RE: Stuxnet and more
Grant said today: -Original Message- From: Grant Ridder [mailto:shortdudey...@gmail.com] Sent: Thursday, July 26, 2012 11:25 AM To: nanog@nanog.org Subject: Stuxnet Hi Everyone, I realize most people already know the history of Stuxnet but i figured i would pass along an IEEE article that was just published. http://spectrum.ieee.org/computing/networks/declarations-of-cyberwar -Grant Grant and the rest of you NANOGERS, more regarding new problems in Iran via an F-Secure blog. Here is the link: http://www.f-secure.com/weblog/archives/2403.html Sincerely, Richard Golodner P.S. Did I ever mention how much I hate M$ Windows?
RE: Rate shaping in Active E FTTx networks
Juniper dynamic application awareness does a decent job and so does the cisco counterpart saves buying more hw From: Erik Muller [er...@buh.org] Sent: Thursday, July 26, 2012 10:21 PM To: nanog@nanog.org Subject: Re: Rate shaping in Active E FTTx networks On 7/26/12 12:45 , Jason Lixfeld wrote: > Hi all, > > I'm trying to gauge what operators are doing to handle per-subscriber > Internet access PIR bandwidth in Active E FTTx networks. > > I presume operators would want to limit the each subscriber to a > certain PIR, but within that limit, do things like perform preferential > treatment of interactive services like steaming video or Skype, etc., > ahead of non-interactive services like FTP. > > My impression is that a subscriber's physical access in these networks > is exponentially larger than their allocated amount of Internet access. > This would leave ample room on the physical access access for other > services like Voice and IPTV that might run on separate VLANs than the > Internet access VLAN. That said, I doubt there's really that much of a > concern about allocating PIR on these other service VLANs. > > So in terms of PIR for Internet access, is there some magic box that > sits between the various subscriber aggregation points and the core, > which takes care of shaping the subscriber's Internet access PIR, while > making sure that the any preferential treatment of interactive services > is performed. > > Is that a lot to ask for one box? The ridiculously deep buffers > required in order to shape to PIR vs. police to it (because policing to > a PIR is just plain ugly) and the requirements to perform any sort of > preferential packet treatment above and beyond that seem like quite a > lot to ask of one box. Am I wrong? > > Who might make a box like this, if it exists? And if not, what are > folks using the achieve these results? > > Thanks in advance for any insights.. I've seen a few deployments using Packeteer's (now BlueCoat) PacketShaper for this purpose; the only downside I've heard with that platform is cost. Sandvine and Fortinet are a couple other options that have different approaches, but have a lot of this functionality rolled in alongside their broader security services. -e
Re: Rate shaping in Active E FTTx networks
On 7/26/12 12:45 , Jason Lixfeld wrote: Hi all, I'm trying to gauge what operators are doing to handle per-subscriber > Internet access PIR bandwidth in Active E FTTx networks. I presume operators would want to limit the each subscriber to a certain PIR, but within that limit, do things like perform preferential > treatment of interactive services like steaming video or Skype, etc., > ahead of non-interactive services like FTP. My impression is that a subscriber's physical access in these networks is exponentially larger than their allocated amount of Internet access. > This would leave ample room on the physical access access for other > services like Voice and IPTV that might run on separate VLANs than the > Internet access VLAN. That said, I doubt there's really that much of a > concern about allocating PIR on these other service VLANs. So in terms of PIR for Internet access, is there some magic box that sits between the various subscriber aggregation points and the core, > which takes care of shaping the subscriber's Internet access PIR, while > making sure that the any preferential treatment of interactive services > is performed. Is that a lot to ask for one box? The ridiculously deep buffers required in order to shape to PIR vs. police to it (because policing to > a PIR is just plain ugly) and the requirements to perform any sort of > preferential packet treatment above and beyond that seem like quite a > lot to ask of one box. Am I wrong? Who might make a box like this, if it exists? And if not, what are folks using the achieve these results? Thanks in advance for any insights.. I've seen a few deployments using Packeteer's (now BlueCoat) PacketShaper for this purpose; the only downside I've heard with that platform is cost. Sandvine and Fortinet are a couple other options that have different approaches, but have a lot of this functionality rolled in alongside their broader security services. -e
Re: Is Hotmail in the habit of ignoring MX records?
