[dns-operations] Goodbye DNS, Goodbye PowerDNS!

2020-11-27 Thread bert hubert
Hi everyone, I thought it polite to also mention it here, especially since my parting post comes with some thoughts on DNS: I am leaving DNS and PowerDNS. Although I do grumble a bit in the post, it has been an honour for me to be part of the DNS community. I leave the scene a lot wiser about

[dns-operations] cache flush request for maskermatch.be

2020-03-19 Thread bert hubert
Hello everyone, Could you flush your caches for maskermatch.be if you have Belgian customers/users? They are launching this Corona initiative today but some large scale providers are sadly on a 24 hour TTL old set of NS records. Thanks!

Re: [dns-operations] GPS time glitch last night

2020-01-01 Thread bert hubert
$GPRMC time. A restart of the ntpd process fixed it. Hi Muks, Do you have some further details on the $GPRMC log lines? Here in any case is what I found with my other project: From: bert hubert To: na...@nanog.org Cc: Forrest Christian , mattli...@rivervalleyinternet.net Subject: GPS Sync Outag

Re: [dns-operations] root? we don't need no stinkin' root!

2019-11-25 Thread bert hubert
On Mon, Nov 25, 2019 at 09:54:55PM +0100, Florian Weimer wrote: > Do we know why the number of root instances has increased? Is it > because of the incoming data is interesting? I would venture the latter. This remains a seriously underdiscussed subject. There is of course "logging of all

Re: [dns-operations] about anti-ddos DNS hostings

2015-06-10 Thread bert hubert
On Thu, Jun 11, 2015 at 12:06:54PM +0800, Kevin C. wrote: Do you know which provider has a good anti-ddos systems and with a low price for bulk zones? I will suggest him switch to there. No, this is something you can't offer right now. Geoff Huston's thinking on this is instrumental:

[dns-operations] Writeup of Spring Workshop

2015-05-11 Thread bert hubert
Hi everybody, When I registered for the workshop I signed up as a volunteer and then promptly forgot that and didn't volunteer for anything. Perhaps to make up for that I wrote a summary of the wonderful workshop this weekend, it can be found on:

Re: [dns-operations] Stunning security discovery: AXFR may leak information

2015-04-14 Thread bert hubert
On Tue, Apr 14, 2015 at 10:26:01AM -0700, Mark Boolootian wrote: https://www.us-cert.gov/ncas/alerts/TA15-103A Seems they could have mentioned NSEC as well. And NSEC3, which does help anyhow in any real sense. Bert

Re: [dns-operations] [DNSOP] dnsop-any-notimp violates the DNS standards

2015-03-16 Thread bert hubert
On Mon, Mar 16, 2015 at 11:53:17PM +0900, Paul Vixie wrote: that is not the use case for this. the updated document makes clear that the iteration complexity in split-authority systems having a lightweight front end, is the situation where ANY is painful. Sorry? We solve implementation

Re: [dns-operations] dnsop-any-notimp violates the DNS standards

2015-03-16 Thread bert hubert
On Mon, Mar 09, 2015 at 04:18:12PM +0100, bert hubert wrote: On Mon, Mar 09, 2015 at 11:08:03AM -, D. J. Bernstein wrote: My qmail software is very widely deployed (on roughly 1 million SMTP server IP addresses) and, by default, relies upon ANY queries in a way that is guaranteed

Re: [dns-operations] dnsop-any-notimp violates the DNS standards

2015-03-09 Thread bert hubert
On Mon, Mar 09, 2015 at 11:08:03AM -, D. J. Bernstein wrote: My qmail software is very widely deployed (on roughly 1 million SMTP server IP addresses) and, by default, relies upon ANY queries in a way that is guaranteed to work by the mandatory DNS standards. Hi Dan, The way I read RFC

Re: [dns-operations] Mozilla Firefox and ANY queries

2015-02-26 Thread bert hubert
On Fri, Feb 27, 2015 at 12:02:57AM -0500, Sadiq Saif wrote: Hi all, Checking local resolver logs and am seeing a large amount of ANY queries originating from Firefox, is anybody else seeing such behavior? Well this would be unfortunate since 'any' queries are not guaranteed to do anything

Re: [dns-operations] Root-servers returning TC=1 after 5 NXDOMAINS

2015-02-11 Thread bert hubert
On Wed, Feb 11, 2015 at 05:44:18AM +0800, Jim Martin wrote: This is certainly not our intention for legitimate queries, but as others have stated, very likely a side effect of running RRL. Are you seeing this anytime you get 5 NXDOMAINs/s (on any query), or anytime you get 5

Re: [dns-operations] Root-servers returning TC=1 after 5 NXDOMAINS

2015-02-11 Thread bert hubert
On Tue, Feb 10, 2015 at 03:28:10PM -0800, Paul Vixie wrote: bert hubert mailto:bert.hub...@netherlabs.nl Tuesday, February 10, 2015 3:02 AM Hi everybody, Recently at a large deployment, we ran into f.root-servers.net returning TC=1 to all our queries. We took this up with ISC who

