Re: IERS ponders reverse leapsecond...

2022-08-12 Thread Tony Finch
Publications/Bulletins/bulletins.html analyzed by my program https://github.com/fanf2/bulletin-a/ My blog article from when this issue became more well known: https://dotat.at/@/2020-11-13-leap-second-hiatus.html My other collected links on this topic https://dotat.at/writing/time.html -- Tony Fi

Re: DNSSEC Best Practices

2021-04-28 Thread Tony Finch
Arne Jensen wrote: > > RFC8624 "Algorithm Implementation Requirements and Usage Guidance for > DNSSEC" > > -> https://tools.ietf.org/html/rfc8624 > > > What algorithms do you typically sign with > > (RSASHA256, ECDSAP256SHA256, both, something other)? > > Those two mentioned are the ones that the

Re: login.authorize.net has A and CNAME records

2021-04-06 Thread Tony Finch
Seth Mattinen wrote: > > I'm beginning to think this is a DNSSEC related problem, I'll ask on the > pdns-users list. I see it's asking for a DS record on > login.authorize.net.cdn.cloudflare.net when the nearest one appears to be at > cloudflare.net, so for some reason that's not being applied

Re: Famous operational issues

2021-02-22 Thread Tony Finch
Patrick W. Gilmore wrote: > > Me: Did you order that EPO cover? > Her: Nope. There are apparently two kinds of EPO cover: - the kind that stops you from pressing the button by mistake; - and the kind that doesn't, and instead locks the button down to make sure it isn't un-pressed

Re: favorite network troubleshooting tools (online)

2020-07-16 Thread Tony Finch
Mehmet Akcin wrote: > > what are your favorite network troubleshooting tools? If DNS counts then https://dnsviz.net/ and https://zonemaster.net/ Tony. -- f.anthony.n.finchhttp://dotat.at/ South Fitzroy: Northeasterly 5 to 7, occasionally gale 8 in south. Moderate or rough. Fair. Good.

Re: 60 ms cross-continent

2020-06-21 Thread Tony Finch
Mel Beckman wrote: > An intriguing development in fiber optic media is hollow core optical > fiber, which achieves 99.7% of the speed of light in a vacuum. > >

Re: BGP over TLS

2019-10-21 Thread Tony Finch
Joe Abley wrote: > > Well, TLS exists within a TCP session, and that TCP session could > incorporate the MD5 signature option. I guess. AIUI this might be useful to make it a bit harder to kill the TCP session, tho I think modern TCPs are less vulnerable to off-path RST injection than TCPs were

Re: worse than IPv6 Pain Experiment

2019-10-10 Thread Tony Finch
b...@theworld.com wrote: > > Can I summarize the current round of objections to my admittedly > off-beat proposal (use basically URLs rather than IP addresses in IP > packet src/dest) as: [snip] This reminds me of the named data networking research project https://named-data.net/project/faq/

Re: dns cache beyond ttl - viasat / exede

2019-10-08 Thread Tony Finch
William Herrin wrote: > > You may be looking at a web browser "feature" called "DNS pinning." This is > used to defeat the "DNS rebinding" attack on javascript that would allow a > web site to instruct a browser to scan the interior behind its user's > firewall by having an attacker rotate the IP

Re: Weekly Routing Table Report

2019-09-02 Thread Tony Finch
Patrick W. Gilmore wrote: > > This time I waited for 768,000. (Everyone happy now?) I thought the magic number for breaking old Cisco gear was 786432 (768 * 1024) ... there was a panic about it earlier this year but growth slowed so it didn't happen as soon as they feared.

Re: Best ways to ensure redundancy with no terrestrial ISPs

2019-08-05 Thread Tony Finch
Fred Baker wrote: > > On Aug 3, 2019, at 3:36 PM, Mehmet Akcin wrote: > > > > Feel free to open live.infrapedia.com on mobile. > Between overlaid ads and the thing trying to force an account, i’d > Describe it as a waste of time. Now, a page that delivered the data > advertised...

Re: Cost effective time servers

2019-06-21 Thread Tony Finch
Denys Fedoryshchenko wrote: > On 2019-06-21 14:19, Niels Bakker wrote: > > > > Have you tried this? Because I have, and it's absolutely terrible. > > GPS doesn't give you the correct time, it's supposed to give you a > > good 1pps clock discipline against which you can measure your device's > >

Re: NTP for ASBRs?

