> On Mar 3, 2024, at 12:26 PM, Fred Morris wrote:
>
> Speaking to the message not the (ChetGPT) "massage"...
>
> On Sun, 3 Mar 2024, Turritopsis Dohrnii Teo En Ming wrote:
>> [...]
>> I define most popular as the largest number of DNS server installed
>> throughout the whole world.
>
> I
More of a routing thing than DNS - but this type of view from the outside in is
really helpful to detect by providers feeding RIPE RIS or route views so there
are better external views into networks.
This is an area where I want to expand and improve coverage after things like
the silent and
Often folks will use TXT with a low TTL and use a specific label path to
perform this function.
Sent via RFC1925 compliant device
> On Jun 15, 2023, at 4:22 PM, Fred Morris wrote:
>
> Hello,
>
> I'm using DNS to retrieve some distributed telemetry data from multiple
> servers. To
from what source IP?
> On Feb 3, 2020, at 3:02 PM, SM wrote:
>
> Hello,
>
> c.root-servers.net (2001:500:2::c) is not responding to queries over IPv6 [1].
>
> Regards,
> -sm
>
> 1. The error from DNSViz is "arpa zone: The server(s) were not responsive to
> queries over UDP.
While I would not recommend this generally there are a few of us that operate
free secondary services that are dual stacked. Make sure one NS is dual stacked
and you are likely fine.
Sent from my iCar
> On Dec 31, 2019, at 4:47 AM, Shane Kerr wrote:
>
> Stephane and all,
>
>> On
> On Nov 27, 2019, at 5:26 PM, Florian Weimer wrote:
>
> What's the change rate for the root zone? If there is a full
> transition of the name server addresses for a zone, how long does it
> typically take from the first change to the completion of the sequence
> of changes?
There are
> On Oct 16, 2019, at 7:41 AM, Paul Vixie wrote:
>
> hurricane and cogent are also businesses, each having employees and investors
> and customers. they are each doing what makes sense to them. this is not a
> "peering war" by any stretch of the vocabulary. cogent does not have a
>
On Thu, Oct 10, 2019 at 01:56:11PM -0700, Randy Bush wrote:
> >> Neither Cogent or HE buy transit from anybody else
>
> i believe this statement to be false
i know of at least 2 transit providers..
- jared
--
Jared Mauch | pgp key available via
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
--
Jared Mauch | pgp key available via finger from ja...@puck.nether.net
clue++; | http
Sadly, there are devices such as the most recent Netgear routers and firmware
that block TCP queries as well in the most horrific way, e.g.:
https://www.cloudshark.org/captures/273da18d3057
- Jared
On Jan 28, 2015, at 3:45 PM, Warren Kumari war...@kumari.net wrote:
On Wed, Jan 28, 2015 at
On Nov 27, 2014, at 9:27 AM, bert hubert bert.hub...@netherlabs.nl wrote:
On Wed, Nov 26, 2014 at 12:37:57PM -0500, Jared Mauch wrote:
Is there some specific configuration magic that I’m missing to make bind
listen to TCPv6 sockets?
I do realize that in many places DNS and BIND
We have such an IP address in our backbone but don't publish it. I suppose
someone could ask for an allocation for this purpose from a local RIR and this
could be done for that whole range.
Jared Mauch
On Nov 26, 2014, at 9:25 AM, Stephane Bortzmeyer bortzme...@nic.fr wrote:
I'm trying
Is there some specific configuration magic that I’m missing to make bind listen
to TCPv6 sockets?
Looking at what it’s doing via lsof it seems to not be listening to v6/tcp:
named 909 named 20u IPv4 24571 0t0 TCP
204.42.254.5:domain (LISTEN)
named 909 named
On Nov 26, 2014, at 10:13 AM, Paul Wouters p...@nohats.ca wrote:
http://tools.ietf.org/html/rfc6598 defines 100.64.0.0/10
Packets with Shared Address Space source or destination addresses
MUST NOT be forwarded across Service Provider boundaries. Service
Providers MUST filter such
On Nov 26, 2014, at 3:48 PM, Niall O'Reilly niall.orei...@ucd.ie wrote:
At Wed, 26 Nov 2014 12:37:57 -0500,
Jared Mauch wrote:
Is there some specific configuration magic that I’m missing to make
bind listen to TCPv6 sockets?
[...]
My configuration is fairly straightforward
If someone wanted to dispose of that volume of requests they could get
assistance if they asked the right people.
