On Wed, May 16, 2012 at 08:52:26PM -0400,
Joe Abley jab...@hopcount.ca wrote
a message of 50 lines which said:
For example, a ccTLD is redelegated, the root zone is stale on the
local ISP's resolver, and since most of that ISP's customers never
have a reason to look for names under that cc,
On Sun, Jun 10, 2012 at 04:24:51AM -0700,
Kyle Creyts kyle.cre...@gmail.com wrote
a message of 65 lines which said:
are there legitimate reasons to continue supporting ANY queries?
They are very useful for debugging. I would regret their
disappearance. What about forcing TCP for ANY requests
On Tue, Jun 12, 2012 at 03:32:56AM +,
Vernon Schryver v...@rhyolite.com wrote
a message of 76 lines which said:
Joe and Joan should be using their ISP's validating, load balancing,
well (or at least somewhat) maintained DNS servers, just as they
should be using their ISP's SMTP systems.
On Sun, Jun 10, 2012 at 01:25:06PM +0200,
DTNX Postmaster postmas...@dtnx.net wrote
a message of 37 lines which said:
Google is known to be obsessed with latency, for example, so I
wouldn't be surprised if they deliberately request ANY and then parse
and cache the results for a multitude of
On Tue, Jun 12, 2012 at 08:15:00PM +,
Paul Vixie p...@redbarn.org wrote
a message of 21 lines which said:
[recursive servers are] a separate problem, and most of the time the
fix is to add an ACL to deny off-net or off-campus query traffic.
If you don't do ingress filtering, it still
verisigninc.com/DNSKEY: DS RRs exist for algorithm(s) 8 in the com
zone, but no matching DNSKEYs of algorithm(s) 8 were used to sign
the verisigninc.com DNSKEY RRset.
Indeed, the DS goes to key 24570, while the DNSKEY RRset is signed
only with KSK 64326 and ZSK 48824.
Nice DNSviz graph.
On Thu, Jun 28, 2012 at 04:04:47AM +,
Michael Hoskins (michoski) micho...@cisco.com wrote
a message of 61 lines which said:
or even firewall based rate limiting like iptables or dummynet.
http://codingfreak.blogspot.com/2010/01/iptables-rate-limit-incoming.html
Did you try this on a
On Thu, Jun 28, 2012 at 09:41:03AM +0800,
pangj pa...@riseup.net wrote
a message of 20 lines which said:
My named service got 1GB or more incoming traffic of attack
recently.
One gigabyte/s is quite serious and I'm afraid no solution on your
name server will help (it is too late). Can you
On Mon, Jul 16, 2012 at 10:27:07AM -0400,
Mark Jeftovic mar...@easydns.com wrote
a message of 40 lines which said:
I think what he means is that the other TLD ( ie .com ) does not yet
have a glue record in place for the .info nameserver
Of course. There is no need for glue since the name
On Mon, Jul 23, 2012 at 08:45:21AM +,
Paul Vixie p...@redbarn.org wrote
a message of 21 lines which said:
this is the right approach if you're running that server.
There is currently no way to write a program which will work with any
server because there is no standard to configure the
On Mon, Aug 27, 2012 at 09:05:05AM +,
Dobbins, Roland rdobb...@arbor.net wrote
a message of 16 lines which said:
http://www.skullsecurity.org/blog/2010/stuffing-javascript-into-dns-names
Funny but I'm not sure it is really useful for attacks in
practice. Several technical errors in the
Configuring a small network, I had the problem to test if the Internet
connectivity is working [side note: so I can use the result in the
test in the parents directive of Nagios/Icinga, to avoid alarms for
every target when the outside link is simply down]. The problem is to
find suitable targets
On Wed, Sep 05, 2012 at 11:45:23AM +0100,
Tony Finch d...@dotat.at wrote
a message of 80 lines which said:
It's really weird. The name servers are serving two versions of the zone,
one signed and one unsigned, and they seem to be alternating between
them.
I assume it is on purpose, part of
A friend sent me the script he uses against DNS DoS attacks by
reflection+amplification. I reject any responsibility for it but I
found it cute and geeky :-)
It uses tcpdump + typical Unix tools to automatically detect IP
addresses used in such attacks and block them (not something I
endorse).
