Fix Headers, Spaces

We have a [page](/howto/Getting-started) for that!

### Can I update the wiki?

This wiki is the main reference about dn42. It is available in read-only mode from the Internet [here](https://wiki.dn42.us) or [here](https://dn42.dev) or [here](https://dn42.tk) or [here](https://dn42.eu), [tor](http://jsptropkiix3ki5u.onion) and [i2p](http://beb6v2i4jevo72vvnx6segsk4zv3pu3prbwcfuta3bzrcv7boy2q.b32.i2p/) and for editing from within dn42, at [https://wiki.dn42](https://wiki.dn42) - [https](services/Certificate-Authority) required for editing.

An svg of the DN42 Logo is available [here](/dn42.svg).

ipv4: 172.22.255.160/28

ipv6: fd04:de02:7af9::/64

IP IPv6 User Host ASN

-------------- ------------------- --------- ----------- -----

172.22.255.161 fd04:de02:7af9::161 uves spline 64733

(64511, 8) :: latency \in (1097ms, 2981ms]

(64511, 9) :: latency > 2981ms

(64511, x) :: latency \in [exp(x-1), exp(x)] ms (for x < 10)

(64511, 21) :: bw >= 0.1mbit

(64511, 22) :: bw >= 1mbit

(64511, 23) :: bw >= 10mbit

(64511, 25) :: bw >= 1000mbit

(64511, 2x) :: bw >= 10^(x-2) mbit

bw = min(up,down) for asymmetric connections

(64511, 31) :: not encrypted

(64511, 32) :: encrypted with unsafe vpn solution

(64511, 33) :: encrypted with safe vpn solution (but no PFS - the usual OpenVPN p2p configuration falls in this category)

else if (64511, 33) ~ bgp_community then { bgp_community.delete([(64511, 34..34)]); return 33; }

else return 34;

}

function update_flags(int link_latency; int link_bandwidth; int link_crypto)

int dn42_latency;

int dn42_bandwidth;

* Replace `<PEER_AS>` the Autonomous System Number of your peer (only the digits)

* Replace `<PEER_NAME>` a self chosen name for your peer

```

#/etc/bird/bird6.conf

/*

krt_prefsrc defines the source address for outgoing connections.

On Linux, this causes the "src" attribute of a route to be set.

Without this option outgoing connections would use the peering IP which

would cause packet loss if some peering disconnects but the interface

is still available. (The route would still exist and thus route through

/*

krt_prefsrc defines the source address for outgoing connections.

On Linux, this causes the "src" attribute of a route to be set.

Without this option outgoing connections would use the peering IP which

would cause packet loss if some peering disconnects but the interface

is still available. (The route would still exist and thus route through

# External Links

* detailed bird configuration from Mic92: https://github.com/Mic92/bird-dn42

protocol kernel {

scan time 20;

ipv6 {

import none;

export filter {

template bgp dnpeers {

local as OWNAS;

path metric 1;

ipv4 {

import filter {

if is_valid_network() && !is_self_net() then {

}

```

## Redirect

~~There are forwarding rules for _PERSON_ @ dn42.org to the mail addresses which have been given in the registry. Please note that the trailing `-DN42` is stripped from the local part.~~

| Handle | Alias | Redirection |

|:------------ |:-------------- |:--------------------- |

Introduced with Postfix version 3.0, this fully supports UTF-8 email addresses and UTF-8 message header values.

more at the [SMTPUTF8_README](http://www.postfix.org/SMTPUTF8_README.html).

