On Tue, Aug 4, 2009 at 9:25 PM, Paul Vixie vi...@isc.org wrote:
i didn't pay any special heed to it since there was no way to get enough
bites at the apple due to negative caching. when i saw djb's announcement
(i think in 1999 or 2000, so, seven years after schuba's paper came out) i
said,
Hello all, in the last two weeks or so providers in East Africa, particularly
in Kenya where I am, have been moving from satellite to fibre for the
Internet backbone connectivity. From where I am I have seen an upsurge of
about 100Mbps in the last two days from my users. It would be interesting to
That is very much to be expected, if nothing else due to pent-up
demand. The existing vsat infrastructure tends to be pretty saturated,
meaning that users experience a lot of loss as well as delay. What if
they stop losing traffic?
War story: in 1995 I found myself sharing a podium with
In a message written on Tue, Aug 04, 2009 at 11:32:46AM -0700, Kevin Oberman
wrote:
There is NO fix. There never will be as the problem is architectural
to the most fundamental operation of DNS. Other than replacing DNS (not
feasible), the only way to prevent this form of attack is DNSSEC. The
* Leo Bicknell:
In a message written on Tue, Aug 04, 2009 at 11:32:46AM -0700, Kevin Oberman
wrote:
There is NO fix. There never will be as the problem is architectural
to the most fundamental operation of DNS. Other than replacing DNS (not
feasible), the only way to prevent this form of
On 05/08/2009 15:18, Leo Bicknell wrote:
I don't understand why replacing DNS is not feasible.
I'd be happy to think about replacing the DNS as soon as we've finished
off migrating to an ipv6-only internet in a year or two.
Shall we set up a committee to try to make it happen faster?
Nick
On Aug 5, 2009, at 9:32 PM, Florian Weimer wrote:
We might have an alternative one day, but it's going to happen by
accident, through generalization of an internal naming service
employed by a widely-used application.
Or even more likely, IMHO, that more and more applications will have
In message 825c8ac7-c01e-4934-92fd-e7b9e8091...@arbor.net, Roland Dobbins writes:
On Aug 5, 2009, at 9:32 PM, Florian Weimer wrote:
We might have an alternative one day, but it's going to happen by
accident, through generalization of an internal naming service
employed by a
Multiple systems end up with problems. Even standard DNS blows up when
some company (Apple) decides that an extension (.local) should not be
forwarded to the DNS servers on some device (iPhone) because their
service (Bonjour) uses it.
Thanks,
Erik
-Original Message-
From: Roland Dobbins
On Aug 5, 2009, at 10:11 PM, Mark Andrews wrote:
For all its shortcomings the DNS and the single namespace it
brings is much better than
having a multitude of namespaces.
I agree with you, but I don't think this approach is going to persist
as the standard model.
Increasingly,
On Aug 5, 2009, at 10:20 PM, Erik Soosalu wrote:
Multiple systems end up with problems.
Yes, and again, I'm not advocating this approach. I just think it's
most likely where we're going to end up, long-term.
---
Roland
You are right, the 100Mbps is pure network dynamics. Right now we are
adopting a wait-and-see approach, but your added war story means we have to do more
watching as well.
Raymond Macharia
On Wed, Aug 5, 2009 at 4:52 PM, Fred Baker f...@cisco.com wrote:
That is very much to be expected, if nothing else
Hi all,
Any Sprint BGP admins on this list can offer any thoughts on why Sprint
connected networks are preferring my Sprint connection when they should be
preferring my Verizon?
I (Healthy Directions) am AS16387, two blocks 63.73.158.0/24 and
63.78.31.0/24, being announced by sprint and
They will almost always prefer their IBGP to any learned routes. Why send
traffic to a transit network and skew their I/O peering numbers when you can
handle it yourself. I doubt you will change their mind.
Robert D. Scott rob...@ufl.edu
Senior Network Engineer
On Wed, Aug 5, 2009 at 11:39 AM, Robert D. Scott rob...@ufl.edu wrote:
They will almost always prefer their IBGP to any learned routes. Why send
traffic to a transit network and skew their I/O peering numbers when you can
handle it yourself. I doubt you will change their mind.
