Re: Famous operational issues

2021-02-22 Thread Tony Finch
Patrick W. Gilmore wrote: > > Me: Did you order that EPO cover? > Her: Nope. There are apparently two kinds of EPO cover: - the kind that stops you from pressing the button by mistake; - and the kind that doesn't, and instead locks the button down to make sure it isn't un-pressed un

Re: login.authorize.net has A and CNAME records

2021-04-06 Thread Tony Finch
Seth Mattinen wrote: > > I'm beginning to think this is a DNSSEC related problem, I'll ask on the > pdns-users list. I see it's asking for a DS record on > login.authorize.net.cdn.cloudflare.net when the nearest one appears to be at > cloudflare.net, so for some reason that's not being applied all

Re: DNSSEC Best Practices

2021-04-28 Thread Tony Finch
Arne Jensen wrote: > > RFC8624 "Algorithm Implementation Requirements and Usage Guidance for > DNSSEC" > > -> https://tools.ietf.org/html/rfc8624 > > > What algorithms do you typically sign with > > (RSASHA256, ECDSAP256SHA256, both, something other)? > > Those two mentioned are the ones that the

Re: 60 ms cross-continent

2020-06-21 Thread Tony Finch
Mel Beckman wrote: > An intriguing development in fiber optic media is hollow core optical > fiber, which achieves 99.7% of the speed of light in a vacuum. > > https://www.extremetech.com/computing/151498-researchers-create-fiber-network-that-operates-at-99-7-speed-of-light-smashes-speed-and-late

Re: favorite network troubleshooting tools (online)

2020-07-16 Thread Tony Finch
Mehmet Akcin wrote: > > what are your favorite network troubleshooting tools? If DNS counts then https://dnsviz.net/ and https://zonemaster.net/ Tony. -- f.anthony.n.finch http://dotat.at/ South Fitzroy: Northeasterly 5 to 7, occasionally gale 8 in south. Moderate or rough. Fair. Good.

Re: IERS ponders reverse leapsecond...

2022-08-12 Thread Tony Finch
rs.org/IERS/EN/Publications/Bulletins/bulletins.html analyzed by my program https://github.com/fanf2/bulletin-a/ My blog article from when this issue became more well known: https://dotat.at/@/2020-11-13-leap-second-hiatus.html My other collected links on this topic https://dotat.at/writing/time.ht

Re: NTP for ASBRs?

2019-05-09 Thread Tony Finch
Bryan Holloway wrote: > On 5/8/19 7:55 PM, Brian Kantor wrote: > > On Wed, May 08, 2019 at 07:47:56PM -0500, Bryan Holloway wrote: > > > > > > When a NOC-ling, in their own local timezone, says, "hey, what happened > > > two hours ago?", they have to make a calculation. > > > > Clocks are cheap. >

Re: Cost effective time servers

2019-06-21 Thread Tony Finch
Denys Fedoryshchenko wrote: > On 2019-06-21 14:19, Niels Bakker wrote: > > > > Have you tried this? Because I have, and it's absolutely terrible. > > GPS doesn't give you the correct time, it's supposed to give you a > > good 1pps clock discipline against which you can measure your device's > > i

Re: Best ways to ensure redundancy with no terrestrial ISPs

2019-08-05 Thread Tony Finch
Fred Baker wrote: > > On Aug 3, 2019, at 3:36 PM, Mehmet Akcin wrote: > > > > Feel free to open live.infrapedia.com on mobile. > Between overlaid ads and the thing trying to force an account, I’d > describe it as a waste of time. Now, a page that delivered the data > advertised... https://open

Re: Weekly Routing Table Report

2019-09-02 Thread Tony Finch
Patrick W. Gilmore wrote: > > This time I waited for 768,000. (Everyone happy now?) I thought the magic number for breaking old Cisco gear was 786432 (768 * 1024) ... there was a panic about it earlier this year but growth slowed so it didn't happen as soon as they feared. https://www.zdnet.com/

Re: dns cache beyond ttl - viasat / exede

2019-10-08 Thread Tony Finch
William Herrin wrote: > > You may be looking at a web browser "feature" called "DNS pinning." This is > used to defeat the "DNS rebinding" attack on javascript that would allow a > web site to instruct a browser to scan the interior behind its user's > firewall by having an attacker rotate the IP

Re: worse than IPv6 Pain Experiment

2019-10-10 Thread Tony Finch
b...@theworld.com wrote: > > Can I summarize the current round of objections to my admittedly > off-beat proposal (use basically URLs rather than IP addresses in IP > packet src/dest) as: [snip] This reminds me of the named data networking research project https://named-data.net/project/faq/ T

