Re: Colo space at Cermak

The company who has the worlds most played online multiplayer game moved their servers to Chicago back in late August. Maybe that affected prices? On Fri, Nov 13, 2015, 12:45 PM Greg Sowell wrote: > I would guess it has to do with competing with your landlord now. I know > it's starting to happ

Re: DNSSEC and ISPs faking DNS responses

On Fri, Nov 13, 2015 at 8:28 PM, Roland Dobbins wrote: > On 14 Nov 2015, at 11:32, Owen DeLong wrote: > > Go out onto the street and ask a random number of people over 30 if they >> know what a URL is and how to enter one into a browser. >> > > They don't know what URIs are, nor do they enter th

Re: DNSSEC and ISPs faking DNS responses

On 2015-11-13 16:59, Stephane Bortzmeyer wrote: > On Fri, Nov 13, 2015 at 04:27:36AM -0500, > Jean-Francois Mezei wrote > a message of 34 lines which said: > >> I'll have to research how other countries tried to implement similar >> schemes > > https://www.afnic.fr/en/about-afnic/news/general

Re: DNSSEC and ISPs faking DNS responses

In message <20151114044614.ga4...@hezmatt.org>, Matt Palmer writes: > On Fri, Nov 13, 2015 at 10:51:52AM +0100, Bjørn Mork wrote: > > So what do we do? We currently point the blocked domains to addresses of > > a web server with a short explanation. But what if the domains were > > signed? We co

Re: DNSSEC and ISPs faking DNS responses

On 14 Nov 2015, at 11:32, Owen DeLong wrote: Go out onto the street and ask a random number of people over 30 if they know what a URL is and how to enter one into a browser. They don't know what URIs are, nor do they enter them into browsers. They type words into a search engine and then cl

Re: DNSSEC and ISPs faking DNS responses

On Fri, Nov 13, 2015 at 10:51:52AM +0100, Bjørn Mork wrote: > So what do we do? We currently point the blocked domains to addresses of > a web server with a short explanation. But what if the domains were > signed? We could let validating servers return SERVFAIL. But I'd > really prefer avoiding

Re: DNSSEC and ISPs faking DNS responses

On Fri, Nov 13, 2015 at 09:54:28AM +, a.l.m.bu...@lboro.ac.uk wrote: > > BTW, the proposed law, being done by lawyers, will have the list of > > you say law but this idea of blocking all competitors to the states > lotto sounds very unlawful and anti-competitive - yes, I can > understand

Re: DNSSEC and ISPs faking DNS responses

> On Nov 13, 2015, at 19:27 , Roland Dobbins wrote: > > On 14 Nov 2015, at 10:22, Owen DeLong wrote: > >> Surely time will tell, but I would not be so quick to dismiss this as a >> potential workaround after watching how quickly TOR was adopted to move >> video around during the Arab Spring.

Re: DNSSEC and ISPs faking DNS responses

On 14 Nov 2015, at 10:22, Owen DeLong wrote: Surely time will tell, but I would not be so quick to dismiss this as a potential workaround after watching how quickly TOR was adopted to move video around during the Arab Spring. By a tiny minority of people. Selection bias. Most people do not

Re: DNSSEC and ISPs faking DNS responses

> On Nov 13, 2015, at 19:09 , Roland Dobbins wrote: > > On 14 Nov 2015, at 10:02, John Levine wrote: > >> People in New Zealand said differently. > > This is a corner-case, however. Is it really a corner-case, or, is it the first representation of a group of ordinary netizens sufficiently f

Re: DNSSEC and ISPs faking DNS responses

On 14 Nov 2015, at 10:02, John Levine wrote: > People in New Zealand said differently. This is a corner-case, however. --- Roland Dobbins

Re: DNSSEC and ISPs faking DNS responses

>> Civilians definitely use these. > >A very tiny percentage. The power of the default reigns supreme. People in New Zealand said differently. It's a small country, but I was impressed how everyone in the session (it was NetHui, not a bunch of geeks) took for granted that you'd use a VPN to get

Re: DNSSEC and ISPs faking DNS responses

On 14 Nov 2015, at 7:49, David Conrad wrote: My point was that the vast majority of those affected by this would likely not be in a position to install a validating resolver on their device. Correct. Most folks on this list can and will do it if they deem it necessary; but most folks on th

