by any vendor, so
I'm not intending to pick on Extreme individually here.)
--
Paul Vixie
scale code review one gets from open source software engineering
is only a marginal solution to monocultural weakness vectors.
--
Paul Vixie
--
Paul Vixie
What do you think of OpenBSD still installing BIND4 as part of the
default base system and recommended as secure by the OpenBSD FAQ ?
(See Section 6.8.3 in http://www.openbsd.org/faq/faq6.html#DNS )
i think that bind4 was relatively easy for them to do a format string
audit on, and that
Homogeneous, in this context, does not mean similar platform
connectivity, but nodes with same degree connecting to each
other.
Ah, that makes it more clear. So a full mesh would be better? ;-)
no, fine grained peering would be better.
--
Paul Vixie
Deal Enables ISC to Mirror DNS Root Server in Additional U.S. Locations
http://biz.yahoo.com/bw/030210/102340_1.html
path to always have enough capacity makes planning crunchy.
(which sounds like the same thing as quoted above, but really isn't.)
--
Paul Vixie
For the past 15 months, NJABL has reactively tested systems that have
connected to participating SMTP servers to see if those systems are open
relays. ...
We do not consider what NJABL does abuse, ...
Jon,
If they are indeed only testing systems who connect to them, it's not
abuse,
i realize now that i may have misread my IDS reports from the scanning
i received from jon's blackhole list a few months ago, and that i have
no basis for my claim that he scanned every address i own. --paul
prober in asia right now who actually *is* an ISP, though, and so,
there's really no basis for discussion.
--
Paul Vixie
--
Paul Vixie
[EMAIL PROTECTED] (Martin Hannigan) writes:
I applaud RBL, spamcop, etc., but without funding and consolidation, it's
another waste of offensive time that could be spent on a far more
effective defense.
i had no idea that MAPS was unfunded. do tell.
--
Paul Vixie
scruz.net
X-Original-To: [EMAIL PROTECTED]
From: Gio Sico [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED]
Subject: I need help finding SAN-FRANCISCO.CA.US Registrar
Date:
check for updates and issue local mail is appealing, but
i'm more concerned about MIM when fetching update information than i am with
simply registering package version numbers, hosts, and e-mail addresses.
--
Paul Vixie
in addition to many public comments (cc'd to nanog or just sent there),
i received a number of private replies. here's a representative sample:
problem is if the default is off you will probably not catch the
clueless folk that you want to target, better would be default on and
the clueful
/whatever.
--
Paul Vixie
(*) best could mean lowest time to last byte, lowest latency for first
byte, lowest average latency for all segments, largest tcp window size,
fewest likely retime/retransmit events; and could be file size dependent
since a satellite connection will probably win on large files
the
steering wheel, and that no technological force will ever change that
fact. but that's not an excuse to design a car without brakes and then
use monopoly power to put other carmakers out of business.
--
Paul Vixie
Should ISPs control what applications their customers can run?
frankly and truly, i would be satisfied if isp's wouldn't run outlook/exchange
in their noc/abuse departments, so that they could safely accept mime-mail
rather than bouncing it as their only means of keeping themselves virus-free.
therefore
3) why would anyone ever run outlook
i love outlook2003. no joke, i use it every day. whenever i get an
attachment that seems reasonable and i need to open it, i put it in the
folder that outlook can see, and i read it. i also share a calendar (in
three directions) using
/irresponsibility
and the people who sell/buy/deploy/whatever the technology that strips or
bounces mime attachments because of what they might contain should get a
clue.
--
Paul Vixie
it will be.
--
Paul Vixie
block SYN/ACK's on input too, or else you just give the spammers a
little more work to do instead of a lot more work to do.
--
Paul Vixie
It's a sucky world sometimes. Perhaps Paul complained to
ATT/other-unnamed-provider with logs and such? :)
oh yes. i tried *several* ways to get their attention. however, this
kind of activity is so common these days that a noc literally has no
choice but to focus their efforts on less common
trustlessness is a lifestyle.
--
Paul Vixie
...are doing more to help spam than to stop it, in spite of themselves.
consider microsoft-yahoo-aol's big fad of the moment which is suing spammers
and blaming asia. the number one (#1) contributor to spam is open proxies
running on windows/xp, several of which are installed by default as side
gr.
telia has been on my list for 2.5 years now for this stuff.
let the public shaming begin, then.
four isp abusebots have rejected my complaints tonight because (gasp!)
i included a copy of the virus i was complaining about. cluestick please!
, implied consent, recourse, and standing.
so if ``someone'' writes this up, count me as a gratefulwilling reviewer.
--
Paul Vixie
[EMAIL PROTECTED] (Huopio Kauto) writes:
How about IODEF? Lots of CERT:s and company-internal abuse teams:s ticketing
systems are going to eat it with ease - if not now, soon.
please post a url so we can all take a look at the IODEF complaint format.
