In article 537c1f17.6070...@digital-z.com you write:
On 5/20/14, 4:21 PM, Brandon Applegate wrote:
Is anyone using this and having failed login for a few days now ? I've been
mirroring the root
zone(s) for years and I just started getting failures in my logs. I emailed
an address I found on
That is, with CATV companies like HBO have to pay companies like
Comcast for access to their cable subscribers.
Well, no. According to Time-Warner's 2013 annual report, cable
companies paid T-W $4.89 billion for access to HBO and Cinemax. No
video provider pays for access to cable. The cruddy
In article cal9jlazjjppz7vzw2ue4qfqwrkcbu7cs1ed3uu1nhudhxxk...@mail.gmail.com
you write:
On Mon, Apr 14, 2014 at 4:10 PM, Scott Howard sc...@doc.net.au wrote:
Whilst I don't agree with the way that Yahoo has done this (particularly
around communication),
how could they have communicated this
In article 534c68f4@cox.net you write:
On 4/14/2014 9:38 AM, Matthew Black wrote:
Shouldn't a decent OS scrub RAM and disk sectors before allocating
them to processes, unless that process enters processor privileged
mode and sets a call flag? I recall digging through disk sectors on
RSTS/E
And we all know how well civic duty works as a motivator. If we really
want to do something
constructive, convince the corpro-takers to open their wallets to fund
those auditing functions.
For once, I agree with Mike. (Twice in one year?)
Considering how widely openssl is used, and how
In article 5345831b.4030...@dcrocker.net you write:
On 4/9/2014 10:13 AM, Royce Williams wrote:
Am I interpreting this correctly -- that Yahoo's implementation of
DMARC is broken, such that anyone using a Yahoo address to participate
in a mailing list is dead in the water?
Their
But I think it introduces all sorts of complexities for not much
gain. Needs more thinking, including is this really a problem that
needs to be solved?
Don't forget Vanquish was a complete failure, so why would this be
any different? and do I want Phil Raymond to sue me for violating
the patent
IF the overriding problem is due to an inability to identify and
authenticate the identification of the sender, then let us work on
establishing a protocol for identifying the sender and authenticating
the identification of the sender and permitting the receiver to accept
or deny acceptance
When people talked of virtual currency over the years, often arguing
that it's too hard a problem, how many described bitcoin with its
cryptographic mining etc?
None, but it shouldn't be hard to look at the way bitcoin works and
realize why it'd be phenomenally ill suited for e-postage, just for
Indeed. Having been deeply involved leading the technical side of our
transition at my organiati
Yeah, IPv6 can be like that.
Helpfully,
John
You say this like having a tax on running a botted computer on the internet
would be a bad thing.
I agree that it would provide a bit of profit to the spammers for a very short
period of time, but I bet it would get
a lot of bots fixed pretty quick.
What would actually happen is that the users
Actually, a variant on that that might be acceptable… Make e-postage a
deposit-based thing. If the recipient has
previously white-listed you or marks your particular message as "desired",
then you get your postage back. If not,
then your postage is put into the recipient's e-postage account to
What if Google, Apple, Sony or some other household brand, sold a TV with
local mail capabilities, instead of pushing
everyone to use their hosted services?
It would suck, because real users check their mail from their
desktops, their laptops, and their phones. Your TV would not have the
That way? Make e-mail cost; have e-postage.
Gee, I wondered how long it would take for this famous bad idea to
reappear.
I wrote a white paper ten years ago explaining why e-postage is a
bad idea, and there is no way to make it work. Nothing of any
importance has changed since then.
OTOH, a spammer with a single /64, pretty much the absolute minimum IPv6
block, has more than 18 quintillion addresses
and there's not a computer on the planet with enough memory (or probably not
even enough disk space) to store that
block list.
Sometimes scale is everything. host-based
It only takes a single entry if you do not store /128s but that /64. Yes,
RBL lookups do not currently know how to handle this, but there are a
couple of good proposals around on how to do it.
Sigh. See previous note on why aggregating on /64 won't work.