Re: DNSSEC and ISPs faking DNS responses

On 14 Nov 2015, at 5:22, David Conrad wrote: Thank you. I was wondering if anyone would mention this. +1. This is done in some countries which are heavy-handed with Internet censorship. --- Roland Dobbins

Re: DNSSEC and ISPs faking DNS responses

On 14 Nov 2015, at 3:01, John Levine wrote: > Civilians definitely use these. A very tiny percentage. The power of the default reigns supreme. --- Roland Dobbins

Re: DNSSEC and ISPs faking DNS responses

Mark, > On Nov 13, 2015, at 4:18 PM, Mark Andrews wrote: >> How many of the ISPs would continue to enable DNSSEC if the >> cops show up at their door and turning off DNSSEC is the only way the ISP >> has to implement the law's requirements? > > Why would the ISP's turn off DNSSEC? It doesn't pr

Re: DNSSEC and ISPs faking DNS responses

In message <9692ecc6-34ad-49c0-b310-10b8ef8c1...@virtualized.org>, David Conrad writes: > > On Nov 13, 2015, at 10:24 AM, Mark Milhollan wrote: > > On Thu, 13 Nov 2015, John Levine wrote: > > > >> At this point very few client resolvers check DNSSEC, so something > >> that stripped off all the D

Re: DNSSEC and ISPs faking DNS responses

On Fri, 13 Nov 2015 14:22:15 -0800, David Conrad said: > This may be an argument for folks to run their own validating resolvers, but > I'm not sure how you'd do that on your iPhone, iPad, or SmartTV. "There's an app for that". :) pgpKxb5_TtHXE.pgp Description: PGP signature

Re: DNSSEC and ISPs faking DNS responses

On Nov 13, 2015, at 10:24 AM, Mark Milhollan wrote: > On Thu, 13 Nov 2015, John Levine wrote: > >> At this point very few client resolvers check DNSSEC, so something >> that stripped off all the DNSSEC stuff and inserted lies where >> required would "work" for most clients. At least until they r

Re: DNSSEC and ISPs faking DNS responses

On 13/11/2015 22:10, Marco Davids wrote: > On 13/11/15 23:01, Stephane Bortzmeyer wrote: >> On Fri, Nov 13, 2015 at 09:54:28AM +, >> a.l.m.bu...@lboro.ac.uk wrote >> >>> well, in EU I dont think that would ever fly. >> >> It is done in France, for a long time > > And it is common practice i

Re: DNSSEC and ISPs faking DNS responses

On 13/11/15 23:01, Stephane Bortzmeyer wrote: > On Fri, Nov 13, 2015 at 09:54:28AM +, > a.l.m.bu...@lboro.ac.uk wrote > >> well, in EU I dont think that would ever fly. > > It is done in France, for a long time And it is common practice in Belgium as well. http://networkmsg.telenet.be/blo

Re: DNSSEC and ISPs faking DNS responses

On Fri, Nov 13, 2015 at 10:24:27AM -0800, Mark Milhollan wrote a message of 30 lines which said: > Would the masses ever replace their stub with a full resolver? > Doubtful, unless their OS vendor does it for them. Fedora already does it, apparently, with the excellent dnssec-trigger. > Woul

Re: DNSSEC and ISPs faking DNS responses

On Fri, Nov 13, 2015 at 09:54:28AM +, a.l.m.bu...@lboro.ac.uk wrote a message of 20 lines which said: > well, in EU I dont think that would ever fly. It is done in France, for a long time .

Re: DNSSEC and ISPs faking DNS responses

On Fri, Nov 13, 2015 at 04:27:36AM -0500, Jean-Francois Mezei wrote a message of 34 lines which said: > I'll have to research how other countries tried to implement similar > schemes https://www.afnic.fr/en/about-afnic/news/general-news/6584/show/the-afnic-scientific-council-shares-its-report

Re: DNSSEC and ISPs faking DNS responses

>Would the masses setup a VPN to a service provider in a jurisdiction not >subject to such foolishness so their resolver, whether stub or full, >would have a chance at unfaked answers? Again, I'm thinking most would >be entirely ignorant of the issue, and in any case would be hard pressed >to

Re: Another puck.nether.net Outage?

