a note to those who would automate their rejection notices

2003-12-27 Thread Paul Vixie
today AOL thoughtfully supplied the following to [EMAIL PROTECTED]: [EMAIL PROTECTED] SMTP error from remote mailer after initial connection: host mailin-02.mx.aol.com [64.12.137.89]: 554-(RLY:B1) The information presently available to AOL indicates this 554-server is

Re: a note to those who would automate their rejection notices

2003-12-27 Thread Paul Vixie
pv of the foundational principles which made the internet pv possible and which made it different from alternatives such as pv OSI, very few remain. Would SPF http://spf.pobox.com/ be a bit less destructive than many other proposals to counter trivial forgery. No. Nor will

Re: Root Authority

2003-12-16 Thread Paul Vixie
as NS.ISC.ORG and the man who said it was ok for us to be a root name server was jon postel. i'm not sure he had any authority either, but folks pointed at him and so what he said was relevant in spite of any authority he mightn've had. -- Paul Vixie

Re: incorrect spam setups cause spool messes on forwarders

2003-12-02 Thread Paul Vixie
or the output side of a proxy (which might be hard to detect). so it turns out that ignoring 5XX is like sending up a flare, blackhole me!. -- Paul Vixie

Re: incorrect spam setups cause spool messes on forwarders

2003-12-02 Thread Paul Vixie
would happen if everybody did callbacks; first, what would happen to the load on the world's nonabusing mail servers, and then, what would the spammers do in response if this was effective? -- Paul Vixie

Re: RBLs in use

2003-11-20 Thread Paul Vixie
and then there's the granddaddy of them all, MAPS. see www.mail-abuse.org. -- Paul Vixie

Re: looking for pull traffic

2003-11-13 Thread Paul Vixie
(transit pricing). I'm looking for legitimate ways to generate a significant amount of pull traffic, including partnerships with Southern California ISPs. Thanks. -- Paul Vixie

Re: looking for pull traffic

2003-11-13 Thread Paul Vixie
Ahh, but are you saying that current blow-based transit pricing is stable? ah. no. current transit pricing is way way lower than a non-bankrupt provider can afford to do it for on an ROI that the public markets would find worthy of their praise. eventually, all kinds of flies are going to

Re: The Internet's Immune System

2003-11-12 Thread Paul Vixie
out if your peering agreements require your peers to permanently disconnect repeat abuse sources, and to temporarily disconnect first time abuse sources. assuming that $YOU do these things, but that $YOUR_PEERS do not, then what have you really accomplished? -- Paul Vixie

Re: Portscans/PROXY scans

2003-11-02 Thread Paul Vixie
and complain about it. funny asymmetry. anyway, when they call, and they learn that it was a legit port scan, then they can learn of the need to shut down wormridden customer hosts. so no matter what, it's good to listen to complaints, and good to complain. -- Paul Vixie

Re: Portscans/PROXY scans

2003-11-01 Thread Paul Vixie
listen up. just because many of the infected hosts won't be disinfected, don't assume that there's no value in tracking and reporting them, or that there's no reason to spend money listening to and acting on complaints about them. the internet's immune system needs *more* resources, not fewer. -- Paul

Re: 'Net security gets root-level boost

2003-10-30 Thread Paul Vixie
or times that these tests had been run, nor did they say they would preannounce future tests, so nobody but verisign will be able to synchronize other measurements with these tests.) -- Paul Vixie

opinions on the com/net wildcard issue

2003-10-23 Thread Paul Vixie
my survey is over. see http://sa.vix.com/~vixie/comnetsurv/ for the results.

