Re: [dns-operations] Apex ALIASES that re NOT flattened CNAMEs

2024-10-22 Thread Paul Vixie via dns-operations
--- Begin Message --- every few years the cdn world proposes something like an ALIAS RR. usually it fails at the problem-statement stage. afterward a few more innovators hack their own name servers to do what they need -- usually in a unique way and often in a way that blows chunks when other di

Re: [dns-operations] __p_rcode() deprecated? (glibc/Suse)

2024-10-05 Thread Paul Vixie via dns-operations
--- Begin Message --- if i contribute thread-safe versions of these functions, would they be uptaken? -- P Vixie On Saturday, October 5, 2024 10:50:26 AM PDT Florian Weimer wrote: > * Paul Vixie via dns-operations: > > Can someone from glibc (as experienced via Suse Leap 15.6) self

[dns-operations] __p_rcode() deprecated? (glibc/Suse)

2024-09-30 Thread Paul Vixie via dns-operations
--- Begin Message --- Can someone from glibc (as experienced via Suse Leap 15.6) self-identify so that we can discuss some changes to /usr/include/resolv.h ? > const char * p_class (int) __THROW __RESOLV_DEPRECATED; > const char * p_time (uint32_t) __THROW __RESOLV_DEPRECATED; > const char * p

Re: [dns-operations] Monitoring DNS Record Changes

2024-09-09 Thread Paul Vixie via dns-operations
--- Begin Message --- At Farsight Security which was sold to Domain Tools in late 2021, we had two services that could be used this way. There was DNSDB, which if combined with cron could make a data-at-rest query for each of your domains once per day and tell you of differences in the then-newe

Re: [dns-operations] NS1 updating codepoint for NXNAME

2024-09-09 Thread Paul Vixie via dns-operations
--- Begin Message --- on behalf of the security community let me thank each and every one who has specified, implemented, and deployed NXNAME. my original worry was that the difference between rcode=3 and ancount=0 might not matter to a web browser but it absolutely does matter to security analy

Re: [dns-operations] DNSbomb attack

2024-05-28 Thread Paul Vixie via dns-operations
--- Begin Message --- Apologies please. I meant all DNS responders not merely DNS full resolvers. p vixie On May 28, 2024 13:08, Paul Vixie via dns-operations wrote:

Re: [dns-operations] DNSbomb attack

2024-05-28 Thread Paul Vixie via dns-operations
--- Begin Message --- This attack was predicted by DNS RRL in 2012 and as such is not novel. All full resolvers should make RRL the default, as BIND9 seems to have done. https://circleid.com/posts/20130913_on_the_time_value_of_security_features_in_dns I am in full support of ISC's position

Re: [dns-operations] Strange things at C root name server

2024-05-24 Thread Paul Vixie via dns-operations
--- Begin Message --- Yes. See: https://c.root-servers.org/ p vixie On May 24, 2024 13:31, Cameron Banowsky via dns-operations wrote:

[dns-operations] C-root incident

2024-05-23 Thread Paul Vixie via dns-operations
--- Begin Message --- News 2024‑05‑23 - On May 21 at 15:30 UTC the c-root team at Cogent Communications was informed that the root zone as served by c-root had ceased to track changes from the root zone publication server after May 18. Analysis showed this to have been caused by an unrelated r

Re: [dns-operations] DNS Operations

2024-03-02 Thread Paul Vixie via dns-operations
--- Begin Message --- Openwrt is fine. See also pihole. I just run bind9. Knot, powerDNS, and unbound are also great. p vixie On Mar 2, 2024 09:56, Lee wrote: On Sat, Mar 2, 2024 at 8:55 AM David Conrad wrote: > > Hi, > > On Mar 2, 2024, at 4:57 AM, Lee wrote: > > On Sat, Mar 2, 2024 at

Re: [dns-operations] Filtering policy: false positive rate

2024-02-08 Thread Paul Vixie via dns-operations
--- Begin Message --- I think the examples being used in this thread are too narrow. In RPZ a firewall rule might trigger on something other than the QNAME. For example the trigger could be one of the NSDNAMEs in the resolution path, or on the address (A or ) associated with some NSDNAME in

Re: [dns-operations] xn--mgbai9azgqp6j broken

2023-10-23 Thread Paul Vixie via dns-operations
--- Begin Message --- I think uptime has high correlation to utility. p vixie On Oct 23, 2023 11:39, Stephane Bortzmeyer wrote: On Thu, Oct 19, 2023 at 02:02:22PM +, Carr, Brett via dns-operations wrote a message of 265 lines which said: > This may have been mentioned before as I thi

