Re: amazon.com multiple SPF records

2021-06-07 Thread Stephane Bortzmeyer
On Sat, Jun 05, 2021 at 07:59:40AM -0400, Brad Barnett wrote a message of 15 lines which said: > If anyone at Amazon is paying attention, you have duplicate spf1 records > for amazon.com: If so, it is now gone. Not one RIPE Atlas probe see this duplication: % blaeu-resolve -r 100 --ednssize

Re: RADb

2021-05-10 Thread Stephane Bortzmeyer
On Mon, May 10, 2021 at 09:25:36AM +0200, Marco Paesani wrote a message of 51 lines which said: > do you have news about the issue on RADb ? Note that it is discussed on the outages mailing list. No specific news, just that it is down.

Re: DoD IP Space

2021-04-26 Thread Stephane Bortzmeyer
On Sun, Apr 25, 2021 at 08:29:51AM -0400, Jean St-Laurent via NANOG wrote a message of 38 lines which said: > Let's see what will slowly appear in shodan.io and shadowserver.org My favorite (but remember it can be a gigantic honeypot) is the Ubiquiti router with the name

Re: Level3 DNS Issues

2020-09-10 Thread Stephane Bortzmeyer
On Thu, Sep 10, 2020 at 01:20:15PM +, Ryan O’Shea wrote a message of 41 lines which said: > Is anyone experiencing timeouts when querying 209.244.0.3? No, according to RIPE Atlas probes: % blaeu-resolve --nameserver 209.244.0.3 --requested 100 --type SOA . Nameserver 209.244.0.3

Re: BGP route hijack by AS10990

2020-07-30 Thread Stephane Bortzmeyer
On Thu, Jul 30, 2020 at 11:21:04AM +0300, Hank Nussbacher wrote a message of 48 lines which said: >See: And: https://stat.ripe.net/widget/bgp-update-activity#w.starttime=2020-07-16T05%3A00%3A00=2020-07-30T05%3A00%3A00=AS10990

Re: Comcast DNS Assistance?

2020-07-06 Thread Stephane Bortzmeyer
On Sun, Jul 05, 2020 at 09:30:27AM -0400, Dave Dechellis wrote a message of 15 lines which said: > Last night we made some changes to our DNS-SEC environment at Tufts > University and all changes seem to have propagated - but we're having > issues resolving against Comcast's DNS servers.

Re: ISC BIND 9 breakage?

2020-03-25 Thread Stephane Bortzmeyer
On Wed, Mar 25, 2020 at 05:18:49PM +, Drew Weaver wrote a message of 97 lines which said: > Did anyone else on CentOS 6 just have some DNS resolvers totally fall over? dlv.isc.org signatures just expired. > # NOTE: The ISC DLV zone is being phased out as of February >

Re: Rogue objects in routing databases

2020-01-27 Thread Stephane Bortzmeyer
On Sat, Jan 25, 2020 at 12:06:51AM +0100, Florian Brandstetter wrote a message of 53 lines which said: > Examples of affected networks are: > > 193.30.32.0/23 > 45.129.92.0/23 > 45.129.94.0/24 Note that 193.30.32.0/23 has also a ROA (announces by 42198). So, announces by AS8100 would be

Re: DoD IP Space

2019-11-04 Thread Stephane Bortzmeyer
On Mon, Nov 04, 2019 at 10:55:47AM +0200, Chris Knipe wrote a message of 35 lines which said: > We are experiencing a situation with a 3rd party (direct peer), > wanting to advertise DoD address space to us, and we need to confirm > whether they are allowed to do so or not. The US military

Re: Cogent & FDCServers: Knowingly aiding and abetting fraud and theft?

2019-10-11 Thread Stephane Bortzmeyer
On Fri, Oct 11, 2019 at 08:14:00PM +0900, Masataka Ohta wrote a message of 34 lines which said: > they said they have never transferred the block > So, RADB entry: ... > route: 146.51.0.0/16 > origin: AS174 ... > is confirmed to be registration fraud. I nitpick, but

Re: "Using Cloud Resources to Dramatically Improve Internet Routing"

2019-10-07 Thread Stephane Bortzmeyer
On Fri, Oct 04, 2019 at 03:52:26PM -0400, Phil Pishioneri wrote a message of 9 lines which said: > Using Cloud Resources to Dramatically Improve Internet Routing > UMass Amherst researchers to use cloud-based ‘logically centralized > control’ Executive summary: it's SDN for BGP. Centralizing

Re: This DNS over HTTP thing

2019-10-01 Thread Stephane Bortzmeyer
On Tue, Oct 01, 2019 at 12:11:32PM +0200, Jeroen Massar wrote a message of 101 lines which said: > - Using a centralized/forced-upon DNS service (be that over DoT/DoH > or even plain old Do53 Yes, but people using a public DNS resolver (of a big US corporation) over UDP is quite an old

