Re: [dns-operations] question for DNS being attacked

2012-06-28 Thread Stephane Bortzmeyer
On Thu, Jun 28, 2012 at 04:04:47AM +, Michael Hoskins (michoski) wrote a message of 61 lines which said: > or even firewall based rate limiting like iptables or dummynet. > > http://codingfreak.blogspot.com/2010/01/iptables-rate-limit-incoming.html Did you try this on a production DNS se

Re: [dns-operations] question for DNS being attacked

2012-06-28 Thread Stephane Bortzmeyer
On Thu, Jun 28, 2012 at 09:41:03AM +0800, pangj wrote a message of 20 lines which said: > My named service got 1GB or more incoming traffic of attack > recently. One gigabyte/s is quite serious and I'm afraid no solution on your name server will help (it is too late). Can you ask your upstrea

Re: [dns-operations] register nameservers in different TLD's NS

2012-07-16 Thread Stephane Bortzmeyer
On Mon, Jul 16, 2012 at 09:45:34PM +0800, ?? wrote a message of 17 lines which said: > But, a domain in other TLD, say example.com, can't use the > nameservers of nsbeta.info as its auth servers. Why? It should work. For instance, the name servers of linux.com are under ".org". > How can I r

Re: [dns-operations] register nameservers in different TLD's NS

2012-07-16 Thread Stephane Bortzmeyer
On Mon, Jul 16, 2012 at 10:27:07AM -0400, Mark Jeftovic wrote a message of 40 lines which said: > I think what he means is that the other TLD ( ie .com ) does not yet > have a glue record in place for the .info nameserver Of course. There is no need for glue since the name server's names are

Re: [dns-operations] Google Public DNS and round robin records

2012-07-23 Thread Stephane Bortzmeyer
On Sun, Jul 22, 2012 at 05:07:16PM +, Paul Vixie wrote a message of 12 lines which said: > this seems to be a call for a lightweight resolver that can live in > every laptop desktop It already exists. I highly recommend it. > and smartp

Re: [dns-operations] Google Public DNS and round robin records

2012-07-23 Thread Stephane Bortzmeyer
On Sun, Jul 22, 2012 at 06:26:19PM +, Vernon Schryver wrote a message of 51 lines which said: > A problem with that might be the increased load on authoritative > servers due to caching disbursed among zillions of clients, [TLD operator hat on.] Yes, this is a problem. dnssec-trigger

Re: [dns-operations] Google Public DNS and round robin records

2012-07-23 Thread Stephane Bortzmeyer
On Mon, Jul 23, 2012 at 08:45:21AM +, Paul Vixie wrote a message of 21 lines which said: > this is the right approach if you're running that server. There is currently no way to write a program which will work with any server because there is no standard to configure the server (see RFC 6

Re: [dns-operations] xt_dns (forked) - filtering ANY (and other) queries

2012-08-27 Thread Stephane Bortzmeyer
On Fri, Aug 03, 2012 at 08:45:56AM +0100, Simon Munton wrote a message of 28 lines which said: > You can also do it with the standard module "u32", including EDNS0, No, you cannot. u32's mini-language is not Turing-complete (for good reasons) and, for instance, cannot parse the QNAME. http:/

Re: [dns-operations] xt_dns (forked) - filtering ANY (and other) queries

2012-08-27 Thread Stephane Bortzmeyer
On Fri, Aug 03, 2012 at 01:43:10PM +0200, Peter van Dijk wrote a message of 25 lines which said: > because of the way IPv6 chains headers (of course, you can assume > this does not usually happen). Searching in today's queries received over IPv6 on AFNIC's name servers, I do not see even one

Re: [dns-operations] About open DNS resolvers

2012-08-27 Thread Stephane Bortzmeyer
On Mon, Aug 20, 2012 at 07:12:47PM +0200, esolve esolve wrote a message of 104 lines which said: > Why can we just use "dig @target_ip www.example.com" and see whether > we can get a result? If you go through China, you get a response even if the target_ip is dead

Re: [dns-operations] dnsxss.

2012-08-27 Thread Stephane Bortzmeyer
On Mon, Aug 27, 2012 at 09:05:05AM +, Dobbins, Roland wrote a message of 16 lines which said: > Funny but I'm not sure it is really useful for attacks in practice. Several technical errors in the article (such as

Re: [dns-operations] Research Project: Identifying DNSSEC Validators

2012-09-05 Thread Stephane Bortzmeyer
On Tue, Sep 04, 2012 at 01:57:20PM -0700, Wessels, Duane wrote a message of 36 lines which said: > http://prefetch.validatorsearch.verisignlabs.com On my machines, I can resolve the name with BIND but not with Unbound (SERVFAIL, even with ). On OARC's ODVR both BIND and Unbound work. With

[dns-operations] Pinging the root name servers to check my connectivity?

