Re: NXDomain remapping, DNSSEC, Layer 9, and you.

2012-05-28 Thread George Herbert
On May 28, 2012, at 22:59, bmann...@vacation.karoshi.com wrote: > On Tue, May 29, 2012 at 12:38:23PM +1000, Mark Andrews wrote: >> >> Putting it another way, the ISP doesn't want to be fooled even if >> it is fooling its customers. > >don't lie to us, but we lie to our customers. > >

Re: NXDomain remapping, DNSSEC, Layer 9, and you.

2012-05-28 Thread Mark Andrews
In message <20120529055919.ga23...@vacation.karoshi.com.>, bmann...@vacation.karoshi.com writes: > On Tue, May 29, 2012 at 12:38:23PM +1000, Mark Andrews wrote: > > > > Putting it another way, the ISP doesn't want to be fooled even if > > it is fooling its customers. > > don't lie to us

Re: DNS anycasting - multiple DNS servers on same subnet Vs registrar/registry policies

2012-05-28 Thread Randy Bush
> It is more important that a domain registrar not refuse to register a > domain, or erroneously declare a valid listing invalid. > > The purpose of using a registrar is to establish DNS delegation, not > to validate your site's redundancy meets the absolute best possible > practices for fault tol

Re: NXDomain remapping, DNSSEC, Layer 9, and you.

2012-05-28 Thread bmanning
On Tue, May 29, 2012 at 12:38:23PM +1000, Mark Andrews wrote: > > Putting it another way, the ISP doesn't want to be fooled even if > it is fooling its customers. don't lie to us, but we lie to our customers. and you don't see a problem with this? /bill

Re: DNS anycasting - multiple DNS servers on same subnet Vs registrar/registry policies

2012-05-28 Thread Jimmy Hess
On 5/28/12, David Conrad wrote: > On May 28, 2012, at 11:51 AM, Anurag Bhatia wrote: >> I know few registry/registrars >> which do not accept both (or all) name servers of domain name on same >> subnet. They demand at least 1 DNS server should be on different subnet for >> failover reasons (old th

Re: NXDomain remapping, DNSSEC, Layer 9, and you.

2012-05-28 Thread Mark Andrews
In message , Jimmy Hess writes: > On 5/28/12, Mark Andrews wrote: > > Until stub resolvers set DO=1 pretty much ubiquitously this won't > > be a problem for ISP's that want to do nxdomain redirection. There > > Yeah. > Right now current _server_ implementations don't even have it

Re: NXDomain remapping, DNSSEC, Layer 9, and you.

2012-05-28 Thread Mark Andrews
In message <23491623.6382.1338256344974.javamail.r...@benjamin.baylink.com>, Jay Ashworth writes: > - Original Message - > > From: "Mark Andrews" > > [ vix: ] > > > > meanwhile isc continues to push for ubiquitous dnssec, through to > > > > the stub, > > > > to take this issue off the

IPv6 security: New IETF I-Ds, slideware and videos of recent presentations, trainings, etc...

2012-05-28 Thread Fernando Gont
Folks, * We've published a new IETF I-D entitled "DHCPv6-Shield: Protecting Against Rogue DHCPv6 Servers", which is meant to provide RA-Guard-like protection against rogue DHCPv6 servers. The I-D is available at: Other IPv6 security

Re: NXDomain remapping, DNSSEC, Layer 9, and you.

2012-05-28 Thread Jimmy Hess
On 5/28/12, Mark Andrews wrote: > Until stub resolvers set DO=1 pretty much ubiquitously this won't > be a problem for ISP's that want to do nxdomain redirection. There Yeah. Right now current _server_ implementations don't even have it right, for properly implementing DNSSEC valida

Re: NXDomain remapping, DNSSEC, Layer 9, and you.

2012-05-28 Thread Randy Bush
> Jay Ashworth writes: please do not feed the troll > When your browser supports DANE and a billion home nats support dnssec :( randy

Re: NXDomain remapping, DNSSEC, Layer 9, and you.

2012-05-28 Thread Jay Ashworth
- Original Message - > From: "Mark Andrews" [ vix: ] > > > meanwhile isc continues to push for ubiquitous dnssec, through to > > > the stub, > > > to take this issue off the table for all people and all time. > > > (that's "the > > > real fix" for nxdomain remapping.) > > > > You really b

Re: DNS anycasting - multiple DNS servers on same subnet Vs registrar/registry policies

2012-05-28 Thread Mark Andrews
In message <5ebc0868-05d2-435e-a671-e957af72f...@one.com>, Mikkel Mondrup Kristensen writes: > > On May 29, 2012, at 01:56 , Brett Frankenberger wrote: > > > On Mon, May 28, 2012 at 09:32:29PM +0200, Stephane Bortzmeyer wrote: > >> On Tue, May 29, 2012 at 12:21:10AM +0530, > >> Anurag Bhatia w

Re: NXDomain remapping, DNSSEC, Layer 9, and you.

