is http://www.isc.org/ops/dlv/.
--
Paul Vixie
dilute as to be powerless and
therefore trustworthy, but still barely potent enough to operate a DLV
zone.
--
Paul Vixie
can you say does not scale?
Indeed.
this is why we're trying to sign up some registrars, starting with alice's,
who can send us blocks of keys based on their pre-existing trust
relationships.
--
Paul Vixie
touch with the Real World!) to keep myself entertained.
You may flame when ready, Gridley.
isc depends on a lot of volunteers, i'm happy to hear of your availability
and i assume that joao will also be happy to hear it when he catches up on
[EMAIL PROTECTED]
--
Paul Vixie
... we're trying to sign up some registrars, starting with alice's,
who can send us blocks of keys based on their pre-existing trust
relationships.
so a key roll or change of delegation requires two levels of human
intervention to work?
no.
in the normal, non-DLV DNSSEC-bis
thanks for actual technalia.
i've also been warned that this isn't ops-related and told to move elsewhere.
( first, i suspect much of the confusion could come from your
thinking that the place up on skyline is *the* alice's restaurant.
*the* alice's restaurants are the ones in our own
jargon.
that's just bitterness, though.
--
Paul Vixie
The effect of Nanog is remarkable. All the hybrid cells became fully
converted to embryonic stem cells, said Jose Silva of the University of
Edinburgh, Scotland, who reported the findings in the journal Nature.
/current/msg00671.html
--
Paul Vixie
as an option,
but they all describe session-level redirection and most recommend that (as i
do) and some even say using dns for this is bad (as i do, but for different
reasons.)
--
Paul Vixie
://www.tenereillo.com/GSLBPageOfShameII.htm.
the references sections of those last three are particularly informative.
--
Paul Vixie
akamai's or ultradns's DNS GSLB services,
that's for sure.
--
Paul Vixie
of abnormally low DNS TTL?
i'm not as much interested in whether a technology causes no problems for its
operator as whether its cost:benefit is worthwhile to the internet community.
--
Paul Vixie
. pundits please note that
the fancy thing i'm recommending sit perfectly on top of the non-fancy
thing i'm recommending.
--
Paul Vixie
There is a new player on the block that I see more and more
http://www.infoblox.com/company/
infoblox isn't new. i'm familiar with them since they use BIND as their
DNS protocol engine, and are long time members of the ISC BIND Forum. i
recently did colour commentary for an
-party:
Dinner, hosted by the ISC.
this is pizza and beer in the warehouse but it'll allow cross-pollination.
--
Paul Vixie
http://news.bbc.co.uk/2/hi/technology/5209496.stm
.
see http://fm.vix.com/internet/security/superbugs.html for details.
--
Paul Vixie
[EMAIL PROTECTED] (Scott Weeks) writes:
From: Paul Vixie [EMAIL PROTECTED]
http://fm.vix.com/internet/security/superbugs.html
... I'd like to see ...jackbooted [US is implied in the text]
government thugs...kicking in a door somewhere ...
i apologize for writing so sloppily that you
*do*.
--
Paul Vixie
want to read. Spam is manageable problem
without the self appointed censors. Get over it and move on.
damn. i've been trolled. sorry everybody.
--
Paul Vixie
not become one. nanog has other useful purposes.
--
Paul Vixie
in the world is urgent to somebody somewhere.
not everything that happens on the internet is urgent to everybody on nanog.
there are too many topics (and too many botnets) for nanog to cover them all.
--
Paul Vixie
fyi:
---BeginMessage---
EARLY KEY ROLLOVER
---
In light of the recently announced OpenSSL security advisory: RSA Signature
Forgery (CVE-2006-4339), ISC has instigated an early rollover of the DLV Key
Signing Key (KSK). ISC recommends reconfiguration of resolvers to use the DLV
KSK published on
[EMAIL PROTECTED] (Paul Vixie) writes:
EARLY KEY ROLLOVER
---
In light of the recently announced OpenSSL security advisory: RSA Signature
Forgery (CVE-2006-4339), ISC has instigated an early rollover of the DLV Key
Signing Key (KSK). ISC recommends reconfiguration of resolvers to use
Francisco Bay Area,
covering topics from DNS to DHCP. Email [EMAIL PROTECTED]
--
Paul Vixie
unbudgeted expense and as a secondary burn it will make real
network problems harder to report.
--
ISC Training! October 16-20, 2006, in the San Francisco Bay Area,
covering topics from DNS to DHCP. Email [EMAIL PROTECTED]
--
Paul Vixie
remove the ISC training ad from my .signature for this post, since i've
gone way over my NANOG quota here -- three messages in 24 hours, oops.)