Re: [dns-operations] DNS over TCP response fragmentation

2023-10-03 Thread Paul Vixie via dns-operations
--- Begin Message --- if the dns responder uses write() or send() or sendto() for the two octets of framing length, rather than writev() or sendmsg(), the kernel's default will be to "push" each buffer as a segment. that's where the one- or two-octet segments are probably coming from. this defa

Re: [dns-operations] Google Public DNS has enabled case randomization globally

2023-07-29 Thread Paul Vixie via dns-operations
--- Begin Message --- Paul Vixie via dns-operations wrote on 2023-07-29 17:35: back in the day, only one rdns server was downcasing on cache miss, and it was one of google's. dave presotto fixed it in about a day. apologies (obvious). it was an authority for l.google.com, not rdns.

Re: [dns-operations] Google Public DNS has enabled case randomization globally

2023-07-29 Thread Paul Vixie via dns-operations
--- Begin Message --- Evan Hunt wrote on 2023-07-29 13:58: (Resending because I accidentally replied privately.) likewise. Evan Hunt wrote on 2023-07-29 13:55: On Sat, Jul 29, 2023 at 09:07:21AM -0700, Paul Vixie wrote: ... would the google dns team be willing to contribute to this draft i

Re: [dns-operations] Google Public DNS has enabled case randomization globally

2023-07-29 Thread Paul Vixie via dns-operations
--- Begin Message --- > would the google dns team be willing to contribute to this draft in the ietf dns wg? we have not pressed the matter since 2008 simply because no one cared. w

Re: [dns-operations] Cache efficiency (was: Re: DNS .com/.net resolution problems in the Asia/Pacific region)

2023-07-20 Thread Paul Vixie via dns-operations
--- Begin Message --- Robert Edmonds wrote on 2023-07-20 14:50: Mark Andrews wrote: ... Yes, there are lookups that can take a long time to perform with a cold cache. By putting lots of users behind large, centralized caches we can insulate users from a lot of cold cache lookups, but these c

Re: [dns-operations] DNS .com/.net resolution problems in the Asia/Pacific region

2023-07-18 Thread Paul Vixie via dns-operations
--- Begin Message --- Ondřej Surý wrote on 2023-07-18 13:25: ... There’s already mechanism for not serving a stale RRSIGs. The EXPIRE field in the SOA record should be set to a value that’s lower than the RRSIG resigning interval (the minimal interval between now and shortest RRSIG expiry in

Re: [dns-operations] DNS .com/.net resolution problems in the Asia/Pacific region

2023-07-18 Thread Paul Vixie via dns-operations
--- Begin Message --- i have two comments here. Ondřej Surý wrote on 2023-07-18 11:54: With my implementor’s hat on, I think this is wrong approach. It (again) adds a complexity to the resolvers and yet again based (mostly) on isolated incident. I really don’t want yet another “serve-stale” in

Re: [dns-operations] DNS .com/.net resolution problems in the Asia/Pacific region

2023-07-13 Thread Paul Vixie via dns-operations
--- Begin Message --- On Thu Jul 13, 2023 at 7:16 PM UTC, Gavin McCullagh wrote: > ... > > I assume lots of us on this mailing list operate authoritative dns > servers. When one of our PoPs or nameservers is unresponsive, most of us > rely on retries against other nameservers (aka PoPs) to ensure

Re: [dns-operations] Ani Piracy - RPZ Feed

2023-05-26 Thread Paul Vixie via dns-operations
--- Begin Message --- if such is found, please submit it for inclusion here: https://dnsrpz.info/ re: Renyk de'Vandre wrote on 2023-05-26 05:11: Hi All, Can anyone recommend a good quality anti-piracy RPZ feed? Looking to block access to video/music piracy websites. Many Thanks! -- P V

[dns-operations] why DNS can't have nice things

2023-04-14 Thread Paul Vixie via dns-operations
--- Begin Message --- once an embedded dns recursive server works well enough, it ships, is widely deployed, and becomes abandonware. the apps which don't work are found (by others) later. there is no complaint path. ; <<>> DiG 9.16.33 <<>> api.dnsdb.info ;; global options: +cmd ;; Got answer:

Re: [dns-operations] [Ext] Re: Cloudflare TYPE65283

2023-04-11 Thread paul vixie via dns-operations
--- Begin Message --- <8, RSA-SHA1 vs RSA-SHA1-NSEC3). But a new on-the-fly denial of existence might prove to be worth it in operations.>> Well, we are overdue for starting over on dnssec, which we used to do every two years or so. But does the next generation have the will to do so? p vixi

Re: [dns-operations] [DNSOP] bind fails to continue recursing on one specific query

