Re: [dns-operations] The (very) uneven distribution of DNS root servers on the Internet

2012-05-15 Thread David Conrad
Stephane, On May 14, 2012, at 11:14 PM, Stephane Bortzmeyer wrote: BTW fair and equitable is one of those unfortunate phrases that gets Internet governance types very excited, not always in a good way: eg fair and equitable distribution of IP addresses. We disagree here. Asking for fairness

Re: [dns-operations] The (very) uneven distribution of DNS root servers on the Internet

2012-05-17 Thread David Conrad
On May 17, 2012, at 3:25 AM, Joe Abley wrote: Even ignoring folks who slave the zone now, is coordinated measurement of the root system realistically possible today given the business/political/philosophical environments of the root operators? Yes. [citation needed] However, there's a

Re: [dns-operations] Documenting root slave operation Re: The (very) uneven distribution of DNS root servers on the Internet

2012-05-17 Thread David Conrad
Andrew, On May 17, 2012, at 1:36 PM, Andrew Sullivan wrote: [rebuttals to suggested advantages] I feel like this is going stuff already discussed so I won't bother going point by point as I suspect it would be a waste of both our time (particularly given your view as expressed below). I am

Re: [dns-operations] I know I'm a curmudgeon but

2012-07-09 Thread David Conrad
On Jul 9, 2012, at 9:17 AM, Edward Lewis wrote: At 17:53 +0200 7/9/12, Benny Pedersen wrote: ;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0 2 last zero is bad sign Not really. Some folks like minimal-response. The name isn't a problem, it's dig. Sounds like a

Re: [dns-operations] Authoritative Name Server at Wikipedia

2012-08-08 Thread David Conrad
Paul Mockapetris founded Nominum? How offensive! I'm shocked to hear Wikipedia got something wrong. Oh. Wait. Did you mean to highlight something else? :-) Regards, -drc On Aug 8, 2012, at 1:23 PM, Jan-Piet Mens jpmens@gmail.com wrote: From [1]: Authoritative Name Server

Re: [dns-operations] dotless domains

2012-09-21 Thread David Conrad
Stephane, On Sep 21, 2012, at 1:40 AM, Stephane Bortzmeyer bortzme...@nic.fr wrote: I'm not particularly against the idea of using dotless domains, but we know who's going to live with the support questions when users start complaining. Paul's piece on CircleID sums it up

Re: [dns-operations] dotless domains

2012-09-24 Thread David Conrad
Florian, On Sep 24, 2012, at 12:07 AM, Florian Weimer f...@deneb.enyo.de wrote: * Paul Vixie: those are country code top level domains. cctld's enjoy national sovereignty Uhm, most of them are companies, and not subjects of international law. Few of them, however, have entered binding

Re: [dns-operations] Massive DNS poisoning attacks in Brazil

2012-10-02 Thread David Conrad
On Oct 2, 2012, at 12:54 PM, Paul Vixie p...@redbarn.org wrote: if ietf hadn't declared the dns protocol finished, and were not even now working to close up the dnsext working group, i'd propose that we develop a standard for carrying edns over tcp/80 and/or tcp/443, which is for most mobile

Re: [dns-operations] Massive DNS poisoning attacks in Brazil

2012-10-02 Thread David Conrad
On Oct 2, 2012, at 5:49 PM, Vernon Schryver v...@rhyolite.com wrote: The only reasonable solution is to give stub resolvers some of the features of recursive resolvers including DNSSEC validation and caching to make the costs of DNSSEC tolerable. Why not get rid of stub resolvers completely

Re: [dns-operations] Massive DNS poisoning attacks in Brazil

2012-10-03 Thread David Conrad
Vernon, On Oct 3, 2012, at 6:38 AM, Vernon Schryver v...@rhyolite.com wrote: Any popular scheme that works around DNS, HTTP, ssh, etc. man-in-the-middle attacks that become popular will be blocked, proxied, or hijacked unless most users normally use tools that detect and refuse to work with

Re: [dns-operations] Massive DNS poisoning attacks in Brazil

2012-10-03 Thread David Conrad
Vernon, On Oct 3, 2012, at 8:57 AM, Vernon Schryver v...@rhyolite.com wrote: You're assuming the MITM attacks are intentional. No, I assume only either that the men in the middle will back off if they irritate enough users or that they can be detected. They can only back off if they're aware

Re: [dns-operations] ATT DNS Cache Poisoning?