2012-09-05 Thread Stephane Bortzmeyer
Configuring a small network, I had the problem of testing whether the Internet connectivity is working [side note: so I can use the result in the test in the "parents" directive of Nagios/Icinga, to avoid alarms for every target when the outside link is simply down]. The problem is to find suitable targets

Re: [dns-operations] Research Project: Identifying DNSSEC Validators

2012-09-05 Thread Stephane Bortzmeyer
On Wed, Sep 05, 2012 at 11:45:23AM +0100, Tony Finch wrote a message of 80 lines which said: > It's really weird. The name servers are serving two versions of the zone, > one signed and one unsigned, and they seem to be alternating between > them. I assume it is on purpose, part of the experi

[dns-operations] DoS with amplification: yet another funny Unix script

2012-09-05 Thread Stephane Bortzmeyer
A friend sent me the script he uses against DNS DoS attacks by reflection+amplification. I reject any responsibility for it but I found it cute and geeky :-) It uses tcpdump + typical Unix tools to automatically detect IP addresses used in such attacks and block them (not something I endorse). tc

Re: [dns-operations] Pinging the root name servers to check my connectivity?

2012-09-05 Thread Stephane Bortzmeyer
On Wed, Sep 05, 2012 at 02:44:34PM +, Vernon Schryver wrote a message of 78 lines which said: > Why poke distant anchors when almost all "The Internet is down" > complaints have local causes, and when not local, are out of the > control Because the goal is not to fix them but to be aware

Re: [dns-operations] Pinging the root name servers to check my connectivity?

2012-09-05 Thread Stephane Bortzmeyer
On Wed, Sep 05, 2012 at 04:50:02PM +, Paul Vixie wrote a message of 12 lines which said: > health checks should be to ping something you own, Or something you have an *explicit* right to use, may be because you paid for it. Actually, it could be a business plan, renting targets for monito

Re: [dns-operations] Pinging the root name servers to check my connectivity?

2012-09-05 Thread Stephane Bortzmeyer
On Wed, Sep 05, 2012 at 12:43:46PM -0400, Paul Wouters wrote a message of 34 lines which said: > with the stubs doing more resolving/validating themselves, the root > servers are going to see a higher load. I think that's unavoidable. I cannot speak for the root name servers operators. But le

Re: [dns-operations] Research Project: Identifying DNSSEC Validators

2012-09-06 Thread Stephane Bortzmeyer
On Wed, Sep 05, 2012 at 10:40:03AM -0700, Wessels, Duane wrote a message of 20 lines which said: > Yes, that is correct. OK, but the problem is that the official Web page is not visible if you have a validating resolver... (Unbound, in my case, I ha

Re: [dns-operations] Research Project: Identifying DNSSEC Validators

2012-09-06 Thread Stephane Bortzmeyer
On Thu, Sep 06, 2012 at 10:43:12AM -0700, Wessels, Duane wrote a message of 39 lines which said: > We changed the RRSIG-remover so that it won't remove the signatures > from "validatorsearch.verisignlabs.com" itself. Hopefully that > allows you to view the page now. But we still have no sign

Re: [dns-operations] Research Project: Identifying DNSSEC Validators

2012-09-07 Thread Stephane Bortzmeyer
On Thu, Sep 06, 2012 at 10:43:12AM -0700, Wessels, Duane wrote a message of 39 lines which said: > I wouldn't say our setup assumes only one recursive in the path, From my colleague Kim Minh Kaplan: In the case where one of the forwarders is non validating, it will happily accept and cache

[dns-operations] Data about load increase on *resolvers* when enabling DNSSEC validation?

2012-09-09 Thread Stephane Bortzmeyer
There are many published papers about the load created by DNSSEC on authoritative name servers. And a lot of practical experience as well, some of it publicly documented. For the validating *resolvers*, I find on the Web a few tests in a lab environment (setting up BIND or Unbound with and witho

Re: [dns-operations] "best practices" for restaring internal DNS servers

2012-09-09 Thread Stephane Bortzmeyer
On Sun, Sep 09, 2012 at 04:06:23PM +0100, Steven Carr wrote a message of 43 lines which said: > Is it really that much of an issue to have to start from an empty > cache? +1 (And I work for a TLD operator so I would not condone solutions which would increase the load on our authoritative name

Re: [dns-operations] Go Daddy is down

2012-09-10 Thread Stephane Bortzmeyer
On Mon, Sep 10, 2012 at 08:20:45PM +0200, bert hubert wrote a message of 20 lines which said: > Go Daddy's servers appear to be down. http://techcrunch.com/2012/09/10/godaddy-outage-takes-down-millions-of-sites/

Re: [dns-operations] Go Daddy is down

2012-09-10 Thread Stephane Bortzmeyer
On Mon, Sep 10, 2012 at 02:43:18PM -0400, Mark Jeftovic wrote a message of 61 lines which said: > It looks regional (like USA). No, same problem in France. Still down at 1915 UTC. It looks like one of the biggest disturbances of the DNS ever...

Re: [dns-operations] Pinging the root name servers to check my connectivity?

