Re: Unable to email anyone from my primary domain name; thanks Google Mail and G Suite.
> On Oct 23, 2019, at 8:18 PM, Constantine A. Murenin > wrote: > I’d recommend posting this over on the mailop list as well. Lots of discussions about issues like this there. I too send myself various cron/*nix emails. The difference is I send to my own domain on my own server so I don’t see the issues you do. (Or rather if I do, I can control them) Funny enough, I had a script that shot off an email with the malicious domains (blacklist) it had updated for a squid proxy that I run. I had to do some rejiggering to get this through, if I recall Spamassassin specifically viewed it as highly radioactive. Bigger picture, I think that (unfortunately) we will see more and more problems like this. With the large providers running so much (as you mentioned - “monoculture”), and their services tending toward the “black box”… I don’t know what the answer is. -- Brandon Applegate - CCIE 10273 PGP Key fingerprint: 0641 D285 A36F 533A 73E5 2541 4920 533C C616 703A "For thousands of years men dreamed of pacts with demons. Only now are such things possible."
Re: Spectrum residential IPv6 rDNS - thank you !
> On Oct 9, 2018, at 11:37 AM, endre.szabo@nanog-list-kitfvhs.redir.email wrote: > > Hey there, > > On 10/9/18 4:51 PM, Brandon Applegate wrote: >> Wanted to give a shoutout / thank you to Spectrum for this. Just noticed >> today my home PD now has dynamic/synthesized rDNS for IPv6. > > I wonder how they generate these rDNS PTR records? I was always curious, hope > someone knows. > > -- I’m guessing synthesized. There are a couple of dns servers out there that can do this. An interesting one I just found: https://all-knowing-dns.zekjur.net Also my excitement was a bit premature. It seems that: 1) This is only available from one of the resolvers given out as an IPv6 DNS server (in my region at least) - 2001:1998:f00:1::1 A dig +trace from the internet at large only gets to the NXDOMAIN (which is still much better than a SERVFAIL). 2) Looks like 2001:1998:f00:1::1 is anycasted (as one would expect). However not all of the instances will consistently return a PTR. # Simply running dig a handful of times to hit the different anycast boxes… # vom@ice:~$ dig +short @2001:1998:f00:1::1 -x 2607:fcc8:1234:5678::1234 cpe-2607-FCC8-1234-5678-0-0-0-1234.dyn6.twc.com. vom@ice:~$ dig +short @2001:1998:f00:1::1 -x 2607:fcc8:1234:5678::1234 cpe-2607-FCC8-1234-5678-0-0-0-1234.dyn6.twc.com. vom@ice:~$ dig +short @2001:1998:f00:1::1 -x 2607:fcc8:1234:5678::1234 cpe-2607-FCC8-1234-5678-0-0-0-1234.dyn6.twc.com. vom@ice:~$ dig +short @2001:1998:f00:1::1 -x 2607:fcc8:1234:5678::1234 vom@ice:~$ dig +short @2001:1998:f00:1::1 -x 2607:fcc8:1234:5678::1234 vom@ice:~$ dig +short @2001:1998:f00:1::1 -x 2607:fcc8:1234:5678::1234 cpe-2607-FCC8-1234-5678-0-0-0-1234.dyn6.twc.com. I checked 2001:1998:f00:1::1 via whoami.akamai.net and got back a handful of unique IPs. I’m guessing some inconsistent config or something else has broken on some of the instances... -- Brandon Applegate - CCIE 10273 PGP Key fingerprint: 0641 D285 A36F 533A 73E5 2541 4920 533C C616 703A "For thousands of years men dreamed of pacts with demons. Only now are such things possible."
Spectrum residential IPv6 rDNS - thank you !
Wanted to give a shoutout / thank you to Spectrum for this. Just noticed today my home PD now has dynamic/synthesized rDNS for IPv6. Some of my dumb little scripts outputs are a bit happier today ! :) -- Brandon Applegate - CCIE 10273 PGP Key fingerprint: 0641 D285 A36F 533A 73E5 2541 4920 533C C616 703A "For thousands of years men dreamed of pacts with demons. Only now are such things possible."