Re: This DNS over HTTP thing

2019-10-01 Thread Stephane Bortzmeyer
On Tue, Oct 01, 2019 at 10:35:31AM +0200, Jeroen Massar wrote a message of 29 lines which said: > Correct: for the DoH protocol it is not that goal, there it solely > is "encryption". But DoT already solves that. DoT is fine, (and my own public resolver activates it) but, as you know, it is

Re: AWS issues with 172.0.0.0/12

2019-10-01 Thread Stephane Bortzmeyer
On Tue, Oct 01, 2019 at 09:09:38AM +0100, Christopher Morrow wrote a message of 27 lines which said: > possible that this is various AWS customers making iptables/firewall mistakes? > "block that pesky rfc1918 172/12 space!!" May be, but I used the same target as Mehmet.

Re: This DNS over HTTP thing

2019-10-01 Thread Stephane Bortzmeyer
On Tue, Oct 01, 2019 at 09:55:54AM +0200, Jeroen Massar wrote a message of 26 lines which said: > > (Because this canary domain contradicts DoH's goals, by allowing > > the very party you don't trust to remotely disable security.) > > The goal is centralization of DNS Hmmm, no, read RFC

Re: AWS issues with 172.0.0.0/12

2019-10-01 Thread Stephane Bortzmeyer
On Mon, Sep 30, 2019 at 11:38:25PM -0700, Mehmet Akcin wrote a message of 131 lines which said: > Here you go The two RIPE Atlas probes in the AT prefix seem able to reach AWS: % blaeu-traceroute --protocol TCP --size=0 --port=80 --first_hop=64 --format --prefix 172.0.0.0/12 --requested

Re: This DNS over HTTP thing

2019-10-01 Thread Stephane Bortzmeyer
On Tue, Oct 01, 2019 at 08:22:58AM +0100, Brandon Butterworth wrote a message of 37 lines which said: > Here are some UKNOF presentations on it - Note that the UK is probably the country in Europe with the biggest use of lying DNS resolvers for censorship. No wonder that the people who

Re: This DNS over HTTP thing

2019-10-01 Thread Stephane Bortzmeyer
On Mon, Sep 30, 2019 at 11:56:33PM -0400, Brandon Martin wrote a message of 10 lines which said: > It's use-application-dns.net. NXDOMAIN it, and Mozilla (at least) > will go back to using your local DNS server list as per usual. Unless, I hope, the user explicitely overrides this. (Because

Re: This DNS over HTTP thing

2019-10-01 Thread Stephane Bortzmeyer
On Mon, Sep 30, 2019 at 11:46:04PM -0400, Fred Baker wrote a message of 28 lines which said: > > Is there an official name for it I should be searching for? > > The IETF calls it "DoH", pronounced like > "Dough". https://datatracker.ietf.org/wg/doh/about/ And it is standardized in RFC 8484,

Re: 44/8

2019-07-19 Thread Stephane Bortzmeyer
On Thu, Jul 18, 2019 at 11:13:24PM -0400, Majdi S. Abbas wrote a message of 26 lines which said: > Amusingly, they still seem to be advertising the covering > aggregate, Are you sure? RIPE stat shows it stopped one month ago

Re: who attacks the weather channel?

2019-04-18 Thread Stephane Bortzmeyer
On Thu, Apr 18, 2019 at 03:16:34PM +, Kain, Rebecca (.) wrote a message of 69 lines which said: > https://www.cnn.com/2019/04/18/media/weather-channel-hack/index.html May be these people? https://en.wikipedia.org/wiki/Weather_Underground

A Deep Dive on the Recent Widespread DNS Hijacking Attacks

2019-02-23 Thread Stephane Bortzmeyer
Very good article, very detailed, with a lot of technical precisions, about the recent domain name hijackings (not using the DNS, just good old hijackings at registrar or hoster). https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/

Re: A Zero Spam Mail System [Feedback Request]

2019-02-17 Thread Stephane Bortzmeyer
On Mon, Feb 18, 2019 at 12:28:21PM +0530, Viruthagiri Thirumavalavan wrote a message of 111 lines which said: > Just gone through all your replies. And apparently you did not read them and did not take any lesson in it. > Literally everyone attacking me here. In the current thread, NOT ONE

Re: A Zero Spam Mail System [Feedback Request]

2019-02-17 Thread Stephane Bortzmeyer
On Mon, Feb 18, 2019 at 07:33:32AM +0530, Viruthagiri Thirumavalavan wrote a message of 515 lines which said: > My name is Viruthagiri Thirumavalavan. I'm the guy who proposed SMTP > over TLS on Port 26 Besides all the excellent remarks that were made here (and I seriously urge you to read

Re: 2019-01-11 ARIN.NET DNSSEC Outage – Post-Mortem (was: Re: ARIN NS down?)

