Using dns-prefetch - Web Performance
dns-prefetch is an attempt to resolve domain names before resources get requested.
... Why use dns-prefetch?
... This process is known as DNS resolution.
nsIDNSService
netwerk/dns/nsIDNSService.idl Scriptable. Provides domain name resolution service.
... Inherits from: nsISupports. Last changed in Gecko 1.9.1 (Firefox 3.5 / Thunderbird 3.0 / SeaMonkey 2.0). Implemented by: @mozilla.org/network/dns-service;1.
... To access the service, use: var dnsService = Components.classes["@mozilla.org/network/dns-service;1"].createInstance(Components.interfaces.nsIDNSService); Note: starting in Gecko 7.0, the "happy eyeballs" strategy is used to reduce lengthy timeouts when attempting backup connections during attempts to connect from clients that have broken IPv6 connectivity.
X-DNS-Prefetch-Control - HTTP
The X-DNS-Prefetch-Control HTTP response header controls DNS prefetching, a feature by which browsers proactively perform domain name resolution on both links that the user may choose to follow as well as URLs for items referenced by the document, including images, CSS, JavaScript, and so forth.
... This prefetching is performed in the background, so that the DNS is likely to have been resolved by the time the referenced items are needed.
... Header type: response header. Forbidden header name: no. Syntax: X-DNS-Prefetch-Control: on / X-DNS-Prefetch-Control: off. Directives: on enables DNS prefetching.
DNS - MDN Web Docs Glossary: Definitions of Web-related terms
DNS (Domain Name System) is a hierarchical and decentralized naming system for Internet connected resources.
... DNS maintains a list of domain names along with the resources, such as IP addresses, that are associated with them.
... The most prominent function of DNS is the translation of human-friendly domain names (such as mozilla.org) to a numeric IP address (such as 151.106.5.172); this process of mapping a domain name to the appropriate IP address is known as a DNS lookup.
... By contrast, a reverse DNS lookup (rDNS) is used to determine the domain name associated with an IP address.
nsIDNSListener
netwerk/dns/nsIDNSListener.idl Scriptable. Please add a summary to this article.
... Inherits from: nsISupports. Last changed in Gecko 1.7. Method overview: void onLookupComplete(in nsICancelable aRequest, in nsIDNSRecord aRecord, in nsresult aStatus); Methods: onLookupComplete() Called when an asynchronous host lookup completes.
... void onLookupComplete( in nsICancelable aRequest, in nsIDNSRecord aRecord, in nsresult aStatus ); Parameters: aRequest The value returned from asyncResolve.
... aRecord The DNS record corresponding to the hostname that was resolved.
Link types: dns-prefetch - HTML: Hypertext Markup Language
The dns-prefetch keyword for the rel attribute of the <link> element is a hint to browsers that the user is likely to need resources from the target resource's origin, and therefore the browser can likely improve the user experience by preemptively performing DNS resolution for that origin.
... See Using dns-prefetch for more details.
... Specifications (Specification / Status / Comment): HTML Living Standard, the definition of 'dns-prefetch' in that specification.
nsIDNSRecord
netwerk/dns/nsIDNSRecord.idl Scriptable. This interface represents the result of a DNS lookup.
... Since a DNS query may return more than one resolved IP address, the record acts like an enumerator, allowing the caller to easily step through the list of IP addresses.
nsIDNSRequest
netwerk/dns/nsIDNSRequest.idl Scriptable. Please add a summary to this article.
... Inherits from: nsISupports. Last changed in Gecko 1.7. Method overview: void cancel(); Methods: cancel() Called to cancel a pending asynchronous DNS request.
nsIIDNService
netwerk/dns/nsIIDNService.idl Scriptable. This interface provides support for internationalized domain names, including methods for manipulating IDN hostnames according to IETF specification.
... Inherits from: nsISupports. Last changed in Gecko 1.9 (Firefox 3). Implemented by: @mozilla.org/network/idn-service;1 as a service: var iDNService = Components.classes["@mozilla.org/network/idn-service;1"].getService(Components.interfaces.nsIIDNService); Method overview: AUTF8String convertACEtoUTF8(in ACString input); AUTF8String convertToDisplayIDN(in AUTF8String input, out boolean isASCII); ACString convertUTF8toACE(in AUTF8String input); boolean isACE(in ACString input); AUTF8String normalize(in AUTF8String input); Methods: convertACEtoUTF8() Converts an ACE (ASCII Compatible Encoding) hostname into Unicode format, returning a UTF-8 format string.
Index
Defined options include an RFC822 name (electronic mail address), a DNS name, an IP address, and a URI.
... For the most basic case, simply upload the library: modutil -add modulename -libfile library-file [-ciphers cipher-enable-list] [-mechanisms mechanism-list] For example: modutil -dbdir sql:/home/my/sharednssdb -add "Example PKCS #11 Module" -libfile "/tmp/crypto.so" -mechanisms RSA:DSA:RC2:RANDOM Using database directory ...
... modutil -dbdir sql:/home/my/sharednssdb -jar install.jar -installdir sql:/home/my/sharednssdb This installation JAR file was signed by: ---------------------------------------------- **SUBJECT NAME** C=US, ST=California, L=Mountain View, CN=Cryptorific Inc., OU=Digital ID Class 3 - Netscape Object Signing, OU="www.verisign.com/repository/CPS Incorp.
NSS tools : certutil
-8 dns-names: Add a comma-separated list of DNS names to the subject alternative name extension of a certificate or certificate request that is being created or added to the database.