Not announcing (to the greater internet) loopbacks/PTP/infra - how ?
Hello, I’ve seen mention on this list and other places about keeping one’s PTPs / loopbacks out of routing tables for security reasons. Totally get this and am on board with it. What I don’t get - is how. I’m going to list some of my ideas below and the pros/cons/problems (that I can think of at least) for them. - RFC 1918 for loopbacks and PTP - Immediately “protects” from the internet at large, as they aren’t routable. - Traceroutes are miserable. - Use public block that is allocated to you (i.e. PI) - but not announced. - So would this be a totally separate (from user/customer prefixes) announcement and allocation ? In other words, let’s say you were a small ISP getting started. You manage to get a /20 from a broker (IPv6 should be “easy”). Do you also now go out and get a /23 (I’m making these sizes up, obviously all of these will vary based on ISP size, growth plan, etc.). You have the /23 registered to you (with proper rDNS delegation, WHOIS, etc.). But you simply don’t announce it ? I’d say I need this /23 day one to even build my network before it’s ready for customers. - On the IPv6 front - would a RIR give you your /32 and then also a /48 (for loop/PTP) ? - Deaggregate and not announce your infra - Bad net behavior out of the gate with this method. The opposite of elegant. - Keeping with previously made up / arbitrary prefixes - for your /20 - you’d end up announcing 2 x /23, 1 x /22 and 1 x /21. I’m too lazy to enumerate the IPv6 gymnastics, but with IPv6 you could “waste” a bit more to get to boundaries that are a bit easier to work with I suppose. Thanks in advance for insights on this. -- Brandon Applegate - CCIE 10273 PGP Key fingerprint: 0641 D285 A36F 533A 73E5 2541 4920 533C C616 703A "For thousands of years men dreamed of pacts with demons. Only now are such things possible."
Re: TWC/Charter/Spectrum contact off-list ? (Reverse DNS issue)
> On Mar 16, 2018, at 6:00 PM, Ross Vandegrift <r...@kallisti.us> wrote: > > On Thu, Oct 19, 2017 at 08:04:12AM -0400, Brandon Applegate wrote: >> I had success with this issue about 2 years ago when some TWC folks >> contacted me. I don’t know if those folks are still with TWC/Charter >> here in the end of 2017 - hence posting on NANOG. The tl;dr is IPv6 >> reverse DNS issues. It was broken, got fixed, and seems to have >> broken again recently. > > Did you ever get a response or make progress? I got a ticket escalated > to engineering in mid-December about 2606:6000::/32. Just learned from > support that it was closed without a resolution. I did and did (response and progress (fix actually)). I will shoot you who helped me offlist. -- Brandon Applegate - CCIE 10273 PGP Key fingerprint: 0641 D285 A36F 533A 73E5 2541 4920 533C C616 703A "For thousands of years men dreamed of pacts with demons. Only now are such things possible." signature.asc Description: Message signed with OpenPGP
Spectrum/TWC contact off-list ?
I’ve resisted reaching out like this so far. I posted on DSL Reports and didn't get anything valuable back. I’m also confident that Spectrum front line support will have zero clue as to where to take my question. In a nutshell: seeing some strange IPv6 reachability issues, and they are always overnight/wee-hours (EST). Seems to be very specific to a certain prefix (or more pointedly - my IA_NA vs. IA_PD). If someone could contact me off-list I would greatly appreciate it. This isn’t a hard down or critical issue - but it is an annoying head-scratcher. Thanks. -- Brandon Applegate - CCIE 10273 PGP Key fingerprint: 0641 D285 A36F 533A 73E5 2541 4920 533C C616 703A "For thousands of years men dreamed of pacts with demons. Only now are such things possible." signature.asc Description: Message signed with OpenPGP
TWC/Charter/Spectrum contact off-list ? (Reverse DNS issue)
Hello, I had success with this issue about 2 years ago when some TWC folks contacted me. I don’t know if those folks are still with TWC/Charter here in the end of 2017 - hence posting on NANOG. The tl;dr is IPv6 reverse DNS issues. It was broken, got fixed, and seems to have broken again recently. Thanks in advance. -- Brandon Applegate - CCIE 10273 PGP Key fingerprint: 0641 D285 A36F 533A 73E5 2541 4920 533C C616 703A "For thousands of years men dreamed of pacts with demons. Only now are such things possible." signature.asc Description: Message signed with OpenPGP
IPv6 doc. prefix (2001:db8::/32) - APNIC object ?
