[dns-operations] gtld servers in oz

2012-04-27 Thread Randy Bush
are there servers for com, net, org, ... in australia? randy ___ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list

Re: [dns-operations] Restrict ANY query to TCP ? Re: Why would an MTA issue an ANY query instead of an MX query?

2012-06-11 Thread Randy Bush
how about a much simpler configuration option to force all any queries to be reissued over TCP, restrict-any-udp yes/no; as i charge by the byte, i like it a lot. ymmv. randy

Re: [dns-operations] How to transfer DS records to parent zone?

2012-07-14 Thread Randy Bush
As an industry, we have the opportunity of giving our customers the blue pill and keeping them happy, or letting someone else give them the red pill and show them what can really happen. yep up a level. we are deploying new technology that we think is important to the internet, ipv6 and

Re: [dns-operations] PIR's (.org) Web site looks… default...

2012-09-10 Thread Randy Bush
that's byedaddy randy

[dns-operations] socialsecurity.gov

2012-09-12 Thread Randy Bush
what am i not understanding here? from seattle westin
psg.com:/usr/home/randy doc -p -w socialsecurity.gov.
Doc-2.2.3: doc -p -w socialsecurity.gov.
Doc-2.2.3: Starting test of socialsecurity.gov. parent is gov.
Doc-2.2.3: Test date - Wed Sep 12 09:57:32 GMT 2012
Summary:

Re: [dns-operations] socialsecurity.gov

2012-09-12 Thread Randy Bush
I can't reach the v6 addresses of dns5 or dns6; I can reach dns1 and dns2. I don't see anything in the log that indicates which transport was being used, but that would be consistent with the problem if the IIJ host is v6-enabled. actually, both hosts are v6 enabled. isn't everything? so i

Re: [dns-operations] dotless domains

2012-09-21 Thread Randy Bush
perhaps narrowing core technologies to the intersection of the un-flawed abilities of all applications will be an increasingly narrowing path which leads no place pleasant. True. I'm not particularly against the idea of using dotless domains, but we know who's going to live with the support

Re: [dns-operations] keeping ICANN busy

2012-09-21 Thread Randy Bush
It would be nice if the IAB or IETF could issue some sort of RRs in single-label domain names considered harmful document. or rrs in single-label domain names are legal. applications should be able to handle them. What's the path of least resistance ? putting mrs. greenberg in the cattle

Re: [dns-operations] which software is easier to setup a geo-based dns?

2012-10-07 Thread Randy Bush
For those what's the best suitable for setup a geo-based DNS server? what is a 'geo-based' server? and is it authoritative or caching? randy

Re: [dns-operations] Summary: Anyone still using a Sun/Oracle SCA6000 with OpenSSL?

2012-10-15 Thread Randy Bush
i keep wondering about the use of hsms in dnssec and rpki signing. i suspect that the threat model is not well thought out. I wonder what other operators' reasons for using a HSM with DNSSEC are (security-relevant, not performance-relevant). exactly. and folk are spending very large

Re: [dns-operations] OpenHardware FPGA-based HSM SCA6000 with OpenSSL?

2012-10-15 Thread Randy Bush
Making a tamper-evident box with SoftHSM is (I think) much easier to do, more scalable and done quicker. Right. I think that one question has not been asked so far: why? What's the real benefit that you'd get out of this? sounds like a diy hsm to me. and i still want to understand the threat

Re: [dns-operations] Summary: Anyone still using a Sun/Oracle SCA6000 with OpenSSL?

2012-10-15 Thread Randy Bush
Be trustee is a key to use HSM or hardware encryption. And because we are running a critical Internet infrastructure, I think should be the way, be trustee. that's called security theater. what is the threat model? what is the asset you are protecting against what attack by what adversary?

Re: [dns-operations] OpenHardware FPGA-based HSM SCA6000 with OpenSSL?

2012-10-16 Thread Randy Bush
The same is true for systems that act like HSMs. Indeed. So what's the difference between HSMs and systems that act like HSMs? what is the difference between airport nudie scanners and sniffer dogs? the dogs do not have a commercial lobby. randy

Re: [dns-operations] OpenHardware FPGA-based HSM SCA6000 with OpenSSL?