--
Paul Vixie
16-20, 2006, in the San Francisco Bay Area,
covering topics from DNS to DHCP. Email [EMAIL PROTECTED]
--
Paul Vixie
been spamming. and it may also be that they
are out of compliance with RFC 2182. but that would be like catching al
capone for income tax evasion just because you couldn't pin murder on him.
(OPNs = Other People's Networks)
--
Paul Vixie
% of all
queries it receives? and i say, um, no, why do you ask? and the answer
is always that's what the ultradns salesman told me. i can't argue with
their success, but i guess i am ready to quibble over their manners.
--
Paul Vixie
Hi Paul, just curious, someone over at UltraDNS called and told me my own
bind server is dropping 20% of queries. Can you please explain to me how did
they log into my systems?
:-)
, unless Eneco's chip works out
in which case all bets are off in a whole lotta ways.
--
Paul Vixie
over three years? spread out over 50 network owners that's ~$3K
a month. i don't see that happening in a consolidation cycle like this one,
but hope springs eternal. give randy and hank the money, they'll take care
of this for us once and for all.
--
Paul Vixie
all ears.)
--
Paul Vixie
If you have water for the racks:
we've all gotta have water for the chillers. (compressors pull too much power,
gotta use cooling towers outside.)
http://www.knuerr.com/web/en/index_e.html?products/miracel/cooltherm/cooltherm.html~mainFrame
i love knuerr's stuff. and with mainframes or
How long before we rediscover the smokestack? After all, a colo is an
industrial facility. A cellar beneath, a tall stack on top, and let physics
do the rest.
odd that you should say that. when building out in a warehouse with 28 foot
ceilings, i've just spec'd raised floor (which i usually
bear with me, this appears to be about DNS but it's actually about e-mail.
maps.vix.com has been gone since 1999 or so. mail-abuse.org is the new thing.
i've tried just about everything to get traffic toward the old domain name to
stop... right now there's a DNAME but it made no real
... the effect of causing the subscribers to reconfigure their mailers to
stop querying the now-dead RBL in question. what's the current thinking
on this?
one problem with this is that the pain is not felt by the misconfigured
folk, but by distant innocents.
i am one of those who
One thing you might consider is putting together a script to harvest email
addresses from whois records that correspond to the PTR for the querying
IPs. Add to that list abuse, postmaster, webmaster, hostmaster, etc @ the
poorly run domain. Then fire off a message explaining the situation
(this must be my week for past-sins penance related to RBLs.)
today someone whose e-mail was blocked when they tried to send it to an att
customer, asked the authors of RFC 2317 to please unblock their address. as
the only such author whose e-mail address hasn't changed since RFC publication
there; vs (b) hack up a BIND server so that it can
return a positive answer 1% of the time (chosen randomly).
--
Paul Vixie
and macros and e-lisp functions now. i just don't like the idea
of bouncing the stuff outright, since a lot of the senders will never guess
what went wrong. (i also appreciate the extra spam, for robot-training use.)
it's only a dozen messages a day, on average, and thus: idealism isn't dead.
--
Paul
that part of the inbound processing robotics, and i've
removed your /24 from the list.
--
Paul Vixie
getting people to fix their systems and stop querying the dead zone.
right you are. it sort of goes against my personal grain to cause folks'
mail to bounce when their only offense against the community is not reading
the qmail man page and understanding what the defaults are.
--
Paul Vixie
(i'm guessing kc will be on the phone soon, to get from them their data?)
...
A recent report from Deloitte said 2007 could be the year the internet
approaches capacity, with demand outstripping supply. It predicted bottlenecks
in some of the net's backbones as the amount of data overwhelms the
-Chris, still-waiting-for-the-rapture, wrote as follows:
(or did I miss the hue and cry on nanog-l about full pipes and no more fiber
to push traffic over? wasn't there in fact a hue and cry about a 1) fiber
glut, 2) only 4% of all fiber actually lit?)
:-). however, you did seem to miss the
Has anyone considered that perhaps google is not looking at beating
Microsoft but instead at beating TIVO, ABC, CBS, Warner Cable, etc?
sure, but...
You can't possibly believe that there is enough bandwidth to stream
HD video to everyone, that's just not going to happen any time soon.
[EMAIL PROTECTED] (Sean Donelan) writes:
... don't believe everything you read on the net.
you had me right up until that last part, which is completely unreasonable.
--
Paul Vixie
... don't believe everything you read on the net.
you had me right up until that last part, which is completely unreasonable.