Just did a whois on the documentation prefix and was surprised to see what looks like a user object registered for it: % Information related to '2001:0DB8::/32AS132111' route6: 2001:0DB8::/32 descr: FUTURE D SDN BHD origin: AS132111 country:MY mnt-by: MAINT-FUTUREDSDNBHD-MY changed:hm-chan...@apnic.net 20160523 source: APNIC Any idea what this is ? I would have thought there might be some sanity check that would have stopped this from getting registered ? -- Brandon Applegate - CCIE 10273 PGP Key fingerprint: 830B 4802 1DD4 F4F9 63FE B966 C0A7 189E 9EC0 3A74 "SH1-0151. This is the serial number, of our orbital gun."
IEEE OUI regauth (search ?) site
They’ve made some changes recently - I had a perl script that would do the lookup and scrape live - it was great. It broke a week or so ago. This seems to be the page to search for OUI: https://regauth.standards.ieee.org/standards-ra-web/pub/view.html <https://regauth.standards.ieee.org/standards-ra-web/pub/view.html> I’ve tried 4 Browsers across 2 OS’s - and that page pops up a “Loading” sub window - flashes and reloads (loop). Anyone have any insight on how one can look up an OUI (yes I know about oui.txt, but I’m asking about a live query site). Thanks in advance. -- Brandon Applegate - CCIE 10273 PGP Key fingerprint: 830B 4802 1DD4 F4F9 63FE B966 C0A7 189E 9EC0 3A74 "SH1-0151. This is the serial number, of our orbital gun." signature.asc Description: Message signed with OpenPGP using GPGMail
TWC RR contact off list ?
Could someone from TWC RR contact me off-list ? I have an IPv6 / DNS question / request. I’m in Cincinnati, OH and this is residential if that matters. Otherwise - if anyone non-TWC on list can point me to a person/address etc that will let me leap frog frontline support that would be great. There’s no way the support folks are going to know what I’m asking or who/how to escalate. Thanks in advance. -- Brandon Applegate - CCIE 10273 PGP Key fingerprint: 830B 4802 1DD4 F4F9 63FE B966 C0A7 189E 9EC0 3A74 "SH1-0151. This is the serial number, of our orbital gun." signature.asc Description: Message signed with OpenPGP using GPGMail
Re: Anyone from Cloudflare ? (IPv6 issue)
On Dec 27, 2014, at 3:48 PM, Florian Weimer f...@deneb.enyo.de wrote: * Brandon Applegate: Otherwise - if anyone could share a way to get to clue @Cloudflare I would greatly appreciate it. I put a request in through the web support front door, but I got back about what I expected. Did you receive a reply? I tried to notify security@ about some issue, but never heard back from them. I did - I worked with some Cloudflare guys offlist and they made some (hopefully temporary) BGP path tweaks to route around where we think the trouble is buried. So kudos to them. If you want - let me know 1:1 and I can let you know who I worked with, although I’m not sure they are security focused. signature.asc Description: Message signed with OpenPGP using GPGMail
Anyone from Cloudflare ? (IPv6 issue)
Anyone from Cloudflare able/willing to contact me off list to troubleshoot a very frustrating and intermittent IPv6 connectivity issue ? I have plenty of data points, multiple test systems (Testing from 2 working ASes, and the 1 AS in question that’s broken). Otherwise - if anyone could share a way to get to clue @Cloudflare I would greatly appreciate it. I put a request in through the web support front door, but I got back about what I expected. Thanks. -- Brandon Applegate - CCIE 10273 PGP Key fingerprint: 830B 4802 1DD4 F4F9 63FE B966 C0A7 189E 9EC0 3A74 SH1-0151. This is the serial number, of our orbital gun. signature.asc Description: Message signed with OpenPGP using GPGMail
IGMP (v3) older version querier timer on OSX