On Wed, Sep 05, 2012 at 04:50:02PM +,
Paul Vixie p...@redbarn.org wrote
a message of 12 lines which said:
health checks should be to ping something you own,
Or something you have an *explicit* right to use, maybe because you
paid for it. Actually, it could be a business plan, renting
On Wed, Sep 05, 2012 at 12:43:46PM -0400,
Paul Wouters p...@cypherpunks.ca wrote
a message of 34 lines which said:
with the stubs doing more resolving/validating themselves, the root
servers are going to see a higher load. I think that's unavoidable.
I cannot speak for the root name servers
On Thu, Sep 06, 2012 at 10:43:12AM -0700,
Wessels, Duane dwess...@verisign.com wrote
a message of 39 lines which said:
We changed the RRSIG-remover so that it won't remove the signatures
from validatorsearch.verisignlabs.com itself. Hopefully that
allows you to view the page now.
But we
On Thu, Sep 06, 2012 at 10:43:12AM -0700,
Wessels, Duane dwess...@verisign.com wrote
a message of 39 lines which said:
I wouldn't say our setup assumes only one recursive in the path,
From my colleague Kim Minh Kaplan:
In the case where one of the forwarders is non validating, it will
On Mon, Sep 10, 2012 at 08:20:45PM +0200,
bert hubert bert.hub...@netherlabs.nl wrote
a message of 20 lines which said:
Go Daddy's servers appear to be down.
http://techcrunch.com/2012/09/10/godaddy-outage-takes-down-millions-of-sites/
On Mon, Sep 10, 2012 at 09:57:48PM +0200,
Phil Regnauld regna...@nsrc.org wrote
a message of 15 lines which said:
How is that different from ping the increasingly ubiquitous L
and F-root ?
Root name servers are critical: if you disrupt them, many kittens will
be killed. AS112
On Wed, Sep 05, 2012 at 02:44:34PM +,
Vernon Schryver v...@rhyolite.com wrote
a message of 78 lines which said:
I've heard that 8.8.8.8 is not a useful DNS DoS tool, perhaps
because Google, like any competent, well known provider, must know
about rate limiting.
I've tried using a
The TLD .td is down again, the two authoritative name servers are
broken (one servfails and the other times out).
Do not ask me if I know who to contact, the situation on the ground
is... complicated. (SOTEL, the TLD manager, was bought by Libyan
business just before the Arab spring and it seems
On Fri, Sep 21, 2012 at 11:23:02AM -0700,
David Conrad d...@virtualized.org wrote
a message of 38 lines which said:
I'm not sure how ICANN is supposed to do that without 'regulations'.
I don't think I said that ICANN should regulate nothing. It is a
regulator (even if it denies it, claiming
On Fri, Sep 21, 2012 at 07:38:44PM -0700,
P Vixie p...@redbarn.org wrote
a message of 77 lines which said:
To change the internet so that foo@Microsoft has universal not local
meaning would require action by many millions of parties not just by
Microsoft.
Yes. It is also true for IPv6,
On Fri, Sep 21, 2012 at 06:32:01PM -0700,
David Conrad d...@virtualized.org wrote
a message of 27 lines which said:
I understand and sympathize with this point of view, however, as a
counter-example: wildcards in .COM were outside of the root zone,
was that also none of ICANN's business?
On Mon, Sep 24, 2012 at 02:48:38PM +,
Lutz Donnerhacke l...@iks-jena.de wrote
a message of 16 lines which said:
Please have a look at http://lutz.donnerhacke.de/eng/Blog/DNS-Dampening
The basic security issue of DNS-based DoS is that the IP address of
the attacker is forged. There are
On Thu, Sep 27, 2012 at 12:23:12PM -0400,
Olafur Gudmundsson o...@ogud.com wrote
a message of 64 lines which said:
Usually when this happens in a debate that reflects a
partial/non-shared understanding of the problem.
It may simply mean there are inherent contradictions. This is common
in
On Thu, Sep 27, 2012 at 01:19:53PM -0400,
Phil Pennock dnsop+p...@spodhuis.org wrote
a message of 69 lines which said:
Experiment to see if OS fingerprinting yields useful signal on DNS
UDP queries (I suspect not?).