2012-10-16 Thread Randy Bush
The dogs also can't get sued ;-) Sometimes it is a matter of CYA. what is the difference between airport nudie scanners and sniffer dogs? the dogs do not have a commercial lobby. in the amurikan so-called culture, dogs are more easily sued than the lobbyists and the makers of the nudie

[dns-operations] swiss cheese

2013-01-09 Thread Randy Bush
kiddies are out this afternoon. no big deal, no real services but this makes uplinks pretty ugly. turning off dnssec no real help. 108.193.206.169 is not the only source. and i presume it is spoofed anyway. clue bat? randy
108-193-206-169.lightspeed.frsnca.sbcglobal.net: udp 06:28:26.448671

[dns-operations] zone format bind9

2013-02-11 Thread Randy Bush
a remote master has gone sick. i need to restore an older zone file. the file(s) on backup are in binary format. if i stick an old one in the directory and restart bind,
psg.com:/usr/home/randy/public_html# dig @rip cctld. soa
; <<>> DiG 9.4.3-P2 <<>> @rip cctld. soa
; (1 server found)

Re: [dns-operations] zone format bind9

2013-02-11 Thread Randy Bush
File corrupted? I can take a look off-list if you want. two diff copies? cf.tgz

Re: [dns-operations] zone format bind9

2013-02-11 Thread Randy Bush
it turns out 9.9 did not install named-compilezone. it was antique

Re: [dns-operations] zone format bind9

2013-02-16 Thread Randy Bush
On my FreeBSD boxes, I don't overwrite the system named, but rc.conf is set to run /usr/local/sbin/named. Typical mistake when one invokes named* commands as PATH will usually have /usr/sbin first. precisely what happened randy

Re: [dns-operations] Defending against DNS reflection amplification attacks

2013-02-22 Thread Randy Bush
Civil lawsuits by victims of DNS reflection and other attacks that depend on failures to deploy BCP38 might help convince boards of directors. as will black helicopters. can we stick to reality as we actually experience it? it is the reality on which the management, of which joe spoke so

Re: [dns-operations] Defending against DNS reflection amplification attacks

2013-02-22 Thread Randy Bush
Civil lawsuits by victims of DNS reflection and other attacks that depend on failures to deploy BCP38 might help convince boards of directors. Having been a witness in two of these lawsuits, cites, please randy

Re: [dns-operations] Defending against DNS reflection amplification attacks

2013-02-22 Thread Randy Bush
Are you willing to also help us do the hard work to do the right thing? I'm pretty sure the answer is Yes. So let's get busy, and stop finding reasons not to do the Right Thing. - ferg you may have a problem with your mail system. it seems to be re-sending messages from a decade ago,

Re: [dns-operations] DS keys for child zones on same server inline signing

2013-03-17 Thread Randy Bush
Hrm, I have some imminently expiring zones which I didn't bother setting up DNSSEC on. I'll see if I can reproduce. please report back. and maybe a recipe. thanks. randy, who uses opendnssec and bind

Re: [dns-operations] Force TCP for external queries to Open Resolvers?

2013-03-31 Thread Randy Bush
if they won't close the open resolver, you think they're gonna force tcp only? Not all open resolvers are run by brainless admins. between the brainless and those who don't read mailing lists or update software, i fear enough will remain to keep us foaming at the mouth like rabid raccoons.

Re: [dns-operations] weird DNS problem

2013-06-27 Thread Randy Bush
You have only two authoritative name servers, in the same /16 and the same AS. From traceroute, they also seem to be in the same physical location. That is not enough to provide resilience and reliability. A network issue with this prefix/AS/location is sufficient to explain the symptoms

Re: [dns-operations] old dnscap files

2013-08-16 Thread Randy Bush
#!/bin/sh
set -e
# dnscap settings: DNSCAP_BASEPATH (capture file prefix) and DNSCAP_FREE_GB (minimum free space to keep)
. /etc/sysconfig/dnscap
cd `dirname ${DNSCAP_BASEPATH}`
while sleep 1 ; do
  # free space on the capture filesystem, in whole gigabytes
  GB_FREE=`df -B 1G . | awk 'NR==2 {print $4}'`
  echo $GB_FREE GB free | logger
  # stop once enough space is free again
  test $GB_FREE -gt ${DNSCAP_FREE_GB} && break
  # otherwise delete the oldest capture file and check again
  ls -rt | grep '^dnscap\.' | head -n 1 | xargs rm
done

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-21 Thread Randy Bush
http://www.circleid.com/posts/20130820_a_question_of_dns_protocols/ them aussies certainly know how to do a nice bit of wide-scale measurement. now we can descend into the religions un-asserted implications violate. randy

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-21 Thread Randy Bush
http://www.circleid.com/posts/20130820_a_question_of_dns_protocols disappointed me with this characterization of RRL: There is a conversation thread that says that resolvers should implement response rate limiting (RRL), and silently discard repetitive queries that exceed some

Re: [dns-operations] Implementation of negative trust anchors?