2019-05-09 Thread Tony Finch
Bryan Holloway wrote: > On 5/8/19 7:55 PM, Brian Kantor wrote: > > On Wed, May 08, 2019 at 07:47:56PM -0500, Bryan Holloway wrote: > > > > > > When a NOC-ling, in their own local timezone, says, "hey, what happened > > > two hours ago?", they have to make a calculation. > > > > Clocks are cheap.

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Tony Finch
valdis.kletni...@vt.edu wrote: > > Unless you get it down to the SMS "wait for a msg, type in the 6 digit number" > level, it's going to be a tough start... Isn't this what Duo's business is based on? Usable TOTP? See also Google Authenticator, Authy, 1Password, etc. usw. Tony. --

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Tony Finch
Mark Andrews wrote: > > An organisation can also deploy DLV for their own zones using their own > registry. While the current code DLV validating code is only invoked > when the response validates as insecure, there is nothing preventing a > policy which says that DLV trumps or must also

Re: Stupid Question maybe?

2018-12-24 Thread Tony Finch
> On 18 Dec 2018, at 22:30, Joel Halpern wrote: > > History of non-contiguous network masks, as I observed it. [snip] > > When we were done, other folks looked at the work (I don't know if the > Internet Drafts are still in repositories, but they should be.) And > concluded that while this

Re: Security issues based on post RIR allocation rules

2018-12-11 Thread Tony Finch
Spurling, Shannon wrote: > When I call a health care organization, or a web hosting provider, the > first thing I get is that they think we are trying to pull one over on > them and all these ranges must be in Africa or Asia. I show them the > ARIN information for the specific /16, and sometimes

Re: ARIN RPKI TAL deployment issues

2018-09-26 Thread Tony Finch
John Curran wrote: > > From > > > "CA Terms & Conditions > > APNIC’s Certification Authority (CA) services are provided under the > following terms and conditions: ... > > • The recipient of any Digital

Re: ARIN RPKI TAL deployment issues

2018-09-26 Thread Tony Finch
John Curran wrote: > On 26 Sep 2018, at 2:09 AM, Christopher Morrow > mailto:morrowc.li...@gmail.com>> wrote: > > > > how is arin's problem here different from that which 'lets encrypt' is > > facing with their Cert things? > > The “Let’s encrypt” subscriber agreement (current version 1.2, 15

Re: CloudFlare D.N.S. Resolvers... (1.1.1.1 & 1.0.0.1)

2018-09-26 Thread Tony Finch
Jens Link wrote: > > jens@screen:~$ dig nanog.org @8.8.8.8 | grep "Query time" > ;; Query time: 16 msec > jens@screen:~$ dig nanog.org @1.1.1.1 | grep "Query time" > ;; Query time: 3 msec You can use dig -u to get microsecond resolution, e.g. $ dig -u @131.111.8.42 nanog.org | grep time: ;;

Re: Time to add 2002::/16 to bogon filters?

2018-06-19 Thread Tony Finch
Jared Mauch wrote: > > There is also the problem noted by Wes George with 6to4 being used in > DNS amplification, which may be interesting.. > > http://iepg.org/2018-03-18-ietf101/wes.pdf I configure my DNS servers with a long-ish list of bogon addresses. For v6, the list includes Teredo and

Re: Yet another Quadruple DNS?

2018-03-29 Thread Tony Finch
David Ulevitch wrote: > https://twitter.com/eastdakota/status/970214433598275584 > https://twitter.com/eastdakota/status/970359846548549632 Also the very amusing https://twitter.com/eastdakota/status/970359846548549632 Tony. -- f.anthony.n.finch

Re: Internet Governance Forum DNS

2016-12-09 Thread Tony Finch
Joly MacFie wrote: > www.intgovforum.org’s server DNS address could not be found. One of its three name servers doesn't exist. ; <<>> DiG 9.11.0 <<>> +norec ns www.intgovforum.org @a0.org.afilias-nst.info. ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY,

Re: Avalanche botnet takedown

2016-12-02 Thread Tony Finch
Ronald F. Guilmette wrote: > > P.P.S. I love this part of the press release, because it is so telling: > > "The successful takedown of this server infrastructure was supported > by ... Registrar of Last Resort, ICANN..." Note that these are the names of two

Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-31 Thread Tony Finch
Ronald F. Guilmette wrote: > > You are correct. In this case, it would have been helpful if APNIC's WHOIS > server returned something, when queried about 103.11.67.105, that would > include an explicit referral to the ARIN WHOIS server. I mean they > obviously know all

Re: QWEST.NET can you fix your nameservers

2016-09-16 Thread Tony Finch
Mark Andrews wrote: > > My bet is the DNS vendor has issued an update already and that it > hasn't been applied. $ fpdns sauthns1.qwest.net. fingerprint (sauthns1.qwest.net., 63.150.72.5): NLnetLabs NSD 3.1.0 -- 3.2.8 [New Rules] fingerprint (sauthns1.qwest.net.,

Re: Don't press the big red buttom on the wall!

