I’m happy to see that more and more tools are developed to increase the security level and trustworthiness of Internet applications. I already talked about DNSSEC and tools to check the validity of domain names, many others blogged about DANE and TLSA validation support in browsers; this time I would like to focus on DKIM and on a Thunderbird add-on to verify its signatures taking advantage of DNSSEC end-to-end validation.
After reading the interesting post by Stéphane Bortzmeyer on RIPE Labs (How Many RIPE Atlas Probes Can Resolve IPv6-only Domain Names?) I wondered how many RIPE Atlas probes used DNSSEC aware resolvers, so I tried to setup some measures and some comparisons.
As also expressed in the aforementioned post, it should be noted that RIPE Atlas probes can’t be used to represent general behaviors of Internet users; they are excellent “toys” in the hands of network engineers but nobody can ensure that their configuration reflects the one used in production environments by users or by servers or by applications.
After the good IPv6 Working Group presentations at RIPE67 I decided to put togheter some data regarding IPv6 adoption in Italy, analyzing enabled Government websites and enabled access networks.
The results are… quite encouraging from the point of view of the work that needs to be done!
Yes, I’m proud to announce the umpteenth maybe-useful IP subnet calculator (or call it whatever you want): IPv6 Prefix Calculator.
This one is an IPv6 only calculator, particularly focused on prefixes, which allows you to take a base network and split it in smaller sub-prefixes.
IPv6 Prefix Calculator
I hope that someone will find it useful; feel free to contact me for any problem or error you encounter using it.
You can find it here: http://www.pierky.com/ipv6-prefix-calculator
Hurray! My blog and the whole pierky.com domain are now running on a DNSSEC secured zone.
Thanks to the recent moving of the blog from the WordPress.org hosted infrastructure to the OVH hosting service I finally managed to enable IPv6 and DNSSEC support.
If you are using a DNSSEC-aware resolver (are you? check it out…) you can verify it yourself:
:~# dig +dnssec blog.pierky.com ; <<>> DiG 9.8.1-P1 <<>> +multi +dnssec blog.pierky.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31643 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ...
There it is the ad (Authenticated answer) flag.
If your resolvers are not DNSSEC-aware – what a shame! Tell your ISP to enable them 🙂 – you can try the same using an open resolver which supports DNSSEC, like those of Google…
:~# dig +dnssec blog.pierky.com @8.8.8.8
… or you can try an online test suite, like the one provided by Verisign Labs or DNSViz.
A nice browser addon – available for Internet Explorer, Firefox and Chrome – allows you to check the DNSSEC validity of the domain names in your browser window. It’s name is DNSSEC Validator and it works even if your resolvers are not DNSSEC enabled (you can set an external resolver different from the one in use in your operating system); here it is a screenshot showing my blog’s status:
DNSSEC secured blog as seen by DNSSEC Validator addon
(in the above screenshot you can see a green 6 too, originated from another Chrome addon, IPvFoo, which indicates whether the current page was fetched using IPv4 or IPv6).
This is just a small drop in the ocean of Internet, but I like to believe that it might raise awareness about DNS security matter and encourage its adoption (it seems that as of September 2012 only 1.7% of the visible DNS resolvers in the Internet were performing DNSSEC validation).
RIPE Labs – Counting and Re-Counting DNSSEC
dnssec-deployment.org – DNSSEC in ccTLDs, Past, Present, and Future/
dnssec-deployment.org – ccTLD DNSSEC Adoption as of 2013-07-30 [PDF]
CZ.NIC – DNSSEC Validator
Verisign Labs – Test if you are benefiting from DNSSEC
Verisign Labs – DNSSEC-Debugger
Sandia.gov – DNSViz