2019-01-14 Thread Stephane Bortzmeyer
On Fri, Jan 11, 2019 at 08:59:10PM +, John Curran wrote a message of 125 lines which said: > Our monitoring systems reported being green until the signatures > expired as they presently check that the SOA's match on the internal > and external nameservers. For checking of DNSSEC

Re: Dnssec still inoperable on the internet ?— was ARIN NS down?

2019-01-11 Thread Stephane Bortzmeyer
On Fri, Jan 11, 2019 at 07:58:25AM -0800, Ca By wrote a message of 488 lines which said: > No your threats and deploy wisely Say no to the threats :-)

Re: ARIN NS down?

2019-01-11 Thread Stephane Bortzmeyer
On Fri, Jan 11, 2019 at 07:57:25PM +0530, Suresh Ramasubramanian wrote a message of 56 lines which said: > couldn't get address for 'ns1.arin.net': not found DNSSEC issue, they let the signatures expire

Re: CenturyLink

2018-12-28 Thread Stephane Bortzmeyer
On Fri, Dec 28, 2018 at 07:07:42AM +, Erik Sundberg wrote a message of 131 lines which said: > CenturyLink will be conducting an extensive post-incident > investigation and root cause analysis to provide follow-up > information to our customers Is this problem also responsible for the

Re: CloudFlare D.N.S. Resolvers... (1.1.1.1 & 1.0.0.1)

2018-09-26 Thread Stephane Bortzmeyer
On Wed, Sep 26, 2018 at 11:28:06AM +0200, Jens Link wrote a message of 14 lines which said: > quick and dirty: Indeed. For instance, the delay depends wether the cache it hot or cold (measuring response time for an authoritative server is easier).

Re: CloudFlare D.N.S. Resolvers... (1.1.1.1 & 1.0.0.1)

2018-09-26 Thread Stephane Bortzmeyer
On Wed, Sep 26, 2018 at 09:21:21AM +0100, Colin Johnston wrote a message of 16 lines which said: > also could use ripe atlas Which embeds clients for ICMP Echo, DNS, NTP, TLS, arbitrary TCP (with some hacks), and, with serious limitations, HTTP.

Re: CloudFlare D.N.S. Resolvers... (1.1.1.1 & 1.0.0.1)

2018-09-26 Thread Stephane Bortzmeyer
On Wed, Sep 26, 2018 at 10:59:02AM +0300, Michael Bullut wrote a message of 192 lines which said: > How would you gauge good DNS performance? To test {XXX} performance, you use a {XXX} client, where XXX = DNS, HTTP, SSH, LDAP, etc.

Re: CloudFlare D.N.S. Resolvers... (1.1.1.1 & 1.0.0.1)

2018-09-26 Thread Stephane Bortzmeyer
On Wed, Sep 26, 2018 at 10:52:07AM +0300, Michael Bullut wrote a message of 162 lines which said: > Has anyone deployed the aforementioned in your individual networks? > A quick test suggests it is quite fast compared with Google's > D.N.S. resolvers: Well, you don't test a DNS service with

Re: Bogon prefix c0f:f618::/32 announced via Cogent

2018-07-16 Thread Stephane Bortzmeyer
On Sat, Jul 14, 2018 at 08:18:25AM +0800, Siyuan Miao wrote a message of 27 lines which said: > c0f:f618::/32 originated from AS327814 is announcing via Cogent for several > weeks. Apparently withdrawn 2018-07-14 around 16:00:00 UTC. Your mail to NANOG was effective :-)

Re: broken DNS

2018-06-07 Thread Stephane Bortzmeyer
On Thu, Jun 07, 2018 at 11:31:15AM -0400, harbor235 wrote a message of 5 lines which said: > I was hoping for some DNS wisdom, Then this is more a dns-operations mailing list issue. > would a change in a SOA record cause a > DNSSEC broken trust chain? incorrect RRSIG? No. The SOA record

Re: The story about MyEtherWallet.com hijack or how to become a millionare in 2 hours.

2018-04-24 Thread Stephane Bortzmeyer
On Tue, Apr 24, 2018 at 08:35:17PM +0200, Fredrik Korsbäck wrote a message of 28 lines which said: > Surprised this hasnt "made the news" over at this list yet. It may be also because NANOG email is handled by Google, who broke its antispam: : host

Re: Yet another Quadruple DNS?

2018-04-03 Thread Stephane Bortzmeyer
On Tue, Apr 03, 2018 at 10:54:34AM -0400, Rich Kulawiec wrote a message of 10 lines which said: > Watch what you wish for: you might get it. The number of > attack/abuse vectors (and the severity of their consequences for > security and privacy) involved in doing auto-update

Re: Yet another Quadruple DNS?

