[swinog] Re: Swisscom DNS issue: spectrum-conference.org wrongfully resolves to a bluewin address in swisscom mobile networks

2024-04-23 Threads Daniel Stirnimann via swinog
Yes, I understand the technical issues. And yes it's ugly. But do you have a better solution? Swisscom should stop tampering with DNS, as it does not work, and is no solution to the problem. I disagree, Swisscom still misses a lot of phishing and malware websites. I would like them to be

[swinog] Re: Swisscom DNS issue: spectrum-conference.org wrongfully resolves to a bluewin address in swisscom mobile networks

2024-04-23 Threads Daniel Stirnimann via swinog
Try http://195.186.208.193/ Daniel On 23.04.2024 08:40, Marc Balmer wrote: Swisscom returns this IP address for blocked domain names most likely because it assumes this website is compromised (phishing, malware). If you visit this IP address in a web browser you are redirected to

[swinog] Re: Swisscom DNS issue: spectrum-conference.org wrongfully resolves to a bluewin address in swisscom mobile networks

2024-04-22 Threads Daniel Stirnimann via swinog
Swisscom returns this IP address for blocked domain names most likely because it assumes this website is compromised (phishing, malware). If you visit this IP address in a web browser you are redirected to https://www.swisscom.ch/abuse-info This website has a form to report false positive.

[swinog] Re: Debugging bluewin.ch emails not going through

2023-12-08 Threads Daniel Stirnimann via swinog
at least one delegation is broken: ns1.init7.net: 200-30.135.144.213.in-addr.arpa. 86400 IN NS dns.nazgul.ch. 200-30.135.144.213.in-addr.arpa. 86400 IN NS dns.swill.org. dig dns.swill.org ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16024 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0,

[swinog] Operational announcement: transition from NSEC3 to NSEC in the CH/LI zone

2023-10-30 Threads Daniel Stirnimann via swinog
or notice any anomalies related to this transition, please don't hesitate to contact us. [1] https://www.nic.ch/statistics/dnssec/ [2] https://zonedata.switch.ch/ [3] https://datatracker.ietf.org/doc/html/rfc8198 -- Daniel Stirnimann, SWITCH-CERT Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland

[swinog] Re: Swiss Domain Security Report Q3 2022

2023-06-07 Threads Daniel Stirnimann via swinog
Hi Adrian, On 07.06.23 21:33, Adrian Ulrich via swinog wrote: I'm pretty surprised that of the 1.7M domains with an MX record, only 57% have DKIM I don't see how one could reliably gather this data from DNS: DKIM allows you to specify a selector in the header of the mail: This mail for

[swinog] Re: DNSSEC auto-disabled by SWITCH on some .ch domains?

2023-05-01 Threads Daniel Stirnimann via swinog
On 01.05.23 15:48, Benoît Panizzon via swinog wrote: It looks like Gandi at least messed up their Registrar UI. From their point of view, my 'algo 5' .ch domains have still DNSSEC active but deleting DS or disabling DNSSEC hangs forever and upon reloading my old algo 5 keys are back. I guess

[swinog] Re: DNSSEC auto-disabled by SWITCH on some .ch domains?

2023-05-01 Threads Daniel Stirnimann via swinog
I wasn't a part of this procedure so I cannot answer anything related to that. I can, however, respond to questions for which we make information available online. If you want specific information about the procedure I suggest you ask your registrar or you can contact SWITCH at

[swinog] Re: DNSSEC issue with swizzonic DNS servers?

2023-01-06 Threads Daniel Stirnimann via swinog
Hi Benoit Not sure what the original problem was on the 27th of Dec but the current problem is as follows: numberportability.ch has an NSEC negative proof at the zone apex which states that there are no other hostnames than numberportability.ch itself. dig @dns1.swizzonic.ch

[swinog] New nameserver node for LI/CH at SwissIX

2021-10-22 Threads Daniel Stirnimann
Hello Swinog, The TLD zones .ch/.li make use of the RcodeZero Anycast DNS service of nic.at since a few weeks (The nameserver letters d.nic.ch/d.nic.li to be precise). Nic.at has now added an anycast node at SwissIX. In order to get the best possible RTT and increased resiliency against potential

Re: [swinog] our zimbra webmail server is on the swisscom dns blacklist ...