2016-09-01 Thread Tony Finch
Ken Chase wrote: > 3 of my internet-lifetimes/startups ago, we had this happen when one of the L2 > techs was doing their 'rounds' - but had a backpack on. They swung around and > hit the safety cover on the BRS - which got knocked off. They freaked > out a bit while putting the

Re: nxdomain rfc2308 type 2, but authority is incorrect

2016-08-11 Thread Tony Finch
William Herrin wrote: > > Oh! I missed that. ns*.nameresolve.com, the authoritative name servers > for kissimmee.org, are saying NXDOMAIN for www.kissimmee.org. Any idea > what DNS server nameresolve.com uses? Because that's... wow. Er, me too, headdesk. NXDOMAIN with an answer?!

Re: nxdomain rfc2308 type 2, but authority is incorrect

2016-08-11 Thread Tony Finch
Joe Maimon wrote: > www.kissimmee.org > > Windows appears to believe the rfc2308 type 2 response, RFC 2308 isn't relevant to this domain. The responses aren't NXDOMAIN, so section 2.1 doesn't apply, and the response includes answers, so section 2.2 doesn't apply. Tony. --

Re: Yahoo Postmaster or Email Admin

2016-07-27 Thread Tony Finch
For this kind of question you might have more luck on the mailop list, https://chilli.nosignal.org/mailman/listinfo/mailop Tony. -- f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode North Fitzroy, Sole, Lundy, Fastnet: Westerly 5 or 6. Moderate, occasionally rough

RE: IPv4 Legacy assignment frustration

2016-06-22 Thread Tony Finch
Spurling, Shannon wrote: > It’s a problem with the misuse of the RIR delegation of a legacy > block. > > The assumption that because a block is assigned to a particular RIR, all > users in that block have to be in that RIR’s territory, without actually > running a query

Re: NIST NTP servers

2016-05-13 Thread Tony Finch
Jean-Francois Mezei wrote: > > Today, if someone were to jam the GPS signal in an area in the USA, you'd > likely hear about a large number of car accidents in the news before > noticing your systems can't get time from the GPS-NTP and went to a > backup ip address (nist

Re: Latency, TCP ACKs and upload needs

2016-04-20 Thread Tony Finch
Leo Bicknell wrote: > > 1460 byte payloads down, maybe 64 byte acks on the return, and with SACK > which is widely deployed an ACK every 2-4 packets. You would see about > 2,140 packets/sec downstream (25Mbps/1460), and perhaps send 1070 ACKs > back upstream, at 64 bytes each,

Re: Oh dear, we've all been made redundant...

2016-03-21 Thread Tony Finch
Warren Kumari wrote: > Found on Staple's website: > http://www.staples.com/NetReset-Automated-Power-Cycler-for-Modems-and-Routers/product_1985686 http://thedailywtf.com/articles/ITAPPMONROBOT Tony. -- f.anthony.n.finch http://dotat.at/ - I xn--zr8h

Re: finding whois servers, was .pro whois registry down?

2016-03-10 Thread Tony Finch
John Levine wrote: > > I've set up .ws.sp.am (that's ws for Whois Server) which is > updated every day from a variety of sources so it's pretty accurate. > It's had the right server for pro.ws.sp.am all along. It would be extra super helpful if every entry were a wildcard, so you

Re: FW: [tld-admin-poc] Fwd: Re: .pro whois registry down?

2016-03-10 Thread Tony Finch
Mark Andrews wrote: > > Additionally 'whois' is free form text. Whois doesn't include an > AI to work out what this free form text means so, no, there isn't an > actual referral for a whois application to use. Yes, the whois data format is bullshit, but there are only a few simple

Re: .pro whois registry down?

2016-03-09 Thread Tony Finch
Doug Barton wrote: > On 03/09/2016 01:24 PM, Bryan Holloway wrote: > > Anyone else noticing that the .pro TLD is failing for some things, and > > their WHOIS registry appears to be unavailable? > > The address records for whois.dotproregistry.net are missing. Well, it

Re: Binge On! - get your umbrellas out, stuff's hitting the fan.