2012-10-27 Thread David Conrad
Robert, On Oct 27, 2012, at 1:37 PM, Robert Edmonds edmo...@isc.org wrote: i don't think it's cache poisoning. note that there are two out-of-zone nameservers for ben.edu: ... and that bobbroadband.com was updated recently, Good catch! Makes sense. I checked the history on ben.edu but

Re: [dns-operations] ATT DNS Cache Poisoning?

2012-10-28 Thread David Conrad
Bert, On Oct 27, 2012, at 10:55 PM, bert hubert bert.hub...@netherlabs.nl wrote: Thus continuing the trend that all purported cache poisonings observed have been registry hacks. Looks that way, although it looks like this wasn't really a registry hack but rather what happens when a domain

Re: [dns-operations] responding to spoofed ANY queries

2013-01-12 Thread David Conrad
Vernon, On Jan 12, 2013, at 3:11 PM, Vernon Schryver v...@rhyolite.com wrote: We just need to admit that self-regulation by the industry has failed to address this matter adequately. That statement is wrong and irritating. While I might agree it is irritating, it is so because it is true.

Re: [dns-operations] responding to spoofed ANY queries

2013-01-12 Thread David Conrad
Paul, On Jan 12, 2013, at 4:51 PM, Paul Vixie p...@redbarn.org wrote: in that having only spoofing and not amplification would mean there would be a smaller problem, it's less true. In a world of million-zombie botnets, amplification is merely icing on the cake. the internet is extra-legal

Re: [dns-operations] responding to spoofed ANY queries

2013-01-12 Thread David Conrad
Vernon, On Jan 12, 2013, at 5:55 PM, Vernon Schryver v...@rhyolite.com wrote: Laws requiring that all routers support one or more of the BCP 38 mechanisms sound rather late and redundant and wouldn't do much to make ISPs turn them on, Do you really believe that in the aftermath of a

Re: [dns-operations] getting .CW recognised in the Google ccTLD tables/databases ...

2013-01-20 Thread David Conrad
A nit: On Jan 20, 2013, at 4:35 PM, Doug Barton do...@dougbarton.us wrote: ISO-3166-1 table which shows valid ccTLDs in green: http://www.iso.org/iso/home/standards/country_codes/iso-3166-1_decoding_table.htm Yellow (exceptionally reserved) code elements used for ccTLDs are also considered

Re: [dns-operations] getting .CW recognised in the Google ccTLD tables/databases ...

2013-01-21 Thread David Conrad
Hi, On Jan 21, 2013, at 1:07 AM, Jaap Akkerhuis j...@nlnetlabs.nl wrote: ISO-3166-1 table which shows valid ccTLDs in green: http://www.iso.org/iso/home/standards/country_codes/iso-3166-1_decoding_table.htm Yellow (exceptionally reserved) code elements used for ccTLDs are also considered

Re: [dns-operations] What's a suffix?