First of all - if there is a better place to ask this, let me know. I simply want to make sure the audience has the technical chops to try to answer the question. So discussions.apple.com / macrumors are out. I’m trying to figure out how OSX is behaving with regard to downgrading sent IGMP messages in the presence of “older” queriers. I.e. if a query is heard from a router (querier) that is v2, start a timer and only speak (IGMP) in v2 until it expires. From the definitions I’ve found of how to calculate this timer - that should be 260 seconds. After this time, assuming we haven’t heard any further v2 queries - we can start speaking v3 again. From my testing (using 10.9 Mavericks and the newest VLC) - this doesn’t happen. From the network side, I’m using a Cisco 3750 with snooping and querier turned on (i.e. not a real mcast router). If I turn these off and reboot, VLC causes IGMP v3 to be sent. If I turn querier back on on my switch - OSX drops down to IGMP v2. It just never seems to bounce back to v3. I think I waited ~ 10 minutes on my last test, and it was still v2. Thanks - and sorry this isn’t about systemd (although I am reading the thread and think it’s a great topic). -- Brandon Applegate - CCIE 10273 PGP Key fingerprint: 830B 4802 1DD4 F4F9 63FE B966 C0A7 189E 9EC0 3A74 SH1-0151. This is the serial number, of our orbital gun. signature.asc Description: Message signed with OpenPGP using GPGMail
rz.verisign-grs.com root zone ftp access
Is anyone using this and having failed login for a few days now ? I’ve been mirroring the root zone(s) for years and I just started getting failures in my logs. I emailed an address I found on the Verisign website but so far dead air. If anyone knows of a more pointed email POC that would actually have clue about this that would be awesome. -- Brandon Applegate - CCIE 10273 PGP Key fingerprint: 830B 4802 1DD4 F4F9 63FE B966 C0A7 189E 9EC0 3A74 SH1-0151. This is the serial number, of our orbital gun. signature.asc Description: Message signed with OpenPGP using GPGMail
Re: rz.verisign-grs.com root zone ftp access
On May 20, 2014, at 5:32 PM, jamie 260...@gmail.com wrote: I have access; my last success was today at 12:27am est Wait; Do you have a userid or are you trying to log in anonymous? I'm pretty sure this is a closed system.. I have a username/pass. Got it by signing the agreement years ago. I just started getting errors in the past few days: --2014-05-20 17:39:28-- ftp://user:*password*@rz.verisign-grs.com/ = `/tmp/verisign-root-zones/rz.verisign-grs.com/.listing' Resolving rz.verisign-grs.com (rz.verisign-grs.com)... 69.58.178.63 Connecting to rz.verisign-grs.com (rz.verisign-grs.com)|69.58.178.63|:21... connected. Logging in as user ... Login incorrect. signature.asc Description: Message signed with OpenPGP using GPGMail
NetSol AAAA glue
If anyone with ability to fix this is reading this - contact me offlist and I'll owe you... I'm trying to change an host (name server) address. I've been emailing ipv6...@networksolutions.com back and forth for several days. After fighting through 'authentication' (which btw I *didn't* do several years ago to get the added) they say they have 'completed' it. a.gtld for example still has the old . I've just got a gut feeling that they don't understand what I'm asking. I'm actually getting a bit scared they are going to break my domain. Aside from someone at netsol seeing this - does anyone have any advice other than get off netsol (which I'm considering). Thanks. -- Brandon Applegate - CCIE 10273 PGP Key fingerprint: 830B 4802 1DD4 F4F9 63FE B966 C0A7 189E 9EC0 3A74 SH1-0151. This is the serial number, of our orbital gun.
gmail.com - 550 error for ipv6/PTR ?