2016-01-11 Thread Tony Finch
Alan Buxey wrote: > > Bulk data and background update processes are things that could possibly > by throttled - after all, that's pretty much what QoS does. Most of my > phone data is google play software updates and on woes phone ios and > itunes store updates - it

RE: Nat

2015-12-21 Thread Tony Finch
Alan Buxey wrote: > Most people don't need the devices to talk to each other A lot of home networking uses mDNS - partitioning off devices will break things like printing and chromecast and using your phone as a remote control for your media players, etc. ad nauseam.

Re: John McAfee: Massive DDoS attack on the internet was from smartphone botnet on popular app

2015-12-14 Thread Tony Finch
Jim Shankland wrote: > Also, this jumped out at me: > > "The problem with the recent attack is that the originating IP addresses were > evenly distributed within the IPV4 universe," McAfee says. "This is virtually > impossible using spoofing." > > Am I missing something, or

Re: bad announcement taxonomy

2015-11-18 Thread Tony Finch
Randy Bush wrote: > > leak - i receive P and send it on to folk to whom i should not send >it for business reasons (transit, peer, ...) > > 7007 - i receive P (or some sub/superset), process it in some way >(likely through my igp), and re-originate it, or part of

Re: DNSSEC and ISPs faking DNS responses

2015-11-16 Thread Tony Finch
Owen DeLong wrote: > Again, if you’re the only resolver the clients are using, you can claim that > nothing from the root down is signed without ever providing any cryptographic > anything. If the client is validating it will know the root is signed and the ISP resolver will

RE: DNSSEC and ISPs faking DNS responses

2015-11-16 Thread Tony Finch
eric-l...@truenet.com wrote: > Actually, how are other places implementing these lists? I would have > thought to use RPZ, but as far as I know if the blocked DNS domain is > using DNSSEC it wouldn't work. You can configure RPZ with the "break-dnssec" option which means

Re: DNSSEC broken for login.microsoftonline.com

2015-10-28 Thread Tony Finch
Bruce Curtis wrote: > Drill run on one of our name servers shows that the error is > > Existence denied: microsoftonline.com No, drill just says there are no DS records which means the domain is insecure so any problems with it should be unrelated to DNSSEC. >

Re: DNSSEC broken for login.microsoftonline.com

2015-10-27 Thread Tony Finch
Bruce Curtis wrote: > > FYI our DNS requests to resolve login.microsoftonline.com are failing > because of a DNSSEC error. There's no DS record for microsoftonline.com so you shouldn't have any DNSSEC problems with it - my servers can resolve it OK. DNSvis doesn't show any

Re: ARIN Region IPv4 Free Pool Reaches Zero

2015-09-25 Thread Tony Finch
valdis.kletni...@vt.edu wrote: > > I wonder if a sudden exodus of customers whose iOS app got axed > because it can't contact an aws-hosted server from an IPv6-only > network will be enough to get their attention Maybe they'll just proxy via CloudFlare to AWS. Tony.

Re: outlook.com outgoing blacklists?

2015-09-10 Thread Tony Finch
Todd K Grand wrote: > Interesting, however those ipv6 addresses were dropped from our dns > almost 2 weeks ago. No quad A records should exist any longer, as it has > been more than 48 hours. You need to update the glue in your delegation. ; <<>> DiG 9.11.0pre-alpha <<>>

Re: outlook.com outgoing blacklists?

2015-09-10 Thread Tony Finch
Todd K Grand wrote: > Content-Type: message/delivery-status > > Reporting-MTA: dns;COL004-OMC2S2.hotmail.com > Received-From-MTA: dns;COL129-W41 > Arrival-Date: Wed, 9 Sep 2015 02:13:28 -0700 > > Final-Recipient: rfc822;supp...@qkstream.com > Action: failed > Status: 5.5.0 >

Re: Dual stack IPv6 for IPv4 depletion

2015-07-09 Thread Tony Finch
Ricky Beam jfb...@gmail.com wrote: Talking about IPv6, we aren't carving a limit in granite. 99.9% of home networks currently have no need for multiple networks, and thus, don't ask for anything more; they get a single /64 prefix. Personal-area networks already exist. Phone/watch/laptop

RE: Dual stack IPv6 for IPv4 depletion

2015-07-09 Thread Tony Finch
Matthew Huff mh...@ox.com wrote: When I see a car that needs a /56 subnet then I’ll take your use case seriously. Cars need partitions between their automotive network, their entertainment network, and their passenger wifi. Tony. -- f.anthony.n.finch d...@dotat.at http://dotat.at/