### Exim

/* Warning: Do not remove the following line. */

/* === vyatta-config-version: "config-management@1:dhcp-relay@1:dhcp-server@4:firewall@4:ipsec@3:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */

/* Release version: v1.3.0.4605130.131011.1754 */

#### Copy OpenVPN key to the EdgeRouter

Copy the VPN key to `/config/auth/SomeSharedKey.key`:

sudo cat > /config/auth/SomeSharedKey.key

Paste the key in the terminal window, hit return once and kill `cat` with CTRL+C. Then type `exit`.

save

#### Announce Route to BGP

set protocols bgp 111111 network 172.A.A.64/27

commit

save

}

interface eth0

}

```

# Security

See [IPsec on FreeBSD](ipsec-on-freebsd).

## How to configure GRE + IPsec on Debian

authentication_algorithm hmac_sha1;

}

1. Best practice is to generate the private key on the router itself, and not transfer it to another machine. This part should be kept secret!

2. Generate a key of at least 2048 bits, preferably 4096 if both ends support it.

3. Some implementations support more than one key format. The examples here only show how to use one of them (usually PEM) for brevity.

foo(config-pubkey-chain)#addressed-key 192.0.2.2

foo(config-pubkey-key)#key-string

Enter a public key as a hexidecimal number ....

foo(config-pubkey)#30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101

foo(config-pubkey)#00F3E0AA 8924E512 C08BA87C 73820A15 E5180DDC EF827221 2B3864BF B2D2A5E0

foo(config-pubkey)#33D04C1D 43A0CAF8 617EEEBA 7DB5BD38 429660CC 3144618E 4F386201 52483DA7

interface FastEthernet0/0

description WAN

ip address 192.0.2.1 255.255.255.0

verify_cert on;

send_cert off;

send_cr off;

proposal {

encryption_algorithm aes 256;

hash_algorithm sha256;

FLOWS:

flow esp in proto gre from 1.3.3.7 to 3.4.5.6 peer 1.3.3.7 srcid 3.4.5.6/32 dstid 1.3.3.7/32 type use

flow esp out proto gre from 3.4.5.6 to 1.3.3.7 peer 1.3.3.7 srcid 3.4.5.6/32 dstid 1.3.3.7/32 type require

SAD:

esp transport from 1.3.3.7 to 3.4.5.6 spi 0xdeadbeef auth hmac-sha1 enc aes

esp transport from 3.4.5.6 to 1.3.3.7 spi 0xf00df00d auth hmac-sha1 enc aes

tunnel 3.4.5.6 1.3.3.7

inet 10.20.30.0 10.20.30.1

## Se also

# NAME KEY-SIZE

0 PR mykey 4096-bit

1. Export the public key to a file.

[admin@mtk1] /ip ipsec key> export-pub-key mykey file-name=mykey.pub

[admin@mtk1] /ip ipsec key> /file print where name=mykey.pub

# NAME TYPE SIZE CREATION-TIME

2 mykey.pub ssh key 451 jul/20/2014 12:35:33

[admin@mtk1] /ip ipsec key> import peer-key.pub name=peer-key

passphrase:

[admin@mtk1] /ip ipsec key> print

Flags: P - private-key, R - rsa

# NAME KEY-SIZE

lifetime=8h local-address=192.0.2.1 remote-key=peer-key

/ip ipsec policy

add dst-address=192.0.2.2/32 protocol=gre sa-dst-address=192.0.2.2 \

ubnt@ubnt:~$ generate vpn rsa-key bits 4096 random /dev/urandom

Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key

Your new local RSA key has been generated

The public portion of the key is:

0sAQPNdF370ZEbN+kZUJQ10qnBlZujrg39ujfk20ILTjELksOIdJw/4jiU1MfpqFDKuB/XxERwJQp2POsFyV/n76jAgxIYBfFYfuaBcIH1rdNQtDhCnkmWzlueRXGEsz0Af79n8TKyQ9otzNhJ2cPE1CWCJbKqbIUN3piviLgGlItWNeya+Tl3Oj3ZfEVwr1QOvUAw32+m4L8T9jf1vqSlOTHpRpxxPWBrLEzstk0FOcZISji2JBpDOCU8Kpyyf74JM+LxsOIHwmS15b6iFZR3U9KZLqbbd0dSy/cM8P4XjrwM5UMyRDjrLqvuA/K/33BgtnxdQR3e9DJoYH3Qr8eRgSkR+jHyq06LvgHkHbMvrEjUnc3n8bg+YfR4oyJpIWsKjfIXmN1Q51KzxAPIAww+YSYUYtamSsQsspVAtMIQqR4e0r1In1qyoSn8VCPlksNMWpqYHbSjDo5HJYoSwxf2epzMtCvhenn0OuiH0xlgzziA+wBi6txksTMvJYcPJYnBVR2NIBjkWftOfmkY+rKMozViGjyd6kB7C8lqd8W7Ha5Ds2WxIY22DM3HcYH/zTp9z2xbuMOsbIgib/Y12Kh0wHyCz0lzFvs+d6CZwinyIXNKB/Vo4iiwT5luL5mGqf3pZx4zB+30GYSs/6MaELRF9BxD7tfqYCkOLXUtxyZ4Pdl2sw==

### Exchange public keys with your peer

1. Display the public key. Send the key data portion to your peer.

ubnt@ubnt:~$ show vpn ike rsa-keys

Local public key (/config/ipsec.d/rsa-keys/localhost.key):

0sAQPNdF370ZEbN+kZUJQ10qnBlZujrg39ujfk20ILTjELksOIdJw/4jiU1MfpqFDKuB/XxERwJQp2POsFyV/n76jAgxIYBfFYfuaBcIH1rdNQtDhCnkmWzlueRXGEsz0Af79n8TKyQ9otzNhJ2cPE1CWCJbKqbIUN3piviLgGlItWNeya+Tl3Oj3ZfEVwr1QOvUAw32+m4L8T9jf1vqSlOTHpRpxxPWBrLEzstk0FOcZISji2JBpDOCU8Kpyyf74JM+LxsOIHwmS15b6iFZR3U9KZLqbbd0dSy/cM8P4XjrwM5UMyRDjrLqvuA/K/33BgtnxdQR3e9DJoYH3Qr8eRgSkR+jHyq06LvgHkHbMvrEjUnc3n8bg+YfR4oyJpIWsKjfIXmN1Q51KzxAPIAww+YSYUYtamSsQsspVAtMIQqR4e0r1In1qyoSn8VCPlksNMWpqYHbSjDo5HJYoSwxf2epzMtCvhenn0OuiH0xlgzziA+wBi6txksTMvJYcPJYnBVR2NIBjkWftOfmkY+rKMozViGjyd6kB7C8lqd8W7Ha5Ds2WxIY22DM3HcYH/zTp9z2xbuMOsbIgib/Y12Kh0wHyCz0lzFvs+d6CZwinyIXNKB/Vo4iiwT5luL5mGqf3pZx4zB+30GYSs/6MaELRF9BxD7tfqYCkOLXUtxyZ4Pdl2sw==

2. Convert your peer's public key to the Base64 RFC 3110 format using the [pubkey-converter][pubkey-converter] script, if necessary.

rsa-key 0sAwEAAbsbRoUcgdm4A4Nm+PLxWcW+zFis7pkaJ0MkGVzM7VC8nmngkM+W2zqZyQ4NUTBKKfGOUc4Ogi6gyhlzUnHdag9tDERIX+BwlDO6G4arod9z9KqmJuX4AOYVjH5QlAPz7NDMAezVekGoVLPGdOAMPD6NN54ihLRH6V3if8AGoJRpiajhcgQipjeQnhH4QhsYK4XSjayGT1onQwA8nhy5kt4ofyqSale4Fl4166S9tCn4RKwtlJDjR6VIrg6op6Ip8+ke2vjEHPJHj6qVsxfRgOk2d8pY8oPVt8ayc5F1z+lqJ7R0fADfN+AQSaBqOMmg5dHDFYWwgYkU5egdVKS7Oko6uNuUWsZ0VEnRoPZ4syJEUbiF5wGfaVBaaVLZYUlRLQCffB4JKzp+JesVToCX6JYRfb4JYQWFCDeQfrqRZHM4r13h8MOWPn9cqXcP47RKJjzNp6595biUotmCbMHyy/uveMWxK6vDzPQRkywqMMJE2qOyACmbMnSce9KlYhvma82Vd+z/9/U9NEy0s5MaYNDn+q+KYT5My3NSv52F6sLVGrKxTk79tzUejZcoukJv+gf51Epam4kVHzPIal/khsfjZn6YCU2j5+qcdRmzF+SG5c2WicvEU2Gc4ratfYNEPxU5oArzHIhIz6x2nAF+szcx/x8GEyXPNHnxEboJB7ox

}

}

valid_lft forever preferred_lft forever

root@debian:~# more /etc/ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

config setup

conn %default

keyexchange=ikev1

dpdaction=restart

conn MYPEER

# peer IPs

left=192.0.2.1

rightprotoport=gre

# startup

auto=route

valid_lft forever preferred_lft forever

root@debian:~# more /etc/ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

config setup

conn %default

keyexchange=ikev1

dpdaction=restart

conn MYPEER

# peer IPs

left=192.0.2.1

rightid=NATIP

# See also

# /etc/pim6sd.conf

# disable all interfaces by default

default_phyint_status disable;

# enable the pim-router-id interface first to acquire the correct primary address

phyint pim-router-id enable;

# add multicast-capable peer interfaces below

phyint dn42-peer1 enable;

# configure rendezvous point for the personal multicast prefix

cand_rp pim-router-id;

group_prefix ff7e:230:fd00:2001:db8::/96;

