Sam Trenholme's webpage

MaraDNS 3.5.0012


August 12 2020

I have released MaraDNS 3.5.0012 to address a minor security issue. I also discuss the end of BuyVM’s OpenVZ servers.

==MaraDNS 3.5.0012==

The mmLunacyDNS program did not use a secure hash compression scheme when hashing strings. As a result, it could have been, under some unusual circumstances, vulnerable to denial of service attacks.

To fix this issue, I have updated Lunacy (the MaraDNS-specific fork of Lua 5.1), mmLunacyDNS, and coLunacyDNS to use a secure hash compression function called HalfSipHash-1-3. The reason I am using this function is that it is secure enough for our uses, while being rather fast with both 32-bit and 64-bit code.
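To illustrate the weakness and the fix described above, the following C sketch is an added example, not code from MaraDNS or Lunacy: it places the string hash of stock Lua 5.1 beside a HalfSipHash-1-3 written from the published HalfSipHash design. The key constants and the 40-byte names are constructed for the demonstration; a real server would draw the key from the operating system's random source at startup.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROTL(x, b) (uint32_t)(((x) << (b)) | ((x) >> (32 - (b))))
#define SIPROUND do { v0 += v1; v1 = ROTL(v1, 5); v1 ^= v0; v0 = ROTL(v0, 16); \
    v2 += v3; v3 = ROTL(v3, 8); v3 ^= v2; v0 += v3; v3 = ROTL(v3, 7); v3 ^= v0; \
    v2 += v1; v1 = ROTL(v1, 13); v1 ^= v2; v2 = ROTL(v2, 16); } while (0)

/* String hash of stock Lua 5.1 (lstring.c): no key, and strings of 32 or
 * more bytes are sampled every `step` bytes, so skipped bytes never count. */
uint32_t lua51_hash(const char *s, size_t l) {
    uint32_t h = (uint32_t)l;
    size_t step = (l >> 5) + 1, i;
    for (i = l; i >= step; i -= step)
        h ^= (h << 5) + (h >> 2) + (unsigned char)s[i - 1];
    return h;
}

/* HalfSipHash-1-3, 32-bit output: every input byte is absorbed and the
 * result depends on the secret 64-bit key (k0, k1). */
uint32_t halfsiphash13(const char *s, size_t l, uint32_t k0, uint32_t k1) {
    const unsigned char *in = (const unsigned char *)s;
    uint32_t v0 = k0, v1 = k1, v2 = 0x6c796765u ^ k0, v3 = 0x74656462u ^ k1;
    uint32_t b = (uint32_t)l << 24, m;
    size_t i, j;
    for (i = 0; i + 4 <= l; i += 4) {           /* one round per 32-bit word */
        m = in[i] | in[i + 1] << 8 | in[i + 2] << 16 | (uint32_t)in[i + 3] << 24;
        v3 ^= m; SIPROUND; v0 ^= m;
    }
    for (j = 0; i + j < l; j++) b |= (uint32_t)in[i + j] << (8 * j);
    v3 ^= b; SIPROUND; v0 ^= b; v2 ^= 0xff;
    SIPROUND; SIPROUND; SIPROUND;               /* three finalization rounds */
    return v1 ^ v3;
}

/* Count distinct hash values over 26 constructed 40-byte names that differ
 * only in byte 0. The key below is a constructed constant for the demo. */
int distinct_hashes(int keyed) {
    uint32_t seen[26], h; char name[41]; int count = 0, i, j;
    for (i = 0; i < 26; i++) {
        memset(name, 'a', 40); name[40] = '\0'; name[0] = (char)('A' + i);
        h = keyed ? halfsiphash13(name, 40, 0x01234567u, 0x89abcdefu) : lua51_hash(name, 40);
        for (j = 0; j < count && seen[j] != h; j++) ;
        if (j == count) seen[count++] = h;
    }
    return count;
}

int main(void) { printf("%d %d\n", distinct_hashes(0), distinct_hashes(1)); return 0; }
```

The first number printed is the count of distinct values under the Lua 5.1 hash and the second is the count under the keyed hash. With the unkeyed hash, all 26 names share one hash value and therefore one hash-table bucket, which is what turns table operations into a linear scan.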

One reason why MaraDNS has had, over the years, a pretty strong NIH policy (Not invented here: Use MaraDNS with a minimum of external third party code) is because, once I incorporate third party code into MaraDNS, I am responsible for any and all security issues that code may have. So, since Lua 5.1 has a security issue with string hash collisions, and since I use Lua 5.1 in MaraDNS, I am now the one who has fixed this bug.

This issue does not affect MaraDNS nor Deadwood. This issue only affects the new Lua-based nameservers, mmLunacyDNS and coLunacyDNS, which, while included with MaraDNS releases, are still undergoing active development and are currently not stable.

MaraDNS 3.5.0012 can be downloaded at SourceForge and MaraDNS’s download page.

==The end of BuyVM OpenVZ==

Frantech (BuyVM) no longer sells OpenVZ plans, and their current OpenVZ nodes will no longer be in service at the end of this year.

Back in the days of the housing mortgage crash recession of the early 2010s, FranTech revolutionized low-cost web hosting by providing OpenVZ virtual servers with root access for only $15 a year. Sure, they only had 128 megs of memory and 15 gigs of space, and they could only run Linux, but they could really nicely run a full web, DNS, and mail server if one was careful about the software they used (nginx instead of Apache, MaraDNS instead of Bind, etc.).

I was able to get one and use it for a few years as a server for my domains; I was able to even run my MaraDNS mailing list from there, where we had a small but vibrant community. As the years passed on, running a mailing list on a tiny 128 megabyte virtual machine was no longer viable—the number of spammers who send non-stop spam to any mailing list increased to the point that it was overloading my mailing server.

Finally, in late 2019, with the end of life for CentOS 6 looming, and with CentOS 8 being released, I looked into upgrading my BuyVM nodes to run CentOS 8. I asked BuyVM if they would provide CentOS 8 support for their OpenVZ nodes. They told me they didn’t think it would work; finally, after waiting a few months, with CentOS 6’s end of life coming closer, I gave up on BuyVM and moved my web sites over to Dreamhost, using a low cost unlimited shared hosting plan.

My timing was good; it was just earlier this week that Frantech said that they were ending OpenVZ hosting in December; fortunately, none of my Frantech plans extended past this year when I canceled them in May.

It is possible to have OpenVZ support CentOS 8, but it requires updating the servers to use a newer version of OpenVZ to pull it off, a step BuyVM was unwilling to take with their low cost $15/year nodes. Indeed, RamNode offers OpenVZ with CentOS 8 support, but they do not have any plans between a $15/year underpowered 128 megabyte plan (128 megabytes is no longer viable, now that CentOS is 64-bit) and a $42/year high end OpenVZ plan. So, I have moved on to shared hosting; I am at a place in my life where it’s a lot more convenient to let someone else keep the operating system up to date and secure, and where creating a new email address (with webmail support) only takes a minute and about half a dozen clicks.

Since my websites have always been static sites, moving to a new site was a simple matter of updating my script to rsync to a different destination.

Edit: Let me make it clear that BuyVM is not deadpool; they are still thriving, and continue to sell KVM virtual machines. But, their lowest cost offering is now $24 instead of $15.