Re: REMINDER: LEAP SECOND

2015-06-25 Thread Tony Finch
Damian Menscher via NANOG nanog@nanog.org wrote: http://googleblog.blogspot.com/2011/09/time-technology-and-leaping-seconds.html comes dangerously close to your modest proposal. Also http://developerblog.redhat.com/2015/06/01/five-different-ways-handle-leap-seconds-ntp/ Tony. --

Re: REMINDER: LEAP SECOND

2015-06-24 Thread Tony Finch
Philip Homburg pch-na...@u-1.phicoh.com wrote: For UTC the analog approach would be to keep time in TAI internally and convert to UTC when required. This is much less of a solution than you might hope, because most APIs, protocols, and data formats require UT. (Usually not UTC but a

Re: REMINDER: LEAP SECOND

2015-06-22 Thread Tony Finch
Harlan Stenn st...@ntp.org wrote: It's a problem with POSIX, not UTC. UTC is monotonic. The problems are that UTC is unpredictable, and it breaks the standard labelling of points in time that was used for hundreds (arguably thousands) of years before 1972. Tony. -- f.anthony.n.finch

Re: REMINDER: LEAP SECOND

2015-06-22 Thread Tony Finch
Stephane Bortzmeyer bortzme...@nic.fr wrote: That's because the earth rotation is unpredictable. Any time based on this buggy planet's movements will be unpredictable. Let's patch it now! http://mm.icann.org/pipermail/tz/2015-May/022280.html

Re: REMINDER: LEAP SECOND

2015-06-22 Thread Tony Finch
shawn wilson ag4ve...@gmail.com wrote: So, what we should do is make clocks move. 9 slower half of the year (and then speed back up) so that we're really in line with earth's rotational time. That's how UTC worked in the 1960s. ftp://maia.usno.navy.mil/ser7/tai-utc.dat It causes problems

Re: Anycast provider for SMTP?

2015-06-19 Thread Tony Finch
James Hartig fastest...@gmail.com wrote: Just curious, how does DNS load balancing work if people are using 8.8.8.8/208.67.222.222 or basically any public resolvers that cache and have a significant (relatively speaking) user-base? http://www.afasterinternet.com/ietfdraft.htm Tony. --

Re: DNS Lookup - Filter localhost

2014-11-18 Thread Tony Finch
Radke, Justin jra...@canbytel.com wrote: 2. Do you have an actual localhost zone that issues 127.0.0.1? Yes. I think this is best practice though it isn't required by RFC 6303 and isn't set up by default in BIND like the empty reverse DNS zones. 3. Do you block 512 Bytes DNS requests? 512

Re: Bare TLD resolutions

2014-09-19 Thread Tony Finch
David Conrad d...@virtualized.org wrote: To be clear, generic TLDs (gTLDs) can’t have bare (dotless) TLDs (or wildcards). Wildcards are being used for the name collision gubbins. ; DiG 9.11.0pre-alpha *.prod ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR,

Re: Anyone running Knot?

2014-08-07 Thread Tony Finch
RIPE have an interesting setup. They are load-balancing their name servers across BIND, NSD, and Knot. $ for i in `seq 10`; do dig +norec +noall +answer version.bind ch txt @ns.ripe.net.; done | sort -u version.bind. 0 CH TXT 9.9.5 version.bind. 0 CH

Re: TCP Window Scaling issue

2014-07-24 Thread Tony Finch
Zach Hill zach.reb...@gmail.com wrote: What's interesting is this is only affecting a single server and only when traffic is going over the WAN circuit. Testing from Server A to any server on its network shows it is negotiating window scaling just fine. Check your firewall isn't buggering

Re: Owning a name

2014-06-27 Thread Tony Finch
John Levine jo...@iecc.com wrote: The US has a long policy of not messing with ccTLDs, even of countries that we don't like such as .kp, .cu, and .iq (back in the day). The latter had a fairly messy history: http://www.iana.org/reports/2005/iq-report-05aug2005.pdf Tony. -- f.anthony.n.finch

Re: IPv6 isn't SMTP

2014-03-27 Thread Tony Finch
John Levine jo...@iecc.com wrote: There are also some odd things in the spec. For example, according to RFC 5321 this is not a syntactically valid e-mail address: mailbox@[IPv6:2001:12:34:56::78:ab:cd] You aren't allowed to use :: to abbreviate one zero hexadectet according to RFC 5952.