2013-08-22 Thread Randy Bush
I'm still not convinced that the right answer is not to standardise, or not to write up a BCP how about a wcp? nancy regan was right. i am still at the other end of the elephant. why is the frelling software on the farbled server not detecting that it has been farbled and screaming loudly?

Re: [dns-operations] Implementation of negative trust anchors?

2013-08-26 Thread Randy Bush
i will try once more. an american idiom is keep your eye on the doughnut not the hole. this NTA discussion focuses on the wrong thing. why is the frelling software on the farbled server not detecting that it has been farbled and screaming loudly? why is it not preventing most of these

Re: [dns-operations] All NSs for a TLD being in the TLD itself

2013-10-25 Thread Randy Bush
xn--ngbc5azd. 172800 IN NS a.nic.xn--ngbc5azd.
xn--ngbc5azd. 172800 IN NS b.nic.xn--ngbc5azd.
xn--ngbc5azd. 172800 IN NS c.nic.xn--ngbc5azd.
xn--ngbc5azd. 172800 IN NS d.nic.xn--ngbc5azd.
a.nic.xn--ngbc5azd. 172800

Re: [dns-operations] Is it illegal to query the .berlin TLD servers?

2014-01-10 Thread Randy Bush
# dig +short txt berlin
;; Truncated, retrying in TCP mode.
The .berlin-zone is protected through the German Copyright-Law. Beyond it is protected by criminal law and data protection law. Unauthorised entry to the zone is prohibited. All rights, in particular the right of duplication,

Re: [dns-operations] Is it illegal to query the .berlin TLD servers?

2014-01-13 Thread Randy Bush
These ICANN rules (against dotless domains) are meaningless and ridiculous, anyway. not at all. they serve to remind us of icann's relevance. randy

Re: [dns-operations] Is it illegal to query the .berlin TLD servers?

2014-01-13 Thread Randy Bush
If you believe the laws are wrong (as many do!), come help change them. i know this will come as a shock, warren. but some people do not see bashing their heads against concrete walls as a good use of their time. randy

Re: [dns-operations] signing reverse zones

2014-02-10 Thread Randy Bush
hi mark, I'm interested in knowing if it is standard practice amongst folks to sign .arpa zones. Is there a compelling use case for signing reverse zones? standard practice? you some kinda control freak? first there is the arguments about whether reverse zones are useful and should be

Re: [dns-operations] about list's MX

2014-05-26 Thread Randy Bush
Anyway I think all the lists should have an explicit MX RR, which should not make confusing for MTA and people like me. :P mail delivery works, and it is well-specified. maybe work on getting RRs randy

Re: [dns-operations] hong kong workshop, day 2, live link

2014-12-09 Thread Randy Bush
Complementing what Edmon Chung mentioned that root-servers was already reserved in the last new gTLD round, here follows the complete list of reserved names: AFRINIC IANA-SERVERS NRO ALAC ICANN RFC-EDITOR APNIC IESG RIPE ARIN IETF ROOT-SERVERS ASO INTERNIC RSSAC CCNSO INVALID

Re: [dns-operations] [DNSOP] hong kong workshop, day 2, live link

2014-12-09 Thread Randy Bush
this is an amusing list. i can understand EXAMPLE, LOCALHOST, and TEST. maybe even WHOIS and WWW. but the rest sure look as if lawyers wanted and got what is in effect a super trademark. It's also missing one that's actually really important to be reserved: .onion. very much agree randy

[dns-operations] traffic jam

2015-04-26 Thread Randy Bush
i have two modest auth servers, a few MB/s each. ten days ago, they went to 80MB. sources and dests are widely distributed. so is it just a ddos, or is there something for which i should be looking? randy

Re: [dns-operations] traffic jam

2015-04-26 Thread Randy Bush
and sources
9895 64.89.233.211
8957 207.102.138.158
6665 64.89.230.9
6602 65.55.37.38
6569 65.55.37.40
6508 65.55.37.41
6463 65.55.37.37
6411 65.55.37.36
6394 65.55.37.39
6317 208.115.113.82
5558 216.117.191.20
2883 65.54.225.186
2487 192.0.84.33
2118 67.195.93.161
2007 209.190.113.85
1809

