Click the comments link on any
story to see comments or add your own.
Subscribe to this blog
26 Aug 2017
A recent article
in the New York Times Dealbook column reported on phone number hijacking, in which a
bad guy fraudulently takes over someone's mobile phone number and used it to
reset credentials and drain the victim's account.
It happens a lot, even to
the chief technologist of the FTC.
This reminds us that security is hard, and understanding two factor authentication is
harder than it seems.
The usual definition of two-factor is to pick two different items from
a list of security types:
See more ...
Stable link is https://jl.ly/Security/2fphone.html
10 Aug 2017
Yesterday's article introduced my
DNS extension language, intended to make it easier to add new DNS
record types to DNS software.
It described a new perl module Net::DNS::Extlang that uses the extension language
to automatically create perl code to handle new RRTYPEs.
Today we look at my second project, intended to let people create DNS records and zone
files with new RRTYPEs.
See more ...
Stable link is https://jl.ly/Internet/extlang2.html
08 Aug 2017
The Domain Name System has always been intended to be extensible.
The original spec in the 1980s had about a dozen resource record types (RRTYPEs),
and since then people have invented many more so now there are about 65 different RRTYPEs.
But if you look at most DNS zones, you'll only see a handful of types, NS, A, AAAA, MX, TXT,
and maybe SRV.
A lot of the other types are arcane or obsolete, but there are plenty that are useful.
Moreover, new designs like DKIM, DMARC, and notorously SPF have reused TXT records
rather than defining new types of their own. Why? It's the provisioning crudware.
While DNS server software is regularly updated to handle new RRTYPEs, the web based
packages that most people have to use to manage their DNS is almost never updated,
and usually handles only a small set of RRTYPEs.
This struck me as unfortunate, so I defined a DNS extension
language that provisioning sytems can use to look up the syntax of new RRTYPEs, so
when a new type is created, only the syntax tables have to be updated, not the software.
Paul Vixie had the clever idea to store the tables in the DNS itself (in TXT records
of course), so after a one-time upgrade to your configuration software, new RRTYPEs
work automagically when their description is added to the DNS.
The Internet draft that
describes this has been kicking around for six years, but with support from ICANN (thanks!)
I wrote some libraries and a sample application that implement it.
See more ...
Stable link is https://jl.ly/Internet/extlang.html
17 May 2017
It is not much of an exaggeration to say that
the Digital Millenium Copyright Act
of 1998 makes the Internet as we know it possible.
The DMCA created a safe harbor that protects online service providers from copyright suits so
long as the follow the DMCA rules.
One of the rules is that the provider has to register with the Copyright Office, to designate an agent
to whom copyright complaints can be sent.
The original process was rather klunky, send in a paper form that they scan into their database, along
with a check.
This year there is a new online systems, and as of December they will no longer provide the old paper
So if you are a provider (run web servers, for example) and want to take advantage of the safe harbor,
you have to register or re-register.
See more ...
Stable link is https://jl.ly/Internet/dmcareg.html
30 Apr 2017
Among the many issues affecting ICANN's thousand new TLDs is collisions, that
is, the same name already used elsewhere.
The other uses are non-standard and unofficial, but some names turn out to have
been used a lot.
One approach to see how bad the collisions are is controlled interruption,
in which the TLD publishes wildcard records with obvious impossible values, in
the hope that systems that use colliding names see them and do something about it.
The process is pretty simple. For 90 days the domain publishes records like these
currently in the new .hotels TLD:
hotels. 3600 in a 127.0.53.53
hotels. 3600 in mx 10 your-dns-needs-immediate-attention.hotels.
hotels. 3600 in txt "Your DNS configuration needs immediate attention see https://icann.org/namecollision"
hotels. 3600 in srv 10 10 0 your-dns-needs-immediate-attention.hotels.
*.hotels. 3600 in a 127.0.53.53
*.hotels. 3600 in mx 10 your-dns-needs-immediate-attention.hotels.
*.hotels. 3600 in txt "Your DNS configuration needs immediate attention see https://icann.org/namecollision"
*.hotels. 3600 in srv 10 10 0 your-dns-needs-immediate-attention.hotels.
When the 90 days are up, the domain takes out the interruption records, and starts
putting in real ones.
That's the theory, and what the ICANN registry agreements require.
The practice turns out to be different.
See more ...
Stable link is https://jl.ly/ICANN/newtldcrud.html
My other sites
Who is this guy?
Airline ticket info
The Criminals Behind WannaCry
129 days ago
A keen grasp of the obvious
Live from the collander-cam
30 days ago
Coalition Against Unsolicited Commercial E-mail
Network Abuse Clearinghouse