[dns-operations] DNS-OARC's Web-based DNS Randomness Test site

2014-10-09 Thread Yasuhiro Orange Morishita
OK, but web version is better for plenty of users. % dig +short porttest.dns-oarc.net txt porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net. "xxx.xxx.xxx.xxx is GREAT: 26 queries in 2.7 seconds from 26 ports with std dev 17312"

Re: [dns-operations] .biz DNSSEC failure?

2013-06-24 Thread Yasuhiro Orange Morishita
" links may provide the error state of specified name. Updated: 2013-06-22 20:15:00 UTC (a day ago) <http://dnsviz.net/d/biz/UcYFxQ/dnssec/> So, this means that we can not be black history our DNSSEC errors. :-( I learned this from Daisuke HIGASHI, thank you. -- Yasuhiro Orange Mo

Re: [dns-operations] DNS Attack over UDP fragmentation

2013-09-04 Thread Yasuhiro Orange Morishita / 森下泰宏
Hello, I believe that it is another serious attack against DNS protocol, or it may be against UDP/IP (especially IPv4). So, we might set max-udp-size to 1220 for preventing UDP fragmentation. And I know another "IPv6 Fragment Header Deprecated" I-D at IETF 6man WG. BTW, sometimes I unofficial

Re: [dns-operations] DNS Attack over UDP fragmentation

2013-09-04 Thread Yasuhiro Orange Morishita / 森下泰宏
From: Stephane Bortzmeyer Date: Wed, 4 Sep 2013 15:55:22 +0200 > On Wed, Sep 04, 2013 at 10:45:42PM +0900, > Yasuhiro Orange Morishita / 森下泰宏 wrote > a message of 38 lines which said: > > > So, we might set max-udp-size to 1220 for preventing UDP > > fragmentation

Re: [dns-operations] DNS Attack over UDP fragmentation

2013-09-05 Thread Yasuhiro Orange Morishita / 森下泰宏
Hi, > Just a short update from our today meeting over PoC implementation. I think that the PoC for "Shulman-attack" is still effective even after applying DNSSEC. It's still DoS'able, different to the port randomization against Kaminsky's. -- Orange From: Ondřej Surý Date: Thu, 5 Sep 2013 13:

Re: [dns-operations] DNS Attack over UDP fragmentation

2013-09-08 Thread Yasuhiro Orange Morishita / 森下泰宏
Aaron-san, Haya-san, and folks, I've found the following RFC, it's published in 2007. RFC 4963 - IPv4 Reassembly Errors at High Data Rates And I've cited "Security Considerations" of this RFC as below: BTW, When the RFC was I-D, it's titled "IPv4 Fragmen

Re: [dns-operations] dns-operations Digest, Vol 92, Issue 13

2013-09-09 Thread Yasuhiro Orange Morishita / 森下泰宏
>> wrote: > > > > > > > > Message: 6 > > Date: Sun, 08 Sep 2013 17:30:57 +0900 (JST) > > From: Yasuhiro Orange Morishita / > <mailto:yasuh...@jprs.co.jp>> > > To: aa...@arbor.net <mailto:aa...@arbor.

Re: [dns-operations] dns-operations Digest, Vol 92, Issue 13

2013-09-10 Thread Yasuhiro Orange Morishita / 森下泰宏
o 1280 -- Orange > in RFC 791. From: Yasuhiro Orange Morishita / 森下泰宏 Date: Wed, 11 Sep 2013 02:02:34 +0900 (JST) > Paul-san, > > > for unsigned responses, i think a v6 max-udp-size of 1220 and a v4 > > max-udp-size of 512 is what's called for. > > I believe typical da

Re: [dns-operations] dns-operations Digest, Vol 92, Issue 13

2013-09-10 Thread Yasuhiro Orange Morishita / 森下泰宏
4:30:49 +0300 > Yasuhiro-san :-) > > Nice find, thanks for sharing!! > I will add reference to it in our works. > > On Sun, Sep 8, 2013 at 3:00 PM, > wrote: > > > > > > > Message: 6 > > Date: Sun, 08 Sep 2013 17:30:57 +0900 (JST) > > From: Y

