Re: .ORG DNS Problem?

2004-06-24 Thread Adam Kujawski 

Seems to be working fine now:

% dig nanog.org ns +trace

;  DiG 9.2.2-P3  nanog.org ns +trace
;; global options:  printcmd
.   298767  IN  NS  C.ROOT-SERVERS.NET.
.   298767  IN  NS  D.ROOT-SERVERS.NET.
.   298767  IN  NS  E.ROOT-SERVERS.NET.
.   298767  IN  NS  F.ROOT-SERVERS.NET.
.   298767  IN  NS  G.ROOT-SERVERS.NET.
.   298767  IN  NS  H.ROOT-SERVERS.NET.
.   298767  IN  NS  I.ROOT-SERVERS.NET.
.   298767  IN  NS  J.ROOT-SERVERS.NET.
.   298767  IN  NS  K.ROOT-SERVERS.NET.
.   298767  IN  NS  L.ROOT-SERVERS.NET.
.   298767  IN  NS  M.ROOT-SERVERS.NET.
.   298767  IN  NS  A.ROOT-SERVERS.NET.
.   298767  IN  NS  B.ROOT-SERVERS.NET.
;; Received 404 bytes from 64.246.100.1#53(64.246.100.1) in 4 ms

org.172800  IN  NS  TLD1.ULTRADNS.NET.
org.172800  IN  NS  TLD2.ULTRADNS.NET.
;; Received 109 bytes from 192.33.4.12#53(C.ROOT-SERVERS.NET) in 9 ms

NANOG.ORG.  172800  IN  NS  DNS2.MERIT.NET.
NANOG.ORG.  172800  IN  NS  DNS.MERIT.NET.
NANOG.ORG.  172800  IN  NS  DNS3.MERIT.NET.
ORG.86400   IN  NS  TLD2.ULTRADNS.NET.
ORG.86400   IN  NS  TLD1.ULTRADNS.NET.
;; Received 180 bytes from 204.74.112.1#53(TLD1.ULTRADNS.NET) in 10 ms


-Adam

Quoting Adam Kujawski [EMAIL PROTECTED]:

 
 Anybody else having problems resolving .ORG domains via TLD1.ULTRADNS.NET
 (204.74.112.1) and TLD2.ULTRADNS.NET. (204.74.113.1). I'm seeing slow
 respones,
 or no responses.
 
 Traceroutes look fine:
 
 % tcptraceroute 204.74.112.1 53
 Selected device fxp0, address 64.246.100.1, port 55786 for outgoing packets
 Tracing the path to 204.74.112.1 on TCP port 53, 30 hops max
  1  fastethernet-0-0.angola-gw.amplex.net (64.246.100.126)  9.403 ms  7.361
 ms 
 9.148 ms
  2  dtrtmi1wce1-ser2-5-5.wcg.net (65.77.89.53)  9.801 ms  8.061 ms  9.917 ms
  3  brvwil1wcx2-pos14-1.wcg.net (64.200.240.33)  9.748 ms  8.341 ms  9.612
 ms
  4  chcgil9lcx1-pos6-0-oc48.wcg.net (64.200.103.118)  10.001 ms  9.172 ms 
 8.762 ms
  5  ge-4-3-0.r00.chcgil06.us.bb.verio.net (206.223.119.12)  9.646 ms  8.960
 ms 
 9.502 ms
  6  ge-0-3-0.r02.chcgil06.us.bb.verio.net (129.250.2.121)  9.323 ms  9.071 ms
 
 9.039 ms
  7  ge-1-1.a00.chcgil07.us.ra.verio.net (129.250.25.136)  9.848 ms  9.306 ms
 
 9.003 ms
  8  fa-2-1.a00.chcgil07.us.ce.verio.net (128.242.186.134)  9.679 ms  9.697 ms
 
 9.684 ms
  9  tld1.ultradns.net (204.74.112.1) [open]  10.296 ms  10.625 ms  9.537 ms
 
