I've wondered about this for years, but only this evening did I start
searching for details. And I really couldn't find any.
Can anyone point me at distant history about how 4.2.2.2 came to be, in my
estimation, the most famous DNS server on the planet?
I know that it was originally at BBN, what
On 14 Feb 2010, at 01:16, goe...@anime.net wrote:
This is a bit more accessible, and free:
http://www.hulu.com/watch/4163/saturday-night-live-ernestine
Not if you are outside of the USA as the OP is...
f
I think around 10 years ago Slashdot had a few stories (and still do,
actually) about how great these resolvers were. I think that propelled
quite a bit of their growth and popularity.
On 2/14/2010 1:16 AM, Sean Reifschneider wrote:
I've wondered about this for years, but only this evening di
Since I'm watching B5 again on DVD
I was there at the dawning of the age of 4.2.2.1 :)
We did it, and by we I mean Brett McCoy and myself. But most of the
credit/blame goes to Brett... I helped him, but at the time I was mostly
working on getting our Mail relays working right. This was
On Sun, Feb 14, 2010 at 02:16:30AM -0700, Sean Reifschneider wrote:
> I've wondered about this for years, but only this evening did I start
> searching for details. And I really couldn't find any.
>
> Can anyone point me at distant history about how 4.2.2.2 came to be, in my
> estimation, the mos
>It was always pretty robust due to the BIND code, thanks to ISC, and
>the fact it was always IPV4 AnyCast.
$ asp 4.2.2.2 # look it up in routeviews
4.0.0.0/9 ASN 3356, path 3549 -> 3356
Wow, that's a heck of an anycast block.
R's,
John
On Feb 13, 2010, at 4:58 PM, Randy Bush wrote:
> i am often on funky networks in funky places. e.g. the wireless in
> changi really sucked friday night. if i ssh tunneled, it would multiply
> the suckiness as tcp would have puked at the loss rate.
You can always run your own local resolver... O
On Feb 14, 2010, at 12:37 PM, Jason Frisvold wrote:
> On Feb 13, 2010, at 4:58 PM, Randy Bush wrote:
>> i am often on funky networks in funky places. e.g. the wireless in
>> changi really sucked friday night. if i ssh tunneled, it would multiply
>> the suckiness as tcp would have puked at the los
On Feb 14, 2010, at 12:42 PM, Patrick W. Gilmore wrote:
> How does that help? It still sends port 53 requests to the authorities,
> which will be intercepted.
Hrm.. Maybe I misunderstood. Are the packets being intercepted, or is the
problem the local resolvers?
Well, in either case, another
On 2/14/2010 11:42 AM, Patrick W. Gilmore wrote:
> On Feb 14, 2010, at 12:37 PM, Jason Frisvold wrote:
>> On Feb 13, 2010, at 4:58 PM, Randy Bush wrote:
>>> i am often on funky networks in funky places. e.g. the wireless in
>>> changi really sucked friday night. if i ssh tunneled, it would multip
On Feb 14, 2010, at 12:53 PM, Jason Frisvold wrote:
> On Feb 14, 2010, at 12:42 PM, Patrick W. Gilmore wrote:
>> How does that help? It still sends port 53 requests to the authorities,
>> which will be intercepted.
>
> Hrm.. Maybe I misunderstood. Are the packets being intercepted, or is the
I run openvpn on my linux box to do exactly that. Already running
apache/bind/postfix/xmpp with legacy IM bridges so adding openvpn was a logical
next step.
#protip run it on port 443. :) makes it much easier to get around firewalls.
Even with deep packet inspection, SSL traffic is expected o
4.2.2.2 is stunted just like any other resolvers that use only the USG root. A more useful resolver is ASLAN [199.5.157.128]
which is an inclusive namespace resolver which shows users a complete map of the internet, not just what ICANN wants them
to see.
- Original Message -
From: "Steve
Larry Sheldon(larryshel...@cox.net)@Sun, Feb 14, 2010 at 11:54:25AM -0600:
> On 2/14/2010 11:42 AM, Patrick W. Gilmore wrote:
> > On Feb 14, 2010, at 12:37 PM, Jason Frisvold wrote:
> >> On Feb 13, 2010, at 4:58 PM, Randy Bush wrote:
> >>> i am often on funky networks in funky places. e.g. the wir
On 14. feb. 2010, at 19.43, John Palmer (NANOG Acct) wrote:
> 4.2.2.2 is stunted just like any other resolvers that use only the USG root.
> A more useful resolver is ASLAN [199.5.157.128] which is an inclusive
> namespace resolver which shows users a complete map of the internet, not just
> wha
On 2/14/10 11:43 AM, John Palmer (NANOG Acct) wrote:
4.2.2.2 is stunted just like any other resolvers that use only the USG
root. A more useful resolver is ASLAN [199.5.157.128] which is an
inclusive namespace resolver which shows users a complete map of the
internet, not just what ICANN wants th
On Sun, Feb 14, 2010 at 12:43:12PM -0600,
John Palmer (NANOG Acct) wrote
a message of 42 lines which said:
> A more useful resolver is ASLAN [199.5.157.128] which is an
> inclusive namespace resolver which shows users a complete map of the
> internet,
There are many crooks which sell dummy TL
All:
I'm involved in a project where we are cutting over a WISP from being a
single broadcast domain into the grownup real world of routing between tower
nodes. Of course the equipment is all Mikrotik and the single broadcast
domain was easy to implement, so that's why it was done this way.
>Hrm.. Maybe I misunderstood. Are the packets being intercepted, or
>is the problem the local resolvers?
Both, probably. Hotel networks often intercept all port 53 traffic not
out of malice, but so that they won't get support calls from people whose
PCs have poorly configured DNS often pointing
* John Levine:
>>It was always pretty robust due to the BIND code, thanks to ISC, and
>>the fact it was always IPV4 AnyCast.
>
> $ asp 4.2.2.2 # look it up in routeviews
> 4.0.0.0/9 ASN 3356, path 3549 -> 3356
>
> Wow, that's a heck of an anycast block.
You can do anycast with your IGP, too. 8-
We use Cisco WS-3560G-24-PS-S (Catalyst 3560G's with POE Ports). Provides POE on
each port too to eliminate having to use POE bricks to radios. We actually give
each AP its own group. It's better to break them all up rather than keep them
in their own broadcast domain, because from subscriber to s
On 02/14/2010 07:41 AM, Joe Provo wrote:
> I don't think anyone else can help you determine your estimation...
Sorry, I was being kind of flippant and paying homage to the "Peggy Hill"
character in _King_of_the_Hill_.
> That is a question for folks at L3. Any publicly-sharable data might
> be
On 02/14/2010 07:16 AM, John Orthoefer wrote:
> Since I'm watching B5 again on DVD
Awesome. Thanks for taking the time to reply, I really enjoyed the story.
Have fun with the B5. The only time I watched it was on a VHS borrowed
from a friend. It was a 3'x3' cabinet full of them. :-)
Sean
On Sun, Feb 14, 2010 at 1:19 PM, Sean Reifschneider wrote:
>> Why "conjecture"? Examining the /32s from inside and outside of 3356
>
> I said conjecture because every person I found in my searches said things
> like "I think it might be anycasted" or "they could be using anycast".
> Until this th
In message <182e6e76-f12a-41d9-800a-e5e40f3c3...@direwolf.com>, John Orthoefer
writes:
> Genuity/GTEI/Planet/BBN owned 4/8. Brett went looking for an IP that =
> was simple to remember, I think 4.4.4.4 was in use by neteng already. =
> But it was picked to be easy to remember, I think jhawk had
On Feb 14, 2010, at 5:17 PM, Mark Andrews wrote:
> In message <182e6e76-f12a-41d9-800a-e5e40f3c3...@direwolf.com>, John
> Orthoefer
> writes:
>> Genuity/GTEI/Planet/BBN owned 4/8. Brett went looking for an IP that =
>> was simple to remember, I think 4.4.4.4 was in use by neteng already. =
>> B
On 2010-02-14, at 17:17, Mark Andrews wrote:
> I don't care what internal routing tricks are used, they are still
> under the *one* external route and as such subject to single points
> of failure and as such don't have enough independence.