In message , Michael J Wise writ es: > > On Jul 26, 2012, at 6:34 PM, Mark Andrews wrote: > > > In message , Michael J = > Wise writ > > es: > >>=20 > >> On Jul 26, 2012, at 1:35 AM, Lou Katz wrote: > >>=20 > >>> The domain is cookephoto.com > >>=20 > >> Why does mail.metron.com have MX records? > >=20 > > Why do you care? There is nothing wrong with having explict MX > > records and they generally take up less room in a DNS cache then > > the negative response does especially if it is DNSSEC signed. > >=20 > >> And they're different. > >=20 > > Again why do you care? > > Why do *I* care? > I don't. > > I'm just trying to find the weird bit that maybe is causing hotmail to = > stumble. > And maybe an endless loop for an MX lookup might be what is causing = > hotmail to panic and throw out the MX records. You don't lookup MX records for MX targets. This is basic MTA processing. If the MX lookup fails, as apposed to returns nodata, you don't lookup the A/ records and synthesis a MX record. You treat it as a soft error and queue for retry later. Again this is basic MTA processing. You don't depend on ALL (ANY) returning MX records as they may not be in the cache. You need to make a explict MX query you get no MX records are returned in response to a ALL query. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: Is Hotmail in the habit of ignoring MX records?
On Jul 26, 2012, at 6:34 PM, Mark Andrews wrote: > In message , Michael J Wise > writ > es: >> >> On Jul 26, 2012, at 1:35 AM, Lou Katz wrote: >> >>> The domain is cookephoto.com >> >> Why does mail.metron.com have MX records? > > Why do you care? There is nothing wrong with having explict MX > records and they generally take up less room in a DNS cache then > the negative response does especially if it is DNSSEC signed. > >> And they're different. > > Again why do you care? Why do *I* care? I don't. I'm just trying to find the weird bit that maybe is causing hotmail to stumble. And maybe an endless loop for an MX lookup might be what is causing hotmail to panic and throw out the MX records. >> $ host cookephoto.com >> cookephoto.com has address 192.160.193.89 >> cookephoto.com mail is handled by 10 mail.metron.com. >> cookephoto.com mail is handled by 12 mail2.metron.com. >> cookephoto.com mail is handled by 15 mail.katz.com. >> >> $ host mail.metron.com >> mail.metron.com has address 192.160.193.14 >> mail.metron.com mail is handled by 10 mail.metron.com. >> mail.metron.com mail is handled by 20 mail.katz.com. >> >> $ host mail.katz.com >> mail.katz.com has address 192.160.193.14 >> >> $ host mail2.metron.com >> mail2.metron.com has address 209.204.189.91 >> >> $ host plaid.metron.com >> plaid.metron.com has address 192.160.193.135 >> >> Normally, in my experience, the actual mail server doesn't have MX >> records as such, but=85. >> Just seems 0dd. > > All address record (A and A) have MX records. Some may be > implicit but as far as SMTP is concerned they all have MX records. > >> Also, you say =85 >> >>> At the time of the transaction, nothing special was happening here, >> ... >> >> Was anything strange happening with any of the DNS records for any of >> these domains in the past two days? >> >> Aloha, >> Michael. >> -- >> "Please have your Internet License >> and Usenet Registration handy..." > -- > Mark Andrews, ISC > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org Aloha, Michael. -- "Please have your Internet License and Usenet Registration handy..."
Re: Is Hotmail in the habit of ignoring MX records?
