DNSSEC + unbound local DNS

I’ve been playing with dnssec-trigger, a neat little utility from NLnet labs which configures a local instance of Unbound (a caching recursive DNS resolver) and a utility which listens for network configuration changes. It can then reconfigure your system’s DNS settings on the fly to ensure you’re always using DNSSEC secured resolvers (while still taking advantage of locally configured recursive resolvers assigned by DHCP).

I think that’s pretty cool 🙂

Only pitfall so far is that it doesn’t play nicely with VPN for accessing work. I think I can probably work around that by setting up a stub resolver configuration in Unbound though.

Further info:


It works nicely with the DNSSEC Validator Firefox addon (by CZ.NIC Labs).

Makes me really want to get my domain DNSSEC enabled now!

SixOrNot 0.7.0

It’s been a long time coming, but I finally finished off a new release. There’s actually an 0.7.1 which fixes a few additional bugs but that’s awaiting review.

So what’s new? Most visibly the UI has been replaced with a new panel-based design. This allows more information to be shown. This is needed because the addon now shows you not only the IPv6 status of the main domain you’re visiting, but also the status for all the domains contacted during the loading of the page. This is particularly useful for highlighting when a site’s CDN (content delivery network) isn’t IPv6 enabled despite the site itself claiming to be!

Another major change is that SixOrNot now takes advantage of changes to the Firefox API which allow you to find the actual IP address used to connect to a remote site. When the addon was first conceived this was not possible and I had to take the approach of using DNS lookups along with local address information to guess at the transport being used. This wasn’t 100% reliable however, and in dual-stack environments was only a best-guess as to the actual state. Now SixOrNot tells you the actual address you’re connecting to.

Of course it still shows the DNS information, and so can still show you when a site could potentially be contacted using IPv6. As far as I’m aware it’s the only addon which does this combined approach.

Under the hood I’ve completely re-engineered the way the addon works. Previously a polling loop was used (a hangover to the old code which was lifted from the Flagfox addon – now all completely re-written), now the architecture is entirely event-driven. This makes the addon much more efficient and reduces memory/CPU usage.

The code has also been heavily re-factored and re-organised. This aids maintainability and provides a good basis for new features. On that subject I’m planning on adding back the local IP address information (along with an optional lookup of your external IP address(es). The documentation also needs a major overhaul, and a proper website is on my todo list as well.

You can download SixOrNot from the Mozilla addons website here:


The source code is available on Github:


SCCM 2012 PowerShell automation library

So my latest project is to build a library to permit automated configuration of SCCM 2012. Currently this is in release candidate form, though a final release date is expected at MMS later this year. So far despite rumours there is no firm information about whether native PowerShell support (e.g. SCCM-specific cmdlets) will be provided by Microsoft.

We need this right now at work to start building test environments so I have a copy of the RC2 beta installed, a copy of the /\/\o\/\/ PowerShell WMI Explorer and a certain grim determination to produce a damn fine PowerShell library.

So far I’ve finished Boundaries and BoundaryGroups, currently working on Discovery Methods (via an interesting diversion into the world of CIM_DATETIME strings and SMS Schedules…)

I’ll be posting more as I build it. Code will be pushed to github: