Bad firewall/nameserver behaviour causing timeouts of DNS queries.

2016-06-21 Thread Mark Andrews

The following nameservers for Alexa top 1M names fail to respond
to EDNS queries with EDNS options specified or fail to respond to
consecutive EDNS queries.  These have been run through the checks
multiple times to reduce the probability of false positives as
timeouts can be due to multiple causes.

For many there are other errors that should also be addressed.

This misbehaviour can cause DNSSEC validation to FAIL when the
servers serve signed zones.

This misbehaviour does result in significantly slower DNS resolution
(multiple seconds).

You can test your servers at https://ednscomp.isc.org/

This is sent here because both SOA and whois contact details are
wrong too often to bother trying to send to these addresses even
if whois was easy to parse.

Please fix your firewalls / nameservers as they are causing operational
problems.

Mark
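
An added example, not part of the original message and not ISC's test code: a minimal probe that sends one plain EDNS query and one EDNS query carrying an option, so an operator can see whether the second is dropped. The function names, the SOA query type and option code 65001 (from the RFC 6891 local/experimental range) are assumptions made for illustration.

```python
import socket
import struct

def encode_name(name):
    """Encode a domain name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_edns_query(name, qid, opt_code=None, opt_data=b"", udp_size=4096):
    """SOA query with an EDNS(0) OPT record, optionally carrying one option."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 1)  # QD=1, AR=1
    question = encode_name(name) + struct.pack("!HH", 6, 1)   # SOA, IN
    rdata = b""
    if opt_code is not None:
        rdata = struct.pack("!HH", opt_code, len(opt_data)) + opt_data
    # OPT RR: root name, TYPE=41, CLASS=UDP size, TTL=0 (EDNS version 0)
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, len(rdata)) + rdata
    return header + question + opt

def classify(reply, qid):
    """Classify a reply (None means the query timed out)."""
    if reply is None:
        return "timeout"
    if len(reply) < 12:
        return "malformed"
    rid, flags = struct.unpack("!HH", reply[:4])
    if rid != qid or not flags & 0x8000:   # wrong ID or QR bit not set
        return "malformed"
    rcode = flags & 0x000F
    return {0: "ok", 1: "formerr", 5: "refused"}.get(rcode, "rcode=%d" % rcode)

def probe(server, name, qid, opt_code=None, timeout=3.0):
    """Send one UDP query to server port 53 and classify the outcome."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_edns_query(name, qid, opt_code), (server, 53))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify(reply, qid)

def compare(server, name):
    """'ok' then 'timeout' is the failure described above: option dropped."""
    return {"edns": probe(server, name, 0x1001),
            "edns+option": probe(server, name, 0x1002, opt_code=65001)}

# Constructed sample replies (header only) for offline checking of classify().
SAMPLE_OK = struct.pack("!HHHHHH", 0x1002, 0x8400, 1, 0, 0, 0)
SAMPLE_FORMERR = struct.pack("!HHHHHH", 0x1002, 0x8401, 1, 0, 0, 0)
```

Run `compare()` several times against your own server's address and one of its zones; a compliant server ignores the unknown option and answers both queries.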


Re: IPv4 Legacy assignment frustration

2016-06-21 Thread Christopher Morrow
How is this a problem with the RIR?

On Tue, Jun 21, 2016 at 11:01 PM, Suresh Ramasubramanian <
ops.li...@gmail.com> wrote:

> There is absolutely no budgeting for idiots.  Beyond a long hard process
> that is helped by internal escalations from affected people on a corporate
> network - ideally as senior as you can get - to their IT staff.  “Missouri
> isn’t in China, you nitwit.  Fix it or I, the CFO, will go have a word with
> the CIO and ..”
>
> In other words, have affected people escalate up the chain to the ISP or
> more likely corporate IT team that’s doing this sort of stupid filtering.
>
> > On 21-Jun-2016, at 8:07 PM, Spurling, Shannon  wrote:
> >
> > I am not sure how many on the list are Legacy resource holders from
> > before the RIR's were established, but there is an extremely short sighted
> > security practice that is being used across the internet.
> >
> > Apparently, the RIR that has been given "authority" for an IP prefix
> > range that was a legacy assignment is being used as a geographical locator
> > for those prefixes. For instance, we provide access for several /16's that
> > are in the 150/8 prefix that was set as APNIC. I am aware of quite a few
> > organizations in the US that have prefixes in that range. We have
> > registered our legacy resources with ARIN, but there are some people who
> > insist that somehow the state of Missouri must be part of China because...
> > "APNIC!". They set firewalls and access rules based on that, and are hard
> > pressed to not fix them.
> >
> > Is there any way to raise awareness to this inconsistency so that
> > security people will stop doing this?
>
>


Re: IPv4 Legacy assignment frustration

2016-06-21 Thread Suresh Ramasubramanian
There is absolutely no budgeting for idiots.  Beyond a long hard process that 
is helped by internal escalations from affected people on a corporate network - 
ideally as senior as you can get - to their IT staff.  “Missouri isn’t in 
China, you nitwit.  Fix it or I, the CFO, will go have a word with the CIO and 
..”

In other words, have affected people escalate up the chain to the ISP or more 
likely corporate IT team that’s doing this sort of stupid filtering.

> On 21-Jun-2016, at 8:07 PM, Spurling, Shannon  wrote:
> 
> I am not sure how many on the list are Legacy resource holders from before 
> the RIR's were established, but there is an extremely short sighted security 
> practice that is being used across the internet.
> 
> Apparently, the RIR that has been given "authority" for an IP prefix range 
> that was a legacy assignment is being used as a geographical locator for 
> those prefixes. For instance, we provide access for several /16's that are in 
> the 150/8 prefix that was set as APNIC. I am aware of quite a few 
> organizations in the US that have prefixes in that range. We have registered 
> our legacy resources with ARIN, but there are some people who insist that somehow 
> the state of Missouri must be part of China because... "APNIC!". They set 
> firewalls and access rules based on that, and are hard pressed to not fix 
> them.
> 
> Is there any way to raise awareness to this inconsistency so that security 
> people will stop doing this?



IPv4 Legacy assignment frustration

2016-06-21 Thread Spurling, Shannon
I am not sure how many on the list are Legacy resource holders from before the 
RIR's were established, but there is an extremely short sighted security 
practice that is being used across the internet.

Apparently, the RIR that has been given "authority" for an IP prefix range that 
was a legacy assignment is being used as a geographical locator for those 
prefixes. For instance, we provide access for several /16's that are in the 
150/8 prefix that was set as APNIC. I am aware of quite a few organizations in 
the US that have prefixes in that range. We have registered our legacy 
resources with ARIN, but there are some people who insist that somehow the state of 
Missouri must be part of China because... "APNIC!". They set firewalls and 
access rules based on that, and are hard pressed to not fix them.

Is there any way to raise awareness to this inconsistency so that security 
people will stop doing this?



Shannon Spurling

shan...@more.net



Re: Timeouts Loading Major Websites

2016-06-21 Thread Job Snijders
On Tue, Jun 21, 2016 at 06:13:10PM -0400, Christopher Morrow wrote:
> "the internet is on fire"
> 
> not as helpful a trouble report as one might want.
> 
> please provide at least (so everyone else can verify/help/troubleshoot):
>   1) from location X
>   2) site Y with protocol Z (which resolves to a.b.c.d currently)
>   3) traceroute to siteY (address a.b.c.d)

In addition to providing useful debug info, there are some good places
to check:

http://sqa.ring.nlnog.net/
(an attempt at outage correlation based on NLNOG RING data)

https://puck.nether.net/pipermail/outages/
(people (self-)reporting outages)

http://isitdownorjust.me/
http://www.downforeveryoneorjustme.com/
(self-test websites from various vantage points)

> otherwise... "sure major sites are slow, I also use a 300baud coupler
> modem these days though"

How did you know about the coupler? :)

- Job


Re: Timeouts Loading Major Websites

2016-06-21 Thread Christopher Morrow
"the internet is on fire"

not as helpful a trouble report as one might want.

please provide at least (so everyone else can verify/help/troubleshoot):
  1) from location X
  2) site Y with protocol Z (which resolves to a.b.c.d currently)
  3) traceroute to siteY (address a.b.c.d)

otherwise... "sure major sites are slow, I also use a 300baud coupler modem
these days though"

On Tue, Jun 21, 2016 at 5:14 PM, Dovid Bender  wrote:

> Major storms across the east coast.
>
> Regards,
>
> Dovid
>
> -Original Message-
> From: Josh Luthman 
> Sender: "NANOG"
> Date: Tue, 21 Jun 2016 17:09:49
> To: Matt Hoppes
> Cc: North American Network Operators' Group
> Subject: Re: Timeouts Loading Major Websites
>
> No issues on Frontier from Troy OH
>
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
> On Tue, Jun 21, 2016 at 5:06 PM, Matt Hoppes <
> mattli...@rivervalleyinternet.net> wrote:
>
> > Is anyone else seeing sporadic timeouts trying to load major websites
> > like Google or Facebook or SpeedTest.net?  I'm seeing it come and go on
> > both Frontier and Level3 on the east coast.
> >
>


Re: Timeouts Loading Major Websites

2016-06-21 Thread Dovid Bender
Major storms across the east coast.

Regards,

Dovid

-Original Message-
From: Josh Luthman 
Sender: "NANOG"
Date: Tue, 21 Jun 2016 17:09:49
To: Matt Hoppes
Cc: North American Network Operators' Group
Subject: Re: Timeouts Loading Major Websites

No issues on Frontier from Troy OH


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Tue, Jun 21, 2016 at 5:06 PM, Matt Hoppes <
mattli...@rivervalleyinternet.net> wrote:

> Is anyone else seeing sporadic timeouts trying to load major websites like
> Google or Facebook or SpeedTest.net?  I'm seeing it come and go on both
> Frontier and Level3 on the east coast.
>


Re: Timeouts Loading Major Websites

2016-06-21 Thread Josh Luthman
No issues on Frontier from Troy OH


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Tue, Jun 21, 2016 at 5:06 PM, Matt Hoppes <
mattli...@rivervalleyinternet.net> wrote:

> Is anyone else seeing sporadic timeouts trying to load major websites like
> Google or Facebook or SpeedTest.net?  I'm seeing it come and go on both
> Frontier and Level3 on the east coast.
>


Timeouts Loading Major Websites

2016-06-21 Thread Matt Hoppes
Is anyone else seeing sporadic timeouts trying to load major websites 
like Google or Facebook or SpeedTest.net?  I'm seeing it come and go on 
both Frontier and Level3 on the east coast.


Google Geolocation issue

2016-06-21 Thread Chris Boyd
Dear list readers, please forgive the noise, but if there's anyone here
from Google who can fix a geolocation issue I'd appreciate a reply.

208.81.245.226 is not in the UAE, it's in Austin, Texas.  Yes, I have
filled out the form to request a fix, but the AI or whatever that's
supposed to fix it has not, and we're well into 3 months after the first
report.

Thanks,

--Chris



Re: Recommendations, Colo Reno, Albuquerque, Phoenix, Las Vegas

2016-06-21 Thread Seth Mattinen

On 9/2/14 20:07, Stephen Satchell wrote:

On 09/02/2014 04:35 PM, Eric A Louie wrote:

Does anyone have recommendations for Colocation space in any of those 4 cities?

thanks
Eric



Co-location in Reno is a shrinking proposition.  The only place I know
about, and have toured, is:

Roller Networks
Seth Mattinen, CTO
3545 Airway Drive, Suite 114
Reno NV 89511
(775)284-0282 Ext 101
rollernetwork.com




I hate to resurrect a years old thread but for the archives Rollernet's 
correct phone number is: 775-284-0383


I'm just that behind on my NANOG (9k down to 2.4k this morning). Not 
really reading all 9k, more like liberal use of the "n" key.


~Seth


Re: Measuring the quality of Internet access

2016-06-21 Thread Baptiste Jonglez
Hi,

On Mon, Jun 13, 2016 at 10:11:47PM +0300, Max Tulyev wrote:
> Hi All,
> 
> I know there are many people from many countries.
> 
> Do you know something about mandatory measurements of Internet access
> quality from country telecom regulators? If yes, could you please share
> that information with me?

ARCEP, the telecom regulatory body from France, publishes regular reports
on the quality of Internet access:

  http://arcep.fr/index.php?id=8571&L=1&tx_gsactualite_pi1[uid]=1847

The methodology is described in the PDF (unfortunately, only available in
French, it seems).  See also:

  http://arcep.fr/index.php?id=11894&L=1

> I found ETSI EG 202 057-4 standard
> (http://www.etsi.org/deliver/etsi_eg/202000_202099/20205704/01.02.01_60/eg_20205704v010201p.pdf),
> but in fact it is about measurements inside operator's network, not
> Internet access itself.
> 
> Is it possible in general to measure the quality of Internet access? And
> if yes - how?




ARIN meeting schedule (was: Re: NANOG67 - Tipping point of community and sponsor bashing?)

2016-06-21 Thread John Curran
On Jun 20, 2016, at 11:37 PM, David Conrad  wrote:
> ...
> Among others, yes (hint: not all the IPv4 and IPv6 address space is managed 
> by the RIRs).

David is quite correct - IPv4 has significant portions which are administered
under specification of the IETF (and this is certainly the case of the IPv6
address space, the vast majority of which is administered under the
stewardship of the IETF.)

> ...
> Your statement posited the nonexistence of ARIN.  ARIN is a secondary for 
> in-addr.arpa and ip6.arpa (like the other RIRs) and maintains a registry for 
> the address blocks allocated to them by ICANN as the IANA Numbering Function 
> operator. If ARIN did not exist, then the reverse delegations for which ARIN 
> is authoritative could easily be managed by the other RIRs, the entities to 
> which ARIN currently delegates, or the myriad of other DNS registries. This 
> really isn't rocket science.

Also correct - the RIRs have discussed recovery scenarios necessary should
one of the RIRs experience a major operational event.  As David notes, this
is not rocket science, although it does require a modicum of preparation, both
in terms of planning and funding; e.g. 


However, the main thread of this discussion originated in response to
discussions of the meeting expenses of associations in general, including
some surprise that ARIN met this spring in Jamaica.  Everyone’s free to have
their own opinion on that, but just for information’s sake, I’d point out
that ARIN has a straightforward meeting schedule - we meet twice per year,
once jointly with NANOG in the fall, and once independently in the spring.
The fall meeting is at locations set by NANOG (and predominantly in the US)
so we try to alternate the spring meetings between our other two sectors -
Canada and Caribbean.  We have more than 25 countries in ARIN’s region, and
getting to the Caribbean once every other year is important for outreach to
folks in that area - for example, the attendance at the Jamaica meeting
showed very strong Caribbean participation (48 attendees from the Caribbean
out of 125 total) compared to the typical participant distribution at US and
Canada-based meetings.

Anyone who has suggestions or concerns about ARIN’s meeting schedule should
reach out with specifics to myself or other folks on the ARIN Board.

Thanks!
/John

John Curran
President and CEO
ARIN





