Re: [dns-operations] question on query to DNS server's IPv6 interface

2020-03-31 Thread Stephane Bortzmeyer
On Tue, Mar 31, 2020 at 08:37:30PM +0800, Tessa Plum wrote a message of 13 lines which said: > Another question, in DNS server, how to count how many queries were > from IPv6 interface, and how many queries were from IPv4 interface? It depends on the name server. Here, is an example with

[dns-operations] Algorithm but no signature in .in?

2020-03-26 Thread Stephane Bortzmeyer
Some resolvers protest on .in. It seems they have a RSASHA256 key but no RSASHA256 signatures, thus violating RFC 4035, section 2.2 "There MUST be an RRSIG for each RRset using at least one DNSKEY of EACH ALGORITHM". (Cannot show a nice DNSviz picture, DNSviz seems broken at this time.)

[dns-operations] DNS of Turk Telekom

2020-01-21 Thread Stephane Bortzmeyer
Anyone has more detailed concrete information about this "DNS attack"? https://www.itnews.com.au/news/turk-telekom-says-internet-access-restored-after-cyber-attack-536767 ___ dns-operations mailing list dns-operations@lists.dns-oarc.net

Re: [dns-operations] help with a resolution

2020-01-08 Thread Stephane Bortzmeyer
On Wed, Jan 08, 2020 at 07:05:04PM +0800, William C wrote a message of 15 lines which said: > 1. how to check if a zone has a valid DNSSEC key? If you are not a DNSSEC expert, DNSviz is a handy tool > 2. how to validate if the zone has been signed with correct key?

Re: [dns-operations] help with a resolution

2020-01-08 Thread Stephane Bortzmeyer
On Wed, Jan 08, 2020 at 08:56:41AM +0800, William C wrote a message of 59 lines which said: > Can you help check why public nameservers (all 8.8.8.8, 1.1.1.1, 9.9.9.9 > etc) can't resolve this domain? As explained by several experts, this domain is DNSSEC-broken. This has nothing to do with

Re: [dns-operations] IPv6 only for nameservers

2019-12-30 Thread Stephane Bortzmeyer
On Mon, Dec 30, 2019 at 05:18:01PM +0300, Anand Buddhdev wrote a message of 17 lines which said: > If your domain's authoritative name servers have only IPv6 > addresses, then your domain will not be resolvable by many resolvers > on the Internet, because many of them only have IPv4

Re: [dns-operations] root? we don't need no stinkin' root!

2019-12-11 Thread Stephane Bortzmeyer
On Wed, Dec 11, 2019 at 03:51:14PM +, Livingood, Jason wrote a message of 7 lines which said: > Seems like the answer then is to have the resolver check for updates > more frequently. The file is tiny and so this is not in the least > going to be resource-intensive. Just check every XX

Re: [dns-operations] root? we don't need no stinkin' root!

2019-12-11 Thread Stephane Bortzmeyer
On Wed, Dec 11, 2019 at 01:20:13PM +, Jim Reid wrote a message of 22 lines which said: > In principle, they could all change at once, In reality, they > don’t. When making a change of this nature, established wisdom is to > change half of the NS records (or their glue), wait a few days to

Re: [dns-operations] root? we don't need no stinkin' root!

2019-12-11 Thread Stephane Bortzmeyer
On Mon, Dec 02, 2019 at 10:17:30AM -0500, Mark Allman wrote a message of 36 lines which said: > Obviously, there could be a more comprehensive analysis, but I think > that gives some idea about how stable the root zone file is in > practice. IMHO, this is by far the biggest issue with your

Re: [dns-operations] root? we don't need no stinkin' root!

2019-12-11 Thread Stephane Bortzmeyer
On Wed, Nov 27, 2019 at 10:38:32AM -0500, Keith Mitchell wrote a message of 37 lines which said: > On garbage-collecting crap traffic, it's worth looking at AS112. There have been a proposal at IETF to use AS112 as a sinkhole for "special" TLDs such as .local or .home, which are responsible

Re: [dns-operations] s3.amazonaws.com problem?

2019-10-23 Thread Stephane Bortzmeyer
On Wed, Oct 23, 2019 at 11:34:57AM +0100, Greg Choules via dns-operations wrote a message of 136 lines which said: > It appears that Amazon are blocking queries of type CNAME. Not for me. % dig @ns-27.awsdns-03.com. CNAME mycloudydatadffgdfssdf.s3.amazonaws.com. ; <<>> DiG

Re: [dns-operations] glitch on [ip6|in-addr].arpa?

2019-10-11 Thread Stephane Bortzmeyer
On Thu, Oct 10, 2019 at 04:36:32PM -0400, Adam Vallee wrote a message of 114 lines which said: > DoH and DoT have only become a thing since GDPR. Why is no one > saying anything? Are you serious? A lot of electrons are moved around DoH. Many articles (most of them wrong). You certainly

Re: [dns-operations] glitch on [ip6|in-addr].arpa?

2019-10-10 Thread Stephane Bortzmeyer
On Thu, Oct 10, 2019 at 04:39:19PM +0200, Warren Kumari wrote a message of 64 lines which said: > The lack of peering with a network doesn't prevent my accessing them, This is true for the IPv4 Internet, where there is always another route, but the IPv6 Internet is not so well connected, and

[dns-operations] An interesting attack against the SOA MNAME of some TLDs

2017-02-08 Thread Stephane Bortzmeyer
It appears some TLDs have a MNAME (primary server) field in the SOA record which does not exist *and* is in a registrable SLD. A bad guy can buy the SLD and then receive the traffic aimed to the MNAME. This is mostly Dynamic Update traffic for Windows machines. If you like big data, you will get

Re: [dns-operations] sibling glue

2015-06-25 Thread Stephane Bortzmeyer
On Tue, Jun 23, 2015 at 02:18:59PM -0300, Joe Abley jab...@hopcount.ca wrote a message of 119 lines which said: The EPP data model includes host objects and domain objects. Every domain is linked to one or more host objects (two or more in practice, for policy reasons orthogonal to the data

Re: [dns-operations] .MW inconsistent zone updates?

2015-06-25 Thread Stephane Bortzmeyer
On Thu, Jun 25, 2015 at 11:12:40AM +0200, Gunter Grodotzki gun...@grodotzki.co.za wrote a message of 78 lines which said: But shouldn't that raise a big red flag - even if it is not your fault? DNS operator hat _on_. At $DAYJOB, we both have secondaries for other domains, and domains for

Re: [dns-operations] .MW inconsistent zone updates?

2015-06-25 Thread Stephane Bortzmeyer
On Thu, Jun 25, 2015 at 10:23:46AM +0200, Gunter Grodotzki gun...@grodotzki.co.za wrote a message of 47 lines which said: I did a domain update last week on cheki.mw, but it seems like some OPs are either sleeping or their syncing is not really working ;) Inconsistencies are always fun to

Re: [dns-operations] DNS issues with .MIL

2015-06-08 Thread Stephane Bortzmeyer
On Sun, Jun 07, 2015 at 11:18:11PM +0200, Jaap Akkerhuis j...@nlnetlabs.nl wrote a message of 12 lines which said: There are also expired sigs etc., see http://dnssec-debugger.verisignlabs.com/stratcom.mil. And kingfisher1.stratcom.mil reply NXDOMAIN (with aa and ra...) to a request for a

Re: [dns-operations] 答复: about answer status

2015-06-08 Thread Stephane Bortzmeyer
On Mon, Jun 08, 2015 at 08:47:12AM +, 张在峰 zhangzaif...@360.cn wrote a message of 43 lines which said: I think you can read this article https://engineering.opendns.com/2014/06/23/nxdomain-nodata-debugging-dns-dual-stacked-hosts/ and get the answer. Unfortunately, this article starts

Re: [dns-operations] about answer status

2015-06-08 Thread Stephane Bortzmeyer
On Mon, Jun 08, 2015 at 04:12:03PM +0800, Kevin C. ke...@dnsbed.com wrote a message of 56 lines which said: At what case the nameserver returns NOERROR or NXDOMAIN for a non-exist record? NOERROR is when there was no error :-) NXDOMAIN means this name does not exist. They are two completely

Re: [dns-operations] about answer status

2015-06-08 Thread Stephane Bortzmeyer
On Mon, Jun 08, 2015 at 10:45:34AM +0100, Jim Reid j...@rfc1035.com wrote a message of 13 lines which said: It's dwdns2 that returns NODATA and dwdns1 that returns NXDOMAIN. Lack of coffee again... % drink coffee % repeat 3 drink coffee % dig @dwdns1.nsbeta.info defensor.game.yy.com

Re: [dns-operations] about answer status

2015-06-08 Thread Stephane Bortzmeyer
On Mon, Jun 08, 2015 at 09:49:34AM +0100, Jim Reid j...@rfc1035.com wrote a message of 21 lines which said: FWIW there's an inconsistency between the two authoritative name servers for game.yy.com. dwdns1.nsbeta.info returns NOHOST while dwdns2.nsbeta.info returns NXDOMAIN for lookups of

Re: [dns-operations] about answer status

2015-06-08 Thread Stephane Bortzmeyer
On Mon, Jun 08, 2015 at 11:16:35AM +0100, Jim Reid j...@rfc1035.com wrote a message of 25 lines which said: FWIW at 08:43 UTC today: ... At 10:04 UTC today: They read the mailing list and fix in real-time :-)

Re: [dns-operations] DNS issues with .MIL

2015-06-07 Thread Stephane Bortzmeyer
On Sun, Jun 07, 2015 at 03:33:09PM -0400, Jim Popovitch jim...@gmail.com wrote a message of 15 lines which said: Is anyone else seeing DNS issues .MIL today? Specifically with stratcom.mil? Yes, stratcom.mil has DNS resolution problems. Testing with RIPE Atlas probes, I can see that 30 %

Re: [dns-operations] DNS issues with .MIL

2015-06-07 Thread Stephane Bortzmeyer
On Sun, Jun 07, 2015 at 03:48:30PM -0400, Paul Wouters p...@nohats.ca wrote a message of 53 lines which said: paul@bofh:~$ dig stratcom.mil @CON2.NIPR.mil. Wrong test, only www.stratcom.mil has a A record, stratcom.mil does not. According to DNSDB, this has always been the case.

[dns-operations] [Security] Glue or not glue?

2015-05-04 Thread Stephane Bortzmeyer
A new edition of the DNS security guide by ANSSI (French cybersecurity agency) recommends to prefer delegations with glue because glueless delegations may carry additional risks since they create a dependency. Is there any other best practices text which makes such a recommendation?

[dns-operations] Authoritative name server replies NODATA for a non-existing domain

2015-04-22 Thread Stephane Bortzmeyer
Strange behavior: % for ns in $(dig +nodnssec +short NS adult.); do echo $ns; dig @$ns NS thisdomaincertainlydoesnotexist.adult | grep status:; done d0.nic.adult. ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 13433 c0.nic.adult. ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23111

Re: [dns-operations] Authoritative name server replies NODATA for a non-existing domain

2015-04-22 Thread Stephane Bortzmeyer
On Wed, Apr 22, 2015 at 03:12:24PM +0200, Stephane Bortzmeyer bortzme...@nic.fr wrote a message of 30 lines which said: IMHO, all the name servers should reply NXDOMAIN, no? Or could it be a minimum response, intended to prevent zone enumeration

[dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Stephane Bortzmeyer
https://www.us-cert.gov/ncas/alerts/TA15-103A http://haxpo.nl/haxpo2015ams/sessions/all-your-hostnames-are-belong-to-us/

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Stephane Bortzmeyer
On Tue, Apr 14, 2015 at 11:28:17AM +, Edward Lewis edward.le...@icann.org wrote a message of 126 lines which said: Newsflash: Water can make you wet. You can also notice that the US CERT, to explain how AXFR works, links to djb and not to RFC 5936...

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Stephane Bortzmeyer
On Tue, Apr 14, 2015 at 03:59:10PM +0100, Simon Munton simon.mun...@cdns.net wrote a message of 19 lines which said: What year is this? 1986? It's a shame, cos over-reporting renders an alerts system useless. Ignorance from the US CERT, plus teasing from fame-deprived security researchers.

[dns-operations] Funny DNSSEC problem

2015-04-07 Thread Stephane Bortzmeyer
The domain juralib.nologs.org does not resolve (SERVFAIL) from Free (2nd ISP in France, uses DNSSEC validation). % dig A juralib.noblogs.org ; <<>> DiG 9.9.2-P2 <<>> A juralib.noblogs.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25509 ;; flags: qr

Re: [dns-operations] DNSSEC validation failures for .KE

2015-03-31 Thread Stephane Bortzmeyer
On Tue, Mar 31, 2015 at 01:37:51PM +0200, Anand Buddhdev ana...@ripe.net wrote a message of 25 lines which said: Their current DS record points to a key that has the revoke bit set, but it is no longer signing the DNSKEY rrset. There are other problems: * 10 (!) DNSKEY which seems too many

Re: [dns-operations] Mozilla Firefox and ANY queries

2015-03-06 Thread Stephane Bortzmeyer
On Fri, Feb 27, 2015 at 12:02:57AM -0500, Sadiq Saif li...@sadiqs.com wrote a message of 30 lines which said: Checking local resolver logs and am seeing a large amount of ANY queries originating from Firefox, is anybody else seeing such behavior?

Re: [dns-operations] Bad IP in glue records (Godaddy)

2015-03-06 Thread Stephane Bortzmeyer
On Fri, Mar 06, 2015 at 02:01:22PM +0100, Grzegorz Dabrowski tes...@implix.com wrote a message of 58 lines which said: I have a problem with bullet prof Godaddy I'm not convinced it is GoDaddy's fault, the host record is controlled by Network Solutions: % whois a.ns.domadd.getresponse.COM

[dns-operations] [dns-privacy] Start of WGLC for draft-ietf-dprive-problem-statement - please review.

2015-02-25 Thread Stephane Bortzmeyer
This work on DNS privacy is now in IETF Working Group Last Call. May be some people from the operations crowd may be interested to review it? If you have remarks to do, you can send them directly to me or use the Github issue system. But, in most cases, it is better to use the IETF system: send

[dns-operations] The Sichuan pepper attack: turning a DNS censorship system into a dDoS vector

2015-02-01 Thread Stephane Bortzmeyer
We all know that the Chinese network intercepts DNS requests and returns fake answers http://cs.nyu.edu/~pcw216/work/nds/final.pdf http://research.dyn.com/2010/03/fouling-the-global-nest/ https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/005340.html

[dns-operations] DNS training at the NSA

2015-01-18 Thread Stephane Bortzmeyer
On http://www.spiegel.de/media/media-35658.pdf p. 9 (NSA slides, leaked to the press), the DNS resolution process is strange, as if recursion, instead of iteration, were used by all DNS servers of the world, including the root name servers. Too much haste in using PowerPoint? Ignorance? Deliberate

Re: [dns-operations] Sharing a DNSSEC key between zones

2015-01-12 Thread Stephane Bortzmeyer
On Sat, Jan 10, 2015 at 07:46:55PM -0500, Warren Kumari war...@kumari.net wrote a message of 120 lines which said: Obligatory marketing message on automating this: https://tools.ietf.org/html/rfc7344 I would be interested by a Web page / Wiki recording the registries (or, for those who have

Re: [dns-operations] issue with m root server from China?

2015-01-08 Thread Stephane Bortzmeyer
/26/dns-spoofing-in-china-by-stephane-bortzmeyer https://lists.dns-oarc.net/pipermail/dns-operations/2009-June/003944.html http://arstechnica.com/tech-policy/2010/03/china-censorship-leaks-outside-great-firewall-via-root-server/

[dns-operations] [dDoS] Good discussion on the Rackspace attack and DNS resiliency

2014-12-24 Thread Stephane Bortzmeyer
https://news.ycombinator.com/item?id=8784210 After the successful attacks against Rackspace, Namecheap, DNSsimple and 1&1, it is clear that dDoS attacks against DNS servers are very common this winter, and they succeed :-(

Re: [dns-operations] What is the exact response?

2014-12-23 Thread Stephane Bortzmeyer
On Tue, Dec 23, 2014 at 03:52:19PM +0800, scottjiang1...@hotmail.com scottjiang1...@hotmail.com wrote a message of 284 lines which said: When the resolver sends the DNSKEY RR query, irrespective of keyrollover period, I think the response message should reply a KSK, a ZSK No. Nothing in

Re: [dns-operations] Etisalat DNS hack

2014-12-19 Thread Stephane Bortzmeyer
On Thu, Dec 18, 2014 at 12:04:45PM -0500, David C Lawrence t...@akamai.com wrote a message of 11 lines which said: http://gulfnews.com/business/technology/domain-name-structure-of-etisalat-poisoned-1.1428889 This news report claims it was a cache poisoning, but it also reads like it could

Re: [dns-operations] Namecheap Contact?

2014-12-10 Thread Stephane Bortzmeyer
On Tue, Dec 09, 2014 at 06:50:38PM +0100, Anthony Eden anthony.e...@dnsimple.com wrote a message of 47 lines which said: Does anyone have a contact for someone at Namecheap who would be familiar with the latest DDoS they experienced? By the way, it just resumed. % check-soa -ns

[dns-operations] 1&1 down

2014-12-10 Thread Stephane Bortzmeyer
For more or less 15 hours (with some remissions). Seems very severe now. Their own domains work but the customer-hosted domains are down: % check-soa -n 5 -t 5 -i -ns ns-us.1and1-dns.us ns-us.1and1-dns.de ns-us.1and1-dns.org ns-us.1and1-dns.com edmtrancefm.com ns-us.1and1-dns.com.

Re: [dns-operations] Fwd: Google public DNS - getting SERVFAIL for any domains delegated to GoDaddy NSs

2014-12-08 Thread Stephane Bortzmeyer
On Sun, Dec 07, 2014 at 01:17:40PM -0800, Doug Barton do...@dougbarton.us wrote a message of 16 lines which said: FWIW, I get the expected answer from the goog here in California. It seems there is *something* (but I don't know what) for *some* people

[dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-26 Thread Stephane Bortzmeyer
I'm trying to find out if it exists a public IP address which is a black hole, swallowing every packet sent to it. I can do that on my network but I'm wondering if it already exists somewhere, may be as an anycasted service (AS112-style). The idea is to delegate some domain names to unresponsive

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-26 Thread Stephane Bortzmeyer
On Wed, Nov 26, 2014 at 03:25:47PM +0100, Stephane Bortzmeyer bortzme...@nic.fr wrote a message of 25 lines which said: I'm trying to find out if it exists a public IP address which is a black hole, swallowing every packet sent to it. A possible example is blackhole.webpagetest.org

Re: [dns-operations] cache flush request - craigslist.org

2014-11-25 Thread Stephane Bortzmeyer
On Sun, Nov 23, 2014 at 07:38:40PM -0800, Brad Volz br...@curmudgeon.net wrote a message of 60 lines which said: The craigslist account at one of our registrars was compromised and the NS records migrated away from their rightful home. That issue has since been corrected, but the various

[dns-operations] The Largest Cyber Attack In History Has Been Hitting Hong Kong Sites

2014-11-24 Thread Stephane Bortzmeyer
CloudFlare claims it is a DNS attack. I thought amplifications attacks using the DNS were old-fashioned, everybody moving to NTP and SNMP? http://www.forbes.com/sites/parmyolson/2014/11/20/the-largest-cyber-attack-in-history-has-been-hitting-hong-kong-sites/

[dns-operations] CVE-request: systemd-resolved DNS cache poisoning

2014-11-12 Thread Stephane Bortzmeyer
There is everything in systemd, including a (broken) DNS resolver: http://seclists.org/oss-sec/2014/q4/592

Re: [dns-operations] Interesting messages in our logs

2014-11-01 Thread Stephane Bortzmeyer
On Sat, Nov 01, 2014 at 10:10:07AM -0500, Lyle Giese l...@lcrcomputer.net wrote a message of 23 lines which said: Interesting error messages. Someone was running a host name scan against a domain hosted here and it looks like they were doing it via Google DNS. It seems also that RRL

Re: [dns-operations] resolvers considered harmful

2014-10-25 Thread Stephane Bortzmeyer
On Thu, Oct 23, 2014 at 10:36:37AM -0700, Paul Vixie p...@redbarn.org wrote a message of 24 lines which said: until you have done this and have results to report, you'd be wise not to make any claims about this possibility. I run Unbound on my laptop for many years, using ::1 as the only

Re: [dns-operations] resolvers considered harmful

2014-10-25 Thread Stephane Bortzmeyer
On Thu, Oct 23, 2014 at 03:29:02PM -0400, Mark Allman mall...@icir.org wrote a message of 64 lines which said: Same interface to the applications. But, underneath it doesn't go query whatever is in /etc/resolv.conf, but rather just walks the tree itself (to the extent needed, based on the

Re: [dns-operations] resolvers considered harmful

2014-10-25 Thread Stephane Bortzmeyer
On Fri, Oct 24, 2014 at 11:55:03AM +0100, Tony Finch d...@dotat.at wrote a message of 32 lines which said: As I understand it the plan is to tell clients about the network's NAT64/DNS64 configuration so that clients can do their own DNS64 synthesis, which means the DNSSEC breakage no longer

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Stephane Bortzmeyer
On Wed, Oct 22, 2014 at 12:47:39PM -0400, Mark Allman mall...@icir.org wrote a message of 64 lines which said: Short paper / crazy idea for your amusement ... The biggest problem I have with this paper is of terminology. I thought at the beginning that the idea was to get rid of resolvers,

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread Stephane Bortzmeyer
On Wed, Oct 22, 2014 at 11:03:11PM -0400, Mark Allman mall...@icir.org wrote a message of 110 lines which said: The paper quantifies this cost for .com. We find that something like 1% of the records change each week. So, while increasing the TTL from the current two days to one week

[dns-operations] IETF working group on DNS privacy

2014-10-20 Thread Stephane Bortzmeyer
Yes, I know, it is not really operations. But it may have an influence on DNS operations so I prefer the operations people to be aware of it: IETF just created a working group on DNS privacy, named DPRIV :-) The charter of the working group, if you want to know what this group is up to, is

[dns-operations] ShellShock exploit through the DNS

2014-10-14 Thread Stephane Bortzmeyer
Funny: an OS sends the result of some DNS queries to bash, allowing the DNS operator to attack DNS clients with ShellShock: http://packetstormsecurity.com/files/128650 What about an evil AS 112 operator attacking 168.192.in-addr.arpa users?

Re: [dns-operations] latest bind, EDNS TCP

2014-10-10 Thread Stephane Bortzmeyer
On Fri, Oct 10, 2014 at 02:53:38PM +0100, Simon Munton simon.mun...@cdns.net wrote a message of 33 lines which said: Is anyone else seeing this? No, not really. On one server, I see an increase of no-EDNS from Oct. 6th. On the others, I see nothing. For instance, here is the DSC graph for

Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)

2014-09-15 Thread Stephane Bortzmeyer
On Sat, Sep 13, 2014 at 09:37:52AM +, Franck Martin fmar...@linkedin.com wrote a message of 61 lines which said: -limit size to 1500? on both IPv4 and IPv6? It may be interesting against amplification attacks (although it seems everyone moved to NTP amplification attacks, abandoning the

Re: [dns-operations] is there a diagnostic tool to obtain delegated ns?

2014-09-12 Thread Stephane Bortzmeyer
On Fri, Sep 12, 2014 at 12:13:00PM +1000, Mark Andrews ma...@isc.org wrote a message of 57 lines which said: The following will work for any zone w/o a embedded period in a label. Loops endlessly for names like ssi.gouv.fr parent=`expr X$zone : '^[^.]*.\(.*\)'` Should it be

Re: [dns-operations] Dumb question: why is it that some registries limit the nameservers that can be delegated to?

2014-09-12 Thread Stephane Bortzmeyer
On Fri, Sep 12, 2014 at 12:46:29PM +0100, Tony Finch d...@dotat.at wrote a message of 27 lines which said: they have switched to a more standard EPP implementation. This is absolutely NOT more standard. EPP allows both models (in other words, you do not have to implement RFC 5732).

Re: [dns-operations] Botnets, botnets everywhere

2014-09-11 Thread Stephane Bortzmeyer
On Thu, Sep 11, 2014 at 04:38:25PM +0400, Peter Andreev andreev.pe...@gmail.com wrote a message of 29 lines which said: a lot of very weird queries, like the following: 16:11:41.450794 IP 217.195.66.253.37426 62.76.76.62.53: 42580+ A? swfjwvtkhqx.www.feile.com. (47) 16:11:41.450796

Re: [dns-operations] Botnets, botnets everywhere

2014-09-11 Thread Stephane Bortzmeyer
On Thu, Sep 11, 2014 at 09:00:37PM +0800, Roland Dobbins rdobb...@arbor.net wrote a message of 29 lines which said: FYI, most of these queries seem to be reflected through abusable CPE devices which are misconfigured by default as open recursors or DNS forwarders. It may be worth

Re: [dns-operations] Dumb question: why is it that some registries limit the nameservers that can be delegated to?

2014-09-11 Thread Stephane Bortzmeyer
On Thu, Sep 11, 2014 at 07:52:31AM -0700, Colm MacCárthaigh c...@stdlib.net wrote a message of 26 lines which said: So why is it that name servers need to be registered? What's the benefit of doing it? As an employee of a registry which does not require name server registration, I wonder,

[dns-operations] Validating or not validating (ICANN controlled interruption)

2014-09-03 Thread Stephane Bortzmeyer
BIND validates A nimportequoi.otsuka and yields an answer with AD bit set. Unbound gives back the answer but without the AD bit. [Try it yourself, 'dig @unbound.odvr.dns-oarc.net A nimportequoi.otsuka' and 'dig @bind.odvr.dns-oarc.net A nimportequoi.otsuka'] In some cases (difficult to

Re: [dns-operations] Validating or not validating (ICANN controlled interruption)

2014-09-03 Thread Stephane Bortzmeyer
On Wed, Sep 03, 2014 at 10:19:29AM +0200, Ralf Weber d...@fl1ger.de wrote a message of 23 lines which said: In some cases (difficult to pinpoint, depending on the resolver's state), both BIND and Unbound return SERVFAIL. Could you be more specific. % dig @relay1 A nimportequoi.otsuka

Re: [dns-operations] A report on a DNS issue that was causing page redirections

2014-08-13 Thread Stephane Bortzmeyer
On Tue, Aug 12, 2014 at 06:59:37PM +0200, Stephane Bortzmeyer bortzme...@nic.fr wrote a message of 14 lines which said: The author says your domain name registrar can introduce an error to the root domain database and match your domain to an incorrect DNS servers (this actually happened

[dns-operations] A report on a DNS issue that was causing page redirections

2014-08-12 Thread Stephane Bortzmeyer
Long and technically detailed story of a big DNS blunder, with unexpected consequences: http://blog.qbaka.com/post/94537269389/a-report-on-a-dns-issue-that-was-causing-page The author says your domain name registrar can introduce an error to the root domain database and match your domain to an

Re: [dns-operations] BAD (HORIZONTAL) REFERRAL in one nameserver of mm ?

2014-07-31 Thread Stephane Bortzmeyer
On Wed, Jul 30, 2014 at 07:45:10PM +, Phil Regnauld regna...@nsrc.org wrote a message of 28 lines which said: (v6 is not reachable from here, Then, use the -4 option of check-soa ... but looks ok to me otherwise. Strange. dig agrees with check-soa: % dig @193.0.9.96 SOA net.mm ;

Re: [dns-operations] BAD (HORIZONTAL) REFERRAL in one nameserver of mm ?

2014-07-31 Thread Stephane Bortzmeyer
On Thu, Jul 31, 2014 at 09:48:07AM +, Phil Regnauld regna...@nsrc.org wrote a message of 46 lines which said: Not what I'm seeing, and it was like this already yesterday... Have more coffee and retry with the same domain as me (which is not .mm) :-)

Re: [dns-operations] difference between several NS with several glue

2014-07-30 Thread Stephane Bortzmeyer
On Thu, Jul 24, 2014 at 10:44:29AM -0700, Dave Warren da...@hireahit.com wrote a message of 29 lines which said: From what I understand, when 1.1.1.1 fails to respond, all of a.example.net will be considered bad, so 2.2.2.2 and 3.3.3.3 won't be queried at all, and a resolver will return a

Re: [dns-operations] BAD (HORIZONTAL) REFERRAL in one nameserver of mm ?

2014-07-30 Thread Stephane Bortzmeyer
On Wed, Jul 30, 2014 at 01:55:19PM +0800, Zheng Wang zheng_...@126.com wrote a message of 104 lines which said: @mm.cctld.authdns.ripe.net. The referral is bad. Yes, net.mm has a lame delegation: % check-soa -i net.mm mm.cctld.authdns.ripe.net.

Re: [dns-operations] BAD (HORIZONTAL) REFERRAL in one nameserver of mm ?

2014-07-30 Thread Stephane Bortzmeyer
On Wed, Jul 30, 2014 at 09:10:12AM +0200, Stephane Bortzmeyer bortzme...@nic.fr wrote a message of 28 lines which said: I often see these problems with deep TLD (those with registration in a SLD). TLD managers ask for a secondary hosting and wrongly assume that it will work for all

Re: [dns-operations] ISC Network Issue affecting OARC services

2014-07-22 Thread Stephane Bortzmeyer
On Mon, Jul 21, 2014 at 01:57:48PM -0400, Keith Mitchell ke...@dns-oarc.net wrote a message of 30 lines which said: a significant DDoS attack against ISC https://twitter.com/ISCdotORG/status/491641920582844417

[dns-operations] Another public DNS resolver, this time with DNSSEC

2014-07-20 Thread Stephane Bortzmeyer
Note that they are validators: https://dns.watch/ Unlike what they claim, I find them quite slow, specially outside of Europe.

Re: [dns-operations] Another public DNS resolver, this time with DNSSEC

2014-07-20 Thread Stephane Bortzmeyer
On Sun, Jul 20, 2014 at 08:11:43PM +, Evan Hunt e...@isc.org wrote a message of 19 lines which said: I wish I knew who they were, though: it's not obvious from the website, and dns.watch doesn't have an MX record. It's harder to evaluate claims of neutrality and data privacy when I

Re: [dns-operations] dnssec ecc

2014-07-15 Thread Stephane Bortzmeyer
On Fri, Jul 11, 2014 at 06:46:16PM -0400, James Cloos cl...@jhcloos.com wrote a message of 6 lines which said: Are enough current verifiers capable of verifying ecdsa to make it reasonable to deploy ECDSAP256SHA256 or ECDSAP384SHA384 keys? I'm not aware of any published survey (Geoff

Re: [dns-operations] What's the story on gmail.fr?

2014-07-06 Thread Stephane Bortzmeyer
On Sun, Jul 06, 2014 at 03:45:18PM +0200, sth...@nethelp.no sth...@nethelp.no wrote a message of 30 lines which said: But according to the name servers for .fr, gmail.fr. 172800 IN NS dns1.emarkmonitor.com. gmail.fr. 172800 IN NS

Re: [dns-operations] What's the story on gmail.fr?

2014-07-06 Thread Stephane Bortzmeyer
On Sun, Jul 06, 2014 at 05:10:29PM +0200, Emmanuel Thierry m...@sekil.fr wrote a message of 45 lines which said: Contrarily to dnsN.emarkmonitor.com, nsN.markmonitor.com replies to queries. But the answer is still different from google servers : It does not matter what server X or server Y

Re: [dns-operations] What's the story on gmail.fr?

2014-07-06 Thread Stephane Bortzmeyer
On Sun, Jul 06, 2014 at 05:14:10PM +0200, Emmanuel Thierry m...@sekil.fr wrote a message of 52 lines which said: By the way, as far as i know french people use gmail.com in place of gmail.fr. They won't even notice ! ;) Indeed, I've never seen gmail.fr advertised by Google and I'm surprised

Re: [dns-operations] Prevalence of query/response logging?

2014-07-04 Thread Stephane Bortzmeyer
On Fri, Jul 04, 2014 at 06:00:48PM +0700, Roland Dobbins rdobb...@arbor.net wrote a message of 23 lines which said: I know that some DNS operators disable logging of queries/responses due to the overhead of doing so Logging in the name server itself is typically very slow, take resources

Re: [dns-operations] Need contacts

2014-07-04 Thread Stephane Bortzmeyer
On Wed, Jul 02, 2014 at 10:28:31PM +0200, bert hubert bert.hub...@netherlabs.nl wrote a message of 7 lines which said: On Wed, Jul 02, 2014 at 09:36:38PM +0200, Stephane Bortzmeyer wrote: We know how to use dig and whois :-) The No-IP zones are all back to No-IP (from Microsoft) and seem

Re: [dns-operations] What's wrong with my domain?

2014-07-02 Thread Stephane Bortzmeyer
On Wed, Jul 02, 2014 at 06:29:22AM -0400, Mohamed Lrhazi ml...@georgetown.edu wrote a message of 82 lines which said: Some DNS servers, notably Google's, return SERVFAIL, When using a validating resolver, like Google's, always test *also* with +cd (Checking Disabled). If it works with +cd

Re: [dns-operations] validation failure ietf.org

2014-06-27 Thread Stephane Bortzmeyer
On Fri, Jun 27, 2014 at 11:37:38AM +0100, Billy Glynn billy.gl...@iedr.ie wrote a message of 64 lines which said: Jun 27 11:27:49 rhel65-esxi unbound: [4761:3] info: 83.71.193.115 ietf.org. A IN Jun 27 11:27:51 rhel65-esxi unbound: [4761:3] info: validation failure ietf.org. A IN: No

Re: [dns-operations] alidns

2014-06-20 Thread Stephane Bortzmeyer
On Tue, Jun 17, 2014 at 10:43:04AM -0700, Matthew Ghali mgh...@snark.net wrote a message of 133 lines which said: Your methodology may have been sufficient 20 years ago, but just about any CDN complicates the issue. How do you propose distinguishing between deliberate traffic engineering

Re: [dns-operations] alidns

2014-06-17 Thread Stephane Bortzmeyer
On Tue, Jun 17, 2014 at 09:29:54AM +0800, hua peng huap...@arcor.de wrote a message of 6 lines which said: Lying resolver. (The real addresses are in 173.252.96.0/19) How do you know that? You just query DNS resolvers that are outside of the reach of the Chinese government.

[dns-operations] Tor and the answers 512 bytes

2014-05-13 Thread Stephane Bortzmeyer
It appears that Tor is still limited to 512 bytes / no TCP :-( https://trac.torproject.org/projects/tor/ticket/4734

Re: [dns-operations] Subverting BIND's SRTT Algorithm Derandomizing NS Selection

2014-05-06 Thread Stephane Bortzmeyer
On Tue, May 06, 2014 at 09:09:47AM -0700, Paul Ferguson fer...@people.ops-trust.net wrote a message of 36 lines which said: http://thehackernews.com/2014/05/critical-vulnerability-in-bind-software.html A good debunking: http://fanf.livejournal.com/127748.html

Re: [dns-operations] Opened Pandora's box of Cache Poisoning

2014-05-03 Thread Stephane Bortzmeyer
On Sun, May 04, 2014 at 01:43:06AM +0900, Daisuke Kotani dais...@kotachi.com wrote a message of 66 lines which said: One thing that should be noted in the Additional Page is that the jp. name servers directly delegate example.ac.jp to the authoritative servers of it, and no RR of QNAME

Re: [dns-operations] Opened Pandora's box of Cache Poisoning

2014-05-01 Thread Stephane Bortzmeyer
On Fri, May 02, 2014 at 01:48:59AM +0900, T.Suzuki t...@reflection.co.jp wrote a message of 20 lines which said: Opened Pandora's box of Cache Poisoning http://www.e-ontap.com/dns/endofdns-e.html Conclusions of this report: I'm confused. I expected a scientific/technical paper/report and

Re: [dns-operations] Opened Pandora's box of Cache Poisoning

2014-05-01 Thread Stephane Bortzmeyer
On Fri, May 02, 2014 at 02:52:16AM +0900, T.Suzuki t...@reflection.co.jp wrote a message of 26 lines which said: For experts, the page shows enough hints. I must conclude that I am not an expert (something I managed to hide from my employer until now).

Re: [dns-operations] Opened Pandora's box of Cache Poisoning

2014-05-01 Thread Stephane Bortzmeyer
On Fri, May 02, 2014 at 02:52:16AM +0900, T.Suzuki t...@reflection.co.jp wrote a message of 26 lines which said: And they already issued the warning. (in Japanese) http://jprs.jp/tech/security/2014-04-15-portrandomization.html That's unrelated: the JPRS text was about the fact that, six

Re: [dns-operations] rdata out of range

2014-04-30 Thread Stephane Bortzmeyer
On Wed, Apr 30, 2014 at 06:03:58PM +0800, Ken Peng kp...@terra.com wrote a message of 22 lines which said: 800099 is the serial I set up. RFC 1035 says: SERIAL The unsigned 32 bit version number [...] So, its maximum value is 4294967295

Re: [dns-operations] about the rName with dot

2014-04-28 Thread Stephane Bortzmeyer
On Mon, Apr 28, 2014 at 10:43:35PM +0800, Ken Peng kp...@terra.com wrote a message of 13 lines which said: Is there a live example for this kind of rName? fdupont.fr

Re: [dns-operations] AAAA record for c.root-servers.net

2014-04-23 Thread Stephane Bortzmeyer
On Mon, Apr 21, 2014 at 10:33:42AM +0300, Daniel Kalchev dan...@digsys.bg wrote a message of 165 lines which said: This is apparently a bug in the RIPE Atlas probe management software — it needs to make sure the probe can generally reach its own measurement targets, before assigning it to

Re: [dns-operations] should recursors think there are only delegation data in tld name servers?

2014-03-26 Thread Stephane Bortzmeyer
On Wed, Mar 26, 2014 at 08:22:03PM +0800, 刘明星 lmxha...@gmail.com wrote a message of 59 lines which said: If a recursor asks a TLD server for A records of a domain name, such as a.test.tld, the .tld server returns an NXDOMAIN response to the recursor. Only if test.tld does not exist. In this

Re: [dns-operations] New IETF work on DNS privacy

2014-03-24 Thread Stephane Bortzmeyer
On Thu, Mar 20, 2014 at 04:07:34PM +0100, Stephane Bortzmeyer bortzme...@nic.fr wrote a message of 167 lines which said: We'll talk more about that at the OARC workshop in Warsaw but, in case some people here are not aware of it, IETF now has a mailing list dedicated to DNS privacy

Re: [dns-operations] shunning malware-hosting registrars

2014-01-28 Thread Stephane Bortzmeyer
On Tue, Jan 28, 2014 at 10:43:21AM -0500, Daniel Sterling sterling.dan...@gmail.com wrote a message of 31 lines which said: Would it be possible for the larger DNS community to blacklist and stop serving domains from registrars that are known to be friendly to malware authors? For example,
