DNSSEC zone re-sign today

I’ve signed or re-signed all my domains with new, more secure RSA/SHA-256 keys today (and added some domains that weren’t previously signed). I’m going to leave my old signing keys in for a while so you shouldn’t notice the changeover, and remove them in a few days when the new DS and DNSKEY records have had a chance to propagate to the wider Internet.

(For those of you unfamiliar with the concept of DNSSEC, it is a way of using cryptographic signatures to verify that DNS lookups on the Internet, which convert names such as www.garyhawkins.me.uk to IP addresses and vice-versa, are genuine and are not being spoofed from an unauthorised server.)

Update: Old keys now gone from the server.

Yet another certificate disaster

I was dismayed to read this article on The Register today which suggests that yet another large manufacturer has shipped a security nightmare with its laptops.  You’d have thought these people would have learned after the Lenovo “Superfish” debacle, but apparently not.

It would appear that Dell ships a self-signed root CA certificate by the name of “eDellRoot”, which is automatically installed by Dell software into the Windows trusted root certificate store. This would not normally be too much of a problem, but this time they’ve managed to install the private key as well. That means (assuming the private key is the same on every machine with this certificate on it) that it’s trivially easy to take the private key and sign certificates with it, and any Dell machine will then blindly accept those certificates, which can be used for nefarious purposes such as impersonating web sites, man-in-the-middle attacks, malware, etc.

What on earth were Dell thinking?!
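A check for the condition described above, as an added example that is not part of the original post: it lists any certificate in the Windows trusted root stores that matches the name “eDellRoot” given in the post. It also goes beyond that one case and flags every trusted root whose private key is present on the machine, since a root CA's private key should never sit on an end-user system.

```powershell
# Added example: audit the Windows trusted root stores for root CA
# certificates that have a private key on this machine, or that match
# the certificate name mentioned in the post.
$stores      = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$namePattern = 'eDellRoot'   # name as given in the post

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $nameMatch = $_.Subject -match $namePattern
        # Flag on either signal: a local private key, or the known name.
        if ($_.HasPrivateKey -or $nameMatch) {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey
                SelfSigned    = ($_.Subject -eq $_.Issuer)
                NameMatch     = $nameMatch
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Store, Subject | Format-Table -AutoSize -Wrap
    Write-Warning "$(@($findings).Count) trusted root certificate(s) need review."
} else {
    Write-Output 'No trusted root certificate with a local private key or matching name found.'
}
```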

Review: Whole (“blue top”) milk

The other day, I went to the supermarket to do the weekly shop as usual, but they’d run out of semi-skimmed milk (“green top”, which is about 2% fat), so I had to buy whole milk (“blue top”), which is 3.5%-4% fat and which I hadn’t bought for ages.

And so, the following morning, I got up as usual, reached for a bowl and put a handful of corn flakes in it, poured some milk into the bowl and sprinkled a bit of sugar on them, and started to eat them. I’d forgotten just how nice corn flakes tasted with “unskimmed” milk! (OK, not quite as nice as when the milkman delivered the milk bottles and you got a bit of the “cream” on the top, but still pretty nice. If you want that you can still buy 8% fat “gold top” milk at the supermarket.)

So the question is … do I buy whole milk next week, or go back to the decidedly-inferior-on-corn-flakes semi-skimmed? Decisions, decisions…

Likes: Tastes great.  Also nice in coffee.
Dislikes: Makes you fat(ter)

Rating: 9 out of 10
(Corn flakes with “gold top” milk would be rated at least 11 out of 10, if I had any in the fridge)

Review: Snom D765 VoIP phone

So I thought it was time I replaced my existing Snom 370 telephones, after 7 years, with a new model. After much waiting, eventually the phone I was after came on the market, and so I bought two of the Snom D765 phones. The Snom D765 is an updated version of the Snom 760, with better hardware inside. The new design is considerably different to the Snom 370, and looks a lot more modern. The new phone is taller and not as wide. It also has a colour screen, but you’d hardly notice because not much of the screen is in colour except for the green box to show the phone has been registered. (I suspect the colour screen works a lot better when you start including photographs of your contacts.)

The Web interface is largely similar to previous Snom models with a few extra features.  However, I think they’ve got some bugs to fix on the 8.7.5.28 firmware because pushing certain buttons on the Web UI causes the wrong thing to happen, especially when you push red crosses to delete lists of missed calls etc.  The really irritating thing is that the IPv6 support works, but I cannot understand for the life of me why on earth it will not resolve AAAA records.   The only way I can get it to work is to put IPv6 address literals in instead!  (And yes, I have reported the bug.)  Once I did that, it connected to my IPv6-capable FreeSWITCH installation perfectly.

What can I say about this phone? Well, it’s a Snom. If you’re used to previous versions of the Snoms it’s pretty much more of the same. However, they’ve got some stupid bugs to fix in the firmware but otherwise the phone works fine. Still no Opus support yet, which is a shame. Also new (relative to the 370s) are Bluetooth and USB sound card support so you can plug in a USB headset, and multicolour (red/green/yellow) LEDs, unlike the 370 which only had yellow. Lots of possibilities with that, I’m sure, once I’ve worked out how to control them.

Likes: New modern design, IPv6 support, USB headset support, colour screen
Dislikes: Firmware still full of stupid bugs, lack of Opus support, can’t resolve AAAA records.

Rating: 8 out of 10.  Nice phone, needs some work on the firmware

 

ARIN Watched: 24 September 2015

The day has finally arrived.

ARIN announced today that their free pool has reached zero.  Unlike all of the other declared exhaustions, this actually means that there are no IPv4 addresses at all left in the ARIN region, covering the North Americas.

ARIN’s press release can be found here.  Note that this is potentially not the end for waiting list users, as it is possible IANA may make further redistributions of returned addresses every few months or so, but these are likely to be immediately gobbled up by the waiting list applicants.

ARIN Watch: 1 July 2015

Today is the day!

ARIN have announced today that the first applicant to ask for a block of IPv4 addresses that cannot be fulfilled has been processed, and therefore the Waiting List has been activated.  You can find the official announcement here.

As of this morning (UK time), there are just 59 /23s and 437 /24s left to be allocated in the pool, a total of 142,080 addresses left. These are likely to be gone in a matter of weeks too. Returned blocks and any further IANA distributions may be added to this pool, so the total may go up as well as down, but effectively today is the end of any LIR hoping to get a block of addresses larger than a /23.

ARIN Watch: 29 June 2015

Well, “today wasn’t the day” (see last Friday’s post) but ARIN have today published a new blog entry indicating that exhaustion is imminent. Astonishing as it is, it was a bit of a slow day on Friday, but tomorrow could be the day. It really is that close. As of now, there are 88 /23s left and 440 /24s left, a grand total of 157,696 addresses, which is just over a /17 worth of space. If today isn’t the day (which we shall find out early tomorrow morning UK time), then it’s going to be very very soon. Keep watching this space…

ARIN Watch: 26 June 2015

Is today the day?

As of this morning, there were 164,096 remaining IPv4 addresses in ARIN’s pool, comprised of 101 /23s and 439 /24s. This is somewhere between a /17 and /16, if expressed as contiguous space. Given that on an average day, ARIN can easily allocate this amount, it’s likely that today all of this address space could be allocated, or one of the applicants in the queue opts to join the waiting list. In either scenario, it’s game over. At the time of writing, there is just over half an hour before ARIN closes for the day, so very soon we’ll find out whether today was the day or not. Watch this space…