Thank you for reaching out. Will update outages wiki so people can reach admins directly for future reference. Sorry for any inconvenience this may have caused. regards, outages team > On Nov 13, 2015, at 7:25 AM, Hugo Slabbert wrote: > > The problem seems to have been with mailman. I ping

Re: Colo space at Cermak

I would guess it has to do with competing with your landlord now. I know it's starting to happen more and more. On Thu, Nov 12, 2015 at 8:32 PM, Mike Hammett wrote: > Has something happened the past couple months to cause a quick shortage of > space at Cermak? I had an offer sent a few months a

Re: DNSSEC and ISPs faking DNS responses

On Thu, 13 Nov 2015, John Levine wrote: >At this point very few client resolvers check DNSSEC, so something >that stripped off all the DNSSEC stuff and inserted lies where >required would "work" for most clients. At least until they realized >they couldn't get to PokerStars and switched their DNS

RE: DNSSEC and ISPs faking DNS responses

Actually, how are other places implementing these lists? I would have thought to use RPZ, but as far as I know if the blocked DNS domain is using DNSSEC it wouldn't work. Sincerely, Eric Tykwinski TrueNet, Inc. P: 610-429-8300 F: 610-429-3222 -Original Message- From: NANOG [mailto:na

Re: DNSSEC and ISPs faking DNS responses

At this point very few client resolvers check DNSSEC, so something that stripped off all the DNSSEC stuff and inserted lies where required would "work" for most clients. At least until they realized they couldn't get to PokerStars and switched their DNS to 8.8.8.8. If the ISPs don’t start block

Re: DNSSEC and ISPs faking DNS responses

> On Nov 12, 2015, at 21:29 , John Levine wrote: > >>> Redirecting is much harder -- ... > >> If you know that the client is using ONLY your resolver(s), couldn’t you >> simply fake the entire chain and sign everything yourself? > > I suppose, although doing that at scale in a large provider l

Re: DNSSEC and ISPs faking DNS responses

>> BTW, the proposed law, being done by lawyers, will have the list of > >you say law but this idea of blocking all competitors to the states >lotto sounds very unlawful and anti-competitive This is Qu�bec, where the rules are not the same as in the UK. The provincial lottery is the only lega

Re: Another puck.nether.net Outage?

The problem seems to have been with mailman. I pinged Jared OOB and he responded this that it's fixed. I'd sent something to outages-request prior to test, and that came through this morning. -- Hugo h...@slabnet.com: email, xmpp/jabber also on Signal From: Christopher Morrow -- Sent: 2015

Contact for Open Resolver Project?

Hi there, If anyone from the Open Resolver Project is on-list, would love to get in touch re. getting a feed of open resolver data for our ASN. I have not been receiving response to the email address listed on the project's web site. Andrew White Desk: 314.394-9594 | Cell: 314.308-7730 NetOp

Re: Another puck.nether.net Outage?

Received: from puck.nether.net (localhost [IPv6:::1]) by puck.nether.net (Postfix) with ESMTP id 25969540762; Fri, 13 Nov 2015 07:05:01 -0500 (EST) puck seems to be processing mail... $ w 09:45:28 up 2 days, 11:30, 2 users, $ mailq | grep cisco-nsp | wc -l 174 $ mailq | grep pumpk | wc -l 0

Re: DNSSEC and ISPs faking DNS responses

On Fri Nov 13 04:27:36 2015, Jean-Francois Mezei wrote: > I'll have to research how other countries tried to implement similar > schemes (I believe the UK has with some of the popular torrent sites. > > I know the Australian attempt to filter porn failed miserably. We also have some torrent sites

Re: DNSSEC and ISPs faking DNS responses

Hi, > BTW, the proposed law, being done by lawyers, will have the list of you say law but this idea of blocking all competitors to the states lotto sounds very unlawful and anti-competitive - yes, I can understand states or countries blocking ALL gambling , thats a simple 'we dont allow it h

Re: DNSSEC and ISPs faking DNS responses

Jean-Francois Mezei writes: > The Québec government is wanting to pass a law that will force ISPs to > block and/or redirect certain sites it doesn't like. BTDT. See https://torrentfreak.com/pirate-sites-must-pay-legal-costs-of-own-blockade-court-rules-150902/ (yes, we could discuss the point

Re: DNSSEC and ISPs faking DNS responses

On 2015-11-12 23:07, Mark Andrews wrote: > They make the same queries and verify the answers the same way. > It asks for the DNSKEY records and RRSIGs. Verifies them against the DS > records whick it asks for. Repeat all the way to the root. Is it correct to state that clients, instead of is