News archive December 2019 - Koos van den Hout

Archive by year: 1999 | 2000 | 2001 | 2002 | 2003 | 2004 | 2005 | 2006 | 2007 | 2008 | 2009 | 2010 | 2011 | 2012 | 2013 | 2014 | 2015 | 2016 | 2017 | 2018 | 2019 | 2020 | 2021

2019-12-29 New countries.. on the 70 centimeter band 1 year ago
I saw reports of special propagation on the 2 meter band and even on 70 centimeters today. Normally I can get something further than line of sight on 2 meter and line of sight is the hard limit on 70 centimeter. But with some propagation types it's different and signals can get further. So I tried FT8 on both bands and got Belgium, France, Germany and England in the log on 70cm and new callsigns on both bands.

Denmark still got away, I had an almost-contact with a Danish station on 70 centimeters but it stopped after the initial exchange.

This is all with the vertical antenna on the roof. I wonder what a beam or big wheel antenna for 70cm or 2meter could do.

At the same time I spun the dial on the remote HF radio so I also got some calls in the log on 20 meters.

Update: Current distance record on the 70 cm band is 803 kilometers to F8DBF in France and the first contact with Denmark has been made.

Tags: , ,
2019-12-27 First radio contacts with the radio and antenna setup at a remote location 1 year ago
The main unit of the Kenwood TS-480SAT radio is now at a different location and the frontpanel is at home. With an OpenVPN connection between them so it's not exposed to the big bad internet.

And it's working! I currently have access to a 10/15/17/20 meter antenna and I have already heard stations I wouldn't dream of receiving at home. And the first country in SSB in the log that I only had in digital modes before: Ceuta and Melilla, the Spain enclaves in Africa.

Lag is minimal, audio is less delayed than listening to the utwente websdr to the same signal. Control works fine, so I can control the radio like I'm sitting behind it, including menu settings.

Comparing received signals on the local radio with the attic dipole and the remote radio is hell and heaven: local noise is S9+ and the remote location has almost no local noise (while still being in an urban environment) so I can hear even weak stations fine. I leave the noise blanker off most of the time because it's not needed to hear signals fine.

Not making loads and loads of contacts yet, propagation isn't cooperating very well and there aren't many people calling CQ. But when a somewhat special station calls CQ there are a lot of answers so there are numerous amateurs active. Or I guess they go to their set when they see an interesting callsign on the DX-cluster.

I also got morse keying by paddle working beforehand. Hearing the sidetone from the radio with just a bit of lag got annoying fast when doing morse at a bit of speed so the sidetone is now from the control unit and the sidetone in the radio is silent. It's still set to the same audio frequency as the sidetone in the control unit to allow for finding the zero beat frequency.

Tags: , ,
2019-12-24 First tries with DNSSEC on subzones: no success 1 year ago
I tried adding subzones with DNSSEC by adding the DS record to the parent zone, but in both tries I got errors from DNSViz. Different errors even: in one case the signature on the DS record was seen as invalid and in another case there was no signature at all. The errors are reproducable, even after waiting for caches to empty.

Tags: , ,
2019-12-19 Removing an RRTYPE for a DNS name causes an expired RRSIG for that record 1 year ago
I kept seeing warnings about an expired signature when running named-checkzone or dnssec-signzone and it took some searching before I found the reason.

Recently I removed the records with type SPF from my zones since the recommended approach is to use TXT records with SPF data. The RRSIG records for the SPF records were left in the signed zonefile, but not updated so they expired and started to give warnings.

The SPF records were for names that had other data too which seems to trigger this. Removing a record completely (no RRTYPEs left for the name) removes all signatures.

The things in DNSSEC I haven't tested yet are a signed subzone, a ZSK rollover and a KSK rollover. Those will eventually happen too.

Tags: , ,
2019-12-14 Moved the first domain registration to TransIP 1 year ago
The machine moved so I had to do the whole update dance with the glue records again. Since the IPv6 glue records 'vanished' when I added DNSSEC to I decided to move to a different registrar where IPv6 glue records and DNSSEC are normal and don't require an extra support call.

Since I have an account with TransIP anyway for the stack storage service I just had to add (and pay for) domain services. Interesting bit is that TransIP says I have to pay again next year. According to the registry the domain is registered until 11 august 2024 at the moment.

