Re: YouTube IP Hijacking

2008-02-26 Thread Stephane Bortzmeyer

On Mon, Feb 25, 2008 at 09:27:41AM +0200,
 Hank Nussbacher [EMAIL PROTECTED] wrote 
 a message of 17 lines which said:

 - Lack of clue
 - Couldn't care less
 - No revenue
 
 Take your pick - or add your own reason.  PCCW is not alone.  They just 
 happen to be the latest in a long line of ISPs that follow the same rules - 
 their own.

No, most operators do filter BGP announcements. I know it, because I
have read it on Cnet:

http://www.news.com/8301-10784_3-9878655-7.html

 That's because Hong Kong-based PCCW, which provides the Internet
 link to Pakistan Telecom, did not stop the misleading
 broadcast--which is what most large providers in the United States
 and Europe do.



Re: YouTube IP Hijacking

2008-02-26 Thread Stephane Bortzmeyer

On Tue, Feb 26, 2008 at 11:43:10AM +0100,
 Arnd Vehling [EMAIL PROTECTED] wrote 
 a message of 12 lines which said:

 Every ISP requesting an ASN from one of the LIR's should be required
 to make a test covering the necessary skillsets.

Given the rapid turnover of people in this industry, I'm not sure it
would help. Two months after the test, maybe all the clueful people
will be gone.

And what about the organizations which rely on external consultancy?
Should it be forbidden?


Re: named.root (was: Yay! AAAA records added for root servers)

2008-02-05 Thread Stephane Bortzmeyer

On Tue, Feb 05, 2008 at 12:25:52PM +,
 David Freedman [EMAIL PROTECTED] wrote 
 a message of 114 lines which said:

 Shame it's not made it to HTTP yet:

Nothing to do with the protocol but with the organization which
manages the server:

 $ lynx --source http://www.internic.net/zones/named.root | grep 

www.internic.net is managed by ICANN.

 $ lynx --source ftp://rs.internic.net/domain/named.root | grep "last update"

rs.internic.net is managed by Verisign.


Re: named.root

2008-02-05 Thread Stephane Bortzmeyer

On Tue, Feb 05, 2008 at 02:31:09PM +,
 David Freedman [EMAIL PROTECTED] wrote 
 a message of 33 lines which said:

 Well gosh, and there was me thinking that both would work together
 to make such a change :)

ICANN is typically 2-3 days behind the root zone file editor.



Re: EU Official: IP Is Personal

2008-01-25 Thread Stephane Bortzmeyer

On Fri, Jan 25, 2008 at 10:42:44AM +,
 Roland Perry [EMAIL PROTECTED] wrote 
 a message of 15 lines which said:

 in the UK it [phone number portability] 's done with something
 similar to DNS. The telephone system looks up the first N digits of
 the number to determine the operator it was first issued to. And
 places a query to them. That either causes the call to be accepted
 and routed, or they get an answer back saying sorry, that number
 has been ported to operator FOO-TEL, go ask them instead.

What happens when a phone number is ported twice, from BAR-TEL to
FOO-TEL and then to WAZ-TEL? Does the call follow the list? What if
there is a loop?

The solution you describe does not look like the DNS to me. A solution
more DNS-like would be to have a root (which is not an operator)
somewhere and every call triggers a call to the root which then
replies, "send to WAZ-TEL".



Hollywood's 'Untraceable': Fact or fiction?

2008-01-21 Thread Stephane Bortzmeyer

Very interesting interview of a Hollywood consultant (and former FBI
agent) about the facts in the movie 'Untraceable'. Among the many
technical details, I note:

 Q: Any other elements in the movie the naysayers may call you and
 the writers out on as being technically inaccurate?

 A: The IP addresses in the movie are not real, for obvious
 reasons. You can't use real IP addresses, because it will point to
 real IP addresses. It's similar to the 555 area code for phone
 numbers in movies.

Does the movie use RFC 3330's 192.0.2.0/24? :-)

http://www.networkworld.com/news/2008/011808-hilbert-q-a.html


Re: v6 gluelessness

2008-01-18 Thread Stephane Bortzmeyer

On Fri, Jan 18, 2008 at 03:51:26PM +0900,
 Randy Bush [EMAIL PROTECTED] wrote 
 a message of 10 lines which said:

 similarly for the root, as rip.psg.com serves some tlds.

The request has to come from a TLD manager (anyone who uses
rip.psg.com) but, of course, you would get a more authoritative reply
from IANA.


Re: ISPs slowing P2P traffic...

2008-01-16 Thread Stephane Bortzmeyer

On Tue, Jan 15, 2008 at 12:14:33PM -0600,
 David E. Smith [EMAIL PROTECTED] wrote 
 a message of 61 lines which said:

 To try to make this slightly more relevant, is it a good idea,
 either technically or legally, to mandate some sort of standard for
 this? I'm thinking something like the Nutrition Facts information
 that appears on most packaged foods in the States, that ISPs put on
 their Web sites and advertisements. I'm willing to disclose that we
 block certain ports [...]

As a consumer, I would say YES. And the FCC should mandate it.

Practically speaking, you may find RFC 4084, "Terminology for
Describing Internet Connectivity", interesting:

   As the Internet has evolved, many types of arrangements have been
   advertised and sold as Internet connectivity.  Because these may
   differ significantly in the capabilities they offer, the range of
   options, and the lack of any standard terminology, the effort to
   distinguish between these services has caused considerable consumer
   confusion.  This document provides a list of terms and definitions
   that may be helpful to providers, consumers, and, potentially,
   regulators in clarifying the type and character of services being
   offered.

http://www.ietf.org/rfc/rfc4084.txt


Re: Hey, SiteFinder is back, again...

2007-11-05 Thread Stephane Bortzmeyer

On Mon, Nov 05, 2007 at 10:54:05AM -0500,
 Andrew Sullivan [EMAIL PROTECTED] wrote 
 a message of 29 lines which said:

 One could argue that it is less evil to do this at recursive
 servers, because people could choose not to use that service by
 installing their own full resolvers or whatever.

It depends.

There are three possible ways for an access provider to do it, in
order of ascending nastiness:

1) Provide, by default, DNS recursors which do the mangling but also
provide another set of recursors which do the right thing (and the
user can choose, for instance via a dedicated Web interface for his
account).

2) Provide DNS recursors which do the mangling. Power users can still
install BIND on their laptop and talk directly to the root name
servers, then wasting resources. (Variant: they can add an ORNS in
their resolving configuration file.)

3) Provide DNS recursors which do the mangling *and* block users,
either by filtering out port 53 or by giving them an RFC 1918 address
with no NAT for this port.

I've seen 1) and 2) in the wild and I am certain I will see 3) one day
or the other.
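
A check for whether the recursor you were handed does the mangling described in the list above, as an added example that is not part of the original message. The function names, the probe count and the stub resolvers used to exercise it are assumptions made for illustration; names under random 128-bit labels are taken not to exist.

```python
import secrets
import socket

# getaddrinfo error codes meaning "no such name" / "name has no address".
_NO_NAME = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}


def system_resolver(name):
    """Resolve through the recursor this host is configured to use.

    Returns a sorted list of addresses, or [] when the name does not exist.
    Any other failure (timeout, SERVFAIL) is re-raised, so that a broken
    network is not mistaken for an honest NXDOMAIN.
    """
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror as exc:
        if exc.errno in _NO_NAME:
            return []
        raise
    return sorted({info[4][0] for info in infos})


def probe_nxdomain_rewriting(resolve=system_resolver,
                             suffixes=("com", "net"), probes=3):
    """Ask for random names that cannot exist and see who answers.

    resolve  -- callable(name) -> list of addresses ([] for NXDOMAIN)
    suffixes -- zones to probe under; rewriting is often per-zone
    probes   -- random names tried per suffix
    """
    per_suffix = {}
    landing = set()
    for suffix in suffixes:
        hits = 0
        for _ in range(probes):
            # 32 hex characters: a label nobody has registered.
            name = f"{secrets.token_hex(16)}.{suffix}"
            addrs = resolve(name)
            if addrs:
                hits += 1
                landing.update(addrs)
        per_suffix[suffix] = hits

    total = probes * len(suffixes)
    answered = sum(per_suffix.values())
    if answered == 0:
        verdict = "clean"        # every probe got "no such name"
    elif answered == total:
        verdict = "rewriting"    # non-existent names always resolve
    else:
        verdict = "partial"      # only some zones or some probes rewritten
    return {
        "verdict": verdict,
        "answered_per_suffix": per_suffix,
        # Where the non-existent names were pointed (the ad/search host).
        "landing_addresses": sorted(landing),
    }


if __name__ == "__main__":
    # Uses the host's real resolver configuration.
    print(probe_nxdomain_rewriting())
```

Passing a `resolve` callable bound to a second set of recursors lets the same probe compare the default service with an alternative one.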





Re: NAT Multihoming

2007-06-04 Thread Stephane Bortzmeyer

On Sun, Jun 03, 2007 at 07:33:45PM -0700,
 Stephen Satchell [EMAIL PROTECTED] wrote 
 a message of 29 lines which said:

 The last time I renumbered, I found that quite a few people were not
 honoring the TTLs I put in my DNS zone files. [...] Custom customer
 zone files hosted elsewhere?

Do not forget that applications have their own caches, too, and they
typically ignore completely the DNS TTL. A typical Web browser calls
getaddrinfo() once and uses the IP address as long as it is not
restarted.



Re: Interesting new dns failures

2007-05-21 Thread Stephane Bortzmeyer

On Sun, May 20, 2007 at 09:25:37PM -0700,
 Roger Marquis [EMAIL PROTECTED] wrote 
 a message of 15 lines which said:

 If not, have any root nameservers been hacked?
 
 To partly answer my own question, no.

I cannot find the original message in my mailbox. (Not on NANOG
mailing list archives.) What was the issue?

 The data returned by root (gtld) nameservers is not changing
 rapidly.

Now, I understand nothing. Is there a problem with the root
nameservers or with some gTLD nameservers???



Re: Interesting new dns failures

2007-05-21 Thread Stephane Bortzmeyer

On Mon, May 21, 2007 at 06:57:06PM +0100,
 Simon Waters [EMAIL PROTECTED] wrote 
 a message of 53 lines which said:

 PS: Those who make sarcastic comments about people not knowing the
 difference between root servers, and authoritative servers, may need
 to be a tad more explicit for the help of the Internet challenged.

Warning, the rest of this message is only for
Internet-challenged. They are probably uncommon in NANOG. For
instance, I cannot believe that people in NANOG may confuse the .com
name servers with the root name servers.

An authoritative name server is an official source of DNS data for a
given domain. For instance, ns2.nic.ve. is authoritative for
".ve". There are typically two to ten or sometimes more authoritative
name servers for a domain. You can display them with "dig NS
the-domain-you-want.".

A root name server is a server which is authoritative for the root of
the DNS. For instance, f.root-servers.net is authoritative for "."
(the root). You can display them with "dig NS ." (for the benefit of
the Internet-challenged, I did not discuss the alternative roots).



Re: IPv6 Finally gets off the ground

2007-04-10 Thread Stephane Bortzmeyer

On Sun, Apr 08, 2007 at 06:15:34PM -0500,
 J. Oquendo [EMAIL PROTECTED] wrote 
 a message of 24 lines which said:

 was successfully configured by NASA Glenn Research Center to use
 IPsec and IPv6 technologies in space.

Any human on board? Because he would have been able to access useful
content:

http://www.ipv6experiment.com/

The great chicken or the egg dilemma. IPv6 has had operating system and router 
support for years. But, content providers don't want to deploy it because there 
aren't enough potential viewers to make it worth the effort. There are concerns 
about compatibility and breaking IPv4 accessibility just by turning IPv6 on. 
ISPs don't want to provide IPv6 to end users until there is a killer app on 
IPv6 that will create demand for end users to actually want IPv6. There hasn't 
been any reason for end users to want IPv6 - nobody's dumb enough to put 
desirable content on IPv6 that isn't accessible on IPv4. Until now.

We're taking 10 gigabytes of the most popular adult entertainment videos from 
one of the largest subscription websites on the internet, and giving away 
access to anyone who can connect to it via IPv6. No advertising, no 
subscriptions, no registration. If you access the site via IPv4, you get a 
primer on IPv6, instructions on how to set up IPv6 through your ISP, a list of 
ISPs that support IPv6 natively, and a discussion forum to share tips and 
troubleshooting. If you access the site via IPv6 you get instant access to the 
goods. 


Re: America takes over DNS

2007-04-02 Thread Stephane Bortzmeyer

On Mon, Apr 02, 2007 at 09:23:32AM +0100,
 [EMAIL PROTECTED] [EMAIL PROTECTED] wrote 
 a message of 46 lines which said:

 It is probably time to start looking at alternative naming
 systems. For instance, we have a much better understanding of P2P
 technology these days and a P2P mesh could serve as the top level
 finder in a naming system rather than having a fixed set of roots.

The only serious (?) proposal I've seen until now, CoDoNS
(http://www.cs.cornell.edu/people/egs/beehive/codons.php), uses
DNSSEC, so it has the same dependency on the US government.

 better understanding of webs of trust that we could apply to such a
 mesh. 

You mix up *resolution* of names (which could be done by a P2P mesh
like CoDoNS, replacing the root name servers) and *registration* of
names, which has to be hierarchical if you want to preserve unicity
of names. And this is the important point of control (the root name
servers are not controlled by the US government, unlike the
registration root).

So, you've not solved the problem.


Re: America takes over DNS

2007-04-02 Thread Stephane Bortzmeyer

On Mon, Apr 02, 2007 at 12:23:43PM +0100,
 [EMAIL PROTECTED] [EMAIL PROTECTED] wrote 
 a message of 58 lines which said:

 [unicity of names] does not exist in DNS unless you take an
 extremely narrow technical view.

I thought that NANOG was for extremely narrow technical
discussions. For bold "We will replace the DNS and IP while we're at
it" discussions, there are other forums :-)



Re: America takes over DNS

2007-04-02 Thread Stephane Bortzmeyer

On Mon, Apr 02, 2007 at 01:09:48PM +0200,
 Peter Dambier [EMAIL PROTECTED] wrote 
 a message of 85 lines which said:

 The Racines Libres have failed?
 
 There are so many out there that we cannot count them any longer.

That's true. Dozens of first-year CS students have set up one and then
tried to impress a girlfriend by claiming "I am now independent from
the Evil ICANN".

 I have never seen a personal root-server attacked.

I can attack yours, if you want more credibility.


Re: redefining which infrastructure is the proble [was: Re: On-going ..]

2007-04-02 Thread Stephane Bortzmeyer

On Sun, Apr 01, 2007 at 09:51:16PM -0500,
 Gadi Evron [EMAIL PROTECTED] wrote 
 a message of 39 lines which said:

 I can testify as to some registrars (enom, godaddy, tucows, etc.) being
 very responsive and some registries (read .info) being very
 cooperative.
 
 OBVIOUSLY this is not the case for everyone.

If being cooperative means shoot immediately any
presumed-to-be-innocent each time a random vigilante asks you so, I
hope that the .fr registry is uncooperative.


Re: DNS: Definitely Not Safe?

2007-02-14 Thread Stephane Bortzmeyer

On Wed, Feb 14, 2007 at 09:20:38AM -0200,
 MARLON BORBA [EMAIL PROTECTED] wrote 
 a message of 21 lines which said:

 Security of DNS servers is an issue for network operators, thus
 pertaining to NANOG on-topics. This article shows a security-officer
 view of the recent DNS attacks.

It may be on-topic but it is full of FUD, mistakes and blatant
b...t. Certainly not the recommended reading for the sysadmin.

The best stupid sentence is the one asking firewalls in front of the
DNS servers... to prevent tunneling data over DNS!



Re: Every incident is an opportunity

2007-02-13 Thread Stephane Bortzmeyer

On Tue, Feb 13, 2007 at 05:12:05AM +,
 Paul Vixie [EMAIL PROTECTED] wrote 
 a message of 17 lines which said:

 so if the last remaining superpower were to bomb a country in the
 middle east in preparation for invasion, regime change, etc., that
 superpower would be well advised to avoid hitting civilian
 infrastructure, assuming that its bombs were smart enough to target
 like that?

I believe that Barry Shein was assuming invasion for a long-term
occupation and exploitation, like the Romans did in Gaul in 52
BC. Not invasion for destroying a regime like the Allies did in
Germany in 1945.



Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers)

2007-02-12 Thread Stephane Bortzmeyer

On Mon, Feb 12, 2007 at 01:45:41AM -0500,
 Sean Donelan [EMAIL PROTECTED] wrote 
 a message of 16 lines which said:

 The important lesson is you can educate people. The content may have
 been bogus,

Right on spot: it is easy to educate people with simple and
meaningless advice such as "Install an antivirus" or "Hide under the
desk" or (my favorite, now known by most ordinary users) "Do not open
attachments from unknown recipients". But most security risks do not
require monkey advice (advice that an ordinary monkey could
follow). They require intelligence, knowledge in the field, and time,
all things that are in short supply.

The discussion about the NPO who had the choice between breaking stuff
that works because of patches or risking an attack was a very good one
and the IT manager at the NPO was quite reasonable, indeed: the aim
is not security (except for security professionals), the aim is to
have the work done and, if you listen only to the security experts, no
work will ever be done (but you will be safe).

 If you can come up with a few simple things to do, it is possible to
 reach most of the public.

Sure, just find these few simple things that will actually improve
security. (My personal one would be "Erase MS-Windows and install
Ubuntu". If we are ready to inconvenience ordinary workers with
computer security, this one would be a good start.)




Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers)

2007-02-12 Thread Stephane Bortzmeyer

On Mon, Feb 12, 2007 at 03:23:26AM -0600,
 Gadi Evron [EMAIL PROTECTED] wrote 
 a message of 25 lines which said:

 As a very smart person said a couple of weeks ago when this same
 argument was made: are you willing to do tech-support for my mother
 if she uses linux?

I already do it. With my mother, not yours. And she uses MS-Windows so
I can testify that the whole argument "MS-Windows requires less tech
support than Unix" is completely bogus.



Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers)

2007-02-12 Thread Stephane Bortzmeyer

On Mon, Feb 12, 2007 at 09:31:21AM +,
 Alexander Harrowell [EMAIL PROTECTED] wrote 
 a message of 28 lines which said:

 Name anyone techie who doesn't have to do tech support for their
 mother on MS Windows..

Political fix: and their father, too :-)


Re: what the heck do i do now?

2007-02-06 Thread Stephane Bortzmeyer

On Mon, Feb 05, 2007 at 10:13:08PM -0500,
 Jon Lewis [EMAIL PROTECTED] wrote 
 a message of 52 lines which said:

192.0.2.0/24 - This block is assigned as TEST-NET for use in
documentation and example code.  It is often used in conjunction with
domain names example.com or example.net in vendor and protocol
documentation.  Addresses within this block should not appear on the
public Internet.
 
 That /24 doesn't show up in BGP

It SHOULD NOT show up, but it does (ROSPRINT-AS, AS2854, does announce
it and, among others, routeviews.org sees it).
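
The kind of announcement filtering this message and the YouTube hijacking thread above take for granted, as an added example that is not part of the original messages. AS2854 and 192.0.2.0/24 come from the message; the registry table, the documentation AS numbers 64500 and 64501, and the stand-in address space are constructed for illustration.

```python
import ipaddress

# Space that should never be accepted from a peer or customer. A short
# subset only: RFC 1918 private space plus the TEST-NET block quoted above.
RESERVED = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.0.2.0/24",
)]

# Hypothetical registry data: origin AS -> prefixes it is entitled to announce.
# Constructed: 198.18.0.0/15 is benchmarking space (itself not routable on
# the public Internet) and is used here only as a stand-in for real allocations.
REGISTERED = {
    64500: [ipaddress.ip_network("198.19.0.0/20")],   # the customer
    64501: [ipaddress.ip_network("198.18.0.0/22")],   # somebody else's network
}


def check_announcement(prefix, origin_as, registered=REGISTERED, max_len=24):
    """Return (accepted, reason) for one IPv4 announcement."""
    net = ipaddress.ip_network(prefix)
    if net.version != 4:
        raise ValueError("this example handles IPv4 only")

    # 1. Reject anything inside reserved space, and also any covering
    #    prefix that would swallow it (overlaps() catches both directions).
    for reserved in RESERVED:
        if net.overlaps(reserved):
            return False, f"overlaps reserved block {reserved}"

    # 2. Reject prefixes longer than the usual /24 limit.
    if net.prefixlen > max_len:
        return False, f"more specific than /{max_len}"

    # 3. Accept only what is registered to this origin. This is the check
    #    that stops a more-specific of another network's prefix.
    if any(net.subnet_of(reg) for reg in registered.get(origin_as, [])):
        return True, "registered to origin"
    return False, f"not registered to AS{origin_as}"


def filter_announcements(announcements, registered=REGISTERED):
    """Split (prefix, origin_as) pairs into accepted and rejected lists."""
    accepted, rejected = [], []
    for prefix, origin_as in announcements:
        ok, reason = check_announcement(prefix, origin_as, registered)
        if ok:
            accepted.append((prefix, origin_as))
        else:
            rejected.append((prefix, origin_as, reason))
    return accepted, rejected


# Constructed sample announcements.
SAMPLE = [
    ("192.0.2.0/24", 2854),     # TEST-NET, as reported in the message
    ("192.0.0.0/8", 64500),     # covering prefix that includes reserved space
    ("198.19.0.0/21", 64500),   # inside the customer's registered /20
    ("198.18.1.0/24", 64500),   # more-specific of AS64501's /22
    ("198.18.1.0/24", 64501),   # same prefix from its rightful origin
    ("198.19.0.0/28", 64500),   # registered, but far too specific
]

if __name__ == "__main__":
    accepted, rejected = filter_announcements(SAMPLE)
    for item in accepted:
        print("accept", item)
    for item in rejected:
        print("reject", item)
```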




Re: No DNS operations BOF at NANOG39

2007-02-06 Thread Stephane Bortzmeyer

On Fri, Feb 02, 2007 at 11:03:57AM -0500,
 Keith Mitchell [EMAIL PROTECTED] wrote 
 a message of 14 lines which said:

 If anyone would still like to have a DNS operations discussion in
 Toronto,

Yes, but it was not necessary to destroy half of the DNS this night
just to have a discussion :-)



Re: HTML email, was Re: Phishing and BGP Blackholing

2007-01-19 Thread Stephane Bortzmeyer

On Fri, Jan 19, 2007 at 06:46:00AM +,
 Fergie [EMAIL PROTECTED] wrote 
 a message of 60 lines which said:

 a combination of retarded registry policies (pitting business
 interests against common technical sense)

[Disclaimer: I work for a registry.]

In a capitalist country, I do not see how you could do otherwise. In a
non-capitalist country, there is still hope, I'll talk to Fidel about
that, next time we meet.



Re: HTML email, was Re: Phishing and BGP Blackholing

2007-01-18 Thread Stephane Bortzmeyer

On Thu, Jan 18, 2007 at 08:43:37AM -0500,
 Joe Abley [EMAIL PROTECTED] wrote 
 a message of 25 lines which said:

 Back in the day, pre-CIRA, .CA was managed according to rules which
 included the restriction that a single company was only allowed one
 domain name.

Same thing in .fr, until 2000. 

 I think that policy was good for the DNS, but it was apparently
 widely hated by everybody else,

The big problem with this rule is that you have to define what is a
single company. It is easy (especially for a big company like the one
you mention) to find or set up fronts to register more domain
names. 



Re: [Fwd: Kremen VS Arin Antitrust Lawsuit - Anyone have feedback?]

2006-09-13 Thread Stephane Bortzmeyer

On Wed, Sep 13, 2006 at 11:43:36AM -0400,
 D'Arcy J.M. Cain darcy@druid.net wrote 
 a message of 20 lines which said:

 No one knows me by my IP address.  They know me by my email
 address(es).

It does not seem true. IP addresses are visible outside in:

* DNS servers when you get a zone delegation (the most important
  reason why changing IP addresses is a pain),
* some peer-to-peer networks like Freenet, which do not use the DNS.

(There are also a lot of internal uses of IP addresses for instance in
firewalls and SSH caches.)

So, you actually have:

1) Phone numbers (very visible outside)
2) IP addresses (visible outside)
3) MAC addresses (completely invisible outside except for a few
   minutes in the ARP caches)


Re: Kremen's Buddy?

2006-09-13 Thread Stephane Bortzmeyer

On Tue, Sep 12, 2006 at 08:46:11PM -0400,
 Joe Abley [EMAIL PROTECTED] wrote 
 a message of 45 lines which said:

 It's confusing to me that there appears to be no shortage of people
 who are prepared to learn the three hundred ways of doing the same
 thing with perl, or how to dissect a core dump, or how BGP works,
 but who at the same time are not interested in reading the ARIN
 policy manual before making a request for resources.

I may be very special but I find learning a new programming language
or a new protocol much more fun than reading thick and boring policy
documents.

I've heard that lawyers or accountants have different tastes but I
believe they are rare on this mailing list.


Re: Detecting parked domains

2006-08-01 Thread Stephane Bortzmeyer

On Tue, Aug 01, 2006 at 03:35:40PM -0400,
 Sean Donelan [EMAIL PROTECTED] wrote 
 a message of 6 lines which said:

 Has anyone come up with a quick method for detecting if a domain
 name is parked, but is not being used except displaying ads?

I don't think it is possible: being parked cannot be defined in an
algorithmic way. My own domain sources.org does not even have a Web
site (and I swear it is not parked).

Let's try:

* Bayesian filtering on the content of the Web page, after suitable
  training?

* Number of different pages on the site (if n == 1 then the domain is
  parked)?

* (Based on the analysis of many sites, not just one) Content of the
  page almost identical to the content of many other pages? (Caveat:
  the Apache default installation page...)
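
A sketch of the second and third heuristics combined, including the default-installation caveat, as an added example that is not part of the original message. The domain names, page bodies, thresholds and verdict labels are constructed for illustration; crawling is out of scope, so each site is given as a page count and the text of its front page.

```python
import re


def shingles(text, domain="", k=3):
    """Set of k-word shingles of a page, with the site's own name removed.

    Parking templates usually differ only by the domain name they show,
    so it is stripped before comparing pages.
    """
    text = text.lower()
    if domain:
        text = text.replace(domain.lower(), " ")
    words = re.findall(r"[a-z0-9]+", text)
    if not words:
        return set()
    return {" ".join(words[i:i + k]) for i in range(max(len(words) - k + 1, 1))}


def jaccard(a, b):
    """Jaccard similarity of two shingle sets (0.0 when both are empty)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def classify(sites, default_pages=(), threshold=0.6, min_twins=2):
    """sites: {domain: {"pages": int, "body": str}} -> {domain: verdict}."""
    sets = {d: shingles(s["body"], d) for d, s in sites.items()}
    defaults = [shingles(p) for p in default_pages]
    verdicts = {}
    for domain, site in sites.items():
        mine = sets[domain]
        if site["pages"] == 0 or not mine:
            verdicts[domain] = "no-web-content"   # a domain without a Web site
            continue
        # Caveat from the message: stock server pages are shared by many
        # unrelated sites and must not count as a parking template.
        if any(jaccard(mine, d) >= threshold for d in defaults):
            verdicts[domain] = "default-install"
            continue
        twins = sum(1 for other, theirs in sets.items()
                    if other != domain and jaccard(mine, theirs) >= threshold)
        signals = (site["pages"] == 1) + (twins >= min_twins)
        verdicts[domain] = ("in-use", "unclear", "likely-parked")[signals]
    return verdicts


# Constructed sample data.
PARKING = ("{d} is for sale. Buy this domain today. Related searches: "
           "cheap {kw}, car insurance, online degrees, credit cards. "
           "Sponsored listings for {d}.")
DEFAULT = ("It works! This is the default web page for this server. The web "
           "server software is running but no content has been added, yet.")

SITES = {
    "alpha.example":   {"pages": 1, "body": PARKING.format(d="alpha.example", kw="flights")},
    "bravo.example":   {"pages": 1, "body": PARKING.format(d="bravo.example", kw="flights")},
    "charlie.example": {"pages": 1, "body": PARKING.format(d="charlie.example", kw="hotels")},
    "delta.example":   {"pages": 1, "body": DEFAULT},
    "echo.example":    {"pages": 1, "body": DEFAULT},
    "foxtrot.example": {"pages": 1, "body": DEFAULT},
    "golf.example":    {"pages": 1, "body": "Personal home page of a network "
                        "engineer with notes on DNS and BGP operations."},
    "hotel.example":   {"pages": 40, "body": "Documentation, downloads and "
                        "mailing list archives for an open source routing daemon."},
    "india.example":   {"pages": 0, "body": ""},
}

if __name__ == "__main__":
    for name, verdict in classify(SITES, default_pages=[DEFAULT]).items():
        print(f"{name:18} {verdict}")
```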


Re: www.gigablast.com

2006-07-17 Thread Stephane Bortzmeyer

On Wed, Jul 12, 2006 at 06:24:08PM -0400,
 Jim Popovitch [EMAIL PROTECTED] wrote 
 a message of 32 lines which said:

 The strangeness is that some of their crawling is looking for URLs
 with multiple exclamation points, those URLs never existed. This may
 be indicative of a character translation on my system or theirs.

From my experience (and I talked with people - or at least intelligent
bots - at Gigablast), their HTML parser is seriously broken and it
generates non-existing URLs quite often. For instance <a
href="http://www.example.fr/Cafe%20au%20lait"> will make their crawler
ask for /Cafe.

I reported the problem months ago but I got nothing except standard
"Thanks for telling us".



Re: Sitefinder II, the sequel...

2006-07-11 Thread Stephane Bortzmeyer

On Mon, Jul 10, 2006 at 11:19:51PM -0700,
 Steve Sobol [EMAIL PROTECTED] wrote 
 a message of 16 lines which said:

 There's a big difference, of course, between INTENTIONALLY pointing
 your computers at DNS servers that do this kind of thing, and having
 it done for you without your knowledge and/or consent.

As Steven Bellovin pointed out, most OpenDNS users will not choose it:
it will be chosen for them by their corporate IT department or by
their Internet access provider.


Re: Sitefinder II, the sequel...

2006-07-10 Thread Stephane Bortzmeyer

On Mon, Jul 10, 2006 at 09:06:20AM -0700,
 Rick Wesson [EMAIL PROTECTED] wrote 
 a message of 49 lines which said:

 OpenDNS is not SiteFinder; Give them a try, the DNS resolution is
 blazing fast

For the typical NANOGer, yes, but remember that the Internet is larger
than that. From France, the RTT is very poor (more than 200 ms),
whatever the speed of their application.


Re: Zebra/linux device production networking?

2006-06-12 Thread Stephane Bortzmeyer

On Tue, Jun 06, 2006 at 02:42:36PM -0700,
 Nick Burke [EMAIL PROTECTED] wrote 
 a message of 39 lines which said:

 How many of you have actually use(d) Zebra/Linux as a routing device 

IMHO, the question is not perfectly phrased. You actually have several
issues:

* use a regular PC instead of big and expensive iron,

* use Linux instead of FreeBSD or IOS or JunOS,

* use Zebra instead of Quagga or Xorp.

These questions are partly independent and should be addressed as
such. For instance, Quagga + a free Unix can run on dedicated boxes
like the Soekris, which have different characteristics than a regular PC
(no moving parts, for instance).

One last piece of advice: be very careful when you read claims like "it
may seem appealing to suits with no networking knowledge": many people
never tried what they criticize, they just do not want their CEO to
discover that the expensive network could have been done for much
less.

[I installed, in a former job, Debian + Linux + Zebra on PCs and they
route fine.]



Re: [Fwd: [Full-disclosure] NISCC DNS Protocol Vulnerability]

2006-05-01 Thread Stephane Bortzmeyer

On Mon, May 01, 2006 at 10:51:19PM +0200,
 Gadi Evron [EMAIL PROTECTED] wrote 
 a message of 106 lines which said:

 As an FYI, seems serious.

If I read the announcement correctly, only Delegate and JunOS are
currently found vulnerable (of course, more vulnerabilities may be
discovered in the future)?


Re: well-known NTP? (Re: Open Letter to D-Link about their NTP vandalism)

2006-04-12 Thread Stephane Bortzmeyer

On Tue, Apr 11, 2006 at 10:01:10PM +,
 Edward B. DREGER [EMAIL PROTECTED] wrote 
 a message of 27 lines which said:

 AS112-style NTP service, anyone?  That would be cooperative and
 possibly even useful.

It already exists (Security warning: do not use it on a strategic
machine, there is no warranty that these servers are trustful):

http://www.pool.ntp.org/

Active server count on 2006-04-12
Africa            1
Asia              24
Europe            368
North America     223
Oceania           26
South America     7
Global            582
All Pool Servers  653

The pool.ntp.org project is a big virtual cluster of timeservers striving to 
provide reliable easy to use NTP service for millions of clients without 
putting a strain on the big popular timeservers.

Adrian von Bidder created this project after a discussion about resource 
consumption on the big timeservers, with the idea that for everyday use a DNS 
round robin would be good enough, and would allow spreading the load over many 
servers. The disadvantage is, of course, that you may occasionally get a bad 
server and that you usually won't get the server closest to you. The 
workarounds for this is respectively to make sure you configure at least three 
servers in your ntp.conf and to use the country zones (for example 
0.us.pool.ntp.org) rather than the global zone (for example 0.pool.ntp.org). 
Read more on using the pool.

The pool is now enormously popular, being used by at least hundreds of 
thousands and maybe even millions of systems around the world.

The pool project is now being maintained by Ask Bjørn Hansen and a great group 
of contributors on the mailing lists.


Re: OT: Xen

2006-04-04 Thread Stephane Bortzmeyer

On Tue, Apr 04, 2006 at 08:11:32AM +1000,
 Matthew Palmer [EMAIL PROTECTED] wrote 
 a message of 14 lines which said:

 Fairly well -- a lot better than (eg) vservers, and almost certainly
 better than UMLs.

Because they are different virtualisation solutions with different
requirements. If you have unrelated customers, who do not trust each
other, Xen (or UML) is OK. If you just want to put one service on a
different machine but do not have the money (or the rack space) to
dedicate a box to just DHCP, Linux Vservers or FreeBSD jails are fine.



Re: com/net Whois format change notice

2006-03-24 Thread Stephane Bortzmeyer

On Fri, Mar 24, 2006 at 10:56:56AM -0500,
 Jon Lewis [EMAIL PROTECTED] wrote 
 a message of 37 lines which said:

 No more Registrant, POCs, or physical address information?

Remember that .com and .net are thin registries.


Re: cctld server traffic

2006-01-25 Thread Stephane Bortzmeyer

On Mon, Jan 23, 2006 at 01:48:19PM -0800,
 william(at)elan.net [EMAIL PROTECTED] wrote 
 a message of 18 lines which said:

 Maybe I'm ignorant, but isn't there [cc]tld operations mail list
 somewhere?

There is no worldwide TLD (or even ccTLD) operations list (I would be
on it). There are several possible lists, but all of them are partial
(purely european, for instance).



Re: cctld server traffic

2006-01-23 Thread Stephane Bortzmeyer

On Sun, Jan 22, 2006 at 10:42:36AM +0900,
 Randy Bush [EMAIL PROTECTED] wrote 
 a message of 4 lines which said:

 any cctld ops seeing unusual traffic in the last hours?

DSC showed nothing at all on Sunday for the .fr nameservers that we
directly manage. Some are also secondaries for other TLDs (.nl or
.ru). What did you see?



Re: WMF patch

2006-01-05 Thread Stephane Bortzmeyer

On Wed, Jan 04, 2006 at 05:58:16PM -0500,
 [EMAIL PROTECTED] [EMAIL PROTECTED] wrote 
 a message of 46 lines which said:

 How many times do you propose we FTDT before we get fed up and ask
 upper management to authorize a migration to some other software
 with a better record? And how many more FTDT's do we need to
 tolerate while we wait for upper management to authorize a
 migration?

There is no limit to what human beings can stand before becoming
reasonable. That is human nature and the engineers' rationality is no
match for it.

Think about religion, for instance. A lot of people still believe in a
supernatural being despite a very bad track record (much worse than
MS-Windows').
 


Re: How to check the As path from internet

2005-11-23 Thread Stephane Bortzmeyer

On Wed, Nov 23, 2005 at 05:45:30PM +0600,
 Md. kamal Hossain [EMAIL PROTECTED] wrote 
 a message of 54 lines which said:

 I am a newbie in bgp.

I'm not sure that the NANOG charter allows posting by BGP newbies :-) But,
since I'm not an operator myself:

 Would any one describe the as path from the looking glass

Sorry, cannot decipher this one.

 and would tell me some free looking glass url

http://www.traceroute.org/#Looking%20Glass

 This message has been scanned for viruses and dangerous content, and
 is believed to be clean.

Are you sure?



Re: IPv6 news

2005-10-17 Thread Stephane Bortzmeyer

On Mon, Oct 17, 2005 at 12:08:38PM +0100,
 [EMAIL PROTECTED] [EMAIL PROTECTED] wrote 
 a message of 28 lines which said:

 There are 437 cities of 1 million or more population. There are
 roughly 5,000 cities of over 100,000 population. And there are
 3,047,000 named communities in the world. 
 
 Seems to me that the number of routes in the global routing
 table should logically be closer to 5,000 than to 3,000,000.

If there is an exchange point per city over 100,000 (the route goes to
the IXP and then to the actual provider)... Otherwise, there is a flaw
in your calculation.




Re: IPv6 and BGP

2005-10-14 Thread Stephane Bortzmeyer

On Thu, Oct 13, 2005 at 01:32:32PM -0500,
 Mike Hyde [EMAIL PROTECTED] wrote 
 a message of 3 lines which said:

 On the subject of ipv6, is there currently any way to multi-home
 with IPv6 yet?

RFC 4177: Architectural Approaches to Multi-homing for IPv6 (five
approaches, including at least one familiar to NANOG members, PI
addresses and BGP)

Actual implementations are a different story...


Re: Turkey has switched Root-Servers

2005-10-06 Thread Stephane Bortzmeyer

On Thu, Oct 06, 2005 at 09:19:07AM +0200,
 Måns Nilsson [EMAIL PROTECTED] wrote 
 a message of 34 lines which said:

 .museum is operated from Sweden. 

Correct, Europeans will stop using .com and switch to .museum, its
main competitor :-)


Re: TLD anycast clouds?

2005-10-05 Thread Stephane Bortzmeyer

On Tue, Oct 04, 2005 at 11:54:03PM -0700,
 william(at)elan.net [EMAIL PROTECTED] wrote 
 a message of 49 lines which said:

 they [ISC] run .museum TLD

It does not seem so.

 and serve as secondary for one or two other TLDs.

Not with their anycast servers, unless they added this service very
recently.


GSM Association and NeuStar Sign Agreement to Offer Root DNS Services

2005-09-30 Thread Stephane Bortzmeyer

It can be of operational interest or it can fuel a new flame about
alternative DNS roots.

http://www.neustar.com/pressroom/files/announcements/ns_pr_09282005.pdf

GSM Association and NeuStar Sign Agreement to Offer Root DNS Services
to More than 680 Global GSM Mobile Operators

...

NeuStar's Root DNS service will serve two functions: first, to
register domain names under the suffixes gprs and 3gppnetwork.org,
which are used to register private domain names that allow operators
to retrieve routing information when a subscriber accesses data and
multimedia services on a roaming or home network. For example, a U.S.
mobile subscriber traveling on business in Singapore will be able to
access a video or audio file using their mobile device while roaming
on a local GSM network.

Additionally, NeuStar will operate the master DNS root server and
provide updates to GRX (GPRS Roaming Exchange) and MMS (Multimedia
Messaging Service) providers, allowing mobile operators to access
updated DNS routing information.

...




Re: [Pr-plan] Public-Root resolution problems and UNIDT (fwd)

2005-09-30 Thread Stephane Bortzmeyer

On Fri, Sep 30, 2005 at 04:05:34PM +0100,
 Andy Davidson [EMAIL PROTECTED] wrote 
 a message of 19 lines which said:

 A bit like an internationally organized, non-profit corporation 
...
 Has anyone considered this ?

Yes, replacing the DoC puppet by an internationally organized
corporation would be a good idea.


Re: Turkey has switched Root-Servers

2005-09-28 Thread Stephane Bortzmeyer

On Tue, Sep 27, 2005 at 07:39:29PM -0700,
 Tony Li [EMAIL PROTECTED] wrote 
 a message of 20 lines which said:

 Actually, I think you've got it backwards. .us and all of the other
 country-specific TLDs are the last vestiges of nationalism.

The problem is that all gTLD are controlled only in the US (even more
than the root is). So, they are international only in name.



Re: Turkey has switched Root-Servers

2005-09-28 Thread Stephane Bortzmeyer

On Tue, Sep 27, 2005 at 10:56:50PM -0400,
 Robert Boyle [EMAIL PROTECTED] wrote 
 a message of 26 lines which said:

 Well said! Other than government entities, I never understood why
 anyone would want a country specific name.

So he can call upon the law of his country, rather than the law of the
state of California or Virginia?



Re: Turkey has switched Root-Servers

2005-09-27 Thread Stephane Bortzmeyer

On Tue, Sep 27, 2005 at 12:45:33PM +0300,
 Evren Demirkan [EMAIL PROTECTED] wrote 
 a message of 29 lines which said:

 I am located in Turkiye..Can Any one simplify the whole stuff in
 plain English?

There is nothing related with your country in the whole thread. The
subject is misleading.

(You can do a dig NS . on your machine to be sure.)


Re: PRIX - Puerto RIco Internet Exchange

2005-09-27 Thread Stephane Bortzmeyer

On Tue, Sep 27, 2005 at 10:55:51AM -0600,
 John Neiberger [EMAIL PROTECTED] wrote 
 a message of 10 lines which said:

 Would it be improper to suggest that you pick a different acronym?  :-)

Mehmet did not say so, but I assume his mailing list will be in
Spanish and that PRIX is OK in his language.


Re: Non-English Domain Names Likely Delayed

2005-07-18 Thread Stephane Bortzmeyer

On Sun, Jul 17, 2005 at 04:29:52PM +,
 Fergie (Paul Ferguson) [EMAIL PROTECTED] wrote 
 a message of 49 lines which said:

 Forwarded Message from Neil Harris [EMAIL PROTECTED] ---
...
 After extensive analysis and discussion, the Mozilla community and Opera 
 have already produced a fix for this,

Which is highly questionable and that is rejected by most European
ccTLDs.

 Already, some 21 TLDs are whitelisted, including .cn, .tw, a number
 of European ccTLDs, .museum, and .info. Any other registrars who
 want to be supported can simply E-mail Gerv at the Mozilla
 Foundation, or his Opera counterpart, and give them a pointer to
 their anti-spoofing rules.

The Polish registry already refused to comply, saying that the Mozilla
foundation has no legitimacy deciding the registration rules in .pl.


Re: Non-English Domain Names Likely Delayed

2005-07-18 Thread Stephane Bortzmeyer

On Sun, Jul 17, 2005 at 09:49:32PM -0700,
 Dave Crocker [EMAIL PROTECTED] wrote 
 a message of 25 lines which said:

 2. Who is the authority that decides whether a TLD uses an
 acceptable policy?

That's the big problem with this so-called solution.


Re: DNS .US outage

2005-07-07 Thread Stephane Bortzmeyer

On Thu, Jul 07, 2005 at 07:25:20AM -0500,
 Church, Chuck [EMAIL PROTECTED] wrote 
 a message of 109 lines which said:

   Is it possible that one of the authoritative servers for .us
 is unreachable/down at the moment, at least from name server
 24.197.96.16's point of view?

It is perfectly possible. Unfortunately, all three nameservers of
.us are behind the same AS and, unfortunately, they are all in the
same /16. Checking the filters is a first step.

PS: tracert exists on MS-Windows and c.gtld.biz replies to it.



Re: Enable BIND cache server to resolve chinese domain name?

2005-07-04 Thread Stephane Bortzmeyer

On Mon, Jul 04, 2005 at 05:21:47PM +,
 Paul Vixie [EMAIL PROTECTED] wrote 
 a message of 6 lines which said:

  Every public root experiment that I have seen has always
  operated as a superset of the ICANN root zone.
 
 not www.orsn.net.

You are playing with words. ORSN serves the same data as ICANN. So, it
is a superset, albeit a strict one.


Email peering (Was: Economics of SPAM [Was: Micorsoft's Sender IDAuthentication......?]

2005-06-16 Thread Stephane Bortzmeyer

On Mon, Jun 13, 2005 at 11:32:31AM +0200,
 [EMAIL PROTECTED] [EMAIL PROTECTED] wrote 
 a message of 21 lines which said:

 The number of agreements needed in the email world is significantly
 higher than what is needed for BGP.

The proponents of email peering typically want to switch from the
current model (millions of independent email servers) to a different
model, with only a few big actors.

--
Should anyone be allowed to operate an email system? Perhaps not.
Carl Hutzler
http://www.circleid.com/article/917_0_1_0_C/



Re: Underscores in host names

2005-05-18 Thread Stephane Bortzmeyer

On Wed, May 18, 2005 at 12:11:14AM -0400,
 Steven Champeon [EMAIL PROTECTED] wrote 
 a message of 92 lines which said:

 So, these are *all* non-compliant?

Yes, and you can easily check that the FreeBSD resolver, for instance,
cannot retrieve them (the GNU libc resolver on Linux can).

notux:~ % uname 
FreeBSD
notux:~ % ping Laubervilliers-151_12-16-191.w82-127.abo.wanadoo.fr
ping: cannot resolve Laubervilliers-151_12-16-191.w82-127.abo.wanadoo.fr: Unknown server error

myriam:~ % uname
Linux
myriam:~ % ping Laubervilliers-151_12-16-191.w82-127.abo.wanadoo.fr
PING Laubervilliers-151_12-16-191.w82-127.abo.wanadoo.fr (82.127.31.191) 56(84) bytes of data.
64 bytes from Laubervilliers-151_12-16-191.w82-127.abo.wanadoo.fr (82.127.31.191): icmp_seq=1 ttl=118 time=49.0 ms



Re: Underscores in host names

2005-05-18 Thread Stephane Bortzmeyer

On Wed, May 18, 2005 at 11:05:56AM +0100,
 Tony Finch [EMAIL PROTECTED] wrote 
 a message of 12 lines which said:

 However case insensitivity puts a big spanner in the works.

And the fact that you can use any 8-bits character in a domain name
but nothing says what the encoding is. UTF-8 ? Latin-1 ? Big5 ? (Some
unscrupulous vendors promoted international domain names using that
trick.)

Hence the RFC 3490.
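
The two "Underscores in host names" messages above turn on the difference between a host name (letters, digits, hyphen) and a DNS name in general, and on RFC 3490 as the answer to the encoding question. The following sketch is an added example, not part of the original messages; the function names are hypothetical and `café.example` is a constructed input. It uses Python's built-in `idna` codec, which implements RFC 3490.

```python
import re

# One host name label (RFC 952 / RFC 1123): letters, digits and hyphen,
# no leading or trailing hyphen, 1 to 63 octets.
_LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def split_labels(name):
    """Split a presentation-format name into labels, ignoring the root dot."""
    if name.endswith("."):
        name = name[:-1]
    return name.split(".") if name else []


def bad_host_labels(name):
    """Return the labels that break the host name (LDH) syntax."""
    return [label for label in split_labels(name)
            if not _LDH_LABEL.match(label)]


def classify(name):
    """Classify a name as 'hostname', 'domain-name-only', 'needs-idna'
    or 'invalid'."""
    labels = split_labels(name)
    if not labels or any(label == "" for label in labels):
        return "invalid"
    try:
        octets = [label.encode("ascii") for label in labels]
    except UnicodeEncodeError:
        # Non-ASCII text has no defined wire encoding until it is
        # converted to its ASCII-compatible form (RFC 3490).
        return "needs-idna"
    if any(len(o) > 63 for o in octets) or len(".".join(labels)) > 253:
        return "invalid"
    if bad_host_labels(name):
        # Legal in the DNS, but not a legal host name.
        return "domain-name-only"
    return "hostname"


def to_ace(name):
    """Convert a Unicode name to its ASCII form with the RFC 3490 codec."""
    return name.encode("idna").decode("ascii")


if __name__ == "__main__":
    for sample in ("Laubervilliers-151_12-16-191.w82-127.abo.wanadoo.fr",
                   "w82-127.abo.wanadoo.fr",
                   "caf\u00e9.example"):
        print(sample, "->", classify(sample), bad_host_labels(sample))
    print(to_ace("caf\u00e9.example"))
```

A resolver or input filter that enforces `classify(name) == "hostname"` rejects the name pinged above, while one that only enforces DNS length limits accepts it.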



Re: Paul Wilson and Geoff Huston of APNIC on IP address allocation ITU v/s ICANN

2005-04-28 Thread Stephane Bortzmeyer

On Wed, Apr 27, 2005 at 08:52:04PM +,
 [EMAIL PROTECTED] [EMAIL PROTECTED] wrote 
 a message of 49 lines which said:

 the only entities that can be members are nations/governments.

This is no longer true (for several years). Corporations (Sector
members) can now join (ITU is the only UN organization which does
that). See
http://www.itu.int/cgi-bin/htsh/mm/scripts/mm.list?_search=SEC

So, like ICANN, governments and big corporations are represented at
the ITU. Like ICANN, ordinary users are excluded.



Re: using TCP53 for DNS

2005-04-27 Thread Stephane Bortzmeyer

On Tue, Apr 26, 2005 at 12:39:09PM -0400,
 Patrick W. Gilmore [EMAIL PROTECTED] wrote 
 a message of 22 lines which said:

 From the thread (certainly not a scientific sampling), many people
 seem to be filtering port 53 TCP to their name servers.

Again, a non-scientific sampling but AFNIC (.fr registry) *requires*
a successful technical check of the name servers *before* delegation
or technical change of a .fr domain. <soapbox>Every TLD should do
so.</soapbox>

Among the things we check is the TCP access to all the name servers.

A lot (lot is not a scientific word, I know) of people
complain. Very often, they are clueless (TCP is only for zone
transfers), very often also they don't master their infrastructure
(DNS hosted somewhere else, firewall middlebox which is an unmanaged
black box, firewall which is managed by an external contractor on a
per-change charge basis, etc).
 



Re: using TCP53 for DNS

2005-04-27 Thread Stephane Bortzmeyer

On Tue, Apr 26, 2005 at 07:01:47PM +,
 Christopher L. Morrow [EMAIL PROTECTED] wrote 
 a message of 29 lines which said:

 Even after I imagine that folks left the filters in place either
 'because' or 'I don't run router acls' or 'laziness'

[Warning, operational content.]

Remember that most firewalls or other middleboxes on the Internet
are completely unmanaged. They were configured once and for all. (See
the problems with former bogons or with 192.0.0.0/8.)

The architecture of the Internet was designed for a network where all
the routers were heavily managed and by knowledgeable people. Now, the
switch to a network of mostly unmanaged boxes is a big challenge.



Re: using TCP53 for DNS

2005-04-27 Thread Stephane Bortzmeyer

On Tue, Apr 26, 2005 at 03:04:25PM -0400,
 Patrick W. Gilmore [EMAIL PROTECTED] wrote 
 a message of 46 lines which said:

 I am interested in how many name servers - caching or authoritative
 - are filtering incoming and/or outgoing TCP port 53.

For authoritative name servers of TLD, you can browse:

http://www.generic-nic.net/dyn/mon/

And see that incoming TCP is often filtered, even on serious TLD:


w: Server doesn't listen/answer on port 53 for TCP protocol

* Ref: IETF RFC1035 (p.32 4.2. Transport)

  The DNS assumes that messages will be transmitted as datagrams or in a 
byte stream carried by a virtual circuit. While virtual circuits can be used 
for any DNS activity, datagrams are preferred for queries due to their lower 
overhead and better performance.

* ns.cnc.ac.cn./159.226.1.1
* ns.cernet.net./202.112.0.44


Re: New IANA IPv4 allocation to AfriNIC (41/8)

2005-04-13 Thread Stephane Bortzmeyer

On Wed, Apr 13, 2005 at 10:14:05AM +0200,
 Jeroen Massar [EMAIL PROTECTED] wrote 
 a message of 49 lines which said:

 Btw, is there going to be an LACNIC-alike system for transferring
 RIPE/ARIN resources to AfriNIC?

AFAIK, all inetnums belonging to Africa in the RIPE-NCC database have
already been transferred (I don't know for ARIN):

% whois -h whois.ripe.net 217.64.96.0 
% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

inetnum:  217.64.96.0 - 217.64.111.255
org:  ORG-AFNC1-RIPE
netname:  AFRINIC-NET-TRANSFERRED-20050223
descr:This network has been transferred to AFRINIC
remarks:  These IP addresses are assigned in the AFRINIC region.
remarks:  Authoritative registration information for this network
remarks:  is available for query and modification in
remarks:  the AFRINIC whois database: whois.afrinic.net or
remarks:  web site: http://www.afrinic.net
remarks:  The routing registry information (route(6) objects)
remarks:  may be published in any Routing Registry, including
remarks:  RIPE Whois Database
country:  EU # country is really somewhere in African Region
admin-c:  AFRI-RIPE
tech-c:   AFRI-RIPE
status:   ALLOCATED PA
mnt-by:   RIPE-NCC-HM-MNT
mnt-routes:   RIPE-NCC-RPSL-MNT
changed:  [EMAIL PROTECTED] 20050223
source:   RIPE


Re: djbdns: An alternative to BIND

2005-04-09 Thread Stephane Bortzmeyer

On Fri, Apr 08, 2005 at 03:55:15PM -0700,
 Vicky Rode [EMAIL PROTECTED] wrote 
 a message of 20 lines which said:

 Just wondering how many have transitioned to djbdns from bind

If transitioning from BIND, why go to the non-free and non-compliant
djbdns instead of nsd (http://www.nlnetlabs.nl/nsd/)?

One of the (many, many) annoying things about djbware is the constant
claim that djbware is the only challenger to reference software.



Re: Internet Email Services Association ( wasRE: Why do so few mail providers su

2005-03-01 Thread Stephane Bortzmeyer

On Tue, Mar 01, 2005 at 05:44:26AM -0500,
 [EMAIL PROTECTED] [EMAIL PROTECTED] wrote 
 a message of 27 lines which said:

 I'm skeptical that a model that only sort of works for under 30K ASNs
 and maybe 1K bilateral peering agreements for the *really* big Tier-1s
 won't scale to a world that has 40M+ .com domains and probably a million
 SMTP servers.

The agenda of the people who praise email peering is probably to
change that.

Should anyone be allowed to operate an email system? Perhaps not.

AOL postmaster Carl Hutzler

http://www.circleid.com/article/917_0_1_0_C/


Re: UN Panel Aims to End Internet Tug of War by July

2005-02-25 Thread Stephane Bortzmeyer

On Thu, Feb 24, 2005 at 05:00:22PM -0500,
 William Warren [EMAIL PROTECTED] wrote 
 a message of 45 lines which said:

 If the UN wants control of the INET WE invented. 

Who is WE? ICANN? The US government? 


Re: Registrar and registry backend processes.

2005-01-21 Thread Stephane Bortzmeyer

On Tue, Jan 18, 2005 at 05:08:18AM +0100,
 Lionel Elie Mamane [EMAIL PROTECTED] wrote 
 a message of 61 lines which said:

 Further, these options are not documented anywhere, 

In the man page of GNU whois :-)

When querying \fIwhois.denic.de\fP for domain names, the program will
automatically add the flags \fI-T dn,ace -C US-ASCII\fP.
.P

Remember that the whois protocol is a mess. Maybe IRIS will fix that.


Re: [eweek article] Window of anonymity when domain exists, whois not updated

2005-01-13 Thread Stephane Bortzmeyer

On Wed, Jan 12, 2005 at 04:11:42PM +,
 [EMAIL PROTECTED] [EMAIL PROTECTED] wrote 
 a message of 16 lines which said:

 And if you will trust an ISP to deliver port 25 packets then why
 wouldn't you trust them to deliver email messages?

There are *many* ISP which provide a reasonable job when carrying IP
packets but not an acceptable one when relaying email. If it seems a
paradox to you, remember that losing 5 % of the packets still allows
users to work while losing 1 % of the email is unacceptable.

If you never met an ISP with a reasonable service for IP packets and a
very lousy service for email, then it means we do not live in the same
world.


Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of anonym

2005-01-13 Thread Stephane Bortzmeyer

On Wed, Jan 12, 2005 at 10:59:43AM -0500,
 Steven Champeon [EMAIL PROTECTED] wrote 
 a message of 98 lines which said:

 0) for the love of God, Montresor, just block port 25 outbound
 already.

If there is no escape / exemption (as proposed by William Leibzon),
then, as a consumer, I scream OVER MY DEAD BODY!!!.

I want to be able to manage an email server when I subscribe to an
ISP.

In any case, it would no longer be Internet access. See the
Internet-Draft draft-klensin-ip-service-terms-04.txt, Terminology for
Describing Internet Connectivity.






Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of anonym

2005-01-13 Thread Stephane Bortzmeyer

On Wed, Jan 12, 2005 at 10:59:43AM -0500,
 Steven Champeon [EMAIL PROTECTED] wrote 
 a message of 98 lines which said:

 1) any legitimate mail source MUST have valid, functioning,
 non-generic rDNS indicating that it is a mail server or
 source. (Most do, many do not. There is NO reason why not.)

Since this list is NANOG, it is reasonable that it has a North
American bias but remember the Internet is worldwide. I do not know
how it is in the USA but there are many parts of the world where ISP
do not have a delegation of in-addr.arpa and therefore cannot pass it
to their customers. (It is also common to have many levels of ISP, so
you need to go through many layers before reaching the RIR.)

Requesting rDNS means I don't want to receive email from Africa.


Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of anonym

2005-01-13 Thread Stephane Bortzmeyer

On Wed, Jan 12, 2005 at 10:59:43AM -0500,
 Steven Champeon [EMAIL PROTECTED] wrote 
 a message of 98 lines which said:

 4) all domains with invalid whois data MUST be deactivated (not
 confiscated, just temporarily removed from the root dbs) immediately
 and their owners contacted.

Because there is no data protection on many databases (such as .com
registrars who are forced to sell the data if requested), people lie
when registering, because it is the only tool they have to protect
their privacy.

Fix the data protection problem and you'll have a better case to force
people to register proper information.
 
 5) whois data MUST be normalized and available in machine-readable
 form (such as a standard XML schema)

RFC 3981



Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of an

2005-01-13 Thread Stephane Bortzmeyer

On Thu, Jan 13, 2005 at 10:21:20AM -0500,
 [EMAIL PROTECTED] [EMAIL PROTECTED] wrote 
 a message of 45 lines which said:

  Requesting rDNS means I don't want to receive email from Africa.
 
 Having an rDNS entry for a host doesn't mean you know if it is/isn't
 in Africa,

Of course, I know that. I just mentioned Africa because, in many
countries in Africa, it is simply impossible to get a PTR
record. That's a fact, there are many reasons behind.



Re: Measure overall network availability

2005-01-07 Thread Stephane Bortzmeyer

On Fri, Jan 07, 2005 at 10:43:40AM -0500,
 Nils Ketelsen [EMAIL PROTECTED] wrote 
 a message of 28 lines which said:

  is there any recommended method to measure overall
  network availability? 
 
 The problem is, that most people have no definition when they
 consider their network available.

RFC 2498 ? At least, it is a start.



Re: Anycast 101

2004-12-20 Thread Stephane Bortzmeyer

[Warning: I've never actually deployed an anycast DNS setup so you are
free to ignore my message.]

On Mon, Dec 20, 2004 at 01:28:43PM +0100,
 Iljitsch van Beijnum [EMAIL PROTECTED] wrote 
 a message of 109 lines which said:

 1. There should always be non-anycast alternatives

I believe there is a strong consensus about that. And therefore a
strong agreement that .org is seriously wrong.

This is after all a good engineering practice: when you deploy
something new, do it carefully and not everywhere at the same time.



Re: Anycast 101

2004-12-17 Thread Stephane Bortzmeyer

On Fri, Dec 17, 2004 at 12:31:37AM +0100,
 Iljitsch van Beijnum [EMAIL PROTECTED] wrote 
 a message of 68 lines which said:

 and then sees an anycast instance for all root servers over
 peering. If then something bad happens to the peering connection
...
 but even if 5 or 8 or 12 addresses become unreachable the timeouts
 get bad enough for users to notice.

We can turn this into a Good Practice: do not put an instance of every
root name server on any given exchange point. 

Actually, this is only a theoretical issue, the current maximum seems
to be only three (at the LINX in London).


Re: [Fwd: zone transfers, a spammer's dream?]

2004-12-13 Thread Stephane Bortzmeyer

On Thu, Dec 09, 2004 at 03:52:38AM +0200,
 Gadi Evron [EMAIL PROTECTED] wrote 
 a message of 174 lines which said:

  171 uk.zone

Everything is in subdomains like co.uk, so there is no point in
blocking zone transfers for the TLD.



Re: Opinions of recent ITU Comments on the Management of IP Addresses

2004-11-23 Thread Stephane Bortzmeyer

On Mon, Nov 22, 2004 at 08:16:43PM +,
 Vince Hoffman [EMAIL PROTECTED] wrote 
 a message of 22 lines which said:

 This memorandum includes a proposal to create a new IPv6 address
 space distribution process, based solely on national authorities.

This is a wrong presentation of the ITU document and the NRO fixed
that bug:

http://www.nro.net/documents/statements/nro-clarification.html



Re: Stupid Ipv6 question...

2004-11-19 Thread Stephane Bortzmeyer

On Fri, Nov 19, 2004 at 03:06:43AM -0500,
 Dan Mahoney, System Admin [EMAIL PROTECTED] wrote 
 a message of 25 lines which said:

 I'm having trouble wrapping my head around ipv6 style suffixes --
 does anyone have a chart handy?  How big is a /64, specifically?

Since an IPv6 address is 128 bits, a /64 holds 2 ** (128 - 64)
addresses, which is 2 ** 64. But it seems too simple. This was really
your question?


Re: anycast roots

2004-11-17 Thread Stephane Bortzmeyer

On Fri, Nov 12, 2004 at 11:00:54PM +,
 Paul Vixie [EMAIL PROTECTED] wrote 
 a message of 18 lines which said:

 as far as i know, the root-servers.org web site is 100% accurate, 

Following the recent discussion about anycast jitter with
j.root-servers.net, I believe one piece of information is missing:
whether the node is global or local (BGP NO_EXPORT).

It is not easy to find by itself (you have to do a lot of traceroutes)
so, if you have access to this information, it would be quite useful.

(I'm one of the persons who see a lot of jitter for
j.root-servers.net with Randy Bush's experiment.)



Re: anycast roots

2004-11-17 Thread Stephane Bortzmeyer

On Wed, Nov 17, 2004 at 02:37:25PM +0100,
 Elmar K. Bins [EMAIL PROTECTED] wrote 
 a message of 34 lines which said:

 in alternating fashion, but I would assume jns1 through jns6 are
 just the individual servers of a setup called hgtld.

That's a reasonable guess. Someone from Verisign to confirm/infirm?


Re: anycast roots

2004-11-17 Thread Stephane Bortzmeyer

On Wed, Nov 17, 2004 at 10:05:20AM -0500,
 Joe Abley [EMAIL PROTECTED] wrote 
 a message of 36 lines which said:

 I have no idea about Verisign's scheme, but in case anybody notices 
 similar distribution of queries across F root servers, it may help to 
 know that:
 
  xxxNa.f.root-servers.org
  xxxNb.f.root-servers.org
  xxxNc.f.root-servers.org
  etc
 
 are hosts all located at the same site xxxN. 

OK, I understand. So, like Elmar Bins, I was seeing intra-site
jitter, which is normal (it is only seen with UDP queries, probably
because the Verisign load balancer is stateful and remembers the
binding for TCP) and no inter-site jitter, which would be more
serious. But I'm quite at this edge of the Internet, so let's wait for
more reports with Peter Boothe's tool. And just be sure to sanitize
the results before jumping to the wrong conclusion, like I did.





Re: IPv6 support for com/net zones on October 19, 2004

2004-10-28 Thread Stephane Bortzmeyer

On Wed, Oct 27, 2004 at 04:01:45PM -0400,
 Joe Abley [EMAIL PROTECTED] wrote 
 a message of 42 lines which said:

 Since I mailed that, 3557 started receiving a covering /48 for A.

a.gtld-servers.net works now for us. Verisign does not reply but may
listen :-)

b is still unreachable. We get a route but not everybody does.



Re: IPv6 support for com/net zones on October 19, 2004

2004-10-27 Thread Stephane Bortzmeyer

On Fri, Sep 24, 2004 at 02:10:58PM -0400,
 Matt Larson [EMAIL PROTECTED] wrote 
 a message of 27 lines which said:

 A few people have asked me privately to publish the IPv6 addresses
 ahead of time for reachability testing purposes, so here they are:
 
 2001:503:a83e::2:30 (a.gtld-servers.net)
 2001:503:231d::2:30 (b.gtld-servers.net)

Now that the IPv6 glues are published, I can not reach these
nameservers from Renater:

~ % traceroute6 a.gtld-servers.net
traceroute to a.gtld-servers.net (2001:503:a83e::2:30) from 2001:660:3003:8::4:68, 30 hops max, 16 byte packets
 1  gw.nic.fr (2001:660:3003:8::1)  0.7 ms  0.729 ms  0.687 ms
 2  afnic-g0-3-10.cssi.renater.fr (2001:660:300c:1001:0:131:0:2200)  1.432 ms  1.112 ms  1.195 ms
 3  nri-a-g13-0-30.cssi.renater.fr (2001:660:3000:3c:86:10::)  1.979 ms  1.8 ms  1.632 ms
 4  lyon-pos6-0.cssi.renater.fr (2001:660:3000:41:10:12::)  7.036 ms  6.962 ms  6.968 ms
 5  P3-0.BAGCR1.Bagnolet.ipv6.opentransit.net (2001:688:0:3:4::)  12.875 ms  12.142 ms  12.189 ms
 6  P6-0-0.BAG6AR1.Bagnolet.ipv6.opentransit.net (2001:688:0:2:4::3)  12.586 ms  12.422 ms  12.214 ms
 7  P1-0.LON6AR1.London.ipv6.opentransit.net (2001:688:0:2:1::1)  21.898 ms  21.922 ms  21.672 ms
 8  uk6x.ipv6.btexact.com (2001:7f8:2:1::1)  22.226 ms  21.841 ms  22.043 ms
 9  v6-tunnel-grnet.ipv6.btexact.com (2001:7f8:2:8018::3)  90.603 ms  90.134 ms  90.413 ms
10  3ffe:2900:1c::2 (3ffe:2900:1c::2)  243.383 ms !S  243.933 ms !S  243.319 ms !S

(!S : source route failed, which is quite surprising)

Filtering of the micro-allocation of the /48? Something else? Other
people with connectivity problems to gtld-servers.net?



Re: Ivan damage...

2004-09-14 Thread Stephane Bortzmeyer

On Mon, Sep 13, 2004 at 03:42:26PM -0700,
 Gary E. Miller [EMAIL PROTECTED] wrote 
 a message of 25 lines which said:

 Not been able to reach my machines in Jamaica.  The Kingston Daily
 Gleaner is back up with text only pages.  They report BOTH the
 primary and secondary submarine cables to Jamaica are severed:

And the name servers are all in Jamaica (IANA lists other name servers
but they are in lame delegation) so the TLD disappeared as well.

~ % check_soa jm
There is no name server running on ns.jm
There was no response from ns.utechjamaica.edu.jm
There was no response from ns.utech.edu.jm
There was no response from ns.cast.edu.jm

RFC 2182, 3.1 :

   Secondary servers must be placed at both topologically and
   geographically dispersed locations on the Internet, to minimise the
   likelihood of a single failure disabling all of them.

And it is quite easy to get a remote secondary for a TLD (RIPE-NCC,
ISC, EP, AFNIC, etc). Too bad it was not done.
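
The concentration problems described in the ".US outage" message (all name servers in one AS and one /16) and in the message above (all reachable servers on one island) can be checked mechanically before an outage does it for you. This is an added example, not part of the original messages: the server names, addresses and AS numbers are constructed, and the origin AS of each address is assumed to be supplied by the caller (for instance from a routing table dump).

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: (server name, address, origin AS).
# Names use .example; AS numbers come from the documentation range.
CLUSTERED = [
    ("a.ns.example", "10.20.1.53", 64500),
    ("b.ns.example", "10.20.77.53", 64500),
    ("c.ns.example", "10.20.200.53", 64500),
]
DISPERSED = [
    ("a.ns.example", "192.0.2.53", 64500),
    ("b.ns.example", "198.51.100.53", 64501),
    ("c.ns.example", "2001:db8:53::1", 64502),
]


def group_servers(servers, v4_len=16, v6_len=32):
    """Group server names by covering prefix and by origin AS."""
    by_prefix = defaultdict(list)
    by_asn = defaultdict(list)
    for name, addr, asn in servers:
        ip = ipaddress.ip_address(addr)
        plen = v4_len if ip.version == 4 else v6_len
        # strict=False masks the host bits, giving the covering prefix.
        net = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
        by_prefix[str(net)].append(name)
        by_asn[asn].append(name)
    return dict(by_prefix), dict(by_asn)


def findings(servers):
    """Return a list of single-point-of-failure findings (empty if none)."""
    out = []
    if len(servers) < 2:
        out.append("fewer than two name servers")
        return out
    by_prefix, by_asn = group_servers(servers)
    if len(by_prefix) == 1:
        prefix = next(iter(by_prefix))
        out.append(f"all {len(servers)} servers are inside {prefix}")
    if len(by_asn) == 1:
        asn = next(iter(by_asn))
        out.append(f"all {len(servers)} servers are announced by AS{asn}")
    return out


if __name__ == "__main__":
    for label, zone in (("clustered", CLUSTERED), ("dispersed", DISPERSED)):
        print(label, findings(zone) or "no concentration found")
```

Prefix and AS diversity are only proxies for the topological and geographical dispersion that RFC 2182 asks for; servers in different prefixes can still share one cable.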



Re: Email Complexes

2004-09-14 Thread Stephane Bortzmeyer

On Tue, Sep 14, 2004 at 09:08:21AM -0500,
 Hosman, Ross [EMAIL PROTECTED] wrote 
 a message of 22 lines which said:

 We would like accounts setup at these companies to monitor outgoing
 email to these complexes.

Maybe it would be simpler to suggest them to implement Message
Tracking? (http://www.ietf.org/html.charters/msgtrk-charter.html) It
would scale better than asking for accounts.



Re: Sender-ID denied by IETF?

2004-09-13 Thread Stephane Bortzmeyer

On Mon, Sep 13, 2004 at 10:58:13AM -0400,
 Jeff Wheeler [EMAIL PROTECTED] wrote 
 a message of 19 lines which said:

 Top story on Slashdot:
 http://it.slashdot.org/it/04/09/13/1317238.shtml?tid=172tid=95tid=218

Warning: this is probably non-operational content. I suggest to move
the discussion in private or on the MARID Working Group mailing list.
 
  Zocalo writes The MARID working group at the IETF responsible for
 deciding on which extensions to SMTP will be used to try and prevent
 spoofing of the sender has made their decision. At issue was whether
 Microsoft's patent encumbered Sender-ID would be eligible for
 inclusion in an Internet standard. An initial analysis of the text
 of their decision, available here with a brief analysis, would
 suggest not.

This is heavily simplified (the PRA algorithm was not rejected).

 Unless Microsoft is going to make any dramatic concessions out of 
 desperation, that pretty much clears the way for Meng Wong's Classic 
 SPF to become the standard and hopefully make Joe-Jobs a thing of the 
 past.

This is also either wishful thinking or pure disinformation.

For those who want the facts, see:

http://www.imc.org/ietf-mxcomp/mail-archive/msg04673.html

co-chair judgment of consensus related to last call period of
23-Aug-2004 to 10-Sept-2004


Re: Spammers Skirt IP Authentication Attempts

2004-09-10 Thread Stephane Bortzmeyer

On Wed, Sep 08, 2004 at 04:59:51PM +,
 Paul Vixie [EMAIL PROTECTED] wrote 
 a message of 27 lines which said:

 you could bet that by closing off this avenue, SPF will force
 spammers to use other methods that are more easily
 detected/filtered, and that if you play this cat-and-mouse game long
 enough, it will drive the cost of spam so high (or drive the volume
 benefit so low) that it'll just die out.

Good summary. This is the right strategy.

 but to me, SPF is just a way to rearrange the deck chairs on the
 Titanic.

I can swim but I believe that the water under the Titanic was quite
too cold to stay. Any advice to the people on the NANOG mailing list
before the boat goes down?



Re: Spammers Skirt IP Authentication Attempts

2004-09-10 Thread Stephane Bortzmeyer

On Wed, Sep 08, 2004 at 03:15:14PM -0500,
 Robert Bonomi [EMAIL PROTECTED] wrote 
 a message of 37 lines which said:

 Same thing applies for 'simple' forwarding via sendmails '~/.forward'
 mechanism.  the mail server 'accepts' the mail from the original source,
 and then 're-sends' to the new destination.  That re-send originates as
 the _forwarding_party_, WITH an 'envelope from' of that forwarding
 party,

Sorry, this is simply not true (sendmail, postfix, etc, always keep
the original envelope from when forwarding).

 An SPF check of the _immediate_ sender does *NOT* break forwarded
 mail.

Even SPF people say it:

http://spf.pobox.com/faq.html#forwarding
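
The disagreement in this exchange is about which envelope sender the final destination sees after a `~/.forward` hop. The sketch below is an added example, not part of the original messages. It evaluates SPF for both cases: envelope sender kept, and envelope sender rewritten by the forwarder. The domains, addresses and records are constructed, the records sit in a dictionary instead of DNS, and only the `ip4`, `ip6` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed SPF records keyed by domain (stand-in for DNS TXT lookups).
SPF_RECORDS = {
    "origin.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "forwarder.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, envelope_from, records=SPF_RECORDS):
    """Evaluate the SPF record of the envelope sender's domain against
    the IP address of the connecting SMTP client."""
    domain = envelope_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, arg = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
        # Mechanisms that need DNS (a, mx, include, ...) are skipped here.
    return "neutral"


def spf_at_final_hop(envelope_from, forwarder_ip, rewritten_from=None):
    """SPF result seen by the final destination after one forwarding hop.

    The destination sees the forwarder's IP address. The envelope sender
    is the original one unless the forwarder rewrites it.
    """
    sender = rewritten_from or envelope_from
    return check_spf(forwarder_ip, sender)


if __name__ == "__main__":
    sender = "alice@origin.example"
    print("direct delivery:   ", check_spf("192.0.2.25", sender))
    print("forwarded, kept:   ", spf_at_final_hop(sender, "198.51.100.7"))
    print("forwarded, rewrite:", spf_at_final_hop(
        sender, "198.51.100.7", rewritten_from="fwd@forwarder.example"))
```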


Re: Spammers Skirt IP Authentication Attempts

2004-09-10 Thread Stephane Bortzmeyer

On Fri, Sep 10, 2004 at 01:57:51AM -0700,
 Joe Rhett [EMAIL PROTECTED] wrote 
 a message of 19 lines which said:

 I'm not sure where true diverges from reality in your analysis,
 but perhaps you should create one of those mail environments and
 test before you put your foot in your mouth again?

Good idea, I plan to install a Fedora this week-end and to learn a bit
about Postfix. Your wide experience will certainly help.

If you think that sendmail or postfix modify the envelope from when
forwarding, I suggest that you send your big discovery to the IETF
MARID working group, where it may change a lot of things in the
current discussion about Sender-ID :-)


Re: Spammers Skirt IP Authentication Attempts

2004-09-07 Thread Stephane Bortzmeyer

On Tue, Sep 07, 2004 at 11:32:11AM +0100,
 Paul Jakma [EMAIL PROTECTED] wrote 
 a message of 24 lines which said:

 Also, SPF doesnt tell you whether it is spam.

Of course. It never pretended to do so.

 Indeed, apparently majority of SPF-valid email at moment is spam!

No. Where did you find the figures? 



Re: Spammers Skirt IP Authentication Attempts

2004-09-06 Thread Stephane Bortzmeyer

On Mon, Sep 06, 2004 at 04:26:04AM -0700,
 Henry Linneweh [EMAIL PROTECTED] wrote 
 a message of 4 lines which said:

 This is not a good beginning
 
 http://www.eweek.com/article2/0,1759,1642848,00.asp

Bad paper. The CipherTrust story, which is mentioned, is very weak: it
contains several big mistakes (such as mentioning SenderID
records... which do not exist yet since the working group is in the
last call state) so I question its credibility.

Regarding the facts, testing on my spam mailbox, I can see SPF
records from spammers but it is very uncommon (there is no incentive
for them to publish SPF immediately, because few sites will test
them).

Otherwise, SPF is not anti-spam by itself. In the same way that
network security is not provided by a firewall alone, anti-spam
protection is not provided by SPF alone. SPF is an enabler: it allows
you to be more confident in the authenticity of the domain, giving
reputation systems (whitelists and blacklists) a better chance to
succeed.


Re: [IP] VeriSign prepares to relaunch Site Finder -- calls

2004-02-10 Thread Stephane Bortzmeyer

[I'm sure that Paul Vixie knows the difference but others may not and
the Washington Post paper, mentioned at the beginning of the thread,
was quite confused.]

On Tue, Feb 10, 2004 at 04:37:09AM +,
 Paul Vixie [EMAIL PROTECTED] wrote 
 a message of 22 lines which said:

 why?  that is, why kill sitefinder?  

Nobody suggested to kill SiteFinder. Despite Verisign's lies,
SiteFinder is alive and well (well, Verisign suppressed the A record
for sitefinder.verisign.com but it is their decision, they could
recreate the A record at anytime) and never stopped. Anyone is free to
create a Sitefinder-like service if they want.

Many people opposed WILDCARDS in .com, not SiteFinder. The bad
action was not to launch SiteFinder, it was to add wildcards.

 there's been plenty of invective on both sides, and a lot of
 unprofessional behaviour toward verisign employees at a recent nanog
 meeting,

Wake up: the Internet is no longer a commune of happy geeks working
together for a common goal. It is now a social infrastructure and
there are fights for its control. There is no longer any reason to be
nice with everybody, especially with people trying to divert the common
resource for their own profit.


Re: updated root hints file

2004-01-30 Thread Stephane Bortzmeyer

On Thu, Jan 29, 2004 at 10:44:42PM -0800,
 bill [EMAIL PROTECTED] wrote 
 a message of 54 lines which said:

  http://www.root-servers.org/ seems to only have news on I's ASN change, no 
  mention of B or J or the anycast F/K/I's ... methinks this info should have a 
  home on this site..
 
 
   why this site?

Which site do you suggest?
 


Re: updated root hints file

2004-01-30 Thread Stephane Bortzmeyer

On Wed, Jan 28, 2004 at 09:19:43PM -0500,
 Coppola, Brian [EMAIL PROTECTED] wrote 
 a message of 22 lines which said:

 In preparation for tomorrow morning's B-root IP change from 128.9.0.107 to
 192.228.79.201 

I notice trouble reaching the new server from many places.

Here is a machine connected by Global Crossing:

master:~ % dig @192.228.79.201 SOA .  

;  DiG 9.2.1  @192.228.79.201 SOA .
;; global options:  printcmd
;; connection timed out; no servers could be reached

From other places, it works. I cannot find a common pattern.

When it fails, the traceroute looks like (here from 146.82.138.7):

master:~ %  traceroute 192.228.79.201
traceroute to 192.228.79.201 (192.228.79.201), 30 hops max, 38 byte packets
 1  mauser.brainfood.com (146.82.138.1)  0.232 ms  0.165 ms  0.121 ms
 2  146.82.136.53 (146.82.136.53)  0.514 ms  0.478 ms  0.450 ms
 3  146.82.136.9 (146.82.136.9)  0.422 ms  0.388 ms  0.368 ms
 4  332.ge12-0.mpr1.dfw2.us.above.net (209.133.66.58)  0.828 ms  0.857 ms  1.162 ms
 5  so-3-0-0.cr2.dfw2.us.above.net (216.200.127.217)  1.001 ms  0.990 ms  0.943 ms
 6  pos3-0.er1.atl4.us.above.net (216.200.127.225)  18.004 ms  17.945 ms  17.921 ms
 7  pos14-0.pr1.atl4.us.above.net (64.125.30.242)  18.015 ms  17.985 ms  17.954 ms
 8  so-1-3.hsa2.Atlanta1.Level3.net (209.0.227.161)  18.123 ms  18.006 ms  17.997 ms
 9  ge-6-2-1.bbr1.Atlanta1.Level3.net (64.159.3.73)  18.341 ms  18.142 ms  18.224 ms
10  so-3-0-0.mpls1.Tustin1.Level3.net (209.247.8.121)  53.037 ms  52.893 ms  53.471 ms
11  so-9-0.hsa1.Tustin1.Level3.net (209.244.27.174)  52.944 ms 
so-10-0.hsa1.Tustin1.Level3.net (209.244.27.154)  52.913 ms 
so-9-0.hsa1.Tustin1.Level3.net (209.244.27.174)  52.884 ms
12  * * *
13  130.152.181.66 (130.152.181.66)  63.972 ms  65.680 ms  63.889 ms
14  * * *
15  * * *

When it succeeds, I get (here from 66.93.172.18):

voltaire:~ % traceroute 192.228.79.201
traceroute to 192.228.79.201 (192.228.79.201), 30 hops max, 38 byte packets
 1  dsl093-172-001.pit1.dsl.speakeasy.net (66.93.172.1)  386.978 ms  59.405 ms  125.981 ms
 2  border1.g4-3.speakeasy-40.wdc.pnap.net (63.251.83.187)  164.026 ms  306.738 ms  548.859 ms
 3  core2.ge3-1-bbnet2.wdc002.pnap.net (216.52.127.72)  33.304 ms  242.007 ms  184.611 ms
 4  ge-5-1-181.ipcolo1.Washington1.Level3.net (63.210.59.237)  78.556 ms  464.994 ms  357.447 ms
 5  ae-0-56.bbr2.Washington1.Level3.net (64.159.18.162)  252.687 ms  518.383 ms  402.284 ms
 6  so-3-0-0.mpls1.Tustin1.Level3.net (209.247.8.121)  631.193 ms  485.623 ms  500.692 ms
 7  so-9-0.hsa1.Tustin1.Level3.net (209.244.27.174)  460.843 ms  259.303 ms  339.851 ms
 8  67.30.130.66 (67.30.130.66)  305.469 ms  312.075 ms  341.656 ms
 9  130.152.181.66 (130.152.181.66)  373.986 ms  499.069 ms  518.800 ms
10  b.root-servers.net (192.228.79.201)  461.216 ms  448.530 ms  488.763 ms

So, apparently, 67.30.130.66 does not know how to reply to many
places.

IP addresses which have the problem: 192.134.4.152, 146.82.138.7,
194.117.194.82, 62.23.209.250.


Re: Upcoming change to SOA values in .com and .net zones

2004-01-08 Thread Stephane Bortzmeyer

On Wed, Jan 07, 2004 at 07:41:54PM -0500,
 Joe Abley [EMAIL PROTECTED] wrote 
 a message of 16 lines which said:

 I didn't notice anybody saying thank you for doing the right thing
 by announcing the change amongst the flurry of jerking knees. So,
 thank you for doing the right thing. Good luck with the maintenance.

And should we thank Verisign for doing for a very minor change what
they did not do for a much more crucial change, their wildcards?



Re: Upcoming change to SOA values in .com and .net zones

2004-01-08 Thread Stephane Bortzmeyer

On Wed, Jan 07, 2004 at 05:43:01PM -0800,
 Martin J. Levy [EMAIL PROTECTED] wrote 
 a message of 9 lines which said:

 I believe there have been 26 (oops, now 27) responses to this
 announcement in the last 2 hours 45 minutes, that's about one response
 every 6 minutes.

This is normal and reasonable sensitivity, taking into account the way
Verisign handled the introduction of wildcards.

For very minor changes, they tell the 200 technical zealots
URL:http://www.redherring.com/Article.aspx?f=articles/2003/12/14c9995f-5557-4dc4-ad48-4548360c2095/14c9995f-5557-4dc4-ad48-4548360c2095.xml
in advance. For important and sensitive changes, like the wildcards,
they do not.




Re: Upcoming change to SOA values in .com and .net zones

2004-01-08 Thread Stephane Bortzmeyer

On Thu, Jan 08, 2004 at 05:21:33AM -0800,
 Avleen Vig [EMAIL PROTECTED] wrote 
 a message of 22 lines which said:

 Verisign is learning their lesson, and it might take a while yet, but
...
 Verisign didn't do right last time, but they did this time.

No, they are not learning. At least this is not what their CEO says:

http://www.redherring.com/Article.aspx?f=articles/2003/12/14c9995f-5557-4dc4-ad48-4548360c2095/14c9995f-5557-4dc4-ad48-4548360c2095.xml

 This community needs to work together, not apart.

I don't remember signing up anywhere to be a member of the same
community as Verisign.


Re: Out of office/vacation messages

2003-12-26 Thread Stephane Bortzmeyer

On Friday 26 December 2003, at 0 h 50, 
[EMAIL PROTECTED] (Suresh Ramasubramanian) wrote:

  There are several other tests to perform (if you are a reasonable program,
  that is), before sending an Out of the office message. An obvious one is to
  see whether your human owner is mentioned in the To: field. Unless the list
  explodes the messages in one explicit copy per recipient, this is enough.
 
 Of course, that doesn't work with a list that doesn't set reply-to the list.

Why? There is Mail-Followup-To and you can set Reply-To yourself. And you can 
always edit your headers (or have a software which can do it automatically 
like mutt).

And the purpose was not to suppress *every* O-o-O message (they are very 
useful), just to lower the number and increase the average relevance.




Re: Out of office/vacation messages

2003-12-26 Thread Stephane Bortzmeyer

On Friday 26 December 2003, at 11 h 18, 
Stephen J. Wilcox [EMAIL PROTECTED] wrote:

 Surely regardless of the presence of precedence you would never autoreply to an 
 email that wasn't addressed to you personally?

And I add: in the To: field, not the CC: one.




Re: Out of office/vacation messages

2003-12-26 Thread Stephane Bortzmeyer

On Friday 26 December 2003, at 9 h 11, 
Suresh Ramasubramanian [EMAIL PROTECTED] wrote:

 What I said is that the method proposed wouldn't cut down on OOOs to the 
 list.

Yes, it will, in most cases. Let's take the following message:

From: Stephane Bortzmeyer [EMAIL PROTECTED]
To: Suresh Ramasubramanian [EMAIL PROTECTED]
cc: [EMAIL PROTECTED]

Imagine that this message arrives in your mailbox. If your auto-responder 
writes to [EMAIL PROTECTED], it is broken, period. With the algorithm I sent 
(which is used in all serious responders), it will reply only to 
[EMAIL PROTECTED]

Now, this message:

From: Stephane Bortzmeyer [EMAIL PROTECTED]
To:  [EMAIL PROTECTED]

Imagine that this message arrives in your mailbox. If your auto-responder 
writes to *anyone*, it is broken, period.

Now, this one:

Reply-To: [EMAIL PROTECTED]
From: Stephane Bortzmeyer [EMAIL PROTECTED]
To: Suresh Ramasubramanian [EMAIL PROTECTED]
cc: [EMAIL PROTECTED]

Here, there is a risk that even a proper auto-responder will write to 
[EMAIL PROTECTED] (at most once every N days, if the auto-responder is a serious 
one). But it is the only case. It should not happen but it can.

Now, with the precedence (belt and suspenders):

Reply-To: [EMAIL PROTECTED]
From: Stephane Bortzmeyer [EMAIL PROTECTED]
To: Suresh Ramasubramanian [EMAIL PROTECTED]
Precedence: bulk
cc: [EMAIL PROTECTED]

Again, if your auto-responder writes to *anyone*, it is broken, period.
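
Added example, not part of the original messages and not any particular responder's code: a sketch of the decision rules discussed in this thread (owner named in To:, no reply to Precedence: bulk, reply to Reply-To or From only, at most once every N days), run over constructed copies of the four header sets above. The example.org/example.net addresses, the 7-day default for N, and the extra "junk" and "list" precedence values are assumptions.

```python
from datetime import datetime, timedelta
from email import message_from_string
from email.utils import getaddresses

# The thread names only "bulk"; "junk" and "list" are an added assumption.
NO_REPLY_PRECEDENCE = {"bulk", "junk", "list"}

def autoreply_target(raw, owner, sent_log, now, every_days=7):
    """Return the address an auto-reply should go to, or None for no reply."""
    msg = message_from_string(raw)
    # Belt and suspenders: bulk traffic never gets an auto-reply.
    if (msg.get("Precedence") or "").strip().lower() in NO_REPLY_PRECEDENCE:
        return None
    # The owner must be named in To:, a Cc: mention is not enough.
    to_addrs = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}
    if owner.lower() not in to_addrs:
        return None
    # Reply to Reply-To when present, otherwise to From, never to Cc.
    pairs = getaddresses(msg.get_all("Reply-To") or msg.get_all("From", []))
    if not pairs or not pairs[0][1]:
        return None
    target = pairs[0][1].lower()
    # At most one auto-reply per correspondent every `every_days` days.
    last = sent_log.get(target)
    if last is not None and now - last < timedelta(days=every_days):
        return None
    sent_log[target] = now
    return target

def build(*headers):
    return "\n".join(headers) + "\n\nConstructed test body.\n"

# Constructed messages mirroring the four header sets in the thread.
FROM = "From: Sender <sender@example.org>"
TO_OWNER = "To: Owner <owner@example.net>"
CC_LIST = "cc: list@lists.example.com"
RT_LIST = "Reply-To: list@lists.example.com"
DIRECT_CC_LIST = build(FROM, TO_OWNER, CC_LIST)
LIST_ONLY = build(FROM, "To: list@lists.example.com")
REPLY_TO_LIST = build(RT_LIST, FROM, TO_OWNER, CC_LIST)
BULK = build(RT_LIST, FROM, TO_OWNER, "Precedence: bulk", CC_LIST)

if __name__ == "__main__":
    now = datetime(2003, 12, 26, 9, 0)
    for name in ("DIRECT_CC_LIST", "LIST_ONLY", "REPLY_TO_LIST", "BULK"):
        print(name, "->", autoreply_target(globals()[name], "owner@example.net", {}, now))
```

Only the Reply-To case yields the list address, which is the residual risk described above; the per-correspondent log limits it to one message per interval.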