2018-04-03 Thread Stephane Bortzmeyer
On Tue, Apr 03, 2018 at 03:01:19AM -0700, Brian Kantor wrote a message of 12 lines which said: > > That would be a terrible violation of network neutrality. I hope > > that such ISP will go bankrupt. > > On the contrary: it will enable them to collect more usage > statistics

Re: Yet another Quadruple DNS?

2018-04-03 Thread Stephane Bortzmeyer
On Sun, Apr 01, 2018 at 02:03:41PM -0600, Paul Ebersman wrote a message of 38 lines which said: > And EDNS client subnet mostly works. It is awful, privacy-wise, complicates the cache a lot and seriously decreases hit rate in cache (since the key to a cached resource

Re: Yet another Quadruple DNS?

2018-04-03 Thread Stephane Bortzmeyer
On Sun, Apr 01, 2018 at 09:22:10AM -0700, Stephen Satchell wrote a message of 39 lines which said: > Recursive lookups take bandwidth and wall time. The closer you can > get your recursive DNS server to the core of the internet, the > faster the lookups. I think the exact

Re: Yet another Quadruple DNS?

2018-03-30 Thread Stephane Bortzmeyer
On Fri, Mar 30, 2018 at 03:57:24PM +0100, William Waites wrote a message of 48 lines which said: > > 77.77.77.77 - Dadeh Gostar Asr Novin P.J.S. Co. (Iran) | 77.77.64/19 | > > recursion-yes > > Well, that one's a little odd: I think that, for the government of this

Re: Yet another Quadruple DNS?

2018-03-30 Thread Stephane Bortzmeyer
On Fri, Mar 30, 2018 at 06:46:19AM -0800, Royce Williams wrote a message of 19 lines which said: > Full survey - with owners of the largest bit-boundary-aligned blocks > that contain them - here: > >

Re: Yet another Quadruple DNS?

2018-03-30 Thread Stephane Bortzmeyer
On Thu, Mar 29, 2018 at 08:29:57AM -0700, Bill Woodcock wrote a message of 53 lines which said: > there are ISPs who are internally capturing 8.8.8.8, and who try to > do the same with 9.9.9.9. Which is why it’s so important to do > cryptographic validation of the server and

Re: Yet another Quadruple DNS?

2018-03-29 Thread Stephane Bortzmeyer
On Thu, Mar 29, 2018 at 09:08:38AM -0500, Chris Adams wrote a message of 12 lines which said: > I've never really understood this - if you don't trust your ISP's > DNS, why would you trust them not to transparently intercept any > well-known third-party DNS? Technically,

Re: Yet another Quadruple DNS?

2018-03-29 Thread Stephane Bortzmeyer
On Thu, Mar 29, 2018 at 07:01:59AM -0700, Brian Kantor wrote a message of 20 lines which said: > I believe that centralized DNS resolvers such as 8.8.8.8 are of > benefit to those folks who can't run their own recursive resolver > because of OS, hardware, Hardware is not a

Re: Yet another Quadruple DNS?

2018-03-29 Thread Stephane Bortzmeyer
On Thu, Mar 29, 2018 at 07:33:08AM -0400, Matt Hoppes wrote a message of 7 lines which said: > We already have 8.8.8.8 and 8.8.4.4. And 9.9.9.9 and several others public DNS resolvers. > And any reputable company or ISP should be running their own. I

Re: Yet another Quadruple DNS?

2018-03-29 Thread Stephane Bortzmeyer
On Thu, Mar 29, 2018 at 12:16:48PM +0100, Tony Finch wrote a message of 15 lines which said: > Also the very amusing > > https://twitter.com/eastdakota/status/970359846548549632 Less amusing, for a DNS service, the brokenness of reverse service: % dig -x 1.1.1.1 ; <<>> DiG

Re: Yet another Quadruple DNS?

2018-03-29 Thread Stephane Bortzmeyer
On Wed, Mar 28, 2018 at 11:16:15PM +0300, DaKnOb wrote a message of 25 lines which said: > Out of 1,000 RIPE Atlas Probes, only 34 report it as unreachable. It's still a lot for IPv4. And it measures ony filtering, not hijacking (which seems to exist, some probes get a

Re: Spectre/Meltdown impact on network devices

2018-01-08 Thread Stephane Bortzmeyer
On Mon, Jan 08, 2018 at 11:41:04AM +0100, Stephane Bortzmeyer <bortzme...@nic.fr> wrote a message of 20 lines which said: > > I'm curious to hear the impact on network devices of this new hardware > > flaws that everybody talk about. Yes, the Meltdown/Spectre

Re: Spectre/Meltdown impact on network devices

2018-01-08 Thread Stephane Bortzmeyer
On Sun, Jan 07, 2018 at 02:02:24PM -0500, Jean | ddostest.me via NANOG wrote a message of 21 lines which said: > I'm curious to hear the impact on network devices of this new hardware > flaws that everybody talk about. Yes, the Meltdown/Spectre flaws.

