he 15 million open recursives would be good to see fixed.
at the moment most attacks are using authority servers, where it's far
easier to automatically tell attack flows from non-attack flows.
--
Paul Vixie
KI6YSY
, arguments from non-operators should and do carry less weight.)
--
Paul Vixie
KI6YSY
Randy Bush writes:
> > ...
> i have assiduously avoided gaining serious anti-spam fu. but it seems
> to me that ipv6 does not create/enable significantly more spam-bots.
the malware will generally have complete control over the bottom 64 bits
of an ipv6 address. there's no reason to expect to e
"Livingood, Jason" writes:
> In preparation for the World IPv6 Launch, inbound (SMTP) email to the
> comcast.net domain was IPv6-enabled today, June 5, 2012, at 9:34 UTC.
> Roughly one minute later, at 9:35:30 UTC we received our first
> inbound email over IPv6 from 2001:4ba0:fff4:1c::2. That fi
On 2012-05-30 12:53 AM, Nabil Sharma wrote:
> Paul:
>
> Where can we read details about the services ISC provided to the FBI,
> and how they were compensated?
it's in the AP News article published a few weeks ago. for an example:
http://www.foxnews.com/scitech/2012/04/23/hundreds-thousands-may-lo
is the effect of seeing one of those rrsets but not the
other? (here again we see the disadvantage of starting from incomplete
information.)
On 2012-05-30 4:24 AM, Shane Amante wrote:
> On May 29, 2012, at 8:44 PM, Paul Vixie wrote:
>> ...
>>
>> the problem is in time domain bo
On 2012-05-29 5:37 PM, Richard Barnes wrote:
>>> I agree with the person higher up the thread that ROVER seems like
>>> just another distribution mechanism for what is essentially RPKI data.
noting, that up-thread person also said "i haven't studied this in detail
so i'm probably wrong."
>> But do
On 5/29/2012 10:27 AM, Stephane Bortzmeyer wrote:
> On Mon, May 28, 2012 at 10:01:59PM +,
> paul vixie wrote
> a message of 37 lines which said:
>
>> i can tell more than that. rover is a system that only works at all
>> when everything everywhere is working well,
On 5/28/2012 9:42 PM, David Conrad wrote:
> On May 28, 2012, at 1:59 PM, Paul Vixie wrote:
>> third, rsync's dependencies on routing (as in the RPKI+ROA case) are not
>> circular (which i think was david conrad's point but i'll drag it to here.)
> Nope. My poin
(all caught up after this.)
Jay Ashworth writes:
> - Original Message -
>> From: "paul vixie"
>
>> On 5/28/2012 11:52 AM, Randy Bush wrote:
>> > ... maybe a bit too much layer ten for my taste. ...
>>
>> on that, we're trying to im
nt of need. that's
nuts for a lot of reasons, one of which is its potentially and unmanageably
circular dependency on the acceptance of a route you don't know how to
accept or reject yet.
my take-away from this thread is: very few people take RPKI seriously, but
even fewer take ROVER seriously.
--
Paul Vixie
KI6YSY
On 5/28/2012 11:52 AM, Randy Bush wrote:
> ... maybe a bit too much layer ten for my taste. ...
on that, we're trying to improve. for example, we used to forego
features that some of us found repugnant, such as nxdomain remapping /
ad insertion. since the result was that our software was less rele
greetings. i didn't notice this before, and i want to complete the record.
i'm paying more attention to the quoting this time, too.
> On Wed, May 23, 2012 at 04:33:28PM -0400, Christopher Morrow wrote:
> > On Wed, May 23, 2012 at 1:40 AM, wrote:
> > > Paul will be there to turn things off when
and they call it BIND as well,
it would be
a HUGE leap of faith to call Paul Vixie the father of
BIND - The Berkeley Internet Naming Daemon.
Methinks we're talking at cross purposes.
maybe... :) my comment was referring to the "father of bin
http://tech.slashdot.org/story/12/04/27/2039237/engineers-ponder-easier-fix-to-internet-problem
> "The problem: Border Gateway Protocol (BGP) enables routers to
> communicate about the best path to other networks, but routers don't
> verify the route 'announcements.' When routing problems erupt, '
increased member involvement, as well as broader
> involvement from the community. (For instance, policy petitions
> should include responses from the entire affected community, not just
> PPML.) But my criticisms should be interpreted as constructive, and
> are not an indictment of the whole approach.
thanks for saying so.
--
Paul Vixie
way that's bad?
ARIN's bylaws firmly place control of ARIN into the hands of its members.
if you think that's the wrong approach, i'm curious to hear your reasoning
and your proposed alternative.
--
Paul Vixie
KI6YSY
publicly here, or privately, as you prefer.
--
Paul Vixie
KI6YSY
renew several expiring terms. candidates need not be ARIN members.
please see <https://www.arin.net/announcements/2011/20110725_elec.html>
and think about who you can nominate or whether you can self-nominate.
paul vixie
chairman, 2011 arin nomcom
> Date: Sun, 19 Jun 2011 22:32:59 -0700
> From: Doug Barton
>
> ... the highly risk-averse folks who won't unconditionally enable IPv6
> on their web sites because it will cause problems for 1/2000 of their
> customers.
let me just say that if i was making millions of dollars a day and i had
the
> Date: Sun, 19 Jun 2011 19:22:46 -0700
> From: Michael Thomas
>
> > that's a good question. marka mentioned writing an RFC, but i expect
> > that ICANN could also have an impact on this by having applicants sign
> > something that says "i know that my single-label top level domain name
> > will
> From: David Conrad
> Date: Sun, 19 Jun 2011 16:04:09 -1000
>
> On Jun 19, 2011, at 3:24 PM, Paul Vixie wrote:
>
> > i think we have to just discourage lookups of single-token names,
> > universally.
>
> How?
that's a good question. marka mentioned w
> Date: Sun, 19 Jun 2011 19:30:58 -0500
> From: Jeremy
>
> "DK" may not be hierarchical, but "DK." is. If you try to resolve "DK"
> on its own, many (most? all?) DNS clients will attach the search
> string/domain name of the local system in order to make it a FQDN. The
> same happens when you tr
then get burned by all of the local
"foobar.this.tld" and "foobar.that.tld" names that will get reached
instead of their TLD. i say inevitable; i don't know a way to avoid it
since there will be a lot of money and a lot of people involved.
--
Paul Vixie
KI6YSY
in a search list containing 'this' and 'that', where
the default search list is normally the parent domain name of your own
hostname (so for me on six.vix.com the search list would be vix.com and
so as long as dk.vix.com did not exist then http://dk/ would reach "dk.")
--
Paul Vixie
KI6YSY
, see:
http://www.icann.org/en/announcements/announcement-04jan08.htm
other rootops who have spoken about this have said similar/compatible things.
--
Paul Vixie
KI6YSY
g on whoever-owns-those-Supermicro-board's part.
> That's not to say there's a route back, by any means.
i'll bet i'm not alone in seeing traffic from this prefix. as a rootop
i can tell you that we see plenty of queries from ipv4 rfc1918 as well.
--
Paul Vixie
KI6YSY
it's been a while since i looked at the query stream still hitting
{rbl,dul}.maps.vix.com. this was the world's first RBL but it was
renamed from maps.vix.com to mail-abuse.org back in Y2K or so. i
have not sent anything but NXDOMAIN in response to one of these
queries for at least ten years, yet
> Date: Tue, 17 May 2011 11:49:47 -0400
> From: Steve Clark
>
> This is all very confusing to me. How are meaningful names going to be assigned
> automatically?
It'll probably be a lot like Apple's and Xerox's various multicast naming
systems if we want it to work in non-globally connected networks
> Date: Tue, 17 May 2011 11:07:17 +0200
> From: Mans Nilsson
>
> > > ... It's not like you can even reach anything at home now, let alone
> > > reach it by name.
> >
> > that must and will change. let's be the generation who makes it possible.
>
> I'd like to respond to this by stating that I
> From: Owen DeLong
> Date: Mon, 16 May 2011 16:12:27 -0700
>
> ... It's not like you can even reach anything at home now, let alone
> reach it by name.
that must and will change. let's be the generation who makes it possible.
> Date: Mon, 16 May 2011 14:37:46 -0400
> From: Jim Gettys
>
> > perhaps i'm too close to the problem because that solution looks quite
> > viable to me. dns providers who don't keep up with the market (which
> > means ipv6+dnssec in this context) will lose business to those who do.