2012-05-28 Thread Mark Andrews
In message <1564718.6360.1338247007903.javamail.r...@benjamin.baylink.com>, Jay Ashworth writes: > - Original Message - > > From: "Paul Vixie" > > > > *Now*, you see, we no longer have a canonical Good Engineering > > > Example to > > > which we can point when yelling at people (and sof

Re: DNS anycasting - multiple DNS servers on same subnet Vs registrar/registry policies

2012-05-28 Thread Mikkel Mondrup Kristensen
On May 29, 2012, at 01:56 , Brett Frankenberger wrote: > On Mon, May 28, 2012 at 09:32:29PM +0200, Stephane Bortzmeyer wrote: >> On Tue, May 29, 2012 at 12:21:10AM +0530, >> Anurag Bhatia wrote >> a message of 28 lines which said: >> >>> I know few registry/registrars which do not accept both

Re: isc - a good business

2012-05-28 Thread Mark Andrews
The code is DNSSEC aware, it doesn't perform redirection if the client can detect that redirection has occurred. So sign your zones and use a validating client (or just one that sets DO=1). Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742

Re: isc - a good business

2012-05-28 Thread Jimmy Hess
On 5/28/12, Paul Vixie wrote: [snip] > if i thought there was even one isp anywhere who wanted to use nxdomain > remapping but didn't because bind didn't have that feature, i'd be ready to > argue the point. but all isc did by not supporting this feature was force Maybe they would think twice, if

Re: DNS anycasting - multiple DNS servers on same subnet Vs registrar/registry policies

2012-05-28 Thread Brett Frankenberger
On Mon, May 28, 2012 at 09:32:29PM +0200, Stephane Bortzmeyer wrote: > On Tue, May 29, 2012 at 12:21:10AM +0530, > Anurag Bhatia wrote > a message of 28 lines which said: > > > I know few registry/registrars which do not accept both (or all) > > name servers of domain name on same subnet. > >

RE: Comcast Service for Non-Cap Bandwidth

2012-05-28 Thread Nabil Sharma
PC: Thank you for the reply. We will not encourage customers to disconnect cable TV service, think of it more like an add-on. I generate http test stream with DSCP code point 5 to match the Xbox service, however Comcast is rewriting the packets as CS 1, even when serving out a server at Soft

NXDomain remapping, DNSSEC, Layer 9, and you.

2012-05-28 Thread Jay Ashworth
- Original Message - > From: "Paul Vixie" > > *Now*, you see, we no longer have a canonical Good Engineering > > Example to > > which we can point when yelling at people (and software vendors) > > which > > *do* permit that, to say "see? You shouldn't be doing that; it's > > bad." > > > >

Re: Comcast Service for Non-Cap Bandwidth

2012-05-28 Thread ryan
On 27.05.2012 22:27, Nabil Sharma wrote: NANOG List, I am developing streaming video service, and seek your feedback... I would like to pay Comcast forward so that accessing our site does not count against user's bandwidth caps, similar to the arrangement made with Microsoft Xbox. http://ne

Re: Comcast Service for Non-Cap Bandwidth

2012-05-28 Thread PC
While I still don't agree it's fair, that arrangement seems limited to the viewing of the Xfinity TV application via XBOX for subscribers who have both an internet and cable TV package via Comcast and not XBOX in general. None the less, the cap is 250gb at the moment, and only applies to residenti

Re: rpki vs. secure dns?

2012-05-28 Thread paul vixie
On 5/28/2012 9:42 PM, David Conrad wrote: > On May 28, 2012, at 1:59 PM, Paul Vixie wrote: >> third, rsync's dependencies on routing (as in the RPKI+ROA case) are not >> circular (which i think was david conrad's point but i'll drag it to here.) > Nope. My point was that anything that uses the Int

Re: Bogon list update for prefix for 5.1.0.0/19

2012-05-28 Thread David Conrad
On May 28, 2012, at 2:45 PM, Matthew Palmer wrote: > On Mon, May 28, 2012 at 04:31:34PM +0300, Evgeniy Aikashev wrote: >> We are AS21219 - PJSC Datagroup and owner of 5.1.0.0/19 block. Our >> customers have no access to some part of Internet if they use these IPs. >> Could you please update your bo

Re: Bogon list update for prefix for 5.1.0.0/19

2012-05-28 Thread Matthew Palmer
On Mon, May 28, 2012 at 04:31:34PM +0300, Evgeniy Aikashev wrote: > We are AS21219 - PJSC Datagroup and owner of 5.1.0.0/19 block. Our > customers have no access to some part of Internet if they use these IPs. > Could you please update your bogon filters to permit this range. You're probably going

Re: rpki vs. secure dns?