Re: Google DNS intermittent ServFail for Disney subdomain

2017-10-20 Thread Stephane Bortzmeyer
On Fri, Oct 20, 2017 at 03:29:15PM +0200, Filip Hruska wrote a message of 49 lines which said: > Would be great if makers of home routers would implement full recursive DNS > resolvers The good ones do

Re: Google DNS --- Figuring out which DNS Cluster you are using

2017-08-24 Thread Stephane Bortzmeyer
On Thu, Aug 24, 2017 at 10:53:58AM +1000, Mark Andrews wrote a message of 39 lines which said: > If Google was being sensible the servers would just return the > information along with the answer. They all support EDNS. I fully agree with you that NSID (RFC 5001) is great and

Re: loc.gov

2017-07-09 Thread Stephane Bortzmeyer
On Sat, Jul 08, 2017 at 09:41:29PM -0400, Nicholas Oas wrote a message of 37 lines which said: > Have isitdownorjustme sites simply superceded the need for such > lists? isitdownorjustme-type sites are very limited: one vantage point, and few (or none) indication of

Re: IP Hijacking For Dummies

2017-06-11 Thread Stephane Bortzmeyer
On Mon, Jun 05, 2017 at 04:46:04PM -0700, Ronald F. Guilmette wrote a message of 85 lines which said: > Late last night, I put together the following simple annotated listing of > the routes being announced by AS34991. Note that they apparently stopped on 7 june.

Re: IP Hijacking For Dummies

2017-06-09 Thread Stephane Bortzmeyer
On Mon, Jun 05, 2017 at 04:46:04PM -0700, Ronald F. Guilmette wrote a message of 85 lines which said: > I just think that by now, in 2017, we should have a somewhat more > skilled class of frauds, rogues, criminals and spies on the > Internet. "This city deserves a

Re: Question to Google

2017-05-15 Thread Stephane Bortzmeyer
On Mon, May 15, 2017 at 07:55:41AM -0700, Damian Menscher wrote a message of 82 lines which said: > Can you point to published studies where the root and .com server > operators analyzed Todd's questions? For the root, the most comprehensive one is probably SAC 18 A good

Re: Question to Google

2017-05-15 Thread Stephane Bortzmeyer
On Mon, May 15, 2017 at 09:20:17AM -0400, Todd Underwood wrote a message of 66 lines which said: > so implications that this is somehow related to Google dragging > their feet are silly. Implying that the root name server operators, or Verisign (manager of the .com name

Re: Question to Google

2017-05-15 Thread Stephane Bortzmeyer
> Unfortunately, every time we've looked at the data, the > conclusion has been that it would cause unwarranted user > impact. IIRC the most recent blocker was a major US ISP whose > clients would experience breakage if even just one NS record > was dual-stacked.

Re: Financial services BGP hijack last week?

2017-05-02 Thread Stephane Bortzmeyer
On Tue, May 02, 2017 at 01:49:04AM -0400, valdis.kletni...@vt.edu wrote a message of 29 lines which said: > I didn't see any mention of this here. You should susbcribe to @bgpstream on Twitter, and read BGPmon blog :-) https://twitter.com/bgpstream

Re: ARIN contact needed: something bad happens with legacy IPv4 block's reverse delegations

2017-03-17 Thread Stephane Bortzmeyer
On Fri, Mar 17, 2017 at 12:03:58PM +0300, Eygene Ryabinkin wrote a message of 71 lines which said: > We (at Kurchatov Insitute) still use 144.206.0.0/16, the legacy > block, and seeing the breakage rooted at ARIN since this night, > {{{ > $ dig +trace -t soa

Re: ARIN contact needed: something bad happens with legacy IPv4 block's reverse delegations

2017-03-17 Thread Stephane Bortzmeyer
On Fri, Mar 17, 2017 at 12:03:58PM +0300, Eygene Ryabinkin wrote a message of 71 lines which said: > Seems like the other /16 from 144.in-addr.arpa are affected too > (at least). Also in 164.in-addr.arpa, it seems?

Re: Internet Governance Forum DNS

2016-12-09 Thread Stephane Bortzmeyer
On Thu, Dec 08, 2016 at 03:36:03AM -0500, Joly MacFie wrote a message of 13 lines which said: > "www.intgovforum.org’s server DNS address could not be found." Welcome to the UN... Updated Date: 2016-12-08T14:33:28Z It expired and was renewed yesterday (source: Internet

Re: Lawsuits for falsyfying DNS responses ?