Re: False information: CEO of Versign facts are wrong

2003-10-17 Thread Paul Vixie
-- so investment isn't a direct issue. finally, sclavos described their investment in their gtld servers and then acted as if this investment had been solely for the benefit of their a-root and j-root servers, which is not the case at all. all in all a most disappointing exposition. -- Paul Vixie

Re: False information: CEO of Versign facts are wrong

2003-10-17 Thread Paul Vixie
it. sorry rodney. sloppy editing. -- Paul Vixie

Re: [Fwd: [IP] VeriSign to revive redirect service]

2003-10-16 Thread Paul Vixie
if we all stop calling this NXDOMAIN. the proper term is RCODE 3. when you say NXDOMAIN you sound like you've only read the BIND sources and not the RFC's. NXDOMAIN is a BINDism, whereas RCODE 3 refers to the actual protocol element. -- Paul Vixie

Re: [Fwd: [IP] VeriSign to revive redirect service]

2003-10-16 Thread Paul Vixie
on the sitefinder address, and as such, would have enabled nameserver administrators to break _sitefinder_. isc's patches for bind9 enable nameserver administrators to break only the _redirection_ to sitefinder. -- Paul Vixie

i'd like to know your opinions on the com/net wildcard issue

2003-10-13 Thread Paul Vixie
see http://sa.vix.com/~vixie/comnetsurv/ this is not an icann thing btw, it's just me.

Re: i'd like to know your opinions on the com/net wildcard issue

2003-10-13 Thread Paul Vixie
see http://sa.vix.com/~vixie/comnetsurv/ An incentive to take the survey: If you fill it out, it'll tell you the aggregated results so far, which are, lemme tell you, pretty surprising. Who knew that NANOG subscribers would anonymously admit they were clueless? :-) that's just bad

i'm missing my copy of why a wildcard MX won't help sitefinder

2003-10-09 Thread Paul Vixie
find it now. can someone privately send it to me if you've got it? -- Paul Vixie

Re: Will reverting DNS wildcard have any adverse affects?

2003-10-04 Thread Paul Vixie
things like: zone waw.pl { type delegation-only; }; to random zones that they think -SHOULD- be delegation-only, regardless of what the zone admin specifies. and remember, kids, all power tools can kill. -- Paul Vixie

Re: Will reverting DNS wildcard have any adverse affects?

2003-10-04 Thread Paul Vixie
you wanted restricted. With the latter, you need to be alert all the time, keep an eye on all TLDs, whether they are legally using delegations. If I am not mistaken, exclude statement to this option had four revisions already. Four revisions in the first two days, none since. -- Paul Vixie

Re: ISPs blocking port 53? (was Re: Annoying dynamic DNS updates)

2003-09-29 Thread Paul Vixie
whats disturbing is how many contact addresses for both whois and AS#'s bounce sure, i agree, that's disturbing. however, it's a different problem than having mail get ignored or ignorebotted and then depref'd so low that nobody even bothers to call you or let you know whether a human ever

Re: ISPs blocking port 53? (was Re: Annoying dynamic DNS updates)

2003-09-29 Thread Paul Vixie
... probably most of the Abuse issues (especially via email) would continue to be ignored. No one wants to handle that stuff. But someone(s) must handle that stuff. the underlying question is, or else what? this is an asymmetric-benefit situation. when folks ignore reports from noncustomers

Re: Annoying dynamic DNS updates (was Re: someone from attbi please

2003-09-28 Thread Paul Vixie
customers is allowed to ride. Why is dynamic DNS update enabled by default on some operating systems? Microsoft's culpability in this mess is not even on my mind today. They will at least talk about their role in the situation, so they're more responsible than Comcast this week. -- Paul Vixie

Re: Annoying dynamic DNS updates (was Re: someone from attbi please contact me ...)

2003-09-28 Thread Paul Vixie
to MSN and buy a real domain name. That is, they could be making money here rather than just giving my syslogd a headache. If MSFT would behave more greedily then their customer PCs would be contacting them rather than me, right? -- Paul Vixie

Re: ISPs blocking port 53? (was Re: Annoying dynamic DNS updates)

2003-09-28 Thread Paul Vixie
How should an ISP tell the difference between good DNS packets and bad DNS packets? the bad ones are the ones people complain about. You aren't complaining about your dynamic update packets or even all dynamic updates. You are complaining about someone sending you packets you don't want.