2012-05-28 Thread David Conrad
On May 28, 2012, at 1:59 PM, Paul Vixie wrote: > third, rsync's dependencies on routing (as in the RPKI+ROA case) are not > circular (which i think was david conrad's point but i'll drag it to here.) Nope. My point was that anything that uses the Internet to fetch the data (including rsync) has

Re: DNS anycasting - multiple DNS servers on same subnet Vs registrar/registry policies

2012-05-28 Thread Max Larson Henry
off topic. I have to do a better job to prevent my 5 year old daughter from touching my phone :) -M On Mon, May 28, 2012 at 4:17 PM, Randy Bush wrote: > maxlarson.he...@transversal.ht wrote: >> Q >> --Message d'origine-- >> De : Randy Bush >> À : Anurag Bhatia >> Cc : NANOG Mailing List

Re: Bogon list update for prefix for 5.1.0.0/19

2012-05-28 Thread Seth Mattinen
On 5/28/12 6:31 AM, Evgeniy Aikashev wrote: > Dear all, > We are AS21219 - PJSC Datagroup and owner of 5.1.0.0/19 block. Our customers > have no access to some part of Internet if they use these IPs. > Could you please update your bogon filters to permit this range. > Do you have a test IP addr

Re: DNS anycasting - multiple DNS servers on same subnet Vs registrar/registry policies

2012-05-28 Thread Randy Bush
maxlarson.he...@transversal.ht wrote: > Q > --Message d'origine-- > De : Randy Bush > À : Anurag Bhatia > Cc : NANOG Mailing List > Objet : Re: DNS anycasting - multiple DNS servers on same subnet Vs > registrar/registry policies > Envoyé : 28 mai, 2012 17:03 > ... > Envoyé par mon BlackBe

Re: isc - a good business

2012-05-28 Thread Paul Vixie
(all caught up after this.) Jay Ashworth writes: > - Original Message - >> From: "paul vixie" > >> On 5/28/2012 11:52 AM, Randy Bush wrote: >> > ... maybe a bit too much layer ten for my taste. ... >> >> on that, we're trying to improve. for example, we used to forego >> features that

Re: DNS anycasting - multiple DNS servers on same subnet Vs registrar/registry policies

2012-05-28 Thread maxlarson . henry
Q --Message d'origine-- De : Randy Bush À : Anurag Bhatia Cc : NANOG Mailing List Objet : Re: DNS anycasting - multiple DNS servers on same subnet Vs registrar/registry policies Envoyé : 28 mai, 2012 17:03 > I am building redundancy within that setup. I mean it will be software > based BG

Re: DNS anycasting - multiple DNS servers on same subnet Vs registrar/registry policies

2012-05-28 Thread Randy Bush
> I am building redundancy within that setup. I mean it will be software > based BGP so if hardware is fried up, it will break BGP session and pull > off routes anyway and for cases like DNS server (software) failure, I will > monitor it via simple bash script which can turn bgp daemon down. So onc

Re: rpki vs. secure dns?

2012-05-28 Thread Paul Vixie
more "threads from the crypt" as i catch up to 6000 missed nanog posts. "Dobbins, Roland" writes: > On Apr 28, 2012, at 5:17 PM, Saku Ytti wrote: > >> People might scared to rely on DNS on accepting routes, but is this >> really an issue? > > Yes, recursive dependencies are an issue. I'm really

Re: isc - a good business

2012-05-28 Thread George Herbert
It's past given that large entities that can forge the use of BIND; at that point, engineering aside, Paul's point that the market and code have spoken is hard to deny. Sucks when it works against us... George William Herbert Sent from my iPhone On May 28, 2012, at 12:52, Jay Ashworth wrote

Re: Vixie warns: DNS Changer ‘blackouts’ inevitable

2012-05-28 Thread Florian Weimer
[Dnschanger substitute server operations] > One thing is clear, Paul is able to tell a great story. PR for ISC is somewhat limited, it's often attributed to the FBI: | The effort, scheduled to begin this afternoon, is designed to let | those people know that their Internet connections will stop

Re: isc - a good business

2012-05-28 Thread Jay Ashworth
- Original Message - > From: "paul vixie" > On 5/28/2012 11:52 AM, Randy Bush wrote: > > ... maybe a bit too much layer ten for my taste. ... > > on that, we're trying to improve. for example, we used to forego > features that some of us found repugnant, such as nxdomain remapping / > ad

Re: DNS anycasting - multiple DNS servers on same subnet Vs registrar/registry policies