On Wed, 5 Aug 2009, Edward Brookhouse wrote:
Any Sprint BGP admins on this list can offer any thoughts on why Sprint
connected networks are preferring my Sprint connection when they should be
preferring my Verizon?
I (Healthy Directions) am AS16387, two blocks 63.73.158.0/24 and
63.78.31.0/24,
In a message written on Wed, Aug 05, 2009 at 02:32:27PM +, Florian Weimer
wrote:
The transport protocol is a separate issue. It is feasible to change
it, but the IETF has a special working group which is currently tasked
to prevent any such changes.
My interest was in replacing the
Other than DNSSEC, I'm aware of these relatively simple hacks to add
entropy to DNS queries.
1) Random query ID
2) Random source port
3) Random case in queries, e.g. GooGLe.CoM
4) Ask twice (with different values for the first three hacks) and
compare the answers
I presume everyone is doing
On Wed, Aug 5, 2009 at 6:48 PM, John Levine jo...@iecc.com wrote:
3) Random case in queries, e.g. GooGLe.CoM
4) Ask twice (with different values for the first three hacks) and
compare the answers
I presume everyone is doing the first two. Any experience with the
other two to report?
3
Jorge Amodio (jmamodio) writes:
It may sound too futuristic and inspired from science fiction, but I never saw
Captain Picard typing a URL on the Enterprise.
That's ok, I've never seen the Enterprise at the airport.
Sooner or later, we or the new generation of ietfers and nanogers,
Once upon a time, Phil Regnauld regna...@catpipe.net said:
Jorge Amodio (jmamodio) writes:
It may sound too futuristic and inspired from science fiction, but I never
saw
Captain Picard typing a URL on the Enterprise.
That's ok, I've never seen the Enterprise at the airport.
I
It may sound too futuristic and inspired from science fiction, but I never
saw
Captain Picard typing a URL on the Enterprise.
That's ok, I've never seen the Enterprise at the airport.
Don't confuse sight with vision.
Sooner or later, we or the new generation of ietfers and
That's ok, I've never seen the Enterprise at the airport.
I have, but not that Enterprise (I saw the space shuttle orbiter
Enterprise on a 747 land here).
There is one docked at Pier 26 in New York City :-)
bert hubert (bert.hubert) writes:
5 is 'edns ping', but it was effectively blocked because people
thought DNSSEC would be easier to do, or demanded that EDNS PING
(http://edns-ping.org) would offer everything that DNSSEC offered.
I'm surprised you failed to mention
On 8/5/09 9:48 AM, John Levine wrote:
Other than DNSSEC, I'm aware of these relatively simple hacks to add
entropy to DNS queries.
1) Random query ID
2) Random source port
3) Random case in queries, e.g. GooGLe.CoM
4) Ask twice (with different values for the first three hacks) and
compare
On Aug 5, 2009, at 1:30 PM, Jorge Amodio wrote:
It may sound too futuristic and inspired from science fiction, but
I never saw
Captain Picard typing a URL on the Enterprise.
That's ok, I've never seen the Enterprise at the airport.
Go to Dulles Airport. She used to be on the
On Aug 6, 2009, at 1:12 AM, Douglas Otis wrote:
Having major providers support the SCTP option will mitigate
disruptions caused by DNS DDoS attacks using less resources.
Can you elaborate on this (or are you referring to removing the
spoofing vector?)?
That is, of course, assuming that SCTP implementations someday clean up their
act a bit. I'm not so sure I'd suggest that they're really ready for prime
time at this point.
- S
-Original Message-
From: Douglas Otis do...@mail-abuse.org
Sent: Wednesday, August 05, 2009 11:13
To: John
5 is 'edns ping', but it was effectively blocked because people
thought DNSSEC would be easier to do, or demanded that EDNS PING
(http://edns-ping.org) would offer everything that DNSSEC offered.
I'm surprised you failed to mention http://dnscurve.org/crypto.html,
which is
3 works, but offers zero protection against 'kaminsky spoofing the
root' since you can't fold the case of 123456789.. And the root is
the goal.
Good point.
5) Download your own copy of the root zone every few days from
http://www.internic.net/domain/, check the signature if you can find the
--- jmamo...@gmail.com wrote:
From: Jorge Amodio jmamo...@gmail.com
Sooner or later, we or the new generation of ietfers and nanogers, will need to
start thinking about a new naming paradigm and design the services and protocols
associated with it.
