2010/12/26

Experience of bypassing the China Great Firewall (GFW) to access Facebook and Youtube in China

I went to China yesterday. Unfortunately, I could NOT access Facebook via the hotel broadband line.

What I did was point my browser at a proxy setting of 127.0.0.1, port 7070. From PuTTY (a common SSH client), I forwarded local port 7070 to my proxy server 202.81.252.116:3xx78. Of course, I had to use SSH to log in to the sshd at 202.81.252.116. This way, the browser was accessing the Internet through a secure tunnel, with a proxy server serving the far end of the tunnel. With these settings, I was able to browse any website I wanted.


I just hope more people can master the skills of bypassing the GFW.

2010/12/23

Fully DNSSEC-enabled domain

One of my domains, “i3way.net”, is fully DNSSEC-enabled. Thanks to Verisign for activating DNSSEC on .NET this month, and to my registrar, GoDaddy, which catches up with technological developments quite fast. I guess this is my biggest gift this Christmas.

I have no difficulty with key-rollover.

2010/12/22

Adding DS records in godaddy.com

I have the domain name i3way.net registered with godaddy.com. Now that the .net TLD is running with DNSSEC, it is possible for me to pass my DNSSEC DS records (hash of the KSK public key) from the GoDaddy registrar to the .net registry. I am happy to see that the interface is clear and simple enough for me to understand.

My KSK, ZSK and DS are not yet ready. I think I can pass the DS record to GoDaddy on Thursday evening.

2010/12/19

No such facility as do-not-call register for email in Hong Kong or in any other part of the world

Last Saturday, while talking to the media appealing for the establishment of a do-not-call register for person-to-person telemarketing calls, the Privacy Commissioner made the mistake of saying that OFTA has already set up a do-not-call register for email. Here are the URLs of the local newspapers:


http://orientaldaily.on.cc/cnt/news/20101219/00176_015.html

http://news.mingpao.com/20101219/ggf1.htm

Actually, there is no such system as a do-not-call register for email in Hong Kong or in any other part of the world. I can give three reasons:

1. The majority (over 90%) of spam emails are sent out by zombie computers, not by humans from email accounts. Will zombie computers look at the register and do some screening before sending out?


2. Even if spam emails are sent out from human email accounts, it is not possible to punish the senders, as they are not in the same country as the recipients. Email has no national boundary.

3. Spammers can download the register and send more spam to the email addresses contained in it. After all, these are live, valid email accounts.


I hope that nobody will make the same mistake again in future.

2010/12/12

Enhanced WiFi test facility

I have a Windows script to test the download speed of a WiFi network based on FTP. However, I have discovered that some WiFi networks only allow HTTP, HTTPS and DNS traffic to pass through. To cater for such situations, I have changed my test program to use HTTP:

@echo off
rem Loop forever; press CTRL-C to stop.
:loop
echo Hi! This is a http loop for WiFi download speedtest!
rem Fetch over plain HTTP so the test also works where only http/https/dns pass.
wget http://www.i3way.net/fire/science-fire.wmv
rem Remove the downloaded copy (and any .wmv.1, .wmv.2 ... wget creates) before the next round.
del /Q *.wmv*
goto loop

Please feel free to copy and use it. Of course, any file at a URL can be used to verify the download speed.

2010/12/08

Fuck her gently

"Fuck Her Gently" is the most interesting song I have ever come across. It is by Tenacious D. If you know Jack Black of School of Rock, you might know Tenacious D.

The lyrics are extremely lovable.

This is a song for the ladies
But fellas listen closely
You don't always have to fuck her hard
In fact sometimes that's not right, to do
Sometimes you've got to make some love
And fuckin' give her some smoochies too
Sometimes you got to squeeze
Sometimes you got to say "Please..."
Sometimes you got to say "Hey..." 

I'm gonna fuck you, softly
I'm gonna screw you gently
I'm gonna hump you, sweetly
I'm gonna ball you discreetly

And then you say "Hey I brought you flowers"
And then you say "Wait a minute, Sally"
"I think I got somethin' in my teeth, could you get it out for me?"
That's fuckin' team work!

What's your favorite posish
That's cool with me
It's not my favorite but I'll do it for you
What's your favorite dish?
I'm not gonna cook it
But I'll order it from Zanzibar

And then I'm gonna love you completely 
And then I fuckin fuck you discreetly
And then I fuckin bone you completely
But then I'm gonna fuck you haaaaaaaaaaaaaaaaaaard!
Haaaaaaaaaaaaaaaaaaaaard!

2010/11/15

OFTA Speed Test Engine

These are the test results of my 6M ADSL line when performing a speed test through the OFTA Speed Test Engine:

It should be noted that IP addresses outside the HK range cannot access the website.

2010/11/09

Dreamweaver and IE

I read a book about using Dreamweaver CS5 and CSS to create websites. The book says all web content should be tested under the Firefox browser, not IE. The reason is that Microsoft IE does not follow W3C standards.

That's true. It is a shame on Microsoft.

2010/11/01

SOA of .hk nameserver

Strange! The serial of the SOA of the .hk nameservers is 2071434190, which, read as Unix time, converts to 22 August 2035:


[warren@dnssec ~]# nslookup
> set type=soa
> hk.
Server:         202.81.252.116
Address:        202.81.252.116#53

Non-authoritative answer:
hk
        origin = NS1.HKIRC.NET.hk
        mail addr = HOSTMASTER.HKIRC.NET.hk
        serial = 2071434190
        refresh = 5400
        retry = 1800
        expire = 3600000
        minimum = 600


Is there a hidden fault?
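
One thing worth checking when a serial looks like this is what it implies for zone transfers, so here is an added Python example (mine, not part of the original entry). Secondaries decide whether a zone is newer using RFC 1982 serial-number arithmetic, where a value only counts as greater if it is ahead by less than 2^31. A serial in the epoch range such as 2071434190 is therefore "newer" than any date-style YYYYMMDDnn serial of the 2010s (2010110101 on the day of this entry), and switching conventions without going through the RFC 1982 hops would leave every secondary refusing the "older" zone. The code classifies a serial, performs the comparison, and computes the hop sequence (add 2^31 - 1, let every secondary transfer, repeat) needed to reach a smaller target. The values are the ones quoted above; the classification heuristic is an assumption of this example, not anything HKIRC publishes.

```python
from datetime import datetime, timezone

MOD = 1 << 32          # SOA serials are unsigned 32-bit
HALF = 1 << 31         # RFC 1982: anything further ahead than this is "behind"

def serial_gt(a, b):
    """RFC 1982 'greater than': a > b when (a - b) mod 2^32 lies in (0, 2^31)."""
    a, b = a % MOD, b % MOD
    return a != b and (a - b) % MOD < HALF

def serial_add(a, n):
    """RFC 1982 addition; increments of 2^31 or more are undefined, so refuse them."""
    if not 0 <= n < HALF:
        raise ValueError("increment must be in [0, 2^31)")
    return (a + n) % MOD

def classify_serial(serial):
    """Heuristic guess at the scheme in use (assumption of this example):
    YYYYMMDDnn if the first eight digits parse as a date, epoch-like if it
    lands between 2000 and 2040 as Unix seconds, otherwise a plain counter."""
    digits = str(serial)
    if len(digits) == 10:
        try:
            datetime.strptime(digits[:8], "%Y%m%d")
            return "date-based (YYYYMMDDnn)"
        except ValueError:
            pass
    as_time = datetime.fromtimestamp(serial, timezone.utc)
    if 2000 <= as_time.year <= 2040:
        return f"epoch-like ({as_time.date().isoformat()} UTC)"
    return "plain counter"

def path_to_serial(current, target):
    """Serials to publish, in order, to move from `current` to a `target` that
    RFC 1982 considers smaller. Each hop adds 2^31 - 1 (the largest legal step)
    and must be transferred by every secondary before the next one is published."""
    hops = []
    while not serial_gt(target, current):
        current = serial_add(current, HALF - 1)
        hops.append(current)
    hops.append(target)
    return hops

if __name__ == "__main__":
    hk_serial, date_serial = 2071434190, 2010110101
    print(classify_serial(hk_serial), classify_serial(date_serial))
    print("date-style serial would be accepted as newer:", serial_gt(date_serial, hk_serial))
    print("hops needed:", path_to_serial(hk_serial, date_serial))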

2010/10/27

Server up for 401 days without reboot

This is good news. My server has been up and running for 401 days without a reboot. On one occasion, httpd suddenly disappeared and I had to start it up again manually.

I hope the situation can continue until 800 days.

2010/10/12

Dedicated Internet Access in Hong Kong in Year 1994

In clearing my drawers today, I found a quotation from Supernet, sent to me in December 1994, about subscribing to its 256 kbps Internet Dedicated Access. The installation charge was HK$55,000, quoted as follows:

HKT DDS leased line installation – HK$4,000
Supernet Dedicated Installation fee – HK$10,000
Router installation – HK$41,000

As for the monthly recurrent cost, it was charged at HK$45,900 a month made up as follows:

HKT DDS leased line rental – HK$5,900
Supernet Dedicated monthly rental – HK$40,000

That was not the end of the story. Supernet imposed a cap on monthly throughput of 8000 MB per month. If the quota was exceeded, the user would be charged HK$8 per MB.

It should be noted that in the early days of the Internet, routers, switches, firewalls and other networking equipment were not highly reliable, and the committed availability of Supernet was just 99%. We all know that the Service Level Agreements used today always require the serving ISP to provide 99.9% or 99.95% availability.

Looking back, I cannot imagine how network administrators could have paid such high costs for Internet provision and yet had services that were not reliable. On top of that, how could they ensure that the maximum throughput was not exceeded? Having said that, network administrators today have easier jobs, as they can ask ISPs to provide the best possible service without worrying about bandwidth usage.

2010/10/11

What the hell is Google on this planet !

What the hell is Google on this planet ! Google is testing intelligent cars that can drive by themselves.

The technologies involved are video cameras, radar sensors and a laser range finder. I believe digital road maps are also required. Ultimately, the number of car accidents can be reduced.

When such cars are available on the market, I won't need to learn to drive and get a driving licence in order to use a car.

Google please keep up with the good work and give us more surprise in whatever new inventions.

2010/10/09

Nobel Peace Prize 2010

Though I could download or copy and paste the statement by the Nobel Committee about the Nobel Peace Prize 2010 awarded to Liu Xiaobo, I prefer to buy a newspaper, type the content word by word myself and post it on my blog. This way, I am paying tribute to the winner. Here comes the statement:

The Nobel Peace Prize 2010

The Norwegian Nobel Committee has decided to award the Nobel Peace Prize for 2010 to Liu Xiaobo for his long and non-violent struggle for fundamental human rights in China.  The Norwegian Nobel Committee has long believed that there is a close connection between human rights and peace.  Such rights are a prerequisite for the “fraternity between nations” of which Alfred Nobel wrote in his will.

Over the past decades, China has achieved economic advances to which history can hardly show any equal.  The country now has the world’s second largest economy; hundreds of millions of people have been lifted out of poverty.  Scope of political participation has also broadened.

China’s new status must entail increased responsibility.  China is in breach of several international agreements to which it is a signatory, as well as of its own provisions concerning political rights.  Article 35 of China’s constitution lays down that “Citizens of the People’s Republic of China enjoy freedom of speech, of press, of assembly, of association, of procession and of demonstration”.  In practice, these freedoms have proved to be distinctly curtailed for China’s citizens.

For over two decades, Liu Xiaobo has been a strong spokesman for application of fundamental human rights in China.  He took part in the Tiananmen protests in 1989; he was a leading author behind Charter 08, the manifesto of such rights in China which was published on the 60th anniversary of the United Nations Universal Declaration of Human Rights, the 10th of December 2008.  The following year, Liu was sentenced to eleven years in prison and two years’ deprivation of political rights for “inciting subversion of state power”. Liu has consistently maintained that the sentence violates both China’s own constitution and fundamental human rights.

The campaign to establish universal human rights also in China is being waged by many Chinese, both in China itself and abroad.  Through the severe punishment meted out to him, Liu has become the foremost symbol of this wide-ranging struggle for human rights in China.

Oslo, October 8, 2010

***** End *****

2010/10/08

In memory of John Lennon

Does anybody still remember that John Lennon was born on 9 October 1940? Google certainly does. Look at the Google logo on the left.

2010/10/01

SOA expiration time and DNSSEC signature period

My DNSSEC-signed zone bya.org.hk has its SOA expire timer set to one week (604800), which is not aligned with the published DNSSEC operational practices in RFC 4641bis. It is advisable to have the SOA expire timer between 1/4 and 1/3 of the signature validity period (30 days = 2592000 seconds). If this is not handled properly, a secondary nameserver could keep serving out-of-date RRSIGs. This can only happen when the primary nameserver is unreachable for AXFR updates.

I have decided to set it to 720000, which is easy to remember.

2010/09/30

The Obama Administration issued another IPv6 directive

The Obama Administration has issued a directive requiring all US government agencies to upgrade their public-facing Web sites and services by 30 September, 2012 to operate on IPv6. Native IPv6 must be used as opposed to transition mechanisms.

Intuitively, I have to ask myself what is the point of issuing such a directive, which is the second one in 5 years? Back in 2005, the Bush Administration established a deadline of June 2008 for all federal agencies to demonstrate IPv6 connectivity over their backbone networks. It seems clear to me that there is no penalty imposed on federal agencies if they do not comply.

Would there be a third directive after the tenure of the Obama Administration? Only God knows!

2010/09/28

HKCERT web outage

In the current issue of the HKCERT newsletter, HKCERT described the web outage incident that happened on 4 August.

The web server and the firewall were working normally. However, the firewall could not connect to the Trust Source to verify incoming IP addresses and, as a result, all visiting IP addresses were treated as untrustworthy. Thus, the firewall denied all access to the web server.

I applaud the guts of HKCERT in releasing this sensitive information and letting all readers learn from the incident. If the same happened in a bank or any other public organisation, I doubt whether such details would be made known to the public.

2010/09/22

DNSSEC Visualization

Some friends asked me the URL of the website to visualize DNSSEC chain of trust in a graphical manner. The URL is at http://dnsviz.net/


I have a picture below of verifying the chain of trust for the domain isoc.org. This tool is invaluable for troubleshooting and understanding DNSSEC chain of trust.

2010/09/21

ftp loop to test network throughput

I have crafted a script in Windows to test network throughput and performance. Basically, it is an FTP loop in conjunction with wget. To quit the loop, just press CTRL-C.

@echo off
rem Loop forever; press CTRL-C to stop.
:loop
echo Hi! This is a ftp loop!
rem The credentials in the URL end up in the command history and process list; use a throwaway account.
wget ftp://username:password@server.net/test.wmv
rem Remove the downloaded copy (and any .wmv.1, .wmv.2 ... wget creates) before the next round.
del /Q *.wmv*
goto loop

2010/09/19

Big John problem

I have not seen such advice in public toilets in Hong Kong but I have to admit that there is the Big John problem everywhere.

It has nothing to do with the size of Big John.  Rather the problem is related to the thrust and firing angle of Big John.

2010/09/15

WiFi on steroids

Just when we think there can hardly be further development in WiFi, along comes "WiFi on Steroids". The use of white space in the TV band can boost coverage and give better building penetration.

By the way, traditional WiFi in the 2.4 GHz band is sick in the sense that it has poor coverage and insufficient building penetration. I therefore like the name "WiFi on steroids".

2010/09/08

IPv6 global routing infrastructure

I just received a newsletter from Hurricane Electric and note that, of the 35684 autonomous networks in the world running BGP, the number of IPv6 networks has increased to 2487. In other words, IPv6 now makes up 7% of the global routing infrastructure.

IPv4 and IPv6 will co-exist for an ultra-long time. It might take 30-40 years for the global routing infrastructure to become 100% IPv6. By that time, I will be sleeping forever.

2010/09/06

Paul Zimmerman wins by a large margin

The voters of Southern District voted splendidly: Paul Zimmerman won by a large margin and the pro-establishment candidate was utterly defeated.

By share of the vote, Paul Zimmerman got 59%, holding on to the pan-democrats' usual 60% level of support.

Pan-democrats, keep up the good work!

2010/09/01

Protecting the root zone

After DNSSEC went live, in order to protect the root zone there are altogether 14 "heads of house" and 7 "guardians", who keep the cryptographic keys in dispersed custody and can activate the backup key at any time. The heads and guardians are all of high standing and formidable skill; what is missing now is a martial-arts alliance leader, who should be Rod Beckstrom. Am I talking about a wuxia novel?

2010/08/31

/64 block in IPv6 router links

I note that some ISPs and organisations are not using /64 blocks on IPv6 router links or IPv6 peerings.

Unlike IPv4, which normally uses a subnet mask of /30 on a router link to conserve the available IPv4 addresses, there is no need to make the subnet mask /126 in IPv6. Just using /64 is good enough, and it is the default for a basic network segment. Put another way, this is not a waste of IPv6 addresses but an industry norm.

2010/08/29

Can IPv6 resolve cache poisoning?

Lately, I have been thinking about whether IPv6 can help to prevent cache poisoning.

A resolver running IPv4 has one source IPv4 address to use, whereas one riding on IPv6 can have up to 2^64 addresses to use within a basic network segment. Each time the IPv6-enabled resolver sends out a query, a random IPv6 address within the assigned prefix should be selected. This way, the difficulty of cache poisoning becomes a factor of the 16-bit transaction ID, the 16-bit random port number plus the 64-bit source IPv6 address. That is to say, the chance of poisoning is 1 in 2^96, which is not a problem at all.

However, the reality is that not all authoritative name servers are IPv6-enabled. If the Internet world had implemented IPv6 much earlier, cache poisoning would have been resolved and DNSSEC would not have been necessary.

2010/08/26

DNSSEC resolvers weakness

I notice there is a weakness in DNSSEC-aware resolvers, which is the root public key. If hackers can disrupt the pre-stored root trust anchor, the resolver cannot resolve any domain because the chain of trust cannot be established. But is that a big deal?

No, not at all. ISPs are required to supply 2 or more resolvers to clients. Even if one resolver breaks down, the other will serve immediately. The chance of hackers damaging two resolvers at the same time is quite limited.

2010/08/23

Pre-published rollover of zone signing keys

I have turned to the use of pre-published rollover of the zone signing key in order to manage DNSSEC in one of the zones I administer. I need to draw a diagram to remind myself of the timing sequence and which keys to sign and publish with. Here it is.

The above process must be done by a cron job and shell script for automation.

2010/08/22

Root and TLDs shall not sign child's NS glue records

I have been wondering whether the root zone and TLDs are required to sign the NS glue records for their child zones, since these TLDs are required to sign the DS records of their child zones. The answer is negative. The current release of the DNSSEC specifications does not require such signing, as TLDs are not authoritative for their child zones' glue records. Whatever is submitted will be accepted and stored without question. To give a live example: if I get abc.com and the glue records say ns1.abc.com is at 1.2.3.4, Verisign, the operator of the .com TLD, will never ask me to prove this information.

Sounds pretty reasonable. Will there be any risk due to the non-signing of NS glue records for child zones? Hackers will know after some time.

2010/08/19

Start time of RRSIGs falls 9 hours behind the system clock after zone signing

I was wondering why the start time of RRSIGs fell 9 hours behind the system clock when zone signing was completed. On careful reading of the dnssec-signzone documentation, it is stated that RRSIGs are given a start time of UTC minus 1 hour in order to allow for clock skew. It also makes sense that RRSIGs are time-stamped in UTC. Since the time zone of Hong Kong is UTC+8, after adding one hour for clock skew, all RRSIGs generated will be 9 hours behind the system clock.

This triggers me to think about another issue. If you have a nameserver that performs DNSSEC zone signing, it is better to set its clock to UTC instead of local time. It will help to track RRSIG start and expiry times more easily.
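
A small Python worked example (added here; it is not from the original entries) that reproduces both timing points on this page: the 2010/10/01 entry's rule that the SOA expire timer should sit between 1/4 and 1/3 of the signature validity period, and this entry's observation about inception stamps. It assumes the dnssec-signzone defaults as documented for BIND, namely inception = signing time minus one hour of clock-skew allowance and expiration = inception plus 30 days, both written in UTC as YYYYMMDDHHMMSS; the Hong Kong signing time and the dates are illustrative values chosen for the example.

```python
from datetime import datetime, timedelta, timezone

RRSIG_FMT = "%Y%m%d%H%M%S"           # RRSIG inception/expiration presentation format, always UTC
HK = timezone(timedelta(hours=8))    # Hong Kong: UTC+8, no daylight saving

def hk_time(*ymdhms):
    """Aware datetime on the Hong Kong wall clock (helper for the examples below)."""
    return datetime(*ymdhms, tzinfo=HK)

def utc_time(*ymdhms):
    return datetime(*ymdhms, tzinfo=timezone.utc)

def signing_window(signed_at, validity=timedelta(days=30), skew=timedelta(hours=1)):
    """Inception/expiration as dnssec-signzone sets them by default (assumption, see lead-in):
    inception = signing time - 1 h, expiration = inception + 30 d, both rendered in UTC."""
    if signed_at.tzinfo is None:
        raise ValueError("pass an aware datetime so the UTC conversion is explicit")
    inception = signed_at.astimezone(timezone.utc) - skew
    expiration = inception + validity
    return inception.strftime(RRSIG_FMT), expiration.strftime(RRSIG_FMT)

def inception_lag_hours(signed_at, inception_str):
    """How far the inception stamp appears to trail the local wall clock when both are read
    naively: the zone offset plus the 1 h skew allowance, i.e. 9 h in Hong Kong."""
    wall_clock = signed_at.replace(tzinfo=None)
    inception = datetime.strptime(inception_str, RRSIG_FMT)
    return (wall_clock - inception).total_seconds() / 3600

def rrsig_valid_at(inception_str, expiration_str, when):
    """RFC 4035 section 5.3.1: valid when inception <= now <= expiration, compared in UTC."""
    inc = datetime.strptime(inception_str, RRSIG_FMT).replace(tzinfo=timezone.utc)
    exp = datetime.strptime(expiration_str, RRSIG_FMT).replace(tzinfo=timezone.utc)
    return inc <= when.astimezone(timezone.utc) <= exp

def soa_expire_ok(expire_seconds, validity_seconds, low=1 / 4, high=1 / 3):
    """The rule of thumb from the 2010/10/01 entry: SOA expire between 1/4 and 1/3 of the
    signature validity period, so a cut-off secondary stops serving before RRSIGs go stale."""
    ratio = expire_seconds / validity_seconds
    return low <= ratio <= high

if __name__ == "__main__":
    signed = hk_time(2010, 8, 19, 12, 0, 0)           # zone signed at noon Hong Kong time
    inc, exp = signing_window(signed)
    print(inc, exp, "lag vs local clock:", inception_lag_hours(signed, inc), "h")
    print("expire 604800 ok:", soa_expire_ok(604800, 30 * 86400),
          "expire 720000 ok:", soa_expire_ok(720000, 30 * 86400))
```

Run as-is it shows why a local clock of 12:00 produces an inception stamp of 03:00, and that the one-week expire value from the earlier entry fails the 1/4 to 1/3 check while 720000 passes it.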

2010/08/16

Rescue boot process of Windows XP again


What bad luck. Within 6 months, I have had 2 machines running Windows XP fail to boot up. Fortunately, after the last failure, I wrote down the rescue method. This time, the failed machine had Windows XP on the F drive, while C, D and E were just non-OS drives. The rescue was to boot the Windows XP CD into repair mode and then invoke “fixboot f:”. It might be good to do “bootcfg /rebuild” if fixboot reports any errors.

2010/08/15

Which TLDs now have Delegation Signer (DS) records signed by the root

A question can be asked: do you know which TLDs are DNSSEC-enabled and have been signed by the root? I have a solution using "ldns-walk . | grep DS". As shown in the screen dump below, they are: .bg, .biz, .br, .cat, .cz, .dk, .edu, .lk, .museum, .na, .org, .tm, .uk and .us. Hey, the US Government mandated the use of DNSSEC for .gov; what happened to .gov?


2010/08/14

Only less than 5 % of global IPv4 addresses remain

Bad news. The remaining unallocated IPv4 addresses are less than 5%. This is an alarm. If your company has not started deploying IPv6, act now.

2010/08/11

PCCW can now offer IPv6 services

PCCW, the biggest ISP in Hong Kong, can now offer IPv6 services by way of a dual-stack approach. If you are a corporate customer of PCCW, ask PCCW for an IPv6 address block and how to seamlessly migrate to IPv6.

Now that the biggest ISP in Hong Kong has embarked on IPv6, other competitors will follow suit.

For my record, IPv6 service providers in HK are NTT Com Asia, CPCNet and PCCW.

2010/08/10

Obtaining DNSSEC Logo

DNSSEC Logo is now issued by http://www.dnssec-logo.org/.

Once a domain is submitted, the zone administrator mentioned in the SOA record will receive an email on how to proceed. There are three levels of certification:

Bronze - Zone is properly maintained, i.e. passes classical zone checks, and is correctly signed.

Silver - The KSK of the zone is correctly referred to by the parent zone (if signed) or registered at one of the common TARs. During the last six months a ZSK rollover following the procedures of RFC 5011 was observed.

Gold - During the last year a KSK rollover following the procedures of RFC 5011, including the parental delegations, was observed. Access is granted to the zone contents for exhaustive RRSIG checks.

I shall apply for DNSSEC logo in order to test my capability of managing DNSSEC.

2010/08/07

DNSSEC Signature Expiry

What will happen if the stub resolver of a browser works on DNSSEC only and the signature of the address record of the domain name has expired? The simple answer is that the browser cannot allow access to the site. My captured picture is attached below (see the red warning key).

2010/08/06

Changing the default resolvers assigned by DHCP

One of my Linux machines gets its IP address from a DHCP server and, as a result, the resolvers are pre-assigned in the file /etc/resolv.conf. I wanted to use my local DNSSEC-aware resolver at 127.0.0.1. My way of doing this is to add the following to /etc/rc.d/rc.local:

cat /dev/null > /etc/resolv.conf
echo "nameserver 127.0.0.1" >> /etc/resolv.conf
service named restart
rndc flush

2010/08/05

CPU Thermal Shutdown due to heat generated from display card

One of my desktop PCs, with an Intel D865PERL motherboard, experienced frequent thermal shutdowns a few minutes after booting up. The CPU heat sink was not hot at all. I guessed the motherboard sensors were detecting excessive heat from devices close to the CPU; without doubt, this would be the display card. What I did was a CMOS reset and then replace the fan of the display card.

Things are normal now.

2010/08/04

Fedora Core 13 on a USB memory stick

I used Live USB Creator to make Fedora Core run from a 2 GB USB stick. The amount of persistent storage was set to 700 MB. Guess what, everything is so smooth. I can boot from the USB stick into a working desktop version of Fedora Core 13. Since there is space for persistent storage, user profiles, file moves and changes can be saved. It is a thrilling experience.

2010/08/03

Root trust anchor and DNSSEC Lookaside Validation Registry working side by side

Previously, I had the idea that the DLV Registry scheme administered by the Internet Systems Consortium (ISC) would cease operation after 15 July 2010, when the root zone was signed. Recently, I came across the config file of a recursive validator running BIND 9.7.1 and found that DLV is supplementing the root trust anchor. This is great, since the DLV Registry has a large number of domains already deploying DNSSEC whose parent zones (such as .com, .net or .hk) have not started DNSSEC operation and cannot provide signing for their child zones.

Without DLV, in the absence of a fully signed path from the root to a zone, users wishing to enable DNSSEC-aware resolvers would have to configure and maintain multiple trusted keys in their configuration. Maintaining multiple trusted keys by hand is an unmanageable task. ISC DLV removes this need by serving as a trusted repository of entry points through which those keys can be securely retrieved by the resolver when it needs them.

Here is the named.conf for BIND 9.7 using the root trust anchor and DLV:

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
// listen-on port 53 { 127.0.0.1; };
 listen-on-v6 port 53 { ::1; };
 directory  "/var/named";
 dump-file  "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
 allow-query     { localhost; 192.168.73.0/24; };
 recursion yes;

 dnssec-enable yes;
 dnssec-validation yes;
 dnssec-lookaside auto;

 /* Path to ISC DLV key */
 bindkeys-file "/etc/named.iscdlv.key";
};
trusted-keys { 
"." 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0="; };
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
 type hint;
 file "named.ca";
};

include "/etc/named.rfc1912.zones";

// End of config

2010/08/02

15 % of all .cz domains are DNSSEC-secured

Congratulations to the Czech Republic (.cz) government. There are about 700K “.cz” registered domains, but as of today over 100K are DNSSEC-secured. This is really a world-leading position in infrastructure and application security.

2010/07/31

Firefox dnssec validator

On my FC13 box running BIND 9.7 for name resolution, the Firefox browser now has the dnssec-validator add-on. Here is the result of accessing a website with DNSSEC RRSIGs, shown in the domain part of the address bar (note the green key):

However, if the same add-on is added to Firefox in a Windows XP environment, the DNSSEC signatures fail to authenticate:

2010/07/30

Root trust anchor tested successfully

I have a notebook PC installed with CentOS 5.5, and BIND was upgraded to 9.7.0-P1, which supports the root KSK (trust anchor) with its RSA/SHA-256 algorithm (algorithm 8). Using the following root trust anchor in named.conf:

 "." 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8g
cCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUe
VPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvP
VjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6D
oBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRL
KBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";

Here is what I got when resolving www.isoc.org with a DNSSEC-enabled query:

That is to say, I have successfully deployed the root trust anchor in a resolver.

2010/07/23

root dnskey used SHA-256 algorithm

Just when I thought it was the right time to include the root KSK (DNSKEY) as the trust anchor for a resolver, I realised that the root KSK was generated with the RSA/SHA-256 algorithm and its DS uses a SHA-256 digest:

trust-anchor: ". DS 19036 8 2 49AAC11D7B6F6446702E54A1607
371607A1A41855200FD2CE1CDDE32F24E8FB5"

My resolvers running BIND 9.5.2 and Unbound 1.3.4 cannot support this algorithm. That is to say, I am not able to use the root key as the trust anchor. Time to move to BIND 9.7 and Unbound 1.4.4.
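
To see where the DS line above comes from, here is an added Python example (mine, not from the original entries and not ICANN's tooling) that computes a DS record from a DNSKEY the way RFC 4034 specifies. It serves both the 2010/12/22 note that a DS is the hash of the KSK public key and this entry: the key tag is the RFC 4034 Appendix B checksum over the DNSKEY RDATA, and the digest (type 2 = SHA-256) is taken over the owner name in canonical wire form followed by that RDATA. The DNSKEY used is the root KSK quoted in the trusted-keys blocks on this page, so the output should match the "19036 8 2 49AAC11D..." DS line quoted above.

```python
import base64
import hashlib

# Root KSK DNSKEY as quoted on this page (flags 257, protocol 3, algorithm 8 = RSA/SHA-256).
ROOT_KSK_B64 = (
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF"
    "FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX"
    "bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD"
    "X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz"
    "W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS"
    "Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq"
    "QxA+Uk1ihz0="
)

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest types 1 (RFC 4034) and 2 (RFC 4509)

def name_to_wire(name):
    """Owner name in canonical wire form (RFC 4034 section 6.2): lower-cased labels, each
    prefixed by its length, terminated by a zero byte. The root "." is the single byte 0x00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, then the raw public key.
    Whitespace inside the presentation-format base64 is ignored, as in a zone file."""
    pubkey = base64.b64decode("".join(pubkey_b64.split()))
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B: 16-bit checksum over the RDATA (every algorithm except RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """DS presentation line: owner, key tag, algorithm, digest type and
    digest = H(canonical owner name || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"

if __name__ == "__main__":
    # Prints the DS line for the root trust anchor; compare it with the one ICANN published.
    print(ds_record(".", 257, 3, 8, ROOT_KSK_B64))
```

The same function produces the DS a registrar such as GoDaddy asks for: call it with the zone name and the KSK's flags, protocol, algorithm and base64 public key from the zone's DNSKEY record, and compare the result with what dnssec-dsfromkey or ldns-key2ds prints before submitting it.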

2010/07/18

HEAD / HTTP/1.0

I have tried a simple trick to do web server fingerprinting by issuing "HEAD / HTTP/1.0" after telnetting to port 80 of the web server's IP address:

**** capture *****

# telnet 58.64.165.185 80
Trying 58.64.165.185...
Connected to 58.64.165.185.
Escape character is '^]'.
HEAD / HTTP/1.0
[Note: Enter pressed twice afterwards]
HTTP/1.1 200 OK
Content-Length: 5482
Content-Type: text/html
Content-Location: http://58.64.165.185/Index.html
Last-Modified: Sat, 16 May 2009 19:00:08 GMT
Accept-Ranges: bytes
ETag: "3888e08758d6c91:17665"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 17 Jul 2010 16:38:23 GMT
Connection: close

Connection closed by foreign host.

**** End of capture *****

I remember two other methods to do the same: one is httprint and the other is nmap.
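
The same fingerprinting step in Python, as an added example (not from the original post): it builds the HEAD request, parses a response head into status and headers, and picks out the headers that identify the stack. The response bytes are reconstructed from the capture above so the parser can be exercised offline; the connection helper is the live equivalent of the telnet session, and the header-stripped response used in the usage note is a constructed example of what a hardened server returns.

```python
import socket

# Reconstructed from the telnet capture above (constructed for offline use).
CAPTURED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Length: 5482\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Location: http://58.64.165.185/Index.html\r\n"
    b"Last-Modified: Sat, 16 May 2009 19:00:08 GMT\r\n"
    b"Accept-Ranges: bytes\r\n"
    b"ETag: \"3888e08758d6c91:17665\"\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"Date: Sat, 17 Jul 2010 16:38:23 GMT\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)

BANNER_HEADERS = ("server", "x-powered-by", "content-location")

def build_head_request():
    """HTTP/1.0 HEAD needs no Host header; the empty line is the second Enter in the capture."""
    return b"HEAD / HTTP/1.0\r\n\r\n"

def parse_response_head(raw):
    """Split the status line from the headers. Header names are case-insensitive,
    so they are stored lower-cased; values keep their original text."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    version, status, *_ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return version, int(status), headers

def fingerprint(raw):
    """Return the banner headers plus status; a header the server withholds reads as 'not disclosed'."""
    _, status, headers = parse_response_head(raw)
    result = {name: headers.get(name, "not disclosed") for name in BANNER_HEADERS}
    result["status"] = status
    return result

def head_over_tcp(host, port=80, timeout=5):
    """Live equivalent of the telnet session (not exercised offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_head_request())
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return fingerprint(buf)

if __name__ == "__main__":
    print(fingerprint(CAPTURED_RESPONSE))
```

On the captured response this reports Server "Microsoft-IIS/6.0" and X-Powered-By "ASP.NET"; feed it a constructed response with those headers removed and the same fields come back as "not disclosed", which is what you want to see from your own servers.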

2010/07/16

Root zone is serving DNSSEC now

After many years of planning and trials, the root zone is now signed with DNSSEC keys. See the screen dump below.

From my observations, the root zone will be signed twice a month with the Zone Signing Key, double the pace of an ordinary zone, which is signed on a monthly basis. Also, according to ICANN, the Key Signing Key shall be used for 5 years. This introduces only the slight additional burden of updating the default secure entry point in a resolver every 5 years.

My wholehearted thanks go to ICANN and all root zone operators for taking major steps to secure the public Internet.

2010/07/14

No more IE

I have convinced all my family members to stop using the buggy, insecure Microsoft IE. We have Safari, Chrome and Firefox, all providing browser capability. Goodbye to your rubbish bundle, Mr Bill Gates and Steve Ballmer!

2010/07/12

ICANN finally approved .xxx top level domain

In April 2006, I wrote on my blog casting doubt on ICANN's nonsensical decision not to allow a .xxx top-level domain for porn sites. ICANN has recently announced the approval.

With an estimated 370 million adult websites on the Internet, porn websites certainly deserve their own top-level domain, just like .com, .net or .org. The benefit is that adult sites not suitable for children can be filtered very easily. I must say the new management of ICANN is very open-minded, effective and efficient. Just look at the recent progress on the introduction of new gTLDs, IDNs, IDN ccTLDs and DNSSEC signing of the root zone.

2010/07/10

Opera can show thumbnail of webpage in tab bar

Showing a thumbnail of a webpage in the tab bar is a unique feature of Opera. In tabbed browsing, suppose I have opened many tabs; I might find it difficult to navigate from one tab to another just by looking at the text on the tab bar. With thumbnails in opened tabs, I am sure I can get back to the right page.

In Chrome, there is something even more powerful called tab review. It is a plug-in which can be installed easily.

Microsoft should learn from Google and Opera.

2010/07/09

A nice 404 error page

This is the most impressive 404 Error Page that I have ever seen:

While you will be amazed by the enlarged 404 wording, you will be impressed by the rich menu on the right-hand side, which provides sufficient guidance to visitors.

2010/06/29

UPS Delivery Virus

I've got the infamous UPS delivery virus in my mailbox:

Of course, the attached zip file contains a virus. This virus has been around since 2008.

2010/06/24

NAT NAT

Today, I saw a van with the number plate "NAT NAT". Presumably, the owner is an IT manager and he even deploys double NAT in his company's network. I have no doubt that this guy will keep using IPv4 and will not move to IPv6, as he loves NAT so much. How many such guys are there in the IT sector?

Shall I give him a lesson on IPv6 ?

2010/06/13

URL too long encountered by Chrome

This is the first time I have noticed the error message "URL Too Long" in Chrome.

The same webpage and the same URL can be opened in IE 8. Is this a compatibility problem of Chrome? From a security standpoint, there might be a need to limit the maximum length of a URL in order to avoid buffer overflows or other types of attack. I guess it is not easy to find the answers.

2010/06/08

6 IT people of HK get IPv6 Sage status as of today

I checked the Hurricane Electric IPv6 certification website and noticed that, as of today, there are 6 IT people who have attained Sage level. They are:

1. Warren Kwok
2. Jacky Tsoi
3. Joe Ho
4. Charles Low
5. Sang Young
6. Billy Yim

Since APNIC will conduct IPv6 training in HK next week, we can expect more IT people to get Sage certification by this year's end. Stay tuned.

2010/05/27

Damn! The League of Social Democrats website was hacked

Damn! The League of Social Democrats website was attacked by hackers. The LSD has limited funds and relies solely on a web hosting service; it cannot afford a dedicated server of its own, let alone a firewall and an intrusion prevention system. Miserable!

2010/05/25

IPv6 Sage T-Shirt

Nice to learn that Hurricane Electric is giving out T-shirts to those who attained the Sage level. What I need to do is log in and, in the account setup, click the request T-shirt button and validate the postal address. Upon completion, an extra 100 score points will be added, so my score is 1500.

The T-Shirt and the extra 100 score are nice gifts. Thanks to Hurricane Electric.

2010/05/23

My dog, Mark Chai passed away yesterday

My dog (Mark Chai) passed away yesterday after staying with my family for 16 years (6 Dec 1993 - 22 May 2010). Things change now. A family of four becomes a family of three.

Looking back, I hate myself for not treating my dog much better. I should have bought more tasty snacks for him to eat. I should have spared more time to take the dog for a longer walk in the park. I should not have punished him for occasionally pissing on the floor and making the house a mess. I should have paid more attention to his deteriorating body condition. I promised I would certainly be good to him if God could bring him back to life.

Dogs are our best companions. We only need to give them food, water and shelter, and then they will be loyal to us for the rest of their lives.


2010/05/22

Dog-shit garbage proposal

The government says: having something to eat beats having nothing, so please support the dog-shit garbage proposal.

2010/05/15

516: vote together

Every ballot in a voter's hand was hard won; it stands for human dignity and for society's hope. For the next generation, for democracy, for fairness, for justice: vote together on 516 and kick out the functional constituencies.

2010/05/14

The death of Lam Bun (林彬)

The death of Lam Bun (林彬) was a shameful deed of the predecessor of the DAB (民建聯) and of the Federation of Trade Unions (工聯會); the evidence is ironclad and cannot be denied. Just look at the headline in the CCP mouthpiece Ta Kung Pao (《大公報》):



Shamelessly, the SAR Government went on to award the Grand Bauhinia Medal to Yeung Kwong (楊光), the FTU leader of the time and the mastermind of the leftist riots of 1967, which is a real insult to all who died back then.

2010/05/12

GFW poisons DNS resolution

I have heard about the GFW purposely poisoning DNS information, but as I am in Hong Kong, I have no way of testing this scenario. Thanks to websitepulse, which offers a facility for testing accessibility to websites behind the China GFW. The URL is:

http://www.websitepulse.com/help/testtools.china-test.html

My test on access to www.twitter.com is dumped in the picture below. The fake IP address returned is 37.61.54.158. Actually, the 37.0.0.0/8 Class A range is not assigned yet, so there is no route to this IP address.
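The two clues in the test above, an answer that disagrees with what resolvers outside the GFW return and an answer in unallocated address space, can be turned into a routine check. The following is an added example written for this page, not code from the post or from websitepulse; the reference answers and the unassigned-prefix list are constructed, and the 37.0.0.0/8 entry reflects the IANA registry as of the time of the post (that block has since been allocated, so a live check must refresh the list).

```python
import ipaddress

# Constructed reference answers: what resolvers outside the GFW returned for the same name
# (documentation-range addresses, not real records).
REFERENCE_ANSWERS = {"198.51.100.10", "198.51.100.11"}

# 37.0.0.0/8 was unassigned when the post was written (it has since been allocated),
# so a real check must refresh this list from the IANA IPv4 address space registry.
UNASSIGNED_PREFIXES = [ipaddress.ip_network("37.0.0.0/8")]

# Space that should never appear as the address of a public web server.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "240.0.0.0/4")]


def classify_answer(answer, reference_answers=REFERENCE_ANSWERS,
                    unassigned=UNASSIGNED_PREFIXES, bogons=BOGON_PREFIXES):
    """Return the reasons an A-record answer looks forged; an empty list means it is consistent."""
    ip = ipaddress.ip_address(answer)
    reasons = []
    if any(ip in net for net in bogons):
        reasons.append("bogon")
    if any(ip in net for net in unassigned):
        reasons.append("unassigned")
    if answer not in reference_answers:
        reasons.append("disagrees-with-reference")
    return reasons


def suspicious_answers(observed, reference_answers=REFERENCE_ANSWERS):
    """Map each answer seen from inside the GFW to its reasons, keeping only the suspicious ones."""
    result = {}
    for ip in observed:
        reasons = classify_answer(ip, reference_answers)
        if reasons:
            result[ip] = reasons
    return result


if __name__ == "__main__":
    # The answer from the post's websitepulse test, alongside one consistent answer.
    print(suspicious_answers(["198.51.100.11", "37.61.54.158"]))
```

A mismatch with the reference set on its own is weak evidence, since geo-aware DNS legitimately hands out different addresses to different regions; an answer that also falls in unassigned or bogon space is what makes the poisoning clear-cut.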

2010/05/10

Root Zone Public Keys

Some network administrators are eager to see what the root zone public keys, issued on 5 May, look like. In fact, ICANN has embedded the warning "This is an invalid key and should not be used contact rootsign@icann.org for more information" inside the key strings. See my dump below:

***** Root Zone Public Keys *****

[localhost]# dig +dnssec dnskey . @192.5.5.241

; <<>> DiG 9.5.2-RedHat-9.5.2-1.fc10 <<>> +dnssec dnskey . @192.5.5.241
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47371
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;. IN DNSKEY

;; ANSWER SECTION:
. 86400 IN DNSKEY 257 3 8 AwEAAawBe++++++++++++++++THIS/IS/AN/INVALID/KEY/AND/SHOU LD/NOT/BE/USED/CONTACT/ROOTSIGN/AT/ICANN/DOT/ORG/FOR/MOR E/INFORMATION+++8=
. 86400 IN DNSKEY 257 3 8 AwEAAazdM++++++++++++++++THIS/IS/AN/INVALID/KEY/AND/SHOU LD/NOT/BE/USED/CONTACT/ROOTSIGN/AT/ICANN/DOT/ORG/FOR/MOR E/INFORMATION+++++8=
. 86400 IN DNSKEY 256 3 8 AwEAAavbA++++++++++++++++THIS/IS/AN/INVALID/KEY/AND/SHOU LD/NOT/BE/USED/CONTACT/ROOTSIGN/AT/ICANN/DOT/ORG/FOR/MOR E/INFORMATION+++++++++++++++++++++++++++8
. 86400 IN RRSIG DNSKEY 8 0 86400 20100515235959 20100501000000 19324 . QWXJEkPRYzAu8SpGmzRw1y9B9JOPRNl9C5csTh6Edv4xQRUb0apb7YRD mhbIgqZN4TMMme70pni93z8gn7fqtylFzCObC0prH90vq20DjxcOeZtV ufvoadCQFsUi87G2kgicZjRLSHjz/h2zJO36nmdp/S05wGxT9KX56Yoy hjuSr6AzCCQvsmDKdhL8D8SAPAZGjPs0ftfKsDyEarcy9XYP9nZfskmQ OWbx0ldr41JfibY3+onP/tA61KQdTQYZ2bAU/eQK/6Kq2YEzSzQijwdV Kex+hi4LXWB85u9uY8YMsa1MVJDY/BYkjW4HU1wvKY47oz4G3oDyI23X IR8NSA==

;; Query time: 5 msec
;; SERVER: 192.5.5.241#53(192.5.5.241)
;; WHEN: Mon May 10 09:44:35 2010
;; MSG SIZE rcvd: 1011

****** End *****

2010/05/09

DNSSEC Look-aside Validation and / or IANA’s published Interim Trust Anchor Repository

For those network administrators who have not yet tried to make their resolvers work with ISC's DNSSEC Look-aside Validation or IANA's published Interim Trust Anchor Repository, they need to make use of the time remaining. By 1 July 2010, when the DNSKEY of the root zone is published, these work-around technologies will disappear from the networking world. Don't miss the chance to witness the technological change yourselves.

2010/05/05

Avoid Error 404 page found by search engine

It is quite embarrassing to me that the Error 404 page of my website can be found by Google. On checking the Error 404 HTML file, I noticed that I had not included the appropriate meta tag in the header to tell search engines not to index that file. The meta tag should look like:



After 1 - 2 months, the Error 404 page should no longer be found.

Another approach is to place the Error 404 HTML file in a special directory and use robots.txt to disallow web spiders from crawling that directory, which looks like:

[file robots.txt]

User-agent: *
Disallow: /cgi-bin/
Disallow: /404-file/

2010/04/30

NSEC and ldns-walk

In my previous blog post, I discussed the weakness of NSEC in DNSSEC, which allows zone walking by trying alphabetical combinations of domain names. Actually, those who have installed the ldns DNS tools need not try alphabetical combinations for zone walking. Simply invoking "ldns-walk ripe.net" gives all sub-domain names under ripe.net and the associated NSEC records.

2010/04/29

Use fail2ban to protect dovecot against brute force attacks

From time to time, I find brute force attacks on POP and IMAP in addition to FTP and SSH. The fail2ban version I have can offer brute force protection for ftpd and sshd but not for dovecot. To achieve the same for dovecot, the following entries must be added under the fail2ban folder:

/etc/fail2ban/filter.d/dovecot.conf

[Definition]
failregex = dovecot-auth: pam_unix\(dovecot:auth\): authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
ignoreregex =

/etc/fail2ban/jail.conf

[dovecot-iptables]
enabled = true
filter = dovecot
action = iptables-multiport[name=Dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
         sendmail-whois[name=Dovecot, dest=you@mail.com]
logpath = /var/log/secure
maxretry = 5
bantime = 1800
ignoreip = 127.0.0.1

This works quite well. No more worry about unlimited meaningless break-in attempts on port 110 and port 143.
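Before relying on a new failregex it is worth running it against real-looking log lines, since a pattern that never matches silently leaves the jail idle. The following is an added example, not part of the post or of fail2ban itself: it applies the dovecot failregex above to a constructed /var/log/secure excerpt, using a <HOST> substitution modelled on fail2ban's, and reproduces the maxretry and ignoreip decision from the jail.

```python
import re
from collections import Counter

# failregex from the filter.d/dovecot.conf above, written as one line; fail2ban replaces
# the <HOST> tag with a capturing group before compiling (substitution modelled on fail2ban's).
FAILREGEX = (
    r"dovecot-auth: pam_unix\(dovecot:auth\): authentication failure; "
    r".* rhost=<HOST>(?:\s+user=\S*)?\s*$"
)
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Constructed /var/log/secure excerpt (documentation addresses): five PAM failures from one
# host, two from another, one from loopback, and an unrelated successful IMAP login.
SAMPLE_LOG = """\
Apr 29 08:01:11 i3way dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=203.0.113.7 user=admin
Apr 29 08:01:13 i3way dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=admin rhost=203.0.113.7 user=admin
Apr 29 08:01:15 i3way dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test rhost=203.0.113.7 user=test
Apr 29 08:01:17 i3way dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=info rhost=203.0.113.7 user=info
Apr 29 08:01:19 i3way dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=sales rhost=203.0.113.7 user=sales
Apr 29 08:02:40 i3way dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=198.51.100.9
Apr 29 08:02:44 i3way dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=198.51.100.9 user=bob
Apr 29 08:03:00 i3way dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=127.0.0.1 user=warren
Apr 29 08:03:05 i3way dovecot: imap-login: Login: user=<warren>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.25
"""


def compile_failregex(failregex):
    """Turn a fail2ban-style failregex into a Python pattern with a named 'host' group."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def count_failures(lines, failregex=FAILREGEX):
    """Count matching failures per remote host, exactly what the jail tallies per findtime."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in lines:
        match = pattern.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits


def hosts_to_ban(lines, maxretry=5, ignoreip=("127.0.0.1",)):
    """Hosts that reach maxretry and are not whitelisted by ignoreip (jail values from the post)."""
    hits = count_failures(lines)
    return sorted(host for host, n in hits.items() if n >= maxretry and host not in ignoreip)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(count_failures(lines))
    print("ban:", hosts_to_ban(lines))
```

The regex matches both the bare "rhost=" form and the "rhost=... user=..." form that PAM emits, and leaves the imap-login line alone; the loopback host is counted but never banned because of ignoreip.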

2010/04/28

Reverse lookup in Postfix

I recall that I once successfully amended the Postfix config file (/etc/postfix/main.cf) to require a mandatory reverse lookup of connecting IP addresses; if no hostname could be returned, the connection would be rejected. The directive for this is:

reject_unknown_reverse_client_hostname,

There is yet another, more stringent setting

reject_unknown_client_hostname,

which requires not only that the address->name and name->address mappings exist, but also that the two mappings reproduce the same client IP address. This one must be used with care. My experience is that not many SMTP servers can satisfy the requirements.
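The difference between the two restrictions is easiest to see on concrete clients. The following is an added example, not code from the post or from Postfix: it models the two lookups with constructed PTR and A data (documentation addresses) and classifies each client the way smtpd would, so you can count how many more clients the stricter setting turns away. The same address->name test is what Sendmail's require_rdns feature, mentioned further down this page, performs.

```python
# Constructed DNS data standing in for live PTR and A lookups (documentation addresses only).
PTR_RECORDS = {
    "192.0.2.10": "mail.example.org",   # PTR and A agree: full-circle reverse DNS
    "192.0.2.20": "mx.example.net",     # PTR exists, but the name resolves to another address
    "192.0.2.30": "ghost.example.com",  # PTR names a host that has no A record at all
    # 192.0.2.40 deliberately has no PTR record
}
A_RECORDS = {
    "mail.example.org": ["192.0.2.10"],
    "mx.example.net": ["198.51.100.5"],
}


def client_hostname_status(client_ip, ptr=PTR_RECORDS, a=A_RECORDS):
    """Classify a connecting client the way Postfix's smtpd does:
    'unknown_reverse' - no address->name mapping;
    'unknown'         - a name exists but name->address is missing or does not reproduce the client IP;
    'ok'              - both mappings exist and agree."""
    name = ptr.get(client_ip)
    if name is None:
        return "unknown_reverse"
    if client_ip not in a.get(name, []):
        return "unknown"
    return "ok"


def rejected_by(client_ip, restriction, ptr=PTR_RECORDS, a=A_RECORDS):
    """Would the given smtpd_client_restrictions entry reject this client?"""
    status = client_hostname_status(client_ip, ptr, a)
    if restriction == "reject_unknown_reverse_client_hostname":
        return status == "unknown_reverse"
    if restriction == "reject_unknown_client_hostname":
        return status != "ok"
    raise ValueError(f"unsupported restriction: {restriction}")


def compare_restrictions(client_ips, ptr=PTR_RECORDS, a=A_RECORDS):
    """How many of the given clients each restriction would turn away."""
    lenient = sum(rejected_by(ip, "reject_unknown_reverse_client_hostname", ptr, a) for ip in client_ips)
    strict = sum(rejected_by(ip, "reject_unknown_client_hostname", ptr, a) for ip in client_ips)
    return {
        "reject_unknown_reverse_client_hostname": lenient,
        "reject_unknown_client_hostname": strict,
    }


if __name__ == "__main__":
    clients = ["192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"]
    for ip in clients:
        print(ip, client_hostname_status(ip))
    print(compare_restrictions(clients))
```

Only the client with no PTR at all fails the lenient check, while the two clients whose PTR does not round-trip also fail the strict one; that gap is the set of otherwise legitimate but sloppily configured mail servers the post warns about.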

2010/04/21

Weakness of NSEC in DNSSEC

Some zone administrators might have heard that one obstacle to DNSSEC implementation is that the early design of DNSSEC provided the NSEC (next secure) resource record, which tells interrogating resolvers that the domain name they are asking for does not exist. When a zone file is signed, all the original resource records are arranged in alphabetical order and NSEC records are inserted indicating which domain name follows each one. This is a huge vulnerability giving rise to zone walking: a bad guy can dig out all domain records. The illustrations are below:

[Please click on the link to see the second screen dump]


In the screen dump above, I tried to find the A record of "a.ripe.net" and the query was DNSSEC-enabled. The remote side just told me that this name did not exist and that the next available name after my query is "adder.ripe.net". Please note that I have already installed the public key of ripe.net, so all data returned is tagged "ad", which means "authenticated data".

Next, I tried to find the A record of "ooo.ripe.net" and the result told me that the next available name was "openpgp.ripe.net", as below:

[Please click on the link to see the second screen dump]


By trying different alphabetical combinations, thanks to NSEC, I can find out all domain names in a zone. NSEC is now replaced by NSEC3 for zone signing. It is quite new indeed; Windows Server 2008 R2 and BIND 9.6 or above can support it.

The IETF has recommended that all early implementations of DNSSEC signed zones must be resigned with NSEC3 for security reason.
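The leak described here, and the reason ldns-walk in the later post needs no guessing at all, follows directly from how the NSEC chain is built. The following is an added example, not code from the post or from any DNS software: it builds the chain for a small constructed zone (the names are made up, it is not the real ripe.net), shows which NSEC record a server hands back for the two queries in the screen dumps, and contrasts that with the NSEC3 hash of RFC 5155, so that a denial-of-existence answer exposes two hashes rather than two neighbouring names.

```python
import base64
import hashlib

# Constructed zone contents, not the real ripe.net zone; "ripe.net" is the apex.
ZONE_NAMES = ["ripe.net", "www.ripe.net", "openpgp.ripe.net", "adder.ripe.net", "ns.ripe.net"]


def canonical_key(name):
    """Sort key for RFC 4034 section 6.1 canonical order: labels compared right to left,
    case-insensitively and bytewise; a name sorts before every name beneath it."""
    labels = name.rstrip(".").lower().split(".")
    return tuple(label.encode("ascii") for label in reversed(labels))


def build_nsec_chain(names):
    """[(owner, next_owner), ...] as a signer emits NSEC records: each name points to the
    next one in canonical order and the last one wraps back to the apex."""
    ordered = sorted({n.rstrip(".").lower() for n in names}, key=canonical_key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]


def covering_nsec(chain, qname):
    """The NSEC record an authoritative server returns to prove qname does not exist: the one
    whose owner sorts before qname and whose next name sorts after it. None means qname exists."""
    q = canonical_key(qname)
    for owner, nxt in chain:
        o, n = canonical_key(owner), canonical_key(nxt)
        if o == q:
            return None
        wraps = n <= o  # the last record points back to the apex
        if (o < q < n) or (wraps and (q > o or q < n)):
            return owner, nxt
    return None


_TO_BASE32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name):
    """Uncompressed lowercase wire format: length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt_hex="", iterations=0):
    """RFC 5155 section 5 with hash algorithm 1 (SHA-1):
    IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt).
    The zone publishes these base32hex strings as owner names, not the real names."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_BASE32HEX).decode("ascii").lower()


def build_nsec3_chain(names, salt_hex, iterations):
    """Same chain idea over hashed owner names (base32hex sorts in hash order), so a
    denial-of-existence answer reveals two hashes instead of two neighbouring names."""
    hashed = sorted(nsec3_hash(n, salt_hex, iterations) for n in set(names))
    return [(hashed[i], hashed[(i + 1) % len(hashed)]) for i in range(len(hashed))]


if __name__ == "__main__":
    chain = build_nsec_chain(ZONE_NAMES)
    print("NSEC for a.ripe.net   ->", covering_nsec(chain, "a.ripe.net"))
    print("NSEC for ooo.ripe.net ->", covering_nsec(chain, "ooo.ripe.net"))
    print("NSEC3 chain           ->", build_nsec3_chain(ZONE_NAMES, "aabbccdd", 12))
```

The two NSEC answers reproduce the screen dumps: the query for a.ripe.net is covered by the apex record, whose next name is adder.ripe.net, and ooo.ripe.net by the record pointing at openpgp.ripe.net. Walking the chain is then just following the next pointers. With NSEC3 the same answers carry only hashes, and the salt and iteration count make precomputing a dictionary of likely names more expensive, though not impossible, which is why NSEC3 is an obstacle to enumeration rather than a secrecy guarantee.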

2010/04/19

DNSSEC-enabled name hosting service

I guess no ISP in Hong Kong right now has the capability to provide domain name hosting service with DNSSEC. I found one in Germany, Exanames (http://exanames.com/).

The standard rate is 5€ per month per domain. It is really not expensive if you consider the heavy workload of signing and re-signing zones, key rollovers and publishing the KSK to the parent zone.

I am not going to use it as I have decided to do all the DNSSEC config by myself.

2010/04/17

HKNET is testing out IPv6

My IPv6 email autoreply facility (autoreply@v6-mail.com) has received test emails from the HKNET Network Operation Center (noc@ipv6-test.hknet.com), and the v6 addresses in use are:

2001:2e0:4::5
2001:2e0:4::6

From the mail transaction tests, I can see that HKNET's IPv6 paths are already well established. It is just a matter of time before HKNET offers IPv6 to corporate customers.

In fact, HKNET was the first ISP to get an IPv6 address block, dating back to 2001.

2010/04/16

IPv6 Reverse DNS Zone Builder for BIND 8/9

For those who need help in configuring IPv6 reverse lookup information, they may use the "IPv6 Reverse DNS Zone Builder for BIND 8 & 9" available at:

http://www.fpsn.net/index.cgi?pg=tools&tool=ipv6-inaddr

This tool is a quick and easy way of creating BIND 8 and BIND 9 named.conf configuration entries, along with a zone file with the correct syntax for mapping domain names to IPv6 addresses. Users just need to input the file name, the assigned IPv6 block (e.g. 2002:ca51:1234::/48), the zone manager's e-mail address, the primary domain server, the secondary domain server(s) and the forward lookup records.

I have never found any other website that offers a similar function.

2010/04/08

BIND 9.7 makes DNSSEC human touchable

BIND 9.7 promises to make DNSSEC much easier, much more human. The ISC website says the improvements are:

- support NSEC3;
- easier to resign zone;
- automated trust anchor management;
- support DLV; and
- support dynamic DNS configuration.

I am not sure I will be impressed by these additional features of BIND 9.7. I have decided to use "Unbound" as the recursive validator and "NSD" as the DNSSEC-enabled authoritative server.

2010/04/06

Rescue Windows XP

One XP box in my home failed to boot. Booting into the last known good configuration or safe mode also crashed.

I used the XP CD to boot up and then gained access to the System Recovery Console. Next I used bootcfg /list, /scan and /rebuild; all failed and the Recovery Console told me that no bootable Windows partition was found. At this point, I had the feeling that boot.ini might have been corrupted. I did fixboot to try my luck. It worked.

This process of finding ways to rescue XP was really a great pain. I decided to clone another disk for emergency purposes.

2010/04/03

Configure BIND as a recursive validator with Domain Lookaside Validator

I made pretty good progress in DNSSEC. I have changed BIND from a plain resolver into a recursive validator with the aid of ISC's DNSSEC Look-aside Validation (DLV). DLV is an interim solution providing an entry point (besides the root zone) from which to obtain DNSSEC validation information. Without DLV, in the absence of a fully signed path from the root to a zone, zone administrators must configure and maintain all trusted keys in their configurations.

The following lines are the additional entries required in named.conf to enable DLV:

----------------------------------------
// enable dnssec in BIND (these three statements go inside the options { } block)
dnssec-enable yes;
dnssec-validation yes;

// use dlv.isc.org as secure entry point
dnssec-lookaside "." trust-anchor "dlv.isc.org.";

// permit detailed logging
logging {
    channel dnssec_log {
        file "/var/log/dnssec.log" size 20m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity debug 3;
    };
    category dnssec { dnssec_log; };
};

// add the KSK of dlv.isc.org (key string abbreviated)
trusted-keys {
    dlv.isc.org. 257 3 5 "BEAAA...........................";
};
---------------------------------------------
After these entries are in place, tests need to be conducted to verify that the AD (authenticated data) flag is set when querying resource records that are signed.

[root@i3way etc]# dig +dnssec www.dnssec.se a
; <<>> DiG 9.5.2-RedHat-9.5.2-1.fc10 <<>> +dnssec www.dnssec.se mx
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16411
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1

Now that I have a recursive validator in place, the next tasks are to sign my zones and publish the keys to dlv.isc.org.

2010/04/01

Journalists in China said their Yahoo email accounts were hacked

Some journalists in China said their Yahoo email accounts were hacked; see the URL:

http://news.yahoo.com/s/ap/20100330/ap_on_hi_te/as_china_internet

My advice is that they should give up the Yahoo email service, which lacks HTTPS encryption in the web session. In September 2005, a Chinese journalist named Shi Tao was sentenced to 10 years' imprisonment because of discussing June 4 in Yahoo email, which was intercepted by the China Great Firewall.

By all means, and to avoid being caught because of reporting sensitive matters, they should use Gmail, which is fully encrypted.

2010/03/30

CISSP won the "Best Professional Certification Program"

I was extremely happy to learn that CISSP won the "Best Professional Certification Program" award from SC Magazine.

The link is here:

http://www.scmagazineus.com/best-professional-certification-program/article/164155/

I read the following with a bit of excitement:

"The CISSP is not only an objective measure of excellence, but a globally recognized standard of achievement. It requires at least five cumulative years of relevant work experience in two or more of the 10 domains of the CISSP CBK (common body of knowledge), or four years of work experience and a four-year bachelor's degree or a master's degree in information security. To maintain the certification, CISSP holders are required to obtain 120 continuing professional education (CPE) credits every three years, with a minimum of 20 CPEs posted during each year of the three-year certification cycle. This continuing education ensures that CISSP-certified pros are keeping up with the latest threats.

One major point that sets the CISSP apart from other security certifications is the breadth of knowledge and experience necessary to pass the exam. A CISSP candidate cannot specialize in just one domain. They must know and understand the full spectrum of the (ISC)2 CBK to become certified. In addition to the required five cumulative years of relevant work experience in two or more of the 10 domains, CISSPs must also legally adhere to the (ISC)2 Code of Ethics, be endorsed by a current (ISC)2 member, and undergo continuing education to keep the certification current. By meeting each of the above requirements, employers can rest assured that when they hire a professional who holds the CISSP credential, that person has been tested on understanding industry best practices and possesses a broad knowledge of the field and sound professional ethics and judgment."

2010/03/27

Google and the China Great Firewall

After google.cn was redirected to google.com.hk, some of my IT friends have been discussing whether running https://www.google.com.hk can circumvent blocking by the China Great Firewall (GFW). The answers and scenarios are quite complicated. In the absence of HTTPS, sensitive keywords cannot be passed to Google. When HTTPS is employed, sensitive keywords (June 4 massacre, Dalai Lama, Tibet independence etc.) submitted by Chinese netizens can be absorbed by Google, and Google can present a list of URLs and descriptions that best match the search. However, when Chinese netizens click on the URLs, the traffic falls back to HTTP again and the GFW can block by keywords, domains or IP addresses.

Readers should have a clearer understanding by now. Without relying on encrypted means (SSL VPN, SSH + proxy), there is no way to escape the GFW's inspection.

2010/03/26

Another IPv6 email test site

There is a website which allows people to send emails to accounts on IPv6 mail servers:

http://vsix.me/index.php?r=Tools

This site is accessible via IPv6 addresses only. The test tool is written in PHP. I am exploring whether I can find code to do the same.

It can help to verify whether a newly established IPv6 email server can receive emails. The outgoing direction is not tested. I am also thinking of a web-based IPv6 email autoreply facility which helps verify email functionality in both directions.

2010/03/23

Google is leaving China. What's next ?

Google is leaving China. What's next? The website of baidu.com greets you with:

"Welcome to the new Internet world of China search. We are disciplined. We know what information is good for you. Enjoy."

2010/03/19

Ookla speedtest software

I have installed and tested the trial version of the Ookla speedtest engine at the URL:

http://speedtest.warrenkwok.com

The configuration is easy. Just tell the config file what URL is used and, if the server is running Apache, use "filename.asp" inside index.html. By the same token, "filename.asp" or "filename.jsp" will be used for IIS and Tomcat web servers respectively. No gimmicks or hassles at all.

I tried to dig out the logic behind the speedtest engine, some of which can be found in the Ookla documentation:

Latency Test

1. This test is performed by measuring the time it takes to get a response for an HTTP request sent to the web server.
2. It is done 10 times (configurable) with the average value determining the final result.

Download Test

1. A small binary file is downloaded from the web server to the client to estimate the connection speed.
2. Based on this result, one of several file sizes (jpg files with sizes of 1M, 2M, 8M, 12M and 32M) is selected to use for the real download test.
3. The download test is performed with cache prevention via a random string appended to each download.

Upload Test

1. A small amount of random data is generated in the client and sent to the web server to estimate the connection speed.
2. Based on the result, an appropriately sized set of randomly generated data is selected for upload.
3. The upload test is then performed by pushing via POST with the aid of a server-side script.

The trial licence will expire in one month.

2010/03/15

FCC Broadband Test

The FCC has added a broadband test to the official website www.broadband.gov.

I have done a test on my home 6M ADSL line from PCCW.

The test results are :

download speed = 3584 kbps
upload speed = 193 kbps
latency = 235 ms
jitter = 28 ms

The upload and download speeds are quite OK to me. Actually, Google provides the FCC with the line connectivity, and Google has ample bandwidth in HK. The only problem is that with 235 ms latency, I might not have good-quality VoIP, video-conferencing and online games with the US side.

By the way, I had to give a fake US address in order to conduct the test.

2010/03/14

Improvements of motherboards

I do not follow new improvements of motherboards closely. I just found out quite recently that the latest Intel desktop boards have removed COM ports, the parallel printer port, and the IDE and floppy connectors. Removing these obsolete things has long been overdue. I am really happy to see that new motherboards look smart and take care of user needs.

2010/03/12

Benchmarking and stress test tools

I had fun with two benchmarking tools: "ab", which stands for Apache Benchmarking tool, and siege. Both can be used to stress test a web server.

#ab -k -n 1000 -c 100 http://www.example.com/123.html

The above states that 100 threads are concurrently open and each makes 1000 requests. "-k" means to perform multiple requests within one HTTP session.

#siege -b -r 1000 -c 100 http://www.example.com/123.html

This one operates similarly, and siege is run in background mode.

Just a note to remind myself that when doing a stress test on a web server, it is better to know the maximum number of concurrent threads the server is configured for.

2010/03/10

Mitigating the risks of unintentional IPv6 tunnels to IPv4 corporate networks

Some network administrators have started to look at mitigating the risks of unintentional IPv6 tunnels, which introduce threats to corporate IPv4 networks. Basically, there are three types of threat:

a. Teredo tunnels by internal hosts;
b. GUI-based tunnel-broker clients like gogoclient; and
c. 6to4 tunnels which affect public servers in the DMZ.

For (a), we can block UDP port 3544 in the outgoing direction, since all Teredo servers must listen on that port within the IPv4 network path. For (b), gogoclient and other similar programs must adhere to the specification of the Tunnel Setup Protocol (TSP), and the port used is UDP 3653. Hence blocking this port is feasible to disable all kinds of GUI TSP clients. As for 6to4 tunnels, some have suggested banning Protocol 41 (the IPv6 protocol number) entirely in a firewall. Banning Protocol 41 entirely is just like demolishing a big house because of a worm found inside the house; a little pesticide sprayed on the worm is enough. I think we can stop all servers or hosts from accessing the anycast address 192.88.99.1 as a way to eliminate the establishment of 6to4 tunnels.

If anyone has better ideas for stopping unintentional IPv6 tunnels by means of a corporate firewall, please share your knowledge.
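Before adding firewall rules it helps to know which of the three tunnel types are actually in use, and the same three signatures that the post proposes to block also serve as detection logic over flow records. The following is an added example, not code from the post: it classifies constructed NetFlow-style records (documentation addresses) by the signatures above, attaches the post's recommended action to each, and extracts the embedded IPv4 endpoint from a 6to4 address such as the 2002:ca51:1234::/48 block mentioned further down this page, which identifies the host that built the tunnel. The ACTIONS strings are the post's recommendations in plain words, not any vendor's rule syntax.

```python
import ipaddress
from collections import Counter

# Signatures from the post: Teredo servers listen on UDP 3544, TSP clients (gogoclient) use
# UDP 3653, and 6to4 relays are reached via protocol 41 to the anycast address 192.88.99.1.
PROTO_UDP, PROTO_IPV6_IN_IPV4 = 17, 41
TEREDO_PORT, TSP_PORT = 3544, 3653
SIX_TO_FOUR_ANYCAST = ipaddress.ip_address("192.88.99.1")

# Firewall action the post argues for, per tunnel type (plain-language text, not vendor syntax).
ACTIONS = {
    "teredo": "block UDP/3544 outbound",
    "tsp": "block UDP/3653 outbound",
    "6to4-anycast": "block traffic to 192.88.99.1 instead of all of protocol 41",
    "proto41-other": "review: configured IPv6-in-IPv4 tunnel, may be sanctioned",
}


def classify_flow(proto, dst_ip, dst_port=None):
    """Label one outbound flow record, or return None when it matches no tunnel signature."""
    if proto == PROTO_UDP and dst_port == TEREDO_PORT:
        return "teredo"
    if proto == PROTO_UDP and dst_port == TSP_PORT:
        return "tsp"
    if proto == PROTO_IPV6_IN_IPV4:
        if ipaddress.ip_address(dst_ip) == SIX_TO_FOUR_ANYCAST:
            return "6to4-anycast"
        return "proto41-other"
    return None


def embedded_ipv4_from_6to4(addr6):
    """A 6to4 address 2002:WWXX:YYZZ::/48 embeds the tunnel endpoint's public IPv4 W.X.Y.Z
    (RFC 3056); the stdlib exposes the same value as IPv6Address.sixtofour."""
    addr = ipaddress.ip_address(addr6)
    if addr.version != 6 or addr not in ipaddress.ip_network("2002::/16"):
        return None
    return str(ipaddress.ip_address(addr.packed[2:6]))


def audit(flows):
    """flows: iterable of (src_ip, proto, dst_ip, dst_port). Returns per-type counts and
    a list of (src_ip, type, recommended action) for every flow that matched a signature."""
    counts, findings = Counter(), []
    for src, proto, dst, port in flows:
        kind = classify_flow(proto, dst, port)
        if kind:
            counts[kind] += 1
            findings.append((src, kind, ACTIONS[kind]))
    return counts, findings


# Constructed flow records (documentation addresses), not captured traffic.
SAMPLE_FLOWS = [
    ("10.1.1.21", 17, "198.51.100.44", 3544),   # Teredo client qualifying with a Teredo server
    ("10.1.1.35", 17, "203.0.113.9", 3653),     # gogoclient TSP session
    ("10.1.9.5", 41, "192.88.99.1", None),      # DMZ server auto-building a 6to4 tunnel
    ("10.1.9.6", 41, "203.0.113.200", None),    # explicit 6in4 tunnel to a tunnel broker
    ("10.1.1.21", 17, "10.0.0.53", 53),         # ordinary DNS, must not be flagged
]

if __name__ == "__main__":
    counts, findings = audit(SAMPLE_FLOWS)
    print(counts)
    for finding in findings:
        print(*finding)
    print(embedded_ipv4_from_6to4("2002:ca51:1234::1"))
```

The fourth record is why the post objects to blocking protocol 41 wholesale: a deliberately configured 6in4 tunnel to a broker looks the same on the wire as an accidental 6to4 tunnel except for its destination, so the anycast address is the narrower and more accurate match.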

2010/03/01

Akamai Network

I was asked to explain how Akamai's Content Delivery Network (CDN) operates. Here is what I jotted down:

"Akamai is the biggest CDN in the world, built upon distributed computing platforms. As of today, the network comprises more than 60,000 high-performance servers storing content and applications, scattered over 70 countries. Customers in Hong Kong include Cathay Pacific and Apple Computer. Last year, when the HKSAR Government hosted the fifth East Asian Games, the Games website was also linked with Akamai to better serve Internet users in the Asian region.

By subscribing to Akamai's service, Cathay Pacific can ensure that customers worldwide can access its web content with improved speed and performance, which cannot be achieved by placing an array of servers in Hong Kong. In operation, the online content and applications of Cathay Pacific's web server are replicated in real time to Akamai's servers. When users type in the domain www.cathaypacific.com, this URL is just an alias of a sub-domain name assigned to Cathay Pacific by Akamai (cdn.cathaypacific.com.edgekey.net), which then points to a number of IP addresses."

The above note should be quite easily understood by average Internet users as well as laymen.

2010/02/21

New antispam features in Sendmail 8.14.0 and above

I have not paid attention to some important new antispam features offered by Sendmail in version 8.14.0 or above. They are:

FEATURE(`require_rdns')

This rejects messages from SMTP clients whose IP address does not have proper reverse DNS.

FEATURE(`block_bad_helo')

This rejects messages from SMTP clients which provide a HELO/EHLO argument that is either unqualified or is one of our own names (i.e., the server name instead of the client name).

FEATURE(`badmx')

This rejects envelope sender addresses (MAIL) whose domain part resolves to a "bad" MX record.

I recommend that all network administrators who manage Sendmail enable these antispam functions.

2010/02/18

Resolver and recursive validator

I need to remind myself that the term "resolver" can no longer be used once DNSSEC is rolled out on a global scale. All DNS servers that perform the lookup function for clients shall be called "recursive validators". That is to say, a DNS server must ensure that all information it gets about a domain is properly verified with the keys signed by the domain name owners.

2010/02/17

Bind upgrade failure due to yum

Today, I made an upgrade of the BIND DNS package by way of "yum install bind". Afterwards, when I restarted the service using "service named restart", BIND stopped running unexpectedly.

The cause of the failure was that yum only upgraded bind to bind-9.5.2-1.fc10.i386, while bind-chroot, bind-libs and bind-utils stayed on the older version. This is a flaw network administrators never expect to see.

I had to do a "yum -y update bind bind-libs bind-utils bind-chroot". Afterwards, everything was back to normal.

I am sure a similar upgrade failure will come back to me at a later time.