I'm not sure this discovery should be dated 2015
http://bugs.cacert.org/view.php?id=803
http://security.stackexchange.com/questions/10452/dns-zone-transfer-attack
http://www.iodigitalsec.com/dns-zone-transfer-axfr-vulnerability/
http://seclists.org/pen-test/2004/Feb/108
Stephane Bortzmeye
der-dns.html
https://www.chromium.org/developers/dns-over-https
That is, I don't think you'll be able to configure it
to use your local proxy or another DoH provider.
-Jan
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
http
Hello.
I'm looking for a list of public resolvers that utilize EDNS Client
Subnet when sending queries to authoritative servers. I'm especially
interested in the ones that require some kind of opt-in to enable the
feature. Is anyone aware of such a list?
Thank you. Regards
ite a burden.
This is exactly what I was looking for. I'm wondering if there are
more resolver operators with a similar policy.
Thank you for sharing the details, Brian.
--
Jan
___
Thank you all for sharing the ideas.
>> https://dnsthought.nlnetlabs.nl/does_ecs/#top_auth_asns
This is very helpful! Thank you, Willem.
--
Jan
___
an 20 minutes (with additional time for questions).
**Workshop Milestones:**
* 9 Dec 2020 - Submissions open via Indico
* 4 Jan 2021 - Deadline for submission (23:59 UTC)
* 14 Jan 2021 - Initial Contribution list published
* 21 Jan 2021 - Full agenda published
* 28 Jan 2021 - Deadline for slides
Hello everyone.
We have extended the Call for Contributions for DNS-OARC 34 until 11
Jan 2021 23:59 UTC (next Monday). If you have a topic our community
might be interested in, please, send your proposal as soon as
possible. We haven't received a lot of proposals during holidays so
there is
efer to, before, during and after the meeting
* you will be expected to attend a rehearsal on April 22nd. It would
be very useful to have your slides (even if draft) ready for this.
If you have questions or concerns you can contact the Programme Committee:
https://www.dns-oarc.net/oarc/progr
milestones are:
* 25 Mar 2021 - Deadline for submission (23:59 UTC)
* 25 Mar 2021 - Initial Contribution list published
* 08 Apr 2021 - Full agenda published
* 22 Apr 2021 - Deadline for slideset submission and Rehearsal
* 06 May 2021 - OARC 35 Workshop
Jan Včelák
On Fri, Feb 19, 2021 at 3:51 PM Jan
ehearsal on August 24th. It would
be very useful to have your slides (even if draft) ready for this.
If you have questions or concerns you can contact the Programme Committee:
https://www.dns-oarc.net/oarc/programme
via
Jan Včelák, for the DNS-OARC Programme Committee
OARC depends on spo
estions or concerns you can contact the Programme Committee:
https://www.dns-oarc.net/oarc/programme
via
Jan Včelák, for the DNS-OARC Programme Committee
OARC depends on sponsorship to fund its workshops and associated
social events. Please contact if your
organization is interested in
* 29 & 30 November 2021 - OARC 36 Workshop
The details for presentation submission are published at the Workshop website:
https://www.dns-oarc.net/oarc36
If you have questions or concerns you can contact the Programme Committee:
https://www.dns-oarc.net/oarc/programme
via
Jan V
oarc.net/oarc36>.
Thank you and hope to see you soon.
Jan Včelák, for the DNS-OARC Programme Committee
___
Hello,
my name is Jan Petto and I am currently studying computer science at TU
Darmstadt, Germany. During the research for my thesis, I have found some
odd behavior regarding DNS over TCP, which neither I nor my supervisor
can explain. I am hoping somebody here can tell me what I am observing
dated once the value for NXNAME is assigned.
Please, let me know if you have questions. We expect the change to be
deployed in the following weeks.
Best regards,
Jan Včelák (for NS1, an IBM Company)
___
currently planning to deploy the change in the following weeks.
Best regards,
Jan Včelák (for NS1, an IBM Company)
___
> I hope we aren't going to see TXT records containing fatuous legal
> disclaimers added to DNS responses in the annoying way that they are
> too often used in e-mail... :-)
Too late, Chris:
$ dig 1.2.+.rp.secret-wg.org txt
;; ANSWER SECTION:
1.2.+.rp.secret-wg.org. 10 IN TXT "3"
1.