Re: IPv6 isn't SMTP

2014-03-27 Thread Tony Finch
Owen DeLong o...@delong.com wrote: Two errors, actually… As an RFC-821 address, it should be user@[IP]:port in both cases (user@[192.0.2.1]:25 and user@[2001:db8::1]:25). You have never been able to specify a port number in an email address. Tony. -- f.anthony.n.finch d...@dotat.at

Re: why IPv6 isn't ready for prime time, SMTP edition

2014-03-26 Thread Tony Finch
Laszlo Hanyecz las...@heliacal.net wrote: The usefulness of reverse DNS in IPv6 is dubious. For most systems yes, but you might as well have it if you are manually allocating server addresses. Tony. -- f.anthony.n.finch d...@dotat.at http://dotat.at/ Faeroes: Variable 4, becoming southeast

Re: misunderstanding scale, SMTP edition

2014-03-26 Thread Tony Finch
John Levine jo...@iecc.com wrote: If I were a spammer or an ESP who wanted to listwash, I could easily use a different IP address for every single message I sent. Until mail servers start rate-limiting the number of different addresses that are used :-) You can do something like the following

Re: why IPv6 isn't ready for prime time, SMTP edition

2014-03-26 Thread Tony Finch
Lamar Owen lo...@pari.edu wrote: the typical ISP has the technical capability to bill based on volume of traffic already, and could easily bill per-byte for any traffic with 'e-mail properties' like being on certain ports or having certain characteristics. Who do I send the bill to for mail

Re: why IPv6 isn't ready for prime time, SMTP edition

2014-03-26 Thread Tony Finch
Lamar Owen lo...@pari.edu wrote: The entity with whom they already have a business relationship. Basically, if I'm an ISP I would bill each of my customers, with whom I already have a business relationship, for e-mail traffic. Do this as close to the edge as possible. Ooh, excellent, so I

Re: why IPv6 isn't ready for prime time, SMTP edition

2014-03-26 Thread Tony Finch
Lamar Owen lo...@pari.edu wrote: On 03/26/2014 01:38 PM, Tony Finch wrote: Who do I send the bill to for mail traffic from 41.0.0.0/8 ? Tony. You don't. Their upstream(s) in South Africa would bill them for outgoing e-mail. You mean Nigeria. So how do I get compensated for dealing

Re: trivial changes to DNS (was: OpenNTPProject.org)

2014-01-17 Thread Tony Finch
Jared Mauch ja...@puck.nether.net wrote: I can point anyone interested to the place in the bind source to force it to reply to all UDP queries with TC=1 to force TCP. should be safe on any authority servers, as a recursive server should be able to do outbound TCP. However see

Re: OpenNTPProject.org

2014-01-14 Thread Tony Finch
Jared Mauch ja...@puck.nether.net wrote: 3) You want to upgrade NTP, or adjust your ntp.conf to include ‘limited’ or ‘restrict’ lines or both. (I defer to someone else to be an expert in this area, but am willing to learn :) ) There is useful guidance for Cisco, Juniper, and Unix here:

Re: Best practice on TCP replies for ANY queries

2013-12-12 Thread Tony Finch
Anurag Bhatia m...@anuragbhatia.com wrote: Now I see presence of some (legitimate) DNS forwarders and hence I don't wish to limit queries. You are going to have to change your mind about this one. Open recursive resolvers are a really bad idea, unless you can afford a lot of time and

Re: IP Fragmentation - Not reliable over the Internet?

2013-08-27 Thread Tony Finch
Christopher Palmer christopher.pal...@microsoft.com wrote: What is the probability that a random path between two Internet hosts will traverse a middlebox that drops or otherwise barfs on fragmented IPv4 packets? This question is important for large EDNS packets so you'll find some recent

Re: Google's QUIC

2013-06-29 Thread Tony Finch
Reminds me of MinimaLT: http://cr.yp.to/tcpip/minimalt-20130522.pdf Tony. -- f.anthony.n.finch d...@dotat.at http://dotat.at/

Re: Google Public DNS Problems?

2013-05-01 Thread Tony Finch
Blair Trosper blair.tros...@gmail.com wrote: Goes all the way up to the A root server before failing spectacularly. That is an extremely weird response. Are you sure your queries are not being intercepted by a middlebox? What happens if you use dig +vc ? Do you get a similar round-trip time

Re: What do people use public suffix for?

