in-addr.arpa server problems for europe?

2010-02-15 Thread Michelle Sullivan
I see constant issues where I can't resolve PTR's in Europe. I see no reason for this except that a bunch of servers are either dropping my packets or are permanently f**ked... any other clues gratefully accepted. miche...@enigma:~/dultools$ dig +trace -x 213.219.184.23 ; <<>> DiG 9.3.3 <<>> +tr

Re: in-addr.arpa server problems for europe?

2010-02-15 Thread Stephane Bortzmeyer
On Mon, Feb 15, 2010 at 10:22:17AM +0100, Michelle Sullivan wrote a message of 185 lines which said: > 213.in-addr.arpa. 86400 IN NS NS-PRI.RIPE.NET. > 213.in-addr.arpa. 86400 IN NS NS3.NIC.FR. > 213.in-addr.arpa. 86400 IN NS SUNIC.SUNET.SE

Re: in-addr.arpa server problems for europe?

2010-02-15 Thread Michelle Sullivan
Stephane Bortzmeyer wrote: > On Mon, Feb 15, 2010 at 10:22:17AM +0100, > Michelle Sullivan wrote > a message of 185 lines which said: > > >> 213.in-addr.arpa. 86400 IN NS NS-PRI.RIPE.NET. >> 213.in-addr.arpa. 86400 IN NS NS3.NIC.FR. >> 213.in-addr.arpa.

RE: in-addr.arpa server problems for europe?

2010-02-15 Thread Mark Scholten
> -Original Message- > From: Stephane Bortzmeyer [mailto:bortzme...@nic.fr] > Sent: Monday, February 15, 2010 12:58 PM > To: Michelle Sullivan > Cc: NANOG list > Subject: Re: in-addr.arpa server problems for europe? > > On Mon, Feb 15, 2010 at 10:22:17AM +0100, > Michelle Sullivan wrot

Re: in-addr.arpa server problems for europe?

2010-02-15 Thread Michelle Sullivan
Michelle Sullivan wrote: > Stephane Bortzmeyer wrote: > >> On Mon, Feb 15, 2010 at 10:22:17AM +0100, >> Michelle Sullivan wrote >> a message of 185 lines which said: >> >> >> >>> 213.in-addr.arpa. 86400 IN NS NS-PRI.RIPE.NET. >>> 213.in-addr.arpa. 86400 IN

Re: in-addr.arpa server problems for europe? [SEC=UNCLASSIFIED]

2010-02-15 Thread Wilkinson, Alex
0n Mon, Feb 15, 2010 at 01:40:31PM +0100, Michelle Sullivan wrote: >Michelle Sullivan wrote: >miche...@enigma:~$ dig +trace +bufsize=512 -x 81.255.164.225 >miche...@enigma:~$ dig +bufsize=4096 -x 81.255.164.225 @NS3.NIC.FR Curious, why did you modify 'bufsize' ? -Alex IMPO

Re: in-addr.arpa server problems for europe?

2010-02-15 Thread Stephane Bortzmeyer
On Mon, Feb 15, 2010 at 01:40:31PM +0100, Michelle Sullivan wrote a message of 298 lines which said: > miche...@enigma:~$ dig +bufsize=4096 -x 81.255.164.225 @NS3.NIC.FR Bad test: the response is too small to exercise real size problems. Try adding "+dnssec" to the dig command-line (that's wh

Re: in-addr.arpa server problems for europe?

2010-02-15 Thread Stephane Bortzmeyer
On Mon, Feb 15, 2010 at 08:30:43PM +0800, Wilkinson, Alex wrote a message of 14 lines which said: > Curious, why did you modify 'bufsize' ? To test response size issues, probably. Broken middleboxes are the scourge of the Internet. http://labs.ripe.net/content/preparing-k-root-signed-root-zo

Re: in-addr.arpa server problems for europe?

2010-02-15 Thread Stephane Bortzmeyer
On Mon, Feb 15, 2010 at 01:12:55PM +0100, Mark Scholten wrote a message of 36 lines which said: > Solution: stop using DNSSEC or checking for DNSSEC. In 2010, it is a bit backward...

Re: in-addr.arpa server problems for europe? [SEC=UNCLASSIFIED]

2010-02-15 Thread Michelle Sullivan
Wilkinson, Alex wrote: > 0n Mon, Feb 15, 2010 at 01:40:31PM +0100, Michelle Sullivan wrote: > > >Michelle Sullivan wrote: > > >miche...@enigma:~$ dig +trace +bufsize=512 -x 81.255.164.225 > >miche...@enigma:~$ dig +bufsize=4096 -x 81.255.164.225 @NS3.NIC.FR > > Curious, why did you

RE: in-addr.arpa server problems for europe?

