wildcard domains

I have tried configuring wildcard domains for Bind and Apache to work together. In Bind, the syntax of a zone file (example.com) is simple:

*.example.com. 1H IN A

As for Apache, the directive for supporting name-based virtual hosting must be enabled:


Next comes the ServerAlias to align with the virtualhost:

# comment: this one accepts any subdomain
# *:80 is an assumed listen address
<VirtualHost *:80>
    DocumentRoot /var/www/html/subdomain
    ServerName www.example.com
    ServerAlias *.example.com
</VirtualHost>

The above configuration is easily understood. Any URL ending with example.com will access www.example.com. The position of the wildcard entry needs care. The wildcard entry must be the last one and must come after every valid subdomain name, because Apache reads the configuration lines and files in order and uses the first entry that matches.
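The ordering rule above, as an added example that is not part of the original post: a simplified Python model of first-match selection, plus a check that flags virtual hosts an earlier wildcard would capture. The vhost tuples and function names are constructed for illustration and only approximate Apache's matching.

```python
from fnmatch import fnmatchcase

# Constructed vhost lists in configuration order:
# (label, ServerName, [ServerAlias patterns])
WILDCARD_FIRST = [
    ("catch-all", "www.example.com", ["*.example.com"]),
    ("mail", "mail.example.com", []),
]
WILDCARD_LAST = list(reversed(WILDCARD_FIRST))


def matches(host, vhost):
    """True if host equals ServerName or matches one ServerAlias pattern."""
    _, server_name, aliases = vhost
    host = host.lower().rstrip(".")
    return host == server_name.lower() or any(
        fnmatchcase(host, alias.lower()) for alias in aliases
    )


def select_vhost(host, vhosts):
    """First match in configuration order wins; the first vhost is the default."""
    for vhost in vhosts:
        if matches(host, vhost):
            return vhost[0]
    return vhosts[0][0]


def shadowed(vhosts):
    """Labels of vhosts whose own ServerName is captured by an earlier entry."""
    hidden = []
    for index, vhost in enumerate(vhosts):
        if any(matches(vhost[1], earlier) for earlier in vhosts[:index]):
            hidden.append(vhost[0])
    return hidden


if __name__ == "__main__":
    for name, config in (("wildcard first", WILDCARD_FIRST),
                         ("wildcard last", WILDCARD_LAST)):
        print(name, "-> mail.example.com served by",
              select_vhost("mail.example.com", config),
              "| shadowed:", shadowed(config))
```

A non-empty result from `shadowed()` means a dedicated site is being answered by the catch-all document root instead of its own.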

I cannot think of any practical applications of wildcard domains. Some might argue that if the subdomain part is mistyped, users can still reach the correct website.

One question I have in mind: can IIS support wildcard domains?


IPv6 and IPv4 gateway services

SixXS is providing IPv6 and IPv4 gateway services through the use of domain names. Suppose an IPv6-only host wants to access the IPv4-based www.cnn.com; the URL is www.cnn.com.sixxs.org. Conversely, for an IPv4 host to access IPv6 servers such as ipv6.google.com, the URL will be ipv6.google.com.ipv4.sixxs.org.

Great work. This is another way for people to access IPv6 web sites without using tunneling.


US Cybersecurity Chief

Mr Howard Schmidt, our ISC2 Director, has been appointed by President Obama as the US Cybersecurity Chief. This is a great honor to all ISC2 members.

Perhaps PISA should announce this good news at the Annual Dinner next month.



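Friends in mainland China need to stay fully alert when discussing IT topics online. Take, for example, the sentence "一台獨立的主機,可架設多個虛擬網站" ("one standalone host can serve multiple virtual websites"). The two adjacent characters "台獨" (which read as "Taiwan independence") cause the GFW to trace the location of the sender, and the public security bureau will then ask you to assist with an investigation. I do not know whether this is laughable or absurd!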


.google top level domain

Google has conquered the cyber world, so why not have its own top-level domain? I bet the TLD ".google" will appear very soon. What are the results then? Google search at search.google, Gmail at mail.google, Google Map at map.google, Blogger at blog.google, etc.

Wooo.. Google will become bigger, stronger and more powerful than any company in the world.


6to4 Reverse DNS Delegation

A visitor to my blog informed me that the Number Resource Organization (NRO) is the authority for 6to4 reverse DNS delegation. The delegation is done at https://6to4.nro.net/. I am really surprised as I have always wanted to set reverse lookup of my 6to4 address in order to set up SMTP service.

Since I am using the IP address, upon converting to 6to4 address, I own the IPv6 address prefix of 2002:ca51:fc74::/48. The requirements to meet 6to4 RDNS delegation are very strict:

1. The requester must use a 6to4 IPv6 address to visit the web site.

2. Only RDNS delegation of a /48 prefix related to the visiting IPv6 address is allowed.

3. The website knows which /48 prefix is to be delegated by checking on the visiting 6to4 address. There is no need for the requester to make any input.

4. The nameservers must have the proper configuration in place to handle the reverse lookup of the /48 prefix before requesting the delegation. Once the submit button is clicked, reverse lookup will be checked and if there is anything wrong, the delegation will not be successful.

I fully support these rules as they are designed to verify who owns a 6to4 address range.

Hopefully, I passed all the checks. I am now able to do "dig -x 2002:ca51:fc74::1", which points to "ipv6.warrenkwok.com".

I would like to give a big thank-you to the Number Resource Organisation.


IPv6 Reverse DNS Configuration

On IPv6, I do have some good news this week.

By now I am able to do configurations for IPv6 reverse DNS delegation on /48, /56 and /64 subnets. For a couple of months, the syntax of the Bind config files and the zone files for IPv6 reverse lookup scared me to death. However, after playing around and looking at the settings of existing working IPv6 systems through "dig -x", I was able to figure out how these things worked together.

It has been a great learning exercise. I will create sample templates for /48, /56 and /64 subnets for my future reference.
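The naming behind the 6to4 delegation rules and the /48, /56 and /64 reverse zones from the two posts above, as an added Python example (not the author's templates or NRO's code). The function names and the sample subnets in the usage are constructed; the /48 prefix and hostname are the ones quoted in the 6to4 post.

```python
import ipaddress


def sixto4_prefix(ipv4):
    """6to4 /48 for an IPv4 address: 2002:<32 IPv4 bits>::/48."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    base = ipaddress.IPv6Address((0x2002 << 112) | (v4 << 80))
    return ipaddress.IPv6Network(f"{base}/48")


def delegable_prefix(visitor):
    """The only /48 a visitor may request: the one containing its own 6to4 address."""
    addr = ipaddress.IPv6Address(visitor)
    if addr.sixtofour is None:
        raise ValueError("visitor is not using a 6to4 address")
    return ipaddress.IPv6Network(f"{addr}/48", strict=False)


def reverse_zone(prefix):
    """ip6.arpa zone name for a prefix ending on a 4-bit (nibble) boundary."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ptr_record(address, prefix, hostname):
    """PTR line for address, with the owner name relative to the zone for prefix."""
    addr = ipaddress.IPv6Address(address)
    net = ipaddress.IPv6Network(prefix)
    if addr not in net:
        raise ValueError("address is outside the delegated prefix")
    full = addr.reverse_pointer  # 32 reversed nibbles followed by .ip6.arpa
    owner = full[: -len(reverse_zone(net)) - 1]
    return f"{owner} IN PTR {hostname.rstrip('.')}."


if __name__ == "__main__":
    # /56 and /64 below are constructed subnets of the post's /48.
    for p in ("2002:ca51:fc74::/48", "2002:ca51:fc74:100::/56",
              "2002:ca51:fc74:100::/64"):
        print(p, "->", reverse_zone(p))
    print(ptr_record("2002:ca51:fc74::1", "2002:ca51:fc74::/48",
                     "ipv6.warrenkwok.com"))
```

The zone names printed are the ones a Bind `zone` statement would carry, and the PTR line belongs in that zone's file.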


IPv6 Certification Scorecard

After 100 days of daily ping6, traceroute6, dig and whois, I have made a top score of 1400 for my IPv6 Sage Certification. That said, I do not need to log on to Hurricane Electric's certification web site any more. However, in order to keep abreast of IPv6 development, I still read the discussions in HE's Forum.


4-byte Autonomous System Numbers

Some ISP friends told me that they found AS numbers larger than 65536 in advertised BGP routes, in the range of 13XXXX. This is a good sign since some service providers are using 4-byte AS numbers for their routing. Without resorting to 4-byte AS numbers, newcomers cannot have their routers hooked up to the Internet.

In fact, APNIC is administering the 2.xxxxxx prefix for 4-byte AS numbers. The first 4-byte AS assigned to Hong Kong is 2.155, or written as AS131227 (2 x 65536 + 155). It is good to see that whois search can also support AS numbers larger than 65536.

[root@localhostl]# whois -h whois.apnic.net AS131227
aut-num: AS131227
as-name: ASIADC-HK-AP
descr: Asia Data Center Limited
country: HK
admin-c: ADCL1-AP
tech-c: ADCL1-AP
changed: hm-changed@apnic.net 20090914
source: APNIC