[dns-operations] Root-servers returning TC=1 after 5 NXDOMAINS

2015-02-10 Thread bert hubert
Hi everybody, Recently at a large deployment, we ran into f.root-servers.net returning TC=1 to all our queries. We took this up with ISC who quickly informed us that this is a setting they run with if you exceed more than 5 NXDOMAIN responses/s. The installation in question services millions of

Re: [dns-operations] Root-servers returning TC=1 after 5 NXDOMAINS

2015-02-10 Thread bert hubert
On Tue, Feb 10, 2015 at 11:34:35AM +, Roy Arends wrote: We've since tried to curtail our queries to the root severely, but we still get TC=1 responses a lot, which slows down our resolution. Have you thought about running a local copy of the root zone? More frequently now, yes. But I

Re: [dns-operations] Evaluating resolver performance

2015-02-03 Thread bert hubert
On Tue, Feb 03, 2015 at 05:54:59PM +0100, Marek Vavruša wrote: What I don't like is that it leaks messages to Internet instead of faking DNS hierarchy on a local interface, thus making the results unreliable. Is there anything else I'm missing? Hi Marek, A few points. Actual real world

Re: [dns-operations] extra records in resolver answer, any benefit?

2015-01-27 Thread bert hubert
On Tue, Jan 27, 2015 at 10:07:33AM +0100, Marek Vavruša wrote: Hi, I was wondering if there's any operational benefit in including records other than direct answer in resolver responses [1]? For example, some recursors return authoritative NS records, SOA, glue, etc., and some servers scrub

Re: [dns-operations] extra records in resolver answer, any benefit?

2015-01-27 Thread bert hubert
On Tue, Jan 27, 2015 at 09:40:42PM +1100, Mark Andrews wrote: It is all optional, and nobody does anything with that data. In fact stub resolvers do very little with what they receive. So for example, even the additional processing for an MX record is completely ignored mostly. That is

Re: [dns-operations] What are the DNS Traffic tester that you are using?

2015-01-08 Thread bert hubert
On Thu, Jan 08, 2015 at 03:44:47PM +0900, Techs_Maru wrote: Please tell me, What are the DNS Traffic tester(Traffic Generator) that you are using? Over at PowerDNS, we are big fans of our tool 'dnsreplay'. With this, you can take a PCAP record of actual DNS traffic, and replay it against

Re: [dns-operations] knot-dns

2014-12-13 Thread bert hubert
On Sat, Dec 13, 2014 at 03:27:37PM -0500, Warren Kumari wrote: What's interesting is that there are many sets of benchmarks, and each organization's seem to show their server as best... All depends on what, and how you test... Untrue. We've never done that ;-) We do find that our own testing

[dns-operations] PowerDNS Security Advisory 2014-02

2014-12-08 Thread bert hubert
Hi everybody, Please be aware of PowerDNS Security Advisory 2014-02 (http://doc.powerdns.com/md/security/powerdns-advisory-2014-02/), which you can also find below. The good news is that the currently released version of the PowerDNS Recursor is safe. The bad news is that users of older

Re: [dns-operations] Botnets, botnets everywhere

2014-09-11 Thread bert hubert
On Thu, Sep 11, 2014 at 04:38:25PM +0400, Peter Andreev wrote: I'd like to ask the respected community, how do you detect and protect against such activity? Will RRL help me if all suspected queries come with random qname? No, it will probably not, since the answers are all servfails.

Re: [dns-operations] 'dnstap' (Re: Prevalence of query/response logging?)

2014-07-07 Thread bert hubert
On Fri, Jul 04, 2014 at 03:04:10PM -0700, Paul Vixie wrote: Roland Dobbins wrote: I know that some DNS operators disable logging of queries/responses due to the overhead of doing so - are most folks on this list with large-scale DNS recursive and/or authoritative DNS infrastructure

Re: [dns-operations] Prevalence of query/response logging?

2014-07-04 Thread bert hubert
On Fri, Jul 04, 2014 at 06:00:48PM +0700, Roland Dobbins wrote: I know that some DNS operators disable logging of queries/responses due to almost all, I would suggest. the overhead of doing so - are most folks on this list with large-scale DNS recursive and/or authoritative DNS

Re: [dns-operations] What's wrong with my domain?