Jared Mauch
On Nov 26, 2014, at 7:12 PM, Robert Edmonds edmo...@mycre.ws wrote:
Warren Kumari wrote:
This thingie has many aspects that look a bunch like AS112 -- I'm
On Nov 26, 2014, at 8:25 PM, Mark Andrews ma...@isc.org wrote:
There are some OS where named can't enumerate the IPv6 interfaces
usually due to stupid OS hacks which means the listen-on-v6 ACL
above has nothing to match against. What was wrong with providing
this information via the
On Oct 11, 2014, at 5:00 PM, Davey Song songlinj...@gmail.com wrote:
IPv6 MTU is specified larger than IPv4. But the implementation like firewall
or other mid-box may not follow the specification. It needs test in
large-scaled network.
I am completely in favor of breaking people who
On Oct 10, 2014, at 2:54 PM, Hugo Salgado hsalg...@nic.cl wrote:
On 10/10/2014 03:24 PM, Roland Dobbins wrote:
On Oct 11, 2014, at 1:07 AM, Mohamed Lrhazi mohamed.lrh...@georgetown.edu
wrote:
The appliance vendor, Google, tells me that edns0 opt code 20732 must be
the service
with the JAS folk, and have huge respect for
them - they did, IMO, a good job.
The really fun part (for me) is that depending on the OS you can ping
127.0.53.53. (eg: Linux, Yes, MacOS, No). Linux will also give you
Connection refused for TCP connections.
- Jared
--
Jared
On Jul 2, 2014, at 9:56 AM, Stefan netfort...@gmail.com wrote:
Hello, DNS gurus,
Does anybody have a good set of tcpdump/tshark capture filters, associated
with DNS, already prep-ed for specific fields in the payload (so beyond just
the simplistic udp 53 or tcp 53)?
I've used the
On Jun 24, 2014, at 9:01 AM, Kelly Setzer kelly.set...@wnco.com wrote:
* Most respondents agreed that a registered domain for internal DNS was
the way to go.
Beware the mistakes of others as well, check out 'corp.verio.net' as an example
of a poorly operated sub-domain.
- Jared
On Jun 24, 2014, at 12:53 PM, Phil Regnauld regna...@nsrc.org wrote:
Jared Mauch (jared) writes:
On Jun 24, 2014, at 9:01 AM, Kelly Setzer kelly.set...@wnco.com wrote:
* Most respondents agreed that a registered domain for internal DNS was
the way to go.
Beware the mistakes of others
On Jun 24, 2014, at 4:29 PM, Matthew Ghali mgh...@snark.net wrote:
Hi PHB- I'm curious when this scheme would be simpler to implement or less
expensive to operate as opposed to using a delegated internal subdomain of an
existing parent domain registration (see corp.verio.net modulo the
On May 20, 2014, at 7:13 AM, cgielen+dnso...@gielen.name wrote:
DNSSEC-validation fails for 172.in-addr.arpa . This causes reverse DNS
lookups to fail for all IPv4-address starting with 172.
http://dnsviz.net/d/16.172.in-addr.arpa
Is this perhaps related to AS112 project as well or 172.16
On May 15, 2014, at 3:55 AM, João Damas j...@bondis.org wrote:
If it is 9.11, it might be good number to make attack resilience the focus of
that version (a good code audit, more robust error-condition response,
evolution of RRL and related features, logging that doesn't kill you, etc)
I
On Thu, May 15, 2014 at 03:12:07PM +, Evan Hunt wrote:
On Thu, May 15, 2014 at 07:12:53AM -0400, Jared Mauch wrote:
I heard they are skipping number 11, the next release would be 9.12.
It's on our roadmap as 9.11.
Apparently i misheard.
- Jared
--
Jared Mauch | pgp key available via
On May 14, 2014, at 3:22 AM, Jim Reid j...@rfc1035.com wrote:
On 13 May 2014, at 22:51, Andrew Sullivan a...@anvilwalrusden.com wrote:
Check every name using your nameservers at the parent side for glue before
renumbering.
If only it was that simple Andrew. :-)
A delegation in TLD1
On Mar 31, 2014, at 5:08 PM, Mark Andrews ma...@isc.org wrote:
Yes.
I posted the output for networks which cannot reach
c.root-servers.net over IPv6.
Basically anyone using Hurricane Electric.
This is well known that Cogent (nee c.psi.net - c.root-servers) is not
connected to
FYI:
https://kb.isc.org/article/AA-01078
On Dec 17, 2013, at 9:00 PM, Jared Mauch ja...@puck.nether.net wrote:
Anyone seen this crash:?