2010-02-15 Thread Mark Scholten
> -Original Message- > From: Stephane Bortzmeyer [mailto:bortzme...@nic.fr] > Sent: Monday, February 15, 2010 2:01 PM > To: Mark Scholten > Cc: nanog@nanog.org > Subject: Re: in-addr.arpa server problems for europe? > > On Mon, Feb 15, 2010 at 01:12:55PM +0100, > Mark Scholten wrote >

Re: in-addr.arpa server problems for europe?

2010-02-15 Thread Michelle Sullivan
Stephane Bortzmeyer wrote: > On Mon, Feb 15, 2010 at 01:40:31PM +0100, > Michelle Sullivan wrote > a message of 298 lines which said: > > >> miche...@enigma:~$ dig +bufsize=4096 -x 81.255.164.225 @NS3.NIC.FR >> > > Bad test: the response is too small to exercise real size > problems. Tr

Re: Denic (.de) blocking 6to4 nameservers (since begin feb 2010)

2010-02-15 Thread Tim Chown
On Fri, Feb 12, 2010 at 08:16:56AM +1100, Mark Andrews wrote: > > If you can't get native IPv6 then use a tunneled service like > Hurricane Electric's (HE.NET). It is qualitatively better than > 6to4 as it doesn't require random nodes on the net to be performing > translation services for you whi

Noise (was Re: in-addr.arpa server problems for europe?)

2010-02-15 Thread Larry Sheldon
On 2/15/2010 7:00 AM, Stephane Bortzmeyer wrote: >> If you have received this email in error, you are requested to >> contact the sender and delete the email. > > Done. I also erased the hard disk and reinstalled the OS. Given that many Network Operator managers require that that crap be appende

Re: dns interceptors [SEC=UNCLASSIFIED]

2010-02-15 Thread Tony Finch
I like Ben Goldacre's take on stupid email disclaimers: "READ CAREFULLY. By reading this email, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, c

RE: in-addr.arpa server problems for europe?

2010-02-15 Thread Tony Finch
On Mon, 15 Feb 2010, Mark Scholten wrote: > > I've seen problems that are only there because of DNSSEC, so if there is a > problem starting with trying to disable DNSSEC could be a good idea. As long > as not all rootzones are signed I don't see a good reason to use DNSSEC at > the moment. You rea

Re: Noise (was Re: in-addr.arpa server problems for europe?)

2010-02-15 Thread JC Dill
Larry Sheldon wrote: On 2/15/2010 7:00 AM, Stephane Bortzmeyer wrote: If you have received this email in error, you are requested to contact the sender and delete the email. Done. I also erased the hard disk and reinstalled the OS. Given that many Network Operator managers req

Re: Noise (was Re: in-addr.arpa server problems for europe?)

2010-02-15 Thread Christopher Morrow
On Mon, Feb 15, 2010 at 12:51 PM, JC Dill wrote: > Larry Sheldon wrote: > IMHO, if your organization appends crap to your outbound messages then you > should maintain a separate crap-free email account for your personal email or... we could all be adults and just forget these things exist, since

Re: in-addr.arpa server problems for europe?

2010-02-15 Thread Seth Mattinen
On 2/15/10 9:21 AM, Tony Finch wrote: > On Mon, 15 Feb 2010, Mark Scholten wrote: >> >> I've seen problems that are only there because of DNSSEC, so if there is a >> problem starting with trying to disable DNSSEC could be a good idea. As long >> as not all rootzones are signed I don't see a good re

RE: in-addr.arpa server problems for europe?

2010-02-15 Thread Mark Scholten
> -Original Message- > From: Tony Finch [mailto:fa...@hermes.cam.ac.uk] On Behalf Of Tony > Finch > Sent: Monday, February 15, 2010 6:21 PM > To: Mark Scholten > Cc: nanog@nanog.org > Subject: RE: in-addr.arpa server problems for europe? > > On Mon, 15 Feb 2010, Mark Scholten wrote: > >

Re: Noise (was Re: in-addr.arpa server problems for europe?)

2010-02-15 Thread Larry Sheldon
On 2/15/2010 11:51 AM, JC Dill wrote: > Larry Sheldon wrote: >> On 2/15/2010 7:00 AM, Stephane Bortzmeyer wrote: >> >> If you have received this email in error, you are requested to contact the sender and delete the email. >>> Done. I also erased the hard disk and reinstall

Re: in-addr.arpa server problems for europe?

