2010/07/31

Firefox dnssec validator

On my FC13 box running Bind 9.7 for name resolution, the Firefox browser is now having the dnssec-validator as an add-on tool.   Here is the result of accessing a website with dnssec RRSIG in domain part of the browser (note the green key):




However, if the same add-on is added to Firefox in Windows XP environment, the dnssec signatures failed to authenticate:




2010/07/30

Root trust anchor tested successfully

I have a notebook PC installed with Centos 5.5 and the bind version was upgraded to Bind 9.7.0.P1 which support the root KSK (trust anchor) in SHA256 algorithm.  Using the following root trust anchor in name.conf :

 "." 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8g
cCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUe
VPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvP
VjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6D
oBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRL
KBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";

Here is what I got when resolving the www.isoc.org with dnssec-enabled query:


















That is to say, I have successfully deployed the root trust anchor in a resolver.

2010/07/23

root dnskey used SHA-256 algorithm

Just when I thought it was the right time to include root KSK (dnskey) as the trust anchor for a resolver, I then realized that the root KSK was generated with SHA-256 algorithm:

trust-anchor: ". DS 19036 8 2 49AAC11D7B6F6446702E54A1607
371607A1A41855200FD2CE1CDDE32F24E8FB5"

My resolvers running Bind 9.5.2 and Unbound 1.3.4 can not support this algorithm.   Thats say, I am not able to use the root key as the trust anchor.  Time to move to Bind 9.7 and Unbound 1.4.4

.

2010/07/18

HEAD / HTTP/1.0

I have tried some simple tricks to do web server fingerprinting by issuing "HEAD / HTTP/1.0" after telnet to port 80 of the web server IP address:

**** capture *****

# telnet 58.64.165.185 80
Trying 58.64.165.185...
Connected to 58.64.165.185.
Escape character is '^]'.
HEAD / HTTP/1.0
[Note :two CR pressed afterwards]
HTTP/1.1 200 OK
Content-Length: 5482
Content-Type: text/html
Content-Location: http://58.64.165.185/Index.html
Last-Modified: Sat, 16 May 2009 19:00:08 GMT
Accept-Ranges: bytes
ETag: "3888e08758d6c91:17665"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 17 Jul 2010 16:38:23 GMT
Connection: close

Connection closed by foreign host.

**** End of capture *****

I remember two other methods to do the same; one is httprint and the other is nmap.

2010/07/16

Root zone is serving DNSSEC now

After many years of planning and trial, the root zone is now signed with DNSSEC keys. See the screen dump below.

From my observations, the root zone will be signed twice a month by the Zone Signing Key, double the pace of an ordinary fully qualified domain name which is to be signed on a monthly basis. Also, according to ICANN, the Key Signing Key shall be used for 5 years. This introduces only a slight additional burden to include the default secure entry point to a resolver every 5 years.

My wholehearted thanks go to ICANN and all root zone operators for taking major steps to secure the public Internet.
 

2010/07/14

No more IE

I have convinced all my family members to stop using buggy unsecure Microsoft IE. We have Safari, Chrome and Firefox all providing browser capability. Goodbye to your rubbish bundle, Mr Bill Gates and Steve Ballmer !

 

 

2010/07/12

ICANN finally approved .xxx top level domain

In April 2006, I wrote on my blog casting doubt on ICANN's non-sensible decision of not allowing .xxx top level domain for porn sites.   ICANN has recently announced the approval.

With an estimated 370 million adult websites on the Internet, porn websites certainly deserve their own top level domain just like .com, .net or .org.   The benefit is that adult sites not suitable for children can be filtered very easily.  I must say the new management of ICANN is very open-minded, effective and efficient.  Just look at the recent progress of introduction of new gTLDs, IDNs, IDN for ccTLDs and DNSSEC signing of the root zone.

2010/07/10

Opera can show thumbnail of webpage in tab bar

Showing thumbnail of a webpage in tab bar is a unique feature of Opera.  In tab browsing, suppose I have opened many tags, I might find it difficult to navigate from one tab to another by just looking at the text on the tab bar.  With thumbnail in opened tabs,  I am sure I can get back to the right page.

In Chrome, there is something even more powerful called tab review.  It is a plug-in which can be installed easily.

Microsoft should learn from Google and Opera.










2010/07/09

A nice 404 error page

This is the most impressive 404 Error Page that I have ever seen:













While you will be amazed by the enlarged 404 wordings, you will be impressed by the rich menu on the right hand side which provide sufficient guidance to visitors.