Google's security.txt
Anyone from Google, You might want to fix a tiny typo in your security.txt. RFC9116 uses American spelling, not British spelling, like you did. Check here: https://www.uriports.com/tools?method=securitytxt=google.com It's only a small issue, but it might spread when people start using Google's security.txt for inspiration. -- 퓜퓪퓻퓬퓸
IPv6 connectivity to mx[1-4].smtp.goog.
Hi, At https://internet.nl we're seeing IPv6 connection issues on TCP port 25 (SMTP) to mx[1-4].smtp.goog. Either 100% DROP (so no TCP connection) or ⅔ failure to set up connection. Further testing seems to confirm the problem is bigger and on Google's side. So, this fails:
    echo 'quit' | nc -6 -w 3 mx1.smtp.goog. 25
and this works:
    echo 'quit' | nc -4 -w 3 mx1.smtp.goog. 25
(on MacOS use -G instead of -w)
Is anyone else seeing this? Any idea what is causing this? -- Marco
Re: starlink ixp peering progress
Or this? https://bgp.he.net/AS14593#_peers6 On 27/02/2024 at 13:17, b...@uu3.net wrote: Well, for some basic overview you can use CAIDA AS rank. You can use it directly, or you may try my (more user friendly) frontend for it: http://as-rank.uu3.net/?as=14593 -- Original message -- From: Dave Taht To: NANOG Subject: starlink ixp peering progress Date: Tue, 27 Feb 2024 02:54:44 -0500 One of the things I learned today was that starlink has published an extensive guide as to how existing BGP AS holders can peer with them to get better service. https://starlink-enterprise-guide.readme.io/docs/peering-with-starlink I am curious if there is a way to see how many have peered already, how many they could actually peer with?, and progress over time since inception what would be the right tools for that? This is pretty impressive for peering so far: https://www.peeringdb.com/net/18747 Is there a better email list to discuss ixp stuff? -- Marco
Re: junos config commit question
rollback 0 On 11-02-22 at 23:18, Lyndon Nerenberg (VE7TFX/VE6BBM) wrote: On an EX4300 switch running JunOS 14.1 let's imagine I typed config delete interfaces before coming to my senses. How am I supposed to back out of that mess? For the life of me, after a week of reading the 3000 page reference manual, and endless DuckDuckGoing, I cannot see a simple way of just abandoning the commit. I've got to be missing something stunningly obvious here because it's unthinkable that this functionality doesn't exist. Help?!? The only way out I can see is to drop into the shell, make an uncompressed copy of juniper.conf.gz, then pop back into the config editor and load that over top of the editor's config view. Surely there's a saner way of dealing with this. --lyndon -- Marco Davids
Re: Anyone else seeing DNSSEC failures from EU Commission ? (european-union.europa.eu)
Hi Laura, Something seems the matter, indeed: https://dnsviz.net/d/european-union.europa.eu/YbCzrQ/dnssec/ It's weird; 1.1.1.1 resolves, 8.8.8.8 and 9.9.9.9 return SERVFAIL. -- Marco On 08-12-2021 at 14:27, Laura Smith via NANOG wrote: Bit of a long stretch given the US audience, but I'm seeing lots of things like this at the moment: info: validation failure : key for validation european-union.europa.eu. is marked as invalid because of a previous validation failure : DS got unsigned CNAME answer from 2600:9000:5301:a200::1 and 34.255.155.194 for DS european-union.europa.eu. while building chain of trust info: validation failure : DS got unsigned CNAME answer from 2600:9000:5302:9a00::1 and 34.255.155.194 for DS european-union.europa.eu. while building chain of trust validation failure : signatures from unknown keys from 147.67.12.3 info: validation failure : signatures from unknown keys from 147.67.12.3
Re: IPv6 and CDN's
Hi again, On 22-10-21 at 17:13, Job Snijders wrote: Tl;DR Not at all. This was a very interesting read! Thank you. While pondering over it, I noticed that the ns[1234].fastly.net servers are nicely anycasted throughout the globe. If anyone could turn on IPv6 on their authoritatives without the risk of losing too much performance, I reckon it would be them... or Cloudflare. But they already did it. ;-). > work in progress! I have good hopes. Rumour has it that Fastly employs some very smart people. I'm sure we'll see nice things happening when the time is right. -- Marco
Re: IPv6 and CDN's
