The problem is, the same dudes (and it was nearly always dudes) who were pumped for all of that bollocks now won't stop wanging on about Artificial Fucking Intelligence.

"It's gonna be the future bro, just trust me!"

"I dunno, man. Seems like you say that about every passing fancy - and they all end up being utterly underwhelming."

"This time is different!"

*sigh*

The investor who says, “This time is different,” when in fact it’s virtually a repeat of an earlier situation, has uttered among the four most costly words in the annals of investing.

16 rules for investment success - Sir John Templeton

All of the above technologies are still chugging along in some form or other (well, OK, not Quibi). Some are vaguely useful and others are propped up by weirdo cultists. I don't doubt that AI will be a part of the future - but it is obviously just going to be one of many technology which are in use.

No enemies had ever taken Ankh-Morpork. Well technically they had, quite often; the city welcomed free-spending barbarian invaders, but somehow the puzzled raiders found, after a few days, that they didn't own their horses any more, and within a couple of months they were just another minority group with its own graffiti and food shops.

Terry Pratchet's Faust Eric

The ideology of "winner takes all" is unsustainable and not supported by reality.

What?!

It is yet another of those baroque standards which spits out things like:

cid.uri.arpa.
;;       order pref flags service        regexp           replacement
IN NAPTR 100   10   ""    ""  "!^cid:.+@([^\.]+\.)(.*)$!\2!i"    .

Essentially, it is a way to store contact details within a DNS record (rather than in a WHOIS record).

Back in the early 2000s, the dotTel company opened the .tel TLD with a promise that it could be used to store your contact details in DNS⁰. The idea was simple, rather than storing my phone number in your address book, you'd store my domain name - https://edent.tel/

If I updated my phone number, changed my avatar, or deleted an old email address - your address book would automatically update via DNS. Nifty!

If you didn't know a company's phone number, you'd dial example.com on your phone and it would grab the phone numbers from DNS. Wowsers trousers!

You can see an example by running:

dig justin.tel NAPTR

You'll get back something like:

NAPTR   100 101 "u" "E2U+web:http" "!^.*$!http://justinkhayward.com!" 

A phone number stored in a NAPTR would look something like:

NAPTR   100 100 "u" "E2U+voice:tel" "!^.*$!tel:+442074676450!" .

Brilliant! But there's a problem - aside from the somewhat obtuse syntax! - and that problem is spam.

Those of you old enough to remember putting your unexpurgated contact details into WHOIS know that the minute it went live you were bombarded with sales calls and scammy emails. So putting your details directly into DNS is a bad idea, right?

.tel thought they'd come up with a clever hack to prevent that. As they explain in the .tel privacy paper, records can be individually encrypted.

• Alice has her contact details on alice.tel
• Bob has his contact details on bob.tel
• Alice agrees to share her phone number with Bob.
• Alice looks up Bob's public key from bob.tel.
• Alice encrypts her phone number.
• Alice generates a new DNS record specifically for Bob - bob123456.alice.tel
• Alice shares the name of the new record with Bob.
• Bob downloads the NAPTR from bob123456.alice.tel and decrypts it with his private key.
• Bob periodically checks for updates.
• Alice can decide to revoke Bob's access by removing the data or subdomain.

Clever! If convoluted. You can read more about the way friendships and public keys were managed and some more technical details.

Are there better ways?

Multi Recipient Encryption

When people say "you can't give Government a secret key to your private messages" they are technically incorrect¹. Multi Recipient Encryption is a thing.

Here's a very simplified and subtly wrong explanation:

• Alice creates a temporary public/private keypair.
• Alice encrypts some text with her temporary public key - resulting in e.
• Alice encrypts the temporary private key with Bob's public key - resulting in k1.
• Alice encrypts the temporary private key with Charlie's public key - resulting in k2.
• Alice publishes the concatenation of e+k1+k2
• Bob downloads the file, decrypts his version of the key, and uses that to decrypt the message.
• Charlie does the same.

In this way, both recipients are able to decipher the text but no one else can. So can we just shove an encrypted record in the NAPTR? Not quite.

There are two main problems with this for DNS purposes.

1. The encrypted size grows with every recipient.
2. Every time a new recipient is added, everyone needs to download the data again even if it is unchanged.

Generally speaking, DNS records are a maximum of 255 characters - although they can be concatenated.

An extra record could be used to say when the plaintext was last updated - which would let existing recipients know not to download it again.

Monitoring for changes would allow a user to know roughly how many recipients had been added or removed.

What other ways could there be?

What else could be done?

Here's the user story.

• I want a friend to subscribe to my [phone|email|street|social media] address(es).
• I must be able to pre-approve access.
• When I change my address, my friend should get my new details.
• I need to be able to revoke people's access.
• This should be done via DNS².

Using an API this would be playing on easy mode. A friend (or rather, their app) would request an API key from my service. I would approve it, and then ✨magic✨.

DNS isn't technically an API although, with enough effort, you could make it behave like one³.

So - how would you do it?

Domain names, like www.example.com usually resolve to servers. As much as we think of "the cloud" as being some intangible morass of ethereal Turing-machines floating in probability space, the more prosaic reality is that they're just boxen in data centres. They have a physical location.

Got a tricky machine which is playing silly-buggers? Wouldn't it be nice to know exactly where it is? That way you can visit and give it some percussive maintenance.

Enter the DNS LOC record!

The snappily titled RFC 1876 is an experimental standard. It allows you to create a DNS record which specifies the latitude and longitude of your server. Of course, some data-centres are very tall and some are underground. So it also contains an altitude parameter.

The standard allows for a minimum altitude of -100,000 metres - deep enough for any bunker! The maximum altitude is 42,849,672 metres which is high enough to allow it to be used on satellites in geostationary orbit.

