Re: Registrar that supports self-run domains and provides DNSSEC support

2013-02-19 Thread Doug Barton

GoDaddy supports everything you're looking for.

Doug
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Difference between multiple NS and NS having multiple A

2013-02-19 Thread Shane Kerr
Mark & Alexander,

On Monday, 2013-02-18 08:43:32 +1100, 
Mark Andrews  wrote:
> 
> In message
>  ,
> Alexander Gurvitz writes:
> > Is there any practical difference between the following two:
> > 
> > 1.
> > example.com. NS ns1.example.com.
> > example.com. NS ns2.example.com.
> > ns1.example.com. A 1.1.1.1
> > ns2.example.com. A 1.1.1.2
> > 
> > 2.
> > example.com. NS ns.example.com.
> > ns.example.com. A 1.1.1.1
> > ns.example.com. A 1.1.1.2
> 
> Yes.  It makes fault isolation harder.

I don't see much difference in the examples that Alexander submitted,
except resolvers tracking the TTL of each name server separately. So,
in the second case we may have the TTL of ns.example.com time out and
both 1.1.1.1 and 1.1.1.2 are no longer usable for example.com at the
same time.

I think this is better demonstrated by a setup something like this:

ns1.example.com. A 1.1.1.1
ns2.example.net. A 1.1.1.2

Versus:

ns1.example.com. A 1.1.1.1
 A 1.1.1.2

In the first case, since you're using different domains, you could get
some fault isolation.

> > Is there any possible difference in the resolvers behavior ?
> > How bind9(10?) threats that ?
> > 
> > If someone knows about not-bind DNS resolvers I'd be happy to know
> > that too.
> > 
> > Reason: We run a public DNS hosting. I think it would be more
> > user-friendly if once we add more nameservers, we would just add
> > them as A records under the same ns1/ns2, instead of advising each
> > user to add ns3..nsX to their parent zones.

This actually makes sense. Having to work with the parent can indeed
be a pain. (I recently renumbered at home and had to change NS RRSET
and glue with 3 different registrars... it must be horrible in any real
production environment.)

My own take on it would be that any extra redundancy beyond the normal
2 domain names is unlikely to outweigh the administrative hassle. So, I
think Alexander's approach makes sense. :)

> Add some AAAA address as well.

Speaking of AAAA addresses, in the interests of fault isolation, it
would seem to make sense to use different names for IPv6 servers:

   ns1.example.com. A 1.1.1.1
   ns2.example.net. A 1.1.1.2
   ns3.example.org. AAAA 1:2:3:4::1
   ns4.example.nl.  AAAA 1:2:3:5::1

Cheers,

--
Shane
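The two layouts from the question and Shane's spread-out variant, run through a small checker. This is an added example, not code from the original post: it parses a few zone-file style lines (constructed sample data) and reports which name servers share one owner name, so that a single cached name's TTL lapse takes every address with it, and how many distinct registered domains the NS set spans. The `registered_domain` helper simply takes the last two labels, which is an assumption that holds for the names used here but not in general.

```python
"""Fault-isolation check for a delegation's NS set.

Added example for the NS-versus-multiple-A discussion; not code from the
original post.  Records are given in a minimal zone-file style
('owner TYPE rdata', a leading space repeats the previous owner) and are
constructed sample data.
"""
from collections import defaultdict

# Case 1 from the question: two NS names, one address each.
TWO_NAMES = """example.com. NS ns1.example.com.
example.com. NS ns2.example.com.
ns1.example.com. A 1.1.1.1
ns2.example.com. A 1.1.1.2
"""

# Case 2 from the question: one NS name carrying both addresses.
ONE_NAME = """example.com. NS ns.example.com.
ns.example.com. A 1.1.1.1
 A 1.1.1.2
"""

# Shane's spread-out layout, with the NS records that would point at those names.
SPREAD = """example.com. NS ns1.example.com.
example.com. NS ns2.example.net.
example.com. NS ns3.example.org.
example.com. NS ns4.example.nl.
ns1.example.com. A 1.1.1.1
ns2.example.net. A 1.1.1.2
ns3.example.org. AAAA 1:2:3:4::1
ns4.example.nl. AAAA 1:2:3:5::1
"""


def parse_records(text):
    """Return (owner, type, rdata) triples; owner names are lower-cased."""
    records, owner = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        if line[0].isspace():            # continuation line: same owner as before
            if owner is None:
                raise ValueError("continuation line before any owner: %r" % line)
            rtype, rdata = fields
        else:
            owner, rtype, rdata = fields
        records.append((owner.lower(), rtype.upper(), rdata))
    return records


def registered_domain(name):
    """Last two labels of a name (example.com, example.net).  Assumption: fine for
    the two-label suffixes used here; real code would consult the public suffix list."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def isolation_report(text, zone):
    """Summarise how the NS set for `zone` spreads its failure domains."""
    records = parse_records(text)
    zone = zone.lower()
    ns_names = [rdata.lower() for owner, rtype, rdata in records
                if owner == zone and rtype == "NS"]
    addresses = defaultdict(list)
    for owner, rtype, rdata in records:
        if rtype in ("A", "AAAA") and owner in ns_names:
            addresses[owner].append(rdata)
    return {
        "ns_names": ns_names,
        "addresses": dict(addresses),
        # One cached name whose TTL lapse takes every address with it.
        "multi_homed": [n for n, addrs in addresses.items() if len(addrs) > 1],
        # Distinct registered domains: how many parent-side failures it takes
        # (lame delegation, expired registration, DNSSEC breakage) to lose all NS.
        "distinct_domains": len({registered_domain(n) for n in ns_names}),
    }


if __name__ == "__main__":
    for label, sample in (("two names", TWO_NAMES), ("one name", ONE_NAME), ("spread", SPREAD)):
        print(label, isolation_report(sample, "example.com."))
```

For the one-name case the report lists `ns.example.com.` as multi-homed and a single registered domain; the spread layout gives four distinct domains, which is the fault isolation Shane is after.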


Re: Registrar that supports self-run domains and provides DNSSEC support

2013-02-19 Thread Tony Finch
On 19 Feb 2013, at 08:06, Doug Barton  wrote:

> GoDaddy supports everything you're looking for.

Though you might prefer to use a less repulsive provider.

http://kottke.org/11/12/the-internets-go-daddy-issues

Tony.
--
f.anthony.n.finch  http://dotat.at/


Re: newstats XSL broken?

2013-02-19 Thread Jan-Piet Mens
Shane,

> Yes, we had discovered and fixed this in the master branch (patch
> attached). Apologies for the brokenness! 

I've applied that, and it does indeed look better, but not good enough :)
See screen shot [1]. No worries, though: I'll wait until you release
(and I'm more looking forward to your implementing the JSON suggestion I
sent over... ;-)

Regards,

-JP

[1] http://d.pr/i/MVo1


Re: broken ISP in china

2013-02-19 Thread G.W. Haywood

Hi there,

On Mon, 18 Feb 2013, Vernon Schryver wrote:

> ...
>
> Recently I moved this domain (lcrcomputer.net) to a registrar that
> supports DNSSEC and inserted the DS record for this domain.  I checked
> DNSSEC via http://dnsviz.net and
> http://dnssec-debugger.verisignlabs.com.  Both show DNSSEC is working
> just fine for lcrcomputer.net.
>
> However, shortly after that one of my customers stopped receiving email
> from one of their clients in China.  They just brought that to my
> attention and I tried to email the client in China and got this back:
>
> For  , Site
> (x.com.cn/) said: 559 sorry , your helo/ehlo and
> domain in mail are invalid, you don't connect from there. (#5.5.9)


This looks like an SPF issue.  It isn't possible to say for sure as
you've removed the information that's needed.

Your SPF record needs to be fixed anyway.  Remove at least "mx" and
"ptr" and preferably "a" as well so that there are no unnecessary DNS
lookups when your SPF record is checked.  Ideally a recipient server
needs only to know that the IP of the mail server sending the mail is
permitted to send mail on behalf of the domain to which the sending
server claims to belong.  This is a very efficient means of detecting
mail forgery -- if only it is used correctly.

On Mon, 18 Feb 2013, Vernon Schryver wrote:

> I've not tried p=none, but recent experiments with
>   300  TXT  "v=spf1 mx -all"


Don't use 'mx' in SPF records.

I do have experience of having a domain name used in forged mail, and I
can guarantee that you don't want the same experience.  Other than that
I'll avoid being drawn into an off-topic debate on the value of SPF.

--

73,
Ged.
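A small audit of the point Ged makes above, as an added example rather than his code: it parses an SPF TXT record, lists the terms that force the receiving server to do further DNS lookups (the set of such terms and the limit of ten per evaluation come from RFC 7208 section 4.6.4), and builds the lookup-free equivalent from the sending hosts' addresses. The sample records and addresses are constructed.

```python
"""Audit an SPF record for lookup-causing terms and build a literal replacement.

Added example for the SPF advice in the thread; not the poster's code.
Sample records below are constructed.
"""
import ipaddress
import re

# RFC 7208 section 4.6.4: each of these counts against the 10-lookup limit.
LOOKUP_TERMS = {"a", "mx", "ptr", "include", "exists", "redirect"}
LOOKUP_LIMIT = 10
_TERM = re.compile(r"^([+\-~?]?)([a-z0-9]+)([:=/].*)?$", re.I)


def parse_spf(txt):
    """Split an SPF record into (qualifier, name, raw argument) triples."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % txt)
    terms = []
    for tok in parts[1:]:
        m = _TERM.match(tok)
        if not m:
            raise ValueError("unparseable SPF term: %r" % tok)
        terms.append((m.group(1) or "+", m.group(2).lower(), m.group(3)))
    return terms


def lookup_terms(txt):
    """Terms that cost the verifier a DNS lookup at evaluation time."""
    return [t for t in parse_spf(txt) if t[1] in LOOKUP_TERMS]


def audit(txt):
    """Findings for a record; an empty list means nothing to fix."""
    terms = parse_spf(txt)
    costly = [t for t in terms if t[1] in LOOKUP_TERMS]
    names = {t[1] for t in costly}
    findings = []
    if len(costly) > LOOKUP_LIMIT:
        findings.append("exceeds the %d-lookup limit: verifiers return permerror" % LOOKUP_LIMIT)
    if "ptr" in names:
        findings.append("ptr: slow, unreliable, and discouraged by RFC 7208")
    if "mx" in names:
        findings.append("mx: extra MX and address lookups on every check")
    if "a" in names:
        findings.append("a: extra address lookup on every check")
    if not any(t[1] == "all" for t in terms):
        findings.append("no 'all' term: unlisted senders get a neutral result")
    return findings


def literal_record(sender_ips):
    """Build an SPF record needing no further lookups from the hosts that send mail."""
    out = []
    for ip in sender_ips:
        net = ipaddress.ip_network(ip, strict=False)
        tag = "ip4" if net.version == 4 else "ip6"
        cidr = "" if net.prefixlen == net.max_prefixlen else "/%d" % net.prefixlen
        out.append("%s:%s%s" % (tag, net.network_address, cidr))
    return "v=spf1 " + " ".join(out) + " -all"


if __name__ == "__main__":
    before = "v=spf1 a mx ptr -all"            # constructed: the shape Ged objects to
    print(before, "->", audit(before))
    # constructed sender addresses for the replacement record
    print(literal_record(["192.0.2.10", "2001:db8::/32"]))
```

The replacement record only states which addresses may send for the domain, which is the single fact Ged says a recipient needs; everything else is lookups the verifier has to do on the domain's behalf.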



Re: newstats XSL broken?

2013-02-19 Thread Evan Hunt
> I've applied that, and it does indeed look better, but not good enough :)
> See screen shot [1]. No worries, though: I'll wait until you release
> (and I'm more looking forward to your implementing the JSON suggestion I
> sent over... ;-)

That just means there's no data to graph yet. Send your server a few
queries and try it again.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


Re: broken ISP in china

2013-02-19 Thread Dave Warren

On 2/18/2013 23:20, Matus UHLAR - fantomas wrote:
> On 19.02.13 10:25, Noel Butler wrote:
>> One thing I need to point out, your SOA timings seem extreme...
>>
>> refresh 86400  drop that to 3h
>> retry 3600, drop to 900
>
> I don't see the reason for doing these, unless NOTIFY does not work,
> but in
> such case it's the NOTIFY that should be fixed...

I agree in principle. However, the costs of having a low refresh 
probably aren't that significant, whereas all it takes for a NOTIFY to 
get missed is a packet or three getting dropped, and having zones out of 
sync might be more significant.

Or, put another way, dropping REFRESH from 24 hours to 3 hours is what, 
an additional 8 DNS queries per zone, per secondary, per day? Unless 
your zones normally receive only a few hundred queries a day, these 
numbers are so trivial that they probably don't matter, whereas having 
your secondaries return out of date responses is potentially more annoying.

Retry too seems like a good candidate to keep very low since it only 
applies when there is a problem.

But in an ideal world, we've probably just spent more time talking about 
it than will result in any savings from tweaking these numbers.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



Re: broken ISP in china

2013-02-19 Thread Sten Carlsen
Just be sure that WHEN your master dies, the slaves will stay
authoritative for long enough that you can get the master up without
working night shift.

On 19/02/13 21:17, Dave Warren wrote:
> On 2/18/2013 23:20, Matus UHLAR - fantomas wrote:
>> On 19.02.13 10:25, Noel Butler wrote:
>>> One thing I need to point out, your SOA timings seem extreme...
>>>
>>> refresh 86400  drop that to 3h
>>> retry 3600, drop to 900
>>
>> I don't see the reason for doing these, unless NOTIFY does not work,
>> but in
>> such case it's the NOTIFY that should be fixed...
>
> I agree in principle. However, the costs of having a low refresh
> probably aren't that significant, whereas all it takes for a NOTIFY to
> get missed is a packet or three getting dropped, and having zones out
> of sync might be more significant.
>
> Or, put another way, dropping REFRESH from 24 hours to 3 hours is
> what, an additional 8 DNS queries per zone, per secondary, per day?
> Unless your zones normally receive only a few hundred queries a day,
> these numbers are so trivial that they probably don't matter, whereas
> having your secondaries return out of date responses is potentially
> more annoying.
>
> Retry too seems like a good candidate to keep very low since it only
> applies when there is a problem.
>
> But in an ideal world, we've probably just spent more time talking
> about it than will result in any savings from tweaking these numbers.
>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"
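The arithmetic behind Dave's refresh-cost estimate and Sten's "slaves stay authoritative long enough" point, as an added example that is not code from the thread. It parses SOA rdata with BIND-style suffixes (3h, 15m, 2w), computes the exact number of extra refresh polls per day from lowering refresh (seven for 24h to 3h; Dave's "8" is the rounded per-day poll count), and checks refresh, retry and expire against an outage budget. The thresholds in `check_timers` are assumptions drawn from common operational advice, not BIND's own behaviour, and the sample SOA is constructed.

```python
"""SOA timer arithmetic for the refresh/retry/expire discussion.

Added example, not code from the thread.  The thresholds in check_timers are
assumptions drawn from common operational advice, not BIND behaviour.
"""

DAY = 86400
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": DAY, "w": 7 * DAY}


def parse_ttl(text):
    """Parse a plain number of seconds or a BIND-style value such as 3h, 15m, 2w, 1d12h."""
    text = text.lower()
    if text.isdigit():
        return int(text)
    total, digits = 0, ""
    for ch in text:
        if ch.isdigit():
            digits += ch
        elif ch in _UNITS and digits:
            total += int(digits) * _UNITS[ch]
            digits = ""
        else:
            raise ValueError("bad TTL value: %r" % text)
    if digits:
        raise ValueError("trailing number without unit: %r" % text)
    return total


def parse_soa(rdata):
    """Split SOA rdata 'mname rname serial refresh retry expire minimum' into a dict."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError("SOA rdata needs 7 fields, got %d" % len(fields))
    return {
        "mname": fields[0], "rname": fields[1], "serial": int(fields[2]),
        "refresh": parse_ttl(fields[3]), "retry": parse_ttl(fields[4]),
        "expire": parse_ttl(fields[5]), "minimum": parse_ttl(fields[6]),
    }


def polls_per_day(refresh, secondaries=1):
    """SOA refresh queries per day generated by `secondaries` secondaries."""
    return secondaries * DAY / refresh


def extra_polls_per_day(old_refresh, new_refresh, secondaries=1):
    """Additional refresh queries per day after lowering refresh."""
    return polls_per_day(new_refresh, secondaries) - polls_per_day(old_refresh, secondaries)


def check_timers(refresh, retry, expire, outage_budget):
    """Findings (empty list = fine) for a refresh/retry/expire triple, where
    outage_budget is how long the master may stay down while secondaries
    must keep answering authoritatively."""
    findings = []
    if retry >= refresh:
        findings.append("retry (%d s) should be shorter than refresh (%d s)" % (retry, refresh))
    if expire <= refresh:
        findings.append("expire (%d s) is not longer than refresh: the zone can expire "
                        "before a secondary even attempts a refresh" % expire)
    if expire < outage_budget:
        findings.append("expire (%d s) is shorter than the outage budget (%d s): "
                        "secondaries would stop answering before the master is back"
                        % (expire, outage_budget))
    return findings


if __name__ == "__main__":
    # constructed SOA with the values Noel objected to
    soa = parse_soa("ns1.example.com. hostmaster.example.com. 2013021901 86400 3600 1209600 3600")
    print("extra polls/day for 24h -> 3h:", extra_polls_per_day(soa["refresh"], parse_ttl("3h")))
    print(check_timers(parse_ttl("3h"), parse_ttl("15m"), soa["expire"], outage_budget=3 * DAY))
```

Multiply the per-secondary figure by the number of secondaries and zones to get the real added load, which is the comparison Dave is making against normal query volume.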


Re: Registrar that supports self-run domains and provides DNSSEC support

2013-02-19 Thread Vernon Schryver
> From: Tony Finch 

> > GoDaddy supports everything you're looking for.
>
> Though you might prefer to use a less repulsive provider.
> http://kottke.org/11/12/the-internets-go-daddy-issues

Those issues seem at most secondary to the objections some people have
to how GoDaddy has dealt with the Internet and GoDaddy customers.
https://www.google.com/search?q=nodaddy.com
http://www.theregister.co.uk/2011/07/12/godaddy_shuts_down_nodaddy/

My experience wrestling the domains of relatives from GoDaddy was
not as bad as some of the stories, but it took more time, effort,
and sophistication than some people would care or be able to muster.
GoDaddy also likes to "up sell" many "protection" and other services
whose value I don't understand.  During our wrestling match, GoDaddy
started sending warnings that some sort of "mailbox" service would
not start without the replacement of an expired credit card.  The
credit card had been previously used for automatic renewal of the
domains.  I did not knowingly ask for the "mailbox" service, but
maybe I clicked the wrong link on a web page.

About 8 years ago I got stupid spam from GoDaddy's QuickSizzle bulk
mail advertising service.  Network Solutions is the only other major
registrar that won an entry in my personal email blacklist.  Network
Solutions was more persistent about trying to send me unsolicited
advertising, but it was always for Network Solutions instead of
random Internet entrepreneurs like GoDaddy's QuickSizzle service.
Never mind the spam support charges; half a decade is long enough
to want to forget the less clear cut issues.
https://www.google.com/search?q=godaddy+quicksizzle

It was not hard to escape Network Solutions when I did it.  (I didn't
choose Network Solutions after SRI; I think that was the DoC.)

I cannot recommend the registrar reseller or the wholesaler that I've
used since NetSol to anyone who cares about IPv6 glue or DNSSEC.  They
couldn't handle my DS RRs in plain text mail (no MIME).  It wasn't
until I put the RRs on a private web page that they could cope.  I've
ducked IPv6 glue by using https://sns.isc.org/ for secondary DNS
services.  I'd recommend SNS@ISC, but you might think me insufficiently
disinterested.

There are registrars that people recommend generally and for IPv6
and DNSSEC, but I've not used them.  I could switch, but even when
the old registrar cooperates, switching costs some time and effort
and risks breakage.


Vernon Schryver    v...@rhyolite.com


Re: Registrar that supports self-run domains and provides DNSSEC support

2013-02-19 Thread Dave Warren

On 2/19/2013 16:30, Vernon Schryver wrote:
> My experience wrestling the domains of relatives from GoDaddy was
> not as bad as some of the stories, but it took more time, effort,
> and sophistication than some people would care or be able to muster.

They still use deceptive tricks to keep domains hostage. For example, 
when you change contact information they display a "Click here if you 
agree with our domain locking policy", which is actually optional, but 
if you enable it, the new owner of the domain is blocked from 
transferring it to any other provider for many weeks.

Such a joy when you're buying domains on behalf of a customer and can't 
actually finish the job for 2-3 months because the seller automatically 
clicked the "Yes, I agree" option.

> GoDaddy also likes to "up sell" many "protection" and other services
> whose value I don't understand.

GoDaddy wants your money. What more do you need to understand?

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



Re: Registrar that supports self-run domains and provides DNSSEC support

2013-02-19 Thread Doug Barton
I started to prepend my statement with "Some people don't like GoDaddy, 
but ..." and then decided I would hope that it wouldn't be necessary at 
this point. Since this is unarguably off-topic, I will try to be brief.


First, a certain percentage of all customer service interactions with 
every company are going to be bad. Since GoDaddy is the largest 
registrar, numerically there are going to be more people who have had 
bad experiences with them. Second, they are unashamedly capitalist. They 
do offer many upsells, _just like every other registrar_. (Note, I used 
to be in that business, we did the same thing at Yahoo!) You can argue 
that their interface is more misleading/aggressive than others, but what 
they do is not only not unique, it's the common case.


Third, I've done business with them for over 10 years, I have 
transferred at least dozens (probably more, but I'm not going to take 
the time to count) of domains in and out of GoDaddy for clients, family 
members, and myself. My experience has been uniformly positive. Finally, 
while Bob is no longer running GoDaddy day to day, he was an early 
supporter both of ICANN generally, and of cleaning up the registrar 
business specifically (which for those of you who weren't on line around 
the turn of the century, was an even dodgier, shadier place than it is now).


Finally, GoDaddy was also an early supporter of things like IPv6 and 
DNSSEC. My domains are all registered there, and the ones that aren't 
just redirects all have IPv6 glue and DS records.


A little more below ...

On 02/19/2013 04:30 PM, Vernon Schryver wrote:
> I wrote:
>> GoDaddy supports everything you're looking for.
>
> Those issues seem at most secondary to the objections some people have
> to how GoDaddy has dealt with the Internet and GoDaddy customers.
> https://www.google.com/search?q=nodaddy.com
> http://www.theregister.co.uk/2011/07/12/godaddy_shuts_down_nodaddy/


While I don't think anyone in the registrar business is blameless, it's 
worth looking at the source of a lot of those complaints, with an eye 
toward how many of them are generated by GoDaddy's competition. Not to 
mention the use of sensational-sounding accusations (Bob Parsons is an 
elephant killer!) which when examined more closely turn out to be 
completely without merit:


"Parsons has said he participated in the hunt because the elephants were 
a nuisance destroying crops the local population depended upon for 
sustenance and even threatening the lives of villagers.


Therefore, his hunt solved two problems, he suggested.

'First they have their crops,' he told ABC News Radio, 'and they get to 
eat the elephant.'"


http://abcnews.go.com/Business/daddy-ceo-bob-parsons-africa-elephant-hunt-video/story?id=13279206





Re: Registrar that supports self-run domains and provides DNSSEC support

2013-02-19 Thread Chuck Peters
Robert Moskowitz said:
> Delving further into my challenges.
> 
> But they don't seem to support DNSSEC protected domains, and even
> IPv6 glue records are special requests, it seems.

I would like to know how can I handle DNSSEC key rollovers without 
manually entering keys into one of those annoying web interfaces.  What 
methods do various registrars support?  Is it possible to submit the KSK 
directly to the root authority?  Does some standard RFC cover how 
registrars are supposed to support key rollovers?


Thanks,
Chuck








Re: newstats XSL broken?

2013-02-19 Thread Jan-Piet Mens
> That just means there's no data to graph yet. Send your server a few
> queries and try it again.

Duh. Didn't occur to me, because I was looking for the list of
authoritative zones served by named. 

Other than that, the output looks very sexy.

(Are people really interested in the 'Tasks' list? I think that's a lot
of data which could be omitted from the stats...)

-JP