Re: [dns-operations] Hearing first complaints about failing internal resolving due to .prod TLD

On 13.09.14 17:54, Phillip Hallam-Baker wrote:
> On Thu, Sep 11, 2014 at 9:12 PM, Paul Hoffman <paul.hoff...@vpnc.org> wrote:
>> On Sep 11, 2014, at 4:27 PM, Paul Vixie <p...@redbarn.org> wrote:
>>> for the time being, and perhaps for a long time to come, the people who call the presence of .PROD a bug and/or depend on its absence as a feature, outnumbers and will outnumber the people who call it a feature or who will call its absence a bug.
>>
>> How do you measure that? This is a serious question, one that affects DNS operators. If you have a way of determining how many enterprises are negatively affected as a new gTLD rolls out, that would be very useful information.
>
> My advice to enterprises is to consider the following:
>
> Let the value to your enterprise of resolving the new domains be X
> Let the value at risk due to resolving the new domains be Y
> Let the cost of disabling new domain resolution be Z
>
> If Y > X-Z then the obvious choice is to turn off resolution of new domains.
>
> Since X and Z are both zero the choice is obvious.

However nice this sounds in theory, the reality is that you can never tightly control name resolution. Of course, you could try to control it, and that attempt too has its costs, which you should add to the right part of the expression. These costs are far from zero.

Daniel

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)
On Sat, Sep 13, 2014 at 09:37:52AM +, Franck Martin <fmar...@linkedin.com> wrote a message of 61 lines which said:
> limit size to 1500? on both IPv4 and IPv6?

It may be interesting against amplification attacks (although it seems everyone moved to NTP amplification attacks, abandoning the DNS). For fragmentation, I would not care, as explained here.

On an authoritative name server, you know the response sizes (use DSC to see it). DNSKEY responses are typically the largest. Check it before decreasing the limit.
Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)
On Sep 15, 2014, at 3:25 PM, Stephane Bortzmeyer <bortzme...@nic.fr> wrote:
> It may be interesting against amplification attacks (although it seems everyone moved to NTP amplification attacks, abandoning the DNS).

Actually, this isn't really what we're seeing - ntp and SSDP and SNMP and chargen and tftp reflection/amplification attacks are all taking place *alongside* DNS reflection/amplification attacks, rather than supplanting them.

We sometimes see DNS reflection/amplification attacks mixed with ntp or SSDP in multi-vector reflection/amplification attacks, mainly in the gaming space. Differing communities of 'interest', IMHO.

-- 
Roland Dobbins <rdobb...@arbor.net> // http://www.arbornetworks.com

Equo ne credite, Teucri. -- Laocoön
Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)
On Sep 15, 2014, at 5:52 PM, Tony Finch <d...@dotat.at> wrote:
> That is, you need to limit the size of response that you send (max-udp-size in BIND terms).

Do you recommend that it be lowered to 1280 or thereabouts for IPv6?

-- 
Roland Dobbins <rdobb...@arbor.net> // http://www.arbornetworks.com

Equo ne credite, Teucri. -- Laocoön
Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)
On Sep 15, 2014, at 5:52 PM, Tony Finch <d...@dotat.at> wrote:
> max-udp-size in BIND terms

btw, my impression is that the OP was asking about network policies, not DNS server settings - correction welcome if this wasn't the case.

-- 
Roland Dobbins <rdobb...@arbor.net> // http://www.arbornetworks.com

Equo ne credite, Teucri. -- Laocoön
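An added illustration of the sizing check discussed in this subthread (not code from any poster): it builds a constructed, uncompressed DNSKEY response for example.com. with dummy RSASHA256 key material and compares its length against the largest payload that fits one unfragmented datagram at a 1500-byte IPv4 MTU and the 1280-byte IPv6 minimum MTU, i.e. the candidate max-udp-size values. The zone name, key sizes, one RRSIG per KSK and the rollover scenario are all constructed assumptions.

```python
import struct

def encode_name(name):
    """Dotted DNS name to uncompressed wire format (no label compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def rr(owner, rtype, ttl, rdata):
    """One resource record: OWNER, TYPE, CLASS IN, TTL, RDLENGTH, RDATA."""
    return encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def dnskey_rdata(flags, modulus_bits):
    """Constructed RSASHA256 DNSKEY RDATA: flags, protocol 3, alg 8, exponent, dummy modulus."""
    return struct.pack("!HBB", flags, 3, 8) + b"\x03\x01\x00\x01" + b"\xaa" * (modulus_bits // 8)

def rrsig_rdata(zone, ttl, signer_bits):
    """RRSIG RDATA over the DNSKEY RRset: 18 fixed bytes, signer name, dummy signature."""
    labels = len(zone.rstrip(".").split("."))
    fixed = struct.pack("!HBBIIIH", 48, 8, labels, ttl, 0, 0, 0)
    return fixed + encode_name(zone) + b"\xbb" * (signer_bits // 8)

def dnskey_response(zone, ksk_bits, zsk_bits, ttl=3600):
    """Authoritative DNSKEY answer (one RRSIG per KSK, EDNS OPT); uncompressed, so an upper bound."""
    answers = [rr(zone, 48, ttl, dnskey_rdata(257, b)) for b in ksk_bits]
    answers += [rr(zone, 48, ttl, dnskey_rdata(256, b)) for b in zsk_bits]
    answers += [rr(zone, 46, ttl, rrsig_rdata(zone, ttl, b)) for b in ksk_bits]
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(answers), 0, 1)  # QR|AA, 1 Q, N AN, 1 AR
    question = encode_name(zone) + struct.pack("!HH", 48, 1)
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)  # OPT RR advertising a 4096-byte buffer
    return header + question + b"".join(answers) + opt

def udp_payload_limit(mtu, ipv6):
    """Largest DNS payload that fits one unfragmented datagram: MTU minus IP and UDP headers."""
    return mtu - (40 if ipv6 else 20) - 8

def truncated_under(response, limits):
    """For each candidate max-udp-size, would this response come back with TC set?"""
    return {limit: len(response) > limit for limit in limits}

if __name__ == "__main__":
    limits = {udp_payload_limit(1500, False): "IPv4 1500 MTU", udp_payload_limit(1280, True): "IPv6 1280 MTU"}
    for name, keys in {"steady state": ([2048], [1024]), "KSK+ZSK rollover": ([2048, 2048], [1024, 1024])}.items():
        resp = dnskey_response("example.com.", *keys)
        for limit, tc in truncated_under(resp, limits).items():
            print(f"{name}: {len(resp)} bytes vs max-udp-size {limit} ({limits[limit]}): {'TC set' if tc else 'fits'}")
```

The steady-state answer fits under both limits, while the rollover answer exceeds even the IPv4 limit, so clients would be retrying over TCP for the duration of the rollover.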
Re: [dns-operations] Hearing first complaints about failing internal resolving due to .prod TLD

On 09/13/2014 10:45 AM, David Conrad wrote:
> On Sep 13, 2014, at 2:19 AM, Franck Martin <fmar...@linkedin.com> wrote:
>> I'm not sure why the dot prod was not first set up to return NXDOMAIN, queries logged, and then source IP contacted to warn them
>>
>> Maybe this is an insight now; maybe this is something to do for ALL newly introduced TLDs: set up the resolution for a month with NXDOMAIN and then analyze the logs and see if it could be an issue.
>
> You might want to look at https://www.jasadvisors.com/namespace-expansion-i.pdf. Interestingly, .prod had only 146 (filtered) unique SLDs in the DITL data.
>
> This was discussed in the last year or so of 'discussions' related to name collision. Trivial to game, difficulties finding the actual source, difficulties in establishing what could be an issue vs. a false positive, etc.

I've tried (I hope) to make it clear whenever opportune that OARC's DITL data should only ever have been regarded as *a* source of policy-informing analysis for Name Collisions, and should not in any way be regarded as comprehensive or definitive. We were more than happy to step up with what we had in the absence of anything else, but other data sources would have been and would remain welcome.

It seems we may be seeing the first signs of the gap between reality and the dimensionally-constrained worldview of OARC data. Here are a couple of ideas I'd like to put out there:

- now that various of the nTLDs have been delegated into Controlled Interruption mode, would it be helpful for OARC to do an additional (or periodic) DITL capture(s), so we can get some comparison between what we thought we'd be seeing and what we are seeing?

- are there any other types of data-gathering that OARC could perform for the community that would help us understand these issues better (and if so what, and who would like to help)?

There were some proposals for such data gathering mooted, but AIUI did not get sufficient support in the ICANN process to be mandated.

Keith
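As an added example (not from any poster) of the "log the queries, then contact the source" approach Franck describes, this parses constructed BIND-style query-log lines from an enterprise resolver and reports which internal sources, and how many distinct second-level labels, depend on names under .prod. The log-line layout, addresses and hostnames are constructed, not real traffic.

```python
import re
from collections import Counter, defaultdict

# Constructed BIND-style query-log lines from an internal resolver (not real traffic).
# Queries for names under a newly delegated TLD are the ones whose answers will change,
# so these sources are the ones to identify and warn first.
SAMPLE_LOG = """\
13-Sep-2014 10:01:02.123 client 10.1.2.3#51234 (build01.prod): query: build01.prod IN A +E (10.0.0.53)
13-Sep-2014 10:01:02.456 client 10.1.2.3#51235 (db.eng.prod): query: db.eng.prod IN AAAA +E (10.0.0.53)
13-Sep-2014 10:01:03.001 client 10.1.9.9#40001 (www.example.com): query: www.example.com IN A +E (10.0.0.53)
13-Sep-2014 10:01:03.200 client 10.1.5.5#40002 (mail.example.net): query: mail.example.net IN MX + (10.0.0.53)
13-Sep-2014 10:01:04.900 client 10.1.2.3#51236 (BUILD01.prod.): query: BUILD01.prod. IN A +E (10.0.0.53)
13-Sep-2014 10:01:05.000 client 10.1.7.7#40003 (ci.prod): query: ci.prod IN A +E (10.0.0.53)
"""

QUERY_RE = re.compile(r"client (?P<src>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def parse_queries(log):
    """Yield (source, qname, qtype) per query line; qnames lowercased with trailing dot removed."""
    for line in log.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("src"), m.group("qname").rstrip(".").lower(), m.group("qtype")

def queries_under_tlds(log, watched_tlds):
    """Per watched TLD, count queries by (source IP, second-level label)."""
    report = defaultdict(Counter)
    for src, qname, _ in parse_queries(log):
        labels = qname.split(".")
        if labels[-1] in watched_tlds:
            sld = labels[-2] if len(labels) > 1 else ""
            report[labels[-1]][(src, sld)] += 1
    return {tld: dict(c) for tld, c in report.items()}

def summarise(report, tld):
    """Unique SLDs, distinct internal sources and total queries seen for one watched TLD."""
    entries = report.get(tld, {})
    return {"unique_slds": len({sld for _, sld in entries}),
            "sources": sorted({src for src, _ in entries}),
            "queries": sum(entries.values())}

if __name__ == "__main__":
    report = queries_under_tlds(SAMPLE_LOG, {"prod"})
    print(summarise(report, "prod"))
    for (src, sld), n in sorted(report["prod"].items(), key=lambda kv: -kv[1]):
        print(f"{src} asked for {sld}.prod {n} time(s); contact its owner before .prod answers change")
```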