... For example: $ certutil -R -k ec -q nistb409 -g 512 -s "CN=John Smith,O=Example Corp,L=Mountain View,ST=California,C=US" -d sql:/home/my/sharednssdb -p 650-555-0123 -a -o cert.cer Generating key.
... $ certutil -S -k rsa|dsa|ec -n certname -s subject [-c issuer |-x] -t trustargs -d [sql:]directory [-m serial-number] [-v valid-months] [-w offset-months] [-p phone] [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names] [--extAIA] [--extSIA] [--extCP] [--extPM] [--extPC] [--extIA] [--extSKID] The series of numbers and --ext* options set certificate extensions that can be added to the certificate when it is generated by the CA.
certutil
-8 dns-names: Add a comma-separated list of DNS names to the subject alternative name extension of a certificate or certificate request that is being created or added to the database.
... For example: $ certutil -R -k ec -q nistb409 -g 512 -s "CN=John Smith,O=Example Corp,L=Mountain View,ST=California,C=US" -d sql:/home/my/sharednssdb -p 650-555-0123 -a -o cert.cer Generating key.
... $ certutil -S -k rsa|dsa|ec -n certname -s subject [-c issuer |-x] -t trustargs -d [sql:]directory [-m serial-number] [-v valid-months] [-w offset-months] [-p phone] [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names] [--extAIA] [--extSIA] [--extCP] [--extPM] [--extPC] [--extIA] [--extSKID] The series of numbers and --ext* options set certificate extensions that can be added to the certificate when it is generated by the CA.
Proxy Auto-Configuration (PAC) file - HTTP
(Of course, the JavaScripts must be edited to reflect your site's domain name and/or subnets.) Predefined functions and environment: these functions can be used in building the PAC file. Hostname based conditions: isPlainHostName(), dnsDomainIs(), localHostOrDomainIs(), isResolvable(), isInNet(). Related utility functions: dnsResolve(), convert_addr(), myIpAddress(), dnsDomainLevels(). URL/hostname based conditions: shExpMatch(). Time based conditions: weekdayRange(), dateRange(), timeRange(). Logging utility: alert(). There was one associative array (object) already d...
... Examples: isPlainHostName("www.mozilla.org") // false isPlainHostName("www") // true dnsDomainIs() Syntax: dnsDomainIs(host, domain) Parameters: host is the hostname from the URL.
... Examples: dnsDomainIs("www.mozilla.org", ".mozilla.org") // true dnsDomainIs("www", ".mozilla.org") // false localHostOrDomainIs() Syntax: localHostOrDomainIs(host, hostdom) Parameters: host the hostname from the URL.
XPCOM Interface Reference
What is a Domain Name? - Learn web development
(r37-lror) sponsoring registrar iana id: 292 whois server: referral url: domain status: clientdeleteprohibited domain status: clienttransferprohibited domain status: clientupdateprohibited registrant id:mmr-33684 registrant name:dns admin registrant organization:mozilla foundation registrant street: 650 castro st ste 300 registrant city:mountain view registrant state/province:ca registrant postal code:94041 registrant country:us registrant phone:+1.6509030800 As you can see, I can't register mozilla.org because the Mozilla Foundation has already registered it.
... Within a few hours, all DNS servers will have received your DNS information.
... DNS refreshing: DNS databases are stored on every DNS server worldwide, and all these servers refer to a few special servers called “authoritative name servers” or “top-level DNS servers.” — these are like the boss servers that manage the system.
NSS tools : modutil
For the most basic case, simply upload the library: modutil -add modulename -libfile library-file [-ciphers cipher-enable-list] [-mechanisms mechanism-list] For example: modutil -dbdir sql:/home/my/sharednssdb -add "Example PKCS #11 Module" -libfile "/tmp/crypto.so" -mechanisms RSA:DSA:RC2:RANDOM Using database directory ...
... modutil -dbdir sql:/home/my/sharednssdb -jar install.jar -installdir sql:/home/my/sharednssdb This installation JAR file was signed by: ---------------------------------------------- **SUBJECT NAME** C=US, ST=California, L=Mountain View, CN=Cryptorific Inc., OU=Digital ID Class 3 - Netscape Object Signing, OU="www.verisign.com/repository/CPS Incorp.
... For example: modutil -list -dbdir sql:/home/my/sharednssdb Listing of PKCS #11 Modules ----------------------------------------------------------- 1.
Populating the page: how browsers work - Web Performance
DNS lookup: The first step of navigating to a web page is finding where the assets for that page are located.
... If you’ve never visited this site, a DNS lookup must happen.
... Your browser requests a DNS lookup, which is eventually fielded by a name server, which in turn responds with an IP address.
Subdomain takeovers - Web security
Typically, this happens when the subdomain has a canonical name (CNAME) in the Domain Name System (DNS), but no host is providing content for it.
... You must cut power at the breaker or fuse box (DNS) to prevent the outlet from being used by someone else.
... You set up DNS records to direct browsers that want to access blog.example.com so that they go to the virtual host.
Index - MDN Web Docs Glossary: Definitions of Web-related terms
7 arpa (Glossary, Infrastructure): .arpa (address and routing parameter area) is a top-level domain used for Internet infrastructure purposes, especially reverse DNS lookup (i.e., find the domain name for a given IP address).
... CDNs make for fast service less affected by high traffic.