 
 -AND -
 
 
 % tcptraceroute 204.74.113.1 53
 Selected device fxp0, address 64.246.100.1, port 55792 for outgoing packets
 Tracing the path to 204.74.113.1 on TCP port 53, 30 hops max
  1  fastethernet-0-0.angola-gw.amplex.net (64.246.100.126)  5.402 ms  7.282
 ms 
 9.738 ms
  2  dtrtmi1wce1-ser2-5-5.wcg.net (65.77.89.53)  9.973 ms  7.958 ms  9.909 ms
  3  brvwil1wcx2-pos14-1.wcg.net (64.200.240.33)  9.800 ms  10.295 ms  8.835
 ms
  4  chcgil9lcx1-pos6-0-oc48.wcg.net (64.200.103.118)  8.878 ms  8.786 ms 
 9.187 ms
  5  fe9-2.IR1.Chicago2-IL.us.xo.net (206.111.2.149)  9.512 ms  8.964 ms 
 8.869 ms
  6  p5-0-0.RAR2.Chicago-IL.us.xo.net (65.106.6.137)  9.580 ms  9.214 ms 
 9.120 ms
  7  p4-1-0.MAR2.Chicago-IL.us.xo.net (65.106.6.154)  9.512 ms  10.285 ms 
 9.594 ms
  8  p15-0.CHR1.Chicago-IL.us.xo.net (207.88.84.14)  10.126 ms  9.517 ms 
 9.472 ms
  9  10.11.102.1 (10.11.102.1)  10.990 ms  9.808 ms  10.182 ms
 10  tld2.ultradns.net (204.74.113.1) [open]  9.933 ms  10.124 ms  9.778 ms
 
 
 Source IP for the traceroutes is 64.246.100.1.
 
 
 Dig's don't get very far:
 
 % dig nanog.org +trace
 
 ;  DiG 9.2.2-P3  nanog.org +trace
 ;; global options:  printcmd
 .   300086  IN  NS  C.ROOT-SERVERS.NET.
 .   300086  IN  NS  D.ROOT-SERVERS.NET.
 .   300086  IN  NS  E.ROOT-SERVERS.NET.
 .   300086  IN  NS  F.ROOT-SERVERS.NET.
 .   300086  IN  NS  G.ROOT-SERVERS.NET.
 .   300086  IN  NS  H.ROOT-SERVERS.NET.
 .   300086  IN  NS  I.ROOT-SERVERS.NET.
 .   300086  IN  NS  J.ROOT-SERVERS.NET.
 .   300086  IN  NS  K.ROOT-SERVERS.NET.
 .   300086  IN  NS  L.ROOT-SERVERS.NET.
 .   300086  IN  NS  M.ROOT-SERVERS.NET.
 .   300086  IN  NS  A.ROOT-SERVERS.NET.
 .   300086  IN  NS  B.ROOT-SERVERS.NET.
 ;; Received 388 bytes from 64.246.100.1#53

Re: dealing with w32/bagle

2004-03-03 Thread Adam Kujawski 

Quoting Dan Hollis [EMAIL PROTECTED]:

 
 I am curious how network operators are dealing with the latest w32/bagle 
 variants which seem particularly evil.

We are currenly blocking *all* .zip attachments as a short-term work around,
until we can modify our virus scanner to block only password-protected zip
files. If anybody has already modified amavisd-new to act in this way, I would
appreciate a hand. I'm *not* a perl person, and my first attempt at changing the
source code has not had the desired effect.

 Also, does anyone have tools for regexp and purging these mails from unix 
 mailbox (not maildir) mailspool files? Eg purging these mails after the 
 fact if they were delivered to user's mailboxes before your virus scanner 
 got a database update.

It seems that this virus uses a limited number of subject lines:

# E-mail account disabling warning.
# E-mail account security warning.
# Email account utilization warning.
# Important notify about your e-mail account.
# Notify about using the e-mail account.
# Notify about your e-mail account utilization.
# Warning about your e-mail account.