2012-09-11 Thread Stephane Bortzmeyer
On Mon, Sep 10, 2012 at 09:57:48PM +0200, Phil Regnauld wrote a message of 15 lines which said: > How is that different from ping the increasingly ubiquitous L > and F-root ? Root name servers are critical: if you disrupt them, many kittens will be killed. AS112 servers are very

Re: [dns-operations] Pinging the root name servers to check my connectivity?

2012-09-11 Thread Stephane Bortzmeyer
On Mon, Sep 10, 2012 at 08:04:49PM +, paul vixie wrote a message of 25 lines which said: > anyone who wants reliable connectivity testing This leaves out the case of "Mom & Pop monitoring". Of course, my employer contracts for reliable monitoring targets. But the small SOHO?

Re: [dns-operations] Pinging the root name servers to check my connectivity?

2012-09-12 Thread Stephane Bortzmeyer
On Wed, Sep 05, 2012 at 02:44:34PM +, Vernon Schryver wrote a message of 78 lines which said: > I've heard that 8.8.8.8 is not a useful DNS DoS tool, perhaps > because Google, like any competent, well known provider, must know > about rate limiting. I've tried using a Google Public DNS se

[dns-operations] TLD .td (Chad) again down

2012-09-17 Thread Stephane Bortzmeyer
The TLD .td is down again, the two authoritative name servers are broken (one servfails and the other timeouts). Do not ask me if I know who to contact, the situation on the ground is... complicated. (SOTEL, the TLD manager, was bought by Libyan business just before the Arab spring and it seems .t

[dns-operations] How to Launch a 65Gbps DDoS, and How to Stop One

2012-09-18 Thread Stephane Bortzmeyer
http://blog.cloudflare.com/65gbps-ddos-no-problem

Re: [dns-operations] How to Launch a 65Gbps DDoS, and How to Stop One

2012-09-19 Thread Stephane Bortzmeyer
On Tue, Sep 18, 2012 at 09:34:29AM +0200, Stephane Bortzmeyer wrote a message of 7 lines which said: > http://blog.cloudflare.com/65gbps-ddos-no-problem I specially appreciate the detailed responses of the CloudFlare engineer to the questions asked in the comme

Re: [dns-operations] dotless domains

2012-09-21 Thread Stephane Bortzmeyer
On Fri, Sep 21, 2012 at 10:12:42AM +0200, Phil Regnauld wrote a message of 23 lines which said: > Surprised no one's brought up http://dk/ as an already existing scenario > that doesn't work (try it in various browsers). Worked fine with Chromium and lynx, despite the ICANN FUD.

Re: [dns-operations] dotless domains

2012-09-21 Thread Stephane Bortzmeyer
On Fri, Sep 21, 2012 at 10:29:35AM +0200, Phil Regnauld wrote a message of 18 lines which said: > I'm not particularly against the idea of using "dotless" > domains, but we know who's going to live with the support > questions when users start complaining. Paul's piece on >

Re: [dns-operations] dotless domains

2012-09-22 Thread Stephane Bortzmeyer
On Fri, Sep 21, 2012 at 11:23:02AM -0700, David Conrad wrote a message of 38 lines which said: > I'm not sure how ICANN is supposed to do that without 'regulations'. I don't think I said that ICANN should regulate nothing. It is a regulator (even if it denies it, claiming it only has a "narro

Re: [dns-operations] dotless domains

2012-09-22 Thread Stephane Bortzmeyer
On Fri, Sep 21, 2012 at 07:38:44PM -0700, P Vixie wrote a message of 77 lines which said: > To change the internet so that foo@Microsoft has universal not local > meaning would require action by many millions of parties not just by > Microsoft. Yes. It is also true for IPv6, DNSSEC and BCP38.

Re: [dns-operations] keeping ICANN busy

2012-09-22 Thread Stephane Bortzmeyer
On Fri, Sep 21, 2012 at 06:32:01PM -0700, David Conrad wrote a message of 27 lines which said: > I understand and sympathize with this point of view, however, as a > counter-example: wildcards in .COM were outside of the root zone, > was that also none of ICANN's business? In a way, .COM is s

Re: [dns-operations] First experiments with DNS dampening to fight amplification attacks

2012-09-27 Thread Stephane Bortzmeyer
On Mon, Sep 24, 2012 at 02:48:38PM +, Lutz Donnerhacke wrote a message of 16 lines which said: > Please have a look at http://lutz.donnerhacke.de/eng/Blog/DNS-Dampening The basic security issue of DNS-based DoS is that the IP address of the attacker is forged. There are therefore two clas

Re: [dns-operations] How many kinds of DNS DoS attacks are we trying to stop ?

2012-09-27 Thread Stephane Bortzmeyer
On Thu, Sep 27, 2012 at 12:23:12PM -0400, Olafur Gudmundsson wrote a message of 64 lines which said: > Usually when this happens in a debate that reflects a > partial/non-shared understanding of the problem. It may simply mean there are inherent contradictions. This is common in security iss

Re: [dns-operations] How many kinds of DNS DoS attacks are we trying to stop ?