I’m hitting it fairly often right now and trying to poke at the code for
triage:
Anyone seen this crash:?
I’m hitting it fairly often right now and trying to poke at the code for triage:
17-Dec-2013 20:56:03.138 general: name.c:1727: INSIST(offset = length) failed,
back trace
17-Dec-2013 20:56:03.138 general: #0 0x43140d in ??
17-Dec-2013 20:56:03.138 general: #1
On Oct 22, 2013, at 7:42 AM, Daniel Kalchev dan...@digsys.bg wrote:
I for one, do not believe DNSSEC is any difficult. I have turned DNSSEC
wherever I can. It has become easier and easier in the past few years to the
point I would call deploying DNSSEC today trivial. I have therefore
On Oct 17, 2013, at 4:09 AM, Daniel Kalchev dan...@digsys.bg wrote:
On 17.10.13 00:12, Jared Mauch wrote:
Even small networks (I have a friend with a ~100 user wisp) shouldn't run
their own caches. The economics of it don't support this.
Care to elaborate on this economic problem
Comcast doesn't give me broken name servers to use, there is no cognitive
dissonance here :-)
You are a DNS expert. Most end users when DNS fails think everything has
failed, including the network.
I type URLs into my browser. Do you know how many people type google into the
google search
On Oct 15, 2013, at 2:12 AM, Peter Koch p...@denic.de wrote:
sure. Yet another instance of the DNS people have said Come on.
This is akin to asking the founding member of the local mercedes car club what
sort of car you should get. :)
<sarcasm>Is there something wrong with this?</sarcasm>
On Oct 15, 2013, at 4:58 PM, Paul Hoffman paul.hoff...@vpnc.org wrote:
On Oct 15, 2013, at 1:36 PM, Jared Mauch ja...@puck.nether.net wrote:
On Oct 15, 2013, at 2:12 AM, Peter Koch p...@denic.de wrote:
sure. Yet another instance of the DNS people have said Come on.
This is akin
I'll say no. They don't have resources to deal with 98 angry users when DNS
fails. Using OpenDNS or the ISP is likely the best choice. Most large ISP dns
servers are good.
Jared Mauch
On Oct 14, 2013, at 7:08 PM, Paul Hoffman paul.hoff...@vpnc.org wrote:
A fictitious 100-person company
I've reprocessed some data on the OpenResolverProject and wanted to share some
results.
1) I stopped filtering on if the #answers was 0 on the query to determine the
alternate ip in the data.
This filter was originally in-place because I thought DNS implementations were
sane/good. They are
On Aug 22, 2013, at 3:59 PM, wbr...@e1b.org wrote:
Running the DNS for 100+ school districts and 400,000+ devices, I really,
REALLY don't want to be the one saying Sorry, you can't use the site
called for in your lesson plan today because they messed up the DNSSEC
records. Management's
BTW, The goal of OpenResolverProject was to have an inventory so folks could
measure against attacks and determine what % of attacks utilized them.
The list is available in weekly format to security teams to download in bulk so
they can use tools like GrepCidr to perform this cross-reference.
On Aug 13, 2013, at 1:43 AM, Evan Hunt e...@isc.org wrote:
Do you mean the BIND views? It has been there for many years.
http://www.zytrax.com/books/dns/ch7/view.html
I believe Jared meant this:
http://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-02
Correct.
I'm not sure
On Aug 13, 2013, at 6:47 AM, Ken Peng p...@att.net wrote:
On 2013-8-13 18:30, Jared Mauch wrote:
I'm not sure how accurate this really is, but:
http://www.cdnplanet.com/blog/which-cdns-support-edns-client-subnet/
Basically, it helps pass the client IP upstream so the CDN can make
Does anyone know if BIND supports the client-subnet option, or do I need to
seek another recursive resolver for this?
it does seem there are some patches, but I'm not sure if this is something
others have experimented with, e.g.:
http://wilmer.gaa.st/edns-client-subnet/
We operate a large
The openresolver project surveyed version.bind from those resolvers that
respond from port 53 based on the 20130616 dataset.
I know this will be of value to some people in understanding what resolvers may
be reaching their systems.
Here are the results:
On Jun 21, 2013, at 7:24 AM, Mike Jones m...@mikejones.in wrote:
http://code.kryo.se/iodine/ allows you to set up a full IP(v4) VPN over DNS.