```

The `phyint` statement enables [PIM](https://tools.ietf.org/html/rfc7761) and [MLD](https://tools.ietf.org/html/rfc2710) on the target interface - by default all interfaces are in the disable state. Enable an interface if it is directed towards a multicast-capable peer or other multicast-capable routers in your autonomous system. Also enable it for downstream network segments with multicast listeners and senders, like for example your home (W)LAN segments.

With `cand_rp` and `group_prefix` statements you can configure this router as a Rendezvous Point (RP) for your personal multicast group prefix. The address on the interface given as `cand_rp` will be used as the primary address for your RP, it therefore *must* be routable.

---

ToDo:

* We have a solution for personal multicast prefixes tied to the network prefix of an AS owner. But what to do with multicast addresses that not only have listeners but also senders globally? We could have everyone add an additional "group_prefix ff00::/8" and then multicast router with the lowest address would win and become the central RP for all these addresses... not really scalable, robust or decentral though :-/. Should we use PIM-DM for some of these addresses instead (e.g. ones which generally have a low throughput, for instance Bittorrent Local Peer Discovery)? Or maybe those global addresses should be managed and configured as /128 and people who are interested in managing a specific, global multicast address will coordinate with each other?

### With Multiple Prefixes

## More Info

```

Example installation:

This is mostly OpenBSD specific since [bgplg(8)](http://man.openbsd.org/bgplg.8) and [httpd(8)](http://man.openbsd.org/httpd.8) ship as part of the operating system.

The **bgplg** manual contains the few steps and example [httpd.conf(5)](http://man.openbsd.org/httpd.conf.5) required to enable the looking glass.

## DNS

vtysh(config-router-af)> exit

vtysh(config-router)> exit

vtysh(config)> exit

### peer groups, prefix lists and such

If you want to use 'prefix-list' to filter some of the prefixes quagga is receiving, you can use a 'peer-group' instead of apply the prefix list to every neighbor.

ip prefix-list vpn-in seq 5 permit 172.22.0.0/15 ge 22 le 28

!new dn42 allocation:

ip prefix-list vpn-in seq 10 permit 172.20.0.0/16 ge 22 le 28

! Anycast /32s for Whois and DNS:

ip prefix-list vpn-in seq 11 permit 172.22.0.43/32

ip prefix-list vpn-in seq 12 permit 172.22.0.53/32

....

172.23.64.1 4 4242421375 0 0 0 0 0 never Active

fe80::deca:fbad 4 64699 902 694 0 0 0 01:23:57 486

The route announcement is covered by a ROA and the announcing AS is invalid (possibly hijacking)

* UNKNOWN

There exists no ROA for the route announcement

## How can I implement ROA on dn42?

On dn42 we generate ROA information from the dn42 registry.

You can find a hosted example of dn42regsrv at https://explorer.burble.com/

Instructions on how to host dn42regsrv yourself can be found on the git repo of [dn42regsrv](https://git.dn42.us/burble/dn42regsrv).

You can also run dn42regsrv via docker (then available at 127.0.0.1:8042):

git checkout https://git.dn42.us/burble/dn42regsrv.git .

cd contrib/docker

./build.sh

docker-compose up -d

Documentation for the api endpoints can be found here: https://git.dn42.us/burble/dn42regsrv/src/master/API.md

### gortr

### How do I integrate RTR with my BGP implementation

---

`git log` will list all the recent commits and show the commit hash:

```

PGP keys may be uploaded to a public keyserver for verification, or added in the registry.

- Use the following `auth` attribute in your `mntner` object:

```

```

There are examples below for each specific key type.

OpenSSH v8 introduced new functionality for creating signatures using SSH keys. If you have an older version, you can compile the latest version of ssh-keygen from the [openssh-portable repo](https://github.com/openssh/openssh-portable).

pause

ping %gateway6%

pause

```

/ip dns static

add comment=DN42 forward-to=172.23.0.53 regexp=".*\\.dn42" type=FWD

There should an attribute like:

```

gateway=gre-dn42-peer gateway-status=gre-dn42-peer reachable

$ sysctl -a | grep forwarding

```

Do not configure iptables/nftables to drop packets with invalid conntrack state in forward chain.

and your firewall will drop it if it is configured to drop packets with invalid state.

* [IPv4 - multicast](https://en.wikipedia.org/wiki/Multicast_address#GLOP_addressing)

* [IPv4 - GLOB calculator](http://labs.spritelink.net/glop)

* [RFC3108 GLOP Addressing in 233/8](http://tools.ietf.org/html/rfc3180)

Address = <your DN42 ipv4>/32

Peer = <peer DN42 ipv4>/32

This node will then automatically generate configuration, private/public keys and will exchange this key with the other node on connection.

VyOS is an open source software router. It is feature rich and supports multiple deployment options such as physical hardware (Old PC's) or a VPC/VM. The developers have a nightly rolling release that includes all the latest features such as Wireguard.

It can be downloaded here https://www.vyos.io/rolling-release/.

Now that we have a tunnel to our peer and theoretically can ping them, we can setup BGP.

`set protocols bgp 424242XXXX address-family ipv4-unicast network 172.x.x.x\x`

_Insert your ASN and your assigned network block. Note that this should match your exact prefix as listed in the registry; if you try to advertise a subnet of your assigned block it could get filtered by some peers._

`set protocols bgp 424242XXX parameters router-id 172.x.x.x`

_To keep it simple just make your router ID match your lower IP within the DN42 registered space._

`set protocols bgp 424242XXXX neighbor 172.x.x.x address-family ipv4-unicast`

_This is likely the same IP as the one used in your static route earlier when creating the Wireguard tunnel._

`set protocols bgp 424242XXXX neighbor 172.x.x.x ebgp-multihop 20`

_This setting may need to be adjusted depending on circumstances_

`set protocols bgp 424242XXXX neighbor 172.x.x.x remote-as 424242XXXX`

_Your peers ASN_

`show ip bgp summary`

Burble has made this super easy. More info can be found [here](https://wiki.dn42/howto/ROA-slash-RPKI) on this wiki. Get started by running the below command on a Linux server with Docker installed.

```

sudo docker run -ti -p 8082:8082 cloudflare/gortr -cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082

```

This will start a docker container that listens on the host server's IP at port 8082. This setup is using Cloudflare's GoRTR and automatically reaching out and downloading a custom JSON file generated by Burble just for the DN42 network.

`set protocols rpki cache GoRTR address x.x.x.x`

`set protocols rpki cache GoRTR port 8082`

You can check the connection with `show rpki cache-connection` and the received prefix-table with `show rpki prefix-table`.

```

set policy route-map DN42-ROA rule 10 action 'permit'

set policy route-map DN42-ROA rule 10 match rpki 'valid'

set policy route-map DN42-ROA rule 30 match rpki 'invalid'

```

This example allows all routes in unless they are marked invalid or in other words possibly been a victim of BGP hijacking.