There's a script, expire_mail.pl, that's userful for this. It's available at
http://www.binarycode.org/cpan/scripts/mailstuff/expire_mail.pl. It can be used
as such:

/usr/local/bin/expire_mail.pl -verbose -noreset -subject [subject of message
containing virus] /var/mail/*

Of course, this won't work if/when the virus starts sending out emails with
randomized subjects. Let's hope the that the author isn't reading NANOG. :)

-Adam

Re: AOL rejecting mail from IP's w/o reverse DNS ?

2003-12-06 Thread Adam Kujawski 

Quoting Adam McKenna [EMAIL PROTECTED]:

 On Thu, Dec 04, 2003 at 04:59:59PM -0800, Crist Clark wrote:
$ORIGIN 168.50.204.in-addr.arpa.
$GENERATE 0-15 $ NS a.ns.$
$GENERATE 0-15 a.ns.$ A 204.50.168.2
  
  Is any harder than,
  
$ORIGIN 168.50.204.in-addr.arpa.
$GENERATE 0-15 CNAME $.0/28
0/28  NS  ns.mydomain.org.
 
 That's the whole point.  They are equivalent, but the former doesn't force 
 you to invent your own naming scheme or use CNAMES (if using A records in
 in-addr.arpa domains is distasteful, then imho using CNAMES is even more
 distasteful, not to mention RR's containing the / character).
 
 --Adam

Why bother with CNAMES or A records? Is there anything wrong with simply using
NS records for each adress? i.e.:

$ORIGIN 109.246.64.in-addr.arpa.
1NS ns1.customerA.com.
1NS ns2.customerA.com.
2NS ns1.customerA.com.
2NS ns2.customerA.com.
...
16   NS ns1.customerB.com.
16   NS ns2.customerB.com.
17   NS ns1.customerB.com.
17   NS ns2.customerB.com.

If the customer has a dozen name servers they want you to allocate reverse DNS
for, it could become unwieldy, but technically, is there anything wrong with
this setup?

-Adam

Re: Removal of wildcard A records from .com and .net zones

2003-10-03 Thread Adam Kujawski 

Quoting Matt Larson [EMAIL PROTECTED]:

 
 VeriSign was directed by ICANN to suspend the Site Finder service by
 0100 UTC on Sunday, October 5.  We requested an extension from ICANN
 to give more notice to the community but were denied. 

Since when does Verisign argue that the community should be given advanced
notice of drastic changes to the .com/.net zones?

Would anybody from Verisign like to explain how extended notice of the wildcard
removal would benefit the Internet community? I'm all ears.


-Adam

RE: Fun new policy at AOL

2003-08-30 Thread Adam Kujawski 

Quoting Vivien M. [EMAIL PROTECTED]:

 You seem to be misunderstanding the issue. Let's say you work at
 someplace.edu. You want to send mail from home. With the SPF-type schemes
 being discussed, your mail MUST come from someplace.edu's server.
 
 If someplace.edu won't set up an SMTP AUTH relay, what do you do? Your
 dialup account will let you use the dialup ISP's mail server... But your
 mail will get bounced because it's not something from someplace.edu.
 
 Hence, if no SMTP AUTH relay, you're screwed.

If someplace.edu understands the the basic idea being discussed, one might
assume that they wouldn't implement Jim Miller's idea until they've implemented
SMTP AUTH (or POP before SMTP) as well. If they don't know about / know how to
implement SMTP AUTH, they probably wouldn't bother to make the proper DNS
changes to make this idea work. One might also assume that if the MTA used by
someplace.edu implements Jim Miller's idea, said MTA is also is modern enough to
have support for SMTP AUTH. You may find those to be doubious assumptions, but I
don't think they're that unreasonable.

