Re: Out-of-Bailiwick DNS? (Was: HE.net problem)

2024-07-07 Thread Bryan Fields
On 7/5/24 3:53 AM, Jeroen Massar via NANOG wrote:
> And... we all still have ICANN as an ultimate power, and the TLD itself, next to the above registrar.
If you recall the facebook outage from last year, one of the interesting things from it was they are their own registrar for their domains.

Re: HE.net problem

2024-07-07 Thread Alarig Le Lay via NANOG
On Thu 04 Jul 2024 18:16:28 GMT, Randy Bush wrote:
> hak whacked me to add
> http://dns.measurement-factory.com/tools/nagios-plugins/check_zone_rrsig_expiration.html
> to my nagios deployment.
>
> anyone have some known sick in various ways dns zones against which to
> test?
Those domains are bro

Re: Out-of-Bailiwick DNS? (Was: HE.net problem)

2024-07-06 Thread bzs
FWIW I think TLDs should cost much more, like millions, other than where they provide legitimate internationalization or specific community service functions (TBD.) 1. They're just polluting the name space, many seem frivolous like .RODEO or .FISHING (yeah those are real.) 2. Vanity corporate T

Re: Out-of-Bailiwick DNS? (Was: HE.net problem)

2024-07-06 Thread Rubens Kuhl
> If I have an LG TV and it wants to update to .LG and LG is
> DNSSEC signing the whole chain, that sure seems more likely to be legit
> than .lg.tv or some such.
.lg and .he were mentioned as possible brand TLDs, but those are not allowed, because they are reserved for possible ccTLDs. gTLDs are

Re: Out-of-Bailiwick DNS? (Was: HE.net problem)

2024-07-06 Thread John Levine
According to Bill Woodcock:
>> On Jul 6, 2024, at 22:41, Paul Ebersman wrote:
>> I've been surprised that none of the folks that got TLDs seem to be
>> leveraging the technical/security brand protection like they could.
>
>A few are. A very few. SNCF. A few banks. I can't h

Re: Out-of-Bailiwick DNS? (Was: HE.net problem)

2024-07-06 Thread John Levine
It appears that Bill Woodcock said:
>> On Jul 6, 2024, at 22:11, John Von Essen wrote:
>> I saw something online that said $250,000 but that didn’t make sense if it’s
>> all paperwork.
>
>Heh. I see you are unfamiliar with ICANN. They’ve said that same paperwork
>is likely to c

Re: Out-of-Bailiwick DNS? (Was: HE.net problem)

2024-07-06 Thread Crist Clark
If you’re LG, you own the software, you do cert pinning. Also, realize many (most? almost all?) are going to outsource the management of their vanity TLD to one of the existing companies in that market. Think of a brand that sells, I don’t know, shoes. Running a TLD is not part of their core busi

Re: Out-of-Bailiwick DNS? (Was: HE.net problem)

2024-07-06 Thread Bill Woodcock
> On Jul 6, 2024, at 22:41, Paul Ebersman wrote:
> I've been surprised that none of the folks that got TLDs seem to be
> leveraging the technical/security brand protection like they could.
A few are. A very few. SNCF. A few banks.
> If I have an LG TV and it wants to update to .LG and LG is

Re: Out-of-Bailiwick DNS? (Was: HE.net problem)

2024-07-06 Thread Paul Ebersman
essen> I saw something online that said $250,000 but that didn't make
essen> sense if it's all paperwork.
woody> Heh. I see you are unfamiliar with ICANN. They've said that
woody> same paperwork is likely to cost $375k in ICANN staff time for
woody> the next round. Because, you know, inflation o

Re: Out-of-Bailiwick DNS? (Was: HE.net problem)

2024-07-06 Thread Bill Woodcock
> On Jul 6, 2024, at 22:11, John Von Essen wrote:
> I saw something online that said $250,000 but that didn’t make sense if it’s
> all paperwork.
Heh. I see you are unfamiliar with ICANN. They’ve said that same paperwork is likely to cost $375k in ICANN staff time for the next round. Because

