Re: [dns-operations] Request To Clear Cache: NYTimes.com

2013-08-27 Thread Stephane Bortzmeyer
On Tue, Aug 27, 2013 at 04:55:19PM -0500, da...@from525.com wrote a message of 22 lines which said: > I am a DNS Administrator at NYTimes.com. I regret there is no more authentification. I don't know from25.com... > Earlier today we had issues with > our registrar updating our NS records o

Re: [dns-operations] DNS Attack over UDP fragmentation

2013-09-04 Thread Stephane Bortzmeyer
On Wed, Sep 04, 2013 at 03:08:55PM +0200, Ondřej Surý wrote a message of 81 lines which said: > So what are the views of other people on this list? [Total noob just going back from holidays and therefore even less competent than usual.] Isn't it a good idea to limit the maximum size of the res

Re: [dns-operations] DNS Attack over UDP fragmentation

2013-09-04 Thread Stephane Bortzmeyer
On Wed, Sep 04, 2013 at 04:04:13PM +0200, Ondřej Surý wrote a message of 93 lines which said: > > Isn't is a good idea to limit the maximum size of the response, > > like .com/.net (and may be other TLD: examples welcome) do? This > > will make the attack more difficult. > > That could work,

Re: [dns-operations] DNS Attack over UDP fragmentation

2013-09-04 Thread Stephane Bortzmeyer
On Wed, Sep 04, 2013 at 11:01:43PM +0900, Yasuhiro Orange Morishita / 森下泰宏 wrote a message of 40 lines which said: > RELNOTES of NSD 3.2.9 describes the following, > we may separate max-udp-size value for IPv4 and for IPv6. This controls the size of the IP datagram sent by the application (t

Re: [dns-operations] DNS Attack over UDP fragmentation

2013-09-04 Thread Stephane Bortzmeyer
On Wed, Sep 04, 2013 at 03:11:17PM +0100, Jim Reid wrote a message of 11 lines which said: > Don't fragment at all, set TC=1 on responses which would cause UDP > or lower layer fragmentation Not obvious to implement, the application (the name server) typically does not know the path MTU befo

Re: [dns-operations] DNS Attack over UDP fragmentation

2013-09-04 Thread Stephane Bortzmeyer
On Wed, Sep 04, 2013 at 10:45:42PM +0900, Yasuhiro Orange Morishita / 森下泰宏 wrote a message of 38 lines which said: > So, we might set max-udp-size to 1220 for preventing UDP > fragmentation. But, in IPv4, the attacker can send spoofed ICMP "packet too big" messages to decrease the size of t

Re: [dns-operations] DNS Attack over UDP fragmentation

2013-09-05 Thread Stephane Bortzmeyer
On Wed, Sep 04, 2013 at 06:02:20PM +0200, Jaroslav Benkovský wrote a message of 23 lines which said: > the authors mention that the recommendation for IP-ID on IPv6 is a > sequential value, IMHO, RFC 2460, section 4.5 is badly wrong, security-wise, because of that. As Francis said,

Re: [dns-operations] DNS Attack over UDP fragmentation

2013-09-05 Thread Stephane Bortzmeyer
On Wed, Sep 04, 2013 at 05:01:47PM +, Dan York wrote a message of 32 lines which said: > My interest in understanding this attack is to understand how severe > it may be and whether or not it would be prevented by full > deployment of DNSSEC. My opinion is that, yes, it is a real and prac

Re: [dns-operations] DNS Attack over UDP fragmentation

2013-09-06 Thread Stephane Bortzmeyer
On Thu, Sep 05, 2013 at 02:54:18PM -0700, Paul Vixie wrote a message of 68 lines which said: > Florian Weimer wrote: > > > > Because DNSSEC does not prevent cache poisoning, it only detects it. > > i do not understand this statement. The way I understand it: with Kaminsky and/or Shulman, you

Re: [dns-operations] DNS Attack over UDP fragmentation

2013-09-09 Thread Stephane Bortzmeyer
On Fri, Sep 06, 2013 at 09:44:34PM +0300, Haya Shulman wrote a message of 232 lines which said: > We studied the IPID randomisation on the name servers (not the resolvers). Just a warning: it's IPID _unpredictability_ (for a blind attacker) which is important. Randomisation can be bad because

Re: [dns-operations] DNS Attack over UDP fragmentation

2013-09-11 Thread Stephane Bortzmeyer
On Tue, Sep 10, 2013 at 07:14:04PM +0300, Haya Shulman wrote a message of 187 lines which said: > > the trouble with randomizing the IPID is that this would require > > kernel-level patches (as opposed to just DNS server software > > upgrade), I believe. This makes it somewhat harder to deplo

Re: [dns-operations] .ORG website experiences intermittent DNS failure

2013-09-30 Thread Stephane Bortzmeyer
On Mon, Sep 30, 2013 at 03:25:51PM -0400, Catherine Burdon wrote a message of 122 lines which said: > Website www.newmarketstageco.org experiencing DNS failure > intermittently. For me, it is not intermittent, it is solidly broken. % check-soa newmarketstageco.org ns1.securehost.com.

Re: [dns-operations] .ORG website experiences intermittent DNS failure

2013-09-30 Thread Stephane Bortzmeyer
On Mon, Sep 30, 2013 at 09:41:48PM +0200, Stephane Bortzmeyer wrote a message of 39 lines which said: > > have verified the DNS zone settings for the domain and all are > > correct. > > I do not think so. There are other errors: 1) the set of name servers at the parent

Re: [dns-operations] Ang.: ALERT: .QA CCTLD in wrong hands currently

2013-10-20 Thread Stephane Bortzmeyer
On Sun, Oct 20, 2013 at 05:19:45PM +0100, Jim Reid wrote a message of 14 lines which said: > > https://twitter.com/Official_SEA16/status/391339315562688513 > > If it's on Twitter it must be true, right? :-) It has been discussed on this list more than 24 h ago so it is old news, and Twitter

Re: [dns-operations] summary of recent vulnerabilities in DNS security.

2013-10-22 Thread Stephane Bortzmeyer
On Tue, Oct 22, 2013 at 10:48:52AM +0100, Tony Finch wrote a message of 43 lines which said: > Apart from avoiding fragments, are there other ways to mitigate this > attack? If I remember correctly, in her paper, Shulman mentioned possible rules at the registry: limiting the maximum number of

Re: [dns-operations] Ang.: ALERT: .QA CCTLD in wrong hands currently

2013-10-22 Thread Stephane Bortzmeyer
On Tue, Oct 22, 2013 at 02:18:20PM +0200, Anne-Marie Eklund-Löwinder wrote a message of 64 lines which said: > Not necessarily, but it is the only information I've seen so far. :) With DNSDB and RIPE Atlas probes and all the monitoring systems that run day and night on the Internet, there is

Re: [dns-operations] It's begun...

2013-10-24 Thread Stephane Bortzmeyer
On Wed, Oct 23, 2013 at 01:11:43PM -0700, Rick Wesson wrote a message of 100 lines which said: > Does ICANN have a root-zone announce list? Email lists are so last-century :-) IANA has Twitter ___ dns-operations ma

Re: [dns-operations] It's begun...

2013-10-24 Thread Stephane Bortzmeyer
On Thu, Oct 24, 2013 at 02:12:10PM +0100, Chris Thompson wrote a message of 28 lines which said: > Neither dnssec-debugger.verisignlabs.com nor dnsviz.net are able to > analyse validations problems for NXDOMAIN responses, DNSviz does not do it by default but you can activate it ("DNSSEC optio

Re: [dns-operations] It's begun...

2013-10-24 Thread Stephane Bortzmeyer
On Thu, Oct 24, 2013 at 04:33:52PM +0200, Anne-Marie Eklund-Löwinder wrote a message of 39 lines which said: > Twitter is so last year. IANA notifications over 4chan? Or am I so late I don't even know the trend of the day?

Re: [dns-operations] summary of recent vulnerabilities in DNS security.

2013-10-25 Thread Stephane Bortzmeyer
On Thu, Oct 24, 2013 at 09:11:41AM +0300, Daniel Kalchev wrote a message of 247 lines which said: > This is not an attack on DNS, but an attack on IP reassembly > technology. Frankly, I do not share this way of seeing things. Since the DNS is, by far, the biggest user of UDP and since TCP is

Re: [dns-operations] summary of recent vulnerabilities in DNS security.

2013-10-25 Thread Stephane Bortzmeyer
On Tue, Oct 22, 2013 at 11:59:04PM +, Vernon Schryver wrote a message of 50 lines which said: > Why would there be extra support calls? Wrong keys are no worse > than wrong delegations Of course, they are worse. In the vast majority of cases, lame delegations (or other mistakes) do not

Re: [dns-operations] summary of recent vulnerabilities in DNS security.

2013-10-25 Thread Stephane Bortzmeyer
On Tue, Oct 22, 2013 at 01:28:15PM -0700, Paul Vixie wrote a message of 24 lines which said: > BIND9 V9.9 may surprise you. it has inline signing and automatic key > management. I don't think it is a fair description of BIND 9.9 abilities. It does not manage keys (which, IMHO, means creating t

Re: [dns-operations] summary of recent vulnerabilities in DNS security.

2013-10-29 Thread Stephane Bortzmeyer
On Tue, Oct 29, 2013 at 12:07:10AM -0200, Rubens Kuhl wrote a message of 30 lines which said: > Would DNSSHIM or Atomia DNS fit your description of DNSSEC > management ? [Warning, quick glance only] DNSSHIM claims to be able to "manage" DNSSEC keys but the documentation apparently does not

Re: [dns-operations] It's begun...

2013-11-15 Thread Stephane Bortzmeyer
On Thu, Nov 14, 2013 at 06:02:23PM +0100, Phil Regnauld wrote a message of 25 lines which said: > I'm waiting for the first news articles reporting corporate > networks who've used .[insert new tld] as their private domain > and are now seeing strange things. "BigCo CIO decl

Re: [dns-operations] authority outage for ns[1-5].msft.net?

2013-11-24 Thread Stephane Bortzmeyer
On Thu, Nov 21, 2013 at 06:17:24PM -0500, David Dagon wrote a message of 31 lines which said: > Trying from various locations, I can't seem to reach these > authorities: By the way, this is not the full list. The real one is larger (returned here by f.gtld-servers.net): ;; ADDITIONAL SECTI

Re: [dns-operations] authority outage for ns[1-5].msft.net?

2013-11-24 Thread Stephane Bortzmeyer
On Sun, Nov 24, 2013 at 10:52:27AM -0500, Mark E. Jeftovic wrote a message of 16 lines which said: > > Now, if someone from Microsoft can explain why IPv4 was down on all > > these sites and not IPv6, I'm all ears... > > > DDoS? I have a lot of trouble trying to imagine a DoS that could brin

Re: [dns-operations] Are IANA GlueCoherencyCheck for authoritative name servers correct?

2013-12-23 Thread Stephane Bortzmeyer
On Sat, Dec 21, 2013 at 12:52:06PM +0100, Klaus Darilion wrote a message of 72 lines which said: > Currently, the TLD name servers do not provide glue records for itself. ... > I think this is correct, because nic.wien is delegation: I don't know if it is correct :-) but it is the same for oth

[dns-operations] fcc.gov has two name servers with MTU issues

2014-01-06 Thread Stephane Bortzmeyer
[Yes, problems should be reported to the zone manager first. In that case, the listed address gets a ": host dc-ip-2.fcc.gov[192.104.54.91] said: 550 #5.1.0 Address rejected. (in reply to RCPT TO command)"] ns3.fcc.gov and ns4.fcc.gov (but not the other two) time out when queried with the default

Re: [dns-operations] DNS namespace collisions and "controlled interruption"

2014-01-10 Thread Stephane Bortzmeyer
On Wed, Jan 08, 2014 at 08:51:00PM +, Jeff Schmidt wrote a message of 110 lines which said: > Please look here: > > http://domainincite.com/15512-controlled-interruption-as-a-means-to-prevent-name-collisions-guest-post > Will serving localhost IPs cause the kind of visibility required to

Re: [dns-operations] DNS namespace collisions and "controlled interruption"

2014-01-13 Thread Stephane Bortzmeyer
On Fri, Jan 10, 2014 at 03:56:56PM +, Jeff Schmidt wrote a message of 184 lines which said: > I'm not sure I understand this thinking precisely - if Joe Employee has a > problem accessing Acme's resources (the bookmarked web page) isn't he > likely to seek support from Acme? No, he will p

Re: [dns-operations] Is it illegal to query the .berlin TLD servers?

2014-01-13 Thread Stephane Bortzmeyer
On Sat, Jan 11, 2014 at 06:32:00PM +0100, Peter Koch wrote a message of 21 lines which said: > Take a breath - or let the compliance jihad begin: These ICANN rules (against "dotless" domains) are meaningless and ridiculous, anyway. I agree that such a TXT or TYPE65534 does no harm and should

Re: [dns-operations] Is it illegal to query the .berlin TLD servers?

2014-01-13 Thread Stephane Bortzmeyer
On Sat, Jan 11, 2014 at 09:41:51PM +0100, Jaap Akkerhuis wrote a message of 18 lines which said: > I vaguely remember that the AFNIC.fr people also noticed these > popping up in some cases. https://www.dns-oarc.net/files/workshop-201103/DNSSEC_Key_Deletion_Issue-Vincent_Levigneron-afnic.pdf

Re: [dns-operations] Is it illegal to query the .berlin TLD servers?

2014-01-13 Thread Stephane Bortzmeyer
On Mon, Jan 13, 2014 at 01:16:43PM -0200, Rubens Kuhl wrote a message of 43 lines which said: > There's also been a dot less A record for .dk for ages, Many TLD have a A at the apex. .dk is the only one with a at the apex :-) See RFC 7085

[dns-operations] DNSSEC at ICANN: still no check?

2014-01-20 Thread Stephane Bortzmeyer
.red and .rich both have a nic.$TLD which is unsigned. The lack of DS is not validated, since only one NSEC3 is returned. It seems similar to the problem of .онлайн / .xn--80asehdb three months ago. % dig SOA nic.red ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> SOA nic.red ;; global options: +cmd ;; Go

Re: [dns-operations] DNSSEC at ICANN: still no check?

2014-01-20 Thread Stephane Bortzmeyer
On Mon, Jan 20, 2014 at 05:10:13PM +0100, Stephane Bortzmeyer wrote a message of 41 lines which said: > 4iafiqi7pvouh4fbdvcmrap96fj3lefb.red. 82 IN NSEC3 1 1 1 D399EAAB > 6EIVIDT04UJLNSB9HA6K5QRIKLTRRA49 There is also an empty type bitmap, "proving" that the NS record set av

Re: [dns-operations] DNSSEC at ICANN: still no check?

2014-01-20 Thread Stephane Bortzmeyer
On Mon, Jan 20, 2014 at 04:24:53PM +, Roy Arends wrote a message of 121 lines which said: > I don’t understand the problem. Do you expect nic.red to be > dnssec-signed? Not at all. I expect its non-signature to be validated, but it isn't. % dig SOA nic.red ; <<>> DiG 9.8.4-rpz2+rl005

[dns-operations] Anyone has more info on China DNS issue?

2014-01-23 Thread Stephane Bortzmeyer
I know only what was published in: http://www.pcworld.com/article/2089760/mysterious-networking-error-stifles-internet-access-in-china.html The IP address 65.49.2.178 is known in DNSDB but only for a few names (some in China) so there is not a lot of data.

Re: [dns-operations] Anyone has more info on China DNS issue?

2014-01-23 Thread Stephane Bortzmeyer
On Thu, Jan 23, 2014 at 09:16:07AM +0100, Stephane Bortzmeyer wrote a message of 13 lines which said: > I know only what was published in: More technical details (don't know if it's true) here: http://www.itproportal.com/2014/01/23/huge-internet-glitch-china-cause

[dns-operations] CloudNS

2014-01-27 Thread Stephane Bortzmeyer
No opinion yet, just an interesting service. Public DNS resolver with DNSSEC validation + mandatory DNScrypt to reach it. Supports Namecoin. https://cloudns.com.au/

Re: [dns-operations] shunning malware-hosting registrars

2014-01-28 Thread Stephane Bortzmeyer
On Tue, Jan 28, 2014 at 10:43:21AM -0500, Daniel Sterling wrote a message of 31 lines which said: > Would it be possible for the larger DNS community to blacklist and > stop serving domains from registrars that are known to be friendly > to malware authors? For example, the recent FileZilla ma

Re: [dns-operations] Atlas Probe - Result question hostname.bind = "clboh-dns-cac-307"

2014-02-12 Thread Stephane Bortzmeyer
On Fri, Feb 07, 2014 at 07:04:02PM +0100, Matthäus Wander wrote a message of 163 lines which said: > A few probes are behind a transparent DNS proxy. Whatever > destination address you set, the query will go to a resolver in the > local network. Also, some IAP announces the prefixes of anycas

Re: [dns-operations] DNSSEC at ICANN: still no check?

2014-02-18 Thread Stephane Bortzmeyer
On Mon, Jan 20, 2014 at 04:37:50PM +, Roy Arends wrote a message of 97 lines which said: > The problem is indeed the absence of type NS in the type bit maps, as you > (and Peter van > Dijk) showed in your previous mail. Experience being useless, nobody fixed the bug or the pre-delegati

Re: [dns-operations] DNSSEC at ICANN: still no check?

2014-02-18 Thread Stephane Bortzmeyer
On Tue, Feb 18, 2014 at 09:18:48AM +0100, Stephane Bortzmeyer wrote a message of 61 lines which said: > Experience being useless, nobody fixed the bug or the pre-delegation > tests: .pink is now broken because of the same bug. Seems fixed now. (Still servfails when you have the wrong

Re: [dns-operations] nsf.gov DNS is broken

2014-03-13 Thread Stephane Bortzmeyer
On Wed, Mar 12, 2014 at 02:10:01PM -0700, Michael Sinatra wrote a message of 16 lines which said: > nsf.gov's DNS is broken. NSF has apparently made the classic USGBKR > (US Government Botched KSK Rollover). Basically, the DS record in > the parent zone (.gov) points to a KSK that is in the

[dns-operations] New IETF work on DNS privacy

2014-03-20 Thread Stephane Bortzmeyer
We'll talk more about that at the OARC workshop in Warsaw but, in case some people here are not aware of it, IETF now has a mailing list dedicated to DNS privacy. --- Begin Message --- A new IETF non-working group email list has been created. List address: dns-priv...@ietf.org Archive: http://www.

Re: [dns-operations] New IETF work on DNS privacy

2014-03-24 Thread Stephane Bortzmeyer
On Thu, Mar 20, 2014 at 04:07:34PM +0100, Stephane Bortzmeyer wrote a message of 167 lines which said: > We'll talk more about that at the OARC workshop in Warsaw but, in case > some people here are not aware of it, IETF now has a mailing list > dedicated to DNS privacy. And

Re: [dns-operations] should recursors think there are only delegation data in tld name servers?

2014-03-26 Thread Stephane Bortzmeyer
On Wed, Mar 26, 2014 at 08:22:03PM +0800, 刘明星 wrote a message of 59 lines which said: > if a recursor asks a tld server for A records of a domain name, > such as a.test.tld, the .tld server returns a nxdomain response to > the recursor. Only if test.tld does not exist. > In this case, the recu

[dns-operations] Hijacking of Google Public DNS in Turkey documented

2014-03-29 Thread Stephane Bortzmeyer
http://www.bortzmeyer.org/dns-routing-hijack-turkey.html (with the help of RIPE Atlas probes)

Re: [dns-operations] Hijacking of Google Public DNS in Turkey documented

2014-03-30 Thread Stephane Bortzmeyer
> http://www.bortzmeyer.org/dns-routing-hijack-turkey.html The answer to your question is in the article: > if you try a little-known open DNS resolver, there is no problem, > even from Turkey, you get correct results (measurement #1605104).

Re: [dns-operations] Hijacking of Google Public DNS in Turkey documented

2014-03-30 Thread Stephane Bortzmeyer
> http://www.bortzmeyer.org/dns-routing-hijack-turkey.html Here is the result of a lookup of whoami.akamai.net from the ten Turkish RIPE Atlas probes: [74.125.18.80] : 2 occurrences [195.175.255.66] : 8 occurrences 74.125.18.80 is Google, 195.175.255.66 Turkish Telecom. So, no, Google Public DNS

[dns-operations] Introducing CNAME Flattening: RFC-Compliant CNAMEs at a Domain's Root

2014-04-04 Thread Stephane Bortzmeyer
[Warning: sloppy terminology, for instance, "root" is not used in the usual DNS meaning.] http://blog.cloudflare.com/introducing-cname-flattening-rfc-compliant-cnames-at-a-domains-root Funny idea but it works only if your DNS is hosted at CloudFlare. I was not able to find a real example: all th

Re: [dns-operations] DNSKEY RRSIGs expired on xn--3bst00m & xn--6qq986b3xl

2014-04-15 Thread Stephane Bortzmeyer
On Thu, Apr 10, 2014 at 07:48:09PM +0100, Chris Thompson wrote a message of 23 lines which said: > The signatures on the DNSKEY RRsets for two of the new generic TLDs have > expired I seize the opportunity to recommend an automatic monitoring of signature expiration (of course, we all do it

Re: [dns-operations] Uptick in number of domains losing delegation recently

2014-04-22 Thread Stephane Bortzmeyer
On Tue, Apr 22, 2014 at 12:01:39PM -0700, Todd Lyons wrote a message of 31 lines which said: > the expiration date is still a ways off, and whois is delegated to > the correct DNS. But when we do a dig +trace for that domain, the > GTLD servers don't return any NS glue. Do they return NXDOMA

Re: [dns-operations] Best practices for Linux/UNIX stub resolver failover

2014-04-22 Thread Stephane Bortzmeyer
On Tue, Apr 22, 2014 at 03:04:27PM -0400, Chuck Anderson wrote a message of 51 lines which said: > Because the failover behavior in libc is atrocious--each new or > existing process has to re-do the failover after timing out, and > even long-running processes have to call res_init() to re-read

Re: [dns-operations] AAAA record for c.root-servers.net

2014-04-23 Thread Stephane Bortzmeyer
On Mon, Apr 21, 2014 at 10:33:42AM +0300, Daniel Kalchev wrote a message of 165 lines which said: > This is apparently a bug in the RIPE Atlas probe management > software — it needs to make sure the probe can generally reach its > own measurement targets, before assigning it to do any public

Re: [dns-operations] about the rName with dot

2014-04-28 Thread Stephane Bortzmeyer
On Mon, Apr 28, 2014 at 10:43:35PM +0800, Ken Peng wrote a message of 13 lines which said: > Is there a live example for this kind of rName? fdupont.fr

Re: [dns-operations] rdata out of range

2014-04-30 Thread Stephane Bortzmeyer
On Wed, Apr 30, 2014 at 06:03:58PM +0800, Ken Peng wrote a message of 22 lines which said: > 800099 is the serial I set up. RFC 1035 says: SERIAL The unsigned 32 bit version number [...] So, its maximum value is 4294967295

Re: [dns-operations] rdata out of range

2014-04-30 Thread Stephane Bortzmeyer
On Wed, Apr 30, 2014 at 12:09:42PM +0200, Petr Spacek wrote a message of 28 lines which said: > It has to be in range [0,2^31-1]. I disagree, [0,2^32-1].

Re: [dns-operations] Opened Pandora's box of Cache Poisoning

2014-05-01 Thread Stephane Bortzmeyer
On Fri, May 02, 2014 at 01:48:59AM +0900, T.Suzuki wrote a message of 20 lines which said: > Opened Pandora's box of Cache Poisoning > http://www.e-ontap.com/dns/endofdns-e.html > > Conclusions of this report: I'm confused. I expected a scientific/technical paper/report and I find only one W

Re: [dns-operations] Opened Pandora's box of Cache Poisoning

2014-05-01 Thread Stephane Bortzmeyer
On Fri, May 02, 2014 at 02:52:16AM +0900, T.Suzuki wrote a message of 26 lines which said: > For expert, the page shows enough hints. I must conclude that I am not an expert (something I managed to hide from my employer until now).

Re: [dns-operations] Opened Pandora's box of Cache Poisoning

2014-05-01 Thread Stephane Bortzmeyer
On Fri, May 02, 2014 at 02:52:16AM +0900, T.Suzuki wrote a message of 26 lines which said: > And they already issued the warning. (in Japanese) > http://jprs.jp/tech/security/2014-04-15-portrandomization.html That's unrelated: the JPRS text was about the fact that, six years after Kaminsky, th

Re: [dns-operations] Opened Pandora's box of Cache Poisoning

2014-05-03 Thread Stephane Bortzmeyer
On Sun, May 04, 2014 at 01:43:06AM +0900, Daisuke Kotani wrote a message of 66 lines which said: > One thing that should be noted in the "Additional Page" is that the > jp. name servers directly delegate example.ac.jp to the > authoritative servers of it, and no RR of QNAME "ac.jp." Yes, it h

Re: [dns-operations] Subverting BIND's SRTT Algorithm Derandomizing NS Selection

2014-05-06 Thread Stephane Bortzmeyer
On Tue, May 06, 2014 at 09:09:47AM -0700, Paul Ferguson wrote a message of 36 lines which said: > http://thehackernews.com/2014/05/critical-vulnerability-in-bind-software.html A good debunking: http://fanf.livejournal.com/127748.html

Re: [dns-operations] Subverting BIND's SRTT Algorithm Derandomizing NS Selection

2014-05-07 Thread Stephane Bortzmeyer
On Tue, May 06, 2014 at 09:09:47AM -0700, Paul Ferguson wrote a message of 36 lines which said: > http://thehackernews.com/2014/05/critical-vulnerability-in-bind-software.html One of the authors of the original article distanced himself from the marketing buzz: http://roeehay.blogspot.co.il/

[dns-operations] A funny DNS vulnerability

2014-05-09 Thread Stephane Bortzmeyer
--- Begin Message --- CVE-2014-1849 Foscam Dynamic DNS predictable credentials vulnerability Date Published: 05-08-2014 Class: Design error Remotely Exploitable: yes Vulnerability Description: Foscam IP camera vendor provides a Dynamic DNS (DynDNS) service. Every Foscam camera has a preassigne

[dns-operations] Tor and the answers > 512 bytes

2014-05-13 Thread Stephane Bortzmeyer
It appears that Tor is still limited to 512 bytes / no TCP :-( https://trac.torproject.org/projects/tor/ticket/4734

Re: [dns-operations] 172.in-addr.arpa DNSSEC broken

2014-05-20 Thread Stephane Bortzmeyer
On Tue, May 20, 2014 at 04:14:27PM -0400, Jared Mauch wrote a message of 20 lines which said: > > http://dnsviz.net/d/16.172.in-addr.arpa > > Is this perhaps related to AS112 project as well or 172.16 zones > being built-in to some resolvers? The OP made a small typo in the URL. The problem

Re: [dns-operations] alidns

2014-06-16 Thread Stephane Bortzmeyer
On Fri, Jun 06, 2014 at 11:48:03AM +0100, Tony Finch wrote a message of 33 lines which said: > ANY queries seem to trigger SERVFAIL. Works for me. (Awfully slow, as noticed here.) % dig @223.5.5.5 ANY www.bortzmeyer.org ; <<>> DiG 9.9.5-4-Debian <<>> @223.5.5.5 ANY www.bortzmeyer.org ; (1 s

Re: [dns-operations] alidns

2014-06-16 Thread Stephane Bortzmeyer
On Fri, Jun 06, 2014 at 06:07:59PM +0800, hua peng wrote a message of 11 lines which said: > anybody give a test and review on alidns.com? Lying resolver. (The real addresses are in 173.252.96.0/19) % dig @223.5.5.5 A facebook.com ; <<>> DiG 9.9.5-4-Debian <<>> @223.5.5.5 A facebook.co

Re: [dns-operations] alidns

2014-06-17 Thread Stephane Bortzmeyer
On Tue, Jun 17, 2014 at 09:29:54AM +0800, hua peng wrote a message of 6 lines which said: > >Lying resolver. (The real addresses are in 173.252.96.0/19) > > > > How do you know that? You just query DNS resolvers that are outside of the reach of the chinese government.

Re: [dns-operations] alidns

2014-06-20 Thread Stephane Bortzmeyer
On Tue, Jun 17, 2014 at 10:43:04AM -0700, Matthew Ghali wrote a message of 133 lines which said: > Your methodology may have been sufficient 20 years ago, but just > about any CDN complicates the issue. How do you propose > distinguishing between deliberate traffic engineering and lies, Heur

Re: [dns-operations] validation failure

2014-06-27 Thread Stephane Bortzmeyer
On Fri, Jun 27, 2014 at 11:37:38AM +0100, Billy Glynn wrote a message of 64 lines which said: > Jun 27 11:27:49 rhel65-esxi unbound: [4761:3] info: 83.71.193.115 ietf.org. A > IN > Jun 27 11:27:51 rhel65-esxi unbound: [4761:3] info: validation failure > : No DNSKEY record from 173.245.58.108

Re: [dns-operations] What's wrong with my domain?

2014-07-02 Thread Stephane Bortzmeyer
On Wed, Jul 02, 2014 at 06:29:22AM -0400, Mohamed Lrhazi wrote a message of 82 lines which said: > Some DNS > servers, notably Google's, return SERVFAIL, When using a validating resolver, like Google's, always test *also* with +cd (Checking Disabled). If it works with +cd and servfails witho

Re: [dns-operations] What's wrong with my domain?

2014-07-02 Thread Stephane Bortzmeyer
On Wed, Jul 02, 2014 at 12:08:36PM +0100, Tony Finch wrote a message of 25 lines which said: > Your DS record doesn't match your DNSKEY records. The OP could also use the excellent DNSviz: http://dnsviz.net/d/gu.edu/U7Pp0g/dnssec/ which rightly says: gu.edu/DNSKEY:DS RRs exist for algorith

Re: [dns-operations] Need contacts

2014-07-02 Thread Stephane Bortzmeyer
On Wed, Jul 02, 2014 at 10:47:33AM -0700, Dan Durrer wrote a message of 57 lines which said: > I can’t get into the specifics but a glue change may occur shortly > for the No-IP zones. We know how to use dig and whois :-) The No-IP zones are all back to No-IP (from Microsoft) and seem to work

Re: [dns-operations] Prevalence of query/response logging?

2014-07-04 Thread Stephane Bortzmeyer
On Fri, Jul 04, 2014 at 06:00:48PM +0700, Roland Dobbins wrote a message of 23 lines which said: > I know that some DNS operators disable logging of queries/responses > due to the overhead of doing so Logging in the name server itself is typically very slow, takes resources and, more seriously

Re: [dns-operations] Need contacts

2014-07-04 Thread Stephane Bortzmeyer
On Wed, Jul 02, 2014 at 10:28:31PM +0200, bert hubert wrote a message of 7 lines which said: > On Wed, Jul 02, 2014 at 09:36:38PM +0200, Stephane Bortzmeyer wrote: > > We know how to use dig and whois :-) The No-IP zones are all back to > > No-IP (from Microsoft) and seem to

Re: [dns-operations] What's the story on gmail.fr?

2014-07-06 Thread Stephane Bortzmeyer
On Sun, Jul 06, 2014 at 03:45:18PM +0200, sth...@nethelp.no wrote a message of 30 lines which said: > But according to the name servers for .fr, > > gmail.fr. 172800 IN NS dns1.emarkmonitor.com. > gmail.fr. 172800 IN NS dns2.emarkmonitor.com.

Re: [dns-operations] What's the story on gmail.fr?

2014-07-06 Thread Stephane Bortzmeyer
On Sun, Jul 06, 2014 at 05:10:29PM +0200, Emmanuel Thierry wrote a message of 45 lines which said: > Contrarily to dnsN.emarkmonitor.com, nsN.markmonitor.com replies to queries. > But the answer is still different from google servers : It does not matter what server X or server Y says, even i

Re: [dns-operations] What's the story on gmail.fr?

2014-07-06 Thread Stephane Bortzmeyer
On Sun, Jul 06, 2014 at 05:14:10PM +0200, Emmanuel Thierry wrote a message of 52 lines which said: > By the way, as far as i know french people use gmail.com in place of > gmail.fr. They won't even notice ! ;) Indeed, I've never seen gmail.fr advertised by Google and I'm surprised to learn it

Re: [dns-operations] dnssec ecc

2014-07-15 Thread Stephane Bortzmeyer
On Fri, Jul 11, 2014 at 06:46:16PM -0400, James Cloos wrote a message of 6 lines which said: > Are enough current verifiers capable of verifying ecdsa to make it > reasonable to deploy ECDSAP256SHA256 or ECDSAP384SHA384 keys? I'm not aware of any published survey (Geoff Huston's style: send a

[dns-operations] Another public DNS resolver, this time with DNSSEC

2014-07-20 Thread Stephane Bortzmeyer
Note that they are validators: https://dns.watch/ Unlike what they claim, I find them quite slow, especially outside of Europe.

Re: [dns-operations] Another public DNS resolver, this time with DNSSEC

2014-07-20 Thread Stephane Bortzmeyer
On Sun, Jul 20, 2014 at 08:11:43PM +, Evan Hunt wrote a message of 19 lines which said: > I wish I knew who they were, though: it's not obvious from the > website, and dns.watch doesn't have an MX record. It's harder to > evaluate claims of neutrality and data privacy when I don't know wh

Re: [dns-operations] ISC Network Issue affecting OARC services

2014-07-22 Thread Stephane Bortzmeyer
On Mon, Jul 21, 2014 at 01:57:48PM -0400, Keith Mitchell wrote a message of 30 lines which said: > a significant DDoS attack against ISC https://twitter.com/ISCdotORG/status/491641920582844417

Re: [dns-operations] difference between several NS with several glue

2014-07-30 Thread Stephane Bortzmeyer
On Thu, Jul 24, 2014 at 10:44:29AM -0700, Dave Warren wrote a message of 29 lines which said: > From what I understand, when 1.1.1.1 fails to respond, all of > a.example.net will be considered bad, so 2.2.2.2 and 3.3.3.3 won't > be queried at all, and a resolver will return a SERVFAIL. Is the

Re: [dns-operations] BAD (HORIZONTAL) REFERRAL in one nameserver of "mm" ?

2014-07-30 Thread Stephane Bortzmeyer
On Wed, Jul 30, 2014 at 01:55:19PM +0800, Zheng Wang wrote a message of 104 lines which said: > @mm.cctld.authdns.ripe.net. The referral is bad. Yes, net.mm has a lame delegation: % check-soa -i net.mm mm.cctld.authdns.ripe.net. 2001:67c:e0::96: ERROR:

Re: [dns-operations] BAD (HORIZONTAL) REFERRAL in one nameserver of "mm" ?

2014-07-30 Thread Stephane Bortzmeyer
On Wed, Jul 30, 2014 at 09:10:12AM +0200, Stephane Bortzmeyer wrote a message of 28 lines which said: > I often see these problems with "deep" TLD (those with registration in > a SLD). TLD managers ask for a secondary hosting and wrongly assume > that it will work for all t

Re: [dns-operations] BAD (HORIZONTAL) REFERRAL in one nameserver of "mm" ?

2014-07-31 Thread Stephane Bortzmeyer
On Wed, Jul 30, 2014 at 07:45:10PM +, Phil Regnauld wrote a message of 28 lines which said: > (v6 is not reachable from here, Then, use the -4 option of check-soa. > ... but looks ok to me otherwise. Strange. dig agrees with check-soa: % dig @193.0.9.96 SOA net.mm ; <<>> DiG 9.8.4-rpz

Re: [dns-operations] BAD (HORIZONTAL) REFERRAL in one nameserver of "mm" ?

2014-07-31 Thread Stephane Bortzmeyer
On Thu, Jul 31, 2014 at 09:48:07AM +, Phil Regnauld wrote a message of 46 lines which said: > Not what I'm seeing, and it was like this already yesterday... Have more coffee and retry with the same domain as me (which is not .mm) :-)

[dns-operations] A report on a DNS issue that was causing page redirections

2014-08-12 Thread Stephane Bortzmeyer
Long and technically detailed story of a big DNS blunder, with unexpected consequences: http://blog.qbaka.com/post/94537269389/a-report-on-a-dns-issue-that-was-causing-page The author says "your domain name registrar can introduce an error to the root domain database and match your domain to an i

Re: [dns-operations] A report on a DNS issue that was causing page redirections

2014-08-13 Thread Stephane Bortzmeyer
On Tue, Aug 12, 2014 at 06:59:37PM +0200, Stephane Bortzmeyer wrote a message of 14 lines which said: > The author says "your domain name registrar can introduce an error to > the root domain database and match your domain to an incorrect DNS > servers (this actually happe

[dns-operations] Validating or not validating (ICANN controlled interruption)

2014-09-03 Thread Stephane Bortzmeyer
BIND validates "A nimportequoi.otsuka" and yields an answer with AD bit set. Unbound gives back the answer but without the AD bit. [Try it yourself, 'dig @unbound.odvr.dns-oarc.net A nimportequoi.otsuka' and 'dig @bind.odvr.dns-oarc.net A nimportequoi.otsuka'] In some cases (difficult to pinpoin

Re: [dns-operations] Validating or not validating (ICANN controlled interruption)

2014-09-03 Thread Stephane Bortzmeyer
On Wed, Sep 03, 2014 at 10:19:29AM +0200, Ralf Weber wrote a message of 23 lines which said: > > In some cases (difficult to pinpoint, depending on the resolver's > > state), both BIND and Unbound return SERVFAIL. > Could you be more specific. % dig @relay1 A nimportequoi.otsuka ; <<>> DiG

Re: [dns-operations] Botnets, botnets everywhere

2014-09-11 Thread Stephane Bortzmeyer
On Thu, Sep 11, 2014 at 04:38:25PM +0400, Peter Andreev wrote a message of 29 lines which said: > a lot of very weird queries, like the following: > > 16:11:41.450794 IP 217.195.66.253.37426 > 62.76.76.62.53: 42580+ A? > swfjwvtkhqx.www.feile.com. (47) > 16:11:41.450796 IP 91.209.124.75.5

Re: [dns-operations] Botnets, botnets everywhere

2014-09-11 Thread Stephane Bortzmeyer
On Thu, Sep 11, 2014 at 09:00:37PM +0800, Roland Dobbins wrote a message of 29 lines which said: > FYI, most of these queries seem to be reflected through abusable CPE > devices which are misconfigured by default as open recursors or DNS > forwarders. It may be worth considering investigating

Re: [dns-operations] Dumb question: why is it that some registries limit the nameservers that can be delegated to?

2014-09-11 Thread Stephane Bortzmeyer
On Thu, Sep 11, 2014 at 07:52:31AM -0700, Colm MacCárthaigh wrote a message of 26 lines which said: > So why is it that name servers need to be registered? What's the > benefit of doing it? As an employee of a registry which does not require name server registration, I wonder, too :-)

Re: [dns-operations] Dumb question: why is it that some registries limit the nameservers that can be delegated to?

2014-09-12 Thread Stephane Bortzmeyer
On Thu, Sep 11, 2014 at 03:06:11PM +, Michele Neylon - Blacknight wrote a message of 66 lines which said: > For gTLDs the nameservers have to be registered via a registrar Indeed. For most registries (those with a ICANN TLD), the most common answer is probably "because ICANN requires so a

Re: [dns-operations] is there a diagnostic tool to obtain delegated ns?

2014-09-12 Thread Stephane Bortzmeyer
On Fri, Sep 12, 2014 at 12:13:00PM +1000, Mark Andrews wrote a message of 57 lines which said: > The following will work for any zone w/o an embedded period in a > label. Loops endlessly for names like ssi.gouv.fr > parent=`expr "X$zone" : '^[^.]*.\(.*\)'` Should it be parent=`expr "
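The parent computation discussed above is the step that walks a name up towards the root so that each delegating zone can be queried for its NS set. The following is an added example, not Mark Andrews' script and not part of the original thread: it strips one label at a time with plain POSIX shell parameter expansion (no expr regex, so a dot cannot be mistaken for "any character"), treats a TLD's parent as the root and the root's parent as the root itself, and the walker stops there instead of looping. The function names parent_zone and ancestors are my own; names with an embedded period in a label are, as in the quoted message, not handled.

```shell
#!/bin/sh
# parent_zone NAME: print the parent of NAME, i.e. NAME with its leftmost label
# removed. A TLD's parent is the root ".", and the root's parent is "." again,
# so a caller that loops until it sees "." always terminates.
parent_zone() {
    name=${1%.}                     # accept "ssi.gouv.fr." as well as "ssi.gouv.fr"
    case $name in
        ''|.) printf '.\n' ;;       # the root: nothing above it
        *.*)  printf '%s\n' "${name#*.}" ;;   # drop everything up to the first dot
        *)    printf '.\n' ;;       # a single label (TLD): parent is the root
    esac
}

# ancestors NAME: print every zone above NAME, one per line, ending with ".".
# This is the walk a delegation checker performs: each printed name is a zone
# that may hold the NS records delegating the one below it.
ancestors() {
    z=$1
    while :; do
        p=$(parent_zone "$z")
        printf '%s\n' "$p"
        [ "$p" = . ] && break       # reached the root: stop, do not loop
        z=$p
    done
}

# Example run (the name is constructed, as in the thread):
#   ancestors ssi.gouv.fr   ->   gouv.fr / fr / .
```

A checker built on this would query each printed ancestor for the NS RRset of the name below it and compare it with what the child's own servers answer; that network step is deliberately left out here.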

Re: [dns-operations] Dumb question: why is it that some registries limit the nameservers that can be delegated to?

2014-09-12 Thread Stephane Bortzmeyer
On Fri, Sep 12, 2014 at 12:46:29PM +0100, Tony Finch wrote a message of 27 lines which said: > they have switched to a more standard EPP implementation. This is absolutely NOT "more standard". EPP allows both models (in other words, you do not have to implement RFC 5732).

Re: [dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)

2014-09-15 Thread Stephane Bortzmeyer
On Sat, Sep 13, 2014 at 09:37:52AM +, Franck Martin wrote a message of 61 lines which said: > -limit size to <1500? on both IPv4 and IPv6? It may be interesting against amplification attacks (although it seems everyone moved to NTP amplification attacks, abandoning the DNS). For fragmenta