2013-04-19 Thread Tony Finch
Joe Abley jab...@hopcount.ca wrote: If the rule was just the nameservers need to be the same and the SOA RDATA needs to be the same, for some well-documented meaning of 'same' then gaming that rule (e.g. for purposes of cookie injection) as a miscreant is unpleasantly straightforward. To

Re: ICMP Redirect on Resolvers

2013-04-05 Thread Tony Finch
On 6 Apr 2013, at 06:36, Shahab Vahabzadeh sh.vahabza...@gmail.com wrote: I have two DNS servers (resolvers) running on FreeBSD 9.0, I always see in console messages like this: icmp redirect from 192.168.140.36: 192.168.179.80 = 192.168.140.254 You probably configured the wrong default router

Re: Open Resolver Problems

2013-04-01 Thread Tony Finch
On 1 Apr 2013, at 14:44, Jared Mauch ja...@puck.nether.net wrote: On Mar 31, 2013, at 11:16 PM, valdis.kletni...@vt.edu wrote: Anybody who is looking at this as an IPv4 issue is woefully misinformed about the nature of the problem. :) IPv4 it's easy to collect an inventory (the math

Re: Open Resolver Problems

2013-03-27 Thread Tony Finch
Joe Abley jab...@hopcount.ca wrote: My assessment is that the implementations I have seen are ready for production use, but I think it's understandable given the moving goalposts that some vendors have not yet promoted the code to be included in stable releases. It is in the current stable

Re: Open Resolver Problems

2013-03-27 Thread Tony Finch
Jack Bates jba...@brightok.net wrote: Tracking the clients would be a huge dataset and be especially complicated in clusters. The memory usage is quite manageable: for the BIND patch it is at most 40-80 bytes (for 32 or 64 bit machines) per request per second. You're doing well if you need a

Re: Open Resolver Problems

2013-03-27 Thread Tony Finch
Jack Bates jba...@brightok.net wrote: You'll also find that [DNS RRL] serves little purpose. In my experience it works extremely well. Yes it is possible to work around it, but you still need to stop the attacks that are happening now. It is good to make the attacker's job harder. 1) tcp RRL

Re: Open Resolver Problems

2013-03-27 Thread Tony Finch
Jack Bates jba...@brightok.net wrote: If BCP38 was properly deployed, what would be the purpose of RRL outside of misbehaving clients or direct attacks against that one server? If fictional scenario, irrelevant answer. Given the current situation, efforts to deploy both RRL and BCP38 in

Re: Google's Public DNS does DNSSEC validation

2013-01-30 Thread Tony Finch
Mick O'Rourke mkorourke+na...@gmail.com wrote: In the potentially interestingly and perhaps not so positive - one of the common EDNS tests via Google pub DNS fails. Google Public DNS's upstream behaviour is different depending on whether its clients demonstrate knowledge of DNSSEC: Large EDNS

Re: [SHAME] Spam Rats

2013-01-11 Thread Tony Finch
John Levine jo...@iecc.com wrote: *.4.4.3.0.5.a.0.0.8.b.d.0.1.0.0.2.ip6.arpa. PTR a.node.on.vlan344.namn.se. ...will work just fine, for instance. Since there is no record for a.node.on.vlan344.namn.se., this won't work fine in any rDNS check I'm aware of. I believe it's relatively

Re: why haven't ethernet connectors changed?

2012-12-21 Thread Tony Finch
Tom Morris bluen...@gmail.com wrote: Boy would I ever love an ethernet connector that works like Apple's MagSafe... I guess a magsafe ethernet connector would have too much noise (owing to poor quality connection) to provide decently high bandwidth. This thread reminds me of

Re: why haven't ethernet connectors changed?

2012-12-21 Thread Tony Finch
Michael Thomas m...@mtcc.com wrote: I'd turn this back the other way though: in this day and age, why do we have any interconnection/bus that isn't just ethernet/IP? The need for isochronous transmission and more bandwidth. Tony. -- f.anthony.n.finch d...@dotat.at http://dotat.at/ Forties,

Re: btw, the itu imploded

2012-12-19 Thread Tony Finch
Bill Woodcock wo...@pch.net wrote: The main unfortunate outcome is that the ITU has managed to get Study Group 3 approved to try to figure out how to override peering agreements with government-imposed settlements. Do you have any citations for that? I thought they had given up on trying to

Re: btw, the itu imploded

2012-12-19 Thread Tony Finch
Nick Hilliard n...@foobar.org wrote: On 19/12/2012 14:25, Tony Finch wrote: Do you have any citations for that? I thought they had given up on trying to interfere with Internet peering and settlement. http://www.itu.int/net/ITU-T/lists/questions.aspx?Group=03Period=15 Looks vaguely

RE: Dns sometimes fails using Google DNS / automatic dnssec

2012-11-15 Thread Tony Finch
Jay Ford jay-f...@uiowa.edu wrote: It looks like if the server has the RRSIG RR, it returns it. For example, a query with +dnssec will cause it to cache the RRSIG, after which it returns it even if +dnssec not specified. It's weird. If you repeatedly query 8.8.4.4 without the DO bit, you get

Re: hotmail.com live.com admin needed

2012-10-24 Thread Tony Finch
Suresh Ramasubramanian ops.li...@gmail.com wrote: authentication required is a bizarre error to return. It's a fairly normal error from an Exchange server when the client is trying to relay to a domain that the server doesn't host and when the server doesn't allow the client to relay. Sounds

Re: DNS hostnames with a duplicate CNAME and A record - which should be removed?

