/2024-bind-security-release/
Kind regards,
--
Peter van Dijk
PowerDNS.com B.V. - https://www.powerdns.com/
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Hello DNS enthusiasts and other developers,
After four earlier successful and packed DNS devrooms, we are happy to
announce a half-day DNS devroom at FOSDEM 2024.
As with the previous events, we hope to host talks anywhere from
hardcore protocol stuff, to practical sessions for programmers that
Hello DNS enthusiasts and other developers,
After three earlier successful and packed DNS devrooms at FOSDEM 2018,
2019, and 2020, we are happy to announce a half-day DNS devroom at
FOSDEM 2023.
As with the previous events, we hope to host talks anywhere from
hardcore protocol stuff, to
ned by all
.ma name servers I can find.
Can you please investigate? Thank you!
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
before) :
>
> It seems it works everywhere now.
Last SERVFAIL was 20 minutes ago. Looks good to me!
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
On Thu, 2021-10-07 at 15:31 +0200, Stephane Bortzmeyer wrote:
> On Thu, Oct 07, 2021 at 01:54:18PM +0200,
> Peter van Dijk wrote
> a message of 16 lines which said:
>
> > https://www.namecheap.com/status-updates/archives/63707
> >
> > Update @ 7:45 AM EDT |
On Thu, 2021-10-07 at 13:27 +0200, Jaap Akkerhuis wrote:
> Peter van Dijk writes:
>
> > Forwarded Message
> > From: Peter van Dijk
> > To: ultrasupp...@neustar.biz
> > Subject: .club TLD appears to be completely down
> > D
https://www.namecheap.com/status-updates/archives/63707
Update @ 7:45 AM EDT | 11:45 UTC
We have received an update from the registry. They are working to
resolve the issue within the nearest time possible. Thank you for your
patience and understanding.
Kind regards,
--
Peter van Dijk
Forwarded Message
From: Peter van Dijk
To: ultrasupp...@neustar.biz
Subject: .club TLD appears to be completely down
Date: Thu, 07 Oct 2021 12:34:48 +0200
Hello,
Quick email, please see
https://dnsviz.net/d/powerdns.club/YV7Mpg/dnssec/
All of the name servers for .club
or performs 'query chaining' to prevent those duplicate
queries. It is not described in the docs outside of this small phrase:
https://doc.powerdns.com/recursor/metrics.html?highlight=chaining#chain-resends
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https:
ck.com/TXT and 2 days on slack.com/NS, which may
hurt.)
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
breaks domains. If there was a bad call (which we can't know
from our back seats), yanking the DS was not it.
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
the cost is, in fact, horrific.
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
On Thu, 2021-09-30 at 20:00 +0200, Peter van Dijk wrote:
> Judging from the DS as I see it coming out of some resolvers, the DS is
> about 15 hours old at this point (so, introduced around 03:15 UTC I
> think). Those cached DSes still have 10 hours to go.
It turns out the resolvers I wa
On Thu, 2021-09-30 at 20:00 +0200, Peter van Dijk wrote:
> Judging from dnsviz, a DS was present in the .com zone for slack.com
> around 15:25 UTC today, and records inside slack.com were correctly
> signed with the related KSK/ZSK set.
https://dnsviz.net/d/slack.com/YVXX_g/dnssec/
not have
a contact with them; perhaps somebody in here does?
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
h doesn't interact well, or...
To me William's problem is still entirely unexplained, unless the 172/8
theory fits!
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
> > Forbidden:
> > HTTP/1.1 403 Forbidden
This one is reproducible by not sending an SNI (like with 'openssl
s_client -connect 172.64.80.1:443').
As far as I can tell -right now-, the IP is entirely valid for the
site, as long as the client sends the correct SNI and Host header
(which
Hello Casey,
On Thu, 2021-03-11 at 09:58 -0700, Casey Deccio wrote:
> > On Mar 11, 2021, at 2:59 AM, Peter van Dijk
> > wrote:
> >
> > On Thu, 2021-03-11 at 10:33 +0100, Peter van Dijk wrote:
> > > That actually looks fine to me - DS is signed by parent
On Thu, 2021-03-11 at 10:33 +0100, Peter van Dijk wrote:
>
> That actually looks fine to me - DS is signed by parent (dla.mil),
> DNSKEY is signed by child (gtm-ext.dla.mil).
