
Tag: DNS

Upgrading PowerDNS from Debian Squeeze to Wheezy

As I mentioned here, I had to manually create a database schema when I installed PowerDNS on Debian Squeeze. Later versions apparently create one themselves.

I just upgraded my Squeeze machine, and the package manager said that the DB needed to be migrated. But MySQL maintenance always seems to go wrong on Debian upgrades. It started asking me the same questions as if PowerDNS wasn’t installed; it wanted to create a new user and such. I don’t know why it keeps doing that; it’s not the first time that has happened. Needless to say, this process failed.

So, I looked at another PowerDNS server and I made the SQL myself:

alter table records add ordername varchar(255);
alter table records add auth tinyint(1);
update records set auth=1;
-- InnoDB is required for the foreign key constraints below
CREATE TABLE `cryptokeys` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `domain_id` int(11) NOT NULL,
  `flags` int(11) NOT NULL,
  `active` tinyint(1) DEFAULT NULL,
  `content` text,
  PRIMARY KEY (`id`),
  KEY `domain_id` (`domain_id`),
  CONSTRAINT `cryptokeys_ibfk_1` FOREIGN KEY (`domain_id`) REFERENCES `domains` (`id`) ON DELETE CASCADE
) ENGINE=InnoDB;
CREATE TABLE `domainmetadata` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `domain_id` int(11) NOT NULL,
  `kind` varchar(16) DEFAULT NULL,
  `content` text,
  PRIMARY KEY (`id`),
  KEY `domain_id` (`domain_id`),
  CONSTRAINT `domainmetadata_ibfk_1` FOREIGN KEY (`domain_id`) REFERENCES `domains` (`id`) ON DELETE CASCADE
) ENGINE=InnoDB;
CREATE TABLE `tsigkeys` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `name` varchar(255) DEFAULT NULL,
  `algorithm` varchar(255) DEFAULT NULL,
  `secret` varchar(255) DEFAULT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `namealgoindex` (`name`,`algorithm`)
) ENGINE=InnoDB;

Adding foreign key constraints to PowerDNS default schema

In an earlier post I made, I described how to manually create the SQL schema, because the package didn’t create one itself. When I installed Power DNS 3.1-4 on a Raspberry Pi, I noticed it had created the schema itself this time. However, it did not make the foreign key constraints. This is dumb. I regularly need to remove domains from the DB and I don’t want stale or incorrect references as a result.

To create them by hand:

alter table records add foreign key (domain_id) references domains(id) on delete cascade;
alter table cryptokeys add foreign key (domain_id) references domains(id) on delete cascade;
alter table domainmetadata add foreign key (domain_id) references domains(id) on delete cascade;

It must be a bug that this was omitted, because I got the original schema from the PowerDNS website. Question is, is this a bug in the Raspbian/Debian package, or in PowerDNS?
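To see what those constraints actually prevent, here is an added example of mine (not from these posts, and not PowerDNS code). It builds the domains/records tables twice, once without and once with the ON DELETE CASCADE constraint, deletes a zone from each, and counts the records left behind with a LEFT JOIN. Python’s built-in sqlite3 stands in for MySQL so it runs without a database server; the tables are a subset of the gmysql schema from the posts above and the zone data is constructed. The orphan query itself is plain SQL and can be pasted into a MySQL client unchanged to audit an existing pdns database.

```python
"""Why the PowerDNS tables need ON DELETE CASCADE: deleting a domain without it
leaves records pointing at a domain_id that no longer exists.

Added example, not from the original posts or from PowerDNS. Python's
built-in sqlite3 stands in for MySQL; the tables are a subset of the
gmysql schema quoted in the posts, and the zone data is constructed.
"""
import sqlite3

# domains/records without any foreign key, the state the post complains about.
SCHEMA_NO_FK = """
CREATE TABLE domains (
  id   INTEGER PRIMARY KEY AUTOINCREMENT,
  name VARCHAR(255) NOT NULL UNIQUE,
  type VARCHAR(6) NOT NULL
);
CREATE TABLE records (
  id        INTEGER PRIMARY KEY AUTOINCREMENT,
  domain_id INT,
  name      VARCHAR(255),
  type      VARCHAR(6),
  content   VARCHAR(255)
);
"""

# Same tables with the constraint the post adds by hand.
SCHEMA_FK = SCHEMA_NO_FK.replace(
    "domain_id INT,",
    "domain_id INT REFERENCES domains(id) ON DELETE CASCADE,")

# Portable audit query: records whose domain_id matches no domain.
# Runs unchanged against a MySQL pdns database.
ORPHAN_QUERY = """
SELECT r.id, r.name, r.type
  FROM records r
  LEFT JOIN domains d ON d.id = r.domain_id
 WHERE d.id IS NULL
"""

# Constructed sample zone (documentation names and addresses only).
SAMPLE_RECORDS = [
    ("example.test", "SOA", "ns1.example.test hostmaster.example.test 1 3600 600 86400 300"),
    ("example.test", "NS", "ns1.example.test"),
    ("www.example.test", "A", "192.0.2.10"),
]


def make_db(schema):
    """Create an in-memory database with one zone loaded."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # sqlite ignores FKs unless enabled
    conn.executescript(schema)
    conn.execute("INSERT INTO domains (name, type) VALUES ('example.test', 'NATIVE')")
    (domain_id,) = conn.execute("SELECT id FROM domains WHERE name = 'example.test'").fetchone()
    conn.executemany(
        "INSERT INTO records (domain_id, name, type, content) VALUES (?, ?, ?, ?)",
        [(domain_id, name, rtype, content) for name, rtype, content in SAMPLE_RECORDS])
    conn.commit()
    return conn


def orphaned_records(conn):
    """Rows in records that reference a non-existent domain."""
    return conn.execute(ORPHAN_QUERY).fetchall()


def orphans_after_deleting_domain(schema):
    """Load the zone, delete its domain row, and count what is left dangling."""
    conn = make_db(schema)
    conn.execute("DELETE FROM domains WHERE name = 'example.test'")
    conn.commit()
    return len(orphaned_records(conn))


if __name__ == "__main__":
    print("stale records without the constraint:", orphans_after_deleting_domain(SCHEMA_NO_FK))
    print("stale records with ON DELETE CASCADE:", orphans_after_deleting_domain(SCHEMA_FK))
```

Note the PRAGMA line: sqlite parses foreign keys but does not enforce them until they are switched on, and MySQL behaves the same way for any table that is not InnoDB, where a FOREIGN KEY clause is accepted and silently ignored. Running the orphan query once after adding the constraints is a cheap way to confirm they are really in force.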

Making Linux less dumb about failed DNS servers

Whenever one of the servers in /etc/resolv.conf is unreachable, Linux (glibc’s resolver, really) isn’t smart enough to stop retrying it for a while. This makes a lot of services unavailable, because many of them do a reverse lookup on every incoming connection (SSH, for instance), and that lookup hangs for the full time-out of the query to the first DNS server.

There doesn’t seem to be a solution, but I worked around it a little bit by putting this in /etc/resolv.conf (or /etc/resolvconf/resolv.conf.d/base && resolvconf -u):

options timeout:2 rotate

Still not perfect, but more workable.
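What those two options buy you is easier to see with numbers. The following is an added example of mine (not from the original post): it parses a resolv.conf, applies glibc’s documented defaults and limits from resolv.conf(5) (timeout 5, attempts 2, at most three nameservers used, timeout capped at 30 and attempts at 5), and models how long a single lookup stalls when one listed server silently drops queries. Without rotate every lookup walks into the dead first server and waits a full timeout; with rotate only a share of lookups start there. The two configurations are constructed.

```python
"""Parse resolv.conf and model the stall caused by an unreachable nameserver.

Added example, not from the original post. Defaults and limits follow
resolv.conf(5) for glibc; the lookup model is: walk the nameserver list in
order, wait `timeout` seconds on each server that does not answer, return
as soon as one answers. With `rotate` the starting position round-robins.
"""
import re

GLIBC_DEFAULTS = {"timeout": 5, "attempts": 2, "rotate": False}
MAX_TIMEOUT, MAX_ATTEMPTS, MAX_NAMESERVERS = 30, 5, 3  # glibc clamps silently


def parse_resolv_conf(text):
    """Return {'nameservers': [...], 'options': {...}} for resolv.conf text."""
    conf = {"nameservers": [], "options": dict(GLIBC_DEFAULTS)}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # strip comments
        if not line:
            continue
        keyword, *args = line.split()
        if keyword == "nameserver" and args:
            if len(conf["nameservers"]) < MAX_NAMESERVERS:  # glibc ignores the 4th and later
                conf["nameservers"].append(args[0])
        elif keyword == "options":
            for opt in args:
                m = re.fullmatch(r"(timeout|attempts):(\d+)", opt)
                if m:
                    cap = MAX_TIMEOUT if m.group(1) == "timeout" else MAX_ATTEMPTS
                    conf["options"][m.group(1)] = min(int(m.group(2)), cap)
                elif opt == "rotate":
                    conf["options"]["rotate"] = True
    return conf


def first_lookup_delay(conf, dead_index=0):
    """Seconds a lookup waits before a live server answers when the server at
    dead_index drops every query. Returns (worst_case, average) across the
    starting positions the resolver may use (one without rotate, n with it)."""
    servers, opts = conf["nameservers"], conf["options"]
    n = len(servers)
    if n == 0:
        return None
    if n == 1:
        # The only server is dead: every attempt round times out, then the lookup fails.
        total = opts["timeout"] * opts["attempts"]
        return (total, float(total))
    delays = []
    for start in (range(n) if opts["rotate"] else [0]):
        delay = 0
        for step in range(n):  # walk the list from the starting position
            if (start + step) % n == dead_index:
                delay += opts["timeout"]  # a dead server costs one full timeout
            else:
                break  # a live server answers
        delays.append(delay)
    return (max(delays), sum(delays) / len(delays))


# Constructed sample configurations (not taken from any real host).
DEFAULT_CONF = "nameserver 192.0.2.1\nnameserver 192.0.2.2\n"
TUNED_CONF = DEFAULT_CONF + "options timeout:2 rotate\n"

if __name__ == "__main__":
    for label, text in (("glibc defaults", DEFAULT_CONF), ("timeout:2 rotate", TUNED_CONF)):
        worst, avg = first_lookup_delay(parse_resolv_conf(text))
        print(f"{label}: worst {worst}s, average {avg}s stall while 192.0.2.1 is down")
```

The model also shows why the workaround is only partial: the worst case never drops below one timeout as long as the dead server stays in the list, and a host with a single nameserver gains nothing from rotate at all. Which server is down can be passed as dead_index to check the other positions.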

Configuring a Power DNS superslave server

Power DNS, as opposed to Bind, has the option to be a superslave. This means that it will automatically pull any zone that a trusted master host notifies it about, avoiding the need to configure each zone on both master and slave.

Power DNS has separate back-ends, of which you must choose one. I chose MySQL, using the generic MySQL back-end (gmysql), which is a different, and better, back-end than the plain mysql one.

First install Power DNS:

aptitude -P install pdns-server pdns-backend-mysql

Then create a database and user:

create database pdns character set utf8;
grant all on pdns.* to 'pdns'@'localhost' identified by 'password';

Then create this schema (found it in the Power DNS docs):

-- InnoDB is required for the foreign key constraint on records
create table domains (
  id              INT auto_increment,
  name            VARCHAR(255) NOT NULL,
  master          VARCHAR(128) DEFAULT NULL,
  last_check      INT DEFAULT NULL,
  type            VARCHAR(6) NOT NULL,
  notified_serial INT DEFAULT NULL,
  account         VARCHAR(40) DEFAULT NULL,
  primary key (id)
) ENGINE=InnoDB;
CREATE UNIQUE INDEX name_index ON domains(name);
CREATE TABLE records (
  id              INT auto_increment,
  domain_id       INT DEFAULT NULL,
  name            VARCHAR(255) DEFAULT NULL,
  type            VARCHAR(6) DEFAULT NULL,
  content         VARCHAR(255) DEFAULT NULL,
  ttl             INT DEFAULT NULL,
  prio            INT DEFAULT NULL,
  change_date     INT DEFAULT NULL,
  primary key(id),
  CONSTRAINT `records_ibfk_1` FOREIGN KEY (`domain_id`) REFERENCES `domains` (`id`) ON DELETE CASCADE
) ENGINE=InnoDB;
CREATE INDEX rec_name_index ON records(name);
CREATE INDEX nametype_index ON records(name,type);
CREATE INDEX domain_id ON records(domain_id);
-- columns as in the PowerDNS gmysql schema; the supermasters insert further
-- down fills ip, nameserver and account in this order
create table supermasters (
  ip         VARCHAR(25) NOT NULL,
  nameserver VARCHAR(255) NOT NULL,
  account    VARCHAR(40) DEFAULT NULL
);
-- redundant for 'pdns'@'localhost' after the GRANT ALL ON pdns.* above,
-- but part of the docs schema
GRANT SELECT ON supermasters TO pdns;
GRANT ALL ON domains TO pdns;
GRANT ALL ON records TO pdns;

Then create /etc/powerdns/pdns.d/pdns-mysql-backend with this in it:


Then insert a supermaster:

insert into supermasters (ip, nameserver, account) values ('', '', 'identifiername');

Lastly, don’t forget to enable slave mode in /etc/powerdns/pdns.conf:


OpenDNS servers

I’ve had to deal with crappy DNS servers quite a lot: servers that don’t resolve certain sites, servers that take forever to answer, etc. Therefore, using OpenDNS can be a good solution. The IP addresses for OpenDNS are (including /etc/resolv.conf directives):


BigSmoke.US is no longer mine

Since my three previous posts [1, 2, 3], I’ve made over 7 phone calls to the US, alternating between Wild West Domains and NeuStar. And it turned out that, no, I’m not allowed to have a dot-US domain. So I gave it away.

My father has a great cousin, Roel, who has been a US citizen for the greatest part of his life. Having spent his career wiring mainframes for IBM, he can also be called computer literate. I gave my domain to him and he was kind enough to allow me to keep using it for my websites.

It was during the first phone call with NeuStar that I was told that I would, under no circumstances, be allowed to own a .US domain myself. I was also told that this could easily be amended if I could find a US representative to whom I could transfer the domain, if I was lucky enough that the domain wasn’t locked.

That led me to my father’s cousin Roel from Maryland. He’s an absolutely great guy who’s always friendly and willing to help. He accepted ownership of what was then still my domain.

Naively, I tried to transfer my domain using Wild West Domains (WWD). Because it had previously been locked on authority of NeuStar, I tried to unlock it but nothing happened. A call with WWD quickly revealed the cause: NeuStar had put a hold on my domain, meaning that nothing could be done to it until NeuStar removed the hold.

When explaining my situation during my next call with NeuStar, I was first told that transferring my domain wasn’t allowed. When I reminded them that I had been told that it was a proposed solution, my friendly helper disappeared from the phone to talk to other support workers. The outcome was that they would remove the hold if I faxed them a statement of my intent to transfer along with a copy of Roel’s driver’s license, to once and for all settle the problem of American citizenship.

Roel went to all the trouble of installing an unused scanner of his to send me his license and I faxed the documents to NeuStar and went to bed. It was AM already.

July 26. The next afternoon, I noticed that, when I tried to unlock the domain, it would again remain stuck in the pending unlock state.

Willy at NeuStar told me that, yes, they had received the papers and, yes, they would remove the hold. (Or they had already removed it; it wasn’t quite clear to me which it was.) Back to WWD: had I somehow screwed up the process by trying to unlock before knowing for sure that the hold had been released? They didn’t know, but they thought it wise to wait a few hours for eventual delays and then see if it still hadn’t been released.

More than a few hours later, I got back to WWD because the unlock was still pending. They couldn’t make sense of it so the issue got reported to technical support and they passed it on to advanced technical support.

A day or so later, the issue still wasn’t resolved, so I made another call. They were working at it and I would be notified as soon as it was resolved. Of course, a few days later I harassed them again to be sure this issue wasn’t somehow forgotten.

Finally, the issue was resolved on August 1:

Dear Sir/Madam,

Our advanced tech support has reviewed the domain. We have made the necessary updates to ensure this domain is active and resolving correctly. Please let us know if we can assist you further.

David S.
Advanced Technical Support

I quickly updated all the contacts for what is now no longer my domain. Thanks for letting me use your new domain, cousin Roel!

Can NeuStar be trusted to keep networks together?

Trusted to bring networks together, beams NeuStar’s corporate slogan. After my previous two posts, I’m still hoping that they can be trusted to keep networks together too.

NeuStar slogan
(Get the GIMP working file if you want to play with the slogan a bit. (I didn’t have a 2.3 version available with which I could have adjusted the letter-spacing of the subslogan. (Without the reduced letter-spacing, setting it in 14pt Arial looked ugly.)))

Here’s Andrea’s reply to my latest helpless message:

“.US Nexus” <>
To: Rowan Rodrik van der Molen <>
Cc: “” <>
Date: Jul 23, 2007 9:46 PM
Subject: RE: {Registry#542-209} .US NEXUS COMPLIANCE BIGSMOKE.US


Please note the information below for Nexus category 3.

Nexus Category 3
A foreign entity or organization that has a bona fide presence in the United States of America or any of its possessions or territories.
Applicant must state country of citizenship
Applicant must also (1) regularly engage in lawful activities (sales of goods or services or other business, commercial or non-commercial including not-for-profit activities) in the United States; or (2) maintain an office or other property within the United States.

Though you are running a personal website which may have several visitors from the United States, this does not meet the Nexus requirements as stated above. Please provide documents that prove you meet the Nexus under category 3 as listed above.

Kind Regards
.US Customer Support

O.k. So she knows the rules. I’m hoping she understands them too. 😐 It would be especially nice and good (and pleasant too) if she understood them so well that she could explain them to me, because, by now, I still haven’t grown any wiser about what these requirements entail. I decided to ask her another time:

Dear Andrea,

That’s clear then. I see I must regularly engage in lawful activities. Apparently, writing articles for Americans is not a lawful not-for-profit activity. I’m not quite sure what, then, besides selling goods or services, are other “lawful, commercial or non-commercial including not-for-profit activities.” Still, I hope my understanding of this phraseology is not completely off as that might mean that, indeed, I wouldn’t have qualified to purchase a .US domain. (Not that I think that this would make it a good idea to break a piece of the web by withdrawing my domain from me after having let me use it to build my American readership over the course of 2 years.)

Anyway, to keep my share of the web intact and to satisfy your rules (which I still don’t know how to interpret correctly), I could consider transferring my domain to one of my American relatives who may be kind enough to let me keep using the same subdomains for my websites so that I won’t have to break any links. Then I could change the category of the domain to C12 again. Is changing the Registrant of the domain acceptable? I’m sure one of my family members wouldn’t mind owning a domain to keep my piece of the web working for everyone.

Thank you once again for your time and patience,

Changed the Nexus agreement for BigSmoke.US

My usage of the BigSmoke.US domain didn’t get approved yet. I was hoping for a little advice to come my way by submitting an Ask Slashdot this morning, but the story didn’t get past the firehose. After realizing that I should have submitted the story to my /. journal as that would allow Slashdotters to comment without the story having to make it, I just added a journal entry. I want all the exposure and feedback that I can get.

In the meantime, I’ve updated the Nexus agreement for my domain:

BigSmoke.US Nexus agreement - C12 to C31

I’m still puzzled why I landed in Category 1. I distinctly remember that in March 2005, when I registered the domain, I knew I was in Category 3. Either I didn’t get a category selection then or they simply didn’t store it correctly. Has anyone else who registered a .US domain at Wild West Domains during that time had a similar experience?

After my failure to get any answers from the Slashdot crowd, I picked up on my exchange with Andrea from NeuStar again. (On an aside: since her last message I had gotten two forwards of said message from Go Daddy. I’m crossing my fingers that they’re not going to bill me for every mail that Andrea carbon copies to them, especially if they’re going to forward each such mail twice!)

Rowan Rodrik van der Molen <>
To: “.US Nexus” <>
Date: Jul 21, 2007 11:06 PM
Subject: Re: {Registry#542-209} .US NEXUS COMPLIANCE BIGSMOKE.US

Dear Andrea,

I’ve updated my domain information to reflect the actual category which applies to me (C31). The changes should be visible in WHOIS lookups soon. When I registered the domain I was aware of which category I was in, but at the time (over 2 years ago) there either mustn’t have been an option to select the category or the selection simply wasn’t saved. I would never have consciously stated that “I’m a US citizen,” because it’s simply not true.

Now you apparently need some information from me before NeuStar can approve my use of the BigSmoke.US domain. I’m afraid I’m going to need a little help on this as I’m not very familiar with the legalities of .US domain regulations. I can tell you that my website is a resource for a US demographic and that it’s hosted in the US. I can easily prove that my website is hosted in the US. Would that be sufficient?

I’ve pointed to the statistics which say that most of my visitors are US citizens. Also, various pages on my website are bookmarked by hundreds of people using an American social bookmark manager []. Apparently, the fact that my website is of great use to Americans is of no import? Or is it just that I need to deliver more useful information about this?

Sorry for my ignorance and thank you for your time so far,

Crackdown on my .US infiltration attempt

Whether it has something to do with the current Terror Alert level or with a renewed surge of isolationism I don’t know, but my foreign ass no longer seems to be welcome below the Dot-US TLD. Never mind that almost all of my visitors are American. Or that my dot-US websites are hosted at US-based NearlyFreeSpeech. Or are my ties to the states sufficient that I just need to deliver the proof?

[Figure: awstats - Visitors by country]

So, what happened? Yesterday, I got a mail from .US Nexus, forwarded by GoDaddy. It wasn’t the worst that GoDaddy billed me $9.95 for … forwarding a mail to me. What was bad was the mail that they forwarded:

From: “” <>
Date: Jul 19, 2007 5:16 PM
Subject: [FWD: {Registry#542-209} .US NEXUS COMPLIANCE BIGSMOKE.US]

Dear Rowan Rodrik van der Molen,

Please see the Nexus Compliance Notice below from Neustar.


Domain Services

Subject: {Registry#542-209} .US NEXUS COMPLIANCE BIGSMOKE.US
From: “.US Nexus” <>
Date: Wed, July 18, 2007 3:46 pm
To: “” <>

Dear Go Daddy,

Please send the following verbiage to your customer.

Neustar Registries

Dear Rowan,

As you may be aware, in November 2001, the United States Department of Commerce (“DOC”) selected NeuStar, Inc. (“NeuStar”) to be the Administrator of the .US top-level domain (“usTLD”), the official top-level domain for the United States of America. As Administrator of the usTLD, NeuStar has agreed to perform random “spot checks” on registrations in the usTLD to ensure that they comply with the usTLD Nexus Requirements which can be found at (“Nexus Requirements”).

Our records indicate that you are the registrant of the domain name BIGSMOKE.US.

On July 18, 2007, this domain name was selected for Nexus revalidation and confirmation. According to the information you provided with your registration of these Domain Names, you indicated that you qualify under:

Category 1 – You are a US citizen or permanent resident

As part of our verification process, we ask that you provide to us by no later than ten (10) days after the date set forth above, a written response describing how you qualify under the above Nexus category.

In addition, please verify that the name-servers that you have selected to use are also physically located within the United States as required by the Nexus Requirements.

In some instances, we may request additional documentary evidence from you to demonstrate that you meet the Nexus requirements.

You should be aware that if you either (i) do not respond within the ten (10) days, or (ii) are unable to adequately explain or demonstrate through documentary evidence that you meet any of the Nexus Requirements, NeuStar may issue a finding that your entity or organization has failed to meet the Nexus Requirements. Upon such a finding, you will then be given a total of ten (10) days to cure the US Nexus deficiency. If you are able to demonstrate within ten (10) days that your entity or organization has remedied such deficiency, you will be allowed to keep the domain name. If, however, you either (i) do not respond within the ten (10) days of such a finding of noncompliance, or (ii) are unable to proffer evidence demonstrating compliance with the Nexus Requirements, the domain name registration will be deleted from the registry database without refund, and the domain name will be placed into the list of available domain names.

Thank you for your cooperation in this matter. Please let us know if you have any questions.

Kind Regards
.US Customer Support

.US America’s Internet Address

Address: Loudoun Tech Center
46000 Center Oak Plaza
Sterling, VA 20166 USA
Web Site:

This transmission (the e-mail and all attachments) is confidential and intended solely for the use of the addressee(s). If you have received this transmission in error, please notify the sender by reply and delete this transmission immediately. Any unauthorized distribution, or copying of this transmission, or misuse or wrongful disclosure of information contained in it, is strictly prohibited. The information contained in this document is provided on an as-is basis and does not constitute a binding legal contract or receipt for services. While this information is believed to be substantially correct, it is not intended to be substituted for appropriate legal counsel.

If you have any questions related to intellectual property rights, copyrights, service marks, whether in common use or legally registered, please contact your legal counsel. No statement made, printed, or otherwise disseminated by NeuStar or any of its employees, contractors, sub-contractors, web site, or interactive voice response system should be considered in any way legal or other advice.

I was left a little confused and hoped that, maybe, Andrea could shed some light on my ignorance.

From: Rowan Rodrik van der Molen <>
Date: Jul 19, 2007 6:40 PM
Subject: Re: [FWD: {Registry#542-209} .US NEXUS COMPLIANCE BIGSMOKE.US]

Dear Andrea,

When registering my domain, I actually did so because I qualify according to Category 3, not Category 1. I qualify because my .US websites are hosted at a US hosting provider (NearlyFreeSpeech) and donations to my website are processed by a US company (Paypal). Also, advertisements are served by Google inc.

Most of my visitors are US residents because my websites are targeted at an American audience. (Detailed statistics about this can be obtained from I’d like to note that my website is a valuable resource to many American web developers, database developers and system administrators. Because most of my visitors are American, it would be Americans who would be harmed most if I were to lose my dot-us domain.

As can be inferred from the Whois info, the nameservers for my domain are located at the same US hosting company as where my .us websites are hosted.

If you require any additional information, I’d be more than willing to send it to you. I wouldn’t have registered this domain if I hadn’t been convinced of the legality of such an action.

Thank you for your time,

Today, I got a friendly reply from Andrea:

From: “.US Nexus” <>
To: Rowan Rodrik van der Molen <>
Cc: “” <>
Date: Jul 20, 2007 6:31 AM
Subject: RE: {Registry#542-209} .US NEXUS COMPLIANCE BIGSMOKE.US


Your domain information in WHOIS shows you are a Category 1. That would indicate that you are a United States citizen. You will need to provide your current US drivers license to prove how you meet the .US Nexus guideline.

If you are doing legitimate business within the United States you will need to correct your domain information to reflect the .US WHOIS.

Below are two categories of which you may fall into.

C31: A foreign entity or organization that has a bona fide presence in the United States of America or any of its insular areas who regularly engages in lawful activities (e.g., sales of goods or services or other business, commercial or non-commercial, including not-for-profit relations in the United States).

C32: Entity has an office or other facility in the United States

If you claim C31, you will need to provide to us documentation in the form of a certificate of corporation or the ability to provide not only the sales of goods but to prove those sales are with United States residents/companies.

If you claim C32, you will need to provide documentation that proves you have an office or facility in the United States.

The information that you have provided in your e-mail is not sufficient enough to prove you meet the Nexus requirements.

Kind Regards,
.US Customer Support

.US America’s Internet Address

Address: Loudoun Tech Center
46000 Center Oak Plaza
Sterling, VA 20166 USA
Web Site:

[The same interesting legalese as in the previous mail from .US Nexus …]

All good and well, but all I can extract from this communication is that I need to change the category at GoDaddy. I still don’t understand if I’m eligible to have a dot-US domain (which I recently extended (with US dollars), by the way). Based on the usTLD Nexus Requirements I’d assume that I qualify for a dot-US domain under Category 3, “A foreign entity or organization that has a bona fide presence in the United States of America or any of its possessions or territories.” In full, the requirements for Category 3 are as follows:

Nexus Category 3

A foreign entity or organization that has a bona fide presence in the United States of America or any of its possessions or territories.

  • Applicant must state country of citizenship.
  • Applicant must also (1) regularly engage in lawful activities (sales of goods or services or other business, commercial or non-commercial including not-for-profit activities) in the United States; or (2) maintain an office or other property within the United States.

Category 3 Nexus Certification

Prospective Registrants will certify compliance with Category 3 Nexus based upon substantial lawful contacts with, or lawful activities in, the United States.

Factors that should be considered in determining whether an entity or organization has a bona fide presence in the United States shall include, without limitation, whether such prospective usTLD domain name Registrant:

  • Regularly performs lawful activities within the United States related to the purposes for which the entity or organization is constituted (e.g., selling goods or providing services to customers, conducting regular training activities, attending conferences), provided such activities are not conducted solely or primarily to permit it to register for a usTLD domain name and are lawful under the laws and regulations of the United States and satisfy policies for the usTLD, including policies approved and/or mandated by the DoC;
  • Maintains an office or other facility in the United States for a lawful business, noncommercial, educational or governmental purpose, and not solely or primarily to permit it to register for a usTLD domain name.

Apart from the fact that these days The Netherlands can be considered American territory, you’d think I neatly fit the requirements for C31, since I perform the following lawful activities in the United States:

  • I regularly pay my US hosting provider, NearlyFreeSpeech.Net, US dollars to host my US website.
  • I pay my US domain registrar (Wild West Hosting / Go Daddy) in US dollars for my domain.
  • These and other services are paid for using Paypal, which, last time I checked, was still a US company.
  • Advertisements on my regular website are served by Google, which, also, is a US company. This also means I get income from … a US company.
  • Almost all my visitors are American as I write for an English speaking audience.

I’m not sure if any of this is lawful. Perhaps, being active in America in any other way than singing the national anthem and waving a flag is illegal these days. But, I’d say that an English resource which is heavily linked to and visited by thousands (mostly Americans) should somehow be able to fit these requirements. After all, how are the interests of the American people served if a .US website is taken off-line because it’s run by a foreigner from overseas? Are my American visitors supposed to be happy if their links stop working and the top search results for some of their searches suddenly disappear?

I guess that’s not the point and I’m hoping that one of my visitors can help me figure out what I should send to Andrea to make her happy to let me keep the domain for which I’ve paid good USD.

© 2024 BigSmoke