2023-03-29 Thread Paul Vixie via dns-operations
--- Begin Message --- i think there's language slippage in this thread. Peter DeVries wrote on 2023-03-29 03:51: On Tue, Mar 28, 2023, 9:23 PM Dave Lawrence > wrote: ... It is very poor form for nameservers to intentionally not respond to queries under normal

Re: [dns-operations] Resolvers seeing repeated bursts of identical queries

2023-01-09 Thread Paul Vixie via dns-operations
--- Begin Message --- if the same IP is asking the same qname over and over, then you might want to look into DNS RRL, which was originally a BIND thing but which all open source name servers now possess in some form. it was crafted for authority (really, root and TLD) servers, but does also wor

Re: [dns-operations] Browser Public suffixes list

2022-08-27 Thread Paul Vixie via dns-operations
--- Begin Message --- Viktor Dukhovni wrote on 2022-08-27 11:06: On Sat, Aug 27, 2022 at 10:48:46AM -0700, Paul Vixie wrote: ... see: https://www.ietf.org/mailman/listinfo/dbound Another aspect of the problem, is that the browsers unified the address bar and the search bar in order to "impr

Re: [dns-operations] Browser Public suffixes list

2022-08-27 Thread Paul Vixie via dns-operations
--- Begin Message --- this... Meir Kraushar via dns-operations wrote on 2022-08-27 02:56: 2) The need to maintain a list dedicated to browser issues is out of our scope. I'm sure there are good reasons to have it, like you said, there is gap between the worlds. ...is why the IETF DBOUND (doma

Re: [dns-operations] mail.protection.outlook.com has EDNS issues

2022-07-06 Thread Paul Vixie via dns-operations
--- Begin Message --- Matthew Richardson wrote on 2022-07-06 07:52: ... Alternatively, is this the sort of issue in which DNS-OARC could become involved by way of outreach to MS about the problems? The lack of EDNS0 will probably become an increasing problem over time. This DNS setup is used

Re: [dns-operations] [Ext] How should work name resolution on a modern system?

2022-06-16 Thread Paul Vixie via dns-operations
--- Begin Message --- David Conrad wrote on 2022-06-16 08:26: ... What ISC defined as “views" in BIND 9 is simply an implementation of an independent namespace. The fact that it is (now) most frequently used in the context of an independent address space is irrelevant. when considering BIND9

Re: [dns-operations] How should work name resolution on a modern system?

2022-06-15 Thread Paul Vixie via dns-operations
--- Begin Message --- Dave Lawrence wrote on 2022-06-15 10:33: Viktor Dukhovni writes: Single label names passed to getaddrinfo(3) should not result in single label "A" or "" DNS queries. http://ai./ https://www.icann.org/en/system/files/files/sac-053-en.pdf -- P Vixie --- End Messag

Re: [dns-operations] CNAME at the apex breaks DNSSEC DS lookups from caches

2022-04-16 Thread Paul Vixie via dns-operations
--- Begin Message --- Evan Hunt wrote on 2022-04-17 02:58: ... I was the original author of the ANAME draft, and I thought it was a terrible idea, and said so at the time. The only reason I wrote it was that I believed browser vendors would remain unwilling to adopt a more sensible alternative

[dns-operations] DMV.CA.GOV to WCP please?

2021-12-30 Thread Paul Vixie via dns-operations
--- Begin Message --- the name servers are: dmv.ca.gov. 604763 IN NS ns7.net.ca.gov. dmv.ca.gov. 604763 IN NS infohqp5.ad.dmv.ca.gov. dmv.ca.gov. 604763 IN NS ns6.net.ca.gov. dmv.ca.gov. 604763 IN NS info

Re: [dns-operations] [Ext] What is the reason of J-Root doesn't serve the arpa zone?

2021-12-03 Thread Paul Vixie via dns-operations
--- Begin Message --- Paul Hoffman wrote on 2021-12-03 19:28: On Dec 3, 2021, at 7:05 PM, Paul Vixie via dns-operations wrote: 2870 was wrong in this respect, and should be revised to allow ARPA. Why that, instead of the direction taken by RFC 9120? RFC 9120 was sponsored by the IAB

Re: [dns-operations] What is the reason of J-Root doesn't serve the arpa zone?

2021-12-03 Thread Paul Vixie via dns-operations
--- Begin Message --- Wessels, Duane via dns-operations wrote on 2021-12-03 15:39: In November 2002 K, L, and M were added to the NS list for arpa, but J was not. We can't speak to decisions made by the other operators, but Verisign chose not to put j.root-servers.net in the NS set based on th