Re: ISPs blocking port 53? (was Re: Annoying dynamic DNS updates)

2003-09-28 Thread Paul Vixie
the whole end-to-end argument depends on uniform clue distribution for scale. ... Getting vendors to supply more appropriate defaults offers better scaling possibilities. Your complaint might fix one user's computer, Microsoft updating the default behavior would fix tens of millions of

Re: Unauthorized DNS updates

2003-09-28 Thread Paul Vixie
Is there a way to configure bind so that when an **unauthorized** update comes in it enstates an address of the owner's choice? well, i'm thinking of setting up a wildcard A RR pointing at 127.255.255.255. -- Paul Vixie

Re: A list of (mostly) technical consequences of TLD wildcards

2003-09-27 Thread Paul Vixie
. see [4.3.2]. What this means is, there is no such thing as a wildcard CNAME. -- Paul Vixie

Re: A list of (mostly) technical consequences of TLD wildcards

2003-09-27 Thread Paul Vixie
What this means is, there is no such thing as a wildcard CNAME. Funny... $ host -t cname \*.TD *.TD is an alias for www.nic.TD. just because bind does it doesn't make it a standard. -- Paul Vixie

someone from attbi please contact me regarding host 24.129.84.175

2003-09-27 Thread Paul Vixie
noc@ and abuse@ are ignoring me as usual, so i'm spamming nanog@ in hopes of locating attbi clue. i need somebody who can educate one of your customers who is dns-updating me. re: [fh:i386] grep -c 'client 24.129.84.175.*update.*denied' messages 74 [fh:i386] zgrep -c 'client

Re: Verisign Responds

2003-09-24 Thread Paul Vixie
See the NANOG archives for my post regarding wildcard caching and set comparison with additional resolver functionality for requesting if the resolver wishes to receive wildcards or NXDOMAIN. oh... that wasn't a joke, then? there won't be a protocol change of that kind, not in a million

Re: Verisign Responds

2003-09-24 Thread Paul Vixie
read rfc's 1033, 1034, 1035, 2136, 2181, and 2317. -- Paul Vixie

Re: New CA Law

2003-09-24 Thread Paul Vixie
this week, this one is offtopic. -- Paul Vixie

workaround published for BIND8 and delegation-only

2003-09-24 Thread Paul Vixie
so far, the BIND8 code itself has been resistant to this feature, but... see the current http://www.isc.org/products/BIND/delegation-only.html page.

Re: Verisign Responds

2003-09-23 Thread Paul Vixie
. and it does seem rather urgent that if a wildcard in the root domain or in a top level domain is dangerous and bad, that the ietf say so out loud so that icann has a respected external reference to include in their contracts. -- Paul Vixie

Re: bind 9.2.3rc3 successful

2003-09-23 Thread Paul Vixie
luck? What needs to be done to make this a standard feature set? Is somebody working on an RFC? i do not expect the ietf to say that root and tld zones should all be delegation-only. but good luck trying. -- Paul Vixie

Re: Verisign Responds

2003-09-23 Thread Paul Vixie
... We recommend that any and all TLDs which use wildcards in a manner inconsistent with this guideline remove such wildcards at the earliest opportunity. What else does the IETF need to do here? issue an rfc. iab is not a representative body, and their opinions are not refereed.

Re: bind 9.2.3rc3 successful

2003-09-23 Thread Paul Vixie
Now all I need is a patched version of the 9.3 snapshot tree, so I don't need to kill my dnssec stuff :P (And it's time for a non-snapshot bind version with full dnssec capabilities anyway :) if you ask that question on [EMAIL PROTECTED], i promise to answer. but i do not think details of

Re: bind patches++ (Re: Wildcards)

2003-09-23 Thread Paul Vixie
Hello Paul , All , Is there a url listing the TLD's that officially use wild cards in their deployment ? nope. right now you just have to know. we're trying to keep a list of places that either use wildcards and have been accepted by the community, or don't use wildcards but run

Re: Verisign Responds

2003-09-23 Thread Paul Vixie
I wonder btw why Verisign didn't catch the typo's in their own domains if they think it is that important: ... ;; QUESTION SECTION: ;.verisign.com. IN A wildcards don't work that way. there are ns rr's in .com for verisign.com, so you get a referral to those servers no

Re: [Fwd: monkeys.dom UPL DNSBL being DDOSed to death]

