It is still hard to tell if c-root is worse than anybody else, because there
are a lot of probes that fail any of the IPv6 root. I guess probes without or
with broken IPv6 would have this behavior. (example probe 645 in Kyrgyzstan
appears to fail any IPv6)
What is really needed is a statistic
Hi DNS-ops,
c.root-servers.net is not reachable over v6 for everybody. There appears to be
some peering disputes between operators over v6 still. Additionally, Leen
Besselink told me on another mailing list (unbound) that it is advertized as a
/48 that might get filtered.
What are the reachabi
Hi Ondrej,
I don't have a solution for your Bind environment but I do have some more
information. You are experiencing what we internally named the "Chinese water
torture attack". It is not botnet C&C it is an attack on the authoritative
servers using your recursive DNS.
The attacker is using
>> Keep in mind that most cache system are using Least Recent Used
>> Algorithm for their cache without any removal of expired records.
>
> Doesn't BIND use an unbound cache by default?
As you point out, it looks like they don't have a max by default.
They are not doing periodically cleaning eit
Keep in mind that most cache system are using Least Recent Used
Algorithm for their cache without any removal of expired records.
So the reason that stuff gets thrown out is not because of TTL expiry,
but rather because the cache is full.
I don't know your exact test setup, but that might be w
Joe, Bob and others,
>> Date: Tue, 27 Aug 2013 11:27:56 -0400
>> From: Joe Abley
>> ...
>> Cc: dns-operations@lists.dns-oarc.net
>> Subject: Re: [dns-operations] Implementation of negative trust
>> anchors?
>>
>>...
>>
>>I've long wished for a more general facility where upon successful
Not sure about that.
I get the AD bit back but oddly enough, the Swedish deliberately broken site
trasigdnssec.se does not servfail on the 8.8.8.8/8.8.4.4 but it does on the
google dns v6 address:
stephan@pi:~$ dig @8.8.8.8 trasigdnssec.se +dnssec
; <<>> DiG 9.6-ESV-R1 <<>> @8.8.8.8 trasigdnss
I believe they have a similar option but you will have to ask the Bind
mailing list.
Thanks, S
From: McGhee, Karen (Evolver) [mailto:karen.mcg...@uspto.gov]
Sent: Wednesday, January 16, 2013 1:42 AM
To: Stephan Lagerholm; dns-operations@lists.dns-oarc.net
Subject: RE: [dns-operations] Can
Hi Karen,
There are a few vendors (disclaimer I work for one of them) that has
implemented a "disable--on-v4-transport" feature that might be able
to do what you are looking for.
You can google for 'yahoo dns hack' to get more info.
/Stephan
From: dns-operations-boun...@lists.dn
I'm getting NOERROR from Dallas, Texas and Stockholm, Sweden.
/S
-Original Message-
From: dns-operations-boun...@lists.dns-oarc.net
[mailto:dns-operations-boun...@lists.dns-oarc.net] On Behalf Of Adam
King
Sent: Tuesday, October 02, 2012 8:41 PM
To: dns-operations@lists.dns-oarc.net
Subje
10 matches
Mail list logo