2020-07-24 Threads Daniel Stirnimann
The domain name zimbox.ch seems to be listed on some phishing blocklists [1]. I found entries at G-Data (VT) and at SURBL: http://www.surbl.org/surbl-analysis -> zimbox.ch is listed in PH A ticket for list removal of this domain is already in our queue

Re: [swinog] Missing DNS A records for several domains hosted by swisscom.com

2020-02-07 Threads Daniel Stirnimann
It looks like that the affected domain names have not been updated to the (new) MX hosts: mx01.mailsecurity.swisscom.com. mx02.mailsecurity.swisscom.com. So, I guess it's a domain owner problem and not a Swisscom problem. For example, spital-lachen.ch used to have

Re: [swinog] swinog Digest, Vol 174, Issue 3

2019-07-11 Threads Daniel Stirnimann
The pointers have been given before. This is your problem: https://www.spamhaus.org/query/ip/79.134.251.203 Daniel On 11.07.19 14:25, Andreas Fink wrote: > Except that this is not applicable. In my case my mailserver is not > hosted at Swisscom but on my own infrastructure, is on the same IP

[swinog] .CH/.LI DNSSEC Algorithm Rollover

2018-11-11 Threads Daniel Stirnimann
understands RSA but not ECDSA, then it will answer to ch. or li. queries as if they were not DNSSEC signed. You can test which DNSSEC algorithms are supported by the DNS resolver(s) configured on your system by visiting: https://rootcanary.org/test.html Best regards, Daniel Stirnimann, SWITCH -- SWITCH

Re: [swinog] Google DNS on Salt Mobile

2018-10-29 Threads Daniel Stirnimann
Hello Greg, > It seems like Salt is no longer supplying their own DNS servers when > establishing an LTE connection. Instead, the network responds with Google DNS > servers (8.8.8.8 8.8.4.4). They seem to use a mix of Google Public DNS and own resolvers. I noticed this a year ago as well:

[swinog] Sporadic DNS resolver error for *.mail.protection.outlook.com

2018-05-22 Threads Daniel Stirnimann
looks like the authoritative nameservers cannot handle EDNS(0) queries (standardized in 1999, rfc2671). While this is not a problem per se, the FORMERR response is not according to the RFC. For more details see: https://ednscomp.isc.org/ednscomp/17c95198e4#edns Name resolution therefore relies on

Re: [swinog] datacomm/vtxnet and quicknet/kfsb are missing TLS on their mailservers

2018-02-02 Threads Daniel Stirnimann
> Since you seem to like quotes, Jon Postel had one for you: > > "Be liberal in what you accept, and conservative in what you send" I thought this mindset is outdated: https://tools.ietf.org/html/draft-thomson-postel-was-wrong-02 Daniel

Re: [swinog] 'known' DNS Problems with Migros Banking App?

2016-08-09 Threads Daniel Stirnimann
Hello Benoit, I have just tested the Migros Banking App on Android on a WiFi network with an IPv4 only address. The dns resolver is validating and has an IPv4 and IPv6 address to resolve names. If I start the App on my smartphone it resolves the following domain names: secure.migrosbank.ch. A

Re: [swinog] 20 Minuten Online hacked?

2016-04-07 Threads Daniel Stirnimann
The problem is less 20min than Tamedia's ad server. At the moment the malicious code just happens to come only via 20min.ch. But in the past other Tamedia sites were affected as well. See also: http://securityblog.switch.ch/2016/02/10/attack-of-the-killer-ads/

Re: [swinog] .ch registrars : goodbye nic.ch, but where to go then ?

2015-05-11 Threads Daniel Stirnimann
mind, please send me the name of the registrar directly. We are also in the process of implementing a DNSSEC test procedure which registrars have to do before they can send/receive DNSSEC data over EPP. Maybe we should have done this earlier. Daniel -- SWITCH Daniel Stirnimann, SWITCH-CERT

Re: [swinog] Troubles with IPv6 queries to whois.nic.ch?

2015-04-27 Threads Daniel Stirnimann

Re: [swinog] Troubles with IPv6 queries to whois.nic.ch?

2015-04-27 Threads Daniel Stirnimann
The mentioned problem turned out to be a bug in whois.nic.ch when handling IPv6 requests. The bug only appears in rare events. We will of course fix it. Daniel On 27.04.15 10:38, Daniel Stirnimann wrote: Hello Benoît I'm not sure at what time and from which IPv6 address you tried. I just

Re: [swinog] .com registrar that offers DS records and IPv6 Glue

2014-05-23 Threads Daniel Stirnimann
Hi Benoit, I have no recommendation but the following might still be of interest. ICANN publishes a list of registrars which support DNSSEC (last updated March 2014) https://www.icann.org/resources/pages/deployment-2012-02-25-en I randomly picked one in Europe joker.com. They seem to support

Re: [swinog] nic.ch no NS

2014-05-07 Threads Daniel Stirnimann
nic.ch is in the ch zone itself. So it's not a zone of its own. You will find it in whois so that people see that it's not available anymore. btw. SOA record reveals that: dig nic.ch soa ; <<>> DiG 9.8.5-P1 <<>> nic.ch soa ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: