Re: Verisign Responds

2003-09-23 Thread Paul Vixie
ISC has made root-delegation-only the default behaviour in the new bind, actually, though, we haven't, and wouldn't (ever). the feature is present but must be explicitly enabled by a knowledgeable operator to have effect. how about drafting up an RFC making it an absolute default requirement

bind 9.2.3rc3 successful

2003-09-23 Thread William Allen Simpson
Thought I'd mention that I helped setup BIND 9.2.3rc3 on a yellowdog linux powercomputing machine tonight. It worked. And the mail queues began clearing out. Just for an oddball success report. Are others having similar luck? What needs to be done to make this a standard feature set? Is

Re: bind 9.2.3rc3 successful

2003-09-23 Thread Paul Vixie
Thought I'd mention that I helped setup BIND 9.2.3rc3 on a yellowdog linux powercomputing machine tonight. It worked. And the mail queues began clearing out. Just for an oddball success report. oh hell. thanks for the kind words, but we just released rc4. Are others having similar

Re: bind 9.2.3rc3 successful

2003-09-23 Thread Haesu
I am using bind 9.2.2-p2 on our resolver name servers so far.. And I have no problems to report at this time, it's been running smooth so far; mail queues started clearing out nice and clean. -hc -- Haesu C. TowardEX Technologies, Inc. Consulting, colocation, web hosting, network design and

Re: bind 9.2.3rc3 successful

2003-09-23 Thread Will Yardley
On Tue, Sep 23, 2003 at 02:35:48AM -0400, William Allen Simpson wrote: Thought I'd mention that I helped setup BIND 9.2.3rc3 on a yellowdog linux powercomputing machine tonight. It worked. And the mail queues began clearing out. Just for an oddball success report. We've been using

Re: Verisign Responds

2003-09-23 Thread Daniel Karrenberg
On 23.09 06:07, Paul Vixie wrote: We call on the IAB, the IETF, and the operational community to examine the specifications for the domain name system and consider whether additional specifications could improve the stability of the overall system. Most

Re: bind 9.2.3rc3 successful

2003-09-23 Thread Paul Wouters
On 23 Sep 2003, Paul Vixie wrote: Thought I'd mention that I helped setup BIND 9.2.3rc3 on a yellowdog linux powercomputing machine tonight. It worked. And the mail queues began clearing out. Just for an oddball success report. oh hell. thanks for the kind words, but we just

Re: Verisign Responds

2003-09-23 Thread bmanning
On Mon, 22 Sep 2003, Dave Stewart wrote: Courts are likely to support the position that Verisign has control of .net and .com and can do pretty much anything they want with it. ISC has made root-delegation-only the default behaviour in the new bind, how about drafting up an RFC

Re: Cheap temperature sensors

2003-09-23 Thread Robert Boyle
At 06:29 AM 9/23/2003, you wrote: I hate to point this out but this sounds spammy as hell, and while I've been on this list a very short time, very very big alarm bells went off when I read it. I have no financial interest in the company and I was just letting the list know about a cheap

RE: [nanog]: Re: Cheap temperature sensors

2003-09-23 Thread Tomas Daniska
All comparable solutions were $2000-3000 for the same number of sensors. I was half expecting to lose $445 to a scam company in Slovakia. I was very pleasantly surprised and I wanted to share my positive experience. I was no-scam actually being from .sk, i just can tell that what

Re: Cheap temperature sensors

2003-09-23 Thread Andy Walden
At 06:29 AM 9/23/2003, you wrote: I hate to point this out but this sounds spammy as hell, and while I've been on this list a very short time, very very big alarm bells went off when I read it. Well, if you had been on the list a little longer you would have realized that this is something

Re: bind patches++ (Re: Wildcards)

2003-09-23 Thread Mr. James W. Laferriere
Hello Paul , All , Is there a url listing the TLD's that officially use wild cards in their deployment ? TIa , JimL On Sat, 20 Sep 2003, Paul Vixie wrote: this feature is only in the latest release candidate is 9.2.3rc3. our patches to 9.2.2 and 9.1 only