2012-05-28 Thread Anurag Bhatia
On Tue, May 29, 2012 at 1:07 AM, Patrick W. Gilmore wrote: > On May 28, 2012, at 15:24 , Anurag Bhatia wrote: > > On Tue, May 29, 2012 at 12:50 AM, Tony Finch wrote: > >> Anurag Bhatia wrote: > >>> > >>> One small concern I wanted to discuss here. I know few > >>> registry/registrars which do no

Re: DNS anycasting - multiple DNS servers on same subnet Vs registrar/registry policies

2012-05-28 Thread Patrick W. Gilmore
On May 28, 2012, at 15:24 , Anurag Bhatia wrote: > On Tue, May 29, 2012 at 12:50 AM, Tony Finch wrote: >> Anurag Bhatia wrote: >>> >>> One small concern I wanted to discuss here. I know few >>> registry/registrars which do not accept both (or all) name servers of >>> domain name on same subnet.

Re: DNS anycasting - multiple DNS servers on same subnet Vs registrar/registry policies

2012-05-28 Thread Stephane Bortzmeyer
On Tue, May 29, 2012 at 12:21:10AM +0530, Anurag Bhatia wrote a message of 28 lines which said: > I know few registry/registrars which do not accept both (or all) > name servers of domain name on same subnet. Since my employer is one of these registries, let me mention that I fully agree with

Re: DNS anycasting - multiple DNS servers on same subnet Vs registrar/registry policies

2012-05-28 Thread Anurag Bhatia
On Tue, May 29, 2012 at 12:50 AM, Tony Finch wrote: > Anurag Bhatia wrote: > > > > One small concern I wanted to discuss here. I know few > > registry/registrars which do not accept both (or all) name servers of > > domain name on same subnet. They demand at least 1 DNS server should be > > on d

Re: DNS anycasting - multiple DNS servers on same subnet Vs registrar/registry policies

2012-05-28 Thread Tony Finch
Anurag Bhatia wrote: > > One small concern I wanted to discuss here. I know few > registry/registrars which do not accept both (or all) name servers of > domain name on same subnet. They demand at least 1 DNS server should be > on different subnet for failover reasons (old thoughts). > > How one c

Re: DNS anycasting - multiple DNS servers on same subnet Vs registrar/registry policies

2012-05-28 Thread David Conrad
Anurag, On May 28, 2012, at 11:51 AM, Anurag Bhatia wrote: > I know few registry/registrars > which do not accept both (or all) name servers of domain name on same > subnet. They demand at least 1 DNS server should be on different subnet for > failover reasons (old thoughts). IMHO appropriately s

DNS anycasting - multiple DNS servers on same subnet Vs registrar/registry policies

2012-05-28 Thread Anurag Bhatia
Greetings everyone! One small concern I wanted to discuss here. I know few registry/registrars which do not accept both (or all) name servers of domain name on same subnet. They demand at least 1 DNS server should be on different subnet for failover reasons (old thoughts). How one can deal with

Re: isc - a good business

2012-05-28 Thread Christopher Morrow
On Mon, May 28, 2012 at 6:32 AM, paul vixie wrote: > i'm paying more attention to the quoting this time, too. > >> On Wed, May 23, 2012 at 04:33:28PM -0400, Christopher Morrow wrote: >> > On Wed, May 23, 2012 at 1:40 AM,   wrote: >> > > Paul will be there to turn things off when >> > >        they

Re: isc - a good business

2012-05-28 Thread paul vixie
On 5/28/2012 11:52 AM, Randy Bush wrote: > ... maybe a bit too much layer ten for my taste. ... on that, we're trying to improve. for example, we used to forego features that some of us found repugnant, such as nxdomain remapping / ad insertion. since the result was that our software was less rele

Bogon list update for prefix for 5.1.0.0/19

2012-05-28 Thread Evgeniy Aikashev
Dear all, We are AS21219 - PJSC Datagroup and owner of 5.1.0.0/19 block. Our customers have no access to some part of Internet if they use these IPs. Could you please update your bogon filters to permit this range. Thanks. -- Best regards, Evgeniy Aikashev network engineer PJSC DATAGROUP

Re: isc - a good business

2012-05-28 Thread Randy Bush
fwiw, i think isc and isc staff are very well intentioned and do a lot of good work for the community. i have doubts about isc's business model, but definitely not that it makes too much money or is greedy. maybe a bit too much layer ten for my taste. and i run and appreciate the software. randy

isc - a good business

2012-05-28 Thread paul vixie
greetings. i didn't notice this before, and i want to complete the record. i'm paying more attention to the quoting this time, too. > On Wed, May 23, 2012 at 04:33:28PM -0400, Christopher Morrow wrote: > > On Wed, May 23, 2012 at 1:40 AM, wrote: > > > Paul will be there to turn things off when