Re: [dns-operations] Mozilla Firefox and ANY queries

- - ferg - -- Paul Ferguson VP Threat Intelligence, IID PGP Public Key ID: 0x54DC85B2 Key fingerprint: 19EC 2945 FEE8 D6C8 58A1 CE53 2896 AC75 54DC 85B2 "I am tormented with an everlasting itch for things remote. I love to sail forbidden seas." - Herman Melville -BEGIN PGP SI

Re: [dns-operations] Hearing first complains about failing internal resolving due to .prod TLD

ought to be able to see contrails >>> from gTLD collisions. >>> >>> if anybody has a proposal for a (not-for-fee) experiment, or >>> (not-for-fee) continuous monitoring, i'm all ears. >>> >>> vixie >> >> that offer is generally

Re: [dns-operations] Subverting BIND's SRTT Algorithm Derandomizing NS Selection

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 5/6/2014 11:05 AM, Evan Hunt wrote: > On Tue, May 06, 2014 at 10:56:03AM -0700, Paul Ferguson wrote: >> "ISC plans to address this deficiency by reimplementing the SRTT >> algorithm in future maintenance releases of the BIND

Re: [dns-operations] Subverting BIND's SRTT Algorithm Derandomizing NS Selection

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Hi Peter, On 5/6/2014 10:50 AM, Peter Losher wrote: > On 6 May 2014, at 9:09, Paul Ferguson wrote: > >> Can anyone from ISC (bind maintainer) comment on this >> vulnerability, especially regarding what versions are affected

[dns-operations] Subverting BIND's SRTT Algorithm Derandomizing NS Selection

same? http://thehackernews.com/2014/05/critical-vulnerability-in-bind-software.html Thanks, - - ferg - -- Paul Ferguson VP Threat Intelligence, IID PGP Public Key ID: 0x54DC85B2 -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.22 (MingW32) Comment: Using GnuPG with Thunderbird - http

[dns-operations] Subverting BIND's SRTT Algorithm Derandomizing NS Selection

same? http://thehackernews.com/2014/05/critical-vulnerability-in-bind-software.html Thanks, - - ferg - -- Paul Ferguson VP Threat Intelligence, IID PGP Public Key ID: 0x54DC85B2 -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.22 (MingW32) Comment: Using GnuPG with Thunderbird - http

Re: [dns-operations] Hijacking of Google Public DNS in Turkey documented

gt; why these two are spared.] > > > > ___ dns-operations > mailing list dns-operations@lists.dns-oarc.net > https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs > mailing list https://lists.dns-oarc.net/mailman/listinf

Re: [dns-operations] authority outage for ns[1-5].msft.net?

evelopment. Is there someone on list who can contact Microsoft? (Surely they know about this.) -- Paul Ferguson PGP Public Key ID: 0x63546533 ___ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/li

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

e they can be used to facilitate DNS amplification attacks. $.02, - - ferg -BEGIN PGP SIGNATURE- Version: PGP Desktop 10.2.0 (Build 2317) Charset: utf-8 wj8DBQFSXv3jq1pz9mNUZTMRAtqnAKCP+X8u6KY7bM8tcRbE4OqR3vdFSgCfUFsP lYcnCGhTPGDYZ2Z1atVB6/8= =VvXW -END PGP SIGNATURE- --

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

On 10/14/2013 12:43 PM, Suzanne Woolf wrote: I'm wondering what motivated the question, particularly in such a generic form. Maybe this? http://openresolverproject.org/ - ferg -- Paul Ferguson Vice President, Threat Intelligence Internet Identity, Tacoma, Washington USA IID -->

Re: [dns-operations] Should medium-sized companies run their own recursive resolver?

wo imaginary IT staff members could be setting themselves up for an embarrassing outage. Or leaving the recursive resolvers open to the entire Internet for abuse. - ferg -- Paul Ferguson Vice President, Threat Intelligence Internet Identity, Tacoma, Washington USA IID --> "

Re: [dns-operations] DNS Attack over UDP fragmentation

e had found out some way to enforce BCP38 before spoofing became a problem:( Believe me, no one wishes that more than do I. :-/ - ferg -- Paul Ferguson Vice President, Threat Intelligence Internet Identity, Tacoma, Washington USA IID --> "Connect and Collaborate"

Re: [dns-operations] Registration Open for DNS OARC Spring 2013 Workshop - Dublin, 12th/13th May

oarc.net > https://lists.dns-oarc.net/mailman/listinfo/dns-operations > dns-jobs mailing list > https://lists.dns-oarc.net/mailman/listinfo/dns-jobs -- "Fergie", a.k.a. Paul Ferguson fergdawgster(at)gmail.com ___ dns-operations ma

Re: [dns-operations] Defending against DNS reflection amplification attacks

the Internet. And it's not all about BCP38 either. There are tens of millions of open DNS recursive resolvers out there... - ferg -- "Fergie", a.k.a. Paul Ferguson fergdawgster(at)gmail.com ___ dns-operations mailing list dns-oper

Re: [dns-operations] Defending against DNS reflection amplification attacks

we should have some hard stats on who has deployed these measures, and how it impacted them. Please speak up if you have any data. I can say, however, that we *do* have data on who has *not* deployed it, and how they are virtually criminally negligent for doing so. And don't get me wrong -- there

Re: [dns-operations] Defending against DNS reflection amplification attacks

I have to type that.) > Are you willing to also help us do the hard work to do the right thing? I'm pretty sure the answer is "Yes". So let's get busy, and stop finding reasons not to do the Right Thing. - ferg -- "Fergie", a.k.a. Paul Ferguson fergdawgster

Re: [dns-operations] universal deployment of BCP38 and won't/can't semantics

idea and we still need to push on this. And with regards to DNS amplification attacks I have a new way to do things I would prefer not to do -- spend more time flying around the world explaining to people how to stop being bad stewards in the basic hygiene of the Internet. If anyone can find some fa