Re: ICANN asks VeriSign to pull redirect service

2003-09-23 Thread Jack Bates
John Dvorak wrote: and the response from Russell Lewis: http://www.icann.org/correspondence/lewis-to-twomey-21sep03.htm expletive deleted! The Internet works perfectly fine for years. They make a change which is confirmed to disrupt service. Instead of restoring the stable state while

Re: Verisign Responds

2003-09-23 Thread Paul Vixie
... We recommend that any and all TLDs which use wildcards in a manner inconsistent with this guideline remove such wildcards at the earliest opportunity. What else does the IETF need to do here? issue an rfc. iab is not a representative body, and their opinions are not refereed.

Re: bind 9.2.3rc3 successful

2003-09-23 Thread Jack Bates
Paul Vixie wrote: i do not expect the ietf to say that root and tld zones should all be delegation-only. but good luck trying. It hasn't been that large an issue in the past, and as pointed out by some, the countermeasures are just as harmful. I hope that delegation-only is only a temporary

Re: Verisign Responds

2003-09-23 Thread Daniel Karrenberg
On 23.09 14:34, Paul Vixie wrote: What else does the IETF need to do here? issue an rfc. iab is not a representative body, and their opinions are not refereed. brilliant_draft = rfc-format(relevant(good(iab-statement)) + night_sleep(own-ideas)); suggest(dnsop-wg, brilliant_draft);

Re: Windows updates and dial up users

2003-09-23 Thread Henry Yen
On Mon, Sep 22, 2003 at 10:02:57AM -0700, Owen DeLong wrote: Ok then different idea, assuming that we're all agreed its MS's responsibility to ensure users are patched promptly and without extra cost to the end user. The problem is that while we agree, Micr0$0ft does not. They feel

RE: Verisign Responds

2003-09-23 Thread Jeroen Massar
Paul Vixie wrote: We recommend that any and all TLDs which use wildcards in a manner inconsistent with this guideline remove such wildcards at the earliest opportunity. What else does the IETF need to do here? issue an rfc. iab is not a

Re: Verisign Responds

2003-09-23 Thread bmanning
On 23.09 14:34, Paul Vixie wrote: What else does the IETF need to do here? issue an rfc. iab is not a representative body, and their opinions are not refereed. brilliant_draft = rfc-format(relevant(good(iab-statement)) + night_sleep(own-ideas)); suggest(dnsop-wg,

FW: ISS Security Brief: ProFTPD ASCII File Remote Compromise Vulnerability

2003-09-23 Thread Ingevaldson, Dan (ISS Atlanta)
-Original Message- From: ISS XForce Sent: Tuesday, September 23, 2003 10:54 AM To: [EMAIL PROTECTED] Subject: ISS Security Brief: ProFTPD ASCII File Remote Compromise Vulnerability *** PGP SIGNATURE VERIFICATION *** *** Status: Good Signature *** Signer: X-Force [EMAIL PROTECTED]

Re: Providers removing blocks on port 135?

2003-09-23 Thread Mike Tancsa
At 01:55 PM 21/09/2003, Justin Shore wrote: On Sun, 21 Sep 2003, Mike Tancsa wrote: Yes, this is all too familiar. Luckily it was not so acute for us. The porn company in question was using legit credit cards and we knew where they were located. We too got to the point where I had to

Re: Providers removing blocks on port 135?

2003-09-23 Thread Jack Bates
Mike Tancsa wrote: Local government has nothing to do with it. It was just some dime a dozen porn company. Back to the everyone's doing it, so let's not bother syndrome. -Jack

Re: bind 9.2.3rc3 successful

2003-09-23 Thread Jack Bates
Dan Riley wrote: It breaks a few things we care about--for example, www.ithaca.ny.us is a naked CNAME in the us root: There's no reason to force .us as delegate only. Force com and net to delegate only and you'll have the Internet as it was before this debate started. -Jack

Re: bind 9.2.3rc3 successful

2003-09-23 Thread Paul Vixie
Now all I need is a patched version of the 9.3 snapshot tree, so I don't need to kill my dnssec stuff :P (And it's time for a non-snapshot bind version with full dnssec capabilities anyway :) if you ask that question on [EMAIL PROTECTED], i promise to answer. but i do not think details of

Re: Providers removing blocks on port 135?