2012-09-27 Thread Stephane Bortzmeyer
On Thu, Sep 27, 2012 at 01:19:53PM -0400, Phil Pennock wrote a message of 69 lines which said: > Experiment to see if OS fingerprinting yields useful signal on DNS > UDP queries (I suspect not?). I'm not an expert in OS fingerprinting but, judging from the traffic of today's fingerprinting to

Re: [dns-operations] How many kinds of DNS DoS attacks are we trying to stop ?

2012-09-27 Thread Stephane Bortzmeyer
On Fri, Sep 28, 2012 at 08:11:25AM +1200, Sebastian Castro wrote a message of 37 lines which said: > I tested that while at CAIDA in order to qualify the sources of > traffic hitting the root servers. Most of the OS fingerprinting is > based on variations of the TCP handshake flags + other TCP

[dns-operations] Apple and bogusapple.com

2012-10-02 Thread Stephane Bortzmeyer
A big fail, I'm afraid. Apple's software tried to contact bogusapple.com (presumably to have a "known to failed" test) but someone registered the domain yesterday : https://discussions.apple.com/thread/4380270?tstart=0

Re: [dns-operations] Massive DNS poisoning attacks in Brazil

2012-10-02 Thread Stephane Bortzmeyer
On Mon, Nov 07, 2011 at 02:01:14PM +0100, Stephane Bortzmeyer wrote a message of 17 lines which said: > http://www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil > > A long article about "DNS poisoning" without even a dig output, bad. > >

Re: [dns-operations] Massive DNS poisoning attacks in Brazil

2012-10-02 Thread Stephane Bortzmeyer
On Tue, Oct 02, 2012 at 08:07:09PM +, Paul Vixie wrote a message of 30 lines which said: > has the ssl format been submitted as an internet-draft, or is this a > "private standard"? AFAIK, no, but it is very simple and built over the existing DNS: it is the same format as DNS-over-TCP, ju

Re: [dns-operations] Massive DNS poisoning attacks in Brazil

2012-10-02 Thread Stephane Bortzmeyer
On Tue, Oct 02, 2012 at 08:34:36PM +, Paul Vixie wrote a message of 19 lines which said: > i don't think so. too many middleboxes unpack the tcp/443 stream using a > wildcard certificate, ??? If you are on a network where the router/proxy/middlebox managed to obtain a wildcard certificat

Re: [dns-operations] Strange goings on with two domains

2012-10-18 Thread Stephane Bortzmeyer
On Thu, Oct 18, 2012 at 05:19:28PM -0400, Bill Owens wrote a message of 70 lines which said: > And WHOIS still shows the correct servers for both domains: The registrar's whois. The registry's whois shows nameservers which are consistent with the DNS.

Re: [dns-operations] Strange goings on with two domains

2012-10-22 Thread Stephane Bortzmeyer
On Thu, Oct 18, 2012 at 06:06:13PM -0400, Bill Owens wrote a message of 16 lines which said: > So the registry-NetSol NetSol (Network Solutions) is not the registry of .com for... how many... ten years?

Re: [dns-operations] a question about the nameservers

2012-10-26 Thread Stephane Bortzmeyer
On Fri, Oct 26, 2012 at 10:11:33AM +, Lutz Donnerhacke wrote a message of 65 lines which said: > For the first query the glue data will be used (NS in the parent zone). > For later queries the resolver should requery the NS from the authoritative > servers. And, at the expiration of the da

Re: [dns-operations] a question about the nameservers

2012-10-26 Thread Stephane Bortzmeyer
On Fri, Oct 26, 2012 at 10:11:33AM +, Lutz Donnerhacke wrote a message of 65 lines which said: > > tel.im. 259200 IN NS ans.amchina.net. > > tel.im. 259200 IN NS bns.amchina.net. > > tel.im. 259200 IN NS cns.a

Re: [dns-operations] AT&T DNS Cache Poisoning?

2012-10-28 Thread Stephane Bortzmeyer
On Sun, Oct 28, 2012 at 02:22:04AM -0400, Paul Wouters wrote a message of 20 lines which said: > You missed the announcement of the 450 million downloads by iOS6 of > the IANA root key? Poisoning the cache of a one-user iPhone is fun but less useful than poisoning the caches of AT&T, Verizon

Re: [dns-operations] First experiments with DNS dampening to fight amplification attacks

2012-10-29 Thread Stephane Bortzmeyer
On Mon, Oct 29, 2012 at 10:13:55AM +, Dobbins, Roland wrote a message of 20 lines which said: > > We apply iptables based rate-limiting on ANY queries with RD bit set. > > The problem with fronting your DNS servers with a stateful firewall ? iptables != stateful firewalling. Some peopl

Re: [dns-operations] First experiments with DNS dampening to fight amplification attacks