I'm not an expert in OS fingerprinting but, judging from the traffic
of
A big fail, I'm afraid. Apple's software tried to contact
bogusapple.com (presumably to have a known-to-fail test) but
someone registered the domain yesterday:
https://discussions.apple.com/thread/4380270?tstart=0
___
dns-operations mailing list
On Mon, Nov 07, 2011 at 02:01:14PM +0100,
Stephane Bortzmeyer bortzme...@nic.fr wrote
a message of 17 lines which said:
http://www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil
A long article about DNS poisoning without even a dig output, bad.
One sentence
On Tue, Oct 02, 2012 at 08:07:09PM +,
Paul Vixie p...@redbarn.org wrote
a message of 30 lines which said:
has the ssl format been submitted as an internet-draft, or is this a
private standard?
AFAIK, no, but it is very simple and built over the existing DNS: it
is the same format as
On Thu, Oct 18, 2012 at 06:06:13PM -0400,
Bill Owens ow...@nysernet.org wrote
a message of 16 lines which said:
So the registry-NetSol
NetSol (Network Solutions) is not the registry of .com for... how
many... ten years?
On Fri, Oct 26, 2012 at 10:11:33AM +,
Lutz Donnerhacke l...@iks-jena.de wrote
a message of 65 lines which said:
For the first query the glue data will be used (NS in the parent zone).
For later queries the resolver should requery the NS from the authoritative
servers.
And, at the
On Sun, Oct 28, 2012 at 02:22:04AM -0400,
Paul Wouters p...@cypherpunks.ca wrote
a message of 20 lines which said:
You missed the announcement of the 450 million downloads by iOS6 of
the IANA root key?
Poisoning the cache of a one-user iPhone is fun but less useful than
poisoning the
On Mon, Oct 29, 2012 at 10:13:55AM +,
Dobbins, Roland rdobb...@arbor.net wrote
a message of 20 lines which said:
We apply iptables based rate-limiting on ANY queries with RD bit set.
The problem with fronting your DNS servers with a stateful firewall
? iptables != stateful
On Mon, Oct 29, 2012 at 10:21:46AM +,
Dobbins, Roland rdobb...@arbor.net wrote
a message of 20 lines which said:
I've only ever seen it deployed with connection tracking - i.e.,
statefully.
Several TLDs use iptables for rate-limiting ANY amplification
attacks. They typically use the
On Tue, Nov 06, 2012 at 03:20:51PM +0800,
zhanglikun zhangli...@cnnic.cn wrote
a message of 187 lines which said:
Bad point is: you have to keep the data consistent by hand
without some automated tools
Why by hand? NOTIFY + IXFR is implemented in every name server
software, and is
On Tue, Nov 06, 2012 at 10:12:42AM +0800,
Feng He fen...@nsbeta.info wrote
a message of 87 lines which said:
It includes godaddy, cloudflare, dnsbed and dnspod. Does this have
any hidden problem for resolving?
No.
On Thu, Nov 08, 2012 at 02:29:38PM +,
Ayca Taskin (Garanti Teknoloji) ayc...@garanti.com.tr wrote
a message of 181 lines which said:
is it possible any problem between primary and secondaries like zone
transfer etc.?
As Nicolas and Keith said, it is very unlikely. That's the power of
On Tue, Nov 20, 2012 at 06:25:48PM +0800,
Feng He fen...@nsbeta.info wrote
a message of 59 lines which said:
;; ADDITIONAL SECTION:
ASPMX.L.GOOGLE.COM. 2626 IN A 1.2.3.4
ALT1.ASPMX.L.GOOGLE.COM. 2626 IN A 5.6.7.8
ALT2.ASPMX.L.GOOGLE.COM. 2626 IN
On Sat, Dec 08, 2012 at 03:26:43PM +0100,
Sebastian Wiesinger dns-operati...@ml.karotte.org wrote
a message of 55 lines which said:
since last night around 0:30 CET I'm getting sporadic validation
failures for a handful of reverse delegations. Not many but a few
each hour, from seemingly
On Fri, Dec 14, 2012 at 04:37:05PM +0800,
Feng He fen...@nsbeta.info wrote
a message of 17 lines which said:
does the TXT record allow a underline in its hostname?
1) What is on the left side is not always a host name, far from it (if
you have learned in a book that DNS is here to map host
On Fri, Dec 14, 2012 at 04:50:48PM +0800,
Feng He fen...@nsbeta.info wrote
a message of 23 lines which said:
From RFC 952
It's old, it was not even for the DNS! As I said, read the RFCs about
the DNS (RFC 1035, section 2.3.1 and RFC 2181, section 11).