... 101 DNS (DNS, Domain Name System, Glossary, Infrastructure): DNS (Domain Name System) is a hierarchical and decentralized naming system for Internet connected resources.
nsIEffectiveTLDService
netwerk/dns/nsIEffectiveTLDService.idl Scriptable. This is an interface that examines a hostname and determines the longest portion that should be treated as though it were a top-level domain (TLD).
... That question is unanswerable with 100% accuracy using the PSL, because what is a domain name is a property of the DNS, which is different for different people.
... NS_ERROR_UNEXPECTED or other error returned by nsIIDNService.normalize() when the hostname contains characters disallowed in URIs.
Navigation and resource timings - Web Performance
With the metrics above, and a little bit of math, we can calculate many important metrics like time to first byte, page load time, DNS lookup, and whether the connection is secure.
... Calculating timings: We can use these values to measure specific timings of interest: let dns = time.domainLookupEnd - time.domainLookupStart, tcp = time.connectEnd - time.connectStart, ssl != time.secureConnectionStart, Time to first byte: Time to First Byte is the time between the navigationStart (start of the navigation) and responseStart, (when the first byte of response data is received) available in the performanceTiming API: let ttfb = time.responseStart - time.navigati...
... let pageloadtime = time.loadEventStart - time.navigationStart; DNS lookup time: The DNS lookup time is the time between domainLookupStart and domainLookupEnd.
Index
To create an instance, use: 465 nsIDNSListener (Interfaces, Interfaces:Scriptable, XPCOM, XPCOM Interface Reference): Called when an asynchronous host lookup completes.
... 466 nsIDNSRecord (Interfaces, Interfaces:Scriptable, XPCOM, XPCOM Interface Reference): This function copies the value of the next IP address into the given PRNetAddr struct and increments the internal address iterator.
... 467 nsIDNSRequest (Interfaces, Interfaces:Scriptable, XPCOM, XPCOM Interface Reference): Called to cancel a pending asynchronous DNS request.
Autoconfiguration in Thunderbird
For example, for the email address fred@example.com, the lookup is performed as (in this order): tb-install-dir/isp/example.com.xml on the harddisk; check for autoconfig.example.com; look up of "example.com" in the ISPDB; look up "MX example.com" in DNS, and for mx1.mail.hoster.com, look up "hoster.com" in the ISPDB; try to guess (imap.example.com, smtp.example.com etc.). We may add DNS SRV records as supported mechanism in the future, but we currently do not.
... You are "hoster.com", but your customers have "fred@flintstone.com" and "louis@kent.com" as domains, with only a few users per domain, you need to set up a configuration server (or rely on DNS MX).
... DNS: For each customer domain, you add a DNS record (in addition to the existing MX, A www etc.
Using the Resource Timing API - Web APIs
The interface's properties create a resource loading timeline with high-resolution timestamps for network events such as redirect start and end times, fetch start, DNS lookup start and end times, response start and end times, etc.
... Resource loading phases: An application can get timestamps for the various phases of resource loading such as redirection, DNS lookup, and TCP connection setup.
... Timing resource loading phases: The following example illustrates using the resource timing properties to calculate the amount of time the following phases take: redirection (redirectStart and redirectEnd), DNS lookup (domainLookupStart and domainLookupEnd), TCP handshake (connectStart and connectEnd), and response (responseStart and responseEnd).
CDN - MDN Web Docs Glossary: Definitions of Web-related terms
CDNs make for fast service less affected by high traffic.
... CDNs are used widely for delivering stylesheets and JavaScript files (static assets) of libraries like Bootstrap, jQuery etc.
... Most CDNs have servers all over the globe, so CDN servers may be geographically nearer to your users than your own servers.
... CDNs are already configured with proper cache settings.
Prefetch - MDN Web Docs Glossary: Definitions of Web-related terms
DNS prefetching: Domain lookups can be slow, especially with network latency on mobile phones.
... They are most relevant when there are a plethora of links to external websites that may be clicked on, like search engine results. DNS prefetching resolves domain names in advance thereby speeding up load times by reducing the time associated with domain lookup at request time.
... <link rel="dns-prefetch" href="https://example.com/"> Link prefetching: Link prefetching is a performance optimization technique that works by assuming which links the user is likely to click, then downloading the content of those links.
... The prefetch hints are sent in HTTP headers: Link: ; rel=dns-prefetch, ; as=script; rel=preload, ; rel=prerender, ; as=style; rel=preload Prefetch attribute value: Browsers will prefetch content when the prefetch <link> tag directs it to, giving the developer control over what resources should be prefetched.
How the Web works - Learn web development
DNS: Domain Name Servers are like an address book for websites.
... When you type a web address in your browser, the browser looks at the DNS to find the website's real address before it can retrieve the website.
... When you type a web address into your browser (for our analogy that's like walking to the shop): the browser goes to the DNS server, and finds the real address of the server that the website lives on (you find the address of the shop).
... DNS explained: Real web addresses aren't the nice, memorable strings you type into your address bar to find your favorite websites.
A Web PKI x509 certificate primer
Subject Alternate Name: This extension defines what other names (such as DNS names) are valid for this certificate.
... Write extensions file by creating a new file with name openssl.ss.cnf with the following contents: basicConstraints = CA:FALSE subjectAltName = DNS:www.example.com extendedKeyUsage = serverAuth 4.
... Write extensions file (openssl.root.cnf): basicConstraints = critical, CA:TRUE keyUsage = keyCertSign, cRLSign subjectKeyIdentifier = hash nameConstraints = permitted;DNS:example.com,permitted;DNS:example.net Self-sign CSR (using SHA256) and append the extensions described in the file "openssl x509 -req -sha256 -days 3650 -in root.csr -signkey rootkey.pem -set_serial $ANY_SMALL_INTEGER -extfile openssl.root.cnf -out root.pem" Now you have CA PEM file with its associated key.
