bits of information into the
numbering system is a mistake. But then, I would. I think you look
those sorts of things up (in the DNS, of course ;-) )
A
--
Andrew Sullivan
Dyn
asulli...@dyn.com
numbered too) would be more useful. Then you could always refer to
BCOP 1234 for Carrier Pigeon Operational Practices, and wouldn't
need to update references and so on.
Best regards,
A
--
Andrew Sullivan
Dyn, Inc.
email: asulli...@dyn.com
voicemail: +1 603 663 0448
in the
event you asked that.
Also, you probably want to look at RFC 4592, which considerably
expands the treatment of wildcards in the DNS.
Best regards,
A
--
Andrew Sullivan
Dyn, Inc.
asulli...@dyn.com
v: +1 603 663 0448
is the obvious example here).
So, now we have an encroaching monoculture, and no real option to do
anything about it. Maybe this is just the way the Internet is, now.
A
--
Andrew Sullivan
Dyn, Inc.
asulli...@dyn.com
v: +1 603 663 0448
to the Linux world! But as I
suggested, the network security implications of all that stuff hidden
in one critical system sure seem to require some thinking.
A
--
Andrew Sullivan
Dyn, Inc.
asulli...@dyn.com
v: +1 603 663 0448
are going to get a lot worse before they get worse.
Best regards,
A
--
Andrew Sullivan
Dyn, Inc.
asulli...@dyn.com
v: +1 603 663 0448
On Mon, Oct 20, 2014 at 01:07:13PM -0400, John Orthoefer wrote:
People don’t use in-addr.arpa anymore? ;)
Hadn't you noticed how bad the reverse mapping maintenance is?
A
--
Andrew Sullivan
Dyn, Inc.
asulli...@dyn.com
v: +1 603 663 0448
the QTYPE is A, ,
or MX, and not everything else? Presumably you don't want to do
negative caching?
A
--
Andrew Sullivan
Dyn, Inc.
asulli...@dyn.com
v: +1 603 663 0448
thing as what was being proposed,
which is all I was commenting on.
A
--
Andrew Sullivan
Dyn, Inc.
asulli...@dyn.com
v: +1 603 663 0448
. It's worth keeping that in one's calculus.
A
--
Andrew Sullivan
Dyn, Inc.
asulli...@dyn.com
v: +1 603 663 0448
that
there's any experience outside that realm, in my opinion, generalizing
inappropriately. I think responsible Internet deployment ought to
point that out. I'm sure there will be those who disagree.
Best regards,
A
--
Andrew Sullivan
Dyn, Inc.
asulli...@dyn.com
v: +1 603 663 0448
' reverse maps is probably an
excellent way to attract ducks to nibble you to death.
A
--
Andrew Sullivan
Dyn, Inc.
asulli...@dyn.com
v: +1 603 663 0448
On Wed, Feb 05, 2014 at 02:17:27PM -0500, Jeffrey Haas wrote:
It's IETF stuff. Operator sanity check would probably be appreciated. :-)
Speaking as a member of the IAB but not for the IAB, I would certainly
appreciate that review.
A
--
Andrew Sullivan
Dyn, Inc.
asulli...@dyn.com
v: +1 603
consumption. I have never observed this. Certainly, the wire format
is not dotted-quad, of course.
(None of this is to disagree that anything other than a 32 bit
Internet address would be ill-formed RDATA for an A record.)
A
--
Andrew Sullivan
Dyn, Inc.
asulli...@dyn.com
v: +1 603 663 0448
.
A
--
Andrew Sullivan
Dyn, Inc.
asulli...@dyn.com
v: +1 603 663 0448
EDNS0
universally deployed in under 10 years. Right?
A
--
Andrew Sullivan
Dyn, Inc.
asulli...@dyn.com
v: +1 603 663 0448
that firewall rules on TCP/53 are
perfectly reasonable, even though DNS _always_ used TCP.
People who believe there are going to be easy fixes to the issues
coming from DNS are deluding themselves.
A
--
Andrew Sullivan
Dyn, Inc.
asulli...@dyn.com
v: +1 603 663 0448
... what other options are there to solve the larger problem […]
If I knew, I'd run out an implement it rather than talk about it!
A
--
Andrew Sullivan
Dyn, Inc.
asulli...@dyn.com
v: +1 603 663 0448
off DNS using UDP over IPv4 in your network and report back to us all
on how that works out. You may not be able to do it by email,
however.
Best regards,
A
--
Andrew Sullivan
Dyn, Inc.
asulli...@dyn.com
v: +1 603 663 0448
.