> I'm looking for resources discussing the pros and cons of sharing
> DNSSEC keys between zones.
Surfnet published a paper in 2012 which discusses a few drawbacks; I
don't recall the exact details, but maybe there's something useful there
for you.
-JP
[1]
https://dnssec.surfnet.nl/wp-co
> We have since resolved the issue and domains should be available now.
So the issue's resolution consisted in going insecure? I'm not sure I
would call that a 'resolution'...
> To ensure this does not happen in future we have disabled Auto-DNSSec
> maintenance and we will be maintaining DNSS
> $ dig +noall +answer +multi DNSKEY $zone |
> > sed -n '/KSK/s/^.*= //p'
> if you only want to see the key id of the KSK.
If it *has* a KSK; try co.uk. ;-)
-JP
___
Hey,
is someone from Spotify on this list?
If so, please contact me off list. Your nameservers are refusing some PTR
lookups.
Best,
Jan-Philipp
___
Yes. I imagine they’ll make an announcement at some point.
Two months later I'm still curious; KE. remains insecure [1].
-JP
[1] https://dnsviz.net/d/ke/Y5TQvQ/dnssec/
___
Reported to Cogent (ticket HD303751898) but they do not seem to
understand that they manage a root name server.
Time is fleeting: "GOV zone operational update: DNSSEC transition to algorithm
13" [1]
-JP
[1] https://lists.dns-oarc.net/pipermail/dns-operations/2024-May/022554.html
_
> can i interest you in an experimental (thus far) patch to implement
> per-{client,response} rate limiting in bind?
Tony Finch has been working on query-rate limiting for BIND [1]:
> This version of BIND has been modified by Tony Finch at the University
> of Cambridge Computing Service to add p
> If that's it, then would asking djb to change its behavior
ROFL. Ask DJB to change its behavior? Good luck with that. ;-)
-JP
___
> Chancellor Merkel hasn't returned my calls even though I offered her
> $100tn to fix the Euro crisis.
She hangs out at https://twitter.com/Queen_Europe if you want to try
again... ;-)
-JP
___
noticed and
stopped answering the queries. There were also several addresses targeted at
that time. Here's a sample query:
fd 35 01 00 00 01 00 00 00 00 00 01 08 62 61 63
0010 6f 6e 64 6e 73 03 62 69 7a 00 00 ff 00 01 00 00
0020 29 23 28 00 00 00 00 00 00
Jan Inge
__
> Is it possible to determine the home gateway device (CPE) make and model
> via SNMP? If they have open DNS proxies they probably have SNMP as well.
The CPE I use (Fritzbox -- quite popular in .DE) has no SNMP agent on it
(at least not on the not-jailbroken versions :)
-JP
__
> Can we PLEASE stop forwarding those two PNGs totalling 1.8 MB
... particularly since they're not PNG but BMP, which adds insult to
injury.
-JP
___
> Looking at it further, it does seem like the source IPs of these queries
> are actually fake... as most seem to be consecutive IPs, like such:
>
> 74.125.126.86
> 74.125.126.85
> 74.125.126.84
> 74.125.126.83
> ...
That netblock belongs to Google:
NetRange: 74.125.0.0 - 74.125.25
> Actually named does do SOA queries over TCP before AXFR.
Zone transfer from BIND 9.9.1 to BIND 9.9.1; logs on master:
view internal: query: ww.mens.de IN SOA -E (192.168.1.20)
view internal: query: ww.mens.de IN IXFR -T (192.168.1.20)
view internal: transfer of 'ww.mens.de/IN': AXFR-style IX
> How does a prospective customer check a registrar's interface without
> doing something approaching reality like registering a throw-away name?
He or she may have the bright idea of checking at the TLD. A really
marvelous example is to be seen [1] at DENIC, responsible for .DE:
Q: "How do I fin
> > A registrar that does not have DS records for its main domain names
> > might lack experience dealing with DNSSEC registrations.
