Re: CAs with dual stacked CRL/OCSP servers
On 12/5/2014 07:06, Rob Seastrom wrote: > > At $DAYJOB, we have some applications that we would like to be all > hipster and *actually check* for certificate revocation. I know this > is way out there in terms of trendiness and may offend some folks. > > Difficulty: the clients are running on single stacked IPv6. We have > recently been advised by our existing CA that they "do not currently > have IPv6 support plan" (sic). > > OCSP Stapling sounds like it could be a winner here. Unfortunately, > the software support is not quite ready yet on the platform on either > end of the connection (client or server). > > So... we're looking around for a vendor that's taken the time to dual > stack its servers. > > Any leads? > > -r > GlobalSign does. ~# host ocsp2.globalsign.com ocsp2.globalsign.com has address 108.162.232.200 ocsp2.globalsign.com has address 108.162.232.202 ocsp2.globalsign.com has address 108.162.232.207 ocsp2.globalsign.com has address 108.162.232.197 ocsp2.globalsign.com has address 108.162.232.198 ocsp2.globalsign.com has address 108.162.232.205 ocsp2.globalsign.com has address 108.162.232.203 ocsp2.globalsign.com has address 108.162.232.199 ocsp2.globalsign.com has address 108.162.232.196 ocsp2.globalsign.com has address 108.162.232.201 ocsp2.globalsign.com has address 108.162.232.204 ocsp2.globalsign.com has IPv6 address 2400:cb00:2048:1::6ca2:e8c7 ocsp2.globalsign.com has IPv6 address 2400:cb00:2048:1::6ca2:e8c6 ocsp2.globalsign.com has IPv6 address 2400:cb00:2048:1::6ca2:e8cc ocsp2.globalsign.com has IPv6 address 2400:cb00:2048:1::6ca2:e8cd ocsp2.globalsign.com has IPv6 address 2400:cb00:2048:1::6ca2:e8c5 ocsp2.globalsign.com has IPv6 address 2400:cb00:2048:1::6ca2:e8ca ocsp2.globalsign.com has IPv6 address 2400:cb00:2048:1::6ca2:e8c4 ocsp2.globalsign.com has IPv6 address 2400:cb00:2048:1::6ca2:e8cf ocsp2.globalsign.com has IPv6 address 2400:cb00:2048:1::6ca2:e8cb ocsp2.globalsign.com has IPv6 address 2400:cb00:2048:1::6ca2:e8c9 ocsp2.globalsign.com has IPv6 address 2400:cb00:2048:1::6ca2:e8c8 crl.globalsign.com has address 108.162.232.205 crl.globalsign.com has address 108.162.232.197 crl.globalsign.com has address 108.162.232.203 crl.globalsign.com has address 108.162.232.204 crl.globalsign.com has address 108.162.232.198 crl.globalsign.com has address 108.162.232.200 crl.globalsign.com has address 108.162.232.202 crl.globalsign.com has address 108.162.232.196 crl.globalsign.com has address 108.162.232.201 crl.globalsign.com has address 108.162.232.207 crl.globalsign.com has address 108.162.232.199 crl.globalsign.com has IPv6 address 2400:cb00:2048:1::6ca2:e8ca crl.globalsign.com has IPv6 address 2400:cb00:2048:1::6ca2:e8c8 crl.globalsign.com has IPv6 address 2400:cb00:2048:1::6ca2:e8cb crl.globalsign.com has IPv6 address 2400:cb00:2048:1::6ca2:e8cf crl.globalsign.com has IPv6 address 2400:cb00:2048:1::6ca2:e8c4 crl.globalsign.com has IPv6 address 2400:cb00:2048:1::6ca2:e8c6 crl.globalsign.com has IPv6 address 2400:cb00:2048:1::6ca2:e8c9 crl.globalsign.com has IPv6 address 2400:cb00:2048:1::6ca2:e8cc crl.globalsign.com has IPv6 address 2400:cb00:2048:1::6ca2:e8cd crl.globalsign.com has IPv6 address 2400:cb00:2048:1::6ca2:e8c5 crl.globalsign.com has IPv6 address 2400:cb00:2048:1::6ca2:e8c7 -- staticsafe https://staticsafe.ca
Re: Weekly CIDR Reports
On 9/5/2014 20:03, ITechGeek wrote: > Does anyone know if it is possible to get a copy of the Announced and > Withdrawn prefix list a couple weeks ago? Is that weekly list archived > somewhere? > > --- > -ITG (ITechGeek) Since these are mailed to the NANOG list they will be available in their mailman archives: http://mailman.nanog.org/pipermail/nanog/ -- staticsafe https://staticsafe.ca
Re: More Godaddy DNS and whois server issues?
