Re: [dns-operations] Link-local IP addresses for a resolver?
On Wed, Sep 25, 2019 at 6:33 PM Joe Abley wrote:
>
> On 25 Sep 2019, at 18:18, Warren Kumari wrote:
>
> > Yes, the best practice and advice is to choose something random, but
> > network engineers are humans too, and if you had to remember and try to
> > tell someone over the phone to use fd5a:8109:a679:180a:45d3:d653:22:1
> > or fd00:1::1 as the default gateway, which would you rather do?
>
> You could choose something random then give the end-user a DNSSEC-signed DNS
> name instead of the address.

That only works once they have a working network, which is why I used the
example of "default gateway" and not "browse to
fd5a:8109:a679:180a:45d3:d653:22:1".

I've seen people encode the building number / floor / VLAN / etc. into the
network address; when you are configuring a router you almost always enter
the interface address instead of using DNS, etc. Having a deterministic and
easy to remember address is much, much easier at 3AM: I'm less likely to typo
fd00:13:1 than fde3:783e:127d:, etc.

I personally don't use ULAs / site local, but I fully understand why those
who do use easy addresses...

> So long as they are using a centralised resolver service with a long enough
> privacy policy, a different address family to do the resolution over and the
> operating system uses DoH by default, security is guaranteed and end-users
> gain the reliability of having large companies responsible for communicating
> their local network parameters instead of unreliable local technicians who
> are invariably up to no good. All we need is the universal deployment of
> IPv6, DNSSEC and DoH.

Yup, let me know once that's done and I'll buy you dinner :-P

Thanks,
W

> Joe

--
I don't think the execution is relevant when it was obviously a bad idea in
the first place. This is like putting rabid weasels in your pants, and later
expressing regret at having chosen those particular rabid weasels and that
pair of pants.
   ---maf

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Re: [dns-operations] Link-local IP addresses for a resolver?
> On 26 Sep 2019, at 10:39 am, John R Levine wrote:
>
> On Wed, 25 Sep 2019, Warren Kumari wrote:
>> ULAs are very far from unique -- there is a huge bias towards things which
>> humans can remember / cute names, etc. (this is very similar to the
>> "IPv6 space is nmap / scannable because people name hosts in
>> deterministic ways" - see some presentations from Fernando Gont).
>> There is a large ULA bias towards fd00::, fd10::, fdfd::,
>> fd00:dead:beef:, fd00:bad:coff:ee::.
>
> Sigh. If people don't follow the spec, not much we can do about that. My
> ULAs start with fde3:783e:127d: which I generated with a one line shell script
>
> $ jot -r -w%02x 10|rs

And BIND's test prefix is fd92:7065:b8e::/48 which was generated with

dd if=/dev/random bs=5 count=1 | od -tx1

for bits [9..48]

> Regards,
> John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
> Please consider the environment before reading this e-mail. https://jl.ly

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
Re: [dns-operations] Link-local IP addresses for a resolver?
On Wed, 25 Sep 2019, Warren Kumari wrote:
> ULAs are very far from unique -- there is a huge bias towards things which
> humans can remember / cute names, etc. (this is very similar to the
> "IPv6 space is nmap / scannable because people name hosts in
> deterministic ways" - see some presentations from Fernando Gont).
> There is a large ULA bias towards fd00::, fd10::, fdfd::,
> fd00:dead:beef:, fd00:bad:coff:ee::.

Sigh. If people don't follow the spec, not much we can do about that. My
ULAs start with fde3:783e:127d: which I generated with a one line shell script

$ jot -r -w%02x 10|rs

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
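The RFC 4193 section 3.2.2 procedure that John's jot one-liner and Mark's dd pipeline stand in for, written out as an added illustration (not code from the list, from BIND, or from any of the posters): the 40-bit Global ID is the low-order bits of SHA-1 over an NTP timestamp and an EUI-64, and a rough check flags the hand-picked prefixes Warren lists. The MAC address is constructed and the hexspeak word list is an assumption.

```python
import hashlib
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to the Unix epoch
HEXSPEAK = ("dead", "beef", "bad", "cafe", "babe", "face", "feed", "f00d")


def eui64_from_mac(mac: bytes) -> bytes:
    """Modified EUI-64 (RFC 4291 App. A): flip the U/L bit, insert ff:fe."""
    return bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:6]


def ntp64_now() -> bytes:
    """Current time as the 64-bit NTP timestamp RFC 4193 3.2.2 starts from."""
    now = time.time()
    secs = (int(now) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    frac = int((now - int(now)) * (1 << 32)) & 0xFFFFFFFF
    return secs.to_bytes(4, "big") + frac.to_bytes(4, "big")


def ula_global_id(eui64: bytes, ntp_ts: bytes) -> int:
    """Steps 3-5 of RFC 4193 3.2.2: SHA-1(timestamp || EUI-64), low-order 40 bits."""
    digest = hashlib.sha1(ntp_ts + eui64).digest()
    return int.from_bytes(digest[-5:], "big")


def ula_prefix(global_id: int) -> str:
    """fd00::/8 (fc00::/7 with the L bit set) followed by the Global ID is the /48."""
    bits = (0xFD << 40) | (global_id & ((1 << 40) - 1))
    h = f"{bits:012x}"
    return f"{h[0:4]}:{h[4:8]}:{h[8:12]}::/48"


def looks_hand_picked(prefix: str) -> bool:
    """Rough test for the bias Warren describes: low-entropy or hexspeak Global IDs.

    A random 40-bit Global ID practically never uses only three distinct nibbles;
    it can still contain a short word like "bad" by chance (roughly 1-2% of the
    time), so treat a hit as a reason to ask how the prefix was chosen, not proof.
    """
    groups = (prefix.split("/")[0].split("::")[0].split(":") + ["0"] * 3)[:3]
    gid = "".join(g.zfill(4) for g in groups)[2:12].lower()
    return len(set(gid)) <= 3 or any(word in gid for word in HEXSPEAK)


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")  # constructed MAC, not a real interface
    prefix = ula_prefix(ula_global_id(eui64_from_mac(mac), ntp64_now()))
    print(prefix, "hand-picked?", looks_hand_picked(prefix))
    for p in ("fd00:dead:beef::/48", "fdfd::/48", "fde3:783e:127d::/48"):
        print(p, "hand-picked?", looks_hand_picked(p))
```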
Re: [dns-operations] Link-local IP addresses for a resolver?
On 25 Sep 2019, at 18:18, Warren Kumari wrote:

> Yes, the best practice and advice is to choose something random, but
> network engineers are humans too, and if you had to remember and try to
> tell someone over the phone to use fd5a:8109:a679:180a:45d3:d653:22:1
> or fd00:1::1 as the default gateway, which would you rather do?

You could choose something random then give the end-user a DNSSEC-signed DNS
name instead of the address.

So long as they are using a centralised resolver service with a long enough
privacy policy, a different address family to do the resolution over and the
operating system uses DoH by default, security is guaranteed and end-users
gain the reliability of having large companies responsible for communicating
their local network parameters instead of unreliable local technicians who
are invariably up to no good. All we need is the universal deployment of
IPv6, DNSSEC and DoH.

Joe
Re: [dns-operations] Link-local IP addresses for a resolver?
On Tue, Sep 24, 2019 at 8:03 PM John R Levine wrote:
>
> On Wed, 25 Sep 2019, Mark Andrews wrote:
>
> > ISP’s advertising ULAs to customers have similar problems with
> > advertising LL to customers. The CPE should be the site boundary making
> > the ISP’s DNS servers unreachable from inside the customer’s network.
> >
> > DNS servers that are expected to be reached across sites need to be
> > globally unique addresses which ULA and LL are not.
>
> If a ULA isn't globally unique, something is pretty broken. Each ULA
> contains a 40 bit random global ID in the prefix that's there so ULAs on
> different networks won't collide if they happen to be connected. That's
> why the U stands for, you know, Unique.
>

ULAs are very far from unique -- there is a huge bias towards things which
humans can remember / cute names, etc. (this is very similar to the "IPv6
space is nmap / scannable because people name hosts in deterministic ways" -
see some presentations from Fernando Gont). There is a large ULA bias towards
fd00::, fd10::, fdfd::, fd00:dead:beef:, fd00:bad:coff:ee::.

Yes, the best practice and advice is to choose something random, but network
engineers are humans too, and if you had to remember and try to tell someone
over the phone to use fd5a:8109:a679:180a:45d3:d653:22:1 or fd00:1::1 as the
default gateway, which would you rather do?

W

> Regards,
> John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
> Please consider the environment before reading this e-mail.
> https://jl.ly

--
I don't think the execution is relevant when it was obviously a bad idea in
the first place. This is like putting rabid weasels in your pants, and later
expressing regret at having chosen those particular rabid weasels and that
pair of pants.
   ---maf
Re: [dns-operations] Link-local IP addresses for a resolver?
On Tuesday, 24 September 2019 22:54:28 UTC Mark Andrews wrote:
> ...
>
> DNS servers that are expected to be reached across sites need to be globally
> unique addresses which ULA and LL are not.

that's normal. i know of networks (enterprise and captive-ISP) using RFC 1918
ipv4 and ULA ipv6 whose internal DNS, like their internal point to points, are
not expected to be used globally and do not have globally unique addresses.

so, yes. but not every time.

--
Paul
Re: [dns-operations] Link-local IP addresses for a resolver?
>> ISP’s advertising ULAs to customers have similar problems with
>> advertising LL to customers.

> ULAs do not need scope IDs, so some of the problems are avoided.

As Mark later reminded us, ULAs are not normally routed across customer
boundaries. They work great within a single network, not so great from ISP to
customer.

In view of the fact that global IPv6 addresses are cheap and plentiful and are
likely to remain so, the solution here is pretty obvious.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
Re: [dns-operations] Link-local IP addresses for a resolver?
* Mark Andrews:

>> On 25 Sep 2019, at 6:13 am, John Levine wrote:
>>
>> In article you write:
>>> Florian Weimer wrote:
>>>> We added scope ID support to /etc/resolv.conf in upstream glibc a
>>>> couple of years ago, in 2008. I can easily see that others may not
>>>> have done this, so I agree that there could be problems.
>>>
>>> I did a bit of a survey in 2014 and found that prominent DNS
>>> libraries didn't support link-local addresses back then
>>> http://lists.cluenet.de/pipermail/ipv6-ops/2014-July/010035.html
>>> Maybe it's better now :-)
>>
>> How are they with RFC 4193 ULAs? I've been using a cache at a ULA on
>> my two-segment home network and it seems to work fine.
>>
>> (And why would you use link local rather than ULA for your DNS
>> resolver, anyway?)
>
> ISP’s advertising ULAs to customers have similar problems with
> advertising LL to customers.

ULAs do not need scope IDs, so some of the problems are avoided.
Re: [dns-operations] Link-local IP addresses for a resolver?
John Levine wrote:
>
> How are they with RFC 4193 ULAs? I've been using a cache at a ULA on
> my two-segment home network and it seems to work fine.

I would expect them to "just work" modulo the network connectivity issues
associated with ULAs mentioned by Mark.

The problem with link-local addresses is "which link?" so to answer that the
resolver address has to be scoped. When I looked, the common problem was to
store the resolver address as 16 bare bytes, which lacks space for the
interface scope, rather than sockaddr_in6, which includes the scope and other
complications. That's if the code parsed and ignored the scope; it was also
common to simply fail to parse the scoped address.

I also have vague worries about lurking bugs with RDNSS and DHCPv6 resolver
configuration: the addresses on the wire are bare and only implicitly scoped
to the interface they arrived on, which offers so many opportunities to make
mistakes.

Tony.
--
f.anthony.n.finch  http://dotat.at/
Thames, Dover, Wight, Portland, Plymouth: Southwesterly 5 to 7, occasionally
gale 8 at first in Thames, Dover and Wight. Slight or moderate in Thames, but
elsewhere mainly moderate or rough, although very rough at first in southwest
Plymouth. Rain or showers. Good, occasionally poor.
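The two failure modes Tony describes above (a link-local resolver address stored as 16 bare bytes, and RDNSS/DHCPv6 addresses that arrive bare and are only implicitly scoped), together with the scope-ID handling Florian mentions for /etc/resolv.conf, as an added illustration that is not code from the list, from glibc, or from any resolver library. The resolv.conf entry, interface names and RDNSS payload are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
ULA = ipaddress.ip_network("fc00::/7")  # RFC 4193 unique local addresses


@dataclass(frozen=True)
class ResolverAddr:
    """A resolver address plus the zone (interface) it is scoped to, if any.

    Keeping the zone next to the address is what sockaddr_in6 does and what
    "16 bare bytes" cannot do; that is the data-model bug Tony describes.
    """
    addr: ipaddress.IPv6Address
    zone: Optional[str] = None  # interface name or index; only meaningful for fe80::/10


def parse(text: str) -> ResolverAddr:
    """Parse 'fe80::1%eth0' style text; the part after '%' is kept, not dropped."""
    host, _, zone = text.partition("%")
    return ResolverAddr(ipaddress.IPv6Address(host), zone or None)


def classify(r: ResolverAddr) -> str:
    """Say whether the address answers 'which link?' before anyone tries to use it."""
    if r.addr in LINK_LOCAL:
        return "link-local (scoped)" if r.zone else "link-local (UNUSABLE: which link?)"
    if r.addr in ULA:
        return "ula"
    return "global"


def to_bare_bytes(r: ResolverAddr) -> bytes:
    """The lossy storage format: 16 bytes, scope silently discarded."""
    return r.addr.packed


def from_bare_bytes(raw: bytes) -> ResolverAddr:
    return ResolverAddr(ipaddress.IPv6Address(raw))


def from_rdnss(raw: bytes, receiving_ifname: str) -> ResolverAddr:
    """RDNSS (RFC 8106) and DHCPv6 carry 16 bare bytes; the scope is implicit
    and must be re-attached from the interface the option arrived on."""
    addr = ipaddress.IPv6Address(raw)
    return ResolverAddr(addr, receiving_ifname if addr in LINK_LOCAL else None)


if __name__ == "__main__":
    configured = parse("fe80::1%eth0")  # constructed resolv.conf nameserver entry
    print(classify(configured))
    print(classify(from_bare_bytes(to_bare_bytes(configured))))  # scope lost
    ra_option = bytes.fromhex("fe80" + "00" * 13 + "01")  # constructed RDNSS payload
    print(classify(from_rdnss(ra_option, "eth0")))
```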
Re: [dns-operations] Mass deletion of .tw sub-domains?
In our statistics, in the past year, about 4.1 million domain names were
registered in batches under the tw top-level domain. In fact, the number of
free domain name registrations during the Asian Games is not very significant
(up to less than 5% of the domain names are due to the Asian Games). The real
reason is that TWNIC has promoted the tw top-level domain from August 1st,
2018 to September 30th, 2018. The price during the promotion period is only
6.25% of the normal price (NT$50 vs NT$800), and the registration time is 1
year. Domain name merchants used this opportunity to register a large number
of tw (about 3.2 million) domain names. The data we monitored showed that
these domain names were mainly used in black and gray businesses such as
gambling, pornography and fraud. After the registration period has expired,
most of these domain names have not been renewed, and they have expired.

TWNIC promotion info: https://www.twnic.net.tw/doc/a_report/2018/domain.htm

zhangzaifeng
360netlab QIHOO

On 2019/9/25, 03:03, "dns-operations on behalf of Viktor Dukhovni" wrote:

> > On Sep 24, 2019, at 11:19 AM, Az wrote:
> >
> > One year ago, a .tw registrar NET-CHINESE announced a promotion to
> > celebrate 2018 Asian Games. They offer free .tw domain registration
> > without any restriction for one year. And now, the domains registered
> > during that promotion are expiring.
>
> Thanks, much appreciated! I think that clears up the mystery.
>
> --
> Viktor.