Re: Worst design decisions?
On Thu, 2003-09-18 at 00:43, Matt wrote:

> Hello all,
>
> Was doing some upgrades on a UBR7246 (to a VXR), and I got to thinking about short-sighted design considerations. I was curious if any of you had some pet peeves from a design perspective to rant about. I'll start with a couple.

The original GSR blanks came without handles. They were also put in tight as ***. For days after, your fingers would have the imprints of the little screws on them. I once used my socks to protect my fingers when I was pulling them out.

Frank
Re: ICANN - Formal Complaint re Verisign
> One thing I haven't seen mentioned in all this is the incredible business monopolizing effect this move will have on the TLD's in question. It dramatically shifts the domain playing field in Verisign's favor by pointing millions of potential customers to their site(s) specifically, giving them millions of dollars in free advertising eye-time over any of the competition

I don't see how this eye-time can be translated into millions of dollars. But it is clear that Verisign are making money by selling sponsored links to people who sell spamming services and software. And it is also clear that this redirection of traffic allows them to amass a large database of email addresses that are current, active and which belong to people who don't always check things carefully before acting, i.e. the To: email address was mistyped. They could make a lot of money selling that list of email addresses to spammers. And they could also sell a lot of the mistyped addresses after correcting the domain name portion by supplying the closest matches from the .COM and .NET database.

I wonder how anyone can continue to trust a company like this as a certificate authority. They seem to have attracted the breed of get-rich-quick management who want to make money by scamming the public and selling very unsubstantial things like names (.COM) and numbers (SSL certs). I don't pretend to believe that we can stop fast-buck artists from running these sorts of scams but we have to find alternative sources for SSL certs from companies whose business model lies squarely in the world of security and trust. That clearly excludes Verisign.

Any company with such shoddy business practices that they can unleash this technically flawed redirection of traffic without proper testing and public consultation is also a soft target for infiltration. As was already mentioned, it is only a matter of time before a criminal gang infiltrates Verisign and launches man-in-the-middle attacks on the banking system.

There are already people that are specifically targeting banks by installing surreptitious keyloggers on computers that sniff out Internet banking passwords. This would be far more effective if the keyloggers were installed by a man-in-the-middle so that they were targeted only at the intended victims.

--Michael Dillon
Re: ICANN - Formal Complaint re Verisign
If I remember correctly, a Verisign person stated in an interview that they estimate that it will be worth up to $100M annually.

Boycott Verisign as much as possible. You can register new names in .BIZ or .INFO or in a country specific TLD including .US
http://www.us-register.com/faq-us.cfm

If you just cannot convince customers to stay away from the polluted mess of .COM then please use one of the alternative registrars so that less of your money goes to Verisign.

And you can get SSL certs from alternative sources such as GeoTrust
http://www.geotrust.com/

If you really believe that Verisign's actions are stock manipulation or shareholder fraud and you have some evidence to support that belief then report it to the SEC
http://www.sec.gov/complaint.shtml

If you believe that Verisign's actions have damaged your business in any way then ask your lawyers to write a letter to Verisign demanding that they cease and desist. If necessary, then follow up with a lawsuit or join in a class action suit against Verisign.

Complaining on this mailing list achieves very little but there are things that individuals and businesses can do to put their money where their mouth is and have some real impact on Verisign.

--Michael Dillon
Re: public resolver (was: bind patch? (Re: What *are* they smoking?))
On Wednesday, Sep 17, 2003, at 19:32 Europe/Amsterdam, Paul Vixie wrote:

> > Just when I thought I had a DNS server I could point my IPv6-only hosts to...
>
> that's the purpose of the f.6to4-servers.net server, and if it's not working for you then please send dig results and we'll check it out. (not host, and probably not to nanog.)

It wouldn't talk to me or some others who were helpful enough to send me dig output yesterday. Works fine now, though.
Re: .ORG problems this evening
On Thu, 18 Sep 2003, Jared Mauch wrote:

: ultradns uses the power of anycast to have these ips that appear
: to be on close subnets in geographically diverse locations.

Oh, that's brilliant. How nice of them to defeat the concept of redundancy by limiting me to only two of their servers for a gTLD. VeriSign might be doing some loathsome things lately, but at least my named has several more servers than just two to choose from.

: could you provide some more technical details, other than
: your postulations that they have two machines on
: network-wise close subnets and that is the problem?

I tracerouted to both IPs from two different locations in the USA; both took the same route before hitting !H from an ultradns.com rDNS machine. And both servers for that route were completely unresponsive from both tried locations during the outage period.

--
-- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: .ORG problems this evening
On Thu, 18 Sep 2003, Majdi S. Abbas wrote:

: I didn't have a problem with .org this evening, and I've asked
: around and others don't seem to have noticed anything either. It would be
: more helpful if you told us your source prefix, and which filter you're
: hitting when you traceroute to tld[12].ultradns.net.

12  dellfweqab.ultradns.net (204.74.103.2)  24.811 ms !H

Same machine for both tld1 and tld2, seen through XO last night and Verio this morning, from source prefix 66.56.64.0/19 (as well as two others, one on the US east coast and one in US midwest which I cannot name publicly).

So as far as my machine's source address is concerned, even if the servers are anycast, there are still only two servers which reside on a single point of failure. Anycasting doesn't help me one whit if there are only two servers for my named to choose and both of the ones visible from my location are down (even though their routes are up) -- this is IMNSHO irresponsible for a gTLD operator.

If anycast is the game, there should be much more than just two addresses to choose. Ideally, there should be about six, and certain servers should deliberately *not* advertise certain anycast networks, in an overlap mesh that allows one point to fail while others still respond. For instance:

USA server location A advertises networks 1, 3, 5;
USA server location B advertises networks 1, 3, 4;
Europe server location A advertises networks 3, 4, 6;
Asia server location A advertises networks 2, 5, 6;

or something to that effect.

--
-- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: DNS anycast considered harmful (was: .ORG problems this evening)
On Thursday, Sep 18, 2003, at 13:38 Europe/Amsterdam, Todd Vierling wrote:

> : ultradns uses the power of anycast to have these ips that appear
> : to be on close subnets in geographically diverse locations.
>
> Oh, that's brilliant. How nice of them to defeat the concept of redundancy by limiting me to only two of their servers for a gTLD.

Well, for me one goes to London and the other to Washington, so from where I'm sitting there is geographical diversity. But having only two servers and anycasting those is nonsense. That means I have to depend on BGP to get to the closest server. This is something BGP is really bad at. DNS servers on the other hand track RTTs for query responses and really *know* which server is the fastest rather than guess based on third hand routing information. And more importantly: if there is only a single working server, everyone in the world is able to reach it. With anycast it can easily happen that you're transported to the nearest dead server.

For the root anycasting makes some sense as it's impossible to add more real root servers because of packet size limitations (but I hope they're smart enough to keep some non-anycasted root servers around), but with only two servers listed, org really doesn't need anycasting.

> the same route before hitting !H from an ultradns.com rDNS machine.

What's up with those host unreachables anyway? I wouldn't be surprised if there are IP stacks that cache these. Then if you do a ping to one of the org servers and get a host unreachable, any subsequent DNS queries will be dropped locally as well. There are other ICMP responses that make much more sense for what they're trying to do.
Fw: Re: ICANN - Formal Complaint re Verisign
An interesting thought...

Jerry

> Jerry,
>
> One question - if I previously typed in an URL that was incorrect and would get the usual response from my OWN system, there would be not a real lot of data sent/received to pay for that mistake. Now that Verisign is doing their current thing, there is a lot more data being paid by ISPs across the world that shouldn't HAVE to be paid for.
>
> So is anyone thinking of banding together the ISPs in on this formal complaint citing loss of income from this? The bigger the ISP - eg AOL - the bigger the new cost for Verisign advertising, paid at the ISP's expense because of all this. A group of ISPs all complaining should get some action you would think.
>
> I am posting this to you as if you can use it, feel free to post it to Nanog where I have no posting rights.
>
> Regards,
> Greg.
Re: DNS anycast considered harmful (was: .ORG problems this evening)
On Thu, 18 Sep 2003, Stephane Bortzmeyer wrote:

: BIND does it but what about Microsoft cache/forwarder? At RIPE 45 (you
: were there), a talk by people at CAIDA showed that A.root-servers.net
: received twice as much traffic as the other root name servers since it
: is just the first one listed...

There's an easy fix to that particular situation: Make the first (or first two) listed servers anycast, and the rest unicast. That gains the distributed nature of anycast to deal with crap like this, while keeping the ability for DNS servers to find one that is *up*.

--
-- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: Verisign suggestion
In a message written on Thu, Sep 18, 2003 at 12:25:48AM -0400, Gerald wrote:

> They don't pay a thing for all of these domains that they are now accepting queries for. It would seem to me to our benefit as an Internet community to word this in our favor and send Verisign a bill for manipulating their monopoly on the .net and .com zones. My suggestion:

I've seen a lot of knee-jerk responses on the list to this issue, but this one is the first idea I think actually holds up to more detailed inspection.

Domain speculators have been registering typos for years, paying money for them, and redirecting you to all sorts of things. While this may not win them any friends it is generally accepted. Verisign can now do that without paying for each mistyped domain, giving them a huge (economic) advantage. [Note: yes, there are technical advantages, like they get everything with one record, but money talks.]

Now, as much as I hate ICANN, I do think they are entitled to their cut of each one of these domains. If I worked at ICANN I would write a script to find domains, show that some large number of gTLDs respond, and then show Verisign only paid for a fraction of that number. Verisign's liability here is huge; if you just assume 36 characters (a-z0-9) and 64 character long domain names you could charge them for 36^64 domains.

I strongly encourage ICANN to bill them for all the domains they are now redirecting (eg, all mathematically possible, more detailed analysis required), and for the domain speculators who've been registering for years to sue them for unfair monopolistic practices, or something, since they clearly have an unfair advantage. Heck, you might even be able to get an injunction against them pretty quick.

--
Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - [EMAIL PROTECTED], www.tmbg.org
Just had an interesting side effect of the V hijack...
Went to register.com to register a new DNS server for someone, and when it normally asks for the IP address (new server, new domain), it didn't because when it did a query, it got a response for that name. Now, it is reporting the new DNS server as resolving to Verisign's IP address.

I think register has got some tweaking to do on their web scripts to ignore wildcard responses... But, shows another side effect of V's unilateral action.

Jerry
Re: .ORG problems this evening
On Thu, 18 Sep 2003, Stephen J. Wilcox wrote:

: they have two distinct servers by IP, globally they have N x clusters. i'm sure
: each instance is actually more than a single linux PeeCee

Doesn't matter if it's a cluster at each location. The fact remains that there were only two IP addresses visible to my named, and both were unresponsive to my machine. As far as my machine was concerned, .ORG was down for the count, no matter how many servers, that were invisible to me, were still working.

: so even if what i see as tld1 now goes into failure.. for the minute or two it
: takes to go offline and reconverge on another tld1 i still see tld2

The routes I saw never went offline, as far as I could tell -- and from my location tld1 and tld2 have the *same* route and end up at the same physical connectivity location. So much for redundancy.

: maybe its firewalled? I see !H too but my .org is working fine for dns resolving

Yes, it is firewalled. I was pointing out that the route is the same for tld1 and tld2 for me, all the way up to the firewall.

--
-- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: DNS anycast considered harmful (was: .ORG problems this evening)
On Thursday, Sep 18, 2003, at 14:08 Europe/Amsterdam, Stephane Bortzmeyer wrote:

> > BGP is really bad at. DNS servers on the other hand track RTTs for query responses
>
> BIND does it but what about Microsoft cache/forwarder? At RIPE 45 (you were there),

Was I???

> a talk by people at CAIDA showed that A.root-servers.net received twice as much traffic as the other root name servers since it is just the first one listed...

That's not good. But not an excuse. If MS is unable to fix this (how long did it take them to retire the FAT filesystem that was considered prehistoric by the late 1980s again?), BIND runs under Windows too...

> > (but I hope they're smart enough to keep some non-anycasted root servers around),
>
> Who is they? Not sure. :-) Since there is no top Root Nameservers Authority, every root nameserver manager decides for himself (I assume they coordinate but I'm not sure and it's not the same thing). Unlike a TLD, there is no central decision for management of the root's name servers. So they can all decide independently to anycast.

Diversity is a good thing. But who do the root operators answer to anyway? Not to ICANN, I'm told.
Re: Verisign suggestion
On Thu, 18 Sep 2003, David B Harris wrote:

: ...and for heavens sake, stop accepting any kind of request at all on port
: 25!! Just shut it down altogether. There is no reason for you to accept
: any connection of any kind on port 25!

: If they don't accept anything on port 25, either by sending all packets
: to /dev/null or by responding with SYN+RST (Connection refused), MTAs
: everywhere will consider this a temporary error.

Then the wildcard should have included an MX that points to nowhere, rather than implementing a fake MTA that allows the MAIL FROM and RCPT TO addresses to be transmitted. The record

    IN MX 0 .

is commonly used for this purpose.

--
-- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: DNS anycast considered harmful (was: .ORG problems this evening)
On Thu, 18 Sep 2003, Stephane Bortzmeyer wrote:

: There's an easy fix to that particular situation: Make the first (or first
: two) listed servers anycast, and the rest unicast.
:
: It would require a central management (or at least a central
: oversight) of the root name servers and I do not believe there is one:
: each root name server anycasts at will, without a leader saying (A
: and B will anycast, the others will stay unicast).

Well, that's something for the root server operators to think about and discuss amongst themselves. I know several of them are reading this list, and may be reading this thread. 8-)

Still doesn't help .ORG, which is 100% anycast and thus has no DNS-based redundancy (see my experience elsewhere in this thread).

--
-- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: Worst design decisions?
Frank wrote:

> the original GSR blanks came without handles. They were also put in tight as ***. For days after, your fingers would have the imprints of the little screws on them. I once used my socks to protect my fingers when I was pulling them out.

Some Cisco gear also arrived with the flash cards hammered in, because the manufacturing people seemingly had issues getting the flash card inserted properly, effectively destroying the connectors and the card in process. Though this does not compete with airport / cargo handling forklift accomplishments.

Pete
Re: .ORG problems this evening
Todd Vierling wrote:

> Yes, it is firewalled. I was pointing out that the route is the same for tld1 and tld2 for me, all the way up to the firewall.

Please post traceroutes from your location, as well as from the two locations in different parts of the USA (You said earlier: "I tracerouted to both IPs from two different locations in the USA; both took the same route before hitting !H from an ultradns.com rDNS machine.")

Then please post the results of

    sho ip bgp 204.74.112.1

and

    sho ip bgp 204.74.113.1

from your location.

Thanks

--
Rodney Joffe
CenterGate Research Group, LLC.
http://www.centergate.com
"Technology so advanced, even we don't understand it!"(SM)
Re: DNS anycast considered harmful (was: .ORG problems this evening)
On Thu, 18 Sep 2003, Stephane Bortzmeyer wrote:

: Still doesn't help .ORG, which is 100% anycast and thus has no DNS-based
: redundancy
:
: Wrong since there are two IP addresses. They may fail at the same time
: (which apparently happened to you) but there is at least an element of
: non-BGP redundancy (I'm not aware of any TLD running with only one
: anycasted name server, although it would still have some redundancy).

Okay, let me qualify then: ...no DNS-based redundancy when both routes point to the same place and that particular place goes off the air while its BGP advertisements stay up and running...

DNS-based redundancy typically implies going to different servers at different locations, regardless of what BGP says. The fact that anycast took me to the same place for both IPs, and that same place went down all at once, means that I was effectively looking at a single point of failure with no way for DNS to pick another place to look.

--
-- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: Worst design decisions?
Speaking on Deep Background, the Press Secretary whispered:

> Hello all,
>
> Was doing some upgrades on a UBR7246 (to a VXR), and I got to thinking about short-sighted design considerations. I was curious if any of you had some pet peeves from a design perspective to rant about. I'll start with a couple.

1) The slide lock on transceiver cables.

2) Intel's+IBM's 640K wall.

3) IDE addressing standards. (We've been through the 528 MB, 2.1 GB, 4.2 GB, 8.4 GB caps what's next?)

2 & 3 are basically failures to look ahead far enough. We have lots of those. Some would say IPV4 is one, but I'll give them a little more credit than most.

--
A host is a host from coast to                  [EMAIL PROTECTED]
no one will talk to a host that's close       [v].(301) 56-LINUX
Unless the host (that isn't close)                     pob 1433
is busy, hung or dead                                20915-1433
Re: Fw: Re: ICANN - Formal Complaint re Verisign
Somebody pointed out, on another list, that Verisign's move is essentially a man in the middle attack. Which leads to the question: are they in violation of any Federal laws - such as, say, the Patriot Act?
Re: DNS anycast considered harmful (was: .ORG problems this evening)
> : There's an easy fix to that particular situation: Make the first (or first
> : two) listed servers anycast, and the rest unicast.
> :
> : It would require a central management (or at least a central
> : oversight) of the root name servers and I do not believe there is one:
> : each root name server anycasts at will, without a leader saying (A
> : and B will anycast, the others will stay unicast).
>
> Well, that's something for the root server operators to think about and discuss amongst themselves. I know several of them are reading this list, and may be reading this thread. 8-)

Plus, A is verisign so any hopes of cluefulness or working for the community are fading fast!

> Still doesn't help .ORG, which is 100% anycast and thus has no DNS-based redundancy (see my experience elsewhere in this thread).

It does - there are two! You just mean less than 13 as per the root.

What is the maximum number you can fit in a single NS reply for a 3 letter tld such as .com/.org? (Is it still 13? I'm not familiar with the DNS protocol at that level)

Steve
Re: Worst design decisions?
I have beef with every chassis designer that has ever left a sharp edge hidden deep inside their case of doom just waiting to gash some poor IT guy in a most unpleasant manner.. also ASUS who insists on putting their onboard sound interface at the BOTTOM of the MB when they know that the little cable you get with the cdrom is half the length of the board. you end up with an analog audio cable that's stretched tight and now in the way of all your PCI slots...

/rude

Ryan Dobrynski
Hat-Swapping Gnome
Choice Communications

Like the ski resort of girls looking for husbands and husbands looking for girls, the situation is not as symmetrical as it might seem.
Re: DNS anycast considered harmful (was: .ORG problems this evening)
On Thu, 18 Sep 2003, Todd Vierling wrote:

> On Thu, 18 Sep 2003, Stephane Bortzmeyer wrote:
>
> : Still doesn't help .ORG, which is 100% anycast and thus has no DNS-based
> : redundancy
> :
> : Wrong since there are two IP addresses. They may fail at the same time
> : (which apparently happened to you) but there is at least an element of
> : non-BGP redundancy (I'm not aware of any TLD running with only one
> : anycasted name server, although it would still have some redundancy).
>
> Okay, let me qualify then: ...no DNS-based redundancy when both routes point to the same place and that particular place goes off the air while its BGP advertisements stay up and running...
>
> DNS-based redundancy typically implies going to different servers at different locations, regardless of what BGP says. The fact that anycast took me to the same place for both IPs, and that same place went down all at once, means that I was effectively looking at a single point of failure with no way for DNS to pick another place to look.

Okay but

1. Only you were affected
2. Only you have both servers going to the same place

There's a theme in this, perhaps indicating where the problem may have been :)
Re: Worst design decisions?
At 08:57 AM 9/18/2003, David Lesher wrote:

> Speaking on Deep Background, the Press Secretary whispered:
>
> > Hello all,
> >
> > Was doing some upgrades on a UBR7246 (to a VXR), and I got to thinking about short-sighted design considerations. I was curious if any of you had some pet peeves from a design perspective to rant about. I'll start with a couple.
>
> 1) The slide lock on transceiver cables.
>
> 2) Intel's+IBM's 640K wall.
>
> 3) IDE addressing standards. (We've been through the 528 MB, 2.1 GB, 4.2 GB, 8.4 GB caps what's next?)

Are you asking? :) It would by my count be the 137.4GB limit of LBA28 which was already corrected with LBA48 if your motherboard supports it. Maybe you haven't had to use an IDE drive that large yet. ;) There may have been another limitation in there on IDE that I'm missing in some form...

As a sidenote, MS (in trying to phase out FAT32 in favor of NTFS) started limiting the creation of FAT32 drives allowing a maximum of only 32GB in Windows 2000, but that doesn't really bother me. :)

Vinny Abello
Network Engineer
Server Management
[EMAIL PROTECTED]
(973)300-9211 x 125
(973)940-6125 (Direct)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN

There are 10 kinds of people in the world. Those who understand binary and those that don't.
Re: Worst design decisions?
How about MB chipset fans which always seem to fail! I avoid any mobo with a chipset fan if possible. This is still commonplace and I still see them fail all the time.

At 09:09 AM 9/18/2003, Ryan Dobrynski wrote:

> I have beef with every chassis designer that has ever left a sharp edge hidden deep inside their case of doom just waiting to gash some poor IT guy in a most unpleasant manner.. also ASUS who insists on putting their onboard sound interface at the BOTTOM of the MB when they know that the little cable you get with the cdrom is half the length of the board. you end up with an analog audio cable that's stretched tight and now in the way of all your PCI slots...
>
> /rude
>
> Ryan Dobrynski
> Hat-Swapping Gnome
> Choice Communications
>
> Like the ski resort of girls looking for husbands and husbands looking for girls, the situation is not as symmetrical as it might seem.

Vinny Abello
Network Engineer
Server Management
[EMAIL PROTECTED]
(973)300-9211 x 125
(973)940-6125 (Direct)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN

There are 10 kinds of people in the world. Those who understand binary and those that don't.
Re: Verisign suggestion
* [EMAIL PROTECTED] (Todd Vierling) [Thu 18 Sep 2003, 14:34 CEST]:

> On Thu, 18 Sep 2003, David B Harris wrote:
>
> > If they don't accept anything on port 25, either by sending all packets
> > to /dev/null or by responding with SYN+RST (Connection refused), MTAs
> > everywhere will consider this a temporary error.
>
> Then the wildcard should have included an MX that points to nowhere, rather than implementing a fake MTA that allows the MAIL FROM and RCPT TO addresses to be transmitted. The record IN MX 0 . is commonly used for this purpose.

Postfix just throws a "Malformed name server reply" error and keeps the mail in the queue if you do that. No solution there.

The expected behaviour is that mail addressed to recipients at nonexistent domains *bounces* with no delay and, of course, with as little information about the transaction leaked to third parties such as TLD name service operators.

-- Niels.
Re: Worst design decisions? (Cisco 4x00 rails)
Cisco 4x00 frame rails are the king - bend 'em and you'll be using a chisel to open the metal chassis so you can remove the NPs. I've still got a 4000 around here somewhere that was shuffled to lab duty after I did surgery on it with a large cold chisel & mallet.

Matt wrote:

> Hello all,
>
> Was doing some upgrades on a UBR7246 (to a VXR), and I got to thinking about short-sighted design considerations. I was curious if any of you had some pet peeves from a design perspective to rant about. I'll start with a couple.
>
> 1) Why did Cisco design the I/O controller on the 7246 with screws in the corner, which are very difficult to get at? And worse than that, why did they not include a cheap handle on the blank in this slot?
>
> 2) Why did Cisco not include side handles on the 12000 chassis? It's a heavy chassis, and I can imagine how many techs have thrown out their back moving that chassis around.
>
> I've got a couple others in my head from 3Com and a couple of others, but I thought I'd get the ball rolling. So, what do you think?

--
mailto:[EMAIL PROTECTED]
phone:402-301-9555

"After all that I've been through, you're the only one who matters, you never left me in the dark here on my own" - Widespread Panic
RE: Worst design decisions?
* How about the plastic stand-offs that hold the AIM-VPN cards in the 2600 and 1700 series. Yeah...the ones that DON'T come with your SmartNet replacement chassis and that you have to pull the entire board to release.

* And how about this: Cisco: PICK A BUSINESS END ON YOUR SMALL OFFICE ROUTING EQUIPMENT. Most of my less clued customers like to help out and rack the equipment ahead of time. And it always gets done pretty side out. Yeah..the side with a Cisco logo and three lights. It sure does look like it should be the front, but it's useless that way. Maybe putting the power on that side would clue people in to the fact that it's basically useless to point that at the easy-access side of the rack.

* PCs with built in Ethernet that is so close to a lip on the case, with the release pointed down, that you need to use a screwdriver/knife/whatever to release the cable.

* Lack of proper SPAN support on 29xx/35xx series switches. Read only? I can live with it. No inter-vlan? Very bad.

Does that make my worst design decision using Cisco CPE at my small customer/remote office sites? H

Daryl G. Jurbala
BMPC Network Operations
Tel: +1 215 825 8401
Fax: +1 508 526 8500
INOC-DBA: 26412*DGJ
PGP Key: http://www.introspect.net/pgp
Re: DNS anycast considered harmful (was: .ORG problems this evening)
On Thu, 18 Sep 2003, Stephen J. Wilcox wrote:

: 1. Only you were affected

I doubt this. At least one person has noted seeing the same on this list, and I bet many more would corroborate by looking for DNS temp failures for MAIL FROM:[EMAIL PROTECTED] in mail logs from last night between about 10:00PM (GMT-4) and 11:30PM (GMT-4).

: 2. Only you have both servers going to the same place

This is NOT MY FAULT. This is a flaw in the basic design of UltraDNS's .ORG delegation.

I do, in fact, understand the purpose behind anycasting. It is not a failsafe redundancy scheme; it is, rather, a (geographic, ideally) traffic distribution scheme based on BGP best-path selection.

The problem with UltraDNS, the point which many on this list are missing, is that at least some UltraDNS sites are advertising *all* anycast networks simultaneously (see traceroutes below). Yes, all == 2 at the moment, but this argument holds for any value of all.

It is therefore possible (and was last night the case) that the same route was chosen at one site for all UltraDNS anycast networks. This produces, effectively, a single point of failure from the perspective of that site -- and it is NOT that site's fault that its path selection happened to choose the same route for all .ORG servers.

So I try to look up domains in .ORG, and all its servers fail because they all route to a dead site. This is acceptable how? This is my site's fault how?

The correct way to fix this is to have more than just two networks -- and to guarantee that no single physical location advertises *all* networks simultaneously. With that scheme, every site is guaranteed that at least one of the anycast networks goes to a geographically different location from the rest.

: Theres a theme in this, perhaps indicating where the problem may have been :)

gTLD operators should attempt to provide a degree of failsafe redundancy that guarantees no site will select the same server cluster for *all* NS records serving the zone.

Last night, a site did select the same destination for all NS addresses, and a failure happened at that site, causing DNS lookups for at least part of the Internet to fail.

===

Sample traceroutes from today, showing that at least one of UltraDNS's locations is advertising all of their tld*.ultradns.net anycast networks at once. If the site where the dellfweqch is located goes dead to DNS, but these networks continue to be available and selected by the host from which I'm tracerouting, then DNS for .ORG at this site will be dead -- regardless of how many other sites can see the zone.

traceroute to tld1.ultradns.net (204.74.112.1): 1-30 hops, 38 byte packets
...
 5  so1-0-0-2488M.br2.CHI1.gblx.net (67.17.71.82)  1.85 ms (ttl=250!)
 6  p1-6-3-0.r01.chcgil01.us.bb.verio.net (129.250.9.117)  1.17 ms
 7  p16-2-0-0.r01.chcgil06.us.bb.verio.net (129.250.5.70)  1.43 ms (ttl=251!)
 8  ge-1-1.a00.chcgil07.us.ra.verio.net (129.250.25.167)  1.71 ms (ttl=253!)
 9  fa-2-1.a00.chcgil07.us.ce.verio.net (128.242.186.134)  1.34 ms (ttl=251!)
10  dellfweqch.ultradns.net (204.74.102.2)  2.01 ms (ttl=60!) !H

traceroute to tld2.ultradns.net (204.74.113.1): 1-30 hops, 38 byte packets
...
 4  0.so-1-0-0.XL2.CHI13.ALTER.NET (152.63.69.182)  4.95 ms (ttl=251!)
 5  POS7-0.BR1.CHI13.ALTER.NET (152.63.73.22)  4.67 ms
 6  a11-0d114.IR1.Chicago2-IL.us.xo.net (206.111.2.73)  1.70 ms (ttl=251!)
 7  p5-0-0.RAR1.Chicago-IL.us.xo.net (65.106.6.133)  2.47 ms
 8  p4-0-0.MAR1.Chicago-IL.us.xo.net (65.106.6.142)  2.69 ms
 9  p0-0.CHR1.Chicago-IL.us.xo.net (207.88.84.10)  2.84 ms (ttl=248!)
10  *
11  dellfweqch.ultradns.net (204.74.102.2)  2.81 ms (ttl=60!) !H

--
-- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: Worst design decisions?
Sorry, I missed the hands-down winner in my initial thinking, since it's not in my arena [hardware]..

The envelope please..

Micro$loth Lookout

{applause}

Starting with "Let's invent top-posting" and moving to its virus-spreading abilities; Lookout has never met a standard, either hard [written/RFC] or not [consensus] that it could not wound/kill.

Further, it damages the thinking of its users almost as well as drug dealers' wares -- be that crack or this week's over-hyped anti-depress^H^H^H mood-fixer.

It's the Newspeak of the current era.

-- 
A host is a host from coast to coast          [EMAIL PROTECTED]
no one will talk to a host that's close      [v].(301) 56-LINUX
Unless the host (that isn't close)                    pob 1433
is busy, hung or dead                               20915-1433
Re: .ORG problems this evening
On Thu, 18 Sep 2003, just me wrote:

: If you're still confused, have a read here:
:
: http://www.ultradns.com/support/managed_dns_faq.cfm
:
: Q. I read that your service is supposed to make use of several
: servers all over the world, but you only give users two server
: addresses to provide to their registrar. How do I make use of all the
: other servers?

I know what anycast does. See the other sister thread. The problem is that their answer is frankly *wrong*:

    A. The two server addresses you supply your registrar when you set up a
    domain on the UltraDNS system are actually 'virtual' addresses that will
    route to the best possible server on our network, based on a number of
    factors. This highly intelligent mechanism allows you to achieve full
    redundancy and reliability with only two name server addresses actually
    listed. In fact, if the registrar would allow you to do so, you could
    achieve the same level of reliability with only one name server address.

Anycast is *NOT* a redundancy and reliability system when dealing with application-based services like DNS. Rather, anycast is a geographically biased traffic distribution system. There is a subtle but important difference here:

DNS site A advertises anycast networks 1.2.3.0/24 and 1.2.4.0/24.
DNS site B advertises anycast networks 1.2.3.0/24 and 1.2.4.0/24.
Host site C attempts to use DNS servers from DNS sites A or B based on best anycast route selection.
Host site C's router happens to pick DNS site A as best route for both 1.2.3.0/24 and 1.2.4.0/24.
DNS site A goes down, but its BGP advertisements are still in effect. (Their firewall still appears to be up, but DNS requests fail.)
Host site C cannot resolve ANYTHING from DNS site A, even though DNS site B is still up and running. But host site C cannot see DNS site B!

Get the picture yet?

-- 
-- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: DNS anycast considered harmful (was: .ORG problems this evening)
In a message written on Thu, Sep 18, 2003 at 09:57:23AM -0400, Todd Vierling wrote:
> The problem with UltraDNS, the point which many on this people are missing,
> is that at least some UltraDNS sites are advertising *all* anycast networks
> simultaneously (see traceroutes below). Yes, all == 2 at the moment, but
> this argument holds for any value of all.

Having just looked at this for some work functions I must agree. A truly robust anycast setup has two addresses (or networks, or whatever), but only one per site. From the momentary outage while BGP reconverges to the very real problem of the service being down and the route still being announced there are issues with all anycast addresses going to one site.

Number your sites from 1..N, have all odds announce one address, all evens the other. DNS servers will still use the closest (due to RTT checking), but will now also have a backup that does not go to the same site in steady state, but is still very close as well.

I strongly suggest the UltraDNS people look at that configuration if they aren't doing it now.

-- 
Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - [EMAIL PROTECTED], www.tmbg.org
Re: Worst design decisions?
On Thu, 18 Sep 2003, David Lesher wrote:

: Sorry, I missed the hands-down winner in my initial thinking,
: since it's not in my arena [hardware]..

Oh, the hardware one's easy, though. The modern PC, which does not by default come with a remote management (typically RS-232) system-level console. At least most if not all of the hardware discussed in this thread has *that*. 8-)

: The envelope please..
: Micro$loth Lookout

METOO/

-- 
-- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED]
Virus uptick?
I'm suddenly getting 3-4x the M$ patch and bounced mail virus attacks as compared to 2-3 days ago. Is this perhaps a result of VeriSlime's actions?

[Note I'm talking raw volume at my accounts; so it's not the result of local filtering breaking.]

-- 
A host is a host from coast to coast          [EMAIL PROTECTED]
no one will talk to a host that's close      [v].(301) 56-LINUX
Unless the host (that isn't close)                    pob 1433
is busy, hung or dead                               20915-1433
Re: Worst design decisions?
*glares*

Sometimes, especially on the Windows platform, it's hard trying to find an email program which does what you need it to. I've tried Eudora, Netscape/Mozilla, and a few others I forget what they are named. All feel klutzy and incomplete. Outlook and its little friend Outlook Express at least work pretty consistently. I've not had serious problems using it full time.

Now, before everyone starts calling me a Microsoft supporter - I hate Microsoft just as much as any other sysadmin/netadmin. But sometimes (albeit rarely), Microsoft does something halfway decent.

Now, if I could get K-Mail for Windows, I'd be in good shape.

-- 
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511

----- Original Message -----
From: David Lesher [EMAIL PROTECTED]
To: nanog list [EMAIL PROTECTED]
Sent: Thursday, September 18, 2003 10:01 AM
Subject: Re: Worst design decisions?

> Sorry, I missed the hands-down winner in my initial thinking,
> since it's not in my arena [hardware]..
>
> The envelope please..
>
> Micro$loth Lookout
>
> {applause}
>
> Starting with "Let's invent top-posting" and moving to its
> virus-spreading abilities; Lookout has never met a standard, either
> hard [written/RFC] or not [consensus] that it could not wound/kill.
>
> Further, it damages the thinking of its users almost as well as drug
> dealers' wares -- be that crack or this week's over-hyped
> anti-depress^H^H^H mood-fixer.
>
> It's the Newspeak of the current era.
>
> -- 
> A host is a host from coast to coast          [EMAIL PROTECTED]
> no one will talk to a host that's close      [v].(301) 56-LINUX
> Unless the host (that isn't close)                    pob 1433
> is busy, hung or dead                               20915-1433
RE: Worst design decisions?
Sun Ultra Enterprise 3500. Three power supplies for redundancy, only *one* power cord. You'd think that with something that originally cost 6 figures, this would have been thought out a bit more.

Oh, and 1U patch panels with only 12 ports in them annoy me.

-----Original Message-----
From: Matt [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 17, 2003 5:43 PM
To: [EMAIL PROTECTED]
Subject: Worst design decisions?

> Hello all,
>
> Was doing some upgrades on a UBR7246 (to a VXR), and I got to thinking
> about short sighted design considerations. I was curious if any of you
> had some pet peeves from a design perspective to rant about. I'll start
> with a couple.
>
> 1) Why did Cisco design the I/O controller on the 7246 with screws in
> the corner, which are very difficult to get at? And worse than that, why
> did they not include a cheap handle on the blank in this slot?
>
> 2) Why did Cisco not include side handles on the 12000 chassis? It's a
> heavy chassis, and I can imagine how many techs have thrown out their
> back moving that chassis around.
>
> I've got a couple others in my head from 3Com and a couple of others,
> but I thought I'd get the ball rolling. So, what do you think?
Re: DNS anycast considered harmful (was: .ORG problems this evening)
On Thu, 18 Sep 2003, Leo Bicknell wrote:

: Number your sites from 1..N, have all odds announce one address, all
: evens the other. DNS servers will still use the closest (due to RTT
: checking), but will now also have a backup that does not go to the same
: site in steady state, but is still very close as well.

Yup. Of course, if what they really want is to bias it toward geographic closeness, more than two would be needed. One possible example:

tld0.ultradns.net - advertised by everyone
tld1.ultradns.net - advertised by odd servers
tld2.ultradns.net - advertised by even servers

With the provision that tld0 shows up first in queries for the glue records (for first-pick bias).

-- 
-- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: DNS anycast considered harmful (was: .ORG problems this evening)
On Thu, 18 Sep 2003, Leo Bicknell wrote:

> A truly robust anycast setup has two addresses (or networks, or
> whatever), but only one per site. From the momentary outage while BGP
> reconverges to the very real problem of the service being down and the
> route still being announced there are issues with all anycast addresses
> going to one site.

Yes, this is the fatal miscalculation in the ultradns setup. However, the other aspect, hiding most servers and only showing two at a time, isn't exactly the best idea ever either. First of all, it limits the number of usable DNS servers available at any specific location unnecessarily, and second, BGP metrics are a very poor substitute for RTT measurements.
Re: Root Server Operators (Re: What *are* they smoking?)
Paul Vixie wrote:
> actually, i had it convincingly argued to me today that wildcards in root
> or top level domains were likely to be security problems, and that domains
> like .museum were the exception rather than the rule, and that bind's
> configuration should permit a knob like "don't accept anything but
> delegations unless it's .museum or a non-root non-tld". i guess the ietf
> has a lot to think about now.

Paul,

I would argue, as seen in some of my other posts, that the wildcard feature of .museum is not always wanted either. Would it not be wise to push forward into the future with support for software to request if it wants a wildcard or not? While a wildcard bit is ideal, there are methods of determining wildcards programmatically. Being able to cache and handle such information is important as different applications have different requirements.

After all, is this the Internet or just the World Wide Web? Wildcards at the roots are catering solely to the web and disrupting other protocols which require NXDOMAIN.

-Jack
Re: Virus uptick?
I have noticed suddenly my virus filter catching more of those exact same messages here in the last 24 hours.

David Lesher wrote:
> I'm suddenly getting 3-4x the M$ patch and bounced mail virus attacks
> as compared to 2-3 days ago. Is this perhaps a result of VeriSlime's
> actions?
>
> [Note I'm talking raw volume at my accounts; so it's not the result of
> local filtering breaking.]

-- 
May God Bless you and everything you touch.

My foundation verse:
Isaiah 54:17 No weapon that is formed against thee shall prosper; and every tongue that shall rise against thee in judgment thou shalt condemn. This is the heritage of the servants of the LORD, and their righteousness is of me, saith the LORD.
Re: Root Server Operators (Re: What *are* they smoking?)
* [EMAIL PROTECTED] (Jack Bates) [Thu 18 Sep 2003, 16:41 CEST]:
> After all, is this the Internet or just the World Wide Web? wildcards at
> the roots are catering solely to the web and disrupting other protocols
> which require NXDOMAIN.

Wildcards anywhere are problematic. I've yet to encounter a situation where they didn't cause extreme operational brokenness.

-- Niels.
Re: Worst design decisions?
--- Matt [EMAIL PROTECTED] wrote:
> I've got a couple others in my head from 3Com and a couple of others,
> but I thought I'd get the ball rolling. So, what do you think?

Personally my issues are console-cable related: is there a benefit to the HUGE variety of console pinouts used by the various hardware vendors? Just look at vendor C as an example (I can think of four types immediately) - not only are the types of console port not standardized, but the process for determining the location of the port clearly involved the reading of entrails...

-David Barak
-Fully RFC 1925 Compliant-

__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com
Re: Worst design decisions?
Without a question: PS/2 style keyboard and mouse connectors. Impossible to tell from each other, or the right way up without eyeballs directly on them. A real PITA when trying to reach behind a desk or rack.

The console port is a close second, though...

On Thu, 18 Sep 2003, David Barak wrote:

> --- Matt [EMAIL PROTECTED] wrote:
> > I've got a couple others in my head from 3Com and a couple of others,
> > but I thought I'd get the ball rolling. So, what do you think?
>
> Personally my issues are console-cable related: is there a benefit to
> the HUGE variety of console pinouts used by the various hardware
> vendors? Just look at vendor C as an example (I can think of four types
> immediately) - not only are the types of console port not standardized,
> but process for determining the location of the port clearly involved
> the reading of entrails...
>
> -David Barak
> -Fully RFC 1925 Compliant-
>
> __________________________________
> Do you Yahoo!?
> Yahoo! SiteBuilder - Free, easy-to-use web site design software
> http://sitebuilder.yahoo.com

James Smallacombe                    PlantageNet, Inc. CEO and Janitor
[EMAIL PROTECTED]                                           http://3.am
=========================================================================
Re: Virus uptick?
--On Thursday, September 18, 2003 10:45 -0400 William Warren [EMAIL PROTECTED] wrote:

> I have noticed suddenly my virus filter catching more of those exact
> same messages here in the last 24 hours.
>
> David Lesher wrote:
> > I'm suddenly getting 3-4x the M$ patch and bounced mail virus attacks
> > as compared to 2-3 days ago.

It's called Swen-A, but some anti-virus vendors seem to place it in the Gibe class as well.

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100662
http://vil.nai.com/vil/content/v_100662.htm
http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED]
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SWEN.A

Regards,

Scott A. McIntyre
XS4ALL Internet B.V.
Contact from Verio
Someone from Verio please contact me off list. We are experiencing some routing issues through/to your network. Thanks, Josh
Re: Worst design decisions?
On Thu, 18 Sep 2003 [EMAIL PROTECTED] wrote:

: Without a question: PS/2 style keyboard and mouse connectors. Impossible
: to tell from each other,

And this part is somewhat funny, too, because the PS/2 connector layout is capable of having both devices share the same bus (there's two unconnected pins, which some laptops use to provide alternate CLK/DATA signals). If PS/2 mice used the unconnected pins rather than the same CLK/DATA pins as the keyboard, all machines could simply have two connectors using all six pins and you'd be able to plug either device into either socket.

A real bus would have been better yet, but we're talking about a spec that came from a company bent on continuing to use simple TTL-based clocked communications with collision detection only available by extra bus lines (read: bus and tag 8-).

-- 
-- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED]
RE: Worst design decisions?
RJ21 patch panel connectors that are designed in such a way that you can only screw down one end of the connector have consistently ruined my day. Untold headaches with intermittent connectivity on devices using the east end of the connector because crowded conditions in the cabinet cause the thick, unwieldy cables to lift the unscrewed end ever-so-slightly out of its socket.

-bob

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 18, 2003 10:57 AM
To: [EMAIL PROTECTED]
Subject: Re: Worst design decisions?

> Without a question: PS/2 style keyboard and mouse connectors.
> Impossible to tell from each other, or the right way up without
> eyeballs directly on them. A real PITA when trying to reach behind a
> desk or rack.
>
> The console port is a close second, though...
>
> On Thu, 18 Sep 2003, David Barak wrote:
>
> > --- Matt [EMAIL PROTECTED] wrote:
> > > I've got a couple others in my head from 3Com and a couple of
> > > others, but I thought I'd get the ball rolling. So, what do you
> > > think?
> >
> > Personally my issues are console-cable related: is there a benefit
> > to the HUGE variety of console pinouts used by the various hardware
> > vendors? Just look at vendor C as an example (I can think of four
> > types immediately) - not only are the types of console port not
> > standardized, but process for determining the location of the port
> > clearly involved the reading of entrails...
> >
> > -David Barak
> > -Fully RFC 1925 Compliant-
> >
> > __________________________________
> > Do you Yahoo!?
> > Yahoo! SiteBuilder - Free, easy-to-use web site design software
> > http://sitebuilder.yahoo.com
>
> James Smallacombe                    PlantageNet, Inc. CEO and Janitor
> [EMAIL PROTECTED]                                           http://3.am
> =========================================================================
Re: Virus uptick?
I overlooked the OBVIOUS reason that someone just mentioned: There is a new worm:

http://www.f-secure.com/v-descs/swen.shtml

Damn, we need a TV-Guide type page listing all the first run and rerun M$ viruses. It's just too hard to keep them all straight..

-- 
A host is a host from coast to coast          [EMAIL PROTECTED]
no one will talk to a host that's close      [v].(301) 56-LINUX
Unless the host (that isn't close)                    pob 1433
is busy, hung or dead                               20915-1433
RE: Worst design decisions?
On Thu, 18 Sep 2003, Daryl G. Jurbala wrote:

> * PCs with built in Ethernet that is so close to a lip on the case, with
> the release pointed down, that you need to use a
> screwdriver/knife/whatever to release the cable.

...and combine that with the RJ45 connectors that have a rubber hood over the release. Gr!

G
Re: .ORG problems this evening
In a message written on Thu, Sep 18, 2003 at 10:05:15AM -0400, Todd Vierling wrote:
> Anycast is *NOT* a redundancy and reliability system when dealing with
> application-based services like DNS. Rather, anycast is a geographically

I think you'll find most people on the list would disagree with you on this point. Many ISPs run anycast for customer facing DNS servers, and I'll bet if you ask, the first reason why isn't because they provide faster service, or distribute load, but because the average customer only wants one or two IPs to put in his DNS config, and gets real annoyed when they don't work.

So it is a redundancy and reliability thing: the customer can configure (potentially) one address, and the ISP can have 10 servers for it so if one dies all is well.

Is it appropriate for a gTLD? Now that's a whole different can of worms. Personally I think they should return the two anycast addresses, and as many actual server addresses as will fit in the packet. This is the best of both worlds. When it works: geographically distributed load, redundancy at the IP layer, quick responses. When one of the failure modes is encountered (eg, stuck route) DNS has the information it needs to switch to a backup as well.

Redundancy is good. Redundancy at two levels is even better, particularly when they can back each other up. Plus, in this case it costs them nothing, they just have to tweak a config.

-- 
Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - [EMAIL PROTECTED], www.tmbg.org
yo' grammar so funny (was Re: DNS anycast considered harmful)
On Thu, 18 Sep 2003, Todd Vierling wrote:

: The problem with UltraDNS, the point which many on this people are missing,

: So I try to look up domains in .ORG, and all its the servers fail because

Heh. Sorry about the horrible lapse of grammar in the post above. I was writing it on a train, and apparently my normal attention to spelling and grammar detail failed me. I hope everyone could read through the thinkos. 8-)

I now return you to your regularly scheduled mailing list entertainment.

-- 
-- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: Worst design decisions?
On Thu, 18 Sep 2003, David Barak wrote:

> --- Matt [EMAIL PROTECTED] wrote:
> > I've got a couple others in my head from 3Com and a couple of others,
> > but I thought I'd get the ball rolling. So, what do you think?
>
> Personally my issues are console-cable related: is there a benefit to
> the HUGE variety of console pinouts used by the various hardware
> vendors? Just look at vendor C as an example (I can think of four types
> immediately) - not only are the types of console port not standardized,
> but process for determining the location of the port clearly involved
> the reading of entrails...

Applause

I can think of 6 different console cable pinouts and connectors that Enterasys (Cabletron) has used over the years. No wait, make that 7. How could I forget the inherited Fore ATM architecture and subsequent blades.

Could people just pick ONE pinout and connector and stick with it? Please!

Of course I also have a Cisco 675 that I've been unable to use for years simply because I have yet to figure out what ungodly pinout Cisco used in it.

Justin
Re: Worst design decisions?
That's to prevent it from being disconnected accidentally (or for any other reason :-)

When I get my hands on one of those, I clip off the hood with a pair of manicure scissors.

----- Original Message -----
From: Gerald [EMAIL PROTECTED]
To: Daryl G. Jurbala [EMAIL PROTECTED]
Cc: nanog list [EMAIL PROTECTED]
Sent: Thursday, September 18, 2003 10:16
Subject: RE: Worst design decisions?

> On Thu, 18 Sep 2003, Daryl G. Jurbala wrote:
>
> > * PCs with built in Ethernet that is so close to a lip on the case,
> > with the release pointed down, that you need to use a
> > screwdriver/knife/whatever to release the cable.
>
> ...and combine that with the RJ45 connecters that have a rubber hood
> over the release. Gr!
>
> G
Re: Worst design decisions?
On Thu, 18 Sep 2003, Todd Vierling wrote:

> On Thu, 18 Sep 2003 [EMAIL PROTECTED] wrote:
>
> : Without a question: PS/2 style keyboard and mouse connectors. Impossible
> : to tell from each other,
>
> And this part is somewhat funny, too, because the PS/2 connector layout
> is capable of having both devices share the same bus (there's two
> unconnected pins, which some laptops use to provide alternate CLK/DATA
> signals). If PS/2 mice used the unconnected pins rather than the same
> CLK/DATA pins as the keyboard, all machines could simply have two
> connectors using all six pins and you'd be able to plug either device
> into either socket.

In other words it should work like Apple's ADB (Apple Desktop Bus) ports do (did until they moved to USB). I really miss those ports.

Justin
RE: Worst design decisions?
I can't stand it when I sit down and find the keyboard in front of me has moved the backslash key. It drives me crazy and prompts me to find a real keyboard right away to work with. CB
Re: .ORG problems this evening
On Thu, 18 Sep 2003, Leo Bicknell wrote:

: Anycast is *NOT* a redundancy and reliability system when dealing with
: application-based services like DNS. Rather, anycast is a geographically
:
: I think you'll find most people on the list would disagree with you
: on this point. Many ISPs run anycast for customer facing DNS
: servers, and I'll bet if you ask the first reason why isn't because
: they provide faster service, or distribute load, but because the
: average customer only wants one or two IPs to put in his DNS config,
: and gets real annoyed when they don't work.

And guess what: neither of the two addresses supplied by UltraDNS worked last night for some sites, because their anycast configuration is not allowing DNS redundancy. It is depending on every site somehow choosing different routes for both addresses, which is not guaranteed.

Anycasting only works as a redundancy scheme when you have a mesh of *partially* overlapping BGP advertisements, so that a client has a guarantee that at least one address in the mix is located elsewhere from the rest.

: So it is a redundancy and reliability thing, the customer can configure
: (potentially) one address, and the ISP can have 10 servers for it so if
: one dies all is well.

But if all such anycast addresses have the ability to point to the same physical location, there is only an illusion of redundancy, because there's no way to get an alternate access point to the zone if a site is choosing a dead route for all server addresses. It doesn't matter how many other servers at the DNS provider are still working, because some sites can choose -- and have demonstrably chosen -- a single, dead site for all available anycast NS addresses in a setup like this (UltraDNS's .ORG configuration).

: Is it appropriate for a gTLD?

UltraDNS's setup isn't even appropriate for a 2LD. I'm damned glad that I don't have my subdomains hosted there.

-- 
-- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED]
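As an added example (not code from any poster in this thread), the following Python models the announcement schemes argued over above: every site announcing both anycast prefixes (the setup being criticised), Leo Bicknell's odd/even split, Todd Vierling's tld0/tld1/tld2 variant, and Leo's later suggestion of listing unicast server addresses alongside the anycast ones. It checks exhaustively whether any client's best-path choice can leave it with no working NS when one site dies while still announcing its routes; the site count, the client rankings and the ns<N> unicast names are constructed stand-ins, not real BGP or UltraDNS data.

```python
"""Model of the anycast failure mode discussed in this thread.

Each DNS site originates BGP announcements for some anycast prefixes. A
resolver's router picks, per prefix, the best-ranked site among those that
announce it. If a site dies but keeps announcing (the "stuck route" case),
every prefix whose best path landed on that site is dead for that resolver.
Site counts, client rankings and scheme names are constructed inputs."""
from itertools import permutations


def announcements(scheme, n_sites):
    """Map site number -> set of NS names (one anycast prefix each) it announces."""
    sites = {}
    for s in range(1, n_sites + 1):
        if scheme == "all-everywhere":
            # Every site announces both NS prefixes: the setup criticised above.
            sites[s] = {"tld1", "tld2"}
        elif scheme == "odd-even":
            # Odd sites announce one prefix, even sites the other.
            sites[s] = {"tld1"} if s % 2 else {"tld2"}
        elif scheme == "common-plus-odd-even":
            # tld0 from everyone, tld1 from odd sites, tld2 from even sites.
            sites[s] = {"tld0", "tld1"} if s % 2 else {"tld0", "tld2"}
        elif scheme == "anycast-plus-unicast":
            # Both anycast prefixes everywhere, plus each site's own unicast
            # address (constructed name ns<N>) listed as an additional NS.
            sites[s] = {"tld1", "tld2", f"ns{s}"}
        else:
            raise ValueError(f"unknown scheme {scheme!r}")
    return sites


def all_prefixes(sites):
    """Every NS name announced by at least one site."""
    return sorted({p for ps in sites.values() for p in ps})


def best_path(sites, prefix, ranking):
    """One client's BGP best-path choice for `prefix`.

    `ranking` is the client's preference order over site numbers, standing in
    for AS-path length, MED, IGP cost and the rest of the decision process.
    The first site in the ranking that announces the prefix wins."""
    for site in ranking:
        if prefix in sites[site]:
            return site
    return None


def working_servers(sites, ranking, dead_site):
    """NS names that still answer for this client when `dead_site` is down
    but its announcements stay in the routing table, so no path moves."""
    return {
        p for p in all_prefixes(sites)
        if best_path(sites, p, ranking) not in (None, dead_site)
    }


def has_single_point_of_failure(sites):
    """True if some client ranking and some single dead site leave that
    client with no working NS address at all (exhaustive over rankings)."""
    site_ids = sorted(sites)
    for ranking in permutations(site_ids):
        for dead in site_ids:
            if not working_servers(sites, ranking, dead):
                return True
    return False


def clients_blacked_out(sites, dead_site):
    """Fraction of all possible client rankings that lose every NS when
    `dead_site` fails: how much of the Internet goes dark for the zone."""
    rankings = list(permutations(sorted(sites)))
    dark = sum(1 for r in rankings if not working_servers(sites, r, dead_site))
    return dark / len(rankings)


if __name__ == "__main__":
    for scheme in ("all-everywhere", "odd-even",
                   "common-plus-odd-even", "anycast-plus-unicast"):
        sites = announcements(scheme, 4)
        print(f"{scheme:22} SPOF={has_single_point_of_failure(sites)} "
              f"clients dark if site 1 dies={clients_blacked_out(sites, 1):.2f}")
```

With four sites, only the all-everywhere scheme reports a single point of failure, and a quarter of the client rankings go dark when site 1 dies; the two-site case of that scheme is exactly the site A / site B walk-through earlier in the thread.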
Re: Verisign suggestion
On Thu, 18 Sep 2003 08:24:40 -0400 (EDT) Todd Vierling [EMAIL PROTECTED] wrote:

: ...and for heavens sake, stop accepting any kind of request at all on port
: 25!! Just shut it down altogether. There is no reason for you to accept
: any connection of any kind on port 25!

: If they don't accept anything on port 25, either by sending all packets
: to /dev/null or by responding with SYN+RST (Connection refused), MTAs
: everywhere will consider this a temporary error.

Then the wildcard should have included an MX that points to nowhere, rather than implementing a fake MTA that allows the MAIL FROM and RCPT TO addresses to be transmitted. The record "IN MX 0 ." is commonly used for this purpose.

Yeah, thanks for pointing this out. 'Twas an accidental omission in my mail.
Re: ICANN - Formal Complaint re Verisign
On Thu, Sep 18, 2003 at 11:42:19AM +0100, [EMAIL PROTECTED] wrote:
> And you can get SSL certs from alternative sources such as GeoTrust
> http://www.geotrust.com/

Bzzz, geotrust is Verisign
http://www.google.com/search?sourceid=mozclient&ie=utf-8&oe=utf-8&q=Thawte+was+bought+by+Verisign

Marc
-- 
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems security what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger [EMAIL PROTECTED] for PGP key
Re: Worst design decisions?
On Thu, 18 Sep 2003, John Palmer wrote:

: ...and combine that with the RJ45 connecters that have a rubber hood over
: the release. Gr!

: Thats to prevent it from being disconnected accidentally
: (or for any other reason :-)

Actually, the original intent of those hoods was to snagproof the locking tab -- which is of interest to places that have the Web O' Patch Panel Cables. Think "pull a disconnected cable out of the tangled mess and try not to break off the locking tab". 8-)

So it's a tradeoff between preserving the RJ45 connector and making it easy to disconnect.

-- 
-- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: IP issues with .com/.net change?
On Wed, 17 Sep 2003, Alex Kamantauskas wrote:

> Not really operational content, but I was wondering if there was an
> intellectual property issue with the Verisign .com/.net redirect? For
> instance, http://searchthewebwithgoogle.com/ brings you to a Verisign
> search engine. Or, even better, http://getyourdomainnameatregister.com/
> will bring you to a Verisign website.

This is the best point of attack I believe. A quick review of the WIPO domain decision archive:

http://listbox.wipo.int/domain-updates

shows that domains registered in bad faith, for example wwwcdw.com, are usually ruled against.

If the individual domain holders take issue with their own domains, both through WIPO, and what I feel will ultimately need to happen for this madness to stop, the courts, then Verisign can be stopped.

Millions of domains registered in bad faith.

http://wwwford.net/
http://worldnetatt.net
http://wwwlightreading.net
http://wwwcnn.net

andy

-- 
PGP Key Available at http://www.tigerteam.net/andy/pgp
Re: Virus uptick?
At 10:08 AM 18/09/2003, David Lesher wrote:
> I'm suddenly getting 3-4x the M$ patch and bounced mail virus attacks
> as compared to 2-3 days ago.

This virus seems to depart from the standard "Click on mine patches pleases" type text. Instead, it has quite an elaborate message complete with in line graphics etc to make it look legit. I imagine quite a few people are being fooled into clicking on it :-(

http://vil.nai.com/vil/content/v_100662.htm has a screen shot.

---Mike
Re: ICANN - Formal Complaint re Verisign
Speaking on Deep Background, the Press Secretary whispered:

> On Thu, Sep 18, 2003 at 11:42:19AM +0100, [EMAIL PROTECTED] wrote:
> > And you can get SSL certs from alternative sources such as GeoTrust
> > http://www.geotrust.com/
>
> Bzzz, geotrust is Verisign

And braindead. Go to that address with lynx.

-- 
A host is a host from coast to coast          [EMAIL PROTECTED]
no one will talk to a host that's close      [v].(301) 56-LINUX
Unless the host (that isn't close)                    pob 1433
is busy, hung or dead                               20915-1433
Re: ICANN - Formal Complaint re Verisign
Marc MERLIN [EMAIL PROTECTED] 9/18/03 9:27:11 AM

> On Thu, Sep 18, 2003 at 11:42:19AM +0100, [EMAIL PROTECTED] wrote:
> > And you can get SSL certs from alternative sources such as GeoTrust
> > http://www.geotrust.com/
>
> Bzzz, geotrust is Verisign
> http://www.google.com/search?sourceid=mozclient&ie=utf-8&oe=utf-8&q=Thawte+was+bought+by+Verisign
>
> Marc

If GeoTrust is Verisign, why do they make a big deal out of competing with Verisign?

http://www.geotrust.com/resources/market_share/index.htm

John
--
Re: Worst design decisions?
On Thu, 18 Sep 2003 09:53:38 -0400 Daryl G. Jurbala [EMAIL PROTECTED] wrote:

> * And how about this: Cisco: PICK A BUSINESS END ON YOUR SMALL OFFICE
> ROUTING EQUIPMENT. Most of my less clued customers like to help out and
> rack the equipment ahead of time. And it always gets done pretty side
> out. Yeah..the side with a Cisco logo and three lights. It sure does
> look like it should be the front, but it's useless that way. Maybe
> putting the power on that side would clue people in to the fact that
> it's basically useless to point that at the easy-access side of the rack.

I wouldn't consider that a design flaw. In fact, in some environments that may be the preferred way of doing it. Not only will it look nice and neat, but if the side of the box where all the connections are located is less accessible to humans, that may help lessen the opportunity for someone to touch something they shouldn't be touching. Unless your devices are constantly being re-cabled, this might be considered good design practice.

John
Re: Worst design decisions?
David Barak wrote:
> Personally my issues are console-cable related: is there a benefit to
> the HUGE variety of console pinouts used by the various hardware
> vendors? Just look at vendor C as an example [...]

Is that the best example you can come up with? Ever use any Bay equipment...?

Heh. Makes me want to add "I hate it when that happens", as in "Ever put your head in a vise and crank it down real tight...?"

Peter E. Fry
Re: .ORG problems this evening
Speaking on Deep Background, the Press Secretary whispered:

: I think you'll find most people on the list would disagree with you
: on this point. Many ISP's run anycast for customer facing DNS
: servers, and I'll bet if you ask the first reason why isn't because
: they provide faster service, or distribute load, but because the
: average customer only wants one or two IP's to put in his DNS config,
: and gets real annoyed when they don't work.

And/or, the networking stack may accept 3,4{...}50 DNS addresses, but only really looks at the first.

-- 
A host is a host from coast to coast          [EMAIL PROTECTED]
no one will talk to a host that's close      [v].(301) 56-LINUX
Unless the host (that isn't close)                    pob 1433
is busy, hung or dead                               20915-1433
Re: ICANN - Formal Complaint re Verisign
Once upon a time, Marc MERLIN [EMAIL PROTECTED] said:
> On Thu, Sep 18, 2003 at 11:42:19AM +0100, [EMAIL PROTECTED] wrote:
> > And you can get SSL certs from alternative sources such as GeoTrust
> > http://www.geotrust.com/
>
> Bzzz, geotrust is Verisign
> http://www.google.com/search?sourceid=mozclient&ie=utf-8&oe=utf-8&q=Thawte+was+bought+by+Verisign

Bzzt, Thawte != Geotrust.

-- 
Chris Adams [EMAIL PROTECTED]
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
RE: ICANN - Formal Complaint re Verisign
As someone who has dealt extensively with GeoTrust, I can assure you, they are not owned by Verisign. They're a totally separate company that has the old equifax root cert. Thanks, Matt -- Matthew Zito GridApp Systems Email: [EMAIL PROTECTED] Cell: 646-220-3551 Phone: 212-358-8211 x 359 http://www.gridapp.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Neiberger Sent: Thursday, September 18, 2003 11:59 AM To: [EMAIL PROTECTED] Subject: Re: ICANN - Formal Complaint re Verisign Marc MERLIN [EMAIL PROTECTED] 9/18/03 9:27:11 AM On Thu, Sep 18, 2003 at 11:42:19AM +0100, [EMAIL PROTECTED] wrote: And you can get SSL certs from alternative sources such as GeoTrust http://www.geotrust.com/ Bzzz, geotrust is Verisign http://www.google.com/search?sourceid=mozclient&ie=utf-8&oe=utf-8&q=Thawte+was+bought+by+Verisign Marc If GeoTrust is Verisign, why do they make a big deal out of competing with Verisign? http://www.geotrust.com/resources/market_share/index.htm John --
Re: ICANN - Formal Complaint re Verisign
On Thu, 18 Sep 2003, Marc MERLIN wrote: On Thu, Sep 18, 2003 at 11:42:19AM +0100, [EMAIL PROTECTED] wrote: And you can get SSL certs from alternative sources such as GeoTrust http://www.geotrust.com/ Bzzz, geotrust is Verisign http://www.google.com/search?sourceid=mozclient&ie=utf-8&oe=utf-8&q=Thawte+was+bought+by+Verisign Geotrust != Thawte, thus follows that Geotrust != Verisign - d. -- Dominic J. Eidson Baruk Khazad! Khazad ai-menu! - Gimli --- http://www.the-infinite.org/ http://www.the-infinite.org/~dominic/
Class A Data Center
Can anyone point me to a set of standards that define a Class A Data Center? I'm not asking for requirements, but an actual pointer to standards hammered out by an organization or governing body. Thanks.
Re: Worst design decisions? (Cisco 4x00 rails)
My vote goes to the EMI gasket on Cisco's BPX 8600 cards. The gasket was tacky enough to maintain a nice seal between cards ... enough to remove one or two adjacent cards when you pulled the card out. Special runner up nominee is whatever do-gooder decided it was a good idea to have a cell phone beep incessantly when the battery level is low. Did this person never see the final scene of the original version of The Fly? Mark
--
Mark 'Doc' Rogaski, [EMAIL PROTECTED], 1994 Suzuki GS500ER, 1975 Yamaha RD250B
"Willing to accept a lower economic standard of living in return for higher quality of life." -- David Cantrell
Re: .ORG problems this evening
TV Date: Thu, 18 Sep 2003 10:05:15 -0400 (EDT) TV From: Todd Vierling TV DNS site A goes down, but its BGP advertisements are still in TV effect. Or are they? Eddy -- Brotsman Dreger, Inc. - EverQuick Internet Division Bandwidth, consulting, e-commerce, hosting, and network building Phone: +1 785 865 5885 Lawrence and [inter]national Phone: +1 316 794 8922 Wichita _ DO NOT send mail to the following addresses : [EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED] Sending mail to spambait addresses is a great way to get blocked.
Re: ICANN - Formal Complaint re Verisign
On Thu, 18 Sep 2003 09:59:27 MDT, John Neiberger [EMAIL PROTECTED] said: If GeoTrust is Verisign, why do they make a big deal out of competing with Verisign? And Chevy competes with Pontiac and Buick. Your point?
Re: Class A Data Center
On Thu, 18 Sep 2003 12:08:43 EDT, Bob German [EMAIL PROTECTED] said: Can anyone point me to a set of standards that define a Class A Data Center? I'm not asking for requirements, but an actual pointer to standards hammered out by an organization or governing body. must have connectivity from a Tier-1 provider? :)
Re: .ORG problems this evening
TV Date: Thu, 18 Sep 2003 11:39:17 -0400 (EDT) TV From: Todd Vierling TV And guess what: neither of the two addresses supplied by TV UltraDNS worked last night for some sites, because their TV anycast configuration is not allowing DNS redundancy. It is TV depending on every site somehow choosing different routes for TV both addresses, which is not guaranteed. I don't know what UDNS does internally, but ideally anycast:
+ Has steady, unchanging EGP adverts
+ Has service-providing boxen that advert/withdraw prefixes in the IGP depending on their status
+ Includes an internal network, so that flaps are contained.
If done properly, anycast means _all_ pods must fail to create a failure condition. If done improperly, it means _any_ pod failure can create a partial failure condition -- which means the probability of failure _increases_ with the number of pods. TV Anycasting only works as a redundancy scheme when you have a TV mesh of *partially* overlapping BGP advertisements, so that a TV client has a guarantee that at least one address in the mix TV is located elsewhere from the rest. Don't be silly. This is like claiming that multihoming only works if you spread services over different netblocks. TV But if all such anycast addresses have the ability to point TV to the same physical location, there is only an illusion of TV redundancy, because there's no way to get an alternate access TV point to the zone if a site is choosing a dead route for all TV server addresses. It doesn't matter how many other servers Ergo, that's why one withdraws the routes when a pod dies. Routes need to reflect what's up. Funny thing is, standard BGP has the same requirement. You're correct that an incorrect anycast setup can cause trouble, and arguably more than unicast. However, claiming that anycast is inherently bad is really, really silly. Eddy (no selfish interest in defending UltraDNS)
New routeviews service available (Address/Prefix - AS/ASPATH mappings)
All, In response to requests from many folks asking for prefix to AS mappings, routeviews is now providing 2 new services mapping an address or prefix to its origin AS and to its ASPath. These services are available via two zones:
(i) asn.routeviews.org
asn.routeviews.org maps an address or prefix into its origin AS, prefix, and prefix length, as seen by route-views2.routeviews.org (the data is held in TXT records). For example, the following command
% dig txt 223.128.asn.routeviews.org
returns (among other things)
223.128.asn.routeviews.org. 86400 IN TXT 3582 128.223.0.0 16
The syntax here is: AS Prefix Prefix-Length
(ii) aspath.routeviews.org
aspath.routeviews.org is similar to asn.routeviews.org, except that it maps an address or prefix into the ASpath (rather than origin AS), prefix, and prefix length, as seen by route-views2.routeviews.org (again, the data is held in TXT records). For example, the following command
% dig txt 223.128.aspath.routeviews.org
returns (among other things)
223.128.aspath.routeviews.org. 86400 IN TXT 286 209 3356 3701 3582 128.223.0.0 16
The syntax here is: ASPath Prefix Prefix-Length
These zones are built twice per day, 11:45 and 23:45 UTC. Finally, please let us know ([EMAIL PROTECTED]) if you have questions, comments or suggestions for ways we might otherwise improve this service. One note: these zones are quite large, and reloading them produces a period of a few minutes during which the server may not reply. Thanks, Dave
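As an added illustration of the two zones described above (this is example code written for this page, not routeviews' own tooling), the following Python builds the reversed-octet owner name to query and parses the TXT payloads. It performs no DNS lookups itself; the two payload strings are copied from the announcement, everything else (function names, the rule that a host address is queried with all four octets reversed, the "answer must cover what was asked" check) is an assumption of the example.

```python
"""Build routeviews lookup names and parse the TXT answers they return.

Added example for this page; not routeviews code. No DNS traffic is sent:
the TXT payloads below are the two shown in the announcement, everything
else is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ASN_ZONE = "asn.routeviews.org"
ASPATH_ZONE = "aspath.routeviews.org"

# TXT payloads exactly as quoted in the announcement
ASN_TXT = "3582 128.223.0.0 16"
ASPATH_TXT = "286 209 3356 3701 3582 128.223.0.0 16"


def lookup_name(target: str, zone: str) -> str:
    """Turn an address or CIDR prefix into the owner name to query.

    The announcement queries 128.223.0.0/16 as 223.128.<zone>: the octets
    covering the prefix length, reversed. Assumption (not stated on the
    page): a bare host address is queried with all four octets reversed.
    """
    net = ipaddress.ip_network(target, strict=False)
    if net.version != 4:
        raise ValueError("only IPv4 lookups are shown on the page")
    octets = str(net.network_address).split(".")
    n_octets = max(1, -(-net.prefixlen // 8))        # ceil(prefixlen / 8)
    return ".".join(reversed(octets[:n_octets])) + "." + zone


@dataclass(frozen=True)
class RouteViewsAnswer:
    as_path: List[int]                 # a single element for the asn zone
    prefix: ipaddress.IPv4Network

    @property
    def origin_as(self) -> int:
        """In both zones the AS adjacent to the prefix is the origin."""
        return self.as_path[-1]


def parse_txt(payload: str, queried: Optional[str] = None) -> RouteViewsAnswer:
    """Parse 'AS... Prefix Prefix-Length' from either zone.

    The last two fields are the prefix and its length; every field before
    them is an AS number (one for asn.routeviews.org, the whole path for
    aspath.routeviews.org). Malformed data raises ValueError, as does an
    answer whose prefix does not cover the address we asked about, so a
    stale or mismatched record cannot be silently attributed to it.
    """
    fields = payload.replace('"', "").split()   # tolerate dig's quoting
    if len(fields) < 3:
        raise ValueError(f"expected at least 3 fields, got {payload!r}")
    *asns, prefix, plen = fields
    path = [int(a) for a in asns]
    if any(a < 0 or a > 0xFFFFFFFF for a in path):
        raise ValueError("AS number out of range")
    net = ipaddress.ip_network(f"{prefix}/{int(plen)}", strict=True)
    if queried is not None:
        asked = ipaddress.ip_network(queried, strict=False)
        if not asked.subnet_of(net):
            raise ValueError(f"{net} does not cover queried {asked}")
    return RouteViewsAnswer(path, net)


def demo():
    """Both zones for the announcement's example, cross-checked."""
    name = lookup_name("128.223.0.0/16", ASN_ZONE)
    origin = parse_txt(ASN_TXT, queried="128.223.0.0/16")
    path = parse_txt(ASPATH_TXT, queried="128.223.5.9")   # constructed host
    # The origin reported by both zones should agree for the same prefix.
    consistent = origin.origin_as == path.origin_as and origin.prefix == path.prefix
    return name, origin.origin_as, path.as_path, str(path.prefix), consistent


if __name__ == "__main__":
    print(demo())
```

Because the answers come back over plain DNS, a consumer should treat them as advisory data and validate shape and coverage as above rather than feeding the fields straight into filters or reports.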
Re: .ORG problems this evening
On Thu, 18 Sep 2003, E.B. Dreger wrote: : TV Date: Thu, 18 Sep 2003 10:05:15 -0400 (EDT) : TV From: Todd Vierling : : TV DNS site A goes down, but its BGP advertisements are still in : TV effect. : : Or are they? I couldn't know for sure from some sites, but traceroutes sure got there. That would imply that (at their end) the advertisements were still up. BGP has no way to know that an internal network problem occurred. If someone mistakenly tripped over a network cable that disconnected DNS clusters from a router, how would the router know to drop anycast advertisements? (Sure, you could run zebra on the cluster. But what about if the name server SEGVs? There's a lot of possible scenarios) -- -- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED]
RE: ICANN - Formal Complaint re Verisign
On Thu, 18 Sep 2003, Matthew Zito wrote: As someone who has dealt extensively with GeoTrust, I can assure you, they are not owned by Verisign. They're a totally separate company that has the old equifax root cert. Agreed. I used Equifax before they handed off to Geotrust. Both have done a good job and are less painful (and less expensive) to deal with than VeriSign. I've never had to interact with either beyond purchasing single web certs at a time though. Gerald - How are ya? Never been better, ... Just once I'd like to be better.
Re: ICANN - Formal Complaint re Verisign
On Thu, Sep 18, 2003 at 11:11:12AM -0500, Dominic J. Eidson wrote: On Thu, 18 Sep 2003, Marc MERLIN wrote: On Thu, Sep 18, 2003 at 11:42:19AM +0100, [EMAIL PROTECTED] wrote: And you can get SSL certs from alternative sources such as GeoTrust http://www.geotrust.com/ Bzzz, geotrust is Verisign http://www.google.com/search?sourceid=mozclient&ie=utf-8&oe=utf-8&q=Thawte+was+bought+by+Verisign Geotrust != Thawte, thus follows that Geotrust != Verisign note to self: 1) wake up 2) read Email (you are of course correct) Marc -- A mouse is a device used to point at the xterm you want to type in - A.S.R. Microsoft is to operating systems & security what McDonalds is to gourmet cooking Home page: http://marc.merlins.org/ | Finger [EMAIL PROTECTED] for PGP key
Re: .ORG problems this evening
On Thu, 18 Sep 2003, E.B. Dreger wrote: : TV Anycasting only works as a redundancy scheme when you have a : TV mesh of *partially* overlapping BGP advertisements, so that a : TV client has a guarantee that at least one address in the mix : TV is located elsewhere from the rest. : : Don't be silly. This is like claiming that multihoming only : works if you spread services over different netblocks. We're talking about application (DNS) redundancy here, not transport-level (6to4 anycast RFC comes to mind) redundancy. With this in mind: : Ergo, that's why one withdraws the routes when a pod dies. : Routes need to reflect what's up. BGP doesn't know when a DNS server dies. Therein lies the fundamental problem of using anycast as an application redundancy scheme. -- -- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: Worst design decisions?
PEF Date: Thu, 18 Sep 2003 11:02:08 -0500 PEF From: Peter E. Fry PEF Is that the best example you can come up with? Ever use any PEF Bay equipment...? You have reminded me of Bay's config GUI. I shall have nightmares tonight. Eddy
Re: .ORG problems this evening
TV Date: Thu, 18 Sep 2003 13:01:18 -0400 (EDT) TV From: Todd Vierling TV BGP doesn't know when a DNS server dies. Therein lies the TV fundamental problem of using anycast as an application TV redundancy scheme. But it can and should. Again, seeing if the process is running is easy; verifying correct functionality requires more work, but definitely is doable. Eddy
Re: .ORG problems this evening
TV Date: Thu, 18 Sep 2003 12:52:29 -0400 (EDT) TV From: Todd Vierling TV I couldn't know for sure from some sites, but traceroutes TV sure got there. That would imply that (at their end) the TV advertisements were still up. Which would be an implementation flaw, not something inherently wrong with anycast. TV (Sure, you could run zebra on the cluster. But what about if TV the name server SEGVs? There's a lot of possible TV scenarios) That's why the routing daemon must be aware if the service is up or not. It requires custom or modified routing software. Having zebra stat(2) a file that the DNS daemon periodically touches is a quick way to verify that the DNS server software is still running. Easy enough. Gross, but effective, and easy enough. A proper implementation has the routing daemon monitor the service in question -- in this case DNS. If a series of test queries provide the correct response, all is well; if not, it's time to yank the route. Again, perhaps there are implementation flaws... I don't know anything about UltraDNS's internal network. But these can be fixed, and do not make anycast inherently unreliable. If one understands, thinks about, and approaches the problem, it can be solved. Eddy
Re: Worst design decisions?
David Barak wrote: Personally my issues are console-cable related: is there a benefit to the HUGE variety of console pinouts used by the various hardware vendors? Just look at vendor C as an example [...] Makes me remember when representatives from the mentioned vendor made funny looks when I suggested putting USB consoles on the boxes. Which would report to the host as USB serial (with possible other instances). Would make cable management easier with a larger number of consoles. Pete
Re: Worst design decisions?
On Thu, 18 Sep 2003, E.B. Dreger wrote: PEF From: Peter E. Fry PEF Is that the best example you can come up with? Ever use any PEF Bay equipment...? You have reminded me of Bay's config GUI. I shall have nightmares tonight. How about BCC? bcc#config ... wait ... -- Dominic J. Eidson Baruk Khazad! Khazad ai-menu! - Gimli --- http://www.the-infinite.org/ http://www.the-infinite.org/~dominic/
videotron contact
If anyone from Videotron is around, please contact me off-list. Thanks. Todd Mitchell --
Re: .ORG problems this evening
TV BGP doesn't know when a DNS server dies. Therein lies the TV fundamental problem of using anycast as an application TV redundancy scheme. But it can and should. Again, seeing if the process is running is easy; verifying correct functionality requires more work, but definitely is doable. Eddy -- Ick. you really believe that BGP can or should be augmented to understand application liveness? BGP reaching past the router, running a ps -augx and then performing applications specific tricks? I guess that when all you have/understand is a hammer, everything becomes a nail. Wait... It's a joke! you just forgot the :) --bill
Re: .ORG problems this evening
On Thu, 18 Sep 2003, Todd Vierling wrote: On Thu, 18 Sep 2003, E.B. Dreger wrote: : TV Date: Thu, 18 Sep 2003 10:05:15 -0400 (EDT) : TV From: Todd Vierling : : TV DNS site A goes down, but its BGP advertisements are still in : TV effect. : : Or are they? I couldn't know for sure from some sites, but traceroutes sure got there. That would imply that (at their end) the advertisements were still up. BGP has no way to know that an internal network problem occurred. If someone mistakenly tripped over a network cable that disconnected DNS clusters from a router, how would the router know to drop anycast advertisements? (Sure, you could run zebra on the cluster. But what about if the name server SEGVs? There's a lot of possible scenarios) Almost there.. just make sure your zebra IGPs are redistributing to your BGP so that a failure such as that knocks out the bgp too Steve
Re: Worst design decisions?
- Original Message - From: E.B. Dreger [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Thursday, September 18, 2003 1:04 PM Subject: Re: Worst design decisions? You have reminded me of Bay's config GUI. I shall have nightmares tonight. Ah, the days when I used to work on Bay routers. I've trashed routers with the GUI. Ran like a dog on even the fastest machines. The CLI config isn't much better either The best thing though was finding that some of the Bay routers (the ARN mostly) had their CLI config ripped out to save space on the flash card. Half the time I was on site with a customer when I discovered this. I always carried a Mac laptop, so I was royally screwed. -- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.2mbit.com ICQ: 8077511
Re: .ORG problems this evening
Todd Vierling wrote: BGP doesn't know when a DNS server dies. Therein lies the fundamental problem of using anycast as an application redundancy scheme. You ever think that maybe, just maybe, Ultra wrote some code to do this? Yes, it might have conceivably failed in a way that seems to have left you and one or two others in the veritable dark, but I don't think, at this point, using NANOG to debug the problem, no matter where it was, is going to be very productive. But, of course, I don't know anything about using DNS and anycast. ;-) Bob
Re: Worst design decisions?
On Thu, 18 Sep 2003 17:04:47 + (GMT), E.B. Dreger [EMAIL PROTECTED] wrote: You have reminded me of Bay's config GUI. I shall have nightmares tonight. Back in the winter of '00, I had the pleasure of working on a friend's old Bay. He was using it for a home-based ISP, and, well, I believe that it didn't want to do CIDR. No one knew the Manager password, either, so much recovery had to occur. To make matters more interesting, this was in a garage, and the lake effect machine had kicked in. And I was being an idiot. I don't remember the exact details (who said the human brain doesn't have incredible defense and self-repair mechanisms), but I sent out a narrative regarding the situation to a group of friends, and got the following reply back: Subject: Re: Fear and Loathing in AN-DIAG hehe...three things a Rochester sysadmin should always remember 1) Always make a backup, 2) Always try the Manager login, 3) Always count on lake effect. It's still on my monitor. I did get to send off a PFY to deal with a Cray router, though. -rt -- Ryan Tucker Network Engineer NetAccess, Inc. 1159 Pittsford-Victor Road Bldg. 5, Suite 140 Pittsford, New York 14534 585-419-8200 www.netacc.net
Re: .ORG problems this evening
E.B. Dreger wrote: TV Date: Thu, 18 Sep 2003 13:01:18 -0400 (EDT) TV From: Todd Vierling TV BGP doesn't know when a DNS server dies. Therein lies the TV fundamental problem of using anycast as an application TV redundancy scheme. But it can and should. Again, seeing if the process is running is easy; verifying correct functionality requires more work, but definitely is doable. And, I might add, in the case of a highly complex anycast application, you will need to check not only for correctness, but for timeliness. And, again, in the case of a highly complex app such as an anycast DNS, you need to check several behind the scenes apps, such as maybe a db, the responsiveness of your high avail partner server, the dns daemon, connectivity through two or more network paths, connectivity to master update servers, BGP on whatever boxes are providing BGP, etc, the list goes on. But again, that's just my opinion, I could be wrong. ;-)
Re: .ORG problems this evening
On Thu, 18 Sep 2003, Todd Vierling wrote: BGP has no way to know that an internal network problem occurred. If someone mistakenly tripped over a network cable that disconnected DNS clusters from a router, how would the router know to drop anycast advertisements? (Sure, you could run zebra on the cluster. But what about if the name server SEGVs? There's a lot of possible scenarios) I can assure you, this is a solved problem. [EMAIL PROTECTED]darwin Flowers on the razor wire/I know you're here/We are few/And far between/I was thinking about her skin/Love is a many splintered thing/Don't be afraid now/Just walk on in. #include disclaim.h
Re: Worst design decisions?
Even better: the old bay switches had a backdoor password, that you could always use no matter what. Great security there. G. I had to deal with a campus full of them, and since they had of course forgotten all the passwords, it was a good thing in that case: I could actually reconfigure them without calling support. On Thu, 18 Sep 2003, Ryan Tucker wrote: Back in the winter of '00, I had the pleasure of working on a friend's old Bay. He was using it for a home-based ISP, and, well, I believe that it didn't want to do CIDR. No one knew the Manager password, either, so much recovery had to occur. To make matters more interesting, this was in a garage, and the lake effect machine had kicked in. And I was being an idiot. I don't remember the exact details (who said the human brain doesn't have incredible defense and self-repair mechanisms), but I sent out a narrative regarding the situation to a group of friends, and got the following reply back: Subject: Re: Fear and Loathing in AN-DIAG hehe...three things a Rochester sysadmin should always remember 1) Always make a backup, 2) Always try the Manager login, 3) Always count on lake effect. It's still on my monitor. I did get to send off a PFY to deal with a Cray router, though. -rt
Re: .ORG problems this evening
BGP has no way to know that an internal network problem occurred. If someone mistakenly tripped over a network cable that disconnected DNS clusters from a router, how would the router know to drop anycast advertisements? (Sure, you could run zebra on the cluster. But what about if the name server SEGVs? There's a lot of possible scenarios) Almost there.. just make sure your zebra IGPs are redistributing to your BGP so that a failure such as that knocks out the bgp too Steve Sorry no zebra. Perhaps I should run my TLDs DNS service on my Juniper Routers. some expect/cron work should provide the needed glue... Now if I could just get cisco to add authoritative DNS service to IOS, right up there with the HTTP, firewall, content caching, and load-balancing cruft they have added to their basic routing code... I could use cisco too! (may still need some glue tho) In case it was not clear, I think that multi-tasking hardware might be the wrong choice. I want my routers to route and not do apps work. For apps, I want them to be single-app specific. DNS service on its own hardware, NTP on its platform, HTTP outsourced to (vendor), etc. This has impact on the design of anycast solutions. Ultra has one model, ISC has another, and PCH uses a third. The more generic content crowd has its favorites. Then there are the load-balancing vendors who cater to these folks. One size does not fit all. --bill
anycast (Re: .ORG problems this evening)
Date: Thu, 18 Sep 2003 13:47:01 -0400 From: Keptin Komrade Dr. BobWrench III esq. And, I might add, in the case of a highly complex anycast application, you will need to check not only for correctness, but for timeliness. In a realtime system, something that is late is considered incorrect. A DNS response that arrives after three seconds is unsat, and (from a RT perspective) incorrect. I should have been more clear in my wording. And, again, in the case of a highly complex app such as an anycast DNS, you need to check several behind the scenes apps, such as maybe a db, the responsiveness of your high avail partner server, the dns daemon, connectivity through two or more network paths, connectivity to master update servers, BGP on whatever boxes are providing BGP, etc, the list goes on. Yes on all counts, except perhaps connectivity... BGP handles that. If you mean killing the link in case of saturation, I'd argue that's a bad idea -- that just means the large traffic quantity will go elsewhere. But again, that's just my opinion, I could be wrong. ;-) That's why one uses a daemon with main loop including something like:
success = 0 ;
for ( i = checklist ; i->callback != NULL ; i++ )
    success &= i->callback(foo) ;
if ( success )
    send_keepalive(via_some_ipc_mechanism) ;
The BGP mechanism listens for keepalives via the IPC mechanism. Eddy
Re: Worst design decisions?
In the immortal words of Justin Shore ([EMAIL PROTECTED]): Applause I can think of 6 different console cable pinouts and connectors that Enterasys (Cabletron) has used over the years. No wait, make that 7. How could I forget the inherited Fore ATM architecture and subsequent blades. Could people just pick ONE pinout and connector and stick with it? Please! Of course I also have a Cisco 675 that I've been unable to use for years simply because I have yet to figure out what ungodly pinout Cisco used in it. AOL/ The hands-down winner, so far, is the Cisco CMS-formerly-known-as-Arrowpoint, which has an RJ45 console cable which WILL NOT WORK, full stop, with the RJ45 connectors on Cisco's own console servers. *wild applause* In my fevered dreams, someone with actual clout, perhaps the IEEE, defines a spec for serial login consoles over USB and all vendors start to use it, but that's never, ever gonna happen. -n [EMAIL PROTECTED] I like my beer cold, my TV loud, and my homosexuals FL-MING! (--Homer Simpson) http://blank.org/memory/
Re: .ORG problems this evening
Date: Thu, 18 Sep 2003 10:29:06 -0700 (PDT) From: bmanning Ick. you really believe that BGP can or should be augmented to understand application liveness? BGP reaching past the And why not? BGP deals in reachability information. Perhaps it conventionally represents interface and link state, but there is nothing making that the One True Way. From the BGP scanner's perspective, it's just checking another keepalive. What generates the keepalive for the route matters not. Do you mean that a dead server is just as up as a live server, yet a dead link is not as up as a live link? That's preposterous. router, running a ps -augx and then performing applications specific tricks? No need to use gross shell scripts. Far better means of IPC exist. Please read my previous messages. I guess that when all you have/understand is a hammer, everything becomes a nail. If you have any specific technical complaints (not how it's usually done doesn't count), I'm all ears. I'm also open to a better way; my MUA seems to have truncated the part where you suggested one. :-) Wait... Its a joke! you just forgot the :) No. It works well, as long as flaps are confined. Eddy
Re: .ORG problems this evening
On Thu, 18 Sep 2003, Keptin Komrade Dr. BobWrench III esq. wrote: : And, I might add, in the case of a highly complex anycast application, : you will need to check not only for correctness, but for timeliness. All this still assumes that DNS should be trusting a single anycast location as the only point of access (a situation which is the case for UltraDNS if both records' routes go to the same place). There's a reason DNS does not trust exactly one server if multiple ones are provided: too many things can and do go wrong. What is going on right now with .ORG is that DNS is being forced to believe that BGP knows what is best for it, and it's already demonstrated that BGP did not always know best. -- -- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: anycast (Re: .ORG problems this evening)
EBD Date: Thu, 18 Sep 2003 18:01:07 + (GMT) EBD From: E.B. Dreger EBD That's why one uses a daemon with main loop including EBD something like: EBD
EBD success = 0 ;
EBD for ( i = checklist ; i->callback != NULL ; i++ )
EBD     success &= i->callback(foo) ;
EBD if ( success )
EBD     send_keepalive(via_some_ipc_mechanism) ;
Eek! s,success = 0,success = 1, Eddy
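The pieces Eddy sketches across this thread (the stat(2) heartbeat file, the AND-folded checklist with the initial value corrected to "success = 1", the rule that a late answer counts as incorrect, and keeping flaps contained) fit together as one service-aware announcer. The Python below is an added example written for this page, not code from the thread, from UltraDNS or from any routing daemon; every probe, name and threshold in it is constructed, and the IGP announce/withdraw side is reduced to a boolean that a real daemon would turn into a route update.

```python
"""Service-aware route announcement for an anycast pod.

Added example for this page; not production code from anyone in the
thread. A checklist of probes is folded with AND starting from "healthy"
(the fix Eddy posted), a probe that answers late is a failure, and a
damped announcer only withdraws or restores the route after several
consecutive results, so one bad sample does not flap the prefix.
All probes and names are constructed stand-ins.
"""
import os
import time
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Check:
    name: str
    probe: Callable[[], bool]   # True when the component is healthy
    deadline: float = 1.0       # seconds; a late answer counts as failure


def run_check(check: Check) -> bool:
    """Run one probe; exceptions and late answers both count as failures."""
    start = time.monotonic()
    try:
        ok = bool(check.probe())
    except Exception:
        ok = False
    return ok and (time.monotonic() - start) <= check.deadline


def service_healthy(checklist: List[Check]) -> bool:
    """AND every check together. The thread's original 'success = 0' would
    never send a keepalive; start from True. An empty checklist is not
    evidence of health, so a pod with nothing to verify stays withdrawn."""
    if not checklist:
        return False
    success = True
    for check in checklist:
        success &= run_check(check)
    return success


def heartbeat_fresh(mtime: float, now: float, max_age: float) -> bool:
    """The stat(2)-a-touched-file check from the thread, as a pure function.
    A timestamp from the future (clock step) is not trusted either."""
    return 0.0 <= now - mtime <= max_age


def heartbeat_check(path: str, max_age: float) -> Check:
    """Check that the DNS daemon has touched `path` within max_age seconds."""
    def probe() -> bool:
        try:
            return heartbeat_fresh(os.stat(path).st_mtime, time.time(), max_age)
        except OSError:            # missing file: daemon not running
            return False
    return Check("heartbeat:" + path, probe)


def dns_answer_check(resolve: Callable[[str], set], qname: str,
                     expected: set, deadline: float) -> Check:
    """Correctness, not just liveness: the daemon must return the right data
    within the deadline. `resolve` is whatever issues the test query."""
    return Check("dns:" + qname, lambda: resolve(qname) == expected, deadline)


class DampedAnnouncer:
    """Decides whether the pod's prefix should be in the IGP right now.
    down_after consecutive failures withdraw; up_after consecutive
    successes re-announce. A single sample never flips the route."""
    def __init__(self, down_after: int = 2, up_after: int = 3, announced: bool = True):
        self.down_after, self.up_after = down_after, up_after
        self.announced = announced
        self._streak = 0           # +n successes or -n failures in a row

    def observe(self, healthy: bool) -> bool:
        if healthy:
            self._streak = self._streak + 1 if self._streak > 0 else 1
        else:
            self._streak = self._streak - 1 if self._streak < 0 else -1
        if self.announced and self._streak <= -self.down_after:
            self.announced = False          # withdraw: stop attracting queries
        elif not self.announced and self._streak >= self.up_after:
            self.announced = True           # re-announce after sustained health
        return self.announced


def demo() -> List[bool]:
    """Constructed scenario: answers go wrong, then late, then recover."""
    zone = {"www.example.net": {"192.0.2.10"}}          # RFC 5737 address
    state = {"broken": False, "slow": False}

    def resolve(qname: str) -> set:                      # stand-in resolver
        if state["slow"]:
            time.sleep(0.5)                              # past the deadline
        return set() if state["broken"] else zone.get(qname, set())

    checks = [
        dns_answer_check(resolve, "www.example.net", {"192.0.2.10"}, deadline=0.2),
        Check("process", lambda: True),                  # stand-in liveness probe
    ]
    announcer = DampedAnnouncer(down_after=2, up_after=2)
    results = []
    for broken, slow in [(False, False), (True, False), (True, False),
                         (False, True), (False, False), (False, False)]:
        state.update(broken=broken, slow=slow)
        results.append(announcer.observe(service_healthy(checks)))
    return results


if __name__ == "__main__":
    print(demo())
```

In the scenario the route survives the first wrong answer, is withdrawn on the second, stays withdrawn while the answer is merely late, and only comes back after two clean samples; the same damping is what keeps a wobbling pod from flapping the prefix through the IGP. A real deployment would also log each transition with the failing check's name so the withdraw can be investigated.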