On 9/4/2014 12:22, Mark Keymer wrote: > Hi, > > So this started a little while ago but seems to be getting worse. > > What I am seeing is dns servers over at godaddy not replying however I > seem to be able to traceroute ok to them. Also I have started to see > that the whois.godaddy.com servers also seem to be having issues as well > with "Whois information is currently unavailable. Please try again later." > > Anyone else also seeing issues this morning? And able to confirm the > issue is with godaddy? > > Sincerely, > Do you have any particular NSes and/or domains we can test with? -- staticsafe https://staticsafe.ca
Re: This is me venting.... OVH/lvl3
On 5/12/2014 20:25, Mr. Queue wrote: > Almost a week of this now.. OVH/lvl3 at dal-1-6k. > > Thank you sir may I have another.. > > http://weathermap.ovh.net/usa > Looks fine. -- staticsafe https://asininetech.com
Observations of an Internet Middleman
http://blog.level3.com/global-connectivity/observations-internet-middleman/ -- staticsafe https://asininetech.com
Re: Yahoo DMARC breakage
On 4/20/2014 18:08, Barney Wolff wrote: > On Sun, Apr 20, 2014 at 10:01:38PM +, Franck Martin wrote: >> So I believe, if this list was not stripping the HTML part of the emails, as >> it does not add a subject tag nor a footer, then DKIM would survive the list >> and all would be fine? >> >> why does this list break DKIM when forwarding? > > My system says your message passed DKIM and DMARC. Perhaps that's because > linkedin.com does not publish an SPF record. > They actually do: linkedin.com. 86400 IN SPF "v=spf1 ip4:8.18.31.21 ip4:8.18.31.22 ip4:69.28.149.0/24 ip4:199.101.160.0/25 ip4:199.101.162.0/25 ip4:108.174.3.0/24 ip6:2620:109:c006:104::/64 ip4:216.136.162.65 mx mx:docusign.net ~all" -- staticsafe https://asininetech.com
Fwd: [menog] APRICOT2014 Archives
-- Forwarded message -- From: Miwa Fujii Date: Fri, Mar 7, 2014 at 2:36 AM Subject: [menog] APRICOT2014 Archives To: "me...@menog.org" Hi MENOG members, APRICOT2014 is over now and archived materials are available in: https://2014.apricot.net/program As usual, there were lots of interesting sessions. Here is some sessions to look into as examples of great archives - these are sessions on CGN, managing IPv4 address exhaustion, IPv6 in mobile networs: APNIC Plenary: Anatomy of CGN = Geoff (APNIC), Shin Miyakawa (NTT), Sunny Yeung (Telstra) and Alastair Johnson (Alcatel-Lucent) discussed on CGN. http://www.youtube.com/watch?v=IF7AnAFYrzc https://2014.apricot.net/program#session/66283 IPv6 in Mobile Networks Tutorial bu Sunny Young (Telstra) = https://2014.apricot.net/program#session/66936 464XLAT: Breaking Free of IPv4 Tutorial by Cameron Byrne (T-Mobile USA) === https://2014.apricot.net/program#session/66932 Short video clips = Shin Miyakawa (NTT COM): CGNs and IPv6 http://www.youtube.com/watch?v=J3YD8KG8HaQ Cameron Byrne (T-Mobile USA): T-Mobile's positive experience in deploying IPv6 for its network http://www.youtube.com/watch?v=8yW3cSIm8Bg Sunny Yeung (Australia Telstra): The importance of IPv6 to Telstra's future http://www.youtube.com/watch?v=oStlNQm8je0 Alastair Johnson (Alcatel-Lucent): His thoughts on the trends of network operators around the transition from IPv4 to IPv6 in Asia-Pacific http://www.youtube.com/watch?v=mzp8fWp_srQ&list=PLSnVjSuzLJcyFNlG3JSBTnC76S 25HOLj8 Geoff Huston (APNIC): A brief history of CGNs and the implications for the future of IPv4 and IPv6 http://www.youtube.com/watch?v=H2awlfgM02w&list=PLSnVjSuzLJcyFNlG3JSBTnC76S 25HOLj8 Hope you find something useful for your day to day operations. Cheers, Miwa - Miwa Fujii Senior Advisor, Internet Development, APNIC www.apnic.net www.apnic.net/ipv6 TEL: +61 7 3858 3100 ----- -- staticsafe
Re: Are DomainKeys for e-mail signing dead?
On 2/28/2014 18:36, Suresh Ramasubramanian wrote: > On Saturday, March 1, 2014, Matthew Black wrote: > >> Apologies if I slept through prior discussions on the topic. >> E-mail from our L-Soft LISTSERV was recently rejected by Yahoo with the >> following error: > > > Alive and well after the standard evolved. Google DKIM and then DMARC. > > I doubt anything as antique as listserv supports either, so route its > inbound / outbound mail through a gateway running postfix / sendmail etc. > > --srs > > opendkim[0] does this job beautifully. [0] - http://www.opendkim.org/ -- staticsafe
Re: Cogent 100M DIA in Denver
On 10/14/2013 18:00, Constantine A. Murenin wrote: Which other provider? Please name at least one. Other providers either offer IPv6, or don't. When those other providers do, good or bad, you can connect to any other IPv6 network (well, except maybe for Cogent's AS174). When Cogent offers IPv6, a lot of IPv6 networks are unreachable. No other provider comes close. I mean, even their web-site doesn't work from many IPv6-connected hosts, because there's no route for their network: li163-XXX:~# telnet cogentco.com http Trying 2001:550:1::cc01... ^C li163-XXX:~# C. Fremont Linode? I see it is unreachable from my ARP Networks VPS (HE v6 transit) and also from behind my HE tunnel at home. -- staticsafe O< ascii ribbon campaign - stop html mail - www.asciiribbon.org Please don't top post. It is not logical. Please don't CC me! I'm subscribed to whatever list I just posted on.
Re: The block message is 521 DNSRBL: Blocked for abuse
On 9/18/2013 8:16 PM, Tammy Firefly wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Those also are statistics not actual IP block numbers being deallocated/allocated. -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.20 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBAgAGBQJSOkJqAAoJEHJ/lMQe1SM0PlIH/0DXHqPkIaVIh0poaj5w0oDM Y/PrbpMu16D+ga2HR0KQtrWglNacOg+VxDikTJMgYYhDmscVd8Y+inCyQpAW4ok6 2MaZeKMf5PEkkBkWh2M7703ljQ6ajDae+xTKJgXM0A4CaEkKlFgjxJ9t3+Wad+BC c5Xso50sVbeT0PG0Xd/6BHchg6kZUhm0IwPHBaD2RwIbydYiDpDKcu2zehBTNhO+ 0wjxXmysAC5opFdyR9sjpDvlXWyPDNqhG3pikEMwFY2HGPZLoq1h1iUdUA/QW5Hi J1eVi96wuNdywr6Kp8F3w7ADSldaAwUqr9mvYxI4EwbzMzjwmj28+68xYTXWxrE= =cuK7 -END PGP SIGNATURE- http://lists.arin.net/mailman/listinfo/arin-issued -- staticsafe O< ascii ribbon campaign - stop html mail - www.asciiribbon.org Please don't top post. It is not logical. Please don't CC me! I'm subscribed to whatever list I just posted on.