2003-09-23 Thread Jack Bates
Mike Tancsa wrote: I am not advocating that at all. (everyone's doing it, so let's not bother) However, I don't see what the municipal government has to do with a matter like this. I imagine it's a civil issue where you have to get the lawyers involved :( Certainly if the company persisted,

Re: bind patches++ (Re: Wildcards)

2003-09-23 Thread Paul Vixie
Hello Paul , All , Is there a url listing the TLD's that officially use wild cards in their deployment ? nope. right now you just have to know. we're trying to keep a list of places that either use wildcards and have been accepted by the community, or don't use wildcards but run

Re: Providers removing blocks on port 135?

2003-09-23 Thread Mike Tancsa
At 01:18 PM 23/09/2003, Jack Bates wrote: Mike Tancsa wrote: I am not advocating that at all. (everyone's doing it, so let's not bother) However, I don't see what the municipal government has to do with a matter like this. I imagine it's a civil issue where you have to get the lawyers involved

Re: Windows updates and dial up users

2003-09-23 Thread Owen DeLong
If you bought your Windows from an OEM, you're pretty much screwed because Micr0$0ft has transferred all responsibility to the OEM, and, the OEMs don't want to issue refunds because that costs them on their deal with Micr0$0ft. (A questionable business practice on M$ part, at best). However, every

Re: bind 9.2.3rc3 successful

2003-09-23 Thread Stephen L Johnson
On Tue, 2003-09-23 at 01:35, William Allen Simpson wrote: Thought I'd mention that I helped setup BIND 9.2.3rc3 on a yellowdog linux powercomputing machine tonight. It worked. And the mail queues began clearing out. Just for an oddball success report. I upgrade our DNS server the

Re: Verisign Responds

2003-09-23 Thread Paul Vixie
I wonder btw why Verisign didn't catch the typos in their own domains if they think it is that important: ... ;; QUESTION SECTION: ;.verisign.com. IN A wildcards don't work that way. there are ns rr's in .com for verisign.com, so you get a referral to those servers no

Re: Verisign Responds

2003-09-23 Thread Jack Bates
Paul Vixie wrote: wildcards don't work that way. there are ns rr's in .com for verisign.com, so you get a referral to those servers no matter whether a *.com wildcard exists or not. I think the point was that if catching typographical errors was so important to verisign, they would have created

Re: Verisign Responds

2003-09-23 Thread Dan Hollis
On Tue, 23 Sep 2003 [EMAIL PROTECTED] wrote: On Mon, 22 Sep 2003, Dave Stewart wrote: Courts are likely to support the position that Verisign has control of .net and .com and can do pretty much anything they want with it. ISC has made root-delegation-only the default behaviour in the

Re: Verisign Responds

2003-09-23 Thread bmanning
On Tue, 23 Sep 2003 [EMAIL PROTECTED] wrote: On Mon, 22 Sep 2003, Dave Stewart wrote: Courts are likely to support the position that Verisign has control of .net and .com and can do pretty much anything they want with it. ISC has made root-delegation-only the default behaviour

Re: Verisign Responds

2003-09-23 Thread Matthew Richardson
Paul Vixie [EMAIL PROTECTED] wrote:- We recommend that any and all TLDs which use wildcards in a manner inconsistent with this guideline remove such wildcards at the earliest opportunity. What else does the IETF need to do here? issue an rfc.

