Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-21 Thread Geoff Huston
Yes, our goal was to test out the assertion in RFC5966 that: "The majority of DNS server operators already support TCP" and we wanted to see if we could quantify what that "majority" actually was. What we found out was that of the DNS resolvers that were visible to the authoritative name server

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-21 Thread Randy Bush
> them aussies certainly know how to do a nice bit of wide-scale measurement. now we can descend into the religions un-asserted implications violate. randy ___ dns-operations mailing

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-21 Thread Vernon Schryver
http://www.circleid.com/posts/20130820_a_question_of_dns_protocols disappointed me with this characterization of RRL: There is a conversation thread that says that resolvers should implement response rate limiting (RRL), and silently discard repetitive queries that exceed some locally

[dns-operations] problems resolving army.mil and us.army.mil?

2013-08-21 Thread Mike A
I'm seeing timeouts and SERVFAILs trying to resolve army.mil and us.army.mil from multiple locations on disjoint nets. Anyone else? -- Mike Andrews, W5EGO mi...@mikea.ath.cx Tired old sysadmin

Re: [dns-operations] problems resolving army.mil and us.army.mil?

2013-08-21 Thread Rose, Scott W.
Me too. From NIST and DNSViz: http://dnsviz.net/d/army.mil/dnssec/ Can't reach any of the servers listed. Scott === Scott Rose NIST scott.r...@nist.gov +1 301-975-8439 Google Voice: +1 571-249-3671 http://www.dnsops.gov/ https://www.had-pilot.com/ ==

Re: [dns-operations] problems resolving army.mil and us.army.mil?

2013-08-21 Thread Fr34k
http://dnssec-debugger.verisignlabs.com/army.mil also shows several issues. - Original Message - > From: "Rose, Scott W." > To: Mike A ; DNS Operations > > Cc: > Sent: Wednesday, August 21, 2013 10:06 AM > Subject: Re: [dns-operations] problems resolving army.mil and us.army.mil? >

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-21 Thread Jon Lewis
On Wed, 21 Aug 2013, Dobbins, Roland wrote: I didn't even get far enough to get to the parts Vixie seems to object to. It was too painful to read. It's in desperate need of proof-reading and copy editing. Was this trans

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-21 Thread Randy Bush
> http://www.circleid.com/posts/20130820_a_question_of_dns_protocols > disappointed me with this characterization of RRL: > > There is a conversation thread that says that resolvers should > implement response rate limiting (RRL), and silently discard > repetitive queries that exceed s

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-21 Thread Vernon Schryver
> From: Geoff Huston > On the other hand its no more serious than any other form of small > TCP transaction based services that are subjected to massive volumes, > such as, say, a search engine front end. Isn't that why HTTP, SMTP, and other TCP transaction services have been changed to reduce t

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-21 Thread Jared Mauch
BTW, The goal of OpenResolverProject was to have an inventory so folks could measure against attacks and determine what % of attacks utilized them. The list is available in weekly format to security teams to download in bulk so they can use tools like GrepCidr to perform this cross-reference. T

Re: [dns-operations] Implementation of negative trust anchors?

2013-08-21 Thread Warren Kumari
On Aug 21, 2013, at 1:33 AM, Ralf Weber wrote: > Moin! > > On 20.08.2013, at 20:14, Doug Barton wrote: >> Rumor has it that Nominum and Fortidns have implementations for NTAs. Any >> truth to those rumors? > It's not a rumor. Nominum Vantio had this feature for some time now. As > FortiDNS u

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-21 Thread Andrew Sullivan
On Wed, Aug 21, 2013 at 03:14:59PM +, Vernon Schryver wrote: > HTTP, SMTP, and other TCP transaction applications? Could the gTLD > roots exist in anything like their current forms if DNS transactions > cost as many CPU and stable storage computrons as an HTTP GET of > a purely static page (

