Using DNS TXT records to effect EU/UK cookie law

It struck me that the most logical way of expressing the policy a web site has for the use of cookies or personal data is to detail that policy within the DNS records that a person (or their device) must look up BEFORE they hit your site. This is a bit like how SPF records detail the email delivery policy for your systems: recipients can use this (or ignore it) when they look at emails that claim to be from your domains.

The suggestions of using web page forms or pinch pages or similar require both the site operator and the site user to do things for no logical or practical gain to either party.

So how would this work? You would add a TXT record that has an expiry and, for each CNAME or A record or as a default, lists either a URI to a privacy policy (which would include details on cookie use) and/or a set of flags on cookie use. The URL of the policy is a bit like the CRL within SSL.

The user, before they visit the web site thus has the opportunity to examine the privacy and cookie use policy without actually visiting the web site.
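To make the proposal concrete, here is an added example (not code from the original post, and not a format any standard defines) of what such a record and its client-side check could look like. The record layout, the `_cookiepolicy.` owner-name prefix, the `cpol1` version tag and the zone contents are all assumptions of this example; the zone is a constructed stand-in for a real DNS resolver. It walks from the exact hostname up to the parent labels, so one record at the domain acts as the default for every host under it, and it refuses expired records or policy URLs that are not absolute https.

```python
"""A hypothetical cookie-policy TXT record, modelled on SPF.

Assumed record format (an assumption made for this example; neither the
post nor any standard defines it):

    v=cpol1 exp=YYYY-MM-DD uri=<https policy URL> flags=<comma list>

It is published as a TXT record at _cookiepolicy.<hostname>.  A client
looks up the exact hostname first and then walks up the parent labels,
so a single record at _cookiepolicy.example.net is the default for every
host under example.net, matching the per-host-or-default idea above.
"""
from datetime import date
from urllib.parse import urlsplit

# Constructed stand-in for a DNS resolver: owner name -> list of TXT strings.
ZONE = {
    "_cookiepolicy.example.net": [
        "v=cpol1 exp=2099-12-31 uri=https://www.example.net/privacy flags=session,analytics",
    ],
    "_cookiepolicy.shop.example.net": [
        "v=cpol1 exp=2099-12-31 uri=https://shop.example.net/cookies flags=session,thirdparty",
    ],
    # Expired record: a client must not trust it and falls back to the default.
    "_cookiepolicy.old.example.net": [
        "v=cpol1 exp=2000-01-01 uri=https://old.example.net/privacy flags=session",
    ],
}


class PolicyError(ValueError):
    """Raised for a record that is malformed, expired or otherwise unusable."""


def parse_policy(txt, today=None):
    """Parse one TXT string into {'expires', 'uri', 'flags'} or raise PolicyError."""
    today = today or date.today()
    fields = {}
    for token in txt.split():
        key, sep, value = token.partition("=")
        if not sep or key in fields:
            raise PolicyError(f"malformed or duplicate field: {token!r}")
        fields[key] = value
    if fields.get("v") != "cpol1":
        raise PolicyError("not a cpol1 record")
    try:
        expires = date.fromisoformat(fields["exp"])
    except (KeyError, ValueError):
        raise PolicyError("missing or invalid exp field") from None
    if expires < today:
        raise PolicyError(f"record expired on {expires.isoformat()}")
    uri = fields.get("uri")
    flags = {f for f in fields.get("flags", "").split(",") if f}
    if uri is None and not flags:
        raise PolicyError("record carries neither uri nor flags")
    if uri is not None:
        parts = urlsplit(uri)
        # Require https so the policy document itself cannot be altered in transit.
        if parts.scheme != "https" or not parts.netloc:
            raise PolicyError("policy uri must be an absolute https URL")
    return {"expires": expires, "uri": uri, "flags": flags}


def lookup_policy(hostname, zone=ZONE, today=None):
    """Return the policy that applies to hostname, or None if no usable record exists."""
    labels = hostname.lower().rstrip(".").split(".")
    while len(labels) >= 2:  # stop before bare TLDs; nobody publishes policy there
        owner = "_cookiepolicy." + ".".join(labels)
        for txt in zone.get(owner, []):
            try:
                return parse_policy(txt, today)
            except PolicyError:
                continue  # unusable record at this level: keep walking up
        labels = labels[1:]
    return None


if __name__ == "__main__":
    for host in ("www.example.net", "shop.example.net", "old.example.net", "www.example.org"):
        print(host, "->", lookup_policy(host))
```

Because the record carries its own expiry, a stale policy is treated as absent rather than trusted, and the walk-up means a site only has to publish one default record plus overrides for hosts whose cookie use differs.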

Actually we know anonymous web site users won’t give two flying ducks about what cookies our web sites use, given they probably already use anything from ad blocking software to browsers within virtual machines, but for some bizarre reason the UK Information Commissioner’s Office (ICO) has managed to gold-plate an equally bizarre EU cookie directive. Yes, the ICO is the same group that gets everyone who handles personal data, from babysitters through to government departments, to pay either the Tier 1 fee of £35 or the Tier 2 fee of £500 (if you have 250 or more employees and £25.9 million revenues – yes, logic isn’t their strong point), yet the ICO doesn’t have an online payments system nor can it take credit/debit cards, so you end up having to print out the forms you just filled in online and send those with your cheque, or you can use a direct debit from your bank account, only they can’t actually do direct debits if you had to pay the Tier 2 £500 fee. In sharp contrast, Companies House, the regulator and registrar for companies, does everything online and you can renew your annual company registration for the grand sum of £14 online as well.

Enabling IPv6 in Ubuntu ufw

I was creating a new web site and, as I was installing it on my IPv6-enabled host, I thought I would set up the A and AAAA records for the same CNAME.

Windows-based PCs without any IPv6 routing obviously ignore any AAAA records and the browser connects to the site as expected, but an Ubuntu desktop I was using was unable to get to the site – neither Firefox nor Opera would connect.

I loaded Wireshark to see if my traffic was leaving and, though I could see the DNS queries for AAAA and A records, there was no TSP traffic (Tunnel Setup Protocol) to the IPv4 address (I’m using the gogoc package out of the box). This means that the browser connection was not getting to the tunnel interface, which points at either firewalling or the kernel.

If I ran Firestarter then I also saw the tun (routed IP tunnel) interface but no traffic passed (note: I have since removed Firestarter and now run Gufw).

Well, IPv6 is in the kernel, but I had ufw enabled and that doesn’t have IPv6 enabled by default, so if you try to use ping6 you get an error message, e.g.

 ping: sendmsg: Operation not permitted
 ping: sendmsg: Operation not permitted
 ping: sendmsg: Operation not permitted

If it is safe to do so, you can quickly test that this is your problem by turning off ufw with the command,

sudo ufw disable

Now your ping6 should work. If it does not then you have a tunnel problem. Use the command netstat -rn6 to see if you have tun entries.

It is easy to enable IPv6 in ufw by editing /etc/default/ufw: towards the top there is a line IPV6=no which you change to IPV6=yes.

Save that and then disable and re-enable the firewall, i.e. sudo ufw disable followed by sudo ufw enable, or do a sudo ufw reload if it was still running.
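The edit above is a one-word change, but it is easy to get wrong on a box you administer remotely (a quoted value, a trailing comment, a file where the key has been removed). The following is an added example, not from the post or from the ufw project, that makes the change idempotently: it reports what it would do by default and only rewrites the file when run as root with --apply. The file path and the IPV6= key are the ones the post names; the sample file content is constructed.

```python
"""Turn on IPv6 filtering in /etc/default/ufw.

Added example for the step above; not part of the post or of ufw itself.
It works on the file text so the change can be inspected before anything
is written, and only touches the real file when run as root with --apply.
Assumptions: the file path /etc/default/ufw and the IPV6= key named in
the post; the sample below is constructed.
"""
import re
import sys

UFW_DEFAULT = "/etc/default/ufw"

# Matches an active (uncommented) IPV6= assignment, keeping indentation,
# the value (possibly quoted) and any trailing comment.
IPV6_LINE = re.compile(r"^(?P<indent>\s*)IPV6=(?P<value>\S*)(?P<rest>.*)$")

# Constructed sample of the relevant part of /etc/default/ufw.
SAMPLE = """# /etc/default/ufw (constructed sample for this example)
# Set to yes to apply rules to IPv6 as well as IPv4.
IPV6=no

DEFAULT_INPUT_POLICY="DROP"
"""


def ipv6_enabled(text):
    """True if the last active IPV6= line in the file sets yes."""
    state = False
    for line in text.splitlines():
        m = IPV6_LINE.match(line)
        if m:
            state = m.group("value").strip("\"'").lower() == "yes"
    return state


def enable_ipv6(text):
    """Return (new_text, changed) with every active IPV6= line set to yes.

    Handles IPV6=no, IPV6="no", a trailing comment, and a file with no
    IPV6 line at all (the key is appended). Commented-out lines are left alone.
    """
    if text and not text.endswith("\n"):
        text += "\n"
    lines = text.splitlines(keepends=True)
    found = changed = False
    for i, line in enumerate(lines):
        m = IPV6_LINE.match(line.rstrip("\r\n"))
        if not m:
            continue
        found = True
        if m.group("value").strip("\"'").lower() == "yes":
            continue
        lines[i] = f"{m.group('indent')}IPV6=yes{m.group('rest')}\n"
        changed = True
    if not found:
        lines.append("IPV6=yes\n")
        changed = True
    return "".join(lines), changed


def main(argv):
    path = UFW_DEFAULT
    try:
        with open(path) as fh:
            text = fh.read()
    except OSError as exc:
        print(f"cannot read {path}: {exc}", file=sys.stderr)
        return 1
    new_text, changed = enable_ipv6(text)
    if not changed:
        print(f"{path}: IPV6 already yes, nothing to do")
        return 0
    if "--apply" in argv:
        with open(path, "w") as fh:
            fh.write(new_text)
        print(f"{path}: set IPV6=yes; now run 'sudo ufw disable && sudo ufw enable' (or 'sudo ufw reload')")
    else:
        print(f"{path}: would set IPV6=yes (re-run with --apply to write)")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it once without arguments to see whether the file needs changing, then with --apply; the firewall still has to be disabled and re-enabled (or reloaded) afterwards, exactly as the post says, because ufw only reads this file when it starts.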

Now you will be able to ping6 and connect to IPv6-enabled hosts using a browser. Note that when you ping6 there is a PTR query (that you would only see in Wireshark) and you may get a “no such name” response if you have not configured your host’s DNS records right. So if you are committed to setting up IPv6 on your host then please check you have added a suitable DNS PTR entry for the dotted-nibble reverse name of your IPv6 address. Very few protocols, perhaps only mail connections and obviously ping6, use IPv6 PTR queries.

We do not agree with the ICANN program of allocating new (generic) gTLDs. Their claim that the “expansion of the generic top-level domain (gTLD) space will allow for a greater degree of innovation and choice” is, in our view, in a word, nonsense.

An existing brand will already have their BRAND plus .COM, .NET and .ORG gTLD. The innovation and choice has already settled at that second level.

A small startup won’t be able to afford to run or own a .BRAND gTLD but must make do with the existing .COM and other gTLD or ccTLD space. You would be a moron to come up with a great new name and go ahead with your branding without getting the .COM even if ICANN go ahead with their plans. Your ability to spend a vast amount of money and get a new gTLD isn’t going to change the fact that if you don’t have the .COM then you are still doomed to try a reverse domain name hijack or throw lots of money at the existing .COM owner to grab that too. So much for your choice.

“Innovation” and “choice” is an application layer problem. It is not a network problem. ICANN need to go back to school with a wall chart of the ISO 7-layer model if they think that semantically overloading the DNS is a way to “innovation” and “choice”.

For the past 10 years of ICANN’s existence there have been basically two problems that ICANN should have been focusing on with all their hearts, minds and our money: the exhaustion of the IPv4 address space (i.e. IPv6) and the security of the DNS infrastructure (i.e. DNSSEC). Given IPv4 has started to exhaust but many ISPs are only in beta programs for IPv6, we’ll leave you to make a call as to how successful that has been.

We, the existing domain name owners, all pay ICANN money as a levy on the gTLD domain names that we buy, so we all have a right to complain about what they are doing. Like many domain name owners we’ve accumulated the main top level domains for our own company, Open Mutual Limited, but being a small company we have ignored the ccTLDs and the more esoteric gTLDs. With the new ICANN plans we’ll be looking at potentially many hundreds of new gTLDs which will segment the domain name space into a vast number of silos, and the further out you go from the traditional .COM the more expensive these new gTLDs seem to get (if the existing .info, .biz or .xxx are anything to go by).

If we wanted to semantically overload our domain names for application reasons then we would do this at the 3rd level, i.e. our customers would always go to the existing domain name and then, at an application level, we would route them to the 3rd-level domain; in all probability this would be done behind the scenes without the customer even knowing this domain name existed.

At a company level we would not be able to afford a new gTLD of http://openmutual.idea/ or http://idea.openmutual/ and neither would 99.9% of the rest of the world, nor would this be the focus of any startups unless those startups were just in the business of allocating domain names. I fail to see where the innovation and choice is in filling out the ICANN forms to be just another registry for just another gTLD.

Multiple domain name selections

As a minimum we buy the three TLDs, .com, .net and .org, for a domain name.

With most registrars you can forward the emails and web traffic from the two you don’t use to your main site at no extra cost.

The value of the extra domains becomes apparent when you start adding e-Commerce or company blogs or test or administration sites. Whilst your main public-facing domain can be on, e.g., the .com, you can host test and development sites on the .net or .org.

With Open Mutual we have our .net as our main public-facing web site, this .org as a “blog”, and the .com is used for client hosting and for our business continuity testing.

Most hosting providers allow you to have multiple TLDs (usually up to 10) on the same host (shared hosting reseller account or a V-server) as well as countless subsites, so the cost of running multiple TLDs is just the cost of the registry fees (say an extra USD 20 per annum) plus the extra time spent administering these extra domains.

If the domains are on completely different infrastructure (different DNS and servers) then the administration site can be used to advertise service status for the live domain.

Done right, the administration costs are neutral because when you are planning your business continuity you can deploy your backups onto the other domain names and hosting accounts without interfering with your live system or, equally, you can install new versions of software on the other domains and test the impact by comparing the live and test systems.