Re: [dns-operations] The (very) uneven distribution of DNS root servers on the Internet

2012-05-15 Thread Warren Kumari
On May 15, 2012, at 4:57 AM, Stephane Bortzmeyer wrote: On Tue, May 15, 2012 at 07:28:54AM +, Michele Neylon :: Blacknight mich...@blacknight.ie wrote a message of 43 lines which said: That article and those graphics will be used and abused in hundreds of other articles. So anything

Re: [dns-operations] No to port blocking! (Was: Why would an MTA issue an ANY query instead of an MX query?

2012-06-12 Thread Warren Kumari
On Jun 12, 2012, at 4:14 AM, Stephane Bortzmeyer wrote: On Tue, Jun 12, 2012 at 03:32:56AM +, Vernon Schryver v...@rhyolite.com wrote a message of 76 lines which said: Joe and Joan should be using their ISP's validating, load balancing, well (or at least somewhat) maintained DNS

Re: [dns-operations] thoughts on DNSSEC

2012-07-25 Thread Warren Kumari
On Jul 25, 2012, at 3:36 AM, Francis Dupont wrote: In your previous mail you wrote: What about always using both types of DS record? Why does everyone publish both SHA-1 and SHA-256 digests? RFC 4509 is more than 6 years old. = in fact perhaps it is the right time to jump to SHA-256

Re: [dns-operations] Pinging the root name servers to check my connectivity?

2012-09-11 Thread Warren Kumari
On Sep 11, 2012, at 9:27 AM, wbr...@e1b.org wrote: Jeroen Massar jer...@unfix.org wrote on 09/11/2012 09:06:55 AM: Or should be building into a product... Given the slight odds of them getting it correct, I'd agree with that. Obligatory reference to what happens when CPE vendors

Re: [dns-operations] dotless domains

2012-09-21 Thread Warren Kumari
On Sep 21, 2012, at 4:12 AM, Phil Regnauld regna...@nsrc.org wrote: Paul Vixie (paul) writes: gentlefolk, i call your attention to this: http://www.icann.org/en/news/public-comment/sac053-dotless-domains-24aug12-en.htm i've already explained as best i can:

Re: [dns-operations] Massive DNS poisoning attacks in Brazil

2012-10-02 Thread Warren Kumari
On Oct 2, 2012, at 7:59 AM, Rubens Kuhl rube...@nic.br wrote: Much better and very detailed analysis (by the same author!) So, it was not DNS poisoning at all but a change in the DNS settings of the router, after the box was cracked. (DNSchanger-style)

Re: [dns-operations] note for the peanut gallery Re: underline in TXT's host

2012-12-17 Thread Warren Kumari
On Dec 17, 2012, at 11:55 AM, Mike Hoskins (michoski) micho...@cisco.com wrote: -Original Message- From: Feng He fen...@nsbeta.info Date: Monday, December 17, 2012 3:31 AM To: dns-operations@lists.dns-oarc.net dns-operations@lists.dns-oarc.net Subject: Re: [dns-operations] note

Re: [dns-operations] DNS and Email

2013-01-11 Thread Warren Kumari
On Jan 10, 2013, at 11:57 PM, Brett Watson br...@the-watsons.org wrote: On Jan 10, 2013, at 9:25 PM, Noel Butler wrote: On Fri, 2013-01-11 at 10:43 +0800, Feng He wrote: And I have a question that, what is the good username for showing in the whois info for domain contact email?

Re: [dns-operations] Enom's name server broken?

2013-01-15 Thread Warren Kumari
On Jan 15, 2013, at 11:45 AM, Paul Vixie p...@redbarn.org wrote: Stephane Bortzmeyer wrote: ... dns1.name-services.com is not supposed to be recursive (it does not set the RA bit) but it is: % dig @dns1.name-services.com www.dns-oarc.net ... ;; ANSWER SECTION:

Re: [dns-operations] What's a suffix?

2013-01-21 Thread Warren Kumari
On Jan 21, 2013, at 6:45 AM, Jothan Frakes jot...@gmail.com wrote: Hi- Perhaps my suggestion was better for off-list, and I certainly don't know if it would be the magic solution for .cw, but it certainly could not hurt them to submit their entry to the PSL. I do hope it contributes to

Re: [dns-operations] 10% was Re: .mm ....

2013-01-21 Thread Warren Kumari
On Jan 21, 2013, at 5:26 AM, Jaroslav Benkovský jaroslav.benkov...@nic.cz wrote: On 01/19/2013 09:28 PM, Matthäus Wander wrote: I think it's more like I'll tolerate an expired signature for 10% of the original validity period and use that extra time to let other people notice and fix it.

Re: [dns-operations] Monday rant againt the uses of the Public Suffix List

2013-01-21 Thread Warren Kumari
On Jan 21, 2013, at 5:32 PM, Andrew Sullivan a...@anvilwalrusden.com wrote: On Mon, Jan 21, 2013 at 03:29:28PM -0500, Warren Kumari wrote: Please sir, if I run www.images.example.co.uk, can I set a cookie at images.example.co.uk? How about example.co.uk? Fine… Now .co.uk? Hmm

Re: [dns-operations] CloudShield advices against dDoS

2013-02-20 Thread Warren Kumari
On Feb 20, 2013, at 12:03 PM, Joe Abley jab...@hopcount.ca wrote: On 2013-02-20, at 12:46, Stephane Bortzmeyer bortzme...@nic.fr wrote: http://www.cloudshield.com/applications/dns-control-traffic-load.asp I think this particular information security professional with more than 16

Re: [dns-operations] Capturing 8.8.8.8 Traffic

2013-02-25 Thread Warren Kumari
On Feb 25, 2013, at 12:42 PM, Lyle Giese l...@lcrcomputer.net wrote: On 2/25/2013 11:31 AM, Joe Provo wrote: On Mon, Feb 25, 2013 at 07:26:07PM +0200, Graham Beneke wrote: I discovered the other day that a large customer of $dayjob has decided that it is a good idea to outsource the LAN

Re: [dns-operations] Capturing 8.8.8.8 Traffic

2013-02-25 Thread Warren Kumari
On Feb 25, 2013, at 7:17 PM, Robert Edmonds edmo...@isc.org wrote: Noel Butler wrote: and putting tin foil hat on now :) it would log those requests, and who knows what google does with that data, it sure as hell doesnt do it for the goodness of the planet, there is a commercial reason

Re: [dns-operations] DNS Issue

2013-04-26 Thread Warren Kumari
On Apr 26, 2013, at 4:32 AM, Dobbins, Roland rdobb...@arbor.net wrote: On Apr 26, 2013, at 12:27 AM, Warren Kumari wrote: I think that in many cases it is not that the named version doesn't support randomization, but rather that they / their firewall group believes that DNS should only

Re: [dns-operations] A question about changing nameservers

2013-05-28 Thread Warren Kumari
On May 28, 2013, at 6:32 AM, Michele Neylon :: Blacknight mich...@blacknight.com wrote: Obvious question, but did you create the glue records? -- Mr Michele Neylon Blacknight Solutions Hosting Colocation, Brand Protection http://www.blacknight.com/ http://blog.blacknight.com/

Re: [dns-operations] DNSCrypt.

2013-05-31 Thread Warren Kumari
On May 31, 2013, at 11:38 AM, Joe Abley jab...@hopcount.ca wrote: On 2013-05-31, at 11:24, Dobbins, Roland rdobb...@arbor.net wrote: There's no crypto anything inherent in DNS today, heh. Well, apart from the use of TSIG to authenticate zone transfers. As I mentioned obliquely, I

Re: [dns-operations] Implementation of negative trust anchors?

2013-08-21 Thread Warren Kumari
On Aug 21, 2013, at 1:33 AM, Ralf Weber ralf.we...@nominum.com wrote: Moin! On 20.08.2013, at 20:14, Doug Barton do...@dougbarton.us wrote: Rumor has it that Nominum and Fortidns have implementations for NTAs. Any truth to those rumors? It's not a rumor. Nominum Vantio had this feature

Re: [dns-operations] Implementation of negative trust anchors?

2013-08-23 Thread Warren Kumari
On Aug 23, 2013, at 11:04 AM, Carlos M. Martinez carlosm3...@gmail.com wrote: I'm _very_ torn on the issue. On one hand I fully agree with Patrik in the sense that documenting such practices could lead to widespread 'holes' in validation. However, in my opinion the first knee jerk

Re: [dns-operations] Implementation of negative trust anchors?

2013-08-23 Thread Warren Kumari
On Aug 23, 2013, at 12:19 PM, Paul Vixie p...@redbarn.org wrote: David Conrad wrote: On Aug 22, 2013, at 3:25 PM, Paul Vixie p...@redbarn.org wrote: ... over and above the absurd engineering economics behind it, i don't like NTA. if my signatures don't work because i've been

Re: [dns-operations] .ORG website experiences intermittent DNS failure

2013-09-30 Thread Warren Kumari
Warren Kumari -- Please excuse typing, etc -- This was sent from a device with a tiny keyboard. On Sep 30, 2013, at 8:22 PM, Paul Wouters p...@nohats.ca wrote: On Mon, 30 Sep 2013, Catherine Burdon wrote: Website www.newmarketstageco.org experiencing DNS failure intermittently. I

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-14 Thread Warren Kumari
On Oct 14, 2013, at 9:33 PM, Carlos M. Martinez carlosm3...@gmail.com wrote: Agreed. However, at least in my experience, it is usually easy to achieve high availability figures running a linux box on relatively cheap hardware, while links are much less dependable. I've seen 400-day plus

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

2013-10-16 Thread Warren Kumari
On Oct 16, 2013, at 10:59 AM, Jared Mauch ja...@puck.nether.net wrote: On Oct 15, 2013, at 7:28 PM, Vernon Schryver v...@rhyolite.com wrote: Folks like Comcast have large validating resolvers. Their customers should use them. Folks here are surely going to do the right thing the

Re: [dns-operations] summary of recent vulnerabilities in DNS security.

2013-10-21 Thread Warren Kumari
On Oct 21, 2013, at 4:39 PM, Phil Regnauld regna...@nsrc.org wrote: Michele Neylon - Blacknight (michele) writes: Yes, I've noticed that Google is still not signing. Maybe the continuing hijackings of their ccTLD domains will move them. I suspect they're more interested in getting

Re: [dns-operations] All NSs for a TLD being in the TLD itself

2013-10-25 Thread Warren Kumari
On Oct 25, 2013, at 1:33 PM, Edward Lewis ed.le...@neustar.biz wrote: Randy, On Oct 25, 2013, at 9:45, Randy Bush wrote: the ip address clumping would worry me if i thought they were not anycast. Anycast or not, I wouldn't think this is a problem. Meaning, I don't see why this would

Re: [dns-operations] Is it illegal to query the .berlin TLD servers?

2014-01-13 Thread Warren Kumari
On Mon, Jan 13, 2014 at 10:54 AM, Stephane Bortzmeyer bortzme...@nic.fr wrote: On Sat, Jan 11, 2014 at 06:32:00PM +0100, Peter Koch p...@denic.de wrote a message of 21 lines which said: Take a breath - or let the compliance jihad begin: These ICANN rules (against dotless domains) are

Re: [dns-operations] most of root NS and com's NS fail from here

2014-04-29 Thread Warren Kumari
On Tue, Apr 29, 2014 at 2:18 PM, bert hubert bert.hub...@netherlabs.nl wrote: On 29 Apr 2014, at 20:55, Emmanuel Thierry m...@sekil.fr wrote: What we may observe from tests is that some dns servers failed without an obvious connectivity problem (ping is OK). As a consequence, i think it

Re: [dns-operations] most of root NS and com's NS fail from here

2014-04-29 Thread Warren Kumari
On Tue, Apr 29, 2014 at 5:06 PM, Xun Fan xun...@isi.edu wrote: On Tue, Apr 29, 2014 at 1:52 PM, Warren Kumari war...@kumari.net wrote: On Tue, Apr 29, 2014 at 4:45 PM, Xun Fan xun...@isi.edu wrote: China has its own root nodes is confirmed long ago, we published that in our paper

Re: [dns-operations] What's wrong with my domain?

2014-07-02 Thread Warren Kumari
On Wed, Jul 2, 2014 at 8:19 AM, Tony Finch d...@dotat.at wrote: Mohamed Lrhazi ml...@georgetown.edu wrote: gu.edu is, luckily, a test domain, and not production. I had enabled DNSSec in our F5 GTM front ending DNS, and forgot about it. Seems I have to learn that after a while keys are rolled

Re: [dns-operations] Forcing BIND to randomly expire records from cache ahead of time

2014-07-04 Thread Warren Kumari
On Thu, Jul 3, 2014 at 6:04 PM, Tim Wicinski tjw.i...@gmail.com wrote: Mark Unbound has this feature, but it's a % of the TTL (oh they may have changed this). You may be also interested in this idea which was floated during IETF, and not rejected, just a small sliver of useful customer base:

Re: [dns-operations] Forcing BIND to randomly expire records from cache ahead of time

2014-07-04 Thread Warren Kumari
On Friday, July 4, 2014, Warren Kumari war...@kumari.net wrote: On Thu, Jul 3, 2014 at 6:04 PM, Tim Wicinski tjw.i...@gmail.com wrote: Mark Unbound has this feature, but it's a % of the TTL (oh they may have changed this). You may be also interested in this idea which

Re: [dns-operations] Why would a recusrive caching server not resolve a CNAME?

2014-07-07 Thread Warren Kumari
On Sun, Jul 6, 2014 at 3:45 PM, Mohamed Lrhazi ml...@georgetown.edu wrote: Thanks Lyle, I did not mean to say that list was defunct, quite the opposite, I felt that I was a bit spamming it with non global operational DNS issue Nah. No worries. This list traditionally has a wide range of

Re: [dns-operations] A report on a DNS issue that was causing page redirections

2014-08-13 Thread Warren Kumari
On Wed, Aug 13, 2014 at 3:38 AM, Stephane Bortzmeyer bortzme...@nic.fr wrote: On Tue, Aug 12, 2014 at 06:59:37PM +0200, Stephane Bortzmeyer bortzme...@nic.fr wrote a message of 14 lines which said: The author says your domain name registrar can introduce an error to the root domain

Re: [dns-operations] DNS load-balancing/failover using an ASR 9xxx (few questions)

2014-08-15 Thread Warren Kumari
On Thu, Aug 14, 2014 at 6:00 PM, Nat Morris n...@nuqe.net wrote: On 14 August 2014 18:48, Jake Zack jake.z...@cira.ca wrote: In the ASR 9xxx series with IOS XR, the “ipsla” that it has available doesn’t seem to do either TCP connections or UDP DNS queries. It seems my only real option is to

Re: [dns-operations] First new gTLD using ICANN's Name Collision Occurrence Management Framework

2014-08-28 Thread Warren Kumari
On Thu, Aug 28, 2014 at 12:50 PM, SM s...@resistor.net wrote: Hi Chris, At 05:38 28-08-2014, Chris Thompson wrote: The gTLD otsuka, created sometime in the last 24 hours, appears to be the first to use the wildcards described at [snip] What do people think about this business? Is

Re: [dns-operations] First new gTLD using ICANN's Name Collision Occurrence Management Framework

2014-08-28 Thread Warren Kumari
On Thursday, August 28, 2014, Rod Rasmussen rod.rasmus...@internetidentity.com wrote: I note that these documents speak to many of the issues being exposed here (and yes, full disclosure, I wrote a small portion of the text/reviewed them): Yah, me too... W

Re: [dns-operations] Dumb question: why is it that some registries limit the nameservers that can be delegated to?

2014-09-11 Thread Warren Kumari
I'd always thought that this was kinda because of the way EPP is written -- not that it is actually required, but when reading the docs you see the nameservers object and kinda assume... I think at this point much of it is hysterical raisons. W On Thursday, September 11, 2014, Stephane

Re: [dns-operations] Dumb question: why is it that some registries limit the nameservers that can be delegated to?

2014-09-12 Thread Warren Kumari
[ Note: I haven't had my morning coffee yet, this post likely rambling / incoherent... ] What ever happened to the let's use the glue as a service address trick? There was some drama about this a number of years ago, but it died down, possibly as bandwidth and DNS became cheaper... I cannot

Re: [dns-operations] An simple observation

2014-09-25 Thread Warren Kumari
On Thu, Sep 25, 2014 at 9:26 AM, Matthew Pounsett m...@conundrum.com wrote: On Sep 24, 2014, at 21:27 , Davey Song songlinj...@gmail.com wrote: Hi everyone, I'm recently doing a little survey on the penetration of IPv6 in DNS system and it's latent problems. I find that top websites like

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-26 Thread Warren Kumari
On Wed, Nov 26, 2014 at 12:46 PM, Jared Mauch ja...@puck.nether.net wrote: On Nov 26, 2014, at 10:13 AM, Paul Wouters p...@nohats.ca wrote: http://tools.ietf.org/html/rfc6598 defines 100.64.0.0/10 Packets with Shared Address Space source or destination addresses MUST NOT be forwarded

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-26 Thread Warren Kumari
On Wed, Nov 26, 2014 at 4:10 PM, Joe Abley jab...@hopcount.ca wrote: On 26 Nov 2014, at 14:06, Warren Kumari war...@kumari.net wrote: What's wrong with 127.0.0.1? It makes it clear what the intent is, and you don't get a much more distributed sinkhole than that... I'm always wary of using

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-27 Thread Warren Kumari
On Wed, Nov 26, 2014 at 7:12 PM, Robert Edmonds edmo...@mycre.ws wrote: Warren Kumari wrote: This thingie has many aspects that look a bunch like AS112 -- I'm wondering if it makes sense to also request an AS number for this. It's not strictly needed, but having fewer inconsistent origin

Re: [dns-operations] cool idea regarding root zone inviolability

2014-11-27 Thread Warren Kumari
... and Mark Andrews, Paul Hofmann, Paul Wouters, myself and a few others (who I embarrassing enough have forgotten) are planning on writing a zone signature draft (I have an initial version in an edit buffet). The 50,000 meter view is: Sort all the records in canonical order (including glue)

Re: [dns-operations] cool idea regarding root zone inviolability

2014-11-27 Thread Warren Kumari
On Thursday, November 27, 2014, Paul Vixie p...@redbarn.org wrote: Warren Kumari Thursday, November 27, 2014 1:11 PM ... and Mark Andrews, Paul Hofmann, Paul Wouters, myself and a few others (who I embarrassing enough have forgotten

Re: [dns-operations] cool idea regarding root zone inviolability

2014-11-27 Thread Warren Kumari
, at 1:55 PM, Paul Vixie p...@redbarn.org wrote: Warren Kumari Thursday, November 27, 2014 1:11 PM ... and Mark Andrews, Paul Hofmann, Paul Wouters, myself and a few

[dns-operations] Reminder: Workshop on DNS Future Root Service Architecture, Hong Kong, December 8-9, 2014

2014-12-01 Thread Warren Kumari
Hi all, A reminder that, if you are coming to the Workshop on DNS Future Root Service Architecture, Hong Kong, December 8-9, 2014 meeting to please let Paul Vixie p...@redbarn.org or myself Warren Kumari war...@kumari.net know. We have a room block at venue hotel. To reserve a room in this block

Re: [dns-operations] cool idea regarding root zone inviolability

2014-12-02 Thread Warren Kumari
On Mon, Dec 1, 2014 at 6:13 PM, Paul Vixie p...@redbarn.org wrote: Paul Vixie p...@redbarn.org Sunday, November 30, 2014 2:29 PM why? (your use case is not obvious from what you've written.) ... Chuck Anderson c...@wpi.edu Monday, December 01, 2014 7:09 AM Silent on-disk

Re: [dns-operations] Sharing a DNSSEC key between zones

2015-01-10 Thread Warren Kumari
On Friday, January 9, 2015, Tony Finch fa...@cam.ac.uk wrote: On 9 Jan 2015, at 12:50, Stephane Bortzmeyer bortzme...@nic.fr wrote: I'm looking for resources discussing the pros and cons of sharing DNSSEC keys between zones. I find nothing in RFC 6841 or 6781. Any

Re: [dns-operations] Saga of HBONow DNSSEC Failure

2015-03-10 Thread Warren Kumari
On Tue, Mar 10, 2015 at 11:09 AM, Matthew Pounsett m...@conundrum.com wrote: On Mar 9, 2015, at 23:50 , Livingood, Jason jason_living...@cable.comcast.com wrote: So earlier today HBO announced a new HBONow streaming service (at an Apple event). The FQDN to order, which should have been

Re: [dns-operations] DNS Flush Protocol

2015-03-27 Thread Warren Kumari
On Fri, Mar 27, 2015 at 2:40 PM, George Michaelson g...@apnic.net wrote: I would agree that assumptions are a road to perdition. But the model of concentration of eyeballs through resolvers is not new. So, whilst I agree in *principle* I think it bears thinking about: do you actually really

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Warren Kumari
On Tue, Apr 14, 2015 at 2:47 PM, Marjorie marjo...@id3.net wrote: This is an interesting discussion actually. It's all about a rather benign but widespread misconfiguration. It's only a misconfiguration if the operator didn't choose to do that intentionally... Not long ago, I ran a survey

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Warren Kumari
On Tue, Apr 14, 2015 at 4:31 PM, Michael Sinatra mich...@brokendns.net wrote: On 4/14/15 12:00 PM, Mike Hoskins (michoski) wrote: I disagree with this. There is no valid reason for exposing your network topology to the outside world. You are only making the job easier for potential

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread Warren Kumari
On Tue, Apr 14, 2015 at 3:15 PM, Edward Lewis edward.le...@icann.org wrote: On 4/14/15, 14:47, Marjorie marjo...@id3.net wrote: The bottom line is that unrestricted AXFR is generally evil, I'd go with generally unwise. There are folks that believe it is fine to allow access to their zones

Re: [dns-operations] .co broken for non-stock queries?

2015-06-10 Thread Warren Kumari
On Wed, Jun 10, 2015 at 3:48 AM, Mark Andrews ma...@isc.org wrote: See http://ednscomp.isc.org/compliance/tld-typereport.txt and covers all tld servers. Oh, cool... What would be really helpful is a description (or link to a description) of what the tests being performed are -- when it says:

Re: [dns-operations] Lack of tlsa support

2015-05-27 Thread Warren Kumari
On Wed, May 27, 2015 at 1:32 PM, Joe Abley jab...@hopcount.ca wrote: On 27 May 2015, at 16:16, Mark Andrews wrote: Do we really have to fight to get every new type supported? Mark marka@ednscomp ~/tld-report]$ awk '$4 == NS {print $1, $5}' root.db | sh gentypereport tlsa | grep -v all ok

Re: [dns-operations] Lack of tlsa support

2015-05-27 Thread Warren Kumari
On Wed, May 27, 2015 at 3:02 PM, Joe Abley jab...@hopcount.ca wrote: On 27 May 2015, at 19:14, Warren Kumari wrote: For what it's worth, I have no problem getting a reasonable (negative) response to ACCOUNTANT/IN/TLSA or SOMETHING.ACCOUNTANT/IN/TLSA from 156.154.144.195 with EDNS0.DO=1

Re: [dns-operations] The root zone at past 1000.

2015-07-13 Thread Warren Kumari
On Mon, Jul 13, 2015 at 3:43 PM, Stephane Bortzmeyer bortzme...@nic.fr wrote: On Mon, Jul 13, 2015 at 01:01:36PM +, Shane Kerr sh...@time-travellers.org wrote a message of 23 lines which said: I look forward to reviewing the next DITL captures and seeing how much this has improved the

Re: [dns-operations] The root zone at past 1000.

2015-07-13 Thread Warren Kumari
On Mon, Jul 13, 2015 at 3:01 PM, Shane Kerr sh...@time-travellers.org wrote: William, On Wed, 8 Jul 2015 14:07:20 -0400 (EDT) William Sotomayor w...@ottix.net wrote: Well we've had December 2012 come and go, and now we're at 1003 entries in the root zone. I think we're all still here and

Re: [dns-operations] Link-local IP addresses for a resolver?

2019-09-25 Thread Warren Kumari
On Wed, Sep 25, 2019 at 6:33 PM Joe Abley wrote: > > On 25 Sep 2019, at 18:18, Warren Kumari wrote: > > > Yes, the best practice and advice is to choose something random, but > > network engineers are humans too, and if you had to remember and try > > tell someone over

Re: [dns-operations] Link-local IP addresses for a resolver?

2019-09-25 Thread Warren Kumari
On Tue, Sep 24, 2019 at 8:03 PM John R Levine wrote: > > On Wed, 25 Sep 2019, Mark Andrews wrote: > > > ISP’s advertings ULA’s to customers have similar problems with > > advertising LLL to customers. The CPE should be the site boundary making > > the ISP’s DNS servers unreachable from inside the

Re: [dns-operations] glitch on [ip6|in-addr].arpa?

2019-10-10 Thread Warren Kumari
On Thu, Oct 10, 2019 at 5:12 AM Matthew Pounsett wrote: > > > > On Wed, 9 Oct 2019 at 22:57, Viktor Dukhovni wrote: >> >> On Wed, Oct 09, 2019 at 05:41:43PM -0400, Viktor Dukhovni wrote: >> >> > No, even small responses receive no answers from the IPv6 addresses >> > of the C and F roots. Both

Re: [dns-operations] glitch on [ip6|in-addr].arpa?

2019-10-10 Thread Warren Kumari
On Thu, Oct 10, 2019 at 4:59 PM Frank Louwers wrote: > > Hi Warren, > > The lack of peering with a network doesn't prevent my accessing them, > it just means that my packets take a sub-optimal[0] route. > The above doesn't look like that at all, it looks like $something else > (like dropped

Re: [dns-operations] glitch on [ip6|in-addr].arpa?

2019-10-11 Thread Warren Kumari
On Fri, Oct 11, 2019 at 9:00 PM Joe Abley wrote: > On 11 Oct 2019, at 14:21, Paul Vixie wrote: > > > in the earlier days of DNS-OARC (where dnsviz migrated to recently), > there was a server at cogent, which was not reachable over IPv6 from users > are hurricane. i don't remember anybody

Re: [dns-operations] Flush DNSSEC from Cache

2019-12-18 Thread Warren Kumari
On Wed, Dec 18, 2019 at 9:10 AM Jay, Tim via dns-operations wrote: > > > > > -- Forwarded message -- > From: "Jay, Tim" > To: "dns-operations@lists.dns-oarc.net" > Cc: > Bcc: > Date: Wed, 18 Dec 2019 07:06:56 + > Subject: Flush DNSSEC from Cache > > Hello DNSOPS, > > > >

Re: [dns-operations] any registries require DNSKEY not DS?

2020-01-22 Thread Warren Kumari
On Wed, Jan 22, 2020 at 9:19 PM Viktor Dukhovni wrote: > > On Wed, Jan 22, 2020 at 10:13:40PM +, Tony Finch wrote: > > > Are there any registries that configure secure delegations from DNSKEY > > records (and do their own conversion to DS records) rather than accepting > > DS records from the

Re: [dns-operations] any registries require DNSKEY not DS?

2020-01-23 Thread Warren Kumari
On Thu, Jan 23, 2020 at 3:39 PM Florian Weimer wrote: > > * Warren Kumari: > > > On Wed, Jan 22, 2020 at 9:19 PM Viktor Dukhovni wrote: > >> > >> On Wed, Jan 22, 2020 at 10:13:40PM +, Tony Finch wrote: > >> > >> > Are there any re

[dns-operations] ... one of the more annoying captive portal breakages I've seen...

2020-02-19 Thread Warren Kumari
So, I'm sitting in a hotel in Melbourne (APRICOT20), trying to get some work done[0]. They have a captive portal which a: logs you out fairly often and b: requires you use their DNS server. Ugh, but OK. ..but, they have managed to invent some new, and interesting failure mode - if I look up a

Re: [dns-operations] Google DNS Admin

2020-01-08 Thread Warren Kumari
Here is a RIPE Atlas measurement towards that IP https://atlas.ripe.net/measurements/23785597/#!tracemon -- 10 out of 50 probes could not traceroute to that IP, but there didn't seem to be an obvious single point that they all stopped at (BT and Cogent and Liberty and ASK4 and Comcast) - this is a

Re: [dns-operations] [Ext] Re: help with a resolution

2020-01-08 Thread Warren Kumari
On Wed, Jan 8, 2020 at 6:47 PM Viktor Dukhovni wrote: > > On Wed, Jan 08, 2020 at 06:00:06PM -0500, Viktor Dukhovni wrote: > > > Well, there are various services where indeed the zone administrator signs > > records from authenticated, but otherwise untrusted customers, provided > > the RR owner

Re: [dns-operations] any registries require DNSKEY not DS?

2020-01-22 Thread Warren Kumari
On Wed, Jan 22, 2020 at 5:26 PM Tony Finch wrote: > > Are there any registries that configure secure delegations from DNSKEY > records (and do their own conversion to DS records) rather than accepting > DS records from the registrant? I believe that at least SIDN used to (and perhaps still does)

Re: [dns-operations] any registries require DNSKEY not DS?

2020-01-22 Thread Warren Kumari
On Wed, Jan 22, 2020 at 7:12 PM Tony Finch wrote: > > Warren Kumari wrote: > > > > I believe that at least SIDN used to (and perhaps still does) - this > > was one of the reasons that the CDS record is actually CDS/CDNSKEY. > > > > When I first heard thi

Re: [dns-operations] [Ext] Re: help with a resolution

2020-01-09 Thread Warren Kumari
and then read the "sort after the innocuous prefix" phrase and the penny finally dropped. Ok, I see the concern now, and *do* feel foolish for not getting it sooner... Shame cube, W On Wed, Jan 8, 2020 at 7:12 PM Warren Kumari wrote: > > On Wed, Jan 8, 2020 at 6:47 PM Viktor

Re: [dns-operations] help with a resolution

2020-01-08 Thread Warren Kumari
On Wed, Jan 8, 2020 at 1:54 PM Viktor Dukhovni wrote: > > On Wed, Jan 08, 2020 at 11:34:00PM +0530, Mukund Sivaraman wrote: > > > > > [muks@jurassic ~/tmp-dnssec]$ dnssec-dsfromkey Kexample.org.+005+04222 > > > > example.org. IN DS 4222 5 1 7B83C10E0220CA65139DFFE14F3F24B8D8ACAEA2 > > > >

Re: [dns-operations] help with a resolution

2020-01-07 Thread Warren Kumari
Your DNSSEC is broken - see https://dnsviz.net/d/pike-aviation.com/dnssec/ .com says that the domain is signed (with keyid 41388), but there is no DNSKEY in the zone. W On Tue, Jan 7, 2020 at 8:33 PM William C wrote: > > Hi > > Can you help check why public nameservers (all 8.8.8.8, 1.1.1.1,

Re: [dns-operations] DNSViz Service Restoration

2020-03-11 Thread Warren Kumari
On Wed, Mar 11, 2020 at 3:44 PM Matthew Pounsett wrote: > > Hi all! > > OARC is happy… no, ecstatic… to announce that the DNSViz historical functions > have been restored! Users will now be seeing full functionality from the > site at . > Awesome, thank you all. > A few