2010-02-15 Thread Steven Bellovin
On Feb 15, 2010, at 1:01 PM, Seth Mattinen wrote: > On 2/15/10 9:21 AM, Tony Finch wrote: >> On Mon, 15 Feb 2010, Mark Scholten wrote: >>> >>> I've seen problems that are only there because of DNSSEC, so if there is a >>> problem starting with trying to disable DNSSEC could be a good idea. As lo

DNSSEC Readiness

2010-02-15 Thread Charles N Wyble
All, How are folks verifying DNSSEC readiness of their environments? Any existing testing methodologies / resources that folks are using? It seems like this is something that will become a front and center issue for help desks everywhere pretty quick

Re: dns interceptors

2010-02-15 Thread Valdis . Kletnieks
On Sun, 14 Feb 2010 18:59:56 EST, Steven Bellovin said: > Yes -- and as a reward for your expertise, you get to explain the > problem with a transparent DNS proxy to the judge. For bonus points, > explain it to a jury The transparent DNS proxies aren't the problem. It's the translucent ones

Re: DNSSEC Readiness

2010-02-15 Thread Tony Finch
On Mon, 15 Feb 2010, Charles N Wyble wrote: > > How are folks verifying DNSSEC readiness of their environments? Any > existing testing methodologies / resources that folks are using? Here's my summary of the situation (as of a couple of months ago) with links to a few key resources: http://fanf.li

Re: in-addr.arpa server problems for europe?

2010-02-15 Thread Florian Weimer
* Stephane Bortzmeyer: > It is highly improbable that all these name servers are unreachable > from you. Therefore, I suspect that *content* is the issue. RIPE-NCC > zones are signed with DNSSEC. Are you sure you do not have a broken > middlebox which deletes DNSSEC-signed answers? Ahem. dig's +t

Re: DNSSEC Readiness

2010-02-15 Thread Florian Weimer
* Charles N. Wyble: > How are folks verifying DNSSEC readiness of their environments? Any > existing testing methodologies / resources that folks are using? For now, running (with a real resolver address instead of 192.0.2.1) dig @192.0.2.1 $RANDOM. +dnssec and checking if a certain percentag

Re: DNSSEC Readiness

2010-02-15 Thread Charles N Wyble
Tony Finch wrote: > On Mon, 15 Feb 2010, Charles N Wyble wrote: >> How are folks verifying DNSSEC readiness of their environments? Any >> existing testing methodologies / resources that folks are using? > > Here's my summary of the situation (as of a

Re: DNSSEC Readiness

2010-02-15 Thread Charles N Wyble
Florian Weimer wrote: > * Charles N. Wyble: > > >> It seems like this is something that will become a front and center >> issue for help desks everywhere pretty quick. :) > > Why do you think so? Would you even notice if your webmail provider > swi

Re: Denic (.de) blocking 6to4 nameservers (since begin feb 2010)

2010-02-15 Thread Florian Weimer
* Igor Ybema: > We know we should push our provider to support native IPv6, and we do. > But this should not stop us using IPv6 6to4. You should complain to the DENIC member you use, or perhaps the DENIC ops team. Perhaps it's a simple mistake. NANOG isn't the right forum for this.

Re: Noise (was Re: in-addr.arpa server problems for europe?)

2010-02-15 Thread Larry Sheldon
On 2/15/2010 1:19 PM, JC Dill wrote: > I don't see the point you are trying to make in this discussion. I can see that. I don't have a clue bat big enough for the task. Are > you saying Troll skat. I'm out. -- "Government big enough to supply everything you need is big enough to take eve

Re: DNSSEC Readiness

2010-02-15 Thread Florian Weimer
* Charles N. Wyble: > However they will certainly start complaining when DNS stops working. Of > course they won't know that's what the issue is, but they will call > saying the internet is down. Okay, then the first way I mentioned for checking should be sufficient. Well, perhaps make it dig

Re: DNSSEC Readiness

2010-02-15 Thread Amar
Charles N Wyble wrote: All, How are folks verifying DNSSEC readiness of their environments? Any existing testing methodologies / resources that folks are using? It seems like this is something that will become a front and center issue for help desk

Re: DNSSEC Readiness

2010-02-15 Thread Florian Weimer
FWIW - .se did some consumer research during their > DNSSec launch. I believe there will be a new study. > > Tests of Consumer Broadband Routers in Sweden (DNSSEC) > in 2008: > http://www.iis.se/docs/Routertester_en.pdf Seriously, who puts recursive DNS resolvers behind consumer broadband routers?

