Re: [dns-operations] most something DNS something, DNS Operations
On 3/2/24 11:34, John Levine wrote:

I’d be very surprised if this were the case. I’d have thought the vast majority of what end users would use (at least on the recursive side) would be whatever their ISP was providing, which I strongly suspect is not pi-hole.

I'd also expect it's whatever they use in the cheap NAT routers that broadband providers hand out.

That's often dnsmasq, the default that ships with OpenWRT and the like.

Keith

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Re: [dns-operations] differ
On 11/12/23 13:07, Randy Bush wrote:

it occurred to me that it might be wise to have a rancid like (https://shrubbery.net/rancid/) equivalent for critical domains. i.e. to git record changes and warn of radical diffs.

is there any foss tooling in this space?

It's not exactly what you are looking for, but dns.coffee:

https://dns.coffee/

Does some neat stuff from a zone global view perspective.

Keith
Re: [dns-operations] Cannot send mail to outlook.com due to olc.protection.outlook.com configuration issues
On 10/7/23 04:11, Noel Butler wrote:

Hrmmm you used to be able to use rs.dns-oarc.net to test edns but it's either gone MIA or I'm thinking of the wrong hostname, in which case I'm sure someone will chime in with the correct one :)

Just to confirm, OARC's test servers, including reply-size were deprecated in favor of CheckMyDNS back in June.

See https://www.dns-oarc.net/oarc/services/cmdns for more information on the replacement service.

Keith
Re: [dns-operations] cmdns.dev.dns-oarc.net down?
On 9/4/23 08:27, Christoph wrote:

https://dnsviz.net/d/cmdns.dev.dns-oarc.net/dnssec/

since cmdns.dev.dns-oarc.net appears to be down,

Please report issues with OARC services to , rather than to this entire mailing list of 1800+ people.

We have most of our team traveling and out of timezone right now for the OARC41 workshop in Vietnam this week. We will investigate the issue with CheckMyDNS and get it back up and running, but some patience would be appreciated.

Keith
Re: [dns-operations] BlackHat Presentation on DNSSEC Downgrade attack
Now seems like a good time to remind everyone of the OARC Conduct Policy:

https://www.dns-oarc.net/oarc/policies/conduct

which applies to all interactions on OARC fora, online and in-person, and including this mailing list.

By all means respectfully debate the subject matter, please avoid making it personal.

Keith
Re: [dns-operations] Vodafone AS25135 sending 3k req/s to AS112
On 7/13/22 13:36, Alarig Le Lay wrote:

Vodafone is sending 3k req/s (~10Mbps) of DNS garbage to my AS112 node from 88.82.0.0/19

If someone knows somebody there, could you please tell them to fix their resolvers?

Noting this prefix is AS5378 Vodafone UK, UKNOF has a mailman list and a mattermost chat server. I don't know any Voda UK contacts, but you might have some luck asking in UKNOF fora. There are certainly AS112 servers at the main UK IXPs they should be preferring at the least.

Keith
Re: [dns-operations] DNSviz and G-root: EDNS issue?
On 10/12/21 11:14 AM, Stephane Bortzmeyer wrote:

DNSviz currently always flags the root with a warning "./DNSKEY (alg 8, id 14748): No response was received until the UDP payload size was decreased, indicating that the server might be attempting to send a payload that exceeds the path maximum transmission unit (PMTU) size. (192.112.36.4, UDP_-_EDNS0_4096_D_KN)".

Testing G-root/192.112.36.4 with the RIPE Atlas probes, bit DO and bufsize=4096 shows no evidence of a problem (and the answer is well below 4096 bytes). It seems it affects only the path between G-root and DNSviz. Any idea?

This might be a known intermittent IPv6 routing issue with DNSviz, do you see this problem for v4 and/or v6 ?

Keith
Re: [dns-operations] Monitoring for impending expiration of domains?
On 12/13/20 2:58 PM, Randy Bush wrote:
> tangent, but you started it
>
>> [1] IANAL, but this rather looks like a gross over-reaction to GDPR,
>> with some registries and registrars continuing to provide usable
>> contact details with no ill consequence. The practice even among
>> European ccTLDs varies rather widely. It would sure be great if some
>> sense returned to this space.

Speaking personally, +1

Joining the tangent, it's particularly annoying in the case of one bitcoin-spam operation, which is using a set of DGA domains registered out of a small number of European ccTLDs to daily-bombard one of my orgs in a way which seems particularly impervious to the regular RBLs. Being able to trace these back sure would help with filtering them and/or submitting abuse complaints. I have a carefully-curated list of domains and IP prefixes if anyone cares.

> i realize that i am a dinosaur

I can offer you only company on that...

Keith
Re: [dns-operations] DNS attacks against FR/BE/NL resolvers of Internet access providers
On 9/14/20 1:54 PM, Fernando Gont wrote:
> On 14/9/20 10:14, Stephane Bortzmeyer wrote:
>> On 1 and 2 September 2020, several French IAPs (Internet Access
>> Providers), including SFR and Bouygues, were "down". Their DNS
>> resolvers were offline, and it does indeed seem that this was the
>> result of an attack carried out against these resolvers.
>>
>> https://www.afnic.fr/en/resources/blog/about-the-attack-on-french-isps-dns-resolvers.html
>
> Any more details about the attack? e.g., what vectors they used, etc.?

This report also appears to be relevant, if brief:

https://www.nbip.nl/en/news/report-ddos-attacks-the-state-of-affairs-september-2020/

Keith
Re: [dns-operations] Nameserver responses from different IP than destination of request
On 8/31/20 12:40 PM, Puneet Sood via dns-operations wrote:
> Is there an online tool that does mark up on RFCs to show which other
> RFCs are referring to specific sections in it?

I suspect you may find:

https://powerdns.org/dns-camel/

helpful here.

Keith
Re: [dns-operations] New OARC Chat Platform
On 8/25/20 4:26 AM, Ondřej Surý wrote:
> The details has been provided on OARC members list, so I’ll let
> Keith and Matt to decide the level of detail to provide, but the
> service is being hosted by a professional organization and is subject
> to confidentiality agreement. OARC Mattermost (the software) is not
> being run by OARC staff.

Thanks everyone who has pointed out that to some extent this discussion is a bikeshed - there are many, many chat platforms out there, and it's simply impossible to choose one that's going to satisfy everyone. It was clear however that our existing jabber platform was satisfying fewer and fewer people, and that we needed to replace it with something more modern and appealing.

A major consideration on adopting an open platform like Mattermost vs a closed proprietary platform like Slack are the specific requirements in the OARC Participation Agreement for sharing information collectively between OARC Members on a confidential basis. Slack logs everything, and the only confidentiality guarantees you get are their standard click-through contract. Once you are signed up the relationship is sticky and hard to migrate away from should there be issues.

The other downside of Slack is the cost - even with nonprofit discount on their service, for our community of 300+ users, the managed Mattermost solution was vastly cheaper. We can scale Mattermost without having to worry about pay-per-play on users/team/channels/messages.

Using an open-source platform allows us the *choice* of self-hosting vs outsourced, and our own Member Participation Agreement-compliant policies on confidentiality and retention. While these may be stronger than is required for an open community platform, it does not make sense to run different platforms for Members vs everyone else.

I'll be the first to admit that OARC's systems engineering resources are over-stretched, and that's why we took the decision to outsource this service, which has successfully given us one less arcane thing to manage.

The out-sourcing agreement is with Mythic Beasts, a UK-based cloud provider who offer managed Mattermost to other customers. As part of the service agreement, Mythic signed up as OARC Supporters, which binds them and the service to the same collective confidentiality terms as OARC Members are bound by.

There's also many other organizations in our space using Mattermost already (e.g. CAIDA, EFF, ISC, Mozilla,...), and it feels like good company to keep.

Finally, now that we've moved to an openly-available platform, we have the flexibility to keep that outsourced, change providers, or in-source as appropriate, should we decide to do so in future.

Keith

>> On 25. 8. 2020, at 8:19, Doug Barton
>> wrote:
>>
>> Is this something that OARC is operating and maintaining, or is it
>> something that you're acting as a conduit for? The former would be
>> included in my definition of "rolling your own." Are there
>> seriously no existing communications platforms anywhere that
>> provide adequate security?
>>
>> I don't intend this as armchair quarterbacking, I'm looking at it
>> from the standpoint of whether or not putting resources into OARC
>> is a good investment. Certainly the people involved, and the
>> intentions of those people, are top notch. But without good
>> decision making to support those intentions it's hard to justify
>> contributing additional resources. Of course, that's just my
>> opinion, and I hope that I'm wrong.
>>
>> On 8/24/20 10:00 PM, Ondřej Surý wrote:
>>> Doug, that’s *exactly* what OARC is doing. It’s not rolling
>>> “own” platform, it’s using existing platform that many existing
>>> teams are using as a communication platform. The added
>>> requirement for choosing a chat platform was a strong data
>>> protection. This is something that centralized platform (like
>>> Slack) can’t offer. Mattermost is a solid competitor on the
>>> market and I am glad that OARC moved away from Jabber both as a
>>> board member and OARC member.

While I think it's great that you're offering this service, I can't help asking why you're rolling your own instead of utilizing any of the many chat services that already exist? Slack comes immediately to mind, but it's far from the only commonly used platform at the moment.
Re: [dns-operations] off-topic - live interview / discussion about dns/infrastructure
On 6/24/20 4:04 PM, Mehmet Akcin wrote:
> I can't think of any way this is commercial, it’s available on
> multiple platforms to make it accessible where these platforms are
> free for use

You do not appear to be confirming your entity is explicitly nonprofit per my question.

In general we're fine with announcements on this list of nonprofit activities, events, projects that are DNS operations-relevant. Promotion of commercial activities is discouraged and unlikely to be well-received.

Keith

> On Wed, Jun 24, 2020 at 13:03 Keith Mitchell
> wrote:
> On 6/23/20 4:47 PM, Mehmet Akcin wrote:
>>
>> A few weeks ago I've started hosting a youtube/twitch/twitter live video
>> show
>
> With regard to posting this here, please could you clarify whether
> the entity publishing this show is doing so on a commercial or
> nonprofit basis ?
Re: [dns-operations] off-topic - live interview / discussion about dns/infrastructure
Mehmet,

On 6/23/20 4:47 PM, Mehmet Akcin wrote:
> hey there, sorry for cross-posting in few lists.
>
> A few weeks ago I've started hosting a youtube/twitch/twitter live video
> show

With regard to posting this here, please could you clarify whether the entity publishing this show is doing so on a commercial or nonprofit basis ?

Keith

> (simultaneous stream) hosting key people who are involved in the
> exec/operations/engineering of internet infrastructure companies either
> as consumer or service providers.
>
> my idea is to create a platform where questions/concerns can be asked
> directly to executives/key decision-makers and hopefully get answers.
> Very similar to Reddit AMA but with focus on
> telecom/datacenter/infrastructure/DNS/etc.
> I thought I would share this here, I am sorry if this is off-topic.
>
> Mehmet
Re: [dns-operations] anyone from facebook?
On 4/17/20 1:52 AM, Mark Andrews wrote:
> Subject: Re: [dns-operations] Anyone from Google here?

A reminder to OARC Members that they can use the "Contact Directory" feature of the OARC Member Portal to find DNS Operations contacts at other Members.

Keith
Re: [dns-operations] Extended Submissions Deadline: 33rd DNS-OARC Workshop, Paris, France, May 09 - 10th 2020
As per the statement at:

https://indico.dns-oarc.net/event/34/page/93-covid-19-situation

OARC has been tracking the Covid-19 situation, and exploring contingencies should we not be able to proceed as planned with OARC33. At this point in time, we are still working to our plans to have the workshop in Paris on 9/10 May, but the situation is very fluid, and a lot could change in the 9 weeks between now and then.

OARC33 is being co-located with, and hosted by ICANN, in conjunction with their IDD, RoW and IDS events. So whether ICANN proceeds with these will be a strong determinator of whether OARC33 goes ahead in Paris or not. Clearly ICANN will have a well-informed view of the practicalities of running remote-only meetings after ICANN67 has taken place remotely this week, and we will be consulting and meeting with them on their plans for GDD/IDS once that has completed.

We've looked at a number of fallback contingencies, and while there are some other options, it looks like the most feasible are:

- to cancel OARC33 in Paris in May, and move the submitted content to OARC34 in Milan in October.
- to conduct a remote-only meeting.

The state of recent OARC Board discussions on this is tending towards the first option, but we have reviewed internally and confirmed that we could conduct a remote workshop with the resources available to us, given 2-3 weeks notice and preparation, if the community feels there is value in doing so. Either way it makes sense to continue to solicit content for OARC33.

We expect that ICANN will be working with the local authorities in Paris, the venue, and professional sources of advice; and it is our intention to work closely with them in deciding whether OARC33 proceeds there as planned. Once again, we are grateful for ICANN's support of our workshops.

We believe an appropriate point to make a go/no-go decision on a physical workshop for OARC33, so people can plan or cancel travel etc, is no later than 5 weeks before, i.e. around the 1st April, and the OARC Board has scheduled a meeting shortly before that to make this decision, should events not overtake matters meantime. We will communicate that decision no later than 2nd April.

We'd be grateful for input from workshop participants' preferences on the options available, but in the meantime if folks could refrain from engaging in "armchair epidemiology" threads on this list I think everyone would appreciate it :-)

Keith
OARC President

On 2020-03-09 14:50, Shumon Huque wrote:
> On Mon, Mar 9, 2020 at 2:41 PM Paul Vixie wrote:
>
> On Monday, 9 March 2020 14:44:09 UTC Shumon Huque wrote:
> > ** We have extended the submissions deadline for the 33rd DNS-OARC
> > ** workshop to March 19th 2020 (midnight CEST).
> >
> > The 33rd DNS-OARC Workshop will take place at the Marriott Rive Gauche
> > Hotel & Conference Center in Paris, France on May 9th and 10th 2020.
>
> Early May is going to be a very bad time:
>
> https://threadreaderapp.com/thread/1236095180459003909.html
>
> i suggest ICANN and DNSOARC be ready to convert to virtual for this.
>
> Yeah, I'm aware that contingencies are being actively discussed. But
> I'll defer to OARC and ICANN staff to officially comment.
Re: [dns-operations] really old root zones for saveroot
On 12/14/19 5:43 PM, Tony Finch wrote:
> I have been playing around with the old update journal in the saveroot
> repository, to see if I can reconstruct root zones between July 2005 and
> March 2014.
> I think reconstruction is mostly feasible, but it would be super helpful
> if anyone can give me a copy of the root zone from any point in that time
> period to fill in a couple of gaps.

OARC's Zone File repository has root zone data going back to 1993, though coverage is spotty before 2000:

https://www.dns-oarc.net/oarc/data/zfr/root

Keith
Re: [dns-operations] root? we don't need no stinkin' root!
On 11/29/19 8:32 PM, Rubens Kuhl wrote:
> including making studies that other parties can't reproduce due to
> being limited to DITL data.

DITL data is available to any party who signs an OARC Data Sharing agreement.

Keith
Re: [dns-operations] root? we don't need no stinkin' root!
On 11/26/19 7:40 PM, Mark Allman wrote:
> I wonder if we're ever allowed to just decide this sort of thing is
> ridiculous old shit and for lots of reasons we can and should just
> garbage collect it away.

To some extent, "get rid of ridiculous old sh*t" is kind of what the DNS Flag Days are working on, though with rather more baby steps than I suspect you are conceiving. Even these small, rational proposals have met with push-back in some sectors. It's quite a lot of work to deprecate stuff in a way that minimizes operational fall-out.

> To me, this whole notion is that we can in fact get rid of this
> giant network service. If we don't get rid of it then what is the
> incentive to move one's own resolver away from using the root
> nameservers?

On garbage-collecting crap traffic, it's worth looking at AS112. Mostly this runs on a bottom-up community-driven basis, where the incentive to run an AS112 node comes from the simple self-interested economic basis of not wanting this crap taking up capacity on one's own outbound infrastructure.

While AS112 makes a difference, it is far from ubiquitous or optimal. Probably there are gains to be made from more aggressive co-ordination and advocacy (*), but I suspect these would need stronger resource support from a more top-down source. It's far from the whole problem space, but makes some difference at the root for sure.

Keith

(*) every so often I get a stark reminder of how low awareness of AS112 is...no, we don't want to buy transit for it, thanks..
Re: [dns-operations] glitch on [ip6|in-addr].arpa?
On 10/11/19 6:30 PM, Shumon Huque wrote:
> It might be much more important for diagnostic and measurement services
> like DNSviz though. At the moment, if you run IPv6 DNS servers on
> networks that are singly connected to Cogent, it will probably
> incorrectly flag those servers as unavailable. For such services,
> perhaps it would be better if they were not single-homed to either
> Cogent or HE.
> (To be clear, I'm happy that DNSviz is housed at OARC. So, I guess I
> might be suggesting that the community might consider how to fund a
> second ISP connection for OARC).

Thank You :-) That would be most welcome if anyone is prepared to step up (and/or open to other potential solutions) ?

FWIW, we are at HE's Fremont2 facility, and peer at SFMIX.

Keith
Re: [dns-operations] Verifying that a recursor is performing DNSSec validation
On 07/21/2015 07:48 AM, Edward Lewis wrote:

Come to think of it, does DNS-OARC have a set of such zones? I have a vague memory that this may have been set up once. If not, might this be a good idea to provide? (Alongside other test services like reply size as described here: https://www.dns-oarc.net/oarc/services/replysizetest)

We have I recall various *signed* zones for testing, but not a deliberately-always-unsigned zone. We'd be happy to implement that if the community felt it useful.

Keith

(An idle suggestion.)

On 7/20/15, 22:13, dns-operations on behalf of Frank Bulk dns-operations-boun...@dns-oarc.net on behalf of frnk...@iname.com wrote:

Does anyone have a zone that will always remain unsigned? verteiltesysteme.net is going to make one, but if there was a second organization that could provide a zone that will never be signed, that would be great as a control.

___
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
Re: [dns-operations] 5s TTL on IANA /8s
On 07/15/2015 08:49 PM, Mauricio Vergara wrote:

There is an operational reason to have the TTLs low, the good thing is that it is completely temporary, and by the time you get this those TTLs will be back to normal everyday values.

We are actually thinking, if there is interest, of sharing our experiences at the Montreal DNS-OARC workshop.

A reminder that both the Call for Presentations, Registration and accommodation bookings for our Montreal workshop are open at:

https://indico.dns-oarc.net/event/24/

Keith
[dns-operations] Survey/Videos of Spring Workshop
Thank you all for the many kind words and postings about our Amsterdam workshop. Running successful events is very much a team effort, and on behalf of OARC I'd like to express our gratitude to all our speakers, sponsors, PC and other volunteers for making this one happen.

There's always room for improvement, however, and if you attended or watched the workshop, we'd still love to hear your feedback on our meeting survey:

https://www.surveymonkey.com/r/OARC-Spring2015-Amsterdam

Video of the 4 public workshop sessions is available via YouTube as follows:

- Saturday Morning: https://www.youtube.com/watch?v=Lr3prqyXHNw
- Saturday Afternoon: https://www.youtube.com/watch?v=UcAygzNSxlI
- Sunday Morning: https://www.youtube.com/watch?v=YCXx0RlaokQ
- Sunday Afternoon: https://www.youtube.com/watch?v=PX3YYmBER7E

We'll do the work to split these into individual talks over the next few weeks, which will be indexed from the agenda/presentations page.

Our next workshop ( AGM) will be co-located with NANOG65 in Montreal on 3rd and 4th October. We're looking for speakers and sponsors - the call for presentations will be published around May 29th, when registration also opens. Please contact Denesh via spon...@dns-oarc.net (or find us at RIPE70 this week) if you are interested in sponsoring an OARC workshop.

Thanks again to everyone who participated, and look forward to seeing you next time !

Keith
Re: [dns-operations] [Security] Glue or not glue?
On 05/04/2015 04:51 AM, Peter Koch wrote:

On Mon, May 04, 2015 at 09:11:28AM +0200, Stephane Bortzmeyer wrote:

http://www.ssi.gouv.fr/entreprise/guide/bonnes-pratiques-pour-lacquisition-et-lexploitation-de-noms-de-domaine/ (in french only)

Getting these recommendations straight is not an easy task. Balancing between different target audiences and breadth and depth of the advice versus available space almost always makes it a matter of compromise and I'm sure the next version might benefit from feedback by the community.

Don't forget there's an opportunity to do this on Saturday when we have a speaker at our workshop on these very guidelines:

https://indico.dns-oarc.net/event/21/contribution/12

Keith
[dns-operations] DNS-OARC Spring 2015 Workshop - Amsterdam, Netherlands 9/10th May - AGENDA
The agenda for DNS-OARC's 2015 Spring Workshop on the 9th and 10th May, in Amsterdam, The Netherlands is now available at:

https://indico.dns-oarc.net/event/21/timetable/#all

This will be held at the same location as the subsequent RIPE70 meeting, and we're grateful to SIDN, Verisign and Nominum for being our sponsors this time.

The theme for this workshop is DDoS attack report and mitigation techniques, and we have a range of talks on this topic, including on attack experiences and side-effects, and countermeasures against random subdomain attacks. We also have various DNSSEC talks, looking at the effects of increasing the root Zone KSK size, on-the-fly signing, and use of ECDSA crypto in practice, as well as several new DNS tool presentations. A big thank you to our speakers and programme committee for putting another full and high-quality agenda together.

You can register as a member (free) or non-member ($150) at:

https://indico.dns-oarc.net/event/21/registration/

Please note that the registration fee increases by $100 for all attendees on 24th April.

Proceedings start mid-Saturday morning - although the Saturday morning sessions are about DNS-OARC status/business, all but one closed member-only presentation will be open to all registered attendees. I'll also be giving a retrospective on OARC's evolution in the 10 years since it was founded.

The full public workshop starts at 14:00 CEST Saturday until 17:30 Sunday. There will be a social event sponsored by SIDN on Saturday evening. We're planning to webcast the public workshop, further details to follow.

All accommodation at the venue Hotel Okura is now fully booked, however we have arranged for discounted room rates at other local hotels, please see:

https://indico.dns-oarc.net/event/21/page/0

For travel and additional venue information, see the RIPE70 meeting site at:

https://ripe70.ripe.net/venue/meeting-venue/

With our thanks to the RIPE NCC for connectivity and other logistical support.
Additional sponsors for this meeting and the social event remain welcome - please contact spon...@dns-oarc.net if interested.

Look forward to seeing everyone in Amsterdam !

Keith Mitchell
OARC President
Re: [dns-operations] Mozilla Firefox and ANY queries
On 02/27/2015 05:09 AM, Reed Loden wrote:

I notified Mozilla's release management team, and they are tracking this. They believe this is https://bugzilla.mozilla.org/show_bug.cgi?id=1093983

FWIW, I also reached out to a contact within Mozilla, who added to the internal escalation on this, they indicated to me the issue should be resolved promptly.

In any case, it would be helpful to the release mgmt team if they had a better idea of the problems this is causing and how critical of an issue it is, in order to better prioritize it (once a true cause has been found). Also, any ideas on timeline as to when this started would help a lot.

The up-tick in ANY queries since the Firefox 36 release is indeed visible on OARC's DSC statistics that some root operators share with us, though the publicly visible data is delayed a week behind what our members get to see, and the start of this issue.

Keith
Re: [dns-operations] cache flush request
On 01/19/2015 07:57 AM, Tim Wicinski wrote:

On 1/17/15 12:12 PM, Paul Hoffman wrote:

Would it be helpful if OARC maintained a page containing links to the cache flushing interfaces and/or PoCs of interested resolver operators that support such things ?

If OARC could define such interfaces well, including who gets to use them, yes it certainly would.

https://datatracker.ietf.org/doc/draft-jabley-dnsop-dns-flush/

To be clear, protocol definition work is explicitly _not_ in OARC's remit, but is very much within the IETF's.

I seem to remember this idea being broached, and a portion of the audience gasped in horror, while another portion were very interested.

We're open to implementing more than just a web page of references, but would need a clear support indication from the community this was a desired thing.

Keith
Re: [dns-operations] cache flush request
On 01/17/2015 09:35 AM, Eli Heady wrote:

Is there a better place for such requests? Honestly curious ... as an operator of dns for a large-ish network, I'd like to know when our caches have been polluted. To that point, and to the OP and others making flush requests, it would be helpful to include correct and incorrect records in your request so rdns operators may validate their cache content.

Would it be helpful if OARC maintained a page containing links to the cache flushing interfaces and/or PoCs of interested resolver operators that support such things ?

Keith

On Jan 16, 2015 2:08 PM, Paul Vixie p...@redbarn.org wrote:

Mehmet Akcin meh...@akcin.net
Friday, January 16, 2015 10:31 AM

... we need a quick cache flush for windowsmedia.com http://windowsmedia.com domain name to resolve a domain resolution issue. can you let me know privately once the cache is flushed?

flushed in la honda, california. do you really hope to reach 20M+ RDNS operators via this mailing list, though?
Re: [dns-operations] Best Resources for Deep Dive Understanding of DNS
On 12/31/2014 05:07 PM, Roland Dobbins wrote:

On 31 Dec 2014, at 20:05, Alexander Neilson wrote:

Particularly looking at performance tuning and resilient architecture however any good resources that provide a good understanding of the deeper details of the operation of DNS.

In addition to the good things you're already doing on your own initiative (great work!), and the excellent advice you've received from Ralph and Rubens, these may also be of interest:

Also, various parties (several of them OARC members :-) offer DNS training courses that you may find of value.

Keith
Re: [dns-operations] knot-dns
On 12/15/2014 02:40 PM, Roland Dobbins wrote:

> On 16 Dec 2014, at 1:42, Mike Hoskins (michoski) wrote:
>> You can acknowledge things aren't a panacea, while still deriving some benefits from them.
> My point is that the negatives far outweigh the benefits in most organizations.

It's interesting to note that most of the software diversity growth in the DNS space has been for alternative authoritative servers. At least for the larger players in the TLD space, they probably have enough clue and resources to not fit into the most organizations category.

But I have to say, IME whenever I have gone to great lengths to diversify infrastructure, the failure mode that bites you is all too often the SPoF one didn't think of.

Keith
Re: [dns-operations] OARC's DNS Reply Size Test Server is not EDNS compliant
On 12/14/2014 11:45 AM, Keith Mitchell wrote:

> On 12/13/2014 04:30 PM, Mark Andrews wrote:
>> OARC's DNS Reply Size Test Server is not EDNS compliant. It does not return a OPT record to EDNS requests. This causes named from BIND 9.10.0 and later to classify the servers as not EDNS compliant and to only send plain DNS queries. This in turn results in bug reports saying we fail the test when it is the test that is broken.
> We'll look into it.

Thanks Mark for bringing this to our attention. We believe we have now addressed this shortcoming, if others could test and verify that would be helpful.

The best way to report issues with OARC services is by e-mail to ad...@dns-oarc.net

Keith
Re: [dns-operations] Interesting messages in our logs
If you didn't already check it out, you may find this presentation at our last workshop adds some background: https://indico.dns-oarc.net//contributionDisplay.py?contribId=37sessionId=3confId=20

Keith

On 11/02/2014 08:52 AM, Lyle Giese wrote:

> Just to flush out the details here, in case anyone is wondering. We have a small number of domains that are DNSSEC signed, but those under attack are not signed.
>
> In the past two days, I am seeing RRL kicking in heavily for queries for host names or subdomains in the form: variable.example.com From IPv4 and IPv6 Google ip addresses.
>
> At the same time, but I see a few of the 'no more TCP clients: quota reached' messages. Again, after the RRL limit kicking in, rolling over to TCP is expected.
>
> I am seeing the 'attack' first against one domain for a period of only a few (less than 5) minutes. And then the next day, another flurry of activity against another domain lasting about 4 minutes.
>
> I am not sure what the goal is of the attackers yet. But in bouncing the queries through Google does a pretty good job of hiding their identity from me.
Re: [dns-operations] DNS BoF@DNS OARC 2014 Fall LA
On 10/11/2014 01:43 AM, han feng wrote:

> We are working on organizing a DNS BoF at DNS OARC 2014 Fall in LA, and we wanted to share the test report regarding to DNS dynamic update and xfr (please refer to the attachment), and ask your opinions on the topics that we should cover on this BoF.

I'd just like to make it clear that this proposed event is not part of the OARC workshop programme.

Keith
Re: [dns-operations] DNS-OARC's Web-based DNS Randomness Test site
On 10/09/2014 07:32 AM, Yasuhiro Orange Morishita wrote:

> Now DNS-OARC's Web-based DNS Randomness Test site doesn't work properly... Is this service closed?

No, this service is still supported, though note that there have been a number of exploits published since this test was derived which means that results previously stated as safe are now less clear-cut.

For questions/issues with OARC services, the best place to request help is ad...@dns-oarc.net. We will investigate, though this may take a little longer than usual due to the upcoming workshop and planned systems maintenance over the next few days.

Keith

> Web-based DNS Randomness Test http://entropy.dns-oarc.net/ (redirected to https://www.dns-oarc.net/oarc/services/dnsentropy)
>
> txt (dig/drill) version seems to be OK, but web version is better for plenty of users.
>
> % dig +short porttest.dns-oarc.net txt
> porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
> xxx.xxx.xxx.xxx is GREAT: 26 queries in 2.7 seconds from 26 ports with std dev 17312
Re: [dns-operations] DNS-OARC Fall 2014 Workshop - Final Information
A final reminder DNS-OARC's 2014 Fall Workshop and Member AGM will be taking place *this* weekend in Los Angeles. Our workshop will be held in co-operation with the ccNSO Tech Day of the co-located ICANN51 meeting.

The OARC AGM and member-only session will be held from 14:00 PDT on Saturday 11th October, social event Saturday evening, the main workshop starts at 09:00 PDT on Sunday 12th, and a joint session with ICANN's Tech Day on Monday 13th starts at 10:30 PDT.

Our agenda is now finalized and very full of great quality content, at: https://indico.dns-oarc.net//conferenceTimeTable.py?confId=20#all.detailed

Note that we are regrettably unable to accept any last-minute submissions or lightning talks, unless there are any speaker cancellations. We are also full from a venue space point of view, and registration is closed. We have a few places left for OARC members only, please contact ad...@dns-oarc.net if you are a member who wishes to attend but did not already register and we'll try to accommodate.

The good news is remote participation will be supported, via ICANN's AdobeConnect system:

Webcast: https://icann.adobeconnect.com/lax51-westside
Audio: http://stream.icann.org:8000/lax51-westside-en.m3u

with slides linked to from the above meeting timetable page, and OARC's Jabber room: xmpp://dns-operati...@conference.dns-oarc.net

You can find full information about the workshop at: https://indico.dns-oarc.net/event/workshop-2014-10

Finally, a big Thank You to our sponsors:

* Microsoft (Platinum and Social)
* Nominet (Silver, T-shirts)
* Dyn (Bronze)

and ICANN as our meeting host, for making this event possible :-)

Keith Mitchell
OARC President
Re: [dns-operations] DNS-OARC Fall 2014 Workshop - Los Angeles, California, 11th-13th October
A reminder DNS-OARC's 2014 Fall Workshop and Member AGM will be taking place in Los Angeles, California, USA on the 11th through 13th October, and we are pleased to announce a very strong confirmed agenda at: https://indico.dns-oarc.net//conferenceTimeTable.py?confId=20#all.detailed

This will be held in co-operation with the ccNSO Tech Day of the subsequent ICANN51 meeting. The OARC AGM and member-only session will be held on Saturday 11th October, the main workshop on Sunday 12th, and a joint session with ICANN's Tech Day on Monday 13th.

You can find more information about the workshop at: https://indico.dns-oarc.net/event/workshop-2014-10

Registration is open at: https://indico.dns-oarc.net/confRegistrationFormDisplay.py?confId=20

OARC Workshop meetings are open to OARC members and to all other parties interested in DNS operations and research, with ICANN attendees particularly welcome this time around. Meeting registration is free, with priority given to OARC Members, Speakers, Donors and Sponsors in the event of limited space. We are planning remote participation for this event, including video webcast, details to follow.

Although our agenda is full and submissions are closed at this point, we hope to be able to allow a small number of lightning talks of late-breaking topical material, with submissions for these open between 8th and 10th October.

We are grateful to Microsoft as our Platinum meeting sponsor, and ICANN for their support of our workshop.

Keith Mitchell
OARC President
Re: [dns-operations] Hearing first complains about failing internal resolving due to .prod TLD
On 09/13/2014 10:45 AM, David Conrad wrote:

> On Sep 13, 2014, at 2:19 AM, Franck Martin fmar...@linkedin.com wrote:
>> I’m not sure why the dot prod was not first set up to return NXDOMAIN, queries logged, and then source IP contacted to warn them
>> May be this is an insight now, may be this is something to do for ALL newly introduced TLDs, set up the resolution for a month with NXDOMAIN and then analyze the logs and see if it could be an issue.
> You might want to look at https://www.jasadvisors.com/namespace-expansion-i.pdf. Interestingly, .prod had only 146 (filtered) unique SLDs in the DITL data.
> This was discussed in the last year or so of ‘discussions’ related to name collision. Trivial to game, difficulties finding the actual source, difficulties in establishing what could be an issue vs. a false positive, etc.

I've tried (I hope) to make it clear whenever opportune, that OARC's DITL data should only ever have been regarded as *a* source of policy-informing analysis for Name Collisions, and should not in any way be regarded as comprehensive or definitive. We were more than happy to step up with what we had in the absence of anything else, but other data sources would have been and would remain welcome.

It seems we may be seeing the first signs of the gap between reality and the dimensionally-constrained worldview of OARC data. Here's a couple of ideas I'd like to put out there:

- now that various of the nTLDs have been delegated into Controlled Interruption mode, would it be helpful for OARC to do an additional (or periodic) DITL capture(s), so we can get some comparison between what we thought we'd be seeing and what we are seeing ?
- are there any other types of data-gathering that OARC could perform for the community that would help us understand these issues better (and if so what, and who would like to help) ?

There were some proposals for such data gathering mooted, but AIUI did not get sufficient support in the ICANN process to be mandated.

Keith
Re: [dns-operations] resolvers - which do you care about?
It's list policy that subscriptions from which a natural person is not identifiable are auto-moderated. Apologies that this one slipped through. Please can the poster identify themselves.

P Vixie p...@redbarn.org wrote:

> Who is we? Why are we allowing role accounts to subscribe here? Who is intdnsops?
>
> On August 6, 2014 3:24:39 PM PDT, intdnsops intdnsops intdns...@gmail.com wrote:
>> We are working on a DNS consistency check tool and a component includes checking several public recursive name servers for the latest SOA/A/ records and TTLs. The zones we publish often have TTLs measured in the 7+ day range, changes are incredibly low volume, and we always plan on waiting out the TTL.
>>
>> Of all the public resolvers in the wild - which ones do you care about? While some services like OpenDNS & Google provide a web based interface to issue a cache clear - do any services offer an API style cache clear/zone drop?
>>
>> If providing a list of resolvers you care about, please limit to open resolvers and resolvers that provide a web based cache check tool.
>>
>> Best regards.
>
> -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: [dns-operations] ISC Network Issue affecting OARC services
On 07/21/2014 01:57 PM, Keith Mitchell wrote:

> For those of you not already aware, many of OARC's services are being impacted by a significant DDoS attack against ISC who host most of our infrastructure. Please see below for a statement from them on this.
>
> We've been seeing major packet loss to our systems hosted in Redwood City, currently around 40% (down from over 80% at worst) - none of our services are down, but many are working very slowly.
>
> Obviously we're working with ISC to try and address this - we're sorry for the inconvenience and will keep you updated as we know more from them.

Today's update from ISC indicates that this was collateral damage from an attack on one of the ccTLD registry operators which they host secondary auth servers for, and that for now it is mostly mitigated. We will continue to monitor.

Having successfully stabilized, updated and rationalized OARC infrastructure over the past year, rest assured that after the past week's incidents, giving it greater geographic/provider diversity and higher availability rank high on our next round of development plans...

Thanks for all the offers of help with this.

Keith
[dns-operations] ISC Network Issue affecting OARC services
For those of you not already aware, many of OARC's services are being impacted by a significant DDoS attack against ISC who host most of our infrastructure. Please see below for a statement from them on this.

We've been seeing major packet loss to our systems hosted in Redwood City, currently around 40% (down from over 80% at worst) - none of our services are down, but many are working very slowly.

Obviously we're working with ISC to try and address this - we're sorry for the inconvenience and will keep you updated as we know more from them.

Keith

On 07/21/2014 12:20 PM, Jim Martin wrote:

> Gentlepeople,
>
> Since approximately 3am Pacific this morning, ISC's network has been subject to a significant Distributed Denial of Service (DDoS) attack. We've been deploying various mitigation techniques, and tuning over time, but the attack continues. We are actively defending against the attack, and will let this alias know when we believe it's been resolved.
>
> We apologize for the impact!
>
> - Jim Martin, Director of Operations, ISC
[dns-operations] OARC server outage
Unfortunately one of our (new) servers, ix2.dns-oarc.net, has suffered a major hardware failure, and is currently out of service. This means that a number of OARC public-facing tools are not currently available:

- DODVR, Porttest, Reply Size Test, DLVtest, Don't Probe

Production services based on our ix1 server, including the public and member websites, mailing lists, jabber, TLDmon, and our data storage/analysis facilities remain unaffected.

We're working both to get the faulty hardware repaired, and to interim migrate the services to another server, this may take a number of days. We will of course post updates on this, with our apologies for any inconvenience this causes.

Keith
Re: [dns-operations] OARC server outage
I'm pleased to report this issue is not as serious as we feared, and this server is now back up and all OARC services restored.

We may however need to perform some scheduled maintenance work on it in the near future to diagnose/rectify the underlying cause, and will give as much notice as possible if we do.

Keith

On 07/18/2014 09:17 AM, Keith Mitchell wrote:

> Unfortunately one of our (new) servers, ix2.dns-oarc.net, has suffered a major hardware failure, and is currently out of service. This means that a number of OARC public-facing tools are not currently available:
>
> - DODVR, Porttest, Reply Size Test, DLVtest, Don't Probe
>
> Production services based on our ix1 server, including the public and member websites, mailing lists, jabber, TLDmon, and our data storage/analysis facilities remain unaffected.
>
> We're working both to get the faulty hardware repaired, and to interim migrate the services to another server, this may take a number of days. We will of course post updates on this, with our apologies for any inconvenience this causes.
Re: [dns-operations] Prevalence of query/response logging?
On 07/04/2014 07:44 AM, Stephane Bortzmeyer wrote:

> On Fri, Jul 04, 2014 at 06:00:48PM +0700, Roland Dobbins rdobb...@arbor.net wrote a message of 23 lines which said:
>> and/or logging queries/responses out-of-band via packet-capture taps, databases, etc.?
> Following OARC workshops, it seems many operators of authoritative name servers log everything, with capture taps

We recently finished cleaning up the data from the DITL2014 collection exercise, captured and shared by many authoritative operators in exactly this way. You can see who contributed and what data is available at: https://www.dns-oarc.net/node/341

Keith
Re: [dns-operations] DNS-OARC Spring Workshop Final Information
Couple of quick updates:

On 05/09/2014 10:34 AM, Keith Mitchell wrote:

> jabber remote participation at: xmpp:dns-operati...@conference.jabber.dns-oarc.net

Note this should be: xmpp:dns-operati...@conference..dns-oarc.net apologies for my typo.

> For remote attendance, we plan to webcast the open workshop via Google Hangouts:

Unfortunately our webcasting team and gear are *still* en-route due to a series of flight delays - it remains feasible they will be here for a 14:00 CEST/12:00 start, but we may have some delay before we can get things working. If it looks like being a significant delay we'll see if we can get a voice-only teleconference bridge going as a stop-gap.

Otherwise, everything else is ready and we're good to go !

Keith
[dns-operations] DNS-OARC Spring Workshop Final Information
Here's final information for OARC's Spring workshop and EGM this weekend in Warsaw.

Saturday morning will be an OARC Extraordinary General Meeting starting at 10:00AM, with formal business and content for OARC Members only. Note that this session will *not* be webcast.

The full workshop timetable is now available at: https://indico.dns-oarc.net/conferenceTimeTable.py?confId=19

Saturday afternoon's open workshop starts at 2pm local time (12:00 UTC) and will have sessions on Security & Privacy, and Operations. Sunday's open workshop starting at 09:00AM includes sessions on Tools, DNSSEC, Research, and Data Analysis.

For remote attendance, we plan to webcast the open workshop via Google Hangouts: https://plus.google.com/u/0/b/103122883228036975926/103122883228036975926/about/p/pub with slides linked to from the above meeting timetable page, and jabber remote participation at: xmpp:dns-operati...@conference.jabber.dns-oarc.net

Video recordings of presentations will be available a week or two after the workshop.

Finally, a big thank you to our Platinum sponsor Microsoft, and Gold sponsor Verisign for covering our workshop costs. Major thanks also to the Programme Committee, speakers and all our volunteers for helping out with meeting content and setup.

Keith
Re: [dns-operations] Opened Pandora's box of Cache Poisoning
On 05/01/2014 01:00 PM, Stephane Bortzmeyer wrote:

> On Fri, May 02, 2014 at 01:48:59AM +0900, T.Suzuki t...@reflection.co.jp wrote
>> Opened Pandora's box of Cache Poisoning http://www.e-ontap.com/dns/endofdns-e.html
>> Conclusions of this report:
> I'm confused. I expected a scientific/technical paper/report and I find only one Web page with a very short text describing very broadly the attack, without discussion of details, or measurements.

There's also no mention of DNSSEC.

Keith
[dns-operations] DNS-OARC Spring 2014 Workshop - Warsaw, Poland, 10/11th May - AGENDA
The agenda for DNS-OARC's 2014 Spring Workshop and Member EGM on the 10th and 11th May, in Warsaw, Poland is now available at: https://indico.dns-oarc.net//conferenceTimeTable.py?confId=19

This will be held at the same location as the subsequent RIPE68 meeting, and we're grateful to Microsoft and Verisign for being our main sponsors for this workshop.

Our talks include a study of Open Resolvers, on detection of Botnet Domains, and on connection-oriented improvements to DNS security. There's also a review of new IETF work on DNS privacy, and a survey of the Namecoin P2P DNS system. A big thank you to our speakers and programme committee for putting a packed agenda together.

The session on Saturday morning will be for OARC members only, and includes an EGM and private presentations. The public workshop starts at 14:00. We're hoping to webcast the public workshop, but still need to confirm arrangements for this.

Registration remains open at: https://indico.dns-oarc.net//confRegistrationFormDisplay.py?confId=19

Workshop registration is free of charge, with priority given to OARC Members, Speakers, and Sponsors - we still have some 20 places available, after that non-OARC members will be admitted on a standby basis only, so please register ASAP if attending.

It's now possible to support OARC through an optional workshop attendee donation at: http://oarc-spring2014-warsaw.eventbrite.com/

Additional sponsors for this meeting and/or a potential social event remain welcome - please contact spon...@dns-oarc.net if interested.

For accommodation, travel and venue information, please see the RIPE68 meeting site at: https://ripe68.ripe.net/venue/meeting-venue/ though note that discounted room rates end on Monday April 21st.

See you in Warsaw !

Keith Mitchell
OARC President
[dns-operations] DNS-OARC May Warsaw workshop, Indico Server
This is a quick note to confirm that OARC's next DNS Operations Workshop will be taking place in Warsaw, Poland, on the 10th and 11th May, at the same location as the subsequent RIPE68 meeting.

At this point I'd refer you to our conference server, https://indico.dns-oarc.net for further details. Unfortunately it has suffered some database issues in the past few days, and we're currently working to fix these. In the meantime we apologize for the non-availability of this platform for submitting abstracts for the May workshop, and accessing past OARC workshop content.

The original abstract submission deadline for the workshop was this Friday 28th February. We are now extending the submission deadline to FRIDAY 21ST MARCH, submissions remain very welcome.

We plan to have Indico back up and running in the next couple of days, at which point we will open registrations for the workshop. If you'd like to submit an abstract meantime, the Programme Committee is accepting these by e-mail to submissi...@dns-oarc.net.

If attending, you may also want to start booking your accommodation/travel for the meeting, the necessary details are at: https://ripe68.ripe.net/venue/meeting-venue/

All other OARC systems are running normally, thanks for your patience while we address this. The OARC Team, Board and PC members will be attending IETF89 in London next week and happy to discuss the workshop or other OARC business at any time.

Keith
Re: [dns-operations] Atlas Probe - Result question hostname.bind = clboh-dns-cac-307
On 02/07/2014 12:17 PM, Tony Finch wrote:

> $ host clboh-dns-cac-307.ohiordc.rr.com
> clboh-dns-cac-307.ohiordc.rr.com has address 65.24.26.42
> clboh-dns-cac-307.ohiordc.rr.com has IPv6 address 2605:a000:200:16::a

(rrcs-70-61-238-78.central.biz.rr.com, only 20ms away, wonders how he too can get an IPv6 address...)

Keith
Re: [dns-operations] [OT] What are the most desirable skills, experience & education for [becoming] a good DNS engineer?
On 01/29/2014 01:27 PM, Stefan wrote:

> I know this may sound a little odd, but have been struggling with trying to identify a good candidate for a DNS (& DHCP) migration of a large infrastructure, from Windows based environment, to a vendor based appliance (and keeping such as a full time employee, in the process, in the network group, for administration and lifecycle of such).

IMHO given the requirements stated below, in today's hiring environment, you are asking for the moon-on-a-stick, with added pony. Good luck !

> I would think that primordial to a level of strong engineering abilities would be networking (TCP/[UDP]/IP on top of which DNS as protocol and its behaviors knowledge would be a must). The OS level knowledge comes next, as bind on *nix or on F5 (thinking GTM here), for example, needs to be comprehensively understood, as well as the Windows implementation and relationship between DNS and AD.

In previous hiring, I've particularly found it very difficult to find people who are strong in both of DNS and Windows.

> Security comes as a given, of course, as name resolution is critical from that stand point, especially on the public facing part. Vendor X appliance background is also desirable, on top of all these, 'cause that would be the moving to point, and understanding specifics will be critical.

I wouldn't get too hung up on appliance-vendor-specific experience - while they will all have their deep wrinkles, someone with a good grounding in sysadmin/neteng basic principles should be able to pick these up without too much difficulty.

> Add to this knowledge of applications and possible name resolution specifics at layer 7, maybe not following the rules of the OS stubs, and I pretty much covered the entire computer science spectrum ;-)

I note you did not mention any software engineering/coding skills, I expect the extent to whether you want these and/vs network operations skills is something to consider carefully for your environment.

> Considering all of the above - what is your experience and/or opinion in regards to how a good DNS engineer (or a good engineer with primary responsibility in another technology) came to become? What helped you the most in becoming one?

(Having been doing DNS stuff since 1986, I suspect I'm not a good candidate to answer the second question :-)

My advice would be to find someone who has at least some of the relevant background, is demonstrably flexible and willing to learn, and then be willing to make an investment in their growing the extra skills they need to fill your full requirements.

Hope that is some help,

Keith
Re: [dns-operations] summary of recent vulnerabilities in DNS security.
On 10/22/2013 10:52 AM, Haya Shulman wrote:

>> Disclosing such potential vulnerabilities remains valuable work, but I think careful consideration needs to be applied to the engineering economics of the best operational-world mitigation approaches.
> @/Keith Mitchell/

(My head is *really* hurting from this quotation formatting..)-:

(re-wrapping and indenting to list conventions...)

> I do not advocate to deploy these or other countermeasures. Above any doubt you are in the best position to decide which countermeasures to deploy.

Not really, OARC does not operate production service-providing infrastructure except to support a membership organization, most of our infrastructure is dedicated to data-gathering/testbed/research purposes. So I defer to *real* DNS infrastructure operators and implementors on any such judgments.

> The situation with DNS checkers is different from deployment of port randomisation. DNS checkers is a very important service to the community and the efforts that their operators took to make them available is very valuable. However, an illusion of security is more dangerous than not being protected at all (in the latter case one is aware that he is not protected and may be attacked).

Fair enough.

> I admit that I do not know what economic effort is required to patch DNS checkers which report per-destination ports, recommended in [RFC6056], as secure

Well, more than we've been able to dedicate in the past month or so. I'm trying to get an estimate of this from those best placed to do the actual work.

> but I suggested a fix to this vulnerability some time ago, that should be fairly simple to implement;

Yes, but as I explained privately previously, there is no record of this correspondence through official OARC channels - I did request you re-send, but I don't have a copy of it.

> the problem with the porttest checker is that each IP address of the checker system receives a single query from the tested resolver, and so to each such IP address a random port is selected. But, if more than a single query were sent to each checker IP during the test, then the predictable sequence would be easily identified.

Thank you for this clarification - any further points you have about the best way to implement the fix to this would be welcome, but are likely best taken off-list.

Keith
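The checker change discussed in this message, sketched as an added example (not OARC's porttest code and not posted by anyone in the thread): two constructed resolver models, one choosing ports per destination in the style of RFC 6056's hash-based selection and one fully random, are probed with one query and with three queries per checker address. The addresses, the `max_step` threshold and all class and function names are assumptions made for the illustration.

```python
import hashlib
import random
import statistics

MIN_EPHEMERAL = 1024
NUM_EPHEMERAL = 65536 - MIN_EPHEMERAL

# Constructed checker addresses (documentation range), one per test server.
CHECKER_IPS = [f"198.51.100.{i}" for i in range(1, 27)]


class HashBasedResolver:
    """Constructed model: per-destination ports in the style of RFC 6056's
    simple hash-based selection (keyed offset per destination + counter)."""

    def __init__(self, secret, local_ip="192.0.2.53"):
        self.secret = secret
        self.local_ip = local_ip
        self.next_ephemeral = 0

    def source_port(self, remote_ip, remote_port=53):
        key = f"{self.local_ip}|{remote_ip}|{remote_port}|".encode() + self.secret
        offset = int.from_bytes(hashlib.sha256(key).digest()[:4], "big")
        port = MIN_EPHEMERAL + (offset + self.next_ephemeral) % NUM_EPHEMERAL
        self.next_ephemeral += 1
        return port


class RandomPortResolver:
    """Constructed model: an independent random port for every query."""

    def __init__(self, seed):
        # Seeded PRNG only so that the demonstration is repeatable.
        self.rng = random.Random(seed)

    def source_port(self, remote_ip, remote_port=53):
        return self.rng.randrange(MIN_EPHEMERAL, 65536)


def probe(resolver, checker_ips, queries_per_ip):
    """Source ports each checker address would log, in arrival order."""
    seen = {ip: [] for ip in checker_ips}
    for ip in checker_ips:
        for _ in range(queries_per_ip):
            seen[ip].append(resolver.source_port(ip))
    return seen


def pooled_stddev(seen):
    """The pooled statistic: spread of all ports, ignoring destination."""
    return statistics.pstdev([p for ports in seen.values() for p in ports])


def predictable_destinations(seen, max_step=64):
    """Checker addresses whose consecutive ports only ever advance by a small
    positive step (modulo the range). Needs two or more queries per address."""
    flagged = []
    for ip, ports in seen.items():
        steps = [(b - a) % NUM_EPHEMERAL for a, b in zip(ports, ports[1:])]
        if steps and all(0 < s <= max_step for s in steps):
            flagged.append(ip)
    return flagged


def run_demo():
    """Probe both models with 1 and with 3 queries per checker address."""
    results = {}
    for name, make in (
        ("hash-based", lambda: HashBasedResolver(b"constructed-secret")),
        ("random", lambda: RandomPortResolver(seed=2013)),
    ):
        one = probe(make(), CHECKER_IPS, 1)
        three = probe(make(), CHECKER_IPS, 3)
        results[name] = {
            "stddev_one_query": pooled_stddev(one),
            "flagged_one_query": predictable_destinations(one),
            "flagged_three_queries": predictable_destinations(three),
        }
    return results


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(f"{name:10s} std dev {r['stddev_one_query']:8.0f}  "
              f"flagged (1 query/IP) {len(r['flagged_one_query']):2d}  "
              f"flagged (3 queries/IP) {len(r['flagged_three_queries']):2d}")
```

With one query per address the hash-based model produces a wide pooled spread and nothing is flagged; with three queries per address every checker address sees a step of 1 and is flagged, while the random model stays clean.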
Re: [dns-operations] summary of recent vulnerabilities in DNS security.
On 10/22/2013 02:41 PM, Haya Shulman wrote: Yes, but as I explained privately previously, there is no record of this correspondence through official OARC channels - I did request you re-send, but I don't have a copy of it. I am not sure what you mean by `official OARC channels`, I forwarded my communication on this issue, with porttest operators, to you a month or so ago. I've now tracked down the relevant correspondence, which you sent to a couple of Verisign contacts with non-current OARC roles back in April 2012, then re-sent to me on 9th Sep. Sorry for saying you didn't send me this, it's been a busy couple of months. Maybe these were not official channels, but I have not contacted OARC otherwise, via a different channel. Can you please advise how to contact OARC through official channels? You already did this by communicating directly with me last month and should continue to do so, thank you. I think we now have all the disparate information we need to look into fixing the port tester, just please understand that you are dealing with a community with many issues to address and finite resources to do so. Keith
[dns-operations] DNS-OARC Fall Workshop Final Information
Here's final information for our AGM and Fall workshop for this weekend in Phoenix. Saturday morning will be OARC's Annual General Meeting, with formal business and content targeted at OARC Members. The webcast for this is closed, if you represent a member and did not get credentials and proxy voting information already, please contact ad...@dns-oarc.net ASAP. The full meeting timetable is now available at: https://indico.dns-oarc.net/indico/conferenceTimeTable.py?confId=1 Saturday afternoon's open workshop starts at 2pm local time (22:00 UTC), and includes a themed session from various contributors who have been analysing DITL data for ICANN's High-Risks Strings Collisions study. We then wrap up Saturday with a number of talks about DNS tools. Note that we will only be providing attendee lunch on Saturday, on Sunday you will need to make your own eating arrangements. Sunday starts with an update on OARC's infrastructure improvements, then has a range of talks on various ways in which DNS is abused, finishing with an overview of DNS Abuse intended to appeal to NANOG attendees. For remote attendance, our ARIN-sponsored webcast will be at: http://clients.kikaua.com/oarc with slides linked to from the above meeting timetable page, and jabber remote participation at: xmpp:dns-operati...@conference.jabber.dns-oarc.net For on-site connectivity, we'll be using the NANOG/ARIN meeting wireless network, see: http://www.nanog.org/meetings/nanog59/internet for details. During the Saturday lunch break, Peter Losher will be running a PGP signing session, please submit your keys to plos...@isc.org for upload to the meeting keyring which will be published on the meeting site. Finally, a big thank you to our sponsors ARIN and CIRA, and to NANOG and ICANN for their support of this workshop. Keith (and apologies for the outage to the Indico server during the past 24 hours, I'm pleased to report we now have this upgraded to new hardware.)
Re: [dns-operations] DNS Attack over UDP fragmentation
On 09/09/2013 06:07 AM, Haya Shulman wrote: For instance, DNS-OARC does not detect port prediction attacks, and reports clients as secure, while they are vulnerable to attacks. OARC does many things, I assume here you are referring to our port entropy tester: https://www.dns-oarc.net/oarc/services/porttest I contacted the maintainers of DNS-OARC and notified them of this vulnerability last year, and proposed a simple fix to the problem... but the system was not updated and still reports vulnerable systems as secure, so relying on its feedback may be risky. I didn't see that communication, so I can only assume it pre-dated my current OARC tenure. Thanks for the heads-up and apologies it did not get responded to. If you could please re-send me what you sent off-list, we'll see about getting your proposed fix incorporated into the tool and/or an appropriate caveat meantime. Keith
Re: [dns-operations] Implementation of negative trust anchors?
From: Doug Barton do...@dougbarton.us As stated before, the problem is that after the early adopter period is over we'll be stuck with NTAs forever. This is one of those fundamental disagreements between those who believe that DNS should always be forgiving of operator error, and those of us who do not. So, for DNSSEC deployment transition work-arounds: - ISC's DLV is the white list - NTAs are the black list and both need a best-before date ? Keith
[dns-operations] DNS-OARC Fall 2013 Workshop - Phoenix, Arizona 5th/6th October
DNS-OARC is pleased to announce that its 2013 Fall Workshop and Member AGM will take place in Phoenix, Arizona, USA on the 5th and 6th October. This will be held in co-operation with the subsequent NANOG59 meeting, and we're grateful to NANOG and ICANN for their support of our workshop. OARC Workshop meetings are open to OARC members, presenters, and to all other parties interested in DNS operations and research, subject to available space. NANOG attendees are particularly welcome this time around, and OARC plans to additionally contribute DNS-related material to the NANOG59 program. We are seeking sponsors for this meeting and potential social events - if your organization is interested in sponsorship, please contact spon...@dns-oarc.net for more information. NANOG have kindly arranged for us to be added to their accommodation booking room block with the venue hotel - this has given us significant savings both for our meeting room expenses, and the room rate available to attendees - please help NANOG and OARC by booking your accommodation as early as possible. Workshop registration is free, with priority given to OARC Members and Sponsors in the event of limited space. Call for Presentations -- This workshop continues OARC's tradition of having meetings include a strong operational component. Presentations from DNS operators are particularly welcome. We'll also gladly accept talks from DNS researchers, as well as any other DNS-related subjects. Please submit a brief abstract of your proposed talk by creating an account and completing the form at: https://indico.dns-oarc.net/indico/conferenceCFA.py?confId=1 by the submission deadline of 6th September. We are also planning to submit DNS Tutorial and/or Track material to the NANOG Programme Committee, please contact submissi...@dns-oarc.net if you wish to contribute to this. 
OARC is seeking volunteers to serve on our Programme Committee for this and subsequent meetings, please contact submissi...@dns-oarc.net if you are interested in helping. (Please note that OARC is run on a non-profit basis, and is not in a position to reimburse expenses or time for speakers at its meetings.) -- Dates: Saturday 5th and Sunday 6th October, 2013 Venue: Sheraton Wild Horse Pass Registration: https://indico.dns-oarc.net/indico/event/workshop-2013-10 Address: 5594 W. Wild Horse Pass Boulevard Chandler, Arizona 85226, USA Room: Komatke E/F/G Accommodation: http://www.nanog.org/meetings/nanog59/hotelinformation
Re: [dns-operations] OARC website down ?
On 06/14/2013 08:11 AM, Stephane Bortzmeyer wrote: On Fri, Jun 14, 2013 at 12:55:27PM +0100, Billy Glynn billy.gl...@iedr.ie wrote a message of 52 lines which said: The DNS-OARC website appears to be down... Down from 1150 UTC to 1205 UTC for maintenance. Apologies for this - we're making good progress with building the replacement servers, but most services still rely on the aging in1 server, which got itself into something of a mess over the past few days and we needed to do emergency re-boots. It has been re-booted and is in a much better state, however: ODVR did not restart yet :-( There's a number of the many services that OARC has accumulated over the years that we still don't have as deep an understanding of the operation of as we would like, hence the delay in re-starting ODVR. This will change as these services are migrated over to the new servers. We'll undertake to give advance notice when we have to take services down for maintenance in future. Keith
[dns-operations] DNS-OARC Spring Workshop Final Information
Our Dublin workshop is proving to be packed, from both a content and attendance point of view. Our main themed session for the workshop is on the ever-topical subject of open resolver-based attacks, with 4 speakers, chaired by Merike Kaeo on Sunday afternoon. Much of Monday morning is devoted to talks and operational experience and measurement of DNSSEC. We have a number of talks on various approaches to DNS monitoring, and several research talks. My new colleague William Sotomayor will be reporting on his progress rejuvenating OARC's infrastructure, and I will be speaking about the recent member survey, board retreat, and ensuing OARC development plan. Note that although these talks in the second half of Monday morning are targeted at and mostly of interest to OARC Members, we are not having a formally closed members-only session this time. Please note that the meeting venue is now *full*, and we can't accept any further registrations or walk-ins. If you registered, please ensure you pick up your badge when you arrive so you have access to lunch and the evening social event. If you didn't register, you can still attend remotely - you can find the speakers' slides via the agenda at: https://indico.dns-oarc.net/indico/conferenceTimeTable.py?confId=0 and we will be webcasting proceedings with help from ICANN at: http://icann.adobeconnect.com/dns-oarc/ with jabber remote participation at: xmpp:dns-operati...@conference.jabber.dns-oarc.net For on-site connectivity, we'll be using the RIPE meeting wireless network, look for SSID ripemtg. During the Sunday lunch break, Sebastian Castro will be running a PGP signing session, please check with him for keyring details. At the end of the Sunday (18:30) we have a social event, we're grateful to OARC members APNIC, NZRS and RIPE External Relations for sponsoring this, and also INEX and DB Events for helping organise it.
Finally, a big thank you to IEDR for sponsoring and helping with the meeting, Nominet for sponsoring our coffee breaks, and the RIPE NCC meeting and Ops teams for providing connectivity. Look forward to seeing you all in Dublin ! Keith
Re: [dns-operations] [Off-topic] DNS dataset for academic research
On 04/18/2013 11:23 AM, Kaio Rafael wrote: Hi, I am looking for a DNS dataset for academic research. I have been studying .BR DNS dataset (DITL 2008 on DNS-OARC servers), however, I would like to investigate more recent traffic. More recent DITL datasets are available from OARC, please contact us offline at ad...@dns-oarc.net and we'll let you know what we have. Keith
Re: [dns-operations] Advisory — D-root is changing its IPv4 address on the 3rd of January.
Jason, On 12/14/2012 01:01 PM, Sebastian Castro wrote: On 14/12/12 11:54, Jason Castonguay wrote: Advisory — D-root is changing its IPv4 address on the 3rd of January. The new IPv4 address for this authority is 199.7.91.13 Also, do you have plans to capture traffic on a regular basis to keep track of the transition process? More than a few researchers lurking on this list will be very interested in that data :) Indeed, it could be interesting to do DITL-style data capture at the various migration transition points, and to see what the long tail decay on traffic to the old address looks like. OARC can potentially help with sharing such data if that would be desirable/acceptable. Keith
Re: [dns-operations] Upgrade to 9.9.1-p3 and zone transfer problem
Ayca Taskin (Garanti Teknoloji) wrote: Well, that's zone transfers, so of course it will still work! You can even have your master server running BIND, and transferring to other DNS servers (NSD, MS, ...) or the other way around. Yes we’re using BIND for primary and secondary DNS servers and I wonder that in the case of primary dns server’s BIND version(9.9.1.3-P3) is different the secondary BIND version(9.6.1) BIND 9.6.1 is a rather old version, with at least half-a-dozen known security vulnerabilities, you should really think about upgrading your secondary to a newer BIND version is it possible any problem between primary and secondaries like zone transfer etc.? As Nicolas says, this is highly unlikely. Keith