2014-07-02 Thread bert hubert
On Wed, Jul 02, 2014 at 06:29:22AM -0400, Mohamed Lrhazi wrote: I am sure I messed up something, but can't figure out what! Some DNS servers, notably Google's, return SERVFAIL, since a couple of days now. Mohamed, I checked most things I can check, and it all looks fine. It may be good to note

[dns-operations] PCAP based detector of malicious DNS traffic

2014-06-27 Thread bert hubert
Hi, In addition to Nick Urbanik's work, which is log file based, we've also provided some tooling to detect the originators and domains in the recent flood of malicious DNS traffic based on PCAP files. From our mailing list post to pdns-users yesterday: Secondly, the botnet mitigation code in

Re: [dns-operations] PCAP based detector of malicious DNS traffic

2014-06-27 Thread bert hubert
On Fri, Jun 27, 2014 at 10:40:13AM +0200, sth...@nethelp.no wrote: The output of the tool is, like Nick's work, a list of domain names and additionally the set of IP addresses sending traffic to those domains. Is dnsscope available for other OSes, e.g. FreeBSD? Yes, you can compile it from

[dns-operations] Small datapoint on current DoS mitigation

2014-04-03 Thread bert hubert
Hi everybody, Like most people, we're currently seeing loads and loads of malicious DNS traffic. In this post http://blog.powerdns.com/2014/04/03/further-dos-guidance-packages-and-patches-available/ we describe a new PowerDNS feature that so far has been remarkably effective. I think it was

[dns-operations] Heads up Linux IPv6 users: larger scale use may require kernel tuning

2014-02-28 Thread bert hubert
We've since learned that some Linux distributions automatically tune IPv6 better than the kernel default, but not all do. The Linux kernel folks are aware of the issue, and people are working on it. Bert - Forwarded message from bert hubert bert.hub...@netherlabs.nl - Date: Thu, 27

Re: [dns-operations] simple TCP/IP DNS benchmarking tool

2013-07-04 Thread bert hubert
On Wed, Jul 03, 2013 at 07:31:40AM -0700, Paul Vixie wrote: And with this, I'll stop spamming dns-operations with news about dnstcpbench. -1. Ok, several other people agreed that announcement of relevant dns tools are germane to dns-operations. We expect to have infrequent releases of

Re: [dns-operations] simple TCP/IP DNS benchmarking tool

2013-07-03 Thread bert hubert
On Tue, Jul 02, 2013 at 02:40:25PM +0100, Kareem Ali wrote: What dnstcpbench could use is a little more output information about the queries, like qps. But still, great work. Added mean and median qps latencies, github has been updated, packages will be live shortly on

Re: [dns-operations] simple TCP/IP DNS benchmarking tool

2013-07-02 Thread bert hubert
On Tue, Jul 02, 2013 at 11:52:53AM +0100, Kareem Ali wrote: Hi Bert, Thanks for developing this tool. I'm trying to test how it works. How can I specify what input file to use with it ? Hi Kareem, It currently reads from standard input. However, since people might want to read from named

Re: [dns-operations] Resolvers choosing low latency nameservers

2013-06-21 Thread bert hubert
On Fri, Jun 21, 2013 at 02:26:05PM +, Jain, Vipin wrote: This work, published from Verisign, takes a look at the server selection algorithms of the various recursive resolvers: http://www.sigcomm.org/ccr/papers/2012/April/2185376.2185387 For PowerDNS: SyncRes::doResolveAt first shuffles

Re: [dns-operations] simple TCP/IP DNS benchmarking tool

2013-06-11 Thread bert hubert
On Tue, Jun 11, 2013 at 04:58:11PM +0200, bert hubert wrote: $ git clone https://github.com/PowerDNS/pdns.git $ cd pdns $ ./bootstrap It has been pointed out off-list that ./bootstrap does not do the right thing on OSX. On https://autotest.powerdns.com/job/auth-git/lastSuccessfulBuild

Re: [dns-operations] DNSSEC problem at one.com

2013-04-29 Thread bert hubert
On Mon, Apr 29, 2013 at 04:26:12PM +0200, Patrik Wallström wrote: and the resolvers. This makes it hard for us to make any proper evaluation of the cause of any of these kind of errors. So thank you for your effort in debugging these problems. For completeness, Jimmy Bergman (Sigint),

Re: [dns-operations] EDSN0 fallback in the era of DNSSEC

2013-04-29 Thread bert hubert
On Mon, Apr 29, 2013 at 07:30:38AM -0700, Paul Hoffman wrote: Retrying queries without EDNS0 seems sensible before deployment of DNSSEC. Is that still the case now that DNSSEC is more widely deployed? Yes. The world still needs *a lot* of EDNS downgrading. But not once you've seen a DS as it

Re: [dns-operations] DNS ANY requests / UltraDNS

2013-01-10 Thread bert hubert
On Thu, Jan 10, 2013 at 08:11:24AM +0100, Florian Weimer wrote: Some breakage is unavoidable. Considering that ANY queries rarely give the results expected by the sender, refusing them outright makes sense to me. For queries to authoritative servers, the result of an ANY query is very well

Re: [dns-operations] DNS ANY requests / UltraDNS

2013-01-10 Thread bert hubert
On Thu, Jan 10, 2013 at 02:39:58PM +0100, Miek Gieben wrote: [ Quoting bert hubert at 14:10 on January 10 in Re: [dns-operations] DNS ANY reques... ] On Thu, Jan 10, 2013 at 08:11:24AM +0100, Florian Weimer wrote: Some breakage is unavoidable. Considering that ANY queries rarely give

Re: [dns-operations] Advisory — D-root is changing its IPv4 address on the 3rd of January.