AS16387 leaking routes

2010-02-15 Thread Ernest Andrew McCracken (emccrckn)
. Here's an example. We have several pages worth of this. 20100215|15:17:58|1266268678678|164.128.32.11|3303|ORIGIN_CHANGE|95.79.192/19|34533|16387 20100215|15:18:58|1266268738707|164.128.32.11|3303|BGPMON

Re: Denic (.de) blocking 6to4 nameservers (since begin feb 2010)

2010-02-15 Thread Nathan Ward
On 16/02/2010, at 5:03 AM, Tim Chown wrote: > On Fri, Feb 12, 2010 at 08:16:56AM +1100, Mark Andrews wrote: >> >> If you can't get native IPv6 then use a tunneled service like >> Hurricane Electric's (HE.NET). It is qualitatively better than >> 6to4 as it doesn't require random nodes on the net

Re: AS16387 leaking routes

2010-02-15 Thread Christopher Morrow
On Mon, Feb 15, 2010 at 5:32 PM, Ernest Andrew McCracken (emccrckn) wrote: > Has anyone seen the strange activity from AS16387?  Did they leak their > entire table?  Our route collectors are showing AS16387 originating large > numbers of prefixes.  It looks like we caught the tail end of this ac

Re: in-addr.arpa server problems for europe?

2010-02-15 Thread Mark Andrews
In message <87iq9ys512@mid.deneb.enyo.de>, Florian Weimer writes: > * Stephane Bortzmeyer: > > > It is highly improbable that all these name servers are unreachable > > from you. Therefore, I suspect that *content* is the issue. RIPE-NCC > > zones are signed with DNSSEC. Are you sure you do n

RE: AS16387 leaking routes

2010-02-15 Thread Ernest Andrew McCracken (emccrckn)
There are other ASN changes as well as from other peers. Here are some just a few minutes old. Date|Time|timestamp|Peer IP|Peer ASN|Event Description|Prefix|old AS|new AS 20100215|17:11:13|1266275473183|164.128.32.11|3303|ORIGIN_CHANGE|192.156.97/24|5651|16387 20100215|17:11:13|1266275473309

Re: in-addr.arpa server problems for europe?

2010-02-15 Thread Mark Andrews
In message <201002152312.o1fncfq8098...@drugs.dv.isc.org>, Mark Andrews writes: > > In message <87iq9ys512@mid.deneb.enyo.de>, Florian Weimer writes: > > * Stephane Bortzmeyer: > > > > > It is highly improbable that all these name servers are unreachable > > > from you. Therefore, I suspect

Re: Denic (.de) blocking 6to4 nameservers (since begin feb 2010)

2010-02-15 Thread Tore Anderson
* Nathan Ward > You are very unlikely to get traffic from Teredo, because: > 1) Windows only asks for if it has non-Teredo IPv6 connectivity > 2) When Windows has non-Teredo IPv6 connectivity and so can ask for > , preference for reaching your web content is going to be > non-Teredo IPv6

Re: in-addr.arpa server problems for europe?

2010-02-15 Thread Mark Andrews
In message <017901caae69$5d9e8770$18db96...@nl>, "Mark Scholten" writes: > > > > -Original Message- > > From: Tony Finch [mailto:fa...@hermes.cam.ac.uk] On Behalf Of Tony > > Finch > > Sent: Monday, February 15, 2010 6:21 PM > > To: Mark Scholten > > Cc: nanog@nanog.org > > Subject: RE:

Re: DNSSEC Readiness

2010-02-15 Thread Mark Andrews
In message <4b798f1e.6080...@knownelement.com>, Charles N Wyble writes: > All, > > How are folks verifying DNSSEC readiness of their environments? Any > existing testing methodologies / resources that folks are using? > > It seems like this is something that will become a front and center > issu

RE: in-addr.arpa server problems for europe?