On second thoughts... I seem to have been confused by the 'no records for fastly.net' (as a DNS-purist: that should have said "ns[1234].fastly.net" instead, to make it relevant). ;-) I ran into this some time ago with deb.debian.org Right. So please ignore: Just for the record; your issue is slightly different: You wrote: "deb.debian.org is a CNAME for debian.map.fastly.net. There are no records for fastly.net so any DNS queries from an IPv6 only resolver will not work." -- Marco
Re: IPv6 and CDN's
Hi Jens, On 22-10-21 at 14:03, Jens Link wrote: I ran into this some time ago with deb.debian.org on an IPv6 only Debian VM with a locally installed resolver. I opened a ticket which was closed in record time: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961296 Just for the record; your issue is slightly different: You wrote: "deb.debian.org is a CNAME for debian.map.fastly.net. There are no records for fastly.net so any DNS queries from an IPv6 only resolver will not work." At the moment debian.map.fastly.net has an -record though. The thing is; the authoritative name servers of fastly.net are only willing to hand out that -record via IPv4. So it still doesn't work with the (locally installed) IPv6-only resolver ;-) Cheers, -- Marco
IPv6 and CDN's
Hi! We currently live in times where it is actually fun to go IPv6-only. In my case, as in: running a FreeBSD kernel compiled without the IPv4-stack. A few years back doing such a thing was mostly disappointing, but nowadays it is actually quite doable and entertaining. So, the other day I decided to take this experiment to the next level by disconnecting my local resolver from IPv4 as well. Then things started to break. LinkedIn, Bing, Openstreetmap... Although they all work great on IPv6-only, now they no longer did. It turns out that there are underlying CDN's with domain names such as ‘l-msedge.net’ and ‘trafficmanager.net’ (Microsoft) or 'fastly.net', that reside on authoritative name servers that *only* have an IPv4 address. I guess my question is simple: Why? Are there good architectural reasons for this? Or is it just something that is overlooked and forgotten about? I would love to find out! Thank you. -- Marco This is also fun by the way. Look at that nice banner on https://clintonwhitehouse2.archives.gov/ :-)
Trying to get in touch: ntp.org sites broken
Hello, I'm trying to get in touch with webmas...@ntp.org. But so far without luck. Maybe this route will help. I noticed that quite a number of pages you mention on https://www.ntp.org/ are no longer functioning. Like http://lists.ntp.org/ and http://support.ntp.org/. If anyone knows a way to get this fixed, please help. Thank you. -- Marco
Re: cloud automation BGP
On 29-09-20 at 00:08, Randy Bush wrote: > have folk looked at https://github.com/nttgin/BGPalerter Yes. It does the job. And it's easy to install and run. -- Marco
Re: Update to BCP-38?
On 03/10/2019 15:51, Stephen Satchell wrote: > For a start, *add* IPv6 examples in parallel with the IPv4 examples. 1000 times +1 We need (much) more IPv6 examples! -- Marco (pushing for IPv6 examples since 2007 or so like in: https://youtu.be/OLEizGPoB5w?t=30)
Re: any interesting/useful resources available to IPv6 only?
On 03-05-19 at 17:14, Brian J. Murrell wrote: I wonder if anyone has any references to interesting/useful/otherwise resources on are only available to IPv6 users that they can forward to me. Most of my personal websites are IPv6-only, but they are neither interesting nor useful. Although, perhaps https://dnslabs.nl/ is of any use, because I made every attempt to make it entirely IPv6-only, including its authoritative name servers. That sometimes leads to interesting results. And furthermore I'd like to recommend a site that is not mine, but that I appreciate a lot: https://42.be/ -- Marco
Re: NTP question
On 02-05-19 at 02:00, Ask Bjørn Hansen wrote: Though, on the topic of unusual requirements there are a bunch of contributors to the NTP Pool using this curious device It continues to surprise me that there is still hardware being sold that doesn't even support IPv6. -- Marco
Re: Purchasing IPv4 space - due diligence homework
On 04-04-19 at 01:14, Mike Hammett wrote: Do you have sources for the ~90% T-Mobile IPv6? Not arguing, but to use that as a source myself when spreading the IPv6 good word. https://www.worldipv6launch.org/apps/ipv6week/measurement/images/graphs/T-MobileUSA.png https://stats.labs.apnic.net/ipv6/US (a bit slow, but informative) -- Marco
Re: Spectrum residential IPv6 rDNS - thank you !
