No more git RPMs
I, for some time now, created RPMs for git. I will not
do that anymore, because Dag Wieers' RPMForge now has them and
even up-to-date ones as well.
I also removed the git archive RPMs.
Stupid web user
As blogged before, I had my first IPv6 visitor, but of course the first IPv6 type that tried to enter my network could not be far off. Yep, and there he/she is.
It's IP address 2002:4e6d:8112::1 and that does not resolve to something
useful, yet, because it's a 6to4 network address.
Recalculating to an IPv4 address this gives me: 78.109.129.18 and digging that
results in
; <<>> DiG 9.6.0-APPLE-P2 <<>> -x 78.109.129.18
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31228
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;18.129.109.78.in-addr.arpa. IN PTR
;; ANSWER SECTION:
18.129.109.78.in-addr.arpa. 3600 IN PTR 18.static.ppp.dianet.info.
;; AUTHORITY SECTION:
129.109.78.in-addr.arpa. 172799 IN NS ns3.netcorp.ru.
129.109.78.in-addr.arpa. 172799 IN NS ns1.netcorp.ru.
;; Query time: 694 msec
;; SERVER: 192.168.63.4#53(192.168.63.4)
;; WHEN: Mon Aug 30 21:06:50 2010
;; MSG SIZE rcvd: 129
So: From Russia with love!
This dude or dudette tried to connect to port 51777 (uTorrent I guess) for a
meager 21514 times. I would guess you should know there's nothing to get after
a couple of times (say 10). I do not run torrents and even if I did, you
wouldn't get anything.
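The triage above can be scripted. This is an added example, not code from the original post: it counts blocked attempts per source and port, decodes the IPv4 address embedded in a 6to4 (2002::/16) source and builds the name to look up with dig -x. The log layout, the 2001:db8::10 destination and the function names are assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in an assumed firewall-log layout (not from the post).
SAMPLE_LOG = """\
Aug 30 20:58:01 fw block in tcp [2002:4e6d:8112::1]:40211 -> [2001:db8::10]:51777
Aug 30 20:58:02 fw block in tcp [2002:4e6d:8112::1]:40212 -> [2001:db8::10]:51777
Aug 30 20:58:04 fw block in tcp [2002:4e6d:8112::1]:40215 -> [2001:db8::10]:51777
Aug 30 21:01:10 fw pass in tcp [2001:638:a00:4f::83bc:4e1e]:51000 -> [2001:db8::10]:80
"""

LINE = re.compile(
    r"(block|pass) in \w+ \[([0-9a-fA-F:]+)\]:\d+ -> \[[0-9a-fA-F:]+\]:(\d+)")

def embedded_ipv4(addr):
    """Return the IPv4 address inside a 6to4 (2002::/16) address, else None."""
    return ipaddress.IPv6Address(addr).sixtofour

def ptr_name(addr):
    """Reverse-DNS name: in-addr.arpa of the embedded IPv4 for 6to4, else ip6.arpa."""
    v4 = embedded_ipv4(addr)
    target = v4 if v4 is not None else ipaddress.IPv6Address(addr)
    return target.reverse_pointer

def blocked_sources(log, threshold=3):
    """Count blocked attempts per (source, port); report those at or above threshold."""
    hits = Counter()
    for line in log.splitlines():
        m = LINE.search(line)
        if m and m.group(1) == "block":
            hits[(m.group(2), int(m.group(3)))] += 1
    report = []
    for (src, port), count in hits.most_common():
        if count >= threshold:
            v4 = embedded_ipv4(src)
            report.append({"source": src, "port": port, "attempts": count,
                           "ipv4": str(v4) if v4 else None, "ptr": ptr_name(src)})
    return report

if __name__ == "__main__":
    for row in blocked_sources(SAMPLE_LOG):
        print(row)
```

For a native address such as 2001:638:a00:4f::83bc:4e1e, ptr_name returns the ip6.arpa name instead.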
My first IPv6 website visitor
Last night I had my first genuine visitor with IPv6. It seems it's a webcrawler from the Erlangen University in Germany.
The IPv6 address is 2001:638:a00:4f::83bc:4e1e and this results
in
; <<>> DiG 9.7.1-P2 <<>> -x 2001:638:a00:4f::83bc:4e1e
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33203
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;e.1.e.4.c.b.3.8.0.0.0.0.0.0.0.0.f.4.0.0.0.0.a.0.8.3.6.0.1.0.0.2.ip6.arpa. IN PTR
;; ANSWER SECTION:
e.1.e.4.c.b.3.8.0.0.0.0.0.0.0.0.f.4.0.0.0.0.a.0.8.3.6.0.1.0.0.2.ip6.arpa. 86291 IN PTR legolas.rrze.uni-erlangen.de.
;; AUTHORITY SECTION:
0.0.a.0.8.3.6.0.1.0.0.2.ip6.arpa. 86291 IN NS faui45.informatik.uni-erlangen.de.
0.0.a.0.8.3.6.0.1.0.0.2.ip6.arpa. 86291 IN NS ns.rrze.uni-erlangen.de.
;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug 30 09:07:47 2010
;; MSG SIZE rcvd: 181
To the Erlangen University: Congratulations!!
Also known as pa1ton
I've been running this blog for some time now and for the IPv6 certificate
I needed this site to be IPv6 capable. Therefore I had to run my own nameserver
and stuff like that and so I decided that it would be nice if you could
reach me at http://pa1ton.nl as well.
Well, you can. Just click here.
Some URLs need some tweaking, but the first hurdles have been taken.
IPv6 certification level "Sage" reached
It took me some time and some tweaking of nameservers, webservers and mailservers, but I finally got it.
I got the Hurricane Electric IPv6 Certification nailed for the "Sage" level. This is the highest level, so only a simple test to go and a daily submission of some logs for maximum points. The maximum points you can get is 1500, so I'm well on my way.
As an extra HE gives you a nice, nerdy T-Shirt, stating that
you are an IPv6 guru. I can't wait to put it on 
This is the certificate.
DNSSEC for tonkersten.com and pa1ton.nl
Last night (Aug. 22 2010 at 00:25:47) SIDN signed the Dutch .nl zone and made it public. This is, of course, reason for a party and calls for the signing of my own zones. Unfortunately it's not possible to use secure delegation, but that's something for the future.
I do have two domains up and running and I signed them both.
This is what I did:
First you need a Zone Signing Key (ZSK) and a Key Signing Key (KSK) and these can be made with
dnssec-keygen -e -a RSASHA1 -b 2048 -n ZONE tonkersten.com
dnssec-keygen -a RSASHA1 -b 2048 -n ZONE -f KSK tonkersten.com
This results in two sets of two files (after a very long time)
Ktonkersten.com.+005+42559.key
Ktonkersten.com.+005+42559.private
Ktonkersten.com.+005+61598.key
Ktonkersten.com.+005+61598.private
The key-generating process can be sped up using the -r /dev/urandom option,
but that results in a lower entropy and thus in lower security.
Now include the two public keys in the zone file
$include keys/Ktonkersten.com.+005+42559.key
$include keys/Ktonkersten.com.+005+61598.key
and sign the zone:
dnssec-signzone \
-d keys \
-K keys \
-N increment \
-o tonkersten.com \
-S tonkersten.com
giving me a file called db.tonkersten.fwd.signed.
This file should now be used in /etc/named.conf as the zone file
for the signed zone.
So, when I do a query for the tonkersten.com domain, I get
$ dig +dnssec +multiline DNSKEY home.tonkersten.com
; <<>> DiG 9.7.1-P2 <<>> +dnssec +multiline DNSKEY home.tonkersten.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34594
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;home.tonkersten.com. IN DNSKEY
;; AUTHORITY SECTION:
tonkersten.com. 3600 IN SOA home.tonkersten.com. tonk.tonkersten.com. (
2010082303 ; serial
21600 ; refresh (6 hours)
7200 ; retry (2 hours)
604800 ; expire (1 week)
3600 ; minimum (1 hour)
)
tonkersten.com. 3600 IN RRSIG SOA 5 2 3600 20100922081850 (
20100823081850 61598 tonkersten.com.
W9qamKcSdTfCwOJk+m+tRZsRwdvZVzHzONGCehfX41/I
...
FJ0uZPzfaujQAcKa1NnB89Ccd7m18XL0Gw== )
home.tonkersten.com. 3600 IN NSEC mail.tonkersten.com. A AAAA RRSIG NSEC
home.tonkersten.com. 3600 IN RRSIG NSEC 5 3 3600 20100922081850 (
20100823081850 61598 tonkersten.com.
ZdeRhW5RxqFZguFMOtZhnes/OGA/E2K2CgLLVW3Z00T0
...
PQn52goXz8nXMovgDuB8HNWbzKwSCs07Ug== )
;; Query time: 52 msec
;; SERVER: 80.126.204.63#53(80.126.204.63)
;; WHEN: Mon Aug 23 12:30:43 2010
;; MSG SIZE rcvd: 734
Now it's your turn.
Good luck 
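The RRSIG records in the dig output above carry an expiration (20100922081850) and an inception (20100823081850) timestamp, so the zone has to be re-signed before the signatures run out. The following is an added example, not part of the original post: it parses those RRSIG header fields, maps the key tag back to the dnssec-keygen file name and classifies each signature at a given time. The function names and the 7-day warning window are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# RRSIG header fields copied from the dig output above (signature data omitted).
DIG_RRSIGS = """\
tonkersten.com. 3600 IN RRSIG SOA 5 2 3600 20100922081850 (
20100823081850 61598 tonkersten.com.
home.tonkersten.com. 3600 IN RRSIG NSEC 5 3 3600 20100922081850 (
20100823081850 61598 tonkersten.com.
"""

# owner TTL IN RRSIG covered alg labels origTTL expiration ( inception keytag signer
RRSIG = re.compile(
    r"(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+(\d+)\s+\d+\s+\d+\s+(\d{14})\s*\(?\s*"
    r"(\d{14})\s+(\d+)\s+(\S+)")

def _ts(text):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(dig_text):
    """Extract owner, covered type, algorithm, validity window and key tag."""
    out = []
    for m in RRSIG.finditer(dig_text):
        owner, covered, alg, expire, incept, tag, signer = m.groups()
        out.append({"owner": owner, "covers": covered, "algorithm": int(alg),
                    "inception": _ts(incept), "expiration": _ts(expire),
                    "key_tag": int(tag), "signer": signer})
    return out

def key_file(sig):
    """Key file stem in dnssec-keygen's K<zone>+<alg>+<tag> naming."""
    return "K%s+%03d+%05d" % (sig["signer"], sig["algorithm"], sig["key_tag"])

def status(sig, now, warn=timedelta(days=7)):
    """Classify a signature against its validity window at time `now`."""
    if now < sig["inception"]:
        return "not-yet-valid"
    if now >= sig["expiration"]:
        return "expired"
    return "resign-soon" if sig["expiration"] - now <= warn else "ok"

if __name__ == "__main__":
    when = datetime(2010, 9, 20, tzinfo=timezone.utc)  # constructed check time
    for sig in parse_rrsigs(DIG_RRSIGS):
        print(sig["owner"], sig["covers"], key_file(sig), status(sig, when))
```

Algorithm 5 in these records is RSASHA1, which RFC 8624 lists as NOT RECOMMENDED for signing.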
Deploying IPv6
It took me some time, but now I have it up and running. My home network runs IPv6 and my server can be reached on an IPv6 address.
Unfortunately I don't have a native IPv6 address and my provider (UPC/Chello) will not supply one. So I had to use a tunnel broker. After experimenting a bit I got stuck on the tunnelbroker of Hurricane Electric.
My m0n0wall firewall supports the Tunnelbroker IPv6/IPv4 tunnels and after configuring some firewall rules everything is up and running.
Have to grab some screenshots and after that I'll post how I did it.