2010-02-15 Thread Mark Scholten
> -Original Message- > From: ma...@isc.org [mailto:ma...@isc.org] > Sent: Tuesday, February 16, 2010 12:37 AM > To: Mark Scholten > Cc: 'Tony Finch'; nanog@nanog.org > Subject: Re: in-addr.arpa server problems for europe? > > > In message <017901caae69$5d9e8770$18db96...@nl>, "Mark Scho

Re: AS16387 leaking routes

2010-02-15 Thread Christopher Morrow
On Mon, Feb 15, 2010 at 6:13 PM, Ernest Andrew McCracken (emccrckn) wrote: > There are other ASN changes as well as from other peers. Here are some just a > few minutes old. > > Date|Time|timestamp|Peer IP|Peer ASN|Event Description|Prefix|old AS|new AS > > 20100215|17:1

Re: AS16387 leaking routes

2010-02-15 Thread Christopher Morrow
mestamp|Peer IP|Peer ASN|Event Description|Prefix|old AS|new AS >> >> 20100215|17:11:13|1266275473183|164.128.32.11|3303|ORIGIN_CHANGE|192.156.97/24|5651|16387 > > don't know what to tell ya... I only see 2 routes from 16387 in > routeviews or other places I can view routing info

Re: in-addr.arpa server problems for europe?

2010-02-15 Thread Mark Andrews
In message <01c201caaead$b115eda0$1341c8...@nl>, "Mark Scholten" writes: > > > > -Original Message- > > From: ma...@isc.org [mailto:ma...@isc.org] > > Sent: Tuesday, February 16, 2010 12:37 AM > > To: Mark Scholten > > Cc: 'Tony Finch'; nanog@nanog.org > > Subject: Re: in-addr.arpa serve

Re: in-addr.arpa server problems for europe?

2010-02-15 Thread Joly MacFie
I don't know if it's material as most DNS stuff is over my head, but Geoff Huston has written about the in-addr.arpa situation in the most recent edition of his Internet Society ISP Column http://isoc.org/wp/ispcolumn/?p=246 -- --- Jo

Re: Denic (.de) blocking 6to4 nameservers (since begin feb 2010)

2010-02-15 Thread Mikael Abrahamsson
On Tue, 16 Feb 2010, Nathan Ward wrote: You are very unlikely to get traffic from Teredo, because: 1) Windows only asks for if it has non-Teredo IPv6 connectivity Please don't just say "windows" as the different versions of windows behave differently, as we've already discussed in the th

Re: Denic (.de) blocking 6to4 nameservers (since begin feb 2010)

2010-02-15 Thread Nathan Ward
On 16/02/2010, at 7:34 PM, Mikael Abrahamsson wrote: > On Tue, 16 Feb 2010, Nathan Ward wrote: > >> You are very unlikely to get traffic from Teredo, because: >> 1) Windows only asks for if it has non-Teredo IPv6 connectivity > > Please don't just say "windows" as the different versions of

Re: Denic (.de) blocking 6to4 nameservers (since begin feb 2010)

2010-02-15 Thread Mikael Abrahamsson
On Tue, 16 Feb 2010, Nathan Ward wrote: XP won't ask for unless it has non-Teredo connectivity though I don't think. That doesn't compute considering all the XP machines with Teredo addresses that asked for my only content.

Re: Denic (.de) blocking 6to4 nameservers (since begin feb 2010)

2010-02-15 Thread Nathan Ward
On 16/02/2010, at 7:47 PM, Mikael Abrahamsson wrote: > On Tue, 16 Feb 2010, Nathan Ward wrote: > >> XP won't ask for unless it has non-Teredo connectivity though I don't >> think. > > That doesn't compute considering all the XP machines with Teredo addresses > that asked for my only

Re: Denic (.de) blocking 6to4 nameservers (since begin feb 2010)

2010-02-15 Thread Mikael Abrahamsson
On Tue, 16 Feb 2010, Nathan Ward wrote: Perhaps they have Teredo and 6to4, and could not reach you via 6to4 so instead used Teredo, or, any number of scenarios. I think their only IPv6 connectivity was Teredo (for instance, they're behind NAT), and thus they used it to get the IPv6 only conte

Re: in-addr.arpa server problems for europe?

2010-02-15 Thread Michelle Sullivan
Mark Andrews wrote: > In message <87iq9ys512@mid.deneb.enyo.de>, Florian Weimer writes: > >> * Stephane Bortzmeyer: >> >> >>> It is highly improbable that all these name servers are unreachable >>> from you. Therefore, I suspect that *content* is the issue. RIPE-NCC >>> zones are signed

Re: DNSSEC Readiness

2010-02-15 Thread Charles N Wyble
Mark Andrews wrote: > In message <4b798f1e.6080...@knownelement.com>, Charles N Wyble writes: >> All, >> >> How are folks verifying DNSSEC readiness of their environments? Any >> existing testing methodologies / resources that folks are using? >> >> It