Re: Out-of-Bailiwick DNS? (Was: HE.net problem)

2024-07-06 Thread John Von Essen
I've found this conversation hugely of interest… The below isn't really a question, more of a high level clarification/further thinking. First, what actually happened and the impact (correct me if any of this is wrong): A stupid phishing complaint to NetSol by a 3rd party got he.net put into cl

Re: getting the memo, Out-of-Bailiwick DNS? (Was: HE.net problem)

2024-07-06 Thread Jay Ashworth
See how little it has been necessary for me to pay attention to them since my net handle was assigned back in the early 90s or maybe late 80s? ;-) Cheers, -- jra3 On July 6, 2024 11:11:50 AM EDT, John Levine wrote: >According to Jay R. Ashworth : >>data I heard that that *was* a registry-side

Re: getting the memo, Out-of-Bailiwick DNS? (Was: HE.net problem)

2024-07-06 Thread John Levine
According to Jay R. Ashworth:
>data I heard that that *was* a registry-side hold (and hence it didn't matter
>that it was NetSol). Or perhaps that NetSol was still the registry for .net --
>that's out of date now, isn't it?
Uh, yeah, Verisign spun off the NetSol registrar over 20 years ago in la

Re: Out-of-Bailiwick DNS? (Was: HE.net problem)

2024-07-05 Thread Jay R. Ashworth
- Original Message -
> From: "Robert L Mathews"
>
> However, if "example.com" uses "ns1.he.net" and "ns2.he.net" as its
> nameservers,
> having the second of those instead be "ns2.he.org" will keep "www.example.com"
> reachable if he.net is placed on clientHold.
>
> That was presumably

Re: TLD jingle mail, Out-of-Bailiwick DNS? (Was: HE.net problem)

2024-07-05 Thread Rubens Kuhl
On Fri, Jul 5, 2024 at 6:25 PM John Levine wrote:
>
> Also, getting your own TLD doesn't necessarily make your risks less, it just
> makes them different. You now have a direct relationship with the registry
> back end provider that you have to not screw up, and due to ICANN's rules,
> there is

Re: TLD jingle mail, Out-of-Bailiwick DNS? (Was: HE.net problem)

2024-07-05 Thread John Levine
It appears that Bill Woodcock said:
>ICANN’s going to open another round of TLD applications, and I expect a lot of
>companies to go into that with their eyes more
>open than last time, knowing why they’re doing it. It’s not about brand
>protection, it’s about disintermediating the root
>of tru

Re: Out-of-Bailiwick DNS? (Was: HE.net problem)

2024-07-05 Thread Robert L Mathews
On Jul 5, 2024, at 12:53 AM, Jeroen Massar via NANOG wrote:
> Thus one only increases the risk by having multiple TLDs.
That's not the case if you provide DNS servers for others, though. It is true that if he.net has nameservers of "ns1.he.net" and "ns2.he.net", making the second of those be

Re: Out-of-Bailiwick DNS? (Was: HE.net problem)

2024-07-05 Thread Paul Ebersman
ebersman> - don't have all your business critical domains under the same
ebersman> registrar (unless it's of the CSC/markmonitor class)
jeroen> There is always going to be single point of failures in a
jeroen> hierarchical tree like that.
Everything in internet/infrastructure is risk tradeoffs

Re: Out-of-Bailiwick DNS? (Was: HE.net problem)

2024-07-05 Thread Bill Woodcock
> On Jul 5, 2024, at 09:53, Jeroen Massar via NANOG wrote:
> Please note that:
> - Markmonitor is owned by Newfold Digital / Endurance International [1]
> - Network Solutions is owned by Web.com [2]
> - Web.com is... owned by Newfold Digital [3]
>
> And... we