This would also reduce the risks from
In article 911cec5c-2011-4c8d-9cc1-89df2b4cb...@heliacal.net you write:
Maybe you should focus on delivering email instead of refusing it
Since there is at least an order of magnitude more spam than real
mail, I'll just channel Randy Bush and encourage my competitors to
take your advice.
R's,
And I also remember thinking at the time that you missed one very
important angle, and that is that the typical ISP has the technical
capability to bill based on volume of traffic already, and could easily
bill per-byte for any traffic with 'e-mail properties' like being on
certain ports or
How about something much simpler? We already are aware of bandwidth caps at
service providers, there could just as
well be email caps. How hard would it be to ask your customer how many emails
we should expect them to send in a day?
Once again, I encourage my competitors to follow your
To my knowledge, there are three impacts that IPv6 implementation makes on an
SMTP implementation. One is that the OS
interface to get the address of the next MUA or MTA needs to use getaddrinfo()
instead of gethostbyname() (and would
do well to observe RFC 6555's considerations).
In practice
In article 5333970a.6070...@direcpath.com you write:
On 3/26/2014 10:16 PM, Franck Martin wrote:
and user@2001:db8::1.25 with user@192.0.2.1:25. Who had the good idea to use
: for IPv6 addresses while this is the
separator for the port in IPv4? A few MTA are confused by it.
At the network
If you want to do address-based reputations for v6 similar to v4, my guess is
that it will start to aggregate to at least the /64 boundary ...
It says a lot about the state of the art that people are still making
uninformed guesses like this, non ironically.
On the one hand /64 is too coarse,
In article 5331c054.8040...@2mbit.com you write:
On 3/25/14, 11:23 AM, John Levine wrote:
Large mail providers all agree that v6 senders need to follow good
mail discipline, but are far from agreeing what that means. It
certainly means proper rDNS, but does it mean SPF? DKIM on all the
mail
This seems like the sort of problem that Mailops or MAAWG should
be hammering out.
Of course MAAWG is working on it. But don't hold your breath.
R's,
John
In article 5331edab.8000...@2mbit.com you write:
On 3/25/14, 11:56 AM, John Levine wrote:
I think this would be a good time to fix your mail server setup.
You're never going to get much v6 mail delivered without rDNS, because
receivers won't even look at your mail to see if it's authenticated
In article 3d7d0845-cb25-4c05-8fab-f5728c860...@heliacal.net you write:
The OP doesn't have control over the reverse DNS on the ATT 6rd.
Ah, OK, you're saying that their IPv6 isn't ready for prime time.
One would hope that with IPv6 this would change, but the attitude of looking
down on end
I'm sure you are as vocal about outright rejecting messages for lack of
SPF (even if softfail) and lack of DKIM as you are about requiring rDNS?
Interesting guess, but completely wrong.
Or perhaps making TLS mandatory, outright rejecting cleartext.
Not until we have SMTP DANE.
Seems like the
3. Arguing about IPv6 in the context of requirements upon SMTP connections is
playing that uncomfortable game with
one's own combat boots. And not particularly productive.
If you can figure out how to do effective spam filtering without
looking at the IP addresses from which mail arrives, you
But, as always, I'm not holding my breath.
Is spam fighting really about SMTP? Or is it about abuse of the
transport layer by (among other things) the SMTP?
I don't think that your typical spam recipient cares how the spam got
into her inbox. Anyone who has any familiarity with large scale
In such a case, where you are still pushing the case for
IPv4, how do you envisage things will look on your side when
everybody else you want to talk to is either on IPv6, or
frantically getting it turned up? Do you reckon anyone will
have time to help you troubleshoot patchy (for example)
It will be a long time
before the price of v4 rises high enough to make it
worth the risk of going v6 only.
New ISP's are born everyday.
Some of them will be able to have a Buy an ISP that has
IPv4 or Buy IPv4 space from known brokers line item in
their budget as part of their launch plans.
Let's hope you're right, but I note that the ITU isn't an
inter-governmental organization,
It was able to obtain a delegation for ITU.INT, so it's
inter-governmental enough in DNS terms.
Yes, it was delegated a month before TPC.INT was. Could you clarify
the point you're making?