2013-01-21 Thread David Conrad
On Jan 21, 2013, at 1:00 AM, Stephane Bortzmeyer bortzme...@nic.fr wrote: On Mon, Jan 21, 2013 at 09:25:03AM +0100, Stephane Bortzmeyer bortzme...@nic.fr wrote a message of 21 lines which said: A suffix is any string ending a domain name. A reader even more nazi than I am suggested a

Re: [dns-operations] Monday rant againt the uses of the Public Suffix List

2013-01-28 Thread David Conrad
On Jan 28, 2013, at 4:31 AM, Franck Martin fmar...@linkedin.com wrote: There are plenty errors in the public suffix list for Pacific Island countries. I guess the operators of the ccTLDs there, never heard of the PSL. Should they have? Regards, -drc

Re: [dns-operations] Another whitepaper on DDOS

2013-02-22 Thread David Conrad
On Feb 22, 2013, at 2:58 AM, Stephane Bortzmeyer bortzme...@nic.fr wrote: they keep pretending that the DNS attack in Brazil was cache poisoning, while it has been widely documented for a long time http://www.securelist.com/en/blog/208193852/The_tale_of_one_thousand_and_one_DSL_modems. I

Re: [dns-operations] Another whitepaper on DDOS

2013-02-22 Thread David Conrad
Warren, On Feb 22, 2013, at 7:42 AM, Warren Kumari war...@kumari.net wrote: http://dnssec-deployment.org/pipermail/dnssec-deployment/2012-July/006003.html Thanks! Missed that message somehow. BIND 4.8.anything in 2010? I weep for humanity. Regards, -drc

Re: [dns-operations] N-Root

2013-04-01 Thread David Conrad
On Apr 1, 2013, at 2:40 PM, Lutz Donnerhacke l...@iks-jena.de wrote: * Stephane Bortzmeyer wrote: Congratulations: you've solved the easy problem, the technical one, and left open the really hard one, finding who has the legitimacy to hire/fire root name server operators :-) Oh, this

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-21 Thread David Conrad
Geoff, I personally think this is really interesting work. A question about methodology: On Aug 21, 2013, at 4:36 PM, Geoff Huston g...@apnic.net wrote: - Our experiment used a modified DNS server that truncated all UDP at 512 bytes, and over 10 days we enlisted some 2 million end clients to

Re: [dns-operations] Implementation of negative trust anchors?

2013-08-22 Thread David Conrad
Doug, On Aug 22, 2013, at 12:06 PM, Doug Barton do...@dougbarton.us wrote: As stated before, the problem is that after the early adopter period is over we'll be stuck with NTAs forever. A resolver operator deploying an NTA is making an assertion that data behind a name is safe despite

Re: [dns-operations] Implementation of negative trust anchors?

2013-08-23 Thread David Conrad
On Aug 22, 2013, at 3:19 PM, Paul Hoffman paul.hoff...@vpnc.org wrote: On Aug 22, 2013, at 2:47 PM, David Conrad d...@virtualized.org wrote: A resolver operator deploying an NTA is making an assertion that data behind a name is safe despite protocol indications that it may not be. Where

Re: [dns-operations] Implementation of negative trust anchors?

2013-08-23 Thread David Conrad
On Aug 22, 2013, at 3:25 PM, Paul Vixie p...@redbarn.org wrote: A resolver operator deploying an NTA is making an assertion that data behind a name is safe despite protocol indications that it may not be. Where is that stated? I ask, because it would seem that a better description would be

Re: [dns-operations] Implementation of negative trust anchors?

2013-08-23 Thread David Conrad
On Aug 22, 2013, at 5:13 PM, Paul Vixie p...@redbarn.org wrote: Randy Bush wrote: from a conversation with a friend wiser than i the problem is that we are going through a deployment phase where there is little penalty for sloppy server ops because so few are validating. patching over

Re: [dns-operations] Implementation of negative trust anchors?

2013-08-23 Thread David Conrad
On Aug 23, 2013, at 9:02 AM, Vernon Schryver v...@rhyolite.com wrote: Eyeball networks would be best served by turning off DNSSEC. I believe this is what they're trying to avoid. Let's be honest and admit that talk about NTA today and tomorrow (as opposed to last year) is really a statement

Re: [dns-operations] Implementation of negative trust anchors?

