Category: Weekend Projects

Looking For A Weekend Project? Check These Out… IPv6, DNSSEC, TLS, BGP and more…

Do you have some vacation time during Christmas and New Year’s Day?  Are you looking for a weekend project to try out something new?  Maybe improve your home network?  Or learn a new skill for 2015?  If so, why not check out our list of weekend projects at:

http://www.internetsociety.org/deploy360/blog/category/weekend-projects/

We’ve got all sorts of ideas related to IPv6, DNSSEC, TLS and much, much more…

There are all sorts of ways you can make your network work better, faster and be more secure – and ways to learn a great deal as well.  Our Start Here page can help you get more information… and if you come up with a great weekend project idea, please do let us know!  We’ll write about more in the future.

Enjoy your weekend! Make something happen!


Weekend Project: Check Out The New “getdns” API

Are you an application developer who makes queries to DNS somewhere inside your application?

If so… or if you aren’t, but are just looking for a reason to play around with some code… there’s a new “getdns” API out that is designed to make it easier to interact with DNS.  From the website:

getdns is a modern asynchronous DNS API. It implements DNS entry points from a design developed and vetted by application developers, in an API specification edited by Paul Hoffman. With the development of this API, we intend to offer application developers a modernized and flexible way to access DNS security (DNSSEC) and other powerful new DNS features; a particular hope is to inspire application developers towards innovative security solutions in their applications.

You can read more about it at:

http://getdnsapi.net/

And the code is available on Github at:

https://github.com/getdnsapi/getdns

There are also bindings for python and node.js in the works. This new “getdns” API has been developed by a team of developers from NLnet Labs, Verisign Labs and No Mountain Software and is based off of the getdns API specification documented by Paul Hoffman.

Members of the team gave a presentation at IETF 89 about this new API and what you can do with it, and you can view the slides.  While I haven’t played with it myself yet, I’m pleased to see that one major point is that it gives developers an easy way to use DNSSEC.  All in all it’s very cool to see a new API out there and we do encourage people to check it out and see what you think of it.  I’d note that because the code is maintained at Github, you can file issues there if you have questions or bugs.  There is also an email list for developers and users who want to get more involved with the project.

Congrats to the developer team for releasing this new API and we hope that it enables app developers to more easily interact with DNS and DNSSEC!

Weekend Project: Add IPvFoo or IPvFox To Your Web Browser To See What Is IPv6

Here’s a quick project that will let you see what sites work over IPv6 – and what sites don’t! If you use either Google Chrome or Mozilla Firefox as your web browser you can add an “extension” or “add-on” that helpfully adds an icon to the location bar in your browser, as shown in the image with this post. You can get them at these links:

As we wrote about in the past, the cool part about these add-ons is that they enable you to see what parts of your website are NOT working with IPv6.  For instance, in preparing this post I noticed that our Deploy360 site is no longer showing only a “6” like it used to do a few weeks ago.  By clicking on that icon in the location bar, I saw this:

[Image: Detail of the IPvFox plugin]

This clues me in to the fact that when I recently installed the JetPack plugin for WordPress I wound up using two services that are only available over IPv4. :-(  Given that we want this site to be available to people on IPv6-only networks, now it’s time for me to go off and file bug reports with those sites to indicate that they are not reachable over IPv6.  (Either that or turn off the features that use IPv4, but bug reports are a critical way for people to get more attention to the need to be accessible over IPv6!)

Anyway, I’ve installed these extensions and add-ons into all my instances of Chrome or Firefox and it’s great now to see the places where I can get IPv6 connectivity!

Give it a try!

P.S. This assumes, of course, that you have IPv6 connectivity… if you do not have IPv6 these add-ons won’t be of much help. But hey, if you don’t have IPv6, maybe now is a good time to try setting up an IPv6 tunnel so that you can try these add-ons out!  

Weekend Project: Set Up An IPv6 Tunnel

Don’t have IPv6 connectivity to your home or office network? Have you asked your ISP about getting IPv6 and they can’t give you a timeframe?

Don’t despair! One way you can get IPv6 connectivity for your home office is to set up an “IPv6 tunnel” from your network out over your IPv4 Internet connection to an “IPv6 Tunnel Broker” service that will then connect you out to the rest of the IPv6-enabled Internet.

An IPv6 tunnel can work quite well and was in fact what I used for most of two years until my local ISP just recently provided native IPv6 connectivity.  The good news, too, is that there are IPv6 tunnel broker services that are available to you for free, operated by companies and organizations that want to expand the use of IPv6.

Two of the most well-known tunnel broker services are:

The general process for both of them is:

  1. Sign up and register on their website.
  2. Log in to their website.
  3. Create/request a tunnel.
  4. Configure your local network to connect to the tunnel.
  5. Start using IPv6!

Now, step #4 may or may not be a bit involved.  Some wireless home routers have a configuration tab somewhere for IPv6 where all you need to do is enter the tunnel information provided by the tunnel broker and away you go!  At one point I used an Apple TimeCapsule and was impressed at how easy it was to configure an IPv6 tunnel.  There are also some home server/gateway software distributions that make setting up an IPv6 tunnel easy to do.

To help with this, the SixXS team provides a software client called “AiCCU” and documents the process in “10 easy mini steps to IPv6”. IPv6 advocate Olle Johansson wrote up his experience setting up an IPv6 tunnel through SixXS for his training center.

For Tunnelbroker.net, Hurricane Electric provides configuration information for different operating systems once you log in and create a tunnel.  They also have tunnelbroker user forums with a wealth of information and tutorials about how to connect from various kinds of systems.

Once you have your IPv6 tunnel connected, you should be able to go to a site like test-ipv6.com and see that you do indeed have IPv6 connectivity!  What’s fun then is to install the IPvFoo/IPvFox extension/add-on to either Chrome or Firefox and then as you browse around the web you’ll be able to see what sites you are getting to over your nice new IPv6 connection.

If you’d like more technical information about how IPv6 tunneling services work, you may want to read RFC 7059, which compares different types of IPv6-over-IPv4 tunnel mechanisms.

The cool part of all of this is that you can get IPv6 connectivity while you are waiting for your ISP to join the movement to bring about IPv6 everywhere!

P.S. If any of you want to also write up tutorials of the steps you went through to set up an IPv6 tunnel on your particular hardware or operating system, we’d love to have some more step-by-step tutorials to reference.  Please just leave a comment to this post with a link to wherever you post your article.  (Or if you don’t have a site to post an article on, drop us a note and we may be able to help you out.)

Weekend Project: Enable DNSSEC Validation On Your DNS Resolver

Looking for a weekend project to learn more about a new technology?  How about seeing if you can enable DNSSEC on the DNS resolver you use in your home network?  (Or in your business network?)

This whitepaper from SURFnet about deploying DNSSEC validation on recursive caching name servers provides an excellent guide to get started.

If you operate your own home server/gateway/router and use any of these three recursive name servers, the document provides step-by-step instructions:

  • BIND 9.x
  • Unbound
  • Microsoft Windows Server 2012

Once you have DNSSEC validation configured, you should be able to go to our list of DNSSEC test sites to test your installation. Specifically you should NOT be able to get to the sites with bad DNSSEC signatures.
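The same test can be scripted instead of done in a browser. The Python below is an added example, not code from the original post or the SURFnet whitepaper: it sends a query with the EDNS0 DO bit set and reads the response code and AD ("authenticated data") flag from the reply header. The resolver address and the two test names (one correctly signed, one with bad signatures) are arguments you supply, and the verdict labels are this example's own.

```python
import socket
import struct
import sys

NOERROR, SERVFAIL = 0, 2

def build_query(name, qtype=1, txid=0x1234):
    """DNS query for `name` (type A by default) with RD set and the EDNS0 DO bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD, 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-record: root name, type 41, UDP size 1232, ext-rcode, version, DO flag, rdlen
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_flags(response):
    """Return (rcode, ad_bit) from the 12-byte header of a DNS response."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", response[2:4])[0]
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    return flags & 0x000F, bool(flags & 0x0020)

def ask(resolver_ip, name, timeout=3.0):
    """Send one UDP query to resolver_ip port 53 and return (rcode, ad_bit)."""
    family = socket.AF_INET6 if ":" in resolver_ip else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        return parse_flags(s.recv(4096))

def verdict(signed, broken):
    """Classify a resolver from its (rcode, ad_bit) answers for a good and a bad zone."""
    if signed[0] != NOERROR or broken[0] not in (NOERROR, SERVFAIL):
        return "inconclusive"      # good name failed, or an unexpected response code
    if broken[0] == NOERROR:
        return "not validating"    # the badly signed name still resolved
    return "validating" if signed[1] else "likely validating (AD bit not reported)"

if __name__ == "__main__":
    # usage: check.py RESOLVER_IP CORRECTLY_SIGNED_NAME BADLY_SIGNED_NAME
    resolver, good, bad = sys.argv[1:4]
    print(verdict(ask(resolver, good), ask(resolver, bad)))
```

A resolver that forwards to a validating upstream may answer SERVFAIL for the bad name without setting AD itself, which is why that case is reported separately.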

If you do not operate your own home server, or if you just have a wireless “home router” from one of the various manufacturers, you may need to do a bit more digging to see where your DNS resolution is happening.

To start, you may want to download the DNSSEC-check tool from the DNSSEC Tools Project and run that tool on one of the computers on your network.  It may be that your ISP is already providing DNSSEC validation and if so you can congratulate yourself and go find another project to work on!

If that doesn’t show that you have DNSSEC validation, you need to figure out where your DNS resolvers are located.  The DNSSEC-check tool will give you the IP addresses of the DNS resolvers your computer is configured to use.  Alternatively you can go into one of your computers on your home network and look in the network settings where you should be able to find the IP addresses for whatever DNS servers are being given out by DHCP on your local network.

If the IP address of the DNS resolver is in the same address range as your computer’s IP address (i.e. the same subnet), you are most likely using a DNS resolver located on your home router.  You’ll need to go into the administrative interface for the home router (assuming you have access to it) and look around to see if there is a setting there for DNS resolution and if so if there is a setting to enable DNSSEC.

If you don’t see a way to enable DNSSEC, your home router vendor doesn’t support DNSSEC yet. If you have the time and patience, it would be great if you could go to the website for that router vendor and see if there is a way to file a feature request or bug ticket.  It might be in support forums or in a bug tracker somewhere.

If the IP address of the DNS resolver is in a different address range from your computer’s IP address, odds are that it is probably operated by your Internet service provider (ISP) or is perhaps from a service such as Google’s Public DNS (although if it was from Google, the DNSSEC-check tool would have already shown that DNSSEC validation was working).

Again, if you have the time and patience, it would be great if you would contact your ISP to ask if you can get DNSSEC validation. We hear from both ISPs and vendors that “customers aren’t asking for DNSSEC” – and we need to change that!

Thanks for your help!  Working together we’ll make a more secure Internet!