Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-12-01 Thread wbrown
Not replying to anyone in particular. Wouldn't it be possible to pick an address on your own network (perhaps in your DMZ) and then create rules on any firewall in front of that address that simply drops all packets? If a public address were announced, why not have an outbound firewall rule

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-28 Thread Cathy Almond
On 27/11/2014 15:38, Warren Kumari wrote: >> That seems to be a much different use case (drop >> the traffic as quickly and universally as possible, minimizing >> collateral damage) from routing the traffic to something like a >> community sinkhole. > > Yes -- and the whole point of this plan wo

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-27 Thread Mark Andrews
In message <20141127171135.ga30...@mycre.ws>, Robert Edmonds writes: > Mark Andrews wrote: > > I would say CNAME/DNAME with a week long ttl to one of the non RFC > > 1918 or ULA default local zones but IANA has been tardy about getting > > the insecure delegations in place to break the DNSSEC chai

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-27 Thread Robert Edmonds
Mark Andrews wrote: > I would say CNAME/DNAME with a week long ttl to one of the non RFC > 1918 or ULA default local zones but IANA has been tardy about getting > the insecure delegations in place to break the DNSSEC chains of > trust. That way default local zone aware recursive servers would > an

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-27 Thread Warren Kumari
On Wed, Nov 26, 2014 at 7:12 PM, Robert Edmonds wrote: > Warren Kumari wrote: >> This thingie has many aspects that look a bunch like AS112 -- I'm >> wondering if it makes sense to also request an AS number for this. >> It's not strictly needed, but having fewer inconsistent origin routes >> is al

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-27 Thread William F. Maton Sotomayor
On Wed, 26 Nov 2014, Stephane Bortzmeyer wrote:
> I'm trying to find out if it exists a public IP address which is a black hole, swallowing every packet sent to it.

Sometime on this list or on as112-ops, it was pointed out that an operator in Germany did that for a domain - they made it the NS

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-26 Thread Mark Andrews
In message <547691e9.1080...@redbarn.org>, Paul Vixie writes: > > > Robert Edmonds > > Wednesday, November 26, 2014 4:59 PM > > > > What about specifying *no* nameservers? That is, delegating the domain > > name to a nonexistent nameserver name within an intentionally em

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-26 Thread Paul Vixie
> Robert Edmonds > Wednesday, November 26, 2014 4:59 PM > > What about specifying *no* nameservers? That is, delegating the domain > name to a nonexistent nameserver name within an intentionally empty > sacrificial zone with a lengthy negative TTL. experience and observ

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-26 Thread Robert Edmonds
Stephane Bortzmeyer wrote: > The idea is to delegate some domain names to unresponsive name servers > (deleting the domain name is less efficient, since the negative TTL is > smaller than the delegation TTL). What about specifying *no* nameservers? That is, delegating the domain name to a nonexis

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-26 Thread Jared Mauch
If someone wanted to dispose of that volume of requests they could get assistance if they asked the right people. Jared Mauch > On Nov 26, 2014, at 7:12 PM, Robert Edmonds wrote: > > Warren Kumari wrote: >> This thingie has many aspects that look a bunch like AS112 -- I'm >> wondering if it m

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-26 Thread Robert Edmonds
Warren Kumari wrote: > This thingie has many aspects that look a bunch like AS112 -- I'm > wondering if it makes sense to also request an AS number for this. > It's not strictly needed, but having fewer inconsistent origin routes > is always nice. > > It also seems that (also like AS112), networks

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-26 Thread Robert Edmonds
Joe Abley wrote: > On 26 Nov 2014, at 14:06, Warren Kumari wrote: > > > What's wrong with 127.0.0.1? It makes it clear what the intent is, and > > you don't get a much more distributed sinkhole than that... > > I'm always wary of using 127.0.0.1 for anything that doesn't really mean "you > shou

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-26 Thread Warren Kumari
On Wed, Nov 26, 2014 at 4:10 PM, Joe Abley wrote: > > On 26 Nov 2014, at 14:06, Warren Kumari wrote: > >> What's wrong with 127.0.0.1? It makes it clear what the intent is, and >> you don't get a much more distributed sinkhole than that... > > I'm always wary of using 127.0.0.1 for anything that

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-26 Thread Joe Abley
On 26 Nov 2014, at 17:05, Florian Lohoff wrote: > On Wed, Nov 26, 2014 at 04:10:07PM -0500, Joe Abley wrote: > >> On 26 Nov 2014, at 14:06, Warren Kumari wrote: >> >>> What's wrong with 127.0.0.1? It makes it clear what the intent is, and >>> you don't get a much more distributed sinkhole tha

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-26 Thread Florian Lohoff
On Wed, Nov 26, 2014 at 04:10:07PM -0500, Joe Abley wrote: > > On 26 Nov 2014, at 14:06, Warren Kumari wrote: > > > What's wrong with 127.0.0.1? It makes it clear what the intent is, and > > you don't get a much more distributed sinkhole than that... > > I'm always wary of using 127.0.0.1 for a

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-26 Thread Joe Abley
On 26 Nov 2014, at 14:06, Warren Kumari wrote: > What's wrong with 127.0.0.1? It makes it clear what the intent is, and > you don't get a much more distributed sinkhole than that... I'm always wary of using 127.0.0.1 for anything that doesn't really mean "you should talk to yourself". Without

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-26 Thread Doug Barton
On 11/26/14 6:25 AM, Stephane Bortzmeyer wrote:
> The idea is to delegate some domain names to unresponsive name servers (deleting the domain name is less efficient, since the negative TTL is smaller than the delegation TTL).