The key question is, when we start?
Thanks All - problem resolved.
From: Bhavini Mehta [mailto:bhavi...@gmail.com]
Sent: Wednesday, August 05, 2009 3:01 PM
To: eb...@setuidzero.org
Subject: Re: Sprint/Verizon BGP
Hello,
Are you still seeing the problem?? I see the route changed in our routing
table 30 mins back and now we
On 8/5/09 11:38 AM, Skywing wrote:
That is, of course, assuming that SCTP implementations someday clean up their act a bit.
I'm not so sure I'd suggest that they're really ready for prime time at this
point.
SCTP DNS would be intended for ISPs validating DNS where there would be
fewer
Read Patterns in Network Architecture by John Day.
A Return to Fundamentals, great book.
the Internet today is more like DOS, but what we need should be more like Unix
Great thing he didn't say Windows :-)
Cheers
Changed the subject line...
--- jmamo...@gmail.com wrote:
Read Patterns in Network Architecture by John Day.
A Return to Fundamentals, great book.
the Internet today is more like DOS, but what we need should be more like Unix
Great thing he didn't say Windows :-)
On 8/5/09 11:31 AM, Roland Dobbins wrote:
On Aug 6, 2009, at 1:12 AM, Douglas Otis wrote:
Having major providers support the SCTP option will mitigate disruptions caused
by DNS DDoS attacks using less resources.
Can you elaborate on this (or are you referring to removing the spoofing
Chapters 5-8 are the meat of naming and addressing and he has a LOT to say on
the subjects... :-)
Yup.
Did I ever tell you that Mrs. McCave
had twenty three sons and she named them all Dave?
well, she did. And that wasn't a smart thing to do.
You see, when she wants one and calls out
On Wed, Aug 5, 2009 at 5:24 PM, Douglas Otis do...@mail-abuse.org wrote:
On 8/5/09 11:31 AM, Roland Dobbins wrote:
On Aug 6, 2009, at 1:12 AM, Douglas Otis wrote:
Having major providers support the SCTP option will mitigate disruptions
caused by DNS DDoS attacks using less resources.
Can
On Wed, 5 Aug 2009 15:07:30 -0400 (EDT)
John R. Levine jo...@iecc.com wrote:
5 is 'edns ping', but it was effectively blocked because people
thought DNSSEC would be easier to do, or demanded that EDNS PING
(http://edns-ping.org) would offer everything that DNSSEC offered.
I'm
On Wed, Aug 5, 2009 at 12:49 PM, Jorge Amodio jmamo...@gmail.com wrote:
At some time in the future and when a new paradigm for the user interface is
conceived, we may no longer have the end user “typing” a URL, the DNS or
something similar will still be in the background providing name to
On Aug 5, 2009, at 6:26 PM, Ben Scott wrote:
On Wed, Aug 5, 2009 at 12:49 PM, Jorge Amodio jmamo...@gmail.com
wrote:
At some time in the future and when a new paradigm for the user
interface is
conceived, we may no longer have the end user “typing” a URL, the
DNS or
something similar
Once upon a time, Ben Scott mailvor...@gmail.com said:
In the vast majority of cases I have seen, people don't type
domain names, they search the web. When they do type a domain name,
they usually type it into the Google search box.
Web != Internet. DNS is used for much more than web
On 8/5/09 2:49 PM, Christopher Morrow wrote:
and state-management seems like it won't be too much of a problem on
that dns server... wait, yes it will.
DNSSEC UDP will likely become problematic. This might be due to
reflected attacks, fragmentation related congestion, or packet loss.
When
On Wed, Aug 5, 2009 at 6:37 PM, Chris Adams cmad...@hiwaay.net wrote:
... we may no longer have the end user “typing” a URL, the DNS or
something similar will still be in the background providing name to address
mapping ...
In the vast majority of cases I have seen, people don't type
At some time in the future and when a new paradigm for the user interface is
conceived, we may no longer have the end user “typing” a URL, the DNS or
something similar will still be in the background providing name to address
mapping but there will be no more monetary value associated with it
On Wed, Aug 5, 2009 at 7:06 PM, Jorge Amodio jmamo...@gmail.com wrote:
Talking about the subject with a friend during the past few days, most of
the conversation ended being around the User Interface.