... Write extensions file (make a new file with name openssl.ss.cnf with the following contents): basicConstraints = CA:FALSE subjectAltName = DNS:www.example.com extendedKeyUsage = serverAuth authorityInfoAccess = OCSP;URI:http://ocsp.example.com:80/ Intermediate signs the CSR (using SHA256) and appends the extensions described in the file "openssl x509 -req -sha256 -days 1096 -in example.csr -CAkey intkey.pem -CA int.pem -set_serial $SOME_LARGE_INTEGER -out www.example.com.pem -extfile openssl.int.cnf" Security not...
HTML attribute: rel - HTML: Hypertext Markup Language
link not allowed not allowed dns-prefetch: Tells the browser to preemptively perform DNS resolution for the target resource's origin. External resource, not allowed, not allowed. external: Referenced document is not part of the same site as the current document.
... dns-prefetch: Relevant for the <link> element both in the <body> and <head>, it tells the browser to preemptively perform DNS resolution for the target resource's origin.
... Useful for resources the user will likely need, it helps reduce latency and thereby improves performance when the user does access the resources as the browser preemptively performed DNS resolution for the origin of the specified resource.
... See dns-prefetch described in resource hints.
Network Error Logging - HTTP
e": "network-error", "url": "https://example.com/previous-page", "body": { "elapsed_time": 338, "method": "post", "phase": "application", "protocol": "http/1.1", "referrer": "https://example.com/previous-page", "sampling_fraction": 1, "server_ip": "137.205.28.66", "status_code": 400, "type": "http.error", "url": "https://example.com/bad-request" } } DNS name not resolved: Note that the phase is set to dns in this report and no server_ip is available to include.
... { "age": 20, "type": "network-error", "url": "https://example.com/previous-page", "body": { "elapsed_time": 18, "method": "post", "phase": "dns", "protocol": "http/1.1", "referrer": "https://example.com/previous-page", "sampling_fraction": 1, "server_ip": "", "status_code": 0, "type": "dns.name_not_resolved", "url": "https://example-host.com/" } } The type of the network error may be one of the following pre-defined values from the specification, but browsers can add and send their own error types:
dns.unreachable: The user's DNS server is unreachable.
dns.name_not_resolved: The user's DNS server responded but was unable to resolve an IP address for the requested URI.
... dns.failed: Request to the DNS server failed due to reasons not covered by previous errors (e.g.
... SERVFAIL)
dns.address_changed: For security reasons, if the server IP address that delivered the original report is different to the current server IP address at time of error generation, the report data will be downgraded to only include information about this problem and the type set to dns.address_changed.
Understanding latency - Web Performance
On a first request, for the first 14kb bytes, latency is longer because it includes a DNS lookup, a TCP handshake, the secure TLS negotiation.
... DNS resolution is the time it took to do the DNS lookup.
... The greater the number of hostnames, the more DNS lookups need to be done.
... Like DNS, the greater the number of server connections needed, the more time is spent creating server connections.
Introduction to Public-Key Cryptography - Archive of obsolete content
For example, this might be a typical DN for an employee of Example Corp: uid=doe,e=doe@example.net,cn=John Doe,o=Example Corp.,c=US The abbreviations before each equal sign in this example have these meanings: uid: user ID; e: email address; cn: the user's common name; o: organization; c: country. DNs may include a variety of other name-value pairs.
... The rules governing the construction of DNs can be quite complex and are beyond the scope of this document.
... For comprehensive information about DNs, see A String Representation of Distinguished Names at the following URL: https://www.ietf.org/rfc/rfc1485.txt A typical certificate: Every X.509 certificate consists of two sections: the data section includes the following information: the version number of the X.509 standard supported by the certificate.
Domain sharding - MDN Web Docs Glossary: Definitions of Web-related terms
The problem with domain sharding, in terms of performance, is the cost of extra DNS lookups for each domain and the overhead of establishing each TCP connection.
... Multiple domains, however, is an anti-pattern, as DNS lookups slow initial load times.
... See also: Transport Layer Security (TLS), DNS, HTTP/2 ...
NSS_3.12_release_notes.html
e cert.h) cert_findcrlentryreasonexten (see cert.h) cert_findcrlnumberexten (see cert.h) cert_findnameconstraintsexten (see cert.h) cert_getclassicocspdisabledpolicy (see cert.h) cert_getclassicocspenabledhardfailurepolicy (see cert.h) cert_getclassicocspenabledsoftfailurepolicy (see cert.h) cert_getpkixverifynistrevocationpolicy (see cert.h) cert_getusepkixforvalidation (see cert.h) cert_getvaliddnspatternsfromcert (see cert.h) cert_newtempcertificate (see cert.h) cert_setocsptimeout (see certhigh/ocsp.h) cert_setusepkixforvalidation (see cert.h) cert_pkixverifycert (see cert.h) hash_gettype (see sechash.h) nss_initwithmerge (see nss.h) pk11_createmergelog (see pk11pub.h) pk11_creategenericobject (see pk11pub.h) pk11_createpbev2algorithmid (see pk11pub.h) pk11_destroymergelog (see pk11pub.h)...
