Re: [dns-operations] [dDoS] Good discussion on the Rackspace attack and DNS resiliency
As to, “Yes, that clearly violates the TTL of the rrset, but wouldn't be over-all better for the health of the internet?”

Absolutely not!

Save us from decisions based on assumptions rather than fact! If you really believe that decisions based on ignorance are better, set your MTA to pick a recipient for email whenever the left-hand part is unrecognized.

As some others here would do, I also encourage my competitors to follow your idea.

James R. Cutler
james.cut...@consultant.com
PGP keys at http://pgp.mit.edu

On Dec 24, 2014, at 5:34 PM, Colm MacCárthaigh c...@stdlib.net wrote:

> There's a good question embedded in that discussion: when a resolver fails to get an answer from all of the authoritative nameservers for a domain, why not use the last known answer, even if it's stale. Yes, that clearly violates the TTL of the rrset, but wouldn't be over-all better for the health of the internet?
>
> On Wed, Dec 24, 2014 at 1:56 AM, Stephane Bortzmeyer bortzme...@nic.fr wrote:
>
>> https://news.ycombinator.com/item?id=8784210
>>
>> After the successful attacks against Rackspace, Namecheap, DNSsimple and 11, it is clear that dDoS attacks against DNS servers are very common this winter, and they succeed :-(
>
> --
> Colm

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
Re: [dns-operations] Current thinking on internal corporate/campus domain names
On Jun 24, 2014, at 12:29 PM, Robert Willmann robert.willm...@gordito.de wrote:

> The only situation where this wouldn't be advisable is if you face the possibility that the internal network at some point in time will be merged with the outside world.

It is never to engineer a solution based on predicting management behavior. Your internal/external network relationship may change at the whim of company ownership/management policy.

Real registered and assigned names and addresses help insulate your network (and you) from such caprice.
Re: [dns-operations] A reserved domain name for private use
On Jun 24, 2014, at 12:52 PM, Jim Reid j...@rfc1035.com wrote:

> On 24 Jun 2014, at 17:29, Robert Willmann robert.willm...@gordito.de wrote:
>
>> In my opinion it's a pity that there is no reserved domainname for the private use.
>
> A few attempts have been made to (sort of) do this. See RFCs 2606, 6761 and 6762.

Private name spaces suffer the same collision problem as RFC 1918 IPv4 addressing. Company A may create a private name space identical to that of company B.

First, this creates confusion if Company A and Company B must interoperate. Then, it hits the fan when Company A and Company B are merged in some fashion.

Good design insulates from caprice like this.
Re: [dns-operations] Current thinking on internal corporate/campus domain names
On Jun 23, 2014, at 4:28 PM, Kelly Setzer kelly.set...@wnco.com wrote:

> What is current thinking/accepted practice for internal domain names?
>
> * Registered domain name (e.g., somecompany.com)
> * Fantasy tld (e.g., .mycorp)
> * .local (collides zeroconf/mDNS)
>
> This is for use within a corporate/campus setting.

Recipe for Success:

1. Design your DNS namespace as if your network is intimately connected to the Internet.
2. Use internal subdomains for general end systems if needed.
3. Don’t serve the zones for internal subdomains to the Internet at large.
4. Keep in mind that DNS resolution .ne. reachability.
5. Last, but not least, expect policy change from your management about connectivity.

Ingredient 1 is key here.
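
Added example (not part of the thread and not any poster's code): a small Python lint for internal zone names that applies the points made in the messages above about registered names, .local, the reserved TLDs of RFC 2606/6761, and private name spaces colliding when two companies merge. The category names, the inventories and othercompany.net are constructed for illustration; the lists of registered domains are an assumed input.

```python
"""Added example: lint internal DNS zone names (all sample data is constructed)."""

# TLDs reserved by RFC 2606 / RFC 6761; RFC 6762 assigns .local to mDNS.
SPECIAL_USE = {"test", "example", "invalid", "localhost"}
MDNS_TLD = "local"


def labels(name):
    """Lower-case a name, drop the trailing root dot, split into labels."""
    return name.lower().rstrip(".").split(".")


def under(name, parent):
    """True if name is parent or a subdomain of it, compared label by label."""
    n, p = labels(name), labels(parent)
    return len(n) >= len(p) and n[-len(p):] == p


def classify(name, registered):
    """Category of an internal name, given the domains the org has registered."""
    if any(under(name, d) for d in registered):
        return "registered"
    tld = labels(name)[-1]
    if tld == MDNS_TLD:
        return "mdns-collision"
    if tld in SPECIAL_USE:
        return "special-use"
    return "unverified"  # fantasy TLD, or a name registered to someone else


def merge_collisions(zones_a, reg_a, zones_b, reg_b):
    """Zones both organisations use privately that neither has registered."""
    canon_a = {".".join(labels(z)) for z in zones_a}
    canon_b = {".".join(labels(z)) for z in zones_b}
    both = set(reg_a) | set(reg_b)
    return sorted(z for z in canon_a & canon_b
                  if classify(z, both) != "registered")


if __name__ == "__main__":
    # Constructed inventories for two hypothetical companies.
    a = ["corp.local", "hr.mycorp", "int.somecompany.com"]
    b = ["corp.local.", "HR.mycorp", "int.othercompany.net"]
    for zone in a:
        print(zone, "->", classify(zone, {"somecompany.com"}))
    print("merge collisions:",
          merge_collisions(a, {"somecompany.com"}, b, {"othercompany.net"}))
```

Matching is done on whole labels, so a look-alike such as notsomecompany.com is not treated as a subdomain of somecompany.com.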