Adding DNSSEC gave problems at first, the format they expect is from the public part of the key signing key, which is a different format from the file which gets generated by dnssec-signzone. After some tries and searching I found the right source and format. The error message was about the Key Tag which was confusing as that is a number where there isn't much to go wrong.

Tags: ,
2019-12-12 Adding the first TLSA records for secured services 1 year ago
Encrypt all the things meme Now I have DNSSEC running ok on my domains I can start looking at security innovations that rely on DNSSEC.

The first one is DANE for the mailserver, in which the public key signature is published in DNS record secured with DNSSEC to give a separate path to verify the public key during the SMTP session.

The public key of the mailserver is also signed by LetsEncrypt as described in Automating Let's Encrypt certificates further and Automating Let's Encrypt certificates with DNS-01 protocol so there are two completely independent paths to verify the identity of the mail server.

To find the public key of the mailserver for a given domain:
$ dig +short mx
$ dig +short tlsa
3 1 2 2B55764A99A47AEC5B66D8EB4E741F2646BF6352CABC9BE3F37D2F42 0BD7EF56B5BE3058E7B10964BA963777364443057E45599E07A82375 7A812F1A7014356A
I found the tlsa tool from package hash-slinger by Paul Wouters to create these records. This can be both from the protocol which has certain risks (if that connection is intercepted) or from the public key file. Or via the web tool Generate TLSA Record by Shumon Huque.

TLSA records are generically linked to a TCP or UDP port. The next step will probably be to start adding records for other public services with TLS like https. There was a time that some people were convinced DANE was going to replace certificate authorities for https, but at this moment it is very limited. I have added TLSA records for https (tcp/443) for and for now and I'm testing with these. For now one of my favourite checkers isn't convinced.

This does increase the chances for things to go wrong. With the tlsa program it is possible to verify records too, so I can use this to verify TLSA records.
$ tlsa --verify -6 --starttls smtp --port 25
SUCCESS (Usage 3 [DANE-EE]): Certificate offered by the server matches the TLSA record (2001:980:14ca:1::23)
Although this certificate is a valid LetsEncrypt certificate, DNS-based Authentication of Named Entities (DANE) does not support usage 1 (check the certificate public key and verify certificate chain to a known root) for SMTP with STARTTLS, so it is usage 3 (just check the certificate public key). The tlsa program does not check this specifically, but the web checker at DANE TLSA Server checker found the issue, so I corrected that.

I use selector 1 to just check the public key because the complete certificate changes with every LetsEncrypt renewal. My choice for mtype 2 (sha512) is just a wish for a strong hashing algorithm.

This also makes the link between service configuration and DNS contents a lot stronger. Maybe this needs secure automated updates.

Tags: , ,
2019-12-09 Niet alle passwords kunnen uit een password manager in je browser komen 1 year ago
Met alle tips voor het maken van veilige wachtwoorden en die alleen beschikbaar hebben vanuit een wachtwoordmanager loop ik nu tegen websites aan die vragen om een wachtwoord maar vervolgens moet je dat wachtwoord ineens op een fysiek andere plek dan achter je eigen computer intikken.

De eerste keer dat ons dat overkwam was bij een camping van staatsbosbeheer op Ameland. We hadden ons via de website ingeschreven en bij het aanmelden op de camping zelf bleek er een aanmeldscherm te zijn waar je met e-mail adres en wachtwoord moest inloggen. Maar we gebruiken voor dat soort websites altijd gegenereerde wachtwoorden die we niet weten. Met veel zoeken naar de hoek van de camping met een beetje mobiele data dekking konden we bij onze wachtwoordkluis en konden we het wachtwoord opzoeken. Want het aanmeldscherm is omdat de beheerder van de camping er ook maar een uur per dag is.

De tweede keer was bij de bibliotheek in Utrecht. Als je daar in de bibliotheek zelf een reservering wilt maken moet je ook inloggen op een computer met gebruikersnaam en wachtwoord. En ook daar konden we het niet snel opzoeken, maar daar konden ze ons helpen aan de hand van de bibliotheekpas.

Tags: ,
2019-12-08 Out of IPv4 addresses, way past time to start using IPv6 1 year ago
Based on the fact that RIPE has really run out of IPv4 addresses it is way overdue to start using IPv6.

To help that I wanted to have a way to show visitors to my site whether they can use the new protocol. The current box on the righthandside is based on the connection with the webserver and most browsers prefer the fastest connection to just give the user the best experience. The so-called 'happy eyeballs'.