Re: [dns-operations] [Ext] Re: Contingency plans for the next Root KSK Ceremony

2020-03-31 Thread Warren Kumari
On Tue, Mar 31, 2020 at 3:40 PM Dave Lawrence wrote: > > Grant Taylor via dns-operations writes: > > I fail to see how any government would prevent the necessary parties > > from attending if / when they fully understand the need. Especially > > when some of said governments have directives ~>

Re: [dns-operations] [Ext] Re: Contingency plans for the next Root KSK Ceremony

2020-03-30 Thread Warren Kumari
On Fri, Mar 27, 2020 at 5:46 AM Erwin Lansing via dns-operations wrote: > > > > > -- Forwarded message -- > From: Erwin Lansing > To: Kim Davies > Cc: Sergey Myasoedov , "dns-operati...@dns-oarc.net" > > Bcc: > Date: Fri, 27 Mar 2020 10:34:51 +0100 > Subject: Re:

Re: [dns-operations] looking for suggestion: ML for DNS anti-dos

2020-04-02 Thread Warren Kumari
On Thu, Apr 2, 2020 at 9:38 AM Tessa Plum wrote: > > Hello > > I am not familiar with DNS servers, trying my hard to learn it. > I am a researcher on ML/DL field. > Just got a thought, do you think if it's possible to improve DNS > anti-dos capability by deep learning? > As we know, ML/DL is just

Re: [dns-operations] Strange behavior of covid.cdc.gov

2020-08-31 Thread Warren Kumari
On Mon, Aug 31, 2020 at 9:23 AM Yasuhiro Orange Morishita / 森下泰宏 wrote: > > Hi, > > Now covid.cdc.gov seems to be DNSSEC validation error. > Google Public DNS and some DNSSEC-enabled resolvers return SERVFAIL. > e.g. dig covid.cdc.gov @8.8.8.8 > > But it seems to be a little bit strange. The

Re: [dns-operations] New OARC Chat Platform

2020-08-25 Thread Warren Kumari
On Tue, Aug 25, 2020 at 12:10 PM Paul Ebersman wrote: > > warren> We've often discussed if the tools are useful / doing what we > warren> want. My concern with this is that it requires yet another app > warren> installed for people to communicate; > > I'm one of the first to bitch about this when

Re: [dns-operations] New OARC Chat Platform

2020-08-25 Thread Warren Kumari
On Tue, Aug 25, 2020 at 10:44 AM Ondřej Surý wrote: > > > On 25. 8. 2020, at 15:52, Barry Raveendran Greene wrote: > > > > Can we see the security risk assessment that OARC has done with Slack? That > > would be contrasted with the parallel risk assessment for MatterMost. > > This would neither

Re: [dns-operations] [Ext] Re: Separating .ARPA operations from the root zone

2020-08-20 Thread Warren Kumari
This seems to have died down, so I figured I'd ask if you'd managed to pull anything like consensus out of it? I intentionally didn't comment on the proposal, because, in my view it's none of my business -- this is a purely operational change. The IANA is responsible for making sure that lookups

Re: [dns-operations] .iq contacts?

2020-05-28 Thread Warren Kumari
On Thu, May 28, 2020 at 6:32 PM Ray Bellis wrote: > > > On 28/05/2020 22:56, Viktor Dukhovni wrote: > > > Indeed this looks rather precarious, and the SOA serial number is not > > any higher on the other remaining server, the expiration time is 7 days, > > so not much time left if the primary

Re: [dns-operations] .iq contacts?

2020-05-29 Thread Warren Kumari
On Thu, May 28, 2020 at 7:43 PM Warren Kumari wrote: > > > On Thu, May 28, 2020 at 6:32 PM Ray Bellis wrote: > >> >> >> On 28/05/2020 22:56, Viktor Dukhovni wrote: >> >> > Indeed this looks rather precarious, and the SOA serial number is not

[dns-operations] Deep Dive on the DNS - Tomorrow (Thursday, July 23, 2020 - 18:00-19:30 UTC)

2020-07-22 Thread Warren Kumari
Hi all, A reminder that the IETF Technology Deep Dives on the DNS is tomorrow, Thursday, July 23, 2020 - 18:00-19:30 UTC. Everyone understands how the Domain Name System (DNS) works, but everyone is wrong! During this Technical Deep Dive on the DNS you will learn *just how wrong you are*

Re: [dns-operations] Google ECS caching issue, looking for contact

2021-01-06 Thread Warren Kumari
Replied off-list. W On Wed, Jan 6, 2021 at 6:25 PM Jeff Westhead via dns-operations wrote: > > > > > -- Forwarded message -- > From: Jeff Westhead > To: "dns-operati...@dns-oarc.net" > Cc: > Bcc: > Date: Wed, 6 Jan 2021 23:17:38 + > Subject: Google ECS caching issue,

Re: [dns-operations] https://trans-trust.verisignlabs.com/

2020-11-09 Thread Warren Kumari
Erm, what sort of glitch? (seems to work for me - wondering if it is transient, or ...) In the meantime, you can try https://www.superficialinjurymonkey.com/ (click DNS Delegation Explorer), it might work for $whatever trans-trust didn't. Note that this was thrown together while sitting on a

Re: [dns-operations] https://secure-web.cisco.com/1ZjyzJskkYQq7sVMAaORAQUNbtLnCDdiphJXoIUgaA7_oFL6tHC8iV070aZrCZfTyULjhkVi3xJfW5opBdNn-YVZVvneE8CazN4a3cBB_5D0ERlfp-D-9kGVsbAT_XzThiOOKiL1K02Z_t969017Ug

2020-11-09 Thread Warren Kumari
Ah all sorted then. Thanks Duane, W On Mon, Nov 9, 2020 at 3:30 PM Wessels, Duane wrote: > > > > > On Nov 9, 2020, at 11:44 AM, Warren Kumari wrote: > > > > Erm, what sort of glitch? (seems to work for me - wondering if it is > > transient, or ...) >

Re: [dns-operations] why does that domain resolve?