Obviously a VPN type setup with IP packet headers and TCP retransmits etc
doesn't help performance compared to a program implementing its own data
On Jun 21, 2013, at 2:57 PM, Lawrence K. Chen, P.Eng. lkc...@ksu.edu wrote:
Wonder about all the other people that run their own DNS (and such) on
campus. One time the physics department was all angry that we (central IT)
had changed the size of a DNS packet to be larger than 512-bytes on
On May 23, 2013, at 9:53 AM, Jim Reid j...@rfc1035.com wrote:
On 23 May 2013, at 14:39, Vitalie Cherpec vita...@penguin.ro wrote:
I would like to know if querying version.bind is illegal (in
some countries)?
Ask a lawyer or policeman in those countries. It's hard to see how such
On May 15, 2013, at 8:40 PM, Jared Mauch ja...@puck.nether.net wrote:
I fixed the patch by moving where it does this check to before query_find as
opposed to inside it.
Thanks for the insight and input.
It looks like some people deployed this patch (or at least downloaded it based
On May 15, 2013, at 5:09 PM, Matthäus Wander matthaeus.wan...@uni-due.de
wrote:
* Vernon Schryver [2013-05-15 21:40]:
From: Jared Mauch ja...@puck.nether.net
This is a crude but effective hack. It doesn't stop the system from
recursing to find the response.
I can understand
One more comment: This patch only impacts recursive servers, not authorities.
They won't set TC=1 for an ANY query.
- Jared
On May 15, 2013, at 6:03 PM, Jared Mauch ja...@puck.nether.net wrote:
On May 15, 2013, at 5:58 PM, John Kristoff j...@cymru.com wrote:
On Wed, 15 May 2013 17:52:11
On May 15, 2013, at 6:52 PM, Vernon Schryver v...@rhyolite.com wrote:
This effectively does slip=1 and does away with any amplification and just
makes it
a pure reflection attack. Still not ideal, but doesn't amplify.
On the contrary, as I just now wrote in the ratelimits mailing list
On May 15, 2013, at 8:03 PM, Vernon Schryver v...@rhyolite.com wrote:
I think the patch has a false negative rate of approximately 100%.
To check whether I am wrong again, I set up a test server and tried
two `dig +ignore isc.org any` commands. The first got a TC=1 error
response as
I think many of the problems we saw back in the win95/98 days with stickiness
of DNS records have mostly been resolved. Most software does the right thing
these days.
Jared Mauch
On May 3, 2013, at 6:45 PM, Simon. Munton simon.mun...@communitydns.net
wrote:
We were curious about
On Apr 16, 2013, at 8:52 AM, Jared Mauch ja...@puck.nether.net wrote:
On Apr 16, 2013, at 8:21 AM, Jared Mauch ja...@puck.nether.net wrote:
Greetings,
I took the latest 'Open Resolver' list and queried the hosts another time
with a version.bind query.
You can view the results here
The openresolverproject has weekly results from its survey of the ipv4 space,
including response.
It's available for ongoing research and derivative work.
Jared Mauch
On Apr 18, 2013, at 11:28 AM, Joe Abley jab...@hopcount.ca wrote:
On 2013-04-18, at 11:24, Kaio Rafael kaioraf
I'm going to automate some graphs 'soon'.
As I mentioned here and elsewhere, the methodology has been tweaked slightly in
the past few weeks and has exposed a few more than the last week.
The last change is happening on 4-21. I'm going to start showing more data,
but my time has been limited
Greetings,
I took the latest 'Open Resolver' list and queried the hosts another time with
a version.bind query.
You can view the results here:
http://openresolverproject.org/version.bind.report.txt
- jared
On Apr 16, 2013, at 8:21 AM, Jared Mauch ja...@puck.nether.net wrote:
Greetings,
I took the latest 'Open Resolver' list and queried the hosts another time
with a version.bind query.
You can view the results here:
http://openresolverproject.org/version.bind.report.txt
Ok, I didn't
On Apr 16, 2013, at 10:39 AM, Roy Arends r...@dnss.ec wrote:
On Apr 16, 2013, at 1:21 PM, Jared Mauch ja...@puck.nether.net wrote:
Greetings,
I took the latest 'Open Resolver' list and queried the hosts another time
with a version.bind query.
You can view the results here:
http
Vernon,
On Apr 16, 2013, at 11:58 AM, Vernon Schryver v...@rhyolite.com wrote:
From: Jared Mauch ja...@puck.nether.net
Check out the breakdown.html page ...
2013-04-14 results
34030764 servers responded to our udp/53 probe
914175 servers responded from a different IP than