2003-09-23 Thread Paul Vixie
[EMAIL PROTECTED] (Matthew Sullivan) writes: ... That leave 2 proxy DNSbls left - SORBS and DSBL... well, and, there's the MAPS OPL, which is also part of the RBL+. (just 'cuz i'm not operationally involved with maps doesn't mean i stopped subscribing.) -- Paul Vixie

Re: Verisign Responds

2003-09-23 Thread Paul Vixie
loadbalanced through four /16's that may have real hosts in them seems like the wrong way forward. -- Paul Vixie

Re: When is Verisign's registry contract up for renewal

2003-09-21 Thread Paul Vixie
else on the table or in existence today. -- Paul Vixie

Re: When is Verisign's registry contract up for renewal

2003-09-21 Thread Paul Vixie
website: www.alt-servers.org. what a BAD idea. worse than anything else on the table or in existence today. Splitting the root you mean? I'm not sure there was enough info on that site to come to any other conclusion, but I wanted to make sure. this is just dns piracy, dressed up

bind patches++ (Re: Wildcards)

2003-09-20 Thread Paul Vixie
to the membership of the bind forum who make this possible. -- Paul Vixie

Re: bind patches++ (Re: Wildcards)

2003-09-20 Thread Paul Vixie
-0400 (EDT) From: Mr. James W. Laferriere [EMAIL PROTECTED] To: Paul Vixie [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: bind patches++ (Re: Wildcards) Hello Paul , Am I correct in the understanding that the below tells me that 9.2.2p2 does NOT contain the ability to do

Re: VeriSign SMTP reject server updated

2003-09-20 Thread Paul Vixie
wondering if i'm a verisign apologist lately and i believe that open debate is better for this kind of thing. -- Paul Vixie

Re: VeriSign SMTP reject server updated

2003-09-20 Thread Paul Vixie
Is it possible for the client resolver code to distinguish between a wildcard answer and an explicit answer? no. If this was available, it would mail clients and other things interested in the specific domain name could get the answers they want. While other stuff would get the wildcard

Re: When is Verisign's registry contract up for renewal

2003-09-20 Thread Paul Vixie
, uniform dealing, and nonconflict with the public's interest. -- Paul Vixie

Re: Appreciation for Bind patches

2003-09-20 Thread Paul Vixie
I have been following the various threads relating to Verisign and wanted to make one comment that I feel has been missing. Simply put, I would like to publicly express my appreciation to Mr. Vixie for taking the time to add the root-delegation-only patch for Bind. I'm fairly new to NANOG,

Re: Root Server Operators (Re: What *are* they smoking?)

2003-09-17 Thread Paul Vixie
Following Internet Standards and to improve performance for all Internet users, what if Verisign decided to start including other A records directly in the .COM/.NET zones? For example, the A records for the servers for the .COM/.NET zones? funnily enough, that would work fine, since it

Re: Root Server Operators (Re: What *are* they smoking?)

2003-09-17 Thread Paul Vixie
: zone com { type delegation-only; }; : zone net { type delegation-only; }; My first reaction to this was: 'yuck'. mine also. I'm not sure of the side-effects this will introduce. Anyone? if verisign served a subdomain of com or net on the same server they use for com or net, and if

Re: Root Server Operators (Re: What *are* they smoking?)

2003-09-17 Thread Paul Vixie
Something like this can be seen on www.airow.com: $ dig www.airow.com @a.gtld-servers.net ... looks good to me, man. ; DiG 8.3 @f.6to4-servers.net www.airow.com a ; (2 servers found) ;; res options: init recurs defnam dnsrch ;; got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 4

Re: public resolver (was: bind patch? (Re: What *are* they smoking?))