2012-10-29 Thread Stephane Bortzmeyer
On Mon, Oct 29, 2012 at 10:21:46AM +, Dobbins, Roland wrote a message of 20 lines which said: > I've only ever seen it deployed with connection tracking - i.e., > statefully. Several TLDs use iptables for rate-limiting ANY amplification attacks. They typically use the hashlimit module, wh

Re: [dns-operations] using different DNS providers together

2012-11-06 Thread Stephane Bortzmeyer
On Mon, Nov 05, 2012 at 07:28:48PM -0800, Clarence Beeks wrote a message of 77 lines which said: > All have problems. > You should use officially provided dns at : > > 58.22.96.66=China Unicom Fuzhou CN I assume it is a joke but I do not get it.

Re: [dns-operations] using different DNS providers together

2012-11-06 Thread Stephane Bortzmeyer
On Tue, Nov 06, 2012 at 03:20:51PM +0800, zhanglikun wrote a message of 187 lines which said: > Bad point is: you have to keep the data be consistent by hand > without some automated tools Why "by hand"? NOTIFY + IXFR is implemented in every name server software, and is standard (.fr has sev

Re: [dns-operations] using different DNS providers together

2012-11-06 Thread Stephane Bortzmeyer
On Tue, Nov 06, 2012 at 10:12:42AM +0800, Feng He wrote a message of 87 lines which said: > It includes godaddy, cloudflare, dnsbed and dnspod. Does this have > any hidden problem for resolving? No.

Re: [dns-operations] Looks like .us has a FAIL

2012-11-09 Thread Stephane Bortzmeyer
On Fri, Nov 09, 2012 at 01:28:32AM -0700, Fred Morris wrote a message of 37 lines which said: > ;; connection timed out; no servers could be reached Works for me, from several places:

% check-soa us
c.cctld.us. : 156.154.127.70 (2008314055)
k.cctld.us. : 156.154.128.70 (2008314055)
2001:5

Re: [dns-operations] Upgrade to 9.9.1-p3 and zone transfer problem

2012-11-09 Thread Stephane Bortzmeyer
On Thu, Nov 08, 2012 at 02:29:38PM +, Ayca Taskin (Garanti Teknoloji) wrote a message of 181 lines which said: > is it possible any problem between primary and secondaries like zone > transfer etc.? As Nicolas and Keith said, it is very unlikely. That's the power of standards: once somethi

Re: [dns-operations] Google Public DNS

2012-11-19 Thread Stephane Bortzmeyer
On Thu, Nov 15, 2012 at 04:00:03PM +0100, Stefan Schmidt wrote a message of 77 lines which said: > Also it should be easy to write something up that returns the > recursive Server IP that queried for a certain qname as a TXT record > or even automatically the matches from that list. No need t

[dns-operations] Beware of the cosmic rays

2012-11-19 Thread Stephane Bortzmeyer
http://dinaburg.org/bitsquatting.html Bitsquatting refers to the registration of domain names one bit different than a popular domain. [...] Bitsquatting frequently resolved domain names makes it possible to exploit computer hardware errors via DNS. [...] The causes of these errors range from ma

Re: [dns-operations] DNS hijack?

2012-11-20 Thread Stephane Bortzmeyer
On Tue, Nov 20, 2012 at 06:25:48PM +0800, Feng He wrote a message of 59 lines which said: > >;; ADDITIONAL SECTION: > >ASPMX.L.GOOGLE.COM. 2626 IN A 1.2.3.4 > >ALT1.ASPMX.L.GOOGLE.COM. 2626 IN A 5.6.7.8 > >ALT2.ASPMX.L.GOOGLE.COM. 2626 IN A 1.

Re: [dns-operations] DNSSEC validation failures for reverse delegations?

2012-12-09 Thread Stephane Bortzmeyer
On Sat, Dec 08, 2012 at 03:26:43PM +0100, Sebastian Wiesinger wrote a message of 55 lines which said: > since last night around 0:30 CET I'm getting sporadic validation > failures for a hand full of reverse delegation. Not many but a few > each hour, from seemingly unrelated delegations: They

Re: [dns-operations] underline in TXT's host

2012-12-14 Thread Stephane Bortzmeyer
On Fri, Dec 14, 2012 at 04:37:05PM +0800, Feng He wrote a message of 17 lines which said: > does the TXT record allow an underline in its hostname? 1) What is on the left side is not always a host name, far from it (if you have learned in a book that DNS is here to "map host names to IP addres

Re: [dns-operations] underline in TXT's host

2012-12-14 Thread Stephane Bortzmeyer
On Fri, Dec 14, 2012 at 04:50:48PM +0800, Feng He wrote a message of 23 lines which said: > From RFC 952 It's old, it was not even for the DNS! As I said, read the RFCs about the DNS (RFC 1035, section 2.3.1 and RFC 2181, section 11). And pay attention to the difference between host names an

Re: [dns-operations] underline in TXT's host

2012-12-14 Thread Stephane Bortzmeyer
On Fri, Dec 14, 2012 at 01:36:05PM +0100, Florian Streibelt wrote a message of 14 lines which said: > May I quote you wherever possible, especially at some special > university Professor who teaches such nonsense? OK, if you provide the gasoline, I will bring the matches :-)

Re: [dns-operations] DNS ANY requests from Amazon?