So, as a bit of fun, I decided to create where-is-the-iss.dedyn.io

It isn't a website. You can't ping it. There's no way to interact with it except by using DNS. Yup! You can use a DNS query to get the (approximate) location of the International Space Station!

Linux and Mac users⁰ can run:

dig where-is-the-iss.dedyn.io LOC

And receive back the latest position of the ISS:

;; ANSWER SECTION:
where-is-the-iss.dedyn.io. 1066 IN  LOC 47 24 53.500 N 66 12 12.070 W 430520m 10000m 10000m 10000m

The DNS records are updated every 15 minutes on a best-effort basis¹.

How

The lovely people at N2YO have a website which allows you to track loads of objects in orbit. They also have an easy to use API with a generous free tier.

Calling https://api.n2yo.com/rest/v1/satellite/positions/25544/0/0/0/1/&apiKey=_____ gets back the latest position:

{
    "info": {
        "satname": "SPACE STATION",
        "satid": 25544,
        "transactionscount": 7
    },
    "positions": [
        {
            "satlatitude": -21.25409321,
            "satlongitude": 140.3335763,
            "sataltitude": 420.09,
            "azimuth": 292.92,
            "elevation": -70.95,
            "ra": 202.69300845,
            "dec": -32.16097472,
            "timestamp": 1751366048,
            "eclipsed": true
        }
    ]
}

Note that the altitude is in Km, whereas the LOC format requires m.

The latitude and longitude are in decimal format - they need to be converted to Degrees, Minutes, and Seconds.

There were only a few free domain name providers who offer an API for updating LOC records. I went for deSEC a charity from Berlin. They have comprehensive API documentation.

Adding the initial LOC record is done with:

curl https://desec.io/api/v1/domains/where-is-the-iss.dedyn.io/rrsets/ \
    --header "Authorization: Token _______" \
    --header "Content-Type: application/json" --data @- <<< \
    '{"type": "LOC", "records": ["40 16 25.712 S 29 32 36.243 W 427550m 0.00m 10000m 10m"], "ttl": 900}'

However, updating the record is a little trickier. it needs to be sent as an HTTP PATCH to a subtly different URl. The PATCH only needs to send the data which have changed.

curl -X PATCH https://desec.io/api/v1/domains/where-is-the-iss.dedyn.io/rrsets/@/LOC/ \
    --header "Authorization: Token _______" \
    --header "Content-Type: application/json" --data @- <<< \
    '{"records": ["40 16 25.712 S 29 32 36.243 W 427550m 0.00m 10000m 10m"]}'

I set the Time To Live at 900 seconds. Every 15 minutes my code runs to update the record². That keeps me well within the API limits for both services. I could add TXT records showing when it was last updated, or other sorts of unstructured data, but I think this is enough for a quick proof-of-concept.

There you have it! A complex and silly way to demonstrate how DNS can be used to hold the most unlikely of records³. Say, I wonder how you'd represent the co-ordinates of the Mars Rover…?

Further Reading

For more DNS weirdness, please see my other posts:

• BIMI - SVG in DNS TXT WTF?!
• Why you can't dig Switzerland

{<((https?|ftp|dict|tel):[^\'">\s]+)>}i

I'm familiar with HTTP and FTP. I worked in the mobile industry, so knew that tel:+44... could be used to launch a dialer.

But DICT?!?!?!

It turns out that, lurking on the Internet are Dictionary Servers! They exist to allow you to query dictionaries over a network.

For many years, the Internet community has relied on the "webster" protocol for access to natural language definitions. […] In recent years, the number of publicly available webster servers on the Internet has dramatically decreased. Fortunately, several freely-distributable dictionaries and lexicons have recently become available on the Internet. However, these freely-distributable databases are not accessible via a uniform interface, and are not accessible from a single site.

The (informal) standard was published in 1997 but has kept a relatively low profile since then. You can understand why it was invented - in an age of low-size disk drives and expensive software, looking up data over a dedicated protocol seems like a nifty² idea.

Then disk size exploded, databases became cheap, and search engines made it easy to look up words.

How it works

You can try it out today!

Run this command in your terminal:

curl dict://dict.org/d:Internet

That will bring back the definition from the server's default dictionary. If you want to look up a word in a specific dictionary - like The Jargon File - you can run:

curl dict://dict.org/d:Internet:jargon

You can even use it for simple translation tasks. For example, to translate English to Japanese:

curl dict://dict.org/d:Internet:fd-eng-jpn

What Else?

Perhaps the easiest way to explore the protocol and server is to use telnet:

telnet dict.org dict

Type the command HELP and help ye shall receive:

113 help text follows
DEFINE database word         -- look up word in database
MATCH database strategy word -- match word in database using strategy
SHOW DB                      -- list all accessible databases
SHOW DATABASES               -- list all accessible databases
SHOW STRAT                   -- list available matching strategies
SHOW STRATEGIES              -- list available matching strategies
SHOW INFO database           -- provide information about the database
SHOW SERVER                  -- provide site-specific information
OPTION MIME                  -- use MIME headers
CLIENT info                  -- identify client to server
AUTH user string             -- provide authentication information
STATUS                       -- display timing information
HELP                         -- display this help information
QUIT                         -- terminate connection

250 ok

That will allow you to see all the dictionaries available - in a variety of languages - and the various commands you can use with them.

Unanswered Questions

0. Are there any other Dictionary Servers still available on the Internet?
1. Did the Webster Protocol get specified outside of obscure source code?
2. Is there something interesting and modern one could do with a DICT server?

Long-time readers of this blog will know that it's possible to register .me.ss domain names - there are various other 3rd level domains you can buy.

But, from the 1st of August 2024, you'll be able to apply for a 2nd level. So you'll be able to grab example.ss.