Re: Verisign Responds

2003-09-23 Thread Crist Clark
[EMAIL PROTECTED] wrote: On Tue, 23 Sep 2003 [EMAIL PROTECTED] wrote: On Mon, 22 Sep 2003, Dave Stewart wrote: Courts are likely to support the position that Verisign has control of .net and .com and can do pretty much anything they want with it. ISC has made

Re: Verisign Responds

2003-09-23 Thread Dan Hollis
On Tue, 23 Sep 2003 [EMAIL PROTECTED] wrote: On Tue, 23 Sep 2003 [EMAIL PROTECTED] wrote: On Mon, 22 Sep 2003, Dave Stewart wrote: Courts are likely to support the position that Verisign has control of .net and .com and can do pretty much anything they want with it. ISC has

Re: Verisign Responds

2003-09-23 Thread Randy Bush
it would just make wildcards illegal in top level domains, not subdomains. there are tlds with top level wildcards that are needed and in legitimate use. verisign has not done anything strictly against spec. this is a social and business issue. all this noise and bluster is depressing.

Re: Verisign Responds

2003-09-23 Thread bmanning
On Tue, 23 Sep 2003 [EMAIL PROTECTED] wrote: On Tue, 23 Sep 2003 [EMAIL PROTECTED] wrote: On Mon, 22 Sep 2003, Dave Stewart wrote: Courts are likely to support the position that Verisign has control of .net and .com and can do pretty much anything they want with

Foundry BigIron series

2003-09-23 Thread Will Yardley
We're considering switching to Foundry BigIrons (probably the 4000, as opposed to Cisco 6500 series switches. We're currently using 7206VXRs). Anyone have opinions (on or off list) on this product? Looking through the archives, I don't notice any discussions of this since about 2001 [1].

Re: Verisign Responds

2003-09-23 Thread Randy Bush
let's try this again... why should a valid DNS protocol element be made illegal in some parts of the tree and not others? if it's bad one place, why is it ok other places? because some engineers think that all social and business problems can be solved by technical hacks.

Re: Verisign Responds

2003-09-23 Thread Kevin Loch
Daniel Karrenberg wrote: What else does the IETF need to do here? Recognize the legacy status of certain zones and establish strict criteria for making configuration changes to them. This would be in addition to any guidance for all zones with delegations. KL

RE: Foundry BigIron series

2003-09-23 Thread Joel Perez
Hey Will, I do not have experience using any Foundry boxes. I do however use Riverstone extensively; my whole network is composed of RS boxes ranging from RS3000's up to RS8600's. I have an RS8600 handling my core routing right now! I'm taking full bgp tables from 3 upstreams and several gig and

Re: Verisign Responds

2003-09-23 Thread Stephen J. Wilcox
On Tue, 23 Sep 2003 [EMAIL PROTECTED] wrote: On Tue, 23 Sep 2003 [EMAIL PROTECTED] wrote: On Tue, 23 Sep 2003 [EMAIL PROTECTED] wrote: On Mon, 22 Sep 2003, Dave Stewart wrote: Courts are likely to support the position that Verisign has control of .net and .com

Re: Verisign Responds

2003-09-23 Thread Andy Walden
On Tue, 23 Sep 2003 [EMAIL PROTECTED] wrote: On Tue, 23 Sep 2003 [EMAIL PROTECTED] wrote: On Tue, 23 Sep 2003 [EMAIL PROTECTED] wrote: On Mon, 22 Sep 2003, Dave Stewart wrote: Courts are likely to support the position that Verisign has control of .net and

Re: Verisign Responds

2003-09-23 Thread Eliot Lear
Randy Bush wrote: it would just make wildcards illegal in top level domains, not subdomains. there are tlds with top level wildcards that are needed and in legitimate use. verisign has not done anything strictly against spec. this is a social and business issue. And this in itself indicates a

monkeys.dom UPL being DDOSed to death

2003-09-23 Thread Raymond Dijkxhoorn
Hi! After Osirusoft was shut down most likely Infinite-Monkeys are doing down also ?? See: [Mimedefang] monkeys.dom UPL being DDOSed to death Jon R. Kibler [EMAIL PROTECTED] Tue Sep 23 14:15:01 2003 Greetings to all: I have some really sad news. I just got off the telephone with Ron

Re: Verisign Responds

2003-09-23 Thread Vadim Antonov
On Tue, 23 Sep 2003, Randy Bush wrote: some engineers think that all social and business problems can be solved by technical hacks. Dunno about some engineers, but engineers in general can do a lot to avoid creation of many problems in the first place. This wildcard flop is a perfect