And pay attention to the difference
On Fri, Dec 14, 2012 at 01:36:05PM +0100,
Florian Streibelt dnsops_x730df7...@spamfaenger.f-streibelt.de wrote
a message of 14 lines which said:
May I quote you wherever possible, especially at some special
university Professor who teaches such nonsense?
OK, if you provide the gasoline, I
On Mon, Dec 17, 2012 at 02:57:28PM -0500,
Patrick, Robert (CONTR) robert.patr...@hq.doe.gov wrote
a message of 36 lines which said:
mitigation is available at the O/S and network layer. As an
example, there are connection limits that can be enforced with
iptables on Linux.
The attached
On Mon, Dec 17, 2012 at 08:17:18PM +,
Paul Vixie p...@redbarn.org wrote
a message of 33 lines which said:
if you limit your request flows rather than your response flows,
then your only choice is: too low, where a legitimate client asking
a legitimately diverse set of questions, does
On Tue, Dec 18, 2012 at 10:21:03AM +0800,
Feng He fen...@nsbeta.info wrote
a message of 12 lines which said:
The next(!) stable version of Debian (wheezy) will have bind 9.8(!).
How to make debian 6 to apt-get install BIND 9.8?
It's not a DNS question but a Debian-specific system
On Tue, Dec 18, 2012 at 08:51:18AM +0100,
Stephane Bortzmeyer bortzme...@nic.fr wrote
a message of 80 lines which said:
[Not public]
Actually, it was the censored version, the not-public one has more
details, useful for the attacker.
The future RFC 6864, currently in AUTH48 state, talks about the
unicity of the ID (datagram identifier) field for IPv4. Its section
5.2 is of interest to us: basically, it says that senders of
non-atomic packets (a non-atomic packet is an IPv4 packet which is
fragmented or will possibly be, since
On Sun, Jan 13, 2013 at 08:59:39PM +0100,
Florian Weimer f...@deneb.enyo.de wrote
a message of 30 lines which said:
A typical initial TTL is 64, so the packet lives for at most 64
seconds. (Originally, the TTL was measured in seconds,
It was a very long time ago. RFC 1122, in 1989, already
On Wed, Jan 16, 2013 at 12:46:30AM +1100,
Mark Andrews ma...@isc.org wrote
a message of 126 lines which said:
For clean transfers of zones from one provider to the next the
losing provider should slave the zones from the new provider. This
ensures that caches only see current content
On Fri, Jan 18, 2013 at 09:08:37AM +1100,
Mark Andrews ma...@isc.org wrote
a message of 38 lines which said:
.mm failed to re-sign their DNSKEY RRset.
Note that, because Unbound is tolerant by default (10 % rule),
Unbound users will see the problem only on Sunday:
# BIND
% dig @149.20.64.20
allow-recursion is not enough:
http://304geeks.blogspot.co.uk/2013/01/dns-scraping-for-corporate-av-detection.html
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs
On Sun, Jan 20, 2013 at 06:55:44PM -0400,
.CW Registry Curacao regis...@una.net wrote
a message of 187 lines which said:
We need some help with getting our ccTLD registered worldwide.
You're in the news :-)
http://www.cloudshield.com/applications/dns-control-traffic-load.asp
My first reaction was "These solutions are incredibly stupid" and my
second one "But let's check among the experts at the dns-operations ML
before trolling."
On Wed, Feb 20, 2013 at 08:48:19AM +0100,
Jan-Piet Mens jpmens@gmail.com wrote
a message of 12 lines which said:
FYI, a paper (Feb 2013) titled "Defending against DNS reflection
amplification attacks" at [1].
Very good paper, highly recommended.
I was surprised they did not test NSD+RRL
http://blog.icann.org/2013/03/icann-coordinated-disclosure-guidelines/
The Security Team has prepared a set of guidelines to explain ICANN’s
Coordinated Vulnerability Disclosure Reporting. The guidelines serve
two purposes. They define the role ICANN will perform in circumstances
where
On Sun, Mar 31, 2013 at 01:32:13PM +0100,
Jim Reid j...@rfc1035.com wrote
a message of 23 lines which said:
Keeping state for bazillions of DNS TCP connections to a resolving
server will present further challenges.