On 10-10-18 at 00:42, Brandon Applegate wrote: I’m guessing synthesized. There are a couple of dns servers out there that can do this. An interesting one I just found: https://all-knowing-dns.zekjur.net Or, if you prefer DNSSEC capable alternatives, try: https://github.com/cmouse/pdns-v6-autorev https://www.knot-dns.cz/docs/2.4/html/modules.html -- Marco
Re: Buying IPv4 blocks
On 04-10-18 at 22:07, John Levine wrote: Even if you do have v6, some things like DNSSEC don't work very well if you can't do them over v4. Is that so? -- Marco
Question to Google
Hi, Anyone knows why google.com only have IPv4-addresses on their authoritative DNS? https://ip6.nl/#!google.com Are there any plans to fix this? -- Marco
Re: DNSSEC and ISPs faking DNS responses
On 13/11/15 23:01, Stephane Bortzmeyer wrote: > On Fri, Nov 13, 2015 at 09:54:28AM +, > a.l.m.bu...@lboro.ac.uk wrote > >> well, in EU I dont think that would ever fly. > > It is done in France, for a long time And it is common practice in Belgium as well. http://networkmsg.telenet.be/blocked/fccu/ http://networkmsg.telenet.be/blocked/ksc/ -- Marco
Re: How to force rapid ipv6 adoption
On 29-09-15 at 22:37, David Hubbard wrote: > Had an idea the other day; we just need someone with a lot of cash > (google, apple, etc) to buy Netflix and then make all new releases > v6-only for the first 48 hours. I bet my lame Brighthouse and Fios > service would be v6-enabled before the end of the following week lol. Sounds like a plan, let's do it. -- Marco
Gmail contact?
Hi, Is there anyone on this list that can get me in touch with someone at Google/Gmail? I would like to discuss a suggested improvement with them in regard to RFC-compliance of DKIM/DMARC. Please contact me off-list. Thanks. -- Marco
Re: Remember Internet-In-A-Box?
Mark is right and I couldn't agree more with him. On 15/07/15 08:22, Mark Andrews wrote: Yet I can take a Windows XP box. Tell it to enable IPv6 and it just works. Everything that a node needed existed when Windows XP was released. The last 15 years has been waiting for ISP's and CPE vendors to deliver IPv6 as a product. This is not to say that every vendor deployed all the parts of the protocol properly but they existed. Most of the noise was people saying We don't need IPv6 and second guessing the design decisions because they still had IPv4 think. If you look at the protocol it basically hasn't changed in the last 15 years. There has been minor tweak but what was there was complete enough to deploy. -- Marco
Youtube / IPv6 / Netherlands
Hi, Would anyone from Google care to explain to me off-list why certain Youtube-content is blocked in the Netherlands while using IPv6 when it is working fine via IPv4? Geolocation imperfections perhaps? The IPv6-address is within 2a02:a47f:e000::/36 (actually, it is: 2a02:a444:443b:0::::) Thank you. -- Marco
Re: 192.0.1.0/24?
Wasn't (part) of this space assigned to RFC6333? Carrier Grade NAT and stuff... https://tools.ietf.org/html/rfc6333 ? -- Marco manning wrote on 17-04-15 at 22:45: nothing that is authoritative (anymore)… 1996-2000 last century, 192.0.0.0/24 and 192.0.1.0/24 were identified as usable address blocks, post-CIDR testing/evaluation. they were both earmarked for use in the (then) four new root servers (which became J, K, L, and M)… they were then supposed to be used as the blocks for the root zone distribution masters. ICANN emerged and claimed them for itself, at one point using them for internal ICANN networking. I lost interest/control at that point and don't know what happened after that. manning bmann...@karoshi.com PO Box 12317 Marina del Rey, CA 90295 310.322.8102 On 17April2015Friday, at 13:26, Harley H bobb.har...@gmail.com wrote: It is mentioned in RFC 1166 as BBN-TEST-C. I suppose it's still not publicly allocated. On Fri, Apr 17, 2015 at 4:18 PM, Josh Luthman j...@imaginenetworksllc.com wrote: No one? http://whois.arin.net/rest/net/NET-192-0-0-0-0/pft http://www.dslreports.com/forum/r28692406-Outgoing-traffic-to-192.0.1.0-port-1000- Josh Luthman Office: 937-552-2340 Direct: 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373 On Fri, Apr 17, 2015 at 4:14 PM, Harley H bobb.har...@gmail.com wrote: Does anyone know the status of this netblock? I've come across a malware sample configured to callback to an IP in that range but it does not appear to be routable. Yet, it is not mentioned in RFC 5735 nor does it have any whois information. Thanks, Harley
Re: 192.0.1.0/24?
Marco Davids wrote on 17-04-15 at 23:08: https://tools.ietf.org/html/rfc6333 ? Oh wait, that's 192.0.0.0/29, not 192.0.1.0/24... -- Marco
Re: 192.0.1.0/24?