2016-09-13 Thread Stephane Bortzmeyer
On Tue, Sep 13, 2016 at 07:12:59AM +0200, JÁKÓ András wrote a message of 18 lines which said: > Blocking for that purpose usually means redirecting in > practive. You'll redirect to a page that explains why the original > site is not available. It has practical

Re: Chinese root CA issues rogue/fake certificates

2016-09-01 Thread Stephane Bortzmeyer
On Thu, Sep 01, 2016 at 11:36:57AM +1000, Matt Palmer wrote a message of 45 lines which said: > I'd be surprised if most business continuity people could even name > their cert provider, And they're right because it would be a useless information: without DANE, *any* CA

Re: number of characters in a domain?

2016-07-23 Thread Stephane Bortzmeyer
On Sat, Jul 23, 2016 at 08:35:57AM -0400, Jared Mauch wrote a message of 12 lines which said: > I would consult RFC1035 for the label sizes, but the total length > can include multiple labels up to 255 in length. Check section 2.3.4 On another mailing list, Marc

Re: NANOG is five days late?

2016-07-18 Thread Stephane Bortzmeyer
On Mon, Jul 18, 2016 at 08:53:02AM -0500, Andy Koch wrote a message of 15 lines which said: > The NANOG mailing list has a policy to hold the first post from all > new subscribers and those who have not posted in a long time (one > year+). So, the batch of messages which has

NANOG is five days late?

2016-07-18 Thread Stephane Bortzmeyer
This message just arrived... Received: from mail.nanog.org (localhost [127.0.0.1]) by mail.nanog.org (Postfix) with ESMTP id 96AA42D47BB; Mon, 18 Jul 2016 13:15:14 + (UTC) X-Original-To: nanog@nanog.org Delivered-To: nanog@nanog.org Received: from mail-it0-x245.google.com

Re: NIST NTP servers

2016-05-10 Thread Stephane Bortzmeyer
On Tue, May 10, 2016 at 10:52:28AM -0400, valdis.kletni...@vt.edu wrote a message of 37 lines which said: > Note that they *do* have motivation to keep it working, simply > because so much of their *own* gear (from gear for individual > soldiers all the way to

Re: NIST NTP servers

2016-05-10 Thread Stephane Bortzmeyer
On Tue, May 10, 2016 at 06:48:52AM -0400, Steven Miano wrote a message of 41 lines which said: > Going with an internal GPS/GLONASS/RADIO based S1 allows you to > restrict incoming traffic and not rely on volunteers or external > entities (which may undergo maintenance or

Re: www.cisco.com no resolve?

2016-03-19 Thread Stephane Bortzmeyer
On Sat, Mar 19, 2016 at 05:38:03AM +, Dmitry Sherman wrote a message of 13 lines which said: > dig www.cisco.com @8.8.8.8 Better to test through the authoritative name servers. The problem was there, as documented in

Re: www.cisco.com no resolve?

2016-03-19 Thread Stephane Bortzmeyer
On Fri, Mar 18, 2016 at 10:53:15PM -0700, John Kinsella wrote a message of 49 lines which said: > Confirmed in Northern California, on all 3 primary NS servers. A > little Friday night maintenance window, maybe? Isn't it simply because the alias chain is awfully long

Re: Level3 DNS not resolving for our domains

2015-12-30 Thread Stephane Bortzmeyer
On Wed, Dec 30, 2015 at 11:12:29PM +0100, Alarig Le Lay wrote a message of 35 lines which said: > Both are in the same AS, perhaps a routing issue? Indeed. This is a warning in ZoneMaster and I observe also that 10-15 % of

Re: Level3 DNS not resolving for our domains

2015-12-30 Thread Stephane Bortzmeyer
On Wed, Dec 30, 2015 at 03:02:39PM -0600, Otto Monnig wrote a message of 24 lines which said: > Sorry for not providing domains - I did so intentionally, as I > believe this is a policy change at L3, rather than a technical > issue. And how are we supposed to debug,

Re: [CVE-2015-7755] Backdoor in Juniper/ScreenOS

2015-12-21 Thread Stephane Bortzmeyer
On Fri, Dec 18, 2015 at 09:28:11AM +0100, Stephane Bortzmeyer <bortzme...@nic.fr> wrote a message of 6 lines which said: > http://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554 The password for the first backdoor (the one regardi

[CVE-2015-7755] Backdoor in Juniper/ScreenOS

2015-12-18 Thread Stephane Bortzmeyer
http://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554 https://kb.juniper.net/InfoCenter/index?page=content=JSA10713=SIRT_1=LIST Should we blame Juniper for letting a git repository open to "unauthorized code" or should we congratulate them for