2012-10-18 Thread Tony Finch
Landon Stewart lstew...@superb.net wrote: The problem is that we have some zones that have records with the same hostname that have both a CNAME as well as an A record, MX record, SOA record and/or NS record. Is there an easy answer for what should be removed? You can never have a CNAME

Re: Google opens Web Window on their Data Centers

2012-10-18 Thread Tony Finch
Tony Patti t...@swalter.com wrote: http://www.google.com/about/datacenters/gallery/#/ Also worth seeing is this article which explains how their hot aisles work: http://www.datacenterknowledge.com/archives/2012/10/17/how-google-cools-its-armada-of-servers/ And this longer and fluffier piece in

Re: IPv4 address length technical design

2012-10-08 Thread Tony Finch
On 7 Oct 2012, at 18:17, William Herrin b...@herrin.us wrote: Intentionally crashing the moon into the earth is a new idea. How far should we run with it before concluding that it not only isn't a very good one, considering it hasn't taught us anything we didn't already know?

Re: IPv4 address length technical design

2012-10-08 Thread Tony Finch
On 6 Oct 2012, at 02:11, Michael Thomas m...@mtcc.com wrote: Wasn't David Cheriton proposing something like this? http://www-dsg.stanford.edu/triad/ CCNx basically routes on URLs http://conferences.sigcomm.org/co-next/2009/papers/Jacobson.pdf Tony. -- f.anthony.n.finch d...@dotat.at

Re: IPv4 address length technical design

2012-10-04 Thread Tony Finch
Owen DeLong o...@delong.com wrote: Once host identifiers are no longer dependent on or related to topology, there's no reason a reasonable fixed-length cannot suffice. Host identities should be cryptographic hashes of public keys, so you have to support algorithm agility, which probably

Re: IPv6 Address allocation best practises for sites.

2012-09-24 Thread Tony Finch
William Herrin b...@herrin.us wrote: but I also can't imagine hosting more than 65,000 sites on a single server. Demon's homepages service was based on IPv4 virtual hosting and had IIRC a /16 and two /18s allocated to it. It was a single web server with a few reverse proxies that took most of

Re: Google / Gmail SSL write errors

2012-09-12 Thread Tony Finch
Paul Kelly :: Blacknight p...@blacknight.com wrote: Are any of you (that use Exim as their MTA) having SSL write errors in your exim logs when delivering e-mail to Gmail or Google addresses? I suggest asking this question on the exim-users mailing list. Phil Pennock has done a fair amount of

Re: Blocking MX query

2012-09-04 Thread Tony Finch
Ibrahim ibrah...@gmail.com wrote: We are thinking to block MX queries on our DNS server, so only spammers that use their own SMTP server will get affected. [...] Any best practice to block MX query? Don't do this. It won't hinder spammers and it'll cause problems for legit users. Tony. --

Re: DNS caches that support partitioning ?

2012-08-20 Thread Tony Finch
Raymond Dijkxhoorn raym...@prolocation.net wrote: When you use forwarding it doesn't cache the entry. ('forward only' option in bind for example). That's incorrect. Try configuring a forwarded zone and observe the TTLs you get in responses. The forward only option disables recursion but not

Re: Return two locations or low TTL [was: DNS caches that support partitioning ?]

2012-08-20 Thread Tony Finch
Patrick W. Gilmore patr...@ianai.net wrote: On Aug 20, 2012, at 08:47 , Chris Adams cmad...@hiwaay.net wrote: Most anything that supports IPv6 should handle this correctly, since getaddrinfo() will return a list of addresses to try. Ah, the amazing new call which destroys any possibility

Re: Return two locations or low TTL [was: DNS caches that support partitioning ?]

2012-08-20 Thread Tony Finch
Shumon Huque shu...@upenn.edu wrote: On 8/20/12 10:11 AM, Tony Finch wrote: The problem is RFC 3484 address selection; getaddrinfo is just the usual place this is implemented. I had believed that there was work in progress to fix this problem with the specs but it seems to have stalled