```

set protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-map import DN42-ROA

set protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-map export DN42-ROA

```

## Example Route Map

### No RPKI/ROA and Internal Network Falls Into DN42 Range

```

```

$ ip addr add 172.xx.xx.xx/32 peer 172.xx.xx.xx/32 dev <interface_name>

$ ip link set <interface_name> up

```

<!-- Nurtic-Vibe has another [script](https://git.dn42.us/Nurtic-Vibe/grmml-helper/src/master/create_wg.sh) to interactively automate the peering process. -->

Maybe you should check the MTU to your peer with e.g. `ping -s 1472 <end_point_hostname_or_ip>`. If your output looks like `From gateway.local (192.168.0.1) icmp_seq=1 Frag needed and DF set (mtu = 1440)` substract `80` from the MTU and set it via `ip link set dev <interface_name> mtu <calculated_mtu>`

PostUp = /sbin/ip addr add dev %i <MyIPv4>/32 peer <PeerIPv4>/32

PostUp = /sbin/ip addr add dev %i <MyIPv6>/128 peer <PeerIPv6>/128

Table = off

[Peer]

Endpoint = <your peer's wireguard endpoint>

PublicKey = <your peer's public key>

This page can be useful if you are trying to automate something or if you are trying to retrieve data programmatically.

Authenticate your users by having them verify their ASN ownership with KIOUBIT-MNT using their registry-provided methods in an automated way.

More Information in the setup tutorial: https://dn42.g-load.eu/auth/documentation/tutorial.html

To use the service, please message Kioubit on IRC to have your domain activated.

[dn42regsrv](https://git.dn42.us/burble/dn42regsrv) is a REST API for the DN42 registry that provides a bridge between interactive applications and the registry.

|:------------------------------------------------- |:--------------------------------------------------------------- |

| http://stream.media.dn42/ | icecast-relay, contact toBee for more streams (DOWN 2020-11-02) |

| http://radio.hex.dn42/ | Ambient musics |

## File Sharing

### Augsburg

We have a plugin that enables us to announce services in the mesh. So instead of listing them here again just have a look at http://10.11.0.8/cgi-bin/luci/freifunk/services to see what we have to offer.

… or the service that would make dn42 truly interesting for people (for non-technical reasons).

- it should be difficult to setup on the Internet (for technical or legal reasons)

- it should interest people that are likely to know dn42 (hackerspaces, etc)

| irc.hackint.hack/dn42 | Yes | ChaosVPN |

| irc.dn42 | Yes | Internal IRC |

| Hostname / IP | Remarks |

|:--------------|:--------|

| Offline | | |

|---------------------------------------|-------------|-------------|

WorkingDirectory=/etc/ssl/dn42

ExecStart=/etc/ssl/dn42/ca.dn42 tls-sign wiki.dn42 MIC92-MNT

# accept multiple ExecStart lines for other certificates

ExecStart=/usr/bin/nginx -s reload

```

```

## Certificate transparency

## PKI Store

- Contact [XUU-DN42](https://io.nixnodes.net?t=person&l=XUU-DN42) and ask for write access to the repo

- Setup cron for periodic pull/push jobs for the repo (simple example):

+ **wiki-sync.sh**:

```sh

- Install [gollum](https://github.com/gollum/gollum)

- Start two gollum instances, read-only and read/write on `127.0.0.1`:

Read/write (SSL only):

```

RACK_ENV=production gollum --css --host 127.0.0.1 --port 4568 <path>

## Nginx reverse proxy

- Setup your maintainer object according to [Automatic CA](/services/Automatic-CA)