--
Paul Vixie
foo.vix.com, no matter who the local dhcp server was configured by.
but when i went about removing this sick behaviour from isc dhcp, it turned
out that many people depend on dhcp to get the only dns search list they
ever have. the world seems very strange to me sometimes.
--
Paul Vixie
listen up, you abusedeskers. if you aren't going to track spammers/abusers
WITHIN A FEW HOURS, don't bother, they're LONG GONE by that time. if you
want help from victims in keeping your network clean, READ THE COMPLAINTS.
if you want information intact by the time it reaches you, ACCEPT
We're losing the battle, aren't we?
no. a battle was held, but we didn't even show up. now the world is different.
took
the answer in that context, and I completely agree. Not so much that it's
what we are, that it's what they are fighting against.
But I moralize.
--
Paul Vixie
I'd estimate that less than a tenth of a percent (that's 0.1%) of
edge paths use RPF, even though BCP38 states the case clearly and the
technology makes it easy
Makes it easy if you live in an Internet with a number of routes
significantly less than the limit imposed for having stable RPF
adjacent to
o on the qwerty keyboard, or some other such problem.
--
Paul Vixie
, because
there's so much inertia to be overcome (patents, false starts, etc) but it
seems to me that computers and networks, with all their cryptogoo and mega-
computrons, should be able to make the average human's privacy better --
but so far they've only succeeded in making it worse.
--
Paul Vixie
... but so far they've only succeeded in making it worse.
Computers are absolutely capable of this, but as with security in
general the problem lies with the people that are controlling what
they do...
i agree, but we may mean different things. most people have no control
over what their
consent of the recipients.
watching the growth of the anti-ddos and anti-spam industries makes the
internet look like a grade school science fair project run amok.
--
Paul Vixie
the equivalent of big 8 (big 2 now?) accounting firms,
and these certifications will be prerequisite to getting BGP set up.)
--
Paul Vixie
http://www.oisafety.org/ announced the GA version of guidelines for security
vulnerability reporting and response process, v1.0, whose URL is
http://www.oisafety.org/reference/process.pdf
this is asynchronous to the NIAC presentation jim duncan gave at the
last nanog, but it's
firewalled inbound SYN packets and/or
only permitted inbound UDP in direct response to prior valid outbound UDP,
would rob really have seen a ~140Khost botnet this year?
--
Paul Vixie
However, since improvements are always welcome, please recommend tools
which would allow us to progress above and beyond C and its deficiencies.
I've never been able to program a buffer overrun vulnerability in Modula 3,
or Perl, or any version of Lisp or Scheme. It's possible that the
Private deployment of software written in C is very different from a
major public release, especially so when included with source code.
you're right. when i've been involved in non-opensource products which
were written in C and then shipped as binaries, i was scared to death
about the lack
, either. to get the attention of the
people who make this kind of decision in a company like ebay, you'd have to
go to the better business bureau, or congress. good luck storming the
castle, boys.
--
Paul Vixie
[EMAIL PROTECTED] writes:
And so we should do nothing?
of course not. but the first thing to do is ignore naysayers. anybody
who tells you something can't be done should be suspected of extreme and
pervasive laziness until either they or you prove otherwise.
--
Paul Vixie
list
the kinds of rpf you know of and why none can be used on a backbone.
--
Paul Vixie
How would the spoofing program, or its user, be able to tell if
it was successful? Unless I'm very confused, the definition of
spoofing is that the return packets aren't going to come back to you.
the whole thing would have to take place during a tcp control session
which used d-h to
port number will figure into the hash function, so
you won't multipath your tcp sessions.)
This is how f-root has worked for years. Look ma, no appliances.
--
Paul Vixie
I don't believe I ever said that the edges shouldn't filter... did I?
nope. but you said that backbones couldn't/wouldn't/shouldn't, and i
showed that transitivity = laundering, which means backbones MUST
filter, to within the best capabilities of current technology.
[EMAIL PROTECTED] (Petri Helenius) writes:
I'm constantly seeing responses to queries for AOL servers which come
in from different IP addresses than the query was sent to.
due to the weakness of the 16-bit query id field, bind will throw that
stuff away. the source address and port has to
squid-era cache now! thing.)
--
Paul Vixie
as a stub host
and your upstream routers will dtrt wrt flow hashing for udp or tcp traffic
(that is, the udp/tcp port number will figure into the hash function, so
you won't multipath your tcp sessions.)
This is how f-root has worked for years. Look ma, no appliances.
--
Paul Vixie
?
See http://www.rls.com/. Randy Sparks and Associates, in San Francisco.
--
Paul Vixie
i'm getting spammed from there...
