Just a guy in Vermont trying to connect all the dots...
Dan York
Author's posts
Apr 24
Photo: Still Time To Meet The Deploy360 Team at Global INET
If you are at the Internet Society’s Global INET event happening in Geneva right now, you still have a chance to meet Richard Jimmerson and Megan Kruse from the team behind the Deploy360 Programme. Here’s a photo of them (looking sharp!) by the banner for our program.
Megan and Richard have been having great conversations with people about IPv6 and DNSSEC and are still very interested in talking to more folks. If you are there at Global INET, please do say hello to them!
Also, IF YOU ARE A GLOBAL INET ATTENDEE, please check out the IPv6-only network available at the event. If you connect to the network and go to ipv6.internetsociety.org you will be able to register for a raffle we’ll be doing after the Global INET is over. The site is ONLY available over IPv6, so you’ll need to get on the IPv6-only network. Information about how to connect is available at the Internet Society booth there at Global INET.
The Global INET event has been great so far and Megan and Richard are looking forward to continuing more discussions about how to deploy IPv6 and DNSSEC. If you haven’t met with them yet, please do seek them out!
P.S. Please note that the raffle on the ipv6.internetsociety.org site is only for Global INET attendees, but anyone else is welcome to connect to that site over IPv6 and see the links to resources.
Apr 23
When Will We Hit 100 DNSSEC-Signed TLDs?
In looking at ICANN’s TLD DNSSEC Report for today, I noticed that the number of top-level domains (TLDs) signed with DNSSEC is creeping very close to 100:
- 313 TLDs in the root zone in total
- 94 TLDs are signed;
- 86 TLDs have trust anchors published as DS records in the root zone
Who will be the next 6 TLDs to be signed?
That will put us that much closer to one-third (104) signed… and then of course the next step is getting all the DS records in the root zone.
Excellent to see the growth in signed TLDs. Looking forward to seeing the percentage growing even higher!
Apr 23
WordPress 3.3.2 Out With Security Fixes – Upgrade Now!
http://codex.wordpress.org/Version_3.3.2
You'll note that the release is pretty much all about security fixes to underlying libraries and other aspects of the software.
While yes, I'm a "security guy" who may care about these kind of things more than others, the reality is that I'm in the "content business" and I want my content always to be available. Having my site taken down by attackers is NOT a way to do that.
So I always upgrade WordPress - particularly when there are security issues involved.
The beautiful thing is that you should just be able to go into your site and click the "Update automatically" link to make it happen. Yes, backup your database first to be safe... but do go in and do the update.
Particularly because if the upgrade fixes "cross-site scripting attacks", you have to know that attackers are out there right now trying to exploit those attacks against sites that have NOT yet upgraded.
So don't be a target... upgrade!
If you found this post interesting or useful, please consider either:
- following me on Twitter;
- adding me to a circle on Google+;
- subscribing to my email newsletter; or
- subscribing to the RSS feed.
Apr 20
Want to understand DNSSEC? Watch this excellent 1-hour elearning video.
Want to understand DNSSEC and how it can help secure the Internet? The folks at SIDN, the registry behind the .NL country code top-level domain (ccTLD), have put together a truly excellent 1-hour video e-learning session available in either English or Dutch at:
The course touches on the basics of DNS then explains the role of DNSSEC, how it works and the steps that need to be done. It also has some solid points about things you need to think about and also business impacts of DNSSEC. Perhaps most usefully, the course includes a number of animations that really illustrate how DNSSEC works, as well as a few examples of what DNS zone files really look like with DNSSEC involved.
The video’s target audience is really for domain name registrars who would enable DNSSEC for their customers (domain name registrants). However, SIDN created the video in such a way that it’s quite a useful introduction to DNSSEC for anyone interested in the topic.
I found the elearning user interface quite nice in that you could skip around between sections, return to past sections, stop/start the sections and skip ahead as well. The “Notes” tab also includes the text of what was said in each section, which I could see being quite valuable particularly for those for whom English or Dutch is not a native language. It was also nice to have the video introductions from Bert Hubert interspersed with the slides and animations.
My one issue with the user interface was that when a section was done you have to press the “Next” button to move on to the next section. Given that there are 74 sections, I soon found myself wishing there was an “auto-advance” that would just keep on playing the video. A minor quibble, perhaps. Otherwise I was quite pleased.
On a technical level, my only issue was that the course oversimplified one aspect of the DNSSEC infrastructure. It states that a copy of the public key for your zone (the DNSKEY record) is stored in the parent zone as the DS record.
In fact, the DS record is a digest of the DNSKEY, as defined in section 5 of RFC 4034 and shown as an example in section 5.4.