2012-12-17 Thread Stephane Bortzmeyer
On Mon, Dec 17, 2012 at 02:57:28PM -0500, Patrick, Robert (CONTR) wrote a message of 36 lines which said: > mitigation is available at the O/S and network layer. As an > example, there are connection limits that can be enforced with > iptables on Linux. The attached mini-HOWTO may be inter

Re: [dns-operations] DNS ANY requests from Amazon?

2012-12-17 Thread Stephane Bortzmeyer
On Mon, Dec 17, 2012 at 09:08:09PM +, Vernon Schryver wrote a message of 47 lines which said: > Per-client rate limiting is generally the best that can be done with > simple firewall rules or access control lists, but has limitations > and can cause harm. While rate limiting by client IP

Re: [dns-operations] DNS ANY requests from Amazon?

2012-12-17 Thread Stephane Bortzmeyer
On Mon, Dec 17, 2012 at 08:17:18PM +, Paul Vixie wrote a message of 33 lines which said: > if you limit your request flows rather than your response flows, > then your only choice is: too low, where a legitimate client asking > a legitimately diverse set of questions, does not get reliable

Re: [dns-operations] BIND 9.7 was Re: what nameserver software have you been using?

2012-12-18 Thread Stephane Bortzmeyer
On Tue, Dec 18, 2012 at 10:21:03AM +0800, Feng He wrote a message of 12 lines which said: > >The next(!) stable version of Debian (wheezy) will have bind 9.8(!). > > How to make debian 6 to apt-get install BIND 9.8? It's not a DNS question but a Debian-specific system administration questio

Re: [dns-operations] DNS ANY requests from Amazon?

2012-12-18 Thread Stephane Bortzmeyer
On Tue, Dec 18, 2012 at 08:51:18AM +0100, Stephane Bortzmeyer wrote a message of 80 lines which said: > [Not public] Actually, it was the censored version, the not-public one has more details, useful for the attacker.

[dns-operations] ID of IPv4 fragments and DNS and the future RFC

2013-01-13 Thread Stephane Bortzmeyer
The future RFC 6864, currently in AUTH48 state, talks about the unicity of the ID (datagram identifier) field for IPv4. Its section 5.2 is of interest to us: basically, it says that senders of "non-atomic packets" (a non-atomic packet is an IPv4 packet which is fragmented or will possibly be, since

Re: [dns-operations] ID of IPv4 fragments and DNS and the future RFC

2013-01-13 Thread Stephane Bortzmeyer
On Sun, Jan 13, 2013 at 08:59:39PM +0100, Florian Weimer wrote a message of 30 lines which said: > A typical initial TTL is 64, so the packet lives for at most 64 > seconds. (Originally, the TTL was measured in seconds, It was a very long time ago. RFC 1122, in 1989, already said that the TT

Re: [dns-operations] Enom's name server broken?

2013-01-15 Thread Stephane Bortzmeyer
On Tue, Jan 15, 2013 at 11:10:51AM +, Michele Neylon :: Blacknight wrote a message of 62 lines which said: > (or maybe I need more coffee) I think it is the case. > Or are you expecting eNom to purge DNS records for domains for which > they aren't currently authoritative? dns1.name-serv

Re: [dns-operations] Enom's name server broken?

2013-01-15 Thread Stephane Bortzmeyer
On Wed, Jan 16, 2013 at 12:46:30AM +1100, Mark Andrews wrote a message of 126 lines which said: > For clean transfers of zones from one provider to the next the > losing provide should slave the zones from the new provider. This > ensures that caches only see current content regardless of whe

Re: [dns-operations] .mm off the air for anyone who validates

2013-01-18 Thread Stephane Bortzmeyer
On Fri, Jan 18, 2013 at 09:08:37AM +1100, Mark Andrews wrote a message of 38 lines which said: > .mm failed to re-sign their DNSKEY RRset. Note that, because Unbound is tolerant by default ("10 % rule"), Unbound users will see the problem only on Sunday: # BIND % dig @149.20.64.20 DNSKEY mm

Re: [dns-operations] getting .CW recognised in the Google ccTLD tables/databases ...

2013-01-21 Thread Stephane Bortzmeyer
On Sun, Jan 20, 2013 at 06:55:44PM -0400, .CW Registry Curacao wrote a message of 187 lines which said: > Several Internet services sites cannot be used by our customers, > because the .CW is not recognized. To synthesize the many good answers you received: 1) Pragmatically, if you can convi

Re: [dns-operations] What's a "suffix"?