[Paper] B4: Experience with a Globally-Deployed Software Defined WAN
"We present the design, implementation, and evaluation of B4, a pri- vate WAN connecting Google’s data centers across the planet." - http://cseweb.ucsd.edu/~vahdat/papers/b4-sigcomm13.pdf -- staticsafe O< ascii ribbon campaign - stop html mail - www.asciiribbon.org Please don't top post. Please don't CC! I'm subscribed to whatever list I just posted on.
[security-offi...@isc.org: Notice: BIND Security Jul2013 CVE2013-4854]
ind is expressed in this notice and none should be implied. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time. A stand-alone copy or paraphrase of the text of this document that omits the document URL is an uncontrolled copy. Uncontrolled copies may lack important information, be out of date, or contain factual errors. (c) 2001-2013 Internet Systems Consortium ___ bind-announce mailing list bind-annou...@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-announce - End forwarded message - -- staticsafe O< ascii ribbon campaign - stop html mail - www.asciiribbon.org Please don't top post. Please don't CC! I'm subscribed to whatever list I just posted on.
Re: Fwd: [Filtering of NTP-access to swisstime.ethz.ch as of July 1st, 2013]
On Tue, Jun 25, 2013 at 10:52:37AM -0400, Anthony Williams wrote: > > Alex: > > You should also get this posted to the NTP.ORG community. > > http://www.pool.ntp.org > > > Also a Usenet posting (who still uses that, right?) to > comp.protocols.time.ntp will also help get the word out. Forwarded it to the ntp-pool list. -- staticsafe O< ascii ribbon campaign - stop html mail - www.asciiribbon.org Please don't top post. Please don't CC! I'm subscribed to whatever list I just posted on.
Re: Pen testing and white hats for mass consumption
On Fri, Jun 07, 2013 at 03:03:16PM -0400, Jay Ashworth wrote: > Since one Whacky Weekend thread isn't enough on a post-NANOG weekend: > > Here's some coverage of pentesting and 'ethical' hacking packaged for a > general audience. I only caught the first half of this the other day, but > it seemed worth listening to. > > Cheers, > -- jra > -- > Jay R. Ashworth Baylink > j...@baylink.com > Designer The Things I Think RFC 2100 > Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII > St Petersburg FL USA #natog +1 727 647 1274 > You seem to have forgotten the link. :) -- staticsafe O< ascii ribbon campaign - stop html mail - www.asciiribbon.org Please don't top post - http://goo.gl/YrmAb Don't CC me! I'm subscribed to whatever list I just posted on.
Re: looking for documents describing frequent causes for line cuts
On 5/17/2013 22:16, Kyle Creyts wrote: > has anyone come by documents containing some statistics regarding leading > causes for cuts in fiber, power, cable lines? > > I seem to remember one which included % cuts due to equipment failure, > maintenance, weather, rodents, boring, car accidents, etc. > > but alas, I cannot find it in my archives. > On an amusing note: http://blog.level3.com/level-3-network/the-10-most-bizarre-and-annoying-causes-of-fiber-cuts/ -- staticsafe O< ascii ribbon campaign - stop html mail - www.asciiribbon.org Please don't top post - http://goo.gl/YrmAb Don't CC me! I'm subscribed to whatever list I just posted on.