>
> I don't
dns providers who don't keep up with the market (which means
ipv6 and dnssec in this context) will lose business to those who do.
--
Paul Vixie
KI6YSY
> From: Marshall Eubanks
> Date: Sat, 14 May 2011 13:02:16 -0400
>
> I think that the real question is, when will people who are running
> IPv4 only not be on the Internet by this definition ?
is there an online betting mechanism we could use, that we all think will
still be in business decades
an IP
packet from'". Seth Breidbart
by which definition, matthew's observation would be correct. folks who want
to run V6 only and still be "on the internet" will need proxies for a long
while. folks who want to run V6 only *today* and not have any proxies *tod
controlled by infectable pc's means
we'll be blackholing by /64 when we blackhole in ipv6. it's no big deal.
--
Paul Vixie
KI6YSY
so because your post looks like trolling to me. if
you ask again with a real domain name and a real meatspace signature, i'll
be happy to say what i think about ntt as a service provider in the US.
--
Paul Vixie
KI6YSY
> Date: Thu, 10 Feb 2011 01:13:49 -0600
> From: Jimmy Hess
>
> With them not requiring a /8 in the first place (after CIDR); one
> begins to wonder how much of their /8 allocations they actually
> touched in any meaningful way.
i expect that after final depletion there will be some paid transfer
size of the global
routing table... what whacky kids we all were. hint: i had hair back then.)
--
Paul Vixie
KI6YSY
e. i think the "neutral and commercial" model is very well
established and that verizon will not want to be the only carrier in
those facilities nor have their circuit-holders be the only customers
for the real estate. it's an awful lot of space to use just as colo,
and it's bot
Jeffrey Lyon writes:
> One cannot be owned by a carrier and remain carrier neutral.
>
> My two cents,
my experience running PAIX when it was owned by MFN was not like you're saying.
--
Paul Vixie
KI6YSY
if so what mode to deploy in. on the ARIN BoT i
have likewise been very interested in and supportive of RPKI and i'm
happy to repeat john curran's words which were, ARIN is looking at the
risks and benefits of various RPKI deployment scenarios, and we expect
to do more public and member outrea
nce he needs on this question. i
hope to see many of you at the upcoming ARIN public policy meeting in
san juan PR where this is sure to be discussed both at the podium and in
the hallways and bar rooms.
Paul Vixie
Chairman and Chief Scientist, ISC
Member, ARIN BoT
> Date: Sat, 08 Jan 2011 18:17:55 +0900
> From: Randy Bush
>
> let me be a bit more clear on this
thanks.
> o you affect the operational community, you talk with (not to) the
> operational community where the operational community talks
i think arin does this today. certainly that is th
> From: David Conrad
> Date: Fri, 7 Jan 2011 23:11:32 -1000
>
> On Jan 7, 2011, at 10:24 PM, Paul Vixie wrote:
> > the price of changing what ARIN does is, at a minimum: participation.
>
> Another view is that ARIN's whole and sole reason for being is to
>
> From: David Conrad
> Date: Fri, 7 Jan 2011 21:01:52 -1000
>
> > do you have a specific proposal? i've noted in the past that arin tries
> > hard to stick to its knitting, which is allocation and allocation policy.
>
> Yes. This is a positive (IMHO), however it seems that occasionally,
> ARIN's
> Date: Sat, 08 Jan 2011 15:47:51 +0900
> From: Randy Bush
> ...
> more recent rumors, and john's posting here, seem to indicate that
> ...
even to the extent that i know what's really happened or happening, i'd
be loath to comment on rumours. i have high confidence in arin's board
and staff, a
ity wanted arin to run SIGs or WGs
on things like routing policy arin could do it but that a lot of folks would
say that's mission creep and that it would be arin poaching on nanog lands.
--
Paul Vixie
Chairman and Chief Scientist, ISC
Trustee, ARIN
> From: "Robert Glover"
> Date: Thu, 25 Nov 2010 15:02:42 -0800
>
> Try calling 1-800-332-1321. It is a general repair number for POTS
> and DSX circuits. They are clueful, and if they aren't the right
> people to call, they will likely be able to point you in the right
> direction.
thanks, tha
there's a pacific telephone j-box at the edge of a parking lot in san mateo
california that's been hit by a car hard enough to spring the door open. the
copper punchdowns are now freely and publicly accessible. i think it's not
pac tel or pac bell or sbc any more, so what i need is to know how
John Jason Brzozowski writes:
> This does not alter our plans for our native dual stack trials, in fact, I
> hope to have more news on this front soon.
comcast native dual stack is working fine at my house.