[sa:i386] ./find-spam.pl 209.251.0.0/19
SELECT HOST(s.relay) AS relay, s.entered, s.md5, s.body_md5,
LENGTH(s.header)+LENGTH(b.body)+1 AS size, s.header
FROM spam s LEFT JOIN bodies b ON
[EMAIL PROTECTED] (Bil Herd) writes:
Anyone have positive or negative experiences with XO as a 'tier1'
provider? We are re-evaluating our backbone connections.
xo seems to have pretty good splay and we've seen no congestion or instability.
--
Paul Vixie
$foo.maps.vix.com zones in favour of their
corresponding replacements $bar.mail-abuse.org some years ago, i had the
foresight to ensure that no mail would be blocked by people who failed to
put in the configuration change. now you can all see why that was nec'y.
--
Paul Vixie
Someone has suggested 'anycasting'; what do people (particularly you,
Paul) think of using anycasting for a DNSbl? (- AS112 anyone?)
unowned anycast, such as that used in as112, is only possible when the
replies have no value (and thus need not be synchronized or centrally
authorized.)
?
--
Paul Vixie
that require active intermediation when downstreams misbehave.
you can have peace. or you can have freedom. don't ever count on having
both at once. -LL (RAH)
--
Paul Vixie
(backup?) MX's, and the spammers know this, and take advantage of it.)
--
Paul Vixie
situation where the good
guys follow the above policy and the bad guys do not, it's a slaughter.
--
Paul Vixie
That's why we must encourage all ISPs to be good guys, because we don't
want Government Regulators setting standards in these areas, do we?
if recent activity in the VoIP market is any indication, then we here
won't have much input as to when and how the ISP market gets regulated.
--
Paul
as for outgoing.)
see below.
Independent
Paul Vixie (Ed.)
Request for Comments:
Category: Experimental
June 6, 2002
Repudiating MAIL FROM
Status of this Memo
This memo describes an experimental procedure
these kids are usually spam victims and almost never spam perps.
--
Paul Vixie
are generally, by long standing tradition,
inconsistent.
the rest of the paper is also germane to this thread. just fya, we keep
rehashing the UNimportant part of this argument, and never progressing.
(from this, i deduce that we must be humans.)
--
Paul Vixie
. the problem microsoft has with software quality that
they have no competition, and their marketing people know that ship dates
will drive total dollar volume regardless of quality. (when you have
competition, you have to worry about quality; when you don't, you don't.)
--
Paul Vixie
networks like uunet.
--
Paul Vixie
192.5.5.241.53: 12388 SOA? 12.2.10.in-addr.arpa. (38)
16:34:47.981405 172.20.1.1.3436 > 192.5.5.241.53: 8189[|domain]
^C
3205 packets received by filter
0 packets dropped by kernel
--
Paul Vixie
gotten faster of late, and so have cpus/memory/motherboards.
--
Paul Vixie
dns techs in the industry. nothing that's happening with dot-com or dot-net
should be considered relevant to verisign's *root* servers in any way. the
*root* servers do not carry dot-com or dot-net, they just carry . itself,
and arpa, and in-addr.arpa, and in some cases root-servers.net.
--
Paul
) it. root server operators (see www.root-servers.org
for details) include verisign as one of 11 organizations worldwide. the
dot-com and dot-net zones, by comparison, are only served by verisign's
own servers, and i do not think that verisign will refuse to accept them.
--
Paul Vixie
a good idea at this point. I see nothing else as a
serious long-term technical solution.
sounds like mob rule to me -- count me out. so, block me first, i guess?
--
Paul Vixie
Anyone have a magic named.conf incantation to counter the verisign
braindamage?
zone com { type delegation-only; };
zone net { type delegation-only; };
Or does this require a patch to bind?
yes, it does. to be released shortly.
--
Paul Vixie
I trust your assessment of the DNS techs. But what about [their] bosses?
the ones i've met in recent years seemed like reasonable people.
They ordered some pretty lumpy things be done with .com and .net.
Given that track record, what's to stop them from ordering [the techs]
from doing
Can you also program something to do this for all root zones,
i.e. something like 'zone .* { type deligation-only; };'
no. not just because that's not how our internal hashing works, but
because hosted tld's like .museum have had wildcards from day 1 and
the registrants there are perfectly
So, Verisign just returns a NS pointer to another name server Verisign
controls which then answers the queries with Verisign's helpful web
site.
Half-life of the patch: 1 day?
i don't think so. verisign is on public record as saying that the reason
they implemented the wildcard was to
Following Internet Standards and to improve performance for all Internet
users, what if Verisign decided to start including other A records
directly in the .COM/.NET zones?
For example, the A records for the servers for the .COM/.NET zones?
funnily enough, that would work fine, since it
: zone com { type delegation-only; };
: zone net { type delegation-only; };
My first reaction to this was: 'yuck'.
mine also.
