Category: Developers

Weekend Project: Upgrade SpamAssassin To Release 3.4.0 And Add IPv6 Records For Your Mail Server(s)

If you operate your own mail server and use Apache’s SpamAssassin as your anti-spam tool, here’s a weekend project for you – upgrade SpamAssassin to release 3.4.0, which, as we mentioned this past Wednesday, now includes better IPv6 support!  The release also has a number of other features which make the upgrade worthwhile.

After doing that upgrade, if you have IPv6 connectivity your next step is to make sure you have the correct records in DNS to accept mail over IPv6.  In DNS, the ‘MX’ records point to the host names of the mail servers that will accept email for a given domain.  All you need to do to accept email over IPv6 is make sure that each host name used in MX records also has a ‘AAAA’ record with the IPv6 address for the server.

If you do not have IPv6 connectivity, your next step is to ask your ISP or server hosting provider when they will support IPv6!  Preferably in a public forum (or on social media) so that they can respond and others can also join in to the request. :-)  If they won’t have IPv6 soon (and you don’t want to or can’t switch to a different hosting provider or ISP), you could try setting up an IPv6 tunnel to get IPv6 connectivity to your mail server.

You also do need a mail server that supports IPv6, of course, and so you may need to check that with the company or group behind your mail server. (As I note to myself that we need a page here on Deploy360 that lists IPv6-capable mail servers!)

To test out your ability to receive email over IPv6, here is an email test tool that can check if your records and servers are set correctly. (Here is an example test for ietf.org.)
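The DNS check described above (every MX target needs an AAAA record) can be done offline against your own zone data. This is an added example, not part of the original post or the test tool it links to; the zone fragment and the example.test names are constructed, and the parser only understands simple one-line "owner IN TYPE rdata" records.

```python
import ipaddress
from collections import defaultdict

# Constructed sample zone fragment (example.test is not a real domain):
# mx1 is dual-stack, mx2 is reachable over IPv4 only.
SAMPLE_ZONE = """
example.test.        IN MX   10 mx1.example.test.
example.test.        IN MX   20 mx2.example.test.
mx1.example.test.    IN A    192.0.2.25
mx1.example.test.    IN AAAA 2001:db8::25
mx2.example.test.    IN A    192.0.2.26
"""

def parse_zone(text):
    """Parse 'owner IN TYPE rdata...' lines into {owner: {type: [rdata fields]}}."""
    records = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[1].upper() != "IN":
            raise ValueError(f"unsupported record line: {line!r}")
        records[fields[0].lower()][fields[2].upper()].append(fields[3:])
    return records

def check_mx_ipv6(records, domain):
    """Return {mx_host: status} for each MX target of `domain`.
    'ok'         every AAAA rdata parses as an IPv6 address
    'bad-aaaa'   an AAAA record exists but its rdata is not IPv6
    'ipv4-only'  only A records: mail will never arrive over IPv6
    'no-address' neither A nor AAAA: the MX target is unresolvable here"""
    result = {}
    for pref_and_host in records[domain.lower()]["MX"]:
        mx_host = pref_and_host[1].lower()  # rdata is [preference, exchange]
        aaaa = records[mx_host]["AAAA"]
        if aaaa:
            try:
                for rdata in aaaa:
                    ipaddress.IPv6Address(rdata[0])
                result[mx_host] = "ok"
            except ipaddress.AddressValueError:
                result[mx_host] = "bad-aaaa"
        elif records[mx_host]["A"]:
            result[mx_host] = "ipv4-only"
        else:
            result[mx_host] = "no-address"
    return result

if __name__ == "__main__":
    for host, status in check_mx_ipv6(parse_zone(SAMPLE_ZONE), "example.test.").items():
        print(f"{host}: {status}")
```

Run it against a dump of your real zone to list which MX hosts still lack an AAAA record before you announce IPv6 mail delivery.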

If you did all this, congratulations!  You’re now ready to accept email – and protect yourself from spam – over IPv6!

New IETF “openv6” Mailing List For IPv6 Application Developers

Do we need an “open interface and a programmable platform to support various IPv6 applications”? That is the question posed for a new “openv6” IETF discussion mailing list announced yesterday. The openv6 list, which is open to anyone to subscribe to, has this description:

This list is to discuss an open interface and a programmable platform to support various IPv6 applications, which may include IPv6 transition technologies, SAVI (Source Address Validation and Traceback), security, data center, etc. This discussion will focus on the problem space, use cases and possible protocol extensions. The following questions are listed to be solved via this discussion:

(1) What are the problems and use cases existing in various IPv6 applications,  e.g., multiple IPv6 transition technologies co-exist?

(2) How to enable the applications to program the equipment to tunnel IPv6 traffic across an IPv4 data plane?

(3) How this work can be done through a general interface, e.g., to incorporate the transition policies, simplifying the different stages through the transition and guaranteeing that current decisions do not imply a complicated legacy in the future?

(4) How to make the end-to-end configuration of devices: concentrator/CGN, CPE and the provisioning system?

(5) How to extend the existing IETF protocols, e.g., netconf, to support this open interface?

The list is not for forming a new IETF working group (WG). It is at this point purely for discussing this topic. The mailing list archive seems to be empty at the moment (or the link is not correct), but given that the list was just announced yesterday the list owners may be waiting for people to join the list before kicking off discussion. In searching IETF archives I found this recent draft from October 2013, “Problem Statement for Openv6 Scheme,” that may be part of the discussion.  I expect we should see more information soon as the discussion begins.

Anyway, if you are an application developer looking at how to help your applications work over IPv6, this may be an interesting mailing list to join, if for no other reason than to monitor it and see what work is happening.

I’m looking forward to seeing the discussion begin!

Geoff Huston Unravels An IPv6 Bug Involving Apple Mail And Microsoft Exchange

Geoff Huston at APNIC Labs published today a fascinating and very well-documented exploration of why he was having occasional, seemingly random problems sending email from his Apple Mail program via APNIC’s Microsoft Exchange Server.

It’s such a good read that I’ll not spoil the story, other than to say it is a good example of the kinds of things application developers need to be thinking about with regard to how they work with IPv6 addresses!

Thanks to Geoff and his colleagues for publishing such a thorough write-up from which we all can learn.

Got A DNSSEC Project That Needs Funding? Apply to NLnet Foundation Before Dec 1

Do you have an open source project (or the idea for one) related to DNSSEC that needs funding? Perhaps a new tool that will make it easier to use DNSSEC?  Or perhaps new software that supports the DANE protocol to increase the security of TLS/SSL? A browser plugin?  A program that makes it easier for registrars to pass DS records?  A measurement tool for DNSSEC usage?

Or do you want to add DNSSEC capabilities to an existing program, like the Jitsi team did when they added DNSSEC validation to VoIP?  Would you like to build DNSSEC validation into your tool or service?  Would you like to add DANE support to your browser or other tool?  Would you like to add DANE support to another service beyond the web?  Do you have a use case where DNSSEC-signed TLS/SSL certificates would greatly add another level of security?

If you have any ideas along these lines, the NLnet Foundation is funding projects through their “DNS Security Fund” and THE NEXT APPLICATION DEADLINE IS DECEMBER 1, 2012 at 12:00 Central European Time (CET).  You can read more and find out how to apply at:

http://www.nlnet.nl/dnssec/

That page lists at the bottom some of the many projects that the NLnet Foundation has funded.  Their most recent “Open call for funding” gets into more details.  There is one very important note:

There is one important condition which is that any software or hardware that a project produces must be available under a valid open source licence (GPL, BSD, Apache, etc.).

As long as you are fine with that, you may be able to get some level of funding through NLnet Foundation.

We’re definitely appreciative of all the great work that the NLnet Foundation has funded to date. Tools like Unbound, DNSSEC-Trigger and the multiple DNSSEC developer libraries they have supported have made it so much easier to get DNSSEC deployed.

Now it’s your turn – what can you develop to help get DNSSEC more widely deployed?    If you’ve got an idea, the NLnet Foundation may be able to help… apply before December 1 to see if they can!

P.S. Note also that if you can’t apply before December 1, the NLnet Foundation accepts proposals six times a year, with deadlines of February 1, April 1, June 1, August 1, October 1, December 1.

FreeBSD IPv6 Performance Analysis Project Brings Parity With IPv4

The FreeBSD Foundation posted this week about the completion of an “IPv6 Performance Analysis Project” that had as its main goal closing the gap between IPv4 and IPv6 in terms of performance.

Bjoern Zeeb was awarded a grant to perform this work earlier this year and has maintained a “Benchmarking and results” page showing his work and progress.  As noted in the article:

With IPv6, TCP performance is now basically on par with IPv4 in the offloading case, allowing 10 Gbps line speed connections. This is a huge step forward.  UDP throughput has increased and is closer to the level of IPv4. Changes to locking allow better parallelism, which is a step in the right direction.

In the FreeBSD Foundation report, Zeeb is quoted as saying “This will help to keep the resource usage at the same level as traffic patterns shift towards IPv6.”  This is indeed a concern. As more traffic shifts to IPv6, particularly with the impending World IPv6 Launch on June 6, 2012, network administrators will want to see the same level of performance in their servers on IPv6 as there is in IPv4.

Kudos to the FreeBSD team for recognizing this issue and undertaking the work – and congrats to Bjoern Zeeb and any others involved on bringing about performance parity in FreeBSD between IPv6 and IPv4.  Great news to hear!

Slides: The Status of IPv6 and Open Source/Free Operating systems

What is the status of IPv6 support in free / open source operating systems? Recently Olle Johansson gave a presentation in Sweden where he provided, in his own words:

A status report from a brief test of IPv6 support (including DHCPv6 and SLAAC) in OpenBSD, FreeBSD, Debian, Ubuntu, Fedora compared with Windows 7 and OS/X

His testing focused on trying to answer these questions:

  • Can I install a desktop operating system over IPv6?
  • Can I add and install packages over IPv6?
  • Can I configure it with combinations of Router Solicitations/Advertisements and DHCPv6?

Basically, his goal was to see – how ready are we to run IPv6 single-stack?

Olle was quite up front, too, in saying that he was doing this testing as a beginner with the operating systems because he believes it should be that easy to deploy.  While his conclusions are that there is still a good bit of work to do, his testing at least provides some pointers for where work needs to be done within the operating systems.

Olle has nicely made his slides available for us to see on SlideShare:

DNSSEC And The Challenge Of Modern Websites

Given that modern websites often pull content from a variety of different sites to build a single page, what impact does that have on DNSSEC and the security that it provides?

That was one of the questions raised in a recent post by the DNSSEC Deployment Initiative titled “Are You Secure?” This key point was emphasized in this paragraph:

It shouldn’t come as a surprise to you that your browser was trying to load content from badsign-a.testsub.dnssec-deployment.org although you had not typed that in the address bar. More generally, it shouldn’t be surprising that it requires more than a single DNS lookup to fill the contents of a page. In fact, as the query trace from loading a relatively simple page such as www.dnssec-deployment.org illustrates below, an un-primed resolver easily performs in excess of a hundred lookups before the browser renders the complete page. Some of these queries are not even for names under the dnssec-deployment.org domain. For more content-packed sites the number of names looked up is even higher.

The way we build websites today does very often involve pulling in content from a variety of different sites.  Sometimes it is something as simple as the latest jquery JavaScript library.  Sometimes it is images or advertisements.  Sometimes it is the latest tweets or other content from social networks.

The article goes on to talk about the value of moving DNSSEC validation directly into the application, such as the web browser, so that all DNS queries can be properly validated. The author ends on this note:

It is also important, given that web pages are typically composed of a number of discrete elements, that validation be performed for all lookups initiated by the browser and not just for the name typed in the address bar. Many browser plugins for DNSSEC support will validate only the latter; while that capability is certainly useful, the real benefit of local validation is realized only when the browser (or the OS) completely integrates DNSSEC validation capability into its internal resolver library and enables validation for all queries.

The good news is that browser vendors (and their user communities) have been showing increased interest in seeing DNSSEC capability extended to the end-applications. Proof-of-concept implementations of browsers with DNSSEC validation support (e.g., the DNSSEC-Tools Firefox patch) have been available for a while, and with DNSSEC validation capability being continuously extended to new platforms and devices, there is hope that DNSSEC capability in browsers will eventually become more commonplace.

We certainly share that hope that DNSSEC capability in browsers and other applications will become more commonplace. A goal of this entire Deploy360 Programme is to help bring that widespread availability about.

Application developers… have you checked out the developer libraries available now to help add DNSSEC support to your applications?   Have you looked at what is available in the DNSSEC Tools project?

What else can we do to help you build DNSSEC into your applications?

P.S. In my case, I did see the correct image on the DNSSEC Deployment Initiative web pages, but that is because I’m running a local DNSSEC-validating DNS resolver on my MacBook Pro laptop.  I’m using the excellent DNSSEC-Trigger tool from NLnet Labs – it’s available for Mac OS X, Windows or Linux.

DNSSEC-Tools Project

The goal of the DNSSEC-Tools Project is “to create a set of software tools, patches, applications, wrappers, extensions, and plugins that will help ease the deployment of DNSSEC related technologies.” The project website is at:

http://www.dnssec-tools.org/

There you will find information about the available tools, tutorials, installation information and of course the actual DNSSEC tools available for download in a number of different formats for different operating systems.

The available DNSSEC tools can be broken down into the following categories:

  • Zone Administration Tools
  • Authoritative Domain Name Server Tools
  • Recursive Domain Name Server Tools
  • Application/Script Writers
  • End Users (patches to add DNSSEC support to applications like Firefox, sendmail, jabberd, etc.)
  • DNS Error Checking Tools
  • DNSSEC Management Tools

The DNSSEC-Tools Project is open to public participation and operates a wiki full of documentation, a number of public mailing lists, a public bug tracker, and a Subversion/SVN repository.