What Vláďa said - implementing RRL (e.g. returning an empty answer with the TC bit),
requiring DNS COOKIE or perhaps at least just generating SERVFAIL would be a much
better option.
Giving back NXDOMAIN is … misunderstanding DNS at best.
Ondrej
--
Ondřej Surý (He/Him)
> On 3. 4. 2025, at 15:57, Vladi
Could this be Chromium?
https://blog.verisign.com/domain-names/chromiums-impact-on-root-dns-traffic/
--
Ondřej Surý (He/Him)
ond...@sury.org
> On 15. 3. 2025, at 18:12, Hans Mayer via dns-operations
> wrote:
>
>
> From: Hans Mayer
> Subject: random queries
> Date: 15 M
security of DNS
as the report rarely comes with a proposed fix.
Ondrej
--
Ondřej Surý (He/Him)
> On 29. 5. 2024, at 12:02, jab...@strandkip.nl wrote:
>
> On May 29, 2024, at 01:51, Geoff Huston wrote:
>
>> I tried to point out to the folk on the keytrap bandwagon that the
already mitigates the attack to a level that’s just enough. And that’s
described in length in the mentioned blogpost by Nicki.
I don’t know why you are trying to create a rift where there’s really none.
Ondřej
--
Ondřej Surý (He/Him)
> On 27. 5. 2024, at 17:12, Stephane Bortzmeyer wr
Both salt and iterations have absolutely no value for NSEC3 security (see the
RFC you just quoted), so just always use empty salt and zero iterations.
There’s no added value in fiddling with salt to fit into the SHA1 block.
Ondrej
--
Ondřej Surý (He/Him)
> On 27. 3. 2024, at 20:17, Matt
; SHA-1 input blocks).
Amen to that!
Ondřej
--
Ondřej Surý (He/Him)
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
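To make the salt/iterations point above concrete, here is the RFC 5155 NSEC3 hash written out in Python, together with the attacker's side of it. This is an added example, not code from the thread or from BIND, Knot or any other implementation. It uses the parameters from RFC 5155 Appendix A (SHA-1, 12 iterations, salt aabbccdd); the zone name, wordlist and "observed" hashed owner names in the demo are constructed for illustration. Because salt and iteration count are published in NSEC3PARAM, the attacker runs exactly the same computation as the signer, which is why an empty salt and zero iterations (also the RFC 9276 recommendation) lose nothing.

```python
"""NSEC3 owner-name hashing as specified in RFC 5155, section 5.

Added example; not code from the thread or from BIND, Knot or any other
implementation. It shows why salt and iteration count add no secrecy:
both are published in the zone's NSEC3PARAM record, so an attacker
hashing a wordlist runs exactly the same computation the signer did.
"""
import hashlib


def base32hex(data: bytes) -> str:
    """RFC 4648 base32 with the extended-hex alphabet, lowercase and
    unpadded, which is the encoding NSEC3 owner names use."""
    alphabet = "0123456789abcdefghijklmnopqrstuv"
    nchars = (len(data) * 8 + 4) // 5
    bits = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)
    return "".join(alphabet[(bits >> (5 * (nchars - 1 - i))) & 31]
                   for i in range(nchars))


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each
    length-prefixed, terminated by the empty root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> str:
    """IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt).
    Only SHA-1 (hash algorithm 1) is defined for NSEC3. With an empty salt
    and zero iterations this is simply SHA-1 over the wire-format name.
    Every extra iteration costs one more SHA-1 for signer, validator and
    attacker alike; none of them gains anything from it."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def dictionary_attack(zone, hashed_owners, wordlist, salt, iterations):
    """Attacker side. Reads salt/iterations from the published NSEC3PARAM,
    hashes each guessed label under them and matches against the hashed
    owner names collected from the zone's NSEC3 records. The salt only
    stops one table being reused across zones that share parameters; it
    does not slow the attack on the zone itself at all."""
    table = {nsec3_hash(f"{w}.{zone}", salt, iterations): w for w in wordlist}
    return {h: table[h] for h in hashed_owners if h in table}


if __name__ == "__main__":
    # RFC 5155 Appendix A parameters: algorithm 1, 12 iterations, salt aabbccdd
    salt, iterations = bytes.fromhex("aabbccdd"), 12
    print(nsec3_hash("example.", salt, iterations))   # 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
    # Constructed data: hashed names an attacker would collect by walking the chain
    seen = [nsec3_hash(n, salt, iterations) for n in ("a.example", "ns1.example")]
    print(dictionary_attack("example", seen, ["www", "a", "mail", "ns1"], salt, iterations))
    print(nsec3_hash("a.example"))   # empty salt, 0 iterations: plain SHA-1 in base32hex
```

Run it as a script to see the RFC 5155 test vector reproduced and the constructed wordlist recovering both "seen" names under the zone's own salt; the work per guess is identical with or without a salt, and a higher iteration count only multiplies the cost for everyone.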
transparent?
- (bonus) Are the product developers involved in the DNS community? Are they
involved in the protocol development?
And FFS never ever ask Large Language Models (ChatGPT) if you want to know
truth. There are no shortcuts to knowledge.
Cheers,
Ondřej (with my ISC BIND 9 hat)
--
Ondřej
EY is not
from time to time, but it's not 100% reliable, so I suspect a "load-balancer"
is in play.
And ns2ke.dns.business is not responding to any queries.
Ondřej
--
Ondřej Surý (He/Him)
ond...@sury.org
Hey Jack,
this is most likely an outdated version of dig. The query over TCP works fine with
the latest supported versions of BIND 9.
What version of dig are you running and where did you get it?
Ondřej
--
Ondřej Surý (He/Him)
ond...@sury.org
> On 21. 8. 2023, at 16:56, Jacques Latour via
Thanks Mark for the clarification.
I just hate adding new knobs and exceptions in a scramble mode. If the knob is
already there then it’s already there.
There’s already too many knobs in DNS and we all know that.
--
Ondřej Surý (He/Him)
> On 19. 7. 2023, at 0:43, Mark Andrews wr
in so so so far future) and it doesn’t require any change in the protocol.
Ondrej
--
Ondřej Surý (He/Him)
> On 18. 7. 2023, at 21:39, Viktor Dukhovni wrote:
>
> On Tue, Jul 18, 2023 at 08:54:04PM +0200, Ondřej Surý wrote:
>
>> With my implementor’s hat on, I think this is
the original
incident, but now every resolver has to have it because people want it.
And operationally, it will just paper over the issue, which might then go
unnoticed for a longer period of time rather than being fixed right away.
Ondrej
--
Ondřej Surý (He/Him)
> On 18. 7. 2023, at 20
g process.
Theoretically, as long as there is at least one working IP address in the
root.hints, any sane resolver should be able to recover and start using the
current IP address set of all the root servers. It just might take a while…
Ondrej
--
Ondřej Surý (He/Him)
What would really help here is (continuously) sharing the list of problematic
domains. That would really help the DNS community: we could talk to the people
running these services, and prepare the configuration with exceptions for
popular open-source implementations.
Ondřej
--
Ondřej Surý (He
implementations just
didn’t have enough differences between them because they adhered to standards
that fpdns just could not tell the difference.
Cheers,
--
Ondřej Surý (He/Him)
> On 30. 7. 2022, at 19:37, Puneet Sood wrote:
>
>
>
>
>> On Sat, Jul 30, 2022 at 10:26 AM
I am betting on “load balancers”…
--
Ondřej Surý (He/Him)
> On 30. 7. 2022, at 16:39, Dave Lawrence wrote:
>
> Greg Choules via dns-operations writes:
>> I am including in this mail the RNAME from the SOA (same for both
>> zones) in the hope that someone who is respon
reached end-of-life, so you should be really asking the vendor who provided
you with the package. Or upgrade to a supported version of BIND 9 - at least
the latest 9.16 version and preferably latest 9.18 release.
Ondrej
--
Ondřej Surý (He/Him)
> On 26. 5. 2022, at 22:56, Wes Hardaker wr
I’m with Viktor on this one. Disabling RSASHA1 signing in DNS software would be
perfectly fine, crippling the validation is counterproductive and actively
harmful.
Ondřej
--
Ondřej Surý (He/Him)
> On 13. 4. 2022, at 20:10, Viktor Dukhovni wrote:
>
> On Wed, Apr 13, 2022 at 0
DNSCurve on Haiku
DNSSEC
See this list of DNSSEC Outages
Ondřej
--
Ondřej Surý (He/Him)
> On 12. 4. 2022, at 3:39, Paul Wouters wrote:
>
> On Mon, 28 Mar 2022, Warren Kumari wrote:
>
>> This is now at least listed on the Ianix website
>> (https://ianix.com/pub/dnssec-outages
> On 10. 2. 2022, at 17:55, Subramanian, Karthikeyan via dns-operations
> wrote:
>
> Records are not vulnerable or any Stale record.
That doesn’t make any sense on the DNS layer. All the stuff you mentioned is
in the upper layers of the stack.
Ondrej
--
Ondřej Surý
Yes, the non-signing KSK could be offline disaster recovery key. There’s
nothing wrong with having more keys in the DS than are used, because the change process
for DS is more complicated than swapping the active key in the zone.
Ondřej
--
Ondřej Surý (He/Him)
> On 14. 1. 2022, at 11:31, Matt
.
Perhaps somebody here has better contact?
Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org
right now?
- is anybody planning to gather the data before the next RZ KSK rollover?
Thanks,
Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org
setting the DF bit right now, so I am interested in whether
you have numbers (or could measure them) on what the impact would be
if both parties (client and server) also set the DF bit on outgoing packets, and what
the increased drop rate would be?
Ondrej
--
Ondřej Surý (He/Him)
ond...@sury.org
> On 9.
beneficial for the DNS ecosystem.
Sending multiple shouts to mailing lists, issue tracker, etc... because you
have different opinion is not helpful to the DNS community nor to the cause. We
are as much DNS experts as you are.
Ondřej
--
Ondřej Surý (He/Him)
> On 11. 9. 2020, at 4:42, Paul Vi
should be, but I would suggest to
just go with what has been provided now and evaluate the choice after we all
have experience using Mattermost for a while.
Ondřej
--
Ondřej Surý (He/Him)
> On 25. 8. 2020, at 17:12, Warren Kumari wrote:
>
> On Tue, Aug 25, 2020 at 10:44 AM Ondřej Su
ice
of tools by the OARC team, so we should not start doing so now. This
is a rathole that nobody really wants to go in.
Ondrej
--
Ondřej Surý (He/Him)
ond...@sury.org
.
Ondrej
--
Ondřej Surý (He/Him)
ond...@sury.org
> On 25. 8. 2020, at 8:19, Doug Barton wrote:
>
> Is this something that OARC is operating and maintaining, or is it something
> that you're acting as a conduit for? The former would be included in my
> definition of "rol
channels when working on Internet Drafts.
Internally, the various OARC teams, program committee and board use the
platform to talk to each other.
It’s not required to use the chat platform, but it certainly has its use.
Ondrej
--
Ondřej Surý (He/Him)
> On 25. 8. 2020, at 4:59, Fred Mor
(like Slack) can’t
offer. Mattermost is a solid competitor on the market and I am glad that OARC
moved away from Jabber both as a board member and OARC member.
Ondrej
--
Ondřej Surý (He/Him)
> On 25. 8. 2020, at 1:43, Doug Barton wrote:
>
> On 8/20/20 1:54 PM, Matthew Pouns
Most probably it is the load-balancer. I’ve seen this before.
Ondřej
--
Ondřej Surý
> On 30 May 2020, at 21:09, dagon wrote:
>
> How can you even load
> such a zone in a modern authority server? All modern auth
> servers would
Hi Tessa,
welcome to the wonderful world of DNS and to this mailing list.
No, the `A` rrtype query is specifically for IPv4 addresses. The IPv6 addresses
are stored in `AAAA` rrtype records.
When the `AAAA` rrtype does not exist, but the other rrtypes do exist, the
answer is NOERROR + SOA record.
This i
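The reply types discussed in this thread (NOERROR + SOA for a missing AAAA, and, in the 2025 message on random queries, NXDOMAIN versus an RRL "slip" with TC=1 versus SERVFAIL) are easiest to see on the wire. Here is a small Python builder and classifier for them; it is an added example, not code from the thread, from BIND or from any resolver, and it does not implement RRL's rate accounting, only the shape of the replies. The example.com. zone, its SOA values and the query names are constructed for the demo.

```python
"""Minimal DNS wire-format builder and reply classifier (RFC 1035 layout).

Added example; not code from the thread, BIND or any resolver. It builds
the four replies the thread contrasts and shows how a resolver tells them
apart: NXDOMAIN (name does not exist), NODATA (NOERROR, empty answer, SOA
in AUTHORITY: the name exists but has no RRset of that type, the A/AAAA
case), an RRL "slip" (empty reply with TC=1, so a real client retries over
TCP while a spoofed victim gets only a tiny packet) and SERVFAIL.
"""
import struct

RCODE = {"NOERROR": 0, "SERVFAIL": 2, "NXDOMAIN": 3}
TYPE_A, TYPE_SOA, TYPE_AAAA = 1, 6, 28
CLASS_IN = 1
FLAG_QR, FLAG_AA, FLAG_TC = 0x8000, 0x0400, 0x0200


def encode_name(name):
    """Wire form of a name: length-prefixed labels, terminated by the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a name at msg[off], following compression pointers.
    Returns (dotted name, offset just past the name in the message)."""
    labels, jumped, end = [], False, off
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            return ".".join(labels) + ".", end
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def build_response(qname, qtype, rcode, tc=False, soa=None, txid=0x1234):
    """Header + echoed question; optionally one SOA in AUTHORITY.
    soa = (zone, mname, rname, serial, refresh, retry, expire, minimum)."""
    flags = FLAG_QR | FLAG_AA | (FLAG_TC if tc else 0) | RCODE[rcode]
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 1 if soa else 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    if soa:
        zone, mname, rname, *nums = soa          # nums: serial .. minimum
        rdata = encode_name(mname) + encode_name(rname) + struct.pack("!IIIII", *nums)
        # RFC 2308: a negative answer is cached for at most the SOA MINIMUM
        msg += encode_name(zone) + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, nums[-1], len(rdata)) + rdata
    return msg


def classify_response(msg):
    """Resolver side: 'TRUNCATED', 'SERVFAIL', 'NXDOMAIN', 'NODATA', 'EMPTY' or 'ANSWER'."""
    _, flags, qd, an, ns, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0xF
    if flags & FLAG_TC and an == 0:
        return "TRUNCATED"                          # RRL slip: retry over TCP
    if rcode == RCODE["SERVFAIL"]:
        return "SERVFAIL"                           # declined; not a negative answer
    if rcode == RCODE["NXDOMAIN"]:
        return "NXDOMAIN"                           # the name does not exist
    if rcode == RCODE["NOERROR"] and an == 0:
        off = 12
        for _ in range(qd):                         # skip the question section
            off = decode_name(msg, off)[1] + 4
        for _ in range(ns):                         # SOA in AUTHORITY => NODATA
            off = decode_name(msg, off)[1]
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            if rtype == TYPE_SOA:
                return "NODATA"
            off += 10 + rdlen
        return "EMPTY"                              # e.g. a referral
    return "ANSWER"


if __name__ == "__main__":
    soa = ("example.com.", "ns1.example.com.", "hostmaster.example.com.",
           2024010101, 3600, 900, 1209600, 300)     # constructed zone data
    for label, msg in [
        ("NODATA", build_response("www.example.com.", TYPE_AAAA, "NOERROR", soa=soa)),
        ("NXDOMAIN", build_response("zq1x.example.com.", TYPE_A, "NXDOMAIN", soa=soa)),
        ("RRL slip", build_response("zq1x.example.com.", TYPE_A, "NOERROR", tc=True)),
        ("SERVFAIL", build_response("zq1x.example.com.", TYPE_A, "SERVFAIL")),
    ]:
        print(f"{label:9s} {len(msg):3d} bytes -> {classify_response(msg)}")
```

Running the script shows why the slip is attractive against spoofed junk queries: the TC=1 reply is just the 12-byte header plus the echoed question, smaller than the query with an OPT record, whereas an NXDOMAIN or NODATA reply carries an SOA and is cached as a negative answer by every resolver that receives it.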
Hi,
the DNS Flag Days initiative focuses on protocol issues, and neither forward nor
reverse zones are in its focus.
If you have anything specific you could bring this up here. How is the .arpa
neglected?
Ondrej
--
Ondřej Surý
> On 14 Feb 2020, at 18:22, Pirawat WATANAPONGSE wr
> On 28 Nov 2019, at 08:09, Florian Weimer wrote:
>
> * Ondřej Surý:
>
>>> On 27 Nov 2019, at 23:08, Florian Weimer wrote:
>>> * Mark Allman:
>>>
>>>> Let me try to get away from what is or is not "big" and ask two
>>&
> On 27 Nov 2019, at 23:08, Florian Weimer wrote:
>
> What's the change rate for the root zone?
https://twitter.com/diffroot
O.
--
Ondřej Surý
ond...@sury.org
there is getting better, we will still be stuck with an old codebase for the foreseeable future
What we can do is to make the load on RZ servers lighter, but we can’t make
them just go.
Ondrej
--
Ondřej Surý
ond...@sury.org
> On 26 Nov 2019, at 14:41, Mark Allman wrote:
>
>
> Let m
the TCP.
Personally, I propose to set the date to 31. October 2020, but I would like
to hear other people’s opinions.
It’s fine to discuss here, but ultimately, your opinion should be recorded
in aforementioned issue for a permanent record.
Thanks,
Ondrej
--
Ondřej Surý
ond...@sury.org
To all prospective users of DoT and DoH:
Please consider funding the development work for your favourite open-source
DNS server. :)
No really, this is going to take a significant amount of development time to do it
properly (and not just slap something on top of existing DNS), so please tal
ponse rate while the
server is updating the records in the zone?
Cheers,
Ondrej
--
Ondřej Surý -- Chief Science Officer
---
CZ.NIC, z.s.p.o.--Laboratoře CZ.NIC
Americka 23, 120 00 Praha 2, Czech Republic
mailto:ondrej.s...@nic.czhttp://n
Just a short notice - RFCs 882 and 883 were published in November 1983,
so we are celebrating 30 years of DNS this November.
O.
P.S.: I would be interested if anybody can dig up the exact date when the first
DNS RFCs were published.
--
Ondřej Surý -- Chief Science Officer
e.g. 26 occurrences.
I think it should be quite safe to cap the maximum EDNS0 to 1280 (the minimum
IPv6 MTU) and set the DF flag in all responses. What do you think?
JFTR, for a cap of 1400 this would hit 359 queries. (Still a very small number.)
O.
--
Ondřej Surý -- Chief Science Officer
rewrite
RCODE in the packet).
O.
On 4. 9. 2013, at 15:08, Ondřej Surý wrote:
> Hi all,
>
> for all those who haven't been on saag WG at IETF 88...
>
> Amir Herzberg and Haya Shulman have presented a quite interesting attack on
> UDP fragmentation that allows Kaminsky-s
On 4. 9. 2013, at 16:33, Stephane Bortzmeyer wrote:
> On Wed, Sep 04, 2013 at 04:04:13PM +0200,
> Ondřej Surý wrote
> a message of 93 lines which said:
>
>>> Isn't is a good idea to limit the maximum size of the response,
>>> like .com/.net (and may be ot
> On 4. 9. 2013, at 16:50, Jim Reid wrote:
>
> On 4 Sep 2013, at 15:40, Ondřej Surý wrote:
>
>>> Check also ICMP "packet too big" coming in with ridiculous sizes, they
>>> might be the sign that someone is trying the Shulman attack.
>>
>>
> Check also ICMP "packet too big" coming in with ridiculous sizes, they
> might be the sign that someone is trying the Shulman attack.
JFTR It's one ICMP packet per the fragmentation cache timeout and the unique
destination IP.
I wish we had found out some way to enforce BCP38 before spoofing
BTW just to complete my question in first email - is there a agreement that
this is serious and needs to be addressed?
I am still wondering why this has slipped under the radar for so long (the
original paper was published last year).
Ondřej Surý
> On 4. 9. 2013, at 15:47, Steph
om badly managed transfers,
and that set of workarounds fixed most of it.
So our view is that it's more an operational problem on the parent side than on
resolver side.
O.
--
Ondřej Surý -- Chief Science Officer
---
CZ.NIC, z.s.p.o.--Laboratoř
On 4. 9. 2013, at 15:47, Stephane Bortzmeyer wrote:
> On Wed, Sep 04, 2013 at 03:08:55PM +0200,
> Ondřej Surý wrote
> a message of 81 lines which said:
>
>> So what are the views of other people on this list?
>
> [Total noob just going back from holidays and therefo
On 4. 9. 2013, at 16:11, Jim Reid wrote:
>
> On 4 Sep 2013, at 15:04, Ondřej Surý wrote:
>
>>> A possible solution is simply to deploy IPv6 faster :-)
>
>> Yeah :), but what should we do in the eternity meanwhile?
>
> Don't fragment at all, set TC=1
ar?hl=en&q=Amir+Herzberg%2C+Haya+Shulman+++dnssec&btnG=&as_sdt=1%2C5&as_sdtp=
We gave it some thoughts here at CZ.NIC Labs and we think that the threat is
real and we are now trying to write a PoC code to prove the theoretical concept.
So what are the views of other people on this lis
), you can reply to this email
(the Reply-To is set to knot-dns-us...@lists.nic.cz), or just send the feedback
back to me.
Thank you very much,
Ondrej
--
Ondřej Surý -- Chief Science Officer
---
CZ.NIC, z.s.p.o.--Laboratoře CZ.NIC
Americka 23, 120
>
> On 10/14/12 3:10 PM, Ondřej Surý wrote:
>> Just a question - would anyone be interested in joining a project to
>> build an OpenHardware FPGA-based HSM with focus on DNSSEC?
>>
>> O.
>>
>> On 16. 8. 2012, at 2:24, George Michaelson
>>
Here's the paper Dave mentioned (if you are interested):
http://www.caida.org/publications/papers/2003/dnsspectroscopy/dnsspectroscopy.pdf
And thanks for the feedback,
--
Ondřej Surý -- Chief Science Officer
---
CZ.NIC, z.s.p.o.--Labor
--
Ondřej Surý -- Chief Science Officer
---
invest in that, they will not magically
appear out of thin air.
O.
--
Ondřej Surý -- Chief Science Officer
---
CZ.NIC, z.s.p.o.--Laboratoře CZ.NIC
Americka 23, 120 00 Praha 2, Czech Republic
mailto:ondrej.s...@nic.cz
merged back upstream soon, which can understand
and filter EDNS0 packets[2][*].
1. http://software.klolik.org/xt_dns/
2. https://github.com/oskar456/xt_dns
* - You won't believe that, but this fork was made by 'Ondrej'
not related to any other Ondrej you might already know:)
es in their respective registry
> configuration panel (which also enables the DNSSEC EPP extensions for their
> provisioning account)
Roughly same here at .CZ:
http://www.nic.cz/whois/registrars/list/1/
O.
--
Ondřej Surý -- Chief Science Officer
---
C
.
O.
On 13. 4. 2012, at 15:13, Ondřej Surý wrote:
> Hi all,
>
> as you might (or might not) know we now have our own authoritative
> DNS server implementation - Knot DNS.
>
> We often need to have nice graphs in slides, so we do performance
> benchmarks of our DNS server an
As I know that DNS-OARC lacks resources, I propose that we start
by preparing some kickstart document and then make this as a collaborative
effort to prepare methodology which would be objective.
Thoughts?
O.
--
Ondřej Surý
Head of Research / Head of R&D department
--