-dnssec maintain lets named pick up the keys from key-directory and roll signatures before they expire; inline-signing yes makes named keep a signed copy of the zone, <zonefile>.signed, next to your unsigned zone file.)

# vi /etc/bind/named.conf.options
dnssec-enable yes;
dnssec-validation auto;
dnssec-lookaside auto;

(dnssec-validation auto enables validation with the built-in root trust anchor. dnssec-lookaside, i.e. DLV, is obsolete: ISC emptied the dlv.isc.org registry in 2017 and the option was later removed from BIND, so it can be left out.)

The keys

# cd /var/lib/bind/
(because this directory must be writable by bind, and /etc/bind/ shouldn't be)

create the zone signing key (ZSK):
# dnssec-keygen -a RSASHA256 -b 2048 <zone>
create the key signing key (KSK):
# dnssec-keygen -a RSASHA256 -b 4096 -f KSK <zone>

change permissions and the owner
(all keys must be readable by bind):
# chmod 644 *.key
# chmod 600 *.private
# chown bind *

You now have four files: two key pairs (ZSK and KSK), each consisting of a public K<zone>.+008+<keytag>.key file and the matching .private file. The .key files contain the DNSKEY records and have to be pulled into the zone file; the following does this:
# for key in *.key; do echo "\$INCLUDE $key" >> <zonefile>; done


sign the zone
# dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o <zone> -t <zonefile>

(-3 <salt> uses NSEC3 instead of NSEC with a random 8-byte salt, -A sets the NSEC3 opt-out flag, -N INCREMENT bumps the SOA serial, -o gives the zone origin and -t prints statistics. Opt-out only pays off for zones with many unsigned delegations; since it weakens the proof that a delegation does not exist, leave -A out for a small zone.)


# /etc/init.d/bind9 restart (or: systemctl restart bind9)


# dig <zone> DNSKEY @localhost +multiline
if everything went right you should see the two keys (flags 256 for the ZSK, 257 for the KSK). if not, something went wrong.

some good DNSSEC testing sites:


when we ran the dnssec-signzone command, apart from the .signed zone file a file named dsset-<zone>. was also created; it contains the DS records (key tag, algorithm, digest type and digest of the KSK).
# cat dsset-<zone>.
go to the registrar of your domain and enter those DS records. the chain of trust is only complete once the parent zone publishes them.
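To show what the DS record at the registrar actually contains, here is an added example (not part of the original write-up and not BIND code): it takes DNSKEY records in the presentation format that `dig <zone> DNSKEY +multiline` or a zone file shows, picks out the KSK (flags 257, i.e. ZONE + SEP bit), and derives the key tag (RFC 4034 Appendix B) and the SHA-256 DS record (RFC 4034 section 5, RFC 4509), which is exactly what ends up in the dsset- file. The zone name example.com and the two-byte key material are constructed for the demonstration; a real RSA key only gives a longer base64 field.

```python
import base64
import hashlib
import struct

# Constructed sample: two DNSKEY records as dig prints them without +multiline
# (one record per line). The key material is a stand-in, not a real key.
SAMPLE_DNSKEYS = """\
example.com. 3600 IN DNSKEY 256 3 8 AwEA
example.com. 3600 IN DNSKEY 257 3 8 AQI=
"""

# The same KSK in the +multiline form (parentheses spanning lines, trailing
# comment), also constructed.
SAMPLE_MULTILINE = """\
example.com.    3600 IN DNSKEY 257 3 8 (
                AQI=
                ) ; KSK; alg = RSASHA256 ; key id = 1291
"""

DIGEST_TYPES = {1: "sha1", 2: "sha256", 4: "sha384"}


def normalize(text):
    """Drop ';' comments and join multi-line records into one line each."""
    records, buf, depth = [], [], 0
    for line in text.splitlines():
        line = line.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            joined = " ".join(buf).split()
            if joined:
                records.append(" ".join(joined))
            buf = []
    return records


def name_to_wire(name):
    """Owner name in canonical (lowercased) DNS wire format, as the DS digest needs it."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_dnskey(record):
    """Return (owner, flags, protocol, algorithm, key bytes) for one DNSKEY record line.

    TTL and class are optional, so hand-written records without them work too."""
    fields = record.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    key = base64.b64decode("".join(fields[idx + 4:]))
    return fields[0], flags, proto, alg, key


def dnskey_rdata(flags, proto, alg, key):
    """DNSKEY RDATA in wire format: flags (16 bit), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, proto, alg) + key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (valid for every algorithm except RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, flags, proto, alg, key, digest_type=2):
    """DS record text: digest is over canonical owner name || DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, proto, alg, key)
    h = hashlib.new(DIGEST_TYPES[digest_type])
    h.update(name_to_wire(owner) + rdata)
    return "%s IN DS %d %d %d %s" % (
        owner, key_tag(rdata), alg, digest_type, h.hexdigest().upper())


def ds_records_for_ksks(text):
    """DS records for every key that has both the ZONE (0x0100) and SEP (0x0001) bit set."""
    out = []
    for record in normalize(text):
        owner, flags, proto, alg, key = parse_dnskey(record)
        if flags & 0x0100 and flags & 0x0001:
            out.append(ds_record(owner, flags, proto, alg, key))
    return out


if __name__ == "__main__":
    for ds in ds_records_for_ksks(SAMPLE_DNSKEYS):
        print(ds)
```

Run it against the real output of `dig <zone> DNSKEY @localhost +multiline` and the line it prints should match `cat dsset-<zone>.` (dnssec-signzone writes a SHA-1 and a SHA-256 DS; registrars normally want the SHA-256 one: key tag, algorithm 8, digest type 2, digest). Only the KSK is submitted; the ZSK (flags 256) is covered by the KSK's signature over the DNSKEY RRset.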

Update zone files

    1. make your changes to the zone file
    2. # rndc freeze
    3. delete all * files (i have not found another way)
    4. re-sign the zone
       # dnssec-signzone -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o <zone> -t <zonefile>
    5. # rndc reload
    6. # rndc thaw

(With inline-signing yes and auto-dnssec maintain configured as above, named re-signs the zone itself: editing the unsigned zone file, bumping the SOA serial and running rndc reload <zone> is then enough, and steps 3 and 4 are not needed; the manual signing and the automatic signed copy otherwise compete for the same <zonefile>.signed.)


…are automatically signed with your domain


if you get an error like:
    No response was received until the UDP payload size was decreased, indicating that the server might be attempting to send a payload that exceeds the path maximum transmission unit (PMTU) size.
on one of the testing sites, and you have a firewall like pfSense in front of the DNS server, try disabling scrubbing:
    Disable Firewall Scrub (disables the PF scrubbing option, which can sometimes interfere with NFS traffic)
another solution with pfSense is here:
another, but last-resort, option is to reduce the UDP packet size in BIND's named.conf.options:
# vi /etc/bind/named.conf.options
edns-udp-size 512;
max-udp-size 512;
(DNSSEC responses are large, so 512 makes nearly every signed answer truncate and fall back to TCP; 1232, the DNS flag day 2020 recommendation, avoids IP fragmentation on almost all paths and is the better first value to try.)

If you like this write-up or I missed something, please let me know.

Bill Gates wants to cool the planet with geoengineering

Now Bill Gates wants to cool the planet with geoengineering, more precisely with lime powder. Lots of lime powder. Experts say the nonsense could have catastrophic consequences.