2003-09-17 Thread Paul Vixie
send dig results and we'll check it out. (not host, and probably not to nanog.) -- Paul Vixie

Re: Change to .com/.net behavior

2003-09-17 Thread Paul Vixie
I've implemented the official ISC Bind hack on every single one of my name servers and am pushing it and the configuration changes out to my customers as a *required* upgrade. that seems a bit extreme. shouldn't they get to decide this for themselves? -- Paul Vixie

BIND 9 (Re: ISC Patches)

2003-09-17 Thread Paul Vixie
are tru64. try it, you'll like it. but I would suggest any discussion about that move over to the BIND list or the USENET gateway comp.protocols.dns.bind. agreed, other than to clear up the above in the same forum where it was heard. -- Paul Vixie

Re: Change to .com/.net behavior

2003-09-17 Thread Paul Vixie
... shouldn't they get to decide this for themselves? Returning NXDOMAIN when a domain does not exist is a basic requirement. Failure to do so creates security problems. It is reasonable to require your customers to fix known breakage that creates security problems. that sounds

Re: Change to .com/.net behavior

2003-09-17 Thread Paul Vixie
How about rewriting all DNS responses to your liking? :-) Like if you ask for www.register.com, you would get the A record for www.verisign.com ? done. #fh:i386# ping -c 1 www.register.com PING www.register.com (216.21.229.101): 56 data bytes 64 bytes from

Re: Change to .com/.net behavior

2003-09-17 Thread Paul Vixie
i'm not sure how many people inside verisign, us-DoC, and icann agree that COM and NET are a public trust, or that verisign is just a caretaker. If there's a disagreement on this concept, we have *BIGGER* problems than just DNS b0rkage. yes. i'm sorry, i thought you knew that. well,

Re: Root Server Operators (Re: What *are* they smoking?)

2003-09-17 Thread Paul Vixie
i don't think so. verisign is on public record as saying that the reason they implemented the wildcard was to enhance the services offered to the internet's eyeball population, who has apparently been clamouring for this. My question is, if this was to serve some need of internet

Re: Root Server Operators (Re: What *are* they smoking?)

2003-09-17 Thread Paul Vixie
unless it's .museum or a non-root non-tld. i guess the ietf has a lot to think about now. re: Date: Wed, 17 Sep 2003 09:58:40 -0500 From: Jack Bates [EMAIL PROTECTED] User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.4) Gecko/20030624 To: Paul Vixie [EMAIL PROTECTED] Cc: [EMAIL

bind patch? (Re: What *are* they smoking?)

2003-09-16 Thread Paul Vixie
gotten faster of late, and so have cpus/memory/motherboards. -- Paul Vixie

Re: News of ISC Developing BIND Patch

2003-09-16 Thread Paul Vixie
dns techs in the industry. nothing that's happening with dot-com or dot-net should be considered relevant to verisign's *root* servers in any way. the *root* servers do not carry dot-com or dot-net, they just carry . itself, and arpa, and in-addr.arpa, and in some cases root-servers.net. -- Paul

Re: Root Server Operators (Re: What *are* they smoking?)

2003-09-16 Thread Paul Vixie
) it. root server operators (see www.root-servers.org for details) include verisign as one of 11 organizations worldwide. the dot-com and dot-net zones, by comparison, are only served by verisign's own servers, and i do not think that verisign will refuse to accept them. -- Paul Vixie

Re: Not the best solution, but it takes VeriSign out of the loop

2003-09-16 Thread Paul Vixie
a good idea at this point. I see nothing else as a serious long-term technical solution. sounds like mob rule to me -- count me out. so, block me first, i guess? -- Paul Vixie

Re: Root Server Operators (Re: What *are* they smoking?)

2003-09-16 Thread Paul Vixie
Anyone have a magic named.conf incantation to counter the verisign braindamage? zone com { type delegation-only; }; zone net { type delegation-only; }; Or does this require a patch to bind? yes, it does. to be released shortly. -- Paul Vixie

Re: News of ISC Developing BIND Patch

2003-09-16 Thread Paul Vixie
I trust your assessment of the DNS techs. But what about [their] bosses? the ones i've met in recent years seemed like reasonable people. They ordered some pretty lumpy things be done with .com and .net. Given that track record, whats to stop them from ordering [the techs] from doing

Re: Root Server Operators (Re: What *are* they smoking?)

2003-09-16 Thread Paul Vixie
Can you also program something to do this for all root zones, i.e. something like 'zone .* { type deligation-only; };' no. not just because that's not how our internal hashing works, but because hosted tld's like .museum have had wildcards from day 1 and the registrants there are perfectly

Re: Root Server Operators (Re: What *are* they smoking?)

