Deploy360 IPv6

PHP Domain Parser Adds Support for IPv6


The PHP community recently announced the release of the initial draft specification for PHP. This is an important step in the development of any open language.

With the announcement they also showed some usage statistics for PHP, and called PHP the lingua-franca of the Internet. I’m not sure if PHP is the common tongue of every programmer who creates web pages, but it sure is popular. Just look at these usage statistics.

With that many users we get excited when an important PHP library gets IPv6 support. The php-domain-parser from Jeremy Kendall just implemented IPv6 and International Domain Name (IDN) support in its 1.4.0 release. This means that the library will now correctly parse IPv6 addresses and Unicode domain names.

The php-domain-parser is available on Github.

If you would like to get started with IPv6, please visit our IPv6 resources or begin with our “Start Here” page to help find resources most appropriate for your type of organization. If you have an IPv6 case study you think we should consider for inclusion on our site, please contact us – we are always looking for more!

Deploy360 Domain Name System Security Extensions (DNSSEC)

Got A DNSSEC Project That Needs Funding? Apply to NLnet Foundation Before Dec 1

Do you have an open source project (or the idea for one) related to DNSSEC that needs funding? Perhaps a new tool that will make it easier to use DNSSEC? Or perhaps new software that supports the DANE protocol to increase the security of TLS/SSL? A browser plugin? A program that makes it easier for registrars to pass DS records? A measurement tool for DNSSEC usage?

Or do you want to add DNSSEC capabilities to an existing program, like the Jitsi team did when they added DNSSEC validation to VoIP? Would you like to build DNSSEC validation into your tool or service? Would you like to add DANE support to your browser or other tool? Would you like to add DANE support to another service beyond the web? Do you have a use case where DNSSEC-signed TLS/SSL certificates would greatly add another level of security?

If you have any ideas along these lines, the NLnet Foundation is funding projects through their “DNS Security Fund” and THE NEXT APPLICATION DEADLINE IS DECEMBER 1, 2012 at 12:00 Central European Time (CET).  You can read more and find out how to apply at:

That page lists at the bottom some of the many projects that the NLnet Foundation has funded.  Their most recent “Open call for funding” gets into more details.  There is one very important note:

There is one important condition which is that any software or hardware that a project produces must be available under a valid open source licence (GPL, BSD, Apache, etc.).

As long as you are fine with that, you may be able to get some level of funding through NLnet Foundation.

We’re definitely appreciative of all the great work that the NLnet Foundation has funded to date. Tools like Unbound, DNSSEC-Trigger and the multiple DNSSEC developer libraries they have supported have made it so much easier to get DNSSEC deployed.

Now it’s your turn – what can you develop to help get DNSSEC more widely deployed?    If you’ve got an idea, the NLnet Foundation may be able to help… apply before December 1 to see if they can!

P.S. Note also that if you can’t apply before December 1, the NLnet Foundation accepts proposals six times a year, with deadlines of February 1, April 1, June 1, August 1, October 1, December 1.

Deploy360 Domain Name System Security Extensions (DNSSEC)

Code Examples: Checking the DNSSEC Status Of A Large Number of Domains

Do you want to check the DNSSEC status of a large number of domains? To know whether they are signed or unsigned? Or perhaps if any of the domains are failing validation?

Yesterday at the DNSSEC Deployment Workshop at ICANN 45 in Toronto I learned that the good folks at SIDN Labs in the Netherlands have created a service that allows you to do just that… and they are offering it for free public usage.

They provide two ways to use the service: 1) a web interface where you upload a file; or 2) a RESTful API you can query.  The web interface is in Dutch, but for non-Dutch-speakers it’s not hard to figure out (or translate via browsers):

You just upload a file and the service will give you back the results of whether the domains are secure, insecure or failing validation (‘bogus’).

What was more interesting to me, though, was the RESTful API allowing you to query the status of a domain by simply connecting to:

as in:

The comma-separated results that come back are:,"",secure,""

with the third field being either “secure”, “insecure” or “bogus”.

My immediate thought was how I could use this to create a simple little program to help me remember which of my domains I have signed and which ones I still need to sign. After playing around with it for a few minutes in Python, I decided that others might find my experiments useful or interesting, so I uploaded them to a Github repository at:

I included one very simple example that does no error checking and simply issues queries based on a list in the program.  I then added a second example that you could use from a command line to query for one or more domains:


(Omitting the ‘python’, of course, if you change ‘’ to be executable.)  An obvious extension would be to make the program accept the name of a file containing domain names.  You could also change it so that “bogus” entries come out on top or have big “Danger! Danger!” warnings of some type. I may make a web page that when I go to it shows me visually which of my domains are signed and which aren’t.  There’s a hundred other things you could do with it.  My purpose was just to try it out and see how the API worked.

Feel free to use those examples in whatever way you want… and thanks to SIDN Labs for making this service available for any of us to use!
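The "bogus on top" extension suggested above, written here as an added example (it is not the code from the author's repository): it parses result lines in the comma-separated format described and sorts failing domains first. The sample lines are constructed, no API call is made, and treating the first field as the queried domain is an assumption.

```python
import csv
import io

# Severity order: validation failures first, then unsigned, then signed.
SEVERITY = {"bogus": 0, "insecure": 1, "secure": 2}

def parse_status_line(line):
    """Parse one CSV result line into (domain, status).

    Assumption: the first field is the queried domain. The page only
    states that the third field is 'secure', 'insecure' or 'bogus'.
    """
    row = next(csv.reader(io.StringIO(line.strip())), None)
    if not row or len(row) < 3:
        raise ValueError(f"malformed result line: {line!r}")
    domain, status = row[0].strip().lower(), row[2].strip().lower()
    if status not in SEVERITY:
        raise ValueError(f"unexpected status {status!r} for {domain!r}")
    return domain, status

def triage(lines):
    """Return (results, errors) with results sorted bogus-first."""
    results, errors = [], []
    for line in lines:
        if not line.strip():
            continue
        try:
            results.append(parse_status_line(line))
        except ValueError as exc:
            # Keep unparseable lines visible instead of counting them as signed.
            errors.append(str(exc))
    results.sort(key=lambda item: (SEVERITY[item[1]], item[0]))
    return results, errors

# Constructed sample responses (placeholder domains, not real API output).
SAMPLE = [
    'signed.example,"",secure,""',
    'broken.example,"",bogus,""',
    'plain.example,"",insecure,""',
    'odd.example,"",maybe,""',
    'truncated.example',
]

if __name__ == "__main__":
    results, errors = triage(SAMPLE)
    for domain, status in results:
        flag = "  <-- validation failing" if status == "bogus" else ""
        print(f"{status:9} {domain}{flag}")
    for err in errors:
        print("skipped:", err)
```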

Deploy360 IPv6

aaaa-check – a small little program to check for IPv6 DNS records (AAAA)

As I was helping out last week approving website participants for World IPv6 Launch, I found that sometimes I wanted to check for the existence of a AAAA record to know if the domain was already running IPv6. I was using the good old “dig” command for a while, but wanted an easier way to do it. I looked around for a tool that would do what I wanted… and when I couldn’t find one I dusted the cobwebs in my brain off of my Python coding and wrote up a little app in Python:

It also gave me an excuse to play with the dnspython library developed by Bob Halley (and also available on Github). Once you follow my installation instructions and make the file executable (or call it with “python” first), it just lets you enter in domain names and it will tell you if there is a quad-A or not:

$ ./
Domain name =
Domain name =
Domain name =
Domain name =
Domain name =
Domain name =
Domain name =
Domain name = ^C

I didn’t do anything fancy for commands… you just press Ctrl+C to exit.

What I was then doing was copying the domain name from the World IPv6 Launch web page and pasting it into the command window where I was running the app.

It worked well for what I needed… I probably won’t do too much more with it, although I might add on the capability for it to read a flat file from the command line, so you could just do “aaaa-python ” and have it run through a list and tell you which domains have AAAA records.

Anyway… it’s out there and if any of you find it of interest please feel free to play with it.  And if you feel like extending it in some way, feel free to send some patches (or if you are on Github, just fork it and then send me a pull request).
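The flat-file extension mentioned above, written as an added example (it is not the author's aaaa-check code): it reads domain names from a file and reports which have AAAA records, keeping resolver failures separate from a definite "no AAAA". It assumes dnspython 2.x (`dns.resolver.resolve`); the names `check_domains`, `read_domains`, `dnspython_lookup` and `LookupFailed` are hypothetical.

```python
import sys

class LookupFailed(Exception):
    """The resolver gave no definite answer (timeout, SERVFAIL, ...)."""

def dnspython_lookup(name):
    """Return AAAA addresses for name via dnspython >= 2.0 (needs network)."""
    import dns.exception
    import dns.resolver
    try:
        answer = dns.resolver.resolve(name, "AAAA")
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return []  # definite answer: no quad-A for this name
    except dns.exception.DNSException as exc:
        raise LookupFailed(type(exc).__name__) from exc
    return sorted(rr.address for rr in answer)

def read_domains(lines):
    """Yield cleaned domain names, skipping blank lines and '#' comments."""
    for line in lines:
        name = line.split("#", 1)[0].strip().rstrip(".").lower()
        if name:
            yield name

def check_domains(lines, lookup=dnspython_lookup):
    """Return {domain: 'AAAA' | 'no AAAA' | 'lookup failed'}."""
    report = {}
    for name in read_domains(lines):
        try:
            report[name] = "AAAA" if lookup(name) else "no AAAA"
        except LookupFailed:
            # A timeout is not evidence that the site lacks IPv6.
            report[name] = "lookup failed"
    return report

if __name__ == "__main__":
    # Usage: pass the path of a file with one domain name per line.
    with open(sys.argv[1], encoding="utf-8") as handle:
        for domain, status in check_domains(handle).items():
            print(f"{domain:40} {status}")
```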



Deploy360 Domain Name System Security Extensions (DNSSEC)

DNSSEC And The Challenge Of Modern Websites

Given that modern websites often pull content from a variety of different sites to build a single page, what impact does that have on DNSSEC and the security it provides?

That was one of the questions raised in a recent post by the DNSSEC Deployment Initiative titled “Are You Secure?” This key point was emphasized in this paragraph:

It shouldn’t come as a surprise to you that your browser was trying to load content from although you had not typed that in the address bar. More generally, it shouldn’t be surprising that it requires more than a single DNS lookup to fill the contents of a page. In fact, as the query trace from loading a relatively simple page such as illustrates below, an un-primed resolver easily performs in excess of a hundred lookups before the browser renders the complete page. Some of these queries are not even for names under the domain. For more content-packed sites the number of names looked up is even higher.

The way we build websites today does very often involve pulling in content from a variety of different sites.  Sometimes it is something as simple as the latest jquery JavaScript library.  Sometimes it is images or advertisements.  Sometimes it is the latest tweets or other content from social networks.
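To make the point concrete, the following added example (not from the quoted article or from this post) lists every hostname a page makes the browser resolve while rendering, split into names under the site's own domain and names outside it. The sample page, its placeholder hostnames and the function names are constructed for illustration, and the site domain is passed in explicitly rather than derived.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute makes the browser fetch a resource while rendering.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

class ResourceHosts(HTMLParser):
    """Collect the hostnames a page makes the browser resolve."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.hosts = {urlsplit(page_url).hostname}  # the address-bar name

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        host = urlsplit(urljoin(self.page_url, value)).hostname
        if host:
            self.hosts.add(host)

def names_to_validate(page_url, html, site_domain):
    """Return (own, external): sorted hostnames under / outside site_domain."""
    parser = ResourceHosts(page_url)
    parser.feed(html)
    own = sorted(h for h in parser.hosts
                 if h == site_domain or h.endswith("." + site_domain))
    external = sorted(parser.hosts - set(own))
    return own, external

# Constructed sample page; all hostnames are placeholders.
SAMPLE_URL = "https://www.example.org/index.html"
SAMPLE_HTML = """
<script src="//code.cdn.example.net/jquery.min.js"></script>
<link rel="stylesheet" href="/css/site.css">
<img src="https://images.example.org/logo.png">
<img src="https://ads.example.com/banner.gif">
<iframe src="https://social.example.net/timeline"></iframe>
<a href="https://elsewhere.example/">a link, not fetched on render</a>
"""

if __name__ == "__main__":
    own, external = names_to_validate(SAMPLE_URL, SAMPLE_HTML, "example.org")
    print("under the site's domain:", own)
    print("outside it, resolved just the same:", external)
```

A validator that checks only the address-bar name covers one of the five hostnames in this sample; the other four are resolved without any check.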

The article goes on to talk about the value of moving DNSSEC validation directly into the application, such as the web browser, so that all DNS queries can be properly validated. The author ends on this note:

It is also important, given that web pages are typically composed of a number of discrete elements, that validation be performed for all lookups initiated by the browser and not just for the name typed in the address bar. Many browser plugins for DNSSEC support will validate only the latter; while that capability is certainly useful, the real benefit of local validation is realized only when the browser (or the OS) completely integrates DNSSEC validation capability into its internal resolver library and enables validation for all queries.

The good news is that browser vendors (and their user communities) have been showing increased interest in seeing DNSSEC capability extended to the end-applications. Proof-of-concept implementations of browsers with DNSSEC validation support (e.g., the DNSSEC-Tools Firefox patch) have been available for a while, and with DNSSEC validation capability being continuously extended to new platforms and devices, there is hope that DNSSEC capability in browsers will eventually become more commonplace.

We certainly share the hope that DNSSEC capability in browsers and other applications will become more commonplace. A goal of this entire Deploy360 Programme is to help bring that widespread availability about.

Application developers… have you checked out the developer libraries available now to help add DNSSEC support to your applications?   Have you looked at what is available in the DNSSEC Tools project?

What else can we do to help you build DNSSEC into your applications?

P.S. In my case, I did see the correct image on the DNSSEC Deployment Initiative web pages, but that is because I’m running a local DNSSEC-validating DNS resolver on my MacBook Pro laptop.  I’m using the excellent DNSSEC-Trigger tool from NLnet Labs – it’s available for Mac OS X, Windows or Linux.