Just saw this in a message tonight. No idea if this is a transient error or not. --- host gmail-smtp-in.l.google.com [gmail-smtp-in.l.google.com][2607:f8b0:4002:c01::1a] said: 550-5.7.1 [2607:ff70:11::11] Our system has detected that this message does not 550-5.7.1 meet IPv6 sending guidelines regarding PTR records and authentication 550-5.7.1 . Please review 550-5.7.1 https://support.google.com/mail/?p=ipv6_authentication_error [support.google.com] for more 550 5.7.1 information. t26si2290895yhl.255 - gsmtp (in reply to end of DATA command) --- That URL's relevant section says: Additional guidelines for IPv6 The sending IP must have a PTR record (i.e., a reverse DNS of the sending IP) and it should match the IP obtained via the forward DNS resolution of the hostname specified in the PTR record. Otherwise, mail will be marked as spam or possibly rejected. The sending domain should pass either SPF check or DKIM check. Otherwise, mail might be marked as spam. --- I have both of these (PTR's RR has matching , and I have SPF (but not DKIM)). I'm guessing that something on google's side is misinterpreting some data or other busted logic. I meet all the requirements laid out, and have been sending mail to gmail addresses (via ipv6) since $forever. Off-list replies are fine to minimize noise, and if there is an answer or any meaningful correlation I will reply on-list. Thanks in advance for any info/feedback. -- Brandon Applegate - CCIE 10273 PGP Key fingerprint: 830B 4802 1DD4 F4F9 63FE B966 C0A7 189E 9EC0 3A74 SH1-0151. This is the serial number, of our orbital gun.
Netsol AAAA glue
So I sent an email over a week ago to ipv6...@networksolutions.com - and since I've only recieved the auto reply. A year or so ago I did this and got very quick turnaround, but now just dead air (sent another email yesterday). Wanted to see if others had the same results (recently) and any advice before I call into phone tree hell. Thanks. -- Brandon Applegate - CCIE 10273 PGP Key fingerprint: 8779 B023 7637 CEC8 C5C6 4052 664D 7E08 3CBB 1739 SH1-0151. This is the serial number, of our orbital gun.
Re: fiber cut in California?
On Thu, 19 Apr 2012, Greg Olson wrote: Anyone hear of a fiber cut in California today? I have a customer complaint about degraded performance to a site in China and the path appears to exit Qwest to China Netcom in the LA area. Also this thread on outages: https://puck.nether.net/pipermail/outages/2012-April/003844.html I tried calling Qwest (sorry, Centurylink) NOC/support and there was a preemptive recording basically saying there was a huge outage and that hold times may be long. I had to hang up before they came on to deal with some other things though. -- Brandon Applegate - CCIE 10273 PGP Key fingerprint: 8779 B023 7637 CEC8 C5C6 4052 664D 7E08 3CBB 1739 SH1-0151. This is the serial number, of our orbital gun.