Re: Verisign Responds

2003-09-23 Thread Kee Hinckley
At 11:47 AM -0700 9/23/03, [EMAIL PROTECTED] wrote: let's try this again... why should a valid DNS protocol element be made illegal in some parts of the tree and not others? if it's bad one place, why is it ok other places? There's a simple answer and a not so simple. The

Re: Verisign Responds

2003-09-23 Thread Jack Bates
Dan Hollis wrote: On Tue, 23 Sep 2003 [EMAIL PROTECTED] wrote: On Mon, 22 Sep 2003, Dave Stewart wrote: Courts are likely to support the position that Verisign has control of .net and .com and can do pretty much anything they want with it. ISC has made root-delegation-only the default

Re: Verisign Responds

2003-09-23 Thread Rich Braun
Leo Bicknell wrote: Looks like the lawsuits are going to be the ones to settle this dispute...anyone think there's a chance of ICANN pulling .COM and .NET from Verisign due to breach of contract? I think it's highly unlikely. Dave Stewart wrote: Oh, I dunno... ICANN has no teeth, so that won't

Re: monkeys.dom UPL being DDOSed to death

2003-09-23 Thread Dan Hollis
On Tue, 23 Sep 2003, Raymond Dijkxhoorn wrote: After Osirusoft was shut down most likely Infinite-Monkeys are doing down also ?? Anyone SERIOUSLY interested in designing a new PTP RBL system 100% immune to DDOS, please drop me a line. By seriously, i mean those who actually want to solve

Re: monkeys.dom UPL being DDOSed to death

2003-09-23 Thread Jack Bates
Raymond Dijkxhoorn wrote: [Mimedefang] monkeys.dom UPL being DDOSed to death Jon R. Kibler [EMAIL PROTECTED] Tue Sep 23 14:15:01 2003 The computer security industry really needs to figure out how to get law enforcement to take these attacks seriously. It would only take a few good

Re: Foundry BigIron series

2003-09-23 Thread Will Yardley
I've gotten some really useful responses off list. Sorry for the extra noise, but I'm going to summarize the responses to the list later today (for the archives)... I'm removing names, email addresses, company names and other identifying stuff in case anyone doesn't want to be quoted publicly,

[Fwd: monkeys.dom UPL DNSBL being DDOSed to death]

2003-09-23 Thread Matthew Sullivan
Forwarded for your information. That leaves 2 proxy DNSbls left - SORBS and DSBL... Looking at the stats for SORBS over at SDSC looks like SORBS is pretty ineffective thanks to the DDoS: (see: http://www.sdsc.edu/~jeff/spam/cbc.html) Original Message From: Jon R. Kibler

Detecting a non-existent domain

2003-09-23 Thread Kee Hinckley
Getting practical for a minute. What is the optimal way now to see if a given host truly exists? Assume that I can't control the DNS server--I need to have this code run in any (*ix) environment. Assume also that I don't want to run around specialcasing specific IP addresses or TLDs--this

Re: Verisign Responds

2003-09-23 Thread Dave Crocker
Folks, EL And this in itself indicates a possible failure in our model. When EL someone can do something that causes so much outrage, and we the EL community have no recourse, something is wrong. Maybe we're in the EL realm of politics, but our implementations reflect our values. Verisign

Re: monkeys.dom UPL being DDOSed to death

2003-09-23 Thread Mike Tancsa
http://www.openrbl.org is also offline due to a DDoS. ---Mike At 05:04 PM 23/09/2003, Joe St Sauver wrote: Hi, #This goes beyond spam and the resources that many mail servers are #using. These attacks are being directed at anti-spam organizations #today. Where will they point

Re: Providers removing blocks on port 135?