2013-08-23 Thread David Conrad
On Aug 23, 2013, at 9:19 AM, Paul Vixie p...@redbarn.org wrote: if nasa.gov had screwed up its delegation or had allowed its public secondary servers to expire the zone due to primary unreachability, i do not think the phone at comcast would have rung less, but i also don't think that comcast

Re: [dns-operations] Implementation of negative trust anchors?

2013-08-23 Thread David Conrad
Vernon, On Aug 23, 2013, at 11:10 AM, Vernon Schryver v...@rhyolite.com wrote: They would be better served by `rndc validation off X hours` with a limit on the X hours of 24 than any sort of NTA hook. So, because one zone messes up signing, instead of opening up that one zone to spoofing

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-14 Thread David Conrad
On Oct 14, 2013, at 7:08 PM, Paul Hoffman paul.hoff...@vpnc.org wrote: A fictitious 100-person company has an IT staff of 2 who have average IT talents. They run some local servers, and they have adequate connectivity for the company's offices through an average large ISP. Should that

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-16 Thread David Conrad
Florian, On Oct 15, 2013, at 10:24 PM, Florian Weimer f...@deneb.enyo.de wrote: There's a tendency to selectively block DNS traffic, which can be a pain to debug. True. Hate that. A lot. Various network issues might only affect DNS recursor traffic. Given the information provided in the

Re: [dns-operations] ALERT: .QA CCTLD in wrong hands currently

2013-10-18 Thread David Conrad
On Oct 19, 2013, at 5:36 AM, Kauto Huopio kauto.huo...@ficora.fi wrote: It seems that .QA TLD could be currently in wrong hands: https://twitter.com/Official_SEA16/status/391339315562688513 The TLD appears to be fine (that is, it hasn't been redelegated). Looks like the registry might be

Re: [dns-operations] summary of recent vulnerabilities in DNS security.

2013-10-20 Thread David Conrad
On Oct 20, 2013, at 2:16 PM, Vernon Schryver v...@rhyolite.com wrote: Should the people working on DNS implementations prioritize making their DNSSEC code more robust and easier to use above or below addressing your issues? I'd say below. Resolver operators (hopefully) want to protect their

Re: [dns-operations] It's begun...

2013-11-05 Thread David Conrad
On Nov 5, 2013, at 8:52 AM, Matthäus Wander matthaeus.wan...@uni-due.de wrote: The operator of xn--80asehdb. and xn--80aswg. is using a custom-made name server according to their version.bind. I don't know if I'd call http://www.irondns.net custom. Regards, -drc

Re: [dns-operations] It's begun...

2013-11-14 Thread David Conrad
On Nov 14, 2013, at 1:41 PM, Joseph S D Yao j...@tux.org wrote: When it will get interesting is when there are 5000+ TLDs, 2500+ of which have been abandoned because the entrepreneurs who proposed them decided it wasn't fun and abandoned them, leaving lame servers galore. Is there any

Re: [dns-operations] Issue with www.bing.com resolution in Time Warner

2013-11-18 Thread David Conrad
On Nov 18, 2013, at 1:54 PM, Ashley Flavel ashle...@microsoft.com wrote: I’ve had reports that users in TWC are getting incorrect IPs back from their local resolvers. Both of the IPs below are proxy servers and sometimes redirect the user to dnsrsearch.com instead of bing.com. Perhaps

Re: [dns-operations] chrome's 10 character QNAMEs to detect NXDOMAIN rewriting

2013-11-27 Thread David Conrad
Ed, On Nov 27, 2013, at 6:00 AM, Edward Lewis ed.le...@neustar.biz wrote: My excuse is - operators limit the effort expended in fighting entropy. Imagine an average operations environment operating as most environments go. ... Eventually one day something breaks and then... ...include

[dns-operations] Fwd: [perpass] A reminder, the Network is the Enemy...