Only the DNS people think that. The HTTP people are used to many TCP
On Sun, Mar 31, 2013 at 02:30:50AM -0700,
Xun Fan xun...@isi.edu wrote
a message of 90 lines which said:
Instead of closing the open resolvers, can we just force queries
from external networks to use TCP?
A very good idea, IMHO.
Say reply to queries from external networks with a short
On Sun, Mar 31, 2013 at 12:27:05PM -0400,
Paul Wouters p...@nohats.ca wrote
a message of 18 lines which said:
Not all open resolvers are run by brainless admins. And I
believe open resolvers are crucial to the open nature of the
internet.
There are two categories of open resolvers. The
On Sun, Mar 31, 2013 at 12:54:23PM -0400,
Paul Wouters p...@nohats.ca wrote
a message of 34 lines which said:
Not true. unbound allows you to only accept clients using TCP.
Ah, thanks, I should read the documentation more closely.
OK, I've set up an open resolver (best effort only) with
On Mon, Apr 01, 2013 at 04:17:36PM -0400,
Robert Edmonds edmo...@isc.org wrote
a message of 182 lines which said:
so that just leaves the decision of who gets to operate the new
N-root DNS server.
Congratulations: you've solved the easy problem, the technical one,
and left open the really
On Wed, Apr 03, 2013 at 10:11:16AM -0400,
Joe Abley jab...@hopcount.ca wrote
a message of 23 lines which said:
As advised a month or so ago, the following public comment period is open:
http://www.icann.org/en/news/public-comment/root-zone-consultation-08mar13-en.htm
humor
On Tue, Apr 16, 2013 at 08:21:14AM -0400,
Jared Mauch ja...@puck.nether.net wrote
a message of 15 lines which said:
You can view the results here:
http://openresolverproject.org/version.bind.report.txt
'BIND 8.3.3'
If it's true, it's a collector's edition...
On Tue, Apr 16, 2013 at 08:43:33AM -0400,
Joe Abley jab...@hopcount.ca wrote
a message of 13 lines which said:
'The name is Bind, James Bind'
Slightly better, in the same list, My named is Bind, James Bind
On Tue, Apr 16, 2013 at 08:52:39AM -0400,
Jared Mauch ja...@puck.nether.net wrote
a message of 36 lines which said:
Ok, I didn't expect everyone to post this to twitter/facebook so fast :)
Welcome to the Internet :-)
Does anyone have more technical and factual information about this problem?
Error in .SE, in one.com or in Telia?
http://www.one.com/en/info/profile
Update - April 27, 2013 12:52 PM CET
Telenor have solved the issues, but unfortunately some customers using Telia
and Bredbandsbolaget as internet
On Tue, May 21, 2013 at 09:01:08PM +0700,
Randy Bush ra...@psg.com wrote
a message of 9 lines which said:
http://www.intodns.com/ does not seem to work for cctlds
I would say it does not work for any TLD. For .COM, I get:
Invalid request!
On Thu, May 23, 2013 at 04:39:13PM +0300,
Vitalie Cherpec vita...@penguin.ro wrote
a message of 73 lines which said:
After 5 years of running it without any issues, I've received today
a complaint through my ISP from a big company in a foreign country.
It is a common problem with active
Is it reasonable/legal to have both tc and ad?
% dig +noignore @8.8.8.8 ANY fr
; <<>> DiG 9.7.3 <<>> +noignore @8.8.8.8 ANY fr
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46304
;; flags: qr tc rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0,
On Fri, Jun 14, 2013 at 12:55:27PM +0100,
Billy Glynn billy.gl...@iedr.ie wrote
a message of 52 lines which said:
The DNS-OARC website appears to be down...
Down from 1150 UTC to 1205 UTC for maintenance. ODVR did not restart
yet :-(
On Sun, Jun 16, 2013 at 05:29:40PM -0700,
Colm MacCárthaigh c...@stdlib.net wrote
a message of 62 lines which said:
At this point, several providers are using EDNS client
subnet. That's probably the most common option, by several orders of
magnitude.
I don't see option 8 at all in my data.