Re: [dns-operations] dns-operations Digest, Vol 92, Issue 13

2013-09-10 Thread Yasuhiro Orange Morishita / 森下泰宏
the IP specification defines the minimal MTU size to 576. So, we may need a very short RFC for updating the definition of MTU, in RFC 791. -- Orange From: Paul Vixie Date: Mon, 09 Sep 2013 07:31:42 -0700 > ... > > Yasuhiro Orange Morishita / 森下泰宏 wrote: > > Paul-san, and folks

Re: [dns-operations] DNS-OARC's Web-based DNS Randomness Test site

2014-10-09 Thread Yasuhiro Orange Morishita / 森下泰宏
Keith-san, Thank you for your reply and explanation. I hope that upcoming workshop is successfully held, and I will continue about this issue on . -- Orange -- Yasuhiro 'Orange' Morishita From: Keith Mitchell Date: Thu, 09 Oct 2014 08:59:56 -0400 > On 10/09/2014 07:32 AM, Ya

[dns-operations] Strange behavior of covid.cdc.gov

2020-08-31 Thread Yasuhiro Orange Morishita / 森下泰宏
Hi, Now covid.cdc.gov seems to be DNSSEC validation error. Google Public DNS and some DNSSEC-enabled resolvers return SERVFAIL. e.g. dig covid.cdc.gov @8.8.8.8 But it seems to be a little bit strange. The auth servers of cdc.gov zone serve unneeded (and unsigned) akam.cdc.gov zone. But they still

Re: [dns-operations] Strange behavior of covid.cdc.gov

2020-09-01 Thread Yasuhiro Orange Morishita / 森下泰宏
get a valid referral rather than bogus (unsigned) > answers from ns[123].cdc.gov for akam.cdc.gov. > > Mark > >> On 1 Sep 2020, at 00:47, Stephane Bortzmeyer wrote: >> >> On Mon, Aug 31, 2020 at 10:12:04PM +0900, >> Yasuhiro Orange Morishita / 森下泰宏 wrote >

Re: [dns-operations] DNS Flag Day 2020 will become effective on 2020-10-01

2020-09-08 Thread Yasuhiro Orange Morishita / 森下泰宏
Hi Petr-san, I tested some auth servers and resolvers by online checker in the official website. But I feel that both of them display "GO" even if EDNS buffer size is not set to 1232. Is this by design? -- Orange From: Petr Špaček Subject: [dns-operations] DNS Flag Day 2020 will become effect

Re: [dns-operations] DNS attacks against FR/BE/NL resolvers of Internet access providers

2020-09-15 Thread Yasuhiro Orange Morishita / 森下泰宏
Hi Stephane-san, I've read the article. I am suspecting the attack vector is random subdomain attacks via bad CPEs, they act as open resolvers and forward queries to ISP's resolvers. Possibly, the real target domain name existed and the attackers tried to down the auth servers of the domain.

Re: [dns-operations] DNS Flag Day 2020 will become effective on 2020-10-01

2020-09-15 Thread Yasuhiro Orange Morishita / 森下泰宏
[dns-operations] DNS Flag Day 2020 will become effective on 2020-10-01 Date: Wed, 9 Sep 2020 10:39:54 +0200 > Hi Orange-san, > > On 09. 09. 20 7:00, Yasuhiro Orange Morishita / 森下泰宏 wrote: >> Hi Petr-san, >> >> I tested some auth servers and resolvers by online checke

Re: [dns-operations] dnspooq

2021-01-21 Thread Yasuhiro Orange Morishita / 森下泰宏
Hi, > fyi > https://www.jsof-tech.com/disclosures/dnspooq/ I've read a technical whitepaper of the DNSpooq[*1] from JSOF, and I have a question about response validation in DNS forwarders. [*1] DNSpooq - Cache Poisoning and RCE in Popular DNS Forwarder dnsmasq

Re: [dns-operations] dnspooq

2021-01-25 Thread Yasuhiro Orange Morishita / 森下泰宏
of directly using the authoritative nameserver chain".. Anyway, I agree that no such description for the behavior of DNS forwarders. -- Orange From: "Ralf Weber" Subject: Re: [dns-operations] dnspooq Date: Thu, 21 Jan 2021 14:15:16 +0100 > Moin! > > On 21 Jan 2021, at 13:48, Yasu

[dns-operations] What is the reason of J-Root doesn't serve the arpa zone?

