I have gained 146 CPEs in the past three years through attending security conferences, offering training courses and writing security-related articles.  For renewal of my CISSP credential,  I only need 120 CPEs. 10 CPEs can be carried forward to the next 3-year term.  Counting back, I am wasting 16 CPEs.


DNSSEC can support wildcard domain names

I have tested that DNSSEC can support wildcard domain names by looking at the status of the AD (Authenticated Data) flag.  Here is a snapshot.  Look at the AD flag.  My original entry on the name server side is "*.i3way.net  1H IN A".

C:\bind>dig kill123.i3way.net
; <<>> DiG 9.9.1-P2 <<>> kill123.i3way.net
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5
kill123.i3way.net.      3600    IN      A
C:\bind>dig kill234.i3way.net
; <<>> DiG 9.9.1-P2 <<>> kill234.i3way.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12253
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5
kill234.i3way.net.      3600    IN      A


Root server instance and DDoS attacks

Maldives suffers from DDoS attacks from time to time. The attack traffic comes from overseas, so the international links get saturated.  The local backbone within the country should have sufficient capacity to serve local access, but because name resolution has to query root zone name servers located overseas, local people cannot reach local websites.  The solution is of course to deploy an anycast root server instance within the country.   Apart from mitigating the effect of a DDoS attack, the other purpose is that if a submarine cable breaks because of an earthquake, local content at least remains accessible to local people.


A look at DNSSEC amplification attack again

The query "dig +dnssec any isc.org" returns a packet size of 3993 bytes

[ ~]# dig +dnssec any isc.org | grep "MSG SIZE"
;; MSG SIZE  rcvd: 3994

The original query is 50 bytes in size.  If the answer is directed to a victim name server by spoofing the victim's IP address as the source (using the queried server as a reflector), this gives an amplification factor of 80.  In theory, a 100 Mbps link can flood out 8 Gbps of traffic to DoS a name server.  Woo, no way the name server can survive.


DNSSEC-aware resolvers

I noticed that the biggest ISPs in the US (Comcast, AT&T, Sprint, Verizon, etc.) have made their resolvers DNSSEC-aware.  This is in response to an FCC recommendation to protect their customers.  The task is easy: just add the root trust anchor to the resolvers and enable DNSSEC in the configuration file.

In other countries, if ISPs do not want to validate DNSSEC, they should leave this job to corporate users or end users.  In that case, they should not block DNSSEC traffic in their networks, that is, DNS over UDP with packets larger than 512 bytes.  Not just refrain from blocking it: they should configure their firewalls to let large UDP payloads through.  In fact, this requirement is not just for DNSSEC; it also applies to IPv6.   When a resolver asks the root zone for the name servers of .com, 13 name servers, 13 IPv4 addresses and 13 IPv6 addresses are returned, and the UDP response can be larger than 512 bytes.
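To show what the AD flag in the snapshot above, the DO bit behind "dig +dnssec", and the EDNS0 UDP payload size that firewalls must let through actually look like on the wire, here is an added example in Python (mine, not code from the post or from BIND/dig). It builds a query carrying an OPT record and parses a reply; the reply bytes and the 192.0.2.1 address are constructed for the example, not captured from i3way.net.

```python
import struct

def encode_name(name):
    """Wire-format owner name: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qtype=1, udp_size=4096, do=True, qid=0x1234):
    """Query with an EDNS0 OPT record: udp_size tells the server how large a UDP
    reply we accept (beyond the classic 512 bytes); the DO bit asks for RRSIGs (dig +dnssec)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # flags: RD; 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: owner ".", TYPE 41, CLASS = UDP payload size, TTL = ext-rcode|version|DO|Z
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x8000 if do else 0, 0)
    return header + question + opt

def skip_name(msg, off):
    """Advance past a wire-format name, which may end in a compression pointer."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n
        if n == 0:
            return off

def parse_response(msg):
    """Pull out the header bits a DNSSEC check looks at (AD, TC, RCODE) and the
    UDP payload size the responder advertised in its OPT record."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": qid, "ad": bool(flags & 0x0020), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "answers": an, "size": len(msg), "udp_size": None}
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:  # OPT: the CLASS field carries the peer's UDP payload size
            info["udp_size"] = rclass
        off += 10 + rdlen
    return info

# Constructed reply modelled on the kill234.i3way.net snapshot above: flags qr rd ra ad,
# one A record (192.0.2.1 is a documentation address, not the real one), OPT size 4096.
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)
                + encode_name("kill234.i3way.net") + struct.pack("!HH", 1, 1)
                + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1])
                + b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0))
```

A reply with TC set, or one that never arrives while a 512-byte query succeeds, is the symptom of the firewall problem described above.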


Europe ran out of IPv4 addresses

Europe has run out of IPv4 addresses; this was announced by RIPE on 14 September 2012.  That is good news.  Lacking IPv4 addresses, ISPs, mobile operators and large corporations will think seriously about IPv6 deployment in order to sustain their future business plans.  This will drive the growth of IPv6.

In fact, the Asia Pacific region has had no more IPv4 addresses since 15 April 2011.

I am a keen supporter of IPv6.  All my emails to gmail users are sent over IPv6 every day.


Rescuing a mail server

The Hong Kong National Education Centre (HKNEC) has been under DDoS attack by Anonymous since last Saturday and the attack is still going on.  Neither web access nor email service can respond.  From the DNS records, I note that some actions are being taken to rescue the mail service:

hknec.org.              3600    IN      MX      90
hknec.org.              3600    IN      MX      10 mail.hknec.org.

HKNEC wants to use a backup mail server in case the main one cannot respond.  However, an MX record cannot point to an IP address.  " " is wrong, with a full stop after 37.  For a host name, the trailing full stop is required.

Another thing wrong is that the backup mail server (  and the main server ( are on the same network segment, and that network segment is now under heavy DDoS traffic.  An IP address outside the network segment should be used for the mail backup.
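As an added example (mine, not from the post), a small Python lint for the two mistakes described above: an MX exchange written as an IP literal, and a backup exchange on the same network segment as the primary. The zone fragment and the hostname-to-address table are constructed with RFC 5737 documentation addresses, standing in for HKNEC's real records.

```python
import ipaddress

# Constructed zone fragment modelled on the post; addresses are documentation ranges.
ZONE = """\
hknec.org.   3600  IN  MX  10 mail.hknec.org.
hknec.org.   3600  IN  MX  50 mail2.hknec.org.
hknec.org.   3600  IN  MX  90 203.0.113.37.
"""
# Constructed hostname -> address table standing in for an A record lookup.
ADDR = {"mail.hknec.org.": "203.0.113.10", "mail2.hknec.org.": "203.0.113.20"}

def mx_findings(zone, addr_of, prefix=24):
    """Return a list of problems with the MX records in `zone`.
    `addr_of` maps fully qualified exchange names to their IPv4 address;
    `prefix` is the segment size used to judge 'same network'."""
    findings, exchanges = [], []
    for line in zone.splitlines():
        f = line.split()
        if len(f) < 6 or f[2] != "IN" or f[3] != "MX":
            continue
        pref, target = int(f[4]), f[5]
        try:
            # RFC 2181: the exchange is a host name; "203.0.113.37." parses as a
            # bogus four-label domain and never resolves.
            ipaddress.ip_address(target.rstrip("."))
            findings.append(f"MX {pref}: '{target}' is an IP literal; the exchange must be a hostname")
            continue
        except ValueError:
            pass
        if not target.endswith("."):
            findings.append(f"MX {pref}: '{target}' has no trailing dot; the zone origin will be appended")
            continue
        ip = addr_of.get(target)
        if ip is None:
            findings.append(f"MX {pref}: '{target}' does not resolve")
            continue
        exchanges.append((pref, target, ipaddress.ip_network(f"{ip}/{prefix}", strict=False)))
    exchanges.sort()  # lowest preference value is the primary
    for pref, target, net in exchanges[1:]:
        if net == exchanges[0][2]:
            findings.append(f"MX {pref}: '{target}' shares {net} with the primary; useless as a backup under DDoS")
    return findings
```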

Don't laugh...  I have learnt a lot from the rescue operation of HKNEC.



In my past four talks about DNSSEC in Hong Kong, I told audiences about the weakness of NSEC to zone walking and that NSEC3 prevents this by providing hashed names in signed proofs of non-existence. However, I have not touched on NSEC3 Opt-Out, which aims at TLDs. Here it is.

With "NSEC3 Opt-Out", only child zones that are themselves DNSSEC-signed and have submitted a DS to the TLD are signed by the TLD operator. For example, if a TLD operator has 500,000 names in its zone, of which 1% of child zones have already submitted a DS, then under the opt-out scheme the final TLD zone will contain about 5,000 signed DS records (instead of 500,000 signed DS records, of which 495,000 do not require NSEC3 hashed names). Opt-Out reduces the zone file size while still serving DNSSEC optimally at the TLD.

If all child zones in a TLD have submitted a DS, the effect of Opt-Out is nullified.
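As an added example (mine, not from the post), the NSEC3 name hashing from RFC 5155 in Python, together with a check of what a hashed span proves with and without the Opt-Out flag and the record-count arithmetic from the paragraph above. The hash is checked against the RFC 5155 Appendix A vector (zone "example", salt aabbccdd, 12 iterations); the span values used for the Opt-Out check are constructed.

```python
import base64
import hashlib

# RFC 4648 base32 alphabet -> base32hex, the encoding NSEC3 owner names use
B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Canonical (lowercased) wire-format owner name, the input RFC 5155 hashes."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 section 5: H = SHA1(wire_name || salt), then SHA1(H || salt) `iterations` more times."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).decode().translate(B32HEX).lower()

def covers(owner, nxt, target):
    """True when hashed name `target` lies strictly inside the span owner -> nxt.
    The last NSEC3 in the zone points back to the first, so the span may wrap."""
    if owner < nxt:
        return owner < target < nxt
    return target > owner or target < nxt

def delegation_status(owner, nxt, opt_out, delegation_hash):
    """What a span proves about a delegation whose hash falls inside it. With the
    Opt-Out flag set the span only says 'no signed delegation here', so an unsigned
    one may still exist; without Opt-Out it is a signed proof the name does not exist."""
    if not covers(owner, nxt, delegation_hash):
        return "not covered by this span"
    return "may exist as an unsigned (insecure) delegation" if opt_out else "proven not to exist"

def nsec3_records_needed(total_names, signed_fraction, opt_out):
    """Names a TLD must hash and sign: all of them without Opt-Out, only the
    delegations with a DS when Opt-Out is used."""
    return round(total_names * signed_fraction) if opt_out else total_names
```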


Future career plan

My son is applying for the Sir Edward Youde Memorial Scholarship to subsidise his study of Economics at university next year.  In the application form, there is a box called "Future Career Plan" for him to fill in.  He sought my help and I came up with the following:

"I plan to be an economic consultant providing professional advice and consulting services on economic, financial, and business strategies to large corporations and government agencies. Through my knowledge across multiple industries, I will develop state-of-the-art analyses and insights for our clients on complex business issues."

It is hard to predict the future. I just put down something from my basic instinct.


Apology from godaddy

I received an apology from the CEO of godaddy about the service interruption this Monday.  I have been a loyal customer of godaddy.com for over 12 years, and I can recall no service outage in the past 12 years except the one that happened on Monday.   No worry, I will stay with godaddy, the number one registrar in the world.

Dear warren kwok,

We owe you a big apology for the intermittent service outages we experienced on September 10 that may have impacted your website, your email and other Go Daddy services.

We let you down and we know it. We take our responsibilities — and the trust you place in us — very seriously. I cannot express how sorry I am to those of you who were inconvenienced.

The service outage was due to a series of internal network events that corrupted router data tables. Once the issues were identified, we took corrective actions to restore services for our customers and GoDaddy.com. We have implemented a series of immediate measures to fix the problem.

At no time was any sensitive customer information, including credit card data, passwords or names and addresses, compromised.

Throughout our history, we have provided 99.999% uptime in our DNS infrastructure. This is the level of performance we expect from ourselves. Monday, we fell short of these expectations. We have learned from this event and will use it to drive improvement in our services.

As a result of this disruption, you will receive 30% off any new product or renewal.* This offer will be available to you for the next 7 days. Simply place source code Apology4a in your cart or mention the code when you call 480-505-8877.

It's an honor to serve you. As always, please call us 24/7 at 480-505-8877 — anytime, for any reason. 


Scott Wagner


Kaspersky AV sucks

I did not use my notebook for almost a week.  When I opened it last night, Kaspersky AV prompted me to update the AV database.  Oh shit, the accumulated new AV signatures took up a file size of 9534KB and my notebook was downloading at 22KB/sec.  It would take me 433 seconds to complete the process. I have used Trend Micro Titanium and such trouble does not exist there.

We are now living in a cloud-based computing era.  By now, AV protection should all be cloud-based and there is no need for users to regularly download AV signatures.  I have decided to uninstall Kaspersky.


Dying for a Job

Who dares to write such a letter for a job?

Dear Sir,

Application for Employment

I refer to the recent death of the Technical Manager at your Company and hereby apply for the replacement  of the deceased Manager.

Each time I apply for a job, I get a reply that there is no vacancy but in this case I have caught you red-handed and you have no excuse because I even attended the funeral to be sure that he was truly dead and buried before applying.

Attached to this letter is a copy of my CV and his death certificate.

Yours faithfully,

(xxx yyy zzzz)