You could also (and for most cases, I recommend you do) enable the
Response Rate Limiting patches available on most of the open-source
authoritative servers. Sorry I didn't think to mention it earlier. I
thought everyone already knew that. But it does appear to help.
A
--
Andrew Sullivan
Dyn
Business Bureau. I've never seen them intervene in an
individual domain name case.
I have, but usually you can contact the registry before going to ICANN
if you're having this problem. Registries will lean on the registrars
to behave if there's a problem of this sort.
A
--
Andrew Sullivan
Dyn
mechanisms are awful enough,
it will encourage moving things to v6 for real so that we can get rid
of the kludges. Perhaps this is wishful thinking, however.
In any case, I'm sorry to have contributed in some little way to this
headache of yours.
Best,
A
--
Andrew Sullivan
Dyn, Inc.
asulli
On Tue, Nov 05, 2013 at 07:57:59PM -0500, Phil Bedard wrote:
I think every major residential ISP in the US has been doing this for 5+
years now.
Comcast doesn't, because it breaks DNSSEC.
A
--
Andrew Sullivan
Dyn, Inc.
asulli...@dyn.com
v: +1 603 663 0448
of forward names at the same IP address.
Best,
A
--
Andrew Sullivan
Dyn, Inc.
asulli...@dyn.com
v: +1 603 663 0448
is engaged in wishful thinking,
particularly if the lookup isn't validated with DNSSEC. (But yes,
that's waht the TCP wrappers package was supposed to be doing.)
A
--
Andrew Sullivan
Dyn, Inc.
asulli...@dyn.com
v: +1 603 663 0448
to
maintain the reverse; but it's a pretty important reason!
Best,
A
--
Andrew Sullivan
Dyn, Inc.
asulli...@dyn.com
v: +1 603 663 0448
for matching reverse. As I've already suggested
in this thread more than once, it is by no means an uncontroversial
claim.
Best,
A
--
Andrew Sullivan
Dyn, Inc.
asulli...@dyn.com
v: +1 603 663 0448
in the reverse tree is
not supported by operational evidence.
Best,
A
--
Andrew Sullivan
Dyn, Inc.
asulli...@dyn.com
v: +1 603 663 0448
On Thu, Jul 11, 2013 at 9:23 PM, Jimmy Hess mysi...@gmail.com wrote:
Domain names can be presented with a trailing dot.A fully
qualified domain always contains at least one explicit dot.
But not always at the end, which is why there's a problem. RFC1123, in my
opinion, contains a remark
If the definition of FQDN in some RFCs (Informational or not) always
included the trailing dot, I'd be inclined to agree with you. But that's
not the case, so protocol slots have been established for FQDNs that are
actually domains qualified relative to the root. Since this ambiguity has
been
On Wed, Jul 3, 2013 at 12:15 AM, Larry Sheldon larryshel...@cox.net wrote:
Makes me wonder if concern for routing table size is worrying about the
right thing.
Because obviously, the problems of scaling router memory and scaling DNS
servers are the same kind?
Yes, having many many new TLDs
I am not speaking officially, but the evidence so far is that this was not
DNS poisoning, but domain name hijacking. My colleagues will have more to
say later today.
On Thu, Jun 20, 2013 at 1:19 AM, John Levine jo...@iecc.com wrote:
Reaching out to DNS operators around the globe. Linkedin.com
in that
are able to be terminated with a dot. Or at least that's how I read
it when I looked it up the other day.
A
--
Andrew Sullivan
Dyn, Inc.
asulli...@dyn.com
v: +1 603 663 0448
it or you get what you deserve), or an actually
fully-qualified domain name (final dot). The second of these is about
to get harder to distinguish from the third, because of the new gTLD
programme at ICANN.
I wish there were a neat answer to the problem. There isn't.
A
--
Andrew Sullivan
Dyn
these things unambiguously. I have no idea how
to solve that: the different terms have an established use, and fixing
ambiguities in established use is a problem far beyond the bounds of
networking.
A
--
Andrew Sullivan
Dyn, Inc.
asulli...@dyn.com
v: +1 603 663 0448
complication can always
be solved by another layer of misdirection.)
A
--
Andrew Sullivan
Dyn, Inc.
asulli...@dyn.com
v: +1 603 663 0448
to implement this stuff are
confused, when the stnadards development organization in question
can't figure out how the terminology works!
A
--
Andrew Sullivan
Dyn
asulli...@dyn.com
).
Regards,
A
--
Andrew Sullivan
Dyn, Inc.
asulli...@dyn.com
v: +1 603 663 0448
of a barrier for a real
attacker. A poor trade-off.