... Klocwork null ptr deref in secasn1d.c; Bug 366390: correct misleading function names in fipstest; Bug 370536: memory leaks in pointer tracker code in debug builds only; Bug 372242: cert_comparerdn uses incorrect algorithm; Bug 379753: S/MIME should support AES; Bug 381375: ocspclnt doesn't work on Windows; Bug 398693: der_asciitotime produces incorrect output for dates 1950-1970; Bug 420212: empty cert DNs handled badly, display as !invalid ava!
... Bug 420979: vfychain ignores -b time option when -p option is present; Bug 403563: implement the TLS session ticket extension (STE); Bug 400917: want exported function that outputs all host names for DNS name matching; Bug 315643: test_buildchain_resourcelimits won't build; Bug 353745: Klocwork null ptr dereference in PKCS12 decoder; Bug 338367: the gf2m_populate and gfp_populate should check the eccurve_map array index bounds before use; Bug 201139: ssltap should display plain text for NULL cipher suites; Bug 233806: support NIST CRL policy; Bug 279085: NSS tools display public exponent as negative number; Bug 363480: ocspclnt needs option to take cert from specified file; Bug 265715: remove unused hsearch.c DBM code; Bug 337361: leaks in jar_parse_any (security/nss/lib/jar/jarver.c); Bug 338453: leaks...
NSS tools : pk12util
pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword] For example: # pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb Enter a password which will be used to encrypt your keys.
... pk12util -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword] For example: # pk12util -o certs.p12 -n Server-Cert -d sql:/home/my/sharednssdb Enter password for PKCS12 file: Re-enter password: Listing keys and certificates: The information in a .p12 file is not human-readable.
... For example: # pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb To set the shared database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to sql: export NSS_DEFAULT_DB_TYPE="sql" This line can be added to the ~/.bashrc file to make the change permanent.
Multithreading in Necko
DNS thread (0-1): On most platforms DNS requests are processed on a background thread.
... For example, on XP_WIN an invisible window is created with a message pump on a background thread for processing WSA asynchronous DNS events.
... In this way, Necko takes advantage of the platform's specific routines for DNS lookups.
Resource Timing API - Web APIs
The interface's properties create a resource loading timeline with high-resolution timestamps for network events such as redirect start and end times, DNS lookup start and end times, request start, response start and end times, etc.
... The fetchStart timestamp follows any redirect processing (if applicable) and precedes DNS lookup.
... Likewise, the domainLookupStart and domainLookupEnd properties return timestamps for DNS lookup start and end times, respectively.
No Proxy For configuration - Archive of obsolete content
localhost proxy 127.0.0.1 local host direct confirm the filter uses only suffix matches (hostname unit tests) hostname hostname direct name hostname direct host hostname proxy domains with numbers 3com.com .3com.com direct FQDNs hostname.domain.com hostname.domain.com domain.com proxy hostname.domain.com hostname.domain.com direct hostname.domain.com host.hostname.domain.com direct .domain.com .domain.com domain.com hostname.domain.com host.hostname.domain.com proxy direct direct *.domain.com *.domain.co...
... Filter comparison. Notable bugs: Bug 172083 - [meta] Proxy: "No proxy for" items; Bug 80917 - Proxy: "No proxy" w/ form based UI; Bug 91587 - Proxy: "No proxy for" default domain filtering fails w/ non-FQDN (e.g., http://web/); Bug 201685 - No proxy for: support IPv6 address literals; Bug 136789 - Proxy: No proxy IP entries do not block DNS resolved IPs; Bug 314712 - No proxy for: "hostname.domain.com" should block only "hostname.domain.com"; Bug 72444 - Proxy: "Bypass proxy server for local addresses" (IE pref); Bug 260883 - "No proxy for" does not use FQDN wildcards "*" like IE. Bugzilla sources: Bug 17158 comment 21: the correct separators are spaces or commas.
Tips for authoring fast-loading HTML pages - Learn web development
cdns store cached versions of your website and serve them to visitors via the network node closest to the user, thereby reducing latency.
... further reading: understanding cdns reduce domain lookups since each separate domain costs time in a dns lookup, the page load time will grow along with the number of separate domains appearing in css link(s) and javascript and image src(es).
Internationalized Domain Names (IDN) Support in Mozilla Browsers
how idn works when a browser sees a host name such as http://developer.mozilla.org, it passes a request to the dns resolver service (usually built into an os), which in turn sends a request to a nearest domain name server to return an ip address that corresponds to the host name.
... as an example, an output string to be sent to a dns server for a japanese domain name, "http://ジェーピーニック.jp", will look like the following in ace form: http://xn--hckqz9bzb1cyrb.jp domain name registration after the technical standards were established by ietf, the last remaining issue was for domain name registrars to agree on an international guideline on the use of idn characters.
NSS tools : signver
signver -V -s signature_file -i signed_file -d sql:/home/my/sharednssdb signatureValid=yes printing signature data the -A option prints all of the information contained in a signature file.
...for example: # signver -A -s signature -d sql:/home/my/sharednssdb to set the shared database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to sql: export NSS_DEFAULT_DB_TYPE="sql" this line can be added to the ~/.bashrc file to make the change permanent.
nsIMsgDatabase
r, in boolean bread, in nsidbchangelistener instigator); void markhdrreplied(in nsimsgdbhdr msghdr, in boolean breplied, in nsidbchangelistener instigator); void markhdrmarked(in nsimsgdbhdr msghdr, in boolean mark,in nsidbchangelistener instigator); void markmdnneeded(in nsmsgkey key, in boolean bneeded,in nsidbchangelistener instigator); boolean ismdnneeded(in nsmsgkey key); void markmdnsent(in nsmsgkey key, in boolean bneeded, in nsidbchangelistener instigator); boolean ismdnsent(in nsmsgkey key); void markread(in nsmsgkey key, in boolean bread, in nsidbchangelistener instigator); void markreplied(in nsmsgkey key, in boolean breplied, in nsidbchangelistener instigator); void markforwarded(in nsmsgkey key, in boolean bforwarded, in nsidbchangelistener instigator); void m...