This means that the error reported by DNSViz:
RRSIG quicksearch.gtm-ext.dla.mil/A alg 8, id 29085: The Sign
ies) can validate it, but this domain certainly is walking a very
thin line.
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
of the child zone; I
wonder if after ISC removed that, they made BIND, as a validator,
stricter about it when detected.
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
n on behalf of a client every second' - so put a
juicy TTL on it.
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
On Tue, 2021-03-02 at 15:50 +, Paul Hoffman wrote:
> On Mar 2, 2021, at 5:23 AM, Peter van Dijk
> wrote:
> > My suggestion (seriously): prohibit NSEC and RRSIG queries.
>
> Prohibiting queries is pointless. Systems query freely, even if stupidly. (
> Have you ever
that
RRSIG queries are pointless. PowerDNS (authoritative) has been replying
REFUSED to RRSIG queries for years, and only two things noticed. (1) a
Nagios plugin (it was fixed) (2) a registry with weird pre-delegation
checks (it was fixed). We're not aware of any trouble ot
On Sat, 2021-02-27 at 10:48 +0100, Peter van Dijk wrote:
> On Sat, 2021-02-27 at 01:33 +, Wessels, Duane via dns-operations
> wrote:
> > Verisign is in the process of patching affected systems, and rolling
> > out the new version, and bringing affected instances bac
ervers suggests.
Earlier, inconclusive, discussion on that:
https://lists.dns-oarc.net/pipermail/dns-operations/2016-July/015114.html
('DS-side NSEC query')
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
01:678:2c:0:194:0:28:
53
ns2.dns.nl. 172800 IN A 194.146.106.42
ns2.dns.nl. 172800 IN 2001:67c:1010:10::53
;; Query time: 2 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Sat Feb 27 10:47:10 CET 2021
;; MSG SIZE rcvd: 255
Kind regards,
--
Pe
Over an hour ago, I stopped observing bad responses. Verisign support
reported 'resolved' to Brian Dickson some time after that.
On Fri, 2021-02-26 at 20:52 +0100, Peter van Dijk wrote:
> I have confirmation that Verisign is on it.
>
> On Fri, 2021-02-26 at 11:34 -0800, Brian Dick
I have confirmation that Verisign is on it.
On Fri, 2021-02-26 at 11:34 -0800, Brian Dickson wrote:
> This is of interest to both resolver operators and Verisign.
>
> We have noticed broken responses to certain query types from some instances
> of A and J.
> This was raised originally by David
ot self-tooting train,
https://doc.powerdns.com/authoritative/manpages/sdig.1.html also
supports DoH. It's part of pdns-tools, available via the
'authoritative' repos at https://repo.powerdns.com/
(DoT support is pending).
Kind regards,
--
Peter van
=[{iov_base="l\1\2\1
\0\0\0\2\0\0\0\242\0\0\0\1\1o\0\31\0\0\0/org/fre"..., iov_len=184},
{iov_base="\0\0\0\0\6\0\0\0horse.\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0",
iov_len=32}], msg_iovlen=2, msg_controllen=0, msg_flags=0},
MSG_DONTWAIT|MSG_NOSIGNAL) = 216
Indeed, the trai
and the developers that put in
effort to write that software. This demonstrates a messed up sense of
entitlement and a total disrespect for developers that is all too common today.
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
ans
that the kernel already drops responses from wrong addresses, so there
is no way we would even know, and thus could not log such an event even
if we wanted to.
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
to be allowed to use for synthesis, the
actual name needs to be proven non-existent in the zone.
Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
REFUSED?
Some auths (like PowerDNS, depending on send-root-referral setting) respond
with an empty non-aa non-ra NOERROR to indicate they don't have authoritative data
for you.
Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl
results.
gets referral on all of them, MX only on 42, and those 42 are indeed
mostly in the US.
Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
is
dynamic. I do not have deployment stats, but I can ask around. I don't think
white lies are going away anytime soon.
Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/