Re: DNSSEC and ISPs faking DNS responses

2015-12-17 Thread Stephane Bortzmeyer
On Thu, Nov 12, 2015 at 10:27:01PM -0500, Jean-Francois Mezei wrote a message of 66 lines which said: > The Québec government is wanting to pass a law that will force ISPs > to block and/or redirect certain sites it doesn't like. (namely > sites that offer

Re: Bluehost.com

2015-11-25 Thread Stephane Bortzmeyer
On Wed, Nov 25, 2015 at 08:41:55AM -0800, JoeSox wrote a message of 9 lines which said: > Anyone have the scope on the outage for Bluehost? > https://twitter.com/search?q=%23bluehostdown=tyah The two name servers ns1.bluehost.com and ns2.bluehost.com are awfully slow to

Re: Is there a DNS lookup, traceroute, ping and HTTP GET as a service?

2015-11-18 Thread Stephane Bortzmeyer
On Wed, Nov 18, 2015 at 02:38:28PM -0200, Kurt Kraut via NANOG wrote a message of 45 lines which said: > About RIPE ATLAS, I already have one of their boxes and it never > worked. Simply doesn't appear as online. Their support just barely > gave me some tips but with no

Re: DNSSEC and ISPs faking DNS responses

2015-11-14 Thread Stephane Bortzmeyer
On Sat, Nov 14, 2015 at 01:36:06AM -0500, Jean-Francois Mezei wrote a message of 71 lines which said: > Loto Québec is supposed to be testing for compliance, and I am not > sure how they will do that short of having a subscription to every > ISP that sells

Re: DNSSEC and ISPs faking DNS responses

2015-11-13 Thread Stephane Bortzmeyer
On Fri, Nov 13, 2015 at 04:27:36AM -0500, Jean-Francois Mezei wrote a message of 34 lines which said: > I'll have to research how other countries tried to implement similar > schemes

Re: DNSSEC and ISPs faking DNS responses

2015-11-13 Thread Stephane Bortzmeyer
On Fri, Nov 13, 2015 at 09:54:28AM +, a.l.m.bu...@lboro.ac.uk wrote a message of 20 lines which said: > well, in EU I dont think that would ever fly. It is done in France, for a long time .

Re: DNSSEC and ISPs faking DNS responses

2015-11-13 Thread Stephane Bortzmeyer
On Fri, Nov 13, 2015 at 10:24:27AM -0800, Mark Milhollan wrote a message of 30 lines which said: > Would the masses ever replace their stub with a full resolver? > Doubtful, unless their OS vendor does it for them. Fedora already does it, apparently, with the excellent

Re: Chile Status?

2015-09-17 Thread Stephane Bortzmeyer
On Thu, Sep 17, 2015 at 09:58:54AM -0400, Jared Mauch wrote a message of 11 lines which said: > If someone wants ripe ATLAS credits please send me a request > off-list with your e-mail address registered for RIPE Atlas. Even without credits, and an anonymous access,

Re: Chile Status?

2015-09-17 Thread Stephane Bortzmeyer
On Thu, Sep 17, 2015 at 10:00:46AM -0400, Marshall Eubanks wrote a message of 34 lines which said: > shows green dots, but if you mouseover you see that the last > connects are all old (pre-Earthquake). You're right, I forgot to check that but the 17 RIPE Atlas

Re: Exploits start against flaw that could hamstring huge swaths of Internet | Ars Technica

2015-08-04 Thread Stephane Bortzmeyer
On Tue, Aug 04, 2015 at 10:03:33AM -0400, Jay Ashworth j...@baylink.com wrote a message of 6 lines which said: Everyone got BIND updated? For instance by replacing it with NSD or Unbound?

Re: Speaking of NTP...

2015-07-13 Thread Stephane Bortzmeyer
On Mon, Jul 13, 2015 at 01:17:01PM +, Matthew Huff mh...@ox.com wrote a message of 14 lines which said: We have 5 NTP server: 2 x stratum 1 rubidium oscillator time servers with GPS sync, and 3 servers running NTP 4.2.6p5-3 synced to external internet based NTP stratum 1 servers. We

Re: REMINDER: LEAP SECOND

2015-06-22 Thread Stephane Bortzmeyer
On Mon, Jun 22, 2015 at 01:15:41PM +0100, Tony Finch d...@dotat.at wrote a message of 15 lines which said: The problems are that UTC is unpredictable, That's because the earth rotation is unpredictable. Any time based on this buggy planet's movements will be unpredictable. Let's patch it

Re: REMINDER: LEAP SECOND

2015-06-22 Thread Stephane Bortzmeyer
On Mon, Jun 22, 2015 at 12:38:28PM +, Bjoern A. Zeeb bzeeb-li...@lists.zabbadoz.net wrote a message of 17 lines which said: So we need a new center of the universe and switch to stardate and thus solve the 32bit UNIX time problem for real this time? Or simply use TAI which is the

Re: AS4788 Telecom Malaysia major route leak?