R's,
John
Was I being a pollyanna?
I look forward to the ITU equitably allocating domain names and IP
addresses.
R's,
John
In article
ed78b1c68b84a14fa706d13a230d7b431e2b9...@its-mail02.campus.ad.csulb.edu you
write:
Apologies if I slept through prior discussions on the topic.
Regardless of what various aging web pages and un-upgraded mail
software might say, Domainkeys is as dead as a doornail, even at
Yahoo. Use
If your LISTSERV
-- gets mail from somebody with a domain that requires their mail to be
validly signed (for instance, via DMARC)
-- leaves that sender's address in the From: line
-- and breaks the DKIM signature
Ah, that problem.
I'd strongly suggest a shim in front of
If just three of the transit-free networks rewrote their peering
contracts such that there was a $10k per day penalty for sending
packets with source addresses the peer should reasonably have known
were forged, this problem would go away in a matter of weeks.
Won't work because no one will
Why does it have to be hard? Restricting the filter to addresses which
(A) the customer asserts are theirs
How does the customer do that in a way that scales?
I don't think any of this is rocket science, but it apparently is a
real block to BCP38/84 implementation.
R's,
John
In regards to anti-spoofing measures - I think there are a couple of vectors about
the latest NTP attack
where more rigorous client-side anti-spoofing could help but will not solve it
overall.
Most NTP servers only send legitimate traffic to a handful of masters,
often in the ntp.org pool, and to
In article 20140202163313.gf24...@hijacked.us you write:
The provider has kindly acknowledged that there is an issue, and are
working on a resolution. Heads up, it may be more than just my region.
I'm a Time-Warner cable customer in the Syracuse region, and both of
the NTP servers on my home LAN
. Anyone who buys a /27 without an arrangement
for backup routing from whoever routes the surrounding /24 is a fool.
Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of The Internet for Dummies,
Please consider the environment before reading this e-mail. http://jl.ly
PS: Yes, I know you
No, and they haven't been for many years. You're thinking of
Verisign. It owned NetSol at one time, but sold the registrar end
(which is what's still called Network Solutions) in 2003.
Well, it's sort of metaphysical to ask which company is which, but...
NetSol and Verisign have been
I suppose they COULD move their domain to a registrar that does
registrar-lock for 'free', but that's a cost too, right? man power,
configuration mistakes, other billing things to setup... 1800 might be
'ok' for someone who's making a bunch of money/day. right?
That is the only plausible reason
I had some problems with incoming mail that I tracked down to a
configuration bug, two hosts on the same LAN configured to respond to
the IP address of the MX. It's fixed now.
While it was broken, attempts to send mail on some other systems got
421 Downstream server error. That is not a message
In article 030101cf0e0e$71088af0$5319a0d0$@truenet.com you write:
Looks like a bug, if you stick a 1 in total email users:
Per Year: $504.00
No, that's right. If you're a tiny little network, you can
use the public DNS servers for the BL lookups, and you can
FTP the text version of DROP and
It occurs to me, you may have sent a bounce, where the envelope from is empty,
therefore SPF would work on the domain in the helo/ehlo. People often
forget to put a SPF record there... So there may be no SPF in fact...
Nope. In this case, Google was just messed up.
R's,
John
In article alpine.deb.2.00.1401141859270.4...@orbital.burn.net you write:
Just saw this in a message tonight. No idea if this is a transient error
or not.
I saw the same thing, on an IP that has forward and reverse DNS and
mail that passes SPF. Burp, I guess.
, or are there screwed up NTP servers?
MX, PTR, and SPF are really all you need.
So far so good, noting that a host name that doesn't look generic is
better than one that does.
I would recommend you go a
step further and use DKIM, ADSP, and DMARC.
Using DKIM is a good idea. Do *not* use ADSP. It is a failed
experiment which will
In article ee045d19-797d-4346-8793-b854e528f...@email.android.com you write:
The balkanizing of the Net?
http://www.washingtonpost.com/blogs/worldviews/wp/2013/11/01/how-anti-nsa-backlash-could-fracture-the-internet-along-national-borders/
I expect we'll hear lots of pontification, quietly
Mail admins wanting matching forward/reverse DNS and hostnames that
don't look dynamically generated is probably more of a human than an
RFC thing:
Right. Spam filtering depends on heuristics. Mail from hosts without
matching forward/reverse DNS is overwhelmingly bot spam, so checking
for it
In the last few hours it has picked off multiple messages from each of these:
Is there any reason other than email where clients might demand RDNS?
There's a few other protocols that want rDNS on the servers. IRC maybe.
Doing rDNS on random hosts in IPv6 would be very hard. Servers are
configured with static addresses which you can put in the DNS and
rDNS, but normal
it's a lot of work for example.com to return something like:
2001-0db8-85a3-0042-1000-8a2e-0370-7334.example.com
Add some NSEC3 records and, yeah, it's a lot of work. And for what?
If people really want to use generic reverse names and have realised
that the v6 address space is much too big for $GENERATE, one approach is
to delegate the appropriate zones to a custom nameserver that can
auto-generate PTRs on demand. There are scaling problems here, but
probably nothing that
I was talking to a bunch of people who run ISPs and other networks in
LDCs (yes, including Nigeria) and someone asked about monitoring tools
to watch traffic on his network so he can get advance warning of dodgy
customers and prevent complaints and blacklisting.
These people are plenty smart, but
This is pathetic. ARIN is supposed to be working as a steward of this
IP space. When you have policies that make it more difficult to use the
IP space this isn't even remotely close to stewardship. It's pathetic,
Unfortunately, a surprising number of new IP space owners turn out
to be the
I heard back, seems like I found someone at the FBI who was able to
explain the problem to Neustar (DNS software provider) who say they
will fix it.
Seems to be fixed now. Here's the formerly broken query, via unbound:
; DiG 9.8.3-P4 mail.ic.fbi.gov +dnssec
;; global options: +cmd
;;
In article m2mwnt84po.wl%ra...@psg.com you write:
To their (partial) credit they are also supporting a new email header :
Require-Recipient-Valid-Since:
with no X- before it?
Well, yes:
draft-wmills-rrvs-header-field-01.txt
R's,
John
In article 52265aa4.6000...@free.fr you write:
Le 03/09/2013 23:28, John Levine a écrit :
On Fri, Aug 30, 2013 at 10:27:36PM +, John Levine wrote:
I don't claim to be a big DNSSEC expert, but this looks just plain
wrong to me, and unbound agrees, turning it into a SERVFAIL.
I heard back
On Fri, Aug 30, 2013 at 10:27:36PM +, John Levine wrote:
I don't claim to be a big DNSSEC expert, but this looks just plain
wrong to me, and unbound agrees, turning it into a SERVFAIL.
I heard back, seems like I found someone at the FBI who was able to
explain the problem to Neustar (DNS
I don't claim to be a big DNSSEC expert, but this looks just plain wrong
to me, and unbound agrees, turning it into a SERVFAIL.
Here's a lookup that succeeds, an A record for mail.ic.fbi.gov:
$ dig @ns1.fbi.gov mail.ic.fbi.gov a +dnssec
;; -HEADER- opcode: QUERY, status: NOERROR, id: 7222
;;
I suspect the problem is the (offsite) hotel that Mark and I are at was not
really prepared for a full house of folks interested in viewing streams,
downloading documents, etc. (despite attempts to inform the hotel of the
impending tsunami). I imagine folks involved in setting up NANOG-related
No seems US company.
http://www.helixsolutions.net/
They're registered at internet.bs with a private registration in
Panama.
What more do you need, a big flashing skull and crossbones?
As of July 2, 2013, .nyc has been approved by ICANN as a
city-level top-level domain (TLD) for New York City
Do they have DNSSEC from inception? It would seem a sensible thing to do
for a virgin TLD.
Yes. See the AGB, to which I sent a link a few messages back.
Anyone care to advance evidence that either zone has been, not will
someday be, significantly improved by the adoption of DS records?
Evidence, not rhetoric, please.
I dunno. Can you point to parts of your house that have been
significantly improved by fire insurance?