2013-01-21 Thread Stephane Bortzmeyer
On Sun, Jan 20, 2013 at 11:17:16PM -0800, SM wrote a message of 17 lines which said: > See RFC 6265. Its section 5.3 defines a "public suffix" and it is a sensible and useful definition. A "suffix" is any string ending a domain name. So, in www.cam.ac.uk, uk is a TLD, ac.uk a public suffix,

Re: [dns-operations] What's a "suffix"?

2013-01-21 Thread Stephane Bortzmeyer
On Mon, Jan 21, 2013 at 09:25:03AM +0100, Stephane Bortzmeyer wrote a message of 21 lines which said: > A "suffix" is any string ending a domain name. A reader even more nazi than I am suggested a definition closer to the DNS semantics: A suffix is any sequence of labels en

[dns-operations] Monday rant against the uses of the Public Suffix List

2013-01-21 Thread Stephane Bortzmeyer
On Mon, Jan 21, 2013 at 03:45:36AM -0800, Jothan Frakes wrote a message of 171 lines which said: > understanding what might be valid on the rightmost side of > addresses. Email addresses? If so, that's an extremely bad example. If you want to test the *syntax* of an email address, just do lik

[dns-operations] Why allow-query-cache (for BIND) is important

2013-01-21 Thread Stephane Bortzmeyer
allow-recursion is not enough: http://304geeks.blogspot.co.uk/2013/01/dns-scraping-for-corporate-av-detection.html

Re: [dns-operations] getting .CW recognised in the Google ccTLD tables/databases ...

2013-01-22 Thread Stephane Bortzmeyer
On Sun, Jan 20, 2013 at 06:55:44PM -0400, .CW Registry Curacao wrote a message of 187 lines which said: > We need some help with getting our ccTLD registered worldwide. You're in the news :-) http://domainincite.com/11673-apple-google-and-microsoft-still-dont-understand-new-tlds

[dns-operations] CloudShield advice against DDoS

2013-02-20 Thread Stephane Bortzmeyer
http://www.cloudshield.com/applications/dns-control-traffic-load.asp My first reaction was "These solutions are incredibly stupid" and my second one "But let's check among the experts at the dns-operations ML before trolling".

Re: [dns-operations] Defending against DNS reflection amplification attacks

2013-02-22 Thread Stephane Bortzmeyer
On Wed, Feb 20, 2013 at 08:48:19AM +0100, Jan-Piet Mens wrote a message of 12 lines which said: > FYI, a paper (Feb 2013) titled "Defending against DNS reflection > amplification attacks" at [1]. Very good paper, highly recommended. I was surprised they did not test NSD+RRL (or other solutio

Re: [dns-operations] Another whitepaper on DDOS

2013-02-22 Thread Stephane Bortzmeyer
On Thu, Feb 21, 2013 at 12:29:10PM -0500, Jeff Wright wrote a message of 15 lines which said: > http://docs.media.bitpipe.com/io_10x/io_106675/item_584633/Gartner%20and%20Arbor%20Focus%20on%20DDoS%20FINAL.PDF Wrong on the facts: they keep pretending that the DNS attack in Brazil was cache poi

[dns-operations] ICANN explains how to do DNS security disclosure

2013-03-12 Thread Stephane Bortzmeyer
http://blog.icann.org/2013/03/icann-coordinated-disclosure-guidelines/ The Security Team has prepared a set of guidelines to explain ICANN’s Coordinated Vulnerability Disclosure Reporting. The guidelines serve two purposes. They define the role ICANN will perform in circumstances where vulnerabili

[dns-operations] Fighting the Open Recursive Nameserver or not?

2013-03-29 Thread Stephane Bortzmeyer
I thought that everyone was convinced of the need to close ORN (RFC 5358) but apparently not: https://twitter.com/marshray/status/317525001072963584

Re: [dns-operations] Force TCP for external queries to Open Resolvers?

2013-03-31 Thread Stephane Bortzmeyer
On Sun, Mar 31, 2013 at 01:32:13PM +0100, Jim Reid wrote a message of 23 lines which said: > Keeping state for bazillions of DNS TCP connections to a resolving > server will present further challenges. Only the DNS people think that. The HTTP people are used to many TCP connections to manage

Re: [dns-operations] Force TCP for external queries to Open Resolvers?

2013-03-31 Thread Stephane Bortzmeyer
On Sun, Mar 31, 2013 at 02:30:50AM -0700, Xun Fan wrote a message of 90 lines which said: > Instead of closing the open resolvers, can we just force queries > from external networks to use TCP? A very good idea, IMHO. > Say reply to queries from external networks with a short truncate > UDP

Re: [dns-operations] Force TCP for external queries to Open Resolvers?

2013-03-31 Thread Stephane Bortzmeyer
On Sun, Mar 31, 2013 at 12:27:05PM -0400, Paul Wouters wrote a message of 18 lines which said: > Not all open resolvers are run by brainless admins. And I > believe open resolvers are crucial to the open nature of the > internet. There are two categories of open resolvers. The vast majori

Re: [dns-operations] Force TCP for external queries to Open Resolvers?