Here's the official announcement.

As per normal for a new TLD, there will be a period where organisations with Trade Marks can register their domains. Then a period where anyone with sufficient cash can register their cool idea for a domain. Then it opens up to everyone.

So what will they cost? Afriregister provided these prices:

For comparison, their .me.ss domains are only €25.

Registrations will only be allowed in ASCII - which means no IDNs. The majority of the languages officially recognised in South Sudan appear to be written in the Latin script, so that shouldn't be a huge issue.

As is common with all other TLDs, there is a list of words which will not be allowed to be registered.

Applications will not be accepted for domain names appearing on the Second Level Domain (SLD) block list.

When I previously investigated this, there were lots of names which weren't available due to local politics. Although there is an archived version of the list of banned words (PDF), the modern SLD Block List appears to have vanished from the registry. I've asked them for an updated list which I'll link to once I get it.

I think it is fair to say that the .ss TLD has had a tumultuous history. There hasn't been much discussion of this change in policy since the announcement a few weeks ago - but I hope that this opening up will help South Sudanese people & businesses to establish their own distinct presence on the Internet.

But, over the years, ISPs shut down their bundled web offerings. Even their bundled email services went on the chopping block. This is sad, but understandable. Most people unbundled their email so they didn't need to stick with the same ISP. Why have user@isp.example when you could have a GMail address?

And, indeed, why host data with your ISP when you could just use Facebook?

For most people, Facebook is a pretty good personal website. You can post your photos and have your friends & family see them. You can write long heartfelt rants about your teenage melodrama. You can put up the opening times of your new business. You can even host a discussion board around a specific topic.

Now, don't get me wrong, there are a few problems with Facebook¹. All your faves are problematic. But I think it shows that people want the benefits of personal websites, even if they don't want the hassle of running those websites.

What does the world look like if a country offers its citizens a Universal Basic Website? Similar to Universal Basic Income, a no-questions asked entitlement to a chunk of the Web. Perhaps a generic subdomain, some storage space, and an easy to use interface?

Oh, sure, there are lots of technical issues. You'd probably have to make sure people weren't running unapproved scripts. Moderation of prohibited content would be contentious. Tech support would be a nightmare. Some corrupt company would get billions to run a sub-standard service. A failed backup or a hacker would wipe out your bakery's recipes.

But...

We accept that there are common spaces in the real world² where people can have fun without paying. Anyone can go to a park. Anyone can stick a flyer up on a community notice board. We let kids ride the bus for free.

Can we do the same in cyberspace?

You can read some other peoples' thoughts on this Mastodon thread.

In amongst all the other offers, they asked whether I would be interested in paying more for symmetric Internet speeds!

Here are some of the offerings they proposed. I must not that these are from a market research exercise. Whether they'll ever launch, and whether the prices are accurate, is something we'll have to wait to see.

As I've mentioned before, I like my 500Mbps down - but the 50Mbps upload is a bit of a drag. So I eagerly answered "yes" to anything that looked like faster upload bandwidth.

I've no idea if this will actually materialise. And I can only hope those prices are realistic.

If you're interested in joining Virgin Media, you can get £50 if you join with my link.

The Internet uses Top Level Domains (TLD) to organise information into hierarchies. This website uses .mobi - you may also be familiar with .com for commercial entities, or .de for German pages.

The World Wide Web uses HyperText Markup Language (HTML) to structure web pages. For example <footer> to display a footer, or <ol> for an ordered list.

There is absolutely no relationship between the two sets of entities. But, just for fun, are there any HTML elements which happen to be false friends of the TLDs?

Before we go any further, have a quick think. How many do you reckon there are? Are there some which spring to mind immediately?

Obviously, the first port of call is AI. Its mastery of all things means that we can get an accurate answer in a nanosecond.

Oh.

Right, let's compare the Element Reference with the Root Zone Database.

There are fifteen current HTML elements which have a match with a TLD. And a couple which are deprecated. Here they are:

And the ones which are no longer valid HTML:

Is that more than you expected? Less? Are there others which you think should be TLDs? Should HTML get a <uk> element post-Brexit? Have I missed any?

Comments in the usual box.

If you've read any of his fiction, or listened to him talk, you'll know what to expect. An overview of how big tech has screwed us over and the consequences of those machinations. Unlike other writers, Doctorow provides eminently practical solutions.

Now, some of the solutions you'll be unable to implement unless you're an elected official. So now's a great time to write to your representative and ask them to take action.

He is relentless at pointing out the hypocrisy of big tech - fighting to carve out exceptions for themselves which they then deny to others. We get a full-on historical lesson about the VCR and how the fight for the right to party infringe copyright was won and lost several times.

I spent many years working inside the UK Government pushing the agenda of open standards and interoperability. So it was particularly gratifying to read:

Governments can—and should—have rules about interoperability in their procurement policies. They should require companies hoping to receive public money to supply the schematics, error codes, keys and other technical matter needed to maintain and improve the things they sell and provide to our public institutions.

That's what I did! It is getting better - but it is work that will never be finished.

Similarly, he accurately describes the problems with Standards Development Organisations:

standardization meetings and forensic examinations of firewall errors—is supremely dull. It combines the thrill of bookkeeping with the excitement of Robert’s Rules of Order.

I've been a member of many and - yes - that's exactly what it is like. But, I take slight issue at some of his suggestions on this topic. The ideal SDO has to be a compromise. No one gets to walk away entirely happy. This is the eternal "Devil's Bargain" - we all exchange a little bit of what we want in order to get closer to what we need. I'm not sure there's any way around that without centrally mandating specific technical choices.

Indeed, he goes on to say:

We won’t fix anything by demanding the impossible and shouting “nerd harder!” when tech companies fail to produce it. Nor will we fix anything by taking the tech industry at its word when it tells us that effective policies are flat-out impossible.