Doug Barton wrote on 18-04-15 at 01:52: Harley is correct that 192.0.1/24 is mentioned in 1166, but AFAICS after cursory examination it has fallen through the cracks since then. It has been seen in the wild a few times though (for whatever reason...) https://stat.ripe.net/192.0.1.0%2F24#tabId=routing -- Marco
Re: Seeking IPv6 Security Resources
Hi, Perhaps https://tools.ietf.org/html/rfc7217 might also fit in the list. -- Marco Arturo Servin wrote on 26-11-14 at 10:28: Chris Some that come to my mind: draft-ietf-v6ops-balanced-ipv6-security and (not sure how up to date is this one) RFC 6092 Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service RFC 5157 IPv6 Implications for Network Scanning and draft-ietf-opsec-ipv6-host-scanning RFC 6104, 6105, 7113 All about Router Advertisement Guard (RA-Guard) draft-ietf-opsec-v6 RFC 6583 Operational Neighbor Discovery Problems Regards as On Tue Nov 25 2014 at 8:34:16 PM Chris Grundemann cgrundem...@gmail.com wrote: Hail NANOG! I am looking for IPv6 security resources to add to: http://www.internetsociety.org/deploy360/ipv6/security/ These could be best current practice documents, case-studies, lessons-learned/issues-found, research/evaluations, RFCs, or anything else focused on IPv6 security really. I'm not requesting that anyone do any new work, just that you point me to solid public documents that already exist. Feel free to share on-list or privately, both documents you may have authored and those you have found helpful. Thanks! ~Chris Note: Not every document shared will get posted to the Deploy360 site. -- @ChrisGrundemann http://chrisgrundemann.com -- Marco Davids
Re: abha ahuja
On 20-10-13 00:36, Randy Bush wrote: abha ahuja, researcher and operator, died this day in 2001 All these dear people that have passed away... Makes you think about your own mortality, doesn't it? And the list isn't going to get shorter, I am afraid. Kinda depressing... Perhaps we should create a special remembrance day, once a year, where we remember all of them? And carry on with joy on all other days. -- Marco
Re: DNS Reliability
On 09/13/13 03:53, Larry Sheldon wrote: On 9/12/2013 3:25 PM, Phil Fagan wrote: It's a good point about the anycast; 99.999% should be expected. A small choice of attitude-reflecting language. I expect 100.000% I'll accept 99.999% or better. It depends... define 'lost queries'. For example; is RRL included here or not (sometimes you want to deliberately 'lose' queries). -- Marco
Re: Open Resolver Problems
On 27-03-13 16:54, Owen DeLong wrote: It's been available in linux for a long time, just not in BIND… Not entirely true: http://www.redbarn.org/dns/ratelimits Here is a working ip6tables example: Tricky... There is also the 'hashlimit' module (at least for v4, not sure about v6), that may be a better approach, because it works on a 'per ip address'-basis. See https://lists.isc.org/pipermail/bind-users/2012-July/088223.html for some inspiration of how it may be of value. -- Marco On Mar 27, 2013, at 6:47 AM, William Herrin b...@herrin.us wrote: On Tue, Mar 26, 2013 at 10:07 PM, Tom Paseka t...@cloudflare.com wrote: Authoritative DNS servers need to implement rate limiting. (a client shouldn't query you twice for the same thing within its TTL). Right now that's a complaint for the mainstream software authors, not for the system operators. When the version of Bind in Debian Stable implements this feature, I'll surely turn it on. Regards, Bill Herrin -- William D. Herrin her...@dirtside.com b...@herrin.us 3005 Crane Dr. .. Web: http://bill.herrin.us/ Falls Church, VA 22042-3004 -- Marco Davids
Re: GeoDNS
On 21-03-13 15:48, kg9020 wrote: Hello Have you tried https://github.com/blblack/gdnsd Or maybe https://github.com/miekg/geodns, if you are into Go. Here it can be seen 'in action': http://dns-status.ntppool.org/# -- Marco
Google's Public DNS does DNSSEC validation
This is interesting news; it seems that Google's Public DNS is performing DNSSEC validation (when the DO-bit is set):
dig +dnssec +multi www.dnssec.nl @8.8.8.8
; <<>> DiG 9.9.1-vjs163.18-P1 <<>> +dnssec +multi www.dnssec.nl @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51937
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.dnssec.nl.          IN A
;; ANSWER SECTION:
www.dnssec.nl.           21580 IN A 213.154.228.160
www.dnssec.nl.           21580 IN RRSIG A 8 3 86400 (
                         20130227071505 20130128071505 33084 dnssec.nl.