A popular idiom is where the rubber meets the road. It comes from
cars, of course. The
I think it would be nice if we had some nicely designed, elegant,
centralized protocol to do all this, but I suspect that won't happen.
s/centralized/distributed/
them on their iPhone via some other damn thing. Yes, it'll be a mess.
Have you seen the iphone decoding bar code into urls ?
(2) Saying type our name into $SERVICE, where $SERVICE is some
popular website that most people trust (like Facebook or whatever),
and has come up with a workable system for disambiguation.
You might want to talk to AOL about that.
... JG
--
Joe Greco - sol.net Network Services - Milwaukee,
In message 59f980d60908051602y1fe364devfb5f590a8c795...@mail.gmail.com, Ben Scott writes:
On Wed, Aug 5, 2009 at 6:37 PM, Chris Adams cmad...@hiwaay.net wrote:
... we may no longer have the end user “typing” a URL, the DNS or
something similar will still be in the background providing
On Wed, Aug 5, 2009 at 7:30 PM, Mark Andrews ma...@isc.org wrote:
Which requires that people type addresses in in the first
place.
As I wrote, we're already part of the way towards people not having
to do even that.
No they make finding a unique id easy by leveraging a
Hi all,
I hope most people on the list look at the routing table analysis reports.
Excerpt from last week show about 292961 prefixes which after maximum
aggregation can be reduced to 138493.
I wonder how many of you do actually aggregate?
If so, do you aggregate manually or using some
http://dnscurve.org/crypto.html, which is always brought up, but
never seems to solve the problems mentioned.
As I understand it, dnscurve protects transmissions, not objects.
That's not the way DNS operates today, what with N levels of cache. It
may or may not be better, but it's a much
On Wed, Aug 5, 2009 at 8:40 PM, James R. Cutler james.cut...@consultant.com wrote:
(2) Saying type our name into $SERVICE, where $SERVICE is some
popular website that most people trust (like Facebook or whatever),
and has come up with a workable system for disambiguation.
I can only hope that
In message alpine.bsf.2.00.0908051952480.3...@simone.lan, John R. Levine
writes:
http://dnscurve.org/crypto.html, which is always brought up, but
never seems to solve the problems mentioned.
As I understand it, dnscurve protects transmissions, not objects.
That's not the way DNS
On Wed, Aug 5, 2009 at 6:53 PM, Douglas Otis do...@mail-abuse.org wrote:
On 8/5/09 2:49 PM, Christopher Morrow wrote:
and state-management seems like it won't be too much of a problem on
that dns server... wait, yes it will.
DNSSEC UDP will likely become problematic. This might be due to
On Wed, Aug 05, 2009 at 09:17:01PM -0400, John R. Levine wrote:
...
It seems to me that the situation is no worse than DNSSEC, since in both
cases the software at each hop needs to be aware of the security stuff, or
you fall back to plain unsigned DNS.
I might misunderstand how dnscurve
-- Ben @ 209.85.221.52
Really?
farside.isc.org:marka {2} % telnet 209.85.221.52 25
Trying 209.85.221.52...
Connected to mail-qy0-f52.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP 26si8920387qyk.119
helo farside.isc.org
250 mx.google.com at your service
mail from: ma...@isc.org
On Wed, Aug 5, 2009 at 10:05 PM, Naveen Nathan nav...@calpop.com wrote:
I might misunderstand how dnscurve works, but it appears that dnscurve
is far easier to deploy and get running.
My understanding:
They really do different things. They also have different behaviors.
DNSCurve aims to
Ben,
Thanks for the cogent comparison between the two security systems
for DNS.
DNSCurve requires more CPU power on nameservers (for the more
extensive crypto); DNSSEC requires more memory (for the additional
DNSSEC payload).
This is only true for the initial (Elliptic Curve)
I'm having a few troubles with L3 on this fine, dreadfully humid evening.
HOST: max                 Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. mph                   0.0%    10    0.7   0.6   0.5   0.8   0.1
  2. 10.1.41.89            0.0%    10    1.7   1.9   1.7