Re: bind 9.2.3rc3 successful
I am using bind 9.2.2-p2 on our resolver name servers so far.. And I have no problems to report at this time, it's been running smooth so far; mail queues started clearing out nice and clean.

-hc

--
Haesu C.
TowardEX Technologies, Inc.
Consulting, colocation, web hosting, network design and implementation
http://www.towardex.com | [EMAIL PROTECTED]
Cell: (978)394-2867 | Office: (978)263-3399 Ext. 174
Fax: (978)263-0033 | POC: HAESU-ARIN

On Tue, Sep 23, 2003 at 02:35:48AM -0400, William Allen Simpson wrote:
>
> Thought I'd mention that I helped setup BIND 9.2.3rc3 on a yellowdog
> linux powercomputing machine tonight. It worked. And the mail queues
> began clearing out. Just for an oddball success report.
>
> Are others having similar luck? What needs to be done to make this a
> standard feature set? Is somebody working on an RFC?
> --
> William Allen Simpson
> Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
Re: bind 9.2.3rc3 successful
> Thought I'd mention that I helped setup BIND 9.2.3rc3 on a yellowdog
> linux powercomputing machine tonight. It worked. And the mail queues
> began clearing out. Just for an oddball success report.

oh hell. thanks for the kind words, but we just released rc4.

> Are others having similar luck? What needs to be done to make this a
> standard feature set? Is somebody working on an RFC?

i do not expect the ietf to say that root and tld zones should all be delegation-only. but good luck trying.
--
Paul Vixie
bind 9.2.3rc3 successful
Thought I'd mention that I helped setup BIND 9.2.3rc3 on a yellowdog linux powercomputing machine tonight. It worked. And the mail queues began clearing out. Just for an oddball success report. Are others having similar luck? What needs to be done to make this a standard feature set? Is somebody working on an RFC? -- William Allen Simpson Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
Re: Verisign Responds
> ISC has made root-delegation-only the default behaviour in the new bind,

actually, though, we haven't, and wouldn't (ever). the feature is present but must be explicitly enabled by a knowledgeable operator to have effect.

> how about drafting up an RFC making it an absolute default requirement
> for all DNS?

this is what the icann secsac recommendation...

http://www.icann.org/correspondence/secsac-to-board-22sep03.htm

...says that ietf/iab should look into:

    We call on the IAB, the IETF, and the operational community to
    examine the specifications for the domain name system and consider
    whether additional specifications could improve the stability of the
    overall system. Most urgently, we ask for definitive recommendations
    regarding the use and operation of wildcard DNS names in TLDs and
    the root domain, so that actions and expectations can become
    universal. With respect to the broader architectural issues, we call
    on the technical community to clarify the role of error responses
    and on the separation of architectural layers, particularly and
    their interaction with security and stability.

and it does seem rather urgent that if a wildcard in the root domain or in a top level domain is dangerous and bad, that the ietf say so out loud so that icann has a respected external reference to include in their contracts.
--
Paul Vixie
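The opt-in delegation-only behaviour Vixie describes above, modelled as an added example written for this archive (it is not ISC's code): a resolver-side filter that rewrites an answer for a child name of an operator-listed zone to NXDOMAIN when the response carries no referral, while leaving apex data and unlisted zones alone. The record data and the `nosuchname-12345.com` query are constructed sample input (64.94.110.11 is the wildcard target address the thread itself mentions; the SOA rdata is a placeholder), and the filter only models explicit NS delegations, not the CNAME/DNAME implicit-delegation case BIND also accepts.

```python
# Added illustration of BIND 9.2.3's opt-in "delegation-only" zone check,
# written for this archive; it is not ISC's code.  Record data below is
# constructed sample input; 64.94.110.11 is the wildcard target address
# the thread itself mentions.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class RR:
    name: str    # owner name, no trailing dot
    rtype: str   # "A", "NS", "SOA", ...
    rdata: str


@dataclass
class Response:
    """A response as received from the zone's authoritative servers."""
    qname: str
    rcode: str = "NOERROR"
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)


# Nothing is filtered unless an operator lists a zone here, which mirrors
# the "explicitly enabled by a knowledgeable operator" point made above
# (the named.conf equivalent is: zone "com" { type delegation-only; };).
DELEGATION_ONLY_ZONES = ("com", "net")


def in_zone(name: str, zone: str) -> bool:
    return name == zone or name.endswith("." + zone)


def governing_zone(qname: str) -> Optional[str]:
    return next((z for z in DELEGATION_ONLY_ZONES if in_zone(qname, z)), None)


def has_explicit_delegation(resp: Response, zone: str) -> bool:
    """A referral: NS records in the authority section for a name strictly
    below the zone apex."""
    return any(rr.rtype == "NS" and rr.name != zone and in_zone(rr.name, zone)
               for rr in resp.authority)


def apply_delegation_only(resp: Response) -> Response:
    """What a delegation-only resolver hands back.  Data for a child name
    that arrives with no delegation (a registry wildcard, for instance) is
    rewritten to NXDOMAIN; apex records and non-listed zones pass through.
    The implicit (CNAME/DNAME) delegation case BIND also accepts is omitted."""
    zone = governing_zone(resp.qname)
    if zone is None or resp.qname == zone:
        return resp
    if resp.rcode != "NOERROR" or has_explicit_delegation(resp, zone):
        return resp
    return Response(qname=resp.qname, rcode="NXDOMAIN",
                    authority=[rr for rr in resp.authority if rr.rtype == "SOA"])


# --- constructed sample responses -------------------------------------
WILDCARD = Response(   # synthesised by a *.com wildcard: answer, no referral
    qname="nosuchname-12345.com",
    answer=[RR("nosuchname-12345.com", "A", "64.94.110.11")],
    authority=[RR("com", "SOA", "<soa-rdata-placeholder>")])
REFERRAL = Response(   # a normal delegation of a registered child
    qname="www.example.com",
    authority=[RR("example.com", "NS", "ns1.example.com")])
APEX = Response(qname="com", answer=[RR("com", "SOA", "<soa-rdata-placeholder>")])
OTHER_TLD = Response(  # zone not listed, so untouched
    qname="www.example.org",
    answer=[RR("www.example.org", "A", "192.0.2.10")])


def rcodes_after_filter():
    """rcode each sample ends up with, keyed by query name."""
    return {r.qname: apply_delegation_only(r).rcode
            for r in (WILDCARD, REFERRAL, APEX, OTHER_TLD)}


if __name__ == "__main__":
    for name, rcode in rcodes_after_filter().items():
        print(f"{name:28} -> {rcode}")
```

The point the filter makes concrete is the one in the message: a wildcard at a TLD apex answers for every unregistered name, so the only thing distinguishing it from a real child is the absence of a referral, and a resolver can act on that only if its operator has deliberately told it which zones are supposed to contain nothing but delegations.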
nanog@merit.edu
Anyone from AT&T on the list? I just bought a Cisco 7507 with a full AT&T config on it from March 2003. Maybe someone should be changing passwords and snmp com strong, etc? It has an AT&T asset number on it, if that helps you identify how that got overlooked. Contact me if necessary. -- Jay Greenberg, CCIE #11021 -- www.free-labs.com -Free Cisco Rack Rental- --
Dedicated hosting / Colocation folk
howdy folk, can someone who is doing dedicated hosting / colocation can contact me offlist please? Mehmet Akcin Key fingerprint = FE 46 F8 8C 0C 2F C3 4A CF 1F BC 36 75 F4 9B C3
Re: Verisign Responds
On Mon, 22 Sep 2003, Dave Stewart wrote:

> Courts are likely to support the position that Verisign has control of .net
> and .com and can do pretty much anything they want with it.

ISC has made root-delegation-only the default behaviour in the new bind, how about drafting up an RFC making it an absolute default requirement for all DNS?

-Dan

--
[-] Omae no subete no kichi wa ore no mono da. [-]
caida annotated networking bibliography
[ok last operationally irrelevant URL from me this month] those with researchy dispositions might like the (still young) annotated catalog of Internet research publications: http://www.caida.org/outreach/bib/networking/ far from complete and as always we welcome contributions <- -seriously- but it's kinda a cool start k
Cheap temperature sensors
From time to time this thread pops up. I found something which looked interesting and the price was right. I bought one and WOW! It is VERY impressive stuff for any price especially considering how cheap it was. I purchased 10 individual temperature sensors and two temp/humidity sensors, and the SNMP Ethernet module. From unpacking the box to installing the eight sensors in the inlet and outlet ducting of our four A/C units, two more to the inside of two server racks and yet two more to the UPS and general rack areas for ambient temp/humidity monitoring to setting up MRTG graphing and SNMP traps total time was under 4 hours! Very nice stuff. It works out of the box with minimal setup and no fabrication, or development/programming needed. All of this for $445.00 delivered!!! I'm going to order a spare because I like the equipment so much and it is so cheap. http://dcf.sk/microweb/snmpmain.html -Robert Tellurian Networks - The Ultimate Internet Connection http://www.tellurian.com | 888-TELLURIAN | 973-300-9211 "Good will, like a good name, is got by many actions, and lost by one." - Francis Jeffrey
AS taxonomy (transit/stub, multi-single-homing)
[also won't affect your router; also involves a risk of learning something:] in response to router vendors' request for analysis AS breakdown into of transit vs stub, multi vs single homing, using massive traceroute data as well as routeviews bgp data: http://www.caida.org/analysis/routing/astypes/ feedback more than welcome k
caida macroscopic geographic analysis of IPv6 addresses
[disclaimer: this email will not affect any router config or worm containment or verisign behavior, and please don't waste your time reading unless you want to learn something about v4/v6 address distribution by country] bradley extended his IPv4 address resource geopolitical analysis to IPv6 addresses this summer while working with WIDE in Japan. http://www.caida.org/analysis/geopolitical/bgp2country/ipv6.xml feedback more than welcome k
Re: Verisign Responds
> ] As to your call for us to suspend the service, I would respectfully
> ] suggest that it would be premature to decide on any course of action
> ] until we first have had an opportunity to collect and review the
> ] available data.
>
> One would think it would be equally premature to roll out the service
> without first asking the appropriate people for their opinion first,
> starting with ICANN.
>
> Looks like the lawsuits are going to be the ones to settle this
> dispute...anyone think there's a chance of ICANN pulling .COM and .NET
> from Verisign due to breach of contract? I think it's highly unlikely.

Oh, I dunno... ICANN has no teeth, so that won't happen.

Courts are likely to support the position that Verisign has control of .net and .com and can do pretty much anything they want with it.

Of course... Verisign's comments tend to remind one of "There are no Americans in Baghdad!"

As I said over the weekend: ICANN has requested that Verisign remove the wildcards in .com and .net. So what you're basically saying here is: that ain't gonna happen. Correct?

Then I got flamed... hm

Carnack is ready for the next answer
Re: Verisign Responds
> All indications are that users, important members of the internet
> community we all serve, are benefiting from the improved web navigation
> offered by Site Finder

"The Americans are committing suicide!"

:: american bomb falls in the background ::

-hc

--
Haesu C.
TowardEX Technologies, Inc.
Consulting, colocation, web hosting, network design and implementation
http://www.towardex.com | [EMAIL PROTECTED]
Cell: (978)394-2867 | Office: (978)263-3399 Ext. 174
Fax: (978)263-0033 | POC: HAESU-ARIN

On Mon, Sep 22, 2003 at 09:36:38PM -0400, Mike Tancsa wrote:
>
> Even better,
>
> This reminds me of the Iraqi Information minister and his lunatic
> counterfactual arguments. All indications indeed!
>
> ---Mike
>
> At 09:23 PM 22/09/2003, Leo Bicknell wrote:
>
> >http://www.icann.org/correspondence/lewis-to-twomey-21sep03.htm
> >
> >I quote:
> >
> >] As to your call for us to suspend the service, I would respectfully
> >] suggest that it would be premature to decide on any course of action
> >] until we first have had an opportunity to collect and review the
> >] available data.
> >
> >One would think it would be equally premature to roll out the service
> >without first asking the appropriate people for their opinion first,
> >starting with ICANN.
> >
> >Looks like the lawsuits are going to be the ones to settle this
> >dispute...anyone think there's a chance of ICANN pulling .COM and .NET
> >from Verisign due to breach of contract? I think it's highly unlikely.
> >
> >--
> > Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440
> >PGP keys at http://www.ufp.org/~bicknell/
> >Read TMBG List - [EMAIL PROTECTED], www.tmbg.org
ICANN Secsac message to the board
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Recommendations Regarding VeriSign's Introduction of Wild Card Response to Uninstantiated Domains within COM and NET

http://www.icann.org/correspondence/secsac-to-board-22sep03.htm

Several members of this community responded to my request for input on this topic, and your very helpful suggestions were incorporated in the final product. On behalf of the Committee, I'd like to thank you for these contributions, and encourage you to continue sending comments and suggestions regarding operational or security issues.

Doug Barton

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQE/b6gQyIakK9Wy8PsRAivkAJwLQGFRFSWqklE0q0qVzYk3J+ivWwCfc/AX
8Vvn+ABkkw2MsUK3za0fQ4Q=
=cvJc
-----END PGP SIGNATURE-----
Re: VeriSign SMTP reject server updated
>At anytime, Verisign could remove your .COM domain from their DNS for
>a short period of time which would result in all of your inbound
>email going to the Verisign collector servers. If this was only done
>for a brief interval, say 10 minutes, you might never notice that it
>had happened. But Verisign's industrial espionage department would have
>your email in their hands and could do whatever they wish with it.
>How profitable might that be?

Actually...

If they were to accidentally remove someone's .COM domain and do that, that would be a criminal violation of ECPA, says my not-an-attorney analysis. Even if they did it by accident. Even if they didn't keep a copy. Even if their mail server didn't accept it and returned a 550 on the RCPT, if the sending mail agent did something braindead like just pump out a whole message plus embedded SMTP headers like... oh, I dunno... a bunch of Spamware does.

It seems... wrong... to consider that we could file criminal charges against Verisign for illegally intercepting spam between the spammer and our systems, but it appears to be a legally consistent postulate.

As Verisign is doing SiteFinder for commercial gain, it might even qualify for the higher penalties (1 yr first offense 2 yr each subsequent offense). I wonder if 'offense' would map to 'domain' or 'individual email message' or what. Conceivably could be very very bad news.

-george william herbert
[EMAIL PROTECTED]
Re: Verisign Responds
Even better,

> All indications are that users, important members of the internet
> community we all serve, are benefiting from the improved web navigation
> offered by Site Finder

This reminds me of the Iraqi Information minister and his lunatic counterfactual arguments. All indications indeed!

---Mike

At 09:23 PM 22/09/2003, Leo Bicknell wrote:

> http://www.icann.org/correspondence/lewis-to-twomey-21sep03.htm
>
> I quote:
>
> ] As to your call for us to suspend the service, I would respectfully
> ] suggest that it would be premature to decide on any course of action
> ] until we first have had an opportunity to collect and review the
> ] available data.
>
> One would think it would be equally premature to roll out the service
> without first asking the appropriate people for their opinion first,
> starting with ICANN.
>
> Looks like the lawsuits are going to be the ones to settle this
> dispute...anyone think there's a chance of ICANN pulling .COM and .NET
> from Verisign due to breach of contract? I think it's highly unlikely.
>
> --
> Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440
> PGP keys at http://www.ufp.org/~bicknell/
> Read TMBG List - [EMAIL PROTECTED], www.tmbg.org
Verisign Responds
>Looks like the lawsuits are going to be the ones to settle this
>dispute...anyone think there's a chance of ICANN pulling .COM and .NET
>from Verisign due to breach of contract? I think it's highly unlikely.

...about as likely as Mary Carey winning the Califunny recall. VeriSlime has big lobbying muscle here Inside the Beltway.

--
A host is a host from coast to [EMAIL PROTECTED]
& no one will talk to a host that's close [v].(301) 56-LINUX
Unless the host (that isn't close) pob 1433
is busy, hung or dead 20915-1433
Verisign Responds
http://www.icann.org/correspondence/lewis-to-twomey-21sep03.htm

I quote:

] As to your call for us to suspend the service, I would respectfully
] suggest that it would be premature to decide on any course of action
] until we first have had an opportunity to collect and review the
] available data.

One would think it would be equally premature to roll out the service without first asking the appropriate people for their opinion first, starting with ICANN.

Looks like the lawsuits are going to be the ones to settle this dispute...anyone think there's a chance of ICANN pulling .COM and .NET from Verisign due to breach of contract? I think it's highly unlikely.

--
Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - [EMAIL PROTECTED], www.tmbg.org
RE: comments on addressing futures....
John,

I have forwarded your comments to the appropriate list so that they can be archived. Please look at the ARIN announcement for details concerning these documents.

Thanks,

Ray

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of John Brown
> Sent: Monday, September 22, 2003 7:30 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: comments on addressing futures
>
>
> YAO (yet another organization)
>
> Seems the world is full of orgs and people wanting to create
> yet a new thing to solve the problem. Make it a new thing and
> we can fix the issues at hand.
>
> I've seen enough of the BS between ICANN and ARIN (and other RIR's)
> to know that if both sides would really sit down and be constructive
> we wouldn't need YAO..
>
> Now that ICANN has a bunch of new management (ergo LT and MLS are gone)
> maybe the RIR's and ICANN should put their hurt feeling (yes one hurt
> badly bruised feeling) away and figure out how to work within the
> structure that exists today. Ergo the ASO and ICANN
>
> I personally am quite worried about the RIR's creating a NRO
> (Is that Number Resource Org, or National Recon Org ??)
>
> I don't see the "broken part here".
>
> I don't see the masses screaming for the head(s) of the RIR on
> a platter, ala Verisign and wildcards.
>
> I don't see the community pointing the finger en masse to the RIR's
> and saying ITS BROKE, Someone should take it away from them.
>
> Heck, I don't even see the looneys out there really screaming
> that the RIR process is broken.
>
> Since it doesn't really seem broken, why are we trying to 'fix' it ??
>
> It does seem to me that a select few people want more control
> (term empire building comes to mind) of the IP space and for various
> non-operational (show me broken operational things wrt RIRs) reasons
> want to kill ICANN.
>
> Killing ICANN in all seriousness isn't the right answer. Some months
> ago I finally gave up on them, figured it was a lost cause and that
> they should go the way of the dodo.
>
> Well that was a wrong thought. If we don't have them things will
> be worse. They DO have to stand up to Verisign on this Wildcard
> thing, but they can't do it in one day.
>
> Again, we the community should be helping ICANN get its act together.
>
> They are after all trying to hire some senior technical management
> people. Certainly there are qualified people on this list to
> fill that slot.
>
> No, NRO is BAD, its bad like splitting the roots. Plain and simple
> as that.
>
>
> On Mon, Sep 22, 2003 at 03:22:47PM -0700, [EMAIL PROTECTED] wrote:
> >
> > this from the ARIN-PPL mailing list... it deserves broad consideration,
> > even from NANOG :)
> >
> > ---
> >
> > [EMAIL PROTECTED] writes:
> >
> > Since ARIN has been sending new proposals today, they seem to have
> > forgotten the most important one of all, that applies to all RIRs and how
> > they deal with ICANN. The info is at http://lacnic.net/sp/draft-9-22.html
> >
> > ---
> > The four RIRs (Regional Internet Registries): APNIC, ARIN, LACNIC, and
> > RIPE NCC have jointly worked on the preparation of a proposal concerning
> > the liaison among the RIRs as well as the structure through which the
> > RIRs and their communities take part in ICANN.
> >
> > As a consequence, three documents have been prepared:
> >
> > - Proposal to execute an agreement between the four RIRs in order to
> > create the Number Resource Organization (NRO). This organization will
> > represent the interests of the IP addresses community before the
> > national, international or public entities.
> >
> > - Proposal of a Memorandum of Understanding between the RIRs, to act
> > through the NRO and the ICANN in relation to the ASO (Address Supporting
> > Organization), the ICANN section committed to the Internet Number
> > Resources issues. The ASO was created through a previous Memorandum of
> > Understanding, signed in 1999. The current proposal would replace the
> > previous Memorandum, modifying the present ASO structure.
> >
> > - Proposal of an Open Letter from the RIRs to the ICANN relative to the
> > previous items.
> >
> > The RIRs call for public comments from the community members in relation
> > to these documents. As the comments will be jointly organized, they will
> > be officially managed in English.
Re: comments on addressing futures....
YAO (yet another organization)

Seems the world is full of orgs and people wanting to create yet a new thing to solve the problem. Make it a new thing and we can fix the issues at hand.

I've seen enough of the BS between ICANN and ARIN (and other RIR's) to know that if both sides would really sit down and be constructive we wouldn't need YAO..

Now that ICANN has a bunch of new management (ergo LT and MLS are gone) maybe the RIR's and ICANN should put their hurt feeling (yes one hurt badly bruised feeling) away and figure out how to work within the structure that exists today. Ergo the ASO and ICANN

I personally am quite worried about the RIR's creating a NRO (Is that Number Resource Org, or National Recon Org ??)

I don't see the "broken part here".

I don't see the masses screaming for the head(s) of the RIR on a platter, ala Verisign and wildcards.

I don't see the community pointing the finger en masse to the RIR's and saying ITS BROKE, Someone should take it away from them.

Heck, I don't even see the looneys out there really screaming that the RIR process is broken.

Since it doesn't really seem broken, why are we trying to 'fix' it ??

It does seem to me that a select few people want more control (term empire building comes to mind) of the IP space and for various non-operational (show me broken operational things wrt RIRs) reasons want to kill ICANN.

Killing ICANN in all seriousness isn't the right answer. Some months ago I finally gave up on them, figured it was a lost cause and that they should go the way of the dodo.

Well that was a wrong thought. If we don't have them things will be worse. They DO have to stand up to Verisign on this Wildcard thing, but they can't do it in one day.

Again, we the community should be helping ICANN get its act together.

They are after all trying to hire some senior technical management people. Certainly there are qualified people on this list to fill that slot.

No, NRO is BAD, its bad like splitting the roots. Plain and simple as that.

On Mon, Sep 22, 2003 at 03:22:47PM -0700, [EMAIL PROTECTED] wrote:
>
> this from the ARIN-PPL mailing list... it deserves broad consideration,
> even from NANOG :)
>
> ---
>
> [EMAIL PROTECTED] writes:
>
> Since ARIN has been sending new proposals today, they seem to have
> forgotten the most important one of all, that applies to all RIRs and how
> they deal with ICANN. The info is at http://lacnic.net/sp/draft-9-22.html
>
> ---
> The four RIRs (Regional Internet Registries): APNIC, ARIN, LACNIC, and
> RIPE NCC have jointly worked on the preparation of a proposal concerning
> the liaison among the RIRs as well as the structure through which the
> RIRs and their communities take part in ICANN.
>
> As a consequence, three documents have been prepared:
>
> - Proposal to execute an agreement between the four RIRs in order to
> create the Number Resource Organization (NRO). This organization will
> represent the interests of the IP addresses community before the
> national, international or public entities.
>
> - Proposal of a Memorandum of Understanding between the RIRs, to act
> through the NRO and the ICANN in relation to the ASO (Address Supporting
> Organization), the ICANN section committed to the Internet Number
> Resources issues. The ASO was created through a previous Memorandum of
> Understanding, signed in 1999. The current proposal would replace the
> previous Memorandum, modifying the present ASO structure.
>
> - Proposal of an Open Letter from the RIRs to the ICANN relative to the
> previous items.
>
> The RIRs call for public comments from the community members in relation
> to these documents. As the comments will be jointly organized, they will
> be officially managed in English.
Go Daddy vs Verisign over Site Finder
Go Daddy is at it again. They filed suit against Verisign accusing Verisign of misuse of their registry position with their Site Finder service. Let's hope they win this lawsuit too! https://www.godaddy.com/gdshop/pressreleases/NR-GoDaddysuesVerisign9-22.pdf?isc=&se=%2B&from%5Fapp=
Re: anycast (Re: .ORG problems this evening)
On Mon, 22 Sep 2003, David G. Andersen wrote:

> With load balancing, traffic can get routed down a non-functional path
> while routing takes place over the other one - BBN did that to us once,
> was very entertaining).

Ah yes, I'll always have a special place in my heart for those Localdirectors. *cough*

> In contrast, talking to a few DNS servers gives you an end-to-end test of
> how well the service is working. You still depend on the answers being
> correct, but you can intuit a lot from whether or not you actually get
> answers, instead of sitting around twiddling your thumbs thinking, "gee, I
> sure wish that routing update would get sent out so I could use the 'net."

Anycast isn't the only thing possibly stuck waiting for routing convergence... Let's not get carried away here.

matto

[EMAIL PROTECTED]<
Flowers on the razor wire/I know you're here/We are few/And far between/I was thinking about her skin/Love is a many splintered thing/Don't be afraid now/Just walk on in. #include
Re: anycast (Re: .ORG problems this evening)
DGA> Date: Mon, 22 Sep 2003 18:32:19 -0400
DGA> From: David G. Andersen

DGA> The whole problem with only listing two anycast servers is that
DGA> you leave yourself vulnerable to other kinds of faults. Your
DGA> upstream ISP fat-fingers "ip route 64.94.110.11 null0" and
DGA> accidentally blitzes the netblock from which the anycast servers
DGA> are announced. A router somewhere between customers and the

And this is peculiar to anycast?

DGA> anycast servers stops forwarding traffic, or starts corrupting

And this is peculiar to anycast?

DGA> transit data, without interrupting its route processing.
DGA> packet filters get misconfigured..

And this is peculiar to anycast?

DGA> Route updates in BGP take a while to propagate. Much longer
DGA> than the 15ms RTT from me to, say, a.root-server.net. The application
DGA> retry in this context can be massively faster than waiting 30+ seconds
DGA> for a BGP update interval.

If a location goes dark, that's a problem. With redundant machines locally anycasted and inter-location transport, it becomes a question of border router and peer reliability.

DGA> The availability of the DNS is now co-mingled with the success
DGA> of the magic route tweak code; the resulting system is a fair

The availability of * is co-mingled with the success of the gear advertising its prefixes. The difference between standard multihoming and anycast is that the behind-the-scenes stuff happens to be on different machines in different locations.

DGA> bit more complex than simply running a bunch of different
DGA> DNS servers. God forbid that zebra ever has bugs...
DGA>
DGA> http://www.geocrawler.com/lists/3/GNU/372/0/

You assume zebra is the only option. Sure, it has bugs. So do Vendors C, J, and R.

DGA> In contrast, talking to a few DNS servers gives you an end-to-end
DGA> test of how well the service is working.

So splay is bad?

Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_
DO NOT send mail to the following addresses :
[EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.
Re: anycast (Re: .ORG problems this evening)
On Mon, 22 Sep 2003, David G. Andersen wrote:

> > Yes, I hope that UltraDNS implements something like this, if they have not
> > already. It's still not a guarantee that things will get withdrawn -- or be
> > reachable, even if working but not withdrawn -- in case of a problem. That
> > still leaves the DNS for a gTLD at risk for a single point of failure.
>
> The whole problem with only listing two anycast servers is that
> you leave yourself vulnerable to other kinds of faults. Your
> upstream ISP fat-fingers "ip route 64.94.110.11 null0" and
> accidentally blitzes the netblock from which the anycast servers
> are announced. A router somewhere between customers and the
> anycast servers stops forwarding traffic, or starts corrupting
> transit data, without interrupting its route processing.
> packet filters get misconfigured..

That's a good reason to make sure that you are anycasting from at least two disparate netblocks, isn't it? :-)

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
Patrick Greenwell
Asking the wrong questions is the leading cause of wrong answers
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
Re: anycast (Re: .ORG problems this evening)
On Thu, Sep 18, 2003 at 02:38:18PM -0400, Todd Vierling quacked:
>
> On Thu, 18 Sep 2003, E.B. Dreger wrote:
>
> : EBD> That's why one uses a daemon with main loop including
> : EBD> something like:
> : EBD>
> : EBD>     success = 1 ;
> : EBD>     for ( i = checklist ; i->callback != NULL ; i++ )
> : EBD>         success &= i->callback(foo) ;
> : EBD>     if ( success )
> : EBD>         send_keepalive(via_some_ipc_mechanism) ;
>
> Yes, I hope that UltraDNS implements something like this, if they have not
> already. It's still not a guarantee that things will get withdrawn -- or be
> reachable, even if working but not withdrawn -- in case of a problem. That
> still leaves the DNS for a gTLD at risk for a single point of failure.

The whole problem with only listing two anycast servers is that you leave yourself vulnerable to other kinds of faults. Your upstream ISP fat-fingers "ip route 64.94.110.11 null0" and accidentally blitzes the netblock from which the anycast servers are announced. A router somewhere between customers and the anycast servers stops forwarding traffic, or starts corrupting transit data, without interrupting its route processing. packet filters get misconfigured.. (Observe how divorced route processing and packet processing are in modern routing architectures and it's pretty easy to see how this can happen. With load balancing, traffic can get routed down a non-functional path while routing takes place over the other one - BBN did that to us once, was very entertaining).

Route updates in BGP take a while to propagate. Much longer than the 15ms RTT from me to, say, a.root-server.net. The application retry in this context can be massively faster than waiting 30+ seconds for a BGP update interval.

The availability of the DNS is now co-mingled with the success of the magic route tweak code; the resulting system is a fair bit more complex than simply running a bunch of different DNS servers. God forbid that zebra ever has bugs...

http://www.geocrawler.com/lists/3/GNU/372/0/

In contrast, talking to a few DNS servers gives you an end-to-end test of how well the service is working. You still depend on the answers being correct, but you can intuit a lot from whether or not you actually get answers, instead of sitting around twiddling your thumbs thinking, "gee, I sure wish that routing update would get sent out so I could use the 'net."

-Dave

--
work: [EMAIL PROTECTED] me: [EMAIL PROTECTED]
MIT Laboratory for Computer Science http://www.angio.net/
I do not accept unsolicited commercial email. Do not spam me.
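The keepalive loop EBD quotes at the top of this message, together with Todd's worry about whether a broken node's route actually gets withdrawn, as an added example written for this archive (it is not UltraDNS's, E.B. Dreger's or any other poster's code): a list of probe callbacks is run each iteration and the keepalive is sent only when all of them pass; a probe that throws counts as a failure rather than a pass, and after a configurable run of missed keepalives the prefix is withdrawn, to be re-announced on the first clean run. The withdrawal threshold (hysteresis against a single flapping probe) goes beyond what the thread states; the probes and the announce/withdraw actions are constructed stand-ins for a real SOA query against the local named and a real signal to the routing daemon.

```python
# Added illustration of the health-check-gated keepalive loop quoted above,
# written for this archive; it is not UltraDNS's or any poster's code.  The
# probe below is a scripted stand-in for a real check (a SOA query against
# the local named, a disk-space check, ...), and "announce"/"withdraw" only
# flip a flag where a real daemon would signal the routing process.
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass
class RouteState:
    announced: bool = True
    consecutive_failures: int = 0
    log: List[str] = field(default_factory=list)


@dataclass
class Monitor:
    checks: List[Callable[[], bool]]
    withdraw_after: int = 3   # missed keepalives tolerated before withdrawing
    state: RouteState = field(default_factory=RouteState)

    def run_checks(self) -> bool:
        # Same shape as the quoted loop: every callback must succeed.
        ok = True
        for check in self.checks:
            try:
                ok &= bool(check())
            except Exception as exc:   # a crashing probe is a failure, not a pass
                name = getattr(check, "__name__", "check")
                self.state.log.append(f"{name} raised {exc!r}")
                ok = False
        return ok

    def tick(self) -> bool:
        """One main-loop iteration; returns True when the keepalive was sent.
        A run of missed keepalives withdraws the prefix (the route-announcing
        side fails closed); the first good run re-announces it."""
        if self.run_checks():
            self.state.consecutive_failures = 0
            if not self.state.announced:
                self.state.announced = True
                self.state.log.append("re-announcing prefix")
            return True
        self.state.consecutive_failures += 1
        if self.state.announced and self.state.consecutive_failures >= self.withdraw_after:
            self.state.announced = False
            self.state.log.append("withdrawing prefix")
        return False


class ScriptedProbe:
    """Constructed stand-in for a real probe: returns the scripted outcomes
    in order, then True forever."""
    def __init__(self, name: str, outcomes):
        self.__name__ = name
        self.outcomes = list(outcomes)

    def __call__(self) -> bool:
        return self.outcomes.pop(0) if self.outcomes else True


def example_run() -> List[Tuple[bool, bool]]:
    """Drive six iterations over a constructed timeline in which the local
    SOA probe fails four times in a row; returns (keepalive_sent, announced)
    per tick."""
    probe = ScriptedProbe("local_soa_query", [True, False, False, False, False, True])
    mon = Monitor(checks=[probe, ScriptedProbe("disk_space_ok", [])], withdraw_after=3)
    return [(mon.tick(), mon.state.announced) for _ in range(6)]


if __name__ == "__main__":
    for i, (sent, announced) in enumerate(example_run(), 1):
        print(f"tick {i}: keepalive={'yes' if sent else 'no '} announced={announced}")
```

Two of the points made in this thread show up directly in the run: the prefix stays announced through the first two failures (so a transient probe error does not cause a BGP withdrawal and the convergence delay Dave describes), and once withdrawn it does not come back until the node actually answers again, which is the "working but not withdrawn" gap Todd is worried about, closed from the node's side.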
comments on addressing futures....
this from the ARIN-PPL mailing list... it deserves broad consideration, even from NANOG :)

---

[EMAIL PROTECTED] writes:

Since ARIN has been sending new proposals today, they seem to have forgotten the most important one of all, that applies to all RIRs and how they deal with ICANN. The info is at http://lacnic.net/sp/draft-9-22.html

---

The four RIRs (Regional Internet Registries): APNIC, ARIN, LACNIC, and RIPE NCC have jointly worked on the preparation of a proposal concerning the liaison among the RIRs as well as the structure through which the RIRs and their communities take part in ICANN.

As a consequence, three documents have been prepared:

- Proposal to execute an agreement between the four RIRs in order to create the Number Resource Organization (NRO). This organization will represent the interests of the IP addresses community before the national, international or public entities.

- Proposal of a Memorandum of Understanding between the RIRs, to act through the NRO and the ICANN in relation to the ASO (Address Supporting Organization), the ICANN section committed to the Internet Number Resources issues. The ASO was created through a previous Memorandum of Understanding, signed in 1999. The current proposal would replace the previous Memorandum, modifying the present ASO structure.

- Proposal of an Open Letter from the RIRs to the ICANN relative to the previous items.

The RIRs call for public comments from the community members in relation to these documents. As the comments will be jointly organized, they will be officially managed in English.
Re: ICANN asks VeriSign to pull redirect service
Worth noting is the follow-up report: http://www.iab.org/documents/docs/2003-09-20-dns-wildcards.html and the response from Russell Lewis: http://www.icann.org/correspondence/lewis-to-twomey-21sep03.htm Mr. Lewis' response is interesting only if you believe VeriSign has the community's interest in mind by implementing this service. If there was any indication that the change had a detrimental effect to the Internet, an Internet-friendly corporation would have suspended service. This quote is also interesting: "This was done after many months of testing and analysis and in compliance with all applicable technical standards" For such a monumental change, one would think VeriSign would have made a concerted effort to receive community feedback prior to implementation. Again, had they the community's interest in mind. On Sun, 21 Sep 2003 23:12:14 -0400 Haesu <[EMAIL PROTECTED]> wrote: > > It's been about 2 days since ICANN requested Verisign to stop breaking. > > http://www.icann.org/announcements/advisory-19sep03.htm > > Recognizing the concerns about the wildcard service, ICANN has called > upon VeriSign to voluntarily suspend the service until the various > reviews now underway are completed. > > -hc > > -- > Haesu C. > TowardEX Technologies, Inc. > Consulting, colocation, web hosting, network design and implementation > http://www.towardex.com | [EMAIL PROTECTED] > Cell: (978)394-2867 | Office: (978)263-3399 Ext. 174 > Fax: (978)263-0033 | POC: HAESU-ARIN > > On Sun, Sep 21, 2003 at 10:42:37PM -0400, Eric Germann wrote: > > > > > http://msnbc-cnet.com.com/2100-1024_3-5079768.html?part=msnbc-cnet&tag=alert > > &form=feed&subj=cnetnews > > > > "The agency that oversees Internet domain names has asked VeriSign to > > voluntarily suspend a new service that redirects Web surfers to its own > site > > when they seek to access unassigned Web addresses, rather than return an > > error message. 
" > > > > > > > > == > > Eric Germann CCTec > > [EMAIL PROTECTED] Van Wert OH 45891 > > http://www.cctec.com Ph: 419 968 2640 > > Fax: 603 825 5893 > > > > "The fact that there are actually ways of knowing and characterizing the > > extent of one's ignorance, while still remaining ignorant, may ultimately > be > > more interesting and useful to people than Yarkovsky" > > > > -- Jon Giorgini of NASA's Jet Propulsion Laboratory > > >
ATTBI/Comcast issue
If someone on this list is from ATTBI/Comcast, could you please contact me offline regarding a chronic issue present since about March/April? I've had multiple tickets open and spoke with 2 "supervisors", and no one will address/take responsibility of the problem. Thanks, Tony
Re: Operations notification manager software
On Mon, 22 Sep 2003, Stephane Bortzmeyer wrote: > > On Mon, Sep 22, 2003 at 12:23:35AM -0500, > Justin Shore <[EMAIL PROTECTED]> wrote > a message of 20 lines which said: > > > > What software is available/recommended for NOC contact > > > management? > > > > I've used Nagios (formerly NetSaint) in the past and have been very > > impressed with it. > > I used Nagios and I fail to see what's the connection with the > original question? It seems the original poster is looking for > something like RequestTracker <http://www.bestpractical.com/rt/> > instead. From the original message: > - contact information refresh (regularly verify contact > information via electronic or triggered human interaction, > dealing with failed notification attempts)? I need more info here such as an example. Verify contact info against what? > - complex notification (ie per-event customized notification > by affected device/region/service, notification to > customer-selected method based on type and urgency of > notice) Nagios > - customer-friendly subscription management (including > multiple notification methods) and notification > archiving Nagios > - notification SLA's (ie re-sending multiple timed notices > when required, tracking notifications for auditing, etc) Nagios > - efficiently managing multiple conduits for notification > (email, alpha pager, text-to-voice/scripted call center, RSS > feed, Web archives/posting) Nagios > - enforcing consistency in notifications (ie form-/ > rule-based notification creation and validation, > notification review/authorization prior to distribution) I don't know of a way to review/authorize notifications before going out but it wouldn't exactly be hard to script and use with Nagios. > - handling feedback from notifications (handling customer > responses, tracking viewing and/or reading of notifications, > measuring effectiveness of notifications) Nagios doesn't do this. 
It can accept comments from admins responsible for a given system/service but that's it that I'm aware of. Tracking feedback sounds more like a ticketing system to me. > - other important features? Nagios has numerous useful features. One of the most useful features is failure notification escalation. 'An email about an outage sent to the sysadm responsible for the mail system go unanswered (ie the problem still exists and hasn't been acknowledged)? Escalate it. Page the on-call pager and let whoever is on-call call the responsible admin on the telephone.' Very handy feature. IMHO I think Nagios fits most of the specifications the requesting person wants. Justin
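The escalation behaviour Justin describes (repeat notices to the responsible admin, then page on-call once the problem has gone unanswered, stop once it is acknowledged) as a small simulation. This is an added example, not code from the post or from Nagios itself; the rule shape (first/last notification numbers, 0 meaning "and every one after") is modelled on the Nagios escalation object as an assumption, and the contacts and timings are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Escalation:
    """Escalation rule in the style of a Nagios serviceescalation object
    (assumed structure, not Nagios's own code): it takes over notifications
    numbered first..last; last == 0 means 'and every one after'."""
    first: int
    last: int
    contacts: tuple


# Constructed policy matching the scenario in the post: the mail admin gets
# the first two notices; from the third unanswered notice on, the on-call pager.
DEFAULT_CONTACTS = ("mail-admin@example.invalid",)
POLICY = (Escalation(first=3, last=0, contacts=("oncall-pager@example.invalid",)),)


def contacts_for(notification_number, policy=POLICY, default=DEFAULT_CONTACTS):
    """Who receives the n-th notification for a problem that is still unacknowledged.
    A matching escalation replaces the default contacts; otherwise the defaults apply."""
    chosen = tuple(
        contact
        for rule in policy
        if rule.first <= notification_number
        and (rule.last == 0 or notification_number <= rule.last)
        for contact in rule.contacts
    )
    return chosen or default


def notification_timeline(duration_min, interval_min=30, ack_at=None, policy=POLICY):
    """Simulate re-notification every interval_min minutes while the outage lasts.
    Acknowledging the problem (ack_at, in minutes from the first notice) stops
    all further notices. Returns a list of (minute, contacts) pairs."""
    timeline = []
    number, minute = 1, 0
    while minute <= duration_min:
        if ack_at is not None and minute >= ack_at:
            break
        timeline.append((minute, contacts_for(number, policy)))
        number += 1
        minute += interval_min
    return timeline


if __name__ == "__main__":
    # Two-hour outage nobody acknowledges: the pager takes over at the third notice.
    for minute, who in notification_timeline(120):
        print(f"t+{minute:3d} min -> {', '.join(who)}")
    # Same outage acknowledged after 45 minutes: only the first two notices go out.
    print(notification_timeline(120, ack_at=45))
```

The point of separating `contacts_for` from the timeline is that the "who" decision depends only on the notification count, which is exactly what lets the policy be audited independently of timing.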
Re: VeriSign SMTP reject server updated
Matt Larson wrote: In response to this feedback, we have deployed an alternate SMTP implementation using Postfix that should address many of the concerns we've heard. Like snubby, this server rejects any mail sent to it (by returning 550 in response to any number of RCPT TO commands). Matt, The problem is that some systems have a specially formatted response message that they send to their users under certain conditions. For example, commonly used Exchange servers will send User unknown for any 550 issued on a RCPT command, whereas they would inform the user that the domain did not exist for nxdomain. I have heard that these messages were also sent back in the proper language. How will users of such systems know if it was a recipient issue or a domain issue? Granted, part of this problem in the example is the smtp implementation (which any abuse desk will tell you that it is aggravating to get a call about a "User unknown" message when a Security Policy 550 5.7.1 was issued with comment). Of course, mail is the least of concerns. There are millions of programs written that check for NXDOMAIN. A lot of this software cannot readily be changed to recognize the wildcard, requiring recursors to be patched; which is almost as repulsive as the wildcard to begin with. Here's just 2 commonly used applications, whose output has changed which will break many expect scripts and then some. $ ftp jkfsdkjlsfkljsf.com ftp: connect: Connection refused ftp> quit $ ftp jklfskjlsfljks.microsoft.com jklfskjlsfljks.microsoft.com: unknown host ftp> quit $ telnet jlkfsjklsfjklsfd.com Trying 64.94.110.11... ^C$ telnet jksfljksfdljkfs.microsoft.com jksfljksfdljkfs.microsoft.com: Unknown host -Jack
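The breakage Jack shows above comes from a zone answering random names with an address instead of NXDOMAIN. The check below, added here and not taken from the post or from any project, does two defensive things: it probes a zone with random labels to detect that a wildcard is in effect, and it shows how an application that tests for NXDOMAIN can treat a known sink address as "unknown host" again. The only real value used is the 64.94.110.11 address from the quoted telnet output; the `canned_resolver` is a constructed stand-in for the 2003 behaviour so the example runs offline, and `resolve` is injectable so the same functions work against the system resolver.

```python
import random
import socket
import string

# The address the wildcard answered with in the telnet session quoted above.
# Any other sink an operator observes can be added to this set.
KNOWN_WILDCARD_SINKS = frozenset({"64.94.110.11"})


def random_label(length=24):
    """A label that is, for practical purposes, certain to be unregistered."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))


def detect_wildcard(zone, resolve=socket.gethostbyname, probes=3):
    """Probe `zone` with several random names. A correctly run zone answers
    NXDOMAIN (gethostbyname raises socket.gaierror); a zone with a wildcard
    answers every probe with the same address. Returns (is_wildcard, sink)."""
    answers = set()
    for _ in range(probes):
        try:
            answers.add(resolve(f"{random_label()}.{zone}"))
        except socket.gaierror:
            return False, None  # NXDOMAIN: the expected answer for a random name
    if len(answers) == 1:
        return True, answers.pop()
    return False, None  # differing answers: not a simple wildcard, report nothing


def lookup(name, resolve=socket.gethostbyname, sinks=KNOWN_WILDCARD_SINKS):
    """What an application that relies on NXDOMAIN needs instead of a bare
    gethostbyname: a known wildcard sink is mapped back to 'unknown host'
    (None), so ftp/telnet-style code can keep its existing error path."""
    try:
        addr = resolve(name)
    except socket.gaierror:
        return None
    if addr in sinks:
        return None
    return addr


def canned_resolver(name):
    """Constructed stand-in for the behaviour in the quoted output: random
    names under .com resolve to the sink, while a properly delegated zone
    (microsoft.com here) still returns NXDOMAIN."""
    if name.endswith(".microsoft.com"):
        raise socket.gaierror(-2, "Name or service not known")
    if name.endswith(".com"):
        return "64.94.110.11"
    raise socket.gaierror(-2, "Name or service not known")


if __name__ == "__main__":
    print(detect_wildcard("com", canned_resolver))            # (True, '64.94.110.11')
    print(detect_wildcard("microsoft.com", canned_resolver))  # (False, None)
    print(lookup("jlkfsjklsfjklsfd.com", canned_resolver))    # None: treated as unknown host
```

Run against the live resolver by leaving `resolve` at its default; the sink set is the piece an operator has to maintain, since a synthesised answer is indistinguishable from a real one at the protocol level.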
Re: Windows updates and dial up users
--On Monday, September 22, 2003 12:41 PM +0100 Richard Cox <[EMAIL PROTECTED]> wrote: On 22 Sep 2003 10:45 "Stephen J. Wilcox" <[EMAIL PROTECTED]> wrote: | What if MS included something in the Windows Update that gave the user | the option of calling a toll-free number operated by MS for the purpose | of downloading.. ? Toll free - in many cases international - with 56k lines max for dialup and many way below that, would - given the filesizes typically used in WindowsUpdate - be a very costly call for Microsoft. And there'd be rather a lot of them, so you can be sure that M$ would be recovering those $ from somebody. Most probably (current and future) users. I have NO problem with that. Micr0$0ft should start bearing the costs of their brokenness. If they choose to pass that on to their end users, then that is a business decision they can make as a business. Hopefully when the true cost of Windows becomes part of the price tag, Windows users will wake up and realize it's too expensive. WindowsUpdate would presumably refuse to update pirated copies of the software, but pirate copies of the software will still be just as open to the vulnerabilities that have been, and continue to be, discovered. I have heard from multiple sources that this is not true. I suspect Micr0$0ft doesn't have the ability to reliably determine the difference between a pirated copy of Windows and the same serial number being reinstalled and repatched multiple times. Oddly enough the biggest killer of all will not be any of this, but the fact that most people will be unwilling for their single phone line to be tied up and unusable for the length of time each update will take. And then repeat that every month or so.. Yep. Owen
Re: Windows updates and dial up users
Realise that this would require MS to take responsibility for putting out bad code. That's quite unlikely, IMO. Hmm no, they dont have to take that approach, they currently provide updates as part of their license agreement to users, this would just be an enhancement of their existing facility offering a new level of security whereby users can gain access to critical updates without putting their machines at risk by connecting to the global Internet... Actually, they don't, and, that's probably why they don't want others redistributing their patch software. If you run Windows update, you have to agree to half a dozen additional and supplemental EULAs before you can actually get your software patched. (I carefully had someone else agree on the one Windows system I have to cope with so that _I_ am still not a party to a Micr0$0ft EULA). It would be an enhancement for the users, but, for Micr0$0ft, it's all about the EULA, and, if it is distributed on CD, it's much harder for them to enforce the "you must agree to the supplemental EULA" provisions. Owen
Re: Windows updates and dial up users
Ok then different idea, assuming that we're all agreed its MS's responsibility to ensure users are patched promptly and without extra cost to the end user. The problem is that while we agree, Micr0$0ft does not. They feel they should have no "responsibility" whatsoever to the end user beyond cheerfully refunding their money if they decide to stop using Windows. They are of the opinion that they are patching these things out of the goodness of their heart as a favor and in the interests of above-and-beyond customer service. I do not understand why people continue to do business with such an arrogant self-serving organization which has repeatedly demonstrated a completely amoral approach to business. Just my opinion. Owen
RE: When is Verisign's registry contract up for renewal
The webpage was very 'thrown together' so we could get to work on actually getting the servers built. Our policy is to provide clean versions of the COM and NET zones. Minus all of VeriSign's hackery. If you register a .com domain, it will appear in our zone, if you don't renew one, it disappears. We plan to mimic exactly how a responsible TLD operator should work. We don't want to change the world, we don't want to expand the number of TLDs, and we really don't even want to run a root. The root we are (temporarily) running is just a hack to allow people to access our gTLD zones, everything else is pointed to *.root-servers.net. At this point, nothing really works. But we hope to have it operational within the next week. If you don't like it, don't use it. This is the last post about this you'll see on NANOG from me about it. -Mike -Original Message- From: Stephane Bortzmeyer [mailto:[EMAIL PROTECTED] Sent: Monday, September 22, 2003 4:44 AM To: Mike Damm Cc: 'Jared Mauch '; '[EMAIL PROTECTED] ' Subject: Re: When is Verisign's registry contract up for renewal On Sun, Sep 21, 2003 at 07:53:19AM -0700, Mike Damm <[EMAIL PROTECTED]> wrote a message of 63 lines which said: > This sort of not-for-profit is exactly what I proposed when the VeriSign > discussion started. A non-technical response to a non-technical problem. > Since my initial email, I've recruited a few other NANOG folks and put up a > website: www.alt-servers.org. In what way is your proposal different from the other "alternative roots" (such as ORSC, www.open-rsc.org)? All of them are facing the same problem: we don't like ICANN's policies, OK, but what are ours? Do we redelegate .md? Do we give .com to someone else? To whom? Do we delegate .god to the jerk that just asked? I'm not aware of any serious policy work from any of the alternative roots: they just claim that they work very hard but they never explain the details. 
You claim to have working servers already (the easiest part) but you say nothing about your policy...
Re: Providers removing blocks on port 135?
Andy Walden wrote: I'm not necessarily making a statement one way or the other on port 25 filtering, but SMTP Auth, when properly configured and protected against brute force attacks is certainly a useful thing. YMMV of course. Keyloggers are popular in the same viruses that install open proxies. :) -Jack
Re: Windows updates and dial up users
On Mon, 22 Sep 2003 10:45:13 -, "Stephen J. Wilcox" said: > Ok then different idea, assuming that we're all agreed its MS's responsibility > to ensure users are patched promptly and without extra cost to the end user. You agree. I agree. Microsoft doesn't agree, and based on the fact that the user presumably agreed to the EULA as phrased, the users don't either. After all, if the users didn't like the current support, they're free to change vendors. ;) pgp0.pgp Description: PGP signature
Re: Operations notification manager software
Thus spake Stephane Bortzmeyer ([EMAIL PROTECTED]) [22/09/03 08:26]: > > > What software is available/recommended for NOC contact > > > management? > > > > I've used Nagios (formerly NetSaint) in the past and have been very > > impressed with it. > > I used Nagios and I fail to see what's the connection with the > original question? It seems the original poster is looking for > something like RequestTracker <http://www.bestpractical.com/rt/> > instead. Ummm... I'm not sure that RT is what you want, either. Out-of-the-box, RT is a Ticketing system, not a Contact Management system. Though I realise that it could probably be hacked to provide such a functionality... I think between the two of them (Nagios and RT), you would have a chunk of the requested functionality taken care of. But you still don't have the Contact Management part, without a little bit of work.
RE: Need help with Ex-Pat project
Thank you to all who replied. I still need some more help, if you know anyone please have them email me directly. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas S. Peeples Sent: Monday, September 15, 2003 11:55 AM To: [EMAIL PROTECTED] Subject: Need help with Ex-Pat project I am helping on several areas for the design, testing, and deployment of a Metro Ethernet network (based on MPLS) in the Pacific rim. If you or if you know anyone interested in working over seas for a year or so drop me an email with contact information. Cheers, Doug Peeples
Re: Windows updates and dial up users
Microsoft already does this, it is their TechNet program. They include all service packs and updates. Unfortunately, they charge a whopping pile for the service, beyond the reach of most home/dial users. Jerry ---Original Message--- From: Stephen J. Wilcox Date: Monday, September 22, 2003 07:27:10 To: Roy Bentley Cc: [EMAIL PROTECTED]; Sean Donelan; [EMAIL PROTECTED] Subject: Re: Windows updates and dial up users On Mon, 22 Sep 2003, Roy Bentley wrote: > Stephen J. Wilcox said: > > On Sun, 21 Sep 2003 [EMAIL PROTECTED] wrote: > >> On Sun, 21 Sep 2003 18:25:50 EDT, Sean Donelan <[EMAIL PROTECTED]> said: > >> > >> > "I recently put this suggestion to Microsoft and their response basically > >> > avoided the whole issue. Why wouldn't the company want to offer such a > >> > CD, assuming that's the motivation behind their stonewalling?" > >> > >> It would cost money to produce and ship a new CD on a frequent enough basis > >> for it to do any good. Consider that we're seeing worms within 4 weeks of > >> the patch coming out. How many CD duplicating places are willing to take > >> on a multi-million run with a 1-2 week turn-around, once a month, every > >> month? > > > > Ok then different idea, assuming that we're all agreed its MS's > > responsibility to ensure users are patched promptly and without extra cost > > to the end user. > > > > Its not a problem patching on a dialup, it just takes longer, this may put > > people off when they see their computer tell them its going to take 3 hours > > to download and theyre paying per minute on the call > > > > What if MS included something in the Windows Update that gave the user the > > option of calling a toll-free number operated by MS for the purpose of > > downloading.. ? > > Realise that this would require MS to take responsibility for putting out > bad code. That's quite unlikely, IMO. 
Hmm no, they dont have to take that approach, they currently provide updates as part of their license agreement to users, this would just be an enhancement of their existing facility offering a new level of security whereby users can gain access to critical updates without putting their machines at risk by connecting to the global Internet... Steve .
Re: Verisign's Threat to Infrastructure Stability
On Mon, 22 Sep 2003, Niels Bakker wrote: > Root server operators aren't the droids you're looking for. The net and > com TLDs are just that - TLDs, not the root zone; they're in the root > zone because they're TLDs but authority has been delegated away from the > root server operators. Yes, I think most understood from the start we're talking about root TLDs (top-level domains) and not root servers. And the particular concern is not that TLD operators may be entities with high commercial interest in those TLDs - I have no problem with this for NEW tlds (BIZ, INFO, etc) if from the start it's understood how they would be operated and I can have a choice to register a domain there or not. The problem is with .COM, .NET, .ORG (and in part with .US) - these are original TLDs on which the net was built and they were set up by ARPANET/NSF -> US DOC before the existence of ICANN and entrusted to be operated by NSI as one of the core services of the internet (like dns root servers, etc). They were from the start services operated as a public trust or similar and when ICANN was being set up - it was also set up as a kind of public trust non-commercial organization in charge of internet core services (please, don't start debates here on how "non-commercial" and "public" they are). The arrangement was then made that separated the then commercialized and highly profitable domain registrar business from the core registry (only in charge of keeping the actual tld registry functioning as a service to registrars). Again you can see the idea of keeping the core services as a separate public trust here while providing enough opportunities to run a profitable business on top of it (remember the $35/domain verisign had been charging originally...) NSI is specifically required by the agreements they made to run registry services completely separate from the registrar and this was the basis of the agreement that allowed them to continue to be both registrar and registry for .com / .net / .org domains. 
And when charges of $6 were decided on for registry operations for each domain, NSI was specifically asked to calculate the real cost of providing core registry services; they were trying to get away from answering this question even then but I do believe US DOC forced them to provide enough data to be able to calculate that $6 would be more than enough to keep the registry business running. If this is not so now (which is seen by the fact that now NSI is trying to find ways to make additional revenue out of the registry), then NSI would need to go to ICANN and DoC and show them that operating the registry is not profitable for them and then they can negotiate a new appropriate fee for such services, or ICANN can invite other companies to bid on providing the same services at the costs ICANN finds acceptable or smaller and operated as a public trust to the community. I personally think the best way to do this is for ICANN itself to set up two new non-commercial entities to operate .COM and .NET (.ORG is already with PIR) and require these entities to provide annual reports to ICANN (and to the public) on how much money is being spent on operations, etc. If they have a positive revenue from the services, this should go to a special reserve (part of that used possibly for grants for internet research like NSF was doing originally) and the amount of fees charged adjusted to more closely reflect the real cost of operations. Of course I'm just dreaming here talking about this perfect world order, etc... (especially considering we could not even get ICANN to provide complete details of their financial activities...). 
But in any case, the point is that just like .COM .NET were originally operated as a public trust (and yes, I have a couple of domains I registered before I was being charged any fees for it and agreed to any commercial agreements now introduced by NSI, etc) this should be continued now and NSI should not be allowed to use their registry services for commercial activities going beyond what is necessary to keep the TLD registry running. Sorry about the long letter... -- William Leibzon Elan Networks [EMAIL PROTECTED]
Re: Operations notification manager software
On Mon, Sep 22, 2003 at 12:23:35AM -0500, Justin Shore <[EMAIL PROTECTED]> wrote a message of 20 lines which said: > > What software is available/recommended for NOC contact > > management? > > I've used Nagios (formerly NetSaint) in the past and have been very > impressed with it. I used Nagios and I fail to see what's the connection with the original question? It seems the original poster is looking for something like RequestTracker <http://www.bestpractical.com/rt/> instead.
[Administrativia] Posting rules: are messages silently dropped?
Messages I send from an email address which is not subscribed to nanog-post are apparently silently dropped. I do not receive a bounce (like it is typically the case when a list is closed) but, according to the archives, they are not distributed either (which may be good for the S/N ratio but I digress). Isn't it too harsh? http://www.nanog.org/email.html> explains how to post but does not mention what happens to posts from non-subscribers.
Re: Riverhead or Lancope?
I have been using Lancope for almost two years. They have developed a very effective complementary approach to the signature based systems I have been evaluating (SNORT, ISS, SOURCEFIRE, CISCO) and using. The latest software release has also provided a number of key enhancements that allow the tool not only to be a NIDS, but a great network auditing and troubleshooting tool as well. \michael martin --- John Obi <[EMAIL PROTECTED]> wrote: > > Nanogers, > > Did you ever test Riverhead or Lancope? I know > rackspace uses one or both of them. > > Are they good products and worth the try? > > Can they really decrease the DDoS damage? > > Are they better than CISCO products? > > Are there any tips? > > Thanks, > > -J > > __ > Do you Yahoo!? > Yahoo! SiteBuilder - Free, easy-to-use web site > design software > http://sitebuilder.yahoo.com
Re: Windows updates and dial up users
On 22 Sep 2003 10:45 "Stephen J. Wilcox" <[EMAIL PROTECTED]> wrote: | What if MS included something in the Windows Update that gave the user | the option of calling a toll-free number operated by MS for the purpose | of downloading.. ? Toll free - in many cases international - with 56k lines max for dialup and many way below that, would - given the filesizes typically used in WindowsUpdate - be a very costly call for Microsoft. And there'd be rather a lot of them, so you can be sure that M$ would be recovering those $ from somebody. Most probably (current and future) users. WindowsUpdate would presumably refuse to update pirated copies of the software, but pirate copies of the software will still be just as open to the vulnerabilities that have been, and continue to be, discovered. Oddly enough the biggest killer of all will not be any of this, but the fact that most people will be unwilling for their single phone line to be tied up and unusable for the length of time each update will take. And then repeat that every month or so.. -- Richard
Re: Windows updates and dial up users
On Mon, 22 Sep 2003, Roy Bentley wrote: > Stephen J. Wilcox said: > > On Sun, 21 Sep 2003 [EMAIL PROTECTED] wrote: > >> On Sun, 21 Sep 2003 18:25:50 EDT, Sean Donelan <[EMAIL PROTECTED]> said: > >> > >> > "I recently put this suggestion to Microsoft and their response basically > >> > avoided the whole issue. Why wouldn't the company want to offer such a > >> > CD, assuming that's the motivation behind their stonewalling?" > >> > >> It would cost money to produce and ship a new CD on a frequent enough basis > >> for it to do any good. Consider that we're seeing worms within 4 weeks of > >> the patch coming out. How many CD duplicating places are willing to take > >> on a multi-million run with a 1-2 week turn-around, once a month, every > >> month? > > > > Ok then different idea, assuming that we're all agreed its MS's > > responsibility to ensure users are patched promptly and without extra cost > > to the end user. > > > > Its not a problem patching on a dialup, it just takes longer, this may put > > people off when they see their computer tell them its going to take 3 hours > > to download and theyre paying per minute on the call > > > > What if MS included something in the Windows Update that gave the user the > > option of calling a toll-free number operated by MS for the purpose of > > downloading.. ? > > Realise that this would require MS to take responsibility for putting out > bad code. That's quite unlikely, IMO. Hmm no, they dont have to take that approach, they currently provide updates as part of their license agreement to users, this would just be an enhancement of their existing facility offering a new level of security whereby users can gain access to critical updates without putting their machines at risk by connecting to the global Internet... Steve
Re: Verisign's Threat to Infrastructure Stability
* [EMAIL PROTECTED] (Curt Akin) [Mon 22 Sep 2003, 01:04 CEST]: > FWIW: > > To: The Department of Homeland Security > Sent (via dhs.gov site form) > Dated: 21 Sep 2003 14:24:37 - [..] > > DHS would be well advised to consider the potential threat that > Internet unpredictability has on this country's cyber infrastructure > and to seriously consider the relocation of root server responsibility > to non-profit-motive-driven organizations. > > We are all too busy maintaining stable environments to have to > consider reactions and countermeasures to Verisign's autonomous and > arrogant behavior. Root server operators aren't the droids you're looking for. The net and com TLDs are just that - TLDs, not the root zone; they're in the root zone because they're TLDs but authority has been delegated away from the root server operators. Root server operators take their hints from IANA, already a non-profit. See http://www.root-servers.org/> for a list of current root servers and their operators. Note that very few are corporations, so your call for action from the DHS is rather misplaced in this respect. Just to clarify (again). -- Niels. -- "The time of getting fame for your name on its own is over. Artwork that is only about wanting to be famous will never make you famous. Any fame is a bi-product of making something that means something. You don't go to a restaurant and order a meal because you want to have a shit." -- Banksy
Re: Windows updates and dial up users
Stephen J. Wilcox said: > > On Sun, 21 Sep 2003 [EMAIL PROTECTED] wrote: > >> On Sun, 21 Sep 2003 18:25:50 EDT, Sean Donelan <[EMAIL PROTECTED]> said: >> >> > "I recently put this suggestion to Microsoft and their response >> basically >> > avoided the whole issue. Why wouldn't the company want to offer such a >> CD, >> > assuming that's the motivation behind their stonewalling?" >> >> It would cost money to produce and ship a new CD on a frequent enough >> basis >> for it to do any good. Consider that we're seeing worms within 4 weeks >> of the >> patch coming out. How many CD duplicating places are willing to take on >> a multi-million run with a 1-2 week turn-around, once a month, every >> month? > > Ok then different idea, assuming that we're all agreed its MS's > responsibility > to ensure users are patched promptly and without extra cost to the end > user. > > Its not a problem patching on a dialup, it just takes longer, this may put > people off when they see their computer tell them its going to take 3 > hours to > download and theyre paying per minute on the call > > What if MS included something in the Windows Update that gave the user the > option of calling a toll-free number operated by MS for the purpose of > downloading.. ? > > Steve > Realise that this would require MS to take responsibility for putting out bad code. That's quite unlikely, IMO.
Re: Riverhead or Lancope?
On Monday 22 September 2003 11:13, John Obi wrote: > Nanogers, > > Did you ever test Riverhead or Lancope? I know > rackspace uses one or both of them. > > Are they good products and worth the try? We use Riverhead at IIUCC/ILAN (AS378) to protect the .il root name servers, it has been active for a few months, and seems to work well. Maybe Hank will comment on this as well. --Aroel > > Can they really decrease the DDoS damage? > > Are they better than CISCO products? > > Are there any tips? > > Thanks, > > -J > > __ > Do you Yahoo!? > Yahoo! SiteBuilder - Free, easy-to-use web site design software > http://sitebuilder.yahoo.com -- -- Ariel Biener e-mail: [EMAIL PROTECTED] PGP(6.5.8) public key http://www.tau.ac.il/~ariel/pgp.html
Re: ICANN asks VeriSign to pull redirect service
I agree. In addition I'm not convinced that operation of each gTLD cannot be carried out by more than one organisation. The only requirement is to ensure the uniqueness of the data; there are multiple ways of achieving this without having to elect someone as the master.. Steve On Sun, 21 Sep 2003, John Brown wrote: > > and now that Verisign is also not allowing zone file access, > another breach of their contract with ICANN, I think ICANN > should send them a Notice of Breach and Intent to Revoke Registry Status > > Issue the operation of .NET to Non-Profit A > Issue the operation of .COM to Non-Profit B > > Of which one should be ISC. > > but thats just my uneducated thoughts. > > > > On Sun, Sep 21, 2003 at 11:12:14PM -0400, Haesu wrote: > > > > It's been about 2 days since ICANN requested Verisign to stop breaking. > > > > http://www.icann.org/announcements/advisory-19sep03.htm > > > > Recognizing the concerns about the wildcard service, ICANN has called > > upon VeriSign to voluntarily suspend the service until the various > > reviews now underway are completed. > > > > -hc > > > > -- > > Haesu C. > > TowardEX Technologies, Inc. > > Consulting, colocation, web hosting, network design and implementation > > http://www.towardex.com | [EMAIL PROTECTED] > > Cell: (978)394-2867 | Office: (978)263-3399 Ext. 174 > > Fax: (978)263-0033 | POC: HAESU-ARIN > > > > On Sun, Sep 21, 2003 at 10:42:37PM -0400, Eric Germann wrote: > > > > > > http://msnbc-cnet.com.com/2100-1024_3-5079768.html?part=msnbc-cnet&tag=alert > > > &form=feed&subj=cnetnews > > > > > > "The agency that oversees Internet domain names has asked VeriSign to > > > voluntarily suspend a new service that redirects Web surfers to its own site > > > when they seek to access unassigned Web addresses, rather than return an > > > error message. 
" > > > > > > > > > > > > == > > > Eric Germann CCTec > > > [EMAIL PROTECTED] Van Wert OH 45891 > > > http://www.cctec.com Ph: 419 968 2640 > > > Fax: 603 825 5893 > > > > > > "The fact that there are actually ways of knowing and characterizing the > > > extent of one's ignorance, while still remaining ignorant, may ultimately be > > > more interesting and useful to people than Yarkovsky" > > > > > > -- Jon Giorgini of NASA's Jet Propulsion Laboratory > > > > > >
Re: Windows updates and dial up users
On Sun, 21 Sep 2003 [EMAIL PROTECTED] wrote: > On Sun, 21 Sep 2003 18:25:50 EDT, Sean Donelan <[EMAIL PROTECTED]> said: > > > "I recently put this suggestion to Microsoft and their response basically > > avoided the whole issue. Why wouldn't the company want to offer such a CD, > > assuming that's the motivation behind their stonewalling?" > > It would cost money to produce and ship a new CD on a frequent enough basis > for it to do any good. Consider that we're seeing worms within 4 weeks of the > patch coming out. How many CD duplicating places are willing to take on > a multi-million run with a 1-2 week turn-around, once a month, every month? Ok then different idea, assuming that we're all agreed its MS's responsibility to ensure users are patched promptly and without extra cost to the end user. Its not a problem patching on a dialup, it just takes longer, this may put people off when they see their computer tell them its going to take 3 hours to download and theyre paying per minute on the call What if MS included something in the Windows Update that gave the user the option of calling a toll-free number operated by MS for the purpose of downloading.. ? Steve
Re: Windows updates and dial up users
On Sun, 21 Sep 2003, Sean Donelan wrote: > "It occurred to me that one way to make things easier for dial-up users, > and even broadband users in many cases, would be to issue periodic update > CDs. Imagine a disc with all of the updates on it and a program, it could > even be written in Windows Script Host, to check a system for which > updates need to be installed, apply them in the correct order and even > reboot in between. Such a program would not be hard to write." > > [...] > > "I recently put this suggestion to Microsoft and their response basically > avoided the whole issue. Why wouldn't the company want to offer such a CD, > assuming that's the motivation behind their stonewalling?" From this month's issue of /PC Pro/ magazine (UK, Issue 109) : "please accept our apologies for the lack of Microsoft patches or DirectX on our cover discs. Microsoft US has banned the inclusion of any of its code on magazine discs. Presumably, the company assumes we all have broadband to download up to 166MB for DirectX 9b or 134MB for Windows XP Service Pack 1a." And that's without mentioning the mean-time-till-infection of an unpatched system, of course... Regards, Jonathan
Re: VeriSign SMTP reject server updated
On Mon, 22 Sep 2003 10:42:51 +0100 [EMAIL PROTECTED] wrote:

| Meanwhile, I would have diverted a copy of the mailserver
| communications at the Ethernet switch to a secret server that
| does the actual logging of addresses and messages.
|
| Son of Carnivore?

Son? or Brother?

See: http://lists.insecure.org/lists/politech/2002/Oct/0009.html

--
Richard
Re: VeriSign SMTP reject server updated
>> Wrong protocol. There should be *NO* SMTP transactions for
>> non-existent domains.

>After being bit by this over the weekend I would have to agree, due to
>a screwup at netSOL a company's domain I manage was resolving to their
>sitefinder service, and all mail just went *poof*.

At any time, Verisign could remove your .COM domain from their DNS for a short period of time which would result in all of your inbound email going to the Verisign collector servers. If this was only done for a brief interval, say 10 minutes, you might never notice that it had happened. But Verisign's industrial espionage department would have your email in their hands and could do whatever they wish with it. How profitable might that be?

Of course, the right way to do this would be to resend the email onward so that you never notice any missing messages at all.

In fact, if I were designing the system to do this, I wouldn't log anything at the mailserver. I'd let the mail server and web server technical folks have plausible deniability. Meanwhile, I would have diverted a copy of the mailserver communications at the Ethernet switch to a secret server that does the actual logging of addresses and messages.

Son of Carnivore?

--Michael Dillon
Re: VeriSign SMTP reject server updated
>before we deployed root-delegation-only here, i was also annoyed that my
>e-mail tool could not tell me about misspelled domain names at "send" time
>and i had to wait for the wildcard mail servers to bounce the traffic.

In other words, Verisign is actually increasing the amount of misspelled domain name traffic by sabotaging the spell-checking feature of your email program. Under normal circumstances you would have noticed your error and corrected it before sending the email.

This implies that Verisign could be collecting a much larger number of valid email addresses by logging these seemingly misspelled domain names and then "correcting" the misspelling by closest match against the .COM database. This would be an immensely valuable list for spammers to acquire, whether they do it by paying Verisign or by infiltrating the company to steal it.

And don't pay any attention to Matt Larson's comments regarding logging. If he is unable to shut off the wildcard redirection then he has no say over what data is collected and what is done with it. Verisign could easily reassign him with a promotion and then turn on the logging and collection of email addresses.

We already know that this company is unscrupulous and not to be trusted. In future we need to ensure that the registry operating the .COM domain works under some sort of contract that controls how they function. This is a public resource that we ourselves have created and not a commercial asset to be milked for profit.

--Michael Dillon
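An added example, not code from the thread or from BIND: a resolver wrapper that probes the parent zone with random labels and, when the queried name returns the same address set the wildcard hands out, reports it as NXDOMAIN again, which is the send-time misspelling check the quoted message says the wildcard broke. The resolver callable, the answer table and the 192.0.2.x addresses are constructed here so it runs offline.

```python
import secrets
from typing import Callable, Dict, List, Optional

# Resolver is injected so the check can run against a constructed table offline.
Resolver = Callable[[str], Optional[List[str]]]  # None stands for NXDOMAIN

def parent_zone(name: str) -> str:
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else ""

def wildcard_targets(zone: str, resolve: Resolver, probes: int = 2) -> Optional[set]:
    """Resolve random labels that cannot plausibly be registered under `zone`.
    If every probe yields the same address set, a wildcard is synthesizing
    answers and that set is returned; a genuine NXDOMAIN returns None."""
    seen = None
    for _ in range(probes):
        answer = resolve(f"nxprobe-{secrets.token_hex(8)}.{zone}")
        if not answer:
            return None
        if seen is not None and set(answer) != seen:
            return None  # inconsistent answers: not a simple wildcard
        seen = set(answer)
    return seen

def is_synthesized(name: str, resolve: Resolver) -> bool:
    """True when `name` resolves only because of a wildcard in its parent zone.
    Caveat: a registered name that points at the wildcard's own address is
    indistinguishable from a synthesized one by this test."""
    answer = resolve(name)
    if not answer:
        return False
    targets = wildcard_targets(parent_zone(name), resolve)
    return targets is not None and set(answer) == targets

def effective_resolve(name: str, resolve: Resolver) -> Optional[List[str]]:
    """Resolver wrapper: synthesized answers are reported as NXDOMAIN again,
    which is what an MTA or mail client needs to reject a misspelled domain."""
    answer = resolve(name)
    return None if answer and is_synthesized(name, resolve) else answer

# Constructed answer table standing in for a TLD that carries a wildcard A record.
# Addresses are documentation-range placeholders, not real ones.
FAKE_TABLE: Dict[str, List[str]] = {
    "example.com": ["192.0.2.10"],  # a registered name
    "*.com": ["192.0.2.250"],       # what the wildcard hands back for anything else
}

def fake_resolver(name: str) -> Optional[List[str]]:
    if name in FAKE_TABLE:
        return FAKE_TABLE[name]
    return FAKE_TABLE.get("*." + parent_zone(name))  # None outside the wildcarded zone
```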
Riverhead or Lancope?
Nanogers,

Did you ever test Riverhead or Lancope? I know rackspace uses one or both of them. Are they good products and worth the try? Can they really decrease the DDoS damage? Are they better than CISCO products? Are there any tips?

Thanks,

-J
Re: When is Verisign's registry contract up for renewal
> DNS piracy is DNS piracy

if Verisign gets away with it others will have a go too

brandon