2003-09-16 Thread Paul Vixie
So, Verisign just returns a NS pointer to another name server Verisign controls which then answers the queries with Verisign's helpful web site. Half-life of the patch: 1 day? i don't think so. verisign is on public record as saying that the reason they implemented the wildcard was to

Re: What were we saying about edge filtering?

2003-09-04 Thread Paul Vixie
192.5.5.241.53: 12388 SOA? 12.2.10.in-addr.arpa. (38) 16:34:47.981405 172.20.1.1.3436 192.5.5.241.53: 8189[|domain] ^C 3205 packets received by filter 0 packets dropped by kernel -- Paul Vixie

Re: On the back of other 'security' posts....

2003-09-02 Thread Paul Vixie
networks like uunet. -- Paul Vixie

Re: On the back of other 'security' posts....

2003-09-01 Thread Paul Vixie
are generally, by long standing tradition, inconsistent. the rest of the paper is also germane to this thread. just fya, we keep rehashing the UNimportant part of this argument, and never progressing. (from this, i deduce that we must be humans.) -- Paul Vixie

Re: What do you want your ISP to block today?

2003-09-01 Thread Paul Vixie
. the problem microsoft has with software quality is that they have no competition, and their marketing people know that ship dates will drive total dollar volume regardless of quality. (when you have competition, you have to worry about quality; when you don't, you don't.) -- Paul Vixie

Re: On the back of other 'security' posts....

2003-08-31 Thread Paul Vixie
these kids are usually spam victims and almost never spam perps. -- Paul Vixie

Re: Fun new policy at AOL

2003-08-29 Thread Paul Vixie
as for outgoing.) see below. Independent Paul Vixie (Ed.) Request for Comments: Category: Experimental June 6, 2002 Repudiating MAIL FROM Status of this Memo This memo describes an experimental procedure

Re: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?)

2003-08-28 Thread Paul Vixie
? -- Paul Vixie

Re: Fw: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?)

2003-08-28 Thread Paul Vixie
that require active intermediation when downstreams misbehave. you can have peace. or you can have freedom. don't ever count on having both at once. -LL (RAH) -- Paul Vixie

Re: Fun new policy at AOL

2003-08-28 Thread Paul Vixie
(backup?) MX's, and the spammers know this, and take advantage of it.) -- Paul Vixie

Re: Fun new policy at AOL

2003-08-28 Thread Paul Vixie
situation where the good guys follow the above policy and the bad guys do not, it's a slaughter. -- Paul Vixie

Re: Fun new policy at AOL

2003-08-28 Thread Paul Vixie
That's why we must encourage all ISPSs to be good guys, because we don't want Government Regulators setting standards in these areas, do we? if recent activity in the VoIP market is any indication, then we here won't have much input as to when and how the ISP market gets regulated. -- Paul

Re: Re[2]: relays.osirusoft.com

2003-08-27 Thread Paul Vixie
$foo.maps.vix.com zones in favour of the their corresponding replacements $bar.mail-abuse.org some years ago, i had the foresight to ensure that no mail would be blocked by people who failed to put in the configuration change. now you can all see why that was nec'y. -- Paul Vixie

Re: relays.osirusoft.com

2003-08-27 Thread Paul Vixie
Someone has suggested 'anycasting' what do people (particularly you Paul) think of using anycasting for a DNSbl? (- AS112 anyone?) unowned anycast, such as that used in as112, is only possible when the replies have no value (and thus need not be synchronized or centrally authorized.)

Re: XO as Backbone provider - try again

2003-08-24 Thread Paul Vixie
[EMAIL PROTECTED] (Bil Herd) writes: Anyone have positive or negative experiences with XO as a 'tier1' provider? We are re-evaluating our backbone connections. xo seems to have pretty good splay and we've seen no congestion or instability. -- Paul Vixie

anybody know the owner of 209.251.0.0/19?