Are you asserting architectural control over what Level
On Sun, 2010-02-14 at 17:20 -0500, Patrick W. Gilmore wrote:
> Besides, it is quicker / better to use your local ISP's RNS. If
> something goes wrong, you can fall back to OpenDNS or L3, and, of
> course, yell at the _company_you_are_paying_ when their stuff doesn't
> work. :)
The best ad
In message <10be7b64-46ff-46d8-a428-268897413...@hopcount.ca>, Joe Abley writes
:
> On 2010-02-14, at 17:17, Mark Andrews wrote:
>
> > I don't care what internal routing tricks are used, they are still
> > under the *one* external route and as such subject to single points
> > of failure and as s
On Sun, Feb 14, 2010 at 02:41:51PM -0600, Lorell Hathcock wrote:
> 1 - AP network (need suggestion for cost effective gig-e switch)
>
> 2 to 4 - back haul ports
>
> 1 - internet port (on one out of every 4 towers or so) (and most likely
> fiber instead of copper)
>
>
>
> Does anyone have any
On Sun, Feb 14, 2010 at 2:17 PM, Mark Andrews wrote:
> I don't care what internal routing tricks are used, they are still
> under the *one* external route and as such subject to single points
> of failure and as such don't have enough independence.
Where has Level 3 ever claimed that these server
On Feb 14, 2010, at 5:43 PM, Mark Andrews wrote:
> In message <10be7b64-46ff-46d8-a428-268897413...@hopcount.ca>, Joe Abley
> writes
> :
>> On 2010-02-14, at 17:17, Mark Andrews wrote:
>>
>>> I don't care what internal routing tricks are used, they are still
>>> under the *one* external route and
On Sun, Feb 14, 2010 at 2:37 PM, Richard Golodner
wrote:
> Cisco tech support tells their customers (us) to use it when testing.
> Perhaps this is not such a good practice.
No doubt because they are easier to remember than Cisco's own two
"public" DNS resolvers :
64.102.255.44
128.107.241.
In message , Scott
Howard writes:
> I'd also be interested in knowing where you consider the "single
> points of failure" for their announcement of 4/8 is, but that's
> probably for another thread...
You mean you have never seen traffic following a route announcement
go into a black hole. :-)
>
Chuck Anderson wrote:
On Sun, Feb 14, 2010 at 02:41:51PM -0600, Lorell Hathcock wrote:
1 - AP network (need suggestion for cost effective gig-e switch)
2 to 4 - back haul ports
1 - internet port (on one out of every 4 towers or so) (and most likely
fiber instead of copper)
Does anyone h
On 2010-02-14, at 17:43, Mark Andrews wrote:
Using three consecutive addresses doesn't remove
single points of failure in the routing system.
That depends on how the routes for those destinations are chosen, and
what routing system you're talking about.
For distribution of a service using
On Sun, 14 Feb 2010, Randy Bush wrote:
ssh tunnels to IP address
i am often on funky networks in funky places. e.g. the wireless in
changi really sucked friday night. if i ssh tunneled, it would multiply
the suckiness as tcp would have puked at the loss rate.
smb whacked me that i should use n
I'll add to what Johno writes. I worked on the anycast routing side to
the server side which he describes.
The 4.2.0.0/16 prefix was set aside by John Hawkinson in our reservation
system under the label "Numerology" since he had the wisdom to see that
the numbers in themselves could be valuable.
In message , Sean Donel
an writes:
> On Sun, 14 Feb 2010, Randy Bush wrote:
> >> ssh tunnels to IP address
> > i am often on funky networks in funky places. e.g. the wireless in
> > changi really sucked friday night. if i ssh tunneled, it would multiply
> > the suckiness as tcp would have puked
At the time I was involved it did have an SLA, and was considered critical
infrastructure for Genuity customers. Once we started to deploy 4.2.2.1, we
gave customers time to swap over, but we started turning off our existing DNS
servers.
One reason we did it was that we kept having to depl
On Feb 14, 2010, at 6:54 PM, Mark Andrews wrote:
>
> In message , Sean
> Donel
> an writes:
>> On Sun, 14 Feb 2010, Randy Bush wrote:
ssh tunnels to IP address
>>> i am often on funky networks in funky places. e.g. the wireless in
>>> changi really sucked friday night. if i ssh tunneled,
I thought I understood but from recent contexts here it is clear that I
do not.
I thought a resolver was code in your local machine that provides
hostname (FQDN?), given address; or address, given host name (with
assists to build FQDN).
And I thought a "server" was a separate program, might be on
On Feb 14, 2010, at 6:55 PM, John Orthoefer wrote:
> At the time I was involved it did have an SLA, and was considered critical
> infrastructure for Genuity customers. Once we started to deploy 4.2.2.1,
> we gave customers time to swap over, but we started turning off our existing
> DNS ser
At Sun, 14 Feb 2010 18:02:48 -0600, Laurence F Sheldon, Jr wrote:
>
> I thought I understood but from recent contexts here it is clear that I
> do not.
>
> I thought a resolver was code in your local machine that provides
> hostname (FQDN?), given address; or address, given host name (with
> assi
A "resolver" is basically a client.
There are two types of resolvers - recursive resolvers (that look after
doing the full resolution themselves - starting at the root servers
and working down), and "stub resolvers" which are only smart enough
to pass the entire request onto another server to handle.
On Feb 11, 2010, at 6:45 PM, James Hess wrote:
> That said, XML makes a terrible data interchange format for
> communications where humans are supposed to understand the message,
> using standard software (such as a legacy e-mail client).
Exactly what we said when developing ARF.
--
J.D. Falk
On 2/14/2010 6:10 PM, Rob Austein wrote:
> At Sun, 14 Feb 2010 18:02:48 -0600, Laurence F Sheldon, Jr wrote:
>>
>> I thought I understood but from recent contexts here it is clear that I
>> do not.
>>
>> I thought a resolver was code in your local machine that provides
>> hostname (FQDN?), given ad
On 2/14/2010 6:21 PM, Scott Howard wrote:
> A "resolver" is basically a client.
>
> There are two types of resolvers - recursive resolvers (that look after
> doing the full resolution themselves - starting at the root servers
> and working down), and "stub resolvers" which are only smart enough
> pa
I have found the MRV OS906 (6 port 10/100/1000/SFP + Eth OBM) to be a
very cost effective and an extremely flexible device. It's a linux based
device with a router shell but all forwarding is done in hardware
(ASICs). It has a very flexible implementation of many L2 features (QnQ,
inner or outer ta
On Sun, Feb 14, 2010 at 5:19 PM, Larry Sheldon wrote:
>> It is possible to run both Authoritative and Recursive server on the
>> same IP, but it's generally not recommended for many reasons (the most
>> simple being that of stale data if your server is no longer the
>> correct nameserver for a dom
The OS906 may be different than the OS912, but be warned that I had
major issues with OS912 relating to LDP and OSPF. Constant crashes of
both LDP and OSPF made the device totally unusable. We had to ship
all 20 back to them. It was really messy. This was about 6 months
ago, and their c
On 2/14/2010 7:48 PM, Scott Howard wrote:
> On Sun, Feb 14, 2010 at 5:19 PM, Larry Sheldon wrote:
>>> It is possible to run both Authoritative and Recursive server on the
>>> same IP, but it's generally not recommended for many reasons (the most
>>> simple being that of stale data if your server i
I actually think the 912 is different than the 904 and 906, as I was
discouraged from buying the 912, and I REALLY wanted the extra ports.