In message , Michael J Wise writ es: > > On Jul 26, 2012, at 1:35 AM, Lou Katz wrote: > > > The domain is cookephoto.com > > Why does mail.metron.com have MX records? Why do you care? There is nothing wrong with having explict MX records and they generally take up less room in a DNS cache then the negative response does especially if it is DNSSEC signed. > And they're different. Again why do you care? > $ host cookephoto.com > cookephoto.com has address 192.160.193.89 > cookephoto.com mail is handled by 10 mail.metron.com. > cookephoto.com mail is handled by 12 mail2.metron.com. > cookephoto.com mail is handled by 15 mail.katz.com. > > $ host mail.metron.com > mail.metron.com has address 192.160.193.14 > mail.metron.com mail is handled by 10 mail.metron.com. > mail.metron.com mail is handled by 20 mail.katz.com. > > $ host mail.katz.com > mail.katz.com has address 192.160.193.14 > > $ host mail2.metron.com > mail2.metron.com has address 209.204.189.91 > > $ host plaid.metron.com > plaid.metron.com has address 192.160.193.135 > > Normally, in my experience, the actual mail server doesn't have MX > records as such, but=85. > Just seems 0dd. All address record (A and A) have MX records. Some may be implicit but as far as SMTP is concerned they all have MX records. > Also, you say =85 > > > At the time of the transaction, nothing special was happening here, > ... > > Was anything strange happening with any of the DNS records for any of > these domains in the past two days? > > Aloha, > Michael. > -- > "Please have your Internet License > and Usenet Registration handy..." -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
BGP Update Report
BGP Update Report Interval: 21-Jul-12 -to- 25-Jul-12 (4 days) Observation Point: BGP Peering with AS131072 TOP 20 Unstable Origin AS Rank ASNUpds % Upds/PfxAS-Name 1 - AS840231474 1.4% 17.8 -- CORBINA-AS OJSC "Vimpelcom" 2 - AS163730729 1.4% 284.5 -- DNIC-AS-01637 - Headquarters, USAISC 3 - AS17813 29341 1.3% 215.7 -- MTNL-AP Mahanagar Telephone Nigam Ltd. 4 - AS47931 25100 1.1% 204.1 -- ALENETWORK A.L.E. COM NETWORK S.R.L 5 - AS982921569 0.9% 16.5 -- BSNL-NIB National Internet Backbone 6 - AS24560 19759 0.9% 19.1 -- AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services 7 - AS702915412 0.7% 4.4 -- WINDSTREAM - Windstream Communications Inc 8 - AS755213226 0.6% 11.7 -- VIETEL-AS-AP Vietel Corporation 9 - AS13118 11776 0.5% 245.3 -- ASN-YARTELECOM OJSC Rostelecom 10 - AS645811752 0.5% 13.3 -- Telgua 11 - AS27738 11509 0.5% 20.7 -- Ecuadortelecom S.A. 12 - AS48277 11271 0.5% 201.3 -- SOREX SOREX MEDIA S.R.L. 13 - AS49074 10768 0.5% 219.8 -- TECHNOLOGICAL SC TECHNOLOGICAL SRL 14 - AS638910345 0.5% 3.1 -- BELLSOUTH-NET-BLK - BellSouth.net Inc. 15 - AS285739562 0.4% 4.7 -- NET Servicos de Comunicao S.A. 16 - AS106209514 0.4% 4.7 -- Telmex Colombia S.A. 17 - AS5800 8667 0.4% 33.6 -- DNIC-ASBLK-05800-06055 - DoD Network Information Center 18 - AS4766 8347 0.4% 3.0 -- KIXS-AS-KR Korea Telecom 19 - AS8151 8307 0.4% 5.6 -- Uninet S.A. de C.V. 20 - AS438758261 0.4% 206.5 -- DATAINFO-ASN SC Data Media Info SRL TOP 20 Unstable Origin AS (Updates per announced prefix) Rank ASNUpds % Upds/PfxAS-Name 1 - AS165353364 0.1%1121.3 -- ECHOS-3 - Echostar Holding Purchasing Corporation 2 - AS444102654 0.1% 884.7 -- ENTEKHAB-AS ENTEKHAB INDUSTRIAL GROUP 3 - AS433481752 0.1% 876.0 -- TATARINOVA-AS PE Tatarinova Alla Ivanovna 4 - AS49072 837 0.0% 837.0 -- APSUARA-AS TCA Apsuara Ltd. 5 - AS54037 770 0.0% 770.0 -- CAREER-GROUP-INC - CAREER GROUP INC 6 - AS144526312 0.3% 701.3 -- IOS-ASN - INTERNET OF THE SANDHILLS 7 - AS26184 645 0.0% 645.0 -- ASA-HQAS - American Society of Anesthesiologists 8 - AS586551160 0.1% 580.0 -- SKYTEL6-BD SkyTel Communications Limited 9 - AS51250 552 0.0% 552.0 -- ITE-PROTON-AS "Information technologies enterprise "Proton" LTD 10 - AS3 440 0.0% 759.0 -- RESENNET-AS ResenNet Aps 11 - AS42806 411 0.0% 411.0 -- TELECOM-AS Telecom Georgia 12 - AS38857 775 0.0% 387.5 -- ESOFT-TRANSIT-AS-AP e.Soft Technologies Ltd. 13 - AS23007 888 0.0% 296.0 -- Universidad de Los Andes 14 - AS4 296 0.0% 51.0 -- COMUNICALO DE MEXICO S.A. DE C.V 15 - AS27890 576 0.0% 288.0 -- Universidad de Oriente 16 - AS163730729 1.4% 284.5 -- DNIC-AS-01637 - Headquarters, USAISC 17 - AS232371117 0.1% 279.2 -- MCMASTER - McMaster University 18 - AS29398 277 0.0% 277.0 -- PETROBALTIC "Petrobaltic" S.A. 19 - AS347445440 0.2% 247.3 -- GVM S.C. GVM SISTEM 2003 S.R.L. 20 - AS507041723 0.1% 246.1 -- BENEFIC-INTERNET Benefic Consult SRL TOP 20 Unstable Prefixes