But I want to show visitors whether their browser/system/network supports the new Internet protocol. So I'm looking into ways to check for IP versions with Javascript. Ages ago their was a test (mainly to test for systems with broken IPv6 connectivity) but that one is gone and not completely what I want.

So I asked around and Iljitsch van Beijnum responded with his version of the IP version test.

So my current version is at Plan is to add an option to have true/false values in javascript available and make updates to parts of the page using that.

I could imagine turning a page black-and-white if you only have 'old' Internet protocols. I just have to learn a lot more javascript to do that.

Tags: ,
2019-12-06 Received ISS SSTV again 1 year ago
This week had an opportunity to receive ISS SSTV pictures. The Russian on the ISS were transmitting SSTV images as part of the Inter-MAI-75 project. ISS SSTV image ISS SSTV image ISS SSTV image

The pass had a partial first image, a nice decode of one full image and the start of a third image. Even the good receives are a bit noisy/unsharp, I'm not sure whether that's an artifact of the PD120 mode or some local noise ending up in the image.

This is one of the rare occasions where living close to Russia is a good thing: the Russians time the passes to optimize reception in Russia.

Tags: , ,
2019-12-02 Remembering the IBM PC RT.. and its powerusage 1 year ago
For a number of years between 1993 and 1997 I not only had a BBS running at home but also an IBM RT 6150 computer. It was a bigtower I got for free including the system floppy disks. I had to reinstall it because I had no idea of the root password and the only contact at the previous owners wasn't willing to give it up. So I swapped 1.2 megabyte 5.25 inch floppies for a while until I had a complete running system with AIX complete with graphical environment and a working TCP/IP stack.

The IBM RT 6150 I had came with 3 builtin harddisks (full-height). For as far as I remember those were 70 megabyte each. Eventually I had enough AIX installed to also have a working compiler.

One downside of this system was the powerusage. It used quite a lot of electricity.

The rest of BBS Koos z'n Doos also used a lot of power. When I moved out of my parents' house in a December month the effect on the electricity bill was remarkable. Next December my parents got a call about what changed because the electricity bill had halved. And I did put 'computers' on the form for the new electricity contract but that same december I received a bill because the electricity for that house was double what the electricity company expected.

Tags: , ,
2019-12-01 Better audio for learning morse 1 year ago
I installed xcwcp from the unixcw packages on a different system and noticed it did not use PulseAudio. It said it could not find PulseAudio and skipped to ALSA. The downside of ALSA in xcwcp is that it pushes audio 10 characters ahead, with PulseAudio the buffer is smaller.

Some searching using strace found that xcwcp tries to open which wasn't found on that system. It is available on my laptop, as part of:
$ dpkg -S /usr/lib/x86_64-linux-gnu/
libpulse-dev:amd64: /usr/lib/x86_64-linux-gnu/
while the files linked to a part of the runtime package:
$ dpkg -S /usr/lib/x86_64-linux-gnu/
libpulse0:amd64: /usr/lib/x86_64-linux-gnu/
$ dpkg -S /usr/lib/x86_64-linux-gnu/
libpulse0:amd64: /usr/lib/x86_64-linux-gnu/
But I don't have package libpulse-dev on that other system.

Solution: make the symlink by hand in /usr/lib/x86_64-linux-gnu with:
user@system:/usr/lib/x86_64-linux-gnu$ sudo ln -sf
And I reported it as a bug for ubuntu: Bug #1854630: xcwcp doesn't use pulseaudio but given the list of bugs in Ubuntu I reported or commented on before with a lot of 'undecided' and not a lot of progress I'm not sure anything will happen.

Back to practising morse after this diversion!

Tags: , ,

IPv6 check

Running test...
, reachable as PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers

Meningen zijn die van mezelf, wat ik schrijf is beschermd door auteursrecht. Sommige publicaties bevatten een expliciete vermelding dat ze ongevraagd gedeeld mogen worden.
My opinions are my own, what I write is protected by copyrights. Some publications contain an explicit license statement which allows sharing without asking permission.
Other webprojects: Camp Wireless, wireless Internet access at campsites, The Virtual Bookcase, book reviews
This page generated by $Id: morenews.cgi,v 1.50 2020/12/31 15:36:31 koos Exp $ in 0.026538 seconds.