2003-08-19 Thread Paul Vixie
i'm getting spammed from there... [sa:i386] ./find-spam.pl 209.251.0.0/19 SELECT HOST(s.relay) AS relay, s.entered, s.md5, s.body_md5, LENGTH(s.header)+LENGTH(b.body)+1 AS size, s.header FROM spam s LEFT JOIN bodies b ON

Re: AOL breaking dns spoof protection

2003-08-14 Thread Paul Vixie
[EMAIL PROTECTED] (Petri Helenius) writes: I´m constantly seeing responses to queries for AOL servers which come in from different IP addresses than the query was sent to. due to the weakness of the 16-bit query id field, bind will throw that stuff away. the source address and port has to

Re: WANTED: ISPs with DDoS defense solutions

2003-08-14 Thread Paul Vixie
squid-era cache now! thing.) -- Paul Vixie

Re: Server Redundancy

2003-08-14 Thread Paul Vixie
as a stub host and your upstream routers will dtrt wrt flow hashing for udp or tcp traffic (that is, the udp/tcp port number will figure into the hash function, so you won't multipath your tcp sessions.) This is how f-root has worked for years. Look ma, no appliances. -- Paul Vixie

Re: Electrical Engineering Firm Recommendation

2003-08-14 Thread Paul Vixie
? See http://www.rls.com/. Randy Sparks and Associates, in San Francisco. -- Paul Vixie

Re: WANTED: ISPs with DDoS defense solutions

2003-08-10 Thread Paul Vixie
I don't believe I ever said that the edges shouldn't filter... did I? nope. but you said that backbones couldn't/wouldn't/shouldn't, and i showed that transitivity = laundering, which means backbones MUST filter, to within the best capabilities of current technology.

Re: WANTED: ISPs with DDoS defense solutions

2003-08-06 Thread Paul Vixie
How would the spoofing program, or its user, be able to tell if it was successful? Unless I'm very confused, the definition of spoofing is that the return packets aren't going to come back to you. the whole thing would have to take place during a tcp control session which used d-h to

Re: Server Redundancy

2003-08-06 Thread Paul Vixie
port number will figure into the hash function, so you won't multipath your tcp sessions.) This is how f-root has worked for years. Look ma, no appliances. -- Paul Vixie

Re: WANTED: ISPs with DDoS defense solutions

2003-08-05 Thread Paul Vixie
list the kinds of rpf you know of and why none can be used on a backbone. -- Paul Vixie

Re: Complaint of the week: Ebay abuse mail (slightly OT)

2003-08-04 Thread Paul Vixie
[EMAIL PROTECTED] writes: And so we should do nothing? of course not. but the first thing to do is ignore naysayers. anybody who tells you something can't be done should be suspected of extreme and pervasive laziness until either they or you prove otherwise. -- Paul Vixie

Re: Complaint of the week: Ebay abuse mail (slightly OT)

2003-08-03 Thread Paul Vixie
, either. to get the attention of the people who make this kind of decision in a company like ebay, you'd have to go to the better business bureau, or congress. good luck storming the castle, boys. -- Paul Vixie

Re: WANTED: ISPs with DDoS defense solutions

2003-07-31 Thread Paul Vixie
firewalled inbound SYN packets and/or only permitted inbound UDP in direct response to prior valid outbound UDP, would rob really have seen a ~140Khost botnet this year? -- Paul Vixie

Re: WANTED: ISPs with DDoS defense solutions

2003-07-31 Thread Paul Vixie
However, since improvements are always welcome, please recommend tools which would allow us to progress above and beyond C and its deficiencies. I've never been able to program a buffer overrun vulnerability in Modula 3, or Perl, or any version of Lisp or Scheme. It's possible that the

Re: WANTED: ISPs with DDoS defense solutions

2003-07-31 Thread Paul Vixie
Private deployment of software written in C is very different from a major public release, especially so when included with source code. you're right. when i've been involved in non-opensource products which were written in C and then shipped as binaries, i was scared to death about the lack

Re: Is there a technical solution to SPAM?

2003-07-30 Thread Paul Vixie
consent of the recipients. watching the growth of the anti-ddos and anti-spam industries makes the internet look like a grade school science fair project run amok. -- Paul Vixie