Re: BGP over TLS

2019-10-21 Thread Tony Finch
Joe Abley wrote: > > Well, TLS exists within a TCP session, and that TCP session could > incorporate the MD5 signature option. I guess. AIUI this might be useful to make it a bit harder to kill the TCP session, tho I think modern TCPs are less vulnerable to off-path RST injection than TCPs were w

Re: Latency, TCP ACKs and upload needs

2016-04-20 Thread Tony Finch
Leo Bicknell wrote: > > 1460 byte payloads down, maybe 64 byte acks on the return, and with SACK > which is widely deployed an ACK every 2-4 packets. You would see about > 2,140 packets/sec downstream (25Mbps/1460), and perhaps send 1070 ACKs > back upstream, at 64 bytes each, or about 68Kbps. W

Re: NIST NTP servers

2016-05-13 Thread Tony Finch
Jean-Francois Mezei wrote: > > Today, if someone were to jam the GPS signal in an area in USA, you'd > likely hear about large number of car accidents in the news before > noticing your systems can't get time from the GPS-NTP and went to a > backup ip address (nist etc). The USA and the UK gover

RE: IPv4 Legacy assignment frustration

2016-06-22 Thread Tony Finch
Spurling, Shannon wrote: > It’s a problem with the misuse of the RIR delegation of a legacy > block. > > The assumption that because a block is assigned to a particular RIR, all > users in that block have to be in that RIR’s territory, without actually > running a query against that RIR’s Whois

Re: Yahoo Postmaster or Email Admin

2016-07-27 Thread Tony Finch
For this kind of question you might have more luck on the mailop list, https://chilli.nosignal.org/mailman/listinfo/mailop Tony. -- f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode North Fitzroy, Sole, Lundy, Fastnet: Westerly 5 or 6. Moderate, occasionally rough later. Rain or drizz

Re: nxdomain rfc2308 type 2, but authority is incorrect

2016-08-11 Thread Tony Finch
Joe Maimon wrote: > www.kissimmee.org > > Windows appears to believe the rfc2308 type 2 response, RFC 2308 isn't relevant to this domain. The responses aren't NXDOMAIN, so section 2.1 doesn't apply, and the response includes answers, so section 2.2 doesn't apply. Tony. -- f.anthony.n.finch

Re: nxdomain rfc2308 type 2, but authority is incorrect

2016-08-11 Thread Tony Finch
William Herrin wrote: > > Oh! I missed that. ns*.nameresolve.com, the authoritative name servers > for kissimmee.org, are saying NXDOMAIN for www.kissimmee.org. Any idea > what DNS server nameresolve.com uses? Because that's... wow. Er, me too, headdesk. NXDOMAIN with an answer?! $ fpdns ns2.you

Re: Don't press the big red button on the wall!

2016-09-01 Thread Tony Finch
Ken Chase wrote: > 3 of my internet-lifetimes/startups ago, we had this happen when one of the L2 > techs was doing their 'rounds' - but had a backpack on. They swung around and > hit the safety cover on the BRS - which got knocked off. They freaked > out a bit while putting the cover back on...

Re: QWEST.NET can you fix your nameservers

2016-09-16 Thread Tony Finch
Mark Andrews wrote: > > My bet is the DNS vendor has issued a update already and that it > hasn't been applied. $ fpdns sauthns1.qwest.net. fingerprint (sauthns1.qwest.net., 63.150.72.5): NLnetLabs NSD 3.1.0 -- 3.2.8 [New Rules] fingerprint (sauthns1.qwest.net., 2001:428:0:0:0:0:0:7): NLnetLabs

Re: Another day, another illicit SQUAT - WebNX (AS18450) 103.11.67.0/24

2016-10-31 Thread Tony Finch
Ronald F. Guilmette wrote: > > You are correct. In this case, it would have been helpful if APNIC's WHOIS > server returned something, when queried about 103.11.67.105, that would > include an explicit referral to the ARIN WHOIS server. I mean they > obviously know all the transfers they've made

Re: Avalanche botnet takedown

2016-12-02 Thread Tony Finch
Ronald F. Guilmette wrote: > > P.P.S. I love this part of the press release, because it is so telling: > > "The successful takedown of this server infrastructure was supported > by ... Registrar of Last Resort, ICANN..." Note that these are the names of two different organizations - th

Re: Internet Governance Forum DNS

2016-12-09 Thread Tony Finch
Joly MacFie wrote: > www.intgovforum.org’s server DNS address could not be found. One of its three name servers doesn't exist. ; <<>> DiG 9.11.0 <<>> +norec ns www.intgovforum.org @a0.org.afilias-nst.info. ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id

Re: Time to add 2002::/16 to bogon filters?