Re: bind verbose logging
On 5/9/2013 22:52, shawn wilson wrote: > In this log line, what is -EDC? I've also noticed +, -, -E, and -ED > but I have no Idea what they are (called/represent). > > 08-May-2013 08:04:49.751 client 1.2.3.4#48747 (ns2.example.com): > query: ns2.example.com IN -EDC (1.2.3.4) > > Also, I'm writing a parser and we're only loging 'queries' but if > someone has examples / schemas for the other categories, I'd like to > integrate that. > http://www.zytrax.com/books/dns/ch7/logging.html > "+EDC on a query indicates that it is: - Recursive (+) - it has come from a client or a server that is forwarding queries to your server - The sender is using EDNS0 (using larger UDP packet sizes and signalling the size that can be accepted) - The sender understands DNSSEC (D) - this is a request to your server to include any DNSSEC material associated with answer in the query reply. - DNSSEC validation checking is disabled (C) - the sender wants the answer anyway, even if the validation checks fail." Source - https://kb.isc.org/article/AA-00434/0/What-do-EDC-and-other-letters-I-see-in-my-query-log-mean.html Also see https://www.isc.org/software/bind/documentation for further documentation. -- staticsafe O< ascii ribbon campaign - stop html mail - www.asciiribbon.org Please don't top post - http://goo.gl/YrmAb Don't CC me! I'm subscribed to whatever list I just posted on.
Re: CenturyLink Outage?
On 5/7/2013 12:54, Jason Lester wrote: > Does anyone know what is going on with the nationwide CenturyLink outage? > Their NOC recording says it is a BGP routing issue with their upstream > peers affecting Internet traffic and traffic between regions. Our outside > connectivity with them has basically been down since about 4:00AM (EDT) > this morning. The prefixes we were receiving from them were fluctuating > between a few hundred and a few thousand all morning. We are getting the > full BGP table from them now (for about the last hour), but still not > seeing any incoming traffic. Seems like a major issue since it has been > almost 9 hours now. > > Thanks, > Jason > See the [outages] thread - https://puck.nether.net/pipermail/outages/2013-May/005513.html -- staticsafe O< ascii ribbon campaign - stop html mail - www.asciiribbon.org Please don't top post - http://goo.gl/YrmAb Don't CC me! I'm subscribed to whatever list I just posted on.
Re: "It's the end of the world as we know it" -- REM
On 4/23/2013 18:04, Leo Bicknell wrote: > In a message written on Tue, Apr 23, 2013 at 05:41:40PM -0400, > Valdis Kletnieks wrote: >> I didn't see any mention of this Tony Hain paper: >> >> http://tndh.net/~tony/ietf/ARIN-runout-projection.pdf >> >> tl;dr: ARIN predicted to run out of IP space to allocate in >> August this year. > > Here's a Geoff Houston report from 2005: > https://www.arin.net/participate/meetings/reports/ARIN_XVI/PDF/wednesday/huston_ipv4_roundtable.pdf > > I point to page 8, and the prediction "RIR Pool Exhaustion, 4 > June 2013". > > Those of us who paid attention are well prepared. > > tl;dr: Real statistical models properly executed in 2005 were > remarkably close to the reality 8 years later. > On that note, something Mr. Huston wrote more recently: "A Primer on IPv4, IPv6 and Transition" http://www.potaroo.net/ispcol/2013-04/primer.html Discussion: https://news.ycombinator.com/item?id=5586519 -- staticsafe O< ascii ribbon campaign - stop html mail - www.asciiribbon.org Please don't top post - http://goo.gl/YrmAb Don't CC me! I'm subscribed to whatever list I just posted on.
Re: Problem with email to Hawaiilink.net email
On 1/15/2013 19:19, david peahi wrote: > Does anyone know of any problems in Hawaii with email or DNS problems? > Sending from gmail.com and pacbell.net domains, I get: > > > host mail.hawaiilink.net[24.43.223.114] said: 553 > 5.1.8 emailaddr...@pacbell.net ... Domain of sender address > emailaddr...@pacbell.net does not exist (in reply to MAIL FROM command) > > Regards, > > David > See thread on [outages] currently going on regarding outages happening at the moment in Hawaii, https://puck.nether.net/pipermail/outages/2013-January/005072.html -- staticsafe O< ascii ribbon campaign - stop html mail - www.asciiribbon.org Please don't top post - http://goo.gl/YrmAb