2003-09-23 Thread Justin Shore
On Tue, 23 Sep 2003, Mike Tancsa wrote: The credit cards in our case were legit. They were different numbers, but they were not stolen. That would make a difference. The credit card companies probably wouldn't care if you told them that the cards were being used by their customer for

Re: monkeys.dom UPL being DDOSed to death

2003-09-23 Thread Dan Hollis
On Tue, 23 Sep 2003, Joe St Sauver wrote: There are absolutely *no* consequences to their security inactivity, and because of that, none of us should be surprised that the problem is becoming a worsening one. china seems hellbent on becoming a LAN. i see the same thing eventually happening

Re: monkeys.dom UPL being DDOSed to death

2003-09-23 Thread Jason Slagle
On Tue, 23 Sep 2003, Jack Bates wrote: This goes beyond spam and the resources that many mail servers are using. These attacks are being directed at anti-spam organizations today. Where will they point tomorrow? Many forms of breaking through network security require that a system be DOS'd

Re: Detecting a non-existent domain

2003-09-23 Thread Dominic J. Eidson
On Tue, 23 Sep 2003, Kee Hinckley wrote: Getting practical for a minute. What is the optimal way now to see if a given host truly exists? Assume that I can't control the DNS Look for a SOA record for the domain - this should be the proper way to check for the existence of a domain, instead

Re: monkeys.dom UPL being DDOSed to death

2003-09-23 Thread Valdis . Kletnieks
On Tue, 23 Sep 2003 14:15:48 PDT, Dan Hollis said: china seems hellbent on becoming a LAN. i see the same thing eventually happening to networks which refuse to deal with their ddos sources. Well.. that's all fine and good, except we first need one large player to put their foot down and say

Re: monkeys.dom UPL being DDOSed to death

2003-09-23 Thread Jack Bates
Joe St Sauver wrote: Note that not all DNSBLs are being effectively hit. DNSBLs which run with publicly available zone files are too distributed to be easily taken down, particularly if periodic deltas are distributed via cryptographically signed Usenet messages (or other push channels). You can

Re: Detecting a non-existent domain

2003-09-23 Thread Jack Bates
Kee Hinckley wrote: Getting practical for a minute. What is the optimal way now to see if a given host truly exists? Assume that I can't control the DNS server--I need to have this code run in any (*ix) environment. Assume also that I don't want to run around specialcasing specific IP

RE: Detecting a non-existent domain

2003-09-23 Thread David Schwartz
On Tue, 23 Sep 2003, Kee Hinckley wrote: Getting practical for a minute. What is the optimal way now to see if a given host truly exists? Assume that I can't control the DNS Look for a SOA record for the domain - this should be the proper way to check for the existence of a domain,

Re: Detecting a non-existent domain

2003-09-23 Thread Daniel Roesen
On Tue, Sep 23, 2003 at 04:24:32PM -0500, Dominic J. Eidson wrote: Look for a SOA record for the domain - this should be the proper way to check for the existence of a domain, No, because there doesn't _have_ to be a SOA RR for a 2nd level domain. For example, in the .de TLD, there are (many)

Re: [Fwd: monkeys.dom UPL DNSBL being DDOSed to death]

2003-09-23 Thread Chris Lewis
Lewis, Chris [CAR:W669:EXCH] wrote: See cbl.abuseat.org. It's effectively a proxy DNSBL, and is more effective than any of the others. More effective than many of the more reasonable combo DNSBLs too. I should also mention that OPM and PSS (originally osirus's open socks proxy BL) are also

Re: monkeys.dom UPL being DDOSed to death

2003-09-23 Thread Joe Abley
On Tuesday, Sep 23, 2003, at 17:32 Canada/Eastern, [EMAIL PROTECTED] wrote: On Tue, 23 Sep 2003 14:15:48 PDT, Dan Hollis said: china seems hellbent on becoming a LAN. i see the same thing eventually happening to networks which refuse to deal with their ddos sources. Well.. that's all fine

Re: monkeys.dom UPL being DDOSed to death

2003-09-23 Thread Petri Helenius
Dan Hollis wrote: china seems hellbent on becoming a LAN. i see the same thing eventually happening to networks which refuse to deal with their ddos sources. This invites the question if the hijacked PC or the hijacker in the sunshine state is more guilty of the spam and ddos? I would