"traceroute6 -q1 mol.redbarn.org" shows details.
iling lists for years.
> I recommend blacklisting them permanently.
domains and/or cidrs, plz?
--
Paul Vixie
KI6YSY
d...@bungi.com (Dave Rand) writes:
> ...
> With more than 100,000,000 compromised computers out there, it's really
> time for us to step up to the plate, and make this happen.
+1.
--
Paul Vixie
KI6YSY
miscreant VIA PRIVATE EMAIL or a note tied to
> a brick, but do not prate incessantly about it on the list.
+1.
--
Paul Vixie
KI6YSY
> From: David Conrad
> Date: Sun, 11 Apr 2010 13:52:24 -1000
>
> On Apr 11, 2010, at 10:57 AM, Paul Vixie wrote:
> > ... i'd like to pick the easiest problem and for that reason i'm urging
> > dual-stack ipv4/ipv6 for all networks new or old.
>
> Is anyon
f.root-servers.net. IN 2001:500:2f::14:0
f.root-servers.net. IN 2001:510:2f::f
f.root-servers.net. IN 2101:500:2f::f
f.root-servers.net. IN 2109:500:2f::f
f.root-servers.net. IN LOC \# 16 20 01 05 00 00 2f 00 00 00 00 00 00 00 00 00 0f
--
Paul Vixie
KI6YSY
pulation and serves a
global economy. if the rate of endpoint growth does not continue beyond
ipv4 pool exhaustion we'll have a problem. if it does, we'll also have a
problem but a different problem. i'd like to pick the easiest problem and
for that reason i'm urging dual-stack ipv4/ipv6 for all networks new or old.
--
Paul Vixie
Chairman, ARIN BoT
e nature and location of that tipping point amount to reading tea leaves.
nevertheless if everybody who can deploy dual-stack does so, we'll reach
that tipping point sooner and it'll be less spectacular.
--
Paul Vixie
Chairman, ARIN BoT
g the "chicken little dance". however, for many
networks, growth is life, and for them, free pool depletion is a problem.
--
Paul Vixie
Chairman, ARIN BoT
seems like i saw an Apple I at that show, and also a SOL, which i remember
thinking very highly of since it had an S-100 bus. the PET was there but
with the itty bitty keyboard the machine was a bit of a head-scratcher for
the crowd.
--
Paul Vixie
KI6YSY
ical intent
because china-vs-google's been in the news a lot today?
i'm more inclined to blame the heavy solar wind this month and to assume
that chinanet's routers don't use ECC on the RAM containing their RIBs and
that chinanet's router jockeys are in quite a sweat about this bad publicity.
--
Paul Vixie
KI6YSY
d don't tune anything,
so there's no advantage to silent discard or to asynchronous filtering.
everything that can be rejected synchronously, should be. there's a
small chance that the rejection notice will go to a nonbot nonspammer
who can correct their mistake and retry. that chance is worth taking.
--
Paul Vixie
KI6YSY
ed to ISC DLV, see <http://dlv.isc.org/>. Most server hosts
here run FreeBSD on AMD64/EM64T or else i386.
--
Paul Vixie
KI6YSY
published SPF records evaluated as if "~all" and "?all"
are "-all"
i think if RFC 2821 is to be updated to address the backscatter problem, it
ought to be along those lines, rather than "everything must be synchronous."
--
Paul Vixie
KI6YSY
ameserver" they are using. (is the same recursive nameserver used in all
four tests?)
> I cant seem to find any online information regarding this difference of
> behavior.
>
> Enlightenment appreciated.
i suggest re-asking this over on dns-operati...@lists.dns-oarc.net, since it's
a bit deep in the DNS bits for a general purpose list like NANOG.