2018-06-19 Thread Tony Finch
Jared Mauch wrote: > > There is also the problem noted by Wes George with 6to4 being used in > DNS amplification, which may be interesting.. > > http://iepg.org/2018-03-18-ietf101/wes.pdf I configure my DNS servers with a long-ish list of bogon addresses. For v6, the list includes Teredo and 6to4

Re: CloudFlare D.N.S. Resolvers... (1.1.1.1 & 1.0.0.1)

2018-09-26 Thread Tony Finch
Jens Link wrote: > > jens@screen:~$ dig nanog.org @8.8.8.8 | grep "Query time" > ;; Query time: 16 msec > jens@screen:~$ dig nanog.org @1.1.1.1 | grep "Query time" > ;; Query time: 3 msec You can use dig -u to get microsecond resolution, e.g. $ dig -u @131.111.8.42 nanog.org | grep time: ;; Quer

Re: ARIN RPKI TAL deployment issues

2018-09-26 Thread Tony Finch
John Curran wrote: > On 26 Sep 2018, at 2:09 AM, Christopher Morrow > mailto:morrowc.li...@gmail.com>> wrote: > > > > how is arin's problem here different from that which 'lets encrypt' is > > facing with their Cert things? > > The “Let’s encrypt” subscriber agreement (current version 1.2, 15 Nov

Re: ARIN RPKI TAL deployment issues

2018-09-26 Thread Tony Finch
John Curran wrote: > > From > > > "CA Terms & Conditions > > APNIC’s Certification Authority (CA) services are provided under the > following terms and conditions: ... > > • The recipient of any Digital Certificat

Re: Security issues based on post RIR allocation rules

2018-12-11 Thread Tony Finch
Spurling, Shannon wrote: > When I call a health care organization, or a web hosting provider, the > first thing I get is that they think we are trying to pull one over on > them and all these ranges must be in Africa or Asia. I show them the > ARIN information for the specific /16, and sometimes

Re: Stupid Question maybe?

2018-12-24 Thread Tony Finch
> On 18 Dec 2018, at 22:30, Joel Halpern wrote: > > History of non-contiguous network masks, as I observed it. [snip] > > When we were done, other folks looked at the work (I don't know if the > Internet Drafts are still in repositories, but they should be.) And > concluded that while this w

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Tony Finch
Mark Andrews wrote: > > An organisation can also deploy DLV for their own zones using their own > registry. While the current DLV validating code is only invoked > when the response validates as insecure, there is nothing preventing a > policy which says that DLV trumps or must also validate

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-26 Thread Tony Finch
valdis.kletni...@vt.edu wrote: > > Unless you get it down to the SMS "wait for a msg, type in the 6 digit number" > level, it's going to be a tough start... Isn't this what Duo's business is based on? Usable TOTP? See also Google Authenticator, Authy, 1Password, etc. usw. Tony. -- f.anthony.n.

Re: Yet another Quadruple DNS?

2018-03-29 Thread Tony Finch
David Ulevitch wrote: > https://twitter.com/eastdakota/status/970214433598275584 > https://twitter.com/eastdakota/status/970359846548549632 Also the very amusing https://twitter.com/eastdakota/status/970359846548549632 Tony. -- f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode Heb

Re: do you use SPF TXT RRs? (RFC4408)

2010-10-04 Thread Tony Finch
On Mon, 4 Oct 2010, Greg Whynott wrote: > > A partner had a security audit done on their site. The report said they > were at risk of a DoS due to the fact they didn't have a SPF record. Bullshit. > I commented to his team that the SPF idea has yet to see anything near > mass deployment and of t

Re: ILNP and DNS (from 2010.10.04 NANOG50 day 1 morning notes)

2010-10-05 Thread Tony Finch
On Tue, 5 Oct 2010, Michael Sinatra wrote: > > Hence the question: How should I provision authoritative DNS servers, > given that the prefix information is provided via DNS--including the > prefix information for the DNS servers themselves--leading to a > chicken-and-egg problem. In addition, I wo

Re: ILNP and DNS (from 2010.10.04 NANOG50 day 1 morning notes)

2010-10-05 Thread Tony Finch
On Tue, 5 Oct 2010, Michael Sinatra wrote: > > Which then implies that parent zones must use DDNS, and must enable secure > updates from the child (from wherever the child's DDNS updates are sourced). Yes, well if the authentication can be sorted out this would be much better than having to mess a

Re: network name 101100010100110.net

2010-10-18 Thread Tony Finch
On Mon, 18 Oct 2010, bmann...@vacation.karoshi.com wrote: > On Sun, Oct 17, 2010 at 09:16:04PM -0500, James Hess wrote: > > > > Which goes back to one of the standard-provided definitions of domain > > name syntax used by RFC 821 page 29: RFC 821 defines the syntax for mail domains, not domain nam

