My expectation for IPv6 World Day

My expectation for IPv6 World Day: gigantic content providers such as Facebook, Google and Yahoo notice that IPv6 brokenness is insignificant (0.0000x %) and decide to make their content accessible by IPv6 once and for all!

Am I dreaming? Of course not!


SHA-1 hash phased out

I remember that last December, when I submitted the DS of my domain name i3way.net, it was in SHA-1 (160-bit) format and my registrar GoDaddy did not reject the submission.  In April 2011, I tried to submit the SHA-1 DS of another domain, warrenkwok.com, but this time GoDaddy did not accept it.  As an alternative, I submitted the SHA-2 (256-bit) DS and it was accepted.

I should have been aware that SHA-1 was phased out on 1 Jan 2011 as mandated by the US Government.  In fact, it should also be noted that SHA-1 is no longer cryptographically strong enough for today's online applications.  Verisign is the operator of the .com and .net TLD nameservers and it is a US company, so it is logical for Verisign to mandate that all DS records for .com and .net domains be in SHA-2 format.


Complicated password

This is the most complicated password I have ever set:


It is 12 characters in length, combining lower-case and capital letters, numbers and symbols.  I don't want to guess the chance of successful cracking by brute force attacks as this is meaningless.  Do you think I can remember it without writing it on a piece of paper or storing it in a phone's memory?
Shit, I make my life so complicated and confusing.


IPv6 brokenness

Just completed the test on IPv6 brokenness through "test-ipv6.com".  Results show that there is no brokenness from my home PC for access to the Internet.  With my IPv6 properly in place, on IPv6 World Day (8 June 2011), I will reach Google, Yahoo and Facebook by IPv6.  Enjoy the great day and the great play.


Verizon LTE running IPv6

I just learnt that Verizon LTE, the fastest 4G mobile network, which was launched in mid March 2011, can fully support IPv6.  One NATed IPv4 address and one public IPv6 address are assigned to each mobile terminal.  I have a screen dump of an HTC ThunderBolt handset running IPv6.

So finally, we see large scale IPv6 deployment in a commercial mobile network.


NSEC again

These few days, I have tried to recapitulate my understanding of NSEC in DNSSEC because I know very clearly that I am weak on the NSEC concept.  The basic question is: why should NSEC be implemented?  NSEC at least doubles the file size of an entire zone, which eats up a lot of memory in the authoritative name server.  Reading documentation is really boring, so I have to think practically from a hacker's angle.

By means of cache poisoning, a hacker can redirect a bank website to a different IP address.  Suppose the hacker finds it too difficult to make the fake bank site closely resemble the original, and the lack of a digital certificate looks suspicious, so the fake bank site would be easily recognized by victims.  In that case, the hacker can instead inject a fake answer into a resolver saying that www.hsbc.com.hk does not exist.  This is a direct denial of service against the bank.  NSEC plays an important part in avoiding such a scenario.  If a host name really does not exist, the resolver gets the signed NSEC records whose owner names, in canonical order, sit on either side of www.hsbc.com.hk.  In this instance, the NSEC chain shows that www.hsbc.com.hk does exist, so the fake "does not exist" answer cannot be validated and should not be returned to clients from the cache.  The resolver should then proceed to get the proper answer.
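The ordering check a validating resolver performs on an NSEC chain, as an added example (not code from the original post): names are sorted in RFC 4034 canonical order, each NSEC points at the next owner name, and a "does not exist" answer is only accepted when some NSEC record's gap covers the queried name. The zone names are constructed for illustration; the block skips RRSIG verification and wildcard handling, which a real validator also needs.

```python
# Constructed zone for illustration only; these names are made up, not the bank's zone.
APEX = "example.com.hk."
ZONE_NAMES = [APEX, "mail.example.com.hk.", "www.example.com.hk.", "ftp.example.com.hk."]


def canonical_key(name):
    """Sort key for RFC 4034 section 6.1 canonical ordering: labels are compared
    right to left as lower-case octet strings, and a parent sorts before its children."""
    labels = [l.lower().encode("ascii") for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))


def build_nsec_chain(names):
    """Return {owner: next_owner} for a signed zone; the last NSEC wraps to the apex."""
    ordered = sorted(set(names), key=canonical_key)
    return {owner: ordered[(i + 1) % len(ordered)] for i, owner in enumerate(ordered)}


def nsec_covers(owner, next_name, qname):
    """True if the NSEC record owner -> next_name proves that qname does not exist."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if q == o or q == n:
        return False            # qname is itself an NSEC owner, so it exists
    if o < n:
        return o < q < n        # ordinary gap inside the chain
    return q > o or q < n       # last record of the chain, wrapping round to the apex


def denial_is_valid(chain, qname):
    """Would a validator accept 'qname does not exist' given this NSEC chain?
    A forged NXDOMAIN for a name that exists finds no covering NSEC and is rejected."""
    return any(nsec_covers(o, n, qname) for o, n in chain.items())


if __name__ == "__main__":
    chain = build_nsec_chain(ZONE_NAMES)
    for name in ("www.example.com.hk.", "nosuchhost.example.com.hk."):
        print(name, "nonexistence provable:", denial_is_valid(chain, name))
```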


A letter from Dad and Mom

This letter makes every reader cry.

My Child,

When I get old, I hope you have patience with me. In case I break a plate or spill soup on the table because I am losing eyesight, I hope you don’t yell at me. Older people are sensitive, always having self pity when you yell.

When my hearing gets worse and I can't hear what you are saying, I hope you don’t call me “Deaf”. Please repeat what you said or write it down.

I am sorry, my Child. I am getting older.

When my knees get weaker, I hope you have the patience to help me get up. Like how I used to help you when you were little, learning how to walk. Please bear with me.

When I keep repeating myself like a broken record, I hope you just keep listening to me. Please don’t make fun of me or get sick of listening to me.

Do you know when you were little and wanted to get a balloon? You repeated yourself over and over again until you got what you wanted.

Please also pardon my smell. I smell like an old person.

Please don’t force me to shower. My body is weak. Old people get sick easily when they are cold. I hope I don’t gross you out.

Do you remember when you were little? I used to chase you around because you didn’t want to shower.

I hope you can be patient with me when I am always cranky. It’s all part of getting older.  You’ll understand when you are older.

And if you have spare time, I hope we can talk. Even for a few minutes. I am always by myself all the time and have no one to talk to.

I know you are busy with your work. Even if you are not interested in my stories, please have time for me.

Do you remember when you were little? I used to listen to your stories about teddy bears.

When the time comes and I get ill and bedridden, I hope you have the patience to take care of me.

I am sorry if I accidentally wet the bed or make a mess.  I hope you have the patience to take care of me during the last few moments of my life.

I am not going to last much longer, anyway. When the time of my death comes, I hope you hold my hand and give me the strength to face death.

And don’t worry. When I finally meet our Creator, I will whisper in his ear to bless you. Because you love your Mom and Dad.  Thank you so much for your care.  We love you.

With much love,

Mom and Dad



longest domain name contest

I have joined the longest Hong Kong domain name contest and have submitted a 63-character domain name. My proposed 63-character domain name is:


which reads:

The Internet is for all peoples so censorship by Government is prohibited.


Public SSL VPN

Hong Kong ISPs can gain revenue from the China Great Firewall (GFW). Udomain now offers a public SSL VPN service aiming at escaping the GFW.  The service charge is HK$70 per month per PC.

It is useful to people who work in China or travel to China. 


Android WM FTP client

I have tried the WM FTP client on my Android 2.1 tablet.  The functions are pretty easy to use, including uploading or downloading files, creating directories and deleting files.

Hey, wait a minute.  The program should have split screens to let users see the files in the local side and the server side.  I have to find out the setting and enable it.


APNIC activated final /8 policy

This may be good news or bad news.

APNIC has activated the final /8 policy, which states that all members, regardless of whether they are new operators or not, have one and only one chance to get a /22 block (1024 IPv4 addresses). These IPv4 addresses are of no use for absorbing new customers; rather, they enable new IPv6 service providers to implement transitional arrangements and systems to bridge to the IPv4 Internet world. This implies that from now on, new service providers in the Asia Pacific region will only be IPv6 network operators.

For God’s sake, I appeal to all well-established service providers not to apply for IPv4 addresses in the last /8 block, leaving these resources to new IPv6 service providers. After all, the well-established service providers have more than enough IPv4 addresses to use.

In the next APNIC Meeting, APNIC members will consider whether to reduce the /22 allocation to /24. I think 256 IPv4 addresses are good enough for a new IPv6 service provider to build some IPv4 systems plus transitional systems with redundancy.


Hurricane Electric is dating Android

Look at this picture.  Hurricane Electric is dating Android now.

Be careful, there is a generation gap. Hurricane Electric is 17 years old but Android is just 3.

While dating is good for them, it is difficult for them to consider getting married. Android comes from the rich Google family. Google has the superpower to control the fate of Android. Without Google’s blessing, everything is in vain.


on-9 domains

I have bad news for all on-9 guys. The domains "on-9.net" and "on-9.com" have already been registered. The best you can have is "on-9.com.hk" or "on-9.asia".

From what I observe, some people think that on-9 sounds like on-nine, which is similar to on-line. Oh, that is a valuable name for all kinds of e-commerce services. They do not consider on-9 as slang describing extremely stupid and ignorant behaviour.


IPv6 Sage T-Shirt

This is the back side of my IPv6 Sage T-Shirt.  It is nicely designed with a lot of technical information on the back.  Thanks to Hurricane Electric for offering me this interesting T-Shirt.


Verisign has enabled DNSSEC in the ".com" Top Level Domain

The world's largest top level domain, “.com”, has been fired up with DNSSEC since the end of March 2011. This is a huge task considering that there are over 80 million registered ".com" domains and hundreds of anycast server instances throughout the world, including one in Hong Kong. I applaud Verisign for keeping its promise.
After performing some tests, I realized that .com only accepts SHA-2 (256-bit) Delegation Signer (DS) records. This is quite acceptable to me as I know SHA-1 (160 bits) has now reached the end of its service lifetime. I hope more IT people with DNSSEC experience can help to verify my findings. Perhaps I should also point out that submitting a SHA-1 digest DS to .com might cause some trouble.

As a keen supporter of Internet security, I congratulate Verisign for completing a great mission.
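As an added worked example (not code from the original posts, nor from Verisign or GoDaddy), this computes a DS record from a DNSKEY the way RFC 4034 defines it, for both digest type 1 (SHA-1, 160 bits) and digest type 2 (SHA-256), so the two DS forms discussed here and in the earlier SHA-1 post can be compared side by side. The DNSKEY below is a constructed placeholder, not a real key for i3way.net.

```python
import base64
import hashlib
import struct

# Constructed sample DNSKEY for illustration only: flags 257 (KSK), protocol 3,
# algorithm 8 (RSA/SHA-256); the key bytes are made up, not a real public key.
SAMPLE_OWNER = "i3way.net."
SAMPLE_DNSKEY = (257, 3, 8, base64.b64encode(bytes(range(64))).decode())

# RFC 4034 DS digest types: 1 = SHA-1 (no longer accepted by .com), 2 = SHA-256.
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name):
    """Canonical (lower-case) wire form of a domain name: length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA as sent on the wire (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: a 16-bit one's-complement-style sum of the RDATA.
    It only helps pick the right key; it is not a security check."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, dnskey, digest_type):
    """Return (key_tag, algorithm, digest_type, hex_digest) for a DS record.

    digest = hash(owner name in canonical wire form || DNSKEY RDATA)
    """
    flags, protocol, algorithm, pubkey_b64 = dnskey
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_ALGOS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), algorithm, digest_type, digest.upper()


if __name__ == "__main__":
    for dt in (1, 2):
        tag, alg, dtype, digest = make_ds(SAMPLE_OWNER, SAMPLE_DNSKEY, dt)
        print(f"{SAMPLE_OWNER} IN DS {tag} {alg} {dtype} {digest}")
```

The type 2 line is the form a .com registrar now expects; the type 1 line is what the earlier SHA-1 submission looked like.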


Postfix 50MB limit in inbox

I just discovered that by default, Postfix imposes a limit of 50 MB on the user inbox.  In addition, the max size of an incoming mail cannot exceed 10 MB.  These are of course not adequate for modern-day email communication needs.  See my checks using "postconf -d | grep size_limit" to find the default settings:

[warren@dnssec ~]# postconf -d  | grep size_limit
body_checks_size_limit = 51200
bounce_size_limit = 50000
header_size_limit = 102400
mailbox_size_limit = 51200000
message_size_limit = 10240000

What I tried to do is add the following two lines in /etc/postfix/main.cf:

mailbox_size_limit = 300000000
message_size_limit = 102400000

Mailbox size is extended to 300M and incoming email as large as 100M can be received.  Further checking by "postconf -n | grep size_limit" shows the new settings are properly in place:

[warren@dnssec ~]# postconf -n  | grep size_limit
mailbox_size_limit = 300000000
message_size_limit = 102400000

Glad to see that everything works as expected. I think these settings might need to be tweaked again after 1 - 2 years. Oh well, in this course of troubleshooting, I have learnt something new. "postconf -d" is to show the default whereas "postconf -n" is to show the current settings.  Seems pretty useful.


what these words really mean in yearly appraisal report

If your supervisor writes in your appraisal report that you have good communication skills and leadership quality, don't be so happy because he is a liar.  Just take a look at what these words really mean in a yearly appraisal report:

1. Outgoing personality - always going out of the office
2. Great presentation skills - able to bullshit
3. Good communication skills - spends a lot of time on the phone
4. Work is first priority - too ashamed to get a date
5. Active socially - drinks a lot
6. Independent worker - nobody knows what he/she does
7. Quick thinking - offers plausible excuses
8. Careful thinking - never makes a decision
9. Logical thinking on difficult jobs - gets someone else to do it
10. Expresses themselves well - always speaks shamelessly to avoid accepting responsibility
11. Meticulous attention to detail - a nit-picker
12. Has leadership quality - is tall or has a loud voice
13. Exceptionally good judgement - just a bit of luck with him
14. Keen sense of humour - knows a lot of dirty jokes
15. Career-minded - in serious debt and needs money to repay
16. Loyal - can't get a better job elsewhere
17. Plans for promotion/advancement - always offers drinks to the boss
18. Of great value to the company - just gets to work on time
19. Relaxed attitude - sleeps at desk
20. Exercises sound judgement - the situation is not too difficult to handle


IPv6 rDNS tool

In my previous blog post, I mentioned the IPv6 reverse DNS builder at fpsn.net.  The site has been dead for some time.

A visitor whose name is Matthew Roy read my blog and was so kind as to inform me about a similar web-based facility at http://rdns6.com.  Actually, reverse DNS for IPv6 is not difficult, but because the input requires exactly 32 hexadecimal digits, it is quite easy to make mistakes by adding extra hexadecimal digits or missing some out.  I tend to think that we should not spend too much time remembering things which are difficult to memorize.  The web-based IPv6 rDNS tool helps me a lot.  My thanks to Matthew Roy again.
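The nibble expansion those web tools do, as an added example (not code from the original post or from rdns6.com): it builds the ip6.arpa name for an address and the zone name for a nibble-aligned prefix, and checks a hand-typed name for exactly the mistake described above, a missing or extra hexadecimal digit. Addresses use the 2001:db8::/32 documentation prefix and are constructed for illustration.

```python
import ipaddress

IP6_ARPA = "ip6.arpa."


def ip6_rdns_name(address):
    """PTR owner name for one IPv6 address: all 32 nibbles, reversed, under ip6.arpa."""
    addr = ipaddress.IPv6Address(address)       # rejects malformed input
    nibbles = addr.exploded.replace(":", "")    # always exactly 32 hex digits
    return ".".join(reversed(nibbles)) + "." + IP6_ARPA


def ip6_rdns_zone(prefix):
    """Zone name holding the PTR records for a nibble-aligned prefix (e.g. a /48 or /64)."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("reverse zones are delegated on nibble boundaries (multiples of 4)")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + "." + IP6_ARPA


def ptr_record(address, hostname):
    """One PTR line ready to paste into the reverse zone file."""
    return f"{ip6_rdns_name(address)} IN PTR {hostname}"


def check_rdns_name(name):
    """Validate a hand-typed ip6.arpa name (exactly 32 single-hex-digit labels) and
    return the address it maps to; raises ValueError describing the mistake."""
    name = name.lower().rstrip(".") + "."
    if not name.endswith("." + IP6_ARPA):
        raise ValueError("name must end in ip6.arpa.")
    labels = name[: -len(IP6_ARPA) - 1].split(".")
    if len(labels) != 32:
        raise ValueError(f"expected 32 nibble labels, got {len(labels)}")
    bad = [l for l in labels if len(l) != 1 or l not in "0123456789abcdef"]
    if bad:
        raise ValueError(f"bad labels: {bad}")
    return str(ipaddress.IPv6Address(int("".join(reversed(labels)), 16)))


if __name__ == "__main__":
    print(ip6_rdns_zone("2001:db8:1234::/48"))
    print(ptr_record("2001:db8:1234::1", "host.example.net."))
```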