- Generate a [CSR](/services/Certificate-Authority) and send DNS Key Pin to [xuu@sour.is](mailto:xuu@sour.is):

```

ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

ssl_session_cache shared:SSL:2m;

ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;

ssl_prefer_server_ciphers on;

## ExaBGP

The prefix AS-PATH should show the announcement is originating from your AS. After peering ExaBGP to the nearest speaker(s), check if the prefix is routing properly inside your network. Try not to blackhole the passing traffic (e.g. no static routes to `172.23.0.80/32`). Test the whole thing by shutting down nginx/gollum and watch what happens.

ROUTE='172.23.0.80/32'

## the anycast v6 route (/64 due to prefix size limits)

ROUTE6='fd42:d42:d42:80::/64'

## the next-hop we'll be advertising to neighbor(s)

NEXTHOP='<source-address>'

NEXTHOP6='<source-address-v6>'

INTERVAL=60

###########################

RUN_STATE=0

check_urls() {

for url in "${URL[@]}"; do

## workaround curl errno 23 when piping

http_response=`${CURL} --insecure -g -s -L -o - "${url}"`

echo "${http_response}" | egrep -q "${VALIDATE_KEYWORD}" || {

return 1

}

fi

sleep ${INTERVAL}

done

exit 0

cpid=$!

[ ${cpid} -eq 0 ] && {

echo "ERROR: could not start process"; return 1

}

echo ${cpid} > ${PID_FILE}

}

**Free E-Mail Addresses for DN42 Users.**

* DN42 Mail, https://dmail.dn42

* Free, easy to sign up, unlimited internal emailing. Hosted by zane_reick

The NL-Zuid website is also available from the public internet: https://nl-zuid.nl

* Phone #: +493727/959023

* Sipgate: 5884293

* SIP: maxx(at)maxx.spaceboyz.net

### Future services

- streaming

* [DNS Quick Start](/DNS)

* [Old Hierarchical DNS](/Old-Hierarchical-DNS)

|----|----|----|----|----|----|

| cronix | _down_ | news.crystalnet.dn42 | _yes_ | as requested | _no_ |

| UFO | _down_ | [UCIS.ano news](http://cgiproxy.ucis.dn42/nph-proxy.cgi/00/http/www.ucis.ano/news/) | _no_ | anonet, dn42 | _limited_ |

You may want to set up a resolver, see link below or use 172.23.0.53 directly.

## [Old Hierarchical DNS](/Old Hierarchical DNS)

ipv4 {

# export all available paths to the collector

add paths tx;

# import/export filters

import none;

export filter {

fi

# Measure Section ##########

```

You can reach the local node via web browser at [http://localhost:3456](http://localhost:3456).

## Further informations

Previously, some DN42 users had provided VMs to the community, but it is not known if any of these are currently active any more. The list of old providers is below the break.

If you have a DN42 project but do not have the resources to host it yourself, the burble.dn42 network may be able to provide hosting for you. Contact burble on IRC or via email to discuss.

---

| Person | RAM | HDD | Net | CPU | Description | No. Available

|:------------- |:------ |:--------- |:---------- |:---------- |:-------------------------- |:--------------------------|

| florianb | 384 MB | 5 GB | dn42 only | 1x 2.2Ghz | OpenVZ in Germany, good peers | always enough

| nellicus | 384 MB | 5 - 10 GB | dn42 only | 1x 2.6Ghz | Xen/KVM Washington, DC USA | 0

|Basil | 256 MB | 20 GB | dn42, NAT v4, /64 v6 | 1x 3.4Ghz | KVM, Gravelines, France | Always enough

| burble | whois.burble.dn42 | 172.20.129.8 / fd42:4242:2601:ac43::1 |

| taavi | whois.svc.as4242423270.dn42 | 172.22.130.143 / fd96:70f6:b174:<span>ac</span>::43 |

| **person** | **dns** | **ip** |

|------------|---------------------------|-----------------|

```

options {

# [...]

validate-except {

"dn42";

"20.172.in-addr.arpa";

```

## MS DNS

## Configuration

You may want to participate in the anycast DNS cloud.

| xuu |ON,CA| 64737 | souris.root.dn42 (fdea:a15a:77b9:53::1) | |

| Nurtic-Vibe |EU |4242420123 | ns1.grmml.dn42 (fd42:23:149:cccc::53) ||

| hax404 | DE | 76114 | chero.hax404.dn42 (fd58:eb75:347d:101::1) ||