2013-04-01 Thread Stephane Bortzmeyer
On Sun, Mar 31, 2013 at 12:54:23PM -0400, Paul Wouters wrote a message of 34 lines which said: > Not true. unbound allows you to only accept clients using TCP. Ah, thanks, I should read the documentation more closely. OK, I've set up an open resolver (best effort only) with this configuratio

Re: [dns-operations] N-Root

2013-04-01 Thread Stephane Bortzmeyer
On Mon, Apr 01, 2013 at 04:17:36PM -0400, Robert Edmonds wrote a message of 182 lines which said: > so that just leaves the decision of who gets to operate the new > N-root DNS server. Congratulations: you've solved the easy problem, the technical one, and left open the really hard one, findi

Re: [dns-operations] public consultation on root zone KSK rollover

2013-04-09 Thread Stephane Bortzmeyer
On Wed, Apr 03, 2013 at 10:11:16AM -0400, Joe Abley wrote a message of 23 lines which said: > As advised a month or so ago, the following public comment period is open: > > > http://www.icann.org/en/news/public-comment/root-zone-consultation-08mar13-en.htm https://twitter.com/dnsreaction

Re: [dns-operations] open resolver version.bind responses

2013-04-16 Thread Stephane Bortzmeyer
On Tue, Apr 16, 2013 at 08:21:14AM -0400, Jared Mauch wrote a message of 15 lines which said: > You can view the results here: > > http://openresolverproject.org/version.bind.report.txt 'BIND 8.3.3' If it's true, it's a collector's edition...

Re: [dns-operations] open resolver version.bind responses

2013-04-16 Thread Stephane Bortzmeyer
On Tue, Apr 16, 2013 at 08:43:33AM -0400, Joe Abley wrote a message of 13 lines which said: > 'The name is Bind, James Bind' Slightly better, in the same list, "My named is Bind, James Bind"

Re: [dns-operations] open resolver version.bind responses

2013-04-16 Thread Stephane Bortzmeyer
On Tue, Apr 16, 2013 at 08:52:39AM -0400, Jared Mauch wrote a message of 36 lines which said: > Ok, I didn't expect everyone to post this to twitter/facebook so fast :) Welcome to the Internet :-)

[dns-operations] DNSSEC problem at one.com

2013-04-27 Thread Stephane Bortzmeyer
Does anyone have more technical and factual information about this problem? Error in .SE, in one.com or in Telia? http://www.one.com/en/info/profile Update - April 27, 2013 12:52 PM CET Telenor have solved the issues, but unfortunately some customers using Telia and Bredbandsbolaget as internet provi

[dns-operations] DNS amplification attacks in draft-ietf-savi-threat-scope-08

2013-05-16 Thread Stephane Bortzmeyer
IETF document (approved by IESG and currently in the RFC Editor Queue) contains: > DNS is one of the common targets of such attacks. The > amplification factor observed for attacks targeting DNS root and > othe

Re: [dns-operations] http://www.intodns.com/ no go for tlds

2013-05-21 Thread Stephane Bortzmeyer
On Tue, May 21, 2013 at 09:01:08PM +0700, Randy Bush wrote a message of 9 lines which said: > http://www.intodns.com/ does not seem to work for cctlds I would say it does not work for any TLD. For .COM, I get: Invalid request!

Re: [dns-operations] Querying version.bind illegal?

2013-05-23 Thread Stephane Bortzmeyer
On Thu, May 23, 2013 at 04:39:13PM +0300, Vitalie Cherpec wrote a message of 73 lines which said: > After 5 years of running it without any issues, I've received today > a complaint through my ISP from a big company in a foreign country. It is a common problem with active measurements. I note

[dns-operations] Answer both Truncated and Authentic?

2013-05-23 Thread Stephane Bortzmeyer
Is it reasonable/legal to have both tc and ad? % dig +noignore @8.8.8.8 ANY fr ; <<>> DiG 9.7.3 <<>> +noignore @8.8.8.8 ANY fr ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46304 ;; flags: qr tc rd ra ad; QUERY: 1, ANSWER: 0, AUTHOR

[dns-operations] Debugging Google Public DNS

2013-06-03 Thread Stephane Bortzmeyer
Some instances of Google Public DNS cannot resolve ripe.net : % dig @8.8.8.8 MX ripe.net ; <<>> DiG 9.8.1-P1 <<>> @8.8.8.8 MX ripe.net ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6005 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHO

Re: [dns-operations] OARC website down ?

2013-06-14 Thread Stephane Bortzmeyer
On Fri, Jun 14, 2013 at 12:55:27PM +0100, Billy Glynn wrote a message of 52 lines which said: > The DNS-OARC website appears to be down... Down from 1150 UTC to 1205 UTC for maintenance. ODVR did not restart yet :-( ___ dns-operations mailing list d