I'm a boring practicalist. At some point we need to do what works, even if it is ideologically unpleasant.

One of the things that Cory does well is "steelman" his opponents' arguments. He's excellent at taking on some big topics (CSAM and Blockchain, for example) and giving their proponents the benefit of the doubt⁰. And then he forensically takes them apart.

Cory's writing style is like his spoken style. The poetic rhythm is almost palpable - as is his love for sarcastic asides. It makes this - admittedly short - book supremely quick to read. I feel greedy asking for more - but the book does end rather abruptly.

If you work in tech, or go anywhere near tech-policy, this is a must read. It gives you the history of how we got here, explains the problems happening now, and warns about an uncertain future.

• The eBook is currently on sale for £4.50 from the publishers.
• You can follow Cory Doctorow on Mastodon @pluralistic

Foolishly, I missed the 10 year anniversary, but let's see how we're doing against those predictions a little over halfway through.

My prediction for the Web?

The same speed. Faster pipes & processors – more bloated markup & JS.

Well... fuck! Bang on the money there. The web is faster than it was on dial-up. But I can't say that it's noticeably better since I got ADSL. Sure, it's faster to download big files and stream 4K video. But for day-to-day browsing? Between the unoptimised "hero" images, multi-megabytes of JS, and thousands of trackers, it sometimes feels like we've taken a step backwards in speed.

We all know that bloat expands to fill available bandwidth. But perhaps we could rein it in a little? Please?

A few of the predictions are already here. Better, smarter phones. Computers becoming pervasive and invisible. And, yes, lots of cat gifs.

Some of the other predictions are - I think it's fair to say - not quite on track.

We haven't returned to an AOL model where AT&T charge us per minute. And I don't see any path to that.

Internet censorship is a tricky one. There are some countries which routinely shut off net access. There's still a cat-and-mouse game with pirates. There are still people crying censorship when their inflammatory posts are removed. But, outside of a few jurisdictions, you remain as free as ever to criticise whoever you want.

Holograms aren't even close to real. And, no, Facebook's laughable attempts at the MeTAvErSe don't count. Perhaps Apple's iBalls (or whatever they're called) will get us to that point before 2031? But I doubt it.

There are a lot of predictions about 3D printers. Look, they're pretty nifty, but it is clear that most homes don't need an endless supply of rapidly printed plastic doodahs.

Finally, there are a couple which I still think are feasible by 2031. Take this one from Santiago Ochoa:

Companies like Google, Facebook, PayPal, Amazon, will create virtual currency systems linked to our social reputation. The more friends, posts, contacts, and comments we have, the more +1s, “like it”s or whatever points we’ll accumulate. These points will then be used to buy real things like you do now with PayPal and Amazon. Good social communicators will be able to make a living out of social networking points. Similar to Second Life but not limited to a virtual world. Our cell phones will be used as wallets and even some salaries will be paid with virtual money.

Social credit scores aren't mainstream… yet. But Twitter is experimenting giving revenue to some posters based on their social reach. Facebook's currency dreams are dead for now, but I bet another social network will try to use virtual money as its hook. Some people are, no doubt, being paid in volatile cryptotokens. And many of us use our phones as tap-to-pay wallets.

There's also this by Pedro Henrique Monteiro Padilha:

Internet will more and more allow people to work to companies on other countries or continents. It will also create a new way for all our social behavior, we will have web shows and maybe web pubs. The large bandwidth will help us connecting everywhere and we will no longer need TV as we know. Every TV show will be a stream to be brought in different languages.

That's pretty much the Covid experience, isn't it? Remote working, Zoom quizzes, livestreaming, and endless Netflix. Perhaps by the end of this decade streaming services won't be geo-restricted and decent subtitles will be available to all?

It's fun to see how accurate people's guesses are. But making predictions is usually less about future gazing and more about understanding our current reality. It isn't about being right or wrong - it's about daring to dream of something brighter than today.

You see computers try to be helpful. They see you wrote "visit example.com" and autolink the thing which looks like a domain name. That's handy - especially as most people don't have the time or skill to write HTML.

So what happens when things which are not domain names look like they are domain names? I've been worrying about this for a few years:

Terence Eden is on Mastodon

@edent

Grrr... Because .zip is a valid TLD, it's impossible to know whether example.zip should be a URL or a filename.

---

Right now there is an old tweet, blog, email, or instant message from an authority figure which points to a non-existent .zip domain.

Is that domain available to buy? Well, let's look at Google's Domain Availability site

(No, I don't know where the missing "T" is either.)

Yup! OK, premium domains like photos.zip appear to be about £1,000 - which should put off some scammers. But the price for non-premium .zips is between £10-£30.

Look, I doubt a former president ever Tweeted "Hey, anyone know how I extract files from something called blah.zip on a Mac?" but I'll bet you that something, somewhere, is going to be abused with this new TLD.

I feel like a curmudgeonly old fart. Don't we have enough TLDs? What's the limit? There are very few meaningful controls on who can register all but the most retrictive TLDs (looking at you, .int!) So at what point do we just give up and same everyone can have their own Top Level?

Anyway, have fun determining if the link you see was ever intended to link to a website!

Generally speaking¹, clients (like browsers) talk to servers using a set number of HTTP "verbs". This tells the server what sort of thing the client is trying to do.

The two most popular² verbs are probably POST - which lets you send data to a server - and GET - which lets you get data back from a server.

There are other HTTP verbs like DELETE to delete data, and PATCH to change data. But it is a fairly limited set of actions.

What would be some interesting or useful verbs to add to HTTP's vocabulary?

Payments

I think the most obvious one would be BUY.