I'll bite. What's the *actual* additional cost for dnssec and ipv6
support for a greenfield rollout? It's greenfield, so there's no
our older gear/software/admins need upgrading issues.
I've read the IPv6 and DNSSEC parts of a lot of the applications,
including the ones that aren't backed by
Why are the people who don't follow the shitty process so full of
confidence they have all the clue necessary?
Probably because they don't think that new TLDs are particularly
useful or valuable.
R's,
John
I haven't read enough, but what's to stop speculators
paying the $186,000 then ...
Rather than asking random strangers, you can read the applicant
guidebook and find out what the actual rules are:
http://newgtlds.icann.org/en/applicants/agb
Rather than asking random strangers, you can read the applicant
guidebook and find out what the actual rules are:
http://newgtlds.icann.org/en/applicants/agb
Ok, you're correct. I need to add that to my list of reading.
I am just thinking about the digital divide getting larger
(not smaller)
Registrar Primary and Registrar Auditor
There are certainly registrars who are more security oriented than
Netsol. If you haven't followed all of the corporate buying and
selling, Netsol is now part of web.com, so their business is more to
support web hosting than to be a registrar.
I expect
In article 001a01ce6ef9$bf74d4a0$3e5e7de0$@iname.com you write:
It's 120M if you add the .COM and the .NET's together, both of which NetSol
is responsible for.
http://www.verisigninc.com/en_US/products-and-services/domain-name-services/registry-products/tld-zone-access/index.xhtml
In late
The forwarding hardware is generally going to be the limit, and
that's going to be painful enough as we approach a half million
prefixes.
I would expect that we might finally see some pushback against
networks that announce lots of disaggregated prefixes. The current
CIDR report notes
Reaching out to DNS operators around the globe. Linkedin.com has had some
issues with DNS
and would like DNS operators to flush their DNS. If you see www.linkedin.com
resolving NS to
ns1617.ztomy.com or ns2617.ztomy.com then please flush your DNS.
Any other info please reach out to me off-list.
2. I have yet to see any evidence this century that Yahoo cares in
the slightest about the unceasing flood of spam/phish/abuse flowing
outbound from its operation. After all, if they did, we would not
be having this conversation.
wasn't yahoo's abuse team disbanded years ago?
It was cut way
In article 51794abf.5040...@mtcc.com you write:
So here is the question I have: when we run out, is there *anything* that
will reasonably allow an ISP to *not* deploy carrier grade NAT? Assuming
that it's death for the ISP to just say no to the long tail of legacy v4-only
sites?
Sure. Enough
I don't imagine they will be open to paying extortion prices for IPs
that other people never bothered to use.
You know, sometimes life is just unfair. If they need the space,
they'll have to figure out how to buy it.
If the DS record identifies a different signer, then you have an
administrative split,
or if the e-mail address field in the SOA fields of the parent zone
are different, then you have an administrative split, OR if one of the
two zones has RP (responsible party records), and the list of RP
As a white-hat attempting to find problems to address through legitimate
means, how
do you …
You make friends with people with busy authoritative servers and see
who's querying them.
I suppose you could justify one probe per client and see if they appear to be
open.
R's,
John
The benefits, if any, of supporting IPv6 now really depend on what
kind of use your organization makes of the Internet. Despite all of
the huffing and puffing, it will be a very long time before there are
interesting bits of the net not visible over IPv4 for common
applications like http and
Yes.
In article 215377.1362329...@turing-police.cc.vt.edu you write:
On Sun, 03 Mar 2013 00:24:07 +, Mike Jones said:
Inline Reply
On 2 March 2013 21:58, Constantine A. Murenin muren...@gmail.com wrote:
Dear NANOG@,
Have we *really* sunk so low that inline replies need to
As another reference point, I really liked the sipura atas, they were my
personal favorite as far as the gear we used. I don't know how well that
translates to after the linksys takeover though, as I haven't done voice
gear in a few years.
