Re: [anti-abuse-wg] Reverse DNS delegations
On Mon 08/Apr/2024 12:19:15 +0200 Gert Doering wrote:
> On Mon, Apr 08, 2024 at 12:10:57PM +0200, Alessandro Vesely wrote:
>> Delegations don't seem to be generated from the database. How is that
>> supposed to work?
>
> They are, but maybe not for the highest level.
>
> Like, 8.0.6.0.1.0.0.2.ip6.arpa - that's our space, 2001:608::/32, and
> the reverse DNS delegation was done (back then, in August 2002) via
> the DB entry, and I'm assured it still works that way.

Yup, that matches:

$ dig 8.0.6.0.1.0.0.2.ip6.arpa ns

; <<>> DiG 9.18.24-1-Debian <<>> 8.0.6.0.1.0.0.2.ip6.arpa ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26275
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 7

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: f5890ae0f4d0b45601006613c858ab439750be740ddf (good)
;; QUESTION SECTION:
;8.0.6.0.1.0.0.2.ip6.arpa.      IN      NS

;; ANSWER SECTION:
8.0.6.0.1.0.0.2.ip6.arpa. 43200 IN      NS      ns4.dns.space.net.
8.0.6.0.1.0.0.2.ip6.arpa. 43200 IN      NS      ns.ripe.net.
8.0.6.0.1.0.0.2.ip6.arpa. 43200 IN      NS      ns.space.net.
8.0.6.0.1.0.0.2.ip6.arpa. 43200 IN      NS      ns3.dns.space.net.
...

$ whois -h whois.ripe.net -T domain -d 2001:608::
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See https://apps.db.ripe.net/docs/HTML-Terms-And-Conditions

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '8.0.6.0.1.0.0.2.ip6.arpa'

domain:         8.0.6.0.1.0.0.2.ip6.arpa
descr:          SpaceNET IPv6 Space, reverse delegation (new style)
admin-c:        SVB
tech-c:         SPCN-RIPE
zone-c:         SPCN-RIPE
nserver:        ns.ripe.net
nserver:        ns.space.net
nserver:        ns3.dns.space.net
nserver:        ns4.dns.space.net
mnt-by:         SPACENET-N
created:        2002-08-19T13:31:57Z
last-modified:  2016-12-07T21:11:25Z
source:         RIPE
...

Thanks
Ale
--

--
To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg

Re: [anti-abuse-wg] Reverse DNS delegations
On Sun 07/Apr/2024 20:33:28 +0200 Gert Doering wrote:
> On Sun, Apr 07, 2024 at 01:44:45PM -0400, John Levine wrote:
>> If you care about rDNS, you need to find a better ISP that meets your
>> needs. Then tell the old one why you left.
>
> That seems to be a problem in Italy these days - few ISPs offer IPv6
> at all, so finding one that does IPv6 *and* rDNS seems hard.
>
> (In Germany, there's competition on the ISP market, but I'm not sure
> there are many that actually delegate out /48s - and I'm not sure
> how many of those that do provide reverse DNS actually permit customers
> to put in records of their choice, and not just auto-generated PTRs)

I counted 2101 lines in the Italian LIRs page[*] and 4302 in the German one[†] (including ~20 lines of header/footer). Unfortunately, those lists say nothing about what kind of services each ISP does.

I wonder if filling those tables with attributes that would be useful to prospective customers is something that RIPE members want RIPE to do...

Best
Ale
--

[*] https://www.ripe.net/membership/indices/IT.html
[†] https://www.ripe.net/membership/indices/DE.html

Re: [anti-abuse-wg] Reverse DNS delegations
Hi,

On Mon, Apr 08, 2024 at 12:10:57PM +0200, Alessandro Vesely wrote:
> Thanks, that apparently works. However, -T domain -d 2a02:: finds
> 0.0.0.0.2.0.a.2.ip6.arpa. It seems to prepend a variable number of zeroes
> and cite the wrong name servers (see queries below). Shouldn't it find
> 2.0.a.2.ip6.arpa? That domain exists, although it has no name servers.

0.a.2.ip6.arpa is the RIPE's "top level" reverse zone, and I would assume that these need to be entered manually into the DNS system (because it's not "a child zone of an existing zone"). Like you need to add your IP blocks to your IPAM, to be able to allocate a subnet from it.

So 0.0.0.0.2.0.a.2.ip6.arpa seems to be the first "customer" DNS delegation from there.

> The parent zone, 0.a.2.ip6.arpa, has lots of international NSes, none of
> which matches the ones returned by the database queries.
>
> Delegations don't seem to be generated from the database. How is that
> supposed to work?

They are, but maybe not for the highest level.

Like, 8.0.6.0.1.0.0.2.ip6.arpa - that's our space, 2001:608::/32, and the reverse DNS delegation was done (back then, in August 2002) via the DB entry, and I'm assured it still works that way.

Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Ingo Lalla,
                                           Karin Schuler
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279

Re: [anti-abuse-wg] Reverse DNS delegations
On Sun 07/Apr/2024 16:47:37 +0200 Semisol via anti-abuse-wg wrote:
> On 7.04.2024 15:42, Alessandro Vesely wrote:
>> BTW, how should one search DB objects like 2.0.a.2.ip6.arpa? I can
>> search it in the DNS but not in https://apps.db.ripe.net/db-web-ui/query
>
> -T domain -d
>
> I believe you can also use the more/less specific flags with that query
> but I didn't try.

Thanks, that apparently works. However, -T domain -d 2a02:: finds 0.0.0.0.2.0.a.2.ip6.arpa. It seems to prepend a variable number of zeroes and cite the wrong name servers (see queries below). Shouldn't it find 2.0.a.2.ip6.arpa? That domain exists, although it has no name servers.

The parent zone, 0.a.2.ip6.arpa, has lots of international NSes, none of which matches the ones returned by the database queries.

Delegations don't seem to be generated from the database. How is that supposed to work?

- queries -

$ whois -h whois.ripe.net -T domain -d 2a02::
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See https://apps.db.ripe.net/docs/HTML-Terms-And-Conditions

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '0.0.0.0.2.0.a.2.ip6.arpa'

domain:         0.0.0.0.2.0.a.2.ip6.arpa
descr:          IPv6 reverse delegation SES
nserver:        isrvdns1.astra-net.com
nserver:        isrvdns2.astra-net.com
nserver:        isrvdns3.astra-net.com
...

$ dig 0.0.0.0.2.0.a.2.ip6.arpa ns
;; communications error to ::1#53: timed out
...

$ dig @isrvdns1.astra-net.com 0.0.0.0.2.0.a.2.ip6.arpa ns
;; communications error to 212.56.224.20#53: timed out
;; communications error to 212.56.224.20#53: timed out
;; communications error to 212.56.224.20#53: timed out

; <<>> DiG 9.18.24-1-Debian <<>> @isrvdns1.astra-net.com 0.0.0.0.2.0.a.2.ip6.arpa ns
; (1 server found)
;; global options: +cmd
;; no servers could be reached

$ dig @isrvdns2.astra-net.com 0.0.0.0.2.0.a.2.ip6.arpa ns
;; communications error to 212.56.224.21#53: timed out
;; communications error to 212.56.224.21#53: timed out
;; communications error to 212.56.224.21#53: timed out

; <<>> DiG 9.18.24-1-Debian <<>> @isrvdns2.astra-net.com 0.0.0.0.2.0.a.2.ip6.arpa ns
; (1 server found)
;; global options: +cmd
;; no servers could be reached

$ dig @isrvdns3.astra-net.com 0.0.0.0.2.0.a.2.ip6.arpa ns
;; communications error to 213.169.107.4#53: timed out
;; communications error to 213.169.107.4#53: timed out
;; communications error to 213.169.107.4#53: timed out

; <<>> DiG 9.18.24-1-Debian <<>> @isrvdns3.astra-net.com 0.0.0.0.2.0.a.2.ip6.arpa ns
; (1 server found)
;; global options: +cmd
;; no servers could be reached

$ dig 0.a.2.ip6.arpa ns

; <<>> DiG 9.18.24-1-Debian <<>> 0.a.2.ip6.arpa ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32256
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: b9ca8f96dd329dbf01006613bf18d99a4c9d9cbff52a (good)
;; QUESTION SECTION:
;0.a.2.ip6.arpa.                IN      NS

;; ANSWER SECTION:
0.a.2.ip6.arpa.         78819   IN      NS      ns3.lacnic.net.
0.a.2.ip6.arpa.         78819   IN      NS      ns4.apnic.net.
0.a.2.ip6.arpa.         78819   IN      NS      rirns.arin.net.
0.a.2.ip6.arpa.         78819   IN      NS      ns3.afrinic.net.
0.a.2.ip6.arpa.         78819   IN      NS      pri.authdns.ripe.net.
...

$ whois -h whois.ripe.net -T domain -d 2a00::
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See https://apps.db.ripe.net/docs/HTML-Terms-And-Conditions

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '0.0.0.0.a.2.ip6.arpa'

domain:         0.0.0.0.a.2.ip6.arpa
descr:          Arcor AG & Co. KG
org:            ORG-MAT1-RIPE
admin-c:        ANOC1-RIPE
tech-c:         ANOC1-RIPE
zone-c:         ANOC1-RIPE
nserver:        ns1.arcor-ip.de
nserver:        ns2.arcor-ip.de
nserver:        ns3.arcor-ip.de
created:        2006-03-14T11:25:21Z
last-modified:  2016-11-07T14:07:33Z
source:         RIPE
mnt-by:         ARCOR-MNT
remarks:        Unmaintained reverse domain object.
remarks:        Address prefix maintainer(s) added by RIPE NCC.
remarks:        For more information see:
remarks:        http://www.ripe.net/db/support/security/domain/syntax.html

Best
Ale
--

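
Added example, not part of any message in this thread: each ip6.arpa name queried above stands for an IPv6 prefix, one label per 4-bit nibble in reverse order, so 0.a.2.ip6.arpa, 2.0.a.2.ip6.arpa and 0.0.0.0.2.0.a.2.ip6.arpa are zones for prefixes of different lengths (/12, /16, /32). The Python sketch below converts in both directions and lists the enclosing zones whose NS sets can be compared with dig; the function names are illustrative.

```python
import ipaddress

HEX = set("0123456789abcdef")

def reverse_zones(prefix):
    """ip6.arpa zone name(s) that cover an IPv6 prefix.

    A prefix ending on a nibble (4-bit) boundary maps to one zone; any other
    length is split into the zones at the next nibble boundary.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    nibbles = -(-net.prefixlen // 4)          # ceil(prefixlen / 4)
    zones = []
    for sub in net.subnets(new_prefix=nibbles * 4):
        digits = sub.network_address.exploded.replace(":", "")[:nibbles]
        zones.append(".".join(list(reversed(digits)) + ["ip6", "arpa"]))
    return zones

def zone_prefix(zone):
    """Inverse mapping: the IPv6 prefix an ip6.arpa zone name stands for."""
    labels = zone.lower().rstrip(".").split(".")
    nibbles, suffix = labels[:-2], labels[-2:]
    if suffix != ["ip6", "arpa"] or len(nibbles) > 32:
        raise ValueError(f"not an ip6.arpa zone name: {zone!r}")
    if any(len(n) != 1 or n not in HEX for n in nibbles):
        raise ValueError(f"non-nibble label in {zone!r}")
    digits = "".join(reversed(nibbles)).ljust(32, "0")
    return ipaddress.IPv6Network((int(digits, 16), len(nibbles) * 4))

def enclosing_zones(zone):
    """The zone itself, then each shorter name above it, up to ip6.arpa."""
    labels = zone.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]

if __name__ == "__main__":
    # Prefixes and zone names taken from the queries in the thread.
    for p in ("2a00::/12", "2a02::/16", "2a02::/32", "2001:608::/32"):
        print(f"{p:16} -> {reverse_zones(p)[0]}")
    print(zone_prefix("0.0.0.0.a.2.ip6.arpa"))
    print(enclosing_zones("0.0.0.0.2.0.a.2.ip6.arpa"))
```
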
[anti-abuse-wg] LEA Transparency Report 2023
Dear colleagues,

We have published a transparency report that details the nature and number of requests we received from Law Enforcement Agencies in 2023.

You can find the report at:
https://www.ripe.net/publications/docs/ripe-819/

Kind regards,

Theodoros Fyllaridis
Legal Counsel
RIPE NCC