journal.terryfroy.com
Saturday, March 23, 2013

Thieving bastards!
(posted at 07:25AM GMT)

My bag (with my MacBook Pro Retina inside) was stolen from a public house in Leicester Square last night... it has been reported to the Metropolitan Police and all the usual places.

For Google's benefit, the serial number is C02HX58GDKQ5 so if anyone does a search for this serial number on Google because they have this machine in their possession or have been offered it for sale, I will pay £200 to the thief for the safe return of the machine with the understanding or will pay a higher sum to anyone who can lead the Metropolitan Police to whoever is selling it/sold it and a successful conviction is achieved.

Please note: Any customers who read this journal should be aware that the internal system disk was encrypted using FileVault 2 and secured with a 12-character mixed-case-alphanumerics-with-obligatory-symbol password - no personal data will have been compromised as a result of this theft.

Monday, November 8, 2010

DNSSEC Continuous Validation
(posted at 10:29AM GMT)

It feels like an age has passed since I last posted anything to my ever-so-neglected part of the Internet :-(

I have been quite busy sorting out some upgrades to our ADSL services with the hope that we should be providing some FTTC-based offerings in the very near future; I also enjoyed diagnosing an MTU issue with BT Wholesale concerning one of our uplinks. Why oh why do suppliers state that our end must be able to support an MTU of 1600 and then proceed to configure their end with an MTU of 1500 (the stock Ethernet setting)?

Whenever we set up a link between our network and another, I always insist on providing them with a copy of our switchport/router interface config and requesting that they provide us with the same for their end.

It eases link setup/future troubleshooting plus it gives each admin some comfort that the other admin has set up their end correctly.

Apparently, BT Wholesale don't do this, citing that their config is 'confidential'.

How can making the hard-coded MTU, duplex and speed settings of an interface available to an admin whose network directly connects to said interface be a breach of 'confidentiality'?

*shakes head in disbelief*

In other news, I spent a pleasant morning in sunny Amsterdam on Monday in the offices of the RIPE NCC discussing a variety of DNS-related things with the resident DNS Services Manager and the hardened IT Manager (who has been doing the job for sixteen years and looks very well for it too!).

I always welcome the opportunity to talk 'shop' with folk outside of my own circle of colleagues/friends in the industry; especially when one of those has superuser access to k.root-servers.net ;-)

While I can't go into too much about what was discussed, I enjoyed my visit immensely, along with the subject matter which was covered, and did manage to take the opportunity to see a few of the tourist attractions around the RIPE NCC offices, with Dam Square offering some lovely examples of Dutch architecture.

One of the topics which we covered was DNSSEC continuous validation; essentially, the RIPE NCC had an issue with zones being signed with already-expired signatures that turned out to be a software bug with their signers but would have been caught if they had been checking the signatures on zones prior to publication or were continually verifying the DNSSEC 'trustability' of their zones.

The reason I mention this here is that DNSSEC is something which is being actively rolled out and the RIPE NCC folks have been doing DNSSEC since 2005, so it seems prudent to point out that if this can happen to them, it can happen to anyone else; it has spurred me into passing all signed zone data through ldns-verify-zone prior to publication along with all of the other (in)sanity checks we have on our provisioning platform.

The main question though is, "How far should continuous validation really be taken?":

  1. Check that signatures are valid after the zone has been signed but prior to publication?
  2. Perform regular AXFRs of the zones in question and check the signatures/expiry times of each resource record?

To me, the first option is acceptable but then again, our nameservers see in the region of tens of queries per second whereas the parts of the in-addr.arpa tree which are delegated to the RIPE NCC will be seeing many many thousands of queries per second in relation to rDNS lookups... if we break DNSSEC on our nameservers, it might result in a single support ticket from our own monitoring boxes telling us to pull our fingers out and fix it plus maybe a couple from some of our more tech-savvy users.

If the same issue hits the RIPE NCC or any other TLD/popular domain, it has far worse consequences due to the dependency which the Internet has on the root and the in-addr.arpa tree.

The second option is more appealing for the RIPE NCC due to the fact that their DNS is more mission-critical than ours (ours is still mission-critical but if ours breaks, we don't have a large part of the Internet shouting at us to fix it) and it is easier to continually validate the small number of zones which the RIPE NCC hosts as opposed to us validating 25,000+ zones on a high-frequency basis.
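The RRSIG expiry check behind both options, as an added example (not the author's code, nor part of ldns or the RIPE NCC's tooling): it walks a signed zone in one-RR-per-line presentation format, as ldns-read-zone or named-compilezone would emit it or as an AXFR would be dumped to disk, and flags every RRSIG that is already expired, not yet valid, or closer to expiry than a chosen warning window. The same function serves option 1 (run over the freshly signed zone before publication, where it would have caught the already-expired signatures the RIPE NCC hit) and option 2 (run over a periodic AXFR). The zone fragment, key tag, signature bodies and the "now" timestamp are all constructed for the example; the field positions follow the RFC 4034 presentation format (type covered, algorithm, labels, original TTL, expiration, inception, key tag, signer, signature), with expiration and inception as YYYYMMDDHHmmSS in UTC.

```python
"""Flag expired or soon-to-expire RRSIGs in a signed zone before (or after) publication."""
from datetime import datetime, timedelta, timezone

# Constructed sample of a signed zone in one-RR-per-line form.
# Key tag and signature bodies are placeholders, not real DNSSEC material.
SAMPLE_ZONE = """\
example.net.     3600 IN SOA   ns1.example.net. hostmaster.example.net. 2010110801 7200 3600 1209600 3600
example.net.     3600 IN RRSIG SOA 8 2 3600 20101201000000 20101101000000 12345 example.net. AAAAconstructed==
example.net.     3600 IN NS    ns1.example.net.
example.net.     3600 IN RRSIG NS 8 2 3600 20101109120000 20101010000000 12345 example.net. AAAAconstructed==
www.example.net.  300 IN A     192.0.2.10
www.example.net.  300 IN RRSIG A 8 3 300 20101101000000 20101002000000 12345 example.net. AAAAconstructed==
"""

# Constructed "current time" so the example is reproducible; a real check uses datetime.now(timezone.utc).
EXAMPLE_NOW = datetime(2010, 11, 8, 10, 29, tzinfo=timezone.utc)


def parse_rrsig_time(field):
    """RFC 4034 s3.2 presentation format for RRSIG times: YYYYMMDDHHmmSS, always UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def check_rrsigs(zone_text, now, warn_within=timedelta(days=3)):
    """Return one (owner, type_covered, status, expiration) tuple per RRSIG in the zone.

    status is one of: "ok", "expiring-soon", "expired", "not-yet-valid".
    Assumes the normalised layout: owner TTL class RRSIG <rdata fields...>.
    """
    findings = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 12 or fields[3].upper() != "RRSIG":
            continue
        owner, type_covered = fields[0], fields[4]
        expiration = parse_rrsig_time(fields[8])
        inception = parse_rrsig_time(fields[9])
        if inception > now:
            status = "not-yet-valid"        # signer clock ahead of the validators' clocks
        elif expiration <= now:
            status = "expired"              # the RIPE NCC failure mode: published but already dead
        elif expiration - now < warn_within:
            status = "expiring-soon"        # re-sign now, before resolvers start failing validation
        else:
            status = "ok"
        findings.append((owner, type_covered, status, expiration))
    return findings


def zone_is_publishable(zone_text, now, warn_within=timedelta(days=3)):
    """True only if every RRSIG is currently valid and outside the warning window."""
    return all(status == "ok" for _, _, status, _ in check_rrsigs(zone_text, now, warn_within))


def example_statuses(now=EXAMPLE_NOW):
    """Status per (owner, type covered) for the constructed sample zone."""
    return {(owner, rtype): status for owner, rtype, status, _ in check_rrsigs(SAMPLE_ZONE, now)}


if __name__ == "__main__":
    for owner, rtype, status, expiration in check_rrsigs(SAMPLE_ZONE, EXAMPLE_NOW):
        print(f"{status:14s} {owner} RRSIG({rtype}) expires {expiration:%Y-%m-%d %H:%M}Z")
    print("publishable:", zone_is_publishable(SAMPLE_ZONE, EXAMPLE_NOW))
```

Against the constructed zone, the SOA signature is fine, the NS signature expires in just over a day and is flagged as expiring soon, and the A signature expired a week ago, so the zone is refused for publication. In a provisioning pipeline the refusal would sit alongside ldns-verify-zone, which checks the signatures cryptographically but does not by itself tell you how much validity is left; for option 2 the same function runs over a periodic AXFR of each zone with a warning window matched to the re-signing interval.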

Nevertheless, I am certain that DNSSEC will continue being a source of fun and games for us and the RIPE NCC alike :-P

Saturday, August 21, 2010

Phew... that was fun!
(posted at 10:33PM BST)

The spilsby.net collective have just returned from a four-day break from 'the usual'; a three-day coursefest courtesy of the RIPE NCC and spending last night out in the West End watching an unforgettable performance of Avenue Q.

The 'The Internet Is For Porn' meme widely available on YouTube initially piqued my interest in seeing the show but I could never justify making a trip over to the States to go see the Broadway version.

This time, it just seemed like it was a no-brainer when we were going to be in the West End doing courses in the day and not much else to do in the evenings except catch up with support tickets... best £56 I have spent in the last six months!

Anyway, back to the usual topics I usually cover:

The RIPE NCC courses were informative but as I was only really interested in the course presented on the second day (Routing Registry Course), I was really only tagging along for the 'LIR Training' and 'Introduction to IPv6' courses - primarily as 'support' for my colleague who is still trying to find his feet with some of the more esoteric parts of our infrastructure (mainly IPv6!).

I took the opportunity to wear my freebie 'IPv6 Certified Sage' shirt I received from Hurricane Electric; primarily because it was likely going to be the only opportunity I would get to do so where I wouldn't have endless people coming up to me asking WTF it meant and also to emphasize that, like all 'sages', I had no problem in dispensing lots of advice relating to some of the more 'interesting' issues and gotchas to some of the fellow delegates who have the task of IPv6-enabling their own networks.

In my own way, I hope that I managed to dispel some of the myths and fears about IPv6 as I was aware that RIPE NCC have to be seen to 'push' IPv6 but they aren't the ones who have to retro-fit the countless existing networks which will need to use it; the trainers know RIPE policy and they acknowledge that they know 'how it all works' but don't have the necessary hands-on experience to advise their LIRs on specific deployment scenarios, so, if I had to really pick the course apart, I think the one thing that it lacks would be the assuring words from someone who has actually done what they now need to do and managed to come out the other side with a 100% IPv6-enabled network that didn't end up breaking IPv4 in the process ;-)

For those who asked for my business card, Googled(tm) my name and found this post, I sincerely hope I did a good job of convincing you that IPv6 isn't something you need to be afraid of and I look forward to hearing from you!