Rank Prefix Upds % Origin AS -- AS Name 1 - 109.161.64.0/19 11364 0.5% AS13118 -- ASN-YARTELECOM OJSC Rostelecom 2 - 59.176.0.0/14 6407 0.3% AS17813 -- MTNL-AP Mahanagar Telephone Nigam Ltd. 3 - 182.64.0.0/16 6060 0.3% AS24560 -- AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services 4 - 122.161.0.0/16 6034 0.3% AS24560 -- AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services 5 - 200.46.0.0/19 5790 0.2% AS21599 -- NETDIRECT S.A. 6 - 59.177.0.0/16 4822 0.2% AS17813 -- MTNL-AP Mahanagar Telephone Nigam Ltd. 7 - 202.56.215.0/243646 0.1% AS24560 -- AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services 8 - 67.47.194.0/23 3358 0.1% AS16535 -- ECHOS-3 - Echostar Holding Purchasing Corporation 9 - 59.177.0.0/18 3349 0.1% AS17813 -- MTNL-AP Mahanagar Telephone Nigam Ltd. 10 - 123.252.208.0/24 3197 0.1% AS17762 -- HTIL-TTML-IN-AP Tata Teleservices Maharashtra Ltd 11 - 59.177.48.0/20 3103 0.1% AS17813 -- MTNL-AP Mahanagar Telephone Nigam Ltd. 12 - 139.139.19.0/243086 0.1% AS1562 -- DNIC-ASBLK-01550-01601 - DoD Network Information Center 13 - 194.63.9.0/24 2924 0.1% AS1273 -- CW Cable and Wireless Worldwide plc 14 - 65.82.30.0/24 2511 0.1% AS6197 -- BATI-ATL - BellSouth N
The Cidr Report
This report has been generated at Fri Jul 27 00:13:01 2012 AEST. The report analyses the BGP Routing Table of AS2.0 router and generates a report on aggregation potential within the table. Check http://www.cidr-report.org for a current version of this report. Recent Table History Date PrefixesCIDR Agg 20-07-12419152 241935 21-07-12420802 243450 22-07-12420851 242316 23-07-12420929 242400 24-07-12420469 242764 25-07-12420742 242807 26-07-12420845 241935 27-07-12421258 243201 AS Summary 41751 Number of ASes in routing system 17450 Number of ASes announcing only one prefix 3412 Largest number of prefixes announced by an AS AS7029 : WINDSTREAM - Windstream Communications Inc 114212832 Largest address span announced by an AS (/32s) AS4134 : CHINANET-BACKBONE No.31,Jin-rong Street Aggregation Summary The algorithm used in this report proposes aggregation only when there is a precise match using the AS path, so as to preserve traffic transit policies. Aggregation is also proposed across non-advertised address space ('holes'). --- 27Jul12 --- ASnumNetsNow NetsAggr NetGain % Gain Description Table 421434 243342 17809242.3% All ASes AS6389 3384 190 319494.4% BELLSOUTH-NET-BLK - BellSouth.net Inc. AS17974 2267 456 181179.9% TELKOMNET-AS2-AP PT Telekomunikasi Indonesia AS7029 3412 1737 167549.1% WINDSTREAM - Windstream Communications Inc AS18566 2088 417 167180.0% COVAD - Covad Communications Co. AS28573 2046 472 157476.9% NET Servicos de Comunicao S.A. AS4766 2762 1295 146753.1% KIXS-AS-KR Korea Telecom AS10620 2030 606 142470.1% Telmex Colombia S.A. AS4323 1577 387 119075.5% TWTC - tw telecom holdings, inc. AS22773 1698 569 112966.5% ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc. AS1785 1940 816 112457.9% AS-PAETEC-NET - PaeTec Communications, Inc. AS4755 1618 578 104064.3% TATACOMM-AS TATA Communications formerly VSNL is Leading ISP AS7303 1458 451 100769.1% Telecom Argentina S.A. AS7552 1128 225 90380.1% VIETEL-AS-AP Vietel Corporation AS6458 881 45 83694.9% Telgua AS8151 1473 666 80754.8% Uninet S.A. de C.V. AS18101 942 157 78583.3% RELIANCE-COMMUNICATIONS-IN Reliance Communications Ltd.DAKC MUMBAI AS17908 828 60 76892.8% TCISL Tata Communications AS4808 1118 351 76768.6% CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network AS9394 908 166 74281.7% CRNET CHINA RAILWAY Internet(CRNET) AS13977 839 123 71685.3% CTELCO - FAIRPOINT COMMUNICATIONS, INC. AS855694 52 64292.5% CANET-ASN-4 - Bell Aliant Regional Communications, Inc. AS3356 1108 476 63257.0% LEVEL3 Level 3 Communications AS17676 695 75 62089.2% GIGAINFRA Softbank BB Corp. AS2118 632 14 61897.8% RELCOM-AS OOO "NPO Relcom" AS22561 1035 424 61159.0% DIGITAL-TELEPORT - Digital Teleport Inc. AS19262 1002 404 59859.7% VZGNI-TRANSIT - Verizon Online LLC AS4780 834 243 59170.9% SEEDNET Digital United Inc. AS24560 1037 449 58856.7% AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services AS3549 1000 437 56356.3% GBLX Global Crossing Ltd. AS4804 652 96 55685.3% MPX-AS Microplex PTY LTD Total 43086124373064971.1% Top 30 total Possible Bogus Routes 5.10.8.0/21 AS57154 SWKN Stadtw