Re: [dns-operations] traffic jam

2015-04-26 Thread Randy Bush
What do the queries look like? Any patterns you can seine out? waiting for the daily dnscap/dnstop cyclic report spent a bit of time looking for a simple query log analysis tool. maybe i needed more coffee. pointers appreciated. If it's running BIND, try turning on RRL. did that a couple

Re: [dns-operations] traffic jam

2015-04-26 Thread Randy Bush
just a quick awk smash and grab
195524 A
64539
17229 MX
6391 NS
6139 ANY
4418 TXT
3153 DS
1827 PTR
1681 SOA
1379 DNSKEY
1187 SRV
611 SPF
308 A6
205 CNAME
7 NAPTR
6 TKEY
4 NSEC
1 RRSIG
1 PX
1 AXFR
interesting in itself, eh? :) looks normal except the server is not

Re: [dns-operations] .MW inconsistent zone updates?

2015-06-25 Thread Randy Bush
all true. but mw is a tough case, hard circumstances. and a sat link does not help. so frank from tz helps watch and debug. warren also watches, but he is up at layers nine and ten this week. life goes on. randy

Re: [dns-operations] .MW inconsistent zone updates?

2015-06-25 Thread Randy Bush
The Zone-OPS according to iana.org are in cc'ed and should hopefully have enough debug data to see the problem and solve it? frank has been working with them for a while and debugging. just did not see the need to start screaming fire in a crowded theater. randy

Re: [dns-operations] .MW inconsistent zone updates?

2015-06-25 Thread Randy Bush
I did a domain update last week on cheki.mw, but it seems like some OPs are either sleeping or their syncing is not really working ;) The following auth-ns is still delivering an old record:
mw. 21599 IN NS rip.psg.com.
$ dig +nocomments ns cheki.mw @rip.psg.com
;

Re: [dns-operations] Lack of tlsa support

2015-05-28 Thread Randy Bush
Do we really have to fight to get every new type supported? likely so, especially at the rate the dns-infected invent them randy

Re: [dns-operations] .MW inconsistent zone updates?

2015-06-28 Thread Randy Bush
the occasional packet can get through
rip.psg.com:/root# ping 196.45.188.5
PING 196.45.188.5 (196.45.188.5): 56 data bytes
64 bytes from 196.45.188.5: icmp_seq=2 ttl=44 time=360.147 ms
64 bytes from 196.45.188.5: icmp_seq=55 ttl=44 time=377.265 ms
64 bytes from 196.45.188.5: icmp_seq=78 ttl=43

Re: [dns-operations] glitch on [ip6|in-addr].arpa?

2019-10-10 Thread Randy Bush
>> Neither Cogent or HE buy transit from anybody else
i believe this statement to be false
randy

Re: [dns-operations] glitch on [ip6|in-addr].arpa?

2019-10-11 Thread Randy Bush
> The speculation I've seen is that Cogent refuses to treat HE as a Tier1
> network in v6 because they don't try to also be one in v4
s/try to be/are not/
for cogent, v6 and v4 are parity
> but that they should because HE's v6 network is much wider reaching
> and much longer established than

Re: [dns-operations] [Ext] DNS Flag Day 2020 will become effective on 2020-10-01

2020-09-17 Thread Randy Bush
> there are other things on the internet besides DNS
yes, bgp! :) see rfc 8654
randy

Re: [dns-operations] [Ext] DNS Flag Day 2020 will become effective on 2020-10-01

2020-09-16 Thread Randy Bush
> We should admit that actual Internet MTU is ~1500
sad but true
> PMTUD ... doesn’t work
sad but true

Re: [dns-operations] Monitoring for impending expiration of domains?

2020-12-14 Thread Randy Bush
you folk are sure making me appreciate the registrar i use randy

Re: [dns-operations] Monitoring for impending expiration of domains?