Re: Definitive Guide to IPv6 adoption

2010-10-19 Thread Tony Finch
On Tue, 19 Oct 2010, Owen DeLong wrote: > > There are advantages to being able to use 16 bits to build various forms > of hierarchical topology on a dynamic basis within a SOHO environment. > If we reduce that to 8 bits, we will block innovations that are > currently underway in this space. Can yo

RE: network name 101100010100110.net

2010-10-20 Thread Tony Finch
On Tue, 19 Oct 2010, Nathan Eisenberg wrote: > > I'm assuming we aren't making jokes here, but 3com.com was created in > > 1986: > > I'm confused. 3com.com would not appear to be entirely numerical. Or > maybe someone spiked my coffee this morning. Once leading digits became permitted, the synt

Re: NTP Server

2010-10-25 Thread Tony Finch
On 24 Oct 2010, at 18:28, Christopher Morrow wrote: > On Sun, Oct 24, 2010 at 1:24 PM, Joel Jaeggli wrote: >> On 10/24/10 10:20 AM, Christopher Morrow wrote: >>> On Sun, Oct 24, 2010 at 10:44 AM, Peter Lothberg wrote: > How do you know that your local NTP server knew what time it is? (for

Re: RINA - scott whaps at the nanog hornets nest :-)

2010-11-08 Thread Tony Finch
On Sun, 7 Nov 2010, William Herrin wrote: > > > http://www.ionary.com/PSOC-MovingBeyondTCP.pdf > > The last time this was discussed in the Routing Research Group, none > of the proponents were able to adequately describe how to build a > translation/forwarding table in the routers or whatever passe

Re: RINA - scott whaps at the nanog hornets nest :-)

2010-11-08 Thread Tony Finch
On Mon, 8 Nov 2010, Scott Weeks wrote: > From: Tony Finch > > : I note that he doesn't actually describe how to implement > : a large-scale addressing and routing architecture. It's all > : handwaving. > > There is more discussed in the book. I have bought and rea

Re: RINA - scott whaps at the nanog hornets nest :-)

2010-11-09 Thread Tony Finch
On Mon, 8 Nov 2010, Scott Weeks wrote: > > The mapping server idea that several proposals use do not appear to keep > the smartness at the edges, rather they seem try to make a smarter core > network. Is a DNS server core or edge? ILNP aims to use the DNS as its mapping service. Tony. -- f.antho

Re: .gov DNSSEC operational message - picking a fight

2010-12-29 Thread Tony Finch
On 28 Dec 2010, at 22:46, bmann...@vacation.karoshi.com wrote: > > IMHO, key management should be able to use an OOB channel > when the in-band is corrupted or overloaded. Reliance on > strictly the IB channel presumes there will be no problems > with that channel. EVER. For me, I

Re: .gov DNSSEC operational message

2010-12-29 Thread Tony Finch
On 29 Dec 2010, at 03:27, Jay Ashworth wrote: > > If you do not, then your clients have little hope of spotting insider > malfeasance changes, no? No cryptography can expose the difference between data that is correctly signed by the proper procedures and data that is correctly signed by a cor

Re: .gov DNSSEC operational message

2010-12-30 Thread Tony Finch
On 29 Dec 2010, at 16:56, bmann...@vacation.karoshi.com wrote: > > presupposes the attack was server directed. the DNS-sniper will take > out your locally configured root KSK &/or replace it w/ their own. If they can do that then you have MUCH bigger problems than authenticity of DNS repli

Re: Last of ipv4 /8's allocated

2011-02-01 Thread Tony Finch
On Tue, 1 Feb 2011, Brian Christopher Raaen wrote: > > Not quite, I still show 102/8, 103/8, 104/8, 179/8, and 185/8 as > "UNALLOCATED". I don't know when the "hand out the last 5 /8's" policy takes > effect, but they haven't handed them out yet. I expect it'll happen on Thursday. http://www.nro.ne

Re: quietly....

2011-02-02 Thread Tony Finch
On Wed, 2 Feb 2011, Iljitsch van Beijnum wrote: > > Example: if you give administrators the option of putting a router > address in a DHCP option, they will do so and some fraction of the time, > this will be the wrong address and things don't work. If you let routers > announce their presence, the

Re: quietly....

2011-02-02 Thread Tony Finch
On Wed, 2 Feb 2011, Iljitsch van Beijnum wrote: > > But there's so much wrong with DHCPv6 that trying to fix it is pretty > much useless, we need to abandon DHCP and start from scratch. Good thing > IPv6 works just fine without DHCPv6. Yeah, no-one needs to dynamically find out their local recursi

Re: quietly....