What problem are you actually trying to solve here? Is this an AFNIC th

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-26 Thread Warren Kumari
On Wed, Nov 26, 2014 at 12:46 PM, Jared Mauch wrote: > >> On Nov 26, 2014, at 10:13 AM, Paul Wouters wrote: >> >> http://tools.ietf.org/html/rfc6598 defines 100.64.0.0/10 >> >> Packets with Shared Address Space source or destination addresses >> MUST NOT be forwarded across Service Provider b

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-26 Thread Joe Abley
On 26 Nov 2014, at 09:25, Stephane Bortzmeyer wrote: > I'm trying to find out if it exists a public IP address which is a > black hole, swallowing every packet sent to it. > > I can do that on my network but I'm wondering if it already exists > somewhere, may be as an anycasted service (AS112-st

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-26 Thread Jared Mauch
> On Nov 26, 2014, at 10:13 AM, Paul Wouters wrote: > > http://tools.ietf.org/html/rfc6598 defines 100.64.0.0/10 > > Packets with Shared Address Space source or destination addresses > MUST NOT be forwarded across Service Provider boundaries. Service > Providers MUST filter such packets

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-26 Thread Jeroen Massar
On 2014-11-26 16:42, Stephane Bortzmeyer wrote: > On Wed, Nov 26, 2014 at 04:33:37PM +0100, > Jeroen Massar wrote > a message of 15 lines which said: > >> What about putting those zones/nameservers in DNS RPZ? > > I don't get it. RPZ is for resolvers. Your first line: > The idea is to delega

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-26 Thread Robert Edmonds
Stephane Bortzmeyer wrote: > I was thinking of non-routed addresses like 198.18.0.0/15 or > 203.0.113.0/24 but it's not their normal use. AFAIK, there are no > "public sinkholes" IPv4 addresses. For IPv6, there is 100::/64 but it > is only internal, there is no public 100::/64 service. There is so

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-26 Thread Stephane Bortzmeyer
On Wed, Nov 26, 2014 at 03:25:47PM +0100, Stephane Bortzmeyer wrote a message of 25 lines which said: > I'm trying to find out if it exists a public IP address which is a > black hole, swallowing every packet sent to it. A possible example is blackhole.webpagetest.org/72.66.115.13

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-26 Thread Stephane Bortzmeyer
On Wed, Nov 26, 2014 at 04:33:37PM +0100, Jeroen Massar wrote a message of 15 lines which said: > What about putting those zones/nameservers in DNS RPZ? I don't get it. RPZ is for resolvers.

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-26 Thread Jeroen Massar
On 2014-11-26 15:25, Stephane Bortzmeyer wrote: > I'm trying to find out if it exists a public IP address which is a > black hole, swallowing every packet sent to it. > > I can do that on my network but I'm wondering if it already exists > somewhere, may be as an anycasted service (AS112-style). >

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-26 Thread Paul Wouters
On Wed, 26 Nov 2014, Stephane Bortzmeyer wrote:
> I'm trying to find out if it exists a public IP address which is a black hole, swallowing every packet sent to it.
> I was thinking of non-routed addresses like 198.18.0.0/15 or 203.0.113.0/24 but it's not their normal use. AFAIK, there are no "pu

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-26 Thread Stephane Bortzmeyer
On Wed, Nov 26, 2014 at 03:25:47PM +0100, Stephane Bortzmeyer wrote a message of 25 lines which said: > The idea is to delegate some domain names to unresponsive name servers > (deleting the domain name is less efficient, since the negative TTL is > smaller than the delegation TTL). And, of c

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-26 Thread Jared Mauch
We have such an IP address in our backbone but don't publish it. I suppose someone could ask for an allocation for this purpose from a local RIR and this could be done for that whole range. Jared Mauch > On Nov 26, 2014, at 9:25 AM, Stephane Bortzmeyer wrote: > > I'm trying to find out if i

Re: [dns-operations] Looking for a public blackhole/sinkhole IP address

2014-11-26 Thread John Kristoff
On Wed, 26 Nov 2014 15:25:47 +0100 Stephane Bortzmeyer wrote: > I was thinking of non-routed addresses like 198.18.0.0/15 or > 203.0.113.0/24 but it's not their normal use. AFAIK, there are no > "public sinkholes" IPv4 addresses. For IPv6, there is 100::/64 but it > is only internal, there is no