A client sends a GET request to a server. The server responds with HTTP Status 402 Payment Required which includes payment details. The client sends BUY along with confirmation that they've sent the payment³. The server responds with the content.

Mistakes

What about if you make a mistake using POST, PUT, or DELETE? Wouldn't you like to use HTTP UNDO?

Terence Eden is on Mastodon

@edent

Your deepest wish comes true and you get to add one more HTTP Verb to the specification.

Which one do you choose?

---

Buy: (6)
6
Forgive: (10)
10
Prevaricate: (20)
20
Something else - what?: (12)
12

---

ཀ།༨ཇ ་།་འ།སབཇའ

@chthonicionic

Replying to @edent@edent Possibly it’s forgive, but … UNDO

---

Let's not get in to a discussion about idempotency⁴

Halt And Catch Fire

Some CPUs have peculiar instructions which can be (ab)used to make them self-destruct. So why not extend that to HTTP⸮

<https://twitter.com/whalecoiner/status/1562878271960002560>

Remember that scene in every Star Trek movie where the captain shouts "Computer! Initiate self-destruct sequence. Confirmation code Heliotrope Banana Daguerreotype." Let's extend that so that clients can request that a (virtual?) machine shuts down.

Won't you please please help me?

APIs - and other services - are sometimes difficult to use. In the Linux⁵ world we just type -h or --help after every command and get some more-or-less useful help text.

So what about HTTP HELP? Return a machine- or human-readable document explaining what commands the server responds to. Pretty sure that'd be useful.

Who are you? Who? Who?

Cookies have gotten out of hand. And, frankly, they're a security disaster. Why should a server send a client a token to store? Let's reverse that with HTTP REMEMBER.

The client sends the server a suitably complex string and a validity period. The server is then compelled to remember the client's authorisation. Perfect⁶!

And when you want to log out, an HTTP FORGET is easier than clearing your cookies. Imagine that, a log-out button in your browser which worked everywhere...!

Over to you

So, if you were made God-Emperor-For-Life of the IETF, which new HTTP verbs would you add?

BIMI (Brand Indicators for Message Identification) is a new standard that can curb the issue of online impersonators. ... BIMI is a new standard that enables you to include your company’s logo alongside the emails you send. That way, your brand stands out among other emails, and your customers are sure that the emails are legitimate.

How To Create a BIMI record

Wow! Much innovation! Such security! There's no way a fraudster could put a bank's logo on their dodgy spam, right?

*sigh*

OK, so in order for this not to be abused, most email providers require brands to pay for an expensive Verified Mark Certificate (VMC) - a digital certificate which says that you are the trademark owner of the logo.

How much does it cost?

US$1,499.00

Per year! No wonder no one is using BIMI.

Then it's just a case of sticking something like this in your DNS TXT records:

v=BIMI1;
l=https://example.com/logo.svg;
a=https://example.com/certificate.pem

That's nice, and all, but I don't think I've ever seen one in the wild. Even the BIMI Group haven't bothered paying for the VMC!

One of the few organisations who have set this up correctly is DigiCert. Because they're one of the orgs you can buy this service from.

dig txt default._bimi.digicert.com will get you:

;; ANSWER SECTION:
default._bimi.digicert.com. 3600 IN TXT 
   "v=BIMI1; 
    l=https://www.digicert.com/resources/DigiCertLogo_WhiteOnBlue.svg; 
    a=https://cacerts.digicert.com/digicert_com_vmc_WhiteOnBlue.pem"

You can read the PEM certificate using: openssl x509 -in digicert_com_vmc_WhiteOnBlue.pem -noout -text

Inside, you'll find this nugget:

data:image/svg+xml;base64,H4sIAAAAAAAACo1XXW/jRhJ8tn8FwzwF4NDzzaFhb3BRckmADRAgwL4eHFoxhePZhqiVN/…

Hmmm… H4sIAAA is the start of a base64 encoded zipped string.

Once decoded and unzipped, we find… the SVG logo!

It's fairly obvious that people want a nice logo next to their email in your inbox. If you're on GMail, you're probably used to seeing your friends faces smiling back at you. But that only works if everyone is on the same email system. So BIMI is a reasonable idea for a cross-provider standard.

Downsides

There are several problems with BIMI.

The first is cost. If it were free then AbsolutelyYourBank@trust_me.biz could use the HSBC logo with impunity. I'm sure an extremely dedicated fraudster could spend the $1.5k and fool DigiCert into certifying their illegitimate use of someone else's logo. But it's unlikely to happen.

There's also a privacy issue. Because the BIMI logos are stored on a website, the website owner could track when they were downloaded and use that to work out who was reading their emails. Thankfully, both GMail and Yahoo proxy the images - so the provider doesn't get any additional analytics benefit.

Support is poor in GMail. Here's an email from LinkedIn: As you can see, the BIMI logo is displayed by the email address - but is absent in the contact view.

Finally, DNS TXT records are limited to 255 bytes of data. That's why logos are restricted to being (fairly short) links.

Is it worth it?

I think the marketplace of ideas has answered this with a fairly resounding "no".

You can track adoption at BIMIBRadar.

It would be great to stick your face, logo, or picture next to every email you send. But the risk from fraudsters is just too high.

The cost of certification is necessary to stop misuse - but that also means that smaller brands and individuals are locked out. Which isn't what we want from an open Internet.

There's no worldwide brand registry which can certify your use of an image. And, even if there were, it would be a huge single-point-of-failure.

The conversation about BIMI chugs on in IETF mailing lists. Do get involved if you think you have something of value to add.