2013-12-04 Thread David Conrad
Hi, I'm taking the liberty of forwarding the following off the IETF perpass list as Nicholas' analysis matches my own intuition. Stephane Bortzmeyer asked on the same list: Very convincing reasoning. But I would feel better if it were actually tested in a lab with common resolvers. Any

Re: [dns-operations] Uptick in number of domains losing delegation recently

2014-04-22 Thread David Conrad
Jothan, On Apr 22, 2014, at 8:45 PM, Jothan Frakes jot...@gmail.com wrote: Actually I am all about making sure contact info is correct and trimming away perp abuses. My understanding is that the toolbox to do this is somewhat limited. What other mechanisms than domain suspension would you

Re: [dns-operations] Uptick in number of domains losing delegation recently

2014-04-23 Thread David Conrad
Dave, On Apr 22, 2014, at 9:57 PM, Dave Warren da...@hireahit.com wrote: On Apr 22, 2014, at 8:45 PM, Jothan Frakes jot...@gmail.com wrote: Actually I am all about making sure contact info is correct and trimming away perp abuses. My understanding is that the toolbox to do this is somewhat

Re: [dns-operations] Uptick in number of domains losing delegation recently

2014-04-23 Thread David Conrad
Jothan, On Apr 22, 2014, at 11:17 PM, Jothan Frakes jot...@gmail.com wrote: David I think the desired outcome is honorable and important, but the mechanism needs to be thought out a bit so it doesn't crush the innocent in pursuit of the guilty. My understanding that the RAA requirements

Re: [dns-operations] most of root NS and com's NS fail from here

2014-04-29 Thread David Conrad
Emmanuel, On Apr 29, 2014, at 3:05 AM, Emmanuel Thierry m...@sekil.fr wrote: If i'm not mistaken, the Chinese filtering is performed on a per-service basis. The (presumably UDP) based traceroute appears to get stuck just after entering the DREN, not at the Chinese border... Regards, -drc

Re: [dns-operations] about the underline in hostname

2014-05-29 Thread David Conrad
On May 29, 2014, at 9:54 AM, Phillip Hallam-Baker ph...@hallambaker.com wrote: This implies that ICANN can't delegate an all-numeric TLD, and in fact, ICANN (in section 2.2.1.3.2, sub-section 1.2.1 of the Applicant's Guide Book) states: I am rather worried when specifications rely on what is

Re: [dns-operations] First new gTLD using ICANN's Name Collision Occurrence Management Framework

2014-08-29 Thread David Conrad
Hi, On Aug 28, 2014, at 11:59 PM, Patrik Fältström p...@frobbit.se wrote: On 29 aug 2014, at 07:04, SM s...@resistor.net wrote: At 14:13 28-08-2014, Rod Rasmussen wrote: I note that these documents speak to many of the issues being exposed here (and yes, full disclosure, I wrote a small

Re: [dns-operations] Validating or not validating (ICANN controlled interruption)

2014-09-03 Thread David Conrad
Rubens, hatless But isn’t it better we shake these sorts of things out now? /hatless Regards, -drc On Sep 3, 2014, at 5:41 AM, Rubens Kuhl rube...@nic.br wrote: What I can tell you is that registries and applicants suggested ICANN to not require DNSSEC-signing of wildcard controlled

Re: [dns-operations] Hearing first complains about failing internal resolving due to .prod TLD

2014-09-13 Thread David Conrad
Franck, On Sep 13, 2014, at 2:19 AM, Franck Martin fmar...@linkedin.com wrote: I’m not sure why the dot prod was not first set up to return NXDOMAIN, queries logged, and then source IP contacted to warn them of such upcoming change. The source IP is a resolver, not the original querier. I’m

Re: [dns-operations] resolvers considered harmful

2014-10-22 Thread David Conrad
On Oct 22, 2014, at 10:27 AM, Florian Weimer f...@deneb.enyo.de wrote: I've suggested multiple times that one possible way to make DNS cache poisoning less attractive is to cache only records which are stable over multiple upstream responses, and limit the time-to-live not just in seconds, but

Re: [dns-operations] resolvers considered harmful

2014-10-22 Thread David Conrad
Mark, On Oct 22, 2014, at 12:18 PM, Mark Allman mall...@icir.org wrote: Why not just turn on DNSSEC? Important zones are still unsigned, so I can understand why there is a desire for alternative solutions. Right. It isn't like we are lacking for ways to solve the problems we know about.

Re: [dns-operations] resolvers considered harmful

2014-10-22 Thread David Conrad
Mark, On Oct 22, 2014, at 6:07 PM, Mark Allman mall...@icir.org wrote: David Conrad d...@virtualized.org: As I understand it, you're proposing pushing the resolvers out to the edges That is not what we are proposing. We are not suggesting resolvers be *moved*, but rather *removed

Re: [dns-operations] resolvers considered harmful

2014-10-23 Thread David Conrad
Hi, On Oct 23, 2014, at 10:36 AM, Paul Vixie p...@redbarn.org wrote: until you have done this and have results to report, you'd be wise not to make any claims about this possibility. I've done so, on and off over the years (including mirroring the root zone), and found that it mostly just

Re: [dns-operations] cool idea regarding root zone inviolability

2014-11-27 Thread David Conrad
Patrik, On Nov 26, 2014, at 10:40 PM, Patrik Fältström p...@frobbit.se wrote: FWIW, I have been working on this for a while with the Diplo foundation, and I am happy to answer questions (and of course listen to concerns). It is an interesting idea, but I don't get how it would work. I asked

Re: [dns-operations] knot-dns

2014-12-14 Thread David Conrad
Hi, I'm having a bit of trouble believing this isn't April 1. On Dec 14, 2014, at 10:38 AM, Florian Weimer f...@deneb.enyo.de wrote: While it sounds good on phosphor, the concept of code diversity is so abstract, compared to the significant operational challenges and associated security

Re: [dns-operations] knot-dns

2014-12-14 Thread David Conrad
On Dec 14, 2014, at 3:05 PM, Roland Dobbins rdobb...@arbor.net wrote: I've never run into a situation in which a monoculture would've made things any worse. ?? Two words: Microsoft Windows. a) packet-of-death vulnerabilities are rare, Sure, but they happen. For example: - the resolver

Re: [dns-operations] knot-dns

2014-12-14 Thread David Conrad
Matt, On Dec 14, 2014, at 6:08 PM, Matthew Ghali mgh...@gmail.com wrote: Given the set of practical issues we’re worried about today, delivering a service via multiple codebases certainly isn’t a magic bullet. Agreed. I would be surprised if anyone seriously argues that it is. Upon closer

Re: [dns-operations] knot-dns

2014-12-15 Thread David Conrad
Florian, On Dec 14, 2014, at 10:55 PM, Florian Weimer f...@deneb.enyo.de wrote: When you aim for diversity, you get the union of all bugs, not the intersection. In the sense that some portion of your infrastructure may be affected by all bugs, sure. The point is that _all_ your

Re: [dns-operations] knot-dns

2014-12-15 Thread David Conrad
Roland, I am suggesting that when building out infrastructure, it is prudent to try to minimize single points of failure. One such single point of failure is reliance on a software monoculture. You appear to be suggesting that the Internet is so broken that taking steps to minimize single

Re: [dns-operations] Lack of tlsa support

2015-05-27 Thread David Conrad
On May 27, 2015, at 6:16 PM, Mark Andrews ma...@isc.org wrote: Do we really have to fight to get every new type supported? Is this a trick question? The Empirical Evidence 8-ball would appear to say Yes. Regards, -drc

Re: [dns-operations] root? we don't need no stinkin' root!