I realize that the video couldn’t go into every detail and had to simplify some aspects in order to keep it within the presentation timeframe. I also realize that the idea is quite similar. However, if someone left this video thinking that the DS record in the parent zone was simply the DNSKEY record from the child zone, they would be extremely surprised when the do a “dig” on the records for a DNSSEC-signed domain and see that they are quite different.
Regardless, I still see this as an outstanding introduction to DNSSEC and commend the folks at SIDN for creating this elearning video. If you want a quick way to understand DNSSEC, definitely do check it out!
Apr 20
Civic.io – Mark Headd’s new site on Civic Hacking and Open Government
My friend Mark Headd passionately wants to open up government - and to do so through code. I've known him for years as the author of the VoiceInGov / Vox Populi blog where he has been writing about mashups and so many other ways to open up access to government information via telephony. Back in November 2010, Mark joined me and the others on the rocket ship known as Voxeo and did outstanding work for the Voxeo Labs and Tropo teams.
But just as my passions altered my career last fall, as of just a short time ago Mark is now the Director of Government Relations at Code for America and, with that, changing a bit about the way he is writing online.
His new site is civic.io, where he will be writing on "civic hacking, civic startups and the future of open government". He's brought over to the site many of his relevant older posts, so he's already got a solid amount of content.
The work he and the others at projects like Code For America are doing is incredibly important to help with keeping our networks open. I'm looking forward to reading more of what Mark is up to in the time ahead - and certainly wish him all the best in this new endeavor.
Oh, and of course you can follow him on Twitter at @civic_io.
If you found this post interesting or useful, please consider either:
- following me on Twitter;
- adding me to a circle on Google+;
- subscribing to my email newsletter; or
- subscribing to the RSS feed
Apr 20
Facebook To Provide IPv6 Access For Developers On May 18th
As of May 18, 2012, developers working on Facebook applications will have access over IPv6 to Facebook’s development platform to test their applications out in preparation for World IPv6 Launch. In a blog post this week, Facebook’s Eric Osgood writes:
With the World IPv6 Launch coming on June 6th 2012, Facebook has committed to enabling IPv6 access for our users on most of our HTTP and HTTPS endpoints. Based on the results of last years IPv6 test on June 8th 2011, we are confident that enabling IPv6 on our platform will be a success. On May 18th, we will be enabling IPv6 on beta.facebook.com ahead of World IPv6 Launch to give our developer community time to discover issues and report bugs back to us.
IPv6 is vital because the Internet’s original addressing system (IPv4) has run out of free space. Since every device on the Internet relies on a unique address to communicate, we must transition to IPv6 which provides over 4 billion times more addresses than IPv4. IPv6 will ensure everyone (users, ISPs, governments, and companies) have direct and open access to the Internet.
We are thrilled to see this news out of Facebook and look forward to learning of developers ensuring their applications work over IPv6!
Apr 19
Creating an IPv6-only Wi-Fi Network For the Global INET Event
This weekend, hundreds of people will begin converging in Geneva, Switzerland, for the Global INET event, celebrating the Internet Society’s 20th Anniversary, listening to visionary keynotes and collaborating with others to shape the future of the Internet.
While there, attendees will also have the opportunity to ensure their laptops and mobile devices are configured correctly for IPv6 – and…
…to use an IPv6-only Wi-Fi network.
Once connected to the IPv6 Wi-Fi network, attendees will be able to test their IPv6 connectivity by visiting an IPv6-only website (and entering a contest while there). To help attendees, we will be providing there onsite a document explaining briefly how to configure IPv6 on typical laptops and mobile devices.
To create this IPv6-only WiFi network for a large event like this, our Internet Society IT team worked with Swisscom. This diagram shows the overall architecture (click on the image for a larger version):
For the Internet gateway, we’ve configured a Cisco 2901 in dual stack mode. To restrict the network to IPv6-only, we have disabled IPv4 DHCP. A few other notes:
Wi-Fi configuration:
For the Wifi access points we are using four Apple AirPort Extreme access points. These devices support connectivity on both the 2.4GHz and 5GHz bands. 802.11b/g/n is supported on the 2.4GHz band and 802.11a/n on the 5GHz band. Based on the IEEE 802.11n specification, AirPort Extreme uses a technology called multiple-input multiple-output (MIMO) to transmit multiple data streams simultaneously. A maximum of 50 WiFi users can be associated with each access point.
IPv6 LAN configuration:
DHCPv6 is not configured on the LAN. We use IPv6 address auto configuration (SLAAC) to discover the IPv6 parameters. The host uses the link prefix + the EUI-64 address (MAC address + FF:FE) to construct the IPv6 address.
If you are going to be at Global INET, please do give the IPv6-only Wi-Fi network and try and let us know how it works for you. We’re looking forward to seeing Global INET attendees using the network next week!
Note: Peter Godwin of the Internet Society’s IT team contributed to this article.