That's not to say that the 904/906 doesn't have the same problems. I use
it for a router with a bunch of connected networks, DHCP relay, and BGP.
Other than the
On Sun, 14 Feb 2010, Larry Sheldon wrote:
I understand that--but if the TTL is being managed correctly the server
answering authoritatively ought to stop doing so when the TTL runs out,
since it will not have had its authority renewed.
That's not how things work. If you configure bind to be a
On Sun, Feb 14, 2010 at 7:55 PM, Larry Sheldon wrote:
> I understand that--but if the TTL is being managed correctly the server
> answering authoritatively ought to stop doing so when the TTL runs out,
> since it will not have had its authority renewed.
The TTL can never "run out" on an author
On 2/14/2010 8:14 PM, Jon Lewis wrote:
>> The glue and all of that stuff won't expire at TTL=0?
>
> No. Authoritative data on your server (a locally configured zone) doesn't
> require glue.
I really should have scrapped that reply and started over--by the time I
got to this part I realized tha
> I run openvpn on my linux box to do exactly that.
i am in the midst of setting up some openvpn servers now, westin,
ashburn, tokyo, but westin first. having problems sorting in what
--outform it wants the bleeping certs.
randy
Not familiar with --outform argument. Will have to look into it.
Presume you are doing site to site/network to network? Or are you setting this
up for end users to terminate to?
I've done the latter many many times, but not net to net. Happy to provide docs
if you/nanog like.
I think that e
end user to network
having probs with certs, i.e. what --outform it wants. not finding in
docs. tried raw, but now guessing pem. same for client and server
server
ca.crt
server.crt
server.key
client
ca.crt
client.crt
client.key
and i presume i have to dump all client.crt files in
Randy Bush wrote:
end user to network
having probs with certs, i.e. what --outform it wants. not finding in
docs. tried raw, but now guessing pem. same for client and server
server
ca.crt
server.crt
server.key
client
ca.crt
client.crt
client.key
and i presume i have to dump all
In message <6eb799ab1002141824s652c4f31od02cb750912a0...@mail.gmail.com>, James
Hess writes:
>
> Also, BIND implements the EXPIRE value in the SOA.
> But other DNS server software applications widely ignore this value,
> and the zone stays authoritative on all servers, no matter how much
>
Yes. Easy rsa is the way to go.
They are normal certs. Check the scripts if you want to roll your own openssl
wrapper scripts.
--Original Message--
From: Larry Brower
To: nanog@nanog.org
Subject: Re: dns interceptors
Sent: Feb 14, 2010 7:44 PM
Randy Bush wrote:
> end user to network
On Sun, Feb 14, 2010 at 7:29 PM, Randy Bush wrote:
> end user to network
>
> having probs with certs, i.e. what --outform it wants. not finding in
> docs. tried raw, but now guessing pem. same for client and server
Use the easy-rsa stuff and it will do all the hard work for you.
http://openvp
>> having probs with certs, i.e. what --outform it wants. not finding in
>> docs. tried raw, but now guessing pem. same for client and server
> Use the easy-rsa stuff and it will do all the hard work for you.
> http://openvpn.net/index.php/open-source/documentation/howto.html
we have a pki we k
>> having probs with certs, i.e. what --outform it wants.
> They are just normal cert's
just normal certs can be text, pem, der, ...
randy
Randy Bush wrote:
just normal certs can be text, pem, der, ...
randy
Randy,
pem format.
Am 15.02.2010 um 04:29 schrieb Randy Bush:
> and i presume i have to dump all client.crt files in the server's
> ../openvpn dir, but under what names? or does it just wantonly trust
> anyone under that ca?
Any cert signed by that CA. Use --client-config-dir to limit which CNs are
acceptable,