Re: Wikipedia drops support for old Android smartphones; mandates TLSv1.2 to read

2019-12-31 Thread DaKnOb
I still don’t see any multi-million dollar donation receipts though.. 

So if we want to do this, do we sacrifice security for the 99.9% or do we have 
Wikimedia pay the bill?

Oh, BTW, I have some network equipment with only 16-bit ASN support, or no 
large communities, or no IPv6, or no AES, or no BGP4, or no RPKI, or no [...] 
so I don’t know if it’s late but maybe we should revert at least some of those, 
because they’re not really needed.. The internet is broken anyways, so we don’t 
need more ASNs, or security, or connectivity anyways.. Oh, and it can do only 
10 Mbit Ethernet, so my buffers fill up with anything at GbE or above, can we 
scrap them too? 

On a serious note, I don’t think TLS does not provide validation of the server 
just because the Web PKI system is broken, and I don’t think TLS doesn’t 
provide security or privacy. And I also believe they are needed. There are many 
scenarios where they are vital.. 

- They protect against modifying content: now if an anonymous edit is made, 
everyone will see and revert it, without TLS everyone could see a different 
thing and we wouldn’t know. 
- They protect against knowing what people browse (privacy): I don’t want 
others to know what information I look up on Wikipedia, or at least more people 
than necessary. Someone mentioned that if I have this requirement I should work 
towards it. I think most people have this requirement and it’s easier if 
Wikipedia works towards it, than everyone setting up a network and peering 
directly with every website they want to use. 

I am usually in favor of replacing things if possible that hold back everyone 
else, even if it hurts. We’re not throwing away last year’s phones, but devices 
closing 10 years in life. If we want devices we want to keep, and reduce 
e-waste and all that, we should find a way to keep them up to date, not demand 
that nobody makes any progress.. If Android could get updates (I think it can 
now) we could just add TLS 1.2 and TLS 1.3 by backporting. No new features, 
just essentials. But for some reason, someone, not necessarily in the Android 
team, and for some reason, decided that it’s not a priority.

Would we accept network equipment that doesn’t receive updates? Maybe, due to 
cost. But should we, or just maybe put some pressure on the manufacturer to 
support it for more than 3 months?

There’s a debate on how long the new cars should receive software updates. 
People keep them for over 15 years. Should we replace our cars every 2? No. The 
manufacturers should support them for a reasonable period, and then we should 
accept that some features will stop working. 

Now you may say if the car manufacturer stops producing parts after 2 years, 
you can find some third party ones. Well, nobody stops you from operating a 
reverse proxy for Wikipedia at unsafewikipedia.org, but the pros and cons there 
are different.. 

> On 31 Dec 2019, at 17:12, Seth Mattinen  wrote:
> 
> On 12/31/19 12:50 AM, Ryan Hamel wrote:
>> Just let the old platforms ride off into the sunset as originally planned 
>> like the SSL implementations in older JRE installs, XP, etc. You shouldn't 
>> be holding onto the past.
> 
> 
> Because poor people anywhere on earth that might not have access to the newer 
> technology don't deserve access to Wikipedia, right? Gotta make sure 
> information is only accessible to those with means to keep "lesser" people 
> out.


Contact in ATU

2019-08-07 Thread DaKnOb
Hello,
Anyone by any chance has any contact info for ATU in Albania? Any type of 
contact should probably be fine, from what I’ve seen, not necessarily 
technical. 

Thanks,
Antonis 

Re: Whats going on at Cogent

2018-10-16 Thread DaKnOb
That’s also true.. If you have a 10G connection between two DCs, and they can’t 
hash the traffic, you can only use 1/4th or 1/5th of the connection. Basically 
it is 10G but only 2G per flow. If you get transit at both places and then use 
a tunnel, which is a different service and may not satisfy all requirements, 
then you can use the full 10G, even with one flow. Otherwise you need to split 
it into 5 or more flows. 

I guess people really don’t like Cogent judging by the fact that one unrelated 
email caused all this to happen again.. :-)

> On 16 Oct 2018, at 18:01, David Hubbard  wrote:
> 
> Yeah google is the issue for us.  We provide web services and a LOT of our 
> customers have software that is making calls of various types to Google 
> services, or even just email delivery to Google hosted email; if all but a 
> Cogent transit link to a given data center were down, all of those customers’ 
> sites would begin failing at some level because the servers generally try v6 
> if the application level wasn’t explicit.  Cogent doesn’t seem to care since 
> their CEO is in some pissing match with Google.  They must be deriving enough 
> revenue from last mile v4-only turn ups that they don’t really care about 
> dual stack customers.
>  
> That being said, can’t say I’ve been impressed with their MPLS / metroE 
> offerings either.  When doing the pricing/sizing routine on a project, I 
> learned that they have an internal concept of src-dst flows on those types of 
> circuits, and if they can’t see your labels, or otherwise hash the traffic, 
> or it all truly is point to point, you may not get the full bandwidth, or may 
> need to buy a capacity larger than what the flow will be.
>  
> From: NANOG  on behalf of DaKnOb 
> 
> Date: Tuesday, October 16, 2018 at 10:06 AM
> To: Dovid Bender 
> Cc: NANOG 
> Subject: Re: Whats going on at Cogent
>  
> When I call and mention it I’m told that it’s HE’s fault (despite the lovely 
> cake), but when I also bring Google, then they tell me to get a different 
> provider just for this traffic, or meet them at an IX and send my traffic 
> from there.
>  
> About the staff rotation I’ve seen it too, and I’ve also seen an increase in 
> salespeople calling, for example when an AS is registered etc. in addition to 
> the normal calls..
> 
> On 16 Oct 2018, at 16:54, Dovid Bender  wrote:
> 
> They call me every few months. the last time they emailed me I said I wasn't 
> interested because of the HE issue. I have yet to get another email...
>  
>  
> On Tue, Oct 16, 2018 at 9:29 AM, Ca By  wrote:
>  
>  
> On Tue, Oct 16, 2018 at 5:16 AM David Hubbard  
> wrote:
> Have had the same sales rep for several years now; unfortunately he has no 
> ability to fix their IPv6 peering issue so we’re slowly removing circuits, 
> but otherwise for a handful of 10gig DIA circuits it’s been stable.
>  
>  
> Yep, this.  Whenever Cogent calls, this is what i tell them. Black-holing HE 
> and Google ipv6 traffic, which is what they do if i use a default route from 
> them, is dead on arrival.  Shows they make bad decisions and dont put the 
> customer first, or even create such an illusion. 
>  
>  
> From: NANOG  on behalf of Ryan Gelobter 
> 
> Date: Tuesday, October 16, 2018 at 6:04 AM
> To: NANOG 
> Subject: Whats going on at Cogent
>  
> Anyone else seen terrible support and high turnover of sales/account people 
> at Cogent the last few months? Is there something going on over there 
> internally? I'm sure some people will say Cogent has always been crap but in 
> the past their account reps and support were pretty good. It seems to have 
> gone downhill the last 12 months really bad.
>  
> Regards,
> Ryan
>  


Re: Whats going on at Cogent

2018-10-16 Thread DaKnOb
When I call and mention it I’m told that it’s HE’s fault (despite the lovely 
cake), but when I also bring Google, then they tell me to get a different 
provider just for this traffic, or meet them at an IX and send my traffic from 
there.

About the staff rotation I’ve seen it too, and I’ve also seen an increase in 
salespeople calling, for example when an AS is registered etc. in addition to 
the normal calls..

> On 16 Oct 2018, at 16:54, Dovid Bender  wrote:
> 
> They call me every few months. the last time they emailed me I said I wasn't 
> interested because of the HE issue. I have yet to get another email...
> 
> 
>> On Tue, Oct 16, 2018 at 9:29 AM, Ca By  wrote:
>> 
>> 
>>> On Tue, Oct 16, 2018 at 5:16 AM David Hubbard 
>>>  wrote:
>>> Have had the same sales rep for several years now; unfortunately he has no 
>>> ability to fix their IPv6 peering issue so we’re slowly removing circuits, 
>>> but otherwise for a handful of 10gig DIA circuits it’s been stable.
>>> 
>> 
>> Yep, this.  Whenever Cogent calls, this is what i tell them. Black-holing HE 
>> and Google ipv6 traffic, which is what they do if i use a default route from 
>> them, is dead on arrival.  Shows they make bad decisions and dont put the 
>> customer first, or even create such an illusion. 
>> 
>> 
>>> From: NANOG  on behalf of Ryan Gelobter 
>>> 
>>> Date: Tuesday, October 16, 2018 at 6:04 AM
>>> To: NANOG 
>>> Subject: Whats going on at Cogent
>>> 
>>>  
>>> 
>>> Anyone else seen terrible support and high turnover of sales/account people 
>>> at Cogent the last few months? Is there something going on over there 
>>> internally? I'm sure some people will say Cogent has always been crap but 
>>> in the past their account reps and support were pretty good. It seems to 
>>> have gone downhill the last 12 months really bad.
>>> 
>>>  
>>> 
>>> Regards,
>>> 
>>> Ryan
>>> 
> 


Re: Is WHOIS going to go away?

2018-04-14 Thread DaKnOb
As far as IP Addresses go (and domains too), currently GDPR recognizes the 
rights of individuals, not companies, which means that a company can be in the 
whois query, since it does not have the right to privacy.

My understanding is that this will only affect natural persons. 

> On 14 Apr 2018, at 20:19, Matt Harris  wrote:
> 
>> On Sat, Apr 14, 2018 at 12:14 PM, Rich Kulawiec  wrote:
>> 
>> The only people served by restriction on WHOIS availability are abusers
>> and attackers, and the entities (e.g., registrars) who profit from them.
>> 
> 
> Not that whois data for domain names has been particularly useful for the
> past decade anyhow since most TLDs and registrars either provide for free,
> or sell as an addon, "private" registration via some "proxy corporation" or
> whatever.  Domain name whois for most TLDs has not been the sort of
> accountability measure that ICANN seems to think it is for a very long
> time, at least in practice.
> 
> I'd be much more concerned about RIPE's whois data for AS and IP address


Re: Is WHOIS going to go away?

2018-04-14 Thread DaKnOb
Currently .eu and .gr domains do not have any whois records. .eu makes them 
available online, but .gr is under a much stricter privacy law in Greece, and 
makes no whois records available to anyone. 

This has been so for years, and I can tell you of a few things / observations 
about this, since I’ve had many domains with both TLDs.

First of all, anything that looks up for an e-mail in the whois records, just 
doesn’t work. That means that if you want a certificate for this domain, and 
you follow the traditional, manual, way, you either need a mail server running 
there so hostmaster / postmaster / webmaster work, or the only way then is to 
add files. And that if you have something running on the base domain and you 
don’t just use this for subdomains.

Second, you never get any spam. If they can’t find your e-mail address, they 
can’t send you spam.

Third, it blocks legitimate uses of whois by people who need to know the 
identity of domain operators, such as abuse tracking projects, scam / phish 
projects, law enforcement, etc.

Finally, there are two ways to contact a domain owner. The first one is to look 
for a contact page in the website, if there is one. The second is to contact 
their registrar (the details of the domain registrar are available in the 
whois), and have them reach out to the owner on your behalf.

In my opinion, not all the information in the whois records should be there, 
from an individual point of view, but the all or nothing situation right now 
isn’t great. If I had to choose however, I would choose the no whois for now, 
over the other, more leaky one.

I personally believe a lot of people would agree, given the fact that there’s 
an entire market, and a plethora of domains using Whois Guard or in general 
whois masking tools, for free, or for a fee.

As far as abuse tracking goes, having whois available can help correlate 
websites, but only if the domain registrar allows only verified data to be 
added, whois masking is not used, or malicious actors only use the same data 
over and over. That last part may happen because the registrar does some 
verification, so it limits their choice of domain registrars.

P.S.: About the first thing, some CAs may e-mail the domain registrar’s e-mail 
(which is usually admin / support / IT) for domain verification, which I’m not 
sure is fine.. :-)



> On 14 Apr 2018, at 17:30, Rubens Kuhl  wrote:
> 
> On Sat, Apr 14, 2018 at 11:21 AM, Filip Hruska  wrote:
> 
>> EURID (.eu) WHOIS already works on a basis that no information about the
>> registrant is available via standard WHOIS.
>> In order to get any useful information you have to go to
>> https://whois.eurid.eu and make a request there.
>> 
>> Seems like a reasonable solution.
> 
> 
> GDPR and other privacy regimes apply to both port-43 and WebWHOIS.
> 
> Rubens



Re: Yet another Quadruple DNS?

2018-03-29 Thread DaKnOb
Cloudflare’s website provides some more information: https://1.1.1.1/ 


According to Cloudflare’s CEO, we’ll have more news on 1/4, so in a few days.
https://twitter.com/eastdakota/status/979257292938911744

From their website I can see that it is a low latency and privacy oriented 
service. Now whether it’s actually needed, I think there’s place for it in the 
market. Currently in Greece, 8.8.8.8 is ~65ms away. This is 11ms away. 

Antonis 

> On 29 Mar 2018, at 14:46, Stephane Bortzmeyer  wrote:
> 
> On Thu, Mar 29, 2018 at 07:33:08AM -0400,
> Matt Hoppes  wrote 
> a message of 7 lines which said:
> 
>> We already have 8.8.8.8 and 8.8.4.4.
> 
> And 9.9.9.9 and several others public DNS resolvers.
> 
>> And any reputable company or ISP should be running their own.
> 
> I fully agree.
> 
>> What purpose would this serve?
> 
> In Europe, the most common technique of censorship is through lying
> DNS resolvers. So, in order to go to forbidden Web sites (music and
> film sharing, for instance), many users switched from the ISP's
> resolver (which implements the censorship) to a public resolver. See
> my talk at NANOG
> 



Re: Yet another Quadruple DNS?

2018-03-28 Thread DaKnOb
Out of 1,000 RIPE Atlas Probes, only 34 report it as unreachable. Very good 
latency from those who can reach it..

https://atlas.ripe.net/measurements/11859210/#!general 


Antonis 

> On 28 Mar 2018, at 23:13, Michael Crapse  wrote:
> 
> Many providers filter out 1.1.1.1 because too many people use it in their
> examples/test code. I doubt that it's a usable IP/service.
> 
> On 28 March 2018 at 12:14, Payam Poursaied  wrote:
> 
>> dig google.com @1.1.1.1
>> 
>> 
>> 
>> Cloudflare?
>> 
>> Didn't find any news around it
>> 
>> 



Re: Microsoft O365 labels nanog potential fraud?

2017-03-29 Thread DaKnOb
Indeed, in more detail (which I omitted for simplicity), these checks are 
performed in a series of headers, the last of which is the From: header. I 
think the “envelope-from” is either the first or the second in this 5-point 
list.
That said, there are a lot of implementations out there that do not respect 
that and treat the From address as the sender whose honesty must be verified. 
Every time I send mail to a mailing list from my own domain, due to DMARC I get 
back several reports of SPF and DKIM fail, mainly because the mailing list 
messed up something. 

> On 29 Mar 2017, at 18:32, William Herrin  wrote:
> 
> On Wed, Mar 29, 2017 at 11:25 AM, Grant Taylor via NANOG 
> wrote:
> 
>> Every SPF implementation I've seen has checked the SMTP envelope FROM
>> address /and/ the RFC 822 From: header address.
>> 
> 
> Hi Grant,
> 
> The gold standard, Spamassassin, does not. Indeed, the message to which I
> reply was scored by spam assassin as "SPF_PASS" even though you do not
> include NANOG's servers in the SPF record for tnetconsulting.net.
> 
> Regards,
> Bill Herrin
> 
> 
> -- 
> William Herrin  her...@dirtside.com  b...@herrin.us
> Dirtside Systems . Web: 



Re: Microsoft O365 labels nanog potential fraud?

2017-03-29 Thread DaKnOb
Usually mailing lists act like e-mail spoofers as far as SPF and DKIM are 
concerned. These two systems above try to minimize spoofed e-mail by doing the 
following:

SPF: Each domain adds a list of IP Addresses that are allowed to send e-mail on 
their behalf. 

DKIM: Each email sent by an "original" mail server is cryptographically signed 
with a key available, again, in the DNS.

When you send an e-mail to a list, you send it to the mailing list mail server. 
After that, if the server forwards that e-mail to the recipients, its original 
address is shown, therefore if Outlook checks for SPF records, that check will 
fail. An easy way to get around this is for the list to change the From field 
to something else, like "Mel Beckman via NANOG" and a local email address.

However, when you send that email, it may also be signed with DKIM: any change 
in subject (say "[NANOG]" is added) or the body (say "You received this email 
because you subscribed to NANOG" is appended) will also cause that check to 
fail. 

Typically the behavior of the recipient if one or both of these checks failed 
is described in yet another DNS record, called a DMARC Policy. Some set this to 
very strict levels (reject e-mail / send to spam), some others to warn the user 
(like what you saw?), and some others, knowing this happens, to ignore/notify.

This message probably appears because of the above SPF / DKIM / DMARC combo but 
I can't be 100% sure from the provided info.

In any case, this is likely not your fault. If you want to be sure, verify the 
contents of the e-mail against the public NANOG archive which is available over 
HTTPS. My guess is that nothing has been changed. 

Thanks,
Antonios 

> On 29 Mar 2017, at 03:22, Mel Beckman  wrote:
> 
> Is anyone else getting this message on every nanog post today?
> 
> "This sender failed our fraud detection checks and may not be who they appear 
> to be. Learn about spoofing at 
> http://aka.ms/LearnAboutSpoofing"
> 
> I don't know if this link itself is malware, as it goes to the MS store, or 
> if something is broken in the Nanog Mail machine.
> 
> If it's just me, never mind. I'll figure it out.
> 
> -mel beckman
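
Added example (not part of the original thread): a simplified Python model of the SPF / DKIM / DMARC interaction described in the two posts above, showing why a list that appends a footer breaks DMARC for the author's domain and why rewriting From avoids it. The domains, IP addresses and message bodies are constructed; the SPF evaluator handles only ip4/ip6/all, DKIM is reduced to the relaxed body hash (bh=) with no signature check, and DMARC alignment is taken in strict mode.

```python
import base64
import hashlib
import ipaddress
import re

def relaxed_body_hash(body: bytes) -> str:
    """DKIM bh= value: SHA-256 over the RFC 6376 'relaxed' canonical body."""
    lines = [re.sub(rb"[ \t]+", b" ", l).rstrip(b" ") for l in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()                              # trailing empty lines are ignored
    canon = b"".join(l + b"\r\n" for l in lines)
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def spf_check(record: str, client_ip: str) -> str:
    """Evaluate a subset of SPF (ip4, ip6, all) for the connecting IP."""
    ip = ipaddress.ip_address(client_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:              # skip the "v=spf1" tag
        qualifier = "+"
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return results[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == net.version and ip in net:
                return results[qualifier]
        # include:, a, mx, redirect= are not modelled in this sketch
    return "neutral"

def dmarc_result(from_domain, envelope_domain, client_ip, dkim_d, signed_bh, body):
    """DMARC passes if SPF or DKIM passes for a domain equal to the From: domain."""
    spf = spf_check(SPF[envelope_domain], client_ip)
    dkim = "pass" if relaxed_body_hash(body) == signed_bh else "fail"
    spf_ok = spf == "pass" and envelope_domain.lower() == from_domain.lower()
    dkim_ok = dkim == "pass" and dkim_d.lower() == from_domain.lower()
    return {"spf": spf, "dkim": dkim, "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# Constructed sample data (documentation address ranges and example domains).
SPF = {
    "author.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "lists.example.net": "v=spf1 ip4:198.51.100.0/24 -all",
}
AUTHOR_MTA, LIST_MTA = "192.0.2.10", "198.51.100.25"
ORIGINAL = b"Is anyone else seeing this?\r\n"
FOOTER = b"-- \r\nYou received this email because you subscribed to the list\r\n"
SIGNED_BH = relaxed_body_hash(ORIGINAL)          # what the author's server signed

def scenarios():
    a, l = "author.example", "lists.example.net"
    return {
        # Author's server delivers straight to the recipient.
        "direct": dmarc_result(a, a, AUTHOR_MTA, a, SIGNED_BH, ORIGINAL),
        # List keeps From:, uses its own envelope sender, appends a footer.
        "list_footer": dmarc_result(a, l, LIST_MTA, a, SIGNED_BH, ORIGINAL + FOOTER),
        # List forwards the message byte-for-byte: DKIM survives.
        "list_untouched": dmarc_result(a, l, LIST_MTA, a, SIGNED_BH, ORIGINAL),
        # List rewrites From: to its own domain ("... via NANOG").
        "list_rewrites_from": dmarc_result(l, l, LIST_MTA, a, SIGNED_BH, ORIGINAL + FOOTER),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:20} {result}")
    print("list IP against author's SPF:", spf_check(SPF["author.example"], LIST_MTA))
```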


Re: Wanted: volunteers with bandwidth/storage to help save climate data

2016-12-16 Thread DaKnOb
We are currently working on a scheme to successfully authenticate and verify 
the integrity of the data. Datasets in https://climate.daknob.net/ are 
compressed to a .tar.bz2 and then hashed using SHA-256. The final file with all 
checksums is then signed using a set of PGP keys.

We are still working on a viable way to verify the authenticity of files before 
there are tons of copies lying around and there’s a working group in the Slack 
team I sent previously where your input is much needed!

Thanks,
Antonios 

> On 16 Dec 2016, at 18:30, Ken Chase <m...@sizone.org> wrote:
> 
> Surfing through the links - any hints on how big these datasets are? 
> Everyone's got
> a few TB to throw at things, but fewer of us have spare PB to throw around.
> 
> There's some random #s on the goog doc sheet for sizes (100's of TB for the
> landsat archive seems credible), and there's one number that destroys
> credibility of the sheet (1000 GB (100 ZB)) for the EPA archive.
> 
> The other page has many 'TBA' entries for size.
> 
> Not sure what level of player one needs to be to be able to serve a useful 
> segment of these archives. I realize some of the datasets are tiny (<GB)
> but which ones are most important vs size (ie the win-per-byte ratio) isnt 
> indicated.
> (I know its early times.)
> 
> Also I hope they've SHA512'd the datasets for authenticity before all these
> myriad copies being flungabout are 'accused' of being manipulated 'to promote
> the climate change agenda' yadda.
> 
> Canada: time to step up! (Cant imagine the Natl Research Council would do so
> on their mirror site, too much of a gloves-off slap in the face to Trump.)
> 
> /kc
> 
> 
> On Fri, Dec 16, 2016 at 06:02:46PM +0200, DaKnOb said:
>> If you’re interested, there’s also a Slack team: climatemirror.slack.com
>> 
>> You can find more info about that here:
>> 
>> - https://climate.daknob.net/
>> - http://climatemirror.org/
>> - http://www.ppehlab.org/datarefuge
>> 
>> Thank you for your help!
>> 
>> 
>>> On 16 Dec 2016, at 17:58, Rich Kulawiec <r...@gsp.org> wrote:
>>> 
>>> This is a short-term (about one month) project being thrown together
>>> in a hurry...and it could use some help.  I know that some of
>>> you have lots of resources to throw at this, so if you have an
>>> interest in preserving a lot of scientific research data, I've set
>>> up a mailing list to coordinate IT efforts to help out.  Signup via
>>> climatedata-requ...@firemountain.net or, if you prefer Mailman's web
>>> interface, http://www.firemountain.net/mailman/listinfo/climatedata
>>> should work.
>>> 
>>> Thanks,
>>> ---rsk
>>> 
>> 
> 
> -- 
> Ken Chase - m...@sizone.org Guelph Canada
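
Added example (not part of the original thread and not the project's own tooling): a Python check of a mirrored copy of the datasets against the SHA-256 checksum file described in the post above. It assumes the checksum file uses the `sha256sum` line format and that its PGP signature has already been verified separately (for instance with `gpg --verify`); the function and file names are hypothetical.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed manifest line format, as written by sha256sum: "<64 hex>  <name>"
LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")

def sha256_file(path, chunk=1 << 20):
    """Hash in 1 MiB blocks so multi-GB archives never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_mirror(manifest_text, root):
    """Compare every archive under root with the (already authenticated) manifest."""
    root = Path(root).resolve()
    report = {"ok": [], "mismatch": [], "missing": [], "rejected": [], "unlisted": []}
    listed = set()
    for raw in manifest_text.splitlines():
        if not raw.strip():
            continue
        m = LINE.match(raw)
        if not m:
            report["rejected"].append(raw)       # not a checksum line
            continue
        digest, name = m.group(1).lower(), m.group(2)
        target = (root / name).resolve()
        if root not in target.parents:           # absolute or ../ names leave the mirror
            report["rejected"].append(raw)
            continue
        listed.add(target)
        if not target.is_file():
            report["missing"].append(name)
        elif sha256_file(target) == digest:
            report["ok"].append(name)
        else:
            report["mismatch"].append(name)
    # Archives present on disk but absent from the signed manifest are unauthenticated.
    for p in sorted(root.rglob("*.tar.bz2")):
        if p.resolve() not in listed:
            report["unlisted"].append(str(p.relative_to(root)))
    return report

def demo():
    """Constructed mirror: one good file, one altered, one missing, one extra."""
    root = Path(tempfile.mkdtemp())
    (root / "a.tar.bz2").write_bytes(b"alpha")
    (root / "b.tar.bz2").write_bytes(b"altered after signing")
    (root / "extra.tar.bz2").write_bytes(b"never listed")
    manifest = "\n".join([
        hashlib.sha256(b"alpha").hexdigest() + "  a.tar.bz2",
        hashlib.sha256(b"beta").hexdigest() + "  b.tar.bz2",
        hashlib.sha256(b"gamma").hexdigest() + "  c.tar.bz2",
        hashlib.sha256(b"x").hexdigest() + "  ../outside.tar.bz2",
    ])
    return verify_mirror(manifest, root)

if __name__ == "__main__":
    for status, names in demo().items():
        print(f"{status:9} {names}")
```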



Re: Wanted: volunteers with bandwidth/storage to help save climate data

2016-12-16 Thread DaKnOb
If you’re interested, there’s also a Slack team: climatemirror.slack.com

You can find more info about that here:

- https://climate.daknob.net/
- http://climatemirror.org/
- http://www.ppehlab.org/datarefuge

Thank you for your help!


> On 16 Dec 2016, at 17:58, Rich Kulawiec  wrote:
> 
> This is a short-term (about one month) project being thrown together
> in a hurry...and it could use some help.  I know that some of
> you have lots of resources to throw at this, so if you have an
> interest in preserving a lot of scientific research data, I've set
> up a mailing list to coordinate IT efforts to help out.  Signup via
> climatedata-requ...@firemountain.net or, if you prefer Mailman's web
> interface, http://www.firemountain.net/mailman/listinfo/climatedata
> should work.
> 
> Thanks,
> ---rsk
> 



Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-23 Thread DaKnOb
Well, there’s always Cloudflare and Google that are willing to do it for free. 
Let’s hope we won’t run out of free providers any time soon.. It’s a nice blog.


> On 23 Sep 2016, at 20:58, Grant Ridder  wrote:
> 
> Didn't realize Akamai kicked out or disabled customers
> http://www.zdnet.com/article/krebs-on-security-booted-off-akamai-network-after-ddos-attack-proves-pricey/
> 
> "Security blog Krebs on Security has been taken offline by host Akamai
> Technologies following a DDoS attack which reached 665 Gbps in size."
> 
> -Grant



Re: DNS Services for a registrar

2016-08-12 Thread DaKnOb


> On 12 Aug 2016, at 18:36, Keith Stokes  wrote:
> 
> Route53 can get expensive for lots of domains. Queries are cheap with the 
> first 1M free, but if you have 1000 domains you’ll pay $500/month.
> 
> You can build dedicated servers in multiple AZs and data centers able to 
> handle that many domains for far less.

I’d also recommend multiple providers as well if you’re getting dedicated 
servers so you can avoid non-technical provider-based issues.

> 
> You might also consider running dedicated servers in each of AWS and Azure to 
> avoid a single-provider failure.
> 
> On Aug 12, 2016, at 9:44 AM, John Kinsella 
> > wrote:
> 
> Also a big fan of DNS Made easy, but I wish they’d add DNSSEC already.
> 
> I’m happy with AWS - one thing to consider is model out the network costs. 
> That seems to get some people, who just expect the bill for instances at end 
> of month. If you’re worried about availability due to an availability zone 
> going down, ensure you have the service replicated across multiple AZs or 
> regions and
> 
> It might be worth a few minutes pondering just using Amazon’s Route53 instead 
> of running the DNS server yourself. I haven’t looked at how the cost compares.
> 
> On Aug 12, 2016, at 6:41 AM, Peter Beckman 
> > wrote:
> 
> I highly recommend DNS Made Easy. Super fast, extremely reliable (100% up
> time in the last 10-12 years excluding an 8 hour period 4-5 years ago where
> they got DDOSed, no issues since), very affordable.
> 
> #2 fastest for July: http://www.solvedns.com/dns-comparison/2016/07
> 
> Has been #1 several months this year.
> 
> Beckman
> 
> On Fri, 12 Aug 2016, Ryan Finnesey wrote:
> 
> We need to provide DNS services for domains we offer as a registrar.  We were 
> discussing internally the different options for the deployment.  Does anyone 
> see a down side to using IaaS on AWS and Azure?
> 
> We were also kicking around the idea of a PaaS offering and using Azure DNS 
> or AWS Route 53.
> 
> Cheers
> Ryan
> 
> 
> 
> ---
> Peter Beckman  Internet Guy
> beck...@angryox.com   
>   http://www.angryox.com/
> ---
> 
> 
> 
> ---
> 
> Keith Stokes
> 
> 
> 
> 



Re: DNS Services for a registrar

2016-08-12 Thread DaKnOb
Someone registered the domain “corp.gr” and now sells subdomains similar to 
.com.gr, .co.uk, etc. They use a “clever” way to make sure they will have 100% 
uptime at virtually no cost:

$ dig NS corp.gr
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.8.3-P1 <<>> NS corp.gr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47495
;; flags: qr rd ra; QUERY: 1, ANSWER: 28, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;corp.gr.   IN  NS

;; ANSWER SECTION:
corp.gr.        21599   IN  NS  puck.nether.net.
corp.gr.        21599   IN  NS  ns4.dnsunlimited.com.
corp.gr.        21599   IN  NS  i.ns.buddyns.com.
corp.gr.        21599   IN  NS  d.ns.zerigo.net.
corp.gr.        21599   IN  NS  f.ns.zerigo.net.
corp.gr.        21599   IN  NS  b.nskey.com.
corp.gr.        21599   IN  NS  g.ns.buddyns.com.
corp.gr.        21599   IN  NS  ns4.he.net.
corp.gr.        21599   IN  NS  ns5.dnsunlimited.com.
corp.gr.        21599   IN  NS  f.ns.buddyns.com.
corp.gr.        21599   IN  NS  h.ns.buddyns.com.
corp.gr.        21599   IN  NS  d.ns.buddyns.com.
corp.gr.        21599   IN  NS  ns2.he.net.
corp.gr.        21599   IN  NS  ns2.afraid.org.
corp.gr.        21599   IN  NS  a.nskey.com.
corp.gr.        21599   IN  NS  b.ns.zerigo.net.
corp.gr.        21599   IN  NS  b.ns.buddyns.com.
corp.gr.        21599   IN  NS  e.ns.buddyns.com.
corp.gr.        21599   IN  NS  ns1.dnsunlimited.com.
corp.gr.        21599   IN  NS  c.ns.zerigo.net.
corp.gr.        21599   IN  NS  c.ns.buddyns.com.
corp.gr.        21599   IN  NS  ns3.dnsunlimited.com.
corp.gr.        21599   IN  NS  a.ns.zerigo.net.
corp.gr.        21599   IN  NS  ns5.he.net.
corp.gr.        21599   IN  NS  ns2.dnsunlimited.com.
corp.gr.        21599   IN  NS  ns1.twisted4life.com.
corp.gr.        21599   IN  NS  e.ns.zerigo.net.
corp.gr.        21599   IN  NS  ns3.he.net.

;; Query time: 161 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Aug 12 14:42:58 2016
;; MSG SIZE  rcvd: 577

Of course, I don’t recommend you do this. On a serious note, as mentioned 
previously, AWS lacks IPv6 currently. A custom solution would provide more 
control but it may have some challenges. In addition to that, you’d probably 
need some form of network redundancy but you’re most likely not going to reach 
AWS’ anycasted network’s availability easily. I’d recommend looking to some 
other providers as well, some of which may be in the list of name servers 
above.. 

Just my 2c

> On 12 Aug 2016, at 08:56, Ryan Finnesey  wrote:
> 
> We need to provide DNS services for domains we offer as a registrar.  We were 
> discussing internally the different options for the deployment.  Does anyone 
> see a down side to using IaaS on AWS and Azure?
> 
> We were also kicking around the idea of a PaaS offering and using Azure DNS 
> or AWS Route 53.
> 
> Cheers
> Ryan
>