... boolean ismdnneeded(in nsmsgkey key); markmdnsent() void markmdnsent(in nsmsgkey key, in boolean bneeded, in nsidbchangelistener instigator); ismdnsent() boolean ismdnsent(in nsmsgkey key); markread() methods to get and set docsets for ids.
nsIProtocolProxyService
proxy auto config (pac) may perform a synchronous dns query, which may not return immediately.
...unlike resolve, this method is guaranteed not to block the calling thread waiting for dns queries to complete.
nsISocketTransport
usually a dns lookup.
... status_sending_to 0x804b0005 status_waiting_for 0x804b000a status_receiving_from 0x804b0006 connection flags values for the connectionflags attribute constant value description bypass_cache 0 when making a new connection bypass_cache will force the necko dns cache entry to be refreshed with a new call to nspr if it is set before opening the new stream.
Link types - HTML: Hypertext Markup Language
<link> <a>, <area>, <form> dns-prefetch hints to the browser that a resource is needed, allowing the browser to do a dns lookup and protocol handshaking before a user clicks the link.
... working draft added dns-prefetch, preconnect, and prerender values.
Proxy servers and tunneling - HTTP
they store and forward internet services (like the dns, or web pages) to reduce and control the bandwidth used by the group.
...the example below will work in an environment where the internal dns server is set up so that it can only resolve internal host names, and the goal is to use a proxy only for hosts that aren't resolvable: function FindProxyForURL(url, host) { if (isResolvable(host)) return "DIRECT"; else return "PROXY proxy.mydomain.com:8080"; } see proxy auto-configuration (pac) for more examples.
Web Performance
this article explains what latency is, how it impacts performance, how to measure latency, and how to reduce it. using dns-prefetch: dns-prefetch is an attempt to resolve domain names before resources get requested.
...in this article, we cover native browser features like rel=preconnect, rel=dns-prefetch, rel=prefetch, and rel=preload, and how to use them to your advantage.
Subresource Integrity - Web security
how subresource integrity helps using content delivery networks (cdns) to host files such as scripts and stylesheets that are shared among multiple sites can improve site performance and conserve bandwidth.
... however, using cdns also comes with a risk, in that if an attacker gains control of a cdn, the attacker can inject arbitrary malicious content into files on the cdn (or replace the files completely) and thus can also potentially attack all sites that fetch files from that cdn.
URIs and URLs - Archive of obsolete content
gateways, proxies, caches, and name resolution services might be used to access some resources, independent of the protocol of their origin, and the resolution of some url may require the use of more than one protocol (e.g., both dns and http are typically used to access an "http" url's resource when it can't be found in a local cache).
MDN Web Docs Glossary: Definitions of Web-related terms
csrf css css object model (cssom) css pixel css preprocessor d data structure decryption delta denial of service descriptor (css) deserialization developer tools dhtml digest digital certificate distributed denial of service dmz dns doctype document directive document environment dom (document object model) domain domain name domain sharding dominator dos attack dtls (datagram transport layer security) dtmf (dual-tone multi-frequency signaling) dynamic programming language dynamic typing e ...
Creating hyperlinks - Learn web development
when you use an absolute url, the browser starts by looking up the real location of the server on the domain name system (dns; see how the web works for more information).
Images in HTML - Learn web development
you could embed the image using its absolute url, for example: <img src="https://www.example.com/images/dinosaur.jpg"> but this is pointless, as it just makes the browser do more work, looking up the ip address from the dns server all over again, etc.
Index - Learn web development
for example, take the following line of content: 40 how the web works beginner, client, dns, http, ip, infrastructure, learn, server, tcp, l10n:priority this theory is not essential to writing web code in the short term, but before long you'll really start to benefit from understanding what's happening in the background.
Multimedia: Images - Learn web development
if all of this sounds a bit complicated or feels like too much work for your team then there are also online services that you can use as image cdns that will automate the serving of the correct image format on-the-fly, according to the type of device or browser requesting the image.
HTTP logging
turning off dns query logging you can turn off logging of host resolving (that is, dns queries) by removing the text nsHostResolver:5 from the commands above.
mozbrowsererror
possible values are: fatal(crash) unknownprotocolfound filenotfound dnsnotfound connectionfailure netinterrupt nettimeout cspblocked phishingblocked malwareblocked unwantedblocked offline malformeduri redirectloop unknownsockettype netreset notcached isprinting deniedportaccess proxyresolvefailure proxyconnectfailure contentencodingfailure remotexul unsafecontenttype corruptedcontenterror certerror other example va...
Integrated Authentication
this is to protect the user from the possibility of dns-spoofing being used to stage a man-in-the-middle exploit (see bug 17578 for more info).
About NSPR
to that end it is possible to perform translations of ascii strings (dns names) into nspr's network address structures, with no regard to whether the addressing technology is ipv4 or ipv6.