2012-12-14 Thread bert hubert
On Thu, Dec 13, 2012 at 05:54:41PM -0500, Jason Castonguay wrote: We encourage operators of DNS infrastructure to update any references to the old IP address, and replace it with the new address. In particular, many DNS resolvers have a DNS root “hints” file. This should be updated with the

Re: [dns-operations] using different DNS providers together

2012-11-06 Thread bert hubert
On Tue, Nov 06, 2012 at 09:35:23AM +0100, Stephane Bortzmeyer wrote: It includes godaddy, cloudflare, dnsbed and dnspod. Does this have any hidden problem for resolving? No. In fact, some 'shadier' domains do this to make them very hard to take down. Bert

Re: [dns-operations] ATT DNS Cache Poisoning?

2012-10-28 Thread bert hubert
On Sun, Oct 28, 2012 at 02:22:04AM -0400, Paul Wouters wrote: On Sun, 28 Oct 2012, bert hubert wrote: It appears that source port randomization works. Probably the only vulnerable servers are those behind NAT that derandomizes the source port. But important servers are unlikely to suffer

Re: [dns-operations] ATT DNS Cache Poisoning?

2012-10-28 Thread bert hubert
On Sat, Oct 27, 2012 at 11:43:40PM -0700, David Conrad wrote: It appears that source port randomization works. Was there ever any doubt? The question wasn't (isn't?) whether source Yes, people used the Kaminsky hack as a way to push DNSSEC. So perhaps doubt was *instilled*. making the

Re: [dns-operations] How many kinds of DNS DoS attacks are we trying to stop ?

2012-09-27 Thread bert hubert
On Thu, Sep 27, 2012 at 12:23:12PM -0400, Olafur Gudmundsson wrote: I noticed a few comments of the kind by doing X you make Y possible or by doing Z you hurt innocent W . Usually when this happens in a debate that reflects a partial/non-shared understanding of the problem. Thanks for this

Re: [dns-operations] How many kinds of DNS DoS attacks are we trying to stop ?

2012-09-27 Thread bert hubert
On Thu, Sep 27, 2012 at 08:45:43PM +, paul vixie wrote: On 9/27/2012 8:43 PM, bert hubert wrote: We should therefore not forget to deploy something that works on the not so sophisticated attacks we see today, and not immediately shoot for the stars. ... bert, it's hard to tell from

[dns-operations] Go Daddy is down

2012-09-10 Thread bert hubert
Hi everybody, Go Daddy's servers appear to be down. I first noticed this from the automated PowerDNS Recursor bulk test, which suddenly could only resolve 91.6% of domains successfully (96% is the norm) [1]. Our test set consists of the most popular domain names on the internet. The test usually

Re: [dns-operations] Authoritative Name Server at Wikipedia

2012-08-08 Thread bert hubert
On Wed, Aug 08, 2012 at 10:08:52PM +, Michael Hoskins (michoski) wrote: While we're tongue in cheek, everyone knows DJB invented DNS done right. In a major sense he did. You can still run djbdns from 10 years ago and not get hacked. Nobody else managed that. Bert

Re: [dns-operations] Why would an MTA issue an ANY query instead of an MX query?

2012-06-10 Thread bert hubert
On Jun 10, 2012, at 1:24 PM, Kyle Creyts wrote: So, list, I am young and foolish. Aside from being in the RFC, are there legitimate reasons to continue supporting ANY queries? Yes, you don't have that power. If you issue an RFC that ANY queries are deprecated, nothing will happen. People

Re: [dns-operations] dns-operations@lists.dns-oarc.net

2012-05-07 Thread bert hubert
On Mon, May 07, 2012 at 09:13:50AM -0400, Stephane Handfield wrote: Hello DNS operators, I want to know what rules you follow in terms of capacity planning for your DNS. I am mainly interested in the best planning practice for caching DNS. Definitely our rules need to reflect a lot of our

Re: [dns-operations] dns-operations@lists.dns-oarc.net

2012-05-07 Thread bert hubert
-oarc.net' help though. Bert Steve On 7 May 2012 14:42, bert hubert bert.hub...@netherlabs.nl wrote: On Mon, May 07, 2012 at 09:13:50AM -0400, Stephane Handfield wrote: Hello DNS operators, I want to know what rules you follow in terms of capacity planning for your