2011-02-02 Thread Tony Finch
On Wed, 2 Feb 2011, Tim Franklin wrote: > > You could always run your own recursive server on your laptop, instead > of a stub, and remove your dependency on anyone but the roots. *ducks* Especially because this is the only secure way to do DNSSEC validation. Tony. -- f.anthony.n.finch http:

Re: why IPv6 isn't ready for prime time, SMTP edition

2014-03-26 Thread Tony Finch
Laszlo Hanyecz wrote: > The usefulness of reverse DNS in IPv6 is dubious. For most systems yes, but you might as well have it if you are manually allocating server addresses. Tony. -- f.anthony.n.finch http://dotat.at/ Faeroes: Variable 4, becoming southeast 5 or 6. Moderate or rough. Fair.

Re: misunderstanding scale, SMTP edition

2014-03-26 Thread Tony Finch
John Levine wrote: > > If I were a spammer or an ESP who wanted to listwash, I could easily use > a different IP address for every single message I sent. Until mail servers start rate-limiting the number of different addresses that are used :-) You can do something like the following in Exim, whic

Re: why IPv6 isn't ready for prime time, SMTP edition

2014-03-26 Thread Tony Finch
Lamar Owen wrote: > the typical ISP has the technical capability to bill based on volume of > traffic already, and could easily bill per-byte for any traffic with > 'e-mail properties' like being on certain ports or having certain > characteristics. Who do I send the bill to for mail traffic fro

Re: why IPv6 isn't ready for prime time, SMTP edition

2014-03-26 Thread Tony Finch
Lamar Owen wrote: > > The entity with whom they already have a business relationship. Basically, if > I'm an ISP I would bill each of my customers, with whom I already have a > business relationship, for e-mail traffic. Do this as close to the edge as > possible. Ooh, excellent, so I can deliver

Re: why IPv6 isn't ready for prime time, SMTP edition

2014-03-26 Thread Tony Finch
Lamar Owen wrote: > On 03/26/2014 01:38 PM, Tony Finch wrote: > > Who do I send the bill to for mail traffic from 41.0.0.0/8 ? Tony. > > You don't. Their upstream(s) in South Africa would bill them for outgoing > e-mail. You mean Nigeria. So how do I get compensated fo

Re: IPv6 isn't SMTP

2014-03-27 Thread Tony Finch
John Levine wrote: > > There are also some odd things in the spec. For example, according to > RFC 5321 this is not a syntactically valid e-mail address: > > mailbox@[IPv6:2001:12:34:56::78:ab:cd] You aren't allowed to use :: to abbreviate one zero hexadectet according to RFC 5952. http://www.r

Re: IPv6 isn't SMTP

2014-03-27 Thread Tony Finch
Owen DeLong wrote: > > Two errors, actually… As an RFC-821 address, it should be user@[IP]:port > in both cases (user@[192.0.2.1]:25 and user@[2001:db8::1]:25). You have never been able to specify a port number in an email address. Tony. -- f.anthony.n.finch http://dotat.at/ Lundy, Fastnet:

Re: Owning a name

2014-06-27 Thread Tony Finch
John Levine wrote: > > The US has a long policy of not messing with ccTLDs, even of countries > that we don't like such as .kp, .cu, and .iq (back in the day). The latter had a fairly messy history: http://www.iana.org/reports/2005/iq-report-05aug2005.pdf Tony. -- f.anthony.n.finch http://d

Re: TCP Window Scaling issue

2014-07-24 Thread Tony Finch
Zach Hill wrote: > What's interesting is this is only affecting a single server and only > when traffic is going over the WAN circuit. Testing from Server A to any > server on its network shows it is negotiating window scaling just fine. Check your firewall isn't buggering about with TCP option

Re: The stupidity of trying to "fix" DHCPv6

2011-06-15 Thread Tony Finch
Ricky Beam wrote: > > And IPv6 has been designed (poorly, it would now appear) for huge "LAN"s > -- LANs are supposed to be /64, after all. Ethernet is not designed for huge LANs. If you want that you need to make significant changes - http://www.cl.cam.ac.uk/~mas90/MOOSE/ Tony. -- f.anthony.n.

Re: So... is it time to do IPv6 day monthly yet?