                         J9MzudQJHT7UEFZDxioAeOSARqvN87stHIiXLdl1f6ZB
                         I3UGSqKIOlYpuaM7a6jk8k8oajUkGEHGOxa9ypJQHvlv
                         mAE6noaI5sZh6R6lnkd48zGs/xPg4BNODG2zNb3I/lQ3
                         2ojQtcs9AIMDEtH5+XISuwvPre5hhYkneM6mtUc= )
;; Query time: 28 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Jan 29 08:03:53 2013
;; MSG SIZE rcvd: 227
-- Marco Davids
Re: Big day for IPv6 - 1% native penetration
On 11/26/12 15:53, sth...@nethelp.no wrote: Again, where're the compelling IPv6-only content/apps/services? To answer your rhetorical question, http://www.kame.net/ has a dancing kame. To my knowledge, that's the most compelling IPv6-only content. Don't forget http://loopsofzen.co.uk/ - that's definitely the most compelling IPv6-only content I've found. http:///thepiratebay/.se./ipv6/.sixxs.org was popular for a while, when major ISP's in the Netherlands were forced to block 'The Piratebay' over here in the Netherlands, I believe... -- Marco
DNS issues with tools.ietf.org
Hi, Something seems wrong with the DNS of 'tools.ietf.org'. Can anyone confirm? -- Marco
Re: DNS issues with tools.ietf.org
On Wed, 4 Apr 2012, Matt Ryanczak wrote: On 04/04/2012 04:28 PM, Craig Van Tassle wrote: It works for me. works for me too but there do appear to be some problems: And what about this:
dig tools.ietf.org @merlot.levkowetz.com.
; <<>> DiG 9.7.0-P1 <<>> tools.ietf.org @merlot.levkowetz.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33101
Re: DNS issues with tools.ietf.org
On Wed, 4 Apr 2012, Stephane Bortzmeyer wrote: And what about this: But two name servers, gamay and shiraz still work. So the domain works Actually it didn't resolve at all. Even an 'unbound-host -v -d' failed. But... things seem to be working fine again, at least to the extent that I can reach the website. -- Marco
RE: root zone stats
On Sun, 11 Mar 2012, Frank Bulk wrote: Some nice info here, too: http://bgp.he.net/report/dns Nice, but... not 100% up to date? .cw seems to be missing. -- Marco Frank
-----Original Message-----
From: Doug Barton [mailto:do...@dougbarton.us]
Sent: Saturday, March 10, 2012 5:14 PM
Cc: APNIC Mailing List; nanog@nanog.org
Subject: root zone stats
Since there was a question about this, some numbers:
Serial: 2012031001
Statistics
==========
Number of root servers:     13
Roots with IPv6 glue:       9
Number of gTLDs:            22
Number of ccTLDs:           249
Number of IDN TLDs:         42
Total number of TLDs:       313
Number of IPv4 hosts:       1176
Number of IPv4 addresses:   1145
Number of IPv6 hosts:       427
Number of IPv6 addresses:   412
TLDs with IPv6 glue:        258
Total name server hosts:    1177
Total NS addresses:         1557
Number of DS records:       141
Number of TLDs with DS:     85
Enjoy, Doug -- If you're never wrong, you're not trying hard enough
RE: root zone stats
On Mon, 12 Mar 2012, Marco Davids (Prive) wrote: Some nice info here, too: http://bgp.he.net/report/dns .cw seems to be missing. Oops, it isn't... it's just not where I expected it. -- Marco
Paging OpenDNS
Hi, Can someone responsible for 'malware-bl...@opendns.com' please contact me offline? Thank you. -- Marco
DNSSEC on the resolver-side?
Hi, I wonder... How many people here have activated DNSSEC validation on their resolvers? Please let me know off-list when the page below results in a green tick: http://dnssectest.sidn.nl/ Additional details are welcome, like: - The IP-address of the resolver(s) you used (if you know) - Whether this is an 'official' resolver at an ISP or not - Your current IP-address, or the ISP you are at (http://ip.sidn.nl might be helpful). Maybe some of you DNS-gurus are even able to tell why DNSSEC validation failed, even when using DNSSEC-enabled resolvers. For example because of some old-school DNS-forwarder in your ADSL modem or something. That would be great information also. The reason for this post is just for me to get a rough understanding of the level of DNSSEC adoption on the resolver-side and the problems that might still exist with DNSSEC validation. The NANOG wiki (http://nanog.cluepon.net) has nothing about DNSSEC yet. Would it be an idea to add something about DNSSEC? I am more than willing to do the kick-off for that. Regards, -- Marco
Looking for 'websitewelcome.com' contact
Hi, Could anyone responsible for ns[12].websitewelcome.com please contact me off-list? Or, can anyone give me a good pointer on how to contact the technical staff of websitewelcome.com? Thank you so much, -- Marco Davids