--
Paul Vixie
KI6YSY
> Date: Fri, 1 Jan 2010 22:16:31 +
> From: bmann...@vacation.karoshi.com
>
> It would help if the BIND EDNS0 negotiation would not fall back to
> the 512 byte limit - perhaps you could talk with the ISC developers
> about that.
i don't agree that your proposed change would h
oing to be another game of chicken -- will the people who build and/or
deploy such crapware lose their jobs, or will ICANN back down from DNSSEC?
--
Paul Vixie
KI6YSY
ook for mission
creep opportunities. ARIN will go on doing what the community asks, no
less, no more. ARIN has no mechanism, as a company, for "[paying]
attention to [your] collective work product". our members, and the public
at large who participates in ARIN's policy development process, do that.
--
Paul Vixie
Chairman, ARIN BoT
KI6YSY
er to verify that a piece of e-mail had come from us using
some kind of semi-opaque H(message-id) scheme, but in studying it i
found that as usual with spam the economic incentives are all backwards.
--
Paul Vixie
KI6YSY
974 today
(since i see a lot of them come to my A RR rather than an MX RR, or
in the wrong order). any well known pattern that says "don't try
to deliver e-mail here" will only be honoured by friendly people who
don't want us to get e-mail we don't want to get.
--
Paul Vixie
KI6YSY
> Date: Tue, 8 Dec 2009 15:21:30 -0600
> From: Jorge Amodio
>
> Among the many wonderful things Internet has created in the past 2+
> decades, it gave birth to a countless number of "Internet Experts" ...
for example, some of us got a chance to witness the following. i've
removed all identifyin
for people who know how to do that, then we'd all still be
using Usenet over modems. we're trying to build digital infrastructure for
all of humanity, and that means stuff like the above has to be unnecessary.
--
Paul Vixie
KI6YSY
> From: David Conrad
> Date: Thu, 26 Nov 2009 13:25:39 -0800
>
> At some point, we may as well bite the bullet and redefine http{,s} as IPv7.
since products and services designed to look inside encrypted streams and
inspect, modify, or redirect them are illegal in most parts of the world:
"yes,
> From: David Conrad
> Date: Thu, 26 Nov 2009 07:42:15 -0800
>
> As you know, as long as people rely on their ISPs for resolution
> services, DNSSEC isn't going to help. Where things get really offensive
> is when the ISPs _require_ customers (through port 53 blocking, T-Mobile
> Hotspot, I'm lo
of its technical suckitude i'm working on DNSSEC.)
<http://queue.acm.org/detail.cfm?id=1647302> lays out this case.
--
Paul Vixie
KI6YSY
wildcard. You were right, and I listened. Probably I forgot to
thank you until now. Thanks.
--
Paul Vixie
KI6YSY
way based on the identity of
the querier. perhaps my language in the ACM Queue article was imprecise
("delivering facts rather than policy") and i should have stuck with the
longer formulation ("incoherent responses crafted based on the identity of
the querier rather than on the authoritative data").
--
Paul Vixie
KI6YSY
webmail systems should take a look.
<http://www-uxsup.csx.cam.ac.uk/~dpc22/prayer/> is the home page. though i
found it in freebsd.
--
Paul Vixie
KI6YSY
note, i went off-topic in my previous note, and i'll be answering florian
on namedroppers@ since it's not operational. chris's note was operational:
> Date: Thu, 6 Aug 2009 10:18:11 -0400
> From: Christopher Morrow
>
> awesome, how does that work with devices in the f-root-anycast design?
> (bo
r with associations open to
millions of clients at the same time is actually no big deal.
--
Paul Vixie
KI6YSY
his solutions for it. and i think openbsd may
have had source port randomization first, since they do it in their kernel
when you try to bind(2) to port 0. most kernels are still very predictable
when they're assigning a UDP port to an outbound socket.
--
Paul Vixie
KI6YSY
re a lawsuit could recover some losses and firing someone usually won't.
digital security is getting a lot of investor attention right now. i wonder
if this will ever consolidate or if pandora's box is just broken for all time.
--
Paul Vixie
KI6YSY
e infantry, or so i am told. this is rocket
> science.
to me "wisely" means backfilling 80% of what the Good Guys do that isn't
rocket science. (most A's are not doing only what only A's can do.)
--
Paul Vixie
KI6YSY
Guys all know this -- the difference
is that the Good Guys try not to think about this whereas the Bad Guys think
about it all the time.