2011-06-20 Thread Tony Finch
On 18 Jun 2011, at 19:35, Owen DeLong wrote: > > Note, none of these came with glue. No, you used dig +trace which does not show the additional section. If they had not included glue then resolution would have failed. Tony. -- f.anthony.n.finch http://dotat.at/

Re: ICANN to allow commercial gTLDs

2011-06-20 Thread Tony Finch
On 18 Jun 2011, at 09:22, Owen DeLong wrote: > > In . lives a pointer to apple. consisting of one or more NS records and > possibly some A/ glue for those nameservers if they are within apple. Don't forget the DS records containing the hash of Apple's DNSSEC KSK. Tony. -- f.anthony.n.finch

Re: unqualified domains, was ICANN to allow commercial gTLDs

2011-06-20 Thread Tony Finch
On 20 Jun 2011, at 02:24, Paul Vixie wrote: > > furthermore, the internet has more in it than just the web, and i know that > "foo@sony." will not have its RHS ("sony.") treated as a hierarchical name. Trailing dots are not permitted on mail domains. There has been an ongoing argument about the

Re: unqualified domains, was ICANN to allow commercial gTLDs

2011-06-20 Thread Tony Finch
On 20 Jun 2011, at 08:43, Mark Andrews wrote: > > There is also no such thing as "in-bailiwick glue for the TLD’s DNS servers". > The root zone contains glue for TLDs. No TLD zone contains glue for TLDs. "In-bailiwick" means that the nameservers for a zone are under the apex of that zone. So

Re: Address Assignment Question

2011-06-20 Thread Tony Finch
On 20 Jun 2011, at 16:26, Jérôme Nicolle wrote: > > But most RBL managers are shitheads anyway, so help them evade, that'll be > one more proof of spamhaus &co. uselessness and negative impact on the > Internet's best practices. An organization that blocks 90% of spam with no false positives i

Re: Address Assignment Question

2011-06-20 Thread Tony Finch
On 20 Jun 2011, at 23:09, Jérôme Nicolle wrote: > > But if you can point me to any serious organisation > providing a real value-added service maintained by real professionals, > those who perform thorough checks _before_ putting a legitimate mail > server in a blacklist, then i'd enjoy benchm

Re: unqualified domains, was ICANN to allow commercial gTLDs

2011-06-21 Thread Tony Finch
On 21 Jun 2011, at 00:29, Mark Andrews wrote: > > I will repeat my assertion. There is no such thing as glue records > for the nameservers at the top of the zone within the zone itself > be they in-bailiwick or not. Glue records live in the parent zone > and are there to avoid the catch 22 situa

Re: [pfSense Support] Strange TCP connection behavior 2.0 RC2 (+3)

2011-06-29 Thread Tony Finch
Mikael Abrahamsson wrote: > > Well, then you run into the nice problem of the RNCs only having 400 kilobytes > of buffers per session and will drop packets if they receive more packets than > that, or sometimes even just because they receive a burst of a few tens of > packets at GigE linerate (bec

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Tony Finch
Mike Jones wrote: > > DNSSEC deployment is advanced enough now to do that automatically at the > client. Sadly not quite. DNSSEC does have the potential to provide an alternative public key infrastructure, and I'm keen to see that happen. But although it works well between authoritative servers a

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases

2011-09-12 Thread Tony Finch
fredrik danerklint wrote: > > and how about an end user, who doesn't understand a computer at all, to > be able to verify the signatures, correctly? The current trust model for DNSSEC relies on the vendor of the validator to bootstrap trust in the root key. This is partly a matter of pragmatism since

Re: Why are we still using the CA model? (Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates)

2011-09-12 Thread Tony Finch
> > > > with dane, i trust whoever runs dns for citibank to identify the cert > > > > for citibank. this seems much more reasonable than other approaches, > > > > though i admit to not having dived deeply into them all. > > > If the root DNS keys were compromised in an all DNS rooted world... > >

Re: F.ROOT-SERVERS.NET moved to Beijing?

2011-10-03 Thread Tony Finch
Todd Underwood wrote: > > sure, but DNSSEC is still basically unused. If you are running BIND 9.8 there is really no reason not to turn on DNSSEC validation, then you won't have to worry about anycast routes leaking from behind the great firewall. dnssec-validation auto; dnssec-l

Re: btw, the itu imploded

2012-12-19 Thread Tony Finch
Bill Woodcock wrote: > > The main unfortunate outcome is that the ITU has managed to get Study > Group 3 approved to try to figure out how to override peering agreements > with government-imposed settlements. Do you have any citations for that? I thought they had given up on trying to interfere w

Re: btw, the itu imploded

2012-12-19 Thread Tony Finch
Nick Hilliard wrote: > On 19/12/2012 14:25, Tony Finch wrote: > > > > Do you have any citations for that? I thought they had given up on trying > > to interfere with Internet peering and settlement. > > http://www.itu.int/net/ITU-T/lists/questions.aspx?Group=03&P

Re: why haven't ethernet connectors changed?

2012-12-21 Thread Tony Finch
Tom Morris wrote: > > Boy would I ever love an ethernet connector that works like Apple's > MagSafe... I guess a magsafe ethernet connector would have too much noise (owing to poor quality connection) to provide decently high bandwidth. This thread reminds me of http://fanf.livejournal.com/96172

Re: why haven't ethernet connectors changed?