On Sun, Jun 16, 2013 at 10:43:05PM +0200,
Stephane Bortzmeyer bortzme...@nic.fr wrote
a message of 13 lines which said:
.FR name servers seem to indicate that they are almost never used (a
few 3, NSID and a few 5, DAU, even if the RFC on DNSSEC signaling of
algorithms is not yet published
On Tue, Jun 18, 2013 at 11:03:30PM +0200,
Marjorie marjo...@id3.net wrote
a message of 30 lines which said:
Basically I am researching early Internet usage and I would be
interested in (very) old zone files (or plain domain lists) from
around between 1985 and 1990,
This is really old. You
On Thu, Jun 20, 2013 at 01:10:01PM +0200,
abang ab...@t-ipnet.net wrote
a message of 9 lines which said:
..It seems your nameservers don't agree on the SOA serial number!...
But they seem to agree on the content. I assume that Dynect does not
enable AXFR with the customer's own name servers
On Thu, Jun 20, 2013 at 07:52:36AM -0400,
Andrew Sullivan a...@anvilwalrusden.com wrote
a message of 23 lines which said:
Without saying anything on the case at hand, I can tell you with
great certainty that Dyn will cheerfully act as slave for a zone.
Point taken. But the problem could be
On Wed, Jun 26, 2013 at 11:15:32PM -0500,
alex flores a...@mordormx.net wrote
a message of 58 lines which said:
One more weird thing is that just as the problem appeared, just
disappeared from the dns affected and it started to work correctly,
but now we received the report from another
On Tue, Aug 27, 2013 at 04:55:19PM -0500,
da...@from525.com da...@from525.com wrote
a message of 22 lines which said:
I am a DNS Administrator at NYTimes.com.
I regret there is no more authentication. I don't know from25.com...
Earlier today we had issues with
our registrar updating
On Wed, Sep 04, 2013 at 04:04:13PM +0200,
Ondřej Surý ondrej.s...@nic.cz wrote
a message of 93 lines which said:
Isn't it a good idea to limit the maximum size of the response,
like .com/.net (and maybe other TLDs: examples welcome) do? This
will make the attack more difficult.
That
On Wed, Sep 04, 2013 at 06:02:20PM +0200,
Jaroslav Benkovský jaroslav.benkov...@nic.cz wrote
a message of 23 lines which said:
the authors mention that the recommendation for IP-ID on IPv6 is a
sequential value,
IMHO, RFC 2460, section 4.5 is badly wrong, security-wise, because of
that. As
On Wed, Sep 04, 2013 at 05:01:47PM +,
Dan York y...@isoc.org wrote
a message of 32 lines which said:
My interest in understanding this attack is to understand how severe
it may be and whether or not it would be prevented by full
deployment of DNSSEC.
My opinion is that, yes, it is a
On Tue, Sep 10, 2013 at 07:14:04PM +0300,
Haya Shulman haya.shul...@gmail.com wrote
a message of 187 lines which said:
the trouble with randomizing the IPID is that this would require
kernel-level patches (as opposed to just DNS server software
upgrade), I believe. This makes it
On Mon, Sep 30, 2013 at 09:41:48PM +0200,
Stephane Bortzmeyer bortzme...@nic.fr wrote
a message of 39 lines which said:
have verified the DNS zone settings for the domain and all are
correct.
I do not think so.
There are other errors:
1) the set of name servers at the parent (the .ORG
On Sun, Oct 20, 2013 at 05:19:45PM +0100,
Jim Reid j...@rfc1035.com wrote
a message of 14 lines which said:
https://twitter.com/Official_SEA16/status/391339315562688513
If it's on Twitter it must be true, right? :-)
It has been discussed on this list more than 24 h ago so it is old
news,
On Thu, Oct 24, 2013 at 02:12:10PM +0100,
Chris Thompson c...@cam.ac.uk wrote
a message of 28 lines which said:
Neither dnssec-debugger.verisignlabs.com nor dnsviz.net are able to
analyse validation problems for NXDOMAIN responses,
DNSviz does not do it by default but you can activate it
On Thu, Oct 24, 2013 at 04:33:52PM +0200,
Anne-Marie Eklund-Löwinder anne-marie.eklund-lowin...@iis.se wrote
a message of 39 lines which said:
Twitter is so last year.
IANA notifications over 4chan? Or am I so late I don't even know the
trend of the day?
