Posts from the ‘Technology’ Category

Is your existing DNS service reliable? Unlikely!

(This is an occasional rant about how to make things on the Internet just simply work without problem or hindrance.)

Many domains fail almost every one of the reliability tests. They have two nameservers (the minimum), but often on adjacent IP addresses, say x.y.z.1 and x.y.z.2. These are certainly on the same IP network, and therefore in the same AS. They’re probably in the same rack, one sitting on top of the other. There are many common failure modes that can make them both temporarily unreachable.

You can use the whois command (or any WHOIS-lookup web site) to look up the NS records by the name of your domain. It should tell you both their names and their IP addresses.

Here’s a very bad example, but very typical:

$ whois example.com
(…)
Domain servers in listed order:

A.EXAMPLE.NET 192.0.34.43
B.EXAMPLE.NET 192.0.34.44

If there are only two of them, and their IP addresses are identical except in the last number (as in the bad example, above), you have a problem.

If they’re not as close together as the example, finding out for sure whether they share an IP network takes local knowledge of the routing topology, which you probably can’t determine on your own. Ask your DNS provider for details.

Finding the AS path for the IP addresses is easier, but the output takes some expertise to interpret. http://nitrous.digex.net/ has some Looking Glass web pages that will let you look up available routing information for any IP address. (Pick a site and choose a BGP Query.) If in doubt, ask your DNS provider to describe their redundancy in terms of IP networks, physical space, and AS diversity. If they don’t even know what you mean, escalate. If they refuse to “disclose” this to you, vote with your feet.
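As an added example (not code from the original post), here is a small Python script that applies the cheap checks described above to whois output of the form quoted: it parses the "Domain servers" block, then flags adjacent addresses, nameservers that all sit in one /24, and the bare-minimum count of two. The /24 is an assumption standing in for "same IP network"; as the post says, the real answer needs routing knowledge the script cannot have.

```python
import ipaddress
import re

# Constructed sample input: the whois excerpt quoted in the post above.
WHOIS_OUTPUT = """\
Domain servers in listed order:

A.EXAMPLE.NET 192.0.34.43
B.EXAMPLE.NET 192.0.34.44
"""

# One nameserver line: a hostname followed by a dotted-quad IPv4 address.
NS_LINE = re.compile(r"^\s*(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_nameservers(whois_text):
    """Return [(name, IPv4Address), ...] from the 'Domain servers' block."""
    servers = []
    in_block = False
    for line in whois_text.splitlines():
        if line.lower().startswith("domain servers"):
            in_block = True
            continue
        if in_block:
            m = NS_LINE.match(line)
            if m:
                servers.append((m.group(1).lower(), ipaddress.ip_address(m.group(2))))
    return servers


def diversity_findings(servers, prefix_len=24):
    """List the weak-redundancy patterns the post warns about.

    An empty list only means none of these cheap checks fired; it is not
    proof of real rack, network or AS diversity.
    """
    findings = []
    if len(servers) < 2:
        findings.append("fewer than two nameservers")
    elif len(servers) == 2:
        findings.append("only two nameservers (the bare minimum)")
    addrs = sorted(ip for _, ip in servers)
    for a, b in zip(addrs, addrs[1:]):
        if int(b) - int(a) == 1:
            findings.append(f"adjacent addresses {a} and {b}")
    # Assumption: one shared /24 is used as a stand-in for 'same IP network'.
    nets = {ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False) for ip in addrs}
    if len(addrs) >= 2 and len(nets) == 1:
        findings.append(f"all nameservers inside {next(iter(nets))}")
    return findings


if __name__ == "__main__":
    for finding in diversity_findings(parse_nameservers(WHOIS_OUTPUT)):
        print("WARN:", finding)
```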

The iPad is unbeatable

This piece by Farhad Manjoo is so spot on….

“Imagine you run a large technology company not named Apple. Let’s say you’re Steve Ballmer, Michael Dell, Meg Whitman, Larry Page, or Intel’s Paul Otellini. How are you feeling today, a day after Apple CEO Tim Cook unveiled the new iPad? Are you discounting the device as just an incremental improvement, the same shiny tablet with a better screen and faster cellular access? Or is it possible you had trouble sleeping last night? Did you toss and turn, worrying that Apple’s new device represents a potential knockout punch, a move that will cement its place as the undisputed leader of the biggest, most disruptive new tech market since the advent of the Web browser? Maybe your last few hours have been even worse than that. Perhaps you’re now paralyzed with confusion, fearful that you might be completely boxed in by the iPad—that there seems no good way to beat it.”

Unacceptable, unacceptable, unacceptable

I think Chris Chant has hit the nail on the head with his recent Institute of Government piece.

“It is unacceptable at this point in time to not know the true cost of a service and the real exit costs from those services: the costs commercially, technically and from a business de-integration standpoint. So, how do we untangle our way out of a particular product or service. I can’t tell you how many times I’ve had the discussion that says, we need to get away from that, and we can’t because of the complexity of getting out from where we are, and of all the things that are hanging on to that particular service, that we can’t disentangle ourselves from.

I think it’s completely unacceptable at this point in time to enter into contracts for longer than 12 months. I can’t see how we can sit in a world of IT, and acknowledge the arrival of the iPad in the last two years, and yet somehow imagine that we can predict what we’re going to need to be doing in two or three or five or seven or ten years time. It’s complete nonsense.”

It fills me with hope that there are people out there working to highlight that the command-and-control approach to technology and systems no longer holds up. Can the few break out of the force field of the incumbent suppliers? I really hope so.

Full audio of Chris’s piece is available here.

Security utopia

The problem I’ve most often met in building secure systems is that this particular subject seems to bring out the utopian in people like no other.

This ‘should’ happen, that ‘should’ happen, it’s unfair or wrong or wicked that such and such is allowed to continue. Well, yes. But what are we actually going to do about it? So we need realistic problem solvers. That means a pragmatic approach, which can often offend a lot of purists. Peter Gutmann captures the essence beautifully: “I think a lot of purists would rather have PKI be useless to anyone in any practical terms than to have it made simple enough to use, but potentially ‘flawed’.”

Ralph Langner: Cracking Stuxnet, a 21st-century cyber weapon

A superb piece from TED.com with Ralph Langner clearly explaining the internal workings of Stuxnet, a 21st-century cyber weapon.

Sender Policy Framework and DomainKeys Identified Mail

E-mail – I love to hate it. I could write so much about what is wrong, on so many levels, with e-mail. That’s another matter for another time.

But even with problematic e-mail, corporations and enterprises have come to rely on e-mail to support, or even build and maintain, their business processes. There’s a lot at stake here, so best we get things right and keep them in good order then!

So, with so many additional and complex requirements being loaded onto what is in essence, and was only ever designed to be, a Simple Mail Transfer Protocol, it’s no surprise that the system is creaking at the seams.

Thus, if you’re serious about your e-mail, and you give a damn that your message gets through, you need to make sure your e-mail has the edge and advantage. If you’re running your own e-mail service, either as a large corporation or even just as a home enthusiast, you really should take a look at using Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). The two are orthogonal and complementary, and together they give your e-mail service the edge.

If you haven’t deployed yourself, or your service provider isn’t offering these options as integral to their service, then you really need to consider how important your communication really is, and whether you can actually afford not to have them.

(Postscript: Or you could take the nuclear option and ditch e-mail completely :-) )