I think it's not only reasonable, but is the only sane way to approach
content on the net. Why do you feel it's unreasonable? Or are you being
sarcastic?
-multicast-00 is what i
expect. note: i've drunk that koolaid and am helping on the distribution side.
--
Paul Vixie
[EMAIL PROTECTED] (Geo.) writes:
Multicast isn't going to help the phoneco atm network. ...
nothing can help, or for that matter save, the phoneco atm network.
--
Paul Vixie
plausible given recent events.)
--
Paul Vixie
during the two
decades that the internet existed before the web came along. the web is
an internet application, and the dns is part of the internet, not part of
the web. the rest of the article is equally horrific in its maltreatment
and ignorance of facts.
--
Paul Vixie
[EMAIL PROTECTED] (Dorn Hetzel) writes:
I preferred the darkness of PAIX back in the late 90's. We had a
christmas tree in our cage and it looked great in the dark :)
that was brian reid's idea, and it was a great one, and equinix-san-jose
was merely copying paix (where al and jay had just
by blackholing its domain names? if
so then i've got some phone calls to make.
--
Paul Vixie
...
Back to reality and 2007:
In this case, we speak of a problem with DNS, not sendmail, and not bind.
As to blacklisting, it's not my favorite solution but rather a limited
alternative I also saw you mention on occasion. What alternatives do you
offer which we can use today?
on any
since malware isn't breaking dns, and since dns not a vector per se,
the idea of changing dns in any way to try to control malware
strikes me as a way to get dns to be broken in more places more
often.
Well, once more people learn about DLV (especially the NS override
extension that
at the other end, authority servers which means registries and registrars
ought, as you've oft said, be more responsible about ripping down domains
used by bad people. whether phish, malware, whatever. what we need is
some kind of public shaming mechanism, a registrar wall of sheep if
From: [EMAIL PROTECTED] (Dave Rand)
...
We are not fighting technology. We are dealing with very well organized,
smart, and well-funded people.
We need to focus on solutions that we can deploy, which will address the
problems at hand, as we discover them. That means we will deploy
From: Dave Crocker [EMAIL PROTECTED]
To: Paul Vixie [EMAIL PROTECTED], nanog@merit.edu, Gadi Evron [EMAIL
PROTECTED]
Subject: Re: On-going Internet Emergency and Domain Names
offlist.
actually, not, according to the headers shown above.
Paul Vixie wrote:
a push-pull. first, advance
with *that*.
(but this is not the first time I've been irritated that I can't choose which
other humans to share the galaxy with and which ones I'd like to kick out.)
--
Paul Vixie
building the infrastructure of evil. if that's what
you meant by swamp-draining, then i apologize for misunderstanding you.
--
Paul Vixie
, and where abuse policy, economics, morality, bots,
web, e-mail, ftp, firewalls, uucp, and bitnet are considered irrelevant and
off-topic? i did my time in the messaging salt mines. i'm ready to graduate.
--
Paul Vixie
that permitted automated
lookups for the purpose of abuse reporting would be good, then in the ARIN
region, http://www.arin.net/policy/irpep.html says how you can suggest such.
--
Paul Vixie
71.6.213.96
--
Paul Vixie
And who, exactly, gets to tell IANA/ICANN how to do its job??
As far as I can tell, pretty much everyone on the planet... :-)
but you never LISTEN! :-)
since somebody made the mistake of cc'ing me, i actually saw this message even
though i long ago killed-by-thread the offtopic noise it's part of. here is:
What's weird is that they don't just return a 0-record NOERROR when you
do the follow-up A query, which would be the most logical
[EMAIL PROTECTED] (William Allen Simpson) writes:
Heads up on operational problem!
i block all gmail, too, and it causes me no operational problem at all.
--
Paul Vixie
That should read:
I have an internal datacenter. I need someone to come out and build
out a cage for me.
[EMAIL PROTECTED] has been known to take on that kind of project.
--
Paul Vixie
a brew (or more) in your honor as I consider this a significant
| contribution to the march of civilization.
|
| -W Sanders
| http://wsanders.net
+---
in general, we ought to be willing to implement almost anything if free beer
is going to be offered by non-criminal beneficiaries.
--
Paul Vixie
critical infrastructure to use a /48, then f-root's
operator will comply. if the RIR community changes its mind, then f-root's
operator will comply with that, too.
--
Paul Vixie
namespace than we do now,
and the coca cola company would probably see far fewer hits at COKE.COM
than they see now.
whether drc's idea is bad depends on what one thinks the internet is.
--
Paul Vixie
valid business reasons.
i wish that the community had the means to do revenue sharing with such
folks. carrying someone else's TE routes is a global cost for a point
benefit.
