• he.net IPv6 certified!

    From Nicholas Boel@1:154/701 to All on Tue Dec 2 21:26:30 2014
    Hello All,

    I finally got around to taking the certification test over at he.net. I made it to "Guru" and have a current score of 510, scoring perfectly up until this roadblock.

    Apparently, my domain registrar doesn't support "IPv6 glue".. so I'm kinda screwed until they do, or until I switch registrars. I'm not entirely sure I care to do that, since Godaddy has been pretty damn good to me for almost the past decade.

    So "Sage" status may have to wait.

    After I did that, I also added SSL to my IPv6 website (even though it's COMPLETELY unnecessary). :)

    Anyhow, all this transpired when I decided to go looking how to create a static IPv6 address, which I found - but got sidetracked before trying to implement. Whoops!

    Regards,
    Nick

    --- GoldED+/LNX 1.1.5-b20130910
    * Origin: thePharcyde_ telnet://bbs.pharcyde.org (Wisconsin) (1:154/701)
  • From Tommi Koivula@2:221/360 to Nicholas Boel on Wed Dec 3 07:40:26 2014
    On 3.12.2014 5:26, Nicholas Boel -> All wrote:

    I finally got around to taking the certification test over at he.net. I made it to "Guru" and have a current score of 510, scoring perfectly up until this roadblock.

    https://ipv6.he.net/certification/scoresheet.php?pass_name=koivula

    So "Sage" status may have to wait.

    "Sage" was needed to get port 25 opened. ;)

    'Tommi

    --- Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
    * Origin: *** nntp://rbb.bbs.fi *** Lake Ylo *** Finland *** (2:221/360)
  • From Nicholas Boel@1:154/701 to Tommi Koivula on Wed Dec 3 18:05:04 2014
    Hello Tommi,

    On 03 Dec 14 07:40, Tommi Koivula wrote to Nicholas Boel:

    https://ipv6.he.net/certification/scoresheet.php?pass_name=koivula

    Very nice! What domain registrar do you go with?

    So "Sage" status may have to wait.

    "Sage" was needed to get port 25 opened. ;)

    I'm not sure I understand. For "Sage" it says "your domain registrar *must* support IPv6 glue." I have port 25 opened and accepting mail here, as I passed the mail exchanger stuff already in a previous test.

    Regards,
    Nick

    --- GoldED+/LNX 1.1.5-b20130910
    * Origin: thePharcyde_ telnet://bbs.pharcyde.org (Wisconsin) (1:154/701)
  • From Tommi Koivula@2:221/360 to Nicholas Boel on Thu Dec 4 18:21:22 2014
    On 4.12.2014 2:05, Nicholas Boel -> Tommi Koivula wrote:

    https://ipv6.he.net/certification/scoresheet.php?pass_name=koivula

    Very nice! What domain registrar do you go with?

    I am a member of iki.fi, I have a sub-domain from there. Servers of IKI are fully IPv6 ready.

    "The Internet Users Forever IKI is a non-profit society which provides its members, private individuals in Finland, permanent iki.fi-addresses with e-mail and WWW"

    So "Sage" status may have to wait.

    "Sage" was needed to get port 25 opened. ;)

    I'm not sure I understand. For "Sage" it says "your domain registrar *must* support IPv6 glue." I have port 25 opened and accepting mail
    here, as I passed the mail exchanger stuff already in a previous test.

    Hmm. I wanted to have port 25 opened, and contacted HE about that. They said that I need to reach "sage" before they can open port 25 for my tunnels. So I did. :)

    'Tommi

    --- Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:17.0) Gecko/20130330 Firefox/17
    * Origin: *** nntp://rbb.bbs.fi *** Lake Ylo *** Finland *** (2:221/360)
  • From Nicholas Boel@1:154/701 to Tommi Koivula on Fri Dec 5 03:26:38 2014
    Hello Tommi,

    On 04 Dec 14 18:21, Tommi Koivula wrote to Nicholas Boel:

    Hmm. I wanted to have port 25 opened, and contacted HE about that.
    They said that I need to reach "sage" before they can open port 25 for
    my tunnels. So I did. :)

    Ok. I see what you're saying now.

    Did you have to setup your own nameserver? From what I understand, IPv6 "glue" is basically being able to use your domain name as your nameserver. (ie: if you own example.com, your nameservers would have to be something like.. ns1.example.com)

    I'm going to create my own temporarily, I just haven't had the time yet. :)

    Regards,
    Nick

    --- GoldED+/LNX 1.1.5-b20130910
    * Origin: thePharcyde_ telnet://bbs.pharcyde.org (Wisconsin) (1:154/701)
  • From Tommi Koivula@2:221/361 to Nicholas Boel on Fri Dec 5 12:26:09 2014
    On 5.12.2014 11:26, Nicholas Boel -> Tommi Koivula wrote:

    Hmm. I wanted to have port 25 opened, and contacted HE about that.
    They said that I need to reach "sage" before they can open port 25 for
    my tunnels. So I did. :)

    Ok. I see what you're saying now.

    Great. ;)

    Did you have to setup your own nameserver?

    Yes. I have been running Bind for a long time. On OS/2 computer it is IPv4-only, of course, but on Win2003 computer it can also do IPv6.

    'Tommi

    --- Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 SeaMonkey/2.31
    * Origin: *** nntp://rbb.bbs.fi *** Lake Ylo *** Finland *** (2:221/361)
  • From Björn Felten@2:203/2 to Tommi Koivula on Sat Dec 6 01:12:44 2014
    Yes. I have been running Bind for a long time.

    Setting up a Bind server is really easy. Getting it properly set-up is not. It's estimated that somewhere around 98% of all traffic to DNS servers is caused by badly configured Bind servers.

    If you care to write an article for the Fidonews about this, I know it would be highly appreciated.

    --- Mozilla/5.0 (Windows; U; Windows NT 5.1; sv-SE; rv:1.9.1.16) Gecko/20101125
    * Origin: news://felten.yi.org (2:203/2)
  • From Nicholas Boel@1:154/701 to Tommi Koivula on Fri Dec 5 18:54:42 2014
    Hello Tommi,

    On 05 Dec 14 12:26, Tommi Koivula wrote to Nicholas Boel:

    Did you have to setup your own nameserver?

    Yes. I have been running Bind for a long time. On OS/2 computer it is IPv4-only, of course, but on Win2003 computer it can also do IPv6.

    Nice. That's the direction I'm aiming to pass the "Sage" test, if only temporarily and deleting it afterwards. I tend to like godaddy's zone configuration file as it's nice and easy to maneuver and edit things there. One less thing I have to keep track of on my own system, and possibly forget about if I choose to move to a different Linux distro in the near future. I'll rethink about doing it when I'm settled with a new server system. :)

    Regards,
    Nick

    --- GoldED+/LNX 1.1.5-b20130910
    * Origin: thePharcyde_ telnet://bbs.pharcyde.org (Wisconsin) (1:154/701)
  • From Joe Delahaye@1:249/303 to Björn Felten on Fri Dec 5 21:16:19 2014
    Re: he.net IPv6 certified!
    By: Björn Felten to Tommi Koivula on Sat Dec 06 2014 01:12:44

    Yes. I have been running Bind for a long time.

    Setting up a Bind server is really easy. Getting it properly set-up is

    I must ask, what is a Bind server?
    --- SBBSecho 2.27-Win32
    * Origin: The Lions Den BBS, Trenton, On, CDN (1:249/303)
  • From David Drummond@3:640/305 to Joe Delahaye on Sat Dec 6 14:00:09 2014
    On 6/12/2014 12:16 PM, Joe Delahaye -> Björn Felten wrote:

    Yes. I have been running Bind for a long time.

    Setting up a Bind server is really easy. Getting it properly set-up is

    I must ask, what is a Bind server?

    *nix DNS server


    --

    Regards
    David

    --- Mozilla/5.0 (Windows NT 6.3; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.
    * Origin: Have a happy Midsommardagen (3:640/305)
  • From Alexey Vissarionov@2:5020/545 to Björn Felten on Sat Dec 6 12:00:00 2014
    Good ${greeting_time}, Björn!

    06 Dec 2014 01:12:44, you wrote to Tommi Koivula:

    Yes. I have been running Bind for a long time.
    Setting up a Bind server is really easy. Getting it properly set-up
    is not. It's estimated that somewhere around 98% of all traffic to
    DNS servers is caused by badly configured Bind servers.

    Also, significant part of that traffic is the amplification of DDoS attacks.

    If you care to write an article for the Fidonews about this, I know
    it would be highly appreciated.

    About configuring BIND? I ever doubt whether it worth quoting configuration files...

    % cat /etc/named/named.conf
    acl "secondaries"
    {
        127.0.0.1;
        10.10.10.10;
        10.20.20.20;
    };

    acl "clients"
    {
        127.0.0.1;
        192.168.0.0/16;
        172.16.0.0/12;    // 172.16.0.0 - 172.31.255.255 (RFC 1918)
        10.0.0.0/8;
    };

    options
    {
        version "unknown";
        directory "/etc/named";
        // listen-on takes IPv4 addresses; IPv6 addresses go in listen-on-v6
        listen-on { 192.0.2.123; };
        listen-on-v6 { 2001:0DB8:1:2::123; };
        allow-transfer { secondaries; };
        allow-recursion { clients; };
    };

    logging
    {
        category lame-servers { null; };
    };

    include "key.conf";

    controls
    {
        inet 127.0.0.1 port 953
            allow { 127.0.0.1; } keys { "rndc-key"; };
    };

    view "common"
    {
        match-clients { any; };
        zone "." in { type hint; file "root.hint"; };
        include "primaries.conf";
        include "secondaries.conf";
    };


    % perl -e 'my $key=`head -c18 < /dev/urandom | openssl base64`; chomp $key; print("key \"rndc-key\"\n{\n\talgorithm hmac-sha512;\n\tsecret \"$key\";\n};\n");' > /etc/named/key.conf

    % cat /etc/named/key.conf
    key "rndc-key"
    {
        algorithm hmac-sha512;
        secret "an1DY/ukB8ArIWlTjMxHz5+Q";
    };


    % cat /etc/named/rndc.conf
    include "/etc/named/key.conf";
    options
    {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
    };


    % dig . ns | egrep -v '^($|;)' > /etc/named/root.hint


    % cat /etc/named/primaries.conf
    zone "example.net" in { type master; file "zones/primary/example.net.zone"; };


    % cat /etc/named/secondaries.conf
    // zone "some-secondary-domain.net" in { type slave; file "zones/secondary/some-secondary-domain.net.zone"; masters { 10.20.30.40; }; };


    Bonus - example of zone specification:

    @           IN SOA  ns.example.net. root.example.net. (
                        2014120611 ; Serial
                        1H         ; Refresh
                        15M        ; Retry
                        4w         ; Expire
                        1H )       ; Minimum
                IN NS   ns0
                IN NS   ns1
                IN A    192.0.2.123
                IN AAAA 2001:0DB8:1:2::123
                IN MX   10 mail
                IN TXT  "v=spf1 +mx ~all"

    ns0         IN A    192.0.2.123
                IN AAAA 2001:0DB8:1:2::123
    ns1         IN A    192.0.2.12
                IN AAAA 2001:0DB8:1::12

    ns          IN A    192.0.2.123
                IN A    192.0.2.12
                IN AAAA 2001:0DB8:1:2::123
                IN AAAA 2001:0DB8:1::12

    mail        IN A    192.0.2.123
                IN AAAA 2001:0DB8:1:2::123

    ; IPv6-only example
    myipv6only  IN AAAA 2001:0DB8:1:2::123

    ; IPv4-only example
    myipv4only  IN A    192.0.2.123

    *           IN A    192.0.2.123
                IN AAAA 2001:0DB8:1:2::123



    --
    Alexey V. Vissarionov aka Gremlin from Kremlin
    gremlin.ru!gremlin; +vii-cmiii-cmlxxvii-mmxlviii

    ... god@universe:~ # cvs up && make world
    --- /bin/vi
    * Origin: http://openwall.com/Owl (2:5020/545)
  • From Alexey Vissarionov@2:5020/545 to Joe Delahaye on Sat Dec 6 13:00:00 2014
    Good ${greeting_time}, Joe!

    05 Dec 2014 21:16:18, you wrote to Björn Felten:

    Yes. I have been running Bind for a long time.
    Setting up a Bind server is really easy. Getting it properly
    set-up is not.
    I must ask, what is a Bind server?

    DNS daemon: http://en.wikipedia.org/wiki/BIND


    --
    Alexey V. Vissarionov aka Gremlin from Kremlin
    gremlin.ru!gremlin; +vii-cmiii-cmlxxvii-mmxlviii

    ... god@universe:~ # cvs up && make world
    --- /bin/vi
    * Origin: http://openwall.com/Owl (2:5020/545)
  • From Markus Reschke@2:240/1661 to Alexey Vissarionov on Sat Dec 6 11:29:30 2014
    Hello Alexey!

    Dec 06 12:00 2014, Alexey Vissarionov wrote to Björn Felten:

    About configuring BIND? I ever doubt whether it worth quoting configuration files...

    acl "clients"
    {
        127.0.0.1;
        192.168.0.0/16;
        172.16.0.0/12;
        10.0.0.0/8;
    };

    No IPv6 clients? ;)

    options
    {
        version "unknown";
        directory "/etc/named";
        listen-on { 192.0.2.123; };
        listen-on-v6 { 2001:0DB8:1:2::123; };
        allow-transfer { secondaries; };
        allow-recursion { clients; };
    };

    I'd recommend to set up DNSsec and to add some query limits.

    And for the paranoid to prevent fingerprinting:

    view "chaosnet" CHAOS {
        match-clients { any; };
        recursion no;
        allow-recursion { none; };
        dnssec-lookaside auto;

        zone "." {
            type hint;
            file "/dev/null";
        };

        zone "bind" {
            type master;
            file "local/bind";
            allow-query { my-clients; };
            allow-transfer { none; };
            allow-update { none; };
        };
    };


    local/bind:

    $ORIGIN bind.
    $TTL 1D
    @        1D CH SOA @ root (
                       42  ; serial
                       3H  ; refresh
                       15M ; retry
                       1W  ; expiry
                       1D ) ; minimum

                CH NS  localhost.

    version     CH TXT "None of your business!"
    authors     CH TXT "are better coders than I am. :)"


    Regards,
    Markus

    ---
    * Origin: *** theca tabellaria *** (2:240/1661)
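
An added example, not part of any post in this thread: a small Python check that reads `acl` blocks from named.conf-style text and flags prefixes with host bits set and ACLs that contain no IPv6 entries, the gap pointed out in the reply above. The sample configuration is constructed for the example, and the parser is an assumption that handles only flat address lists (nested ACL names and negation are reported as skipped).

```python
import ipaddress
import re

# Constructed sample in the style of the ACLs quoted in the thread.
SAMPLE_CONF = '''
acl "secondaries" { 127.0.0.1; 10.10.10.10; 10.20.20.20; };
acl "clients"
{
    127.0.0.1;
    192.168.0.0/16;
    172.16.32.0/12;
    10.0.0.0/8;
};
acl "dual" { ::1; 2001:db8:1::/48; 192.0.2.0/24; };
'''

ACL_RE = re.compile(r'acl\s+"([^"]+)"\s*\{([^}]*)\}\s*;')

def parse_acls(conf):
    """Return {acl_name: [element, ...]} for simple, non-nested acl blocks."""
    conf = re.sub(r'//[^\n]*|#[^\n]*|/\*.*?\*/', '', conf, flags=re.S)
    return {name: [e.strip() for e in body.split(';') if e.strip()]
            for name, body in ACL_RE.findall(conf)}

def audit_acl(elements):
    """Return a list of findings for one ACL's address elements."""
    findings, families = [], set()
    for elem in elements:
        try:
            iface = ipaddress.ip_interface(elem)
        except ValueError:
            findings.append(f"{elem}: not an address or prefix (skipped)")
            continue
        families.add(iface.version)
        # A prefix such as 172.16.32.0/12 has bits set beyond the mask.
        if iface.ip != iface.network.network_address:
            findings.append(f"{elem}: host bits set, did you mean {iface.network}?")
    if 6 not in families:
        findings.append("no IPv6 entries: IPv6 sources will not match")
    return findings

def audit_conf(conf):
    return {name: audit_acl(elems) for name, elems in parse_acls(conf).items()}

if __name__ == "__main__":
    for name, findings in audit_conf(SAMPLE_CONF).items():
        print(name, findings)
```
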
  • From Joe Delahaye@1:249/303 to David Drummond on Sat Dec 6 11:57:35 2014
    Re: he.net IPv6 certified!
    By: David Drummond to Joe Delahaye on Sat Dec 06 2014 14:00:09

    Setting up a Bind server is really easy. Getting it properly set-up
    is

    I must ask, what is a Bind server?

    *nix DNS server

    OK, I was assuming binkd was meant originally.
    --- SBBSecho 2.27-Win32
    * Origin: The Lions Den BBS, Trenton, On, CDN (1:249/303)
  • From Björn Felten@2:203/2 to Alexey Vissarionov on Sat Dec 6 20:26:29 2014
    I ever doubt whether it worth quoting configuration files...

    I think it is. It's usually very educational, and can often be a basis for one's own set of files.

    Thanks muchly! Combined with Markus' comment, all that can be a good stub.

    --- Mozilla/5.0 (Windows; U; Windows NT 5.1; sv-SE; rv:1.9.1.16) Gecko/20101125
    * Origin: news://felten.yi.org (2:203/2)
  • From Benny Pedersen@2:230/38.1 to Tommi Koivula on Wed Feb 4 21:31:16 2015
    Hello, Tommi Koivula.
    On 05/12/14 12.26 you wrote:

    Yes. I have been running Bind for a long time. On OS/2 computer it
    is IPv4-only, of course, but on Win2003 computer it can also do
    IPv6.

    lol, a nameserver listening on ipv4 can resolve ipv6 addr without listening on ipv6 addr itself, and the other way around it works as well

    --
    Best regards, Posted using Hotdoged on Android
    --- Hotdoged/2.10/Android
    * Origin: lollipop (2:230/38.1)