Certificate functions
trevocationpolicy mxr 3.12 and later cert_getprevgeneralname mxr 3.10 and later cert_getprevnameconstraint mxr 3.10 and later cert_getsloptime mxr 3.2 and later cert_getsslcacerts mxr 3.2 and later cert_getstatename mxr 3.2 and later cert_getusepkixforvalidation mxr 3.12 and later cert_getvaliddnspatternsfromcert mxr 3.12 and later cert_gentime2formattedascii mxr 3.2 and later cert_hexify mxr 3.2 and later cert_importcachain mxr 3.2 and later cert_importcerts mxr 3.2 and later cert_isrootdercert mxr 3.8 and later cert_isusercert mxr 3.6 and later cert_keyfromdercrl mxr 3.4 and lat...
NSS_3.12.1_release_notes.html
ails pairwise consistency test bug 330622: certutil's usage messages incorrectly document certain options bug 330628: coreconf/linux.mk should _not_ default to x86 but result in an error if host is not recognized bug 359302: remove the sslsample code from nss source tree bug 372241: need more versatile form of cert_nametoascii bug 390296: nss ignores subject cn even when san contains no dnsname bug 401928: support generalized pkcs#5 v2 pbes bug 403543: pkix: need a way to enable/disable aia cert fetching bug 408847: pkix_ocspchecker_check does not support specified responder (and given signercert) bug 414003: crash [[@ cert_decodecertpackage] sometimes with this testcase bug 415167: memory leak in certutil bug 417399: arena allocation results are not checked in pkix_pl_i...
NSS 3.16 release notes
bug 962760: libpkix should not include the common name of ca as dns names when evaluating name constraints.
NSS 3.39 release notes
utilpars.h nssutil_addnssflagtomodulespec - a helper function for modifying the pkcs#11 module configuration.
NSS 3.44 release notes
each attribute 1531236 - provide accessor for certcertificate.dercert 1536734 - lib/freebl/crypto_primitives.c assumes a big endian machine 1532384 - in nss test certificates, use @example.com (not @bogus.com) 1538479 - post-handshake messages after async server authentication break when using record layer separation 1521578 - x25519 support in pk11pars.c 1540205 - freebl build fails with -DNSS_DISABLE_CHACHAPOLY 1532312 - post-handshake auth doesn't interoperate with openssl 1542741 - certutil -f crashes with segmentation fault 1546925 - allow preceding text in try comment 1534468 - expose chacha20 primitive 1418944 - quote cc/cxx variables passed to nspr 1543545 - allow to build nss as a static library 1487597 - early data that arrives before the handshake completes can be rea...
NSS 3.52 release notes
bug 1630925 - guard all instances of nsscmssigneddata.signerinfo to avoid a cms crash bug 1571677 - name constraints validation: cn treated as dns name even when syntactically invalid as dns name this bugzilla query returns all the bugs fixed in nss 3.52: https://bugzilla.mozilla.org/buglist.cgi?resolution=fixed&classification=components&query_format=advanced&product=nss&target_milestone=3.52 compatibility nss 3.52 shared libraries are backward compatible with all older nss 3.x shared libraries.
Enc Dec MAC Using Key Wrap CertReq PKCS10 CSR
atic secstatus createcert( certcertdbhandle *handle, pk11slotinfo *slot, char * issuernickname, char *infilename, char *outfilename, seckeyprivatekey **selfsignprivkey, void *pwarg, secoidtag hashalgtag, unsigned int serialnumber, int warpmonths, int validitymonths, const char *dnsnames, prbool ascii, prbool selfsign) { void *exthandle; secitem reqder; certcertextension **crexts; secstatus rv = secsuccess; certcertificate *subjectcert = null; certcertificaterequest *certreq = null; prfiledesc *outfile = null; se...
sample2
(trust) { port_free(trust); } if (certder.data) { port_free(certder.data); } return rv; } /* * create a certificate */ static secstatus createcert( certcertdbhandle *handle, pk11slotinfo *slot, char * issuernickname, char *infilename, char *outfilename, seckeyprivatekey **selfsignprivkey, void *pwarg, secoidtag hashalgtag, unsigned int serialnumber, int warpmonths, int validitymonths, const char *dnsnames, prbool ascii, prbool selfsign) { void *exthandle; secitem reqder; certcertextension **crexts; secstatus rv = secsuccess; certcertificate *subjectcert = null; certcertificaterequest *certreq = null; prfiledesc *outfile = null; secitem *certder = null; reqder.data = null; outfile = pr_open(outfilename, pr_rdwr | pr_create_file | pr_truncate, 00660); /* create a cert request object from the in...
NSS sources building testing
on machines that are configured with a hostname that has been registered in your network's dns, this should work automatically.
Python binding for NSS
plus the implementation depended on being able to perform a reverse dns lookup which is not always possible.
NSS functions
trevocationpolicy mxr 3.12 and later cert_getprevgeneralname mxr 3.10 and later cert_getprevnameconstraint mxr 3.10 and later cert_getsloptime mxr 3.2 and later cert_getsslcacerts mxr 3.2 and later cert_getstatename mxr 3.2 and later cert_getusepkixforvalidation mxr 3.12 and later cert_getvaliddnspatternsfromcert mxr 3.12 and later cert_gentime2formattedascii mxr 3.2 and later cert_hexify mxr 3.2 and later cert_importcachain mxr 3.2 and later cert_importcerts mxr 3.2 and later cert_isrootdercert mxr 3.8 and later cert_isusercert mxr 3.6 and later cert_keyfromdercrl mxr 3.4 and lat...