Re: My upstream ISP does not support IPv6
On Fri, 4 Feb 2011, Franck Martin wrote: The biggest complaint that I hear from ISPs, is that their upstream ISP does not support IPv6 or will not provide them with a native IPv6 circuit. Is that bull? I thought the whole backbone is IPv6 now, and it is only the residential ISPs that are still figuring it out because CPE are still not there yet. Where can I get more information? Any list of peering ISPs that have IPv6 as part of their products? It seems to me the typical answer sales people say when asked about IPv6: Gosh, this is the first time I'm asked this one. I can provide anecdotal feedback on this. When we did v6 on our network - we did it to full v4 parity. I.e. if we offer v4 / HSRP redundancy / BGP full table, etc in a given site, we need to be able to do the same with v6. We acheived that. At this point I had a decent v6 network, but was isolated from the world. I had to talk to upstreams. In a nutshell, it was non-trivial. The upstreams in question will remain nameless to protect the guilty, but they are all who some would call 'tier 1'. The common themes were: - Hmm, don't know our process for that, let me send emails and 'reach out' and get back to you. - We can do it, but we have to home you to a different router. This will be a provisioning exercise and you will get new /30 (/126, etc) and new circuit ID. So it was far from simply adding v6 to our existing circuit(s) and another BGP session. It has taken months. I couldn't quite wait that long so I did a tunnel w/ BGP to Hurricane and got it up in a matter of days. At that point, at least I could traceroute somewhere :) We are just now finishing up getting native on our transit circuits. -- Brandon Applegate - CCIE 10273 PGP Key fingerprint: 7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996 SH1-0151. This is the serial number, of our orbital gun.
Sprint BGP/routing engineer needed
If you have visibility and can fix things - I would greatly appreciate an off-list contact. We have a reachability issue through Level3, but it's on the Sprint side of a specific peer and the Level3 support person can't fit the pieces together mentally. We are still pursuing our ticket and trying to do it 'by the book' (we are a Level3 customer) but an off-list contact would be very much appreciated. -- Brandon Applegate - CCIE 10273 PGP Key fingerprint: 7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996 SH1-0151. This is the serial number, of our orbital gun.
Re: Sprint BGP/routing engineer needed
One of our guys navigated a Sprint phone tree and hit a deposit of clue. Issue is fixed, it was indeed on the Sprint side. Thanks to Sprint for responding and fixing this, especially when we aren't even your customer (yet). -- Brandon Applegate - CCIE 10273 PGP Key fingerprint: 7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996 SH1-0151. This is the serial number, of our orbital gun. On Fri, 22 Oct 2010, Brandon Applegate wrote: If you have visibility and can fix things - I would greatly appreciate an off-list contact. We have a reachability issue through Level3, but it's on the Sprint side of a specific peer and the Level3 support person can't fit the pieces together mentally. We are still pursuing our ticket and trying to do it 'by the book' (we are a Level3 customer) but an off-list contact would be very much appreciated. -- Brandon Applegate - CCIE 10273 PGP Key fingerprint: 7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996 SH1-0151. This is the serial number, of our orbital gun.
Re: Cisco 6509/6513 cable management...
On Tue, 21 Sep 2010, Positively Optimistic wrote: Do any of our fellow nanog members have experience with cable management on 6509/6513 cisco switches? We're upgrading infrastructure in some of our facilities,.. and until it came to cable management, the switches seemed to be a great idea... 8 48port blades.. pose a challenge.. or a problem.. Pictures are welcomed... off-list contact would be great. Thanks http://www.cecommunication.com/pages/cablemgmtproducts.html I have no affiliation with them nor do I even have any - but they do look nice. They claim to not block blade swaps or fan tray removal. If you notice about half the pics/links posted - folks have ALL cabling leaving the 6500 to one side. If you don't do this, you must disconnect cables to get the fan tray out. The folks fanning to both sides are either ignorant or overly optimistic (no pun intended WRT your email address) :) -- Brandon Applegate - CCIE 10273 PGP Key fingerprint: 7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996 SH1-0151. This is the serial number, of our orbital gun.
ipv6 bogon / martian filter - simple
I mean really simple. Like 2000::/3. If it's not in there it's bogon, yes ? What I'm really asking, is for folks thoughts on using this - is it too restrictive ? How long until it's obsolete ? Should be a really long time no ? Again, just looking for some feedback either way. Would be very nice to have a single line ACL do this job. -- Brandon Applegate - CCIE 10273 PGP Key fingerprint: 7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996 SH1-0151. This is the serial number, of our orbital gun.
