美金博客

出差去马尔康，周六出发，周一回来了。天没亮就出发，天黑了才到达。因为地震的原因，原来的都江堰-汶川-马尔康路线尚未完全康复，只有绕路走雅安-泸定-丹巴-金川-马尔康路线，行程时间从原来的9个小时增加到了14个小时。

图中可以看到路程增加了很多，尤其是姑咱镇到马尔康的路段，糟糕的一塌糊涂，我去的时候坐在大巴的最后一排，颠的饭都要吐出来了。回来的时候运气更不好坐上了一辆非常破烂的大巴车，椅子是烂的，靠背不能用力，否则就仰到后面人的腿上。车厢密闭，除了驾驶位的窗子能开，其它窗子都无法打开，司机说空调是烂的(其实是好的，司机要省油钱，因为后来司机也觉得热的时候开了几分钟的空调)，车厢内空气糟糕的要死。更加恼火的是如此不堪的空气居然还有人抽烟…..就在这样充满脚臭，狐臭，屁臭，各种食品的异味，呛人的烟味中熬到天全县的时候，大巴车的后轮胎坏了一个，又修了1个多钟头的轮胎。好歹我也是经历过数次北京春运回东北的人，按理说这样的小CASE恶劣环境应该不在话下的，可是这次却是如坐针毡，看来我真的是老了。

唯一值得欣慰的是，马尔康的气候宜人，远离了成都闷热的天气。凌晨5点多从机房出来回到宾馆，听着窗外的河水声心情平静了不少。马尔康的宾馆都很有民族特色，藏族风情随处可见，服务员也豪爽直率。因为目前是奥运非常时期，马尔康的大街上很容易体会到这样的紧张气氛，不时而过的运兵车装满了防暴警察，这样的场景与我上次来马尔康很不一样。因为这次来的时间短，颠簸了14个小时到马尔康，休息了半个小时就开始干活了，到了凌晨四点的时候体力基本上完全用光了，干活的时候总觉得地在摇，看其他人没反应，估计是我太累了又有幻觉了。第二天基本上没有多少力气出去逛了。不过一起工作的华为工程师介绍了不少藏族的东西，讲去藏族寺庙的体会，终于让我知道在中国也有不挖空心思捞钱的寺庙了，回想起几个月前到苏州的北塔报恩寺，真是感觉糟透了，神州大地举国捞钱，连最为脱俗的寺庙都未能幸免，没想到藏族的寺庙却坚守住了阵地。

带回了两斤青稞酒，饭店的老板娘说这酒度数不高，但是后劲大，喝着要小心。

凌晨一点半了，是听老歌的好时间。

http://list.mp3.baidu.com/list/oldsong.html?top6

浏览了一圈，看中了这个：

冬季到台北来看雨 (孟庭苇)

电影：<O Brother, Where Art Thou?>

<man of constant sorrow >

歌词：

Feat. Dan Tyminski
(In constant sorrow through his days )
I am a man of constant sorrow
I’ve seen trouble all my day.
I bid farewell to old Kentucky
The place where I was born and raised.
(The place where he was born and raised )
Hartford John
For six long years I’ve been in trouble
No pleasures here on earth I found
For in this world I’m bound to ramble
I have no friends to help me now.
(chorus) He has no friends to help him now
It’s fare thee well my old lover
I never expect to see you again
For I’m bound to ride that northern railroad
Perhaps I’ll die upon this train.
(chorus) Perhaps he’ll die upon this train.
You can bury me in some deep valley
For many years where I may lay
Then you may learn to love another
While I am sleeping in my grave.
(chorus) While he is sleeping in his grave.
Maybe your friends think I’m just a stranger
My face you’ll never see no more.
But there is one promise that is given
I’ll meet you on God’s golden shore.
(chorus) He’ll meet you on God’s golden shore.

转载一篇isc的文档:

http://www.isc.org/index.pl?/sw/bind/docs/support_bulletin_200707.php

ISC Support Bulletin - July 2007
Document last updated: 2007-07-30

There has been some confusion surrounding the changes to the “allow-recursion” and “allow-query-cache” options made with BIND 9.4.1-P1.

This document will attempt to clarify the change and the impact that it makes on BIND servers.

In BIND 9.3, there was no segregation of queries between cache and authoritative data.

The release of BIND 9.4 added fine-grained differentiation between queries against authoritative data (”allow-query”) and cached data (”allow-query-cache”). This allows more precise control, particularly if you do not want your clients to use any cached data, for example, in an authoritative-only nameserver.

Prior to the release of BIND 9.4.1-P1, the default action of “allow-recursion” and “allow-query-cache” was to permit the query. The P1 patch to BIND 9.4.1 caused two changes in this behavior:

1) If not explicitly set, the ACLs for “allow-query-cache” and “allow-recursion” were set to “localnets; localhost;”.

2) If either “allow-query-cache” or “allow-recursion” was set, the other would be set the same value.

Upgrading from the BIND 9.3 branch to BIND 9.4.1-P1 will significantly restrict those servers that were previously recursive servers for more than “localhost; localnets;” unless configuration changes are made.

To retain the behavior prior to BIND 9.4.1-P1, the following entries should be created in your named.conf file:
Code:

 options {
     ...
     allow-recursion { any; };
     allow-query { any; };
     allow-query-cache { any; };
     ...
 };

We strongly advise against this configuration because clients spoofing queries can use your servers to launch distributed denial-of-service attacks.

The recommended method is to create ACLs that match hosts that should be allowed access to cache and recursion on the servers. For example, if you wanted to provided recursion and access to the cache to clients you trusted, you could list them in an ACL such as the following:
Code:

 acl "trusted" {
     192.168.0.0/16;
     10.153.154.0/24;
     localhost;
     localnets;
 };

 options {
     ...
     allow-query { any; };
     allow-recursion { trusted; };
     allow-query-cache { trusted; };
     ...
 };

软件有bug比较常见，协议有漏洞一般还是比较少。距离7月8日发现的DNS协议漏洞已经过去一周时间了，似乎互联网上并未爆出由此次DNS漏洞引发的重大安全新闻。这得益于发现漏洞的大牛Dan Kaminsky低调的处理风格：没有率先公开漏洞，而是先召集了相关DNS server软件厂商来出相关的patch，并声称即便对补丁反向工程也没什么用。

DNS安全无小事，关于此次协议漏洞的中文说明可以看delphij的Blog。计算机技术发展的太快，很多原有的协议设计已经慢慢的捉襟见肘了，就像Bill Gates声称640k memory对任何人都够用一样，成为历史的速度太快了。

每次在清晨迎着太阳从客户机房出来的时候，我就常常想放弃这个职业。