Re: [routing-wg] The Cidr Report
Rate shaping in Active E FTTx networks
Hi all, I'm trying to gauge what operators are doing to handle per-subscriber Internet access PIR bandwidth in Active E FTTx networks. I presume operators would want to limit the each subscriber to a certain PIR, but within that limit, do things like perform preferential treatment of interactive services like steaming video or Skype, etc., ahead of non-interactive services like FTP. My impression is that a subscriber's physical access in these networks is exponentially larger than their allocated amount of Internet access. This would leave ample room on the physical access access for other services like Voice and IPTV that might run on separate VLANs than the Internet access VLAN. That said, I doubt there's really that much of a concern about allocating PIR on these other service VLANs. So in terms of PIR for Internet access, is there some magic box that sits between the various subscriber aggregation points and the core, which takes care of shaping the subscriber's Internet access PIR, while making sure that the any preferential treatment of interactive services is performed. Is that a lot to ask for one box? The ridiculously deep buffers required in order to shape to PIR vs. police to it (because policing to a PIR is just plain ugly) and the requirements to perform any sort of preferential packet treatment above and beyond that seem like quite a lot to ask of one box. Am I wrong? Who might make a box like this, if it exists? And if not, what are folks using the achieve these results? Thanks in advance for any insights..
Re: Is Hotmail in the habit of ignoring MX records?
On Thu, Jul 26, 2012 at 09:05:55AM -0500, Ryan Rawdon wrote: > > On Jul 26, 2012, at 2:14 AM, Lou Katz wrote: > > > One of my users has reported incoming mail failures, which I finally > > tracked down. It turned out that Hotmail has seen fit to send the mail > > to his domain's A record machine, despite the fact that he has valid MX > > records. > > > > The A record points to my webserver, which does not normally accept mail > > for anyone. The mail server MX records are to an entirely different machine. > > > > Comments? > > > > Do I need more valium? > > > If you subscribe to http://mailop.org and look in the archives, you'll see a > thread named '[mailop] Hotmail ignoring MX, going direct to @ IN A? ' from > March of this year (which carries over into April). In this thread Mark > Foster encounters the same issue, and upon investigation others (including > myself) see it as well. > Ahh - I knew I had seen this before, but thought it was here (nanog) rather than on mailops. I think I may try setting the A record for the domain to my mailserver, and letting the webserver there redirect the http requests. I dislike putting a webserver on the unadorned domain, but out there in the 'real' world, folks seem to have become accustomed to leaving off the 'www'. Thanks for the replies; I'll take this over to mailops if there is any more to say. The funny thing is that this behavior with respect to Hotmail has not affected any of the other couple of dozen domains with similar or identical configurations here. Oh, well. -=[L]=- --
Re: IPv6 only streaming video
On Thu, Jul 26, 2012 at 04:48:48AM +, Tina TSOU wrote: > Do u mean I am a cow? I stop breast feeding this year. > > Tina ROGFLOL This is the best thing I have read yet this morning. Thanks for the laugh. > > On Jul 25, 2012, at 9:47 PM, "Randy Bush" wrote: > > >> I'm responsible for IPv6 deployment in my enterprise network, the > >> users are my colleagues. In this context, I'm not vendor, not > >> operator. > > > > i smell cows > -- - (2^(N-1)) JJH48-ARIN
RE: Is Hotmail in the habit of ignoring MX records?