The humble unix dig command allows you to query all sort of DNS information. For example, to see name server records for the BBC website, you can run:

dig bbc.co.uk NS

Which will get you:

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35614
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 17

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 097db2ee4c92b84982083ecf62b5b5f2007906e616035113 (good)
;; QUESTION SECTION:
;bbc.co.uk.         IN  NS

;; ANSWER SECTION:
bbc.co.uk.      900 IN  NS  ddns1.bbc.com.
bbc.co.uk.      900 IN  NS  dns0.bbc.co.uk.
bbc.co.uk.      900 IN  NS  ddns1.bbc.co.uk.
...

And a whole lot more. But you can go further down the DNS tree. What are the nameservers for .co.uk?

dig co.uk NS

And you'll get your answer. You can go one further and see the nameservers for the Top Level Domain:

dig uk NS

Which replies with:

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54061
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 17

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 880427eda8ff71de2ab4f43862b5b65f95e317d29cc10a8e (good)
;; QUESTION SECTION:
;uk.                IN  NS

;; ANSWER SECTION:
uk.         159692  IN  NS  nsc.nic.uk.
uk.         159692  IN  NS  dns1.nic.uk.
uk.         159692  IN  NS  nsd.nic.uk.
...

And that works with every TLD. Countries like de, generic names like museum, and internationalised domains like 在线. All of them work!

Except Switzerland.

Switzerland's country code is ch - after the name Confoederatio Helvetica. Let's run the dig on it: dig ch NS

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 31910
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

We have been refused and warned. But why does this only happen with Switzerland?

The blame - as with most modern ills - lies in the mid-1970s. The Bee Gees were storming the charts with "Jive Talkin'", the Rocky Horror Picture Show was gathering a cult following, and MIT scientists were causing chaos. Literally.

Chaosnet was an early network protocol designed for local networks. It was technically very clever but, sadly, never really took off.

However, it found its way into DNS records. Let's go back to the answer to dig bbc.co.uk NS:

;; ANSWER SECTION:
bbc.co.uk.      900 IN  NS  ddns1.bbc.com.

OK, the first part is the domain name. The number is the TTL. The IN is the class. The NS says this is a nameserver record. And, finally, we get the domain of the nameserver.

But, in the class, what does IN stand for?

"Internet", obviously. Wait... Isn't the DNS on the Internet? Why do we need to specify that these DNS records are for Internet?

Well, isn't it obvious? Because you might want records of a different network. Like, for example, Chaosnet.

And if Internet is abbreviated to IN, what is Chaosnet shortened to? That's right! CH.

So, dig sees you enter ch for Switzerland, but thinks you're asking about CH for Chaosnet. And so it fails.

In order to query the records for ch we need to provide an absolutely fully-qualified domain name. It's as simple as sticking a dot at the end of the domain name:

dig ch. NS

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64932
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 11

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: e19b9c23cdfa0f7bcf82750462b5c16b47744386c7974ffb (good)
;; QUESTION SECTION:
;ch.                IN  NS

;; ANSWER SECTION:
ch.         164894  IN  NS  e.nic.ch.
ch.         164894  IN  NS  a.nic.ch.
ch.         164894  IN  NS  f.nic.ch.

And there we go. A failed 1970s experiment like bell-bottoms and Betamax videos - but with much longer lasting consequences.

You can see some CH records by running like:

dig ch txt @f.root-servers.net version.bind

That will get you something like:

;; ANSWER SECTION:
version.bind.       86400   CH  TXT "cloudflare-f-root-20190930"

Of course, DNS doesn't only have IN and CH class records.

There's also Hesiod - HS. But you already knew that, right...?

Obviously what those naughty drone operators are doing is despicable. Imagine cheating bookmakers out of their hard-won profits by using technology! Awful!

But it reminded me of an earlier story. Much earlier!

Tom Standage wrote a brilliant book called "The Victorian Internet". It talks about how the invention of the telegraph upended all sorts of social conventions - in much the same way as the popularity of the Web did at the end of the last century.

Provincial bookmakers used to accept bets long after the race was over. They would wait until the information was transmitted to them via telegraph. To prevent regular punters sending the winning horse's name back to their accomplices, the telegraph companies simply banned unauthorised people from transmitting racing results. But there was plenty of cunning to be had…

Here's an excerpt from Tom's book:

One story from the 1840s tells of a man who went into the telegraph office at Shoreditch station in London on the day of the Derby, an annual horse race, and explained that he had left his luggage and a shawl in the care of a friend at another station—the station that just happened to be nearest the racetrack. He sent a perfectly innocent-sounding message asking his friend to send the luggage and the shawl down to London on the next train, and the reply came back: "YOUR LUGGAGE AND TARTAN WILL BE SAFE BY THE NEXT TRAIN." The apparently harmless reference to "TARTAN" revealed the colours of the winning horse and enabled the man to place a bet and make a hefty profit.

You can read more about this in "The London Anecdotes for All Readers" published in 1848.

I wonder what the next innovation will be which exploits information asymmetry?

Some of my devices have consolidated. My Eufy security cameras have a hub - so despite having more cameras, They're using fewer IP addresses. Similarly, I've replaced most of my LIFX bulbs with Zigbee which also use a hub-and-spoke model.

So these are the devices I currently have connected:

1. Video Doorbell
2. Solar Battery
3. LIFX bulb in external light
4. Security camera
5. EInk display
6. Alexa
7. Robot vacuum cleaner / mop
8. TV
9. Android TV box
10. Amazon Fire TV stick
11. Chromecast
12. Internet Connected Record Player (yes! Really!)
13. PS4
14. Nintendo Switch
15. AV Amplifier
16. Another Alexa
17. Home server
18. Eufy Cameras Hub
19. Philips Hue Light Hub
20. Internal LIFX bulb
21. Smart heating control
22. Office TV
23. Wife's work laptop
24. Wife's personal laptop
25. Wife's phone
26. My work laptop
27. My personal laptop
28. My phone
29. My tablet
30. Power strip
31. Lifx lamp
32. Internet connected plasma ball
33. Gym TV
34. Another robot vacuum cleaner
35. Internet connected electric blanket (my side)
36. Internet connected electric blanket (her side)
37. Solar panel inverter

We have a lot of smarthome kit! I've probably forgotten some. And I haven't counted my various Raspberries Pi and obsolete computers. But we're only a family of two. Larger families are likely to have more phones, tablets, and many other devices.