2019-12-04 Thread David Conrad
[Sorry for the slow response — US holidays and a resolution not to look at my computer over said holidays got in the way] > On Nov 28, 2019, at 12:42 AM, Petr Špaček wrote: > On 27. 11. 19 21:49, David Conrad wrote: >> Petr, >> >>> I think there is even more funda

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-26 Thread David Conrad
On Nov 26, 2019, at 11:33 AM, Jim Reid wrote: >> On 26 Nov 2019, at 09:16, Florian Weimer > > wrote: >> >> Up until recently, well-behaved recursive resolvers had to forward >> queries to the root if they were not already covered by a delegation. >> RFC 7816 and in

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-27 Thread David Conrad
Petr, > I think there is even more fundamental problem: > Someone has to pay operational costs of "the new system”. The “new system” is simply the existing network of resolvers, augmented to have the root zone. As far as I can tell, the operational cost would be in (a) ensuring the resolver

Re: [dns-operations] glitch on [ip6|in-addr].arpa?

2019-10-10 Thread David Conrad
Adam, On Oct 10, 2019, at 8:28 AM, Adam Vallee wrote: > In my opinion, a new C root operator should be chosen based on the fact that > Cogent is not fulfilling its duty to operate their root servers for the > benefit of the internet as a whole. > > It seems to me that they are operating the

Re: [dns-operations] glitch on [ip6|in-addr].arpa?

2019-10-11 Thread David Conrad
Adam, On Oct 11, 2019, at 12:36 AM, Adam Vallee wrote: > On Thu, Oct 10, 2019 at 10:40 AM David Conrad d...@virtualized.org wrote: > Adam, > > I’d recommend reading "A Proposed Governance Model for the DNS Root Server > System” (https://www.icann.org/en

Re: [dns-operations] Input from dns-operations on NCAP proposal

2022-06-02 Thread David Conrad
Hi, On Jun 1, 2022, at 12:39 AM, Petr Špaček wrote: > On 24. 05. 22 17:54, Vladimír Čunát via dns-operations wrote: >>> Configuration 1: Generate a synthetic NXDOMAIN response to all queries with >>> no SOA provided in the authority section. >>> Configuration 2: Generate a synthetic NXDOMAIN

Re: [dns-operations] [Ext] How should work name resolution on a modern system?

2022-06-16 Thread David Conrad
Mark, On Jun 15, 2022, at 6:57 PM, Mark Andrews wrote: > Views come down to lack of IPv4 address space forcing RFC 1918 on people No. Split DNS existed before RFC 1918 was written. What ISC defined as “views" in BIND 9 is simply an implementation of an independent namespace. The fact that it

Re: [dns-operations] Single label queries on Windows (11)

2023-07-08 Thread David Conrad
A very long time ago (i.e., back when I was executive director of ISC and BINDv9.0.0 was being released) we tried to encourage people to NOT use nslookup as it tends to try too hard to “help", leading to all sorts of confusion, e.g., the kind you experienced. Instead, we recommended dig as (a)

Re: [dns-operations] [DNSSEC] Venezuela ccTLD broken

2023-07-20 Thread David Conrad
Hi, On Jul 20, 2023, at 7:29 AM, Viktor Dukhovni wrote: > Finally, for the RSAC (yes not the right forum to formally lodge the > question), should the root zone DS TTL still be 1 day? Would a change > to one hour be acceptable (aligning with it with the practice of many > TLDs and aiding in

Re: [dns-operations] [Ext] Re: in-addr.arpa. "A" server "loopback network" misconfiguration

2023-06-23 Thread David Conrad
Mark, Kim indicated the relevant IETF Area Director advised that no action be taken. I suspect instead of reiterating what the changes are that you believe should be made, a more useful course of action would be to understand why the relevant IETF Area Director provided the advice that they

Re: [dns-operations] DNS Operations

2024-03-02 Thread David Conrad via dns-operations
Hi, On Mar 2, 2024, at 4:57 AM, Lee wrote: > On Sat, Mar 2, 2024 at 1:53 AM Turritopsis Dohrnii Teo En Ming via > dns-operations wrote: >> >> As I checked with ChatGPT, it says ISC BIND DNS Server is the most popular >> DNS server software in the world. ChatGPT is the