> Apologies if this is an obvious thing, but what is the benefit of
> publishing a DS record within the zone itself? Shouldn't they be
> published within the paren
> It is more complicated, especially with DNSSEC validation. Did anyone
> try running that on his Android?
SIDN Labs experimented with LDNS on iOS and got libUnbound working
with validation. [1]
-JP
[1] http://open.nlnetlabs.nl/pipermail/ldns-users/2012-April/000487.html
_
> "Dnssec-trigger reconfigures the local unbound DNS server."
DNSSEC-Trigger is bundled with Unbound.
What it does is to verify that DHCP-obtained forwarders do DNSSEC,
updating /etc/resolv.conf to point to the validating Unbound on
localhost if not. If neither works, DNSSEC-Trigger attempts to qu
From [1]:
"Authoritative Name Server
The Authoritative Name Server (ANS) is high-end commercial
authority-only DNS server software product from Nominum, a
company founded by Paul Mockapetris, the inventor of the DNS.
ANS was designed to meet the ne
> $ORIGIN foo.com.
> @ IN NS ns.nsservers.com.
> IN MX 1 my.email.com.
> IN CNAME mysite.hostingprovider.com.
No CNAME and other data -- that is illegal. (c.f. [1] :-)
-JP
[1]: https://twitter.com/dns_borat/status/141872826536837121
___
I only just discovered GADS (Gnu Alternative Domain System):
"a decentralized, secure name system providing an alternative to
the Domain Name System (DNS) for the Internet using memorable
names. The system builds on ideas from Rivest's Simple
Distributed Security In
> For mime BIND is always my choice, running BIND 9.7 on debian 6 OS.
Time to upgrade then: 9.7 is EOL since a few days ... ;-) [1]
> I am just curious what nameservers software have you been using?
I think you'll find people here use all sorts of nameserver brands. ISC
BIND is one of them, but
FYI, a paper (Feb 2013) titled "Defending against DNS reflection
amplification attacks" at [1].
-JP
[1]
http://www.nlnetlabs.nl/downloads/publications/report-rrl-dekoning-rozekrans.pdf
___
> the dot com DNS got corrupted for several domains
What exactly does that mean? How did it get corrupted, and what was
corrupted? Any details?
-JP
___
> (don't translate, nsfw)
Two perfectly harmless words, at least in a lot of anglo-saxon companies ;)
-JP
___
Warren,
In theory this should be sim… Oh, actually it looks like Jan-Piet has
already done this as well:
you are digging up histerical^W historical artifacts ... ;-)
Beware, that the Action plugin today would likely not run as Ansible has
restructured the plugin interface.
-JP
-dns.info/nameservers.txt. 219
resolvers still had DS records:
https://pastebin.com/USxsL3g0
(638 said "NO RECORD", 34 SERVFAIL, 1131 timed out.)
-Jan
--- End Message ---
___
o have the
best support (but is still lacking in some parts).
On the server side, I did an analysis of use of HTTPS
records by domain last year that, if a tangent, may be
of interest here, too:
https://www.netmeister.org/blog/https-rrs.html
-Jan
--- End Message ---
_
adding it to /etc/hosts :-), but I
wouldn't assume that this actually gets to somebody
able to fix things.
-Jan
[1] https://mstdn.social/@rysiek/114089755401568345
[2] https://cyberplace.social/@GossiTheDog/114089601659176174
--- End Message ---
___
--- Begin Message ---
Stephane Bortzmeyer wrote:
> On Sat, Mar 01, 2025 at 08:44:56PM -0500,
> Jan Schaumann via dns-operations wrote
> a message of 86 lines which said:
>
> > It looks like currently the NS for nih.gov only
> > respond to TCP queries.
>
> I
--- Begin Message ---
Out of curiosity, does anybody know why .KE went insecure just after
2022-09-15 18:37Z [1]? They appear to have removed all DNSSEC related data
meanwhile [2].
-JP
[1] https://dnsviz.net/d/ke/YyNw8w/dnssec/
[2] https://dnsviz.net/d/ke/Yy3YYw/dnssec/
--- End Messag
48 matches