2020-12-13 Thread Randy Bush
tangent, but you started it
> [1] IANAL, but this rather looks like a gross over-reaction to GDPR,
> with some registries and registrars continuing to provide usable
> contact details with no ill consequence. The practice even among
> European ccTLDs varies rather widely.
It would sure be great

Re: [dns-operations] maybe a small tcp flood

2021-06-22 Thread Randy Bush
>> tcp query flood for cctlds and sec.cctlds, could be others
>> being sent via popular open servers: goog, neustar, ...
>> O(100)qps or higher
>
> - What was the duration of the event (UTC time start and end)?
after a short break, it is ongoing
> - Any stats on the rtype(s)?
> - Any stats

Re: [dns-operations] maybe a small tcp flood

2021-06-22 Thread Randy Bush
thanks to clue from duane
Query Type   Count      %   cum%
----------   ------  -----  -----
A?           735975   96.1   96.1
NS?           10941    1.4   97.5
TXT?          10888    1.4   99.0
?              5120    0.7   99.6
MX?             822    0.1   99.7
DS?             642

Re: [dns-operations] maybe a small tcp flood

2021-06-22 Thread Randy Bush
> Does your dnstop support TCP? The man page on my machine has the
> following mentioned under BUGS:
>
> Does not support TCP at this time.
doh :(
randy

[dns-operations] maybe a small tcp flood

2021-06-17 Thread Randy Bush
trying to understand what we are seeing, and assume others are seeing it too. tcp query flood for cctlds and sec.cctlds, could be others being sent via popular open servers: goog, neustar, ... O(100)qps or higher randy
--- ra...@psg.com `gpg --locate-external-keys --auto-key-locate wkd

[dns-operations] cheap traffic measure for a small set of zones

2021-03-25 Thread Randy Bush
is there a simple tool to run on a server to measure query and data rates for a small set of zones? i just want to run it for a day. it is a bind9 server which serves a few hundred zones. i would like to know the query rate and byte count for six of them. randy

Re: [dns-operations] cheap traffic measure for a small set of zones

2021-03-25 Thread Randy Bush
> is there a simple tool to run on a server to measure query and data
> rates for a small set of zones?
>
bingo! thanks.
randy

[dns-operations] AL

2023-08-31 Thread Randy Bush
rip.psg.com runs secondary for AL. but
rip.psg.com:/usr/home/dns# dig @194.1.149.230 al axfr
; <<>> DiG 9.18.16 <<>> @194.1.149.230 al axfr
; (1 server found)
;; global options: +cmd
; Transfer failed.
the contact in the SOA does not answer, nor does the dom...@akep.al, nor

Re: [dns-operations] AL

2023-08-31 Thread Randy Bush
> Add +all to the request to see the rcode.
>
>> rip.psg.com runs secondary for AL. but
>>
>> rip.psg.com:/usr/home/dns# dig @194.1.149.230 al axfr
>>
>> ; <<>> DiG 9.18.16 <<>> @194.1.149.230 al axfr
>> ; (1 server found)
>> ;; global options: +cmd
>> ; Transfer failed.
>>

Re: [dns-operations] differ

2023-11-13 Thread Randy Bush
>> it occurred to me that it might be wise to have a rancid like
>> (https://shrubbery.net/rancid/) equivalent for critical domains.
>> i.e. to git record changes and warn of radical diffs.
>>
>> is there any foss tooling in this space?
>
> Assuming there isn't - yet...- What would you want a

Re: [dns-operations] Input from dns-operations on NCAP proposal

2022-06-03 Thread Randy Bush
> Do we have any idea how many systems still use search lists?
linux and freebsd installs encourage them

Re: [dns-operations] Stale .GN and .LR zone data in some instances of "ns-{gn, lr}.afrinic.net"

2022-08-30 Thread Randy Bush
100 53103 gn. [omitted]
>
> ;; AUTHORITY SECTION:
> gn. 14400 IN NS rip.psg.com.
> gn. 14400 IN NS fork.sth.dnsnode.net.
> gn. 14400 IN NS ns-gn.afrinic.net.
> gn. 14400 IN RRSIG

Re: [dns-operations] BlackHat Presentation on DNSSEC Downgrade attack

2022-08-16 Thread Randy Bush
have you folk sufficiently damaged your academic reputations and public images that we will not have to read more of this? randy

[dns-operations] differ

2023-11-12 Thread Randy Bush
it occurred to me that it might be wise to have a rancid like (https://shrubbery.net/rancid/) equivalent for critical domains. i.e. to git record changes and warn of radical diffs. is there any foss tooling in this space? randy

Re: [dns-operations] DNS Operations

2024-03-02 Thread Randy Bush
> As I checked with ChatGPT
ROFL!