On Thu, Oct 24, 2013 at 09:11:41AM +0300,
Daniel Kalchev dan...@digsys.bg wrote
a message of 247 lines which said:
This is not an attack on DNS, but an attack on IP reassembly
technology.
Frankly, I do not share this way of seeing things. Since the DNS is,
by far, the biggest user of UDP
On Tue, Oct 22, 2013 at 11:59:04PM +,
Vernon Schryver v...@rhyolite.com wrote
a message of 50 lines which said:
Why would there be extra support calls? Wrong keys are no worse
than wrong delegations
Of course, they are worse. In the vast majority of cases, lame
delegations (or other
On Tue, Oct 22, 2013 at 01:28:15PM -0700,
Paul Vixie p...@redbarn.org wrote
a message of 24 lines which said:
BIND9 V9.9 may surprise you. it has inline signing and automatic key
management.
I don't think it is a fair description of BIND 9.9 abilities. It does
not manage keys (which, IMHO,
On Thu, Nov 14, 2013 at 06:02:23PM +0100,
Phil Regnauld regna...@nsrc.org wrote
a message of 25 lines which said:
I'm waiting for the first news articles reporting corporate
networks who've used .[insert new tld] as their private domain
and are now seeing strange things.
On Thu, Nov 21, 2013 at 06:17:24PM -0500,
David Dagon da...@sudo.sh wrote
a message of 31 lines which said:
Trying from various locations, I can't seem to reach these
authorities:
By the way, this is not the full list. The real one is larger (returned
here by f.gtld-servers.net):
;;
On Sun, Nov 24, 2013 at 10:52:27AM -0500,
Mark E. Jeftovic mar...@easydns.com wrote
a message of 16 lines which said:
Now, if someone from Microsoft can explain why IPv4 was down on all
these sites and not IPv6, I'm all ears...
DDoS?
I have a lot of trouble trying to imagine a DoS
On Sat, Dec 21, 2013 at 12:52:06PM +0100,
Klaus Darilion klaus.mailingli...@pernau.at wrote
a message of 72 lines which said:
Currently, the TLD name servers do not provide glue records for themselves.
...
I think this is correct, because nic.wien is delegation:
I don't know if it is correct :-)
[Yes, problems should be reported to the zone manager first. In that
case, the listed address gets a dns-ad...@fcc.gov: host
dc-ip-2.fcc.gov[192.104.54.91] said: 550 #5.1.0 Address rejected. (in
reply to RCPT TO command)]
ns3.fcc.gov and ns4.fcc.gov (but not the other two) time out when
queried
On Wed, Jan 08, 2014 at 08:51:00PM +,
Jeff Schmidt jschm...@jasadvisors.com wrote
a message of 110 lines which said:
Please look here:
http://domainincite.com/15512-controlled-interruption-as-a-means-to-prevent-name-collisions-guest-post
Will serving localhost IPs cause the kind of
On Fri, Jan 10, 2014 at 03:56:56PM +,
Jeff Schmidt jschm...@jasadvisors.com wrote
a message of 184 lines which said:
I'm not sure I understand this thinking precisely - if Joe Employee has a
problem accessing Acme's resources (the bookmarked web page) isn't he
likely to seek support
On Sat, Jan 11, 2014 at 06:32:00PM +0100,
Peter Koch p...@denic.de wrote
a message of 21 lines which said:
Take a breath - or let the compliance jihad begin:
These ICANN rules (against dotless domains) are meaningless and
ridiculous, anyway. I agree that such a TXT or TYPE65534 does no harm
On Sat, Jan 11, 2014 at 09:41:51PM +0100,
Jaap Akkerhuis j...@nlnetlabs.nl wrote
a message of 18 lines which said:
I vaguely remember that the AFNIC.fr people also noticed these
popping up in some cases.
On Mon, Jan 13, 2014 at 01:16:43PM -0200,
Rubens Kuhl rube...@nic.br wrote
a message of 43 lines which said:
There's also been a dotless A record for .dk for ages,
Many TLDs have an A at the apex. .dk is the only one with a at the
apex :-) See RFC 7085
.red and .rich both have a nic.$TLD which is unsigned. The lack of DS
is not validated, since only one NSEC3 is returned. It seems similar
to the problem of .онлайн / .xn--80asehdb three months ago.
% dig SOA nic.red
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> SOA nic.red
;; global options: +cmd
;; Got