Re: monkeys.dom UPL being DDOSed to death

2003-09-23 Thread Dan Hollis
On Tue, 23 Sep 2003, Joe Abley wrote: If transit was uniformly denied to every operator who was not equipped to deal with DDoS tracking in a timely manner, I think 90% of the Internet would disappear immediately. it gets worse. there are operators who *are* equipped, but refuse to deal not

Re: monkeys.dom UPL being DDOSed to death

2003-09-23 Thread jlewis
On Tue, 23 Sep 2003, Jason Slagle wrote: It's somewhat funny. Quite some time ago, us IRC server operators warned about this same thing, and were mostly just told to not run IRC servers. A private IRC server with one user isn't much fun. The anti-spammers will likely just get told to not

Re: monkeys.dom UPL being DDOSed to death

2003-09-23 Thread Kai Schlichting
On 9/23/2003 at 5:16 PM, Mike Tancsa [EMAIL PROTECTED] wrote: http://www.openrbl.org is also offline due to a DDoS. And the ignorance of front-end personnel in LE agencies, unless you are the NY Times and claim $500,000 in purely fictitious damages, can be a bit frustrating. Spamcop and

Re: monkeys.dom UPL being DDOSed to death

2003-09-23 Thread Dan Hollis
On Wed, 24 Sep 2003, Petri Helenius wrote: Dan Hollis wrote: china seems hellbent on becoming a LAN. i see the same thing eventually happening to networks which refuse to deal with their ddos sources. This invites the question if the hijacked PC or the hijacker in the sunshine state is

RE: Detecting a non-existent domain

2003-09-23 Thread David Schwartz
Getting practical for a minute. What is the optimal way now to see if a given host truly exists? You first have to define what you mean by 'exists'. I have a machine here that I call 'stinky'. It's not on the Internet though. Does the 'host' 'stinky' exist? Assume that I can't

Follow up to: [Fwd: monkeys.dom UPL DNSBL being DDOSed to death]

2003-09-23 Thread Matthew Sullivan
Hi all, Sorry people I had forgotten about EasyNet.nl's proxy list (Wirehub) and for the record for a proxy spam blocker I don't rate the opm. Yours Matthew

Re: Detecting a non-existent domain

2003-09-23 Thread Daniel Roesen
On Tue, Sep 23, 2003 at 03:15:06PM -0700, David Schwartz wrote: As for 'fsck.de', a good argument can be made that this is not really a legal domain. It's a perfectly valid domain registered with DE-NIC. DE-NIC offers two types of domains: delegated and so-called MX-only domains, where

Re: Detecting a non-existent domain

2003-09-23 Thread Joe Abley
On Tuesday, Sep 23, 2003, at 18:15 Canada/Eastern, David Schwartz wrote: As for 'fsck.de', a good argument can be made that this is not really a legal domain. It's a host. Checking for an SOA is a good way to tell if a domain is valid, depending upon what you mean by 'domain' and 'valid'.

Re[2]: monkeys.dom UPL being DDOSed to death

2003-09-23 Thread Richard Welty
On Tue, 23 Sep 2003 18:12:11 -0400 (EDT) [EMAIL PROTECTED] wrote: These will, of course, get out of date and out of sync almost immediately. one wonders how many private blocking lists still have the old aegis netblocks in them. i make it a point to date entries in my lists and

Re: Foundry BigIron series

2003-09-23 Thread Will Yardley
Here are the responses I got so far, trimmed and edited. Thanks once again - I got way more than I bargained for in the way of responses. I did also receive a response directly from someone at Foundry, (with at least one of the expected emails from $SALES_DROID at $COMPETITOR). Sorry for the

Re: [Fwd: monkeys.dom UPL DNSBL being DDOSed to death]

2003-09-23 Thread Paul Vixie
[EMAIL PROTECTED] (Matthew Sullivan) writes: ... That leaves 2 proxy DNSbls left - SORBS and DSBL... well, and, there's the MAPS OPL, which is also part of the RBL+. (just 'cuz i'm not operationally involved with maps doesn't mean i stopped subscribing.) -- Paul Vixie