Best,
A
--
Andrew Sullivan
Dyn, Inc.
asulli...@dyn.com
design goal, and we are increasingly ditching it in favour of just
using a CAPTCHA because they're what we think works.
(Of course, this is really just a special case of the usual problems in
HCI when security becomes an issue. We have this kind of problem with
passwords too.)
A
--
Andrew
cannot bother to
publish an Internet-Draft describing CARP, it's pretty hard to take
CARP seriously as anything like a protocol. It's just rude
behaviour on someone else's well-defined port.
A
--
Andrew Sullivan
Dyn Labs
asulli...@dyn.com
tested, cause it works for everybody.
A
--
Andrew Sullivan
Dyn Labs
asulli...@dyn.com
, and
they need to be more responsible, I would like to know your company's
stock symbol so I may bet against you.
Best,
A
--
Andrew Sullivan
Dyn Labs
asulli...@dyn.com
On Mon, Oct 22, 2012 at 03:18:52PM +1100, Mark Andrews wrote:
records are consistent. It is however good practice that these exist and
are consistent.
I will note that the IETF DNSOP WG was unable to agree even on that
latter claim.
A
--
Andrew Sullivan
Dyn Labs
asulli...@dyn.com
there.
Should the CNAME just get nuked in all of these cases?
Probably.
A
--
Andrew Sullivan
Dyn Labs
asulli...@dyn.com
in an
experiment, came out in 1996. SRV was moved to the standards track in
2000. I've never heard an argument why it won't work, and we know
that SRV records are sometimes in use. Why couldn't that mechanism be
used more widely?
Best,
A
--
Andrew Sullivan
Dyn Labs
asulli...@dyn.com
be an excellent time to start thinking about how to make usable
all those nice features we already have in the DNS. Maybe by the time
I die, we'll have a useful system!
Best,
Andrew living in constant, foolish, failed hope Sullivan
--
Andrew Sullivan
Dyn Labs
asulli...@dyn.com
might be in use already.)
Best,
A
--
Andrew Sullivan
Dyn Labs
asulli...@dyn.com
are getting
used more often, why do you want to put your thumb on that scale? The
other queries are presumably benefitting just as much from the caching.
Best,
A
--
Andrew Sullivan
Dyn Labs
asulli...@dyn.com
. If the problem is
that there's some other record in there that might be queried again,
but that doesn't get queried often enough to keep it alive, then the
additional cost of the recursive lookup is just not that big a deal.
Best,
A
--
Andrew Sullivan
Dyn Labs
asulli...@dyn.com
On Wed, Aug 08, 2012 at 11:10:41AM -0500, Naslund, Steve wrote:
We are getting a bit off the NANOG subject
You think?
A
, absolutely, so if you have 10 years to go and you pay for a
transfer you lose the additional year's payment.
Best,
A
--
Andrew Sullivan
Dyn Labs
asulli...@dyn.com
for you, but it's not a
requirement to use our service for this. (I'm delighted to hear that
people say it's good.)
Best,
A
--
Andrew Sullivan
Dyn Labs
asulli...@dyn.com
). If you're right that the
primary issue is the fundamental security of the target, then perhaps
we will not see that pattern emerge.
Best,
A
--
Andrew Sullivan
Dyn Labs
asulli...@dyn.com
variable.)
We have an engineering challenge here, and the PKI we have so far
doesn't work. No, I have no magic answers. I'm not that smart.
Michael Thomas is still right about this.
Best,
A
--
Andrew Sullivan
Dyn Labs
asulli...@dyn.com
,
A
--
Andrew Sullivan
Dyn Labs
asulli...@dyn.com
:
; DiG 9.7.3-P3 @NS15.IXWEBHOSTING.COM -t DNSKEY dot-secure.co +dnssec
+norec +noall +comment
; (1 server found)
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 27872
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
Best,
A
--
Andrew
On Fri, Jan 04, 2008 at 10:27:47AM -0600, Joe Greco wrote:
That particular philosophy has done great wonders for e-mail and the spam
problem,
I completely agree. If it weren't for that philosophy, we wouldn't
have an email problem at all.
A
--
Andrew Sullivan 204
registrar grace periods, which
is a significant part of making tasting profitable. But I don't think
the registrars would allow such a change.
A
--
Andrew Sullivan 204-4141 Yonge Street
Afilias CanadaToronto, Ontario Canada
[EMAIL PROTECTED
don't want inter-networking, then it will work
fine. But if you want the benefits, you have to pay the cost of
complying with the rules, even when you don't understand or care how
they affect you or everybody else.
Best regards,
A
Andrew Sullivan 204-4141 Yonge Street
60 matches
Mail list logo