2021-06-11 Thread Warren Kumari
On Tue, Jun 8, 2021 at 6:03 AM Mark Delany wrote: > On 07Jun21, Giovane C. M. Moura via dns-operations allegedly wrote: > > > FWIW, we did a study a couple of years ago [1] analyzing these > > inconsistencies. We found 13 million second-level domains (out of 166M) > > that were inconsistent [0]

Re: [dns-operations] IMPORTANT: Please ensure your NSEC3 iteration count is sufficiently low

2021-04-17 Thread Warren Kumari
On Fri, Apr 16, 2021 at 3:04 PM Viktor Dukhovni wrote: > On Fri, Apr 16, 2021 at 02:29:07PM -0400, Puneet Sood via dns-operations > wrote: > > > Google Public DNS is also planning to cap NSEC3 iterations to a safe > value. > > Do you have data you can share on the prevalence of high iteration

Re: [dns-operations] Oddness with Cloudfare authoritative servers

2021-09-23 Thread Warren Kumari
On Thu, Sep 23, 2021 at 9:34 AM Peter van Dijk wrote: > On Wed, 2021-09-22 at 20:13 -0400, Warren Kumari wrote: > > Oh, testing now gives a different / working result: > > > > $ curl -v https://www.deltamath.com --connect-to > > deltamath.com:443:172.64.80.

Re: [dns-operations] Oddness with Cloudfare authoritative servers

2021-09-22 Thread Warren Kumari
On Wed, Sep 22, 2021 at 1:01 PM Brown, William wrote: > We have a school district that is trying to resolve the domain > deltamath.com. This issue is impacting the classroom use of this service. > > > > The authoritative servers are tani.ns.cloudflare.com and > jarred.ns.cloudfare.com. Tani

Re: [dns-operations] Oddness with Cloudfare authoritative servers

2021-09-22 Thread Warren Kumari
On Wed, Sep 22, 2021 at 7:26 PM Adam David wrote: > This does not seem to be a DNS resolution/misconfiguration issue on > Cloudflare's end. > > https://172.64.80.1/ provides an error message (as it should) indicating > it is a CloudFlare IP. If you can't see that in a web browser, then the >

Re: [dns-operations] Oddness with Cloudfare authoritative servers

2021-09-22 Thread Warren Kumari
Oh, testing now gives a different / working result: $ curl -v https://www.deltamath.com --connect-to deltamath.com:443:172.64.80.1 2>&1 | grep "HTTP/2 200" So, looks like the issue is likely resolved. W On Wed, Sep 22, 2021 at 7:49 PM Warren Kumari wrote: > > > On We

Re: [dns-operations] Oddness with Cloudfare authoritative servers

2021-09-22 Thread Warren Kumari
at least one of the addresses that they returned gave a 403 Error when connecting and trying to fetch /. Giving out different addresses is fine, but they should all work :-) W > > > On Wed, Sep 22, 2021 at 1:29 PM Warren Kumari wrote: > >> >> >> On Wed, Sep 22, 2021 at 1:0

Re: [dns-operations] .au DNSSEC issues

2022-03-28 Thread Warren Kumari
This is now at least listed on the Ianix website ( https://ianix.com/pub/dnssec-outages.html [0] ), but the .FJ outage from a few weeks ago isn't. Links: - https://blog.cloudflare.com/dnssec-issues-fiji/ - https://dnsviz.net/d/fj/YicaMA/dnssec/ -

Re: [dns-operations] Trouble with qa.ws.igt.fiscal.treasury.gov

2022-10-22 Thread Warren Kumari
On Wed, Oct 19, 2022 at 4:38 AM, Scott Morizot wrote: > On Wed, Oct 19, 2022 at 5:11 AM Petr Špaček wrote: > >> Code is your guide :-) >> > > Agreed. Any time I have a need to drill down and understand exactly what > is happening and source code is available, that is always where I look >

Re: [dns-operations] ENT NXDOMAIN problem at .BS nameserver ns36.cdns.net

2022-09-22 Thread Warren Kumari
[ - bs ] There is a very similar issue with 'production.cloudflare.docker.com' (https://dnsviz.net/d/production.cloudflare.docker.com/dnssec/): A query for production.cloudflare.docker.com results in a NOERROR response, while a query for its ancestor, cloudflare.docker.com, returns a name error

Re: [dns-operations] A request for "data"

2024-04-26 Thread Warren Kumari
On Thu, Apr 25 2024 at 12:15 PM, Tim Wicinski wrote: I know in our fancy pants nominum s/w we run at cox I add the > line "managed-keys" and like magic we're pulling 5011 automagic maintained. > > got time later today? I am open > > On Thu, Apr 25, 2024 at 11:58 AM Edward Lewis > wrote: > >> An