Re: Verisign Responds

2003-09-23 Thread Paul Vixie
It's still to be seen if ISC's cure is worse than the disease; as instead of detecting and stopping wildcard sets, it looks for delegation. that's because wildcard (synthesized) responses do not look different on the wire, and looking for a specific A RR that can be changed every day or even

Re: monkeys.dom UPL being DDOSed to death

2003-09-23 Thread John Payne
--On Tuesday, September 23, 2003 6:11 PM -0400 Kai Schlichting [EMAIL PROTECTED] wrote: - BGP anycast, ideally suited for such forwarding proxies. Anyone here feeling very adept with BGP anycast (I don't) for the purpose of running such a service? This is a solution that has to be

Re: monkeys.dom UPL being DDOSed to death

2003-09-23 Thread Dan Hollis
On Tue, 23 Sep 2003, John Payne wrote: --On Tuesday, September 23, 2003 6:11 PM -0400 Kai Schlichting [EMAIL PROTECTED] wrote: - BGP anycast, ideally suited for such forwarding proxies. Anyone here feeling very adept with BGP anycast (I don't) for the purpose of running such a

Re: monkeys.dom UPL being DDOSed to death

2003-09-23 Thread John Payne
--On Tuesday, September 23, 2003 4:56 PM -0700 Dan Hollis [EMAIL PROTECTED] wrote: On Tue, 23 Sep 2003, John Payne wrote: --On Tuesday, September 23, 2003 6:11 PM -0400 Kai Schlichting [EMAIL PROTECTED] wrote: - BGP anycast, ideally suited for such forwarding proxies. Anyone here feeling

RE: Detecting a non-existent domain

2003-09-23 Thread Kee Hinckley
At 3:15 PM -0700 9/23/03, David Schwartz wrote: How would you do this before? Does an A record for a hostname mean that a host with that name exists? If so, then all *.com 'hosts' now 'exist'. If not, what did you mean by exist before? Okay, let's be very specific. I need to know if a given

RE: Detecting a non-existent domain

2003-09-23 Thread David Schwartz
At 3:15 PM -0700 9/23/03, David Schwartz wrote: How would you do this before? Does an A record for a hostname mean that a host with that name exists? If so, then all *.com 'hosts' now 'exist'. If not, what did you mean by exist before? Okay, let's be very specific. I need to know if

Lucent/Avaya Cajun experiences

2003-09-23 Thread Andy Grosser
This request is largely for anecdotal/historical purposes. The recent Foundry/Riverstone posts reminded me of a topic I'd kept meaning to broach. My organization will probably be replacing all of our L2/L3 Lucent/Avaya Cajun switches in the next few months with Catalyst 65XX series boxes. Our

Re: monkeys.dom UPL being DDOSed to death

2003-09-23 Thread Geo.
Ron, good luck with it. You're stuck between a rock and a hard place. If you down it the kiddies win again, and will feel they can bully the next guy. If you don't your network is crippled. It's a no win situation. If any of the dos'ed to death rbls really wants to get back at the

New CA Law

2003-09-23 Thread Leo Bicknell
Word is Gray Davis signed this law, http://info.sen.ca.gov/pub/bill/sen/sb_0151-0200/sb_186_bill_20030911_enrolled.html today. It seems to be a pretty strong anti-spam bill. Given all the talk of black lists and DDOS's and the like does anyone think this will make a difference? Is anyone

Re: New CA Law

2003-09-23 Thread Joe St Sauver
Hi Leo, #Word is Gray Davis signed this law, #http://info.sen.ca.gov/pub/bill/sen/sb_0151-0200/ #sb_186_bill_20030911_enrolled.html today. It seems to be a pretty #strong anti-spam bill. Given all the talk of black lists and DDOS's #and the like does anyone think this will make a difference?

Re: monkeys.dom UPL being DDOSed to death

2003-09-23 Thread jlewis
On Tue, 23 Sep 2003, Geo. wrote: If any of the dos'ed to death rbls really wants to get back at the spammers it's easy. Write software that allows any ISP or business to use their mail servers and their customers/employees (via a forward to address) to maintain their own highly dynamic