Out-of-Bailiwick DNS? (Was: HE.net problem)

2024-07-05 Thread Jeroen Massar via NANOG
> On 4 Jul 2024, at 23:22, Paul Ebersman wrote:
>
> cjc> On the other side of this, we all may be learning the value of not
> cjc> having all of your NS records in a single zone with a domain under a
> cjc> single registrar.
>
> From some trainings I did on how to be sure your DNS was robust:

Re: HE.net problem

2024-07-04 Thread Randy Bush
>> what foss dns monitoring tools do folk use to alert of
>> - imminent delegation expiry
>> - inconsistent service (lame, soa mismatches, ...)
>> - dnssec signing and timer issues
>> - etc.
> https://github.com/berthubert/simplomon
thanks. may play
hak whacked me to add http://dns.measur

Re: HE.net problem

2024-07-04 Thread Job Snijders via NANOG
On Fri, 5 Jul 2024 at 06:59, Randy Bush wrote:
> not to distract from everyone diagnosing someone else's problem, but ...
>
> what foss dns monitoring tools do folk use to alert of
> - imminent delegation expiry
> - inconsistent service (lame, soa mismatches, ...)
> - dnssec signing and time

Re: HE.net problem

2024-07-04 Thread Jared Mauch
.  Ryan Hamel From: Mel Beckman <m...@beckman.org> Sent: Thursday, July 4, 2024 12:20 PM To: Jay Ashworth <j...@baylink.com> Cc: Ryan Hamel <r...@rkhtech.org>; nanog@nanog.org <nanog@nanog.org> Subject: Re: HE.net problem   Caution: This is an external em

Re: HE.net problem

2024-07-04 Thread Tim Burke
aylink.com> Cc: Ryan Hamel <r...@rkhtech.org>; nanog@nanog.org <nanog@nanog.org> Subject: Re: HE.net problem Caution: This is an external email and may be malicious. Please take care when clicking links or opening attachments. Ou

Re: HE.net problem

2024-07-04 Thread Giorgio Bonfiglio via NANOG
> On 4 Jul 2024, at 21:53, Crist Clark wrote:
>
> On the other side of this, we all may be learning the value of not having all
> of your NS records in a single zone with a domain under a single registrar.
The majority of real large DNS hosting providers have their authoritative under mul

Re: HE.net problem

2024-07-04 Thread Randy Bush
not to distract from everyone diagnosing someone else's problem, but ...
what foss dns monitoring tools do folk use to alert of
- imminent delegation expiry
- inconsistent service (lame, soa mismatches, ...)
- dnssec signing and timer issues
- etc.
randy

Re: HE.net problem

2024-07-04 Thread Reid Fishler via NANOG
After a metric ton of screaming, we did get the issue solved. Thanks everyone, and we WILL be following up with the powers that be.
Reid
On Thu, Jul 4, 2024, 3:31 PM Reid Fishler wrote:
> Network Solutions has decided to put our domain name on Client Hold due to
> a single phishing complaint ab

Re: HE.net problem

2024-07-04 Thread Paul Ebersman
cjc> On the other side of this, we all may be learning the value of not
cjc> having all of your NS records in a single zone with a domain under a
cjc> single registrar.
From some trainings I did on how to be sure your DNS was robust:
- don't have all your business critical domains under the sam

Re: HE.net problem

2024-07-04 Thread John Levine
It appears that Reid Fishler via NANOG said:
>Network Solutions has decided to put our domain name on Client Hold due to
>a single phishing complaint about a web page, which happens to just be a
>page of information about another domain from bgp.he.net. Network Solutions
>has been c

Re: HE.net problem

2024-07-04 Thread Jay R. Ashworth
anog@nanog.org
> Sent: Thursday, July 4, 2024 4:52:14 PM
> Subject: Re: HE.net problem
> On the other side of this, we all may be learning the value of not having
> all of your NS records in a single zone with a domain under a single
> registrar.
>
> (From someone who has personal

Re: HE.net problem

2024-07-04 Thread Crist Clark
*Sent:* Thursday, July 4, 2024 12:20 PM > *To:* Jay Ashworth > *Cc:* Ryan Hamel ; nanog@nanog.org > *Subject:* Re: HE.net problem > > Caution: This is an external email and may be malicious. Please take care > when clicking links or opening attachments. > > Our he.net dns a

Re: HE.net problem

2024-07-04 Thread Paul Ebersman
jra> We have a report on outages that he.net has been placed in ICANN
jra> client hold, and people's DNS service is falling over on this
jra> Independence day.
Seems to have had hold removed 20:20 zulu, according to whois. Domain back in .net and working again.

Re: HE.net problem

2024-07-04 Thread Mel Beckman
anything for that domain. At the moment, a simple DNS trace (dig he.net +trace) cannot complete fully. Ryan Hamel From: Mel Beckman Sent: Thursday, July 4, 2024 12:20 PM To: Jay Ashworth Cc: Ryan Hamel ; nanog@nanog.org Subject: Re: HE.net problem Caution: This is

Re: HE.net problem

2024-07-04 Thread Reid Fishler via NANOG
Network Solutions has decided to put our domain name on Client Hold due to a single phishing complaint about a web page, which happens to just be a page of information about another domain from bgp.he.net. Network Solutions has been contacted, and refuses to handle this issue in ANY expedited manne

Re: HE.net problem

2024-07-04 Thread Mel Beckman
fully. Ryan Hamel From: Mel Beckman Sent: Thursday, July 4, 2024 12:20 PM To: Jay Ashworth Cc: Ryan Hamel ; nanog@nanog.org Subject: Re: HE.net problem Caution: This is an external email and may be malicious. Please take care when clicking links or opening

Re: HE.net problem

2024-07-04 Thread Ryan Hamel
. At the moment, a simple DNS trace (dig he.net +trace) cannot complete fully. Ryan Hamel From: Mel Beckman Sent: Thursday, July 4, 2024 12:20 PM To: Jay Ashworth Cc: Ryan Hamel ; nanog@nanog.org Subject: Re: HE.net problem Caution: This is an external email

Re: HE.net problem

2024-07-04 Thread Jay Ashworth
I've been informed that the CEO of HE is on this as of 1512EDT. I approve of the scale of this response. :-) Cheers, -- jra On July 4, 2024 2:55:34 PM EDT, Jay Ashworth wrote: >We have a report on outages that he.net has been placed in ICANN client hold, >and people's DNS service is falling ov

Re: HE.net problem

2024-07-04 Thread Mel Beckman
M To: nanog@nanog.org Subject: HE.net problem Caution: This is an external email and may be malicious. Please take care when clicking links or opening attachments. We have a report on outages that he.net has been placed in ICANN client hold, and people's DNS service is falling over on this Inde

Re: HE.net problem

2024-07-04 Thread Jay Ashworth
eir support when that outage thread came in, they're already aware >and taking a look now. > >Ryan Hamel > > >From: NANOG on behalf of Jay >Ashworth >Sent: Thursday, July 4, 2024 11:55 AM >To: nanog@nanog.org >Subject: HE.net problem

Re: HE.net problem

2024-07-04 Thread Ryan Hamel
I called their support when that outage thread came in, they're already aware and taking a look now. Ryan Hamel From: NANOG on behalf of Jay Ashworth Sent: Thursday, July 4, 2024 11:55 AM To: nanog@nanog.org Subject: HE.net problem Caution: This

HE.net problem

2024-07-04 Thread Jay Ashworth
We have a report on outages that he.net has been placed in ICANN client hold, and people's DNS service is falling over on this Independence day. If you work in DNS for HE, you might want to look into this. I have double checked the report, and I am seeing the status as well. Hurricane serves lo