> From: Ryan Rawdon > Sent: Thursday, July 26, 2012 7:06 AM > To: nanog@nanog.org > Subject: Re: Is Hotmail in the habit of ignoring MX records? > No solution to the issue was found in the various forks of that thread, > however one individual afflicted by this issue (the OP) seems to have > resolved his specific issue with Hotmail by fixing his MX records to be > in stricter compliance with RFCs and best practices (removed a CNAME) - > that said, per the quote above Hotmail should not have been falling > back to the A records or any other RRs for the hostname. I would say MX pointing to a CNAME instead of pointing to an A record is the #1 cause of intermittent mail delivery problems I have seen. Some MTAs seem to tolerate it, some don't. G
Re: Is Hotmail in the habit of ignoring MX records?
On Jul 26, 2012, at 2:21 AM, Suresh Ramasubramanian wrote: > If the MX records are not responsive / timing out, they might be falling > back to the A record. > Per RFC2821 (and later RFC5321): If one or more MX RRs are found for a given name, SMTP systems MUST NOT utilize any address RRs associated with that name unless they are located using the MX RRs; the "implicit MX" rule above applies only if there are no MX records present. If MX records are present, but none of them are usable, this situation MUST be reported as an error. So while it is possible they are doing this, they should not be Ryan > > -- > Suresh Ramasubramanian (ops.li...@gmail.com)
Re: Is Hotmail in the habit of ignoring MX records?
On Jul 26, 2012, at 2:14 AM, Lou Katz wrote: > One of my users has reported incoming mail failures, which I finally > tracked down. It turned out that Hotmail has seen fit to send the mail > to his domain's A record machine, despite the fact that he has valid MX > records. > > The A record points to my webserver, which does not normally accept mail > for anyone. The mail server MX records are to an entirely different machine. > > Comments? > > Do I need more valium? If you subscribe to http://mailop.org and look in the archives, you'll see a thread named '[mailop] Hotmail ignoring MX, going direct to @ IN A? ' from March of this year (which carries over into April). In this thread Mark Foster encounters the same issue, and upon investigation others (including myself) see it as well. I found that we were having the same issue after users on Hotmail were forwarding us DSNs regarding messages that our mail server had never seen, however upon checking our web servers for that hostname we found connections and delivery attempts from Hotmail. Additionally, quoted from Tony Finch in the mailop thread regarding 'what if your MXes are broken and it is just failing back to A': If one or more MX RRs are found for a given name, SMTP systems MUST NOT utilize any address RRs associated with that name unless they are located using the MX RRs; the "implicit MX" rule above applies only if there are no MX records present. If MX records are present, but none of them are usable, this situation MUST be reported as an error. No solution to the issue was found in the various forks of that thread, however one individual afflicted by this issue (the OP) seems to have resolved his specific issue with Hotmail by fixing his MX records to be in stricter compliance with RFCs and best practices (removed a CNAME) - that said, per the quote above Hotmail should not have been falling back to the A records or any other RRs for the hostname. The matter is still unresolved for us and presumably others on the list except for the OP > > -=[L]=- > -- >
Re: Is Hotmail in the habit of ignoring MX records?
On Jul 26, 2012, at 1:35 AM, Lou Katz wrote: > The domain is cookephoto.com Why does mail.metron.com have MX records? And they're different. $ host cookephoto.com cookephoto.com has address 192.160.193.89 cookephoto.com mail is handled by 10 mail.metron.com. cookephoto.com mail is handled by 12 mail2.metron.com. cookephoto.com mail is handled by 15 mail.katz.com. $ host mail.metron.com mail.metron.com has address 192.160.193.14 mail.metron.com mail is handled by 10 mail.metron.com. mail.metron.com mail is handled by 20 mail.katz.com. $ host mail.katz.com mail.katz.com has address 192.160.193.14 $ host mail2.metron.com mail2.metron.com has address 209.204.189.91 $ host plaid.metron.com plaid.metron.com has address 192.160.193.135 Normally, in my experience, the actual mail server doesn't have MX records as such, but…. Just seems 0dd. Also, you say … > At the time of the transaction, nothing special was happening here, ... Was anything strange happening with any of the DNS records for any of these domains in the past two days? Aloha, Michael. -- "Please have your Internet License and Usenet Registration handy..."
