My News

> Galaxy Nexus and GPS Issues
Posted by prox, from Charlotte, on April 25, 2012 at 22:51 local (server) time

I've owned a GSM Galaxy Nexus (Samsung i9250) for a few months, now.  It's generally been a good experience and a somewhat good (but not great) upgrade from the Nexus One.  I wrote a short review on it here.

The one deficiency that I didn't initially notice is the lack of decent GPS reception.

When I had the Nexus One I would typically use the My Tracks application to plot my routes when walking or jogging.  This, of course, used the GPS.  The Nexus One would take maybe a minute at most to obtain a GPS lock on its own (no Wi-Fi required) and then would keep the lock the whole time when the phone was in my pocket.

The Galaxy Nexus is a completely different story.  The GPS is, quite simply, broken.  It takes, on average, 5-10 minutes to get a GPS lock when standing outside with a clear view of the sky and the phone in the palm of my hand.  Sometimes it takes longer but usually I give up after 10 minutes because, strangely enough, I do have a life.  Unfortunately, even after this GPS lock is achieved, it loses it easily.  Putting the phone in my pocket will cause the GPS lock to be lost within a few minutes, typically.

Unfortunately, it appears that I'm not the only one with the problem.  This is unfortunate because this means if I call Samsung asking for a replacement phone most likely my situation will not improve.

Strangely enough, if I enable Wi-Fi and am within the vicinity of some networks, I can get a GPS lock fairly quickly.  In fact, even sitting here in my condo typing this, with Wi-Fi enabled I can get a lock within a few seconds by holding the phone near the window.  The phone will only see 4-5 satellites, but that's all that is needed for a 3D lock.  This makes a little bit of sense because WPS probably seeds the GPS subsystem with location data so it knows exactly where to start (vs. a cold or warm start).

After searching around a little bit I found a few suggestions.  One was to shut off the phone and remove the battery for a few minutes, which seemed silly since this suggestion only temporarily fixes the problem.  The second, that seemed to work for a few people, was to force a cold start and redownload A-GPS data, both of which can be done using GPS Status & Toolbox, an application I've used in the past that is pretty darn neat.

Unfortunately, performing the cold start (reset) and redownloading the A-GPS data didn't work out for me.  I was still left in the same situation as I was before.  However, using the GPS Status & Toolbox provided me with some additional information about the GPS problems.  Apparently when the Galaxy Nexus is stuck searching for a GPS lock, usually it actually does see a whole boatload of satellites, but fails to receive any data from them.

Let's look at some screenshots to illustrate this.

Here's a screenshot of GPS Status & Toolbox when standing outside with a clear view of the sky:

GPS with Wi-Fi

The above has no GPS lock.  Note the bars in the middle of the screen.  Those indicate satellite signal strength and gray apparently means no data.

Now, here's a screenshot of a good GPS lock with Wi-Fi enabled.  I don't even have a clear view of the sky since I'm indoors.  However, I'm standing at a window:

GPS with no lock

The green apparently means the satellite is used in establishing the GPS lock.  The other color codes are below:

When I can get a lock I notice that the satellite colors transition from gray, to blue, to yellow, and then to green.  According to Wikipedia, almanac and ephemeris are two parts of the GPS message, the other being time information and satellite health.

Why does the GPS on the Galaxy Nexus not quickly receive the second and third parts of the GPS message from any satellites when Wi-Fi is disabled?  According to the first screenshot above, it can clearly be seen that a number of satellites are providing adequate signal strength, but most are just stuck in the no info stage or have only processed the first GPS message.  I wish I had an answer.

I suspect the problem may be due to inadequate RF shielding of the GPS receiver inside the hardware itself.  Perhaps the GPS receiver is getting a strong signal but it's too noisy and the messages are chock full of errors and can't be processed correctly.  This is really only speculation, though.

I haven't had a chance to stop by a Verizon Wireless store to see if the LTE Galaxy Nexus has the same problem.  However, I think it may be difficult to test since I probably won't be able to take any of the phones outside for a good test!

Anyone have any suggestions or comments?

Comments: 2
> Google, According To Verizon Business
Posted by prox, from Charlotte, on April 16, 2012 at 15:45 local (server) time

According to Verizon Business (AS701), Google is the Internet:

(evolution:15:32)% sudo traceroute -Iq 1 8.8.8.8  
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  226.sub-66-174-38.myvzw.com (66.174.38.226)  39.272 ms
 2  49.sub-69-83-51.myvzw.com (69.83.51.49)  52.978 ms
 3  *
 4  1.sub-69-83-32.myvzw.com (69.83.32.1)  52.690 ms
 5  TenGigE0-0-0-0.GW4.ATL5.ALTER.NET (63.122.230.125)  56.609 ms
 6  0.ge-1-0-0.XT2.ATL5.ALTER.NET (152.63.80.190)  56.562 ms
 7  0.xe-2-0-1.XT2.NYC4.ALTER.NET (152.63.0.153)  75.615 ms
 8  TenGigE0-5-4-0.GW8.NYC4.ALTER.NET (152.63.18.206)  94.438 ms
 9  Internet-gw.customer.alter.net (152.179.72.66)  123.363 ms
10  72.14.232.244 (72.14.232.244)  82.318 ms
11  *
12  *
13  64.233.175.109 (64.233.175.109)  82.116 ms
14  72.14.232.21 (72.14.232.21)  93.076 ms
15  google-public-dns-a.google.com (8.8.8.8)  85.996 ms

Usually, the customer.alter.net. subdomain is used for labeling the interface of the customer router.  It's usually the company name.  RAS even has this documented in his Traceroute document on page 12.  Here's an example for Juniper Networks:

(evolution:15:34)% sudo traceroute -Iq 1 juniper.net.
traceroute to juniper.net. (207.17.137.239), 30 hops max, 60 byte packets
 1  226.sub-66-174-38.myvzw.com (66.174.38.226)  40.993 ms
 2  49.sub-69-83-51.myvzw.com (69.83.51.49)  50.846 ms
 3  *
 4  1.sub-69-83-32.myvzw.com (69.83.32.1)  50.619 ms
 5  TenGigE0-0-0-0.GW4.ATL5.ALTER.NET (63.122.230.125)  57.569 ms
 6  0.ge-4-0-0.XT1.ATL5.ALTER.NET (152.63.83.37)  57.482 ms
 7  0.ge-3-0-0.XL3.SJC7.ALTER.NET (152.63.49.141)  124.462 ms
 8  TenGigE0-6-4-0.GW3.SJC7.ALTER.NET (152.63.49.166)  126.358 ms
 9  juniper-gw.customer.alter.net (152.179.48.62)  126.317 ms
10  ns-app-fw-dmz.juniper.net (207.17.136.1)  124.180 ms
11  juniper.net (207.17.137.239)  127.080 ms

Why is Google's called Internet?  Do they think Google is The Internet or something?  Using my handy dnsnew utility, I also found the following:

PTR 152.179.72.60 -> NXDOMAIN
PTR 152.179.72.61 -> TenGigE0-3-4-0.GW8.NYC4.ALTER.NET, A $_ -> NXDOMAIN
PTR 152.179.72.62 -> google-gw.customer.alter.net, A $_ -> NXDOMAIN
PTR 152.179.72.63 -> NXDOMAIN

That looks better.  Why is their other PTR labeled the way it is, though?

Curious!

Comments: 0
> Trance 3.0
Posted by prox, from Charlotte, on April 12, 2012 at 23:42 local (server) time

Yes, it's time for Trance 3.0.  It's my whenever-I-get-around-to-it listing of a few trance tracks that I like.  I've done two previous ones but this will be the first that includes some short reviews.

Waveform image of: Arty - Rush (Dan Stone Remix)

Arty - Rush (Dan Stone Remix)

Arty is great, but Dan Stone is a genius.  The original mix is interesting, but lacks any appreciable feeling and energy.  Dan Stone transforms it into an epic uplifting trance track that might even bring a tear to your eye.  The breakdown is soothing yet the release is full of power and melody.

Waveform image of: Gareth Emery feat. Christina Novelli - Concrete Angel

Gareth Emery feat. Christina Novelli - Concrete Angel

The first time I heard this track was when I watched the music video (link above).  Thanks to Ross Ching, this is probably the best trance music video I have ever seen.  The time-lapses plus the spectrum equalizer effects in the buildings provide amazing visuals in addition to scenes with Gareth Emery and Christina Novelli.  Also, what's even more important.. the video matches the percussion in the audio.  Speaking of the audio, Gareth Emery has outdone himself on this one - the music is fantastic and Christina Novelli's voice is angelic.  The only thing that bugs me is the paperclip in her ear.

Waveform image of: Edu & Cramp - Silver Sand (Original Mix)

Edu & Cramp - Silver Sand (Original Mix)

Edu & Cramp have been producing some great hits lately, but I think this one is the best.  It's got the anatomy of a traditional uplifting trance track with a very upbeat melody and almost an airy feel to it.

Waveform image of: Dan Stone - Harvest Moon (Original Mix)

Dan Stone - Harvest Moon (Original Mix)

I think I like almost everything that Dan Stone produces (Fahrenheit and Mumbai are two other good ones).  As someone mentioned at one point, it sounds like this track is from a rave in the jungle since Dan Stone disperses a few sound bites of animals throughout it.  The breakdown and release is amazing with the release being slightly louder than the rest of the track (you can see it in the waveform above).  I liked this track so much that I used a piece of it in a time-lapse that I took of a sunrise in Miami when I was at NANOG last year.

Waveform image of: Nitrous Oxide - North Pole

Nitrous Oxide - North Pole

This track is an oldie but goodie and may be my favorite one of all time.  It's no less than the epitome of uplifting trance with not one breakdown and release, but two!

Waveform image of: Paul van Dyk - La Dolce Vita

Paul van Dyk - La Dolce Vita

This is a very underappreciated track in my opinion.  Even Paul van Dyk's own In Between studio album had only a very short version of it!  The breakdown and release aren't excessive, which serve to keep the speed and flow of the track almost constant.  That being said, it's an awesome display of talent from both Paul van Dyk and Giuseppe Ottaviani!

Waveform image of: Stoneface & Terminal - Super Nature (Original Mix)

Stoneface & Terminal - Super Nature (Original Mix)

I couldn't find the original mix on YouTube, unfortunately.  This track is an emotional rollercoaster that I always thought would be great while watching lightning in the sky.  The electric guitar during the breakdown is a nice touch, too.  The album mix is decent, too, but I don't like it as much as the original mix, for some reason.

Comments: 0
> DNS Annoyances
Posted by prox, from Charlotte, on March 25, 2012 at 22:00 local (server) time

Over the past couple weeks I've had to figure out how to change the default name resolution behavior for short names containing dots on at least two operating systems: Windows 7 and Mac OS 10.7.  It's starting to get annoying.

I've always found it quite useful to be able to connect to hosts using a short name like cr0.nyc instead of cr0.nyc.bb.isp.com.  If the DNS for all the loopback addresses of my routers are within the bb.isp.com. zone, then I shouldn't ever have to type the FQDN if my default search prefix is bb.isp.com.

Sure, this generates additional lookups most of the time.  Take this mostly fictitious example:

(destiny:21:48)% telnet -6 em0.dax               
Trying 2001:48c8:1:2::2...
telnet: Unable to connect to remote host: Connection refused

The above results in the following:

21:49:00.525997 IP 10.3.5.107.51245 > 10.3.5.1.53: 44160+ AAAA? em0.dax. (25)
21:49:00.560909 IP 10.3.5.1.53 > 10.3.5.107.51245: 44160 NXDomain 0/1/0 (100)
21:49:00.561096 IP 10.3.5.107.36493 > 10.3.5.1.53: 6644+ AAAA? em0.dax.prolixium.net. (39)
21:49:00.561414 IP 10.3.5.1.53 > 10.3.5.107.36493: 6644* 1/7/13 AAAA 2001:48c8:1:2::2 (488)

It's fictitious because dax doesn't run a telnet daemon, duh.  The resolver library assumes "dax" might be a TLD, so it qualifies it with a "." and sends it to the DNS server, which returns NXDOMAIN.  The next query is appended with the search suffix (prolixium.net, in this case) and succeeds.  This all happens because on a traditional Unix system, /etc/resolv.conf has a "ndots" directive that defaults to 1, which means that any name containing a dot will be tried absolutely (i.e., qualified and sent to the resolver).  This ndots value can be set to something higher than 1, which might result in something like this in the worst case if I tried to visit http://twc.com/:

21:43:31.052253 IP 10.3.5.107.39468 > 10.3.5.1.53: 54327+ A? twc.com.prolixium.com. (39)
21:43:31.052476 IP 10.3.5.1.53 > 10.3.5.107.39468: 54327 NXDomain* 0/1/0 (108)
21:43:31.052592 IP 10.3.5.107.44456 > 10.3.5.1.53: 33643+ A? twc.com. (25)
21:43:31.052811 IP 10.3.5.1.53 > 10.3.5.107.44456: 33643 1/2/0 A 165.237.62.28 (85)

Anyway, it seems that some newer operating systems take a completely different approach if the short name has dots - they don't ever try to append the suffix by default.  For example, if I want to connect to dax.prolixium.com. I can still type in dax and get there just fine.  However, if I want to hit em0.dax.prolixium.net. by typing in em0.dax, I would get a lookup failure.  For Windows 7, SimAda00 provided a solution in this thread:

  1. Start > Run > gpedit.msc
  2. Computer Config > Administrative Templates > Network > DNS Client
  3. Enable Allow DNS suffix appending to unqualified multi-label name queries
  4. Enable Primary DNS suffix devolution
  5. Restart the DNS Client process

For Mac OS 10.7, this link has the solution, although you can follow the quick & dirty excerpt below:

  1. sudo vim /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
  2. Add <string>-AlwaysAppendSearchDomains</string> after line 16
  3. sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
  4. sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
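The lookup order discussed in this post can be modelled offline. The following is an added example, not code from the post: it reproduces the two tcpdump captures above from the resolv.conf ndots rule, and the `append_multilabel` switch is a simplified, assumed model of the "never append the suffix to a dotted short name" default described for Windows 7 and Mac OS 10.7.

```python
def candidate_queries(name, search, ndots=1, append_multilabel=True):
    """Return, in order, the FQDNs a stub resolver would send for `name`.

    search            -- search suffixes, as on the resolv.conf "search" line
    ndots             -- names with at least this many dots are tried
                         absolutely first (the resolv.conf default is 1)
    append_multilabel -- False models (assumption of this example) a resolver
                         that never appends the suffix to a dotted short name
    """
    if name.endswith("."):
        # A trailing dot marks the name as fully qualified: no search list.
        return [name]

    absolute = name + "."
    dots = name.count(".")

    if dots > 0 and not append_multilabel:
        return [absolute]

    suffixed = [f"{name}.{s.strip('.')}." for s in search]
    if dots >= ndots:
        return [absolute] + suffixed   # "tried absolutely" first
    return suffixed + [absolute]       # search list first, bare name last


def lookups_until(intended, name, search, **policy):
    """Return (wasted, reached).

    wasted  -- queries sent before `intended`, assuming none of them resolves;
               each one discloses the typed name to whoever answers for it
    reached -- False if `intended` is never tried (a lookup failure)
    """
    wasted = []
    for query in candidate_queries(name, search, **policy):
        if query == intended:
            return wasted, True
        wasted.append(query)
    return wasted, False


if __name__ == "__main__":
    # Inputs taken from the captures in the post.
    cases = [
        ("em0.dax", ["prolixium.net"], {"ndots": 1}),
        ("twc.com", ["prolixium.com"], {"ndots": 2}),
        ("em0.dax", ["prolixium.net"], {"append_multilabel": False}),
    ]
    for name, search, policy in cases:
        print(name, policy, "->", candidate_queries(name, search, **policy))
```

With ndots raised to 2, `twc.com.prolixium.com.` is sent before `twc.com.`, so every external two-label name typed on the host is first disclosed to the servers for the search domain.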

In addition to the above, some web browsers like Google Chrome are starting to make short names more annoying to use.  For example, if I haven't been to dax.prolixium.com. before, and I wanted to connect to it by just simply typing dax, I might see something like the following:

Google Chrome and short names

After clicking on "http://dax/" in the infobar, I wouldn't ever have to do it again unless I cleared my browsing history.  I don't know of a way to disable this, but this thread from Chromium-discuss seems to shed some light on the rationale for it.  Another way around it is to type dax/ instead of just dax.  Firefox doesn't seem to have this annoyance, but Internet Explorer 10.0 (at least the version that's included in the Windows 8 preview) doesn't even give you an infobar-type of message for short names - it just throws the short name at your default search engine.  Adding a trailing slash still works, though.

Quite annoying.

Comments: 0
> TurboTax for Mac FAIL
Posted by prox, from Charlotte, on February 05, 2012 at 19:38 local (server) time

Since I'm not a big football fan, I figured I'd do my taxes tonight instead of watching the Super Bowl.  Unfortunately, I hit a little snag.

I installed my copy of Intuit Inc.'s TurboTax 2011 on my Mac mini running Mac OS 10.7.  After installing it and completing the 15 minutes worth of updates, I fired it up expecting to see a "welcome to TurboTax" or "let's get started by importing your old return" dialog.  Instead, I saw nothing past the registration screen.  TurboTax was running, but the application didn't have any windows open.  I selected "New Tax Return" from the File menu, but nothing happened.  I restarted TurboTax and then I restarted the OS - still nothing was happening.  Uh, something was broken.

I installed the same software on my MacBook Air running Mac OS 10.6 just to see what would happen.  Some Internet searches indicated Intuit had some issues with their software on 10.7.  The same thing happened - TurboTax just sat there doing nothing!

I figured there was something up, so I put on my old-school Unix hat, opened Terminal.app, and ran TurboTax in a terminal window.  No messages were generated up until.. yep, you guessed it, I selected "New Tax Return" from the File menu.  Here it is:

(orion:19:23)% /Applications/TurboTax\ Home\ Business\ 2011.app/Contents/MacOS/TurboTax\ 2011 
2012-02-05 19:23:43.862 TurboTax 2011[90253:903] Encountered TPS error (120)
zosFileException: full file name is /Applications/TurboTax Home Business 2011.app/Contents/Resources/Forms/1040_11.formset/Contents/MacOS/._fdi11cv.3pe
                  open mode is 1
                  data mode is 1
                  share mode is 4
 Inherited info follows
zpExceptionBase: error code =   120 source file = /Users/devmac/Documents/dev/official/2011.r08.003/source/Src/Low/P/OSFS/osXPResF.cpp, line 1381

The TPS error cracked me up at first (remember Office Space?) but I quickly realized that yep, there was some software bug in TurboTax.  Specifically, it looked to be centered around one of the 1040 forms.

I did some Internet searches on these errors but didn't find anything relevant.  Maybe it was a bad update that got pushed out at the last minute?  Rather than uninstalling TurboTax and then starting it without performing software updates, I decided to install it on Windows 7.  The updates took about one minute and the "New Tax Return" function worked!

Hopefully Intuit will fix their 1040 form errors on their Mac version of TurboTax, soon.  Although, I suppose I don't really care anymore since the Windows version works!

Comments: 0
> Galaxy Nexus
Posted by prox, from Charlotte, on January 22, 2012 at 21:46 local (server) time

About two weeks ago I picked up a GSM variant of the Galaxy Nexus smartphone.  I decided that after almost two years with my Nexus One, it was time for an upgrade.

I've been running the Nexus One with CyanogenMod since mid-2010.  As such, I've gotten used to the built-in BusyBox, enhanced power widget, status bar tweaks, OpenVPN functionality, and general hacker-friendly operation.  I was hesitant to grab the Galaxy Nexus, which ships with Android 4.0 (codenamed Ice Cream Sandwich) until CyanogenMod 9, but I ended up ordering it anyway.  Hopefully CM 9 will be out soon, but I'm not going to ask when!

If you're unfamiliar with the Nexus product line, it's a collection of Android devices (currently just phones) that run vanilla versions of Android.  No carrier modifications or garbage are present, just plain Android.  Unfortunately, a number of other Samsung devices sport names similar to the Galaxy Nexus, but should not be confused with it.  Here's a list of Nexus devices, that are pure vanilla Android:

Here's a list of the non-Nexus devices that may be confused:

Observations

Galaxy Nexus

The Galaxy Nexus is a large phone with a 4.6" (diagonal) screen at 720x1280 pixels.  The screen itself is very sharp and clear, although sometimes with a white background some bands are visible.  I can't tell if this is a manufacturing defect or not.

Unlike the Nexus One, the Galaxy Nexus has the sleep button on the side and lacks a ball.  The only way to physically wake the phone is to hit this button, unlike on the Nexus One where it can be configured to wake on both sleep button and ball depress.  I'm slightly worried that the singular sleep button might wear out over time, but perhaps I'm being overly paranoid.

Android 4.0 seems like a nice upgrade from the 2.3.x series.  I've never used an Android tablet with 3.x so I'm not sure how many 4.0 features first appeared in that version.  The user interface is GPU-accelerated and provides smooth transitions through menus, although after a few minutes I disabled all the animations in the hopes of maximizing battery life.  The 4.0.1 version I'm running uses Linux 3.0.1:

root@android:/sdcard # uname -a
Linux localhost 3.0.1-ga052f63 #1 SMP PREEMPT Mon Nov 21 16:05:10 PST 2011 armv7l GNU/Linux

The voice recognition is vastly improved over previous Android versions, although I don't use it all that often.  In Android 2.3.x, the voice recognition would require the user to speak a few words and those would be sent to Google and returned in text form at once.  In 4.0, instead of buffering the whole phrase, apparently the audio samples are streamed live to Google, which results in recognized words appearing on the screen almost as they're said.  In other words, there appears to be no limit to the amount of words that can be recognized at once.  Very cool, if you don't mind the extra data being chewed up by such things.

The GN has soft buttons instead of hardware buttons like on the Nexus One.  These are nice because I can finally buy a pair of those touchscreen-friendly gloves and have them work!  The Nexus One's hard buttons wouldn't ever work with those gloves, for some reason.

The photo gallery now automatically synchronizes Picasa albums, which struck me as a little odd when I first opened it.  It's obvious that Google is trying to integrate Google+ more tightly with all aspects of Android.  My contacts initially included all of my Google+ contacts, too, until I disabled that (I typically have no desire to call or e-mail the majority of my Google+ contacts).

The GSM variant of the Galaxy Nexus supports all GSM and UMTS frequencies used throughout the globe.  This means that it can be used with any GSM carrier without the risk of things like HSPA+ not working.  This makes the phone compatible with both AT&T and T-Mobile out of the box.

The dual-core OMAP processor is interesting.  Interesting as in only one core is active most of the time, with the second core only being used under high load or other situations.  Perhaps this is the norm for dual-core CPUs in mobile devices, as it's an obvious way of extending battery life.  Here's /proc/cpuinfo under normal situations:

root@android:/sdcard # cat /proc/cpuinfo
Processor       : ARMv7 Processor rev 10 (v7l)
processor       : 0
BogoMIPS        : 597.12

processor       : 1
BogoMIPS        : 597.12

Features        : swp half thumb fastmult vfp edsp thumbee neon vfpv3 
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x2
CPU part        : 0xc09
CPU revision    : 10

Hardware        : Tuna
Revision        : 0009
Serial          : 01298fc30100203f

Under high load the bogoMIPS increases to 2047.  I've seen both cores listed in /proc/cpuinfo in the past, but when writing this I was unable to trigger activation of both cores.  Anyway, we can see this from the kernel log:

root@android:/sdcard # dmesg|grep CPU|tail                                                                                                                    
<6>[111361.896057] Enabling non-boot CPUs ...
<4>[111361.912170] CPU1: Booted secondary processor
<6>[111361.913208] CPU1 is up
<6>[111361.917938] Switched to NOHz mode on CPU #1
<4>[111362.918182] Disabling non-boot CPUs ...
<5>[111362.918823] CPU1: shutdown
<6>[111363.056030] Enabling non-boot CPUs ...
<4>[111363.072174] CPU1: Booted secondary processor
<6>[111363.073211] CPU1 is up
<6>[111363.078124] Switched to NOHz mode on CPU #1

Speaking about CPUs, the developer options offer a nifty CPU utilization overlay graph to see what applications are hogging it:

CPU Monitor

Since it can be seen here, I'll point out that Zynga's craptacular development of Words With Friends still causes it to chew up 100% of a single core when running.  I suspect this is due to polling things that should be event or interrupt-driven instead.  The game is so addicting, though!

Annoyances

Unfortunately, there are a few things about the Galaxy Nexus that are annoying.

Let's start with the hardware: the phone is just too large.  Or, maybe my hands are just too small!  While holding the phone, I have trouble reaching my thumb up to the top left portion of the screen.  At first this was just an annoyance, however after using the phone for 15-20 minutes my arm started hurting from the strain.  The large size combined with its thin and somewhat slippery frame makes it easy to drop.  I've had a few close calls already while using the phone outside with one hand.

The sleep button should be on the top of the phone, not on the side.  I don't use a case or belt clip for the phone and usually put it in my pants pocket.  Unfortunately I find myself accidentally hitting the sleep button when putting it into my pocket, which results in a few incorrectly dialed emergency numbers or screen unlock attempts.

The GN wouldn't connect to my 5 GHz SSID at home.  I've got my Cisco 1142 WAP configured for 802.11a and 802.11n, but the GN wouldn't see it at all, whether the SSID was broadcast or not!  More research is needed, but this was a let down.

The screenshot feature that's built into Android 4.0 is a little weird.  Why didn't they just add it to the power menu (hold sleep) like CyanogenMod 7.x did?  It's annoying to have to hold volume down and sleep.

A huge annoyance with Android 4.0 was that it automatically signed me into Google Talk without notifying me (I never use Google Talk).  I only figured this out because I saw myself online from my other XMPP account.  It was easy to disable, but this should not be on by default.

The SMS emoticon icons are really ugly:

SMS Emoticon Icons

In general, things crash frequently.  I don't think I have bad hardware (RAM, etc.) because I've heard similar reports from other GN (LTE variants) users.  Applications crash and the phone has hard locked twice.  It's annoying that there's no watchdog that automatically reboots or some way to trigger a hard reboot via the sleep button.  So, in the case of a hard lock, removing the back case and battery is required.  Also, the back case seems flimsy and cheap.  I feel like I'm going to break it half the time.

The AT&T Debacle

I've had AT&T as my wireless carrier since sometime in 2007.  I've moved the same SIM card between over half a dozen different phones without any issue and mostly kept the same plan.  Since the Galaxy Nexus supports all five UMTS frequencies, I figured I wouldn't have a problem using HSPA+ on AT&T and getting some extra speed over my Nexus One.  Unfortunately, this didn't work out.

After using the phone for the first week, I didn't notice any increased speeds.  The Ookla mobile speed test application returned plain old congested HSPA speeds (1.7 Mbps downstream, and < 1 Mbps upstream), although latency seemed to be improved (39 ms RTT).  I was puzzled since the network type indicated HSPA+:

root@android:/sdcard # getprop gsm.network.type
HSPA:11

After searching around I came upon this article that basically convinced me to leave AT&T.  Essentially, AT&T won't grant customers access to the enhanced backhaul that traditionally accompanies the HSPA+ connection unless they're equipped with a 4G data plan (no price difference).  Unfortunately, the only way to get a 4G data plan is to have an AT&T-supported device (ie, device sold by them).  Obviously, an unlocked GSM Galaxy Nexus wasn't one of these devices and lying about this to customer service wasn't going to do any good because the IMEI won't be accepted.

Some folks claim they've gotten the AT&T employees to temporarily associate an IMEI from one of the in-store phones with their account to activate the 4G data plan, then switch it right back.  I didn't go down this road, not because I thought I couldn't finagle myself a 4G plan, but because I don't agree with such a policy in the first place.  I decided to switch to T-Mobile, and it was the best decision I've made in a while.

The very next day I strolled into the local T-Mobile store and picked up a SIM card with the $60/month unlimited everything plan.  After 2 GiB T-Mobile will cap me to EDGE speeds, but that's fine.  I ported my number from AT&T and haven't looked back.  The HSPA+ speed is blazing at night and not too bad during the day.  The best I've gotten so far is 8 Mbps downstream and 1.7 Mbps upstream.  Coverage at my condo is excellent and at work it's decent, too.  Overall, it's slightly worse than AT&T but that hasn't bothered me, yet.  What's a little strange is T-Mobile's internal IPv4 addressing scheme: they use pieces of 22/8 and 25/8 for mobile clients!  I guess they don't have much public space to speak of and RFC 1918 can only go so far.

I also signed up for the T-Mobile IPv6 trial, which seems to work great.  I think it'll work with any phone that sports an IPv6-enabled pppd, which aren't many, so far.  The IPv6 trial is a separate APN that provides a single IPv6 address and DNS server (fd00:976a::9; it's whitelisted by Google over IPv6).  IPv4 connectivity is provided by a NAT64 gateway alongside DNS64.  The NAT64 prefix appears to be fd00:976a:c004:8fb1::/96 and the last 32 bits of this prefix directly map to an IPv4 address.  Yes, these fd00 addresses are ULA, which makes sense so T-Mobile doesn't have to worry about their NAT64 gateway becoming accidentally public.  I consistently get addresses out of the 2607:fb90:400::/40 prefix, and SSH seems to be allowed inbound!  This makes copying files from my phone much easier when not on Wi-Fi.  I have a feeling it won't last, though.  Also, it's easy to switch back to the IPv4 APN with three taps, in case things go wrong.  Two things that do not work on the IPv6 APN are MMS and applications that utilize ICMP.
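The /96 mapping described above, as an added example that is not from the original post: it embeds an IPv4 address in the last 32 bits of the NAT64 prefix quoted in the post and recovers it again, which is handy when a log line on the IPv6 APN shows only the synthesized address. The function names are hypothetical; the two prefixes are the ones given in the post.

```python
import ipaddress

# Prefixes quoted in the post.
NAT64_PREFIX = ipaddress.IPv6Network("fd00:976a:c004:8fb1::/96")
HANDSET_PREFIX = ipaddress.IPv6Network("2607:fb90:400::/40")
ULA = ipaddress.IPv6Network("fc00::/7")  # unique local address space


def to_nat64(ipv4, prefix=NAT64_PREFIX):
    """Synthesize the IPv6 address DNS64 would hand out for `ipv4`."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 NAT64 prefixes")
    v4 = ipaddress.IPv4Address(ipv4)
    # The IPv4 address occupies the low 32 bits of the 128-bit address.
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def from_nat64(ipv6, prefix=NAT64_PREFIX):
    """Return the embedded IPv4 address, or None if `ipv6` is outside the prefix."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def classify(ipv6):
    """Label an address seen on the IPv6 APN (labels are this example's own)."""
    v6 = ipaddress.IPv6Address(ipv6)
    embedded = from_nat64(v6)
    if embedded is not None:
        return f"nat64 -> {embedded}"
    if v6 in HANDSET_PREFIX:
        return "handset (globally routable)"
    if v6 in ULA:
        return "other ULA"
    return "other"


if __name__ == "__main__":
    # Constructed sample addresses, not captured traffic.
    for addr in ("fd00:976a:c004:8fb1::808:808", "2607:fb90:400::1", "fd00:976a::9"):
        print(addr, "=>", classify(addr))
```

The handset addresses are global rather than ULA, which is why inbound SSH can reach the phone at all; a host firewall or key-only sshd configuration is the control that matters there.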

Conclusions

The Galaxy Nexus is a great, albeit buggy, phone.. if you've got big hands and have T-Mobile.  Otherwise, get the LTE version from Verizon Wireless and stay in the country.  Android 4.0 has promise, if they can fix the bugs.  Overall, I think everything software-related will be better when CyanogenMod 9.x is released!

Comments: 8
> Stop SOPA and PIPA!
Posted by prox, from Charlotte, on January 18, 2012 at 09:27 local (server) time

A number of sites on the Internet are blacked out to protest SOPA and PIPA:

I figured I'd do the same (see the top banner).  To get a list of your representatives (so you can tell them to voice opposition to both these bills), go here.

Comments: 1
> Weird DNSSEC
Posted by prox, from Charlotte, on January 14, 2012 at 20:51 local (server) time

I recently deployed DNSSEC on almost all of my domains and lived to talk about it!

A little history, first. Back in July of 2010 I used ISC's DLV registry to sign one of my domains since the com. and net. TLDs weren't signed at the time.  The DLV registry provided a list of trust anchors so individuals could sign their domains and DNSSEC validating caches could easily look them up.  I signed tengigabitethernet.com. with no ZSK rollover and it worked!  I also configured all of my internal caches to perform DNSSEC validation (dnssec-validation yes; along with making sure the "." keys are fresh).

Since com., net., org., and most other TLDs are now signed, a few months ago I decided it was time for me to sign the remainder of my domains and figure out how to perform automatic ZSK rollover.

I first started reading a few documents about the right way to sign zones and get together a sane configuration with BIND (9.7.3 at the time).  This howto probably contained the most information, so I used it primarily.  Creating the keys and signing domains was familiar to me at this point, so that was mostly review.  I then started to research the best way of performing automatic ZSK rollover, which turned out to be the difficult part.

For security reasons, it's recommended to roll over the ZSKs (zone signing key, as opposed to a key signing key which isn't published) periodically.  I decided that it would be good to roll my ZSKs every other month (the odd-numbered months, specified as 1,3,5,7,9,11 via cron).  After searching the Internet for some suggestions on best practices for ZSK rollover, it seemed that most folks were using a new directive in BIND that took the thought out of this: dnssec-auto.

The dnssec-auto configuration directive was introduced starting with BIND 9.7.0 and includes the ability to automatically re-sign zones and perform routine key maintenance, including key rollovers.  Apparently this feature was introduced prematurely and creating new keys with dnssec-auto automatically wasn't possible until 9.8.0.  This sounded like exactly what I wanted.  However, there's a bit of a rub: this requires that all zones be converted to dynamic zones.  This is required because BIND needs to constantly re-write the zone files (it actually uses a journal) and maintain them by keeping serial numbers updated.

Dynamic zones didn't seem to be a big deal at first, but I decided I didn't want to go this route right now for a number of reasons.  First, moving from a static zone to a dynamic zone removes the ability for me to edit the zone file by hand, which I've gotten used to doing.  Maybe I'm the only one who does this, but I use zone files in lieu of an official IP address management system and include all sorts of comments in them.  To maintain dynamic zones, one must use the nsupdate(1) utility that ships with BIND.  It's not a difficult tool to use, and very easy to script.  The second reason is somewhat related: I was unable to find the equivalent of $GENERATE macros to use with nsupdate.  This may be by design, but it's annoying.

A few workarounds for the above might be to move comments to TXT records and write scripts to emulate $GENERATE functionality that prepare a batch of nsupdate commands.  I suspect down the line I will eventually have to cave and move to a dynamic style of DNS zone maintenance, but it's not going to be today.

So, after deciding I was going to keep things manual, I created some scripts from scratch to handle ZSK rollover.  They run dnssec-keygen, dnssec-signzone, and reload BIND as needed.  I automated serial number generation and initial DNSSEC key generation at the same time.  Long story short, this allows me to still edit the original zone files in my external view and have the signed copies be served up by BIND.  The copies of each zone have the characters ".signed" appended to their names and these zones are included in named.conf.local (yes, I'm using Debian GNU/Linux).  It's a little wasteful, because I have a shared SOA for all of my domains and my scripts re-sign all of my zones for any DNS change.  For my setup, though, it's not a big deal.

If you're curious what these scripts look like, check them out here.  Please keep in mind that these are very specific to my setup and if you decide to use them you'll essentially have to figure them out yourself and obviously change update-soa.sh to reflect what you want your SOA to look like.

Anyway, to get my DNSSEC setup live, I took the DS records (dsset-*) and had my registrars add them to the parents.  This is required so caches that have DNSSEC validation enabled will go ahead and actually perform validation.  The DS record authenticates the chain of trust from the parent down to the child zone.  So, com. has a DS record for prolixium.com. and uses it to validate that the DNSKEY for prolixium.com. is valid and can be used to check the RRSIG RRs for each record queried.  Here's how it looks:

% dig +short @a.gtld-servers.net. prolixium.com. DS
57876 7 1 5B9D902C4E4B15833369B7EED602370B3A525334
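
The four fields in that answer are the key tag (57876), the key's algorithm number (7), the digest type (1, i.e. SHA-1) and the digest of the child's DNSKEY.  The Python below is an added example, not part of the original post or its scripts: it rebuilds a DS record from a DNSKEY as described in RFC 4034 and checks it against the copy held by the parent.  The sample key and the example.com. owner name are constructed placeholders, not the real prolixium.com. key.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types (RFC 4034, RFC 4509)

def name_to_wire(name):
    """Owner name in canonical (lowercased) wire format."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def parse_ds(text):
    """Split 'keytag algorithm digesttype digest' as printed by dig +short."""
    tag, alg, dtype, digest = text.split(None, 3)
    return int(tag), int(alg), int(dtype), digest.replace(" ", "").upper()

def make_ds(owner, rdata, digest_type):
    """DS digest = H(owner name wire form || DNSKEY RDATA)."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest

def ds_matches(owner, rdata, ds_text):
    """True only if tag, algorithm and digest all agree with the DNSKEY."""
    ds = parse_ds(ds_text)
    return ds[2] in DIGESTS and make_ds(owner, rdata, ds[2]) == ds

# Constructed sample key, NOT the real prolixium.com. key: flags 257 (SEP bit set),
# protocol 3, algorithm 7, and 64 bytes of filler as the public key.
SAMPLE_KEY = dnskey_rdata(257, 3, 7, base64.b64encode(bytes(range(64))).decode())
SAMPLE_DS = "%d %d %d %s" % make_ds("example.com.", SAMPLE_KEY, 1)

if __name__ == "__main__":
    print("DS from the page: ", parse_ds("57876 7 1 5B9D902C4E4B15833369B7EED602370B3A525334"))
    print("constructed DS:   ", SAMPLE_DS)
    print("matches own key:  ", ds_matches("example.com.", SAMPLE_KEY, SAMPLE_DS))
    print("matches other key:", ds_matches("example.com.", SAMPLE_KEY[:-1] + b"\x00", SAMPLE_DS))
```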

Now, this is sometimes when it gets hairy.  Since adding the DS record to the parent is the registrar's responsibility, they may or may not support it, or may only support it for a subset of their zones.  Even worse, some registrars may advertise support for DNSSEC but in actuality only support it when you use their nameservers as opposed to your own.  Because of this, make absolutely sure your registrar has an option in their interface for adding DS records beforehand.

As an aside, Go Daddy has excellent DNSSEC support, but unfortunately supports the evil that is SOPA (their latest flip-flopping should not distract you from the fact that they potentially helped write it and also got an exception from the shutdown clause).  I had most of my domains with Go Daddy but moved all but one to name.com and Joker.  name.com irritated me because they only officially support DNSSEC for org., have no mention of DNSSEC in any of their knowledge base, and initially filed my support inquiry as spam.  Fortunately the DS records in the parents ended up staying put even after the transfer from Go Daddy, so I guess I'm set for now.  Joker supports DNSSEC for all of their domains that are signed.

After signing my zones, I used two web-based DNSSEC checking utilities to validate my configuration: DNSViz and the Verisign DNSSEC Debugger.

In conclusion, although signing zones the manual way ends up taking much longer and causes much more pain, it's a great way to learn DNSSEC!