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-21 Thread Ralf Weber
Moin! On 21.08.2013, at 08:18, Jared Mauch wrote: > The unexpected results of the data were knowing that ~46% are just a broken > CPE device that does something weird with DNS packets. Well they mostly proxy that query to their ISP's resolver, who as it came from an address on his network answer

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-21 Thread Paul Vixie
Vernon Schryver wrote: > http://www.circleid.com/posts/20130820_a_question_of_dns_protocols > disappointed me with this characterization of RRL: > > There is a conversation thread that says that resolvers should > implement response rate limiting (RRL), and silently discard > repetiti

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-21 Thread Vernon Schryver
> From: Andrew Sullivan > > HTTP, SMTP, and other TCP transaction applications? Could the gTLD > > roots exist in anything like their current forms if DNS transactions > > cost as many CPU and stable storage computrons as an HTTP GET of > > a purely static page (even without TLS)? > > Excellent

Re: [dns-operations] problems resolving army.mil and us.army.mil?

2013-08-21 Thread Christopher Morrow
a question(s) from the peanut gallery... (I assumed some things...) if the operations work to maintain dnssec stuff for zones is not productionized and automated and tested failures like this army.mil (and most previous other zone problems elsewhere related to dnssec, most likely) issue happen...

Re: [dns-operations] problems resolving army.mil and us.army.mil?

2013-08-21 Thread Rose, Scott W.
From appearances, the error is not DNSSEC related (army.mil is unsigned), but that no one can reach the army.mil servers. I see both SERVFAIL and "no servers could be reached" errors. As for requiring validation, the next version of the security controls for all Federal USG systems will require

Re: [dns-operations] problems resolving army.mil and us.army.mil?

2013-08-21 Thread Christopher Morrow
On Wed, Aug 21, 2013 at 1:19 PM, Rose, Scott W. wrote: > From appearances, the error is not DNSSEC related (army.mil is unsigned), > but that no one can reach the army.mil servers. I see both SERVFAIL and > "no servers could be reached" errors. > bummer, I thought i had seen dnssec problems :(

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-21 Thread Alan Shackelford
And furthermore, it is my understanding that in RRL no queries are ever discarded. Only the response is throttled. Alan V. Shackelford Senior Systems Software Engineer The Johns Hopkins University and Johns Hopkins Medical Institutions Baltimore, Maryland USA

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-21 Thread Geoff Huston
On 22/08/2013, at 12:36 AM, Jon Lewis wrote: > On Wed, 21 Aug 2013, Dobbins, Roland wrote: > >> >> > > I didn't even get far enough to get to the parts Vixie seems to object to. It > was too painful to read. It's in despe

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-21 Thread Geoff Huston
On 22/08/2013, at 9:36 AM, Geoff Huston wrote: > > On 22/08/2013, at 12:36 AM, Jon Lewis wrote: > >> On Wed, 21 Aug 2013, Dobbins, Roland wrote: >> >>> >>> >> >> I didn't even get far enough to get to the parts Vixie see

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-21 Thread Paul Vixie
Geoff Huston wrote: > ... > So here is what I would say to this audience: > > ... thank you geoff, i understand it now. vixie ___ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-21 Thread David Conrad
Geoff, I personally think this is really interesting work. A question about methodology: On Aug 21, 2013, at 4:36 PM, Geoff Huston wrote: > - Our experiment used a modified DNS server that truncated all UDP at 512 > bytes, and over 10 days we enlisted some 2 million end clients to perform a >

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-21 Thread Geoff Huston
On 22/08/2013, at 10:32 AM, David Conrad wrote: > Geoff, > > I personally think this is really interesting work. A question about > methodology: > > On Aug 21, 2013, at 4:36 PM, Geoff Huston wrote: >> - Our experiment used a modified DNS server that truncated all UDP at 512 >> bytes, and ov

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-21 Thread Fred Morris
On Wed, 21 Aug 2013, Dobbins, Roland wrote: > While I'm not entirely sure I'm onboard with the conclusions, the study is really interesting and deserves a bookmark and will possibly be forwarded to people not on this list. ;-)