2012-12-21 Thread Tony Finch
Michael Thomas wrote: > > I'd turn this back the other way though: in this day and age, why do we > have any interconnection/bus that isn't just ethernet/IP? The need for isochronous transmission and more bandwidth. Tony. -- f.anthony.n.finch http://dotat.at/ Forties, Cromarty: East, veering

Re: [SHAME] Spam Rats

2013-01-11 Thread Tony Finch
John Levine wrote: > >*.4.4.3.0.5.a.0.0.8.b.d.0.1.0.0.2.ip6.arpa. PTR a.node.on.vlan344.namn.se. > >...will work just fine, for instance. > > Since there is no record for a.node.on.vlan344.namn.se., this > won't work fine in any rDNS check I'm aware of. I believe it's relatively common for

Re: Google's Public DNS does DNSSEC validation

2013-01-30 Thread Tony Finch
Mick O'Rourke wrote: > In the potentially interesting and perhaps not so positive - one of the > common EDNS tests via Google pub DNS fails. Google Public DNS's upstream behaviour is different depending on whether its client demonstrates knowledge of DNSSEC: Large EDNS buffer size with client

Re: Why are there no GeoDNS solutions anywhere in sight?

2013-03-21 Thread Tony Finch
bmann...@vacation.karoshi.com wrote: > > piece of cake. add loc records to your rrset. You need something more sophisticated than that because for a single domain name you can't say which LOC records correspond to which address records. Tony. -- f.anthony.n.finch http://dotat.at/ Forties,

Re: Open Resolver Problems

2013-03-27 Thread Tony Finch
Joe Abley wrote: > > My assessment is that the implementations I have seen are ready for > production use, but I think it's understandable given the moving > goalposts that some vendors have not yet promoted the code to be > included in stable releases. It is in the current stable release of NSD

Re: Open Resolver Problems

2013-03-27 Thread Tony Finch
Jack Bates wrote: > > Tracking the clients would be a huge dataset and be especially complicated in > clusters. The memory usage is quite manageable: for the BIND patch it is at most 40-80 bytes (for 32 or 64 bit machines) per request per second. You're doing well if you need a megabyte. There's

Re: Open Resolver Problems

2013-03-27 Thread Tony Finch
Jack Bates wrote: > You'll also find that [DNS RRL] serves little purpose. In my experience it works extremely well. Yes it is possible to work around it, but you still need to stop the attacks that are happening now. It is good to make the attacker's job harder. > 1) tcp RRL pushes legitimate

Re: Open Resolver Problems

2013-03-27 Thread Tony Finch
Jack Bates wrote: > > If BCP38 was properly deployed, what would be the purpose of RRL outside of > misbehaving clients or direct attacks against that one server? If fictional scenario, irrelevant answer. Given the current situation, efforts to deploy both RRL and BCP38 in parallel will reduce th

Re: Open Resolver Problems

2013-04-01 Thread Tony Finch
On 1 Apr 2013, at 14:44, Jared Mauch wrote: > On Mar 31, 2013, at 11:16 PM, valdis.kletni...@vt.edu wrote: >> >> Anybody who is looking at this as an IPv4 issue is woefully misinformed >> about the nature of the problem. > > :) > > IPv4 it's easy to collect an inventory (the math works). IPv6,

Re: ICMP Redirect on Resolvers

2013-04-05 Thread Tony Finch
On 6 Apr 2013, at 06:36, Shahab Vahabzadeh wrote: > I have two DNS Server (resolver) running on FreeBSD 9.0, I always see in > console messages like this: > > icmp redirect from 192.168.140.36: 192.168.179.80 => 192.168.140.254 You probably configured the wrong default router address or netmask

Re: What do people use public suffix for?

2013-04-19 Thread Tony Finch
Joe Abley wrote: > > If the rule was just "the nameservers need to be the same and the SOA > RDATA needs to be the same, for some well-documented meaning of 'same'" > then gaming that rule (e.g. for purposes of cookie injection) as a > miscreant is unpleasantly straightforward. To reinforce Joe's

Re: Google Public DNS Problems?

2013-05-01 Thread Tony Finch
Blair Trosper wrote: > Goes all the way up to the A root server before failing spectacularly. That is an extremely weird response. Are you sure your queries are not being intercepted by a middlebox? What happens if you use dig +vc ? Do you get a similar round-trip time when pinging 8.8.8.8 to th

Re: DNS anycasting - multiple DNS servers on same subnet Vs registrar/registry policies

2012-05-28 Thread Tony Finch
Anurag Bhatia wrote: > > One small concern I wanted to discuss here. I know few > registry/registrars which do not accept both (or all) name servers of > domain name on same subnet. They demand at least 1 DNS server should be > on different subnet for failover reasons (old thoughts). > > How one c

Re: NXDomain remapping, DNSSEC, Layer 9, and you.