Got a Sipura SPA-1001, can't get it to work, similar
I'm in the midst of what would be a comedy of errors if it weren't so
annoying. I bought a new Grandstream HT701 VoIP terminal adapter from
a guy on eBay who is apparently an official Grandstream reseller. It
doesn't work. The guy I bought it from (whose support ends at nobody
else has that
The other thing I find interesting about this entire thread is the
assumption by most that a government entity would do a good job as a
layer-1 or -2 provider and would be more efficient than a private company.
Governments, including municipalities, are notorious for corruption, fraud,
waste - you
There'd have to be some organization to negotiate and oversee
international settlements and other, similar, regulations.
Why? The internet has operated just fine without such for quite some time
now.
The Internet is held together with spit and duct tape, and sucks for
connections that need a
not worth the trivial amount of money
involved.
*.4.4.3.0.5.a.0.0.8.b.d.0.1.0.0.2.ip6.arpa. PTR a.node.on.vlan344.namn.se.
...will work just fine, for instance.
Since there is no record for a.node.on.vlan344.namn.se., this
won't work fine in any rDNS check I'm aware of.
You are aware that useful rDNS has to have matching forward DNs,
IMHO mail is one of the easiest first things to turn on for IPv6.
You can certainly turn it on, and it will work at the current toy
scale, but nobody has a clue how we're going to scale IPv4 spam
management up for large scale IPv6. Anything that's obvious won't
work.
Neustar has been successful in getting RFC1480-style domain names
effectively discontinued as of maybe a decade ago (we're responsible
for mil.wi.us here) and so any locality stuff under .fl.us is probably
legacy stuff. They'd much rather sell people foo.us ...
If you're wondering about
Any moron can run a DNSBL. Many morons do. But that doesn't mean
that anyone actually uses them.
They are yes. Emails are being blocked due to the listing on spamrats.
Please show us a copy of one of the failure messages. Feel free to
redact any private information, but please leave the IP
No point. address - name - address doesn't work with wildcards.
(Still an IPv6 implementation virgin, just curious :) )
If you want to do generic IPv6 rDNS for all your hosts, you're
stuck with a variety of less than great possibilities.
One is a stunt rDNS server that synthesizes the
I would say those claiming certificates from a public CA provide no
assurance of authentication of server identity greater than that of a
self-signed one would have the burden of proof to show that it is no
less likely for an attempted forger to be able to obtain a false
bought certificate from a
Can someone explain me how can I get an block of DID (Telephony numbers)?
As I think recent messages have shown, it's not possible to provide a
useful answer unless you give us some hint about what you want to do
with the traffic from those numbers.
If you want to deliver it via SIP over the
What's anyone really going to do with more than a few IP addresses on a VPS
anyway?
Give every web site its own IP address, rather than using virtual
hosts, I expect.
On the other hand, I suppose if someone has more than a few dozen web sites
on a single VPS, more likely than not something
Look at TextMagic.
They're in the UK. You might take a look at Aerialink
who are in the US:
http://www.aerialink.com/gateway/options/outbound-sms/
Getting your own cellular modem may well end up being
more reliable and cheaper in the long run, since you are
less at the mercy of other people's
In article 20592.28334.622769.539...@world.std.com you write:
It's occurred to you that FQDNs contain some structured information,
no?
Hey, I've got a great idea. Let's lose this silly phone number
portability nonsense and use phone numbers as routes.
I mean, anyone who moves and takes his cell
Does the best practise switch to now using one IPv6 per site, or still
the same one IPv6 for multi-sites?
As I've been migrating my sites to IPv6, each site gets its own IP.
Works great. I did find that I needed to improve my tools so I could
track the individual IP addresses and assign the
In article 450916d8-fa1d-4d43-be8f-451d50dd6...@privaterra.org you write:
Am I correct in assuming that the unused IP block would not be sold as
is mentioned in the article, but instead be returned to RIPE to be
reallocated?
Since there is no chance of either one happening, no.
R's,
John
So 6-8 years to try and rehabilitate 240/4 was not even enough to try?
Since it would require upgrading the IP stack on every host on the
internet, uh, no. If you're planning to do that, you might as well
make the upgrade handle IPv6.
and no quantity of pixie dust is going to
cause new space