Is the future the "hub" model? Most of these devices don't need a power-hungry WiFi connection. Keep the airwaves clear for high-bandwidth devices and move everything to ZigBee or similar?

Either way, the number of devices in a typical home is only going to increase. What do we need to do to prepare for that?

I'm trying to give up my mobile phone contract. As part of that, I'm switching my voice calls to VoIP providers. For family and friends, that usually means WhatsApp, Skype, Signal and other consumer apps. For work, Hangouts, Zoom, and Skype.

But what about "normal" people who just want to dial a PSTN number?

And what about "abnormal" people who want to dial my VoIP directly?

These are my experiments using the OnePlus 5T running Android 10, using the native Android dialler.

Inbound PSTN to SIP - working!

In my previous blog post - Adding SIP calls to Android for free! - I described how to get set up with a free SipGate Basic account.

Now, if people ring a landline phone number, it redirects to my SIP. Which means my Android phone just starts ringing and I can answer like normal. It works even if I only have WiFi coverage. Magic!

Outbound SIP to PSTN - working!

Just works! Using SipGate I can call out from my phone - assuming I've told Android to let me pick which SIM to call from.

Or, I can go to the SipGate website and type in a phone number. My SIP line calls me and, once I'm connected, calls out to the other number.

As a bonus, their per-minute call rates are much cheaper than my mobile provider!

Sadly, SipGate don't support SIP-to-SIP calls. So I've set up another SIP account on my phone.

Inbound SIP to SIP - working!

Most SIP provider websites are terrible. The least-worst one that I found which was offering free pure-SIP accounts was IPTEL.org.

People with SIP phones can call me directly on edent@iptel.org. Woo!

Outbound SIP to SIP - broken 😞

When I try to call a SIP number using my IPTEL account, nothing happens.

Android asks which "SIM" I want to call from. I get a dialler screen, but it never connects. There's no ringing. No error tone. Nothing.

I'm on my home WiFi with no port filtering. I don't have a VPN running. I'm trying to call music@iptel.org - a SIP account which just plays music. I can call it from my desktop and mobile browser using the free jssip.net website.

But if I try the same thing using my phone SIP dialler - it never connects. I've tried calling a friend's SIP number - and it never connects. I've tried with and without and outbound proxy. Still nothing.

I can obviously make SIP calls via SipGate - but that only goes to the PSTN.

I can receive SIP calls - whether originating from the PSTN or other SIP users.

Perhaps IPTEL don't support it? I tried LinPhone - but that couldn't make SIP calls either, unless I downloaded their Android app. Even that was a bit iffy.

In my whole circle of telco geeks, I only found three people with SIP accounts. I could only make calls to one of those. The others failed to connect - but there was no useful info in their logs. Huge thanks to Ben and Matt for helping me test.

I'm done

At which point, I'm beaten. I'm going to give up trying to make SIP to SIP calls. As it happens, I only know one person who regularly uses their own SIP account. Hi Neil!

• I accidentally won a load of vinyl on eBay, and
• I bought the cheapest record player I could find.

The record player has USB output. So I shoved it into a Rock Pi S - an SBC similar to a Raspberry Pi - to broadcast vinyl all over my house via ChromeCast! Here's how.

Detect the audio

Install alsa-utils if they're not already present.

Find your hardware with

arecord -l

One of the outputs should be:

card 2: Microphone [USB Microphone], device 0: USB Audio [USB Audio]
  Subdevices: 1/1
  Subdevice #0: subdevice #0

In this case, we want Hardware Card 2, Device 0. From now on, we'll refer to this as hw:2,0. Yours may be different.

Record a sample from the input. Make sure the record player is playing music!

arecord  --device="hw:2,0" -d 10 -f dat -t wav test.wav

That will record a 10 second WAV file at the best possible audio resolution. Check that it has worked by playing back the WAV on a different computer.

Install Icecast

Icecast is a terrible bit of software with no sensible user documentation or guide. Install it with:

sudo apt install icecast2

It should prompt you for some information. And then it will start in the background automagically. If not, run:

/etc/init.d/icecast2 start

You can edit the default config with:

sudo nano /etc/icecast2/icecast.xml

Here's a minimal config. This The admin username is admin and all the passwords are password - you probably want to change that! The hostname is set to the IP address of the Pi, 192.168.0.123:

<icecast>
    <hostname>192.168.0.123</hostname>
    <location>Earth</location>
    <admin>icemaster@localhost</admin>
    <limits>
        <clients>100</clients>
        <sources>2</sources>
        <queue-size>524288</queue-size>
        <client-timeout>30</client-timeout>
        <header-timeout>15</header-timeout>
        <source-timeout>10</source-timeout>
        <burst-on-connect>1</burst-on-connect>
        <burst-size>65535</burst-size>
    </limits>
    <authentication>
        <source-password>password</source-password>
        <relay-password>password</relay-password>
        <admin-user>admin</admin-user>
        <admin-password>password</admin-password>
    </authentication>
    <listen-socket>
        <port>8000</port>
    </listen-socket>
    <http-headers>
        <header name="Access-Control-Allow-Origin" value="*"/>
    </http-headers>
    <fileserve>1</fileserve>
    <paths>
        <basedir>/usr/share/icecast2</basedir>
        <logdir>/var/log/icecast2</logdir>
        <webroot>/usr/share/icecast2/web</webroot>
        <adminroot>/usr/share/icecast2/admin</adminroot>
        <alias source="/" destination="/status.xsl"/>
    </paths>
    <logging>
        <accesslog>access.log</accesslog>
        <errorlog>error.log</errorlog>
        <loglevel>3</loglevel>
        <logsize>10000</logsize>
    </logging>
    <security>
        <chroot>0</chroot>
    </security>
</icecast>

To restart after making changes, run:

/etc/init.d/icecast2 restart

If you visit http://your_server_ip:8000 then you should see a boring interface. You can't do anything with it yet.