Apr 18
Where Are The IPv6-Only Wi-Fi Routers And Access Points?
In trying to set up an IPv6-only Wi-Fi network for a test environment in my home office, I ran across an interesting stumbling block:
You can’t turn IPv4 OFF on typical Wi-Fi access points or routers!
Now, this does make a certain degree of sense for consumer-grade equipment. Providing such a setting is simply one more thing for someone to mess up – and generate support calls into the router manufacturer about how they can’t get on the network, can’t access email, etc., etc. So I get it… the consumer equipment manufacturers are operating on commodity margins and need to minimize support inquiries.
It may also be quite honestly that… no one has asked for it! We’ve been living in a world where IPv4 was the only option for so long that equipment product managers may not even be thinking about the desire for an IPv6-only Wi-Fi network. “Why would you ever want to do that?”
But I do want to do that – and I imagine I’m not alone among those of us working on deploying IPv6. I want a Wi-Fi test network that is IPv6-only. No IPv4 at all. Just IPv6… which then lets me connect to an IPv6 server and experiment with various different transition technologies. Plus I get to see which apps work in an IPv6-only environment and which don’t. I want a Wi-Fi network to experiment and play in the land of pure IPv6.
However, in searching online and looking through documentation of various Wi-Fi routers and access points, I’ve yet to find any off-the-shelf routers/APs that allow IPv4 to be disabled on an interface.
Yes, multiple people have suggested that I could hack the OpenWRT or DD-WRT code to roll my own AP without IPv4… and yes, I certainly could, and maybe that winds up being my only choice, but I’d personally rather hack on other projects than my Wi-Fi infrastructure. However, that may be what I do.
Have any of you seen Wi-Fi routers or access points where you could disable IPv4 on the Wi-Fi network and only use IPv6? Even better, an AP that lets me create multiple networks and have one of them be IPv6-only?
Or have any of you already hacked OpenWRT or similar code to be IPv6-only?
I’d love to hear what options folks have found (and would love to publicize them here).
Image credit: a_ninjamonkey on Flickr
The post Where Are The IPv6-Only Wi-Fi Routers And Access Points? appeared first on Internet Society.
Apr 18
Where Are The IPv6-Only Wi-Fi Routers And Access Points?
In trying to set up an IPv6-only Wi-Fi network for a test environment in my home office, I ran across an interesting stumbling block:
You can’t turn IPv4 OFF on typical Wi-Fi access points or routers!
Now, this does make a certain degree of sense for consumer-grade equipment. Providing such a setting is simply one more thing for someone to mess up – and generate support calls into the router manufacturer about how they can’t get on the network, can’t access email, etc., etc. So I get it… the consumer equipment manufacturers are operating on commodity margins and need to minimize support inquiries.
It may also be quite honestly that… no one has asked for it! We’ve been living in a world where IPv4 was the only option for so long that equipment product managers may not even be thinking about the desire for an IPv6-only Wi-Fi network. “Why would you ever want to do that?”
But I do want to do that – and I imagine I’m not alone among those of us working on deploying IPv6. I want a Wi-Fi test network that is IPv6-only. No IPv4 at all. Just IPv6… which then lets me connect to an IPv6 server and experiment with various different transition technologies. Plus I get to see which apps work in an IPv6-only environment and which don’t. I want a Wi-Fi network to experiment and play in the land of pure IPv6.
However, in searching online and looking through documentation of various Wi-Fi routers and access points, I’ve yet to find any off-the-shelf routers/APs that allow IPv4 to be disabled on an interface.
Yes, multiple people have suggested that I could hack the OpenWRT or DD-WRT code to roll my own AP without IPv4… and yes, I certainly could, and maybe that winds up being my only choice, but I’d personally rather hack on other projects than my Wi-Fi infrastructure. However, that may be what I do.
Have any of you seen Wi-Fi routers or access points where you could disable IPv4 on the Wi-Fi network and only use IPv6? Even better, an AP that lets me create multiple networks and have one of them be IPv6-only?
Or have any of you already hacked OpenWRT or similar code to be IPv6-only?
I’d love to hear what options folks have found (and would love to publicize them here).
Image credit: a_ninjamonkey on Flickr
Apr 16
Excellent Interactive Map of DNSSEC Support by Swedish Municipalities
This morning we learned via a tweet about this very cool interactive map of the status of DNSSEC support by Swedish municipalities. Sweden has by far been one of the leaders world-wide in implementing DNSSEC and the fact that such a map like this can even be constructed is a great testimony to all the excellent work happening there.
Kudos, too, to whomever created this map and site. Other than seeing it was funded by the great folks at .SE it’s not clear from the site who created it. We love seeing visualizations like this and look forward to seeing more such maps for other parts of the world.