2012-05-29 Thread Tony Finch
Randy Bush wrote: > > > When your browsers support DANE > > and a billion home nats support dnssec :( I expect there will be a depressingly large amount of DNS-over-TLS in the future in order to bypass broken ALGs. Tony. -- f.anthony.n.finch http://dotat.at/ Malin: Cyclonic 4 or 5. Slight or

Re: LinkedIn password database compromised

2012-06-21 Thread Tony Finch
Tei wrote: > Anonymity on the Internet is a feature, because a lot of the world > netcitizens come from countries where saying this or that is a crime, > and can get you in trouble. Note that you need to make a distinction between pseudonymity and anonymity. In most online situations anonymity i

Re: F-ckin Leap Seconds, how do they work?

2012-07-03 Thread Tony Finch
Jimmy Hess wrote: > > Someone should write a dastardly system clock daemon to cause the > insertion of frequent spurious positive leap seconds, followed by the > spurious insertion of negative leap seconds. > > For testing purposes... any application which crashes under such a > test, should

Re: F-ckin Leap Seconds, how do they work?

2012-07-03 Thread Tony Finch
Wolfgang S. Rupprecht wrote: > I wonder why the system's internal time isn't run that way. For compatibility with software that does time calculations without using the crappy libc time API. Tony. -- f.anthony.n.finch http://dotat.at/ Humber, Thames, Dover, Wight: South 4 or 5. Slight or mo

Re: F-ckin Leap Seconds, how do they work?

2012-07-03 Thread Tony Finch
Nick Hilliard wrote: > > Well, yeah, it's not obvious that a minute can have anywhere between 59 and > 62 seconds. No, a minute cannot have 62 seconds. That is an old documentation bug which has been fixed. http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/time.h.html Tony. -- f.anthony.n

Re: F-ckin Leap Seconds, how do they work?

2012-07-03 Thread Tony Finch
Owen DeLong wrote: > > Since we have a tradition of measuring diurnal and other repetitive > cycles (days) based on the rotation of the earth, we end up with fudge > factors to make that line up with months from time to time. (leap > seconds). That is not what leap seconds are. Leap seconds are

Re: F-ckin Leap Seconds, how do they work?

2012-07-03 Thread Tony Finch
Peter Lothberg wrote: > > We have a NTP server on Earth (say Washington-DC) and Vint has > extended the Internet to planet Mars, can we use NTP? No. http://fanf.livejournal.com/116480.html Tony. -- f.anthony.n.finch http://dotat.at/ Rockall: Cyclonic, becoming northerly later, 4 or 5, occasi

RE: F-ckin Leap Seconds, how do they work?

2012-07-03 Thread Tony Finch
Peter Lothberg wrote: > > As the definition of an atomic second is 9192631770 complete > oscillations of cesium 133 between energy level 3 and 4, "everyone" can > make a second in their lab, that's TAI. No, TAI isn't based on the SI second you realise in your lab. It's the SI second realised on the

Re: F-ckin Leap Seconds, how do they work?

2012-07-03 Thread Tony Finch
valdis.kletni...@vt.edu wrote: > > Leap seconds are added for the exact same reason leap days are - the > earth's rotation isn't a clean multiple of the year. No, leap seconds have nothing to do with years. Tony. -- f.anthony.n.finch http://dotat.at/ Rockall: Cyclonic, becoming northerly late

Re: F-ckin Leap Seconds, how do they work?

2012-07-03 Thread Tony Finch
Peter Lothberg wrote: > And I forgot: They made a "mistake" and missed their intentions of a > solar day year 1900 when defining the atomic second. Off by 2s in 100 > years. No, that is not correct, or at least it's nowhere near as simple as that. The atomic second was matched to the second of ep

RE: F-ckin Leap Seconds, how do they work?

2012-07-03 Thread Tony Finch
Keith Medcalf wrote: > > You are assuming facts not in evidence. The rotation is merely > irregular within the capabilities of our scheme of measurement, > calculation, and observation. There is LOTS of evidence that the earth's rotation is irregular. VLBI, laser ranging of the moon, etc. This w

RE: F-ckin Leap Seconds, how do they work?

2012-07-03 Thread Tony Finch
Keith Medcalf wrote: > > What you mean is that it is subject to periodicities and forces which > you do not understand, and that within your limited perception, this > ignorance is taken as "irregularity". Just because the system > encompasses rules and properties beyond your understanding and >