2015-06-12 Thread Stephane Bortzmeyer
On Fri, Jun 12, 2015 at 11:09:34AM +0200, Tore Anderson t...@fud.no wrote a message of 10 lines which said: I see tons of bogus routes show up with AS4788 in the path, and at least AS3549 is acceping them. E.g. for the RIPE NCC (193.0.0.0/21): [BGP/170] 00:20:29,

Re: AS4788 Telecom Malaysia major route leak?

2015-06-12 Thread Stephane Bortzmeyer
On Fri, Jun 12, 2015 at 09:58:55AM -0500, Charles van Niman char...@phukish.com wrote a message of 25 lines which said: Does anyone at Level3 care to comment here about this event, https://twitter.com/Level3/status/609353696787496960

Re: macomnet weird dns record

2015-04-14 Thread Stephane Bortzmeyer
On Tue, Apr 14, 2015 at 02:26:48PM +0100, Colin Johnston col...@gt86car.org.uk wrote a message of 19 lines which said: Best practice says avoid such info in records as does not aid debug since mix of dec and hex No. Pure imagination on your side. There is no such best practice. And it's not

Re: macomnet weird dns record

2015-04-14 Thread Stephane Bortzmeyer
On Tue, Apr 14, 2015 at 04:09:42PM +0300, Nikolay Shopik sho...@inblock.ru wrote a message of 10 lines which said: How its weird? All these chars allowed in DNS records. And they probably encode the netmask, which may be useful.

Re: Google public DNS - getting SERVFAIL for any domains delegated to GoDaddy NSs

2014-12-07 Thread Stephane Bortzmeyer
On Sun, Dec 07, 2014 at 12:01:40PM -0500, Erik Levinson erik.levin...@uberflip.com wrote a message of 25 lines which said: I'm getting SERVFAIL when trying to resolve any record in any domain whose NSs are

Re: How to track DNS resolution sources

2014-12-03 Thread Stephane Bortzmeyer
On Wed, Dec 03, 2014 at 05:22:58PM +0100, Notify Me notify.s...@gmail.com wrote a message of 13 lines which said: I hope I'm wording this correctly. Not really :-) I had a incident at a client site where a DNS record was being spoofed. How do you know? What steps did you use to assert

Re: How to track DNS resolution sources

2014-12-03 Thread Stephane Bortzmeyer
On Wed, Dec 03, 2014 at 11:32:08AM -0500, TR Shaw ts...@oitc.com wrote a message of 20 lines which said: On the command line: host spoofed.host.name.com Excuse me but it is useless. It tests only the local resolver (which may be unpoisoned). It provides no details that could help to debug

BGP hijacking to steal bitcoins

2014-08-08 Thread Stephane Bortzmeyer
Good report (although I do not understand why they hide the name of the offending ISP since anyone can see it in RouteViews, or in its own BGP traffic). It's ordinary BGP hijacking but the goal is new: stealing bitcoins since the connections inside the mining pool are not authenticated.

Re: BGP Session

2014-07-16 Thread Stephane Bortzmeyer
I love the From: field :-)

Re: RIPE Atlas data parsing

2014-05-27 Thread Stephane Bortzmeyer
On Tue, May 27, 2014 at 12:28:30PM -0700, Ca By cb.li...@gmail.com wrote a message of 9 lines which said: Is there dummy tool for summarizing this JSON data and possibly visualizing it? On Atlas Web site, there is the Seismograph (an interactive tool). I don't use it myself. There are many

Re: All of .mil tld is down

2014-05-20 Thread Stephane Bortzmeyer
On Tue, May 20, 2014 at 02:35:49PM -0400, Brian Henson marin...@gmail.com wrote a message of 107 lines which said: Looks like it has been corrected now Not from everywhere. From two different networks in France, I get: % check-soa -i nipr.mil CON1.nipr.mil. 199.252.157.234: ERROR:

Re: Anternet

2014-04-07 Thread Stephane Bortzmeyer
On Sat, Apr 05, 2014 at 12:44:05AM -0500, Larry Sheldon larryshel...@cox.net wrote a message of 9 lines which said: http://kottke.org/14/04/the-anternet But what is the equivalent of 3-way handshake? And of ECN (ants carrying back messages I still bring food but it won't last)? And the

Re: Blocking of domain strings in iptables

2014-02-08 Thread Stephane Bortzmeyer
On Sat, Feb 08, 2014 at 12:34:45AM -0800, Jonathan Lassoff j...@thejof.com wrote a message of 88 lines which said: This is going to be tricky to do, as DNS packets don't necessarily contain entire query values or FQDNs as complete strings due to packet label compression Apprently, the OP

  1   2   >