The only weakness I see is that spammers could find a domain that doesn't
implement Jim Miller's idea and forge mail in their name instead. So what if
hotmail.com implements the system? There are 100 million other domain names the
spammers could pick from. It's not a solution. It will slow the spammers down.
It will inconvenience them. It won't stop them. That doesn't mean it shouldn't
be done... just that it's not a panacea, and might not even be that effective.
(I wonder if I would get less SPAM if every SMTP server were still an open relay.)

By the way, a strengh of this idea that I haven't seen discussed here is that
such a system would cut down on the spread (and worthless bounce reports) of
current viruses that forge the From: header.

-Adam

Backbone Infrastructure and Secrecy

2003-07-08 Thread Adam Kujawski 

NANOG's Sean Gorman is in the news:

http://www.washingtonpost.com/wp-dyn/articles/A23689-2003Jul7.html

I would find GIS like the one described *very* usefull in finding transport 
providers. If I could see who has what where, I would know who to go to for 
quotes. As it stands, most of this information is hard to get ahold of.

Who, besides Sean, has maps like this? The state PUC? If so, is that 
information available to the public? Do you have to go thorugh a background 
check and/or sign an NDA? Or is it only the providers themselves that have the 
maps for this stuff?

-Adam

Re: [Backbone Infrastructure and Secrecy]

2003-07-08 Thread Adam Kujawski 

Quoting Joel Jaeggli [EMAIL PROTECTED]:

 The part that's striking to me, is that as usual, the folks in the
 industry don't know when their facilities are co-mingled, in part becuase
 that information simply isn't readily and easily available unless
 someone's willing to go out collect the small little bits and connect the
 dots... If that compartimentalization continues, then continginency
 planning just remains that much harder when no-one is in a position to
 make informed decisions.

Exactly. I think we all agree that this kind of information would be usefull 
for a variety of reasons (locating available resources, ensuring path 
redundancy, identifying critical points of failure, etc). I think we all agree 
that this information, in the wrong hands, can also be used for naughty 
purposes.

How do we balance these opposing factors? I like the idea of a clearinghouse 
where one can access the data after a background check and a NDA. At the state 
level, the logical place would be the PUC. They have all the data, but do they 
have it all in a single GIS database? They should, but I doubt they do.

At the national level, is there any department or agency to go to? It certainly 
doesn't sound like it. What would it take to get a project such as Mr. Gorman's 
done by the federal government so that there would be a single place to go? 
Does the government already have this information locked up behind closed 
doors? It seems like they would. Is there any reason not to make it available 
to interested parties that have a valid reason to access it?

Would the infrastructure owners oppose such a system being publically 
available? After all, they don't want their competitors to copy their good 
design or take advantage of underserved markets revealed by the maps. But it 
seems they would have much to gain as well - potential customers will know who 
to go to for service.

It sounds like the current trend is toward supressing this kind of information. 
But as an industry, it is in our best interest to compile this information and 
make it available to the proper parties.

-Adam

Re: 923 Mbps across the Ocean ...

2003-03-07 Thread Adam Kujawski 

Quoting Eric Germann [EMAIL PROTECTED]:

 http://www.cnn.com/2003/TECH/internet/03/07/speed.record/index.html
 
 Comments folks?

I'm going to launch a couple DAT tapes across the parking lot with a spud gun 
and see if I can achieve 923 Mb/s!

It would have been nice if the reporter bothered to mention that Internet 
speed records are measured in terabit meters per second. An article 
about Internet speed records that doesn't include the actual record, or even 
a definition of the term Internet speed record, is hardly deserving of 
placement on the front of cnn.com. Slow news day?

-Adam

FNSI (AS6259) - Cogent

2003-02-26 Thread Adam Kujawski 

Fiber Network Solutions and Cogent Communications are pleased to announce that 
Cogent Communications has agreed to acquire the major assets of FNSI, including 
all FNSI customers.  After careful and thorough consideration, FNSI selected 
Cogent, a premier Tier One Internet Service Provider, as the successor to 
FNSI’s operations.

-Kuj