Re: disable dnssec in bind resolver

2010-06-05 Thread Joe Baptista
On Fri, Jun 4, 2010 at 11:32 PM, Doug Barton do...@dougbarton.us wrote:



 With my business hat on though I can see at least 2 possible use cases for
 DO=0. The first being related to this thread, "I can't/won't fix/remove the
 firewall today, I just want my resolver to work." The hapless user in that
 spot is either going to use another vendor, or go back to the old version of
 BIND that works. I know market share isn't a _primary_ concern for BIND,
 but I would argue that the "go back to old version" answer to this dilemma
 is something that we should all be concerned about.


I understand - I do anticipate others share your concern.


 The other use case that leaps immediately to mind is "We do 42 scintillion
 DNS queries per second and our bandwidth cost has tripled in the last 3
 months! What in the name of J. Jonah Jameson is going on around here?!?"


DNSSEC support is a world wide expense. Not only for the users who deploy it
and the registries that support it. But also in bandwidth. If you're saying
your DNS traffic has tripled that sounds about right.

Everybody profits and everybody pays.

Since we have Paul's attention here my question is will he incorporate
DNScurve into BIND now or does he intend to wait until it becomes an RFC?

regards
joe baptista
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: [ga] Re: Resolving .gov w/dnssec

2010-04-23 Thread Joe Baptista
On Fri, Apr 23, 2010 at 12:15 AM, Hugh Dierker hdierker2...@yahoo.com wrote:

 Fair trade is necessary trade. Unnecessary tradeoffs are lame.


I agree. It is a tradeoff and not fair trade.


 These problems are not necessary -- except that they are within the given
 framework of lack of motivation to do better.  It comes down to this, if we
 set our standards outside of competitive models there is no incentive to do
 better.  ICANN, the Dnssec and this SAIC are working within government
 sanctioned slobbery, both intellectual and economic slobbery.  I used to
 think it was snobbery, now I know it is a laziness born of shovel leaning
 bureaucrats. You may be kind and call it make work but would you call
 intentional fraud make work? Buggy whips and Railroad fireman is what this
 is.


Again I agree. DNSSEC is a snow job by committee.  SAIC is a joke.  I root
server in Beijing is still down. Where is SAIC on that.



 The plan I am putting together for the inclusives will generate some new
 fire under the pants of these obstructionists and they will find that a
 better mousetrap can be built.


Thank you - I and my TLD holders thank you.

regards
joe baptista






 --- On *Thu, 4/22/10, Joe Baptista bapti...@publicroot.org* wrote:


 From: Joe Baptista bapti...@publicroot.org
 Subject: [ga] Re: Resolving .gov w/dnssec
 To: c...@cam.ac.uk, g...@gnso.icann.org  GA g...@gnso.icann.org
 Cc: Paul Wouters p...@xelerance.com, Bind Users Mailing List 
 bind-users@lists.isc.org, Timothe Litt l...@acm.org
 Date: Thursday, April 22, 2010, 8:07 AM

 Looks like the future of the DNSSEC make work project includes resolution
 failures here and there. More security - less stability - guaranteed
 slavery. I wonder if it's a fair trade.

 we'll see ..
 regards
 joe baptista

 On Thu, Apr 22, 2010 at 10:52 AM, Chris Thompson c...@cam.ac.uk wrote:

 On Apr 22 2010, Paul Wouters wrote:

 On Thu, 22 Apr 2010, Timothe Litt wrote:

 I'm having trouble resolving uspto.gov with bind 9.6.1-P3 and 9.6-ESV
 configured as validating resolvers.

 Using dig, I get a connection timeout error after a long (~10 sec)
 delay.
 +cdflag provides an immediate response.


 Is anyone else seeing this?  Ideas on how to troubleshoot?


 I have the same problems with our validating unbound instance.


 I suspect that this has to do with

  dig +dnssec +norec dnskey uspto.gov @dns1.uspto.gov.
  dig +dnssec +norec dnskey uspto.gov @sns2.uspto.gov.

 failing with timeouts, while

  dig +dnssec +norec +vc dnskey uspto.gov @dns1.uspto.gov.
  dig +dnssec +norec +vc dnskey uspto.gov @dns2.uspto.gov.

 work fine ... with a 1736-byte answer. Probably the fragmented
 UDP response is getting lost somewhere near the authoritative
 servers themselves.

 --
 Chris Thompson
 Email: c...@cam.ac.uk









-- 
Joe Baptista

www.publicroot.org
PublicRoot Consortium

The future of the Internet is Open, Transparent, Inclusive, Representative 
Accountable to the Internet community @large.

 Office: +1 (360) 526-6077 (extension 052)
Fax: +1 (509) 479-0084

Personal: http://baptista.cynikal.net/

Re: Resolving .gov w/dnssec

2010-04-22 Thread Joe Baptista
Looks like the future of the DNSSEC make work project includes resolution
failures here and there. More security - less stability - guaranteed
slavery. I wonder if it's a fair trade.

we'll see ..
regards
joe baptista

On Thu, Apr 22, 2010 at 10:52 AM, Chris Thompson c...@cam.ac.uk wrote:

 On Apr 22 2010, Paul Wouters wrote:

  On Thu, 22 Apr 2010, Timothe Litt wrote:

  I'm having trouble resolving uspto.gov with bind 9.6.1-P3 and 9.6-ESV
 configured as validating resolvers.

 Using dig, I get a connection timeout error after a long (~10 sec) delay.
 +cdflag provides an immediate response.


  Is anyone else seeing this?  Ideas on how to troubleshoot?


 I have the same problems with our validating unbound instance.


 I suspect that this has to do with

  dig +dnssec +norec dnskey uspto.gov @dns1.uspto.gov.
  dig +dnssec +norec dnskey uspto.gov @sns2.uspto.gov.

 failing with timeouts, while

  dig +dnssec +norec +vc dnskey uspto.gov @dns1.uspto.gov.
  dig +dnssec +norec +vc dnskey uspto.gov @dns2.uspto.gov.

 work fine ... with a 1736-byte answer. Probably the fragmented
 UDP response is getting lost somewhere near the authoritative
 servers themselves.

 --
 Chris Thompson
 Email: c...@cam.ac.uk
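
Why the plain UDP queries time out while `+vc` works, as an added example that is not part of the thread: Python that builds the query `dig +dnssec +norec dnskey uspto.gov` puts on the wire, reads back the EDNS0 buffer size and DO bit, and predicts how the 1736-byte answer travels. The 4096-byte advertised buffer, the 1500-byte MTU and all function names are assumptions of the example.

```python
import struct

TYPE_DNSKEY, TYPE_OPT, CLASS_IN = 48, 41, 1
DO_BIT = 0x8000            # "DNSSEC OK" flag inside the OPT record's TTL field


def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, bufsize=4096, do=True, rd=False, msg_id=0x1234):
    """Build a DNS query with one EDNS0 OPT record in the additional section."""
    flags = 0x0100 if rd else 0          # +norec clears the RD flag
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT: root owner, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, DO_BIT if do else 0, 0)
    return header + question + opt


def read_edns(query):
    """Return (bufsize, do) from a query built as above, or None without OPT."""
    arcount = struct.unpack("!H", query[10:12])[0]
    if arcount == 0:
        return None
    pos = 12
    while query[pos]:                    # skip the labels of the question name
        pos += 1 + query[pos]
    pos += 1 + 4                         # zero byte, QTYPE, QCLASS
    owner, rtype, bufsize, ttl, _rdlen = struct.unpack("!BHHIH", query[pos:pos + 11])
    if owner != 0 or rtype != TYPE_OPT:
        return None
    return bufsize, bool(ttl & DO_BIT)


def udp_delivery(answer_len, bufsize, mtu=1500):
    """Predict how an answer of answer_len bytes is sent over UDP/IPv4."""
    if answer_len > bufsize:
        return "truncated (TC=1), client retries over TCP"
    per_fragment = (mtu - 20) // 8 * 8   # IPv4 payload per fragment, multiple of 8
    datagram = answer_len + 8            # add the UDP header
    fragments = -(-datagram // per_fragment)
    if fragments == 1:
        return "single packet"
    return "%d IP fragments; lost if any hop drops fragments" % fragments


if __name__ == "__main__":
    query = build_query("uspto.gov", TYPE_DNSKEY)
    print("advertised:", read_edns(query))
    for size in (4096, 1232):            # constructed buffer sizes for comparison
        print(size, "->", udp_delivery(1736, size))
```

Lowering the advertised size (BIND's `edns-udp-size` option) moves the same answer from the fragmented case to the truncate-and-retry-over-TCP case, which is the path `+vc` exercises directly.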



Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-25 Thread Joe Baptista
On Wed, Feb 24, 2010 at 10:23 PM, Alan Clegg acl...@isc.org wrote:

 Joe Baptista wrote:

    dnssec-enable yes;
   and
    dnssec-validation yes;

   are the defaults since BIND 9.5

  How do I turn it off.

 Since you edited out the most important part of my post, I'll repeat it
 here before I answer your question:


Sorry - not my intention. It's just that part of the post did not apply to
me. My question was not related to an authoritative server but a recursive
only server.



 Serving signed zones requires signed zone data to serve.
 Validation requires configuration of trust anchors.

 To turn it off,

 Don't sign your zones and don't configure trust anchors.


Like I said the server is recursive only - no zones served.



 Or, if you think you might accidentally sign your zones or configure
 trust anchors, you can:

 dnssec-enable no;
 dnssec-validation no;


OK - so if I do the above - will that prevent my recursive server from doing
DNSSEC if it gets information from a DNSSEC signed zone?


Thanks for your help here
joe

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Joe Baptista
reply below

On Wed, Feb 24, 2010 at 1:06 AM, Evan Hunt e...@isc.org wrote:


  I humbly suggest Dr. Bernstein who is behind DNScurve thinks the IETF is
  full of wackos. So it is unlikely he will ever be bothered to dance the
  IETF RFC jig.

 Is there a requirement that Dr. Bernstein must personally do the dancing?
 Let someone else write the RFC, if it needs writing.


Someone else has written the RFC draft - which see http://bit.ly/b5mFkV

Looks like Matthew Dempsky and OpenDNS have taken the lead here.




 While the existence of an RFC isn't an absolute requirement for BIND to
 implement something, it certainly helps.  But what helps a lot more is
 evidence that the thing in question is getting widespread use, or that
 there's significant user demand for it.


Now there is. OpenDNS support of DNScurve means over 20 billion DNS queries
per day. I think that's enough evidence to get cracking and write the code.


 So far, we're not seeing either
 of those things with DNSCurve.


We're not seeing much of the same with DNSSEC.

That's not the case with DNScurve. Again I stress - over 20 billion requests
per day at OpenDNS are DNScurve compatible. The traffic in DNSSEC is chicken
feed compared to DNScurve.


 When we do, I'll be happy to write the
 code.


It's happened - start writing.

regards
joe baptista

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Joe Baptista
On Wed, Feb 24, 2010 at 1:13 AM, Michael Sinatra 
mich...@rancid.berkeley.edu wrote:

 As someone who both signs his production zones and does DNSSEC validation,
 I can assure you that DNSSEC works.  But you've done as good job as I can
 imagine in making the case for DNScurve.


Done.

regards
joe baptista

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Joe Baptista
On Wed, Feb 24, 2010 at 11:33 AM, Evan Hunt e...@isc.org wrote:

  That's not the case with DNScurve. Again I stress - over 20 billion
  requests per day at OpenDNS are DNScurve compatible. The traffic in
  DNSSEC is chicken feed compared to DNScurve.

 ORG and GOV and quite a lot of the ccTLD's are DNSSEC compatible, so I
 don't actually think it'd be much of a horserace if compatibility is all
 you're looking for.


I agree they are both DNSSEC compatible but .GOV has only deployed DNSSEC in
20% of its zones. I'm not sure what the percentage is in .ORG - 5% ? less ?
is it even 1% of the zones? The make work project continues.

That's what I like about DNScurve. No make work projects.

But I get your point.


  What'll be interesting is how many queries the root
 and TLD servers start seeing for uz5*/NS.


It's going to be interesting to watch. I guess that depends on if DNSSEC is
turned on by default in BIND. Incidentally - is it?

regards
joe baptista

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-24 Thread Joe Baptista
On Wed, Feb 24, 2010 at 10:08 PM, Alan Clegg acl...@isc.org wrote:


   dnssec-enable yes;
 and
   dnssec-validation yes;

 are the defaults since BIND 9.5


How do I turn it off.

Thanks
joe

OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-23 Thread Joe Baptista
Now that OpenDNS the largest provider of public DNS supports DNSCurve

http://twitter.com/joebaptista/status/9555178362

Would it be possible to include DNScurve support in bind?

thanks
joe baptista

Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

2010-02-23 Thread Joe Baptista
It would be nice to see it as an RFC. I agree with that. But from what I
know it will be a pretty cold day in hell before it becomes an RFC. I humbly
suggest Dr. Bernstein who is behind DNScurve thinks the IETF is full of
wackos. So it is unlikely he will ever be bothered to dance the IETF RFC
jig.

I do disagree with you that bind should only implement what is in the RFC.
Let's not forget the IETF has had 15 years to secure the DNS. The result is
the DNSSEC abortion. It has failed. This announcement today is a stiff well
deserved kick in the balls to the DNSSEC crowd.

We can not rely on the IETF for security. Commerce and simple common sense
communications are screaming for security solutions today. DNSCurve is
perfect and it works out of the box.

Folks. OpenDNS has set the DNS standard. We can start securing the DNS with
every new dnscurve upgrade to bind. Imagine how much money is being spent on
the DNSSEC make work project - time and energy wasted.

DNScurve installs - configures and runs. No need for a make work project.

agreed?

regards
joe baptista

On Tue, Feb 23, 2010 at 10:28 PM, Michael Sinatra 
mich...@rancid.berkeley.edu wrote:

 On 02/23/10 18:31, Joe Baptista wrote:

 Now that OpenDNS the largest provider of public DNS supports DNSCurve

 http://twitter.com/joebaptista/status/9555178362

 Would it be possible to include DNScurve support in bind?

 thanks
 joe baptista


 I'd love to see BIND adopt DNScurve...when it becomes an RFC.  Until then,
 I'd prefer that BIND stick to the existing body of RFCs.  If DNScurve is
 important enough for the whole Internet to use, then it's important enough
 to drag it through the whole IETF process, political as it may or may not
 be.

 Personally, I think DNScurve misses the mark.  My concern, as someone who
 operates both authoritative and recursive servers, is that the data on the
 authority side be authentic end-to-end.  With DNSSEC, I can validate that
 that's true.

 DNScurve advocates, on the other hand, point out that DNS isn't encrypted.
  Well, neither is the phone book.  So what?  I regard DNS as a public
 database, and it's more important to me that it be authentic--from the
 source--than obscurified.

 While I think the OpenDNS people (especially David U., their founder) have
 a huge amount of clue, I think they're barking up the wrong tree here.

 michael

Re: how to setup a local root nameserver?

2010-02-02 Thread Joe Baptista
see my comments below ...

On Tue, Feb 2, 2010 at 8:18 AM, Joseph S D Yao j...@tux.org wrote:

 On Tue, Feb 02, 2010 at 12:50:56AM +0100, fddi wrote:
  Hello,
  I need to setup a local named configuration so that ANY request will be
  resolved
  to a specific single IP only.
 
  I mean any kind of DNS resolution request
 
  www.luth.se
  www.isc.org
  www.anything.tld
 
  should be resolved in 172.16.30.30 for example


 zone "." {
        type master;
        file "zone.root";
 };

 zone.root:
 @           SOA ...
             NS  localhost

 localhost   A   127.0.0.1


 *           A   172.16.30.30

 NOTE: this does exactly what you asked.  And may have unexpected
 consequences [as in, be careful what you ask for; you may get it].  For
 instance, this had better be the name server, as well!  NO OTHER IP
 ADDRESS IN THE ENTIRE WORLD will be resolved.


 Unless you add domains on this same name server.


Correct .. but as you say you just add domains on the same name server.
Simply make the NS the localhost and assign localhost the A record of
127.0.0.1. Or let's say the name server is at 172.16.30.31 then you can do as
follows

                  NS  any.domain.name
any.domain.name   A   172.16.30.31
*                 A   172.16.30.30

That will work too.

regards
joe baptista
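
How a name server matches the `*` record in the zone above, as an added example that is not code from the thread or from BIND: a small Python model of the RFC 4592 closest-encloser rule applied to the records in this message. It also shows the edge case that names below an existing branch (here `name.`, which exists because of `any.domain.name`) are not covered by the root wildcard. The function names and the dictionary layout are assumptions of the example.

```python
"""Model of wildcard synthesis (RFC 4592) for the catch-all root zone above.

Constructed illustration: A records only, no CNAME/DNAME or delegations.
"""

# Zone data copied from the message: the name server's own name plus "* A".
ZONE = {
    ("any", "domain", "name"): "172.16.30.31",   # any.domain.name A
    ("*",): "172.16.30.30",                      # * A  (wildcard at the root)
}


def labels(name):
    """'www.isc.org.' -> ('www', 'isc', 'org'); the root is the empty tuple."""
    name = name.rstrip(".").lower()
    return tuple(name.split(".")) if name else ()


def existing_names(zone):
    """Every owner name plus all its ancestors (empty non-terminals exist too)."""
    names = {()}
    for owner in zone:
        for i in range(len(owner)):
            names.add(owner[i:])
    return names


def resolve_a(qname, zone=ZONE):
    """Return (rcode, address, how) for an A query against the zone."""
    q = labels(qname)
    exists = existing_names(zone)
    if q in exists:
        # Exact match: a wildcard never applies to a name that exists.
        addr = zone.get(q)
        return ("NOERROR", addr, "exact" if addr else "nodata")
    # Closest encloser: the longest existing ancestor of the query name.
    for i in range(1, len(q) + 1):
        if q[i:] in exists:
            encloser = q[i:]
            break
    wildcard = ("*",) + encloser             # source of synthesis
    if wildcard in zone:
        return ("NOERROR", zone[wildcard], "wildcard")
    return ("NXDOMAIN", None, "no wildcard below " + (".".join(encloser) or "."))


if __name__ == "__main__":
    # Constructed query names: the three from the question plus the edge cases.
    for name in ("www.luth.se", "www.isc.org", "www.anything.tld",
                 "any.domain.name", "domain.name", "www.example.name"):
        print(name, resolve_a(name))
```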

Re: how to setup a local root nameserver?

2010-02-01 Thread Joe Baptista
That's the baptista vortex. I've used it to clean up root servers of traffic.
Where every name resolves to the same IP address. I don't know if it still
works under bind. You can try.

You simply setup a root zone file with a wildcard pointing to the A record.
Or you can build a server to do that.

regards
joe baptista

If you need help get back to me privately.

On Mon, Feb 1, 2010 at 6:50 PM, fddi f...@gmx.it wrote:

 Hello,
 I need to setup a local named configuration so that ANY request will be
 resolved
 to a specific single IP only.

 I mean any kind of DNS resolution request

 www.luth.se
 www.isc.org
 www.anything.tld

 should be resolved in 172.16.30.30 for example

 I need this because I need to redirect users to a local web portal
 authentication page and I need
 to do it using DNS.

 is there any kind of named configuration which can allow me to achieve this
 result ?

 I tried hard but without any success

 for example I tried this:

 in named.conf:

 zone "." IN {
   type master;
   file "named.root";
 };


 then in named.root:

 $TTL 86400
 $ORIGIN .
 @   1D IN SOA   @ root (
   42  ; serial (d. adams)
   3H  ; refresh
   15M ; retry
   1W  ; expiry
   1D ); minimum

   1D IN NS @
   1D IN A  172.16.30.30



 but it works only for   .
 and not recursively for anydomain issued in the request.


 thank you

 Rick



DNS inventor Dr. Paul Mockapetris audio interview available at NPR

2009-12-13 Thread Joe Baptista
Since we have been talking about DNS recently here is an audio interview by
NPR with DNS inventor Dr. Paul Mockapetris

quote: *A friend of mine said I was smart enough to invent the DNS, but not
smart enough to own it,*

http://bit.ly/8iSEql

This link guaranteed free of evil
(signed joe baptista)

Re: Punycode nslookup

2009-12-04 Thread Joe Baptista
You configure an idn zone the same way you do for any other - so I assume
your config below is correct - although the location of the master file
master/umlauttestäöü.de.hosts contains non ascii char I don't think that is
an issue in today's unix/linux environment. It would have been a problem in the
old days.

As for your question concerning the browser converting the domain to punycode
before asking a nameserver - yes that is what some browsers do. I'm not sure
why because it must confuse some users when that happens.

regards
joe baptista

On Fri, Dec 4, 2009 at 9:41 AM, Kai Szymanski k...@codebiz.de wrote:

 Hi!

 One of our customers wants a Domain with Umlaute (german special
 characters like ä).

 Is it correct when i have configured the zone like

 zone "xn--umlauttest-z5a0tyc.de" {
   type master;
   file "master/umlauttestäöü.de.hosts";
   allow-transfer { can_transfer; };
   # allow-update { can_update; };
 };

 and the record like

 xn--umlauttest-z5a0tyc.de.   IN  SOA ns.foobar.de. hostmaster.foobar.de. (
   2009120401  ; Serial
   8H  ; refresh
   4H  ; retry
   5w6d16h ; expiry
   1D ); minimum

   IN NS ns.foobar.de.
   IN NS ns2.foobar.de.

 If so: When you enter the Domainname in a Browser: Did the Browser also
 encode the url to punycode before asking a nameserver ?

 Thanks for your hints!

 Best regards,
  Kai.


Re: Punycode nslookup

2009-12-04 Thread Joe Baptista
On Fri, Dec 4, 2009 at 10:23 AM, Kai Szymanski k...@codebiz.de wrote:

 Hi Joe,

 my problem is: I can't test the zone with nslookup (only when i use the
 puny-encoded domainname). Also other tools who uses dns to resolve the
 entered domainname (like ping www.umlauttestäöü.de
 <http://www.xn--umlauttest-z5a0tyc.de>) didn't work.


I'm not sure what the state of nslookup is these days with respect to
support for idn. One would think it should accept umlauts and translate to
punycode. I can see how a lack of idn support can cause even programmers
confusion.



 So i thought that

 1. The User enters a url with Umlauts in browser
 2. Browser examine url, see that there is umlaut in the domainname, and
 encoded it (internal, so the user didn't see it) to puny code and ask the
 default nameserver for the domainname in punycode

 Is this correct ?


That's how it should work. It's more of a cosmetic user thing and if browsers
did that much user confusion would be reduced if they could see the idn
domain instead of an xn--* domain. Now there could very well be a browser
that does this. I don't know - the last time I tested this was back when
Ubuntu 7.?? was released. Don't remember the exact date and the only browser
I tested it on was Firefox.

Have you tried other browsers? And what browser(s) have you tested this on.

You have hit on a very important point here.

regards
joe baptista

Re: Punycode nslookup

2009-12-04 Thread Joe Baptista
On Fri, Dec 4, 2009 at 12:26 PM, Chris Buxton cbux...@menandmice.com wrote:


 nslookup will only understand IDN if BIND is compiled with that option in
 the ./configure step.


might be a good idea if it was the default option. as idn becomes popular
the lack of idn support for the tools will result in confusion.


 The browser has to understand IDN. Most current browsers do, including (I
 believe) IE 7 and later, Firefox 2 and later, and Safari 3 and later.


Does anyone have a list of idn domains? I'd like to try it out.

cheers
joe baptista
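
The conversion discussed in this thread, as an added example that is not part of the original posts: Python's built-in `idna` codec turns each label into the `xn--` form that goes on the wire, which is the name the zone clause in `named.conf` uses and the name to give to tools built without IDN support. The helper names are assumptions of the example; the zone name is the one from the thread.

```python
# Uses the stdlib "idna" codec (IDNA 2003 rules); no third-party packages.

ZONE_IN_NAMED_CONF = "xn--umlauttest-z5a0tyc.de"   # zone clause from the thread


def to_ascii(name):
    """Convert every label of a typed name to the ASCII form used in DNS."""
    out = []
    for label in name.rstrip(".").split("."):
        # Raises UnicodeError (a ValueError) for labels the codec rejects.
        a_label = label.encode("idna").decode("ascii").lower()
        if not 1 <= len(a_label) <= 63:
            raise ValueError("label %r is %d octets; DNS allows 1-63"
                             % (a_label, len(a_label)))
        out.append(a_label)
    fqdn = ".".join(out)
    if len(fqdn) > 253:
        raise ValueError("name is %d octets; DNS allows at most 253" % len(fqdn))
    return fqdn


def to_unicode(name):
    """Convert xn-- labels back to the form a user would type or read."""
    return ".".join(label.encode("ascii").decode("idna")
                    for label in name.rstrip(".").split("."))


def in_zone(typed_name, zone=ZONE_IN_NAMED_CONF):
    """True if the typed name falls inside the zone once it is converted."""
    qname = to_ascii(typed_name)
    return qname == zone or qname.endswith("." + zone)


if __name__ == "__main__":
    typed = "www.umlauttestäöü.de"          # name as entered in the browser
    print(typed, "->", to_ascii(typed))     # what the resolver is asked for
    print("served by zone:", in_zone(typed))
    print("display form:", to_unicode(ZONE_IN_NAMED_CONF))
```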

Re: When dnssec-validation stops working?

2009-08-16 Thread Joe Baptista
On 8/16/09, John Marshall john.marsh...@riverwillow.com.au wrote:

 I'm new at DNSSEC.  This server is the first one we have configured.
 I have the following in the global configuration options:

 dnssec-enable yes;
 dnssec-validation yes;
 dnssec-lookaside . trust-anchor dlv.isc.org.;


my recommendation is

dnssec-enable no;
dnssec-validation no;
// dnssec-lookaside . trust-anchor dlv.isc.org.;

that should fix the problem.

then lobby the bind bunnies at isc to incorporate dnscurve into bind.
dnscurve is the future of dns security. dnssec is just a bad joke best
avoided at all costs.

cheers
joe baptista

-- 
Joe Baptista

www.publicroot.org
PublicRoot Consortium

The future of the Internet is Open, Transparent, Inclusive, Representative 
Accountable to the Internet community @large.

  Office: +1 (360) 526-6077 (extension 052)
 Fax: +1 (509) 479-0084

Personal: www.joebaptista.wordpress.com

Re: The Year of the Sevenfold Increase

2009-07-30 Thread Joe Baptista
You guys get excited over small potatoes. There are hundreds of millions of
potential DLV RRsets. This is not even a drop in the bucket.

cheers
joe baptista

p.s. this message does not imply i support dnssec deployment. dnscurve is
the solution to our woes http://bit.ly/pJVq4

On Thu, Jul 30, 2009 at 11:37 AM, Chris Thompson c...@cam.ac.uk wrote:

 [You'll find a mighty strange web page if you google for that subject,
 but I couldn't resist...]

 On 30 July 2008, dlv.isc.org had 113 DLV RRsets
 On 30 July 2009, dlv.isc.org had 791 DLV RRsets

 (and I didn't cheat! it came out exactly 7x)

 So, will we see another 7x increase by 30 July 2010, or will the
 numbers start dropping as higher-level domains get their signed
 delegation procedures going?

 Anyway, congratulations and thanks to ISC for providing this service.

 --
 Chris Thompson
 Email: c...@cam.ac.uk

Re: The Year of the Sevenfold Increase

2009-07-30 Thread Joe Baptista
I don't think buddha cares much for bind.

cheers
joe baptista

On Thu, Jul 30, 2009 at 2:26 PM, fakessh fake...@fakessh.eu wrote:

 nb : Buddha peace themselve

 On Thu, 30 Jul 2009 13:41:17 -0400, Joe Baptista bapti...@publicroot.org
 wrote:
  You guys get excited over small potatoes. There are hundreds of millions of
  potential DLV RRsets. This is not even a drop in the bucket.
 
  cheers
  joe baptista
 
  p.s. this message does not imply i support dnssec deployment. dnscurve is
  the solution to our woes http://bit.ly/pJVq4
 
  On Thu, Jul 30, 2009 at 11:37 AM, Chris Thompson c...@cam.ac.uk wrote:
 
  [You'll find a mighty strange web page if you google for that subject,
  but I couldn't resist...]
 
  On 30 July 2008, dlv.isc.org had 113 DLV RRsets
  On 30 July 2009, dlv.isc.org had 791 DLV RRsets
 
  (and I didn't cheat! it came out exactly 7x)
 
  So, will we see another 7x increase by 30 July 2010, or will the
  numbers start dropping as higher-level domains get their signed
  delegation procedures going?
 
  Anyway, congratulations and thanks to ISC for providing this service.
 
  --
  Chris Thompson
  Email: c...@cam.ac.uk

Re: domain name length

2009-06-29 Thread Joe Baptista
yes - you can do that. and even assign the same NS or other if you want.  a
domain can be very large to the human eye.  I'm not sure how many characters
- but more than 200 I think.

Go crazy.
regards
joe baptista

On Mon, Jun 29, 2009 at 9:28 PM, Dan Letkeman danletke...@gmail.com wrote:

 Hello,

 Are there any issues with having domains like location.domain.com so
 all of my hosts will be host.location.domain.com ?  Currently we
 have everything under domain.com and it is getting to be very messy.

 Dan.

Re: DNSDigger.com - An announcement and request for feature tips.

2009-06-16 Thread Joe Baptista
Can DNSdigger see .GOD?  What about .SATAN.

Does DNSdigger see the Peking University on the China National TLD DNS?
What happens if I ask it a question on the domain 北京大学.中国 or the equivalent
ascii IDN of  xn--1lq90ic7fzpc.xn--fiqs8s ?

Well I tried digger.  I know it does not speak Chinese, Peking University
at 北京大学.中国 does not resolve.  Nor does the ascii xn--1lq90ic7fzpc.xn--fiqs8s
resolve - so we can assume digger can't yet see China.  That's unfortunate.

Until digger can see China - it sure won't see .GOD and .SATAN.

But that fault aside - I like digger.  I'll use it - so sad it has limited
vision of the name space.  But I'm sure it will improve.

cheers
joe baptista

- that's one recommended bookmark ;)


On Tue, Jun 16, 2009 at 8:19 PM, Jay Ess li...@netrogenic.com wrote:

 DNSDigger.com - A massive reverse resolver that lets you dig deeper into
 the Net.

 DNSDigger.com is a service that lets you get more information about a
 domain name. It can show you what other domain names are hosted on a server.
 For example, that information can be valuable data for a hosting company
 that wants to estimate how many customers a competitor has or see what other
 domains are hosted on a shared server and estimate the likelihood of that
 server being DDOSed.


 I am posting this to the Bind emailing list for two reasons.
 1. To announce a relevant service (relevant to DNS)
 2. To ask you for feature requests.

 I hope you don't get too pissed off ;)


Re: Unified Root - Domain Configuration Issue

2009-01-18 Thread Joe Baptista
On Sun, Jan 18, 2009 at 9:39 PM, Mark Andrews mark_andr...@isc.org wrote:



 http://tld and u...@tld can *never* work *reliably* as they
 would cause namespace clashes. Single labels represent local
 names not global names.


That's incorrect.  It does work but is not recommended because it does not
always work depending on the application.  If the application relies solely
on gethostbyname then it will probably work - but some applications do a bit
more checking of the domain name and not all applications will allow it.

cheers
joe baptista
