August 21, 2016 / Jim Fenton

DNSSEC Signing Revisited

A couple of years ago, I signed the DNS records of my personal domain with DNSSEC, and wrote a blog post on the experience. Since then, life has been generally good, although there have been a couple of hiccups where the signatures expired and my domain became briefly unavailable to resolvers that verify DNSSEC. I figured out how to make the re-signing of the domain happen automatically, and those problems for the most part went away.

I recently upgraded my DNS server from the Debian “squeeze” release to the “jessie” release to ensure that I continue to get security updates. A month or so later, I got a notification that my DNS was broken again. I figured that the process that re-signed and published my DNS records had failed to start; quite a few things like that broke in the upgrade.

But it was worse than that: the dnssec-tools package that I have been using for signing (described in that blog post) is no longer available from Debian for jessie, apparently because of some unresolved bugs. I needed to quickly find another way to sign my domain.

BIND to the rescue

Looking around for alternatives, I found out that BIND 9.9, which is available as a jessie package, supports inline signing. I have always used BIND as my DNS server, and I welcome the prospect of signing without a lot of external dependencies. ISC provides a good (but incomplete – see below) how-to guide on turning on DNSSEC signing, so I followed those instructions.

My first problem was the keys themselves. Dnssec-tools seems to have used a different format for the public/private keypairs used by DNSSEC than BIND, so I needed to generate new keys. I started to do this, but it was taking forever! It turns out that dnssec-keygen needs a fair amount of cryptographic entropy to generate a keypair, and I was running it on a virtual private server that doesn’t get much entropy. So, despite my aversion to transferring private keys, I generated keys on my home Linux (Ubuntu) machine. This took long enough, even with me banging on keys and doing every other random thing I could think of.

Having transferred the keys (two keypairs, a Zone Signing Key and a Key Signing Key) back to the name server, I went ahead and signed the zone. But I realized something was missing: the ISC how-to guide doesn’t talk about publishing the DS records at the parent domain that are necessary to link my keys to the global DNS trust chain.

Fortunately, I found the instructions for this in a different ISC how-to guide. The dnssec-dsfromkey utility converts the public keys into the necessary format for the DS records. I then logged into my domain registrar’s website and added the necessary DS records.
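The conversion that dnssec-dsfromkey performs can be reproduced by hand, which is useful for checking the DS record shown at the registrar against the key actually being served. The following is an added example, not code from this post or from BIND; it follows RFC 4034 (key tag, canonical owner name) and uses SHA-256 (digest type 2). The function names are this example's own, and the key is a constructed 4-byte placeholder, not a usable key.

```python
import base64
import hashlib
import struct

# Constructed sample record: placeholder key material, for illustration only.
SAMPLE = "example.com. 3600 IN DNSKEY 257 3 8 AQIDBA=="


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag checksum from RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(line: str) -> str:
    """Build the SHA-256 DS record for one 'owner [ttl] IN DNSKEY ...' line."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    owner = fields[0]
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    # Zone files and dig may split the base64 key into space-separated chunks.
    rdata = dnskey_rdata(flags, protocol, algorithm, "".join(fields[idx + 4:]))
    # The digest covers the canonical owner name followed by the DNSKEY RDATA.
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} 2 {digest}"


if __name__ == "__main__":
    print(ds_from_dnskey(SAMPLE))
```

Only the Key Signing Key (flags 257) normally gets a DS record at the parent; a key tag or digest that differs from what the registrar shows means the chain of trust will not validate.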

Everything looked pretty good, and I was able to look up my records using my verifying resolver. But I also checked an online utility to see if it saw any errors. It said my DNSSEC was still broken. I thought maybe there were some old records in a cache somewhere so I waited a day or two.

Time didn’t help here, and I couldn’t figure out why it was still reporting an error. So I consulted a very knowledgeable friend – thank you Patrik! – who introduced me to a different tool, DNSViz, that showed that my slave DNS server, running on a different host, was returning different data. Specifically, it was showing several DNSKEY records from my old configuration that shouldn’t have been there.

I looked at the primary zone file, both the unsigned one I maintain and the one signed by BIND (using the named-checkzone utility, since the file is in a binary format). Everything looked fine; the extra DNSKEY records weren’t there. I re-transferred the zone to the secondary, but the extra records remained.

Finally, somewhat in desperation, I deleted the zone file and the associated .jnl file (not sure where the latter came from). Restarted BIND and everything was fine. I’m guessing that the .jnl (journal) file was telling BIND to make only incremental changes to the zone, and therefore the old DNSKEY records were untouched.

I will, of course, need to continue to watch to make sure that the signatures don’t expire since I don’t understand the key rollover methodology yet. But modulo a couple of problems getting started here, I’m optimistic that inline signing with BIND will be much easier than what I had been doing.
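Both failure modes in this post, a secondary serving DNSKEY records the primary no longer has and signatures running out, can be caught by a periodic check. The following is an added example, not the author's tooling: it compares the DNSKEY sets returned by two servers and flags RRSIGs that are expired or close to expiry. The input is constructed sample text in the layout that `dig +dnssec +noall +answer` prints; the key and signature strings are placeholders, and the function names and seven-day threshold are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample answers; key and signature strings are placeholders.
PRIMARY = """\
example.com. 3600 IN DNSKEY 257 3 8 AwEAAcKSKplaceholder
example.com. 3600 IN DNSKEY 256 3 8 AwEAAbZSKplaceholder
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20160920000000 20160821000000 11111 example.com. c2lnbmF0dXJl
"""
# The secondary still serves one DNSKEY left over from an older configuration.
SECONDARY = PRIMARY + "example.com. 3600 IN DNSKEY 256 3 5 AwEAAaOLDplaceholder\n"


def parse_answer(text):
    """Return (set of DNSKEY tuples, list of (type covered, key tag, expiry))."""
    dnskeys, rrsigs = set(), []
    for line in text.splitlines():
        f = line.split()
        if "IN" not in f:
            continue
        i = f.index("IN") + 1
        rtype, rdata = f[i], f[i + 1:]
        if rtype == "DNSKEY":
            flags, proto, alg = map(int, rdata[:3])
            dnskeys.add((flags, proto, alg, "".join(rdata[3:])))
        elif rtype == "RRSIG":
            # RRSIG RDATA: covered alg labels ttl expiration inception keytag signer sig
            expires = datetime.strptime(rdata[4], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
            rrsigs.append((rdata[0], int(rdata[6]), expires))
    return dnskeys, rrsigs


def check_zone(primary_text, secondary_text, now, warn=timedelta(days=7)):
    """List DNSKEY mismatches between servers and signatures near or past expiry."""
    p_keys, p_sigs = parse_answer(primary_text)
    s_keys, s_sigs = parse_answer(secondary_text)
    findings = []
    for flags, _, alg, _ in sorted(s_keys - p_keys):
        findings.append(f"secondary serves DNSKEY absent from primary: flags={flags} alg={alg}")
    for flags, _, alg, _ in sorted(p_keys - s_keys):
        findings.append(f"secondary is missing DNSKEY from primary: flags={flags} alg={alg}")
    for server, sigs in (("primary", p_sigs), ("secondary", s_sigs)):
        for covered, tag, expires in sigs:
            if expires <= now:
                findings.append(f"{server}: RRSIG({covered}) by key {tag} EXPIRED")
            elif expires - now <= warn:
                days = (expires - now).days
                findings.append(f"{server}: RRSIG({covered}) by key {tag} expires in {days} days")
    return findings


if __name__ == "__main__":
    for finding in check_zone(PRIMARY, SECONDARY, datetime(2016, 9, 15, tzinfo=timezone.utc)):
        print(finding)
```

Run from cron against the real output of each authoritative server, an empty result means the servers agree and no signature is within the warning window.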

August 13, 2016 / Jim Fenton

Home is where you don’t have to accept the Wi-Fi terms and conditions

You arrive at your hotel after a long day of travel. Hungry and tired, you pick up the phone to call room service. There’s no dial tone, but after about 10 seconds, a recorded announcement starts to play:

Important! Please listen carefully before using. Your use of this telephone is your acknowledgement and agreement that you agree with the terms set forth as follows: By using this telephone, you agree to all terms, conditions, and notices contained herein. The Hotel reserves the right, in its sole discretion, to terminate your access to all or part of the telephone system, with or without notice.

All materials, information, and services available through this telephone are provided “as is”. The Hotel accepts no liability for your use of the telephone, including but not limited to damage to your ears, hearing assistance devices, or other equipment. Under no circumstances shall the hotel, its subsidiaries, affiliates, owner, or representatives be liable for any direct, indirect, punitive, incidental, special, or consequential damages that result from the use of, or inability to use, the telephone.

Press 1 to indicate your acceptance of these terms and conditions.

Silly? Infuriating? Yes. But this is exactly what the vast majority of hotel and other quasi-public Wi-Fi networks put us through.

What’s the justification for this? A frequently cited reason is that it’s important to make the acceptable use policy for the use of the network clear: you must not use the network to send spam, spread malware, and such. But don’t many of the same concerns apply to telephones, where you similarly must not use the phone to make telephone threats, harass people, and so forth? We don’t seem to need an explicit display of the acceptable use policy there.

Much of the language in these agreements doesn’t have to do with acceptable use so much as protecting the operator of the network if, for some reason, the network doesn’t perform as desired. This might be of some concern if the user is paying for the service, but increasingly Wi-Fi service is provided for free. Are there any documented cases where the operator of a Wi-Fi network has been sued for damages over the use of the network?

There are other user experience issues as well. These networks often spontaneously forget that you have accepted the terms and conditions. Having to re-accept the terms once each day is typical, but it can happen as often as each time a device connects. Moving from one location to another, such as from a hotel room to the lobby or convention area, or from one Starbucks location to another, often requires reacceptance of the terms as well.

For some reason the systems that implement this operate very slowly. Often the enforcement is done centrally (in the cloud), and perhaps there isn’t a business justification for providing enough capacity to handle requests quickly enough. Regardless, this makes the user experience worse yet.

Requiring acceptance of Wi-Fi terms and conditions causes other problems as well: it prevents some functions from working as intended. If one loses a Wi-Fi-only Apple iPad, that iPad’s Find Device feature may not work at all, even if it had been previously connected to the network. Acceptance requirements can also interfere with cellular/Wi-Fi devices that connect to a Wi-Fi network, making that the preferred route for data traffic, even though communication is blocked via that route.

We’re wasting lots of time trying to get connected to Wi-Fi networks. What does it take to get Wi-Fi connections to work the way they’re supposed to, other than on our home networks?

“Skaneanteles_Hotel_room” by Skaneanteles Suites is licensed under CC BY-SA 2.0

July 24, 2016 / Jim Fenton

Great Lakes Day 15: Home from Toronto

July 3, 2016

Our ride home

Our flight home was again at a “civilized” time, 12:25 pm. We were told to expect long lines at customs, so we checked in early, but were rewarded with very short lines everywhere. We had hoped to do some last minute shopping, but unfortunately there wasn’t a great deal to shop for after customs. The selection of stores was limited and we’re just not into the typical “duty free” merchandise, such as liquor, perfume, and oversized Toblerone bars. So we had coffee and tea and grabbed sandwiches to take on the flight.

This article is the final installment in a series about our recent vacation in the Great Lakes area. To see the introductory article in the series, click here.

July 23, 2016 / Jim Fenton

Great Lakes Day 14: Fenelon Falls to Toronto

July 2, 2016

Kenna, with Doug driving, on Cameron Lake


The weather is beautiful again, so we began with some things we weren’t able to do yesterday. Cousin Stan and his son Doug took us for a short boat ride on Cameron Lake. The lake was quite a bit smoother than it had looked from the shore. Everything was so serene, and as we had remembered it, that we hated to leave. On our way out of town, we stopped to pay our respects to my grandparents and many other relatives at the Fenelon Falls cemetery.

Our next stop was in Oshawa, where a cousin (Mom’s cousin’s daughter Jill) and her husband live. We had a nice visit with them, traded many stories, and collected a little more information on the family genealogy. We then drove to Mississauga, on the other side of Toronto and close to Pearson International Airport, where we are staying for the night in preparation for our flight home tomorrow.

This article is part of a series about our recent vacation in the Great Lakes area. To see the introductory article in the series, click here.

July 22, 2016 / Jim Fenton

Great Lakes Day 13: Canada Day in Fenelon Falls

July 1, 2016

Celeste and Laura making cookies

Today is Canada Day, and the second time we have celebrated it in Fenelon Falls. This time, however, it is stormy — the first really stormy day of the trip.

It was a good day to stay in and read. A rainy day is a real treat for us Californians with our dry summers. Kenna and Celeste went along on a trip to a nearby Mennonite bakery, where they bought yummy-looking cinnamon rolls for tomorrow’s breakfast and strawberry-rhubarb pie for tonight. Celeste and cousin Laura also made chocolate cookies, as if we need more delicious food to eat.

We went over to one of the neighbors’ cottages for an informal party, then had dinner with the extended family. Although the rain had stopped, the town fireworks show was unfortunately postponed because it was too windy. So back to the neighbors for another party. The people of Fenelon Falls are so welcoming.


July 21, 2016 / Jim Fenton

Great Lakes Day 12: Ottawa to Fenelon Falls

June 30, 2016

Today was largely a driving day, about 225 miles from Ottawa to Fenelon Falls, Ontario, where we are staying with my cousin at his cottage.

Peterborough Lift Lock


We got a relatively early start from Ottawa. One wrong turn coming out of the hotel, coupled with nearby construction work, made our departure unexpectedly challenging but we found our way. Once we got out of metropolitan Ottawa, the surroundings were quite rural; it appeared that much of the area is wetlands. We stopped in Peterborough, the largest city in the area, to see a notable lift lock, one of two in North America and the largest in the world. The Peterborough lift lock is part of the Trent-Severn Waterway system, which runs through much of this area, extending from Lake Ontario to Georgian Bay off Lake Huron. We continued through Peterborough and grabbed some lunch along the way. Traffic was quite heavy, probably because tomorrow is Canada Day.

After lunch, we drove to the town of Lindsay, stopping to show Celeste the ruins of the former flour mill where my grandmother had worked about 100 years ago. Lindsay traffic was also heavy, but soon we were on our final leg of the trip to the cottage.

Sunset over Cameron Lake


Fenelon Falls, Ontario is a village on the Trent-Severn waterway that is primarily a tourist destination for people in the Toronto area. My mother’s family came from Fenelon Falls, and my cousin has a cottage on Cameron Lake that I have been visiting since my childhood.

It was wonderful to return to the cottage, visit family, and decompress. After a couple of weeks of shuttling from place to place, primarily in cities, we all needed a breath of fresh air.


July 20, 2016 / Jim Fenton

Great Lakes Day 11: Ottawa

June 29, 2016

Centre Block — from a distance

Today we had planned to visit the Canadian Parliament and the Mint. However, President Barack Obama also planned to visit the Canadian Parliament, and to have a meeting near the Mint. Guess whose plans prevailed?

After breakfast, we took a walk toward the Parliament Buildings to see if we could at least see them. A few blocks from the hotel, we were stopped by barricades; the street had been closed in anticipation of President Obama’s arrival, and there were police everywhere. We (and quite a few others) waited a while under close supervision by the police, who even required that we back up 3 feet from the barricades. After all that, the motorcade didn’t even pass close to us — it was about one (short) block away. Nevertheless, we did get to see the President’s limo, ever so briefly.

After the motorcade passed, we were able to walk in front of the Parliament building known locally as “Centre Block”, at a considerable distance of course. There was also quite a bit of preparation for Canada Day celebrations the day after tomorrow.

Canadian Aviation and Space Museum


We stopped in at the tourist information across from the parliament building, then bought bus tickets to take us somewhat close to the Canada Aviation and Space Museum. After a bit of a walk there, we enjoyed a well-presented museum highlighting Canada’s contributions to aviation and space exploration. Besides the many exhibits of old planes, there was an informative section on the International Space Station, highlighting what living there is like. It featured videos of Chris Hadfield, the Canadian known for his active social media presence from the ISS. We agreed this was the high point of the museum.

After returning on the bus and relaxing a bit, we set out for dinner, again in the direction of the Parliament buildings. While it was clear that there was no motorcade about to pass by, the police presence was heavy and there was a helicopter hovering overhead, signaling that the President had not yet left. By the time we finished our dinner, the police presence had all but evaporated.

One last treat for the day was a stop at a “beaver tail” stand for dessert. A beaver tail is a flat fried pastry about the size and shape of a beaver’s tail, to which various confections are added on top. We decided on the apple/cinnamon beaver tail, which we brought back to the hotel and split 3 ways. It was highly decadent — and recommended.


July 19, 2016 / Jim Fenton

Great Lakes Day 10: Montreal to Ottawa

June 28, 2016

Olympic Park, Montreal


We planned two nights in Ottawa, and it’s only a couple hours’ drive from Montreal, so we spent much of the day in Montreal. After breakfast, we took the Métro to the Olympic Park, where the velodrome has been converted into a museum called the Biodôme. The Biodôme is divided into five general sections (habitats). My favorites were those that represented Canadian habitats: the Laurentian Maple Forest, Gulf of St. Lawrence, and Labrador Coast. The latter habitat seemed to include a penguin exhibit. We love penguins, except they didn’t really fit, being exclusively southern hemisphere birds.


Beaver at the Biodôme

As we continued walking around the Olympic Park, we noticed that it is showing some wear since its construction for the 1976 Olympic Games. It also struck us that the scale of the facility, while necessary for the Olympics, is not optimal for much else. Nevertheless, Montreal has done a very good job of adapting the venues to new uses, as they have done with the Biodôme.

After taking the Métro back and getting some lunch, we set out for Ottawa. Once again, our timing with respect to storms was perfect; it started raining just as we picked up the car. Aside from some minor flooding, the trip was uneventful.

Checking into our hotel in Ottawa, we were told of the many tourist things to do, conveniently walking distance from our hotel: visit Parliament, the National Gallery of Canada, Royal Canadian Mint, Canadian Museum of History, etc. But a little while later, we realized that President Obama is coming to visit Ottawa tomorrow, and all of these attractions are closed. Our timing seems to be bad, but who thinks of checking the President’s travel schedule when planning their vacation?

We had dinner at The Highlander Pub, a nearby Scottish-themed pub, where they had a pub trivia contest in which we did rather poorly, but had a great time. We decided that we should find places near home to do this.


July 18, 2016 / Jim Fenton

Great Lakes Day 9: Burlington to Montreal

June 27, 2016

Notre Dame Cathedral, Montreal


With a short day of driving ahead, we decided to take a more leisurely breakfast. Kenna found a bakery, August First, a few blocks away that was wonderful. It had a comfortable environment, excellent breakfast sandwiches (9 grain roll recommended), and good coffee beverages. Burlington reminded all of us of Boulder, Colorado, both in terms of the “vibe” and of course because they are college towns.


Ben and Jerry’s Flavor Graveyard

When we got on the road, we went first to Ben and Jerry’s Ice Cream, about a half hour south. The 30 minute factory tour was enjoyable, especially with the ice cream sample at the end. We took a walk up the hill to the “Flavor Graveyard” where the retired ice cream flavors are memorialized. Celeste reminded us that this is yet another cemetery we’re visiting this trip. I don’t expect this will be in the Find a Grave registry, though.

Traveling north again, we encountered the first significant rain of the trip. Fortunately we were driving for the duration of the storm and stayed dry. We opted to take US 2 through the Lake Champlain islands. This was a scenic alternative to the Interstate, not very crowded and didn’t add much to our trip time. We passed into Canada through the sleepy border crossing at Rouse’s Point, NY/Lacolle, QC, which was fast and pleasant.


Notre Dame Cathedral interior

The drive into Montreal was a little stressful, as it is into any large city, but we found our hotel quickly and set out for the Old Quarter (tourist district). We visited Notre Dame Cathedral, the altar of which is illuminated in blue making it distinctive and attractive. It has a very impressive pipe organ, which unfortunately we did not get to hear.

We walked around the harbor area a bit before stopping at a sidewalk cafe for dinner. The weather was warm and had fortunately cleared since the rain earlier in the day. Our walk back to the hotel took us through a jazz festival being set up nearby.


July 17, 2016 / Jim Fenton

Great Lakes Day 8: Vermont

June 26, 2016

Burlington Harbor


Today has been mostly a driving day. We took a short detour to Albany to see the state capital, and then drove to Burlington, Vermont. It is Celeste’s first visit to Vermont, and the first time that any of us had spent any time in Burlington. Our hotel is located downtown, close to Lake Champlain. We did a quick visit to the downtown shopping mall (which is apparently under redevelopment), and then made arrangements for a dinner cruise on Lake Champlain.

The cruise was quite pleasant; it began with an Italian buffet dinner which was held inside. After dinner, we had plenty of time to enjoy the scenery before the 8:41 pm sunset. There is no narration on this trip, but through the written materials we learned that there is a Loch Ness monster-like legend, known as “Champ”, in Lake Champlain. Unfortunately, we didn’t see him/her.