NSS tools : crlutil
defined options include an rfc822 name (electronic mail address), a dns name, an ip address, and a uri.
sslcrt.html
canames a pointer to a structure that contains a list of distinguished names (dns) against which to check the dns for the signers in the certificate chain.
sslerr.html
mit renegotiation of ssl security parameters." ssl_error_unsupported_extension_alert -12184 "ssl peer does not support requested tls hello extension." ssl_error_certificate_unobtainable_alert -12183 "ssl peer could not obtain your certificate from the supplied url." ssl_error_unrecognized_name_alert -12182 "ssl peer has no certificate for the requested dns name." ssl_error_bad_cert_status_response_alert -12181 "ssl peer was unable to get an ocsp response for its certificate." ssl_error_bad_cert_hash_value_alert -12180 "ssl peer reported bad certificate hash value." unspecified errors that occurred while attempting some operation: all the error codes in the following block describe the operation that ...
NSS Tools certutil
-8 dns-names add a comma-separated list of dns names to the subject alternative name extension of a certificate or certificate request that is being created or added to the database.
NSS Tools crlutil
defined options include an rfc822 name (electronic mail address), a dns name, an ip address, and a uri.
NSS tools : crlutil
defined options include an rfc822 name (electronic mail address), a dns name, an ip address, and a uri.
Necko walkthrough
then in necko http code (still on the main thread for now): nshttpchannel::asyncopen nshttpchannel::beginconnect() creates nshttpconnectioninfo object for the channel checks if we're proxying or not fires off the dns prefetch request (dispatched to dns thread pool) some other things nshttpchannel::connect might do a speculativeconnect (pre open tcp socket) nshttpchannel::continueconnect some cache stuff nshttpchannel::setuptransaction creates new nshttptransaction, and inits it with mrequesthead (the request headers) and muploadstream (which was created from the request ...
Installing Pork
hg clone http://hg.mozilla.org/rewriting-and-analysis/pork/ cd pork hg clone http://hg.mozilla.org/rewriting-and-analysis/elsa ./configure make building mozilla with mcpp to build mozilla with mcpp to generate annotated .ii files, use the following configure command: ac_cv_visibility_hidden=no CC="gcc34 -save-temps -Wp,-W0,-K" CXX="g++ -save-temps -Wp,-W0,-K" CPPFLAGS=-DNS_DISABLE_LITERAL_TEMPLATE $srcdir/configure --enable-debug --disable-optimize --disable-accessibility --enable-application=browser --disable-crashreporter building will probably require disabling warnings_as_errors: make WARNINGS_AS_ERRORS= "-Wp,-W0,-K" are options that get passed to mcpp.
nsIDocShell
allowdnsprefetch boolean attribute that determines whether dns prefetch is allowed for this subtree of the docshell tree.
nsIProxyInfo
if this is the case, the hostname is used in some fashion, and we shouldn't do any form of dns lookup ourselves.
XPCOM Interface Reference by grouping
nsifilespec nsifilestreams nsifileutilities nsifileview memory nsimemory network channel nsichannel nsichanneleventsink nsirequest nsirequestobserver nsiresumablechannel nsidnsservice nsiftpchannel nsiftpeventsink nsihttpchannel nsihttpchannelinternal nsihttpheadervisitor nsiidnservice nsiprotocolhandler nsiprotocolproxycallback nsiprotocolproxyfilter nsiprotocolproxyservice nsiproxyinfo preferences nsiiniparser nsiiniparserfactory nsiprefb...
Web Console remoting - Firefox Developer Tools
the geteventtimings packet: { "to": "conn0.netevent15", "type": "geteventtimings" } { "from": "conn0.netevent15", "timings": { "blocked": 0, "dns": 0, "connect": 0, "send": 0, "wait": 16, "receive": 0 }, "totaltime": 16 } the fileactivity packet when a file load is observed the following fileactivity packet is sent to the client: { "from": "conn0.console9", "type": "fileactivity", "uri": "file:///home/mihai/public_html/mozilla/test2.css" } history protocol changes by firefox version: firefox 18: initial ...
PerformanceResourceTiming - Web APIs
the interface's properties create a resource loading timeline with high-resolution timestamps for network events such as redirect start and end times, fetch start, dns lookup start and end times, response start and end times, etc.
HTML documentation index - HTML: Hypertext Markup Language
224 link types: dns-prefetch attribute, html, link, link types, reference the dns-prefetch keyword for the rel attribute of the <link> element is a hint to browsers that the user is likely to need resources from the target resource's origin, and therefore the browser can likely improve the user experience by preemptively performing dns resolution for that origin.
Index - HTTP
117 x-dns-prefetch-control dns, http, header the x-dns-prefetch-control http response header controls dns prefetching, a feature by which browsers proactively perform domain name resolution on both links that the user may choose to follow as well as urls for items referenced by the document, including images, css, javascript, and so forth.
X-Forwarded-Host - HTTP
host names and ports of reverse proxies (load balancers, cdns) may differ from the origin server handling the request, in that case the x-forwarded-host header is useful to determine which host was originally used.
HTTP headers - HTTP
x-dns-prefetch-control controls dns prefetching, a feature by which browsers proactively perform domain name resolution on both links that the user may choose to follow as well as urls for items referenced by the document, including images, css, javascript, and so forth.
HTTP Index - HTTP
199 x-dns-prefetch-control dns, http, x-dns-prefetch-control, header the x-dns-prefetch-control http response header controls dns prefetching, a feature by which browsers proactively perform domain name resolution on both links that the user may choose to follow as well as urls for items referenced by the document, including images, css, javascript, and so forth.