2021-12-02 Thread Yasuhiro Orange Morishita / 森下泰宏
" domain directly on a subset of the root server infrastructure. Yes, it is "almost all", not "all". Currently, the "arpa" zone has been hosted on 12 root servers, except to J-Root. Probably, this is a part of the "Historically", but I want to know wh

Re: [dns-operations] What is the reason of J-Root doesn't serve the arpa zone?

2021-12-05 Thread Yasuhiro Orange Morishita / 森下泰宏
apanese: <https://twitter.com/OrangeMorishita/status/1467525559807016960> And I heard from another person that J-Root holds the arpa zone, but not delegated. It is also interesting. -- Orange -- Yasuhiro 'Orange' Morishita From: "Wessels, Duane" Subject: Re: [dns-operati

Re: [dns-operations] Increase in DNS over TCP from Chrome Browser on Windows 11

2023-03-15 Thread Yasuhiro Orange Morishita / 森下泰宏
port when connecting to that > DNS server. IMHO, this Windows 11 behavior seems to contain security risks... -- Yasuhiro 'Orange' Morishita From: Adam Casella Subject: Increase in DNS over TCP from Chrome Browser on Windows 11 Date: Tue, 14 Mar 2023 03:57:03 + > Hey Folks,

Re: [dns-operations] [DNSSEC] Venezuela ccTLD broken

2023-07-20 Thread Yasuhiro Orange Morishita / 森下泰宏
It looks like one of the USGBKR cases... cf. https://lists.dns-oarc.net/pipermail/dns-operations/2014-March/011399.html Before: https://dnsviz.net/d/ve/ZLZ8ng/dnssec/ After: https://dnsviz.net/d/ve/ZLjinw/dnssec/ -- Yasuhiro Orange Morishita From: Stephane Bortzmeyer Subject: [dns-operations

[dns-operations] verisigninc.com

2012-06-26 Thread Yasuhiro Orange Morishita / 森下泰宏
c.com DNSKEY RRset. -- Yasuhiro 'Orange' Morishita ___ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Re: [dns-operations] Advisory — D-root is changing its IPv4 address on the 3rd of January.

2012-12-14 Thread Yasuhiro Orange Morishita / 森下泰宏
Hello, Jason-san, This is Yasuhiro Orange Morishita at JPRS. Thank you for your advance notice. We will make an announcement the information for Japanese Internet community. And if you also publish the information at D-root webpage <http://d.root-servers.org/>, I would appreciate. -- Ya

[dns-operations] Question about L-Root IP address

2012-12-27 Thread Yasuhiro Orange Morishita / 森下泰宏
y/044241.html> But its L-Root address is 198.32.64.12, I think it was used until 2007. If you know the information about it, please let me know. -- Yasuhiro 'Orange' Morishita Japan Registry Services Co., Ltd. (JPRS) Initializing a DNS Resolver with Priming Queries <http://t

Re: [dns-operations] Question about L-Root IP address

2012-12-28 Thread Yasuhiro Orange Morishita / 森下泰宏
Peter-san: I remember the official debut date of M-Root is Aug 22, 1997. In the root hint file: Kato-san's thesis described the same date. (caution: it's written in Japanese)

Re: [dns-operations] .biz DNSSEC failure?

2013-06-24 Thread Yasuhiro Orange Morishita / 森下泰宏
> So, this means that we can not be black history our DNSSEC errors. :-( Should be "dark history". My English is still poor. -- Yasuhiro Orange Morishita From: Yasuhiro Orange Morishita Date: Mon, 24 Jun 2013 19:22:25 +0900 (JST) > Hi Stephane; > > > A personal opi

Re: [dns-operations] Geoff Huston on DNS-over-TCP-only study.

2013-08-20 Thread Yasuhiro Orange Morishita / 森下泰宏
Geoff's original article is here (in potaroo.net) A Question of DNS Protocols It also describes the open resolver project as a "name and shame" approach. (I have quoted below, and IMHO, certainly this approach is effective) > The open resolver

Re: [dns-operations] Delegation of amazonses.com

2025-01-08 Thread Yasuhiro Orange Morishita / 森下泰宏
Certainly, admin(s) of awsdns-33.com need to add an IPv6 address in the host information. But, I think that is not a cause of the DMARC failures. Regards, -- Yasuhiro Orange Morishita [*1] According to Internic WHOIS (see below), it appears an IPv4 address only. ns-265.awsdns-33.com Server Nam