--
Paul Vixie
KI6YSY
C's, if wisely deployed, could bridge that gap. the
key to all this is therefore not really "neurons" but rather "wiselyness".
i promise to, um, mention this, or maybe more, in my nanog-philly keynote.
--
Paul Vixie
KI6YSY
Pshem Kowalczyk writes:
> (answers can be off-list)
See <http://www.vix.com/personalcolo/>. (updates still welcomed, btw.)
--
Paul Vixie
KI6YSY
20V
but for $50 NRC it can be replaced with an LCD. everything else that's
still worth plugging in (that is, having a power/heat cost per performance
better than that of a blow dryer) doesn't care what voltage it lives on.
--
Paul Vixie
KI6YSY
, software, and legal people, many of whom have never questioned
their own assumptions nor those of their certification boards, state and
county governments, or teachers/mentors. they don't have to live with the
results ... but i do ... thus my willingness to dive deep.)
YMMV.
--
Paul Vixie
KI6YSY
ftp.isc.org/isc/rtty/ \
ftp://gatekeeper.research.compaq.com/pub/misc/vixie/
since the ftp server mentioned here in 1996
http://www.merit.edu/mail.archives/nanog/1996-08/msg00223.html
is dead.
--
Paul Vixie
KI6YSY
meone starting from scratch, and when
starting an IXP from scratch, a shared subnet would be just crazy talk.
--
Paul Vixie
> Date: Sat, 18 Apr 2009 13:17:11 -0400
> From: "Steven M. Bellovin"
>
> On Sat, 18 Apr 2009 16:58:24 +
> bmann...@vacation.karoshi.com wrote:
>
> > i make the claim that simple, clean design and execution is
> > best. even the security goofs will agree.
>
> "Even"? *Especially* -- o
> Date: Sat, 18 Apr 2009 16:35:51 +0100
> From: Nick Hilliard
>
> ... i just don't care if people use L2 connectivity to get to an exchange
> from a router somewhere else on their LAN. They have one mac address to
> play around with, and if they start leaking mac addresses towards the
> exchange
> Date: Sat, 18 Apr 2009 10:09:00 +
> From: bmann...@vacation.karoshi.com
>
> ... well... while there is a certain childlike obsession with the
> byzantine, rube-goldberg, lots of bells, knobs, whistles type
> machines... for solid, predictable performance, simple clean
>
stephen, any idea why this hasn't hit the nanog mailing list yet?
it's been hours, and things that others have sent on this thread
has appeared. is it stuck in a mail queue? --paul
re:
> To: Deepak Jain
> cc: Matthew Moyle-Croft ,
> Arnold Nipper , Paul Vi
Nathan Ward writes:
> On 18/04/2009, at 12:08 PM, Paul Vixie wrote:
>> ... Q in Q is not how i'd build this... cisco and juniper both have
>> hardware tunnelling capabilities that support this stuff... ...
>
> On Alcatel-Lucent 7x50 gear, VLAN IDs are only relevant to
> From: Paul Vixie
> Date: Sat, 18 Apr 2009 00:08:04 +
> ...
> i should answer something said earlier: yes there's only 14 bits of tag and
> yes 2**14 is 4096. in the sparsest and most wasteful allocation scheme,
> tags would be assigned 7:7 so there'd be a ma
ersonal server on the west coast, and it seems like
> the economy has taken out most of the old personal colo offers. Even the
> old web page on www.vix.com/personalcolo is gone.
>
>
>
--
Paul Vixie
Arnold Nipper writes:
> On 18.04.2009 00:04 Paul Vixie wrote
>
>> ... has anybody ever run out of 1Q tags in an IXP context?
>
> Why? You only need 1 ;-)
really? 1? at PAIX we started with three, two unicast (wrongheadedness)
and one multicast, then added another unicast
> > the 300-peer IXP's i've been associated with weren't quite full mesh
> > in terms of who actually wanted to peer with whom, so, no.
>
> Much depends on your definition of "quite". Would 30% qualify?
30% would be an over-the-top success. has anybody ever run out of 1Q tags
in an IXP context?
> The construct also doesn't scale well for multicast traffic exchange if
> there's a significant number of multicast peers even though the traffic
> might be low for individual source ASNs. On the other hand, if the IXP
> doesn't use IGMP/MLD snooping capable switches, then I suppose it doesn't
>