I'm not sure of the side-effects this will introduce. Anyone?
if verisign served a subdomain of com or net on the same server they use
for com or net, and if
Something like this can be seen on www.airow.com:
$ dig www.airow.com @a.gtld-servers.net
...
looks good to me, man.
; DiG 8.3 @f.6to4-servers.net www.airow.com a
; (2 servers found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
send dig results and we'll check it out. (not host,
and probably not to nanog.)
--
Paul Vixie
I've implemented the official ISC Bind hack on every single one of my
name servers and am pushing it and the configuration changes out to my
customers as a *required* upgrade.
that seems a bit extreme. shouldn't they get to decide this for themselves?
--
Paul Vixie
are tru64. try it, you'll like it.
but I would suggest any discussion about that move over to the BIND list
or the USENET gateway comp.protocols.dns.bind.
agreed, other than to clear up the above in the same forum where it was heard.
--
Paul Vixie
... shouldn't they get to decide this for themselves?
Returning NXDOMAIN when a domain does not exist is a basic
requirement. Failure to do so creates security problems. It is
reasonable to require your customers to fix known breakage that
creates security problems.
that sounds
How about rewriting all DNS responses to your liking? :-)
Like if you ask for www.register.com, you would get the A record for
www.verisign.com ?
done.
#fh:i386# ping -c 1 www.register.com
PING www.register.com (216.21.229.101): 56 data bytes
64 bytes from
i'm not sure how many people inside verisign, us-DoC, and icann agree
that COM and NET are a public trust, or that verisign is just a caretaker.
If there's a disagreement on this concept, we have *BIGGER* problems than
just DNS b0rkage.
yes. i'm sorry, i thought you knew that. well,
i don't think so. verisign is on public record as saying that the
reason they implemented the wildcard was to enhance the services
offered to the internet's eyeball population, who has apparently
been clamouring for this.
My question is, if this was to serve some need of internet
unless it's .museum or a non-root non-tld. i guess the ietf has a lot to
think about now.
re:
Date: Wed, 17 Sep 2003 09:58:40 -0500
From: Jack Bates [EMAIL PROTECTED]
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.4) Gecko/20030624
To: Paul Vixie [EMAIL PROTECTED]
Cc: [EMAIL
to the membership of the bind forum who make this possible.
--
Paul Vixie
-0400 (EDT)
From: Mr. James W. Laferriere [EMAIL PROTECTED]
To: Paul Vixie [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: bind patches++ (Re: Wildcards)
Hello Paul, Am I correct in the understanding that the below
tells me that 9.2.2p2 does NOT contain the ability to do
wondering if
i'm a verisign apologist lately and i believe that open debate is better
for this kind of thing.
--
Paul Vixie
Is it possible for the client resolver code to distinguish between a
wildcard answer and an explicit answer?
no.
If this was available, it would mail clients and other things
interested in the specific domain name could get the answers they
want. While other stuff would get the wildcard
, uniform dealing, and
nonconflict with the public's interest.
--
Paul Vixie
I have been following the various threads relating to Verisign and wanted
to make one comment that I feel has been missing. Simply put, I would like
to publicly express my appreciation to Mr. Vixie for taking the time to add
the root-delegation-only patch for Bind. I'm fairly new to NANOG,
else on the table or in existence today.
--
Paul Vixie
website: www.alt-servers.org.
what a BAD idea. worse than anything else on the table or in
existence today.
Splitting the root you mean? I'm not sure there was enough info on that
site to come to any other conclusion, but I wanted to make sure.
this is just dns piracy, dressed up
and it does seem rather urgent that if a wildcard in the root domain or in
a top level domain is dangerous and bad, that the ietf say so out loud so
that icann has a respected external reference to include in their contracts.
--
Paul Vixie
luck? What needs to be done to make this a
standard feature set? Is somebody working on an RFC?
i do not expect the ietf to say that root and tld zones should all be
delegation-only. but good luck trying.
--
Paul Vixie
...
We recommend that any and all TLDs which use wildcards in a manner
inconsistent with this guideline remove such wildcards at the earliest
opportunity.
What else does the IETF need to do here?
issue an rfc. iab is not a representative body, and their opinions
are not refereed.
Now all I need is a patched version of the 9.3 snapshot tree, so I
don't need to kill my dnssec stuff :P (And it's time for a
non-snapshot bind version with full dnssec capabilities anyway :)
if you ask that question on [EMAIL PROTECTED], i promise to answer.
but i do not think details of
Hello Paul, All, Is there a url listing the TLDs that
officially use wild cards in their deployment?
nope. right now you just have to know. we're trying to keep a list of
places that either use wildcards and have been accepted by the community,
or don't use wildcards but run
I wonder btw why Verisign didn't catch the typos in their
own domains if they think it is that important:
...
;; QUESTION SECTION:
;.verisign.com. IN A
wildcards don't work that way. there are ns rr's in .com for verisign.com,
so you get a referral to those servers no