Re: Weekly Routing Table Report
On Jul 25, 2012, at 10:16 PM, Geoff Huston wrote: > > On 21/07/2012, at 6:40 AM, Jared Mauch wrote: > >> >> On Jul 20, 2012, at 4:30 PM, Ron Broersma wrote: >> >>> >>> On Jul 20, 2012, at 1:04 PM, valdis.kletni...@vt.edu wrote: On Sat, 21 Jul 2012 05:10:41 +1000, Routing Analysis Role Account said: > BGP routing table entries examined: 418048 So, whatever happened to that whole "the internet will catch fire when we get to 280K routing table entries" or whatever it was? :) >>> >>> We added memory where we could, or bought bigger routers. The new >>> (conventional wisdom) limit is 1M routes. >> >> I think you mean 512k IPv4 with 256k of IPv6 (taking double space). > > 512K of IPv4? That's getting close! I know a few people had issues around the 256k barrier from tcam based platforms. Expect a lot of BGP instability as people react to 512k entries in their fib
Re: Is Hotmail in the habit of ignoring MX records?
On 26/07/12 20:35, Lou Katz wrote: > On Thu, Jul 26, 2012 at 02:38:31AM -0500, Jimmy Hess wrote: >> On 7/26/12, Lou Katz wrote: >>> One of my users has reported incoming mail failures, which I finally >>> tracked down. It turned out that Hotmail has seen fit to send the mail >>> to his domain's A record machine, despite the fact that he has valid MX >>> records. >> You looked in the mail headers and saw hotmail's mail server do that, >> or the From address/return path just happens to be hotmail? >> I would ask for a specific example of a domain name in which that >> seems to happen, and exact DNS zone contents. >> >> I am sure that Hotmail does not ignore MX in general, unless they No, they do. The exact same thing has happened to me - twice, with two seperate scenarios being fundamentally similar. The MX is ignored, the non-host A record is tried, if it accepts connections on Port 25 it uses this instead. This behavior forced me to set up the mail server on the same box as a webserver I administer to act as a secondary MX for another domain I administer (mail is elsewhere), in one case. In the other, I had to simply write off the option of having http://domain working, and live with just http://www.domain, due to the use of a third party web host that also had an MTA on their machine that was rejecting my email. Like all the behemoth service providers, it's impossible to find someone useful to talk to about these things. I posted on Mailop about it a few months ago, but it's not new behavior - the first instance I came across was more than 2 years ago. Mark.
Re: Is Hotmail in the habit of ignoring MX records?
On Thu, Jul 26, 2012 at 02:38:31AM -0500, Jimmy Hess wrote: > On 7/26/12, Lou Katz wrote: > > One of my users has reported incoming mail failures, which I finally > > tracked down. It turned out that Hotmail has seen fit to send the mail > > to his domain's A record machine, despite the fact that he has valid MX > > records. > > You looked in the mail headers and saw hotmail's mail server do that, > or the From address/return path just happens to be hotmail? > I would ask for a specific example of a domain name in which that > seems to happen, and exact DNS zone contents. > > I am sure that Hotmail does not ignore MX in general, unless they > just broke something; many domains require MX processing and A record > to properly be ignored for mail to be accepted.But there may be > something else going on with a specific domain or DNS > queries/responses from its nameservers, that results in MX being > ignored or unavailable, resulting in a fallback to 'lookup A'. > > An example could be some dns issue such as slow response to MX query, > 'MX to a CNAME', 'MX to an invalid label that looks like an IP', MX > DNS response packet too large, > > > > -- > -JH Unfortunately, all I get from my user is a snippet, and it took me a while to realize that I had to look at the mail logs of my web server, not my mail server, to find the transaction. The domain is cookephoto.com - and here is my zone file: plaid# dig cookephoto.com any ; <<>> DiG 9.3.3 <<>> cookephoto.com any ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55698 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 8 ;; QUESTION SECTION: ;cookephoto.com.IN ANY ;; ANSWER SECTION: cookephoto.com. 172800 IN SOA ns.metron.com. hostmeister.metron.com. 2012011900 21600 3600 345600 345600 cookephoto.com. 172800 IN NS ns2.metron.com. cookephoto.com. 172800 IN NS ns1.metron.com. cookephoto.com. 172800 IN NS ns3.metron.com. cookephoto.com. 172800 IN MX 12 mail2.metron.com. cookephoto.com. 