Install Ice2

Icecast is a server - but you also need a client to broadcast audio to the server. Annoying that Icecast doesn't come with one. And annoying that there's no tutorial to tell you all this.

sudo apt install ice2

I followed this tutorial. Basically, create a file called ice.xml with this in it:

<ices>
    <stream>
        <input>
            <module>alsa</module>
            <param name="rate">48000</param>
            <param name="channels">2</param>
            <param name="device">hw:2,0</param>
        </input>
        <metadata>
            <name>@edent's record player</name>
            <genre>Live Vinyl</genre>
            <description>Listen to what's on my record player</description>
            <url>http://192.168.0.123:8000</url>
        </metadata>
        <instance>
            <hostname>192.168.0.123</hostname>
            <port>8000</port>
            <password>password</password>
            <mount>/vinyl.ogg</mount>
            <yp>1</yp>
            <encode>
                <quality>10</quality>
                <samplerate>48000</samplerate>
                <channels>2</channels>
            </encode>
            <downmix>0</downmix>
        </instance>
    </stream>
    <background>1</background>
    <logpath>.</logpath>
    <logfile>ices.log</logfile>
    <logsize>2048</logsize>
    <loglevel>4</loglevel>
    <consolelog>0</consolelog>
</ices>

Now run ices2 ice.xml - it will run in the background.

The admin page of Icecast should now have something like this: You can now play the audio via the HTML5 player on the page - or open the M3U in VLC.

ChromeCast Broadcast

For my home AV set-up, the easiest way to broadcast audio to my amp is to use its built-in ChromeCast Audio.

There are loads of solutions, but the easiest to use was PyChromeCast. Once installed, it can stream audio from IceCast to a ChromeCast. Bit convoluted, but it works!

To discover ChromeCasts on your network, run python3 then enter these commands:

import time
import pychromecast
pychromecast.discovery.discover_chromecasts()

You'll get a list of ChromeCasts on your network. Mine showed:

[('192.168.0.789', 4321, UUID('5632e20d-1030-4885-ad3d-496504b7c820'), 'Pioneer VSX-933', 'Pioneer VSX-933 ABC1234')]

We want the ChromeCast's ID - which is the 4 digit int. Back to Python

pychromecast.get_chromecasts(4321)

You'll get a bit more debug data:

[Chromecast('192.168.0.789', port=4321, device=DeviceStatus(friendly_name='Pioneer VSX-933 ABC1234', model_name='Pioneer VSX-933', manufacturer='Onkyo And Pioneer', uuid=UUID('5632e20d-1030-4885-ad3d-496504b7c820'), cast_type='cast'))]

This supports cast - good!

Now we can send the audio to the ChromeCast

cast = pychromecast.get_chromecasts(4321)[0]
cast.wait()
mc = cast.media_controller
mc.play_media('http://192.168.0.123:8000/vinyl.ogg', 'audio/ogg')

Success! Vinyl ➡️ USB ➡️ ALSA ➡️ IceCast ➡️ Ogg ➡️ Ethernet ➡️ WiFi ➡️ ChromeCast ➡️ Speakers.

Is it worth it?

Depends. Do you like lossy, crackly vinyl, smushed down to OGG, flown across a network, then digitally reprocessed into luscious 5.1 surround sound with a 4.5 second lag?

Meh.

But we've now entered the (permanent?) work-from-home era. If you're anything like me, you're spending more time broadcasting video than you ever did before. It's painfully obvious when you're stuck on a video call with someone who has restricted upload speeds. Blocky video and garbled sound - getting worse if more people in the household are streaming at once.

Almost all ISPs sell connections this way. And, to be fair, it made sense. But it's increasingly difficult to justify. Gamers want to stream, TikTokers want to meme, and boring old farts like me want HD video calls.

Before this all kicked off, I took the fastest upload package I could find.

Over 300Mbps down is swish! And the 35 up is pretty decent - especially if both my wife and I are on calls. But I'd gladly trade some of my download speed for a faster upload speed.

So which mainstream ISP will be the first to market symmetric - or better - speeds for home workers? BT is apparently trialling it as part of their fibre roll out.

Of course, if you're permanently working from home, perhaps it makes sense for people to go back to having a dedicated, separate line for work?

Either way, broadband speeds will have to change soon. People are beginning to send more data than ever before.

I find this an interesting development. It is well known that people often confused the Net with the Web. Hence the need for these "explanatory" t-shirts:

Of course, the original meaning of Netizen was something quite different.

Netizens are the people who actively contribute online towards the development of the Net and discuss the nature and role of this new communications medium.

Netizens are people who decide to devote time and effort into making the Net, this new part of our world, a better place.

Lurkers are not Netizens, and vanity home pages are not the work of Netizens. While lurking or trivial home pages do not harm the Net, they do not contribute either.

CMC Magazine - 1996

So, I suppose, Webizen makes more sense. The Web has won. Nearly everything on the 'Net uses HTTP to communicate. Ports 80 and 443 reign supreme.

Two thousand years ago, the proudest boast was civis romanus sum. Today, all free people, wherever they may live, are citizens of the Internet, and therefore, as a free man, I take pride in the words "Ich bin ein Webizen!"