--
Paul Vixie
it working.
--
Paul Vixie
for this class of networks.
i don't think you can use route-views as a poster child for filtering having
been gotten right.
--
Paul Vixie
check API.
--
Paul Vixie
two replies here. i ([EMAIL PROTECTED]) said:
quagga ospf6d works great, and currently lacks only a health check API.
Donald Stahl [EMAIL PROTECTED] answered:
Health checks are unfortunately the most important aspect of a LB for some
people.
understood.
Can you elaborate on where you
It depends on the length of those TCP sockets. If you were load-balancing
the increasingly common video-over-http, it would be very unacceptable.
yes. i believe i said that my preferred approach works really well with UDP
and marginally well with current WWW. video over http is an example of
As with all things, the trick is to weigh the risk of disaster against the
probability of benefit and do whatever makes sense within your own
particular constraints.
is nobody using a host based solution to this? that is, are times when HA LB
is needed for TCP (like video over http) also
http://slashdot.org/article.pl?sid=07/07/12/1236231
http://www.thelocal.se/7869/20070712/
+redundancy gear. which had passed testing during
construction and subsequently, but eventually some component just wore out.
--
Paul Vixie
of there.
2mW/floor seemed like a lot at the time. ~6kW/rack wasn't contemplated.
(is it time to build out the land adjacent to 200 paul, then?)
--
Paul Vixie
america, whenever i had a choice,
i chose hitec. (which spins with an axis parallel to gravity.)
--
Paul Vixie
seems i've been ignoring it for two years. sorry about that. all the
mail i had on this topic has been processed. check your entries. i'm
in the mood for more updates if anybody's got anything. note that CCCP
died and i replaced it with an entry for SFCCP, don't know if that's
correct. i'd
of a name server's resources.
...but this is flat out wrong, dead wrong, no way to candy coat it, wrong.
--
Paul Vixie
... but a TCP connection will consume a
significant amount of a name server's resources.
...wrong.
Wanting to understand this comment, ...
the resources given a nameserver to TCP connections are tightly
controlled, as described in RFC 1035 4.2.2. so while TCP/53 can become
unreliable during high load, the problems will be felt by initiators not
targets.
The relevant entry in Section 1035 4.2.2 recommends that the server
?
the DNSSEC design seems to distribute pain very fairly.
--
Paul Vixie
is. every
time someone sent me a BIND patch adding this kind of deliberate instability
(see RFC 1794 for an example) i said no.
--
Paul Vixie
Your comments have helped.
groovy.
When TCP is designed to readily fail, reliance upon TCP seems questionable.
i caution against being overly cautious about DNS TCP if you're using RFC 1035
section 4.2.2 as your basis for special caution. DNS TCP only competes
directly against other DNS
.
Even Paul Vixie, the author, will likely agree the RFC has the bug.
i'm only one author, but in any case i ain't sayin', since this is nanog,
and my only purpose in joining this thread is to say enough already! if
you want to know what i think about SRV's . rules, ask me in some forum
where
Does anyone use spamhaus drop list ?
http://www.spamhaus.org/drop/index.lasso
i do.
I'm glad to listen to opinions or experience.
no false positives yet. mostly seems to drop inbound tcp/53.
log all from table(29) to any
add deny log all from any to table(29)
If you do have a process in place, not only for routing but also for
your new customer order process, it is a useful source of information.
agreed.
--
Paul Vixie
of the moderators has a beef with your
provider - look out!
agree.
--
Paul Vixie
.
like anything else. remember, all power tools can kill. that's an argument
for using them correctly, more than it's an argument for living without them.
--
Paul Vixie
at http://www.e-gerbil.net/cogent-t1r there is a plain text document with
the following HTTP headers:
Date: Fri, 28 Sep 2007 21:56:34 GMT
Server: Apache/2.2.3 (Unix) PHP/5.2.3
Last-Modified: Fri, 28 Sep 2007 19:15:53 GMT
ETag: 92c1e1-a85-43b36ea5bcc40
Randy Epstein [EMAIL PROTECTED] wrote:
Clearly you can see the article was published by T1R in their Daily T1R
report: http://www.t1r.com/
(listed under The Daily T1R Headlines)
If you subscribe to the Daily T1R, you can find Dan's report issued today.
Sorry, T1R.com requires Flash 8 or
This is a proven maneuver and Cogent is not the first to do it.
i guess that without knowing who else these de-peered networks are customers
of, it's hard for an outsider to guess which ratios into cogent's network by
other peers will improve as a result of de-peering these networks. had you
in this stew pot together.
--
Paul Vixie