172800 IN MX 15 mail.katz.com. cookephoto.com. 172800 IN MX 10 mail.metron.com. cookephoto.com. 172800 IN A 192.160.193.89 ;; ADDITIONAL SECTION: ns1.metron.com. 3600IN A 192.160.193.34 ns2.metron.com. 3600IN A 209.204.189.89 ns2.metron.com. 3600IN 2001:470:838d::89 ns3.metron.com. 3600IN A 192.160.193.55 ns3.metron.com. 3600IN 2001:470:838d::55 mail.metron.com.3600IN A 192.160.193.14 mail2.metron.com. 3600IN A 209.204.189.91 mail.katz.com. 28800 IN A 192.160.193.14 and here is the maillog for the transaction, slightly redacted: Jul 25 13:13:07 plaid sm-mta[5121]: NOQUEUE: connect from blu0-omc2-s2.blu0.hotmail.com [65.55.111.77] Jul 25 13:13:07 plaid sm-mta[5121]: q6PKD7bH005121: --- 220 plaid.metron.com ESMTP Sendmail 8.13.8/8.13.8; Wed, 25 Jul 2012 13:13:07 -0700 (PDT) Jul 25 13:13:07 plaid sm-mta[5121]: q6PKD7bH005121: <-- EHLO blu0-omc2-s2.blu0.hotmail.com Jul 25 13:13:07 plaid sm-mta[5121]: q6PKD7bH005121: --- 250-plaid.metron.com Hello blu0-omc2-s2.blu0.hotmail.com [65.55.111.77], pleased to meet you Jul 25 13:13:07 plaid sm-mta[5121]: q6PKD7bH005121: <-- MAIL FROM: Jul 25 13:13:07 plaid sm-mta[5121]: q6PKD7bH005121: --- 250 2.1.0 ... Sender ok Jul 25 13:13:08 plaid sm-mta[5121]: q6PKD7bH005121: <-- RCPT TO: Jul 25 13:13:08 plaid sm-mta[5121]: q6PKD7bH005121: --- 550 5.7.1 ... Relaying denied Jul 25 13:13:08 plaid sm-mta[5121]: q6PKD7bH005121: ruleset=check_rcpt, arg1=, relay=blu0-omc2-s2.blu0.hotmail.com [65.55.111.77], reject=550 5.7.1 ... Relaying denied Jul 25 13:13:08 plaid sm-mta[5121]: q6PKD7bH005121: <-- RSET Jul 25 13:13:08 plaid sm-mta[5121]: q6PKD7bH005121: --- 250 2.0.0 Reset state Jul 25 13:13:08 plaid sm-mta[5121]: q6PKD7bH005121: from=, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=IPv4, relay=blu0-omc2-s2.blu0.hotmail.com [65.55.111.77] Jul 25 13:13:08 plaid sm-mta[5121]: q6PKD7bI005121: <-- QUIT Jul 25 13:13:08 plaid sm-mta[5121]: q6PKD7bI005121: --- 221 2.0.0 plaid.metron.com closing connection The 5.7.1 relaying denied is correct, since the webserver does not accept mail for the website domains. At the time of the transaction, nothing special was happening here, and other mail was flowing quite nicely into the mail server. Other Hotmail servers were sending to other recipients here through the regular mailserver OK. Thanks for looking at it. -=[L]=-
Re: Is Hotmail in the habit of ignoring MX records?
On 7/26/12, Lou Katz wrote: > One of my users has reported incoming mail failures, which I finally > tracked down. It turned out that Hotmail has seen fit to send the mail > to his domain's A record machine, despite the fact that he has valid MX > records. You looked in the mail headers and saw hotmail's mail server do that, or the From address/return path just happens to be hotmail? I would ask for a specific example of a domain name in which that seems to happen, and exact DNS zone contents. I am sure that Hotmail does not ignore MX in general, unless they just broke something; many domains require MX processing and A record to properly be ignored for mail to be accepted.But there may be something else going on with a specific domain or DNS queries/responses from its nameservers, that results in MX being ignored or unavailable, resulting in a fallback to 'lookup A'. An example could be some dns issue such as slow response to MX query, 'MX to a CNAME', 'MX to an invalid label that looks like an IP', MX DNS response packet too large, -- -JH
Re: Is Hotmail in the habit of ignoring MX records?
If the MX records are not responsive / timing out, they might be falling back to the A record. On Thu, Jul 26, 2012 at 12:44 PM, Lou Katz wrote: > One of my users has reported incoming mail failures, which I finally > tracked down. It turned out that Hotmail has seen fit to send the mail > to his domain's A record machine, despite the fact that he has valid MX > records. > > The A record points to my webserver, which does not normally accept mail > for anyone. The mail server MX records are to an entirely different > machine. > -- Suresh Ramasubramanian (ops.li...@gmail.com)
Is Hotmail in the habit of ignoring MX records?
One of my users has reported incoming mail failures, which I finally tracked down. It turned out that Hotmail has seen fit to send the mail to his domain's A record machine, despite the fact that he has valid MX records. The A record points to my webserver, which does not normally accept mail for anyone. The mail server MX records are to an entirely different machine. Comments? Do I need more valium? -=[L]=- --