20 Aug

Bangladesh .bd TLD outage on 18th August 2016



Day before yesterday i.e on 18th August 2016 Bangladesh’s TLD .bd went had an outage. It was originally reported by Jasim Alam on bdNOG mailing list.


His message shows that DNS resolution of BTCL (Bangladesh Telecommunications Company Ltd) was failing. Later Alok Das that it was the power problem resulting in outage.

Let’s look ask one of 13 root DNS server about NS records on who has the delegation for .bd.

So two of out of these three seem to be on BTCL network and that too on same /24.


Let’s ping to all these three using NLNOG Ring node of bdHUB: bdhub01.ring.nlnog.net

So clearly all three servers are in Bangladesh/local as per super low latency from bdHUB node. From traces from outside India it’s quite unlikely of any other anycast node outside Bangladesh. This is a serious design issue. For a country’s TLD one should have much more resiliency.

My good friend Fakrul from APNIC mentioned on mailing list about PCH becoming secondary for .bd. Same is visible now in the authority NS records of the domain.

dig @dns.bd. bd. ns +short


So once the same is added on root DNS servers, it will bring up bit more resiliency with PCH’s platform with large number of anycast nodes.

So what was impact of this outage?
Well, probably a lot. .bd TLD outage would have brought down a lot of websites running on .bd domain. Any fresh DNS lookup would have failed, any websites with lower TTL would have went down. As per bdIX traffic graph some disturbance is visible across that day.

bdix drop


27 Mar

Letsencrypt – Free signed automated SSL

Last year a really good project Letsencrypt came up. They key objective of this project is to help in securing web by pushing SSL everywhere.


Two key cool features

  1. It offer free signed SSL certs!
  2. It helps in setting up SSL via an agent seamlessly without having to deal with CSR, getting it signed & updating web server configuration.


At this stage Letsencrypt is itself a Certificate Authority and but it’s root certs are yet not in the browser. It’s probably going to take a while till all major browsers get their certificate.

To help on that one of it’s sponsors IdenTrust has signed their intermediate certs. Hence certs signed by Letsencrypt are accepted by all browsers right away. All certs signed by Letsencypt are signed by Letencrypt Authority X1 which have signature from DST Root CA X3 which is accepted by pretty much all popular browsers. You can read more about How it works here.


Here’s an example of SSL setup for say “demo.anuragbhatia.com” test domain which is already up and working without SSL. http://demo.anuragbhatia.com shows a plain text page. This is Apache running on Ubuntu server.

The Apache web config is pretty straightforward.



Step 1 – Grab the Letscrypt agent

git clone https://github.com/letsencrypt/letsencrypt


Step 2 – Execute the auto script

./letsencrypt-auto –help


This will grab all needed dependencies and will get the agent working.


Step 3 – Execute Letsencrypt auto script with it’s Apache plugin

./letsencrypt-auto –apache -d demo.anuragbhatia.com


It takes with a quick wizard and in the end I get:

Congratulations! You have successfully enabled

You should test your configuration at:


And it’s done!

Wizard got me a signed SSL and installed it in the apache config as well.

Screen Shot 2016-03-27 at 7.22.21 PM


Screen Shot 2016-03-27 at 7.22.37 PM


The agent created an addional Apache config with name demo.anuragbhatia.com-le-ssl.conf with following content


Here options-ssl-apache.conf plays an important role by using better security options. It’s config:


Some of the limitations 

  1. Signed SSL certs are valid only for 90 days and have to be renewed.
  2. Wildcard SSL certs are not supported yet.
  3. IPv6 is not supported in the autoconfig setup via client. One can always get certificate manually and use with IPv6 but agent is yet to support IPv6 (which I guess is from next month).


You can read more on their excellent documentation here and can also consider checking Presentation by Ashley Jones from PCH at SANOG on All TLS, all the time.


Have fun!